
TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamous hacking group is back in business.

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback. The researchers observed three attack types in the reportedly new TeamTNT activity, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker daemons, deploys an Alpine OS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver attempts to recover private keys by solving the discrete logarithm on the secp256k1 curve used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break Bitcoin's existing cryptography at some point in the future, doing so is thought to be impossible with current machines. TeamTNT appears willing to test the theory anyway, using other people's resources.
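As an added illustration (not TeamTNT's tool or AquaSec's analysis), the kangaroo method below runs in a toy group, the integers mod the prime 1019, rather than on secp256k1; the constants P and G, the interval and the secret exponent are assumptions for the example. It also returns the method's square-root operation estimate, which is what makes it impractical against 256-bit keys.

```python
"""Toy Pollard kangaroo (interval discrete-log) solver.

Added example, not TeamTNT's solver: the article's tool targets the secp256k1
curve; here the same idea runs in the multiplicative group Z_P^* of a small
prime so every value can be checked by hand.
"""
import math

P = 1019   # constructed: small prime, group Z_1019^* has order P - 1 = 1018
G = 2      # 2 generates Z_1019^* (1019 mod 8 == 3, so 2 is a quadratic non-residue)


def kangaroo(g, h, a, b, p=P, max_steps=100_000):
    """Return (x, jumps) with g**x == h (mod p) for an x believed to lie in [a, b].

    The tame kangaroo starts at the known exponent b, the wild one at h (unknown
    exponent x). Both use the same position-dependent jump rule, so once they
    land on the same group element they move together and x falls out of the
    difference of the distances travelled. Returns (None, jumps) on failure.
    """
    n = p - 1                                    # group order (g is a generator)
    w = b - a
    k = max(1, math.isqrt(w).bit_length())       # jumps {1,2,4,...}: mean ~ sqrt(w)/2
    jumps = [1 << i for i in range(k)]
    jump_pts = [pow(g, s, p) for s in jumps]     # g**s for each jump size

    y_t, d_t = pow(g, b, p), 0                   # tame: exponent b + d_t (known)
    y_w, d_w = h % p, 0                          # wild: exponent x + d_w (unknown)
    traps_t, traps_w = {y_t: 0}, {y_w: 0}        # group element -> distance when visited

    for step in range(1, max_steps + 1):
        i = y_t % k                              # jump choice depends only on position
        y_t, d_t = y_t * jump_pts[i] % p, d_t + jumps[i]
        if y_t in traps_w:                       # tame lands on the wild trail:
            return (b + d_t - traps_w[y_t]) % n, 2 * step - 1   # b + d_t = x + d_w'
        traps_t[y_t] = d_t

        i = y_w % k
        y_w, d_w = y_w * jump_pts[i] % p, d_w + jumps[i]
        if y_w in traps_t:                       # wild lands on the tame trail:
            return (b + traps_t[y_w] - d_w) % n, 2 * step       # b + d_t' = x + d_w
        traps_w[y_w] = d_w
    return None, 2 * max_steps


def expected_group_ops(interval_bits):
    """Rough expected group operations for the kangaroo method, about 2*sqrt(w)
    for an interval of width w = 2**interval_bits. A secp256k1 private key has a
    256-bit range, giving roughly 2**129 operations: far beyond any botnet."""
    return 2 * math.isqrt(2 ** interval_bits)


if __name__ == "__main__":
    x_secret = 700                               # constructed secret inside [600, 900]
    h = pow(G, x_secret, P)
    x, steps = kangaroo(G, h, 600, 900)
    print(f"recovered x={x} after {steps} jumps (secret was {x_secret})")
    print(f"a 256-bit interval needs about 2**{expected_group_ops(256).bit_length() - 1} ops")
```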

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick: the threat actors optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should harden their cloud security and Docker configuration and apply all available security updates before it is too late.

UK Agency Publishes New Guidelines for Crypto Exchanges to Stop Sanctions Evaders

Crypto exchanges are now required to report suspected sanctions breaches to UK authorities under new rules introduced amid concerns that digital currencies such as Bitcoin, Ether, and Tether, or non-fungible tokens (NFTs) are being used to evade Russian sanctions. 

On August 30, the Treasury’s Office of Financial Sanctions Implementation (OFSI) updated official guidelines to specifically include "crypto assets" among the things that must be blocked if sanctions are imposed on an individual or enterprise. 

According to the regulations established by OFSI, cryptocurrency exchanges will be breaking the law if they fail to report customers who are subject to sanctions.

The regulations mean that exchanges now have the same legal obligations as professionals like estate agents, accountants, lawyers, and jewelers. The breach of guidelines will mean crypto exchanges are committing a criminal offense if they fail to report customers designated for sanctions. 

“It is vital to address the risk of crypto-assets being used to breach or circumvent financial sanctions,” a Treasury spokesperson stated. “These new requirements will cover firms that either record holdings of, or enable the transfer of, crypto-assets and are therefore most likely to hold relevant information.”

Financial sanctions on Russian business tycoons, politicians, and firms have been among the UK’s most prominent responses to the invasion of Ukraine. 

Earlier this year in April, Binance, the cryptocurrency exchange giant, blocked the accounts of relatives of Russian politicians, including Polina Kovaleva, the stepdaughter of the foreign minister, Sergei Lavrov, and Elizaveta Peskova, the daughter of Putin’s spokesperson, Dmitry Peskov. 

Employing crypto assets to bypass sanctions and shift money across the globe was already illegal in the UK under laws that cover all “economic resources”. However, the latest guidelines underline authorities’ concern regarding the new assets, which could be employed for circumventing sanctions because customers do not rely on regulated exchanges to make transactions. 

Anna Bradshaw, a partner in the Business Crime Department at Peters & Peters, a London law firm, supported the UK's move, saying the new guidelines were "in line with the more general expansion of financial services and anti-financial crime regulation to the crypto sector".

“Crypto and virtual assets are treated no differently than any other type of assets for the purposes of an asset freeze. Having said that, reliance on crypto or virtual currencies could potentially make it more difficult to detect that a sanctioned party is involved, or that it relates to sanctioned trade or other sanctioned activity – at least in time for steps to be taken to prevent it.”

FBI: Hackers use DeFi Bugs to Steal Cryptocurrency

Investors are being warned by the FBI that hackers are increasingly using Decentralized Finance (DeFi) platform security flaws to steal cryptocurrency.

According to the PSA, which was posted on the FBI's Internet Crime Complaint Center (IC3) today, nearly 97% of the $1.3 billion in bitcoin that was stolen between January and March 2022 came via DeFi sites. This represents a big increase from 72% in 2021 and roughly 30% in 2020, according to projections by the FBI.

The FBI urges people to be aware of the hazards, seek professional assistance if they are unsure, and research the security and general business practices of DeFi providers. "DeFi providers" here covers the exchanges, marketplaces, and other websites where users can buy, sell, trade, and borrow bitcoin and other digital assets.

The FBI's warning follows a Chainalysis analysis from April which found, based on Q1 2022 statistics, that DeFi cryptocurrency platforms are now targeted more than ever.

In most incidents, the attackers exploit security flaws in the platform's code or gain unauthorized access in order to drain cryptocurrency to addresses under their control.

According to Chainalysis, the threat actors behind these attacks used risky laundering services, such as illicit exchanges and coin tumblers on the dark web, to launder most of the stolen funds in 2022.

The FBI's alert provides investors with guidance that begins with basic cautions about performing due diligence before investing and then suggests the following:
  • Before investing, research DeFi platforms, protocols, and smart contracts and be aware of the dangers associated with DeFi investments.
  • Verify whether the DeFi investment platform has undergone one or more code audits performed by independent auditors. A code audit normally entails carefully examining the platform's underlying code to find any flaws or vulnerabilities that might impair its functionality.
  • Be wary of DeFi investment pools with short join windows and quick smart contract rollouts, especially if they have not had the recommended code audit.
  • Be mindful of the risks that crowdsourced approaches to finding and patching vulnerabilities pose: open-source code repositories are open to anyone, including people with malicious intent.

This year, none of the funds taken from DeFi platforms has been returned, indicating that attackers are less willing to give back stolen assets than they were in 2021, when almost 25% of all cryptocurrency stolen via DeFi platforms was eventually recovered and returned to the victims.

The FBI has linked the North Korean threat groups Lazarus and BlueNorOff (also known as APT38) to the April attack on Axie Infinity's Ronin network bridge, now the largest crypto hack ever.

Before that, the $611 million breach of the decentralized cross-chain protocol Poly Network in August 2021 had been the most significant cryptocurrency theft to date.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams may decide to concentrate on protecting Windows networks against cybercrime due to a believed lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most widely used operating systems on cloud platforms and servers around the world, in addition to upping the ante by using RaaS methods in their attacks.

The RaaS model makes it simpler and quicker for cybercriminals, even those with limited technical knowledge, to deploy ransomware attacks than traditional ransomware models. According to SPN data, three ransomware families, the infamous LockBit, Conti, and BlackCat, dominated the RaaS space in terms of detections. BlackCat is a ransomware family written in the Rust programming language that appeared at the end of 2021.

Ransomware attackers are motivated by money and will jump at new possibilities if they believe they can increase their earnings; encrypting Linux systems and demanding payment for the key to unlock servers and files appears to be becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It is not only ransomware groups that are focusing more on Linux. According to Trend Micro, there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, in which criminals covertly use the processing power of infected computers and servers to mine cryptocurrency for their own gain.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware

The Turkish-speaking group responsible for Nitrokod, which has been active since 2019, is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-mining code is executed. What is interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Besides Google Translate, Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes. On some websites, the malicious applications are advertised as being "100% clean," despite the fact that they are infected with mining malware. Nitrokod has been effective in spreading its malicious code through download sites such as Softpedia; since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches it, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific .exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves the Monero miner code and configuration settings, and begins the mining process, with mined coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code self-destructs.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.

Binance Executive: Scammers Created a 'Deep Fake Hologram' of him to Fool Victims

According to a Binance public relations executive, fraudsters created a deep-fake "AI hologram" of him to scam cryptocurrency projects via Zoom video calls.

Patrick Hillmann, chief communications officer at the crypto hypermart, stated he received messages from project teams thanking him for meeting with them virtually to discuss listing their digital assets on Binance over the past month. This raised some suspicions because Hillmann isn't involved in the exchange's listings and doesn't know the people messaging him.

"It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann said. "Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members."

Hillmann included a screenshot of a project manager asking him to confirm that he was, in fact, on a Zoom call in his write-up this week. The hologram is the latest example of cybercriminals impersonating Binance employees and executives on Twitter, LinkedIn, and other social media platforms.

Scams abound in the cryptocurrency world.

Despite highlighting a wealth of security experts and systems at Binance, Hillmann insisted that users must be the first line of defence against scammers. He wrote that they can do so by being vigilant, using the Binance Verify tool, and reporting anything suspicious to Binance support.

“I was not prepared for the onslaught of cyberattacks, phishing attacks, and scams that regularly target the crypto community. Now I understand why Binance goes to the lengths it does,” he added.

The only proof Hillmann provided was a screenshot of a chat with someone asking him to confirm a Zoom call they previously had. Hillmann responds: "That was not me," before the unidentified person posts a link to somebody's LinkedIn profile, telling Hillmann: "This person sent me a Zoom link then your hologram was in the zoom, please report the scam".

The fight against deepfakes

Deepfakes are becoming more common in the age of misinformation and artificial intelligence, as technological advancements make convincing digital impersonations of people online more viable.

They are sometimes highly realistic fabrications that have sparked global outrage, particularly when used in a political context. A deepfake video of Ukrainian President Volodymyr Zelenskyy was posted online in March of this year, with the digital impersonation of the leader telling citizens to surrender to Russia.

On Twitter, one version of the deepfake was viewed over 120,000 times. In its fight against disinformation, the European Union has targeted deepfakes, recently requiring tech companies such as Google, Facebook, and Twitter to take countermeasures or face heavy fines.

'DarkTortilla' Crypter Produces Targeted Malware

Researchers from Secureworks examined "DarkTortilla," a .NET-based crypter used to distribute both well-known malware and custom payloads.

Agent Tesla, AsyncRat, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing specific payloads like Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

Averaging 93 samples each week between January 2021 and May 2022, the highly adjustable and complicated crypter can also be used to send add-ons, such as additional payloads, decoy documents, and executables. It also looks to be particularly popular among hackers.

Secureworks analysts have discovered code resemblances with a crypter employed by the RATs Crew threat group between 2008 and 2011, as well as with Gameloader, malware discovered in 2021.

The malicious spam emails that transmit DarkTortilla include archives with an executable for an initial loader that is used to decode and run a core processor module, either hidden within the email itself or downloaded through text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file that enables the core processor to drop add-on packages like keyloggers, clipboard stealers, and cryptocurrency miners is then used to establish persistence and inject the main RAT payload into memory without leaving a trace on the file system.

The anti-tamper safeguards utilized by DarkTortilla are also significant since they guarantee that both processes used to run the components in memory are restarted right away after termination.

A second executable called a WatchDog, which is intended to monitor the targeted process and rerun it if it is destroyed, specifically enables the persistence of the first loader.

DarkTortilla's core processor can be configured to perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the 'tmp' folder, process add-on packages, and migrate execution to its install directory.

To prevent interference with the execution of DarkTortilla or the payload, it then injects its payload within the context of the configured subprocess and, if configured, can also provide anti-tamper protections.

This method is similar to the one used by the threat actor Moses Staff, which was discovered earlier this year using a watchdog-based strategy to prevent any interruption of its payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continued execution of the dropped WatchDog software itself.

Over 17 months from 2021 to May 2022, Secureworks claimed to have found an average of 93 different DarkTortilla samples being posted to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two more distributing MedusaLocker.

Microsoft Facing a Growing Threat by Cryptojackers

Cryptojackers are still invading computers all over the world while also getting more discreet and skilled at evading detection. The data was released by Microsoft's 365 Defender Research Team, which on Thursday posted a new analysis of cryptojackers on its blog.

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its integration with Intel TDT. In observed campaigns, attackers strongly favor abusing notepad.exe over other legitimate system utilities.

What are Cryptojackers?

Cryptojackers are mining malware that hijacks a target's device resources for the attacker's gain without the user's knowledge or approval. They are one of the threat categories that have emerged and thrived since the advent of cryptocurrencies. The threat data indicates that over the past year, companies have encountered millions of cryptojackers.

Furthermore, as per Microsoft, JavaScript is frequently used in the creation of cryptojackers, which in this case use browsers to infiltrate systems. The tech giant also cautioned against fileless cryptojackers, which mine in a device's memory and maintain persistence by abusing legitimate programs and LOLBins.

Cryptojacking operation

Among several legitimate system utilities, notepad.exe abuse is heavily favored by attackers in campaigns that have been observed. An improved version of the cryptojacker known as Mehcrypt was employed in this campaign.
  • This is a significant improvement over the previous version, which used a script to access its command-and-control (C2) server and download additional components that later carried out malicious deeds.
  • The new version also condenses all of its routines into a single script and connects to a C2 server in the final stage of its attack chain.
  • An archive file containing autoit.exe and a heavily obfuscated, arbitrarily named .au3 script serves as the threat's delivery vehicle.
  • Autoit.exe is started when the archive file is opened, and it decodes the .au3 script in memory.
  • When the script is executed, it continues to decode more obfuscation layers and loads more decoded scripts into memory.
  • The script then places a copy of itself and autoit.exe in a folder with an arbitrary name under C:\ProgramData.
  • To run the script each time the device starts, the script adds autostart registry entries and creates a scheduled task to delete the original files.
  • The malware then sets up its persistence mechanisms, loads malicious code into VBC.exe using process hollowing, and establishes a connection to a C2 server to wait for commands.
  • Depending on the C2 response, the malware loads its cryptojacking code into notepad.exe using process hollowing.
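As an added detection sketch (not Microsoft's own logic), the script below runs a few behavioural rules derived from the chain above over constructed Sysmon-style events; the field names, the folder name qz81kd, the file names and the IP addresses are all made up for the example.

```python
"""Behavioural rules for the Mehcrypt chain described above.

Added example, not Microsoft Defender's detection logic. Event dicts mimic
Sysmon-style fields; every path, folder name and address below is constructed.
"""
import json
import ntpath
import re

# Processes the article names as hollowing hosts: neither should be spawned by an
# AutoIt interpreter, and notepad.exe never needs outbound network connections.
HOLLOWING_HOSTS = {"notepad.exe", "vbc.exe"}
# An .au3 script inside a randomly named folder directly under C:\ProgramData
PROGRAMDATA_AU3 = re.compile(r"c:\\programdata\\[^\\]+\\[^\\]+\.au3\b", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autostart keys
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)

# Constructed telemetry in arrival order: two benign events mixed with the stages
# described in the article (folder qz81kd, script jx9a.au3 and IPs are made up).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "process_create", "image": r"C:\ProgramData\qz81kd\autoit.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\ProgramData\qz81kd\autoit.exe C:\ProgramData\qz81kd\jx9a.au3"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qz81kd",
     "details": r"C:\ProgramData\qz81kd\autoit.exe C:\ProgramData\qz81kd\jx9a.au3"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\ProgramData\qz81kd\autoit.exe",   # task that removes dropped files
     "cmdline": r"schtasks.exe /Create /TN qz81kd /TR C:\ProgramData\qz81kd\clean.cmd"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\ProgramData\qz81kd\autoit.exe", "cmdline": "vbc.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},              # hollowed notepad -> C2
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.9", "dest_port": 443},
]


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def evaluate(ev):
    """Return the names of the rules that fire on a single event."""
    hits = []
    kind = ev["type"]
    image, parent = _name(ev.get("image")), _name(ev.get("parent_image"))
    cmd = ev.get("cmdline", "")
    if kind == "process_create":
        if image == "autoit.exe" and PROGRAMDATA_AU3.search(cmd):
            hits.append("autoit_au3_from_programdata")
        if parent == "autoit.exe" and image == "schtasks.exe" and "/create" in cmd.lower():
            hits.append("schtasks_created_by_autoit")
        if parent == "autoit.exe" and image in HOLLOWING_HOSTS:
            hits.append("hollowing_host_spawned_by_autoit")
    elif kind == "network_connect" and image in HOLLOWING_HOSTS:
        hits.append("outbound_connection_from_" + image.split(".")[0])
    elif kind == "registry_set":
        if RUN_KEY.search(ev.get("key", "")) and "autoit.exe" in ev.get("details", "").lower():
            hits.append("run_key_points_to_autoit")
    return hits


def analyze(events):
    """Run every rule over an event stream; returns (rule, event) pairs in order."""
    return [(rule, ev) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(json.dumps({"rule": rule, "type": ev["type"], "image": ev.get("image")}))
```

Any single rule alone is noisy (AutoIt is a legitimate scripting tool); the chain of hits from one ProgramData folder is what makes the finding credible.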

The warning was issued just a few weeks after Microsoft released a study describing how a widespread phishing effort managed to steal sign-in credentials, hijack sign-in sessions, and bypass the authentication step even when multi-factor authentication (MFA) was turned on.

Sneak Peek: Hive's RaaS Techniques

With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations. 

Indeed, service providers such as Hive are giving threat actors a head start in their criminal careers. Hive is a new RaaS group that was discovered in June 2021, but its aggressive tactics and frequent variant improvements have turned it into a powerful opponent in the space. While other ransomware operators, such as REvil, dominated the news in its first year, Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics retailer. The attack piqued the interest of the RaaS industry, and the platform's victim count soon rose into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States.

How Hive Set Up a "Sales Department" 

The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group. Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets. 

The Labs team discovered that Hive provides compromised victims a unique identification before encrypting their data, generally during unsociable hours, after reviewing some of the network traffic. Once this is accomplished, information about the victim is released on Hive's dark web data leak sites (DLS). The victim is then emailed an automatically created ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department." 

When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.

Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.

However, Microsoft has now announced that Hive has produced a new variant written in a different programming language, switching from Golang to Rust. The migration is expected to give Hive various benefits that Rust has over other programming languages, including the use of string encryption as a strategy to make it more elusive.

Surprisingly, the new variant also employs a different cryptographic technique. While the Golang variant embeds one encrypted key in each file it encrypts, the Rust variant has been shown to construct two sets of keys in memory, use them to encrypt the files, and then save the sets to the root of the disk it encrypts, both with the .key extension. While the new variant's key set creation differs from the previous set examined by the Menlo Labs team, its file encryption is remarkably similar.

With these changes, the Hive threat is projected to grow much more. As a result, enterprises must prepare to battle RaaS and ransomware more extensively in the future.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0

LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter contain similarities discovered by cybersecurity researchers. 

LockBit 3.0 was released in June 2022 and introduced a brand-new leak site as well as the first ransomware bug bounty program. Zcash was also added as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a.ico file icon. The ransom note then appears, referencing 'Ilon Musk'and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

When the infection process is finished, the ransomware changes the machine's wallpaper to alert the user of the attack. While debugging a LockBit 3.0 sample, Trend Micro researchers found several code snippets that were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities in privilege escalation and API harvesting techniques. LockBit 3.0 performs API harvesting by hashing a DLL's API names and comparing them to a list of the APIs the ransomware requires. This procedure is the same as BlackMatter's: the publicly available script for renaming BlackMatter's APIs also works for LockBit 3.0.

The most recent version of LockBit also checks the UI language of the victim machine to avoid infecting machines set to the languages of Commonwealth of Independent States (CIS) member states.

Windows Management Instrumentation (WMI) via COM objects is used by Lockbit 3.0 and BlackMatter to delete shadow copies. Experts draw attention to the fact that LockBit 2.0 deletes using vssadmin.exe.

The findings coincide with LockBit becoming one of the most active ransomware-as-a-service (RaaS) gangs in 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being the most recent target.

The ransomware family contributed to 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which is based on 600 incidents handled between May 2021 and April 2022.

Hackers Used Fake LinkedIn Job Offer to Steal $625M

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued an advisory in May 2022 stating that highly skilled hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered: the North Korean government-backed hacking group Lazarus got into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise.

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Ronin, Axie Infinity's Ethereum-based proof-of-authority sidechain, had nine validators.

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 
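To make the five-of-nine threshold concrete, here is an added Python example; it is not Sky Mavis or Ronin code. The HMAC "signatures", validator names, keys and amounts are constructed stand-ins for the real ECDSA validator signatures, but the counting rule is the one a bridge verifier must enforce: only distinct validators with a valid signature over this exact withdrawal count, so four compromised keys fall short, replaying one signature does not help, and a fifth signer that the operator was still allowed to use crosses the line.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy stand-in for validator signatures: each validator holds a secret key and
# "signs" a withdrawal by computing an HMAC over its canonical encoding. Real
# bridges use ECDSA keys; the threshold-counting logic below is the same.


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    asset: str
    amount: int
    nonce: int

    def encode(self) -> bytes:
        return f"{self.recipient}|{self.asset}|{self.amount}|{self.nonce}".encode()


def sign(validator_key: bytes, w: Withdrawal) -> bytes:
    return hmac.new(validator_key, w.encode(), hashlib.sha256).digest()


def verify_withdrawal(w: Withdrawal, signatures, validator_keys: dict, threshold: int) -> bool:
    """signatures: iterable of (validator_id, signature).

    Only DISTINCT validators with a valid signature over this exact withdrawal
    count towards the threshold, so replaying one validator's signature or
    attaching signatures made over a different payload does not help an attacker.
    """
    signers = set()
    for vid, sig in signatures:
        key = validator_keys.get(vid)
        if key is None:
            continue  # not a current validator; ignored
        if hmac.compare_digest(sig, sign(key, w)):
            signers.add(vid)
    return len(signers) >= threshold


def scenario():
    # Constructed validator set: nine validators, 5-of-9 threshold, as Ronin had.
    keys = {f"v{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(1, 10)}
    threshold = 5
    w = Withdrawal(recipient="0xattacker", asset="ETH", amount=173_600, nonce=1)

    # v1..v4: validators running inside the compromised operator's infrastructure.
    compromised = ["v1", "v2", "v3", "v4"]
    four = [(v, sign(keys[v], w)) for v in compromised]
    four_enough = verify_withdrawal(w, four, keys, threshold)

    # Replaying v1's signature a second time does not add a signer.
    replayed = four + [("v1", sign(keys["v1"], w))]
    replay_enough = verify_withdrawal(w, replayed, keys, threshold)

    # v5: a third party's validator whose signing path the operator was still
    # allowed to use (the stale allowlist in the Ronin case). One more signer
    # crosses the threshold.
    five = four + [("v5", sign(keys["v5"], w))]
    five_enough = verify_withdrawal(w, five, keys, threshold)

    # The five signatures bind to this payload only: change the amount and they fail.
    tampered = Withdrawal("0xattacker", "ETH", 173_601, 1)
    tampered_enough = verify_withdrawal(tampered, five, keys, threshold)

    return four_enough, replay_enough, five_enough, tampered_enough


if __name__ == "__main__":
    print(scenario())  # (False, False, True, False)
```

The point the scenario makes is organisational rather than cryptographic: the verifier is correct, yet when four of the keys live in one operator's infrastructure and a fifth can be exercised through a permission that operator was never stripped of, a 5-of-9 scheme degrades to "compromise one company". Raising the validator count only helps if the additional signers are genuinely independent.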

Since then, the Ronin sidechain has raised its validator count to 11 to improve security, and Sky Mavis is reimbursing Axie players who lost crypto in the hack. In April 2022 the company raised $150 million in funding. 

The US administration attributes the attack to the North Korean hacking group Lazarus, which specialises in such operations. This is hardly Lazarus' first foray into the blockchain sector, but its use of social engineering to get into a company's network is notable. Indeed, the Slovak security company ESET warned LinkedIn users in June 2020 about a complex Lazarus recruiting fraud targeting the military and aerospace industries.

NFTs Worth 200 Ether Were Stolen From the Bored Ape Yacht Club 

 

Yuga Labs' Bored Ape Yacht Club and Otherside Metaverse Discord servers were hijacked to post a phishing scheme; the attackers allegedly took approximately $257,000 in Ethereum and 32 NFTs. A Yuga Labs community manager's Discord account was reportedly compromised on June 4 and used to spread the scam across the firm's Discord servers. 

According to Coindesk, the attacker took over Boris Vagner's Discord account and posted phishing links in the BAYC server, the related 'Otherside' metaverse server, and the Discord server of the NFT fantasy football project Spoiled Banana Society (SPS). As of 8.50 a.m., the worldwide crypto market capitalization had risen 3.43 percent to $1.27 trillion, and worldwide crypto volume was up 18.04 percent to $51.24 billion, according to CoinMarketCap data. 

The phishing messages, which appeared to come from Vagner, advertised an exclusive giveaway open only to holders of BAYC, Mutant Ape Yacht Club and Otherside NFTs. Holders were directed to a phishing site that asked them to enter login information for their wallets; with those credentials the attackers emptied all Ethereum and NFTs from the connected wallets. Yuga Labs eventually regained control of the Discord server, but not before significant damage had been done. 

BAYC's official Twitter account put the stolen NFTs at roughly 200 ETH ($361,000); other reports put the haul at 145 ETH and 32 NFTs, valued at about $250,000 in total.

Approximately 32 NFTs were taken, according to blockchain security firm PeckShield, from the Bored Ape Yacht Club, Otherdeed, Bored Ape Kennel Club, and Mutant Ape Yacht Club projects. 

According to the reports, it is unknown how the community manager's account was compromised or whether two-factor authentication was enabled. 2FA blocks straightforward password reuse and guessing, but not a stolen session token or a one-time code phished in real time, so it narrows rather than rules out the ways the account could have been taken.

OpenSea Warns of Discord Channel Hack

 

The nonfungible token (NFT) marketplace OpenSea had its main Discord server compromised, with attackers posting phoney "YouTube partnership" announcements. A screenshot shared on Friday shows a phishing site linked from the fraudulent collaboration news. 

The marketplace's Discord server was hacked on Friday morning, according to OpenSea Support's official Twitter account, which urged users not to click links in the channel. OpenSea had "partnered with YouTube to bring their community into the NFT Space," claimed the attacker's first post in the announcements channel. 

It went on to say that YouTube would collaborate with OpenSea on a mint pass allowing holders to mint their project for free. The attacker appears to have held the server for some time before OpenSea staff regained control, posting follow-ups to the bogus announcement that repeated the phoney link and claimed 70% of the supply had already been minted, a standard attempt to create fear of missing out in the victims. 

The scammer also tried to persuade OpenSea users by claiming that anyone who claimed the NFTs would receive "insane utilities" from YouTube. They state that this offer is one-of-a-kind and that there would be no other rounds to engage in, which is typical of scammers. As of this writing, on-chain data indicates that 13 wallets have been infiltrated, with the most valued stolen NFT being a Founders' Pass worth about 3.33 ETH ($8,982.58). 

According to initial reports, the attacker abused webhooks to post as the server. A Discord webhook is a URL tied to a specific channel; any software holding that URL can post messages into the channel under a configurable name and avatar, with no user login involved. That makes webhook URLs attractive to attackers: whoever obtains one (from a compromised bot, a leaked integration secret or a third-party service) can post what looks like an official announcement. The OpenSea Discord server is far from the only one that relies on webhooks. 

In early April, a similar weakness let an attacker post phishing links under official server identities in the Discord channels of several popular NFT collections, including Bored Ape Yacht Club, Doodles, and KaijuKings.

Hackers Steal NFTs Worth $3M in Bored Ape Yacht Club Heist

 

Hackers stole non-fungible tokens (NFTs) estimated at $3 million after breaking into the Bored Ape Yacht Club's Instagram account and posting a link to a replica website built to drain victims' wallets.

The fake post offered a free airdrop, essentially a promotional token giveaway, to anyone who clicked the link and connected their MetaMask wallet to the attacker's site. Rather than receiving free items, victims had their wallets drained. 

Bored Ape Yacht Club tweeted Monday morning in a warning that came too late for some of its members, "It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,"  

The Bored Ape Yacht Club, or BAYC, is a collection of images of bored-looking apes in various poses and outfits, used as online profile avatars and selling for hundreds of thousands of dollars' worth of crypto. 

Miscreants stole four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, as well as "assorted additional NFTs estimated at a total value of $3 million," according to Yuga Labs, the company that launched Bored Ape Yacht Club. 

"We are actively working to establish contact with affected users," a Yuga Labs spokesperson said, adding that its hijacked Instagram account did have two-factor authentication enabled, "and the security practices surrounding the IG account were tight." 

"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account," the spokesperson stated. 

This is the second time in less than a month that the NFT collection's channels have been hijacked. Bored Ape Yacht Club said on March 31 that its Discord server had been compromised; in that earlier incident, according to security firm PeckShield, a cybercriminal stole one NFT, Mutant Ape Yacht Club #8662. 

In March, following the launch of the ApeCoin token by the Bored Ape Yacht Club, an attacker made around $1.5 million by using flash loans to borrow BAYC NFTs they did not own from an NFT vault, claiming the ApeCoin airdrop allocated to those NFTs, and returning them within the same transaction; the airdrop checked current ownership at claim time rather than ownership at an earlier snapshot. Flash loans are borrowed and repaid within a single blockchain transaction, so the assets need only be held for seconds. These and other recent incidents have raised security concerns about NFT and cryptocurrency technologies.
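The flash-loan airdrop claim described above, reduced to its essentials in an added Python simulation (this is not ApeCoin, BAYC or NFTX code). The collection, vault, token ids, the attacker and the per-token payout of 10,094 are constructed for the example; the contrast it shows is the one that mattered: an airdrop that asks "who owns this token right now?" pays whoever holds it mid-transaction, while one that consults a snapshot taken at an earlier block does not.

```python
from collections import defaultdict


class NFTCollection:
    """Minimal ERC-721-style ownership ledger: token_id -> owner."""

    def __init__(self, owners):
        self.owners = dict(owners)

    def owner_of(self, token_id):
        return self.owners[token_id]

    def transfer(self, token_id, sender, recipient):
        if self.owners[token_id] != sender:
            raise PermissionError("not the owner")
        self.owners[token_id] = recipient


class Airdrop:
    """Pays per_token units once per NFT. With snapshot=None eligibility is
    checked against CURRENT ownership (the weak design); with a snapshot it is
    checked against who owned the token at a fixed earlier block."""

    def __init__(self, nft, per_token, snapshot=None):
        self.nft = nft
        self.per_token = per_token
        self.snapshot = snapshot
        self.claimed = set()
        self.paid = defaultdict(int)

    def claim(self, caller, token_ids):
        total = 0
        for tid in token_ids:
            if tid in self.claimed:
                raise ValueError(f"token {tid} already claimed")
            owner = self.snapshot[tid] if self.snapshot is not None else self.nft.owner_of(tid)
            if owner != caller:
                raise PermissionError(f"{caller} does not qualify for token {tid}")
            self.claimed.add(tid)
            total += self.per_token
        self.paid[caller] += total
        return total


class NFTVault:
    """NFTX-style vault that lends its NFTs for the duration of one call and
    requires them back before returning (otherwise the transaction reverts)."""

    def __init__(self, nft, address, token_ids):
        self.nft, self.address, self.token_ids = nft, address, list(token_ids)

    def flash_loan(self, borrower, callback):
        for tid in self.token_ids:
            self.nft.transfer(tid, self.address, borrower)
        callback(self.token_ids)
        for tid in self.token_ids:
            self.nft.transfer(tid, borrower, self.address)  # must come back or revert


def run(use_snapshot: bool):
    # Constructed state: 5 tokens, all sitting in a vault before the airdrop opens.
    vault_addr, attacker = "vault", "attacker"
    nft = NFTCollection({tid: vault_addr for tid in range(5)})
    snapshot = dict(nft.owners) if use_snapshot else None  # taken BEFORE the attack
    airdrop = Airdrop(nft, per_token=10_094, snapshot=snapshot)
    vault = NFTVault(nft, vault_addr, range(5))

    gained = 0

    def during_loan(token_ids):
        nonlocal gained
        gained = airdrop.claim(attacker, token_ids)  # attacker is owner_of() right now

    try:
        vault.flash_loan(attacker, during_loan)
    except PermissionError:
        return 0  # on-chain the whole transaction reverts, so nothing is paid
    return gained


if __name__ == "__main__":
    print(run(use_snapshot=False))  # 50470: live-ownership check pays the borrower
    print(run(use_snapshot=True))   # 0: snapshot check rejects flash-loaned tokens
```

A per-token "already claimed" flag, which the simulation also has, does not help here: the tokens had never been claimed, and the vault that legitimately held them had no reason to. Only tying eligibility to a block that predates the claim window closes the window.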

YouTube Scammers Steal $1.7M in Fake Crypto Giveaway

 

According to Group-IB, a group of online scammers made approximately $1.7 million by promising cryptocurrency giveaways on YouTube. 

The group allegedly streamed 36 YouTube videos between February 16 and 18, gaining at least 165,000 views, according to the Singapore-based security company. To lend credibility to the streams, they spliced in footage of tech entrepreneurs and crypto figures such as Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood. 

The channels were either hijacked or bought on the black market, according to Group-IB, and the streams linked to at least 29 websites with instructions on how to double cryptocurrency investments. 

'Investors' were encouraged to send a tiny sum of virtual currency and promised that they would be paid back twice that amount. Some victims were prompted to enter seed phrases to 'link' their wallets, depending on the cryptocurrency and wallet type utilised. 

Anyone who did so handed the scammers full control of the wallet, which they promptly emptied. In just three days the scammers' wallets received 281 transactions totalling nearly $1.7 million; the precise number of victims and the overall amount stolen are unknown. 

Group-IB stated, “The fake crypto giveaway scheme is not new, but apparently is still having a moment. Further analysis of the scammers’ domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022. Notably, there were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year.” 

Crypto enthusiasts should be wary of freebies and avoid sharing personal information online, according to Group-IB. Users were also encouraged to double-check the authenticity of any promos and use a password manager to store any seed phrases.

Australian Consumer Watchdog Reports Massive Surge of Crypto Use in Investment Scams

 

Australians’ losses from investment frauds surged 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission (ACCC) confirming payments to fraudsters are most often carried out in cryptocurrency. 

Consumer and Fair Trade Executive Managing Director Rami Greiss said that while the increase in the use of crypto follows its growing popularity, it has facets that lend themselves to being exploited by fraudsters. “It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist. So really, it’s the fact that it’s the wild west,” Greiss explained.

"In relation to scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer," Gina Cass-Gottlieb, the new president of the ACCC stated. 

The ACCC says it has received 66 reports of money-recovery scams this year through its Scamwatch website, a 725 percent increase on the same period in 2021. The commission also noted that fraudsters target previous scam victims, contacting them while posing as a representative of a trusted body such as a law firm, fraud task force, or government agency. 

Subsequently, the fraudsters ask victims to fill out fake paperwork or provide identity documents and seek upfront payments. They may request remote access to computers or smartphones, enabling them to scam their unsuspecting victims. Earlier this year, the Australian government announced it would design a crypto badge of approval to licence intermediaries such as exchanges.

Last week, Australia’s Financial Services Minister Jane Hume stated that the license will include a "fit and proper person" test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban. 

“Crypto values will go up and down sure as eggs, and the government will not be protecting consumers from market volatility—and nor should they,” she said. “But Australian investors will be sure that if they use a licensed Australian exchange, they can trust the exchange will deliver on its commitments to customers and have appropriate protections.”

Germany Shuts Down World's Largest Illegal Marketplace on Darknet

 

The German authorities have seized the servers of Hydra Market, the best-known Russian-language darknet marketplace for drug sales and money laundering. They also seized 543 bitcoins, worth a little more than $25 million, from Hydra's proceeds. 

The money seized reflects the scale of the Hydra market, which had over 19,000 registered vendor accounts serving at least 17 million clients worldwide. Hydra Market had a turnover of $1.35 billion in 2020, according to the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA), making it the world's largest darknet market. 

Elliptic, a blockchain analytics firm, confirmed the authorities' confiscation of digital assets today, charting the action as 88 transactions totalling 543.3 bitcoin. Hydra also provided stolen databases, falsified documents, and hacking for hire services, in addition to the core focus of narcotics and money laundering. 

An investigation into a shady area 

The BKA, acting on behalf of the Attorney General's Office in Frankfurt am Main, seized the market's infrastructure following a coordinated international law enforcement action, according to the seizure notice now displayed on Hydra's homepage. The move followed a lengthy investigation into the platform's previously unknown operators and administrators. 

Hydra Market ran a "Bitcoin Bank Mixer" that obscured every bitcoin transaction made on the platform, making it difficult for law enforcement agencies to trace money gained through illicit activity, according to the BKA announcement. 

According to a BKA spokesperson, no arrests have been made in this operation, and they are unable to give any other information on the evaluation of the confiscated infrastructure owing to ongoing investigations.

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters

 

The Discord servers of several prominent NFT projects were hijacked last week in a phishing campaign designed to trick members into handing over their NFTs. 

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On the blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now labelled Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallet, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and quickly sold it. Early Friday morning the second wallet sent 61 ETH ($211,000) to the mixing service Tornado Cash. Its most recent transaction is a transfer of 0.6 ETH to an inactive wallet, which then sent the same amount on to a highly active wallet holding 1,447 ETH ($5 million), 6 million Tether ($6 million), and a variety of other tokens. 

This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself. 

Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.
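Every incident in the OpenSea, Instagram and Discord posts above turned on the same step: an official-looking channel pushed a link to a domain the project does not own. Here is an added Python example (not code from any of the projects named) of the check a community team can run over announcement text before it reaches members. The allowlist, brand tokens and sample messages are constructed for the example; a real deployment would load the allowlist from configuration and use the Public Suffix List instead of the naive registrable-domain function.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of a project's official domains and brand tokens; a real
# deployment would load these from configuration.
OFFICIAL_DOMAINS = {"opensea.io", "boredapeyachtclub.com", "otherside.xyz"}
BRAND_TOKENS = ("opensea", "boredape", "bayc", "yuga", "otherside")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as opensae.io."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive eTLD+1 (last two labels). Enough for .io/.com/.xyz here; production
    # code should use the Public Suffix List so that e.g. .co.uk is handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"          # exact registrable-domain match only
    sld = domain.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        if levenshtein(sld, official.split(".")[0]) <= 2:
            return "lookalike"     # typosquat of an official name
    squashed = host.lower().replace("-", "").replace(".", "")
    if any(tok in squashed for tok in BRAND_TOKENS):
        return "brand-in-unofficial-host"  # brand used as a subdomain or label elsewhere
    return "unknown"


def scan_message(text: str):
    """Return (url, verdict) for every URL in an announcement; anything other than
    'official' should be held or removed before members see it."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]


# Constructed announcement messages in the style of the hijacked posts.
SAMPLE_MESSAGES = [
    "We have partnered with YouTube! Claim your mint pass: https://opensea-youtube-mint.example/claim",
    "New collection live on https://opensea.io/collection/boredapeyachtclub",
    "Verify your wallet to keep your apes: https://opensae.io/login",
    "Exclusive rewards for holders: https://boredapeyachtclub.com.mint-rewards.example/",
]


def suspicious_urls(messages):
    return [u for m in messages for u, verdict in scan_message(m) if verdict != "official"]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(scan_message(m))
```

The fourth sample is the case that fools people: the official domain appears at the start of the hostname, but the registrable domain is `mint-rewards.example`, which is why the check compares registrable domains rather than looking for the brand anywhere in the URL. Wiring `scan_message` to a bot that can delete or quarantine webhook posts turns it into a detection rather than a lint.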

Ola Finance: Attackers Stole $4.7M in 'Re-Entrancy' Exploit

 

According to a post-mortem report released by the developers, the decentralised lending platform Ola Finance was exploited for approximately $4.67 million in a re-entrancy attack on Thursday.

Ola runs a decentralised finance (DeFi) lending platform across multiple blockchains; Thursday's attack targeted its deployment on the Fuse network. DeFi refers to providing financial services such as lending and borrowing through smart contracts rather than intermediaries. 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE were drained from Ola's lending pools on Fuse. 

At current prices, all of that is worth more than $4.67 million. The attack exploited a re-entrancy flaw involving the ERC677 token standard. ERC677 tokens implement transferAndCall, which invokes a callback on the receiving contract in the middle of a transfer; if the sending contract has not yet updated its own accounting at that point, the receiver can call back into it and act on stale state. Re-entrancy is a long-standing class of smart-contract bug in which a contract is called again before its first invocation has finished, letting an attacker repeat a withdrawal or redemption against balances that have not yet been debited. 

The attacker funded the initial heist transaction with a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance; later transactions reused funds already stolen rather than taking another loan, according to the post-mortem. Voltage is a decentralised exchange on the Fuse network that enables automated trading of DeFi tokens. 

In broad terms, the attacker deposited the flash-loaned assets as collateral in Ola's lending market, borrowed against them, and used the ERC677 transfer callback fired during the payout to re-enter the market and withdraw the collateral before the new debt had been recorded, leaving the pool holding unbacked loans. Ola Finance said the attack could not be replicated on the other networks it supports. The developers stated, “We will investigate each token’s 'transfer' logic to make sure no problematic token standards are in use.” 
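The re-entrancy described above, as an added Python simulation that is not Ola Finance, Voltage or Fuse code. Token names, the 0.5 collateral factor, pool balances and the attacker's deposit are constructed; the shape is the one the post-mortem describes: a token whose transfer calls back into the recipient, a market that pays out the loan before it records the debt, and a recipient hook that redeems collateral in that window. The hardened variant applies both standard fixes, a re-entrancy guard and checks-effects-interactions ordering; either one alone is enough to stop this attack.

```python
from collections import defaultdict


class PlainToken:
    """Plain ERC-20-style ledger: transfer() just moves balances."""

    def __init__(self):
        self.balances = defaultdict(int)

    def mint(self, who, amount):
        self.balances[who] += amount

    def balance_of(self, who):
        return self.balances[who]

    def transfer(self, sender, recipient, amount):
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] += amount


class CallbackToken(PlainToken):
    """ERC677-style token: after moving the balance, transfer() hands control to
    the recipient's on_token_transfer hook. That hook is the re-entry point."""

    def transfer(self, sender, recipient, amount):
        super().transfer(sender, recipient, amount)
        hook = getattr(recipient, "on_token_transfer", None)
        if hook is not None:
            hook(self, sender, amount)


class LendingMarket:
    COLLATERAL_FACTOR = 0.5  # borrow at most half of deposited collateral

    def __init__(self, collateral_token, loan_token, hardened):
        self.coll, self.loan, self.hardened = collateral_token, loan_token, hardened
        self.collateral = defaultdict(int)
        self.debt = defaultdict(int)
        self._entered = False

    def _enter(self):
        if self.hardened and self._entered:
            raise RuntimeError("reentrant call")  # nonReentrant guard
        self._entered = True

    def deposit(self, user, amount):
        self.coll.transfer(user, self, amount)
        self.collateral[user] += amount

    def borrow(self, user, amount):
        self._enter()
        try:
            if self.debt[user] + amount > self.collateral[user] * self.COLLATERAL_FACTOR:
                raise ValueError("undercollateralized")
            if self.hardened:
                self.debt[user] += amount               # effects before interaction
                self.loan.transfer(self, user, amount)
            else:
                self.loan.transfer(self, user, amount)  # recipient hook runs HERE...
                self.debt[user] += amount               # ...before the debt exists
        finally:
            self._entered = False

    def redeem(self, user, amount):
        self._enter()
        try:
            remaining = self.collateral[user] - amount
            if self.debt[user] > remaining * self.COLLATERAL_FACTOR:
                raise ValueError("would leave debt uncovered")
            self.collateral[user] -= amount
            self.coll.transfer(self, user, amount)
        finally:
            self._entered = False


class Attacker:
    def __init__(self, market):
        self.market = market
        self.reentered = False

    def on_token_transfer(self, token, sender, amount):
        # Fires while borrow() is still executing. In the vulnerable market the
        # debt has not been recorded yet, so redeem() sees a debt of 0.
        if sender is self.market and not self.reentered:
            self.reentered = True
            self.market.redeem(self, self.market.collateral[self])


def run(hardened: bool):
    weth, fusd = PlainToken(), CallbackToken()
    market = LendingMarket(weth, fusd, hardened)
    fusd.mint(market, 1_000_000)       # constructed pool liquidity
    attacker = Attacker(market)
    weth.mint(attacker, 1_000)         # stands in for the flash-loaned capital
    market.deposit(attacker, 1_000)
    try:
        market.borrow(attacker, 500)
    except (RuntimeError, ValueError):
        return "reverted"              # on-chain the whole transaction reverts
    return weth.balance_of(attacker), fusd.balance_of(attacker)


if __name__ == "__main__":
    print(run(hardened=False))  # (1000, 500): collateral back AND the loan kept
    print(run(hardened=True))   # reverted
```

In the vulnerable run the attacker ends with the full 1,000 WETH collateral and 500 fUSD of borrowed funds while the market carries a 500 fUSD debt secured by nothing; repeating this with the proceeds is the "subsequent transactions without a flash loan" pattern the post-mortem describes. The audit question the developers set themselves, which token standards perform callbacks on transfer, is exactly the right one, because any token that calls out during a transfer turns every payout into a potential re-entry.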

 Meanwhile, Voltage stated it was in contact with third parties to track down the attacker and devise a method to compensate those who had been harmed.

One arrested in ₹1,200-Crore Crypto Fraud Case, 900 Investors Scammed

 

The Enforcement Directorate announced on Tuesday that it had arrested a suspect in connection with a money-laundering investigation into a Kerala-based businessman accused of defrauding more than 900 investors of Rs 1,200 crore through a cryptocurrency investment scheme. 

Abdul Gafoor, one of the most prominent stockists of the 'Morris Coin' cryptocurrency scheme, was arrested on March 24, according to the source. The next day he was taken into Enforcement Directorate (ED) custody, where he was held until March 31. The federal agency said Mr Gafoor had not cooperated with the investigation and had been extremely evasive in his responses. 

The agency stated, "Considering the fact that Abdul Gafoor is one of the directors of Stoxglobal Brokers Pvt. Ltd. and has played an active role in facilitating the placement and layering of proceeds of crime, he has been placed under arrest on March 24," 

The ED case arose from an FIR filed by the Kerala Police (Malappuram crime branch unit) against the case's main accused, businessman Nishad K. The agency alleged Nishad K "cheated several investors by accepting investments, under a Ponzi scheme, through his three Bengaluru based firms-- Long Reach Global, Long Reach Technologies and Morris Trading by offering high returns of dividend such as 3-5 per cent per day." 

According to the police complaint, "more than 900 investors were cheated to the tune of ₹ 1,200 crore." The investigation discovered that "Nishad, the main accused person, had appointed those persons as pin stockists who had invested a minimum of ₹ 10 lakh in Nishad's scheme and Nishad promised them that he would give five per cent as commission on the investment.” 

The ED stated, "They made aggressive enrolment of new members into an illegal money circulation scheme under the garb of multi-level marketing, resorted to the fraudulent practice of investing the money received from the investors in the Morris Coin cryptocurrency plan run by Nishad and others". 

It alleged that this produced viral growth of the scheme's network and significant wrongful gain at the expense of investors. The agency had previously stated that the deposits taken from the public were illegal because the scheme had no regulatory approval. In January it attached Nishad K's assets worth ₹ 36.72 crore, along with those of his associates, including the rupee equivalent of cryptocurrencies that a close associate had purchased with proceeds of crime.