Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label cryptocurrency. Show all posts
human trafficking scams
cryptocurrency Cyber Fraud Cyber Scams CyberCrime Cybersecurity Digital Arrest Digital Crime Digital Slavery global cybercrime human trafficking scams

The Rise of Digital Slavery in the Age of Global Cybercrime

 


A growing number of cybercriminals are becoming more sophisticated and dangerous in the hyperconnected digital world of today. These criminals use advanced methods to exploit individuals and organisations who are not expecting them. To lure victims into divulging confidential information, perpetrators often disguise themselves as legitimate individuals—posing as bank officials, customer service representatives, or company executives—to deceive them into disclosing confidential information voluntarily. 

Social engineering is an effective way for fraudsters to manipulate emotions, exploit trust, and overcome even the most vigilant security measures. Once these fraudsters have gained access to critical information such as banking credentials, personal identification numbers, or login details, they begin stealing identities, engaging in financial fraud, and causing large-scale data breaches as a result. As a result, this cybercrime threat is particularly alarming because it is relentlessly adaptable. 

Cyberfraud, in its current form, has evolved not only from isolated phishing attempts but has also developed into a worldwide threat that is well-organised and is constantly changing as time goes on. With the rise of digital platforms, both personal and professional, there has never been a greater urgency to recognise, detect, and fight cyber fraud. 

Digital organised crime has begun to emerge as a new frontier in the digital world, where cyber slavery is emerging as a widespread and deeply concealed problem, which is an alarming development. Rather than being isolated incidents, this growing phenomenon is structured, transnational, and profit-driven, with credible investigations revealing that in so-called "scam compounds," thousands of people are held against their will. 

They are often duped into accepting fake work offers and trafficked across borders, thus forcing them to carry out large-scale online fraud operations under inhumane conditions, ranging from phishing scams to cryptocurrency scams, which are implemented by politicians and businesses alike. Many of the spam messages or suspicious links that appear to the average user to be harmless are, in fact, the product of forced labour that is orchestrated by criminal syndicates. 

In light of this troubling intersection between human trafficking and digital fraud, it is imperative that we raise global awareness, intervene with policy, and cooperate with each other so these hidden networks of exploitation will cease to operate. An opportunity that seems promising at first glance can, with a single click, plunge an unsuspecting applicant into captivity and brutal exploitation, even if it seems to offer a promising salary, flexible working schedules, and the allure of a new start abroad. 

Currently, cyberslavery encompasses several groups of victims: those deceived by online scams, as well as those who are forced to run those very scams due to their trafficking, confinement, and exploitation. It is known that these individuals are enticed to work for counterfeit companies, transported across borders, stripped of their travel documents, and locked inside secure compounds where they are forced to engage in phishing scams, romance scams, and cryptocurrency scams under constant threat of violence, and that the rapid expansion of this phenomenon is directly connected to modern connectivity. 

There was a time when limited bandwidth curtailed large-scale abuses, but today's high-speed internet, encrypted messaging apps, and global social media platforms serve as frictionless tools for traffickers to recruit, control, and conceal the forced labourers they are exploiting. A recent event underscores the scale of the problem: in Myawaddy, Myanmar, police turned over 540 Indians coerced into participating in scams after agents lured them into employment in Dubai, Bangkok, and Kuala Lumpur by promising jobs there. 

A total of 40 Karnatakaians were rescued after a lengthy journey through several Southeast Asian hubs and clandestine boat transfers. After being imprisoned and forced to commit cyberfraud against victims worldwide, they were found guilty and sentenced to conduct it. In this ordeal, the stark reality is illustrated: a shadow industry spawned by the intersection of high-tech crime and human trafficking has flourished on broken promises and stolen identity, creating an urgency for international coordination and action that must be taken now. 

There is no doubt that cyberslavery is becoming a major concern across Southeast Asia, with countries like Cambodia, Laos, Myanmar, and the Philippines emerging as key hotspots for this disturbing phenomenon. It has been reported that scam centres in these regions have become an epicentre of modern-day slavery and grave human rights violations, according to recent research findings. 

It is common for victims to experience physical abuse, psychological manipulation, and extreme coercion, as well as being forced to carry out sophisticated online scams targeting individuals all over the world – they are often trafficked or kidnapped. Criminal syndicates orchestrate these illicit activities, and they are enabled by complicit business networks which take advantage of resources like capital, human labour, and digital infrastructure to sustain and expand their criminal operations. 

As a result of the tremendous stakes involved, reports by international agencies have estimated that these scamcentress generate billions of dollars in illicit revenue every year. Nevertheless, it has been very difficult to dismantle this deeply embedded system, which is characterized by its transnational nature, complex organizational structures, and the presence of overlapping legal, political, and jurisdictional barriers.

In addition to this crisis, cyber slavery is still widely misunderstood by the public, causing policymaking decisions to be influenced by public misconceptions, which limit public awareness and support for victims of cyber slavery. As these scam networks have evolved over the past decade, they have shown a further sign of their increasing sophistication as well. At first, such operations were based out of modest apartments, small villas, or rented hotels.

The trend began to shift by the late 2010s, with large-scale compounds containing multiple criminal operations under one roof while employing thousands of coerced workers under the roof. This phenomenon became especially prevalent in the Cambodian city of Sihanoukville, which has become a central hub for such operations in the past few years, emphasising the necessity for coordinated regional and global responses to combat a growing industry of digital exploitation that has become largely hidden but has become more aggressive in recent years. 

Currently, law enforcement agencies are grappling with the challenge of combating cyber slavery, a complex and ever-evolving problem, as it is characterised by transnational criminality, legal fragmentation, and legal instability across different jurisdictions. Cybercriminals are often based in countries with different laws governing cybercrime, regulatory frameworks, and definitions of digital exploitation, making international cooperation both complex and inconclusive.

It can be exceedingly difficult to collect admissible evidence across borders, especially with the help of mechanisms like the Mutual Legal Assistance Treaty (MLAT), because they are extremely time-consuming and bureaucratic in nature, which can often delay vital investigative action. In addition to that difficulty, fraudsters and scam operators frequently mask themselves with false documents, virtual private networks (VPNs), and encrypted communication platforms, which makes their activities even more difficult. 

Cyber slavery, in addition, is not limited to forced labour used in scam operations. As a result, some individuals are blackmailed or psychologically manipulated into participating in cybercrime, blurring the line between culpability and victimhood, as a result of which they are blackmailed or psychologically manipulated. As a key component of building a case, digital evidence presents its own set of challenges. 

Since it is volatile, it must be preserved in the utmost way possible. Victims trapped in scam compounds, however, are often unable to communicate online or are unable to interact via tightly controlled channels, so they are limited in their ability to report abuse or cooperate with authorities. These restrictions highlight the urgent need for a multifaceted response to these crimes.
To effectively address the threat of cyber slavery, several strategic approaches must be developed, including cross-border collaboration, cybercrime units, public-private partnerships, and proactive legal reforms. There needs to be a vigorous enforcement of domestic laws such as the Indian Emigration Act of 1983, in particular to crack down on illegal recruitment agents who are a significant part of the trafficking industry by masquerading as overseas employees. 

Additionally, large-scale awareness campaigns can be conducted via traditional as well as digital media simultaneously to inform the public, especially vulnerable job seekers, regarding the risks that unregistered recruiters pose to them, as well as their deceptive tactics used to lure people into digital servitude. There is only one way to effectively curb the growing menace of cyber slavery, and that is by coordinating global efforts, reforming policies, and maintaining public involvement. 

A rapid increase in cyber fraud is an indication that cyber fraud is becoming an increasingly dangerous threat within the digital ecosystem. It entails a variety of sophisticated tactics, along with a broad spectrum of damaging consequences resulting from cyber fraud. In its simplest sense, cyber fraud is a form of deception that manipulates victims into disclosing sensitive information or performing actions that serve the fraudsters' interests. 
To achieve this kind of manipulation, advanced technological means are often employed, including phishing schemes, malware deployment, and a variety of social engineering techniques. Cyber fraud is an alarming phenomenon in the sense that the perpetrators usually operate under a veil of anonymity online, which makes the task of tracing and prosecuting offenders incredibly difficult. 

Cyber fraud has a global reach that is one of its most alarming aspects. It is different from traditional crime in that it transcends geographical boundaries, meaning that perpetrators can target victims on other continents and with minimal risk of detection. Further, there is an ever-evolving landscape of cyber fraud. 

As fraudsters adjust their methods to counter the increased security measures that organisations and individuals face, individuals and  mustorganisations remain informed and proactive in adopting robust cybersecurity protocols, no matter what. Several forms of cyber fraud havebecomeg more popular in recent years. 

Phishing attacks, for example, use phoney email messages, messages from phoney websites, or false links to steal login information and financial details. Identity theft is when individuals are impersonated by someone else in order to conduct unauthorised transactions by using their personal data. Online scams exploit trust to request payments or personal information under false pretences, while ransomware attacks block users from accessing their own data, requiring payment before they can get to it. 

Data breaches, which occur when a secure system is breached by an unauthorised individual, expose large amounts of sensitive data with lasting consequences. Cyber fraud has profound and far-reaching effects on a company's bottom line. Financial losses are one of the most immediate and visible consequences, as victims may suffer theft of funds, unauthorised purchases, or costly efforts to recover their money. 

In addition, businesses can suffer severe reputational damage, leading to reduced consumer trust, regulatory penalties, and the possibility of a lawsuit. Furthermore, cyber attacks can cause significant disruptions to vital services such as healthcare, transportation, and communications, which puts the public at risk. 

Cyber fraud is a problem of a global scale that threatens trust in digital platforms and financial systems. The persistence of cyber fraud erodes trust in digital platforms and financial systems, which constitutes a significant obstacle to economic stability and growth in a world which is increasingly connected. The government, businesses, and ordinary citizens must adopt vigilance and responsibility to stem the escalating tide of cyber-enabled exploitation. 

Lawmakers should close jurisdictional gaps by harmonising cybercrime statutes and streamlining evidence-sharing protocols, at the same time that enforcement agencies need to invest heavily in digital forensics capacity and the development of multilingual victim support channels to close cybercrime loopholes. Especially in the areas of finance, telecommunications, and social media, private firms need to implement a real-time fraud detection system and rigorously vet third-party recruiters who operate on their platforms.

The first line of defence should remain establishing “zero-trust” digital habits at the individual level, which includes verifying unsolicited emails, using strong authentication, and immediately reporting suspicious activity. A multilayered, collaborative approach is the only way for the global community to dismantle the infrastructure of cyber slavery and fraud, protect vulnerable populations, and restore trust in the digital economy through the implementation of this multilayered, collaborative approach.
Read more »
North Korea cyberattack
Apple Apple MacOS Blockchain Blockchain Technology Crypto Attack crypto community cryptocurrency Cyber Attacks data security Data Theft Mac Mac Malware Malware Attack Malwares North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To safeguard against such malware, users are advised to avoid downloading software from public code repositories or unofficial websites. While the Mac App Store is considered the safest source for macOS applications, software downloaded directly from reputable developers’ websites is generally secure. Users who rely on pirated or cracked applications remain at significantly higher risk of infection. 

Cyber hygiene remains essential. Never click on suspicious links received via email, text, or social platforms, especially from unknown or unverified sources. Always verify URLs by copying and pasting them into a text editor to see their true destination before visiting. It’s also crucial to install macOS security updates promptly, as these patches address known vulnerabilities.  

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.
Read more »
North Korea
AI Bybit Crypto cryptocurrency Cyber Attacks Ethereum Internet North Korea

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

2025 H1 records all-time crypto theft

In the first half of 2025, hackers stole a record $2.1 billion in cryptocurrency, marking an all-time high. The data highlights the vulnerable state of the cryptocurrency industry. North Korean state-sponsored hackers accounted for 70% of the losses, responsible for USD 1.6 billion, rising as the most notorious nation-state actor in the crypto space, according to a report by TRM Labs

This indicates a significant increase in illegal operations, surpassing the 2022 H1 record by 10% and nearly matching the total amount stolen for the entire 2022 year, highlighting the danger to digital assets. 

Implications of nation-state actors in crypto attacks

The biggest cryptocurrency attack has redefined the H1 2025 narrative, the attack on Dubai-based crypto exchange Bybit. TRM believes the attack highlights a rising effort by the Democratic People’s Republic of Korea (DPRK) for cryptocurrency profits that can help them escape sanctions and fund strategic aims like nuclear weapons programs, besides being a crucial component of their statecraft. 

“Although North Korea remains the dominant force in this arena, incidents such as reportedly Israel-linked group Gonjeshke Darande (also known as Predatory Sparrow) hacking Iran’s largest crypto exchange, Nobitex, on June 18, 2025, for over USD 90 million, suggest other state actors may increasingly leverage crypto hacks for geopolitical ends,” TRM said in a blog post. 

Mode of operation

"Infrastructure attacks — such as private key and seed phrase thefts, and front-end compromises — accounted for over 80% of stolen funds in H1 2025 and were, on average, ten times larger than other attack types," reports TRM. These attacks target the technical spine of the digital asset system to get illicit access, reroute assets, and mislead users. Infrastructure attacks are done via social engineering or insider access and expose fractures in the cryptosecurity foundation.

Takeaways 

H1 2025 has shown a shift towards crypto hacking, attacks from state-sponsored hackers, and geopolitically motivated groups are rising. Large-scale breaches related to nation-state attacks have trespassed traditional cybersecurity. The industry must adopt advanced, effective measures to prevent such breaches. Global collaboration through information sharing and teamed efforts can help in the prosecution of such cyber criminals. 

Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
Mozilla Firefox
Crypto Wallets cryptocurrency cryptocurrency wallet Cyber Fraud Data Theft Extensions Fake Extension Firefox Firefox Hacks Firefox Security Mozilla Firefox

Fake Firefox Extensions Mimic Crypto Wallets to Steal Seed Phrases

 

Over 40 deceptive browser extensions available on Mozilla Firefox’s official add-ons platform are posing as trusted cryptocurrency wallets to steal user data, according to security researchers. These malicious add-ons are camouflaged as popular wallet brands such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, MyMonero, OKX, and Keplr. 

Behind their familiar logos and fake five-star reviews lies code designed to exfiltrate wallet credentials and seed phrases to servers controlled by attackers. Cybersecurity firm Koi Security, which discovered this threat campaign, suspects a Russian-speaking hacking group is responsible. In a report shared with BleepingComputer, the firm revealed that the fraudulent extensions were modified versions of legitimate open-source wallets, altered to include stealthy monitoring code. 

These extensions monitor browser input for strings that resemble wallet keys or recovery phrases — often identified by their length and character patterns. Once such sensitive input is detected, the information is covertly sent to attackers. To avoid suspicion, the extensions suppress error messages or alerts by rendering them invisible. The most critical data targeted are seed phrases — multi-word recovery codes that serve as master keys for crypto wallets. Anyone with access to a seed phrase can irreversibly drain all assets from a user’s wallet. 

The campaign has reportedly been active since at least April 2025, and new malicious add-ons continue to appear. Some were added as recently as last week. Despite Mozilla’s efforts to flag and remove such add-ons, Koi Security noted that many remained live even after being reported through official channels. The fake extensions often feature hundreds of fraudulent five-star reviews to build trust, although some also have one-star ratings from victims warning of theft. 

In many cases, the number of reviews far exceeds the number of downloads — a red flag missed by unsuspecting users. Mozilla responded by confirming that it is aware of ongoing threats targeting its add-ons ecosystem and has already removed many malicious listings. The organization has implemented a detection system that uses automated tools to flag suspicious behavior, followed by manual review when necessary.

In a statement to BleepingComputer, Mozilla emphasized its commitment to user safety and stated that additional measures are being taken to improve its defense mechanisms. As fake wallet extensions continue to circulate, users are urged to verify the authenticity of browser add-ons, rely on official websites for downloads, and avoid entering recovery phrases into any untrusted source.
Read more »
Malware Attack
Crypto Platform cryptocurrency cryptocurrency security cryptocurrency theft Cyber Attacks Digital Assets Lazarus Group Lazarus Group attack Malware Attack

Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange

 

Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attack exploited vulnerabilities during a system update, enabling the unauthorized withdrawal of funds from a legacy hot wallet spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain, making recovery and tracing more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

However, the attackers used social engineering tactics to infect a cloud administrator’s device with malware. This allowed them to steal AWS session tokens, bypass multi-factor authentication, and gain unauthorized access to BitoPro’s cloud infrastructure. From there, they were able to insert scripts directly into the hot wallet system and carry out the theft while mimicking legitimate activity to avoid early detection. 

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.
Read more »
malware
cryptocurrency DanaBot DDOS Attacks Law Enforcement malware

DanaBot Malware Network Disrupted After Researchers Discover Key Flaw

 



In a major breakthrough, cybersecurity experts uncovered a major weakness in the DanaBot malware system that ultimately led to the disruption of its operations and criminal charges against its operators.

DanaBot, which has been active since 2018, is known for being sold as a service to carry out cybercrimes like banking fraud, stealing personal information, carrying out remote attacks, and launching distributed denial-of-service (DDoS) attacks. The malware remained a persistent threat until recent enforcement actions successfully targeted its infrastructure.


Discovery of the DanaBot Weakness

Researchers from Zscaler’s ThreatLabz team identified a serious flaw in DanaBot’s system in a version released in June 2022. This flaw, later called "DanaBleed," exposed the internal workings of the malware to security professionals without the attackers realizing it.

The issue stemmed from changes made to DanaBot’s communication system, known as the command and control (C2) protocol. The updated system failed to properly handle random data in its responses, accidentally revealing leftover information stored in the malware’s memory.

Because of this memory leak, security experts were able to repeatedly collect sensitive fragments from DanaBot’s servers over time. This flaw is similar to the infamous HeartBleed vulnerability that affected OpenSSL in 2014 and caused serious security concerns worldwide.


What the Flaw Exposed

Through careful analysis, researchers were able to access highly valuable information, including:

• Details about the malware operators, such as usernames and IP addresses

• Locations of DanaBot’s servers and websites

• Stolen victim data, including login credentials

• Records of malware updates and internal changes

• Private cryptographic keys used for security

• Internal system logs and SQL database activity

• Parts of the malware’s management dashboard

For more than three years, DanaBot continued to operate with this hidden security hole, giving investigators a rare opportunity to quietly monitor the criminals and gather detailed evidence.


Law Enforcement Action

After collecting enough proof, international law enforcement teams launched a coordinated operation called "Operation Endgame" to shut down DanaBot’s network. This effort led to the takedown of key servers, the seizure of over 650 domains connected to the malware, and the recovery of nearly $4 million in cryptocurrency.

While the core group of attackers, mainly located in Russia, has been formally charged, no arrests have been reported so far. However, the removal of DanaBot’s infrastructure has significantly reduced the threat.


Final Thoughts

This case highlights the importance of careful cybersecurity monitoring and how even well-established criminal groups can be exposed by overlooked technical mistakes. Staying updated on the latest security research is essential, as malware groups often release new versions and fixes that may change the threat landscape quickly.

Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
Trojan
cryptocurrency Cyberattack Hacking malware printing Ransomware remoteaccess Security Software Trojan

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

 

For at least six months, the official software bundled with Procolored printers reportedly included malicious code, including a remote access trojan (RAT) and a cryptocurrency-stealing malware.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Initially dismissed by Procolored as a “false positive,” Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, taking screenshots, accessing the remote shell, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”


Read more »
phishing
Coinbase credit freeze Crypto Wallet cryptocurrency Cybersecurity Data Breach Identity Theft phishing

Coinbase Confirms Data Breach Impacting Over 69,000 Users, Refuses $20M Extortion Demand

 

Coinbase, the leading cryptocurrency exchange in the United States, disclosed a recent cybersecurity breach affecting 69,461 users, according to a notification submitted to the Maine attorney general’s office. Although the hackers failed to access individual accounts or sensitive login details such as two-factor authentication codes, private keys, or crypto wallets, they were able to obtain a wide array of personal data.

The compromised information includes:
  • Full names
  • Residential addresses
  • Phone numbers
  • Email addresses
  • Partial Social Security numbers
  • Masked bank account details
  • Government-issued ID images (e.g., driver’s licenses, passports)
  • Account-related data such as transaction history and snapshots
In an SEC filing, Coinbase revealed that the attackers paid offshore contractors to gain access to internal systems. This information was weaponized to launch a social engineering scam. The perpetrators demanded $20 million in exchange for not leaking the stolen data—an offer Coinbase declined.

"Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident," the company said in its statement.

Coinbase is currently collaborating with law enforcement and has established a $20 million reward fund to incentivize tips that could lead to the identification and capture of the individuals responsible.

Meanwhile, reports on Reddit suggest that some users received unsolicited password reset notifications as early as last week. It is still unclear whether these incidents are directly connected to the breach. CNET contacted Coinbase for a response, but no comment was issued at the time.

Steps to Protect Your Crypto and Data
Although Coinbase has confirmed that seed phrases and investor accounts remain secure, the exposure of personal data is significant. Here’s what you should do now to safeguard your information:

1. Use a Cold Wallet
security, coldwallet, hardwarewallet, cryptoassets
For regular crypto investors, shifting funds to a cold wallet—a device not connected to the internet—can provide an extra layer of security in case of future breaches

2. Freeze Your Credit Reports
creditfreeze, SSN, financialsecurity
Freeze your credit reports with all three major bureaus and consider placing a lock on your Social Security number to prevent identity misuse. Be cautious of phishing attempts that may exploit this situation.

"It's worth the hassle of setting up accounts with all three major credit bureaus. I get peace of mind at zero cost to me," said Danni Santana, CNET’s identity theft editor.

3. Notify Your Bank
banking, accountsecurity, financialfraud
Even if only partial account information was exposed, contact your bank to report the incident. You may want to open new checking or savings accounts as a precaution.

4. Enroll in Identity Monitoring Services
identitytheft, monitoring, datasecurity, insurance
Opt into a free credit and identity monitoring service. While these platforms don’t take direct action, they provide alerts if your data appears on the dark web. Paid services like Aura go further, offering identity restoration support and up to $1 million in identity theft insurance.
Read more »
Web3
Blockchain cryptocurrency Cyber Attacks CyberCrime Cybersecurity global threat Hacking IT workers North Korea Sanctions Web3

North Korea’s Global Cybercrime Network Uncovered: Fake IT Workers Funding Regime's Ambitions

 

A new report by cybersecurity firm DTEX has exposed how North Korea is operating a sophisticated international cybercrime network by embedding fake information technology workers within leading global corporations. These operatives, disguised as freelance developers, are channeling millions in stolen cryptocurrency to fund the reclusive nation’s military and weapons programs.

According to the report, North Korean agents are not driven by ideology but by a systemic need to survive. Trained from a young age, many are groomed to become covert cyber operatives or IT contractors. Two individuals, using the aliases “Naoki Murano” and “Jenson Collins,” were found residing in Russia and are believed to be involved in infiltrating Western companies. They’ve been linked to a $6 million cryptocurrency theft.

The regime operates through shadowy IT entities like Chinyong, which positions agents in countries like China, Laos, and Russia. These agents gain trust within blockchain and cryptocurrency projects, ultimately diverting digital assets back to Pyongyang. Since 2017, North Korea has reportedly funneled tens of millions of dollars through such schemes—prompting U.S. sanctions for financing weapons development (see: US Sanctions North Korean Entities for Sending Regime Funds).

The report states that North Korea’s cyber program has reached a pivotal stage, with its tactics becoming more aggressive and unpredictable. The regime now deploys techniques ranging from supply chain attacks to financial sector infiltration and even online propaganda. DTEX researchers noted that these operatives are so deeply integrated into major cryptocurrency and Web3 initiatives that, “it would seem that every other Web3 project has a North Korean on the payroll.”

“The threat of unintentionally hiring North Korean IT workers is larger than most people realize,” Kevin Mandia, founder and former CEO of Mandiant, said in a statement accompanying the report. “It's cover is global and active right now - which is why the industry and government need to work together to come up with solutions to counter the threat.”

The study also challenges the notion that North Korean cyber operatives follow rigid roles. Instead, many shift between missions, take on leadership responsibilities, and reuse false identities—suggesting a highly adaptive and fluid structure.

Past investigations have revealed that North Korean attacks on European tech firms were often facilitated by individuals operating from the U.S. and the U.K. An April report by Mandiant warned of increasing attempts by North Korean IT workers to secure positions in defense and government agencies, with U.S. businesses being their primary focus—even as operations grow across Europe (see: North Korean IT Scammers Targeting European Companies).

Michael Barnhart, the lead analyst behind the DTEX report, said his research is based on open-source intelligence, testimonies from defectors, blockchain forensics, and insights from Web3 infrastructure. He also leveraged proprietary datasets from unnamed partners to trace how North Korean agents shift money, access, and identities across borders.

“DPRK operatives are persistent,” Barnhart wrote, adding that North Korean cyber agents “do not take kindly to scrutiny” and “will try to uncover who is studying them and how.”
Read more »
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
Zoom
APTs cryptocurrency CyberCrime Cyberfraud Cyberhackers Cybersecurity CyberThreat Elusive lazarus Privacy Zoom

Zoom Platform Misused by Elusive Comet Attackers in Fraud Scheme

 


Recent reports suggest that North Korean threat actors are now employing an alarming evolution in the tactics they employ to launch a sophisticated cybercrime operation known as Elusive Comet, a sophisticated cybercrime operation. This newly uncovered campaign demonstrates a way of exploiting Zoom's remote control capabilities to gain unauthorised access to cryptocurrency industry users' systems. 

It is clear from this development that a significant trend is occurring in which widely trusted communication platforms are being exploited as tools to facilitate high-level cyber intrusions. Security Alliance, one of the most reputable cybersecurity research organisations, conducted the investigation and analysis that led to the discovery. Elusive Comet exhibited some significant operational similarities to activities previously associated with North Korea's notorious Lazarus Group, a group which has been linked to North Korea for some years. 

The findings suggest that definitive attribution is yet to be made. Due to the lack of conclusive evidence, attempts to link this campaign with any known state-sponsored entity have been complicated, further demonstrating how covert cyberattacks have become increasingly common in the financial sector. This campaign, according to security experts, marks a dramatic departure from the traditional methods of gaining access to cryptocurrency targets previously used to attack them. This is because the attackers can leverage legitimate features of mainstream platforms such as Zoom, which not only makes their operations more successful but also makes detection and prevention much more difficult. 

Using such ubiquitous communication tools emphasises the need for enhanced security protocols in industries that handle digital assets to stay on top of digital threats. With the emergence of Elusive Comet, the threat landscape continues to evolve, and adversaries are increasingly adopting innovative approaches to bypass traditional defences, a reminder that the threat landscape is constantly changing and that adversaries are continuously evolving. The threat actors behind Elusive Comet have invested considerable resources into establishing a convincing online persona to maintain an appearance of legitimacy. 

To reinforce their facade of authenticity, they operate credible websites and maintain active social media profiles. As one example of the fraudulent entities that are associated with the group, Aureon Capital, a fake venture capital company posing as a legitimate company, Aureon Press, and The OnChain Podcast have all been carefully designed to trick unsuspecting individuals and businesses. 

The attackers usually contact users by sending them direct messages via X (formerly Twitter), or by contacting them via email, or by offering invitations to appear on their fabricated podcast as a guest. In the study, researchers found that after initiating contact and establishing a certain level of trust, attackers then move swiftly to set up a Zoom meeting under the pretext of learning more about the target's professional activities. 

It is common for key meeting details to be withheld until very near the time of the scheduled meeting, a tactic employed by the organisation to create an impression of urgency and encourage compliance among participants. A common occurrence is that victims are often asked to share their screens during the call so that they can demonstrate their work, and in doing so, they unknowingly expose their sensitive systems and data to the attackers. As a result of the Elusive Comet operation, Jake Gallen, CEO of the cryptocurrency company Emblem Vault, lost over $100,000 of his digital assets, which included his company's cryptocurrency. As a result, he was targeted after agreeing to participate in a Zoom interview with someone who was posing as a media person. 

By manipulating Gallen during the session into granting remote access to his computer under the disguise of technical facilitation, the attacker succeeded in obtaining his permission to do so. The attackers were able to install a malicious payload, referred to by the attackers as "GOOPDATE," which allowed them to gain access to his cryptocurrency wallets and steal the funds that resulted from this attack. 

It is clear from this incident that cryptocurrencies are vulnerable, especially among executives and high-net-worth individuals who interact regularly with media outlets and investors, which makes them particularly susceptible to sophisticated social engineering schemes because of their high level of exposure to these media outlets. Additionally, the breach emphasises that professionals operating in high-value financial sectors should have heightened awareness of cybersecurity and adopt stricter digital hygiene policies. 

A leading cybersecurity research and advisory firm specialising in forensics and advanced persistent threats (APTS), Security Alliance, meticulously tracked and analysed the Elusive Comet campaign, a campaign that is highly likely to persist for many years to come. Security Alliance published a comprehensive report in March 2025 detailing the tactics, techniques, and procedures (TTPS) used by threat actors and presenting comprehensive insights into these tactics. In their research, the attackers were able to install malware on victims' systems based primarily on a combination of social engineering and using Zoom's remote control features to get their malicious code into the systems of their victims. 

Despite drawing parallels between the methods used to conduct this campaign and those of the notorious Lazarus Group of North Korea, Security Alliance exercised caution when attributions were made. It was noted in the research that the similarities in techniques and tools could indicate common origins or shared resources; however, the researchers stressed the difficulties associated with attribution in a cyber threat landscape where various actors tend to duplicate or repurpose the methodologies of each other. 

Taking into account the methods employed by the Elusive Comet campaign, cryptocurrency professionals are strongly advised to take a comprehensive and proactive security posture to reduce the risk of falling victim to the same types of sophisticated attacks again. First and foremost, companies and individuals should make sure that Zoom's remote control feature is disabled by default, and that it is only enabled when necessary by the organisation and the individual. This functionality can be significantly restricted by restricting the use of this feature, which reduces the chances of cybercriminals exploiting virtual engagements as well.

It is also important to exercise increased caution in responding to unsolicited meeting invitations. When invitations are sent by an unknown or unverified source, it is essential to verify the identity of the requester through independent channels. In order to increase account security in cryptocurrency-related platforms, including digital wallets and exchanges, it is imperative to implement multi-factor authentication (MFA) as a critical barrier. 

MFA serves as an additional layer of protection if credentials are compromised as well, providing an extra layer of defence. Further, it will be beneficial for organisations to deploy robust endpoint protection solutions as well as maintain all software, including communication platforms such as Zoom, consistently updated, to protect against the exploitation of known vulnerabilities. Additionally, regular cybersecurity education and training for employees, partners, and key stakeholders is also extremely important. 

An organisation can strengthen the security awareness of its teams through the development of a culture of security awareness, which will allow them to identify and resist threat actors' tactics, such as social engineering, phishing attacks, and other deceptive tactics. The Elusive Comet operation highlights a broader, more dangerous threat to the cryptocurrency industry as cybercriminals are increasingly manipulating trusted communication tools to launch highly targeted and covert attacks targeting the crypto market. 

There is a strong possibility that the attacker may have been part of the North Korean Lazarus Group, but an official attribution remains elusive, further illustrating the difficulty in identifying cyber threat actors, yet there are some clear lessons to be learned from this attack. 

As today's cybersecurity landscape becomes more volatile and more complex, it is more important than ever for organisations to maintain vigilance, implement rigorous security protocols, and continually adapt to emerging threats to survive. The adversaries are continually refining their tactics, so the only people who can successfully safeguard the assets and reputation of their organisations and businesses against evolving threats to their identity and reputation will be those who invest in resilient defence strategies.
Read more »
Money Laundering
cryptocurrency Cyber Security CyberCrime Dark Web Elon Musk FBI international cybercrime operation Money Laundering

FBI Operated ElonmuskWHM: Undercover Money Laundering Site That Handled $90M in Crypto

 

In a bold and controversial move, the FBI operated a money laundering platform on the dark web under the alias “ElonmuskWHM,” aiming to infiltrate the criminal ecosystem it served. According to an investigation by 404 Media, the FBI’s undercover cybercrime operation lasted nearly 11 months and facilitated close to $90 million in cryptocurrency transactions. 

The ElonmuskWHM site allowed cybercriminals—including drug traffickers and hackers—to convert illicit cryptocurrency into cash, often mailed discreetly to customers across the country. In exchange, the operator took a 20% fee. The service, regularly advertised on forums like White House Market (WHM), offered anonymity and required no form of identity verification—making it a go-to laundering tool for bad actors avoiding mainstream exchanges like Coinbase or Binance. 

A 404 Media review of court documents and online evidence confirmed the FBI’s direct role in running the site following the arrest of its original operator, Anurag Pramod Murarka, a 30-year-old Indian national. Murarka was eventually sentenced to over 10 years in prison. During its covert management, the FBI used the ElonmuskWHM site to investigate major crimes including drug trafficking, hacking schemes, and even a violent robbery in San Francisco. 

This FBI crypto sting is part of a broader pattern of law enforcement embedding within the digital underworld. Similar tactics were used in previous operations like Trojan Shield, where the agency ran a fake encrypted phone company named ANOM, secretly monitoring global criminal communications. Another example includes the infiltration of the ransomware group “Hive,” enabling the FBI to intercept communications and disrupt attacks. While effective, the ElonmuskWHM sting also sparked privacy concerns. Court documents reveal that the FBI requested data from Google identifying every user who watched a specific YouTube video, raising red flags about surveillance overreach and potential constitutional violations. 

Still, authorities defend such undercover cybercrime strategies as essential to understanding and dismantling complex digital criminal networks. Gabrielle Dudgeon, spokesperson for the U.S. Attorney’s Office, noted that the operation directly supported multiple federal prosecutions and investigations. As cybercrime becomes increasingly sophisticated, law enforcement agencies are evolving too—blurring ethical lines in the process. The ElonmuskWHM operation underscores the high-stakes chess match between digital criminals and those tasked with stopping them.
Read more »
phishing
AI Bybit cryptocurrency Cyber Attacks Ethereum phishing

600 Phishing Campaigns Emerged After Bybit Heist, Biggest Crypto Scam in History

600 Phishing Campaigns Emerged After Bybit Heist, Biggest Crypto Scam in History

Recently, the cryptocurrency suffered the largest cyberattack to date. The Bybit exchange was hit by the "largest cryptocurrency heist in history, with approximately $1.5 billion in Ethereum tokens stolen in a matter of hours," Forbes said.

After the Bybit hack, phishing campaigns steal crypto

Security vendor BforeAI said around 600 phishing campaigns surfaced after the Bybit heist, which was intended to steal cryptocurrency from its customers. In the last three weeks, after the news of the biggest crypto scam in history, BforeAI found 596 suspicious domains from 13 different countries. 

Dozens of these malicious domains mimicked the cryptocurrency exchange itself (Bybit), most using typosquatting techniques and keywords like “wallet,” “refund,” “information, “recovery,” and “check.” 

According to BforeAI, there were also “instances of popular crypto keywords such as ‘metaconnect,’ ‘mining,’ and ‘airdrop,’ as well as the use of free hosting and subdomain registration services such as Netlify, Vercel, and Pages.dev.” 

Malicious free domains used for attacks

The use of free hosting services and dynamics is a common practice in this dataset. Many phishing pages are hosted on forums that offer anonymous, quick deployment without asking for domain purchases.  Also, the highest number of verified malicious domains were registered in the UK.

After the incident, Bybit assured customers that they wouldn’t lose any money as a result. But the hackers took advantage of this situation and intentionally created a sense of anxiety and urgency via deceptive tactics like ‘fake recovery services and ‘phishing schemes.’ A few phishing websites pretended to be the “Bybit Help Center.”

The end goal was to make victims enter their crypto/Bybit passwords. A few weeks later, campaigns changed from “withdrawals, information, and refunds” through spoof Bybit sites to providing “crypto and training guides” and special rewards to trick potential investors. 

Regardless of the change in these crypto and training guides, the campaigns persevered a “connection to the earlier withdrawal scams by including ‘how to withdraw from Bybit guides,’ BforeAI explained. This results in “a flow of traffic between learning resources fakes and withdrawal phishing attempts,” it added.

Bybit has accused North Korean hackers behind the attacks, costing the firm a massive $1.5 billion in stolen crypto. The campaign has contributed to Q1 2025 with an infamous record: a $1.7 billion theft in the first quarter, the highest in history.

Read more »
Sanctions
Crypto Exchange cryptocurrency cryptocurrency security Cyber Security financial risks Garantex Russian Crypto Sanctions

Sanctioned Russian Crypto Exchange Garantex Allegedly Rebrands as Grinex

 

International efforts to dismantle illicit financial networks are facing new challenges, as the recently sanctioned Russian cryptocurrency exchange Garantex appears to have rebranded and resumed operations under a new name—Grinex. Reports from blockchain analytics firm Global Ledger suggest that Grinex may be a direct successor to Garantex, which was shut down earlier this month in a joint operation by law enforcement agencies from the U.S., Germany, and Finland. 

Despite the crackdown, Global Ledger researchers have identified on-chain movements linking the two exchanges, including the transfer of Garantex’s holdings in a ruble-backed stablecoin, A7A5, to wallets controlled by Grinex. Off-chain clues further support the connection, such as the sudden surge in trading volume—Grinex reportedly handled over $40 million in transactions within two weeks of its launch. According to Lex Fisun, CEO of Global Ledger, social media activity also suggests a direct relationship between the platforms.

In a Telegram post, Sergey Mendeleev, a known figure associated with Garantex, downplayed the similarities between the two exchanges while making light of the situation. Meanwhile, reports indicate that former Garantex users have been transferring funds at the exchange’s physical offices in Europe and the Middle East, strengthening claims that Grinex is simply a rebranded version of the defunct platform. While leading blockchain analytics firms such as Chainalysis and TRM Labs have yet to verify these findings, Andrew Fierman, Head of National Security Intelligence at Chainalysis, acknowledged that early indicators point to a connection between Garantex and Grinex. 

However, a full assessment of Grinex’s infrastructure is still underway. If Grinex is indeed a rebranded Garantex, it would not be the first time a sanctioned exchange has attempted to evade regulatory scrutiny through rebranding. Similar cases have been observed in the past—BTC-E, a Russian exchange taken down by U.S. authorities in 2017, later reemerged as WEX, only to collapse due to internal conflicts. Likewise, Suex, another Russian exchange sanctioned for facilitating illicit transactions, resurfaced as Chatex before facing renewed enforcement actions. 

The reappearance of Garantex in another form underscores the persistent difficulties regulators face in enforcing financial sanctions. Despite the seizure of its servers and domain, the exchange’s infrastructure appears to have been quickly reestablished under a new identity. Experts warn that non-compliant exchanges operating in high-risk regions will continue to find ways to circumvent restrictions. Before its takedown, Garantex had been identified as a hub for money laundering and illicit financial transactions. 

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the exchange in 2022, citing its involvement in facilitating payments for ransomware groups such as Black Basta and Conti, as well as its ties to darknet marketplaces like Hydra. Court documents also revealed that Garantex provided financial services to North Korea’s Lazarus Group, a state-backed hacking organization responsible for some of the largest cryptocurrency heists in history, including the $1.4 billion Bybit hack.

Additionally, Russian oligarchs reportedly used the platform to bypass economic sanctions imposed after Russia’s invasion of Ukraine. Two individuals linked to Garantex’s operations, Lithuanian national and Russian resident Aleksej Besciokov and Russian citizen Aleksandr Mira Serda, have been charged with conspiracy to commit money laundering. Besciokov was arrested in India earlier this month while on vacation with his family and is expected to be extradited to the U.S. to face trial. 

While authorities work to contain illicit financial activity in the crypto space, the rapid emergence of Grinex serves as a reminder of how easily such operations can adapt and reappear under new identities. Analysts warn that other high-risk exchanges in Russia, such as ABCEX and Keine-Exchange, are poised to take advantage of regulatory loopholes and fill the void left by Garantex’s shutdown.
Read more »
Security Breach
Crypto Exchange Crypto Hack cryptocurrency Cyber Attacks Digital Assets Lazarus Group Security Breach

Bybit Crypto Exchange Hacked for $1.5 Billion in Largest Crypto Heist

 

Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack, now considered the largest in crypto history, compromised the exchange’s cold wallet—an offline storage system designed to provide enhanced security against cyber threats. 

Despite the breach, Bybit CEO Ben Zhou assured users that other cold wallets remain secure and that withdrawals continue as normal. Blockchain analysis firms, including Elliptic and Arkham Intelligence, traced the stolen funds as they were quickly moved across multiple wallets and laundered through various platforms. Most of the stolen assets were in ether, which were liquidated swiftly to avoid detection. 

The scale of the attack far exceeds previous high-profile crypto thefts, including the $611 million Poly Network hack in 2021 and the $570 million stolen from Binance’s BNB token in 2022. Investigators later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking organization known for targeting cryptocurrency platforms. The group has a history of siphoning billions from the digital asset industry to fund the North Korean regime. 

Experts say Lazarus employs advanced laundering techniques to hide the stolen funds, making recovery difficult. Elliptic’s chief scientist, Tom Robinson, confirmed that the hacker’s addresses have been flagged in an attempt to prevent further transactions or cash-outs on other exchanges. However, the sheer speed and sophistication of the operation suggest that a significant portion of the funds may already be out of reach. The news of the breach sent shockwaves through the crypto community, triggering a surge in withdrawals as users feared the worst. 

While Bybit has managed to stabilize outflows, concerns remain over the platform’s ability to recover from such a massive loss. To reassure customers, Bybit announced that it had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. The Lazarus Group’s involvement highlights the persistent security risks in the cryptocurrency industry. Since 2017, the group has orchestrated multiple cyberattacks, including the theft of $200 million in bitcoin from South Korean exchanges. 

Their methods have become increasingly sophisticated, exploiting vulnerabilities in crypto platforms to fund North Korea’s financial needs. Industry experts warn that large-scale thefts like this will continue unless exchanges implement stronger security measures. Robinson emphasized that making it harder for criminals to profit from these attacks is the best deterrent against future incidents. 

Meanwhile, law enforcement agencies and crypto-tracking firms are working to trace the stolen assets in hopes of recovering a portion of the funds. While exchanges have made strides in improving security, cybercriminals continue to find ways to exploit weaknesses, making robust protections more crucial than ever.
Read more »
Technology
AI Agent Chatbots cryptocurrency Finance Technology

How AI Agents Are Transforming Cryptocurrency

 



Artificial intelligence (AI) agents are revolutionizing the cryptocurrency sector by automating processes, enhancing security, and improving trading strategies. These smart programs help analyze blockchain data, detect fraud, and optimize financial decisions without human intervention.


What Are AI Agents?

AI agents are autonomous software programs that operate independently, analyzing information and taking actions to achieve specific objectives. These systems interact with their surroundings through data collection, decision-making algorithms, and execution of tasks. They play a critical role in multiple industries, including finance, cybersecurity, and healthcare.


There are different types of AI agents:

1. Simple Reflex Agents: React based on pre-defined instructions.

2. Model-Based Agents: Use internal models to make informed choices.

3. Goal-Oriented Agents: Focus on achieving specific objectives.

4. Utility-Based Agents: Weigh outcomes to determine the best action.

5. Learning Agents: Continuously improve based on new data.


Evolution of AI Agents

AI agents have undergone advancements over the years. Here are some key milestones:

1966: ELIZA, an early chatbot, was developed at MIT to simulate human-like conversations.

1980: MYCIN, an AI-driven medical diagnosis tool, was created at Stanford University.

2011: IBM Watson demonstrated advanced natural language processing by winning on Jeopardy!

2014: AlphaGo, created by DeepMind, outperformed professional players in the complex board game Go.

2020: OpenAI introduced GPT-3, an AI model capable of generating human-like text.

2022: AlphaFold solved long-standing biological puzzles related to protein folding.

2023: AI-powered chatbots like ChatGPT and Claude AI gained widespread use for conversational tasks.

2025: ElizaOS, a blockchain-based AI platform, is set to enhance AI-agent applications.


AI Agents in Cryptocurrency

The crypto industry is leveraging AI agents for automation and security. In late 2024, Virtuals Protocol, an AI-powered Ethereum-based platform, saw its market valuation soar to $1.9 billion. By early 2025, AI-driven crypto tokens collectively reached a $7.02 billion market capitalization.

AI agents are particularly valuable in decentralized finance (DeFi). They assist in managing liquidity pools, adjusting lending and borrowing rates, and securing financial transactions. They also enhance security by identifying fraudulent activities and vulnerabilities in smart contracts, ensuring compliance with regulations like Know Your Customer (KYC) and Anti-Money Laundering (AML).


The Future of AI in Crypto

Tech giants like Amazon and Apple are integrating AI into digital assistants like Alexa and Siri, making them more interactive and capable of handling complex tasks. Similarly, AI agents in cryptocurrency will continue to take new shapes, offering greater efficiency and security for traders, investors, and developers.

As these intelligent systems advance, their role in crypto and blockchain technology will expand, paving the way for more automated, reliable, and secure financial ecosystems.



Read more »
Subscribe to: Posts (Atom)