FlagThis - #cryptosecurity

A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.


References :

• infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
• techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
• Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
• techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
• CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
• fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
• Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
• www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
• bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
• WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
• NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
• Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
• Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on Youtube.
• aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
• SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
• www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
• aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 
• The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
• CyberScoop: This article reports on the cyberattack claimed by Predatory Sparrow against Iran's Bank Sepah.

Classification:

• HashTags: #IranHack #CryptoSecurity #PredatorySparrow
• Company: Iran
• Target: Nobitex
• Attacker: Predatory Sparrow
• Product: Nobitex
• Feature: Data Theft and Destruction
• Malware: encryption.exe
• Type: Hack
• Severity: Major

A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.

The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks.


References :

• : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
• www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
• Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
• Security Risk Advisors: Lazarus Uses “ClickFake Interviewâ€� to Distribute Backdoors via Fake Crypto Job Websites
• The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

Classification:

• HashTags: #ClickFake #Lazarus #Backdoor
• Company: Secoia
• Target: job seekers
• Attacker: Lazarus
• Product: interview
• Feature: fake interviews
• Malware: GolangGhost
• Type: Espionage
• Severity: Major