$150m in losses at Coinbase, a crackdown on CaaS markets and other cybersecurity news

A roundup of the week’s key cybersecurity news.

  • ZachXBT reported “multiple thefts” of user funds from Coinbase.
  • A trojanised version of DogWifTools drained memecoin holders’ wallets.
  • A sweeping operation dismantled the ecosystem around the Cracked and Nulled hacker forums.
  • ChatGPT’s safety filter failed to handle a “time-travel” ploy.

ZachXBT reports “multiple thefts” of Coinbase user funds

An unknown attacker used social engineering to steal 110 cbBTC ($11.5m) on Base from a Coinbase user. As reported by on-chain sleuth ZachXBT, the incident occurred in December 2024.

The funds were withdrawn in three transactions, converted to Ethereum, laundered through a series of flash swaps and then commingled with other assets stolen from Coinbase.

Source: ZachXBT.

Over the past year, social-engineering scams at Coinbase led to losses of more than $150m, he found. The hackers relied on data leaks, email spoofing and phone-number swaps.

The researcher promised to share details of “many recent thefts” soon.

A trojanised version of DogWifTools drained memecoin holders’ wallets

The DogWifTools platform for promoting meme tokens on Pump.fun suffered a supply-chain attack. An attacker compromised the project’s GitHub and replaced versions 1.6.3 through 1.6.6 with trojanised builds, gaining access to users’ hot and cold wallets. Preliminary losses exceeded $10m, reports Bleeping Computer.

The developers confirmed the incident on Discord. They are investigating, hardening the project’s security and hope to restore customer trust.

Source: Bleeping Computer.

Commentators on X suspected the team of a rug pull, though they offered no concrete evidence. One reason for the accusations is that DogWifTools does not restrict the launch of potentially fraudulent memecoins.

Community members also noted the software’s broad permission requests, which could presumably have let the hacker access photos of identity documents and use them to compromise exchange accounts.

A user calling himself JizzyGroup, who claims to have organised the attack, says he “did not steal any personal data” and that the $10m figure is “completely inaccurate”.

A sweeping operation dismantled the Cracked and Nulled hacker-forum ecosystem

Authorities in eight countries shut down Cracked and Nulled — two of the largest hacker forums with more than 10m users. In Operation Talent, 17 servers and 12 domains were seized, and two suspects were arrested in Spain. Police confiscated about €300,000 in cash and cryptocurrencies.

According to the US Department of Justice, the platforms sold stolen credentials, documents and other tools for cybercrime and fraud.

Since 2016, Nulled had posted a total of 43m listings for illicit goods. The marketplace’s annual revenue was about $1m.

Cracked operated from March 2018, publishing 28m listings and generating around $4m in revenue. At least 17m victims in the United States were affected by its activities.

Law enforcement also took down ancillary services: the payment processor Sellix, used by Cracked, and the hosting service StarkRDP, which was promoted on both platforms.

One of those arrested, 29-year-old Argentine citizen Lucas Sohn, is the suspected administrator of Nulled. He faces up to 30 years in prison.

Italy blocks DeepSeek

Italy’s regulator Garante blocked citizens’ access to the Chinese chatbot DeepSeek after it failed to obtain information from the developers on the use of personal data.

The information provided was deemed “wholly insufficient”. DeepSeek said the company does not operate in Italy and that European legislation does not apply to it.

The chatbot became unavailable for download in Apple’s App Store and Google Play in Italy on January 29, Reuters noted.

Facebook classified Linux as malware

Facebook is blocking posts that mention Linux-related topics, sites or groups. Its moderation system flags them as “malware” and a “cybersecurity threat”. One affected organisation, DistroWatch, noticed the issue.

It encountered a block when trying to place an advert for its open-source software site. Some user accounts were also restricted after mentioning Linux in posts.

Source: DistroWatch.

The block began on January 19. DistroWatch attempted to appeal, without success.

Ironically, Facebook itself runs much of its infrastructure on Linux and frequently advertises for specialist developers.

ChatGPT’s safety filter failed to handle a “time-travel” ploy

The Time Bandit vulnerability lets a user push ChatGPT into bypassing its safety rules and sharing information on nuclear topics, weapons manufacturing and malware development. It was reported by cybersecurity researcher David Kuszmar, writes Bleeping Computer.

The jailbreak depends on framing a question so that ChatGPT does not know what year it is. Using this approach, journalists got ChatGPT, answering as a programmer in 1789, to provide instructions for creating polymorphic malware with modern tools.

Source: Bleeping Computer.

Researchers at the CERT Coordination Center also confirmed that Time Bandit worked best in tests with time frames from 1800 to 1900.

OpenAI has already taken steps to fix the vulnerability.

The EU imposes sanctions on GRU hackers

The EU Council imposed sanctions on three hackers from Russia’s Main Directorate of the General Staff (GRU) for their role in cyberattacks on Estonian government institutions in 2020.

According to the authorities, officers of Unit 29155 Nikolai Korchagin, Vitaly Shevchenko and Yuri Denisov stole thousands of confidential documents after breaching several ministries. These included trade secrets, medical records and other classified information.

The sanctions entail asset freezes and travel restrictions, as well as a ban on financing by EU citizens and organisations.
