UNC1069, a North Korean threat group, has been exploiting social engineering tactics and AI tools to infiltrate cryptocurrency companies. Their recent attack involved a compromised Telegram account, a fake Zoom meeting with a deepfake video, and multiple malware families to harvest sensitive data. The operation highlights a significant evolution in their methods since 2018.

A coordinated effort has released over 67,000 fake npm packages since early 2024, aimed at flooding the registry rather than stealing data. The malicious packages use JavaScript scripts that require manual execution to propagate, creating a self-replicating network that burdens the platform. Researchers link this activity to a monetization scheme involving TEA tokens.

Researchers found a harmful Chrome extension called Crypto Copilot that secretly siphons Solana from users during transactions. It injects hidden fees into swaps on the Raydium exchange, transferring funds to an attacker's wallet without user knowledge. The extension remains available for download, despite its malicious behavior.

GoBruteforcer is a botnet attacking cryptocurrency databases to brute-force user passwords for various services. Its operators exploit weak credentials and misconfigured servers to expand their control, utilizing a mix of common usernames and a persistent malware infrastructure. Recent activities also show attempts to identify blockchain accounts with funds.

Researchers found that open source packages on npm and PyPI were infected with malware that stole wallet credentials from dYdX developers and users. The malicious code captured seed phrases and device fingerprints, leading to potential irreversible theft of cryptocurrency. The attack affected multiple versions of the compromised packages.

This article details an organized cybercriminal operation that primarily targets cryptocurrency users and Web3 employees through sophisticated malware and social engineering tactics. The gang, linked to multiple traffer groups, has generated at least $2.4 million in theft, using fake applications and extensive infrastructure to deliver their attacks.

Researchers have uncovered two new Android malware families, FvncBot and SeedSnatcher. FvncBot targets banking users in Poland, using advanced techniques for data theft, while SeedSnatcher aims to steal cryptocurrency wallet seed phrases and intercept SMS for two-factor authentication.

A threat actor known as WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions designed to steal cryptocurrency. The group uses deceptive tactics to make these extensions appear legitimate, leading to significant financial losses, including a recent incident involving a core Ethereum developer. Researchers emphasize the need for improved verification processes to protect users from such sophisticated attacks.

Slow Pisces, a North Korean state-sponsored threat group, has stolen over $1 billion from the cryptocurrency sector in 2023 by targeting developers through disguised job offers on LinkedIn. They use malware hidden within coding challenges and have been linked to significant thefts from cryptocurrency companies, prompting action from GitHub and LinkedIn to remove malicious accounts. The malware employs advanced techniques like YAML deserialization to evade detection and execute additional payloads.

Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io and designed to steal cryptocurrency private keys by scanning developers' systems for sensitive information. Discovered by security researchers at Socket, the packages were removed and their publishers banned, urging affected developers to clean their systems and secure their digital assets.

Researchers from Safety have discovered infostealer malware targeting Russian cryptocurrency developers through npm packages designed to appear legitimate. These malicious packages, which aim to extract sensitive information such as cryptocurrency credentials, are linked to servers in the USA, raising suspicions of state-sponsored activity against Russia's ransomware operators. Developers in the Solana ecosystem are advised to secure their software supply chains to mitigate these threats.

Hacking groups, including those affiliated with the North Korean government, are utilizing a new method called EtherHiding to distribute malware via public cryptocurrency blockchains. This technique embeds malware within smart contracts, providing a decentralized and nearly untouchable platform for cybercriminals to operate, thus enhancing the resilience against law enforcement actions.

North Korean threat actor UNC5342 has begun using a technique called EtherHiding to deliver malware and steal cryptocurrency, marking a significant evolution in nation-state cyber threats. This method involves embedding malicious JavaScript within smart contracts on public blockchains, allowing attackers to retrieve payloads stealthily and without leaving a trace. The ongoing social engineering campaign targets developers with fake job offers to facilitate these attacks.

North Korea is reportedly targeting cryptocurrency job seekers to distribute malware designed to steal passwords. These cyber operations aim to exploit the growing interest in crypto jobs, leveraging social engineering tactics to infect potential candidates' devices. The initiative reflects North Korea's ongoing efforts to fund its regime through cybercrime activities.

A new Linux malware named Koske uses seemingly harmless panda JPEG images to deploy sophisticated malware directly into system memory, leveraging vulnerabilities in exposed JupyterLab instances. The malware, believed to be developed with AI assistance, deploys cryptocurrency miners and employs advanced tactics to maintain persistence and evade detection. Researchers warn that the adaptability of Koske could lead to even more dangerous variants in the future.

Threat actors have exploited SourceForge to distribute fake Microsoft Office add-ins that install malware, including cryptocurrency miners and clipboard hijackers, on victims' computers. Over 4,600 systems, primarily in Russia, have been affected by this campaign, which involved deceptive project pages mimicking legitimate tools. Users are advised to download software only from trusted sources and verify files before execution.

Fake cryptocurrency exchange advertisements on Facebook have been spreading malware, posing significant risks to unsuspecting users. These malicious ads are designed to deceive individuals into downloading harmful software, leading to potential data breaches and financial losses. Users are urged to remain vigilant and report suspicious ads to protect themselves from such threats.