Lorenzo Franceschi-Bicchierai@techcrunch.com
//
The U.S. Secret Service, in collaboration with international law enforcement agencies, has seized the domain of the Russian cryptocurrency exchange Garantex. This action was part of an ongoing investigation and involved agencies such as the Department of Justice's Criminal Division, the FBI, Europol, the Dutch National Police, the German Federal Criminal Police Office, the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. The Secret Service confirmed the seizure of website domains associated with Garantex's administration and operation.
The seizure warrant was obtained by the U.S. Attorney's Office for the Eastern District of Virginia. Garantex had previously been sanctioned by the U.S. in April 2022 for its association with illicit activities. Authorities have linked over $100 million in transactions on the exchange to criminal enterprises and dark web markets, including substantial sums connected to the Conti ransomware gang and the Hydra online drug marketplace.
References:
- bsky.app: The US Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol.
- The Register - Security: International cops seize ransomware crooks' favorite Russian crypto exchange
- infosec.exchange: UPDATE: Secret Service spokesperson told us that it "has seized website domains associated with the administration and operation of Russian cryptocurrency exchange, Garantex as part of an ongoing investigation."
- Zack Whittaker: NEW: Russian crypto exchange Garantex has been seized by the U.S. Secret Service during an international law enforcement operation. FBI declined to comment; Secret Service didn't respond, but Garantex's domain is now pointing to nameservers run by the Secret Service. More from :
- securityaffairs.com: International law enforcement operation seized the domain of the Russian crypto exchange Garantex
- The Register - Security: Uncle Sam charges alleged Garantex admins after crypto-exchange web seizures
- infosec.exchange: NEW: The U.S. government has accused two administrators of Russian crypto exchange Garantex of facilitating money laundering for terrorists and cybercriminals. Aleksej Besciokov and Aleksandr Mira Serda allegedly knew they were helping ransomware hackers as well as DPRK's Lazarus Group. Besciokov is also accused of conspiracy to violate U.S. sanctions.
- The Hacker News: U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website
- infosec.exchange: NEW: U.S. Secret Service and other international law enforcement agencies have seized the website of Russian crypto exchange Garantex. Garantex had previously been sanctioned by the U.S. government for being associated with ransomware gangs like Conti and darknet markets, as well as by the European Union for ties to sanctioned Russian banks.
- The DefendOps Diaries: International Collaboration in the Takedown of Garantex
- Threats | CyberScoop: The Department of Justice also indicted two men tied to the exchange.
- BleepingComputer: The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions.
- techcrunch.com: US charges admins of Garantex for allegedly facilitating crypto money laundering for terrorists and hackers
- Metacurity: Law enforcement took down hacker-friendly Russian crypto exchange Garantex
- www.scworld.com: Global law enforcement crackdown hits Russian crypto exchange Garantex
- securityonline.info: Secret Service-Led Operation Seizes Garantex Cryptocurrency Exchange
- techcrunch.com: Russian crypto exchange Garantex seized by law enforcement operation
- Jon Greig: US officials charged Aleksej Besciokov and Aleksandr Mira Serda on Friday for their roles at Garantex. They also made copies of Garantex’s customer and accounting databases before servers were seized by German and Finnish officials
- infosec.exchange: NEW: After authorities took down the domains of Russian crypto exchange Garantex, and charged two of its administrators for facilitating money laundering, the company is now inviting customers for “face-to-face meetings” at its headquarters. 🤔
- hackread.com: Garantex Crypto Exchange Seized, Two Charged in Laundering Scheme
- techcrunch.com: Following takedown operation, Garantex invites customers to ‘face-to-face’ Moscow meeting
- BrianKrebs: Scoop: Alleged Co-Founder of sanctioned cryptocurrency exchange Garantex arrested in India. Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing on the coast of India with his family.
- krebsonsecurity.com: Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing on the coast of India with his family.
- Security | TechRepublic: Long Arm of the Law Comes for Russian Crypto: Why Secret Service Seized Garantex
- BleepingComputer: Garantex crypto exchange admin arrested while on vacation
- Chainalysis: International Action Dismantles Notorious Russian Crypto Exchange Garantex
- The DefendOps Diaries: International Crackdown on Garantex: Implications for the Crypto Industry
Classification:
- HashTags: #Garantex #Cryptocurrency #Ransomware
- Company: Garantex
- Target: Garantex
- Product: Cryptocurrency exchange
- Feature: money laundering
- Type: Hack
- Severity: Major
do son@securityonline.info
//
Cybersecurity analysts have uncovered a sophisticated campaign that uses a fake Zoom installer to deliver BlackSuit ransomware to Windows systems. The attack begins with a malicious download from a website mimicking the Zoom teleconferencing application, luring unsuspecting victims into installing malware capable of crippling entire networks. When a victim clicks the “Download” button, they unknowingly trigger the chain of events that follows.
The fake installer, built with Inno Setup, hides d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement and use QDoor to facilitate RDP access. After 9 days, they deploy BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery before encrypting files and dropping ransom notes. For data exfiltration, the attackers use WinRAR to compress file share data and upload the archives to Bublup, a cloud storage service.
References:
- bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
- BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
- Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
- gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
- Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For lateral movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
- Osint10x: Fake Zoom Ends in BlackSuit Ransomware
- securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
- bsky.app: Lazarus adopts ClickFix technique.
- Cyber Security News: Lazarus Hackers Use Fake Interviews “ClickFake” to Infect Windows & macOS with GO Malware
- : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
- gbhackers.com: Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware
- BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.
- Virus Bulletin: Sekoia researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
- www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
Classification:
- HashTags: #Ransomware #BlackSuit #Malware
- Company: Multiple
- Target: Windows users
- Product: Zoom
- Feature: Fake Zoom installer
- Malware: BlackSuit Ransomware
- Type: Ransomware
- Severity: Disaster
Bill Toulas@BleepingComputer
//
OKX Web3 has suspended its DEX aggregator services following reports that the North Korean Lazarus Group, responsible for a recent $1.5 billion crypto heist, attempted to launder funds through the platform. The suspension is intended to allow security upgrades that prevent further abuse and protect users from illicit activities such as money laundering.
OKX's response includes implementing advanced security technologies, such as multi-factor authentication and machine learning algorithms, to predict and prevent potential security breaches. The company is also collaborating with regulatory authorities to align its security measures with international standards, including stricter Know Your Customer protocols and enhanced transaction monitoring systems. These steps are part of a comprehensive security overhaul aimed at fortifying the platform against sophisticated cyber threats.
References:
- bsky.app: Bsky Social - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
- BleepingComputer: Infosec Exchange - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
- BleepingComputer: BleepingComputer - OKX suspends DEX aggregator after Lazarus hackers try to launder funds
- The DefendOps Diaries: OKX's Strategic Response to Cyber Threats: A Comprehensive Security Overhaul
- securityonline.info: Web3 Laundering Fears: OKX Suspends Platform Amidst Scrutiny
- www.scworld.com: OKX tool leveraged by Lazarus Group briefly taken down
Classification:
- HashTags: #Cybersecurity #LazarusGroup #Crypto
- Company: OKX
- Target: OKX, Crypto Users
- Attacker: North Korean Lazarus Group
- Product: OKX Web3
- Feature: DEX aggregator services
- Type: Hack
- Severity: Major