CyberSecurity news

FlagThis - #cryptotheft

@cyberpress.org //

FreeDrain Crypto Phishing Network Steals Credentials - FreeDrain is a large-scale phishing operation exploiting free publishing platforms to steal cryptocurrency globally by using aggressive SEO manipulation and sophisticated layered redirection techniques.
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.

FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials.

Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site.

Recommended read:
References :
Bill Toulas@BleepingComputer //

Hackers Abuse Zoom's Remote Control for Crypto Theft - ELUSIVE COMET is exploiting Zoom's remote control feature in social engineering attacks to steal cryptocurrency by tricking users into granting remote access.
A new wave of sophisticated cyberattacks is targeting individuals and organizations, with the threat actor known as ELUSIVE COMET exploiting a little-known Zoom feature to steal millions in cryptocurrency. The attacks leverage Zoom's remote control functionality, initially designed for accessibility, to gain unauthorized access to victims' computers during seemingly legitimate business calls. ELUSIVE COMET, identified by the Security Alliance, has incorporated this feature into their social engineering attacks, targeting individuals within the cryptocurrency community, impersonating venture capital firms, podcast hosts, and even Bloomberg Crypto representatives.

The attack unfolds with attackers contacting potential victims via Twitter DMs or email, inviting them to participate in Zoom video conferences. During screen sharing, the attackers request remote control access while simultaneously changing their display name to "Zoom" to mimic a system notification. If victims, often distracted, grant permission, the attackers gain full control of the computer, enabling them to install malware, exfiltrate sensitive data, or steal cryptocurrency. One notable victim, Jake Gallen, CEO of NFT platform Emblem Vault, reportedly lost around $100,000 and control of his accounts after his computer was compromised using this technique.

Security experts are advising users to disable the Zoom remote control feature if it is not needed, as well as the entire Zoom accessibility suite. Trail of Bits, a cybersecurity research firm whose CEO was also targeted, recommends a multi-layered defense strategy. This includes aggressive machine learning prevention settings, mandatory upgrades to the latest macOS versions, hardware security keys for Google Workspace accounts, company-wide password management, and a preference for Google Meet over Zoom due to its stronger security features. Organizations can also deploy Privacy Preferences Policy Control (PPPC) profiles to prevent exploitation of this vulnerability.

Recommended read:
References :
  • cyberinsider.com: Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
  • Cyber Security News: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • www.helpnetsecurity.com: The Zoom attack you didn’t see coming
  • cyberpress.org: Zoom Remote Control Feature Exploited to Access Victims’ Computers—with Permission
  • Cyber Security News: Hackers Leverage Zoom’s Remote Control Feature to Gain Users’ System Access
  • Risky.Biz: Risky Bulletin: Zoom has a remote control feature and crypto thieves are abusing it
  • Risky Business Media: Risky Bulletin: Crypto-thieves abuse Zoom's remote control feature
  • CyberInsider: Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
  • cybersecuritynews.com: Hackers Leverage Zoom’s Remote Control Feature to Gain Users’ System Access
  • bsky.app: Newsletter: https://news.risky.biz/risky-bulletin-zoom-has-a-remote-control-feature-and-crypto-thieves-are-abusing-it/ -Crypto-thieves abuse secret Zoom remote control feature
  • ciso2ciso.com: CISO2CISO reports on North Korean Cryptocurrency Thieves Caught Hijacking Zoom
  • BleepingComputer: Hackers abuse Zoom remote control feature for crypto-theft attacks
  • www.scworld.com: Zoom Remote feature exploited in North Korean crypto theft operations
  • www.bleepingcomputer.com: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • The DefendOps Diaries: The 'Elusive Comet' Cyber Threat: A Deep Dive into Cryptocurrency Attacks
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines. https://www.bleepingcomputer.com/news/security/hackers-abuse-zoom-remote-control-feature-for-crypto-theft-attacks/
  • BleepingComputer: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • Anonymous ???????? :af:: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • SecureWorld News: Hackers Exploit Zoom's Remote Control Feature in Cryptocurrency Heists
  • BleepingComputer: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • Malware ? Graham Cluley: Smashing Security podcast #414: Zoom.. just one click and your data goes boom!
  • Malwarebytes: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • www.itpro.com: Hackers are using Zoom’s remote control feature to infect devices with malware
  • malware.news: Zoom attack tricks victims into allowing remote access to install malware and steal money
  • bsky.app: A hacking group dubbed 'Elusive Comet' targets cryptocurrency users in social engineering attacks that exploit Zoom's remote control feature to trick users into granting them access to their machines.
  • hackread.com: Hackers Use Zoom Remote-Control to Steal Crypto
  • blog.trailofbits.com: Experts observed an ongoing Elusive Comet campaign targeting individuals interested in cryptocurrency through the remote control feature in Zoom.
  • Smashing Security: Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.
  • The Register - Security: Elusive Comet is using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call.
Pierluigi Paganini@securityaffairs.com //

Chinese Phones Ship with Crypto Stealing WhatsApp Clones - Cheap Chinese Android phones are being shipped with pre-installed malware that replaces cryptocurrency wallet addresses in the clipboard with those of the attackers.
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.

Recommended read:
References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
Graham Cluley@Graham Cluley //

Scattered Spider Member Pleads Guilty to Theft - Scattered Spider cybercrime group member, Noah Urban, pleaded guilty to cryptocurrency theft charges, involving conspiracy, wire fraud, and identity theft, and stealing hundreds of thousands of dollars from investors.
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.

The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved.

As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as it cannot be served concurrently with other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate.

Recommended read:
References :
  • bsky.app: Wild details here from a Scattered Spider hacker who pleaded guilty last week. Noah Urban from Florida was known online as 'King Bob' (yes from the Minions movie) and was making insane money from his hacking gang from the age of just 17...
  • DataBreaches.Net: A 20-year-old Palm Coast man linked to a massive cybercriminal gang pleaded guilty in a Jacksonville federal courtroom Friday morning to charges including conspiracy and wire fraud.
  • Cyber Security News: Noah Michael Urban, a 20-year-old Palm Coast resident known online as “King Bob,†pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • securityaffairs.com: Noah Urban, a 20-year-old from Palm Coast, pleaded guilty to conspiracy, wire fraud, and identity theft in two federal cases, one in Florida and another in California.
  • www.bitdefender.com: Noah Urban, a 20-year-old man linked to the Scattered Spider hacking gang, pleaded guilty to charges related to cryptocurrency thefts.
  • cyberpress.org: A 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • Cyber Security News: A 20-year-old Florida man identified as a key member of the notorious "Scattered Spider" cybercriminal collective has pleaded guilty to orchestrating sophisticated ransomware attacks and cryptocurrency theft schemes targeting major corporations.
  • The Register - Security: Alleged Scattered Spider SIM-swapper must pay back $13.2M to 59 victims
  • gbhackers.com: A 20-year-old Noah Urban, a resident of Palm Coast, Florida, pleaded guilty to a series of federal charges in a Jacksonville courtroom.
  • www.404media.co: Wild details here from a Scattered Spider hacker who pleaded guilty last week.
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
rohansinhacyblecom@cyble.com //

New Android Banking Trojan Crocodilus Steals Credentials - Crocodilus, a novel Android banking trojan, targets over 750 applications, including banking, finance, cryptocurrency, and e-commerce apps globally spreading via phishing sites masquerading as Google Chrome.
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.

Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection.

Recommended read:
References :
  • cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
  • gbhackers.com: “Crocodilusâ€� A New Malware Targeting Android Devices for Full Takeover
  • securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
  • cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
  • Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Metacurity: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • thecyberexpress.com: Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications.
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey
rohansinhacyblecom@cyble.com //

Crocodilus Malware Steals Android Crypto Wallet Keys - Crocodilus, a new Android malware, targets cryptocurrency users in Spain and Turkey, stealing banking and crypto credentials using accessibility features and remote control.
A new Android malware named Crocodilus has been discovered targeting cryptocurrency users, primarily in Spain and Turkey. Cybersecurity researchers have found that Crocodilus employs sophisticated techniques, including remote control capabilities, black screen overlays, and advanced data harvesting through accessibility logging. The malware is designed to steal banking and cryptocurrency credentials, posing a significant threat to Android users in these regions.

Crocodilus tricks users into divulging their cryptocurrency wallet seed phrases by displaying a fake warning urging them to back up their keys to avoid losing access. It also exploits accessibility features to monitor app launches, display overlays to intercept credentials, and capture screen contents, including Google Authenticator OTP codes. This allows attackers to gain full control of wallets and drain assets. The malware also features call and SMS control, device admin and persistence, social engineering, and remote commands and settings update capabilities.

ThreatFabric researchers note that Crocodilus exhibits a high level of maturity for a newly discovered threat, demonstrating advanced device takeover capabilities. The malware is distributed via a proprietary dropper that bypasses Android 13 security protections and installs the malware without triggering Play Protect. Analysis of the source code suggests that the malware author is Turkish-speaking.

Recommended read:
References :
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • securityaffairs.com: Experts warn of the new sophisticate Crocodilus mobile banking Trojan
  • thehackernews.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • The420.in: Crypto Under Attack: Crocodilus Malware Targets Android Users
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey
Thomas Brewster,@Thomas Fox-Brewster //

LastPass Breach Linked to $150M Crypto Theft - The DOJ has linked a $150 million cryptocurrency theft to the 2022 LastPass data breach, tracing the cyberheist to cracked master passwords; stolen XRP is now worth $716 million.
Federal agents have linked a $150 million cryptocurrency heist to the 2022 LastPass data breach. U.S. authorities have seized over $23 million in cryptocurrency related to the January 2024 theft from a Ripple crypto wallet, with investigators believing hackers who breached LastPass in 2022 were responsible. These findings align with those published by KrebsOnSecurity in September 2023, which highlighted a series of six-figure cyberheists resulting from cracked master passwords stolen from LastPass.

The U.S. Secret Service and FBI investigations support the conclusion that the same attackers behind the LastPass breach used a stolen password from the victim's online password manager to access their cryptocurrency wallet. The stolen XRP, initially valued at $150 million, is now worth $716 million. The Secret Service continues to trace the funds through various exchanges, noting that the scale and rapid dissipation of funds required multiple malicious actors, consistent with the online password manager breaches and attacks on other victims.

Recommended read:
References :
  • bsky.app: U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • BrianKrebs: New, by me: Feds Link $150M Cyberheist to 2022 LastPass Hacks In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
  • krebsonsecurity.com: Feds Link $150M Cyberheist to 2022 LastPass Hacks
  • The DefendOps Diaries: The Seizure of $23 Million in Cryptocurrency: A Detailed Analysis of the Ripple Wallet Hack Linked to LastPass Breach
  • Thomas Fox-Brewster: Feds Suspect LastPass Hackers Stole $150 Million In Crypto From One Person
  • securityaffairs.com: Feds seized $23 million in crypto stolen using keys from LastPass breaches
  • www.scworld.com: LastPass hack leveraged to facilitate $150M crypto heist
Thomas Brewster,@Thomas Fox-Brewster //

LastPass Hack Linked to $150 Million Crypto Theft - Federal investigators link a $150 million cryptocurrency theft to the 2022 LastPass data breach, where stolen master passwords were used to access and drain a Ripple XRP wallet.
Federal investigators have linked the 2022 LastPass data breach to a $150 million cryptocurrency theft from a Ripple XRP wallet in January 2024. Authorities believe the hackers exploited stolen master passwords to gain unauthorized access to the wallet. The stolen XRP, initially valued at $150 million, is now worth an estimated $716 million due to fluctuations in the cryptocurrency market.

U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft. The U.S. Secret Service and FBI are actively investigating the case and working to recover the remaining stolen funds. Security researchers had previously identified a pattern of similar crypto heists linked to the LastPass breach, suggesting a broader impact of the password manager vulnerability. The incident highlights the significant risks associated with compromised password management systems.

Recommended read:
References :
  • bsky.app: US authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • krebsonsecurity.com: KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022.
  • The DefendOps Diaries: The Seizure of $23 Million in Cryptocurrency: A Detailed Analysis of the Ripple Wallet Hack Linked to LastPass Breach
  • Thomas Fox-Brewster: The stolen XRP is now worth $716 million. The Secret Service is trying to claw it back from unknown hackers.
  • www.bleepingcomputer.com: U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • Metacurity: Hack of LastPass in 2022 led to massive theft of XRP, now worth nearly $700 million
  • securityaffairs.com: US authorities seized $23M in crypto linked to a $150M Ripple hack, suspected to have been carried out by hackers from the 2022 LastPass breach.
  • www.scworld.com: LastPass hack leveraged to facilitate $150M crypto heist
Cynthia B@Metacurity //

Lazarus Group Launders $1.4B Stolen from Bybit Exchange - The Lazarus Group laundered 100% of the $1.4 billion stolen from the Bybit cryptocurrency exchange, indicating a high level of operational efficiency in their money laundering infrastructure.
References: infosec.exchange , Metacurity , ...
The Lazarus Group, a North Korean hacking organization, has reportedly laundered 100% of the $1.4 billion stolen from the Bybit cryptocurrency exchange. This information was initially reported by The Record and other cybersecurity news outlets. The stolen funds, in the form of Ethereum (ETH), were moved to new addresses, which is the first step in laundering cryptocurrency.

This rapid laundering of such a large sum indicates a high level of operational efficiency by the North Korean hackers. Ari Redbord, a former federal prosecutor and senior Treasury official, described this event as showing “unprecedented level of operational efficiency.” He also suggested that North Korea has expanded its money laundering infrastructure or that underground financial networks, especially in China, have improved their ability to handle illicit funds. This situation underscores the increasing sophistication of North Korea's cybercrime activities and their ability to quickly process stolen cryptocurrency.

Recommended read:
References :
  • infosec.exchange: NEW: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion.
  • Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit
  • Resources-2: FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist
  • : North Korea Targeting Crypto Industry, Says FBI
  • fortune.com: How North Korea cracked Bybit’s crypto safe to steal $1.5 billion in a record heist
  • Kaspersky official blog: How to store cryptocurrency after the Bybit hack | Kaspersky official blog
Ojukwu Emmanuel@Tekedia //

Bybit Exchange Hacked for $1.46 Billion by Lazarus - The Bybit cryptocurrency exchange suffered a significant security breach resulting in losses of $1.46 billion in Ethereum, with the Lazarus Group suspected to be behind the attack.
The Bybit cryptocurrency exchange has reportedly suffered a massive security breach, with hackers allegedly linked to North Korea making off with $1.4 billion in Ethereum. This incident is being called potentially the largest crypto theft in history. Experts from multiple blockchain security companies have confirmed that the stolen Ethereum has already been moved to new addresses, marking the initial phase of money laundering.

Ari Redbord, a former federal prosecutor and senior Treasury official, highlighted the "unprecedented level of operational efficiency" displayed by the hackers in rapidly laundering the stolen funds. He suggested that North Korea might have expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to process illicit funds. The FBI has also linked North Korea-linked TraderTraitor as responsible for the $1.5 Billion Bybit hack

Recommended read:
References :
  • Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine.
  • Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
  • securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
  • infosec.exchange: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum. Bybit also disclosed preliminary results of investigations, which reveal hackers breached a developer’s device at a wallet platform Safe Wallet.
  • SecureWorld News: Bybit Hack: FBI Attributes to North Korea, Urges Crypto Sector to Act
  • The Register - Security: FBI officially fingers North Korea for $1.5B Bybit crypto-burglary
  • PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • Zack Whittaker: your weekly ~ this week in security ~ is out: • North Korea's record-breaking $1.4B crypto heist
  • www.cysecurity.news: Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated
  • infosec.exchange: NEW: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion. Ari Redbord, former federal prosecutor and senior Treasury official, told me this laundering shows “unprecedented level of operational efficiency,â€� but there's more steps they need to take to cash out. “This rapid laundering suggests that North Korea has either expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds,â€� said Redbord.
  • The Record: Experts from multiple blockchain security companies said that North Korean hackers were able to move all of the ETH coins stolen from Bybit to new addresses — the first step taken before the funds can be laundered further
  • The Record: A provincial court in Barcelona has ordered that three former senior executives at NSO Group be indicted for their alleged role in a high-profile hacking scandal in which at least 63 Catalan civil society members were targeted with the company’s surveillance technology
  • Know Your Adversary: News item discussing the massive Bybit crypto theft, potentially the largest in history.
  • Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit
  • The Hacker News: Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist
Ojukwu Emmanuel@Tekedia //

Bybit Cryptocurrency Heist by Lazarus Group - The Lazarus Group, a North Korean state-sponsored hacking group, stole $1.46 billion in crypto assets from Bybit, compromising a developer’s device at Safe{Wallet} and leading Bybit to offer a $140 million bounty.
On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive security breach resulting in the theft of approximately $1.46 billion in crypto assets. Investigations have pointed towards the Lazarus Group, a North Korean state-sponsored hacking collective, as the perpetrators behind the audacious heist. The FBI has officially accused the Lazarus Group of stealing $1.5 billion in Ethereum and has requested assistance in tracking down the stolen funds.

Bybit has declared war on the Lazarus Group following the incident and is offering a $140 million bounty for information leading to the recovery of the stolen cryptocurrency. CEO Ben Zhou has launched Lazarusbounty.com, a bounty site aiming for transparency on the Lazarus Group's money laundering activities. The attack involved exploiting vulnerabilities in a multisig wallet platform, Safe{Wallet}, by compromising a developer’s machine, enabling the transfer of over 400,000 ETH and stETH (worth over $1.5 billion) to an address under their control.

Recommended read:
References :
  • The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
  • Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
  • SecureWorld News: On February 21, 2025, the cryptocurrency world was rocked by the largest crypto heist in history. Dubai-based exchange Bybit was targeted in a malware-driven attack that resulted in the theft of approximately $1.46 billion in crypto assets.
  • Tekedia: Bybit, a leading crypto exchange, has declared war on “notoriousâ€� Lazarus group, a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. This is coming after the crypto exchange experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked crypto assets.
  • ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
  • iHLS: Largest-Ever Crypto Heist steals $1.4 Billion
  • techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
  • PCMag UK security: The FBI is urging the cryptocurrency industry to freeze any transactions tied to the Bybit heist. The FBI has the $1.4 billion cryptocurrency at Bybit to North Korean state-sponsored hackers after security researchers reached the same conclusion.
  • Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
  • thehackernews.com: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
  • PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • www.pcmag.com: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • SecureWorld News: FBI Attributes Bybit Hack: FBI Attributes to North Korea, Urges Crypto Sector to Act
  • Dan Goodin: InfoSec Exchange Post on the FBI attribution to the Lazarus group and Bybit hack
  • bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • Wallarm: Lab Wallarm discusses how Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
  • infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum. Bybit also disclosed preliminary results of investigations, which reveal hackers breached a developer’s device at a wallet platform Safe Wallet.
  • securityaffairs.com: FBI: North Korea-linked TraderTraitor is responsible for $1.5 Billion Bybit hack
  • Cybercrime Magazine: Bybit Suffers Largest Crypto Hack In History
  • www.cnbc.com: Details on the attack in a news article
  • The Register - Security: Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet
  • Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
  • infosec.exchange: NEW: After security researchers and firms accused North Korea of the massive Bybit hack, the FBI follows suit. North Korean government hackers allegedly stoled more than $1.4 billion in Ethereum from the crypto exchange.
  • www.cysecurity.news: Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated
  • infosec.exchange: Bybit, that major cryptocurrency exchange, has been hacked to the tune of $1.5 billion in digital assets stolen, in what’s estimated to be the largest crypto heist in history.
  • BleepingComputer: Bybit, a major cryptocurrency exchange, has fallen victim to a massive cyberattack, with approximately $1.5 billion in cryptocurrency stolen. The breach is believed to be the largest single theft in crypto history.
  • Taggart :donor:: Cryptocurrency exchange Bybit suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack compromised the exchange's cold wallet and involved sophisticated techniques to steal the funds.
  • www.cysecurity.news: CySecurity News report on the Bybit hack, its implications, and the potential Lazarus Group connection.
  • The420.in: The 420 report on Bybit theft
  • infosec.exchange: Details of the Bybit hack and Lazarus Group's involvement.
  • Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
  • securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
  • Zack Whittaker: Grab some coffee — your weekly ~ this week in security ~ is out: • North Korea's record-breaking $1.4B crypto heist
  • infosec.exchange: Infosec Exchange post about Bybit crypto heist.
  • The Record: Experts from multiple blockchain security companies said that North Korean hackers were able to move all of the ETH coins stolen from Bybit to new addresses — the first step taken before the funds can be laundered further
  • infosec.exchange: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion.
  • Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit
Oluwapelumi Adejumo@CryptoSlate //

Bybit Suffers Record-Breaking $1.5 Billion Crypto Heist - Cryptocurrency exchange Bybit suffered a major data breach, resulting in the theft of over $1.5 billion in digital currency, suspected to be the Lazarus Group exploiting vulnerabilities in Safe.global.
Cryptocurrency exchange Bybit has confirmed a record-breaking theft of approximately $1.46 billion in digital assets from one of its offline Ethereum wallets. The attack, which occurred on Friday, is believed to be the largest crypto heist on record. Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets.

The theft targeted an Ethereum cold wallet, involving a manipulation of a transaction from the cold wallet to a warm wallet. This allowed the attacker to gain control and transfer the funds to an unidentified address. The incident highlights the rising trend of cryptocurrency heists, driven by the allure of profits and challenges in tracing such crimes.

Recommended read:
References :
  • www.techmeme.com: ZachXBT: crypto exchange Bybit has experienced $1.46B worth of "suspicious outflows"; Bybit CEO confirms hacker took control of cold ETH wallet
  • CryptoSlate: The crypto exchange ByBit has been hacked, and roughly $1.5 billion in Ethereum (ETH) has been stolen — making this one of the biggest hacks in history.
  • infosec.exchange: NEW: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
  • PCMag UK security: The Bybit exchange lost 400,000 in ETH, or about $1.4 billion, before the price began to slide, making it the biggest crypto-related hack in history.
  • techcrunch.com: TechCrunch reports on the Bybit hack, disclosing a loss of approximately $1.4 billion in Ethereum.
  • ciso2ciso.com: In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.
  • ciso2ciso.com: Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange – Source:hackread.com
  • cryptoslate.com: ByBit suffers $1.5 billion Ethereum heist in cold wallet breach
  • www.coindesk.com: Bybit experiences USD1.46B in suspicious outflows
  • BleepingComputer: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • The Cryptonomist: 3 Best Bybit Alternatives As Top CEX Is Hacked
  • Gulf Business: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
  • Anonymous ???????? :af:: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • www.bleepingcomputer.com: Hacker steals record $1.46 billion in ETH from Bybit cold wallet
  • Techmeme: Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms (Oliver Knight/CoinDesk)
  • Reportboom: Report on the Bybit crypto heist, detailing the incident and security recommendations.
  • thehackernews.com: Report on the Bybit hack, highlighting the scale of the theft and its implications.
  • reportboom.com: Reportboom article about Bybit's $1.46B Crypto Heist.
  • www.it-daily.net: Bybit hacked: record theft of 1.5 billion US dollars
  • Protos: News about the Bybit cryptocurrency exchange being hacked for over \$1.4 billion.
  • The420.in: On Friday, cryptocurrency exchange Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets from one of its offline Ethereum wallets—the largest crypto heist on record.
  • TechSpot: The hackers stole the crypto from Bybit's cold wallet, an offline storage system.
  • Talkback Resources: Crypto exchange Bybit was targeted in a $1.46 billion theft by the Lazarus Group, highlighting the rising trend of cryptocurrency heists driven by the allure of profits and challenges in tracing such crimes.
  • www.bleepingcomputer.com: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • www.the420.in: The420.in: Biggest Crypto Heist Ever: Bybit Loses Rs 12,000+ Crore in Sophisticated Ethereum Wallet Attack!
  • www.cnbc.com: This report discusses the Bybit hack, detailing the amount stolen and the potential impact on the crypto market.
  • www.engadget.com: This news piece reports on the massive crypto heist from Bybit, highlighting the scale of the incident and the impact on the crypto market.
  • Techmeme: Arkham says ZachXBT submitted proof that North Korea's Lazarus Group is behind Bybit's $1.5B hack, which is the largest single theft in crypto history
  • BrianKrebs: Infosec exchange post describing Bybit breach.
  • Talkback Resources: Bybit cryptocurrency exchange suffered a cyberattack resulting in the theft of $1.5 billion worth of digital currency, including over 400,000 ETH and stETH, with potential vulnerabilities in the Safe.global platform's user interface exploited.
  • securityaffairs.com: SecurityAffairs reports Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever.
  • gulfbusiness.com: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
  • techcrunch.com: Crypto exchange Bybit says it was hacked and lost around $1.4B
  • Tekedia: The cryptocurrency industry has been rocked by what is now considered the largest digital asset theft in history, as Bybit, a leading crypto exchange, confirmed on Friday that hackers stole approximately $1.4 billion worth of Ethereum (ETH) from one of its offline wallets.
  • blog.checkpoint.com: What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection
  • Dan Goodin: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
  • BleepingComputer: Crypto exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • Security Boulevard: North Korea’s Lazarus Group Hacks Bybit, Steals $1.5 Billion in Crypto
  • bsky.app: Elliptic is following the money on this ByBit hack - the biggest theft ot all time. “Within 2 hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptiedâ€�.
  • Talkback Resources: Talkback Post about the $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
  • infosec.exchange: Reports that North Korean hackers stole $1.4 billion in crypto from Bybit.
  • securityboulevard.com: North Korea's notorious Lazarus Group reportedly stole $1.5 billion in cryptocurrency from the Bybit exchange in what is being called the largest hack in the controversial market's history.
  • billatnapier.medium.com: One of the Largest Hacks Ever? But Will The Hackers Be Able To Launder The Gains?
  • thecyberexpress.com: thecyberexpress.com - Details on Bybit Cyberattack.
  • Matthew Rosenquist: This may turn out to be the biggest hack in history! $1.5 BILLION.
  • PCMag UK security: The $1.4 billion at Bybit—the largest known cryptocurrency heist in history—has been traced to the notorious Lazarus North Korean hacking group.
  • www.nbcnews.com: Hackers steal $1.5 billion from exchange Bybit in biggest-ever crypto heist: Blockchain analysis firm Elliptic later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective
  • www.pcmag.com: Researchers spot the $1.4 billion stolen from Bybit moving through cryptocurrency wallets that were used in earlier heists attributed to North Korea's Lazarus hacking group.
  • siliconangle.com: $1.5B in cryptocurrency stolen from Bybit in attack linked to North Korean hackers
  • www.americanbanker.com: Nearly $1.5 billion in tokens lost in Bybit crypto exchange hack
  • SiliconANGLE: SiliconAngle reports on the details of the Bybit hack and links it to North Korean hackers.
  • techcrunch.com: TechCrunch reports on the massive crypto heist, citing research that points to North Korean hackers as perpetrators.
  • OODAloop: Reports that North Korea’s Lazarus Group APT is Behind Largest Crypto Heist Ever
  • : Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
  • Schneier on Security: Schneier on Security covers the North Korean Hackers Stealing $1.5B in Cryptocurrency.
  • Dataconomy: How the Bybit hack shook the crypto world: $1.5B gone overnight
  • be3.sk: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
  • Risky Business Media: Risky Business #781 -- How Bybit oopsied $1.4bn
  • cyberriskleaders.com: Bybit, a leading exchange, was hacked for USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community.
  • www.csoonline.com: Independent investigation finds connections to the Lazarus Group.
  • Cybercrime Magazine: Bybit suffers the largest crypto hack in history
  • www.theguardian.com: Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit.
  • bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • SecureWorld News: SecureWorld reports on the Bybit hack, attributing it to the Lazarus Group.
  • OODAloop: The Largest Theft in History – Following the Money Trail from the Bybit Hack
  • gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
  • Secure Bulletin: Lazarus group’s Billion-Dollar Bybit heist: a cyber forensics analysis
  • Talkback Resources: " THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma [mal]
  • infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum.
  • CyberInsider: Record $1.5 billion Bybit hack undermines trust in crypto security
  • The Register - Security: Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.
  • PCMag UK security: The malicious Javascript code used in the attack could secretly modify transactions for Safe{Wallet}, a cryptocurrency wallet provider. The suspected North Korean hackers who $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
  • techcrunch.com: Last week, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, believed to be the largest crypto heist in history. Now the company is offering a total of $140 million in bounties for anyone who can help trace and freeze the stolen funds. Bybit’s CEO and
  • securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
  • The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
  • techcrunch.com: The FBI has said the North Korean government is “responsibleâ€� for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
  • Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
  • PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • The420.in: Rs 1.27 trillion Stolen: Bybit Joins the Ranks of Crypto’s Largest Thefts – Full List Inside
  • Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers [mal]
  • Tekedia: Bybit Declares War on “Notoriousâ€� Lazarus Group After $1.4B Hack, Offers $140m Reward
  • SecureWorld News: The FBI officially attributed the massive to North Korea's state-sponsored hacking group, TraderTraitor, more commonly known as the infamous Lazarus Group.
  • ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
  • Wallarm: API Armor: How Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist

Posts

Blogs

Research Tools