Here is a roundup of the week’s most significant cybersecurity news.
- “Zoom conference” infiltrates crypto wallets.
- FBI identifies culprits behind the $308 million DMM Bitcoin exchange hack.
- Analysts uncover cases of voluntary biometric compromise.
- UN adopts its first Cybercrime Convention.
“Zoom Conference” Infiltrates Crypto Wallets
Several users fell victim to phishing software disguised as a Zoom application. The perpetrators have already profited over $1 million in various cryptocurrencies. Analysts at SlowMist dissected the attack.
⚠️ Beware of phishing attacks disguised as Zoom meeting links! Hackers collect user data and decrypt it to steal sensitive info like mnemonic phrases and private keys. These attacks often combine social engineering and trojan techniques. Read our full analysis ⬇️
— SlowMist (@SlowMist_Team) December 27, 2024
Victims received links to video conferences, and the opened page precisely mimicked the Zoom interface. In reality, it initiated the download of malicious software capable of stealing system information, browser cookies, Telegram account data, seed phrases, and cryptocurrency wallet keys.
The hacker’s address examined by experts received over $1 million in USD0++, MORPHO, and ETH. Small amounts were transferred to 8800 related wallets, presumably used for fee payments. Most of the stolen funds — 296.45 ETH — were sent to a new address. Its balance at the time of writing was 32.81 ETH.
SlowMist found that funds from the last wallet were sent to Binance, MEXC, FixedFloat, and other exchanges.
The hacker’s server IP address is located in the Netherlands and is currently flagged as malicious by threat analysis platforms.
FBI Identifies Culprits Behind $308 Million DMM Bitcoin Exchange Hack
The May hack of the Japanese cryptocurrency exchange DMM Bitcoin was orchestrated by state-sponsored North Korean hackers known as TraderTraitor, also referred to as Jade Sleet, UNC4899, and Slow Pisces, according to the FBI.
The bureau reports that the attack began in March when one of the hackers posed as a recruiter on LinkedIn and contacted an employee of Ginco, a Japanese developer of corporate cryptocurrency wallet software. The employee had access to the employer’s asset management system.
The hacker sent a job offer that included a preliminary test hosted on GitHub. The employee copied the malicious Python code provided with the test onto the work computer, compromising it.
Subsequently, TraderTraitor requested a transaction in the employee’s name, resulting in the loss of 4502.9 BTC ($308 million at the time of the attack).
Analysts Uncover Cases of Voluntary Biometric Compromise
Hackers are bypassing KYC checks using genuine biometric data purchased from users. They have already amassed a “significant collection of identity documents and corresponding facial images,” according to analysts at iProov.
EXPOSED: Criminal networks aren’t stealing identities anymore.
They’re buying them. Legally. With cash.
And because these are REAL documents freely given, traditional fraud checks are useless.
Watch how this works [VIDEO] or read more: https://t.co/0mX1VSf9my
— iProov (@iProov) December 23, 2024
The acquired information is used in fraud against various financial institutions.
Researchers warned that the combination of legitimate documents and genuine matching biometric data makes it “extremely difficult” to detect fraudsters using traditional verification methods.
Ransomware Duo Targets Small and Medium Businesses in Russia
The Russian-speaking hacker group Masque, active since January 2024, conducted a series of ransomware attacks on Russian companies, demanding ransoms in cryptocurrencies. This was reported by F.A.C.C.T.
The initial vector in most cases was exploiting vulnerabilities in publicly accessible services like VMware Horizon. Ransomware programs LockBit 3 (Black) and Babuk (ESXi) were then installed on the compromised server.
For communication with victims, the attackers used the Tox messenger.
Since the beginning of the year, the group has conducted at least 10 attacks on small and medium businesses. The initial ransom amount was 5-10 million rubles in Bitcoin or Monero.
Cl0p Ransomware Targets 66 Victims
Cl0p ransomware operators demanded that 66 organizations, affected by the Cleo data theft in October, pay a ransom within 48 hours to prevent information leaks. This was reported by Bleeping Computer.
According to the cybercriminals, each victim was contacted directly and invited to a secure chat for negotiations. The hackers also provided email addresses for contact.
An unspecified number of other affected firms have already reached out to Cl0p.
193 UN Member States Adopt Historic Cybercrime Convention
After five years of negotiations, the UN General Assembly adopted the first Cybercrime Convention. It aims to enable swift, coordinated, and more effective responses to unlawful online activities.
The convention regulates access to and exchange of electronic evidence to facilitate investigations and prosecutions. Member states will also gain access to 24/7 operational assistance, including support in investigations, identification, freezing, seizure, and return of crime proceeds, as well as extradition.
The document mandates states to develop measures to reduce cybercrime risks and threats. This includes training for public and private sectors, offender rehabilitation programs, and victim assistance.
Russia Sets Conditions for Blocking WhatsApp
WhatsApp faces a potential block in Russia in 2025 if it fails to comply with local laws, particularly regarding the storage of user communication data and providing it upon request to the FSB. This was stated by Senator Artem Sheikin to RIA Novosti.
According to him, the service currently has “no contact” with Russian law enforcement, and authorities expect changes.
The senator noted that if WhatsApp meets Roskomnadzor’s requirements, nothing will change for users. Previously, WhatsApp was forcibly added to the register of information dissemination organizers.
The State Duma clarified that the question of blocking falls within RKN’s competence and is not currently under discussion.
Also on ForkLog:
- Once again: ChatGPT experiences a global outage.
- Animoca Brands becomes the latest victim of hackers on social network X.
- Russia to begin tracking cryptocurrency exchanges through mules.
- X account hacker earns $500,000 from crypto scam.
- Meme coin boom attracts scammers to the Solana network — Hacken report.
- Media: Resident of Chernomorsk scammed in Bitcoin purchase for 43,000 hryvnias.
- Creators of S-Group network with $100 million damage arrested in Russia.
- Nokia files patent for digital asset encryption module.
- Seed phrases in YouTube comments: Analysts reveal new scam.
- Cyber threats from North Korea cause a net outflow of $249 million from Hyperliquid.
- US fraudulent NFT creators face 60 years in prison.
- Media uncover sale of Bitcoin conference participant data.
- X users suspect impending Hyperliquid hack.
- Italy fines OpenAI €15 million for privacy violations.
- HEX founder placed on international wanted list.
- Trust Wallet developers fix bug zeroing user balances.
Weekend Reading Suggestions
Exploring whether “Satoshi’s shield” can withstand the quantum threat to Bitcoin.
