Search This Blog

Showing posts with label cryptocurrency. Show all posts

North Korea Linked APT: US Sanctions Crypto Mixer Tornado Cash

The U.S Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash. It was used by North Korean hackers linked to Lazarus APT Group. 

What is Crypto Mixers?

The mixers are crucial elements for threat actors that use it for money laundering, the mixer was used in laundering the funds stolen from victims. 

As per OFAC, cybercriminals used Tornado Cash to launder more than $7 Billion worth of virtual currency, which was created in 2019. The Lazarus APT group laundered more than $455 million money and stole in the biggest ever virtual currency heist to date. 

About the attack

It was also used in laundering over $96 million of malicious actors' funds received from the 24th June 2022 Harmony Bridge Heist and around $7.8 million from Nomad crypto heist recently. The sanction has been taken in accordance with Executive Order (E.O) 13694. 

"Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

The Sanctions

In May, the US department of treasury sanctioned another cryptocurrency mixer,, it was used by Lazarus APT, a hacking group linked to North Korea. It was used for laundering money from Axie Infinity's Ronin Bridge. The treasury has for the first time sanctioned a virtual currency mixer. 

"Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem.” concludes the announcement published by the U.S. Treasury Department. “Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds.”

Hackers Used Fake LinkedIn Job Offer to Steal $625M


Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued advice in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign


Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain assault after spotting a burst of suspicious NPM users and packages designed automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages impersonated a near-identical source code from an already existing package named eazyminer that's employed to mine Monero by means of utilizing unused resources of systems such as ci/cd and web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security research uncovered another NPM-related large-scale software supply chain attack dubbed IconBurst designed to siphon sensitive data from forms embedded in downstream mobile applications and websites. 

Crypto Scam to be Investigated by British Army


On Sunday, the UK Ministry of Defence confirmed that the British Army’s YouTube and Twitter accounts were hacked. The hackers were using both handles for their cryptocurrency promotion scams. However, at present Ministry department has not confirmed the exact dates of the takeover, and both accounts appear to be back to normal now. 

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

Malicious actors took control of the British Army’s Twitter page, swapping out the organization’s profile picture, bio, and cover photo to make it appear genuine like it was associated with The Possessed NFT collection, and promote crypto giveaway schemes. Meanwhile, its YouTube handle aired livestreams with clips of Elon Musk, Jack Dorsey, and Ark CEO Katie Wood discussing cryptocurrency-directed users to crypto scam websites. 

The clips feature the promotion of “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. However, it is unclear which group is behind this campaign. 

The malicious actors changed the army’s verified Twitter account name to The Possessed, a project involving a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

According to the Department of Ministry, it is possible that the hack is part of a broader campaign to leverage the recent popularity of The Possessed. On Saturday, the project’s official Twitter handle notified its followers of another verified account that was also hacked to promote an NFT scam using The Possessed brand. 

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.

Dutch University Receives Bitcoin Ransom Paid in 2019


The southern Maastricht University in Netherland that fell victim to a major ransomware assault has partly received back its stolen money, a local news organization reported on Saturday. 

The Dutch University suffered a large cyberattack in 2019 that locked them, and their students, out of valuable data until they agreed to pay a €200,000 ($208,000) ransom in Bitcoin which hackers demanded to decrypt the data.

"The criminals had encrypted hundreds of Windows servers and backup systems, preventing 25,000 students and employees from accessing scientific data, library and mail," the daily De Volkskrant told. 

"After a week the university decide to accede to the criminal gang's demand," the paper said. This was partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses.” 

As part of an investigation into the cyberattack, local police traced part of the ransom paid to an account belonging to a money launderer in Ukraine. In 2020, the authorities seized the perpetrator's account, which contained a number of different cryptocurrencies including part of the ransom money paid by Maastricht University. 

Earlier this week, the authorities were able to return the ransom back to the university. But the value of the Bitcoin held in the Ukrainian account has increased from its then-value of €40,000 to €500,000.

"When, now after more than two years, it was finally possible to get that money to the Netherlands, the value had increased from 40,000 euros to half-a-million euros," the paper further read. Maastricht University will now get the 500,000 euros ($521,000) back. 

"This money will not go to a general fund, but into a fund to help financially strapped students," Maastricht University ICT director Michiel Borgers stated. 

The administrators of Maastricht University should count themselves lucky as they were able to retrieve their stolen money. Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

In 2021, ransomware attackers targeted 58 U.S. education organizations and school districts, including 830 individual schools, according to the report published by Emsisoft threat analyst Brett Callow. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

NFT Marketplace OpenSea Suffers a Major Data Breach


Earlier this week, NFT marketplace OpenSea revealed a data breach and warned users of phishing assaults that could target them in the coming days. 

The company's Head of Security, Cory Hardman, said that an employee of its email delivery vendor,, allegedly downloaded and shared stored email addresses linked with OpenSea accounts and newsletter subscriptions with an unknown third party. 

"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with in their ongoing investigation, and we have reported this incident to law enforcement," Hardman stated. Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts." 

The crypto platform has more than 600,000 users and a transaction volume that surpassed $20 billion earlier this January. Customers were also told to look for emails sent from domains that hackers could exploit to spoof OpenSea's official email domain 

Examples of domains that could be employed in phishing attacks targeting OpenSea users include,, and

Additionally, the company shared a set of safety recommendations that would help defend against phishing attempts advising them to be suspicious of any emails trying to mimic OpenSea, not to download and open email attachments, and to check the URLs of pages linked in OpenSea emails.

Users are also urged never to share or confirm their passwords or secret wallet phrases and never to sign wallet transactions if prompted directly via email.

"We wanted to share the information we have at this time, and let you know that we've reported the incident to law enforcement and are cooperating in their investigation," Hardman added. 

Recently, crypto platforms have emerged as a lucrative target for malicious hackers as the industry witnesses rapid growth and money flooding in. Blockchain-based, decentralized networks promise better security, but average users today lean toward centralized services like OpenSea for their convenience. 

Earlier in March, a data leak at HubSpot, a customer-relations management software firm, led to data breaches at BlockFi, Circle, and others. Fractal, an NFT platform started by Twitch co-founder Justin Kan, had a rocky debut last year in December after a fraudster hacked the announcement bot to siphon $150,000.

Hacker Steals $100 million Worth of Crypto from Harmony Horizon Bridge


Earlier this week, the Horizon bridge linking Harmony – a Layer-1 PoS blockchain designed for native token ONE – to the Ethereum and Binance Chain ecosystem was exploited, resulting in a loss of nearly $100 million in Ethereum. Fortunately, the BTC bridge remained unaffected and has been shut down to prevent further losses. 

The U.S. crypto startup has notified the FBI and requested to assist with an investigation in identifying the culprit and retrieving stolen assets. 

“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” the company posted on Twitter. 

“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands-on deck as investigations continue. We will keep everyone up-to-date as we investigate this further and obtain more information.”

The attack appears to have taken place over the span of 17 hours, starting at about 7:08 am EST until 7:26 am EST. The value of the first transaction was 4,919 ETH, followed by multiple smaller transactions ranging from 911 to 0.0003 ETH. The last one took place after the bridge had been shut down. 

The hack is the latest in a series of exploits affecting the crypto space. So far, Frax (FRAX), Wrapped Ether (wETH). Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC), and USD Coin (USDC) have been stolen from the bridge via this exploit. 

Interestingly, a warning was issued by an independent researcher and blockchain developer Ape Dev back on the 2nd of April. In a series of tweets, the researcher warned that the security of the Horizon bridge hinged on a multisignature — or “multisig” — a wallet that required just two signatures to initiate transactions. The hackers could exploit this loophole to execute a very simple attack by getting 2 of the owners to sign off on transfers worth up to $330million. 

The hack adds to a series of negative news in the crypto space lately. Crypto lenders Celsius and Babel Finance put a freeze on withdrawals after a sharp drop in the value of their assets resulted in a liquidity crunch. Meanwhile, crypto hedge fund Three Arrows Capital could be declared as a defaulter for failing to repay a $660 million loan from brokerage firm Voyager Digital.

This New Malware Redirects Cryptocurrency Payments to Wallets Controlled by the Attacker


A clipper malware is a type of software that, once installed on a computer, continuously scans the contents of the user's clipboard for cryptocurrency wallets. If the user copies and pastes the wallet someplace, it gets substituted by the cybercriminal's wallet. 

As a result, if an unknowing user uses any interface to transfer a cryptocurrency payment to a wallet, which is often done by copying and pasting a valid destination wallet, the legitimate wallet is substituted with the fake one. Clipper malware is not a new issue, but it is unknown to the majority of individuals and businesses. 

The first clipper malware surfaced on Windows operating systems in 2017. In 2019, the same malware was also discovered on the Google Play Store. Clipper attacks are effective due to the duration of cryptocurrency wallets. People who transfer cryptocurrency from one wallet to another seldom double-check that the copy/paste result is the one given by a genuine receiver. Cyble researchers examined a new Clipper malware termed Keona Clipper by its developer. 

The malware is provided as a service for $49 per month. Keona Clipper was written in the.NET programming language and is safeguarded by Confuser 1.x. This tool protects.NET applications by changing symbols, obfuscating control flow, encrypting constants and resources, employing anti-debugging, memory dumping, tampering, and disabling decompilers, making reverse engineering more difficult. 

Since May 2022, Cyble researchers have identified over 90 distinct Keona samples, demonstrating widespread deployment. The discrepancy in those Keona samples might be due to minor changes in the code, or it could be the result of several usages of the Confuser protector, which generates a new binary each time a sample is provided to prevent detection by security solutions relying only on file signature. 

Malware capabilities of Keona Clipper

Once launched, the malware uses the Telegram API to connect with an attacker-controlled Telegram bot. The malware's initial contact with the bot includes a message written in Russian that translates as "clipper has started on the computer" and the username of the user whose account is utilised by the malware. 

The malware also ensures that it is always performed, even if the system is restarted. The malware copies itself to numerous areas, including the Administrative Tools folder and the Startup folder, to guarantee persistence. Autostart entries are also placed in the Windows registry to guarantee that the malware runs every time the computer restarts. Keona Clipper then discreetly analyses clipboard activity and checks for bitcoin wallets using regular expressions. 

BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins are among the cryptocurrencies that Keona Clipper can steal. If a wallet is discovered, it is instantly replaced in the clipboard with a wallet address supplied by the threat actor. 

How can one defend oneself against this danger?

Every bitcoin payment should be thoroughly scrutinised. By comparing the output of their copy/paste manipulation to the wallet given by the seller, users should visually authenticate the wallet utilised as the transaction's destination. Private keys and wallet seeds should never be kept insecurely on any device. If feasible, keep these encrypted on a different storage device or in a physical hardware wallet. 

To identify the danger, security solutions should be implemented. We don't know the first vector of propagation for Keona, but we think it was emailed, hence email-based protection must be deployed. Email fraud and phishing should also be made more visible to users. 

Finally, the operating system and any software that runs on it should be maintained up to date and patched at all times. If the malware is dumped and executed on the system via a popular vulnerability, a patched system will almost certainly halt the danger.

Indian Crypto Users Duped Of Rs 1,000 Crore By Fake Exchange


CloudSEK researchers have identified a new scam called CoinEgg, which duped Indian investors of more than $128 million (nearly Rs 1,000 crore). 

“We discovered an on-going malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam,” the researchers explained in a blog post. 

The hackers designed several bogus domains mimicking crypto trading platforms, with the word ‘CloudEgg’ in them. “The sites are designed to replicate the official website’s dashboard and user experience,” the researchers stated, adding that the crypto scam is divided into seven phases. 

After creating the fake domains, the scammers design a female profile on social media to lure the potential victim and establish a friendship. This phony profile is used to entice the victim to invest in crypto and start trading. The profile also shares a $100 gift voucher, which will be deposited when they invest in specific crypto. 

Upon registering and depositing funds on the exchange, the hacker freezes their account to keep them from withdrawing the funds and disappears. If you think the scam ends here, you are mistaken. In the last phase of the scam, when the victims switch to other platforms to share their experience, the hacker uses other fake accounts to reach out to them and pose as if they are investigators.

“To retrieve the frozen assets, they request victims to provide confidential information such as ID cards and bank details via email. These details are then used to perpetrate other nefarious activities,” the researchers said.

The researchers also identified two domains used by the scammers. It was said that both were registered on GoDaddy on March 3, 2022, as part of the strategy to set up several backup domains in the case of a takedown.

Earlier this year in March, the Pune City police’s cybercrime cell detained two specialists — Pankaj Ghode (38) and Ravindranath Patil (45) and an ex-IPS officer of Jammu and Kashmir cadre, following an exhaustive probe that began in April 2021.

In 2018, Ghode and Patil aided a Pune police Special Investigations squad in uncovering two multimillion-dollar Bitcoin Ponzi schemes. The duo transferred the cryptocurrencies, recovered from the Gainbitcoin scam, and then manipulated the screenshots of those transactions and gave them to the police as proof. However, the technical investigation revealed that there were some bitcoins in the said wallet and Ghode did not give information regarding them to the investigating officer.

Hackers Target Inverse Finance in a Flash Loan Oracle Attack


Inverse Finance, a decentralized autonomous organization (DAO) has suffered a flash loan assault, where hackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). This comes just two months after the Defi exchange witnessed an exploit where the hackers siphoned $15.6 million in a price oracle manipulation exploit. 

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said. 

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol that facilitates the borrowing and lending of cryptos. The latest exploit worked by employing a flash loan attack where hackers take a flash loan from a Defi platform. Subsequently, they pay it back in the same transaction, causing the price of the crypto asset to surge and then quickly withdraw their investments. 

Upon discovering the attack, the defi protocol temporarily paused borrowing and took down DOLA stablecoin from the money market saying that it is investigating the incident, while no user funds were at risk. 

It later confirmed that only the hacker’s deposited collateral was impacted in the incident. In a tweet, the company requested the attackers to return the funds in return for a “generous bounty”. 

The hacker in total secured 99,976 USDT and 53.2 WBTC from the attacks. As soon as the hack was successful, the attackers routed the funds via Tornado Cash, a cryptocurrency mixing or tumbling protocol designed to obscure where funds came from. Coincidentally, the service is popular for money laundering.

It should be noted that the significant rise in Defi which facilitates crypto-denominated lending outside traditional banking, has been a major factor in the increase in stolen funds and frauds. Threat actors have targeted DeFis the most, in yet another warning for those dabbling in this emerging segment of the crypto industry.

“DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike,” as per a report by Chainalysis. 

Last year, more stolen funds flowed to DeFi platforms (51 percent) and centralized exchanges received less than 15 percent of the total stolen funds, Chainalysis wrote in its annual Crypto Crime report. “This is likely due to exchanges’ embrace of AML and KYC processes, which threaten the anonymity of cybercriminals,” the report added.

Report: Clipminer Botnet Operators Rake in $1.7 Million


According to Symantec security experts, cyber criminals operating the Clipminer botnet have made at least $1.7 million in illegal earnings to date. 

The Clipminer trojan spreads via trojanized cracked or pirated software and shares characteristics with the cryptomining trojan KryptoCibule, implying that it is either a copycat or a development of the latter. Clipminer was discovered around January 2021, shortly after KryptoCibule was revealed in an ESET research study, suggesting a probable rebranding of the same threat, according to Symantec. 

Once inside a machine, the malware may exploit its resources to mine for bitcoin, but it can also change clipboard data. When Symantec detects that a user has duplicated a cryptowallet address, it replaces it with the address of an attacker-controlled wallet in order to reroute cash there. 

“On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. […] For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from,” Symantec added. 

Within the malware, the researchers discovered a total of 4,375 distinct cryptowallet addresses, 3,677 of which are utilised for only three different types of Bitcoin addresses. Symantec discovered about 34.3 Bitcoin and 129.9 Ethereum in some of the attackers' addresses and stated that some other funds had already been moved to cryptocurrency mixing services. 

“If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone,” the researchers added.

Alert! Scam Pixelmon NFT Website Hosts Password-stealing Malware


A bogus Pixelmon NFT site tempts visitors with free tokens and collectables while infecting them with spyware that steals their cryptocurrency wallets. Pixelmon is a popular NFT project with plans to create an online metaverse game where users can gather, train, and battle other players with pixelmon pets. 

The project has attracted a lot of attention, with nearly 200,000 Twitter followers and over 25,000 Discord members. Threat actors have replicated the original website and built a fake version at pixelmon[.]pw to deliver malware to take advantage of this interest. Instead of providing a demo of the project's game, the malicious site provides executables that install password-stealing malware on a device. 

The website is selling a package named that contains a faulty executable that does not infect customers with malware. However, MalwareHunterTeam, which was the first to identify this malicious site, detected other dangerous files transmitted by it, allowing to see what malware it was spreading., which contains the setup.lnk file, is one of the files sent by this fraudulent site. Setup.lnk is a Windows shortcut that runs a PowerShell command to download pixelmon[.]pw's system32.hta file. 

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is no longer widely used. Security researcher Fumik0_, who has previously examined this malware family, confirmed this. When launched, the Vidar sample from the threat actor connects to a Telegram channel and retrieves the IP address of a malware's command and control server. The malware will then obtain a configuration instruction from the C2 and download further modules to steal data from the afflicted device. 

Vidar malware may steal passwords from browsers and apps, as well as scan a computer for files with certain names, which it subsequently sends to the threat actor. The C2 commands the malware to seek for and steal numerous files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files, as seen in the malware setup below. Because this is an NFT site, visitors are expected to have bitcoin wallets installed on their PCs. 

As a result, threat actors focus on looking for and stealing cryptocurrency-related files. While the site is presently not distributing a functioning payload, BleepingComputer has observed evidence that the threat actors have been modifying the site in recent days, as payloads that were available two days ago are no longer available. 

One can expect this campaign to continue to be active, and working threats to be added soon, based on the site's activity. Due to the high number of fraudsters attempting to steal the bitcoin from NFT projects, one should always double-check that the URL they are viewing is indeed associated with  their interested project.

Fake Crypto Giveaways Use Elon Musk Ark Invest Video to Steal Millions of Dollars


Using a “double your funding” scheme, threat actors once again are luring their victims with the promise of high Bitcoin profits. Millions of dollars have been stolen with the help of fake endorsements from the prominent faces of Elon Musk, Jack Dorsey, and Cathie Wood.

The unknown fraudsters made more than $1.3 million in just a few weeks after re-streaming an edited model of an old live panel dialogue on cryptocurrency with Elon Musk, Jack Dorsey, and Cathie Wood at Ark Invest’s “The ₿ Word” convention. 

Cybersecurity analysts from cybersecurity firm McAfee have published a report on this, in which they spotted 11 fraudulent websites linked to the videos. McAfee updated the report after it was published to say that the number of these websites had elevated to 26 in just 24 hours. 

“The YouTube streams promoted several websites with a similar theme. They claim to send cryptocurrencies at twice the value received. For example, if you send 1BTC, you will receive 2BTC back,” said McAfee. 

Additionally, researchers examined the crypto wallets associated with the sites to which the victims had to send their “investment”. For example, on May 5, there were trades worth $280,000. Total damage was estimated at $1.3 million. Numbered, but there are certainly a significant number of other victims.

Bleeping Computer also uncovered about 10 YouTube channels reposting the manipulated discussion. The title of just about all of them included the strings Tesla, Elon Musk, Ark Invest, or a mixture of them. Interestingly, a few of these channels selling a cryptocurrency rip-off website have massive followership, between 71,000 and 1.08 million subscribers. 

In the majority of cases, the number of subscribers for these channels seems to have been artificially blown so as to add credibility to the videos promoting the scam, since they haven’t any different content material out there. 

Previously, fraudsters used different movies associated with Elon Musk, together with SpaceX launches or Tesla movies, to efficiently promote pretend giveaways and earn hundreds of thousands of dollars.

In 2020, Brad Garlinghouse, CEO of financial tech firm Ripple filed a lawsuit against YouTube for failing to remove fake videos featuring his name. Last March, he ended up settling with the tech giant. YouTube claimed that it wasn’t responsible for the content third parties published on its platform.

Hackers Steal NFTs Worth $3M in Bored Ape Yacht Club Heist


Hackers stole non-fungible tokens (NFTs) estimated to be worth $3 million after getting into the Bored Ape Yacht Club's Instagram account and uploading a link to a replica website that tried to capture marks' assets.

The fake post offered a free airdrop – essentially a promotional token giveaway, to customers who clicked the link and connected their MetaMask crypto-asset wallets to the scammer's wallet. Rather than receiving free items, victims had their digital wallets drained. 

Bored Ape Yacht Club tweeted Monday morning in a warning that came too late for some of its members, "It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,"  

The Bored Ape Yacht Club, or BAYC, is a collection of photographs depicting bored primates in various attitudes and costumes, which can be used as internet profile avatars and sell for hundreds of dollars in crypto coins. 

Miscreants stole four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, as well as "assorted additional NFTs estimated at a total value of $3 million," according to Yuga Labs, the company that launched Bored Ape Yacht Club. 

"We are actively working to establish contact with affected users," a Yuga Labs spokesperson said, adding that its hijacked Instagram account did have two-factor authentication enabled, "and the security practices surrounding the IG account were tight." 

"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account," the spokesperson stated. 

This is the second time in less than a month that the NFT collection has been hacked. Bored Ape Yacht Club said on March 31 that their Discord server had been compromised. According to security firm PeckShield, a cybercriminal stole one NFT: Mutant Ape Yacht Club #8662 in a previous incident. 

In March, following the launch of the ApeCoin cryptocurrency by the Bored Ape Yacht Club, fraudsters stole around $1.5 million by claiming a huge amount of tokens using NFTs they did not own and obtaining bogus flash loans. Flash loans are given and repaid in a single blockchain transaction, which might take as little as seconds to get and return the funds. These and other recent hacks have raised security concerns about NFT and cryptocurrency technologies.

Docker Servers Targeted by LemonDuck Cryptomining Campaign


LemonDuck botnet operators have launched a large-scale Monero cryptomining campaign targeting Docker APIs on Linux servers. Cryptomining hackers are a persistent danger to Docker systems that aren’t properly shielded or configured, with multiple mass-exploitation efforts recorded in recent years.

The cryptomining malware was first identified in 2019 by researchers from Trend Micro while targeting enterprise networks. Previously, the botnet has targeted Microsoft Exchange servers, Linux machines via SSH brute force attacks, Windows systems susceptible to SMBGhost, and servers running Redis and Hadoop instances. 

Methodology Employed 

The LemonDuck botnet secures access to the exposed Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG image. 

The script is downloaded from the domain t.m7n0y[.]com, which was observed in other LemonDuck attacks. 

“The “core.png” file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file “a.asp,” which is actually a Bash file,” Crowdstrikes researchers explained. “The “a.asp” file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.” 

The Bash file (a.asp) performs the following actions: 

• Kill processes based on names of known mining pools, competing cryptomining groups, etc. 
• Kill daemons like crond, sshd and syslog. 
• Delete known indicator of compromise (IOC) file paths. 
• Kill network connections to C2s known to belong to competing cryptomining groups. 
• Disable Alibaba Cloud’s monitoring service that protects instances from risky activities. 

Last year in November, cryptomining malware used by unknown attackers was found to disable protective mechanisms in Alibaba Cloud services. After doing the above tasks, the Bash script then downloads and executes the cryptomining program XMRig and a configuration file that hides the actor’s wallets behind proxy pools. 

After the initially infected machine has been set up to mine, Lemon_Duck attempts lateral movement by leveraging SSH keys found on the filesystem. If those are available, the attacker will employ them to carry out a second infection. Hiding the Docker APIs properly on cloud instances is currently the only solution for avoiding LemonDuck crypto-mining attacks.

FBI: North Korean Hackers Stole $600M+ Worth Cryptocurrency


The FBI accused North Korean government associated hackers of stealing more than $600 million in bitcoin from a video game company last month, the latest in a sequence of sophisticated cyber thefts linked to Pyongyang. 

The FBI said in a statement, "Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th." "DPRK" is an abbreviation for North Korea's official name, the Democratic People's Republic of Korea, and Ethereum is a technology platform linked with a type of cryptocurrency. 

The FBI was referring to the recent hack of Axie Infinity's computer network, which allows gamers to win cryptocurrency. Undiscovered hackers stole the equivalent of about $600 million — estimated at the time of the hack's detection — on March 23 from a "bridge," or network that allows users to transmit cryptocurrency from one blockchain to another, according to Sky Mavis, the business that developed Axie Infinity. 

The US Treasury Department sanctioned Lazarus Group, a large group of hackers suspected of working for the North Korean government, on Thursday. The precise "wallet," or bitcoin address, that was utilised to cash out on the Axie Infinity hack was sanctioned by the Treasury Department.

According to a United Nations panel and outside cybersecurity experts, cyberattacks have been a major source of revenue for the North Korean state for years as its leader, Kim Jong Un, pursued nuclear weapons. North Korea is reported to have fired its first intercontinental ballistic missile in more than four years last month. According to Chainalysis, a company that records digital currency transactions, the Lazarus Group has stolen an estimated $1.75 billion in cryptocurrencies in recent years. 

Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime said,"A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea's destabilizing activity and weapons proliferation. As long as they are successful and profitable, they will not stop." 

While much of the focus of cybersecurity analysts has been on Russian hacking in the wake of the Ukraine conflict, suspected North Korean hackers have been far from silent. Last month, Google researchers revealed two separate suspected North Korean cyber attempts aimed at US media and IT businesses, as well as the bitcoin and financial technology industries. Users who are targeted by state-sponsored hackers are notified by Google. 

If a Google user has "any link to being active in Bitcoin or cryptocurrencies" and receives a warning from Google about state-backed hacking, it nearly invariably turns out to be North Korean activity, according to Shane Huntley, who leads Google's Threat Analysis Group.

Further, Huntley told CNN, "It seems to be an ongoing strategy for them to supplement and make money through this activity." 

Indian Crypto Exchanges Disables Deposits Via UPI System


Multiple Indian crypto exchanges have disabled rupee deposits using the Unified Payments Interface (UPI) system, which is the most widely used retail payment method. This comes after the National Payments Corporation of India (NPCI) said last week that it was unaware of any crypto exchange using UPI. 

The Indian government has spent years working on a law to ban or regulate cryptocurrencies, with a ban backed by the central bank over risks to financial stability. However, recently the government has taken a decision to put a tax on the income from cryptocurrency and other digital assets. 

Crypto exchange Wazirx is not offering UPI support. The exchange tweeted on Wednesday, “Currently, UPI is not available,” and advised users to do P2P payments instead, which have zero fees. The platform also added that it has no estimated time limit to address the issue with UPI deposits. Coindcx is also not supporting payments by UPI, saying on Twitter Monday, “UPI is temporarily unavailable.”

Coinswitch Kuber, with over 15 million users went one step ahead and reportedly suspended all INR deposit services, including UPI and bank transfers via NEFT, RTGS, and IMPS. The Nasdaq-listed crypto exchange Coinbase, which recently launched in India, has also disabled all purchase options, including the UPI. 

Last month, multiple reports suggested that Coinbase has begun rolling out UPI and IMPS support for its users in India after users noticed the inclusion of the two payment systems (UPI & IMPS) on Coinbase’s app. The company acknowledged the same at its launch event on 7th April. 

“We are aware of the recent statement published by NPCI regarding the use of UPI by cryptocurrency exchanges. We are committed to working with NPCI and other relevant authorities to ensure we are aligned with local expectations and industry norms,” the exchange clarified. 

An industry source with direct knowledge of the matter said the NPCI was caught between a rock and a hard place when Coinbase claimed to launch with UPI support. “Once the launch of Coinbase happened in India and they announced the usage of UPI as a payment option, NPCI realized it needed to put a clarification out there,” the person said. 

Earlier this month, popular payment service Mobikwik also disabled offering services to crypto exchanges. Meanwhile, crypto exchanges have been declining in India after the 30% tax on crypto income went into effect without allowing loss offsets or deductions on April 1. From July 1st, a 1% tax deducted at source (TDS), will also be applicable on crypto transactions. 

There are no official data available on the size of India's crypto market, but industry experts believe the number of investors ranges from 15 million to 20 million, with a holding of about Rs 40,000 crore ($5.25 billion).

YouTube Scammers Steal $1.7M in Fake Crypto Giveaway


According to Group-IB, a group of online scammers made approximately $1.7 million by promising cryptocurrency giveaways on YouTube. 

The group allegedly aired 36 YouTube videos between February 16 and 18, gaining at least 165,000 views, according to the Singapore-based security company. To give validity to their efforts, they included footage of tech entrepreneurs and crypto enthusiasts like Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood. 

According to Group-IB, the channels were either hacked or bought on the black market. They included links to at least 29 websites with instructions on how to double cryptocurrency investments in the streams they built. 

'Investors' were encouraged to send a tiny sum of virtual currency and promised that they would be paid back twice that amount. Some victims were prompted to enter seed phrases to 'link' their wallets, depending on the cryptocurrency and wallet type utilised. 

However, the fraudsters were able to take control of their wallet and withdraw all of their funds as a result of this. The scammers received 281 transactions totalling nearly $1.7 million into their crypto wallets in just three days. The precise number of victims and the overall amount stolen, however, are unknown. 

Group-IB stated, “The fake crypto giveaway scheme is not new, but apparently is still having a moment. Further analysis of the scammers’ domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022. Notably, there were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year.” 

Crypto enthusiasts should be wary of freebies and avoid sharing personal information online, according to Group-IB. Users were also encouraged to double-check the authenticity of any promos and use a password manager to store any seed phrases.

Cryptocurrency Network Ronin Suffers Breach, Hackers Steal Millions

Ronin, a cryptocurrency network revealed a breach where threat actors swept $540 million worth of Ethereum and USDC stablecoin. The attack is one of the biggest in the history of cryptocurrency cyberattacks, particularly retrieved funds from a service called Ronin Bridge. Pulled-off attacks on "blockchain bridges" have become normal in the last two years, the Ronnie incident is a testimony to thinking hard about the problem. Blockchain bridges (network bridges) are apps that allow users to transfer digital assets from one blockchain to another. 

Cryptocurrencies can't usually interoperate, for instance, one can't do a transaction on a bitcoin platform via doge coins, hence, these "bridges" have become an important process, in the cryptocurrency world. Bridge services use 'cryptocurrency' to convert a bitcoin into another. For instance, if one goes to a bridge and uses a different cryptocurrency, like bitcoin (BTC), the bridge splits out wrapped Bitcoins (WBTC). In simple terms, it's similar to a gift card or a check that shows stored value in an open alternative format. 

Bridges require a vault of cryptocurrency coins to underwrite the total wrapped coins, and that trove is the primary target for threat actors. "Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we'll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts," says James Prestwich. 

Besides the Ronin heist, hackers stole around $80 Million worth of cryptocurrency from the Qubit bridge in January, around $320 Million from the Wormhole bridge in February, and $4.2 Million a few days later from Meterio Bridge. Another thing that one should note is that Poly network had around $615 Million worth of cryptocurrency stolen in August last year, but the attackers returned the fund a few days after. "Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private encryption keys used to verify transactions on the network," reports the Wired.

One arrested in ₹1,200-Crore Crypto Fraud Case, 900 Investors Scammed


The Enforcement Directorate announced on Tuesday that it had arrested a suspect in connection with a money-laundering investigation into a Kerala-based businessman who is suspected of scamming more than 900 investors out of Rs 1,200 crore in exchange for bitcoin. 

Abdul Gafoor, one of the most prominent stockists of the 'Morris Coin Cryptocurrency,' was arrested on March 24, according to the source. The next day, he was taken into prison by the Enforcement Directorate (ED) and held until March 31. Mr Gafoor was accused of not complying with the investigation and of being extremely evasive in his responses, according to the federal investigation agency. 

The agency stated, "Considering the fact that Abdul Gafoor is one of the directors of Stoxglobal Brokers Pvt. Ltd. and has played an active role in facilitating the placement and layering of proceeds of crime, he has been placed under arrest on March 24," 

The ED case arose from an FIR filed by the Kerala Police (Malappuram crime branch unit) against the case's main accused, businessman Nishad K. The agency alleged Nishad K "cheated several investors by accepting investments, under a Ponzi scheme, through his three Bengaluru based firms-- Long Reach Global, Long Reach Technologies and Morris Trading by offering high returns of dividend such as 3-5 per cent per day." 

According to the police complaint, "more than 900 investors were cheated to the tune of ₹ 1,200 crore." The investigation discovered that "Nishad, the main accused person, had appointed those persons as pin stockists who had invested a minimum of ₹ 10 lakh in Nishad's scheme and Nishad promised them that he would give five per cent as commission on the investment.” 

The ED stated, "They made aggressive enrolment of new members into an illegal money circulation scheme under the garb of multi-level marketing, resorted to the fraudulent practice of investing the money received from the investors in the Morris Coin cryptocurrency plan run by Nishad and others". 

It alleged that this resulted in the viral growth of the scheme network, resulting in significant unjust gain at the cost of investors. It had previously stated that the deposits taken from the general public were illegal and did not require any regulatory approval. It had attached Nishad K's assets worth ₹ 36.72 crore, as well as those of his colleagues, including the Indian Rupee equivalent of cryptocurrencies purchased with proceeds of crime by a close associate, in January.