{"id":21848,"date":"2025-03-08T07:00:00","date_gmt":"2025-03-08T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/ripple-co-founder-wallet-hack-ethereum-stealing-pypi-package-and-other-cybersecurity-highlights\/"},"modified":"2025-03-08T07:00:00","modified_gmt":"2025-03-08T05:00:00","slug":"ripple-co-founder-wallet-hack-ethereum-stealing-pypi-package-and-other-cybersecurity-highlights","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ripple-co-founder-wallet-hack-ethereum-stealing-pypi-package-and-other-cybersecurity-highlights\/","title":{"rendered":"Ripple co-founder wallet hack, Ethereum-stealing PyPI package, and other cybersecurity highlights"},"content":{"rendered":"<p>We have compiled the week\u2019s key cybersecurity stories.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>ZachXBT linked a $23.6 million crypto seizure to the hack of Ripple\u2019s co-founder\u2019s wallet.<\/li>\n<li>A malicious package on PyPI was found stealing Ethereum.<\/li>\n<li>Fake DeepSeek sites spread stealers and backdoors.<\/li>\n<li>Telegram Stars and NFTs are driving account theft.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>ZachXBT linked a $23.6 million crypto seizure to the hack of Ripple co-founder\u2019s wallet<\/strong><\/h2>\n<p>US authorities <a href=\"https:\/\/legacy.www.documentcloud.org\/documents\/25555236-merged_42402_-1-1741359918\">seized<\/a> $23.6 million in cryptocurrencies stolen after an online password manager was breached in 2022. According to court filings, from June 2024 to February 2025 law enforcement tracked the pilfered assets across OKX, Payward Interactive, Inc. 
(operated by Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (operated by FixedFloat), SwapSpace LLC and Rabbit Finance LLC (operated by CoinRabbit).<\/p>\n<p>Investigators did not name the password manager, but the complaint says the platform suffered \u201ctwo major data breaches\u201d in August and November 2022. That timeline aligns with incidents at LastPass.<\/p>\n<p>On-chain sleuth ZachXBT <a href=\"https:\/\/t.me\/investigations\/232\">wrote<\/a> that the seizure is connected to the <a href=\"https:\/\/forklog.com\/en\/news\/ripple-suspected-of-losing-112-million-in-hack\">theft of $150 million<\/a> (283 million XRP) from Ripple co-founder Chris Larsen in January 2024.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe reason for Larsen\u2019s wallet compromise was storing private keys in LastPass. Until now, he had not publicly disclosed the cause of the theft,\u201d the researcher noted.<\/p>\n<\/blockquote>\n<p>LastPass, in comments to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach\/\">Bleeping Computer<\/a>, said that, so far, law enforcement \u201chas not provided any compelling evidence linking any cryptocurrency thefts to our incident.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Malicious package on PyPI found stealing Ethereum<\/strong><\/h2>\n<p>Researchers at Socket discovered a malicious Python Package Index (PyPI) package, \u201cset-utils,\u201d that steals Ethereum private keys. Since January 2025 it has been downloaded more than 1,000 times, though the number of potential victims may be significantly higher.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The Socket Research team has discovered a malicious PyPI package stealing Ethereum private keys by exfiltrating them through blockchain transactions via the Polygon RPC. 
<a href=\"https:\/\/t.co\/0VMfXHcXpT\">https:\/\/t.co\/0VMfXHcXpT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Python?src=hash&#038;ref_src=twsrc%5Etfw\">#Python<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Ethereum?src=hash&#038;ref_src=twsrc%5Etfw\">#Ethereum<\/a><\/p>\n<p>\u2014 Socket (@SocketSecurity) <a href=\"https:\/\/twitter.com\/SocketSecurity\/status\/1897393165080175004?ref_src=twsrc%5Etfw\">March 5, 2025<\/a><\/p><\/blockquote>\n<p>The package masquerades as a Python utility, imitating the popular \u201cpython-utils\u201d (712 million downloads) and \u201cutils\u201d (23.5 million installs). The attacks target blockchain developers using the \u201ceth-account\u201d library to manage wallets, Python-based DeFi projects and Ethereum-enabled Web3 applications.<\/p>\n<p>The attackers hook into standard Ethereum wallet-creation functions to intercept private keys as they are generated on a compromised device. Funds are exfiltrated via the Polygon blockchain.<\/p>\n<p>At the time of writing, the malicious package has been removed from PyPI. 
Users who imported it into their projects are advised to move their assets to a safe address.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Fake DeepSeek sites spread stealers and backdoors<\/strong><\/h2>\n<p>Kaspersky Lab specialists found several clusters of phishing pages cloning the official <a href=\"https:\/\/forklog.com\/en\/news\/deepseek-the-new-ai-front-runner-and-culprit-behind-cryptos-sell-off\">DeepSeek<\/a> chatbot website.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Malware instead of DeepSeek<\/p>\n<p>The release of the DeepSeek R1 language model was a major event\u2026 for cybercriminals. 
In short order they organized several campaigns aimed at infecting as many computers as possible with stealers and backdoors, disguised as the popular new AI.<\/p>\n<p>\u2026 <a href=\"https:\/\/t.co\/MqQg4rV2dc\">pic.twitter.com\/MqQg4rV2dc<\/a><\/p>\n<p>\u2014 Kaspersky (@Kaspersky_ru) <a href=\"https:\/\/twitter.com\/Kaspersky_ru\/status\/1897595220969111683?ref_src=twsrc%5Etfw\">March 6, 2025<\/a><\/p><\/blockquote>\n<p>In the first campaign, fake sites distributed a Python stealer by prompting installation of a non-existent DeepSeek client for Windows. 
The malware siphons browser cookies and sessions, logins and passwords for various services, files with specified extensions, and cryptocurrency wallet information.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXfhbb37iSIuUlpsyhbqjcztMiRhI5JPd1TFXwy7qVLuvPCygjFUw4m2IYKZWoQ8hK-_XeH63XuLvM9nevS20ca78oWG6OUqyUM1X70yDEG1Ko53AUXPAGmpjG3-i151pWhe9KBICg?key=a0xHzcM6QpfvCKlrsOGU7MxA\" alt=\"The mystery of the Ripple ex-chief\u2019s hack, Ethereum theft in a library and other cybersecurity events\"\/><figcaption class=\"wp-element-caption\">Screenshot of a fake site. Data: Kaspersky Lab.<\/figcaption><\/figure>\n<p>In the second scheme, the main vector for distributing links to fraudulent sites was X. 
One post, published in the name of an Australian company, garnered 1.2 million views and more than a hundred reposts.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXf6mGPWXNkapspYjUE9WS90ukBVHeKyA6dl9NdJiMDEzOxCmxpIL9WgZj-X-Vwe2R43ubDE6w53GGpHNjGgU8XrFB95r9aPwn6U8CiAJBHuF0wBAVk8gdtrXUR_u0DcXGLn_4CMCQ?key=a0xHzcM6QpfvCKlrsOGU7MxA\" alt=\"The mystery of the Ripple ex-chief\u2019s hack, Ethereum theft in a library and other cybersecurity events\"\/><figcaption class=\"wp-element-caption\">Data: Kaspersky Lab.<\/figcaption><\/figure>\n<p>The third campaign targets technically savvy users. The payload is disguised as the Ollama framework for running large language models locally. 
Ultimately, it installs a modified Farfli backdoor on the victim\u2019s device.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Britain to probe TikTok and Reddit over children\u2019s data handling<\/strong><\/h2>\n<p>The UK Information Commissioner\u2019s Office (ICO) <a href=\"https:\/\/ico.org.uk\/about-the-ico\/media-centre\/news-and-blogs\/2025\/02\/investigations-announced-into-how-social-media-and-video-sharing-platforms-use-uk-children-s-personal-information\/\">launched an investigation<\/a> into TikTok, Imgur and Reddit regarding their compliance with privacy rules for underage users.<\/p>\n<p>At this stage the watchdog is assessing whether any data-protection laws were breached, and what information the services use to estimate user age.<\/p>\n<p>If sufficient evidence of violations is found, the ICO intends to seek explanations from the companies before deciding on any enforcement action.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Telegram Stars and NFTs are fuelling account theft<\/strong><\/h2>\n<p>Analysts at F6 <a href=\"https:\/\/t.me\/f6_cybersecurity\/3552\">recorded<\/a> a rise in account theft on the Telegram messenger. In the second half of 2024, a single group stole more than 1.24 million accounts, up 25.5% on the same period of 2023.<\/p>\n<p>Among the targets are the Telegram Stars digital currency and collectible virtual gifts, including NFTs. They are typically transferred to mule accounts and sold.<\/p>\n<p>The average price of accounts registered to Russian numbers is about 160 rubles. The price varies depending on whether the account has a premium subscription, admin rights in channels and how many chats it belongs to.<\/p>\n<p>To build phishing pages, attackers use web panels or Telegram bots. Users are lured with cash prizes, security warnings, gift premium subscriptions, polls or access to private channels.<\/p>\n<p>Often, as part of a combo scheme, a stolen account automatically begins spreading scam links. 
These lead to phishing pages ostensibly for compiling a CV. To \u201csend it to the employer,\u201d the victim must sign in via Telegram.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Apple users in 117 countries notified of spyware attacks<\/strong><\/h2>\n<p>Apple notified users in 117 countries that they were targets of targeted attacks using mobile spyware. Amnesty International experts reported the alerts.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">NEW: Apple threat notifications <\/p>\n<p>Apple have just sent a new round of notifications to individuals targeted by highly-invasive mobile spyware.<\/p>\n<p>Reach out to our team at <a href=\"https:\/\/twitter.com\/amnesty?ref_src=twsrc%5Etfw\">@Amnesty<\/a>&#8216;s Security Lab or trusted experts if you received this critical warning.<a href=\"https:\/\/t.co\/h0jQRXcziE\">https:\/\/t.co\/h0jQRXcziE<\/a><\/p>\n<p>\u2014 Amnesty Tech (@AmnestyTech) <a href=\"https:\/\/twitter.com\/AmnestyTech\/status\/1897355124890329141?ref_src=twsrc%5Etfw\">March 5, 2025<\/a><\/p><\/blockquote>\n<p>Such notifications typically do not disclose the identities of the attackers or the specific countries affected.<\/p>\n<p>In 2024 Apple sent similar notifications twice.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Garantex <a href=\"https:\/\/forklog.com\/en\/news\/garantex-halts-operations-following-usdt-wallet-freeze\">suspended operations<\/a> due to a USDT freeze. The US Department of Justice published a <a href=\"https:\/\/forklog.com\/en\/news\/us-justice-department-reports-on-garantex-domain-seizure\">report<\/a> on the investigation. 
An expert explained the <a href=\"https:\/\/forklog.com\/en\/news\/expert-analyzes-impact-of-garantex-wallet-blockade\">implications<\/a>.<\/li>\n<li>A <a href=\"https:\/\/forklog.com\/en\/news\/outdated-1inch-smart-contract-vulnerability-leads-to-5-million-loss-hacker-returns-assets\">vulnerability<\/a> in an outdated 1inch smart contract led to a $5 million loss. The hacker returned the assets.<\/li>\n<li>In Russia, cryptocurrencies were called <a href=\"https:\/\/forklog.com\/en\/news\/russian-official-labels-cryptocurrencies-as-sanctions-evasion-tool\">\u201ca tool to circumvent sanctions\u201d<\/a>.<\/li>\n<li>Argentina\u2019s prosecutor\u2019s office took <a href=\"https:\/\/forklog.com\/en\/news\/argentine-prosecutor-moves-to-freeze-100-million-linked-to-libra\">measures to freeze<\/a> $100 million linked to LIBRA.<\/li>\n<li>Wallets of the Nemesis darknet marketplace <a href=\"https:\/\/forklog.com\/en\/news\/us-sanctions-target-darknet-marketplace-nemesis-wallets\">came under US sanctions<\/a>.<\/li>\n<li>Bybit urged ParaSwap to <a href=\"https:\/\/forklog.com\/en\/news\/bybit-urges-paraswap-to-return-profits-from-lazarus-transactions\">return profits<\/a> from Lazarus transactions.<\/li>\n<li>An OnlyFans model was the victim of an armed <a href=\"https:\/\/forklog.com\/en\/news\/onlyfans-model-targeted-in-armed-crypto-heist\">attack<\/a> over cryptocurrency.<\/li>\n<li>Bybit\u2019s CEO: <a href=\"https:\/\/forklog.com\/en\/news\/bybit-ceo-20-of-stolen-assets-have-gone-dark\">20% of stolen assets<\/a> \u201cwent into the shadows.\u201d<\/li>\n<li>THORChain swap volume <a href=\"https:\/\/forklog.com\/en\/news\/thorchain-swap-volume-surpasses-4-6-billion-following-bybit-hack\">exceeded $4.6 billion<\/a> after the Bybit hack.<\/li>\n<li>Scammers tricked Britons into revealing seed phrases and <a href=\"https:\/\/forklog.com\/en\/news\/fraudsters-deceive-britons-out-of-seed-phrases-steal-1-2-million-in-cryptocurrency\">stole<\/a> $1.2 million in 
crypto.<\/li>\n<li>A court <a href=\"https:\/\/forklog.com\/en\/news\/court-dismisses-sec-lawsuit-against-hex-founder\">dismissed a lawsuit<\/a> by the SEC against the HEX founder.<\/li>\n<li>In the US, more than 1,200 bitcoin ATMs were <a href=\"https:\/\/forklog.com\/en\/news\/over-1200-bitcoin-atms-shut-down-in-the-us-over-three-days\">shut down<\/a> in three days.<\/li>\n<li>Ronaldinho launched the STAR10 token. Smart-contract researchers warned of <a href=\"https:\/\/forklog.com\/en\/news\/ronaldinho-launches-star10-token-amidst-smart-contract-risk-warnings\">risks<\/a>.<\/li>\n<li>Victims of a <a href=\"https:\/\/forklog.com\/en\/news\/us-authorities-to-return-8-2-million-to-crypto-scam-victims\">crypto scam<\/a> in the US will receive $8.2 million back.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>We examine the negative impact of memecoins on the crypto industry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the week\u2019s key cybersecurity stories. ZachXBT linked a $23.6 million crypto seizure to the hack of Ripple\u2019s co-founder\u2019s wallet. A malicious package on PyPI was found stealing Ethereum. Fake DeepSeek sites spread stealers and backdoors. Telegram Stars and NFTs are driving account theft. 
ZachXBT linked a $23.6 million crypto seizure to the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21847,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-21848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"110","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=21848"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21848\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/21847"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=21848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=21848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=21848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}