
Cybersecurity Roundup: Arrest Linked to Lazarus, US Sanctions on Russian IT, and More

Here are the week’s most significant cybersecurity news stories.

  • A Russian involved in laundering cryptocurrency for Lazarus was arrested in Argentina.
  • The US has sanctioned Russian cybersecurity companies.
  • Experts have identified the creator of Styx Stealer, targeting Bitcoin wallets.

Russian National Arrested in Argentina for Laundering Cryptocurrency for Lazarus

The Argentine Federal Police arrested a 29-year-old Russian citizen in Buenos Aires, accused of laundering cryptocurrency for various criminals, including the North Korean hacking group Lazarus. The blockchain analytics firm TRM Labs helped identify the suspect.

According to La Nacion, the accused laundered funds through cryptocurrency exchanges and mixers, then converted assets into fiat. People reportedly visited his apartment daily with bags.

Among other transactions, the Russian handled part of the $100 million stolen from the Horizon cross-chain bridge by Lazarus hackers in the summer of 2022.

Investigations revealed that as of December 18, 2023, the individual had acquired over 1.3 million USDT for Russian rubles and conducted 2,463 cryptocurrency transfers via Binance Pay, totaling more than $4.5 million.

Source: TRM Labs.

Surveillance had been ongoing since November 2023. The suspect changed apartments monthly. His last location was identified with information provided by Binance.

All electronic devices, two cryptocurrency wallets with assets worth $121,000, and $15 million in cash were seized from the apartment.

Experts Identify Creator of Styx Stealer Targeting Bitcoin Wallets

Researchers at Check Point tracked down and exposed the developer of the Styx Stealer malware, which steals passwords, system information, browser autofill data, Telegram and Discord data, and cryptocurrency wallets. Targeted wallet brands include Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.

Styx Stealer is distributed via subscription with payments in cryptocurrencies. Check Point specialists tracked eight wallets associated with the hacker. In just two months—from April to June—these wallets received approximately $9,500 in various coins.

The malware’s creator was identified as Turkish hacker Sty1x. He inadvertently revealed personal data while debugging the stealer using a Telegram bot token provided by a participant in the Agent Tesla spam campaign.

Researchers gained access to his messenger account, email, and contacts. They also identified 54 clients who used the malware.

US Sanctions Russian Cybersecurity Companies

OFAC expanded sanctions to include 400 Russian legal and physical entities.

The publication “Durov’s Code” noted that the list includes a significant number of firms related to IT and cybersecurity.

Sanctions were also imposed on over a hundred companies from China, UAE, Turkey, and Switzerland, which enabled Russia to circumvent previously imposed restrictions.

Toyota Confirms Customer Data Breach Due to Third-Party Leak

A user named ZeroSevenGroup released a 240 GB archive allegedly obtained from hacking a branch of the automaker Toyota in the US. The perpetrator claims the dump contains employee and customer information, as well as contracts and financial data.

Source: BreachForums.

According to Bleeping Computer, the files were stolen or at least created on December 25, 2022, possibly indicating they were obtained from a backup server.

In a comment to the publication, Toyota confirmed the incident at an unnamed third-party organization, which indirectly affected its customers. The company said it is cooperating with all affected parties and providing assistance as needed.

Company representatives emphasized that Toyota Motor North America’s systems were “not hacked or compromised.”

Russian Ransomware Group Member Charged in the US

The US Department of Justice charged 33-year-old Latvian citizen Denis Zolotarev with money laundering, wire fraud, and extortion as part of the Russian group Karakurt.

The gang began operations in mid-2021, extorting victims through data theft alone, without deploying encryption tools.

According to case materials, Zolotarev used the alias Sforza_cesarini and acted as a negotiator. He is linked to at least six extortion incidents involving US organizations from August 2021 to November 2023. One of these companies paid Karakurt a ransom of over $1.3 million.

The suspect’s identity was established through cryptocurrency tracking, communication analysis, and data from Rocket.Chat obtained via a warrant. Zolotarev was arrested in December 2023 in Georgia and extradited to the US earlier this month.

Russian Communications Watchdog Blames DDoS for Messaging App Outages, Experts Skeptical

On August 21, Russian residents reported widespread issues accessing messaging apps Telegram, WhatsApp, and several other services, including Discord, Skype, Facebook Messenger, AnyDesk, GitHub, Wikipedia, Steam, Cloudflare, and Yandex Cloud.

In a comment to Forbes, representatives of Roskomnadzor attributed the outage to a DDoS attack on Russian operators. However, experts doubted the agency’s statement.

“How could a DDoS attack be organized against all operators in Russia? […] And how do you explain that only messengers and a few other resources went down, while everything else (including VPNs, by the way) remained operational? Roskomnadzor is lying,” wrote the author of the Telegram channel “ZaTelecom” Mikhail Klimarev. 

On August 23, outages affected Telegram, WhatsApp, and Viber. Klimarev suggests that authorities have begun testing technology to block messengers.
