
Fake Crypto Website: Berkshire Hathaway Issues Warning




Warren Buffett's company Berkshire Hathaway Inc. issued a warning to investors on Friday stating that it is not associated with a fictitious cryptocurrency trading website that uses the Berkshire Hathaway brand.

According to the website's creator, a Texas-based broker was established in 2020 to offer investors the chance to earn a fully passive income through investments in cryptocurrency mining.

It features alleged client endorsements and claims that the broker is licensed in the US, UK, Cyprus, and South Africa, while getting the names of two regulators wrong. Its email address format also differs from that of Buffett's company.

Buffett has always been wary of cryptocurrencies; despite a change in the public's opinion of bitcoin, Buffett still would not purchase it. He has a bias to view cryptocurrencies as passive investments that holders purchase with the expectation of long-term price growth.

At the Berkshire Hathaway annual shareholders meeting on Saturday, he said that the asset is not productive and produces nothing measurable.

"The entity that owns this web address has no affiliation with Berkshire Hathaway Inc. or its Chairman and CEO, Warren E. Buffett," according to a statement from Buffett's company, which claimed it learned about the website.

It has gained recognition as an investment asset in Western countries, especially during the past year as rates and inflation have increased. People continue to see great potential for its application as digital currency in other areas.

"Assets must provide someone with something in order to be valuable. Additionally, just one type of currency is recognized. You can think of all kinds of things; we can even put up Berkshire coins, but at the end of the day, this is money," remarked Warren Buffett, holding up a $20 bill.

Requests for comment from the website's owner were not immediately answered. Recent months have seen increased scrutiny of cryptocurrencies.

Following reports that $10 billion in client assets had been transferred from FTX to Bankman-Fried's trading firm Alameda Research, FTX declared bankruptcy and is now under investigation by American authorities.

The Hunt for the FTX Thieves Has Started

 

Cryptocurrency has always provided an interesting mix of temptations and difficulties for those trying to steal it.  It is a lucrative target because it is digital cash held in multibillion-dollar sums on hackable, internet-connected networks. However, once stolen, the blockchains on which almost every cryptocurrency is built allow for tracking the money's every move and, in many cases, identifying the thieves.  

Recently, unknown transactions were reported to have drained FTX wallets. Observers suspect that either FTX was hacked or insiders stole client funds during the exchange's abrupt collapse. According to FTX US general counsel Ryne Miller, there have been "unauthorized transactions" from the group's wallets to addresses not controlled by FTX. FTX filed for Chapter 11 bankruptcy protection from its creditors yesterday, and those creditors are concerned that some of their funds will not be available for repayment.

On Twitter, a developer announced that "hundreds of millions of dollars" in cryptocurrency were being transferred out of FTX wallets. Given the late hour at which the transactions took place, this did not look like liquidators acting on behalf of creditors.

Afterward, on-chain forensics expert ZachXBT tweeted that the receiving addresses were not FTX wallets, according to former FTX employees. Because FTX and FTX US are supposedly separate businesses and were operated as such, a hacker would be unlikely to gain simultaneous access to the private keys of both exchanges unless they had inside information or were insiders.

However, given FTX's demise, anything is possible. According to Bloomberg, junior employees took the initiative to sell off some of FTX's troubled assets. Two main draining addresses have been identified, and up to $383 million in cryptocurrency may have been stolen:
Main draining address: 
https://etherscan.io/address/0x59abf3837fa962d6853b4cc0a19513aa031fd32b

Shitcoin draining address:
https://etherscan.io/address/0xd8019a114e86ad41d71a3eeb6620b19dd166a969

According to Nansen, a crypto analytics research firm, the outflows totaled at least $266 million. As per the Australian Financial Review, the missing funds in Ethereum, Solana, BNB, LINK, AVAX, and MATIC could be as high as $600 million.

Were the FTX app and website also compromised?

There are also unconfirmed reports that the FTX app and the FTX website have been infected with malware and should no longer be used. The report was posted by Rey, an FTX Telegram administrator.

Nevertheless, the confusing situation for FTX's 1.2 million customers is still evolving. The FTX app has been updated, but for the time being experts recommend that all FTX clients avoid installing the update or interacting with their FTX accounts.

Customers are advised not to make any changes to their accounts until further information, presumably in the form of an official announcement from FTX, becomes available. According to his most recent tweet, Binance founder and CEO Changpeng Zhao (CZ) is unimpressed with the latest turn of events. Elon Musk also contributed, despite the fact that he was expected to be preoccupied with the blue tick scandal.

Growing Cyberattacks on Cryptocurrency

Cybercrime against cryptocurrencies continues to soar and poses a primary threat to large cryptocurrency institutions, individuals, and governments worldwide. The whole world talks about bitcoin, cryptocurrencies, and blockchain technology; however, few talk about the high probability of loss and the associated cyber threats.

In the first half of 2022, malicious actors have successfully captured nearly $2 billion worth of cryptocurrencies, a 60% rise from last year. There are various reasons why cryptocurrencies are attacked by cybercriminals, often and extensively. 

SonicWall published a report showing that cryptojacking and ransomware attacks had dropped in the latter half of 2019. The report attributed the sharp fall in cryptojacking cases to the shutdown of Coinhive; however, this pushed attackers toward more targeted attack vectors, with an increase in specialized malware designed to steal digital currencies.

While some cybersecurity organizations suggest that a slowdown in the crypto market would lead to a slowdown in cybercrime, this is not the case: the risks and threats associated with it will remain high. Some trends even indicate that the crypto-crime problem may grow worse in the coming years.

According to the technical data, cryptocurrency exchanges, personal wallets, and platforms are primary targets of cryptohackers since they deal in large volumes of virtual money. The research shows that from June 2021 to June 2022, crypto platforms witnessed a loss of an estimated amount of $44 billion. 

Attackers exploited unsecured wallets, carried out SIM-card jacking, and stole recovery phrases and passwords. Furthermore, the incident profile shows that cryptocurrency ATMs are currently being targeted. According to the FBI, approximately 1,500 cases of crypto ATM fraud were reported last year, in which hackers captured $28 million.

Reports also confirm that state-sponsored hackers regularly target crypto firms, and that the stolen money is used to finance terrorist activities and war crimes. Cryptocurrency is also the de facto currency of the Dark Web, where virtual currency is traded for various illicit activities.

How can you protect your system and your funds from being compromised? 


  • Educate yourself and your workforce about the threats and methods of protecting your system. 
  • It is always advisable to do business with exchanges and marketplaces that follow proper regulations and security practices. 
  • Organizations should follow multi-layered defense protection and have the proper technical defenses in place when it comes to emergencies because cyberattacks can impact even the most security-savvy organizations.

Spirdark Stole Ed Sheeran’s Unreleased Songs, Sentenced To 18 Months In Prison

A 23-year-old hacker named Adrian Kwiatkowski, who allegedly stole two unreleased songs from English singer-songwriter Ed Sheeran and 12 songs from American rapper Lil Uzi Vert, has been sentenced to 18 months in prison.
 
The hacker was charged with hacking the artists’ cloud-based accounts; the stolen songs were then sold for cryptocurrency. He allegedly made $147,000 from these transactions.
 
Kwiatkowski pleaded guilty to a total of 19 charges, including copyright infringement and possessing criminal property. According to a report by the CPS, he was charged with three counts of unauthorized access to computer data, 14 of making available for sale an article that infringes copyright, one of converting criminal property, and two of possessing criminal property.
 
A search of the hacker’s laptop also uncovered 565 audio files, and seven devices were found storing 1,263 unreleased songs by 89 different artists, including the unreleased songs by Ed Sheeran and Lil Uzi Vert. The hacker also admitted to receiving bitcoin in return for the unreleased songs.
 
“Kwiatkowski had complete disregard for the musicians’ creativity and hard work producing original songs and the subsequent loss of earning” says Joanne Jakymec from the CPS. “He selfishly stole their music to make money for himself by selling it on the dark web […] We will be pursuing ill-gotten gains from these proceeds of crime.” 
 
According to a press release, Kwiatkowski was arrested on Friday, October 21st, at Ipswich Crown Court, England. The hacker had been operating under the mononym Spirdark, and his activities were reported by numerous music companies.
 
In 2019, the Manhattan District Attorney’s Office opened an investigation after several musicians reported that someone using the name Spirdark had hacked their accounts. The investigation identified Kwiatkowski via his email address and IP address. Later that year, London police detained him, and he eventually pleaded guilty to the charges.

Missing Cryptoqueen: Leaked Police Files May Have Alerted the OneCoin Fraudster Ruja Ignatova

 

Best known as the “Missing CryptoQueen,” convicted fraudster Ruja Ignatova, who is on the US Federal Bureau of Investigation (FBI) most wanted list, is believed to have been receiving information about the investigation before her disappearance.
 
The 42-year-old Bulgaria-based fraudster was convicted over her suspected involvement in the $4 billion OneCoin cryptocurrency fraud. The details of the scam were uncovered in the BBC podcast ‘The Missing Cryptoqueen’, devoted to the infamous fraudster.

The police documents related to the case were apparently shown in the podcast by Frank Schneider, a former spy and trusted adviser to Ignatova. Following the allegations, Schneider is now facing extradition to the US for his role in the OneCoin fraud. 

While the metadata on the files suggests that Ignatova acquired the documents through her own contacts in Bulgaria, Schneider denies having obtained them himself and says Ignatova received them on a USB memory stick.
 
Ignatova disappeared on October 25th, 2017, after being made aware of the police investigation into her OneCoin cryptocurrency. Following this, in June 2022 she was included in the FBI's most wanted list.
 
In an interview with the BBC, Schneider described the police files, which contained presentations made at a Europol meeting named ‘Operation Satellite.’ The meeting was attended by officials from Dubai, Bulgaria, the UK, Germany, and the Netherlands, along with the FBI, the US Department of Justice, and the New York District Attorney, five months before Ignatova's disappearance.
 
The documents contained details of US authorities having a “high-placed confidential informant”, of OneCoin bank accounts receiving investor funds, and of failed attempts by the UK's City of London Police to interview Ignatova.

Asked about the files, Schneider said: "When the Bulgarians participated at certain Europol meetings, it only took hours for her to get a complete rundown and get the minutes of what was said in those meetings. I can only deduce that it came from the circles that she was in and those she had through a variety of influential personalities.”

North Korea Uses Stolen Cryptoassets to fund its Nuclear Weapons Programs

International investigators and researchers have claimed that North Korea is responsible for stealing $300 million worth of Bitcoin and other cryptocurrencies in recent months through hacking and other large-scale cyberattacks.
 
The crypto assets are allegedly stolen in order to pay for North Korea's nuclear weapons program. In regards to this, a row has broken out in South Korean political circles over Korea's politicians’ and other leaders' ties to crypto developer Virgil Griffith. 
 
This development comes after North Korea’s missile launches intensified in the past 10 days. When a missile recently flew over the island of Hokkaido, more than 5 million Japanese citizens were urgently ordered to take cover as a protective measure. Pyongyang claims that these missile launches were “simulations” of nuclear attacks on South Korea.
 
According to military analysts, a large part of this missile program is being funded with the stolen cryptocurrency. North Korea is believed to employ thousands of well-trained hackers, who have hit South Korean businesses and organizations, and it has also been accused of exploiting its cyber capabilities for financial gain.
 
According to Yonhap, one of South Korea's major news sources, the UN Security Council’s North Korea Sanctions Panel has blamed North Korean cyber organizations such as the ‘Lazarus Group’ for the Ronin Bridge and Harmony Bridge hacks.
 
As per the experts, the hermit state is utilizing the absence of worldwide regulatory constraints on cryptocurrencies, in order to steal cryptocurrencies to fund nuclear weapons and missile projects. 
 
In an interview with the VOA Korean Service, Jason Bartlett, a researcher at the Center for a New American Security (CNAS), stated, “Cryptocurrency offers Pyongyang a new kind of currency that is substantially less regulated and understood by national governments, financial institutions, and international organizations.”
 
According to a report by Nikkei Asia, North Korea is in the penultimate phase of preparing for a nuclear weapon test, with indicators including the excavation of an underground tunnel and the testing of triggering mechanisms.

Binance Bridge Hit by $560 Million Hack

A group of threat actors exploited a cross-chain bridge to transfer $560 million worth of cryptocurrency from Binance Bridge, operated by the world’s biggest exchange, Binance. The hack is believed to have been made possible by a bug within the bridge that let the attacker bypass the security proofs of the BNB Chain.

Following the incident, Binance BNB/USD fell by more than 3% on Friday. The single-day hack on the BNB Chain led to a loss of at least $100 million; BNB Chain estimates that about $7 million has been frozen, out of roughly $560 million initially targeted.

Binance is the largest cryptocurrency exchange in the world in terms of daily trading volume; its Binance Bridge is designed to help transfer information and assets between blockchains.

The information about the hack was made public on Thursday by Binance CEO Changpeng Zhao. He announced on Twitter that the threat actors had exploited a vulnerability in the BSC (BNB Chain) Token Hub cross-chain bridge.

“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly,” he added. 

According to Zhao, the overall loss that the platform has to bear because of the attack is around $100 million worth of BNB. However, the threat actors’ wallet reportedly received two transactions of 1,000,000 BNB each, which is worth more than $560 million. 

The platform nevertheless assured its customers that their funds are safe and secure. When it learned about the hack, it worked with validators to temporarily suspend BSC and freeze transfers. Additionally, the platform reported that it has already recovered some of the stolen funds.

“We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly…” the platform reported. “…Initial estimates for funds taken off BSC are between $100M - $110M. However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen.”

Malware Targets WebLogic Servers And Docker APIs For Cryptomining

Malware known as Kinsing is exploiting both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to spread cryptocurrency mining malware.
  
Trend Micro discovered that the financially motivated group behind the malware was using the vulnerability to run Python scripts that disable operating system (OS) security features such as Security-Enhanced Linux (SELinux), among others.
 
Kinsing has a history of taking over vulnerable servers and co-opting them into a botnet, using flaws in Redis and SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134). The malware has also reportedly been used in campaigns against container environments via misconfigured, openly exposed Docker daemon API ports, launching cryptomining and spreading the malware to other containers and host devices.
 
In the latest wave of attacks, the malicious actor weaponized a two-year-old Remote Code Execution (RCE) bug, CVE-2020-14882 (CVSS score 9.8), against unpatched servers to seize control of them and deliver malicious payloads to the victims.
 
Exploitation of the bug is followed by a shell script responsible for various actions: removing the var/log/syslog system log, disabling security functions and cloud service agents from providers such as Alibaba and Tencent, and killing competing cryptomining processes.
 
The shell script then downloads the Kinsing malware from a remote server and establishes persistence through a cron job.
 
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on the affected systems,” Trend Micro said. “This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.”
 
TeamTNT malware makes a comeback
 
Researchers at Aqua Security, a cloud-native security company, have linked three new attacks to another “vibrant” cryptojacking group called "TeamTNT", which had apparently ceased operating in November 2021.
 
“TeamTNT has been scanning for misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to C2 server”, stated Aqua Security researcher Assaf Morag.

The attack chain appears designed to attack secp256k1, the elliptic curve used for cryptocurrency wallet keys; if successful, it would give the malicious actor the ability to compute the private key of any wallet. To do this, it uses the hijacked processing power of its targets to run an ECDLP solver. The other two attacks carried out by the group involve exploiting exposed Redis servers and misconfigured Docker APIs to deploy cryptominers and Tsunami binaries.
 
TeamTNT's targeting of Docker REST APIs has been well documented over the past years. In an operational security blunder observed by Trend Micro, however, credentials for two attacker-controlled DockerHub accounts were exposed.

The accounts, 'alpineos' and 'sandeep078', are said to have been used to distribute numerous malicious payloads, including rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.
 
“The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” stated Nitesh Surana, a researcher at Trend Micro.
 
Trend Micro estimates that the alpineos image has been downloaded more than 150,000 times. The company has notified Docker about these accounts.
 
The cybersecurity firm recommends that organizations configure any exposed Docker REST API with TLS to steer clear of adversary-in-the-middle (AiTM) attacks, and use credential stores and helpers to hold user credentials.
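
The misconfiguration that both the Kinsing campaign and TeamTNT scan for, a Docker daemon API reachable over TCP without client authentication, and the TLS fix recommended above can be checked directly in the daemon configuration. The audit script below is an added example, not code from the article or from Aqua Security or Trend Micro; it reads the documented dockerd `daemon.json` keys (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`), and the two sample configurations and their certificate paths are constructed.

```python
"""Audit a Docker daemon.json for an API exposed over TCP without mutual TLS.

Added example (not from the article, Aqua Security or Trend Micro). The two
configurations at the bottom are constructed: one exposes the API the way the
campaigns above look for, the other is TLS with client-certificate verification.
"""
import json
from urllib.parse import urlparse

PLAINTEXT_PORT = 2375                   # dockerd's conventional unencrypted API port
WILDCARD_BINDS = {"", "0.0.0.0", "::"}  # listens on every interface
TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return findings for a parsed daemon.json; empty means no unsafe TCP exposure."""
    findings: list[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings                 # unix:// or fd:// only: reachable from the host alone

    tlsverify = bool(cfg.get("tlsverify", False))
    tls = tlsverify or bool(cfg.get("tls", False))
    for host in tcp_hosts:
        url = urlparse(host)
        bind = url.hostname or ""
        port = url.port or PLAINTEXT_PORT
        if not tls:
            # The API has no authentication of its own, so a plaintext listener
            # hands root-equivalent control to anyone who can reach the port.
            findings.append(f"CRITICAL {host}: plaintext API on port {port}, no TLS")
        elif not tlsverify:
            # tls=true encrypts the channel but accepts any client: still an open API.
            findings.append(f"HIGH {host}: TLS enabled but tlsverify is off, "
                            "clients are not authenticated")
        if not tlsverify and bind in WILDCARD_BINDS:
            findings.append(f"HIGH {host}: unauthenticated listener bound to all interfaces")

    if tlsverify:
        for key in TLS_FILES:
            if not cfg.get(key):
                findings.append(f"MEDIUM tlsverify is set but '{key}' is not configured explicitly")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse raw daemon.json contents and audit them."""
    return audit_daemon_config(json.loads(text))


# Constructed: the exposure the campaigns above scan the internet for.
EXPOSED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed: TCP API with mutual TLS (certificate paths are placeholders).
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_daemon_config(cfg)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  " + finding)
```

Running it against a real host means feeding `/etc/docker/daemon.json` to `audit_daemon_json`; note that `dockerd` command-line flags (`-H`, `--tlsverify`) override or supplement the file and are not seen by this check.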

Crypto Scammers Hack Famous YouTube Channel ‘DALLMYD’ with 13 Million Subscribers

 

Popular YouTuber Jake Koehler (aka Scuba Jake) has disclosed the hacking of his channel with over 13 million subscribers and 1.75 billion views since its establishment in 2011. The crypto fraudsters took control of the channel on September 9 and tried to defraud subscribers with a bogus giveaway involving Bitcoin (BTC) and Ethereum (ETH). 

An analysis by the financial news and crypto analysis blog Finbold shows that fraudsters siphoned 1.01 BTC, equivalent to nearly $21,000 in a fake crypto lottery. The investigation relied on QR codes published by scammers for subscribers to scan before sending cryptocurrencies. 

The shared Bitcoin wallet recorded four transactions and received a total of 1.0107 BTC. That is the amount the crypto scammers siphoned from Jake’s subscribers through this wallet, but the total could be much higher, as the fraudsters may have switched wallets during the live broadcast, according to Blockchain.com.

The scam resembled other fraudulent incidents on YouTube in which scammers take an old interview with a famous personality in crypto circles, re-post it as a live stream, and advertise the fake giveaway in the information section. It is believed that scammers opt for the live option because it offers more credibility.

How fraudsters targeted Scuba Jake's subscribers

Under the crypto scam, the fraudsters changed the channel’s name from ‘DALLMYD’ to ‘MicroStargey US,’ replicating the crypto-friendly American business intelligence company MicroStrategy. 

Subsequently, the scammers ran at least two live streams of an old video featuring former MicroStrategy CEO Michael Saylor. The scammers lured unsuspecting subscribers into sending cryptocurrency in the belief that they would receive a prize from Saylor or higher returns. The channel has since been restored, with Jake confirming this via an Instagram story on September 10.

Scammers leveraging YouTube to launch crypto scams 

The scammers are exploiting the YouTube platform to target high-profile individuals and organizations. Earlier this year in May, the crypto scammers employed a “double your funding” scheme to lure their victims with the promise of high Bitcoin profits. Millions of dollars were stolen with the help of fake endorsements from the prominent faces of Elon Musk, Jack Dorsey, and Cathie Wood. 

The unknown fraudsters made more than $1.3 million in just a few weeks after re-streaming an edited version of an old live panel discussion on cryptocurrency with Elon Musk, Jack Dorsey, and Cathie Wood at Ark Invest’s “The ₿ Word” conference.

Furthermore, research by antivirus software firm Kaspersky disclosed that besides targeting YouTube channels, fraudsters are increasingly prowling the comments section under videos to promote fake crypto services while offering low prices for certain currencies. The hackers usually target top-trending videos and leave comments promoting a fake “breach” in the crypto market with enticing statistics.

Hackers Exploit Zero-Day Bug, Steal Crypto from Bitcoin ATMs

 


General Bytes and the Vulnerability

Hackers have abused a zero-day vulnerability in General Bytes Bitcoin ATM servers to get cryptocurrency from customers. When customers would deposit or buy cryptocurrency via the ATM, the funds would be stolen by hackers. 

General Bytes manufactures Bitcoin ATMs that, according to the company, let people buy or sell more than 40 different cryptocurrencies.

Actors Exploit CAS Zero-day

The Crypto Application Server (CAS) controls the Bitcoin ATMs, oversees their operations and the cryptocurrencies they support, and completes the sales and purchases of cryptocurrency on exchanges.

The attacks were carried out using a zero-day vulnerability in the company's Crypto Application Server (CAS). The hacker remotely created an admin user through the CAS administrative interface by calling a URL on the page used for the default installation of the server, which creates the first administrative user. The vulnerability has existed in the CAS software since version 20201208.

General Bytes believes that the threat actors scanned the internet for exposed servers running on TCP ports 443 or 7777, including servers hosted at Digital Ocean and on General Bytes' own cloud service.

Hackers exploit bugs to transfer money

The hackers then used the bug to add a default admin user named 'GB' to the CAS and changed the 'buy' and 'sell' crypto settings and the 'invalid payment address' to point to a cryptocurrency wallet under the attacker's control.

Once these settings had been modified, any cryptocurrency sent to the CAS was forwarded to the attackers instead. Two-way ATMs began sending money to the hackers' wallets when customers deposited coins at the ATM.

What should the users do?

General Bytes has warned its customers not to use their Bitcoin ATMs until they have installed the two server patch releases, 20220531.38 and 20220725.22, on their servers. General Bytes also provided a checklist of steps to complete before the devices are put back into use.

It should be noted that the hackers would not have been able to launch these attacks if the servers had been behind a firewall allowing connections only from trusted hosts. Firewalls should therefore always be configured to give access to the Crypto Application Server only to trusted IP addresses, for instance the customer's offices or the ATM's location.

According to General Bytes, the following things did not happen:

1. The attacker didn't gain access to the host operating system.
2. The attacker didn't gain access to the host file system.
3. The attacker didn't gain access to the database.
4. The attacker didn't gain access to any passwords, password hashes, salts, private keys, or API keys.

Currently, 18 General Bytes CAS servers remain exposed to the internet, most of them located in Canada. It is not known how many servers were compromised using this vulnerability or how much cryptocurrency was stolen. As of now, no further updates have come from General Bytes; CySecurity will update its readers if they do.

North Korea Linked APT: US Sanctions Crypto Mixer Tornado Cash


The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash, which was used by North Korean hackers linked to the Lazarus APT group.

What are crypto mixers?

Mixers are a crucial tool for threat actors engaged in money laundering; in this case the mixer was used to launder funds stolen from victims.

According to OFAC, cybercriminals have used Tornado Cash, which was created in 2019, to launder more than $7 billion worth of virtual currency. The Lazarus APT group laundered more than $455 million of the money it stole in the biggest virtual currency heist to date.

About the attack

It was also used to launder over $96 million of malicious actors' funds from the 24 June 2022 Harmony Bridge heist and around $7.8 million from the recent Nomad crypto heist. The sanction was imposed under Executive Order (E.O.) 13694.

"Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

The Sanctions

In May, the US Department of the Treasury sanctioned another cryptocurrency mixer, Blender.io, which was used by Lazarus APT, a hacking group linked to North Korea, to launder money from Axie Infinity's Ronin Bridge. That was the first time the Treasury had sanctioned a virtual currency mixer.

"Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem.” concludes the announcement published by the U.S. Treasury Department. “Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds.”



Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued an advisory in May 2022 stating that highly skilled hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack relied on social engineering: the North Korean government-backed hacker organisation Lazarus got into Sky Mavis' network by sending one of the company's employees a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise.

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack Ronin, Axie Infinity's Ethereum-based proof-of-authority sidechain, had nine validators.

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

The attacker needed to seize five of the nine validators. The malware-laced PDF allowed the attacker to gain control of four validators and get into the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, a total of $625 million in crypto.

Since then, the Ronin sidechain has raised its number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie players who lost crypto in the hack. In April 2022, the company raised $150 million in funding.

The US government attributes the attack to the notorious North Korean hacking group Lazarus, which specialises in such operations. This is hardly Lazarus' first foray into the blockchain sector, but Lazarus using social engineering to infiltrate a company's network is unusual. In fact, the Slovak internet security company ESET warned LinkedIn users in June 2020 about Lazarus' involvement in an elaborate LinkedIn recruiting fraud targeting the military and aerospace industries.

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign


Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The threat actor behind this malicious campaign, dubbed CuteBoi, published 1,283 modules to the repository using over 1,000 different user accounts. The researchers discovered the supply chain attack after spotting a burst of suspicious NPM users and packages that had been created automatically.

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages carried near-identical copies of the source code of an existing package named eazyminer, which mines Monero using idle resources on systems such as CI/CD and web servers. One notable modification is the URL to which the mined cryptocurrency is sent, although installing the rogue modules has no harmful effect.

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools such as Selenium and Interactsh to programmatically create an NPM user account and defeat 2FA, CuteBoi relies on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository.

Specifically, it uses a REST API offered by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this way, the actors behind the CuteBoi campaign can circumvent the NPM 2FA challenge while creating a flood of user accounts to publish the packages.

Earlier this week, security researchers uncovered another large-scale NPM software supply chain attack, dubbed IconBurst, designed to siphon sensitive data from forms embedded in downstream mobile applications and websites.

Crypto Scam to be Investigated by British Army


On Sunday, the UK Ministry of Defence confirmed that the British Army's YouTube and Twitter accounts had been hacked. The hackers used both handles to promote cryptocurrency scams. The Ministry has not yet confirmed the exact dates of the takeover, and both accounts now appear to be back to normal.

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

Malicious actors took control of the British Army's Twitter page, swapping out the organization's profile picture, bio and cover photo to make it appear genuinely associated with The Possessed NFT collection, and used it to promote crypto giveaway schemes. Meanwhile, its YouTube channel aired livestreams with clips of Elon Musk, Jack Dorsey and Ark CEO Cathie Wood discussing cryptocurrency, which directed users to crypto scam websites.

The clips feature the promotion of “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. However, it is unclear which group is behind this campaign. 

The malicious actors changed the army’s verified Twitter account name to The Possessed, a project involving a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

According to the Ministry, the hack may be part of a broader campaign to exploit the recent popularity of The Possessed. On Saturday, the project's official Twitter handle notified its followers of another verified account that had also been hacked to promote an NFT scam using The Possessed brand.

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.

Dutch University Receives Bitcoin Ransom Paid in 2019


Maastricht University, in the southern Netherlands, which fell victim to a major ransomware attack, has partly recovered its stolen money, a local news organization reported on Saturday.

The Dutch university suffered a large cyberattack in 2019 that locked it and its students out of valuable data until it agreed to pay a €200,000 ($208,000) ransom in Bitcoin, which the hackers demanded to decrypt the data.

"The criminals had encrypted hundreds of Windows servers and backup systems, preventing 25,000 students and employees from accessing scientific data, library and mail," the daily De Volkskrant reported.

"After a week the university decided to accede to the criminal gang's demand," the paper said, "partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses."

As part of an investigation into the cyberattack, local police traced part of the ransom paid to an account belonging to a money launderer in Ukraine. In 2020, the authorities seized the perpetrator's account, which contained a number of different cryptocurrencies including part of the ransom money paid by Maastricht University. 

Earlier this week, the authorities were able to return the ransom to the university, and the value of the Bitcoin held in the Ukrainian account had increased from its then-value of €40,000 to €500,000.

"When, now after more than two years, it was finally possible to get that money to the Netherlands, the value had increased from 40,000 euros to half-a-million euros," the paper further read. Maastricht University will now get the 500,000 euros ($521,000) back. 

"This money will not go to a general fund, but into a fund to help financially strapped students," Maastricht University ICT director Michiel Borgers stated. 

The administrators of Maastricht University should count themselves lucky that they were able to recover their stolen money. Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data on its School of Medicine's servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network.

In 2021, ransomware attackers targeted 58 U.S. education organizations and school districts, including 830 individual schools, according to the report published by Emsisoft threat analyst Brett Callow. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

NFT Marketplace OpenSea Suffers a Major Data Breach


Earlier this week, NFT marketplace OpenSea revealed a data breach and warned users of phishing attacks that could target them in the coming days.

The company's Head of Security, Cory Hardman, said that an employee of its email delivery vendor, Customer.io, had allegedly downloaded the stored email addresses linked to OpenSea accounts and newsletter subscriptions and shared them with an unknown third party.

"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman stated. "Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts."

The crypto platform has more than 600,000 users and a transaction volume that surpassed $20 billion this January. Customers were also told to watch for emails sent from domains that attackers could use to spoof OpenSea's official email domain, opensea.io.

Examples of domains that could be employed in phishing attacks targeting OpenSea users include opensea.org, opensea.xyz, and opeansae.io.

Additionally, the company shared a set of safety recommendations to help defend against phishing attempts, advising users to be suspicious of any emails trying to mimic OpenSea, not to download or open email attachments, and to check the URLs of pages linked in OpenSea emails.

Users are also urged never to share or confirm their passwords or secret wallet phrases and never to sign wallet transactions if prompted directly via email.
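A mail-filtering check for the spoofed sender domains OpenSea warned about, added here as an example (it is not OpenSea's code). It classifies a sender's domain against the legitimate opensea.io: exact match, same label with a swapped TLD (opensea.org, opensea.xyz), digit-for-letter homoglyphs, and shuffled or near-miss spellings such as opeansae.io. The confusable-character list, the edit-distance threshold and the single-label TLD assumption are this example's own choices.

```python
from collections import Counter

LEGIT_DOMAIN = "opensea.io"  # the legitimate domain named on the page

# Characters attackers commonly substitute for look-alikes (assumed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Lower-case a domain label and fold common homoglyphs back to ASCII letters."""
    label = label.lower().translate(CONFUSABLES)
    for seq, rep in MULTI_CONFUSABLES.items():
        label = label.replace(seq, rep)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'sub.opensea.io' -> (['sub', 'opensea', 'io'], 'opensea', 'io').
    Assumes a single-label TLD; suffixes like co.uk are out of scope here."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts, parts[0], ""
    return parts, parts[-2], parts[-1]


def sender_domain_verdict(sender: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return one of: legitimate, tld-swap, homoglyph, lookalike, unrelated."""
    domain = sender.rsplit("@", 1)[-1]
    parts, label, tld = split_domain(domain)
    _, legit_label, legit_tld = split_domain(legit)
    if (label, tld) == (legit_label, legit_tld):
        return "legitimate"
    if legit_label in parts[:-2]:          # e.g. opensea.io.example.com
        return "lookalike"
    folded = normalise(label)
    if folded == legit_label:
        return "tld-swap" if tld != legit_tld else "homoglyph"
    # Near-miss spellings: small edit distance, or the same letters shuffled
    # with at most one letter added or dropped (catches "opeansae").
    letter_diff = sum((Counter(folded) - Counter(legit_label)).values()) + \
                  sum((Counter(legit_label) - Counter(folded)).values())
    if levenshtein(folded, legit_label) <= 2 or letter_diff <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender addresses, including the three domains named on the page.
    for addr in ["noreply@opensea.io", "support@opensea.org", "support@opensea.xyz",
                 "help@opeansae.io", "help@0pensea.io", "news@example.com"]:
        print(f"{addr:25} -> {sender_domain_verdict(addr)}")
```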

"We wanted to share the information we have at this time, and let you know that we've reported the incident to law enforcement and are cooperating in their investigation," Hardman added. 

Recently, crypto platforms have emerged as a lucrative target for malicious hackers as the industry witnesses rapid growth and money flooding in. Blockchain-based, decentralized networks promise better security, but average users today lean toward centralized services like OpenSea for their convenience. 

Earlier in March, a data leak at HubSpot, a customer-relations management software firm, led to data breaches at BlockFi, Circle, and others. Fractal, an NFT platform started by Twitch co-founder Justin Kan, had a rocky debut last year in December after a fraudster hacked the announcement bot to siphon $150,000.

Hacker Steals $100 million Worth of Crypto from Harmony Horizon Bridge


Earlier this week, the Horizon bridge linking Harmony, a Layer-1 proof-of-stake blockchain built around its native token ONE, to the Ethereum and Binance Chain ecosystems was exploited, resulting in a loss of nearly $100 million in Ethereum. Fortunately, the BTC bridge was unaffected, and it has been shut down to prevent further losses.

The U.S. crypto startup has notified the FBI and asked it to assist with an investigation to identify the culprit and retrieve the stolen assets.

“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” the company posted on Twitter. 

“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands-on deck as investigations continue. We will keep everyone up-to-date as we investigate this further and obtain more information.”

The attack appears to have taken place over the span of 17 hours, starting at about 7:08 am EST until 7:26 am EST. The value of the first transaction was 4,919 ETH, followed by multiple smaller transactions ranging from 911 to 0.0003 ETH. The last one took place after the bridge had been shut down. 

The hack is the latest in a series of exploits affecting the crypto space. So far, Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC), and USD Coin (USDC) have been stolen from the bridge via this exploit.

Interestingly, the independent researcher and blockchain developer Ape Dev had issued a warning back on 2 April. In a series of tweets, the researcher warned that the security of the Horizon bridge hinged on a multisignature ("multisig") wallet that required just two signatures to initiate transactions. Anyone able to get two of the owners to sign off could execute a very simple attack, approving transfers worth up to $330 million.

The hack adds to a series of negative news in the crypto space lately. Crypto lenders Celsius and Babel Finance put a freeze on withdrawals after a sharp drop in the value of their assets resulted in a liquidity crunch. Meanwhile, crypto hedge fund Three Arrows Capital could be declared as a defaulter for failing to repay a $660 million loan from brokerage firm Voyager Digital.

This New Malware Redirects Cryptocurrency Payments to Wallets Controlled by the Attacker


Clipper malware is software that, once installed on a computer, continuously scans the contents of the user's clipboard for cryptocurrency wallet addresses. If the user copies a wallet address to paste it somewhere, it is silently replaced with the cybercriminal's address.

As a result, when an unsuspecting user transfers a cryptocurrency payment to a wallet, which is usually done by copying and pasting a valid destination address, the legitimate address is substituted with the attacker's. Clipper malware is not new, but most individuals and businesses are unaware of it.

The first clipper malware surfaced on Windows in 2017, and in 2019 the same kind of malware was also found on the Google Play Store. Clipper attacks work because cryptocurrency wallet addresses are long: people who transfer cryptocurrency from one wallet to another seldom double-check that the pasted address is the one supplied by the genuine recipient. Cyble researchers examined a new clipper malware, called Keona Clipper by its developer.

The malware is sold as a service for $49 per month. Keona Clipper is written in .NET and protected with Confuser 1.x, a tool that protects .NET applications by renaming symbols, obfuscating control flow, encrypting constants and resources, adding anti-debugging, anti-memory-dumping and anti-tampering measures, and defeating decompilers, all of which makes reverse engineering more difficult.

Since May 2022, Cyble researchers have identified over 90 distinct Keona samples, indicating widespread deployment. The differences among those samples may be due to minor code changes, or to repeated runs of the Confuser protector, which generates a new binary each time a sample is processed in order to evade security solutions that rely only on file signatures.

Malware capabilities of Keona Clipper

Once launched, the malware uses the Telegram API to connect to an attacker-controlled Telegram bot. Its first message to the bot is written in Russian, translates as "clipper has started on the computer", and includes the username of the account the malware is running under.

The malware also makes sure it keeps running, even after the system is restarted: it copies itself to several locations, including the Administrative Tools folder and the Startup folder, and adds autostart entries to the Windows registry so that it runs every time the computer starts. Keona Clipper then quietly monitors clipboard activity and checks for cryptocurrency wallet addresses using regular expressions.

BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA are among the cryptocurrencies that Keona Clipper can steal. If a wallet address is found, it is instantly replaced in the clipboard with an address supplied by the threat actor.

How can one defend oneself against this danger?

Every cryptocurrency payment should be carefully checked: users should visually verify that the address pasted as the transaction's destination matches the one supplied by the payee. Private keys and wallet seeds should never be stored insecurely on any device; if feasible, keep them encrypted on a separate storage device or in a physical hardware wallet.

Security solutions should be deployed to detect the threat. We don't know the initial propagation vector for Keona, but we think it was emailed, so email-based protection must be in place. Users should also be made more aware of email fraud and phishing.

Finally, the operating system and all software running on it should be kept up to date and patched. If the malware is dropped and executed on the system via a well-known vulnerability, a patched system will almost certainly stop it.
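A host-side check for the clipboard swap described above, added here as an example (it is neither Cyble's code nor anything from Keona). It classifies clipboard contents by address family with regular expressions and flags the clipper's signature: an address replaced by a different address of the same family within seconds of the user's copy, with no user action in between. The address patterns, the two-second window and the sample timeline are this example's assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Address patterns for some of the coin families Keona targets. Constructed for
# this example: they accept the common formats and do not verify checksums, so
# a match only means "looks like an address of this family".
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

# A clipper overwrites the address as soon as it polls the clipboard, so a
# same-family replacement within this many seconds of the copy is suspicious
# (assumed threshold; a human copying two addresses takes longer).
SWAP_WINDOW_SECONDS = 2.0


class Snapshot(NamedTuple):
    t: float       # seconds since the monitor started
    text: str      # clipboard contents observed at that moment


class SwapAlert(NamedTuple):
    coin: str
    original: str
    replacement: str
    t: float


def classify(text: str) -> Optional[str]:
    """Return the coin family whose address format the text matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(history: List[Snapshot]) -> List[SwapAlert]:
    """Flag transitions where one address is replaced by a different address of
    the same family within SWAP_WINDOW_SECONDS of the previous snapshot."""
    alerts: List[SwapAlert] = []
    prev: Optional[Snapshot] = None
    for snap in history:
        coin = classify(snap.text)
        if prev is not None and coin is not None and classify(prev.text) == coin:
            changed = snap.text.strip() != prev.text.strip()
            quick = (snap.t - prev.t) <= SWAP_WINDOW_SECONDS
            if changed and quick:
                alerts.append(SwapAlert(coin, prev.text.strip(), snap.text.strip(), snap.t))
        prev = snap
    return alerts


# Constructed clipboard timeline: plain text, a legitimate ETH address, that
# address overwritten 0.3 s later, then an unrelated BTC address minutes on.
LEGIT_ETH = "0x" + "a" * 40
SWAPPED_ETH = "0x" + "b" * 40
LEGIT_BTC = "1ExAmpAddr" + "A" * 24
SAMPLE_HISTORY = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(1.0, LEGIT_ETH),
    Snapshot(1.3, SWAPPED_ETH),     # substituted without a user copy: alert
    Snapshot(180.0, LEGIT_BTC),     # different family, minutes later: no alert
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_HISTORY):
        print(f"[{a.t:.1f}s] {a.coin} address replaced: {a.original} -> {a.replacement}")
```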

Indian Crypto Users Duped Of Rs 1,000 Crore By Fake Exchange


CloudSEK researchers have identified a new scam called CoinEgg, which duped Indian investors of more than $128 million (nearly Rs 1,000 crore). 

“We discovered an on-going malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam,” the researchers explained in a blog post. 

The scammers set up several bogus domains mimicking crypto trading platforms, with the word 'CoinEgg' in them. "The sites are designed to replicate the official website's dashboard and user experience," the researchers stated, adding that the crypto scam is divided into seven phases.

After creating the fake domains, the scammers set up a fake female profile on social media to befriend the potential victim. This profile is used to entice the victim to invest in crypto and start trading, and it also offers a $100 gift voucher that will be credited once they invest in a specific crypto.

Once the victim registers and deposits funds on the exchange, the scammer freezes the account so the funds cannot be withdrawn, and disappears. The scam does not end there: in the final phase, when victims turn to other platforms to share their experience, the scammer uses other fake accounts to contact them while posing as investigators.

“To retrieve the frozen assets, they request victims to provide confidential information such as ID cards and bank details via email. These details are then used to perpetrate other nefarious activities,” the researchers said.

The researchers also identified two domains used by the scammers, both registered on GoDaddy on March 3, 2022, as part of a strategy of setting up several backup domains in case of a takedown.

Earlier this year, in March, the Pune City police's cybercrime cell detained two specialists, Pankaj Ghode (38) and Ravindranath Patil (45), a former IPS officer of the Jammu and Kashmir cadre, following an exhaustive probe that began in April 2021.

In 2018, Ghode and Patil assisted a Pune police Special Investigations squad in uncovering two multimillion-dollar Bitcoin Ponzi schemes. The pair transferred cryptocurrency recovered from the Gainbitcoin scam, then manipulated the screenshots of those transactions and handed them to the police as proof. The technical investigation, however, revealed that some bitcoins remained in the wallet in question and that Ghode had not informed the investigating officer about them.

Hackers Target Inverse Finance in a Flash Loan Oracle Attack


Inverse Finance, a decentralized autonomous organization (DAO), has suffered a flash loan attack in which hackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). This comes just two months after the DeFi protocol suffered an exploit in which hackers siphoned off $15.6 million through price oracle manipulation.

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said. 

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol that facilitates the borrowing and lending of cryptocurrencies. The latest exploit was a flash loan attack: the hackers took a large flash loan from a DeFi platform, used it to drive up the price of the crypto asset, withdrew against the inflated price, and repaid the loan within the same transaction.
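To make the price-oracle side of that attack concrete, an added toy model (not Inverse Finance's code): a constant-product pool, a spot-price oracle and a time-weighted average price (TWAP) oracle. It shows that a flash-loan-sized swap moves the spot price a hundredfold inside one transaction while a TWAP that samples only closed blocks does not move at all, which is why lending protocols should not price collateral off a single pool's spot price. Pool sizes, the loan size and the 10-block window are assumed; fees are not modelled.

```python
from collections import deque
from typing import Deque, Tuple


class ConstantProductPool:
    """Toy x*y=k AMM (assumed model). Price of A in units of B is reserve_b / reserve_a."""

    def __init__(self, reserve_a: float, reserve_b: float) -> None:
        self.reserve_a, self.reserve_b = reserve_a, reserve_b
        self.k = reserve_a * reserve_b

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell amount_b of B into the pool; returns the A received (price of A rises)."""
        new_b = self.reserve_b + amount_b
        new_a = self.k / new_b
        out_a = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return out_a

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the B received (price of A falls)."""
        new_a = self.reserve_a + amount_a
        new_b = self.k / new_a
        out_b = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = new_a, new_b
        return out_b


class TwapOracle:
    """Average of the prices recorded at the close of the last `window` blocks.
    A flash loan lives and dies inside one block, so its price spike is never
    part of the window when the lending protocol reads the oracle."""

    def __init__(self, window: int) -> None:
        self.samples: Deque[float] = deque(maxlen=window)

    def record_block_close(self, price: float) -> None:
        self.samples.append(price)

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


def flash_loan_price_shock(pool: ConstantProductPool, twap: TwapOracle,
                           loan_b: float) -> Tuple[float, float, float]:
    """One transaction: borrow loan_b of B, dump it into the pool, read what a spot
    oracle and the TWAP would report at that instant, unwind and repay.
    Returns (spot_before, spot_during, twap_during)."""
    spot_before = pool.spot_price()
    bought_a = pool.swap_b_for_a(loan_b)
    spot_during = pool.spot_price()      # what a naive spot oracle would hand the lender
    twap_during = twap.price()           # unchanged: the current block is not closed yet
    repaid_b = pool.swap_a_for_b(bought_a)
    if repaid_b < loan_b - 1e-9:
        raise RuntimeError("flash loan could not be repaid; transaction would revert")
    return spot_before, spot_during, twap_during


def build_scenario() -> Tuple[ConstantProductPool, TwapOracle]:
    """Constructed scenario: a thin 1,000 A / 1,000 B pool after ten quiet blocks."""
    pool = ConstantProductPool(1_000.0, 1_000.0)
    twap = TwapOracle(window=10)
    for _ in range(10):
        twap.record_block_close(pool.spot_price())
    return pool, twap


if __name__ == "__main__":
    pool, twap = build_scenario()
    before, during, averaged = flash_loan_price_shock(pool, twap, loan_b=9_000.0)
    print(f"spot before {before:.2f}, spot mid-transaction {during:.2f}, TWAP {averaged:.2f}")
```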

Upon discovering the attack, the DeFi protocol temporarily paused borrowing and removed the DOLA stablecoin from the money market, saying that it was investigating the incident and that no user funds were at risk.

It later confirmed that only the hacker’s deposited collateral was impacted in the incident. In a tweet, the company requested the attackers to return the funds in return for a “generous bounty”. 

In total, the hacker secured 99,976 USDT and 53.2 WBTC from the attacks. As soon as the hack succeeded, the attackers routed the funds through Tornado Cash, a cryptocurrency mixing (tumbling) protocol designed to obscure where funds came from, a service that is also popular for money laundering.

It should be noted that the significant rise of DeFi, which facilitates crypto-denominated lending outside traditional banking, has been a major factor in the increase in stolen funds and fraud. Threat actors have targeted DeFi platforms most of all, in yet another warning for those dabbling in this emerging segment of the crypto industry.

“DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike,” as per a report by Chainalysis. 

Last year, more stolen funds flowed to DeFi platforms (51 percent), while centralized exchanges received less than 15 percent of the total, Chainalysis wrote in its annual Crypto Crime report. "This is likely due to exchanges' embrace of AML and KYC processes, which threaten the anonymity of cybercriminals," the report added.