A round-up of the week’s key cybersecurity stories.
- Investigation: criminals keep laundering funds via CEX.
- American pleads guilty to laundering $25m.
- A serious privacy flaw found in WhatsApp.
- Military dismantles a second scam compound in Myanmar.
Investigation: laundering continues via CEX
The International Consortium of Investigative Journalists (ICIJ) published a report titled The Coin Laundry, revealing how criminal syndicates wash funds through major centralised exchanges (CEX).
According to the ICIJ, crypto exchanges continue to process crime-linked transactions despite regulatory oversight. The report highlights Huione Group, a network tied to human trafficking and scams in Asia. Reporters say at least $408m flowed from it to Binance.
OKX, which in February 2025 admitted violating US law, continued to “receive hundreds of millions of dollars” from the same sources as Binance. More than $161m arrived after the US Treasury labelled Huione a “primary money laundering concern,” the investigation says.
With 37 media partners across 35 countries, the ICIJ compiled hundreds of crypto addresses linked to North Korean hackers, Russian money-laundering schemes and Chinese drug networks. An analysis of tens of thousands of transactions found criminal groups actively used accounts on Binance, Coinbase, OKX, HTX, KuCoin and other exchanges.
“The crypto industry has effectively built a parallel shadow financial system in which exchanges continue to profit from dubious transactions while victims of crimes are left with no real chance of recovering losses,” the authors concluded.
American pleads guilty to laundering $25m
A 45-year-old California resident pleaded guilty to laundering at least $25m stolen in a fraud scheme, according to a US Department of Justice release.
According to the department, Kunal Mehta was part of a group active from October 2023 to March 2025. On 18 August 2024 the perpetrators stole more than 4,100 BTC (over $230m at the time) from a victim in Washington, DC. The conspirators converted most of the funds into Monero but made mistakes that allowed investigators to link the transactions to the stolen assets.
In 2024, Mehta set up several shell companies to legitimise the proceeds, the DOJ said. He received partially “clean” cryptocurrency and sent it to partners who executed more complex schemes. The money then returned to accounts of legitimate firms connected to him.
A serious flaw found in WhatsApp
Researchers at SBA Research uncovered a serious privacy issue in WhatsApp. They collected data from 3.5bn user accounts due to a lack of request rate limits, Wired reports.
Enumeration via the web client reached up to 100m phone numbers per hour. Ultimately, researchers obtained profile photos for 57% of accounts and “About” text for 29%.
They notified Meta in April and deleted the harvested data, according to the outlet. The company, however, did not fix the flaw until October.
Media suggested attackers could have had similar access earlier. Meta told Wired there was no sign of abuse and that only “public data” were exposed.
Country statistics showed a high share of profiles with open information:
- US — 44% with a photo, 33% with “About” data;
- India — 62% with a photo;
- Brazil — 61% with a photo.
The report also notes that WhatsApp is banned in China, Myanmar, North Korea and several other countries. Even so, the team found millions of active accounts tied to numbers from these regions.
Some cryptographic keys appeared hundreds of times, and for 20 US numbers the key consisted entirely of zeros. The experts suggested the cause was the use of unofficial or modified WhatsApp clients, not a flaw in the service itself.
A closer look at accounts with identical keys showed many appeared fraudulent. The researchers argue the core problem is the identification model—phone numbers are ill-suited for the role.
According to a Meta announcement, WhatsApp developers are already testing usernames as a more private alternative.
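The key anomalies described above (the same key on many accounts, keys made entirely of zeros) are the kind of thing a service operator can audit for in its own key directory. The sketch below is an added example, not code from the researchers or from WhatsApp; the directory format, the 32-byte hex-encoded key size and the function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

KEY_LEN = 32  # assumed public-key size in bytes (hypothetical directory format)

# Constructed sample: (phone number, hex public key). Not real accounts or keys.
SAMPLE_DIRECTORY = [
    ("+12025550101", "a1" * 32),
    ("+12025550102", "00" * 32),   # degenerate all-zero key
    ("+12025550103", "b2" * 32),
    ("+12025550104", "B2" * 32),   # same key as ...0103, upper-case hex
    ("+12025550105", "b2" * 32),
    ("+12025550106", "c3" * 16),   # truncated key
    ("+12025550107", "not-hex"),   # undecodable entry
]


def audit_identity_keys(directory, reuse_threshold=2):
    """Flag malformed, all-zero and reused public keys in a key directory."""
    findings = {"malformed": [], "all_zero": [], "reused": {}}
    owners = defaultdict(list)
    for number, key_hex in directory:
        try:
            key = bytes.fromhex(key_hex)  # decoding normalises hex case
        except ValueError:
            findings["malformed"].append(number)
            continue
        if len(key) != KEY_LEN:
            findings["malformed"].append(number)
        elif not any(key):
            # Every byte is zero: no legitimate key generation produces this.
            findings["all_zero"].append(number)
        else:
            owners[key].append(number)
    # A key registered by several accounts points to a shared or cloned client.
    for key, numbers in owners.items():
        if len(numbers) >= reuse_threshold:
            findings["reused"][key.hex()] = sorted(numbers)
    return findings


if __name__ == "__main__":
    for kind, hits in audit_identity_keys(SAMPLE_DIRECTORY).items():
        print(kind, hits)
```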
Myanmar military dismantles a second scam compound
Myanmar’s military has expanded a sweeping operation against crypto-scam compounds, dismantling a second major hub in the city of Shwe Kokko, Nikkei Asia reports.
On 25 October, KK Park was targeted. Authorities detained 346 foreign nationals and seized about 10,000 mobile phones used in fraud schemes.
Google warns of a Chrome vulnerability
On 17 November, Google warned of a dangerous vulnerability in the Chrome browser.
Specialists said the flaw stems from improper handling of a certain data type in the V8 JavaScript engine, causing memory corruption. An attacker could exploit it via a web page to execute malicious code.
The company added that attackers had already attempted to exploit the issue. Google recommended promptly checking for an updated browser version:
- Windows — 142.0.7444.175/176;
- Mac — 142.0.7444.176;
- Linux — 142.0.7444.175.
Cloudflare explains a major outage
Service problems at Cloudflare that led to significant client outages on 18 November were not the result of a hack, company representatives said.
Initially, the infrastructure giant cited a “spike in unusual traffic,” raising fears of a breach. Cloudflare’s CTO, Dane Knecht, later rejected that theory.
I won’t mince words: earlier today we failed our customers and the broader Internet when a problem in @Cloudflare network impacted large amounts of traffic that rely on us. The sites, businesses, and organizations that rely on Cloudflare depend on us being available and I…
— Dane Knecht 🦭 (@dok2001) November 18, 2025
An internal review found a service-management error in the bot-mitigation function after a routine configuration change, which propagated to other systems.
Cloudflare serves about 19% of all active websites and the online services of 35% of Fortune 500 firms. The incident affected millions of users.
Also on ForkLog:
- Bloomberg reported a US investigation into Bitmain.
- The BNB protocol GANA Payment was hacked for $3.1m.
- The aPriori team disappeared after accusations of misappropriating an airdrop.
- Anthropic revealed the first AI-orchestrated cyber-espionage operation.
What to read this weekend?
In a new feature, ForkLog explores the ideas and life of one of privacy’s leading ideologues, the creator of Signal, Moxie Marlinspike.
