
Fidelity Incorporates Staking in Spot Ethereum ETF Offering to Boost Fund’s Income

On March 18, the financial behemoth Fidelity Investments updated its application for a spot ethereum exchange-traded fund (ETF) to encompass staking capabilities. The firm, Fidelity, has made it known that the sponsor might “from time to time” opt to “stake a portion of the fund’s assets through one or more trusted staking providers.” Fidelity Updates […]

Two Whitelisted Wallets Make Incredible 30,830x on Gains With Base Altcoin: Lookonchain

Lazarus used ‘Kandykorn’ malware in attempt to compromise exchange — Elastic

Lazarus members posed as engineers and fooled exchange employees into downloading difficult-to-detect malware.

Lazarus Group used a new form of malware in an attempt to compromise a crypto exchange, according to an Oct. 31 report from Elastic Security Labs.

Elastic has named the new malware “Kandykorn” and the loader program that loads it into memory “Sugarloader,” as the loader file has a novel “.sld” extension in its name. Elastic did not name the exchange that was targeted.

Crypto exchanges have suffered a rash of private-key hacks in 2023, most of which have been traced to the North Korean cybercrime enterprise Lazarus Group.

Kandykorn infection process. Source: Elastic Security Labs

According to Elastic, the attack began when Lazarus members posed as blockchain engineers and targeted engineers from the unnamed crypto exchange. The attackers made contact on Discord, claiming they had designed a profitable arbitrage bot that could profit from discrepancies between the prices of cryptocurrencies on different exchanges.

The attackers convinced the engineers to download this “bot.” The files in the program’s ZIP folder had disguised names like “config.py” and “pricetable.py” that made it appear to be an arbitrage bot.

Once the engineers ran the program, it executed a “Main.py” file that ran some ordinary programs as well as a malicious file called “Watcher.py.” Watcher.py established a connection to a remote Google Drive account and began downloading content from it to another file named testSpeed.py. The malicious program then ran testSpeed.py a single time before deleting it in order to cover its tracks.

During the single execution of testSpeed.py, the program downloaded more content and eventually executed a file that Elastic calls “Sugarloader.” This file was obfuscated using a “binary packer,” Elastic stated, allowing it to bypass most malware detection programs. However, Elastic’s researchers were able to analyze it by forcing the program to stop after its initialization functions had been called, then snapshotting the process’s virtual memory.

Elastic said it ran Sugarloader through VirusTotal’s malware detection, and the scanners declared that the file was not malicious.

Related: Crypto firms beware: Lazarus’ new malware can now bypass detection

Once Sugarloader was downloaded onto the computer, it connected to a remote server and downloaded Kandykorn directly into the device’s memory. Kandykorn contains numerous functions that can be used by the remote server to perform various malicious activities. For example, the command “0xD3” can be used to list the contents of a directory on the victim’s computer, and “resp_file_down” can be used to transfer any of the victim’s files to the attacker’s computer.
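The infection chain above has two behaviours a defender can hunt for in endpoint telemetry: a script that is executed once and deleted seconds later, and a script launched shortly after a process pulled content from a file-sharing host. The Python sketch below is an added example, not Elastic’s code or tooling; the telemetry line format, the paths and PIDs, the “loader.sld” file name and the staging-host set are all constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Staging hosts: the article names Google Drive; the second entry is an assumption.
STAGING_HOSTS = {"drive.google.com", "docs.google.com"}
# The novel extension Elastic observed on the loader file.
LOADER_EXTENSIONS = (".sld",)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "exec", "delete" or "net"
    pid: int
    path: str = ""   # file path for exec/delete events
    host: str = ""   # remote host for net events


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format '<iso-ts> <kind> k=v k=v'."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), kind, int(fields["pid"]),
                 fields.get("path", ""), fields.get("host", ""))


def run_once_then_deleted(events, window=timedelta(seconds=60)):
    """A file executed and then deleted within `window` (the testSpeed.py pattern)."""
    hits = []
    for ex in (e for e in events if e.kind == "exec"):
        for d in events:
            if d.kind == "delete" and d.path == ex.path and ex.ts <= d.ts <= ex.ts + window:
                hits.append({"path": ex.path, "seconds": (d.ts - ex.ts).total_seconds()})
                break
    return hits


def staged_from_file_share(events, window=timedelta(seconds=60)):
    """An exec preceded within `window` by a connection to a staging host (the Watcher.py pattern)."""
    hits = []
    for ex in (e for e in events if e.kind == "exec"):
        for n in events:
            if n.kind == "net" and n.host in STAGING_HOSTS and ex.ts - window <= n.ts <= ex.ts:
                hits.append({"path": ex.path, "host": n.host, "downloader_pid": n.pid})
                break
    return hits


def loader_extension(events):
    """Any executed file carrying the loader's unusual extension."""
    return sorted({e.path for e in events if e.kind == "exec" and e.path.endswith(LOADER_EXTENSIONS)})


def detect(lines):
    """Run all three heuristics over raw telemetry lines and return the findings per rule."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    return {
        "run_once_then_deleted": run_once_then_deleted(events),
        "staged_from_file_share": staged_from_file_share(events),
        "loader_extension": loader_extension(events),
    }


# Constructed telemetry mimicking the chain in the article; paths, PIDs and the
# "loader.sld" file name are placeholders, not indicators from Elastic's report.
SAMPLE_LOG = [
    "2023-04-01T10:00:00 exec pid=101 path=/home/dev/arb-bot/Main.py",
    "2023-04-01T10:00:01 exec pid=102 path=/home/dev/arb-bot/Watcher.py",
    "2023-04-01T10:00:02 net pid=102 host=drive.google.com",
    "2023-04-01T10:00:05 exec pid=103 path=/home/dev/arb-bot/testSpeed.py",
    "2023-04-01T10:00:09 delete pid=102 path=/home/dev/arb-bot/testSpeed.py",
    "2023-04-01T10:00:10 exec pid=104 path=/home/dev/arb-bot/loader.sld",
    # Benign noise: a script run and deleted a day apart must not fire.
    "2023-04-01T10:30:00 exec pid=200 path=/home/dev/scripts/backup.py",
    "2023-04-02T09:00:00 delete pid=300 path=/home/dev/scripts/backup.py",
]

if __name__ == "__main__":
    for rule, findings in detect(SAMPLE_LOG).items():
        print(rule, findings)
```

The window sizes are deliberately tight; on a real fleet they should be tuned against a baseline of legitimate build and package-manager activity, which also runs and removes temporary scripts.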

Elastic believes that the attack occurred in April 2023. It claims that the program is probably still being used to perform attacks today, stating:

“This threat is still active and the tools and techniques are being continuously developed.”

Centralized crypto exchanges and apps suffered a rash of attacks in 2023. Alphapo, CoinsPaid, Atomic Wallet, Coinex, Stake and others have been victims of these attacks, most of which seem to have involved the attacker stealing a private key from the victim’s device and using it to transfer customers’ cryptocurrency to the attacker’s address. 

The United States Federal Bureau of Investigation has accused the Lazarus Group of being behind the Coinex hack, as well as performing the Stake attack and others.


Exclusive: Hackers selling discounted tokens linked to CoinEx, Stake hacks

Blockchain analytics firm Match Systems has made contact with an individual who is believed to be selling tokens linked to the recent CoinEx and Stake hacks at discounted prices.

Blockchain analytics investigators have uncovered an individual linked to a cryptocurrency laundering operation that is offering stolen tokens at discounted prices from recent high-profile exchange hacks.

Speaking exclusively to Cointelegraph, a representative from blockchain security firm Match Systems outlined how investigations into several major breaches featuring similar methods through the summer months of 2023 have pointed to an individual who is allegedly selling stolen cryptocurrency tokens via peer-to-peer transfers.

Related: CoinEx hack: Compromised private keys led to $70M theft

The investigators managed to identify and make contact with an individual on Telegram offering stolen assets. The team confirmed that the user was in control of an address containing over $6 million worth of cryptocurrencies after receiving a small transaction from the corresponding address.

A message from the seller advertising stolen tokens being linked to CoinEx and Stake hacks. Source: Match Systems

The exchange of stolen assets was then conducted through a specially created Telegram bot, which offered a 3% discount off the token’s market price. Following initial conversations, the owner of the address reported that the initial assets on offer had been sold and that new tokens would be available some three weeks later:

“Maintaining our contact, this individual notified us about the commencement of new asset sales. Based on the available information, it is logical to assume that these are funds from CoinEx or Stake companies.”

The Match Systems team has not been able to fully identify the individual but has narrowed down their location to the European time zone based on several screenshots they had received and timings of conversations:

“We believe he is not part of the core team but is associated with them, possibly having been de-anonymized as a guarantee that he will not misuse the delegated assets.”

The individual also reportedly displayed “unstable” and “erratic” behavior during various interactions, abruptly leaving conversations with excuses like “Sorry, I must go; my mom is calling me to dinner.”

“Typically, he offers a 3% discount. Previously, when we first identified him, he would send 3.14 TRX as a form of proof to potential clients.”

Match Systems told Cointelegraph that the individual accepted Bitcoin (BTC) as a means of payment for the discounted stolen tokens and had previously sold $6 million worth of TRON (TRX) tokens. The latest offering from the Telegram user has listed $50 million worth of TRX, Ether (ETH) and Binance Smart Chain (BSC) tokens.

Blockchain security firm CertiK previously outlined the movement of stolen funds from the Stake heist in correspondence with Cointelegraph, with around $4.8 million of the total $41 million being laundered through various token movements and cross-chain swaps.

The FBI later identified North Korean Lazarus Group hackers as the culprits of the Stake attack, while cybersecurity firm SlowMist also linked the $55 million CoinEx hack to the North Korean group.

This is in slight contrast to information obtained by Cointelegraph from Match Systems, which suggests that the perpetrators of the CoinEx and Stake hacks differed somewhat in methodology.

Their analysis highlights that previous Lazarus Group laundering efforts did not involve Commonwealth of Independent States (CIS) nations like Russia and Ukraine while the 2023 summer hacks saw stolen funds being actively laundered in these jurisdictions.

Related: Stake hack of $41M was performed by North Korean group: FBI

Lazarus hackers have historically left minimal digital footprints, while the recent incidents left plenty of breadcrumbs for investigators. Social engineering has also been identified as a key attack vector in the summer hacks, whereas Lazarus Group targeted “mathematical vulnerabilities.”

Lastly, the firm notes that Lazarus hackers typically used Tornado Cash to launder stolen cryptocurrency, while recent incidents have seen funds mixed through protocols like Sinbad and Wasabi. Key similarities remain significant: all of these hacks have used BTC wallets as the primary repository for stolen assets, as well as the Avalanche Bridge and mixers for token laundering.

Blockchain data reviewed at the end of Sept. 2023 suggests that North Korean hackers have stolen an estimated $47 million worth of cryptocurrency this year, including $42.5 million in BTC and $1.9 million ETH.

Magazine: Blockchain detectives: Mt. Gox collapse saw birth of Chainalysis


Criminals more reliant on cross-chain bridges than ever after mixer crackdowns

The sanction of cryptocurrency mixer Tornado Cash in August caused the first major shift, but that is now accelerating even faster than projected.

Cybercriminals have accelerated their shift away from crypto mixers toward cross-chain bridges over the past year, according to blockchain forensics firm Elliptic.

In June and July, nearly all of the stolen crypto was laundered through cross-chain bridges, Elliptic’s data shows, a complete reversal from the first half of 2022.

In a Sept. 18 blog post, Elliptic explained the cross-chain crime trend is due to the “crime displacement” effect — where criminals move to a new method to carry out the illicit activity when the existing method gets over-policed. However, the shift to cross-chain bridges is rising ahead of their projections. 

Proportion of funds laundered between cryptocurrency mixers and cross-chain bridges between January 2022 and July 2023. Source: Elliptic.

Between July and September 2022, the ratio of laundered funds passing through mixers vs. cross-chain bridges flipped, corresponding to the U.S. Office of Foreign Assets Control’s sanctioning of Tornado Cash in August 2022, said the firm.

Elliptic said many cybercriminals, like the North Korean-backed Lazarus Group, flocked to the Avalanche bridge after the sanctions.

This same bridge was reportedly used recently by the Lazarus Group to facilitate some of the stolen funds in Stake’s $41 million exploit on Sept. 4, according to blockchain security firm CertiK.

Crypto mixers saw a small comeback between November 2022 and January 2023, due to the shutdown of RenBridge, which closed in December after its financier, Alameda Research, collapsed in FTX’s bankruptcy.

Elliptic estimates that RenBridge facilitated $500 million in laundered funds throughout its operation.

However, shortly after, criminals moved back to cross-chain bridges, even more heavily than before.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

Elliptic said that criminals may prefer cross-chain bridges because it is difficult for blockchain forensics firms to track illicit activity across chains in a scalable manner.

“Criminals are aware that legacy blockchain analytics solutions do not have the means to trace illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner.”

In addition, many of these stolen tokens are only exchangeable through cross-chain bridges, while most of these DeFi services do not require identity verification to use, Elliptic explained.

The firm estimates that $4 billion in illicit or high-risk cryptocurrencies have been laundered through cross-chain bridges since 2020.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story


3 steps crypto investors can take to avoid hacks by the Lazarus Group

The Lazarus Group has mastered the art of stealing crypto investors’ assets. Here are a few tips on how investors can protect their portfolios.

Cryptocurrency users frequently fall prey to online hacks, with Mark Cuban being just the latest high-profile example of how nearly a million dollars can leave your digital wallet.

It is possible to substantially bolster the security of your funds by heeding three simple guidelines that will be outlined in this article. But before delving into these, it's crucial to understand the type of threat that exists today. 

The FBI has clear evidence on the Lazarus Group

The Lazarus Group is a North Korean state-sponsored hacking group, known for sophisticated cyberattacks and cybercriminal activities, including the WannaCry ransomware attack.

WannaCry disrupted critical services in numerous organizations, including healthcare institutions and government agencies by encrypting files on infected computers and demanding a ransom payment in Bitcoin (BTC).

One of its earliest crypto-related hacks was the breach of South Korean crypto exchange Yapizon (later rebranded to Youbit) in April 2017, resulting in the theft of 3,831 Bitcoin, worth over $4.5 million at the time.

The Lazarus Group's activities in the cryptocurrency space have raised concerns about its ability to generate funds for the North Korean regime and evade international sanctions. For instance, in 2022 the group was tied to a number of high-profile cryptocurrency hacks, including the theft of $620 million from Axie Infinity bridge Ronin.

The Federal Bureau of Investigation (FBI) blamed Lazarus Group for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023.

This month, the FBI attributed the $41 million hack of the crypto gambling site Stake to Lazarus Group; the attack was carried out through a spear-phishing campaign that targeted some of its employees.

Lastly, according to blockchain security firm SlowMist, the $55 million hack of the crypto exchange CoinEx was carried out by the North Korean state-sponsored hackers.

Most hacks involve social engineering and exploit human error

Contrary to what movies usually depict (hackers gaining physical access to devices or brute-forcing passwords), most hacks occur through phishing and social engineering. The attacker relies on human curiosity or greed to entice the victim.

Those hackers may pose as customer support representatives or other trusted figures in order to trick victims into giving up their personal information.

For instance, a hacker might impersonate a company's IT support and call an employee, claiming they need to verify their login credentials for a system update. To build trust, the attacker might use public information about the company and the target's role.

Related: North Korean crypto hacks down 80%, but that could change overnight: Chainalysis

Phishing attacks involve sending deceptive emails or messages to trick recipients into taking malicious actions. An attacker might impersonate a reputable organization, such as a bank, and send an email to a user, asking them to click on a link to verify their account. The link takes them to a fraudulent website where their login credentials are stolen.

Baiting attacks offer something enticing to the victim, such as free software or a job opportunity. An attacker poses as a recruiter and creates a convincing job posting on a reputable job search website. To further establish trust, they may even conduct a fake video interview, and later inform the candidate that they have been selected. The hackers proceed by sending a seemingly innocuous file, like a PDF or a Word document, which contains malware.

How crypto investors can avoid hacks and exploits

Luckily, despite the increasing sophistication and capabilities of hackers today, there are three simple steps you can take to keep your funds safe. Namely: 

  • Use hardware wallets for long-term storage of your crypto assets. Because they are not directly connected to the internet, they are highly resistant to online threats like phishing attacks or malware, and they provide an extra layer of protection by keeping your private keys offline and away from potential hackers.
Common crypto hardware wallets. Source: Enjin
  • Enable two-factor authentication, or 2FA, on all your crypto exchange and wallet accounts. This adds an extra security step by requiring you to provide a one-time code generated by an app like Google Authenticator or Authy. Even if an attacker manages to steal your password, they won’t be able to access your accounts with the password alone.
  • Be extremely cautious when clicking on links in emails and on social media. Scammers often use enticing offers or giveaways to lure victims. Use separate “burner” accounts or wallets for experimenting with new decentralized applications and for airdrops to reduce the risk of losing your funds.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.


Hackers behind $41M Stake heist shifts BNB, MATIC in latest move: CertiK

A total of $4.8 million in funds has now been moved by the hackers, first to Bitcoin and now to Avalanche.

The hackers behind cryptocurrency casino Stake’s $41 million hack have shifted another $328,000 worth of Polygon (MATIC) and Binance Coin (BNB) tokens — their latest moves following the Sept. 4 exploit, according to blockchain security firm CertiK.

The most recent transfer involved 300 BNB tokens worth about $61,500 sent to an externally owned address “0x695…”, which were then bridged to the Avalanche blockchain on Sept. 11 at 4:09 pm UTC.

Another 520,000 MATIC tokens worth over $266,000 were also moved to Avalanche seven hours earlier at 7:18 am UTC.

The 520,000 MATIC and 300 BNB — totaling $328,000 — add to the $4.5 million in stolen funds that were bridged to the Bitcoin blockchain (in the form of BTC) on Sept. 7, according to blockchain security firm Arkham.

The total $4.8 million transferred, however, represents only 1.2% of the total $41 million stolen by the hackers.

It is understood the hacker gained access to the private key of Stake’s Binance Smart Chain and Ethereum hot wallets to perpetrate the hack on Sept. 4.

The United States Federal Bureau of Investigation believes North Korea’s Lazarus Group was behind the exploit.

Estimated funds lost from hacks, scams pass $1 billion

With $41 million stripped from Stake, the industry’s malicious actors have now taken the cryptocurrency hacks and scams toll to well over $1 billion in 2023.

CertiK previously reported the figure to be $997 million at the end of August, though several attacks in the last two weeks will push the figure over the $1 billion mark. 

Related: CertiK drops findings on alleged scammer who stole $1M in crypto

In September, a cryptocurrency whale lost $24 million in staked Ether (ETH) in a phishing attack on Sept. 6, and Vitalik Buterin’s X (formerly Twitter) account was then compromised on Sept. 9, where the hacker then lured several victims into a nonfungible token scam which totaled $691,000.

The three incidents would take CertiK’s August figure to at least $1.04 billion.

Other recent incidents include Pepe (PEPE) coin’s withdrawal incident which set back investors $13.2 million, Exactly Protocol’s $7.3 million exploit and an exposed security vulnerability on Balancer which did $2.1 million in damage.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story


Stake hack of $41M was performed by North Korean group: FBI

After investigating, the FBI concluded that the hack of crypto gambling site Stake was carried out by North Korean hackers Lazarus Group.

The $41 million hack of crypto gambling site Stake was carried out by the North Korean Lazarus Group, the Federal Bureau of Investigation (FBI) stated in an announcement on Sept. 7. This group has stolen more than $200 million of crypto in 2023, the announcement stated.

Stake is a crypto gambling platform that offers casino games and sports betting. It was the victim of a cyberattack on Sept. 4 that drained over $41 million worth of cryptocurrency from its hot wallets. The Stake team stated that the hacker only obtained a small percentage of funds and that users would not be affected.

According to the FBI statement on Sept. 7, the agency has carried out an investigation and has concluded that the attack was performed by the Lazarus Group, a notorious cybercrime organization believed to be associated with the Democratic People’s Republic of Korea (DPRK). DPRK is also known as “North Korea.”

The FBI listed the addresses where the stolen funds are now held, which exist on the Bitcoin, Ethereum, BNB Smart Chain and Polygon networks. It recommended that all crypto protocols and businesses review the addresses used in the hack and avoid transacting with them, stating:

“Private sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor and examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant in guarding against transactions directly with, or derived from, those addresses.”

Related: FBI flags 6 Bitcoin wallets linked to North Korea, urges vigilance in crypto firms

The agency also blamed Lazarus for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023. Alphapo is a payment processor that suffered over $65 million in suspicious withdrawals on July 23. CoinsPaid, another payments firm, lost over $37 million through social engineering sometime in late July. And Atomic Wallet users lost a whopping $100 million in June through an unknown exploit.


Crypto casino Stake reopens withdrawals just 5 hours after $41M hack

The online crypto casino reported unauthorized transactions from its hot wallets on Sept. 4, with blockchain security firms estimating at least $41 million pilfered by hackers.

Crypto betting platform Stake has reopened deposits and withdrawals and resumed services for users only five hours after the platform was hacked to the tune of $41.3 million, blockchain security firms estimate.

Stake confirmed that all services resumed at 9:28 pm UTC on Sept. 4, a few hours after the platform confirmed that several unauthorized transactions were made on Stake’s ETH/BSC hot wallets:

The betting site said its Bitcoin (BTC), Litecoin (LTC), and XRP wallets were not impacted but hasn’t yet shared the cause of the exploit or how much was stolen. Stake however confirmed that user funds remain safe.

Recent analysis by blockchain security firm Beosin calculated the total loss to be $41.35 million, which included $15.7 million on Ethereum (ETH), $7.8 million on Polygon (MATIC) and another $17.8 million from the Binance Smart Chain.

An earlier estimate of $15.7 million by fellow blockchain security firm PeckShield didn’t account for the $25.6 million allegedly lost on BSC and Polygon, according to on-chain analyst ZachXBT.

Related: Atomic Wallet faces lawsuit over $100M crypto hack losses: Report

The first transaction occurred at 12:48 pm UTC, transferring approximately $3.9 million worth of stablecoin Tether (USDT) from Stake to the attacker’s account. The next two transactions removed over 6,000 Ether, worth approximately $9.8 million at the current prices.

The attacker continued to remove tokens over the next few minutes, including about $1 million in USD Coin (USDC), $900,000 worth of Dai (DAI) and 333 Stake Classic (STAKE) ($75) which is understood to have made up the first $15.7 million on Ethereum.

Magazine: How smart people invest in dumb memecoins — 3-point plan for success


Crypto gambling site Stake sees $16M withdrawals in possible hack

Unusually large withdrawals were made from Stake to an account with no previous activity, including $3.9 million in Tether and $9.8 million in Ether.

Crypto gambling site Stake has experienced $16 million in withdrawals on Sept. 4 in what security platform Cyvers Alerts is calling “suspicious transactions.” The withdrawing account has been labeled “Stake.com Hacker” by Etherscan, implying that the drained funds may be the result of a stolen private key.

Blockchain data shows very large withdrawals from Stake.com contracts into the alleged attacker’s account. The first transaction occurred at 12:48 p.m., transferring approximately $3.9 million worth of Tether (USDT) stablecoin from Stake to the attacker’s account. The next two transactions removed 6,001 Ether (ETH), worth approximately $9.8 million at the current price. The attacker continued to remove tokens over the next few minutes, including approximately $1 million USD Coin (USDC), $900,000 worth of Dai (DAI) stablecoin, and 333 Stake Classic (STAKE) ($75.48). Cyvers has estimated the total value of crypto drained at $16 million.

After draining the funds, the alleged attacker distributed them to multiple accounts. At the time of publication, Stake has not made an announcement regarding the suspicious withdrawals.

Related: Atomic Wallet faces lawsuit over $100M crypto hack losses: Report

Stake is a crypto gambling protocol that offers dice games, Blackjack, Lingo, and other casino games, as well as sports betting for basketball, tennis, volleyball and others.

This is not the first time in 2023 that crypto gambling sites may have been targeted by hackers. On July 23, payments provider Alphapo suffered $31 million in suspicious withdrawals. Alphapo was a provider for several crypto gambling sites, including Hypedrop, Bovada, and Ignition.

This is a developing story, and further information will be added as it becomes available.


C6 Bank’s Climate Tool to Track CO2 Emissions From Customer Transactions Prompts Debate on Future of Banking

On April 13, a C6 Bank customer in Brazil shared screenshots of his online bank account, revealing that the financial institution was tracking CO2 emissions from his purchases and urging him to compensate monetarily. C6 Bank states that the new tool aims to inspire Brazilians to adopt more sustainable behaviors. ‘CBDC Preview’ — Bank Customer […]
