Bitcoin Forum
July 11, 2025, 10:38:20 PM *
1  Other / Beginners & Help / New version of Triada malware target cryptos and more on: April 03, 2025, 09:29:59 AM
A new version of Triada was recently discovered by Kaspersky. And per the analysis, it is reported that it was able to transfer $270,000 in various cryptocurrencies already. But the numbers could be higher, as this malware targets Monero.

And this is a type of clipboard malware, which is why it was very easy for them to trap their victims, as they would not have suspected that there were changes when they made transactions.

One way they lure their victims is by offering mobile phones that are cheap but laden with this malware, which is why no one suspects it initially, until it is too late. Below are the capabilities of this malware:

Quote
● steal user accounts in instant messengers and social networks, in particular Telegram and TikTok;

● secretly send messages allegedly on behalf of the victim in WhatsApp** and Telegram, and also delete them to erase traces;

● steal cryptocurrency by replacing crypto wallet addresses in the required applications;

● monitor the victim’s activity in browsers and replace links;

● replace numbers during calls - to redirect the subscriber to the contact needed by the attackers;

● control SMS: intercept, send and delete messages;

● allow sending premium SMS to receive paid services;

● download and run other programs on the infected smartphone;

● block network connections, for example, to interfere with the operation of anti-fraud systems.

https://www.kaspersky.ru/about/press-releases/novaya-versiya-triada-kradyot-kriptovalyutu-akkaunty-v-messendzherah-i-podmenyaet-nomera-telefonov-vo-vremya-zvonkov

And it fits perfectly with what we have learned so far in crypto: if it is too good to be true, then it probably is.

So just buy your phone from an authorized dealer and don't be trapped by those cheap offerings that you can find online, as you could be the next victim.
2  Other / Beginners & Help / Arcane: New info stealer including targeting crypto wallets on: March 21, 2025, 08:26:48 AM
There is a new malware called Arcane stealer. It's a variant of the Phemedrone Stealer malware. One way it spreads is through YouTube: the attackers promote a game hack, usually in the Russian language. The video has a link to a password-protected archive file, and once you unlock the archive, there is a batch file and UnRAR.exe.

So it's not just a cryptominer; it also targets login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers.

And its targets include crypto wallets as well:

  • VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
  • Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
  • Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
  • Email clients: Outlook
  • Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
  • Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi

https://securelist.com/arcane-stealer/115919/

And again, we shouldn't be downloading anything from unknown sources, especially game cheats like this one.
3  Other / Beginners & Help / Fake Coinbase Migration Phishing Email on: March 20, 2025, 09:04:30 AM
So it seems that there is a new wave of Coinbase phishing email attacks like the one below.

And from the looks of it, it seems very legit, but upon closer inspection, the source of the email is very suspicious:

Code:
noreply@akamai.com

The thing is that this is a clever approach by the attackers, and the reverse of what we have been seeing before. There is no phishing link that, when you click or download it, installs malware that steals your credentials, like your passphrase.

Here, the attackers will give you a 12-digit mnemonic phrase and then let you transfer all your crypto to that wallet, and once you transfer, there could be a bot that will automatically transfer it to a new wallet that the attackers control.

So if you get this email, delete it, as this is an obvious phishing email from the attackers.

https://gbhackers.com/fake-coinbase-migration-messages-target-users/
4  Other / Beginners & Help / Malicious PDF + fake captcha with Lumma stealer on: March 03, 2025, 02:43:45 AM
It seems that criminals have shifted their focus to a new trend: many people are searching for PDFs, and then you will be redirected to a site where you need to fill in a fake captcha.

Quote
As Netskope Threat Labs extends its hunt for phishing campaigns leveraging PDFs, fake CAPTCHAs, and SEO poisoning, we observed more than 260 unique domains hosting phishing PDF files. While Webflow leads all domains for hosting phishing PDFs, other noteworthy content delivery domains include GoDaddy, Strikingly, Wix, and Fastly. Notably, three of the top 15 domains are content delivery networks related to GoDaddy, which are wsimg.com, s123-cdn-static.com, and f-static.net.

The cyber criminals' attack starts when victims go to online libraries like

Code:
https://pdfcoffee.com/
https://pdf4pro.com/
https://pdfbean.org/

So once you go to these websites and search for something there, you may unfortunately download a PDF that is poisoned and laden with malware, like in this example:

And most likely it comes with a Lumma stealer.

Quote
Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.

So this is just a warning for those who are downloading PDFs from these and other sites: when you see a captcha, you have to think twice before downloading or executing anything, as you might be the next victim here.

https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches
5  Economy / Exchanges / Phemex Exchange hacked on: January 29, 2025, 08:08:16 AM


https://x.com/Phemex_official/status/1882417902038749317

I'm not sure if this has been discussed already, but another exchange has been hacked recently (https://phemex.com/announcements/phemex-hot-wallet-security-incident-update-and-timeline).

And it is said that they have lost $85 million in the said hack.

So this is another obvious reason to get your funds out of crypto exchanges and store them in a wallet that you have total control over.
6  Bitcoin / Bitcoin Discussion / Warning: Cyber actors taking advantage of Ross Ulbricht news on X on: January 23, 2025, 04:38:45 AM


https://x.com/vxunderground/status/1881946956806926351

Just want to give everyone a heads-up regarding the news about Ross Ulbricht being freed by the Trump administration. There is a set of threat actors who are taking advantage of it on X.

They use fake but verified Ross Ulbricht accounts on X, then direct people to malicious Telegram channels presenting themselves as official Ulbricht portals.

And after you are redirected to it, you will be walked through a fake verification process named "Safeguard". Then a mini app automatically copies a PowerShell command and instructs you to open the Windows Run dialog and paste that command.

Which will eventually download a zip file from

Code:
http://openline[.]cyou

With a Cobalt Strike loader (https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike).

So never ever download it, let alone execute it or run it in a dialog. Even if you are a so-called advanced user, you don't know what's inside that PowerShell command or that zip file.
7  Other / Beginners & Help / Fake WalletConnect on Google Play on: October 03, 2024, 08:48:25 AM
It was uncovered that there was a malicious app on Google Play targeting crypto enthusiasts, and obviously it is designed for mobile devices, which are used by many of us. It has a good evasion technique, which is why it was under the radar for quite some time (five months) and could have claimed victims already.

One method it uses is exploiting the trusted name of the "WalletConnect" protocol. It also has an army of accounts making fake reviews, which is why it got 10,000 downloads and even ranked high in search engines.

It is said that it was able to drain crypto users of about $70,000 before being caught and removed.

https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/

And it seems that these criminals are shifting to mobile-device attacks. So we should really be careful about anything that we download, especially crypto apps from the Google store, and we should verify everything first before connecting our wallets. Although this one has been taken down, these criminals are surely not going to stop and could come up with another kind of download.
8  Bitcoin / Legal / Europol Shuts down major group that target mobile phones on: September 21, 2024, 05:03:18 AM
Europol has reported that it has taken down a major international criminal network engaged in unlocking stolen or lost mobile phones through a phishing platform.

Quote
Investigators reported 483 000 victims worldwide, who had attempted to regain access to their phones and been phished in the process. The victims are mainly Spanish-speaking nationals from European, North American and South American countries.

The successful operation took place thanks to international cooperation between law enforcement and judiciary authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.

The action week took place between 10 and 17 September and resulted in 17 arrests, 28 searches and 921 items seized, mainly mobile phones but also other electronic devices, vehicles and weapons.

https://www.europol.europa.eu/media-press/newsroom/news/criminal-phishing-network-resulting-in-over-480-000-victims-worldwide-busted-in-spain-and-latin-america

I guess this is a big win for Europol in their fight against cyber criminals. They are a big group, and we can see that they've victimized almost half a million people around Lat-Am alone. Hopefully more criminal gangs will be taken out by the authorities, especially those who target crypto enthusiasts.
9  Other / Beginners & Help / Be careful, SambaSpy Malware on: September 20, 2024, 11:19:04 AM
A new clipboard malware has emerged, exclusively targeting Italy via a phishing campaign. Below is the infection chain.

Infection chain:

The email usually comes from a German email address that really looks legit. It has an attached invoice embedded in a link, and once you click it, it will redirect you to a malicious website.

And once the Zip archive is opened, it will download and then deploy a dropper with a multi-functional RAT payload. Its functionalities include the following:

So it has capabilities that are very dangerous to crypto enthusiasts, as it could act as a clipper malware and steal our passwords as well, so not just for crypto but also for banking apps that we have on our systems.

Take note that right now it targets Italy, but the code of the malware itself is Brazilian or Portuguese-speaking, so this might evolve later to target Lat-Am.

https://securelist.com/sambaspy-rat-targets-italian-users/113851/
10  Other / Beginners & Help / Be careful, FoxIt PDF Reader flaw being exploited by Hackers targeting cryptos on: May 21, 2024, 12:57:57 PM
I'm pretty sure that the majority of us have used PDFs before, with either Adobe Acrobat PDF reader or the alternative Foxit PDF reader. The latter was recently used by cyber criminals to deliver their malware, and as crypto enthusiasts we are somewhat among the targets, as it involves a crypto miner and crypto wallets.

First you might receive this kind of email, and if you click on the attached link, you might see the below:

And once you click "OK", a second pop-up will appear:

And if you are unsuspecting about everything and then click "Open", it will then download and execute the malware's payload.

This is all the system information that these hackers are going to get from you:

And as recommended:

Quote
Until the software update is applied, Foxit users are advised to remain vigilant about potential exploitation and adhere to classic defense practices. To mitigate the risks of being affected by such threats, it is essential to:

- Keep operating systems and applications updated through timely patches and other means.
- Be cautious of unexpected emails with links, especially from unknown senders.
- Enhance cybersecurity awareness among employees.
- Consult security specialists for any doubts or uncertainties.

This is just a heads-up; we are really exposed to this cyber threat now as we approach the bull run, so everyone should be very careful.

https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/
11  Bitcoin / Bitcoin Discussion / Twitter hackers pleads guilty and agree to a 3 year in prison on: March 19, 2021, 10:21:25 AM
I'm pretty sure that the Twitter hack is still fresh in our memory. It was high-profile because it involved a lot of crypto exchanges like @coinbase, @Gemini, and @binance, and then celebrities such as @JeffBezos, @BarackObama, @elon_musk, @JoeBiden, @BillGates, and @WarrenBuffett.

And Graham Ivan Clark was charged last year and on Tuesday agreed to be sentenced as a youthful offender to three years in prison, plus three years of probation.

Here are the official docs: https://www.documentcloud.org/documents/20515610-plea-agreement-acknowledgment-of-waiver-of-rights-bc-6f018852-673e-4df1-85da-4c5629856265

https://www.sao13th.com/2021/03/prosecutors-reach-plea-agreement-in-case-of-twitter-hacker-graham-clark/ (please note that access might be blocked for some regions due to security reasons).

What are your thoughts on the sentencing? He has already served seven months of the three-year sentence.
12  Other / Meta / Gah, your tab just crashed on: February 06, 2021, 11:21:24 AM
I was quite surprised to see this error; actually it was my first time seeing this kind of message from this forum. I've been here for some time now, so I'm wondering if others have seen this kind of error message before. I know that you can just refresh to restore the tab, but I'm just curious.

Note: this coincides with bitcoin hitting $40k again, so probably there are a lot of online users right now, causing this kind of error.
13  Other / Beginners & Help / Another mixer is being targeted by criminals - (https://[banned mixer]/en/) on: January 19, 2021, 10:01:50 AM
I saw this post by @Xal0lex here, and it didn't take long to identify another fake site.

Code:
xn--mxer-qpa.money

Original: https://[banned mixer]/en/

Archive: https://archive.is/qrVRM

Quote
Registrant    REDACTED FOR PRIVACY
Registrant Country    gb
Registrar    1API GmbH
IANA ID: 1387
URL: http://www.1api.net
Whois Server: whois.1api.net
Registrar Status    clientTransferProhibited
Dates    23 days old
Created on 2020-12-27
Expires on 2021-12-27
Updated on 2021-01-01
IP Address    104.18.40.235 - 462 other sites hosted on this server

Image of the fake site below; you can't see any difference visually, can you?

So be very careful; this is another warning to all of us that mixers are prime targets as well. And even though this mixer is not that well-known (this is the first time I've heard of it), still, we will never know.
14  Economy / Scam Accusations / [Scam]: Fake OnX Swap website on: January 13, 2021, 02:57:22 AM
What happened: Fake OnX Swap website

Website:
Code:
https://onxswap.online/

Archived: https://archive.is/sdFcr

Original website: https://app.onx.finance/dashboard
Quote
Whois Record for OnXSwap.online
Domain Profile
Registrant Org    Not Applicable
Registrant Country    us
Registrar    Hostinger, UAB
IANA ID: 1636
URL: —
Whois Server: whois.hostinger.com
Registrar Status    clientTransferProhibited, serverTransferProhibited
Dates    14 days old
Created on 2020-12-29
Expires on 2021-12-30
Updated on 2021-01-03
Name Servers    NS1.DNS-PARKING.COM (has 815,330 domains)
NS2.DNS-PARKING.COM (has 815,330 domains)
Tech Contact    —
IP Address    151.106.97.138 - 62 other sites hosted on this server
IP Location    Germany - Bayern - Nuremberg - Hostinger International Limited
ASN    Germany AS47583 AS-HOSTINGER, CY (registered Apr 04, 2011)
IP History    1 change on 1 unique IP addresses over 1 years
Hosting History    1 change on 2 unique name servers over 1 year

15  Alternate cryptocurrencies / Service Discussion (Altcoins) / Fake Tornado Cash website on: January 12, 2021, 12:09:28 PM
Tornado Cash - https://tornado.cash/, "a non-custodial Ethereum and ERC20 privacy solution based on zkSNARKs. It improves transaction privacy by breaking the on-chain link between the recipient and destination addresses", is now being cloned as well by cyber actors.

The fake website:
Code:
https://tornadocash.org/

Archived: https://archive.is/zYvKT

Quote
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NameCheap, Inc.
IANA ID: 1068
URL: http://www.namecheap.com
Whois Server: whois.namecheap.com
Registrar Status    serverTransferProhibited
Dates    37 days old
Created on 2020-12-06
Expires on 2021-12-06
Updated on 2020-12-06
IP Address    104.31.77.95 - -1 other site is hosted on this server

The real website is: https://app.tornado.cash/. And this is how it looks:

Almost the same, and it's hard to distinguish initially.

This is the official github repo: https://github.com/tornadocash/tornado-core
16  Economy / Scam Accusations / [Warning]: New Bustabit phishing site - 1 day old on: January 12, 2021, 08:47:58 AM
What happened: New Bustabit phishing site

Website
Code:
https://bustabit.cam/

Archive: https://archive.is/C0tx9

Quote
Whois Record for BustaBit.cam
Domain Profile
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    Namecheap
IANA ID: 1068
URL: https://namecheap.com
Whois Server: whois.namecheap.com
Registrar Status    addPeriod, clientTransferProhibited, serverTransferProhibited
Dates    1 days old
Created on 2021-01-10
Expires on 2022-01-10
Updated on 2021-01-10
Tech Contact    —
IP Address    63.250.38.6 - 534 other sites hosted on this server

It seems that the attacks on bustabit continue, like this one, a website just 1 day old, freshly created by these criminals to take advantage of those who use Google to search for bustabit games.
17  Economy / Scam Accusations / [Scam]: Phishing and Fake Balancer.exchange on: January 10, 2021, 10:21:47 AM
What happened: Fake Balancer website

Website:
Code:
https://bolancer.exchange/ 

Original Website: https://balancer.exchange/#/swap

Image of fake website:

Quote
Whois Record for BoLancer.exchange
Domain Profile
Registrant    REDACTED FOR PRIVACY
Registrant Org    See PrivacyGuardian.org
Registrant Country    us
Registrar    NameSilo, LLC
IANA ID: 1479
URL: http://www.namesilo.com
Whois Server: www.namesilo.com/whois.php
Registrar Status    clientTransferProhibited
Dates    14 days old
Created on 2020-12-27
Expires on 2021-12-27
Updated on 2021-01-01
IP Address    172.67.190.61 - 21 other sites hosted on this server

18  Other / Beginners & Help / Another fake and phishing Blockchain.com website on: November 25, 2020, 10:10:19 AM
There is another fake blockchain.com, which is just 4 days old; actually it was a redirection from:

Code:
login.bhlockchain.com
to
Code:
https://bıockchainı.com/

Archive: https://archive.is/J3Nyv

Quote
Registrant    WhoisGuard Protected
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NAMECHEAP INC NameCheap, Inc.
IANA ID: 1068
URL: http://www.namecheap.com
Whois Server: whois.namecheap.com
Registrar Status    addPeriod, clientTransferProhibited
Dates    4 days old
Created on 2020-11-21
Expires on 2021-11-21
Updated on 0000-12-31
IP Address    209.97.129.163 is hosted on a dedicated server

So watch out for this kind of attack; we need to be very careful as the price of bitcoin is almost at an all-time high again.

And I need everyone to help me report this website to:

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en or direct to the domain registrar:

https://support.namecheap.com/index.php?/Tickets/Submit->Abuse Reports->Fraud / Phishing
19  Economy / Scam Accusations / Another Bitcoin mixing phishing site - Foxmixėr.com on: November 23, 2020, 10:51:19 AM
There is a phishing site of Foxmixer.com. It might not be a popular mixing service, but they have their ANN thread here: ✰ [ANN] FoxMixer.com ✰✰✰ The High Quality Bitcoin Mixer ✰✰✰ 3+ Years Online ✰.

Website:

Code:
www.xn--foxmixr-y8a.com
https://www.foxmixėr.com/

The real website is: https://www.foxmixer.com/

Quote
Whois Record for Foxmixėr.com
Domain Profile
IP Address    198.54.116.178 - 730 other sites hosted on this server
IP Location    United States Of America - Georgia - Atlanta - Namecheap Inc.
ASN    United States Of America AS22612 NAMECHEAP-NET, US (registered Jun 21, 2011)
Domain Status    Never Registered Before
IP History    1 change on 1 unique IP addresses over 0 years
Registrar History    1 registrar
Hosting History    1 change on 2 unique name servers over 0 year
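Added example (not from the posts above or from any of the sites they mention): a small Python check that decodes the punycode form of a hostname, folds look-alike letters such as the dotted ė and the dotless ı used in the fake foxmixer.com and blockchain.com domains quoted in this post and the one before it, and measures the edit distance to a known-good list, so one-letter typosquats like bustabit.cam are flagged too. The allow-list and the confusables table are constructed assumptions for the demo, not a complete confusables database.

```python
"""Look-alike domain check for the homoglyph / punycode phishing domains quoted above."""
import unicodedata

# Constructed allow-list: the legitimate sites the posts above say were being imitated.
KNOWN_GOOD = {"blockchain.com", "foxmixer.com", "tornado.cash", "bustabit.com"}

# Dotless i (used in the fake blockchain.com) has no NFKD decomposition, so fold it by hand.
# Constructed, deliberately short table; a real check would use the Unicode confusables data.
LOOKALIKES = str.maketrans({"ı": "i", "ł": "l", "ø": "o", "ɑ": "a"})


def to_unicode(host: str) -> str:
    """Decode xn-- (punycode) labels so the look-alike glyph becomes visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: leave untouched


def skeleton(text: str) -> str:
    """Strip accents (ė -> e) and fold known look-alike letters to plain ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-letter typosquats like bhlockchain / bustabit.cam."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(host: str, brands=KNOWN_GOOD) -> dict:
    """Classify a hostname as ok / homoglyph / typosquat / unknown against the allow-list."""
    decoded = to_unicode(host.strip().lower())
    domain = ".".join(decoded.split(".")[-2:])  # registrable part: drops www. / login.
    non_ascii = [(c, unicodedata.name(c, "?")) for c in domain if ord(c) > 127]
    folded = skeleton(domain)
    nearest = min(brands, key=lambda b: levenshtein(folded, b))
    distance = levenshtein(folded, nearest)
    if domain in brands:
        verdict = "ok"
    elif non_ascii:  # any non-ASCII letter in a brand-like name is a red flag on its own
        verdict = "homoglyph" if distance <= 2 else "suspicious-idn"
    elif distance <= 1:
        verdict = "typosquat"
    else:
        verdict = "unknown"
    return {"decoded": domain, "non_ascii": non_ascii, "nearest": nearest,
            "distance": distance, "verdict": verdict}


if __name__ == "__main__":
    # Hosts quoted in the posts above, plus the genuine foxmixer.com for contrast.
    for host in ["www.xn--foxmixr-y8a.com", "bıockchainı.com", "login.bhlockchain.com",
                 "bustabit.cam", "www.foxmixer.com"]:
        r = analyze(host)
        print(f"{host:28} -> {r['decoded']:18} {r['verdict']:14} nearest={r['nearest']} "
              f"d={r['distance']} non_ascii={[n for _, n in r['non_ascii']]}")
```

Running it shows the punycode label decoding to foxmixėr.com with a LATIN SMALL LETTER E WITH DOT ABOVE, which is the detail a browser address bar may hide.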
20  Economy / Scam Accusations / [WARNING]: Fake Paypal Giveaway on: November 22, 2020, 10:27:10 PM
Since PayPal has joined the cryptocurrency bandwagon, scammers were very quick to take advantage and created a website for a supposed PayPal giveaway.

This is obviously fake and malicious, and its intention is to trap crypto enthusiasts and play with their emotions and greed. So please do not fall for this scheme.

Website:
Code:
http://paypalbtc.org/

Archived: https://archive.is/uuqT1

Bitcoin address:
Code:
1PAYPRAKcnQyqnLMA7WyLTyzWakXVidx6W

The address already has a balance of 0.00037650 BTC.

Quote
Registrant Org    Maslov Anatoliy Zaharovich
Registrant Country    ru
Registrar    Regional Network Information Center, JSC dba RU-CENTER
IANA ID: 463
URL: https://www.nic.ru/whois
Whois Server: https://www.nic.ru/whois
Registrar Status    clientTransferProhibited, serverTransferProhibited
Dates    28 days old
Created on 2020-10-25
Expires on 2021-10-25
Updated on 2020-11-10
Name Servers    NS3.NIC.RU (has 551,119 domains)
NS4.NIC.RU (has 551,119 domains)
NS8.NIC.RU (has 551,119 domains)
Tech Contact    —
IP Address    195.24.68.9 - 2,361 other sites hosted on this server
IP Location    Russian Federation - Moskva - Moscow - Jsc Ru-center
ASN    Russian Federation AS48287 RU-CENTER, RU (registered Nov 04, 2008)