
Seed-phrase poison, a contagious ‘Coinbase job’ ruse, and other cybersecurity news
We collected the week’s most important cybersecurity news.
- Coinbase and Ledger customers targeted by seed‑phrase phishing.
- North Korean hackers posed as HR managers of major crypto exchanges.
- Members of the group that breached NATO’s portal suggested their leader had been arrested.
Coinbase and Ledger customers targeted by seed-phrase phishing campaign
Researchers at SilentPush uncovered the PoisonSeed phishing campaign, which sends emails containing seed phrases to steal cryptocurrency.
First, attackers spin up spoofed pages of well-known mass-mailing platforms, including Mailchimp, SendGrid, HubSpot, Mailgun and Zoho. They use them to compromise corporate email accounts of various marketers and then send spam from those inboxes. The hackers focus on Coinbase customers and Ledger hardware‑wallet owners.
The messages typically mimic an urgent alert such as “Coinbase is moving to self-custody wallets” and include a seed phrase. Recipients are told to enter it when creating a new wallet to “safely transfer assets” as part of an update or migration.

If the target complies, the attacker, who already knows the seed phrase, gains full control of their funds.
North Korean hackers posed as HR managers from major crypto exchanges
Experts at Sekoia flagged a new ClickFix tactic adopted by the North Korean hacking group Lazarus to target jobseekers in AI and crypto.
Candidates receive invitations from fake interview sites. When they click through and view content, they encounter errors. The page offers to “fix” the issue by running PowerShell commands that fetch malware.
In this campaign the hackers impersonate well-known crypto projects, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood and Bybit.

Beyond stealing crypto, the malware can perform file operations and shell commands, exfiltrate cookies, browsing history and saved passwords, and collect system metadata.
Members of the group that breached NATO’s portal suggest their leader was arrested
One member of the SiegedSec hacking group, responsible for breaching NATO’s portal, the Heritage Foundation think-tank and a nuclear laboratory in Idaho, suggested that the FBI searched the home of their leader, known as vio, and arrested her. This was reported by Daily Dot, citing a March 26 tweet.
I regret to inform you that vio’s location was raided earlier today. She is no longer accessible, contactable, or reliable.
I’m available to address any inquiries you may have.
— . (@mewmrrpmeow) March 26, 2025
“I regret to inform you that vio’s location was raided this morning. She is no longer available, cannot be reached, and [her contact from this moment] is unreliable,” wrote the user under the handle mewmrrpmeow.
A day later, a new post noted that “the silence around the SiegedSec case is concerning”.
Details remain scarce. SiegedSec disbanded in July 2024 after leaders at the Heritage Foundation warned that information about the hackers had been passed to the FBI. The bureau has not publicly announced an investigation or any charges.
Europol shuts Kidflix platform with child abuse content
German law enforcement, together with Dutch counterparts, took down Kidflix, one of the largest dark‑web platforms distributing CSAM. The operation began in 2022 and concluded on March 11, 2025, but details have only now been disclosed.
Over its course, 79 individuals were arrested, the identities of 1,393 suspects established, and more than 3,000 electronic devices seized. The site’s server was also confiscated.

Since its launch in 2021, Kidflix hosted more than 91,000 unique videos with a total length of 6,288 hours. It had more than 1.8 million users, who paid for content in cryptocurrencies and could earn internal tokens for activity.
Case materials have been forwarded to investigative authorities in 35 countries for follow-up with suspects.
Paradigm dissects cases involving North Korea’s leading crypto hackers
Paradigm published a detailed report on North Korean cybercriminal groups behind attacks on organisations and individuals worldwide.
Beyond the best-known Lazarus Group, the researchers describe Contagious Interview and Wagemole, which run a scheme hiring IT staff. The hackers steal a wide range of data, including cryptocurrencies.
AppleJeus distributes malware disguised as trading apps and crypto utilities, while Dangerous Password uses social engineering to target holders of digital assets.
The most sophisticated, the analysts say, is TraderTraitor, which picks victims among bitcoin exchanges and major industry firms, compromising them via highly engineered spear‑phishing.
US TikTok ban delayed
On April 4, US President Donald Trump extended by 75 days the deadline for TikTok owner ByteDance to sell its US assets to avoid a block. The head of state expressed hope for continued “good‑faith cooperation with China”.
Reuters, citing sources, reported that the Chinese side paused the deal after 54% tariffs were imposed on imports of its goods into the US.
Also on ForkLog:
- OKX will pay Malta’s regulator a fine of $1.2m.
- A US court fined CLS Global $428,059 for sham trading.
- Since the start of 2024, the crypto industry has lost $3.83bn to hacks.
- UPCX halted operations after an unauthorized $70m outflow.
- The zkLend hacker reported the loss of 2,930 ETH on a phishing site.
- 0xbow implemented Vitalik Buterin’s idea for an alternative to Tornado Cash.
- Smartphones that steal cryptocurrency appeared in unofficial stores.
- Chainalysis reported dark‑web platforms returning to bitcoin.
- Iranian security forces stole cryptocurrency worth $21m.
- A “sly attack” on the SIR.trading protocol led to TVL being wiped out.
- Analysts revealed details of the attack on Venus Protocol involving oracle manipulation.
- Experts found an Android trojan targeting crypto wallets.
- The creator of LIBRA and MELANIA began selling off assets.
What to read this weekend?
In ForkLog’s monthly digest, we discuss the fallout from the Bybit breach with Irakli Dizenko, an expert in deploying HAPI crypto‑security tools.