Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Crypto. Show all posts
Token Theft
AI AI Economy Crypto Technology Token Pilfering Token Theft

Token Pilfering: How Token Theft is Plaguing Cybersecurity


AI economy and computing threat

The rising AI economy is bringing a new type of cybercrime. Cybercriminals are scamming AI firms by signing up for new accounts to steal tokens via computing power. The problem is getting worse, according to Patrick Collison, CEO of payment behemoth Stripe. The token hackers now amount for one in every six new customer subscriptions.

Token pilfering

Experts said that the threat actors steal the tokens to later sell them on the dark web. ‘Token pilfering’ has plagued the cybersecurity world and is becoming quite expensive for AI startups to give free trials to potential customers.

Startups attacked for money

It is not new for hackers to attack startups. With the AI economy rising, it has created fractures for hackers because with traditional software trials, a registration for an AI firm brings valuable tokens for compute power that hackers can sell later.

The token theft

The most neglected subject in AI is token theft. Because they are using tokens at machine speed, these attackers can swiftly accrue enormous consumption bills that they never plan to pay and burn inference costs. This is one of the most frightening aspects of that.

In order to use the tokens for purposes unrelated to what the company is delivering or to resell them, token theft sometimes involves thieves creating many accounts at an AI company and across multiple firms. They always vanish after using up all of the tokens; Sands compared this swindle to those who "dine and dash" at restaurants.

Attack tactic

The problem surfaces as the crooks use agents to steal the tokens in minutes. Unlike a traditional software company, the cybercrime happens too fast for the organization to address the issue.

It is hell for AI firms who want to give out free trials to get more new users. Typically, it costs nothing for a firm to give out free trials on a temporary basis, but for AI firms, the customer-acquisition costs can go up to $500 due to scammers abusing the startup policies of giving out free tokens for trial accounts.

Token epidemic

The token epidemic has created problems for startups. Few have stopped free trials, but it has affected their growth as it shuts down the opportunities to get new customers.

Luckily, one solution exists. According to Stripe, there exists a product called Radar that works as a default fraud detector in the credit card payment network, adapts tools, and helps clients find and block token fraud.

Read more »
Technology
AI Bitcoin Crypto ETH Etherium Quantum Computing Technology

Crypto at Risk: Experts Believe Quantum Threat Arriving by 2030


A recent report has warned that cryptographic foundations that secure trillions of dollars in digital currency can be hacked by quantum computers within the next four to seven years, and the blockchain industry is not prepared for damage control.

About quantum computing and threats

Project Eleven, a quantum security firm, published a report that said these quantum computers, even one, is powerful enough to hack the elliptic curve digital signatures securing Ethereum, Bitcoin, and other big blockchains. Experts say they won’t exist beyond 2033, and may end soon by 2030. The window for action is closing fast. According to the report, “Migration to quantum-resistant cryptography is no longer optional but imperative for any blockchain system expected to be trusted and secure into the future." 

Why is quantum computing so fast?

Recent innovations have significantly lowered the hardware bar needed to launch such attacks. A breakthrough Google paper said that breaking the elliptic curve cryptography threshold could be achieved within 1,200 logical cubits, and less than 90 minutes of computing time on a supercomputing hardware.

Google has put a Q-Day (like D-day)  at 2032. Project Eleven’s research has decreased the timeline by two years: 2030. The report estimates that 6.9 million Bitcoin (one third of the total estimated supply) have already been leaked on-chain, exposed to the potential quantum attack. For ETH, exposure is more, with over 65% of all ETH held in quantum-exposed addresses.

Why are blockchains weak against quantum computing?

The public ledgers and bearer-instruments offer no security. Blockchains has no scam department, no redressal platform for stolen funds, and no chargeback measures. If a quantum hacker recovers a private key and steals money, the loss is permanent. The transition problem is further fouled by slow-moving blockchain governance. 

What makes blockchains particularly vulnerable, the report explains, is that their public ledgers and bearer-instrument design offer no safety net. Unlike a bank, a blockchain has no fraud department, no chargeback mechanism, and no way to reverse a forged transaction. Once a quantum attacker recovers a private key and drains a wallet, the loss is permanent. 

Why is crypto migration difficult?

Bitcoin SegWit upgrade took more than two years to complete whereas ETH’s transition of proof stake took around 6 years to build. Quantum migration reaches the most basic layer of any blockchain mechanism.

The tech world has already started moving. More than half of web traffic (human) is currently post-quantum encrypted, Cloudflare data from December 2025 said. 

Is the digital industry prepared?

The digital asset industry lacks preparedness. Crypto developers are suggesting various proposals but these plans will take years to execute while the threat is already brushing businesses and users.

"The internet has already moved," the report added. "The digital asset industry—which arguably has more at stake because blockchains directly protect bearer value with the exact cryptographic primitives that quantum computers threaten—has barely started."

Read more »
Telegram
Application Apps Crypto Crypto scams Cyber Crime Scam Telegram

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams

 

Cybersecurity experts found a large-scale fraud campaign that used Telegram’s Mini App feature to launch crypto attacks, mimic famous brands and spread Android malware. 

FEMITBOT malware 


Research by CTM360 has dubbed the platform as FEMITBOT, it is based on a string present in API responses and uses Telegram bots and integrated Mini Apps to make believable, app-like experiences directly inside the messaging platform.

These Mini Apps are lightweight web apps that run within Telegram’s built-in browser, allowing services like payments, interactive tools, and account access without needing users to leave the application. Exploiting Telegram Mini apps

The FEMITBOT platform is used for various scams such as financial frauds, AI tools, streaming sites, and fake cryptocurrency platforms.

In a few campaigns, hackers imitated famous brands to boost engagement and credibility, while having the same backend infrastructure with multiple Telegram bots and different domains.

Brands impersonated


Brands copied in this campaign are Disny, eBay, YouKu, NVIDIA, Moon Pay, Apple, and Coco-Cola. The campaign used a common backend, different phishing domains used the same API response: “Welcome to join the FEMITBOT platform," indicating they are all using the same infrastructure.

Telegram bots compromised


Campaign used Telegram bots to show phishing websites directly inside the social media site. Once a user interacts with a Telegram bot and opens “Start,” the bot starts a Mini App that shows a phishing page inside Telegram’s default WebView. The user is tricked into thinking it's part of the application itself.

Tricking users via phishing tactics


After entering the system, targets are displayed dashboards with fake balances with fake countdown timers or limited-time offers to bait users.

When a user tries to take money, they are asked to make a deposit or do referral work. This is a general tactic in advanced-fee scams and investments.

The infrastructure is built to be used across multiple campaigns so that hackers can easily switch among brands, themes, and languages. The campaigns also use tracking scripts like TikTok and Meta tracking pixels, to trace users’ activity, optimize performance, and measure interactions.

Malware distribution via mini apps


Additionally, some Mini Apps tried to spread malware by posing as companies like the BBC, NVIDIA, CineTV, Coreweave, and Claro in Android APKs.

“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.
Read more »
North Korean Hackers
Crypto Cyber Crime Hacked Hacking North Korean Hackers

North Korean Hackers Hack US Crytpo Executives in Just Five Minutes

 

About Arctic Wolf 


Cybersecurity experts at Arctic Wolf have disclosed information about an advanced campaign attacking North American Web3 and cryptocurrency organizations. State-sponsored group BlueNoroff launched the attack campaign, it is a financially motivated gang associated with the infamous North Korean Lazarus Group. The aim is to make persistent access on the victim device.  

The gang does this by fooling the victim into deploying malware on the systems; however, their tactic is quite advanced.  

The discovery 


Arctic Wolf found an active malicious intrusion in which the threat actor used spear-phishing to send an altered Calendly calendar invite with a typo-squatted Zoom link while posing as a respectable person in the Fintech legal industry. When the victim clicked the link, they were shown a phony Zoom meeting interface that simultaneously launched a ClickFix-style clipboard injection attack and secretly exfiltrated their live camera feed to use as a lure in subsequent attacks. 

After that, information was stolen from the victim's device and browsers via a multi-stage credential extraction pipeline that concentrated on cryptocurrency wallet extensions.v Now enters ClickFix 

While launching the attack campaign, the hackers use real, high-profile people from the Web3 world, create fake headshots (that look real) via ChatGPT, and generate animated videos via Adobe Premiere Pro. 

After this, the hackers would make a fake Zoom video call website similar to the actual Zoom call page, and would show the video to make it all look real.  

Attack tactic 


After this, BlueNoroff gang would invite the actual victim via Calendly, six months prior (to make it all look real and convincing) as prominent people are busy.  

Once the victim opens the Zoom link, they see the usual: a video call webpage with the user on the other side moving and acting like they are real people (remember they are all fake sem-animated video)but, after eight seconds on call, a notification comes up, saying their “SDK is deprecated” and showing users “Update Now” option. 

“The technical execution chain in this campaign is both efficient and operationally disciplined. From initial URL click to full system compromise, including C2 establishment, Telegram session theft, browser credential harvesting, and persistence, the attacker completed in under five minutes,” Arctic Wolf said.
Read more »
Technology
Bitcoin Blockchain Cloud Crypto Data Technology

Too Much Data Regulation Can Create Security Risks


Bitcoin transactions are transparent by design, they work as a pseudonym where operations are visible but identity is hidden. But the increasing amount of identity-based data around users is affecting the transparency into a personal security threat. 

The problem 

The increasing regulatory data collection is now mixing with bitcoin’s on-chain transparency, making a trove of identity linked data that hackers can abuse for forced, real-world attacks. 

What makes data a target? 

Physical attacks against cryptocurrency holders are on the rise due to a number of factors, including social engineering, frequent major data breaches, KYC requirements, and regulatory data collection. 

These occurrences, which are frequently referred to as "wrench attacks," entail coercion to gain private keys or force transactions by threats or physical violence. With France emerging as a focus point, this movement is highlighting a weakness in the industry's regulation.

Threats has become the rule rather than the exception, with at least 47.2% of cases involving verified torture or physical assault and 51.5% including firearms. There were 19 fatal occurrences, which resulted in 24 deaths overall and a 6.2% fatality rate. 2025 was the most violent year on record in terms of recorded cases, but analysts warn that the actual number of occurrences is probably greater because of underreporting. All numbers are based on cases that were publicly available at the time of reporting.

What are the risks?

The risk profile for Bitcoin holders is very harsh. Transactions are irreversible once private keys are turned over under duress. Chargebacks, account freezes, and institutional recovery procedures are nonexistent. When coupled with actual compulsion, the protocol's famed finality becomes a liability. 

France serves as an example of how rapidly this risk might increase. In France, there were twenty bitcoin-related physical attacks in 2025, compared to a total of just four between 2017 and 2024. Eight more cases had already been reported by early February 2026, indicating that the rise is continuing rather than leveling down. Europe now accounts for around 40% of all events worldwide, up from about 22% in 2024.

Read more »
Passwords
Crypto Cyber Security Cybersecurity GitHub Linux Passwords

Fake Go Crypto Package Caught Stealing Passwords and Spreading Linux Backdoor

 



Cybersecurity investigators have revealed a rogue Go module engineered to capture passwords, establish long-term SSH access, and deploy a Linux backdoor known as Rekoobe.

The package, published as github[.]com/xinfeisoft/crypto, imitates the legitimate Go cryptography repository widely imported by developers. Instead of delivering standard encryption utilities, the altered version embeds hidden instructions that intercept sensitive input entered in terminal password prompts. The stolen credentials are transmitted to a remote server, which then responds by delivering a shell script that the compromised system executes.

Researchers at Socket explained that the attack relies on namespace confusion. The authentic cryptography project identifies its canonical source as go.googlesource.com/crypto, while GitHub merely hosts a mirror copy. By exploiting this distinction, the threat actor made the counterfeit repository appear routine in dependency graphs, increasing the likelihood that developers would mistake it for the genuine library.

The malicious modification is embedded inside the ssh/terminal/terminal.go file. Each time an application calls the ReadPassword() function, which is designed to securely capture hidden input from a user, the manipulated code silently records the data. What should have been a secure input mechanism becomes a covert data collection point.

Once credentials are exfiltrated, the downloaded script functions as a Linux stager. It appends the attacker’s SSH public key to the /home/ubuntu/.ssh/authorized_keys file, enabling passwordless remote logins. It also changes default iptables policies to ACCEPT, reducing firewall restrictions and increasing exposure. The script proceeds to fetch further payloads from an external server, disguising them with a misleading .mp5 file extension to avoid suspicion.

Two additional components are retrieved. The first acts as a helper utility that checks internet connectivity and attempts to communicate with the IP address 154.84.63[.]184 over TCP port 443, commonly used for encrypted web traffic. Researchers believe this tool likely serves as reconnaissance or as a loader preparing the system for subsequent stages.

The second payload has been identified as Rekoobe, a Linux trojan active in the wild since at least 2015. Rekoobe allows remote operators to receive commands from a control server, download additional malware, extract files, and open reverse shell sessions that grant interactive system control. Security reporting as recently as August 2023 has linked the malware’s use to advanced threat groups, including APT31.

While the malicious module remained listed on the Go package index at the time of analysis, the Go security team has since taken measures to block it as harmful.

Researchers caution that this operation reflects a repeatable, low-effort strategy with glaring impact. By targeting high-value functions such as ReadPassword() and hosting staged payloads through commonly trusted platforms, attackers can rotate infrastructure without republishing code. Defenders are advised to anticipate similar supply chain campaigns aimed at credential-handling libraries, including SSH utilities, command-line authentication tools, and database connectors, with increased use of layered hosting services to conceal corrupted infrastructure.


Read more »
saaS
Bitcoin Crypto Cyber Security Google Mandiant saaS

Google Owned Mandiant Finds Vishing Attacks Against SaaS Platforms


Mandiant recently said that it found an increase in threat activity that deploys tradecraft for extortion attacks carried out by a financially gained group ShinyHunters.

  • These attacks use advanced voice phishing (vishing) and fake credential harvesting sites imitating targeted organizations to get illicit access to victims systems by collecting sign-on (SSO) credentials and two factor authentication codes. 
  • The attacks aim to target cloud-based software-as-a-service (SaaS) apps to steal sensitive data and internal communications and blackmail victims. 

Google owned Mandiant’s threat intelligence team is tracking the attacks under various clusters: UNC6661, UNC6671, and UNC6240 (aka ShinyHunters). These gangs might be improving their attack tactics. "While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion," Mandiant said. 

"Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.”

Theft details

UNC6661 was pretending to be IT staff sending employees to credential harvesting links tricking them into multi-factor authentication (MFA) settings. This was found during mid-January 2026.

Threat actors used stolen credentials to register their own device for MFA and further steal data from SaaS platforms. In one incident, the hacker exploited their access to infected email accounts to send more phishing emails to users in cryptocurrency based organizations.

The emails were later deleted to hide the tracks. Experts also found UNC6671 mimicking IT staff to fool victims to steal credentials and MFA login codes on credential harvesting websites since the start of this year. In a few incidents, the hackers got access to Okta accounts. 

UNC6671 leveraged PowerShell to steal sensitive data from OneDrive and SharePoint. 

Attack tactic 

The use of different domain registrars to register the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671) and the fact that an extortion email sent after UNC6671 activity did not overlap with known UNC6240 indicators are the two main differences between UNC6661 and UNC6671. 

This suggests that other groups of people might be participating, highlighting how nebulous these cybercrime organizations are. Furthermore, the targeting of bitcoin companies raises the possibility that the threat actors are searching for other opportunities to make money.

Read more »
Windows
AI Bitcoin Cloud Crypto Ethereum Internet Technology Windows

Malicous npm package exploit crypto wallets


Experts have found a malicious npm package that consists of stealthy features to deploy malicious code into pc apps targeting crypto wallets such as Exodus and Atomic. 

About the package

Termed as “nodejs-smtp,” the package imitates the genuine email library nodemailer with the same README descriptions, page styling, and tagline, bringing around 347 downloads since it was uploaded to the npm registry earlier this year by a user “nikotimon.” 

It is not available anymore. Socket experts Krill Boychenko said, "On import, the package uses Electron tooling to unpack Atomic Wallet's app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”

What is the CIS build kit?

The aim is to overwrite the recipient address with hard-coded wallets handled by a cybercriminal. The package delivers by working as an SMTP-based mailer while trying to escape developers’ attention. 

This has surfaced after ReversingLabs found an npm package called "pdf-to-office" that got the same results by releasing the “app.asar” archives linked to Exodus and Atomic wallets and changing the JavaScript file inside them to launch the clipper function. 

According to Boychenko, “this campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots. He also said that “by using import time execution and Electron packaging, a lookalike mailer becomes a wallet drainer that alters Atomic and Exodus on compromised Windows systems."

What next?

The campaign has exposed how a routine import on a developer's pc can silently change a different desktop application and stay alive in reboots. By exploiting the import time execution and Electron packaging, an identical mailer turns into a wallet drainer. Security teams should be careful of incoming wallet drainers deployed through package registries. 

Read more »
North Korea
AI Bybit Crypto cryptocurrency Cyber Attacks Ethereum Internet North Korea

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

2025 H1 records all-time crypto theft

In the first half of 2025, hackers stole a record $2.1 billion in cryptocurrency, marking an all-time high. The data highlights the vulnerable state of the cryptocurrency industry. North Korean state-sponsored hackers accounted for 70% of the losses, responsible for USD 1.6 billion, rising as the most notorious nation-state actor in the crypto space, according to a report by TRM Labs

This indicates a significant increase in illegal operations, surpassing the 2022 H1 record by 10% and nearly matching the total amount stolen for the entire 2022 year, highlighting the danger to digital assets. 

Implications of nation-state actors in crypto attacks

The biggest cryptocurrency attack has redefined the H1 2025 narrative, the attack on Dubai-based crypto exchange Bybit. TRM believes the attack highlights a rising effort by the Democratic People’s Republic of Korea (DPRK) for cryptocurrency profits that can help them escape sanctions and fund strategic aims like nuclear weapons programs, besides being a crucial component of their statecraft. 

“Although North Korea remains the dominant force in this arena, incidents such as reportedly Israel-linked group Gonjeshke Darande (also known as Predatory Sparrow) hacking Iran’s largest crypto exchange, Nobitex, on June 18, 2025, for over USD 90 million, suggest other state actors may increasingly leverage crypto hacks for geopolitical ends,” TRM said in a blog post. 

Mode of operation

"Infrastructure attacks — such as private key and seed phrase thefts, and front-end compromises — accounted for over 80% of stolen funds in H1 2025 and were, on average, ten times larger than other attack types," reports TRM. These attacks target the technical spine of the digital asset system to get illicit access, reroute assets, and mislead users. Infrastructure attacks are done via social engineering or insider access and expose fractures in the cryptosecurity foundation.

Takeaways 

H1 2025 has shown a shift towards crypto hacking, attacks from state-sponsored hackers, and geopolitically motivated groups are rising. Large-scale breaches related to nation-state attacks have trespassed traditional cybersecurity. The industry must adopt advanced, effective measures to prevent such breaches. Global collaboration through information sharing and teamed efforts can help in the prosecution of such cyber criminals. 

Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
North Korea
Black Mail Businesses Crypto Cyber Crime Extortion NFTs North Korea

US Seizes $7.7 Million From Crypto Linked to North Korea's IT Worker Scam


The US Department of Justice has filed a civil forfeiture complaint against North Korean IT workers for illegally gaining employment with US businesses, and earning millions for the Korean government, which amounts to violations of sanctions.

The government seized $7.7m in funds in 2023 that involved Sim Hyon Sop- a worker at the North Korean Foreign Trade Bank (FTB) who joined hands with IT workers to launder the money for Pyongyang.

According to the complaint, the North Korean IT workers escaped security via fraud IDs and tactics that hid their real location. The salaries were credited in stablecoins like USDT and USDC.

To launder the money, employees created accounts using fake IDs, transferred funds in small amounts to other blockchains (chain hopping), and/or converted them into other digital currencies (token swapping).

Scammers also bought non-fungible tokens (NFTs) and used US accounts to make their operations look real. Sim worked with Kim Sang Man, the CEO of the “Jinyong IT Cooperation Company,” who served as a middleman between the FTB and the IT workers. 

According to the Justice Department’s National Security Division, North Korea, for years has “exploited global remote IT contracting and cryptocurrency ecosystems to evade US sanctions and bankroll its weapons programs.” 

Department head Sue Bai said, “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

North Korean IT workers have been slithering their way into employment in US firms for many years.  However, the advancement of these operations was exposed in 2024 when security expert KnowBe4 disclosed that even their organization was tricked into hiring an IT specialist from North Korea.

After that, Google has cautioned that US businesses remain a primary target and also warned that the threat actors have nor started focusing their operations at Europan firms.  While few do normal work to get paid, there is also a concern that their organization access allows them to extract important data and use it for extortion.

Read more »
Social Media
Crypto Cyber Security Facebook Instagram Internet Meta Pig Butchering Scam Social Media

Beware of Pig Butchering Scams That Steal Your Money

Beware of Pig Butchering Scams That Steal Your Money

Pig butchering, a term we usually hear in the meat market, sadly, has also become a lethal form of cybercrime that can cause complete financial losses for the victims. 

Pig Butchering is a “form of investment fraud in the crypto space where scammers build relationships with targets through social engineering and then lure them to invest crypto in fake opportunities or platforms created by the scammer,” according to The Department of Financial Protection & Innovation. 

Pig butchering has squeezed billions of dollars from victims globally. Cambodian-based Huione Group gang stole over $4 billion from August 2021 to January 2025, the New York Post reported.

How to stay safe from pig butchering?

Individuals should watch out for certain things to avoid getting caught in these extortion schemes. Scammers often target seniors and individuals who are not well aware about cybercrime. The National Council on Aging cautions that such scams begin with receiving messages from scammers pretending to be someone else. Never respond or send money to random people who text you online, even if the story sounds compelling. Scammers rely on earning your trust, a sob story is one easy way for them to trick you. 

Another red flag is receiving SMS or social media texts that send you to other platforms like WeChat or Telegram, which have fewer regulations. Scammers also convince users to invest their money, which they claim to return with big profits. In one incident, the scammer even asked the victim to “go to a loan shark” to get the money.

Stopping scammers

Last year, Meta blocked over 2 million accounts that were promoting crypto investment scams such as pig butchering. Businesses have increased efforts to combat this issue, but the problem still very much exists. A major step is raising awareness via public posts broadcasting safety tips among individuals to prevent them from falling prey to such scams. 

Organizations have now started releasing warnings in Instagram DMs and Facebook Messenger warning users about “potentially suspicious interactions or cold outreach from people you don’t know”, which is a good initiative. Banks have started tipping of customers about the dangers of scams when sending money online. 

Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
WebSockets
Blockchain codebase Credentials Crypto Cybersecurity dataexfiltration dependency devtools Firewall Gmail Hacking malware phishing PyPI python scripts SMTP Spoofing Threatactors WebSockets

Malicious PyPI Packages Exploit Gmail to Steal Sensitive Data

 

Cybersecurity researchers have uncovered a disturbing new tactic involving malicious PyPI packages that use Gmail to exfiltrate stolen data and communicate with threat actors. The discovery, made by security firm Socket, led to the removal of the infected packages from the Python Package Index (PyPI), although not before considerable damage had already occurred.

Socket reported identifying seven malicious packages on PyPI, some of which had been listed for more than four years. Collectively, these packages had been downloaded over 55,000 times. Most were spoofed versions of the legitimate "Coffin" package, with deceptive names such as Coffin-Codes-Pro, Coffin-Codes, NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. Another package was titled cfc-bsb.

According to the researchers, once installed, these packages would connect to Gmail using hardcoded credentials and initiate communication with a command-and-control (C2) server. They would then establish a WebSockets tunnel that leverages Gmail’s email server, allowing the traffic to bypass traditional firewalls and security systems.

This setup enabled attackers to remotely execute code, extract files, and gain unauthorized access to targeted systems.

Evidence suggests that the attackers were mainly targeting cryptocurrency assets. One of the email addresses used by the malware featured terms like “blockchain” and “bitcoin” — an indication of its intent.

“Coffin-Codes-Pro establishes a connection to Gmail’s SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]com and a password,” the report says.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that the implant is working.”

Socket has issued a warning to all Python developers and users who may have installed these packages, advising them to remove the compromised libraries immediately, and rotate all sensitive credentials.

The researchers further advised developers to remain alert for suspicious outbound connections:

“especially SMTP traffic”, and warned them not to trust a package just because it was a few years old.
“To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links,” they added.

“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
Read more »
Hacking
Crypto Cyber Attacks Cybersecurity Hacking

‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam

 

A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

The remote control tool, built into Zoom, enables meeting participants to take control of another person's computer — a capability now being manipulated by cybercriminals to bypass technical defenses through social engineering rather than traditional code exploitation.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals either through email (bloombergconferences[@]gmail.com) or social media. The attackers use sock-puppet accounts, mimicking journalists or crypto media outlets, and send Calendly links to schedule the meeting.

Because both Calendly and Zoom links are genuine, the setup appears trustworthy to the victims. During the meeting, the attackers launch a screen-sharing session and issue a remote control request — with a crucial twist: their Zoom display name is changed to “Zoom.”

This results in a misleading prompt that reads:
"Zoom is requesting remote control of your screen,"
— tricking the target into thinking the request is from the app itself.

Granting access allows the attacker full remote control, enabling data theft, malware installation, unauthorized file access, or even the initiation of crypto transactions. In some cases, attackers establish persistence through hidden backdoors, remaining unnoticed even after disconnecting.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits.
"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends the use of Privacy Preferences Policy Control (PPPC) profiles to restrict system accessibility permissions. For highly sensitive environments — particularly those handling digital assets or crypto transactions — the firm advises removing the Zoom desktop client entirely.

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.
Read more »
Technology
BitcoinOS Crypto Digital Security Innovation Technology

BitcoinOS to Introduce Alpha Mainnet for Digital Ownership Platform

 

BitcoinOS and Sovryn founder Edan Yago is creating a mechanism to turn Bitcoin into a digital ownership platform. Growing up in South Africa and coming from a family of Holocaust survivors, Yago's early experiences sneaking gold coins out of the nation between the ages of nine and eleven influenced his opinion that having financial independence is crucial for both human dignity and survival. 

"Money is power, and power is freedom," Yago explains. "Controlling people's access to capital means controlling their freedom. That's why property rights are critical. This conviction drives his work on BitcoinOS, which seeks to establish a foundation for digital property rights independent of governments or companies. 

Yago sees technology as the fundamental cause of societal transformation. He argues that the Industrial Revolution made slavery economically unviable, not a sudden moral awakening. However, he warns that technology needs direction, referencing how the internet morphed from a promise of decentralisation to a system dominated by industry titans.

When Yago uncovered Bitcoin in 2011, he saw it as "the missing piece" of digital property rights. Bitcoin introduced a decentralised ledger for ownership records, while Ethereum added smart contracts for decentralised computing, but both have size and efficiency restrictions.

BitcoinOS addresses these issues with zero-knowledge proofs, which enable computations to be confirmed without running on every node. "Instead of putting everything on a blockchain, we only store the proof that a computation happened correctly," Yago tells me. This technique can allow Bitcoin to support numerous types of property, including: real estate, stocks , digital identities, and other assets in Bitcoin's global ledger.

Yago characterises the cryptocurrency business as being in its "teenage years," but believes it will mature over the next decade. His vision goes beyond Bitcoin to embrace digital sovereignty and encryption as ways to better safeguard rights than traditional legal systems. 

BitcoinOS plans to launch its alpha mainnet in the coming months. Yago is optimistic about the project's potential: "We're creating property rights for the digital age." When you comprehend that, everything else comes into place." 

The quest for Bitcoin-based solutions coincides with increased institutional usage. BlackRock, the world's largest asset management, has recently launched its first Bitcoin exchange-traded product in Europe, which is now available on platforms in Paris, Amsterdam, and Frankfurt. This follows BlackRock's success in the United States, where it raised more than $50 billion for similar products.
Read more »
Telegram
Crypto CyberCrime Cyberhackers Cybersecurity CyberThreat Desert Dexter IT malware Telegram

Malware Alert as Desert Dexter Strikes Over 900 Victims Worldwide

 


Several countries in the Middle East and North Africa have been targeted by an advanced Trojan named Desert Dexter, identified by security experts at Positive Technologies. This malware campaign has compromised nearly 900 victims as a result of its sophisticated campaign. The AsyncRAT malware campaign began in September 2024 to spread a modified variant of the malware using social media platforms and geopolitical tensions in an attempt to exploit these platforms. 

Using deceptive tactics to lure unsuspecting users, hackers exploit the vulnerabilities in the Internet, highlighting the growing threat posed by cyber espionage and political cyberattacks. The Positive Technologies Expert Security Center (PT ESC) has discovered and analyzed a new malware campaign that has been orchestrated to target individuals in the Middle East and North Africa (MENA) region with the primary aim of infecting their systems and exfiltrating sensitive data as a result. 

The campaign has been active since September 2024 and has been using a modified version of AsyncRAT to compromise victims' systems and steal sensitive information. On social media, attackers disguised themselves as legitimate news outlets to spread malware, crafting misleading promotional posts containing links to file-sharing services and Telegram channels, which allowed them to spread malware. 

Once executed, the malware extracts cryptocurrency wallet credentials and establishes communications with a Telegram bot, enabling remote data theft and control over cryptocurrency wallets. About 900 individuals have been reported to be affected by this malware, primarily everyday users. The investigation indicates a significant number of victims are employees from key industries, including oil and gas, construction, information technology, and agriculture. This raises concerns about espionage and financial fraud, which could occur in these industries. 

Based on a geographical analysis of the infections, Libya (49%) has been the worst hit, followed by Saudi Arabia (17%), Egypt (10%), Turkey (9%), the UAE (7%), and Qatar (5%) with additional cases reported across other regions. This attack is widespread, which shows that cybercriminals are evolving their tactics, and enhanced cybersecurity measures are necessary to keep them from harm. This malicious campaign was orchestrated by the Desert Dexter threat group, a group that is named after a single employee suspected of running it. 

It was discovered by cybersecurity researchers that hackers were using temporary accounts and fake news channels to evade advertising filters and disseminate malicious content on Facebook, which enabled them to evade ad filtering mechanisms. There was a similar campaign reported in 2019, however this latest operation seems to incorporate enhancements aimed at improving the efficiency and impact of the malware. 

According to Denis Kuvshinov, Head of Threat Intelligence at Positive Technologies, the attack follows a multi-stage approach that involves several steps and attacks. The initial victim is lured to a file-sharing service or Telegram channel, where a RAR archive containing malicious files is downloaded unintentionally, causing them to unknowingly download them. 

After the files are executed, they install a modified version of AsyncRAT, which gathers data about the system, transmits it to the threat actors' Telegram bot, and then distributes it to them. This variant of AsyncRAT contains the upgraded IdSender module specifically designed for cryptocurrency wallet extensions, two-factor authentication plugins, and wallet management software that are specifically targeted by the latest version. 

Although Desert Dexter's campaign's success has been largely attributed to the use of social media advertising and legitimate online services, which are not highly technical, the tools used by the organization have not been highly sophisticated. There is an attack underway by malicious actors targeting both individuals and high profile officials within the Middle East and North Africa (MENA) region as a result of geopolitical tensions within the region. 

Due to ongoing political instability throughout the MENA region, cyber threats remain a top priority, with phishing campaigns increasingly focusing on politically charged themes to deceive and compromise victims in the region. While the majority of individuals involved in the cyberattack seem to be everyday consumers, cybersecurity researchers have identified individuals across a wide variety of industries, including those involved in oil production, construction, technology, and agriculture, who have also been affected by the cyberattack. 

With the widespread scale of these infections, it is clear that social engineering techniques are effective at deceiving victims and geopolitical narratives. Through the application of these tactics, the attackers managed to successfully infiltrate multiple devices in multiple countries, even though they utilized relatively simple tools. There is a malware campaign that is continuing to succeed, and cybersecurity experts are urging everyone to exercise caution when confronted with unverified links or attachments, particularly those that claim to contain sensitive political material. 

Several organizations operating within the affected regions are advised to adopt proactive cybersecurity strategies, enhance employee awareness regarding cybersecurity threats, and implement robust security protocols for mitigating the risks posed by this and similar emerging threats that are being faced by these organizations.
Read more »
TON
Blockchain Crypto Cyberattacks CyberCrime Cybersecurity CyberThreat Digital Privacy Technology Telegram TON

Telegram's TON Blockchain Embarks on US Growth Mission

 



A foundation, closely associated with Telegram, called the Open Network (TON), is pursuing ambitious expansion in the United States. A strategic move like this comes amid the expectation that Donald Trump's upcoming administration will be able to offer a more favourable regulatory environment. The TON Foundation is proud to announce a pivotal leadership transition: Manuel "Manny" Stotz, an experienced investor and blockchain advocate, has been selected as President of the organisation. 

There is a new chapter in the foundation's journey to accelerate global adoption of the blockchain, emphasising expanded operations in the United States as part of a strategic expansion plan. In a statement released by a spokesperson for the TON Foundation to Cointelegraph on January 14, a spokesperson confirmed to the Cointelegraph that the US will become one of the most important markets for TON under the Trump Administration. 

The TON Foundation has recently appointed Manuel Stotz, one of the world's leading digital asset investors, as its new president. The foundation will be able to expand its operations in the U.S. market with Stotz, the founder of Kingsway Capital Partners. Stotz stated that the U.S. would soon become a global crypto centre specialising in innovation. Steve Yun, who will remain a board member, will resign from the presidency, and he will be taking over the CEO role. 

In light of the trend that a new president in the US is expected to provide a more favourable environment for cryptocurrency, this shift reflects this expectation. It is expected that his administration will address some of the most important regulatory issues on the day of his inauguration, which is scheduled for January 20, among crypto supporters. Among the concerns is how digital assets are treated by banks, with many in the crypto sector hoping that a change will happen in the rules regarding whether they will be accounted for as liabilities. 

In addition to the issue of “de-banking,” which has impacted many crypto firms in the U.S., another issue that may be addressed is the issue of blockchain technology and its prospects. It has been Stotz's honour to serve as a board member of the TON Foundation since it was founded in Switzerland in 2023. With his new role at the TON Foundation, he will replace Steve Yun, who remains on the board. Stotz is a major investor in the digital asset industry and is the founder of Kingsway Capital Partners, an investment management firm. 

There have been over 50 projects backed by the firm, among them Animoca Brands, Blockchain.com, CoinDCX, Toncoin, Genesis Digital Assets, and others. In the TON Foundation's opinion, the changing regulatory environment in the United States offers new opportunities for blockchain technology. Notably, several industry participants are optimistic about the incoming administration's pro-crypto stance, which includes plans for creating a national Bitcoin reserve and promoting blockchain-based economic reform. 

As President-elect Trump has also indicated his desire to advance the field by appointing influential figures, such as Paul Atkins and David Sacks, to key positions in the sector, it is anticipated that these developments will lead to a surge in blockchain and artificial intelligence innovation. TON Foundation president Stotz believes that these developments may signify a turning point for the industry as a whole, and he believes that the US is an important market for accelerating blockchain adoption worldwide.

A decentralised project called TON is closely related to Telegram's TON blockchain, which was developed by the messenger and then turned into a decentralised project. The Toncoin token allows the network to provide 950 million Telegram users with services such as in-app payments and games, and with Stotz's leadership, TON plans to increase its user base and integrate blockchain-based solutions into everyday applications under Stotz's leadership. 

The main objective of the fund is to use Telegram's vast global audience to promote the widespread adoption of blockchain technologies. With the TON Foundation, which is dedicated to supporting the development of the TON blockchain, Telegram's 950 million users will have access to crypto services through Telegram's platform. In 2023, Telegram formalised the foundation in Switzerland, a year after a 2020 settlement with the SEC ended Telegram's earlier fundraising efforts. 

It was announced in December 2024 that the foundation would be expanding to Abu Dhabi following the ADGM's distributed ledger technology framework. This move is intended to provide legal backing for decentralised projects throughout the MENA and APAC regions, with a target of reaching 500 million users by 2028. In the crypto industry, the return of Trump to power could be considered a turning point in the market as a result. He has announced that cryptocurrencies will be treated differently in the United States of America than they were in the past, which could result in more blockchain projects coming into the country in the future and increased innovation in decentralised technologies. 

Despite this change in leadership at the TON Foundation, the organisation continues to adhere to its mission and values even during this transition and continues to follow through with its objectives. As a board member of the foundation, Steve Yun provides ongoing leadership and direction and Manny Stotz plays a pivotal role in helping to make it a place for growth, collaboration, and innovation in the future. TON anticipates milestones to be achieved in the US over the coming months, which will further enhance the company's reputation as one of the leading blockchain companies in the world.

Read more »
Technology
Bitcoin Crypto Israel Startups Technology

Tech Ventures: Israel Advances in Crypto Ecosystem

Tech Ventures: Israel Advances in Crypto Ecosystem

Israel, often known as the "Startup Nation," has emerged as a global leader in cybersecurity, defense, and internet technologies. Cryptocurrency has easily integrated into the high-tech ecosystem, transforming the digital asset class and blockchain technology into key drivers of the country's economic growth. 

Bitcoin ETFs: The Game Changer

In January 2024, when the Securities and Exchange Commission approved various Bitcoin ETFs in the United States, the worldwide crypto market had a 70% price increase, bringing more than $11 billion into the industry. BTC ETF options for US markets were announced in November 2024, resulting in increased retail and institutional investor inflows into the crypto markets. This contributed to the global crypto bull run.  

Blockaid, Ingonyama, Tres, Oobit, and Fordefi are all part of Israel's cryptocurrency ecosystem. In January 2024, Israel had 24 "unicorns". These are private enterprises worth more than $1 billion.  Then there's Starkware, a leader in the Ethereum scaling field, which has reached a $20 billion valuation since the creation of the $STARK token. 

According to a recent yearly assessment, Tel Aviv has the fifth most attractive startup ecosystem in the world. Despite geopolitical uncertainties, the crypto community will undoubtedly increase. These are cryptocurrency enthusiasts, after all.

Israel and Tech Startup Landscape

Israel has traditionally inspired the technology sector, so it was logical that the blockchain would find its place here. The country has a strong emphasis on education, research, and development, as well as a surplus of technical skills. 

They discovered an odd ally in military intelligence who has assisted in the development of tech entrepreneurs and the facilitation of their cryptocurrency investments. Unit 8200 is deeply involved in the cryptocurrency world, and its alumni have joined and established successful firms, bringing government ties, extensive cybersecurity knowledge, and a well-rounded computer education to the blockchain. The Mamram Blockchain Incubator is also associated with the IDF's Centre for Computing and Information Systems.

Tech Revolution in Israel

The Israeli government has contributed to the digital revolution by publicly experimenting with one of the world's first Central Bank Digital Coins. In 2021, the government released the first prototype of the Digital Shekel, and the Bank of Israel recently announced a Digital Shekel Challenge to investigate potential CBDC uses.

The country is also investing in supercomputer technology to compete in the Artificial Intelligence arms race and keep its position at the forefront of the tech start-up scene. 

Read more »
Web3
Bitcoin Bull Market Crypto GitHub Technology Trading Web3

Crypto Bull Market Targeted: The Lottie-Player Security Breach


In an alarming development for the tech community, especially for those immersed in the Web3 ecosystem, a supply chain attack has targeted the popular animation library, Lottie-Player. If users fall for this prompt, it could enable attackers to drain cryptocurrency wallets. 

Given Lottie-Player's impressive tally of over 4 million downloads and its significant presence on many prominent websites for animation embedding, this incident underscores the security vulnerabilities associated with open-source libraries.

Understanding the Attack

The breach initially came to light on GitHub when a user noticed an unusual Web3 wallet prompt while integrating Lottie-Player on their website. Upon closer examination, it was discovered that versions 2.0.5, 2.0.6, and 2.0.7 of Lottie-Player, released between 8:12 PM and 9:57 PM GMT on October 30, 2024, had been tampered with and compromised.

The attack involved the introduction of malicious code into three new versions of the Lottie-Player library, a widely used tool for rendering animations on websites and applications. Threat actors infiltrated the distribution chain, embedding code designed to steal cryptocurrencies from users' wallets. This method of attack is particularly insidious because it leverages the trust developers place in the libraries they use.

The Broader Implications

Once the compromised versions were released, they were integrated into numerous high-profile projects, unknowingly exposing countless users to the threat—the malicious code activated during transactions, redirecting funds to wallets controlled by the attackers. In one notable case, a user reportedly lost 10 Bitcoin (BTC), worth hundreds of thousands of dollars, due to a phishing transaction triggered by the malicious script.

Following the discovery of the attack, the Lottie-Player team swiftly released a clean version, 2.0.8, which developers can use to replace the compromised files. To further contain the breach and limit exposure, versions 2.0.5 through 2.0.7 were promptly removed from npm and CDN providers like unpkg and jsdelivr.

Moving Forward

The attack occurred during a pivotal phase of the crypto bull market, intensifying efforts to steal increasingly valuable tokens. To mitigate risks, it's advisable to connect a wallet only for specific purposes rather than granting full-time permissions for signing transactions. Additionally, being prompted to connect a wallet immediately upon entering a website can serve as a potential warning sign.

Read more »
Subscribe to: Posts (Atom)