
Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service


The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to develop and host high-quality phishing websites imitating major online banking, e-commerce, retail, and online service brands in order to steal customer information.

Cybercriminals created the platform to distribute professional-grade phishing pages through spam campaigns. "Frappo" is widely advertised on the Dark Web and on Telegram, where its group of over 1,965 members discuss their success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated since; the most recent version was registered on May 1, 2022.

"Frappo" allows attackers to handle stolen data in an anonymous and encrypted manner. It offers anonymous billing, technical support, upgrades, and a dashboard for tracking harvested credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is fully anonymous and does not require a threat actor to create an account.

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the brands and financial institutions (FIs) for which the service creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription. "Frappo" works like the SaaS platforms used by legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them at larger scale. Notably, the phishing page deployment procedure is fully automated, since "Frappo" uses a pre-configured Docker container and a secure channel to collect compromised credentials through an API.

Once "Frappo" is properly configured, statistics such as how many victims opened the phishing page, reached the login step and entered credentials, as well as uptime and server status, are collected and visualised. Compromised credentials appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing their login credentials.

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to attack consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result a new digital battleground is emerging, with threat actors hunting for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”

US Attributes North Korean Lazarus Hackers to Axie Infinity Crypto Theft


The US Treasury Department announced on Thursday that it had linked North Korean hackers to the heist of hundreds of millions of dollars in cryptocurrencies linked to the popular online game Axie Infinity. 

On March 23, digital cash worth about $615 million was stolen, according to Ronin, a blockchain network that enables users to transfer crypto in and out of the game. No one has claimed responsibility for the hack, but the US Treasury announced on Thursday that a digital currency address used by the hackers was under the control of a North Korean hacking group known as "Lazarus." 

The Treasury Department spokesperson stated, using the initials of North Korea’s official name, “The United States is aware that the DPRK has increasingly relied on illicit activities — including cybercrime — to generate revenue for its weapons of mass destruction and ballistic missile programs as it tries to evade robust U.S. and U.N. sanctions.” 

The wallet's users risk being sanctioned by the US, according to the representative. Chainalysis and Elliptic, two blockchain analytics companies, said the designation confirmed that North Korea was behind the break-in. Aleksander Larsen, co-founder of Sky Mavis, the developer of Axie Infinity, declined to comment. Sky Mavis engaged CrowdStrike to investigate the incident, but that firm also declined to comment.

The FBI has ascribed the attack to the Lazarus Group, according to a post on the official Ronin blog, and the US Treasury Department has sanctioned the address that received the stolen money. The Reconnaissance General Bureau, North Korea's primary intelligence bureau, is said to be in charge of the Lazarus hacking squad, according to the US. It has been accused of being involved in the "WannaCry" ransomware attacks, as well as hacking multinational banks and customer accounts and the Sony Pictures Entertainment hacks in 2014. 

Cryptocurrency systems have long been afflicted by hacks, and the Ronin hack was one of the largest cryptocurrency thefts ever. Sky Mavis stated it would reimburse the lost funds using a combination of its own balance sheet capital and $150 million raised from investors including Binance.

The Ronin blog stated, “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month.” 

According to a Treasury spokesperson, the US will consider publishing crypto cybersecurity guidelines to help in the fight against the stolen virtual currency.

OpenSea Phishing Scam Swindled Millions in NFTs


On Saturday, a phishing attack targeted 17 users of OpenSea, one of the major NFT markets, according to the company. The hack apparently resulted in the theft of over 250 NFTs worth at least $1.7 million. 

A nonfungible token, or NFT, is a way of proving ownership of a digital asset. NFTs linked to digital art have been increasingly popular in recent months, owing to the involvement of high-profile personalities. The attacker, or attackers, stole NFTs from OpenSea users over a 3-hour window on Saturday by compromising the underlying code that allows NFTs to be bought and sold. 

OpenSea tweeted late Sunday that the attack didn't appear to be active, with the most recent action 15 hours before. Nadav Hollander, the CTO of OpenSea, also provided a technical breakdown of the phishing attack. Phishing attacks are frequently carried out using emails that contain harmful links and fraudulently purport to be from a company. It's still unknown how OpenSea customers were lured into the phishing scam.

While the identity of the wallet's owner can be hidden in digital wallets used to keep NFTs, the transactions of digital assets on a blockchain are normally public. As a result, anyone with technical knowledge can track the NFTs from wallet to wallet. 

In a post on Twitter on Saturday after the attack, OpenSea CEO Devin Finzer stated, "The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs."

The hacker also appears to have returned some of the NFTs to the original owners. OpenSea tweeted on Sunday that the investigation into Saturday's phishing attack is still ongoing. OpenSea's CTO, Nadav Hollander, posted a Twitter thread summarising the company's current understanding of the attack, which the company believes did not originate from OpenSea. 

Hollander said, "All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing."

New Golang Botnet Drains Windows Users’ Cryptocurrency Wallets


A new Golang-based botnet has been ensnaring hundreds of Windows PCs, each time its operators launch a new command and control (C2) server. This previously undiscovered botnet, dubbed Kraken by ZeroFox researchers in October 2021, utilizes the SmokeLoader backdoor and malware downloader to proliferate to new Windows systems. 

After compromising a new Windows device, the botnet adds a new Registry key to achieve persistence across system restarts. It also adds a Microsoft Defender exclusion to ensure that its installation directory is never scanned, and uses the hidden attribute to hide its binary in Windows Explorer.

Kraken has a basic feature set that allows attackers to download and run additional malicious payloads on infected devices, such as the RedLine Stealer malware. RedLine is the most widely used information stealer, capable of gathering victims' passwords, browser cookies, credit card information, and cryptocurrency wallet information.

ZeroFox stated, "Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet." 

The botnet, however, has built-in data-stealing capabilities and can steal cryptocurrency wallets before dropping other information stealers and cryptocurrency miners. Kraken can steal information from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets, according to ZeroFox. Based on data obtained from the Ethermine cryptocurrency mining pool, this botnet appears to be adding almost USD 3,000 to its operators' wallets every month.

The researchers added, "While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP."

Regardless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."

Cheap Malware Behind Surge in Attacks on Cryptocurrency Wallets


Due to the surge in low-cost, easy-to-use malware, cyber thieves may now steal cryptocurrency more easily than before. 

Whether stolen directly from cryptocurrency exchanges or demanded as an extortion payment in ransomware attacks, Bitcoin has consistently been a favoured target for sophisticated cybercriminals.

However, because of its rising value, cryptocurrency has swiftly become a target for cyber thieves, who are increasingly undertaking attacks aimed at stealing cryptocurrency from individual users' wallets. According to Chainalysis, cryptocurrency users are more vulnerable to malware such as information stealers, clippers (which allow attackers to alter text copied by the user, routing cryptocurrency to their own wallets), and trojans, all of which can be purchased for "quite cheap." 

On Russian cybercrime forums, for example, an info-stealer malware family known as Redline is marketed for $150 for a month's subscription or $800 for a 'lifetime' membership. Unfortunately, a cybercriminal aiming to steal cryptocurrency is quite likely to recoup that investment within a few attacks.

The illegal service also gives users access to a tool that enables attackers to encrypt malware, making it harder for anti-virus software to identify it, boosting the chances of attacks successfully taking cryptocurrency from victims. 

"The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency," warned the report. 

Overall, the malware families in the research received 5,974 transfers from victims in 2021, up from 5,449 in 2020 – but still far fewer than the 7,000 transfers seen in 2019. Redline is only one kind of malware designed to steal cryptocurrency, however, and the market for this type of malware is growing. Cryptbot, an infostealer, accounted for the most thefts of cryptocurrency wallets and account credentials among the incidents tracked, taking about half a million dollars in bitcoin in 2021.

Furthermore, progress in stealing cryptocurrency from consumers may encourage more ambitious cyber criminals to attack organisations and even cryptocurrency exchanges, implying that the possibility of cybercriminals attacking crypto wallets and credentials is something that businesses should be aware of. 

The blog post stated, "The cybersecurity industry has been dealing with malware for years, but the usage of these malicious programs to steal cryptocurrency means cybersecurity teams need new tools in their toolbox." 

"Likewise, cryptocurrency compliance teams already well-versed in blockchain analysis must educate themselves on malware in order to ensure these threat actors aren't taking advantage of their platforms to launder stolen cryptocurrency."

$57 Million in Seized Cryptocurrency Being Sold for Victims of BitConnect Scam


US law enforcement authorities will begin liquidating around $57 million in cryptocurrency confiscated from the now-defunct BitConnect crypto exchange. 

The amount is insignificant in comparison to the $2 billion that BitConnect executives defrauded from American and foreign investors over the company's two years of existence. Nonetheless, the US Department of Justice considers this liquidation to be "the largest single recovery of cryptocurrency for victims to date" and the first step in helping BitConnect victims regain some of their losses.

BitConnect, an open-source cryptocurrency exchange with its own token, the BitConnect Coin (BCC), was founded in 2016. The platform, which offered a high-yield investment programme (up to 1% per day), swiftly gained traction, with the token's value reaching the 'top 20' by the summer of 2017.

Soon, clouds gathered above BitConnect as regulators accused it of being a Ponzi scheme, a charge the company frequently denied. After several probes, the platform was eventually shut down in January 2018, BCC's price collapsed, and a restraining order was filed to freeze all of the company's assets. 

During the subsequent investigations, it was found that one of the top executives was actively involved in money laundering as well as a second fraud known as 'Regal Coin.' On September 1, 2021, the company's founder, Glen Arcaro, pleaded guilty to the criminal charges brought by the US Department of Justice.

Arcaro admitted that he deceived investors about BitConnect's allegedly patented technology, which promised investors a profit. As he admitted, early BitConnect investors were paid with money from later BitConnect investors, a classic example of a Ponzi scheme (SEC complaint).

Acting U.S. Attorney Randy S. Grossman of the Southern District of California stated, "Arcaro and his confidantes preyed on investor interest in cryptocurrency. As a result, a staggering number of individuals lost an enormous amount of money. To the investing public, let this also serve as a cautionary tale to safeguard your money and invest it wisely." 

The offender now faces up to twenty years in prison, a fine of $250,000 or double the gross gain or loss from the offence, forfeiture, and restitution. Arcaro's sentencing is scheduled for January 7, 2022.

Victims of the BitConnect scam can identify themselves as possible victims by filling out this victim impact statement form. Victims can also voluntarily provide their information to the FBI to help with the investigation.

When investing in cryptocurrency, it is advisable to watch out for counterfeit wallet software, spoofed websites, and multiplier frauds. Even if a platform appears reliable, it is recommended not to put all the money in one place; rather, diversify the cryptocurrency and investment portfolio to reduce the risk of losing everything at once.

This Malware Botnet Gang has Made Millions With a Surprisingly Simple Trick


MyKings, a long-running botnet, is still active and has generated at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies. 

Also known as Smominru and Hexen, it is the world's largest botnet focused on mining cryptocurrencies by exploiting the CPUs of its victims' desktop and server computers. It is a profitable business that gained notoriety in 2017 after infecting more than half a million Windows machines to mine $2.3 million of Monero in a month.

Security firm Avast has now verified that its operators have received at least $24.7 million in cryptocurrencies, which have been transferred to Bitcoin, Ethereum, and Dogecoin accounts. It states, however, that the majority of this was accomplished by the group's 'clipboard stealer module.' When it detects that a cryptocurrency wallet address has been copied (for example, to make a payment), this module replaces it with a cryptocurrency address controlled by the group.

Avast claims to have blocked the MyKings clipboard stealer on 144,000 computers since the beginning of 2020; the clipboard stealer module first appeared in 2018.

According to research by the security firm Sophos, the clipboard stealer, a trojan, monitors PCs for the use of various cryptocurrency wallet address formats. It works because users frequently copy and paste rather lengthy wallet IDs instead of typing them when making a payment or logging into an account.

Sophos noted in a report, "This method relies on the practice that most (if not all) people don't type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it. Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals' own wallet, and the payment is diverted to their account." 

Sophos did mention, however, that the coin addresses it discovered "hadn't received more than a few dollars," implying that coin theft was a tiny component of the MyKings operation. Sophos estimated that the crypto-mining part of the operation generated around $10,000 per month in October 2019.

Avast now claims that MyKings is generating significantly more money from the clipboard trojan, after expanding the 49 coin addresses uncovered in Sophos' investigation to over 1,300 coin addresses.

According to Avast, the clipboard stealer's share of the proceeds may be far greater than Sophos found. Avast researchers explain in a report, "This malware counts on the fact that users do not expect to paste values different from the one that they copied. It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as crypto wallet addresses."

"This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method." 

Remarks from users on Etherscan who claimed to have mistakenly sent funds to accounts covered in Avast's study provide circumstantial evidence that the clipboard stealer is effective.

Avast recommended that people should always double-check transaction details before sending money.
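As an added example that is not from the Avast or Sophos reports, the following Python code shows detection logic for the swap pattern described above, plus a mismatch check that backs the "double-check before sending" advice. The process names, timings and wallet addresses in the sample telemetry are constructed, and attributing each clipboard write to its owner process is assumed to be done by a host agent feeding the detector.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose shape checks for the address families named in the Avast and Sophos reporting
# (Bitcoin, Ethereum, Dogecoin). Pattern match only, no base58check or EIP-55 validation:
# enough for a monitor to ask "does this clipboard value look like a wallet address?"
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{6,87})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "doge": re.compile(r"^D[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    """One clipboard write as a host agent would record it (constructed telemetry).
    owner is the process that set the clipboard; a Windows agent can resolve it from the
    clipboard owner window after each clipboard-update notification (assumed here)."""
    ts: float      # seconds since monitoring started
    owner: str     # process name that wrote the clipboard
    content: str


@dataclass
class SwapAlert:
    ts: float
    family: str
    copied: str
    replaced_with: str
    copied_by: str
    replaced_by: str


def detect_address_swaps(events: List[ClipboardEvent], window_s: float = 5.0) -> List[SwapAlert]:
    """Flag a write that replaces a wallet address with a different address of the same
    family, from a different process, within window_s seconds of the original copy.
    That is the clipboard-stealer sequence; a user re-copying another address from the
    same app does not match, which keeps false positives down."""
    alerts: List[SwapAlert] = []
    previous: Optional[ClipboardEvent] = None
    for ev in events:
        family = classify_address(ev.content)
        if (previous is not None and family is not None
                and classify_address(previous.content) == family
                and ev.content.strip() != previous.content.strip()
                and ev.owner != previous.owner
                and ev.ts - previous.ts <= window_s):
            alerts.append(SwapAlert(ev.ts, family, previous.content, ev.content,
                                    previous.owner, ev.owner))
        previous = ev
    return alerts


def address_mismatch_positions(intended: str, pasted: str) -> List[int]:
    """Character positions where a pasted address differs from the intended one.
    An empty list means they match; anything else means do not send."""
    width = max(len(intended), len(pasted))
    return [i for i in range(width)
            if i >= len(intended) or i >= len(pasted) or intended[i] != pasted[i]]


# Constructed sample telemetry: a user copies a BTC address from the browser and, 0.3 s
# later, an unrelated process overwrites the clipboard with a different BTC address.
# The two ETH writes at the end come from the same wallet app and must not alert.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "chrome.exe", "1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSsT"),
    ClipboardEvent(10.3, "updater.exe", "1ZzYyXxWwVvUuTtSsRrQqPpNnMmKkJjHhG"),
    ClipboardEvent(42.0, "chrome.exe", "meeting notes for tuesday"),
    ClipboardEvent(60.0, "wallet.exe", "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678"),
    ClipboardEvent(61.0, "wallet.exe", "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345679"),
]
```

Running `detect_address_swaps(SAMPLE_EVENTS)` yields exactly one alert, for the 10.3 s write by `updater.exe`; the same-owner ETH re-copy is left alone.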

Hacker Behind $600 Million Crypto Heist Returned Stolen Funds


The hacker behind the biggest cryptocurrency heist of all time has finally handed over access to the final tranche of stolen funds.

Poly Network, a platform in the decentralized finance or "DeFi" space, was hacked last month, with the hacker or hackers acquiring almost $600 million in digital tokens. The criminal exploited a flaw in Poly Network's software to move the funds to their own accounts.

In an unexpected twist, the Poly Network hacker did not flee with the funds. Instead, they initiated contact with the targeted organization, offering to return everything. Last week, the hacker returned virtually all of the funds, except $33 million in tether, or USDT, a dollar-pegged cryptocurrency that was frozen by its issuers.

However, there was a problem: more than $200 million in assets were locked in an account that required both Poly Network and the hacker to enter their passwords. The hacker refused to hand over their password for several days, stating only that they would do so when "everyone is ready."

Poly Network appealed to the hacker, dubbed "Mr. White Hat," to refund the money. The company promised the anonymous person a $500,000 reward for helping to identify a security weakness in its systems, as well as a position as "chief security advisor."

Poly Network now has access to the final batch of stolen funds. According to a blog post published Monday, Mr. White Hat provided the private key needed to restore control of the remaining assets.

“At this point, all the user assets that were transferred out during the incident have been fully recovered,” Poly Network stated. 

“We are in the process of returning full asset control to users as swiftly as possible.” 

Last week, the Japanese cryptocurrency exchange Liquid announced that it had been the target of a cyberattack in which hackers obtained $97 million worth of cryptocurrencies. However, in the case of Poly Network, the hacker kept an open dialogue going with their victim, eventually reclaiming the assets they had stolen. 

Security experts believe the attacker recognized it would be impossible to launder and cash out the money, because all transactions are recorded on the blockchain, the public ledger that underlies most major digital currencies.

An unidentified individual claiming to be the hacker stated they were “(quitting) the show” in a message embedded in a digital currency transaction. 

“My actions, which may be considered weird, are my efforts to contribute to the security of the Poly project in my personal style,” the unidentified person stated. 

“The consensus was reached in a painful and obscure way, but it works. Some people even suspect that the whole story is a PR stunt.” 

Poly Network's team verified that the private key is authentic, according to the organization.

“As of now, Poly Network has regained control of the $610 million (not including the frozen $33 million USDT) in assets that were overall affected in this attack. Once again, we would like to thank Mr. White Hat for keeping his promise, as well as the community, partners, and the multiple security agencies for their assistance.”

Email extortionists threatening to release your sex tape

Scammers are circulating a new email scam campaign claiming that they have a sex tape of you, and that if you do not send them $1,500 in bitcoin they will release it.

The extortion email states that the extortionists had intercourse with you a long time ago and secretly recorded everything, and that they also stole all your passwords and contact lists while you were in the bathroom.

The email further specifies that they will delete everything about you once you send them $1,500 in bitcoin, and that you will never hear from them again.

But the recipient of this mail should not worry, as it is just a scam and the senders do not have any sex tape of you. Therefore, you should not send them any money or be worried that it is true.


I have yet another surprise for you, our intercourse video. 

Yes, you read it right. We had intercourse quite a long time back, and I recorded a video of it. Not just the video, I even saved all your passwords, contact lists and everything. I did all of this when you were in the bathroom, trying to clean yourself. 

Trust me, I can fcuk up your life if I want to. 

I am not an evil individual, it's just that, I need some money and I am certain you can help me with it. 

So here is the non-negotiable deal. You send me $1500, and I will delete everything I have about you. You will not ever ever hear from me. 

Send the money to my bitcoin (BTC) address. Search Google (How to buy bitcoin), if you do not know how to send bitcoin. 


Darling, the address is case-sensitive, so it is better to copy and paste it. 

If I do not get the bitcoins within one day, I promise, I will: 

1. Send our intercourse video to all of your contacts. 
2. I will leave our intercourse DVD to your neighbors (I know where you reside), and a copy for your nice family as well. 
3. I will NOT let you live your life, as simple as that. I will keep coming back. 

For the apparent reason, I can not tell you my personal name, but yes, I can tell you one thing that, it was a long, long time back darling.

According to BleepingComputer, the bitcoin address associated with the above email had not received any payments as of today.

Unfortunately, the bitcoin address cannot be provided due to privacy concerns of the person who shared the email.

Bitcoin Ransom Of $950,000 Paid To Kidnappers For An American Man Who’s Still Missing!

A Bitcoin ransom of $950,000 was demanded by the kidnappers in exchange for a United States businessman. Despite the payment, the abducted man is still missing.

The missing man, who was the owner of an online gambling platform, has been identified as William Sean Creighton Kopko.

The man went missing in Costa Rica, where he was reportedly abducted last September.

In all, around 12 people were arrested by Spanish and Costa Rican police in connection with the kidnapping.

Kopko's family paid the demanded ransom of bitcoin worth $950K, after which the kidnappers cut off communication.

The suspected kidnappers suddenly absconded to Cuba and returned to Spain in early November 2018.

These suspects then rented an apartment and that’s when they got arrested in Zaragoza, Spain.

Tech-savvy criminals have long been keen on cryptocurrency, and extorting bitcoin has been a recurring theme.

Earlier, criminals posing as students wanting to learn about bitcoin tortured a man into revealing the passwords to his cryptocurrency accounts.

There have been recent cases in which cryptocurrency was demanded in exchange for kidnapped wives and other victims.

Apparently, demanding bitcoins as ransom has become the latest thing.