
Cybersecurity Highlights: HACKED Token Scam, Tor’s Anonymity Challenge, and More

Here are the week’s most significant cybersecurity news stories.

  • Compromised X accounts were used for a Pump & Dump scheme involving the HACKED token.
  • The anonymous messenger Ghost ceased operations following the arrest of its creator.
  • The Marko Polo hackers devised over 30 cryptocurrency theft schemes.
  • Ukraine restricted Telegram use for government officials and military personnel.

Compromised X Accounts Exploited for HACKED Token Pump & Dump

On September 18, unknown hackers breached hundreds of major X accounts to execute a Pump & Dump scheme involving the scam token HACKED on the Solana blockchain. This was reported by Bleeping Computer.

Among the affected accounts were People Magazine (7.8 million followers), MoneyControl (1.4 million), and the EUinmyRegion account managed by the European Commission (~100,000 followers). The publication speculated that the breach might have occurred due to a compromised API key or third-party applications linked to the accounts.

The posts included a link to the token address and urged users to “pump it together and profit.” 

Source: Bleeping Computer.

At its peak, the token’s market capitalization exceeded $166,000, but at the time of writing, it stands at $2,062.

The wallet was labeled as “spam” at the request of on-chain detective ZachXBT.

Tor Asserts Browser Security Amid De-anonymization Reports

German law enforcement has reportedly found a way to de-anonymize cybercriminals using the Tor browser through temporal (timing) analysis, according to the local publication Panorama.

This method does not exploit software vulnerabilities but allows authorities to trace traffic back to individuals through prolonged monitoring.

Temporal analysis was notably used to identify administrators of the largest darknet site for child pornography, Boystown. They and a highly active user were arrested in May 2021.

In response, the Tor team stated that since the aforementioned investigation, the network has significantly expanded, and new tool versions offer adequate protection and anonymization measures. They claim that temporal analysis can be effectively countered. 

Marko Polo Hackers Devised Over 30 Cryptocurrency Theft Schemes

The cybercriminal group Marko Polo, utilizing a vast network of info-stealers, is actively targeting individuals and companies worldwide to steal cryptocurrencies, according to a report by Recorded Future. 

Through platforms like Zoom, Discord, and OpenSea, the hackers execute over 30 different fraudulent schemes and deploy more than 50 unique malicious payloads, infecting tens of thousands of devices globally. 

Their primary targets are influencers in the cryptocurrency and online gaming sectors. They employ social engineering tactics, spreading phishing job and partnership offers.

Marko Polo’s arsenal includes a range of malware for Windows and macOS (HijackLoader, Stealc, Rhadamanthys, and Atomic macOS Stealer) with diversified attack vectors, making the threat cross-platform.

Anonymous Messenger Ghost Ceases Operations, Creator Arrested

Europol, in collaboration with colleagues from nine countries, dismantled the Ghost messenger, which criminals used for drug trafficking and money laundering.

The application featured advanced security and anonymization functions, including three levels of encryption and a self-destructing message system. Subscriptions could be purchased with cryptocurrency.

The investigation into Ghost began in March 2022. Authorities found servers in France and Iceland, platform operators in Australia, and their financial assets in the United States. 

The operation resulted in 51 arrests across several countries, the destruction of a drug lab, and the seizure of weapons, illegal substances, and over €1 million ($1.1 million) in cash.

The main operators face five charges, with potential sentences totaling up to 26 years in prison.

US Expands Sanctions on Predator Spyware Developers

The OFAC added five individuals and one company to its sanctions list, linked to the development and distribution of the commercial spyware Predator. 

The sole entity listed is the British Virgin Islands-based Aliada Group, which acted as a transaction intermediary for Intellexa, the developer of Predator. Aliada Group is led by Intellexa Consortium founder Tal Jonathan Dilian.

The individuals include: 

The US authorities accuse them of cyber activities threatening national security, foreign policy, and financial stability.

All US assets of the listed individuals and company are frozen, and US citizens are prohibited from engaging in any transactions with them.

The previous sanctions package against Predator-related individuals was introduced in March 2024.

Ukraine Restricts Telegram for Government and Military Use

On September 19, the NSDC banned officials, military personnel, and critical infrastructure operators from using the Telegram messenger on official devices. 

The head of Ukraine’s GUR MO, Kyrylo Budanov, provided evidence of Russian intelligence services accessing users’ personal correspondence, including deleted messages, and personal data.

Security agencies believe Russia actively uses Telegram for cyberattacks, phishing, malware distribution, geolocation tracking, and missile strike coordination.

NSDC Secretary Oleksandr Lytvynenko emphasized that the restriction applies to “official correspondence for official purposes on official devices.”

“The decision is advisory for the government but does not affect official Telegram channels of state authorities,” he added.

Russian Ministry Denies Vulnerability in Electronic Summons Registry

An anonymous cybersecurity expert discovered a serious vulnerability in the electronic summons registry launched in Russia on September 18, allowing access to personal data of any citizen with a “Gosuslugi” account, reports Novaya Gazeta Europe.

According to the expert, any authenticated user who sent an API request containing another citizen’s “Gosuslugi” identifier received that citizen’s data. The identifier could be guessed because it “is generated by a predictable algorithm.”

The vulnerability exposed: 

Source: Novaya Gazeta Europe.

The Russian Ministry of Digital Development denied the existence of a vulnerability, claiming “reliable protection” of user data and “impossibility of hacking the portal.”

However, the publication found that the issue was fixed about an hour after its article was published: the site began checking that the ID in the request matched the ID of the authenticated user.
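A constructed model of the flaw and the fix described above, added here as an illustration (not code from the registry, from “Gosuslugi,” or from Novaya Gazeta Europe): the pre-fix handler returns any record to any logged-in user, the post-fix handler requires the requested ID to equal the session’s own ID, and a log check flags a session that reads many IDs other than its own, which is the trace a sweep over predictable identifiers leaves. All records, IDs and log lines are made up.

```python
from collections import defaultdict

# Constructed sample records, keyed by a sequential (hence guessable) account id.
RECORDS = {
    1001: {"name": "Citizen A", "summons": "none"},
    1002: {"name": "Citizen B", "summons": "issued"},
}

class Forbidden(Exception):
    """Raised when a request must be refused."""

def lookup_vulnerable(session_user_id, requested_id):
    """Before the fix: being logged in is the only check, so any authenticated
    user can read any other citizen's record by supplying that citizen's id."""
    if session_user_id is None:
        raise Forbidden("login required")
    return RECORDS[requested_id]

def lookup_fixed(session_user_id, requested_id):
    """After the fix: the requested id must equal the authenticated user's own id."""
    if session_user_id is None:
        raise Forbidden("login required")
    if requested_id != session_user_id:
        raise Forbidden("may only read own record")
    return RECORDS[requested_id]

# Constructed access-log lines: "<authenticated user id> <requested id>".
ACCESS_LOG = [
    "1001 1001",
    "1002 1002",
    "1003 1001",
    "1003 1002",
    "1003 1004",
]

def flag_enumeration(log_lines, threshold=3):
    """Return the user ids that requested at least `threshold` distinct records
    other than their own; a legitimate user normally reads only their own record."""
    seen = defaultdict(set)
    for line in log_lines:
        user, requested = (int(x) for x in line.split())
        if user != requested:
            seen[user].add(requested)
    return {user for user, ids in seen.items() if len(ids) >= threshold}
```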

Weekend Reading Suggestions

Explore transaction censorship and ponder why entire companies and communities sacrifice decentralization.