Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cryptocurrency theft. Show all posts
Siri Vulnerability
Apple Security Bluetooth Forensics Crypto Wallet cryptocurrency theft Cybercrime Investigation digital surveillance FakeWallet Campaign iOS security malware Siri Vulnerability

Apple Account Data and Bluetooth Signals Tie Suspect to Crypto Robbery


 

The App Store ecosystem has been infiltrated by a coordinated wave of fraudulent cryptocurrency wallet applications that exploit regional platform restrictions and user trust to steal credentials from iOS users. More than two dozen malicious apps have been identified as related to a campaign called "FakeWallet," which has been active since at least late 2025 and was designed to harvest passwords and private keys from unsuspecting users via the use of various malware programs.

During the early months of March, counterfeit wallet applications became prominent in search results within China’s App Store after they began appearing prominently in search results, posing a threat to the legitimacy of several legitimate crypto wallet services due to regulatory restrictions. 

In addition to replicating the trusted wallet branding, abusing typosquatting techniques and embedding deceptive prompts leading users towards unofficial wallet downloads, the campaign blurred the distinction between genuine financial tools and malicious software, significantly increasing iPhone users' chances of committing cryptocurrency theft. 

During technical analysis, Kaspersky determined that phishing applications were primarily used as delivery mechanisms for trojanized cryptocurrency wallet software to be installed via browsers. According to the researchers, malicious payloads are commonly embedded through third-party libraries embedded within the applications, despite several samples demonstrating direct modifications of the wallet code itself, indicating a more sophisticated level of tampering. 

Through reverse engineering, special routines have been found that can intercept and exfiltrate recovery phrases as well as seed phrases, while simultaneously manipulating the wallet restoration process for recovering hot wallets. The investigation also identified two separate implants targeting cold wallets hosted on Ledger, extending the campaign's scope beyond software-based assets to hardware wallet users as well. 

A counterfeit website impersonating Ledger's official platform was also discovered by researchers, which distributed malicious iOS application links and compromised Android wallet packages hosted on Chinese-language phishing websites outside of Google Play. It is unclear whether the malware modules had geographic enforcement mechanisms despite the infrastructure and linguistic indicators suggesting that Chinese-speaking victims were targeted. 

It is of concern that the campaign may easily be extended to international targets based on some phishing prompts that dynamically adapt to the language settings of the infected application. Furthermore, the operation has been linked to the previously identified SparkKitty malware cluster, which was discovered last year, based on overlapping distribution tactics, cryptocurrency-centered targeting patterns, Chinese-language debugging strings within the malicious code, and the inclusion of SparkKitty-related components within several analyzed programs. 

When the findings were disclosed to Apple, they were notified and the identified malicious applications have since been removed from the App Store. According to court records reviewed by Forbes, the incident occurred as a result of a targeted home invasion last month in Winnetka, where attackers allegedly used social engineering tactics to gain physical access to the victim's property. 

Investigators reported that a man impersonating a food delivery driver approached the residence and knocked on the front door before at least four armed accomplices gained access moments after the resident responded. Once inside, the group demanded access to a secure safe as well as credentials related to online cryptocurrency accounts, emphasizing the increasing convergence between the targeting of digital assets and conventional violent crimes.

A report by authorities indicates that the operation failed in achieving its intended objective after the victim escaped the residence, leading the suspects to depart the scene without obtaining any known cryptocurrency assets. 

In spite of the attempted robbery, organized groups have increasingly combined physical coercion with identity deception and intelligence-driven targeting to compromise high-value cryptocurrency holders. It is believed that the investigation developed into a broader criminal case involving Chicago rapper Lil Zay Osama, formally known as Isaiah Dukes, along with five additional suspects, were alleged to have kidnapped children and committed a violent cryptocurrency-related robbery. 

Dukes has entered a not guilty plea to the latest charges after previously serving a 14-month prison sentence for unlawful possession of a machine gun in 2024. According to reports, investigators used unconventional but highly effective digital forensics methods in order to identify members of the group after one suspect connected his iPhone to a stolen getaway vehicle's Bluetooth interface.

The combination of the infotainment pairing logs and the subpoenaed Apple records provided authorities with information that allowed them to locate the connected device in a iCloud account belonging to Tyrese Fenton-Watson. The discovery was significant as it demonstrated how telemetry generated by connected consumer technologies, such as smartphone synchronization and in-vehicle wireless systems, is becoming an increasingly important tool for criminal investigations in modern times.

Technology and cybersecurity landscapes were also subject to increasing scrutiny due to the emergence of artificial intelligence, surveillance practices, and digital governance concerns. Anthropic's reported intention to broaden access to its advanced "Mythos" model, which was originally restricted to approximately 40 organizations due to concerns surrounding misuse of the system and offensive security applications. This model is designed with large-scale cyber vulnerability discovery capabilities and is designed to detect cyber vulnerabilities on a large scale.

Reports in The Wall Street Journal indicated that the company hoped to expand its availability to approximately 120 companies, though White House officials expressed reservations about both national security implications and the potential strain on Anthropic's infrastructure and disruption of government access to the technology that could result from excessive external usage. 

In addition, further revelations indicated that the boundary between the deployment of AI, the privacy of users, and digital surveillance is increasingly blurred. In a report published by Wired, it was reported that the DHS had requested location and identification information from Google regarding a Canadian user who criticized the Trump administration, but it is unclear whether Google complied with this request. 

Additionally, Meta disclosed that Facebook and Instagram were using artificial intelligence-driven bone structure analysis to detect whether users are under the age of 13. According to security researcher Jeremiah Fowler, nearly 90,000 screenshots allegedly extracted from a celebrity's smartphone had been exposed as a result of spyware exposure, including sensitive photos, financial records, and private conversations, further illustrating the degree of personal data risks associated with commercial surveillance tools.

A significant amount of industry attention was also drawn to Forbes' publication of its eighth annual AI 50 ranking in partnership with Mayfield, highlighting some of the leading private AI firms, including Harvey and ElevenLabs, along with emerging startups, including Gamma, Chai Discovery, and Rogo. In addition, the AI 50 Brink list highlighted early-stage companies that were expected to compete effectively with more established companies. 

During the investigation, law enforcement agencies also recorded a notable operational success after cooperating with Meta and international authorities to dismantle nine cryptocurrency scam centers and arrest more than 275 individuals allegedly involved in fraudulent schemes targeting Americans. This marks a rare instance of coordinated action between the Department of Justice and China's Ministry of Public Security. 

A report alleging that workers employed by contractor Sama encountered explicit and sensitive footage while annotating video captured through Ray-Ban smart glasses prompted Meta to be subjected to renewed scrutiny for its privacy oversight. As a result of these allegations, Meta terminated its relationship with Sama shortly before terminating its agreement due to an unmet standard, a claim Sama denied publicly. 

Following the latest developments, the company issued a series of critical software updates to resolve vulnerabilities affecting Siri, the company's voice-based digital assistant, resulting in the potential for unauthorized access to sensitive user information on locked mobile devices. These updates further renewed attention to mobile device security. It was found that the assistant was capable of processing certain voice interactions even while the device was locked, allowing attackers who possessed iPhones or other Apple hardware to access contact information and additional private data without complete authentication if they had physical possession of the devices. 

As a result, Apple introduced security enhancements as a means of limiting Siri's functionality when devices are immobilized. By doing so, Apple reduces the likelihood that unauthorized commands may be executed while the device is immobilized as well as strengthening protections against physical access attacks. Several products within Apple's ecosystem, including iPhone, Apple Watch, iPadOS, and macOS Ventura systems, have been patched as part of broader platform security updates to mitigate the vulnerabilities.

Several software updates have been recommended to ensure that vulnerabilities are fully mitigated across all supported devices, including iOS 17.6 and iPadOS 17.6, by using the standard settings, general, and software update process. 

Collectively, these incidents reflect a rapidly evolving threat environment in which cybercrime, artificial intelligence, connected consumer technologies, and digital surveillance are becoming increasingly interconnected. This collection of cases illustrates how both attackers and law enforcement are leveraging the expanding data footprint created by modern devices and online services in order to infiltrate trusted app ecosystems with malicious cryptocurrency wallet campaigns as well as investigators using Bluetooth telemetry and cloud account records to investigate violent crimes. 

Furthermore, growing concerns surrounding the discovery of vulnerabilities using artificial intelligence, spyware-linked data exposure, biometric analysis, and voice assistant security continue to increase pressure for technology companies to strengthen platform security measures while maintaining a balance between privacy, accessibility, and operational transparency. 

Increasing sophistication and technical integration of cyber-enabled financial crime underscores the importance of proactive security updates, stricter application vetting, and enhanced awareness of consumers in increasingly interconnected digital ecosystems as cyber-enabled financial crime becomes more sophisticated and technologically integrated.
Read more »
Solana Security
Blockchain Exploit Crypto Laundering cryptocurrency theft cyber espionage Data Breach DeFi Security DPRK Cyber Attack Drift Protocol Hack Solana Security

Six Month DPRK Campaign Behind $285 Million Drift Cyber Theft


 

The Drift Protocol, widely considered to be the largest perpetual futures exchange operating on the Solana blockchain, became the focal point of a highly coordinated attack on April 1, 2026, which is rapidly turning into one of the most significant breaches in decentralized finance this year. 

In addition to revealing a vulnerability within one platform, this incident highlighted the sophistication of threat actors operating throughout the crypto ecosystem, which has increased over the years. Elliptic estimates that approximately $286 million was siphoned during the attack, with a pattern of transactions, asset movements, and laundering processes that resembled operations previously attributed to North Korean state-linked groups. 

The breach would represent the eighth incident of this type recorded during the current year alone, contributing to a cumulative loss of over $300 million, should attribution be formally established. In general, it is indicative of the persistence of a strategic campaign in which upwards of $6.5 billion in cryptoassets have been exfiltrated in recent years activity that has been repeatedly linked to the financing of the country's weapons development programs by U.S. authorities.

According to Elliptic's analysis released on Thursday, the $285 million exploitation event has multiple layers of alignment with operational patterns traditionally associated with North Korea's state-sponsored cyber units, making it the largest recorded incident this year. 

Not only is the sequence of transactions on the blockchain highlighted in the assessment, but also obfuscation techniques are systematically employed, including staging asset dispersal and laundering pathways that mimic prior state-linked campaigns. As well as telemetry and interaction signatures, network-level interactions strongly suggest that a coordinated, well-resourceful intrusion is more likely than an opportunistic one.

In response to the incident, Drift Protocol's native token has declined by more than 40 percent, trading near $0.06. This reflects both immediate liquidity concerns and broader concerns about the platform's security. 

Since Drift is the most significant decentralized perpetual futures exchange in the Solana ecosystem, the compromise has implications that go beyond a single protocol, and it raises new concerns about systemic risk, adversarial persistence, and the resilience of decentralized trading infrastructures in the face of sustained, state-aligned threat activities. 

A Drift Protocol internal assessment further suggests that the breach was the culmination of a deliberate and six-month intrusion campaign. The activity was attributed with moderate confidence to a North Korea-aligned threat cluster identified as UNC4736. 

There are numerous aliases for this actor, including AppleJeus, Citrine Sleet, Golden Chollima and Gleaming Pisces. This group has a long history of financial motivated intrusions within the cryptocurrency threat landscape, as evidenced by its track record of financial motivations. It is noteworthy that the group's past activity has been associated with high-impact incidents such as the X_TRADER and 3CX supply chain compromises of 2023 and the Radiant Capital breach of late 2024, both of which resulted in $53 million losses. 

As a consequence of Drift's analysis, transactional continuity and operational continuity can be demonstrated by observing the preparatory fund movements that were associated with the exploit that were traceable to earlier attacks. 

Additionally, the social engineering framework demonstrated measurable overlap with previously documented DPRK-linked campaigns in terms of persona construction and engagement tactics. This attribution is supported by independent threat intelligence reports. CrowdStrike's January 2026 assessment identifies Golden Chollima as an offshoot of the DPRK cyber apparatus that performs sustained cryptocurrency theft operations against smaller fintech companies throughout North America, Europe, and parts of Asia as part of its ongoing cyber warfare efforts. 

Based on the group's methodology, it appears that the group is pursuing consistent revenue streams through repeated, lower-profile compromises in favor of singular, high-profile events. In line with the regime’s broader strategic imperatives, cyber-enabled financial theft is seen as an effective means of balancing economic constraints and supporting long-term military and technological objectives. 

As observed, UNC4736 engages in social engineering with precision, as well as post-compromise technical depth. A documented case from late 2024 illustrates how the group utilized a fabricated recruitment campaign to distribute malicious Python packages, establishing a foothold in a fintech environment within Europe.

A lateral movement into cloud infrastructure enabled access to identity and access management configurations, which enabled diversion of digital assets to adversary-controlled wallets as a result of this access. It is becoming increasingly apparent, within this context, that the Drift incident is not merely an isolated exploit, but rather an intelligent intelligence operation that was conducted with patience and strategic intent. 

In collaboration with law enforcement agencies and forensic specialists, the platform is reconstructing the intrusion timeline, and initial indications suggest an organized progression from reconnaissance and access acquisition to staged execution and asset extraction. 

An examination of the larger operational ecosystem underpinning such campaigns reveals a highly structured, multinational workforce model designed to sustain long-term access and revenue generation. A distributed network of technical proficient individuals is employed by the program, many of whom operate in jurisdictions such as China and Russia. 

Through company-issued systems hosted in geographically dispersed laptop farms, including within the United States, employees are remote interacting with corporate environments. It is supported by an intermediary layer of facilitators who coordinate logistical tasks, which include handling devices, processing payroll, and establishing identity credentials, which are often orchestrated through shell entities aimed at obscuring attribution and bypassing regulatory scrutiny. 

In itself, the recruitment and placement pipeline exhibits a degree of operational maturity which is commonly associated with legitimate global hiring ecosystems. As part of the initial recruitment process, dedicated recruiters identify potential candidates, followed by a structured onboarding process in which curated identities are assigned and refined. 

Facilitators are responsible for managing professional profiles, directing summary development, and conducting targeted interview coaching, ensuring alignment with Western employers' expectations. The use of enhanced verification mechanisms involves the introduction of additional collaborators in order to satisfy compliance checks, thereby effectively bridging the gap between fabricated personas and real-world hiring requirements. This model relies on cryptocurrency for the financial backbone, allowing wages to be systematically repatriated while minimizing exposure to international sanctions. 

Furthermore, threat intelligence reports indicate that this workforce is deliberately transient by design. Employees frequently change roles, identities, and digital accounts, maintaining a fluid presence that complicates detection and attribution. 

By reducing exposure risk for a long period, constant churn enables continuous infiltration across multiple organizations simultaneously and reduces the risk of long-term exposure. A recent study indicates that the recruitment base has been expanded beyond traditional boundaries, with individuals from Iran, Syria, Lebanon, and Saudi Arabia actively participating in the program. 

A number of documented examples demonstrate the effectiveness of the model in advancing candidates from these regions through employment processes with U.S.-based employers. Within this framework, there has been an important development in the use of legitimate professional networking platforms to recruit auxiliary participants individuals who are responsible for performing real-time interactions such as technical interviews in under assumed identities. 

The participants, often trained and evaluated through recording sessions, serve as proxies for obtaining employment positions based upon fabricated Western personas. Such access can be used for a variety of intelligence purposes once embedded, as well as financial extraction. 

While monetary gains remain the primary motivation, the intentional targeting of sectors such as the defense contracting industry, financial services, and cryptocurrency infrastructure suggests a convergence of economic and strategic objectives.

In the aggregate, these developments reveal a highly sophisticated, multi-layered strategy that extends far beyond conventional cybercrime, blurring the distinction between the infiltration of workers, espionage activities, and financial operations carried out by the state. 

As a whole, the incident illustrates a convergence in advanced intrusion capabilities and increasingly institutionalized support architecture that goes beyond conventional definitions of cybercrime. A well-crafted exploit is not the only thing that emerged from the Drift breach, but a deeply embedded operational system that integrates financial theft with identity theft and worker infiltration. 

Considering how large the assets were exfiltrated, along with the precision with which transactions were staged and laundered, one can conclude that these campaigns were neither isolated nor opportunistic, but rather were part of an ongoing and adaptive model operating across jurisdictions, platforms, and regulatory environments.

As a result of the attribution indicators viewed together with historical activity, a continuity of intent and methodology has been identified that is consistent with long-observed DPRK-linked activity. In light of the interplay between on-chain movement patterns, infrastructure reuse, and human manipulation, a hybrid threat approach is being developed, which combines technical compromise with social engineering and operational deception. 

Through this dual-layered methodology, threat actors can not only amp up the effectiveness of individual attacks, but also enhance their persistence, making it possible for them to reconstitute revenue streams and access after partial disruptions. This instance highlights the inherent tension between innovation and security within rapidly evolving financial architectures, as well as its systemic implications for the broader digital asset ecosystem. 

As a result, critical questions emerge regarding trust assumptions within decentralized environments, the effectiveness of monitoring mechanisms for complex transaction flows, and the readiness of platforms to counter adversaries who operate both strategically and with state-level resources. In the coming months and years, the Drift incident is likely to be viewed less as a single breach and more as an example of state-administered cyber-financial operations maturing. 

Throughout the digital domain, economic objectives, geopolitical strategies, and technical execution are increasingly converged. This is creating a threat landscape that challenges traditional defensive models and requires both industry and government stakeholders to respond more intelligently and integrated. 

Accordingly, the Drift incident illustrates the emergence of highly sophisticated intrusion capabilities and an increasingly formalized operational ecosystem that is well beyond the traditional frameworks used by cybercriminals. In addition to the exploitation of a technically complex exploit, the breach reveals the existence of a larger, deeply embedded apparatus that, in its unified and scalable form, systematically combine financial extraction, identity manipulation, and workforce infiltration.

With such a large amount of asset exfiltration combined with calculated sequencing of fund movements and obfuscation, it is evident that such operations are deliberate, repeatable, and designed to operate across diverse regulatory and technological environments. Upon contextualization with prior activity, the attribution signals suggest a consistent alignment of intent and execution, consistent with long-documented DPRK-linked campaigns. 

As a consequence of the correlation between on-chain behavioral patterns, reuse of operational infrastructure, and coordinated human-centric tactics, it is apparent that a hybrid threat model is being developed in which technical compromise and controlled deception are inseparable. 

As a result of this layered approach, operational success rates are increased as well as resilience is achieved, enabling threat actors to re-establish footholds and maintain financial output even in the event of partial exposure or disruption. This has material implications for the wider ecosystem of digital assets. 

A prominent decentralized derivatives platform has been compromised, bringing into sharp relief the inherent trade-off between rapid innovation in financial markets and robust security measures. As a result, decentralized systems are once again in the spotlight, causing us to examine the role trust plays within them, the effectiveness of existing transaction monitoring frameworks, and the overall readiness of platforms to combat adversaries who have strategic foresight and state backing. 

In time, as investigations progress and details of attribution become clearer, the breach may serve as a useful historical reference point for understanding how state-aligned cyber-financial operations have changed over time. 

Economic imperatives, geopolitical objectives, and technical sophistication are now convergent within the cyber domain, which is redefining threat paradigms and reinforcing the need for coordinated, intelligence-driven defense strategies both within the public and private sectors.
Read more »
Hackers
crypto theft 2025 cryptocurrency theft cyber attack Cyber Attacks Hackers

Crypto Thefts Hit Record $2.7 Billion in 2025

 

Hackers stole more than $2.7 billion in cryptocurrency in 2025, setting a new annual record for crypto-related thefts, according to data from multiple blockchain monitoring firms. 

The losses were driven by dozens of attacks on cryptocurrency exchanges and decentralized finance projects during the year. The largest incident was a breach at Dubai-based exchange Bybit, where attackers made off with about $1.4 billion worth of digital assets. 

Blockchain analysis firms and the FBI have attributed the attack to North Korean state-backed hackers, who have become the most prolific crypto thieves in recent years. 

The Bybit breach was the biggest known cryptocurrency theft to date and ranks among the largest financial heists on record. Previous major crypto hacks include the 2022 attacks on Ronin Network and Poly Network, which resulted in losses of $624 million and $611 million, respectively. 

Blockchain analytics firms Chainalysis and TRM Labs both estimated total crypto thefts at around $2.7 billion in 2025. Chainalysis said it also tracked an additional $700,000 stolen from individual crypto wallets. 

Web3 security firm De.Fi, which maintains the REKT database of crypto exploits, reported a similar total. North Korean hackers accounted for the majority of losses, stealing at least $2 billion during the year, according to Chainalysis and Elliptic. 

Elliptic estimates that North Korean-linked groups have stolen roughly $6 billion in cryptocurrency since 2017, funds that analysts say are used to support the country’s sanctioned nuclear weapons program. 

Other significant incidents in 2025 included a $223 million hack of decentralized exchange Cetus, a $128 million breach at Ethereum-based protocol Balancer, and a theft of more than $73 million from crypto exchange Phemex. 

Crypto-related cybercrime has continued to rise in recent years. Hackers stole about $2.2 billion in digital assets in 2024 and roughly $2 billion in 2023, underscoring persistent security challenges across the cryptocurrency ecosystem.
Read more »
North Korean Hackers
Bybit crypto hack cryptocurrency theft Cyber Attacks DPRK nuclear funding fake remote tech jobs North Korea cyberattacks North Korean Hackers

North Korean Hackers Steal Billions Through Crypto Heists and Fake Remote Jobs to Fund Nuclear Program, Report Reveals

 

North Korean hackers have siphoned off billions of dollars by breaching cryptocurrency exchanges and using false identities to secure remote tech jobs abroad, according to a new international assessment of the country’s cyber operations.

The 138-page report, released by the Multilateral Sanctions Monitoring Team—a coalition including the U.S. and 10 allied nations—found that Pyongyang’s government directs these covert schemes to bankroll its nuclear weapons research and development. The group was established last year to track North Korea’s adherence to U.N. sanctions.

The findings reveal that North Korea has leveraged cryptocurrencies to launder illicit funds and procure military equipment, effectively evading global restrictions tied to its nuclear ambitions. Investigators noted that hackers linked to Pyongyang routinely deploy malware against international corporations and institutions, aiming to disrupt systems and exfiltrate sensitive data.

Despite its isolation and limited economic power, North Korea has made substantial investments in offensive cyber warfare, achieving a level of sophistication that rivals China and Russia, the report concluded. Unlike other major cyber actors such as China, Russia, and Iran, North Korea primarily uses its hacking operations as a financial lifeline—employing cyberattacks and fake employees to generate state revenue.

The report further stated that, aided by actors in Russia and China, North Korea’s cyber campaigns have “been directly linked to the destruction of physical computer equipment, endangerment of human lives, private citizens’ loss of assets and property, and funding for the DPRK’s unlawful weapons of mass destruction and ballistic missile programs.”

The monitoring team—comprising the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom—was created after Russia vetoed a U.N. Security Council resolution that previously empowered a panel of experts to oversee North Korea’s sanctions compliance. Its initial report in May examined North Korea’s military aid to Russia.

Earlier this year, hackers tied to North Korea executed one of the largest cryptocurrency thefts in history, stealing $1.5 billion in Ethereum from the exchange Bybit. The FBI later attributed the theft to a hacker collective operating under North Korea’s intelligence agency.

U.S. authorities have also alleged that thousands of North Korean IT professionals are secretly employed by American companies using stolen or fabricated identities. These workers allegedly infiltrate internal systems and redirect their earnings back to the North Korean regime—sometimes juggling multiple remote jobs simultaneously.

A request for comment sent to North Korea’s mission to the U.N. on Wednesday went unanswered.
Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
Malware Attack
Crypto Platform cryptocurrency cryptocurrency security cryptocurrency theft Cyber Attacks Digital Assets Lazarus Group Lazarus Group attack Malware Attack

Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange

 

Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attack exploited vulnerabilities during a system update, enabling the unauthorized withdrawal of funds from a legacy hot wallet spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain, making recovery and tracing more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

However, the attackers used social engineering tactics to infect a cloud administrator’s device with malware. This allowed them to steal AWS session tokens, bypass multi-factor authentication, and gain unauthorized access to BitoPro’s cloud infrastructure. From there, they were able to insert scripts directly into the hot wallet system and carry out the theft while mimicking legitimate activity to avoid early detection. 

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.
Read more »
social media scams
cryptocurrency theft cybercrime syndicate information stealers malware social media scams

Crazy Evil Gang Strikes Crypto Sector with StealC, AMOS, and Angel Drainer Malware

 


A Russian-speaking cybercrime syndicate, Crazy Evil, has been tied to more than 10 active social media scams, employing diverse tactics to trick victims into installing malicious software such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.

"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil operates a sophisticated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing sites," stated Recorded Future's Insikt Group in their analysis.

The group's varied malware arsenal indicates that its targets include both Windows and macOS users, posing a significant threat to the decentralized finance sector.

Crazy Evil, active since at least 2021, mainly operates as a traffer team, redirecting legitimate traffic to fraudulent landing pages controlled by other criminal entities. It is allegedly managed by a figure known as @AbrahamCrazyEvil on Telegram, where the group has over 4,800 subscribers (@CrazyEvilCorp).

Unlike typical scams that create counterfeit shopping websites for fraudulent transactions, Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment card information, and online banking credentials. The group is believed to have generated over $5 million in illicit revenue, impacting thousands of devices worldwide.

The group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLove—which were previously associated with a ClickFix campaign involving fake Google Meet pages in October 2024.

"Crazy Evil explicitly targets the cryptocurrency sector with custom spear-phishing lures," Recorded Future noted. "Crazy Evil traffers often spend days or even weeks scouting operations, identifying targets, and initiating engagements."

In addition to orchestrating attacks that deliveThe group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLover information stealers and wallet-draining malware, the group's leaders offer training materials and guidance for traffers, alongside an affiliate structure to delegate operations.

Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years, with its operations centered around Telegram. New recruits are guided by a Telegram bot controlled by the threat actor to various private channels, such as:

  • Payments: Announcing earnings for traffers
  • Logbar: Tracking information-stealer attacks and stolen data
  • Info: Offering regular updates on administrative and technical matters
  • Global Chat: A central space for communication, from work-related topics to casual discussions
The group operates through six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each responsible for specific scams involving the installation of malicious tools via fake websites.

"As Crazy Evil continues to thrive, other cybercriminal groups are likely to mimic its tactics, urging security teams to stay alert to avoid large-scale breaches and loss of trust within the cryptocurrency, gaming, and software sectors," said Recorded Future.

This revelation follows the discovery of a traffic distribution system (TDS) named TAG-124, which overlaps with activity clusters linked to multiple threat groups, including Rhysida ransomware, Interlock ransomware, and SocGholish. This TDS is used in initial infection chains to distribute malware, such as the Remcos RAT and CleanUpLoader, which serves as a conduit for both Rhysida and Interlock ransomware.

"TAG-124 is composed of compromised WordPress sites, actor-controlled payload servers, and additional components," explained Recorded Future. "When specific criteria are met, these sites display fake Google Chrome update landing pages, leading to malware infections."

The use of TAG-124 further links Rhysida and Interlock ransomware strains, with newer variants employing the ClickFix technique, which instructs visitors to execute a command copied to their clipboard to trigger the malware infection.

Compromised WordPress sites, totaling over 10,000, have been used to distribute AMOS and SocGholish as part of client-side attacks.

"JavaScript loaded in the user's browser generates a fake page within an iframe," said researcher Himanshu Anand. "Attackers exploit outdated WordPress versions and plugins to avoid detection by websites lacking client-side monitoring tools."

Additionally, threat actors have leveraged the trust in platforms like GitHub to distribute malicious installers leading to the deployment of Lumma Stealer and other payloads, including SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

Trend Micro highlighted that this activity shares similarities with the tactics used by the threat actor Stargazer Goblin, known for utilizing GitHub repositories for payload distribution. However, the key difference is that the infection chain begins with compromised websites that redirect to malicious GitHub release links.

"The Lumma Stealer distribution method is evolving, with the attacker now using GitHub repositories to host malware," said security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.

"The malware-as-a-service (MaaS) model makes it easier for cybercriminals to execute sophisticated cyberattacks, simplifying the spread of threats like Lumma Stealer."

In a comment to The Hacker News, Antonis Terefos, a reverse engineer at Check Point Research, noted that the Stargazer Goblin group has been observed "shifting from Atlantida Stealer to Lumma, and testing other stealers."
Read more »
South Korea
cryptocurrency cryptocurrency theft cyber espionage Cyber Security IT Industry North Korea North Korea Hackers South Korea

Sanctions Imposed on North Korean Cyber Activities Supporting Nuclear Ambitions

 

South Korea has announced sanctions against 15 North Korean nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for orchestrating schemes that finance North Korea’s nuclear weapons and missile programs. These measures target a global network involved in IT job fraud, cryptocurrency theft, and cyberattacks. 

The sanctioned individuals are linked to the 313th General Bureau, a division of North Korea’s Ministry of Munitions Industry. This bureau oversees the production and development of weapons and ballistic missiles. According to South Korea’s Peninsula Policy Bureau, these operatives are dispatched to countries such as China, Russia, Southeast Asia, and Africa. Using fake identities, they secure positions in international IT companies, generating revenue funneled back to the regime. 

Central to this operation is the Chosun Geumjeong Economic Information Technology Exchange Corporation. This organization plays a critical role by deploying IT professionals abroad and channeling significant financial resources to North Korea’s military projects. In recent years, North Korean operatives have increasingly infiltrated Western companies by posing as IT workers. This tactic not only generates revenue for the regime but also enables cyber espionage and theft. These workers have been found installing malware, stealing sensitive company data, and misappropriating funds. Some have even attempted to infiltrate secure software development environments. 

Despite the gravity of these actions, the stigma associated with hiring fraudulent workers has led many companies to keep such breaches private, leaving the true scope of the issue largely unknown. Additionally, South Korea accuses North Korea of being a major player in global cryptocurrency theft. A 2024 United Nations report found that North Korean hackers carried out 58 cyberattacks against cryptocurrency firms between 2017 and 2023, amassing approximately $3 billion in stolen funds. North Korean nationals have also reportedly violated international sanctions by earning income through employment in various industries, including construction and hospitality. 

These activities pose significant risks to the global cybersecurity landscape and international stability. South Korea asserts that the funds generated through these operations directly support North Korea’s nuclear and missile programs, emphasizing the need for a unified international response. By imposing these sanctions, South Korea aims to disrupt North Korea’s illicit financial networks and mitigate the broader risks posed by its cyber activities. 

This marks a crucial step in the global effort to counter the threats associated with Pyongyang’s nuclear ambitions and its exploitation of cyberspace for financial gain.
Read more »
Scammer
AWS Crypto Phishing cryptocurrency cryptocurrency theft Cyber Attacks Fake Emails Ledger Phishing scam Scammer

Ledger Phishing Scam Targets Cryptocurrency Wallets

 


A sophisticated phishing email campaign has emerged, targeting cryptocurrency users by impersonating Ledger, a prominent hardware wallet provider. These fraudulent emails claim that the recipient’s Ledger wallet seed phrase — also known as a recovery or mnemonic seed — has been compromised. In an attempt to secure their funds, users are directed to a so-called “secure verification tool” where they are asked to confirm their seed phrase. The phishing emails appear convincing, offering a “Verify my recovery phrase” button. Clicking this button redirects victims through an Amazon Web Services (AWS) website to a fake domain, “ledger-recovery[.]info.”

Once users enter their seed phrase on this page, the attackers capture the information, granting them full access to the victims’ cryptocurrency wallets. A recovery phrase, typically consisting of 12 or 24 random words, acts as the key to accessing a wallet’s funds. The importance of keeping this phrase private and offline cannot be overstated. By stealing these phrases, the attackers gain control of the wallets and can siphon all funds, leaving victims with no recourse.

To increase the scam’s credibility, the phishing site includes several deceptive features. For example, it accepts only valid seed phrase words from a predetermined list of 2,048 options. Regardless of the entered data, the site falsely informs users that their phrase is incorrect, encouraging them to re-enter their information multiple times and ensuring the attackers receive accurate details.

The Evolving Nature of Phishing Scams

This phishing attempt highlights the evolving sophistication of such scams. In the past, phishing emails were often marred by poor grammar or clumsy wording, making them easier to spot. However, with advancements in generative artificial intelligence, scammers can now produce polished and professional-looking messages. In this instance, one of the few red flags was the use of the SendGrid email marketing platform and the redirection through an AWS website, which sharp-eyed recipients might notice.

While it remains unclear how many individuals fell victim to this scheme, any user who shared their seed phrase likely lost their funds permanently. This incident underscores the importance of exercising caution and maintaining strict security protocols when handling sensitive information like recovery phrases.

How to Protect Your Cryptocurrency Wallet

Cryptocurrency users are advised to verify communications directly through official sources and avoid clicking on links in unsolicited emails. Recovery phrases should never be shared online, as doing so compromises the entire wallet’s security. With scams becoming increasingly sophisticated, vigilance and education are crucial in safeguarding digital assets.

Read more »
spear-phishing
Check Point research copyright scam cryptocurrency theft Cybersecurity Detection Infostealer malware phishing protection Rhadamanthys malware spear-phishing

Global Companies Targeted by "CopyR(ight)hadamantys" Phishing Scam Using Advanced Infostealer Malware

 

Hundreds of organizations worldwide have recently fallen victim to a sophisticated spear-phishing campaign, where emails falsely claiming copyright infringement are used to deliver an advanced infostealer malware.

Since July, Check Point Research has tracked the distribution of these emails across regions like the Americas, Europe, and Southeast Asia. Each email originates from a unique domain, and hundreds of Check Point’s clients have been targeted, suggesting the campaign's scope may be even broader.

The emails are designed to provoke recipients into downloading Rhadamanthys, a powerful infostealer capable of extracting sensitive data, such as cryptocurrency wallet information. Check Point researchers refer to the campaign as "CopyR(ight)hadamantys" and note the use of automated tools to send emails from different addresses. This automation can lead to awkward results, such as emails written in incorrect languages, limiting the emails’ ability to impersonate recognizable brands effectively. Roughly 70% of impersonated companies belong to the tech or media and entertainment sectors, including Check Point itself.

The phishing emails claim that the recipient has violated copyright laws by posting unauthorized content online. According to Sergey Shykevich, threat intelligence manager at Check Point, these accusations often cause recipients to question if they mistakenly used copyrighted material, increasing the chance they'll download the malware.

Recipients are directed to download a password-protected file, which contains a link leading to Dropbox or Discord. This file holds a decoy document, a legitimate program, and a malicious DLL (dynamic link library) that installs Rhadamanthys. Rhadamanthys stands out as one of the most sophisticated information-stealing tools sold on the dark web, priced around $1,000—significantly higher than other infostealers, which typically range from $100 to $200. Rhadamanthys is known for its modularity, obfuscation, and stealth, making detection much more challenging.

One notable feature of Rhadamanthys is its machine-learning-based OCR (optical character recognition) component. While limited in capability—it struggles with complex fonts and handwriting—this feature allows it to extract information from images and PDF files. The OCR module in the current campaign contains a dictionary of words tied to Bitcoin wallet security, suggesting a focus on cryptocurrency theft.

The CopyR(ight)hadamantys campaign aligns with financially motivated tactics, but Rhadamanthys has also been linked to state-sponsored actors, including Iran’s Void Manticore and the pro-Palestinian Handala group. Organizations are advised to enhance phishing defenses, though this campaign has an additional, unusual feature.

Once deployed, the malicious DLL creates a much larger file in the user’s Documents folder, disguised as a Firefox component. This larger version, though identical in function, uses an "overlay" of excess data, which serves two purposes: altering the file’s hash value, and potentially avoiding antivirus detection by exploiting a tendency of some programs to skip scanning large files.

According to Shykevich, organizations should monitor unusually large files downloaded via email, though legitimate files may also be large. He believes implementing effective download rules could help combat this tactic.
Read more »
Web3 news
crpto theft cryptocurrency scam cryptocurrency theft Cyber secu Google Play fake apps Latest Cybersecurity news Web3 news

Crypto Wallet App on Google Play Steals $70,000 from Mobile Users

 

A fake crypto wallet draining app on Google Play has stolen USD 70,000 from users, making it the first case where mobile users were specifically targeted by such a scam. The app stayed active for several months before being discovered, according to a report from Check Point Research. 

The app pretended to be a real crypto wallet service, tricking more than 10,000 users into downloading it. What made the scam effective was its professional appearance, which included consistent branding and fake positive reviews. These tactics helped the app rank high in Google Play’s search results, making it seem trustworthy to people looking for a secure place to store their cryptocurrency. 

Once users installed the app, it was able to quietly drain funds from their wallets without being noticed right away. This case stands out because, up until now, most crypto wallet attacks have focused on desktop or browser-based platforms. This marks a shift, as cybercriminals are now targeting the growing number of people who use mobile platforms for crypto transactions. 

The app’s ability to avoid detection for such a long time shows how advanced cybercriminal tactics have become. It also highlights the need for greater caution among users when downloading apps, even from trusted platforms like Google Play. This scam underscores the importance of stronger security measures for mobile transactions, such as using verified wallets and enabling two-factor authentication. 

It also calls attention to the need for better app screening by platforms like Google Play to prevent such scams from reaching users in the first place. Though the amount stolen may seem small compared to other crypto thefts, this case is significant because it shows how cybercriminals are adapting to target mobile users as cryptocurrency becomes more popular.
Read more »
data security
Bounty CERT-In Crypto Funds cryptocurrency cryptocurrency theft Customer Information Cyber Attacks data security

WazirX Responds to Major Cyberattack with Trading Halt and Bounty Program

 

In the wake of a significant cyberattack, WazirX, one of India’s foremost cryptocurrency exchanges, has taken drastic measures to mitigate the damage. The exchange announced a halt in trading and introduced a bounty program aimed at recovering stolen assets. This attack has severely impacted their ability to maintain 1:1 collateral with assets, necessitating immediate action. 

In a series of posts on X, WazirX detailed their response to the breach. They have filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. Co-founder Nischal Shetty emphasized the urgency of the situation, stating that the exchange is reaching out to over 500 other exchanges to block the identified addresses associated with the stolen funds. This broad collaboration is essential as the stolen assets move through various platforms. 

To further their recovery efforts, WazirX is launching a bounty program to incentivize individuals and entities to help freeze or recover the stolen assets. This initiative is part of a broader strategy to trace the stolen funds and enhance the security measures of the exchange. The team is also consulting with several expert groups specializing in cryptocurrency transaction tracking to provide continuous monitoring and support during the recovery process. The exchange expressed gratitude for the support from the broader Web3 ecosystem, underscoring the need for a collective effort to resolve the issue and maintain the integrity of the Web3 community. 

Shetty mentioned that the team is conducting a thorough analysis to understand the extent of the damage caused by the attack. This analysis is crucial for developing an effective recovery plan and ensuring that all possible measures are taken to protect customer funds. In addition to their internal efforts, WazirX is working closely with forensic experts and law enforcement agencies to identify and apprehend the perpetrators. This collaboration aims to ensure that those responsible are brought to justice and that as many stolen assets as possible are recovered. 

The cyberattack has resulted in a substantial loss of approximately $235 million, making it one of the largest hacks of a centralized exchange in recent history. Crypto investigator ZachXBT revealed that the main attacker’s wallet still holds over $104 million in funds, which have yet to be offloaded. 

This highlights the ongoing challenges and complexities of securing digital assets in the ever-evolving cryptocurrency landscape. WazirX’s proactive measures and the support from the broader community will be crucial in navigating this crisis and reinforcing the security frameworks essential for the future of cryptocurrency exchanges.
Read more »
North Korea Hackers
Crypto Hacking cryptocurrency cryptocurrency theft Cyber Security Finance North Korea Hackers

The Week of Crypto Platform Breaches: Prisma Finance Incident Highlights

 

The past week witnessed a series of bewildering events in the realm of cryptocurrency, marked by breaches on two prominent platforms that left the crypto community grappling with perplexing motives and unexpected outcomes. 

The first incident unfolded on Tuesday evening when the Munchables blockchain-based game fell victim to an attack, resulting in the theft of approximately $62 million worth of cryptocurrency. Initial speculation pointed towards North Korea-linked hackers, given the country's history of targeting cryptocurrency platforms for financial gain. However, the situation took an unexpected turn when the alleged perpetrator voluntarily returned the stolen funds without any ransom demands. 

In a surprising twist, Munchables shared that the individual behind the attack had relinquished access to the private keys containing the stolen funds, expressing gratitude for their cooperation. Despite this resolution, questions lingered about the circumstances surrounding the incident, including the attacker's identity and motives, prompting calls for enhanced security measures within the crypto community. Shortly thereafter, another breach occurred on Thursday evening, this time affecting Prisma Finance, a popular decentralized finance (DeFi) platform, which suffered a loss of approximately $11.6 million. 

However, the aftermath of this breach was marked by cryptic messages from the hacker, who claimed the attack was a "white hat" endeavour aimed at highlighting vulnerabilities in the platform's smart contracts. The hacker, whose identity remained undisclosed, reached out to Prisma Finance seeking to return the stolen funds and engaging in a discourse about smart contract auditing and developer responsibilities. 

Despite the hacker's apparent altruistic intentions, the incident underscored the importance of rigorous security measures and comprehensive audits in the DeFi space. Prisma Finance later released a post-mortem report detailing the flash loan attack that led to the breach, shedding light on the exploitation of vulnerabilities in the platform. The report emphasized ongoing efforts to investigate the incident and ensure the safety of users' funds, highlighting the collaborative nature of the crypto community in addressing security breaches. 

These breaches come against the backdrop of heightened scrutiny of cyberattacks on cryptocurrency platforms, with a recent United Nations report identifying North Korean hackers as key perpetrators. The report highlighted a staggering $3 billion in illicit gains attributed to North Korean cyberattacks over a six-year period, underscoring the persistent threat posed by state-sponsored hackers in the crypto space. 

As the investigation into these breaches continues, the crypto community remains vigilant, emphasizing the importance of robust security measures and proactive collaboration to safeguard against future threats. While the motives behind these breaches may remain shrouded in mystery, the incidents serve as a stark reminder of the ever-present risks associated with digital assets and the imperative of maintaining heightened security protocols in the evolving landscape of cryptocurrency.
Read more »
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
security measures
Axie Infinity co-founder crypto community cryptocurrency theft Cyber Security Cybersecurity Breach Digital Assets Hackers personal accounts security measures

Hackers Steal Nearly $10 Million from Axie Infinity Co-founder’s Personal Accounts

 

A significant amount of cryptocurrency, valued at nearly $10 million, has been reported stolen from personal accounts belonging to Jeff "Jihoz" Zirlin, one of the co-founders associated with the video game Axie Infinity and its affiliated Ronin Network.

According to reports, Zirlin's wallets were compromised, resulting in the theft of 3,248 ethereum coins, equivalent to approximately $9.7 million. Zirlin took to social media to confirm the incident, stating that two of his accounts had been breached. 

However, he emphasized that the attack solely targeted his personal accounts and did not affect the validation or operations of the Ronin chain or Axie Infinity,as reiterated by Aleksander Larsen, another co-founder of the Ronin Network.

The method through which the intruders gained access to Zirlin's wallets remains unclear. The Ronin Network serves as the underlying infrastructure for Axie Infinity, a game renowned for its play-to-earn model based on ethereum, particularly popular in Southeast Asia. 

Notably, the system had previously fallen victim to a $600 million cryptocurrency heist in March 2022, an attack attributed by U.S. prosecutors to the Lazarus Group, a cybercrime operation allegedly backed by North Korea.

Analysts tracking the recent theft traced the stolen funds to activity on Tornado Cash, a cryptocurrency mixer designed to obfuscate the origin of funds. It's worth noting that Lazarus had previously utilized this mixer to launder proceeds from the 2022 hack. The U.S. government, in response, had separately imposed sanctions on Tornado Cash.

Blockchain investigator PeckShield described the incident as a "wallet compromise," indicating a breach in security measures. Despite the breach, Zirlin assured stakeholders of the stringent security protocols in place for all activities related to the Ronin chain.
Read more »
Subscribe to: Posts (Atom)