
Cybersecurity Highlights: Malware Targets Binance, Telegram’s New Tools, and More
We have compiled the most significant cybersecurity news of the week.
- Turkish hackers developed malware targeting Binance and MetaMask.
- Telegram to use IWF tools to combat child pornography.
- Fake conferencing software emptied Web3 specialists’ wallets.
- A programmer suspected the FSB of installing spyware on his phone.
Turkish Hackers Develop Malware Targeting Binance and MetaMask
Researchers at Cleafy discovered Android malware DroidBot, capable of stealing data from 77 cryptocurrency and banking applications. Among the targets:
- exchanges Binance, KuCoin, Kraken;
- wallet MetaMask;
- banking services BBVA, Unicredit, Santander, BNP Paribas, and Credit Agricole.
Developed by Turkish hackers, the trojan disguises itself as Google Chrome, Google Play Store, or Android Security. Its functionality includes keylogging, screen overlays, SMS interception, and a VNC module for remote control of the infected device.
A key aspect of DroidBot’s operation is the abuse of Android accessibility services to monitor user actions and simulate swipes and taps on behalf of the malware.
The malware has been active since June 2024, offering builders to third-party operators for $3000 a month with customization options for specific targets.
Analysis of one botnet revealed 776 unique infections in the UK, Italy, France, Turkey, Portugal, and Germany.
The malware is in an intensive development stage, expanding its geographical attack range.
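Because DroidBot's core trick is an enabled accessibility service, one quick triage step on a suspect device is to list which services are enabled and compare them with what you expect. The script below is an added example (not part of the ForkLog digest or of Cleafy's research): it parses the value of the Secure setting `enabled_accessibility_services`, which can be read with `adb shell settings get secure enabled_accessibility_services`, and sorts the entries into allowed, unknown, and brand-impersonation buckets. The allowlist, the "trusted" package prefixes, and the sample setting value are constructed assumptions, not real DroidBot indicators.

```python
"""Triage which Android accessibility services are enabled on a device.

The setting is a colon-separated list of "package/ServiceClass" entries; a class
name that starts with "." is relative to the package. "null" means none enabled.
"""
from dataclasses import dataclass

# Assumption: services your organisation expects to see enabled (screen readers etc.).
ALLOWLIST = {"com.google.android.marvin.talkback"}

# DroidBot was reported to pose as Chrome, Play Store or "Android Security". A service
# outside the Google/Android namespaces whose name evokes those brands deserves a look.
IMPERSONATED_BRANDS = ("chrome", "play", "security")
TRUSTED_PREFIXES = ("com.google.", "com.android.")


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str

    @property
    def component(self) -> str:
        return f"{self.package}/{self.service_class}"


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Turn the raw setting string into structured entries."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls  # expand the relative class name
        services.append(AccessibilityService(package, cls))
    return services


def looks_like_brand_impersonation(svc: AccessibilityService) -> bool:
    """True when a non-Google package name-drops a Google brand in its component."""
    if svc.package.startswith(TRUSTED_PREFIXES):
        return False
    haystack = svc.component.lower()
    return any(brand in haystack for brand in IMPERSONATED_BRANDS)


def triage_accessibility(setting_value: str, allowlist=ALLOWLIST) -> dict[str, list[str]]:
    """Split enabled components into 'allowed', 'impersonation' and 'unknown' buckets."""
    result: dict[str, list[str]] = {"allowed": [], "impersonation": [], "unknown": []}
    for svc in parse_enabled_services(setting_value):
        if svc.package in allowlist:
            result["allowed"].append(svc.component)
        elif looks_like_brand_impersonation(svc):
            result["impersonation"].append(svc.component)
        else:
            result["unknown"].append(svc.component)
    return result


# Constructed sample: a legitimate screen reader plus a service that borrows Google's
# branding from an unrelated package. Not a real indicator of compromise.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "org.example.updater/.ChromeSecurityService"
)

if __name__ == "__main__":
    for bucket, components in triage_accessibility(SAMPLE_SETTING).items():
        for component in components:
            print(f"{bucket:13} {component}")
```

Anything in the "unknown" or "impersonation" bucket is a starting point for manual review of the package (installer source, signing certificate, requested permissions), not a verdict on its own.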
Telegram to Use IWF Tools to Combat Child Pornography
The British Internet Watch Foundation (IWF) will provide Telegram with tools for the proactive detection and removal of child sexual abuse images under an agreement.
.@telegram joins the IWF in cracking down on child sexual abuse imagery on the platform.
Telegram will deploy new tools to proactively prevent child sexual abuse imagery from being spread in public parts of its platform. https://t.co/wGEjzGFsee
— Internet Watch Foundation (IWF) (@IWFhotline) December 4, 2024
This includes the organization’s databases and a service for collecting “hashes”—unique digital fingerprints of known illegal images and videos. Additionally, IWF will directly report criminal content found in public parts of Telegram, including AI-generated material.
The foundation combats the spread of child sexual abuse images online through partnerships with law enforcement, governments, the public, and internet companies worldwide. It often faces criticism for generating excessive false complaints, secrecy, and ineffective technical solutions.
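The mechanism behind the IWF agreement is hash-list matching: a platform fingerprints each uploaded file and checks the fingerprint against a list of hashes of known material, without anyone inspecting the content. The code below is an added example, not the IWF's or Telegram's implementation; the "known" file, the hash list, and the chunk size are constructed placeholders, and a real deployment would load the list supplied by the hash-list provider.

```python
"""Hash-list matching: identify known files by cryptographic fingerprint."""
import hashlib
from typing import Iterable, Iterator

CHUNK = 1 << 16  # hash in 64 KiB chunks so large media never has to sit in memory


def chunks(blob: bytes, size: int = CHUNK) -> Iterator[bytes]:
    for i in range(0, len(blob), size):
        yield blob[i:i + size]


def fingerprint(data: Iterable[bytes], algorithm: str = "sha256") -> str:
    """Streamed hash over a file's bytes, returned as lowercase hex."""
    h = hashlib.new(algorithm)
    for piece in data:
        h.update(piece)
    return h.hexdigest()


def load_hash_list(lines: Iterable[str]) -> set[str]:
    """Parse a one-hash-per-line list; tolerates comments, blank lines and mixed case."""
    hashes = set()
    for line in lines:
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hashes.add(line)
    return hashes


def match(blob: bytes, known: set[str], algorithm: str = "sha256") -> bool:
    return fingerprint(chunks(blob), algorithm) in known


# Constructed placeholder standing in for a file already on the list (~165 KB, so
# it spans several chunks and exercises the streamed path).
KNOWN_FILE = b"placeholder-bytes-of-a-known-file" * 5000
BENIGN_FILE = b"unrelated upload"

HASH_LIST_TEXT = f"""
# constructed hash list, one SHA-256 per line
{hashlib.sha256(KNOWN_FILE).hexdigest().upper()}   # uppercase on purpose
"""
KNOWN_HASHES = load_hash_list(HASH_LIST_TEXT.splitlines())


def demo() -> dict[str, bool]:
    # A cryptographic hash matches byte-identical files only: flipping a single
    # byte (or re-encoding the image) produces a fingerprint that is not on the list.
    altered = bytearray(KNOWN_FILE)
    altered[0] ^= 0x01
    return {
        "known": match(KNOWN_FILE, KNOWN_HASHES),
        "benign": match(BENIGN_FILE, KNOWN_HASHES),
        "altered": match(bytes(altered), KNOWN_HASHES),
    }


if __name__ == "__main__":
    print(demo())
```

The `altered` case is the practical limit of this approach: exact-match hashes catch redistributed copies but not resized or re-encoded ones, which is why hash-list services are typically paired with perceptual hashes that tolerate such changes.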
Fake Conferencing Software Emptied Web3 Specialists’ Wallets
Researchers at Cado Security Labs discovered the Meeten malware for stealing cryptocurrency, disguised as a conferencing application. The attacks target Web3 sector workers.
Cado Security Labs has discovered a new malware campaign targeting Web3 workers with a sophisticated scam using AI-generated content to appear legitimate.
Read more in our latest blog post: https://t.co/Pj8Y82kaKY
— Cado (@CadoSecurity) December 6, 2024
The campaign began in September 2024. The brand name of the fake application changed multiple times, but for each, hackers created official websites and social media accounts filled with AI-generated content.
The malware has Windows and macOS versions. Once on a computer, it transmits to hackers:
- Telegram credentials;
- bank card details;
- cookies, history, and autofill data from browsers like Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi;
- information about Ledger, Trezor, Phantom, and Binance wallets;
- system information.
Moreover, the sites carry a script that prompts visitors to connect a crypto wallet, allowing assets to be stolen before the software is even downloaded.
Germany Shuts Down Two Darknet Marketplaces and an Encrypted Messenger
German authorities shut down the servers of the country’s largest darknet marketplace, Crimenetwork, and arrested its technical administrator. Since 2012, the platform traded in stolen data, drugs, and forged documents. It had over 100,000 users and more than a hundred sellers.
According to law enforcement, from 2018 to 2024, transactions on Crimenetwork exceeded 1000 BTC and 20,000 Monero (€93 million or ~$98 million at the time of writing). The operators’ commission profit was at least $5 million.
The 29-year-old admin of Crimenetwork was arrested, charged with running a criminal platform and drug trafficking. Authorities seized luxury cars and cryptocurrencies worth about €1 million.
Additionally, Germany halted the operations of the darknet marketplace Manson Market, which sold stolen account and payment data, as well as personal information. These details were obtained through a network of phishing online stores. At least 57 victims suffered losses exceeding €250,000.
Cybercrime network dismantled!
50+ servers seized
200 terabytes of digital evidence secured
2 suspects arrested
An effort coordinated by Europol.
https://t.co/aqfi2tPOCg pic.twitter.com/Stigwn0Tiz
— Europol (@Europol) December 5, 2024
The investigation team seized 50 servers and over 200 TB of documents with evidence of criminal activity. More than 80 storage devices, mobile phones, computers, as well as cash and cryptocurrencies worth €63,000 were confiscated. Two suspected operators of Manson Market were arrested in Germany and Austria.
Another operation coordinated by Europol led to the shutdown of the encrypted messaging platform Matrix. It facilitated illegal activities for at least 8,000 users in 33 languages worldwide. The service allowed encrypted video calls, transaction tracking, and anonymous web browsing.
Forty servers were disabled in France and Germany, and five suspects were arrested in Spain and France. One of them, a 52-year-old Lithuanian citizen, is believed to be the owner and main operator of Matrix.
Authorities seized 970 encrypted phones, €145,000 ($152,500) in cash, €500,000 ($525,000) in cryptocurrencies, and four vehicles.
CP3O Admits to Illegal Cryptocurrency Mining Worth $1 Million
Nebraska resident Charles O. Parks III, known as CP3O, admitted to using cloud computing services for cryptocurrency mining. The affected companies are presumably Amazon and Microsoft.
According to the case materials, from January to August 2021, CP3O mined Ethereum, Litecoin, and Monero worth approximately $970,000 from various accounts. He did not pay the $3.5 million bill for provider services.
Parks was arrested in April and faces up to 20 years in prison.
Teen Arrested in the US for Alleged Hacks on Gemini and KuCoin Clients
US authorities arrested 19-year-old Remington Goy Oglethorpe, linked to the cybercriminal group Scattered Spider. He is accused of hacking an American financial institution and two unnamed telecommunications companies.
According to the investigation, the hacker, known as remi, breached internal networks by phishing employees of the targeted organizations. Using lures disguised as benefits providers, schedule-change requests, or HR inquiries, he tricked them into visiting malicious sites and entering the login credentials for their work computers.
From October 2023 to May 2024, Oglethorpe, after gaining access to telecom systems, sent over 8.6 million phishing SMS to steal recipients’ cryptocurrency. Some of these attacks targeted clients of the Gemini and KuCoin exchanges.
During a search of the hacker’s home, his iPhone contained screenshots of phishing messages, credential collection pages, and crypto wallets with tens of thousands of dollars in digital currencies.
Programmer Suspects FSB of Installing Spyware on His Phone
Citizen Lab specialists examined the mobile phone of a Russian programmer, which was confiscated by FSB officers during a 15-day arrest, and found secretly installed spyware. The malware posed as a legitimate Android app, Cube Call Recorder.
Read our new report: “Something to Remember Us By: Device Confiscated by Russian Authorities Returned With Monokle-type Spyware Installed”
✍️ by @cooperq, @PDXbek, and @jsrailton https://t.co/XPkogcCndq https://t.co/U6pT0t9xiq pic.twitter.com/1BfvAo2woJ
— The Citizen Lab (@citizenlab) December 5, 2024
The program had unlimited access to the device through a wide range of permissions. Its features included:
- background location tracking;
- access to SMS, contact lists, calendar entries, and messenger correspondence;
- recording phone calls, screen activities, and video via the camera;
- extracting messages, files, and passwords, including through keylogging;
- executing shell commands, decrypting data, and installing APK packages.
Citizen Lab believes the malware is a new version of the Monokle spyware, developed by employees of the Special Technology Center LLC in St. Petersburg.
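The capability list above maps almost one-to-one onto Android permissions, so a first check on a returned device is whether an app's granted permissions exceed what its stated purpose (here, a call recorder) could justify. The script below is an added example, not Citizen Lab's tooling: it reads the output of `adb shell dumpsys package <package>`, whose "install permissions:" and "runtime permissions:" sections list entries such as `android.permission.READ_SMS: granted=true, flags=[...]`, and reports the granted permissions that fall outside an expected set. The package name, the sample output, the expected-permission profile, and the permission-to-capability map are constructed simplifications.

```python
"""Compare a suspect Android app's granted permissions with its stated purpose."""
import re

PERMISSION_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Spying capability each permission enables (illustrative subset, not exhaustive).
CAPABILITIES = {
    "ACCESS_FINE_LOCATION": "location tracking",
    "ACCESS_BACKGROUND_LOCATION": "location tracking",
    "READ_SMS": "read SMS",
    "RECEIVE_SMS": "read SMS",
    "READ_CONTACTS": "read contacts",
    "READ_CALENDAR": "read calendar",
    "RECORD_AUDIO": "record audio",
    "CAMERA": "record video",
    "READ_CALL_LOG": "call history",
    "REQUEST_INSTALL_PACKAGES": "install APKs",
}

# Assumption: what a genuine call-recording app could plausibly need.
EXPECTED_FOR_CALL_RECORDER = {"RECORD_AUDIO", "READ_PHONE_STATE", "READ_CALL_LOG", "READ_CONTACTS"}


def granted_permissions(dumpsys_output: str) -> set[str]:
    """Short names (without the android.permission. prefix) of granted=true entries."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = PERMISSION_LINE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1).rsplit(".", 1)[1])
    return granted


def triage_permissions(dumpsys_output: str, expected: set[str]) -> dict[str, list[str]]:
    """Report granted permissions, those outside the expected set, and what they enable."""
    granted = granted_permissions(dumpsys_output)
    unexpected = granted - expected
    capabilities = sorted({CAPABILITIES[p] for p in unexpected if p in CAPABILITIES})
    return {
        "granted": sorted(granted),
        "unexpected": sorted(unexpected),
        "capabilities": capabilities,
    }


# Constructed dumpsys excerpt for a fictional "call recorder" package.
SAMPLE_DUMPSYS = """\
Package [org.example.callrec] (constructed sample):
    install permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALENDAR: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    report = triage_permissions(SAMPLE_DUMPSYS, EXPECTED_FOR_CALL_RECORDER)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '-'}")
```

A mismatch such as a "call recorder" holding SMS, camera, and location grants is a lead, not proof; the next steps are checking the APK's signing certificate and installer against the genuine app and preserving the device for forensic imaging.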
Also on ForkLog:
- Developers of meme heroine Hawk Tuah’s token suspected of exit scam.
- Polish police explained claims against former WEX head Dmitry Vasiliev.
- OpenAI introduced a Pro version of o1 for $200 a month. Researchers suspected it of deceiving people.
- Garantex, Russia Today, Ryuk: UK shut down Russian cryptocurrency laundering network.
- Hackers attacked Solana developers through JavaScript library substitution.
- Phantom crypto wallet “freed” users from seed phrases.
- Corporate fraud icon Enron “resurrected,” community intrigued by tokens.
- Former Celsius CEO admitted guilt on two of seven charges.
- Share of BNB Chain blocks affected by “sandwich bots” hit a record.
- Russian Ministry of Internal Affairs uncovered a scheme with fake crypto ATMs.
- Hydra founder sentenced to life in Russia.
What to Read Over the Weekend?
We explain the types of cryptocurrency pyramids and what attracts people to them.