<h1>Telegram’s perilous ‘Security’, $4.7m hit to MetaMask and OKX, and other cybersecurity developments</h1>
<p>ForkLog, 8 February 2025. Source: <a href="https://forklog.com/en/telegrams-perilous-security-4-7m-hit-to-metamask-and-okx-and-other-cybersecurity-developments/">forklog.com</a>. Tags: cybersecurity digest, industry digests.</p>
<p>We round up the week’s most important cybersecurity news.</p>
<div class="wp-block-text-wrappers-keypoints article_keypoints">
<ul class="wp-block-list">
<li>MetaMask and OKX extensions in the AdsPower browser were compromised.</li>
<li>Telegram users were warned about messages from an account named “Security”.</li>
<li>A trojan targeting Bitcoin wallets slipped into app stores.</li>
<li>Hundreds of AI developers downloaded a stealer disguised as DeepSeek.</li>
</ul>
</div>
<h2 class="wp-block-heading"><strong>MetaMask and OKX extensions in the AdsPower browser hit by an attack</strong></h2>
<p>On January 21 attackers mounted a supply-chain attack on the privacy-focused AdsPower browser. According to the latest expert findings, the malicious code ultimately targeted the MetaMask and OKX wallet extensions shipped inside it.</p>
<blockquote class="twitter-tweet">
<p lang="en" dir="ltr">Might be one to watch for more information. Some info points to MetaMask (!) and OKX including malicious libraries. Based on the dates provided it could be OKX 3.39.9 and MetaMask 12.10.1. Will look into it deeper. <a href="https://t.co/htzB4nJ7df">https://t.co/htzB4nJ7df</a></p>
<p>— tuckner (@tuckner) <a href="https://twitter.com/tuckner/status/1887159293884899466?ref_src=twsrc%5Etfw">February 5, 2025</a></p>
</blockquote>
<p><a href="https://x.com/evilcos/status/1882990667062002081">According to</a> SlowMist analysts, the attackers embedded a backdoor in the browser that siphoned off seed phrases and private keys to steal cryptocurrencies.</p>
<p>The incident went unnoticed for three days, after which AdsPower developers removed the code and the targeted extensions from users’ browsers. Potential victims were notified and advised to move funds to safe addresses. Removing the malicious code does not undo the theft of a seed phrase that was already exfiltrated: any wallet whose phrase passed through the compromised extensions has to be treated as permanently compromised, and funds belong in a new wallet generated on a clean device.</p>
<p>Preliminary estimates put losses at around $4.7m. The investigation continues.</p>
<h2 class="wp-block-heading"><strong>Telegram users warned about messages from an account named “Security”</strong></h2>
<p>F.A.C.C.T. Threat Intelligence analysts <a href="https://t.me/F_A_C_C_T/3502">reported</a> a surge in a Telegram account-takeover scheme in which criminals send messages from a user called “Security”, with the messenger’s logo as the avatar. The aim is to convince the target that there has supposedly been an unauthorised login to their account.</p>
<p>The message contains a link “to enhance data protection”. Following it opens a phishing site that asks the user to log in to Telegram by scanning a QR code. Telegram’s QR login authorises whichever session generated the code, so a victim who scans it with the app signs the attackers’ session into their own account. Anyone who has scanned such a code should open the list of active sessions in the app’s Devices settings and terminate every session they did not start.</p>
<figure class="wp-block-image"><img decoding="async" src="https://lh7-qw.googleusercontent.com/docsz/AD_4nXcG4g0ksTEOTXwXWB360rRIuti6O7jXsMDxoLYtc277ALjvVsjZfabhBeoTNkfx5pVUQA-2rbolq7pnwByEytmUKvx9SyA8JHA3xcuphPBTWL8FvvyzeTrb-WYjgktgZGlRRqzTLw?key=m_qAfYD-c-VvWkLkMD5xEQYb" alt="Dangerous ‘security’ in Telegram, $4.7m hit to MetaMask and OKX, and other cybersecurity developments"/><figcaption class="wp-element-caption">Screenshot of the scammers’ message. Source: F.A.C.C.T.</figcaption></figure>
<p>In 2023, a similar service offering full export of a victim’s messages and content was advertised for $17,000 (over 1.5m roubles).</p>
<h2 class="wp-block-heading"><strong>Trojan targeting Bitcoin wallets found in app stores</strong></h2>
<p>Kaspersky Lab experts discovered SparkCat, a trojan aimed at stealing crypto wallet data, in the App Store, Google Play and on unofficial platforms.</p>
<blockquote class="twitter-tweet">
<p lang="en" dir="ltr">⚠️ A new mobile threat is on the rise! The <a href="https://twitter.com/hashtag/SparkCat?src=hash&amp;ref_src=twsrc%5Etfw">#SparkCat</a> malware is stealing sensitive data from iOS and Android users through OCR technology. Find out how it works and how to protect yourself.</p>
<p>Read more: <a href="https://t.co/RuXVT7jSus">https://t.co/RuXVT7jSus</a><br/> <a href="https://twitter.com/hashtag/MobileSecurity?src=hash&amp;ref_src=twsrc%5Etfw">#MobileSecurity</a> <a href="https://t.co/y4TZFhiDev">pic.twitter.com/y4TZFhiDev</a></p>
<p>— Kaspersky (@kaspersky) <a href="https://twitter.com/kaspersky/status/1887838930654953763?ref_src=twsrc%5Etfw">February 7, 2025</a></p>
</blockquote>
<p>The malware spreads as part of trojanised messengers, AI assistants and food-delivery apps.</p>
<p>Once on a device, SparkCat requests access to the photo library. It analyses the text in gallery images using optical character recognition (OCR), and when it finds what looks like a wallet recovery phrase it sends the image to the attackers. Anything else captured in screenshots, such as message content or passwords, is exposed in the same way. The observable signal is an app with no business reading the gallery (a chat client, a food-delivery app) asking for full photo access; both iOS and Android let the user grant access to selected photos only, which denies this kind of bulk sweep.</p>
<p>SparkCat targets users in the UAE, Europe and Asia. Apps with the embedded malicious module have been downloaded more than 242,000 times by Android users alone.</p>
<p>After Kaspersky notified them, Google and Apple removed the trojanised apps from their stores.</p>
<h2 class="wp-block-heading"><strong>Hundreds of AI developers downloaded a stealer masquerading as DeepSeek</strong></h2>
<p>Positive Technologies researchers <a href="https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/malicious-packages-deepseeek-and-deepseekai-published-in-python-package-index">found</a> two malicious packages, deepseek and deepseekai, in the Python Package Index (PyPI), masquerading as tools for AI developers.</p>
<p>When run on a developer’s machine, the packages stole user and system data along with API keys and other credentials granting access to infrastructure resources.</p>
<p>After being notified, PyPI immediately quarantined the packages and soon removed them completely. Despite the swift response, they had been downloaded by 222 developers, including in the US, China, Russia, Germany, Hong Kong and Canada.</p>
<p>Because of the risk of compromise, affected developers were advised to rotate API keys, authentication tokens and passwords immediately.</p>
<h2 class="wp-block-heading"><strong>Spanish police seized 50 crypto wallets from a suspect in hacks of NATO and the UN</strong></h2>
<p>In Alicante, a suspect <a href="https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=16448">was detained</a> and placed under house arrest over breaches at no fewer than 40 public and private organisations in Spain and the United States. The investigation into the cyberattacks has been under way since January 2024.</p>
<p>According to the agency, the suspect gained access to internal documents and databases containing personal information on employees and clients, and later sold them on hacker forums. Victims included Spain’s Civil Guard and Ministry of Defence, NATO, the UN, the US Army and several universities.</p>
<p><a href="https://www.youtube.com/watch?v=B2_0rEKVU0E">Video (YouTube)</a></p>
<p>During a search of the suspect’s home, police found and seized several computers, electronic devices and 50 cryptocurrency wallets containing various digital assets.</p>
<p>On the combined counts, the suspect faces up to 20 years in prison. Investigators are checking for links to other crimes and possible accomplices.</p>
<h2 class="wp-block-heading"><strong>Russia’s tax service explains how it stores data on Bitcoin mined domestically</strong></h2>
<p>Russia’s Federal Tax Service will restrict access to information about mined cryptocurrencies and miners’ address identifiers, State Duma deputy Anton Gorelkin <a href="https://t.me/webstrangler/4011">said</a> on his Telegram channel.</p>
<p>According to him, entrepreneurs are concerned about the safety of highly sensitive data, including wallet information. Gorelkin agreed that a leak could be “a big gift to geopolitical opponents”.</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>“At the FTS they assured me that the information is stored in a separate internal secure system, and access to it is seriously restricted even within the agency, and obtaining it from outside is practically impossible,” the official wrote.</p>
</blockquote>
<p>Citing specialists, Gorelkin concluded that the risk of sensitive data leaking from the tax authority’s internal systems “is reduced to zero today”.</p>
<p>Also on ForkLog:</p>
<ul class="wp-block-list">
<li>Phishers updated their methods for hunting Phantom users.</li>
<li>Tornado Cash developer Alexey Pertsev will be released on February 7.</li>
<li>Bitcoin ransomware revenues fell from $1.25bn to $813m.</li>
<li>A Coinbase executive suggested Kraken may reveal the identity of Satoshi Nakamoto.</li>
<li>Media: Durov’s case will not reach court before 2026.</li>
<li>Users lost funds due to a memecoin ad on Jupiter’s hacked X account.</li>
<li>Deribit will halt services for Russian clients to comply with sanctions.</li>
<li>In Ukraine, a crypto project “with 1,045% annual returns” was added to the unreliable list.</li>
<li>Ripple explained the reasons for the XRP Ledger outage.</li>
<li>DeepSeek under prohibition: in which countries the Chinese AI is restricted.</li>
<li>Over two months, Coinbase customers lost more than $65m to scammers.</li>
<li>A Canadian was charged with stealing $65m from KyberSwap and Indexed Finance.</li>
</ul>
<h2 class="wp-block-heading"><strong>What to read this weekend?</strong></h2>
<p>Together with a “Shard” expert, we examine how a liquidity provider can avoid losing seed capital and enriching fraudsters.</p>