https://www.justice.gov/usao-cdca/pr/socal-man-arrested-federal-charges-alleging-he-schemed-advertise-and-sell-hive

So they caught the individual selling it to undercover employee, just the old and traditional way of catching criminals

After advertising the Hive RAT, according to the indictment, Chakhmakhchyan exchanged electronic messages with purchasers and explained to one buyer that the malware “allowed the Hive RAT user to access another person’s computer without that person knowing about the access.” After this purchaser told Chakhmakhchyan that “the point” of using the Hive RAT was because the victim had “20k in bitcoin on a blockchain wallet” and “project files worth over 5k,” Chakhmakhchyan agreed to sell the Hive RAT, the indictment alleges. Later, Chakhmakhchyan allegedly also sold a license for the Hive RAT to an undercover employee of a law enforcement agency.
And he was charge with,

• to advertise a device as an interception device
• to transmit a code to intentionally cause damage to a protected computer
• and to intentionally access a computer to obtain information
• as well as one count of advertising a device as an interception device

Each count carries a statutory maximum penalty of five years in federal prison.

Good riddance, hopefully he will get the maximum sentence and who knows, maybe him and SBF will be in the same jail,  .

Kidding aside, good work by the authorities, tracking and the undercover for doing his job.

I'm sure majority of us are into AI, at least for me I have been trying to learn a lot of tools, like Mid Journey, Capcut, In-video,  Leonardo AI, Elevenlabs, Runway and others. So when I say this reports, I was taken aback as how cyber criminals is also leveraging AI tools now to steal our crypto credentiasl as most of them are info stealer.

The way it works is that this threat actor will take over a Facebook account, hack it specially those who have a lot of followers and then turn it into face site similar to the original AI tools.

• Cybercrooks have taken over Facebook profiles to run sponsored malvertising campaigns impersonating Midjourney, Sora AI, DALL-E 3, Evoto, ChatGPT 5 and many others
• The malicious pages on Facebook are meticulously designed to trick users into downloading purportedly official desktop versions of popular AI software. The cybercriminals behind these campaigns regularly change and adapt the malicious payloads in an attempt to avoid further detection from security software
• The links direct users to malicious webpages that download a variety of intrusive stealers to harvest sensitive information from compromised systems, including credentials, autocomplete data, credit card information, and even crypto wallet information.
• The analyzed campaigns employ malicious ads that contain links to executable files that serve Rilide, Vidar, IceRAT, Nova Stealers. The entire batch of malicious software is often offered as malware-as-a-service by threat actors on specialized forums and channels.
• The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere.
• The ads use convincing descriptions alongside generated AI videos and photos to lure potential users into accessing malicious payloads
• One particular Facebook page impersonating Midjourney with a whopping 1.2 million followers was active for nearly a year until it was shut down on March 8, 2024. Since then threat actors have continuously set up more fraudulent pages to deliver malicious ads to users.
• The Midjourney malvertising ad campaign was directed towards male Facebook users aged 25 to 55 and had an ad reach of approximately 500,000 individuals from Europe (demographics and reach of the campaign were obtained by tracking Meta’s Ad Library catalog)

The malware included here and most of them have been reported already in this community,

Rilide Stealer by @The Cryptovator
Vidar by @Lafu
Nova Stealer

And one of the well-known AI tools right now, Mid-Journey,  had 1.2 million followers and reach of over 500,000 individuals in Europe before being taken down on March 8, this year.



https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/

I know others will say that we should go and look for the official page and check everything before downloading. But with the recent AI resurgence, including myself joining the picture and taking advantage of it for whatever purpose it may served to me, still there are dangers lurking in the dark specially for us crypto enthusiast and those trying to learn AI.

Mispadu, a supposedly banking trojan and infostealer that targets LATAM has evolved itself and now venturing not just in that region but other European as well and it also includes crypto exchanges in their crosshair.

Sample phishing email sent by the threat actor, which include a PDF attachment that contains the malware as it will download a ZIP file through a URL shortener service.




Below are the target crypto exchanges,



And this is the two Bitcoin addresses associated with the cyber criminals,

• bc1qn5fwarp0wesjahyaavj3zpzawsh3mp0mpuw94n
• bc1qzcdrhp30eztexrmyvz5dwuyzzqyylq5muuyllf

The first address has close to 1 BTC already.

This address has transacted 62 times on the Bitcoin blockchain. It has received a total of 0.82939740 BTC $55,022.77 and has sent a total of 0.82937010 BTC $55,020.96 The current value of this address is 0.00002730 BTC $1.81.

https://blog.morphisec.com/mispadu-infiltration-beyond-latam

We have been talking about using Mac OS or even Unix flavored for our crypto activities because using Windows based are very dangerous as malwares can easily spread with this OS. However, recently, there was a info-stealer, known as Atomic Stealer.

So the threat actor leveraged everything when someone searches for

Code:

Arc Browser

And then it will redirect them to a fake site

Code:

airci[.]net

.

It will ask you to download the installer,

Code:

ArcSetup.dmg

that contains the Atomic Stealer.

Other supported actions of the stealer include:

• collection of usernames and passwords from browser login data
• the ability to pull credit card details
• stealing data from a list of installed crypto wallets, among which are Ledger and Trezor

Although Ledger has blocked it, still we are not sure what is the extend of this malware as it could targets a lot of crypto wallets.



So again, we are not really safe in the world that we live-in. Hackers and criminals are evolving to author malware that will target any OS today and in the future.
https://www.jamf.com/blog/infostealers-pose-threat-to-macos/

[What happened:]

What happened: Fake BlockGames pre-sale website

Website:

Code:

https://events-blockgames.com/

Archive: https://archive.fo/Jo52q

Domain info:

Code:

Domain Name: EVENTS-BLOCKGAMES.COM
   Registry Domain ID: 2866050571_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.nicenic.net
   Registrar URL: http://www.nicenic.net
   Updated Date: 2024-03-23T08:21:09Z
   Creation Date: 2024-03-23T08:21:08Z
   Registry Expiry Date: 2025-03-23T08:21:08Z
   Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
   Registrar IANA ID: 3765
   Registrar Abuse Contact Email: 
   

Original site: https://presale.blockgames.com/

Do not connect your wallet and if you have time then report it here:-> https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

[119 target Chrome wallets]

Another malware in the wild dubbed as Azorult malware using fake fronting Google Sites pages and HTML smuggling to steal sensitive information that includes crypto wallet. It is reported that this malware is on the rise and probably it's because of the current bull run that we are seeing.

Azorult malware contains a list of 119 target Chrome wallets and 12 Edge wallet extensions.

we uncovered a campaign wherein an attacker created fake Google Docs pages on Google Sites from which they used HTML smuggling to download malicious payloads. They lure their victims to the fake Google Docs pages to trick them into believing the downloaded file was from Google Docs.

And the payload is The Azorult payload is a .NET compiled.  All stolen files and data are then transmitted to the C2 server over HTTP.

Code:

pg20.exe

Targeted Chrome Wallets



Targeted Edge Wallet



Targeted Firefox Wallet



And it looks for this keyword as well:




So again, cyber criminals activities are ramping up as we go on a bull run already. So we might be very careful time and time again and not let our defense down as the attacks are getting very sophisticated by the day. I think we already have enough information in our community on how to protect our wallets. But from time to time it's also a good practice to revisit it just saying.

https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites

https://www.justice.gov/opa/pr/bitcoin-fog-operator-convicted-money-laundering-conspiracy

Russian-Swedish national Roman Sterlingov was convicted by the US DOJ and a faces a max penalty of 20 years in prison.

It took them years though, as this mixer existed since 2011 and have a lot of customers with illicit activities as it is rampant during those early days and this individual was taking advantage of it.

But then again, the long hand of the law has caught up with them.

[What happened:]

What happened: Scam Smog Token website

Website:

Code:

 https://staking.smogtoken.co/

Archive: https://web.archive.org/save/https://staking.smogtoken.co/

Whois Information:

Registrar   Hosting Concepts B.V. d/b/a Registrar.eu
IANA ID: 1647
URL: www.openprovider.com
Whois Server: whois.registrar.eu

(p)
Registrar Status   addPeriod, clientTransferProhibited, serverTransferProhibited
Dates   Created on 2024-03-02
Expires on 2025-03-02
Updated on 2024-03-02    
Name Servers   NS1.DNS-PARKING.COM (has 4,554,470 domains)
NS2.DNS-PARKING.COM (has 4,554,470 domains)
 
IP Address   185.212.70.114 - 52 other sites hosted on this server
 
IP Location   United States - Arizona - Phoenix - Hostinger International Limited

Real Website: https://smogtoken.com/en

Criminals are taking advantage as this is one of the hottest airdrop right now. So the UI is very similar and it's really hard for us to catch it as there's not much difference. But please, double or even triple check everything before we connect our Wallet.

Please report it to: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

A package listed on the Python Package Index (PyPI) repository, which has been dormant since it first published to PyPI in April 2022. The package name is,

Code:

django-log-tracker

And it's repository is https://github.com/Ragib01/django_log_tracker. Django-log-tracker has been downloaded 3,866 times to date, with the rogue version (1.0.4) downloaded 107 times on the date it was published. While the linked GitHub repository hasn't been updated since April 10, 2022, the introduction of a malicious update suggests a likely compromise of the PyPI account belonging to the developer.

So most likely their could be some machines already being compromised and stealing cryptos. Below are the crypto address that have been used by criminals.

Ethereum address

has transacted 43 times on the Ethereum blockchain. It has received a total of 0.552653110090466539 ETH $1,649.89 and has sent a total of 0.52827227363384611 ETH $1,577.10. The current value of this address is 0.00 ETH $0.00.

And the Bitcoin address

has transacted 49 times on the Bitcoin blockchain. It has received a total of 0.33228144 BTC $17,166.00 and has sent a total of 0.33228144 BTC $17,166.00 (❗) The current value of this address is 0.00000000 BTC $0.00.

https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/

So for Python developers out there, just be careful on what packages you used which includes: libraries, frameworks, utilities, and tools.

Malwares are everywhere now and very difficult for us crypto enthusiast as we are the target by this cyber criminals.

https://www.aba.com/-/media/documents/letters-to-congress-and-regulators/jointclsec20240214.pdf

I'm no banking expert, and so I'm asking others who have knowledge or at least understand what's the request of the American Bankers Association (“ABA”) and other groups to SEC's Chairman Gary Gensler's.

It did mentioned Bitcoin Spot ETP in the official document and so I'm curious as to what changes they want?

Are they asking that at least regulatory bodies be lenient for now specially for Bitcoin related in safeguarding their clients assets?

[GoldDigger]

It was reported that there's a trojan that harvest facial recognition data used for unauthorized access to bank accounts and crypto wallets too, and researchers dubbed it as a family of "GoldDigger".

Among these discoveries, there is an exceptionally rare occurrence – a new sophisticated mobile Trojan specifically aimed at iOS users, dubbed GoldPickaxe.iOS by Group-IB. The GoldPickaxe family, which includes versions for iOS and Android, is based on the GoldDigger Android Trojan and features regular updates designed to enhance their capabilities and evade detection. GoldPickaxe.iOS, Group-IB researchers found, is capable of collecting facial recognition data, identity documents, and intercepting SMS. Its Android sibling has the same functionality but also exhibits other functionalities typical of Android Trojans. To exploit the stolen biometric data, the threat actor utilizes AI-driven face-swapping services to create deepfakes. This data combined with ID documents and the ability to intercept SMS, enables cybercriminals to gain unauthorized access to the victim’s banking account – a new technique of monetary theft, previously unseen by Group-IB researchers in other fraud schemes.

https://www.group-ib.com/blog/goldfactory-ios-trojan/

And it really sounds very complex and complicated and it seems the Chinese did take time to create this trojan that mostly targets APAC region specially in Vietnam as it targets  targets more than 50 applications related to banking, e-wallets, and crypto-wallets.



So to our friends from South East Asean region, just be careful with your banking apps and crypto wallet in your mobile or even Pc or laptop. Do everything and learn safe practice as not to infect your machines with this trojan.

[Targeted crypto wallets:]

There is a new and sophisticated attack coming from cyber criminals. It's complicated because they are not hiding it, but instead taking advantage of legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads.

But for now, it's not known how the criminals were able to spread it in the wild because the victims needs to physically click a link from a USB drive. And when it is launched:

1. Executes a PowerShell script "explorer.ps1"
2. it retrieves an  intermediary payload, which decrypts into a URL and initiates an infection within the system by downloading 'EMPTYSPACE malware.
3. The intermediary payloads consist of text strings that, when decoded, reveal a URL for downloading the subsequent payload and facilitate communication with a C2C (Command and Control).



Targeted crypto wallets:



https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

So this might be the right time now not to just be very careful on the USB drives that we are going to used or moving forward. As we have seen, criminals are getting really complex and refine with their attacks that even we can see it, we will never thought that those can be used to attack us.

https://www.justice.gov/opa/pr/three-individuals-charged-roles-189b-cryptocurrency-fraud-scheme

Not sure if there are victims of this fraud from our community. But then again, if you look at the jail time, it's 5 years for this criminals (for each count). So it's just another slap on their risk for this criminals. I mean they could get out in the next crypto bull run or maybe much earlier and then think again of another scams that they will pull off.

But we can't question the US authorities though, that's who justice is for them. This is a billion dollar scam, and not just those couple of millions.

And I say that if they don't return the money, then we might not call this justice after-all.

There is a group of cyber actors that targeted Mexican banking apps and crypto trading exchange and has been active in the wild right now. Not sure why Mexico and Latin-American countries, (Lat-Am), but they are financially motivated and targeting companies, gross revenues over $100M. They uses to lure their victims with the IDSE software update document:

Code:

guia_de_soluciones_idse.pdf

and

Code:

 IMSS payment system SIPARE

The infection process initiates with a ZIP file, which is disseminated through either phishing or a drive-by compromise. Inside this ZIP file is an MSI installer that deploys a .NET downloader. This downloader is responsible for verifying the victim's geographical location in Mexico.



And once you extract and executed this files you will be instructed to:



1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE
2.- RUN THE FILE CALLED "INSTALARPLUGIN"
3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY

It checks ipinfo[.]io for a geolocation in Mexico, if MX is not in the response string then the downloader aborts itself.



This is just a warning to our Mexican members or those who are in Latin-American. I know that there are a lot of respected members here and maybe they can share this.

https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat

[What do we learn here?]

When we thought that MacOS is safe from crypto malwares, a new discovery says that this is not the case. Although the malware itself only targets newer version of the operating system, but still for us crypto enthusiast, this is very dangerous. The mode of infection is that if the user downloaded a crack or fake apple software, then you will be directed to this, a bogus Activator window that asks for the administrator password.



So once you give them permission, it will execute a program and then will communicate to their C2 (command and control), to downloaded a script.

And this script check for the presence of Bitcoin Core and Exodus wallet (so far only this two wallets) in your machine. It will then sends everything to the criminals C2 server, including, seed, mnemonic phrase, your balance, password and once they got the data, they will obviously drain your wallet.

What do we learn here?

Never ever downloaded fake or pirated software. You already have a powerful machine in your hand and you have like shell out thousands of dollars already, so why not just buy original software as not to compromise your expensive MacOS.

https://securelist.com/new-macos-backdoor-crypto-stealer/111778/

[CVE-2023-36025]

A known malware, called Phemedrone Stealer is on the circulation right now and trying to take advantage and exploited CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability.

The targets are cryptocurrency wallets:

• Armory
• Atomic
• Bytecoin
• Coinomi
• Jaxx
• Electrum
• Exodus
• Guarda

So the leverage here is that the criminals are going to hosts malicious internet shortcut files on Discord or other cloud services such as FileTransfer.io. And so once we click that shortcut files, it will connect to a controlled server by the hackers and then execute control panel item (.cpl) file. However, Microsoft Windows Defender should warn us about this shortcut url and what it will execute, but attackers also crafted a shortcut URL to evade everything.

We've seen a lot of shortcut files recently, and I suggest not to click anything specially from unknown source as we might be the next victims and then this criminals draining our wallets.

(https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html)

[What happened:]

What happened: Yearn Finance fake site

Website:

Code:

https://yeanr.finance/

Archived: https://archive.is/p6O4e

Whois Record for YEaNr.finance
How does this work?
Domain Profile
Registrant    REDACTED FOR PRIVACY
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NameCheap, Inc.
IANA ID: 1068
URL: https://www.namecheap.com/
Whois Server: whois.namecheap.com

(p)
Registrar Status    clientTransferProhibited
Dates    18 days old
Created on 2020-12-27
Expires on 2021-12-27
Updated on 2021-01-01    
 
Name Servers    DNS1.NAMECHEAPHOSTING.COM (has 1,008,481 domains)
DNS2.NAMECHEAPHOSTING.COM (has 1,008,481 domains)
   
 
Tech Contact    REDACTED FOR PRIVACY
REDACTED FOR PRIVACY,
REDACTED FOR PRIVACY, REDACTED FOR PRIVACY, REDACTED FOR PRIVACY, REDACTED FOR PRIVACY
(p) (f)
IP Address    162.0.209.74 - 82 other sites hosted on this server

So they took advantage of the mis spelling and created this malicious website. If you directly type it to your browser, and make the mistake, you will surely fall for this trap. So bookmark it and check even the spelling just to make sure.

[Dates 16 days oldCreated on 2020-12-25Expires on 2021-12-25Updated on 2020-12-25]

Be careful with this so called integration wallet around, I'm seriously doubt that it is work as design as you have to enter your seed or recovery phrase. I'm trying to find out if there is such real application out there, but so far I can't find any deducing that this is a malicious site who's intention to steal our crypto. Or if there is a legit site, this is obviously a clone and fake.

Code:

 https://www.integrationwallet.com/

Archive: https://archive.is/bLFE7

Not just bitcoin wallet, but almost all popular altcoins wallet like MEW and MetaMask. So be careful with this, if you have encounter it, kindly report it to Google or to the registrar themselves

Whois Record for IntegrationWallet.com
How does this work?
Domain Profile
Registrant    Registration Private
Registrant Org    Domains By Proxy, LLC
Registrant Country    us
Registrar    GoDaddy.com, LLC
IANA ID: 146
URL: http://www.godaddy.com
Whois Server: whois.godaddy.com

Registrar Status    clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates    16 days old
Created on 2020-12-25
Expires on 2021-12-25
Updated on 2020-12-25    

IP Address    165.227.12.111 - 8,962 other sites hosted on this server

And that IP address and its relations has a lot of flags.



https://www.virustotal.com/gui/ip-address/165.227.12.111/relations

[What happened:]

What happened: Fake Waves Airdrop

Website:

Code:

https://wave-airdrop.live/
https://wave-airdrop.live/WAVES/index.html

Archived: https://archive.is/naevS

Registrant    REDACTED FOR PRIVACY
Registrant Org    WhoisGuard, Inc.
Registrant Country    pa
Registrar    NameCheap, Inc.
IANA ID: 1068
URL: https://www.namecheap.com/
Whois Server: whois.namecheap.com

(p)
Registrar Status    clientTransferProhibited
Dates    30 days old
Created on 2020-12-10
Expires on 2021-12-10
Updated on 2020-12-15      

IP Address    198.54.125.171 - 873 other sites hosted on this server

Unfortunately, this site has been up in the last month, so I do hope that no one has fallen for this scheme. If we can just spend less than 5 minutes of your time to report this, then for sure we will clean crypto space one at a time.

[What Happened:]

What Happened: Fake and Phishing Walletconnect.org

Website:

Code:

https://wallet-connect.org/ 

Domain Name: WALLET-CONNECT.ORG
Registry Domain ID: D402200000015501490-LROR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2020-12-19T18:40:53Z
Creation Date: 2020-12-19T18:40:44Z
Registry Expiry Date: 2021-12-19T18:40:44Z
Registrar Registration Expiration Date:
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.6613102107
Reseller:
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: WhoisGuard, Inc.
Registrant State/Province: Panama
Registrant Country: PA
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)

For more information on Whois status codes, please visit https://icann.org/epp

The real website is: https://walletconnect.org/

This is a warning, double check if you are connected to the real website because the domain is very similar to the original one.