
Ripple co-founder wallet hack, Ethereum-stealing PyPI package, and other cybersecurity highlights
We have compiled the week’s key cybersecurity stories.
- ZachXBT linked a $23.6 million crypto seizure to the hack of Ripple’s co-founder’s wallet.
- A malicious package on PyPI was found stealing Ethereum.
- Fake DeepSeek sites spread stealers and backdoors.
- Telegram Stars and NFTs are driving account theft.
ZachXBT linked a $23.6 million crypto seizure to the hack of the Ripple co-founder’s wallet
US authorities seized $23.6 million in cryptocurrencies stolen after an online password manager was breached in 2022. According to court filings, from June 2024 to February 2025 law enforcement tracked the pilfered assets across OKX, Payward Interactive, Inc. (operated by Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (operated by FixedFloat), SwapSpace LLC and Rabbit Finance LLC (operated by CoinRabbit).
Investigators did not name the password manager, but the complaint says the platform suffered “two major data breaches” in August and November 2022. That timeline aligns with incidents at LastPass.
On-chain sleuth ZachXBT wrote the seizure is connected to the theft of $150 million (283 million XRP) from Ripple co-founder Chris Larsen in January 2024.
“The reason for Larsen’s wallet compromise was storing private keys in LastPass. Until now, he had not publicly disclosed the cause of the theft,” the researcher noted.
LastPass, in comments to Bleeping Computer, said that, so far, law enforcement “has not provided any compelling evidence linking any cryptocurrency thefts to our incident.”
Malicious package on PyPI found stealing Ethereum
Researchers at Socket discovered a malicious Python Package Index (PyPI) package, “set-utils,” that steals Ethereum private keys. Since January 2025 it has been downloaded more than 1,000 times, though the number of potential victims may be significantly higher.
The Socket Research team has discovered a malicious PyPI package stealing Ethereum private keys by exfiltrating them through blockchain transactions via the Polygon RPC. https://t.co/0VMfXHcXpT #Python #Ethereum
— Socket (@SocketSecurity) March 5, 2025
The package masquerades as a Python utility, imitating the popular “python-utils” (712 million downloads) and “utils” (23.5 million installs). The attacks target blockchain developers using the “eth-account” library to manage wallets, Python-based DeFi projects and Ethereum-enabled Web3 applications.
The attackers hook into standard Ethereum wallet-creation functions to intercept private keys as they are generated on a compromised device. Funds are exfiltrated via the Polygon blockchain.
At the time of writing, the malicious package has been removed from PyPI. Users who imported it into their projects are advised to take action and move assets to a safe address.
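The interception described above works by replacing a library's wallet-creation function with a look-alike wrapper. The following defensive check, added here as an example and not code from Socket or the article, flags such a replacement by looking at where the function's code object actually lives rather than at its name or module, since `functools.wraps` copies `__module__` and `__name__` but not `__code__`. It uses `json.dumps` as an offline stand-in for a wallet-creation function in the eth-account library (assumed here to be `Account.create`) and simulates the hook locally.

```python
import functools
import json
import os
import sys

def implementation_path(func):
    """Absolute path of the source file whose code runs when func is called.

    A wrapper that imitates the original via functools.wraps keeps its own
    __code__ object, so co_filename still points at the impostor's file.
    """
    func = getattr(func, "__func__", func)  # unwrap bound/class methods
    code = getattr(func, "__code__", None)  # builtins/callable objects have none
    return os.path.abspath(code.co_filename) if code else None

def is_hooked(func, package_name):
    """True if func's implementation no longer lives inside the package's directory."""
    pkg = sys.modules[package_name]
    pkg_dir = os.path.dirname(os.path.abspath(pkg.__file__))
    path = implementation_path(func)
    return path is None or not path.startswith(pkg_dir + os.sep)

def simulate_hook(package, attr):
    """Constructed stand-in for the interception the article describes.

    Replaces package.attr with a wrapper that looks like the original and
    returns a callback that restores it.
    """
    original = getattr(package, attr)

    @functools.wraps(original)  # copies __name__, __module__, __doc__, sets __wrapped__
    def wrapper(*args, **kwargs):
        result = original(*args, **kwargs)
        # a stealer would exfiltrate `result` (a freshly generated key) here
        return result

    setattr(package, attr, wrapper)
    return lambda: setattr(package, attr, original)

def demo():
    """Return (clean_verdict, hooked_verdict) for json.dumps before and after hooking."""
    clean = is_hooked(json.dumps, "json")
    restore = simulate_hook(json, "dumps")
    try:
        hooked = is_hooked(json.dumps, "json")
    finally:
        restore()
    return clean, hooked
```

Run this check at startup against the wallet functions a project depends on, after all imports (including transitive ones) have completed, since a hook installed at import time is the pattern the article describes.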
Fake DeepSeek sites spread stealers and backdoors
Kaspersky Lab specialists found several clusters of phishing pages cloning the official DeepSeek chatbot website.
Malware instead of DeepSeek
The release of the DeepSeek R1 language model was a major event… for cybercriminals. In short order they organised several campaigns aimed at infecting as many computers as possible with stealers and backdoors, disguised as the popular new AI.
… pic.twitter.com/MqQg4rV2dc
— Kaspersky (@Kaspersky_ru) March 6, 2025
In the first campaign, fake sites distributed a Python stealer by prompting installation of a non-existent DeepSeek client for Windows. The malware siphons browser cookies and sessions, logins and passwords for various services, files with specified extensions, and cryptocurrency wallet information.
In the second scheme, the main vector for distributing links to fraudulent sites was X. One post, published in the name of an Australian company, garnered 1.2 million views and more than a hundred reposts.
The third campaign targets technically savvy users. The payload is disguised as the Ollama framework for running large language models locally. Ultimately, it installs a modified Farfli backdoor on the victim’s device.
Britain to probe TikTok and Reddit over children’s data handling
The UK Information Commissioner’s Office (ICO) launched an investigation into TikTok, Imgur and Reddit regarding compliance with the privacy of underage users.
At this stage the watchdog is assessing whether any data-protection laws were breached, and what information the services use to estimate user age.
If sufficient evidence of violations is found, the ICO intends to seek explanations from the companies before deciding on any enforcement action.
Telegram Stars and NFTs are fuelling account theft
Analysts at F6 recorded a rise in account theft on the Telegram messenger. In the second half of 2024, a single group stole more than 1.24 million accounts, up 25.5% on the same period of 2023.
Among the targets are the Telegram Stars digital currency and collectible virtual gifts, including NFTs. They are typically transferred to mule accounts and sold.
The average price of accounts registered to Russian numbers is about 160 rubles. The amount varies depending on the presence of a premium subscription, admin rights in channels and the number of chats.
To build phishing pages, attackers use web panels or Telegram bots. Users are lured with cash prizes, security warnings, gift premium subscriptions, polls or access to private channels.
Often, as part of a combo scheme, a stolen account automatically begins spreading scam links. These lead to phishing pages ostensibly for compiling a CV. To “send it to the employer,” you must sign in via Telegram.
Apple users in 117 countries notified of spyware attacks
Apple notified users in 117 countries that they were targets of precision attacks using mobile spyware. Amnesty International experts reported the alerts.
NEW: Apple threat notifications
Apple have just sent a new round of notifications to individuals targeted by highly-invasive mobile spyware.
Reach out to our team at @Amnesty’s Security Lab or trusted experts if you received this critical warning. https://t.co/h0jQRXcziE
— Amnesty Tech (@AmnestyTech) March 5, 2025
Such notifications typically do not disclose the identities of the attackers or the specific countries affected.
In 2024 Apple sent similar notifications twice.
Also on ForkLog:
- Garantex suspended operations due to a USDT freeze. The US Department of Justice published a report on the investigation. An expert explained the implications.
- A vulnerability in an outdated 1inch smart contract led to a $5 million loss. The hacker returned the assets.
- In Russia, cryptocurrencies were called “a tool to circumvent sanctions”.
- Argentina’s prosecutor’s office took measures to freeze $100 million linked to LIBRA.
- Wallets of the Nemesis darknet marketplace came under US sanctions.
- Bybit urged ParaSwap to return profits from Lazarus transactions.
- An OnlyFans model was the victim of an armed attack over cryptocurrency.
- Bybit’s CEO: 20% of stolen assets “went into the shadows.”
- THORChain swap volume exceeded $4.6 billion after the Bybit hack.
- Scammers tricked Britons into revealing seed phrases and stole $1.2 million in crypto.
- A court dismissed a lawsuit by the SEC against the HEX founder.
- In the US, more than 1,200 bitcoin ATMs were shut down in three days.
- Ronaldinho launched the STAR10 token. Smart-contract researchers warned of risks.
- Victims of a crypto scam in the US will receive $8.2 million back.
What to read this weekend?
We examine the negative impact of memecoins on the crypto industry.