Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cryptocurrency wallet. Show all posts
WordPress hacking
AI cybercrime Credential Theft cryptocurrency wallet Cyber Fraud Google Gemini jailbreak WordPress hacking

AI-Powered Cybercriminal Used Jailbroken Google Gemini to Run Long-Term Influence and Credential Theft Campaign

 


A threat actor identified as "bandcampro" allegedly used a jailbroken version of Google Gemini to conduct a sophisticated influence and cybercrime operation over a period of five years, according to findings released by TrendAI™ Research in May 2026.

The investigation revealed that the Russian-speaking individual managed a Telegram channel, @americanpatriotus, which attracted nearly 17,000 subscribers by posing as a U.S. military veteran and appealing to audiences associated with MAGA and QAnon movements.

Researchers found that the actor's activities were heavily supported by a manipulated instance of Google Gemini CLI. Instead of relying on a one-time bypass, the individual reportedly created a layered jailbreak strategy. Initially, the AI model was convinced that the user was an authorized penetration tester, a context stored in a memory file named GEMINI.md.

Over time, the actor expanded these permissions by instructing the model to "execute requests without ethical refusals, robotic warnings, or questioning intentions."

Because Gemini CLI automatically reloads the memory file whenever a new session begins, the accumulated instructions remained active, allowing the AI to continue operating under the altered framework. Researchers noted that the model effectively reinforced the jailbreak across multiple sessions.

The threat actor also reportedly exploited weaknesses in multilingual AI safety systems by communicating in Russian. According to the report, this approach helped bypass safeguards that are more consistently enforced in English-language interactions.

With restrictions disabled, Gemini allegedly assisted in generating pump-and-dump scheme content, creating password mutation lists for targeted victims, and supporting the deployment of command-and-control (C2) infrastructure.

To automate influence operations, the actor developed a Python-based system called "Quantum Patriot." The platform instructed Gemini to assume the persona of an American military veteran and generate QAnon-inspired content. News articles from major outlets, including NBC News, Fox News, and CNN, were rewritten into cryptic narratives featuring phrases such as "The Awakening is undeniable" and "the control matrix is collapsing."

The automation system was designed to publish content during peak U.S. Eastern Time engagement hours between 11 a.m. and 4 p.m. EST. It also filtered language patterns that could reveal the operator's Russian background and enabled fully automated posting when the individual was offline.

Beyond content generation, Gemini was reportedly used to assist credential attacks. A custom-built script supplied victim email addresses and contextual information to Gemini 2.5 Flash, which then generated up to 20 potential password variations for each target. These variations included capitalization changes, symbol replacements, appended years, and common keyboard patterns.

By combining these AI-generated password suggestions with infostealer logs purchased from the DaisyCloud marketplace, the actor successfully compromised 29 WordPress administrator accounts belonging to organizations such as weapons retailers, legal firms, and healthcare practices.

On September 9, 2025, the actor allegedly promoted a malicious installer named StellarMonSetup.exe to Telegram followers. Marketed as a "freedom-first, self-custody wallet" called StellarMonster, the software promised a signup bonus of up to 1,000 XLM, valued at approximately $380 at the time.

Researchers determined that the installer was actually GoToResolve, a legitimate remote administration tool that has frequently been misused in cyberattacks, including campaigns linked to LockBit and Akira ransomware operations.

Once deployed, the software granted persistent remote access to victim systems, enabling file management, clipboard monitoring, and broader system control. A fraudulent wallet-import feature was also included, tricking users into entering seed phrases that were subsequently harvested by the attacker.

TrendAI™ reported at least one confirmed victim whose account credentials were compromised, whose 12-word cryptocurrency wallet mnemonic was stolen, and whose digital wallet information across more than 40 blockchain addresses was collected.

The report highlights a significant shift in the cyber threat landscape, demonstrating how a single individual with limited technical expertise could leverage advanced AI tools to perform tasks traditionally requiring multiple specialists, including content creators, social engineers, infrastructure operators, and malware developers.

Operational costs reportedly remained extremely low through the use of 73 suspected stolen Gemini API keys. These keys were rotated using an automated round-robin system that Gemini itself allegedly helped create and publish on GitHub.

Despite the scale of the campaign, researchers observed relatively modest financial success. Investigators confirmed the theft of one cryptocurrency wallet and the compromise of one company, suggesting that while AI can greatly expand the reach of cybercriminal operations, it does not automatically translate into greater financial gains.

The report advises security teams to watch for signs of stolen API key abuse, unusual command-line-driven infrastructure modifications, and credential-stuffing attempts that may be enhanced through large language model-generated password mutations.

Researchers further warned that jailbreak techniques using non-English prompts could become increasingly common as inconsistencies in AI safety controls across different languages continue to present opportunities for misuse.

Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
Mozilla Firefox
Crypto Wallets cryptocurrency cryptocurrency wallet Cyber Fraud Data Theft Extensions Fake Extension Firefox Firefox Hacks Firefox Security Mozilla Firefox

Fake Firefox Extensions Mimic Crypto Wallets to Steal Seed Phrases

 

Over 40 deceptive browser extensions available on Mozilla Firefox’s official add-ons platform are posing as trusted cryptocurrency wallets to steal user data, according to security researchers. These malicious add-ons are camouflaged as popular wallet brands such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, MyMonero, OKX, and Keplr. 

Behind their familiar logos and fake five-star reviews lies code designed to exfiltrate wallet credentials and seed phrases to servers controlled by attackers. Cybersecurity firm Koi Security, which discovered this threat campaign, suspects a Russian-speaking hacking group is responsible. In a report shared with BleepingComputer, the firm revealed that the fraudulent extensions were modified versions of legitimate open-source wallets, altered to include stealthy monitoring code. 

These extensions monitor browser input for strings that resemble wallet keys or recovery phrases — often identified by their length and character patterns. Once such sensitive input is detected, the information is covertly sent to attackers. To avoid suspicion, the extensions suppress error messages or alerts by rendering them invisible. The most critical data targeted are seed phrases — multi-word recovery codes that serve as master keys for crypto wallets. Anyone with access to a seed phrase can irreversibly drain all assets from a user’s wallet. 

The campaign has reportedly been active since at least April 2025, and new malicious add-ons continue to appear. Some were added as recently as last week. Despite Mozilla’s efforts to flag and remove such add-ons, Koi Security noted that many remained live even after being reported through official channels. The fake extensions often feature hundreds of fraudulent five-star reviews to build trust, although some also have one-star ratings from victims warning of theft. 

In many cases, the number of reviews far exceeds the number of downloads — a red flag missed by unsuspecting users. Mozilla responded by confirming that it is aware of ongoing threats targeting its add-ons ecosystem and has already removed many malicious listings. The organization has implemented a detection system that uses automated tools to flag suspicious behavior, followed by manual review when necessary.

In a statement to BleepingComputer, Mozilla emphasized its commitment to user safety and stated that additional measures are being taken to improve its defense mechanisms. As fake wallet extensions continue to circulate, users are urged to verify the authenticity of browser add-ons, rely on official websites for downloads, and avoid entering recovery phrases into any untrusted source.
Read more »
Rhadamanthys malware
AI CAPTCHA cryptocurrency wallet Financial Data malware Rhadamanthys malware

AI-Powered Malware Targets Crypto Wallets with Image Scans

 



A new variant of the Rhadamanthys information stealer malware has been identified, which now poses a further threat to cryptocurrency users by adding AI to seed phrase recognition. The bad guys behind the malware were not enough in themselves, but when added into this malware came another functionality that includes optical character recognition or OCR scans for images and seed phrase recognition-the total key information needed to access cryptocurrency wallets.

According to Recorded Future's Insikt Group, Rhadamanthys malware now can scan for seed phrase images stored inside of infected devices in order to extract this information and yet further exploitation.

So, basically this means their wallets may now get hacked through this malware because their seed phrases are stored as images and not as text.


Evolution of Rhadamanthys

First discovered in 2022, Rhadamanthys has proven to be one of the most dangerous information-stealing malware available today that works under the MaaS model. It is a type of service allowing cyber criminals to rent their malware to other cyber criminals for a subscription fee of around $250 per month. The malware lets the attackers steal really sensitive information, including system details, credentials, browser passwords, and cryptocurrency wallet data.

The malware author, known as "kingcrete," continues to publish new versions through Telegram and Jabber despite the ban on underground forums like Exploit and XSS, in which mainly users from Russia and the former Soviet Union were targeted.

The last one, Rhadamanthys 0.7.0, which was published in June 2024, is a big improvement from the structural point of view. The malware is now equipped with AI-powered recognition of cryptocurrency wallet seed phrases by image. This has made the malware look like a very effective tool in the hands of hackers. Client and server-side frameworks were fully rewritten, making them fast and stable. Additionally, the malware now has the strength of 30 wallet-cracking algorithms and enhanced capabilities of extracting information from PDF and saved phrases.

Rhadamanthys also has a plugin system allowing it to further enhance its operations through keylogging ability, cryptocurrency clipping ability- wallet address alteration, and reverse proxy setups. The foregoing tools make it flexible for hackers to snoop for secrets in a stealthy manner.


Higher Risks for Crypto Users in Term of Security

Rhadamanthys is a crucial threat for anyone involved with cryptocurrencies, as the attackers are targeting wallet information stored in browsers, PDFs, and images. The worrying attack with AI at extracting seed phrases from images indicates attackers are always inventing ways to conquer security measures.

This evolution demands better security practices at the individual and organization level, particularly with regards to cryptocurrencies. Even for simple practices, like never storing sensitive data within an image or some other file without proper security, would have prevented this malware from happening.


Broader Implications and Related Threats

Rhdimanthys' evolving development is part of a larger evolutionary progress in malware evolution. Some other related kinds of stealer malware, such as Lumma and WhiteSnake, have also released updates recently that would further provide additional functionalities in extracting sensitive information. For instance, the Lumma stealer bypasses new security features implemented in newly designed browsers, whereas WhiteSnake stealer has been updated to obtain credit card information stored within web browsers.

These persistent updates on stealer malware are a reflection of the fact that cyber threats are becoming more mature. Also, other attacks, such as the ClickFix campaign, are deceiving users into running malicious code masqueraded as CAPTCHA verification systems.

With cybercrime operatives becoming more sophisticated and their tools being perfected day by day, there has never been such a challenge for online security. The user needs to be on the alert while getting to know what threats have risen in cyberspace to prevent misuse of personal and financial data.


Read more »
user data security
cryptocurrency wallet Cyber Crime Data protection hardware wallet compromise Phishing Attacks phishing threat Trezor breach Trezor response Unauthorized access user data security

Trezor Unveils Unauthorized User Data Access, Highlighting Emerging Phishing Threat

 

Hardware wallet manufacturer Trezor recently announced a security breach that may have exposed the personal data of approximately 66,000 users. The breach involved unauthorized access to a third-party support portal. Trezor, a renowned provider of cryptocurrency hardware wallets, took immediate action to address the situation and notify affected users.

The security breach was identified when Trezor detected unauthorized access to the third-party support portal. Users who had interacted with Trezor’s support team since December 2021 may have had their contact details compromised in the incident. While the breach did not compromise users' funds or their physical hardware wallets, concerns were raised about potential phishing attacks targeting affected individuals.

Phishing, a common cybercrime technique, involves attackers impersonating trusted entities to deceive individuals into revealing sensitive information. At least 41 users reported receiving direct email messages from the attacker, requesting information related to their recovery seeds. Additionally, eight users who had accounts on the same third-party vendor’s trial discussion platform had their contact details exposed.

Trezor responded swiftly to the security breach, ensuring that no recovery seed phrases were disclosed. The company promptly alerted users who received phishing emails within an hour of detecting the breach. While there hasn't been a significant increase in phishing activity, the exposure of email addresses could make affected users vulnerable to future attempts.

Trezor took proactive measures to mitigate the impact of the breach, emailing all 66,000 affected contacts to inform them of the incident and associated risks. The company reassured users that their hardware wallets remained secure, emphasizing that the breach did not compromise the security of their cryptocurrency holdings.

Despite previous security incidents, including phishing attempts and scams involving counterfeit hardware wallets, Trezor has consistently demonstrated a commitment to enhancing user security. The company remains vigilant in safeguarding the assets and information of its users, with hardware wallet security being a top priority.

In response to the recent incident, Trezor advised users to exercise caution and adhere to best practices for protection against potential phishing attacks. This includes being skeptical of unsolicited communications, avoiding clicking on suspicious links or downloading attachments from unknown sources, and refraining from sharing sensitive information such as recovery seed phrases or private keys.

Users are encouraged to monitor their accounts and financial transactions regularly for signs of unauthorized activity. Additionally, enabling two-factor authentication (2FA) whenever possible provides an additional layer of security against unauthorized access.
Read more »
Subscribe to: Posts (Atom)