
Darknet crypto millions, another Coinbase setback and other cybersecurity developments

Here are the week’s key cybersecurity developments.

  • Authorities seized hundreds of millions of dollars in cryptocurrency from a drug-trafficking network.
  • Malicious crypto utilities were found among Chrome extensions.
  • Media reported dozens of U.S. government victims from a hacked Signal clone.
  • Vietnam will start blocking Telegram over its refusal to cooperate.

Authorities seize hundreds of millions of dollars in cryptocurrency from drug network

Law enforcement in 10 countries seized $200m in fiat and cryptocurrencies and arrested 270 people allegedly tied to a large network of drug and weapons traffickers, the U.S. Department of Justice said.

Authorities confiscated more than two tonnes of drugs, 144 kg of fentanyl-laced substances and 180 firearms.

U.S. prosecutors charged several major vendors, including the operators of Nemesis and Incognito Markets, who used cryptocurrency to sell opioids and conceal proceeds.

Malicious crypto utilities found among Chrome extensions

Security researchers at DomainTools discovered more than 100 malicious Chrome extensions masquerading as legitimate applications, including crypto utilities, YouTube tools, VPNs and AI assistants. 

Installing them risks account takeover, theft of personal data and monitoring of network activity. Ultimately they provide attackers with a backdoor into the infected browser, giving them broad scope for exploitation.

Stolen session cookies can enable compromise of legitimate VPN devices or company accounts, opening access to corporate networks for larger-scale attacks.
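The reach described above comes from the permissions an extension declares: cookie access, request interception and host access to every site. As an added example (not code from the article, from DomainTools or from Google), the script below audits Chrome extension manifests, Manifest V2 or V3, and flags those combinations so an administrator can triage what is installed. The risk list, the scoring thresholds and the profile directory path are assumptions made for this example.

```python
"""Added example, not code from the ForkLog article or from DomainTools.

Audits Chrome extension manifests (Manifest V2 or V3) and flags the permission
combinations that give an extension the reach the article describes: reading
session cookies, observing or rewriting traffic, and running on every site.
The risk list, the scoring and the directory layout are assumptions made for
this example.
"""
import json
from pathlib import Path

# Permissions that expose session cookies, traffic or page contents.
# Assumed set for this example; Chrome documents many more.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read or set cookies (session tokens) on granted hosts",
    "webRequest": "observe network requests",
    "webRequestBlocking": "modify or block network requests (MV2)",
    "declarativeNetRequest": "rewrite requests through rule sets",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "nativeMessaging": "talk to a native host process outside the browser",
    "debugger": "drive tabs through the DevTools protocol",
}
# Host patterns that match every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions, host reach and a coarse verdict."""
    declared = set(manifest.get("permissions", [])) | set(
        manifest.get("optional_permissions", [])
    )
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in declared if _is_host_pattern(p)
    }
    flagged = sorted(p for p in declared if p in HIGH_RISK_PERMISSIONS)
    broad_hosts = any(h in BROAD_HOSTS for h in hosts)
    # Content scripts injected on every site are equivalent to broad host access.
    broad_content = any(
        any(m in BROAD_HOSTS for m in cs.get("matches", []))
        for cs in manifest.get("content_scripts", [])
    )
    score = len(flagged) + (2 if broad_hosts else 0) + (2 if broad_content else 0)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "flagged": flagged,
        "reasons": [HIGH_RISK_PERMISSIONS[p] for p in flagged],
        "broad_hosts": broad_hosts or broad_content,
        "score": score,
        "verdict": verdict,
    }


def scan_extensions_dir(root: Path) -> list[dict]:
    """Walk <root>/<extension id>/<version>/manifest.json as Chrome lays it out."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        report = audit_manifest(manifest)
        report["extension_id"] = manifest_path.parents[1].name
        results.append(report)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests for demonstration, not real extensions.
SAMPLE_BENIGN = {"name": "Note Taker", "manifest_version": 3, "permissions": ["storage"]}
SAMPLE_COOKIE_GRABBER = {
    "name": "Wallet Helper",
    "manifest_version": 3,
    "permissions": ["cookies", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_MV2_VPN = {
    "name": "Free VPN",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"],
}

if __name__ == "__main__":
    for m in (SAMPLE_BENIGN, SAMPLE_COOKIE_GRABBER, SAMPLE_MV2_VPN):
        r = audit_manifest(m)
        print(f"{r['name']:<15} {r['verdict']:<6} score={r['score']} flagged={r['flagged']}")
    # Real run against a Linux default profile (path is an assumption; adjust per OS):
    # for r in scan_extensions_dir(Path.home() / ".config/google-chrome/Default/Extensions"):
    #     print(r)
```

The score is deliberately coarse: a "high" verdict only says the extension could read session cookies or traffic on every site, which is the capability the article warns about, not that it does so. Review the flagged extensions against what they are supposed to do, and treat a VPN or wallet helper with `cookies` plus `<all_urls>` as worth removing until verified.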

Google removed most of the extensions, though some remained in the Chrome Web Store at the time of writing.

Lumma crypto-stealer loses thousands of domains and part of its servers

U.S. agencies seized the Lumma stealer’s control panel; counterparts in Europe and Japan neutralised parts of the malware’s infrastructure; and Microsoft, via court action, blocked about 2,300 of its domains.

Active since late 2022, the threat spread via GitHub comments and deepfake-generation sites. Subscriptions ranged from $250 to $1,000.

After a breach, Lumma can steal data from browsers and applications, including crypto wallets, cookies, credentials, passwords and credit cards. The stealer has extensive detection-evasion capabilities.

Separately, Europol took down about 300 servers, neutralised 650 domains and issued arrest warrants for 20 cybercriminals linked to Bumblebee, Latrodectus, QakBot, DanaBot, TrickBot and WARMCOOKIE. More than €21.2m was seized, including €3.5m in cryptocurrency.

Media report dozens of U.S. government victims from hacked Signal clone 

Hackers who breached a modified Signal client from TeleMessage in early May intercepted messages from more than 60 senior U.S. officials, Reuters reported.

Victims included first responders, customs officers, several members of the U.S. diplomatic corps, at least one White House staffer and a Secret Service member. 

According to the report, on 4 May the attackers compromised a TeleMessage server. The company makes encrypted modifications of well-known messengers. Access to internal infrastructure allowed them to dump 410 GB of user messages in under 20 minutes. 

The intruders also accessed internal correspondence of staff at the Coinbase cryptocurrency exchange. However, platform representatives said they did not use the messenger to transmit critically important client information.

The organisation DDoSecrets announced access for researchers and journalists to a database including TeleMessage users’ correspondence and metadata.

EU sanctions web host Stark Industries and a Roskomnadzor unit

The Council of the EU added to its sanctions list the web-hosting provider Stark Industries and two of its executives—CEO Yuriy Nekuliti and owner Ivan Nekuliti—for facilitating cyberattacks on behalf of Russia. 

“They acted as enablers of various actors sponsored by and linked to the Russian state to carry out destabilising activities, including interference in information manipulation and cyberattacks against the EU and third countries,” the statement said.

Stark Industries is registered in the United Kingdom and provides VPS/VDS servers in the UK, the Netherlands, Germany, France, Turkey and the U.S. The provider accepts payments including bitcoin, Ethereum, Monero and Dash.

Experts link numerous disinformation campaigns and DDoS attacks in Russia’s favour to servers operated by Stark Industries and other services provided by the Nekuliti brothers.

Also sanctioned was a Roskomnadzor entity — the FSUE “Main Radio Frequency Centre” — for involvement in electronic warfare through GPS jamming and spoofing in the Baltic states, as well as for disrupting civil aviation.

Vietnam to block Telegram over refusal to cooperate

Vietnam’s technology ministry accused the Telegram messenger of refusing to cooperate with law enforcement and ordered it blocked nationwide by 2 June, Reuters reported. 

Authorities say 68% of 9,600 channels and groups on the messenger in Vietnam violate the law, allegedly spreading “toxic” information, publishing anti-government materials and facilitating crimes including fraud and drug trafficking.

The statement stressed that Telegram has not registered its operations in the country, does not remove prohibited content at police request and does not provide the government with user data for criminal investigations.
