
TronWeekly

Crypto World News


Cyber Security

Coinbase Launches $20M Bounty Countering Previous Ransom Threat

May 16, 2025 by Onyi

  • Coinbase refused to pay a $20 million ransom after a breach and instead launched a matching $20 million bounty for anyone who helps convict the hacker.
  • The hackers bribed overseas support staff to access limited user data, but so far, no passwords or funds were stolen.

Coinbase has taken a bold stand against cyber extortion by refusing to pay a $20 million ransom to unknown blackmailers. Coinbase recently suffered a platform breach, and the attackers sent a message claiming that they held confidential information about the platform.

The attack started on the 15th of May, when the CEO of Coinbase, Brian Armstrong, shared that the company had received an email in which the sender demanded $20 million. According to the email, the hackers warned that they would leak the private details of customers if the platform didn’t pay $20 million in Bitcoin. Instead of giving in, Armstrong publicly refused to pay and promised to hunt down those responsible.

How the Attackers Got Coinbase Customer Information

According to the company’s internal investigation, the attackers obtained data on a few users by bribing overseas Coinbase customer support staff, but the platform later confirmed that no passwords, wallets, or funds were affected. Armstrong also said that Coinbase will pay back all users who lost crypto through this attack. The company is also moving some of its support teams to new places, though Armstrong did not mention which ones will change.

During all of this, the company launched its own $20 million reward for anyone who can help find and convict the criminals. And as of the time of writing, law enforcement is now involved. Coinbase is also improving its safety systems to stop future threats. This move just shows Coinbase’s dedication to customer security and its zero-tolerance approach to digital blackmail. 


Filed Under: News, Cyber Security Tagged With: Coinbase, Coinbase bounty, Coinbase breach, Coinbase CEO

Telegram Silently Dismantles $27B Darknet Giant Haowang Guarantee

May 16, 2025 by Mutuma Maxwell

  • Telegram has shut down Haowang Guarantee, the largest known darknet marketplace operating on its platform.
  • The platform was formerly Huione Guarantee, responsible for billions in illicit crypto transactions.
  • Telegram banned thousands of accounts linked to the marketplace on May 13, forcing its permanent closure.

Telegram has closed down the huge darknet marketplace Haowang Guarantee after prohibiting thousands of connected accounts and channels. This May 13 clampdown took down all infrastructure associated with it, rendering its crypto-powered criminal activities dysfunctional. Telegram’s enforcement action forced the platform, which used to be called Huione Guarantee, to close down officially.

For a long time, the marketplace operated through Telegram and provided services for online fraud, cybercrime, and large-scale cryptocurrency laundering. Telegram purged the associated groups and vendor channels after reports raised the alarm about the platform’s illegal activity and high volume of transactions. As a result, the marketplace lost its operational functionality and informed its user community of its permanent closure.

Blockchain company Elliptic found over $27 billion worth of illicit crypto transactions connected to Haowang Guarantee, the majority processed through the stablecoin Tether. Telegram acted after a report by Wired and Elliptic described the platform’s role in fraud ecosystems. Authorities had earlier labeled the platform a money laundering outfit before it was shut down.

Telegram Takedown Ends Major Crypto Marketplace

Elliptic found that Haowang Guarantee was a driving force behind scams, identity theft, and phony crypto services throughout Southeast Asia and the world. It supplied infrastructure for pig butchering scams, deepfake tools, and equipment for scam call centers. Telegram was its main channel for communications, payments, and vendor management.

Huione Group owned the marketplace, processing more than $98 billion in crypto exchange over several years. Telegram channels associated with the group were vendor accounts, customer service bots, and private groups. These services facilitate activities prohibited by Telegram’s terms of service.

Thousands of accounts on Telegram were blocked, which compromised the operational backbone of Haowang Guarantee and hurt hundreds of affiliated vendors. The marketplace was unable to operate without access to its channels and users. This enforcement greatly diminished what was one of the biggest cybercrime havens in the world.

Xinbi Guarantee Grows as Telegram Stalls

Although Haowang Guarantee has been shut down, Xinbi Guarantee has emerged as a flourishing darknet market that operates on Telegram. Elliptic says that Xinbi has supported $8.4 billion worth of crypto transactions, predominantly through stablecoins. The most important channel for its illegal services is Telegram.

Researchers tied Xinbi to a U.S. company called Delinquent in January 2025. Telegram has not taken away Xinbi-related accounts yet, but analysts predict more account scrutiny after Haowang’s takedown. Tens of thousands of crypto addresses connected to Xinbi vendors have already been found.

The increasing use of Xinbi indicates sustained use of Telegram for crypto-supported black markets for cross-border financial crime. Elliptic cautioned that such platforms arise to create a China-based stablecoin money laundering network. Telegram continues to be under pressure to find and shut down these operations independently.

Filed Under: Cyber Security, News Tagged With: Blockchain, cyber crime, Telegram

TRON DAO X Account Hacked via Sophisticated Social Engineering Attack

May 4, 2025 by Ammar Raza

  • TRON DAO’s X account was breached through a social engineering attack, triggering a major response.
  • The hacker used the verified profile to spread malicious content, including phishing links and fake offers.
  • Investigation is ongoing, with law enforcement and key crypto platforms now involved.

On May 2, the official X account of TRON DAO was hacked in a highly coordinated online breach. This was not the result of a technical vulnerability but was instead a highly coordinated social engineering exploit.

We’re aware that our X account was compromised from 9:25 AM PST on May 2, 2025. During this time, an unauthorized party published a post containing a contract address (CA), sent direct messages (DMs), and followed various accounts unknown to us.

Please be reminded: TRON DAO will…

— TRON DAO (@trondao) May 3, 2025

One of the TRON DAO members was the target of the manipulation, allowing the attacker direct access to the verified account of the company. Upon entry, the malicious party did not waste any time, posting the scam contract address and sending direct messages to unsuspecting users, as well as following new accounts, all sure indicators of a phishing attempt in progress.

Cybersecurity expert Dana Ellis discusses how social engineering remains one of the most successful methods of intrusion because it’s based on human mistake instead of technical vulnerability. 

Here, the attacker used trust and urgency, taking advantage of in-house protocols to side-step traditional security measures. The credibility of the account was undermined in a matter of minutes as the attacker contacted the community in the name of official communication.

TRON Urges Caution After Swift Attack

TRON DAO responded immediately. Upon detection of the breach, the intruder’s access was cut off and access to the account was reclaimed. The damage, though, did not stop at regaining access. 

The intruder persisted with efforts to seek payment from outside users even after getting logged off, with the bogus cover of selling promotional posts from the hacked account.

The platform team promptly warned its community not to trust any contract addresses or unsolicited DMs sent on May 2. They also flagged known attacker-linked accounts, including two on X and one Telegram handle. 

Communications have since been established with law enforcement agencies to trace the source and bring legal action against the perpetrators. Despite the fast recovery, the incident exposed vulnerabilities that come with digital influence and social presence in the Web3 environment.

Scams Persist Despite TRON’s Fast Response

While TRON DAO received appreciation for their open communication and prompt action, the event has created shockwaves across the greater Web3 space. It highlights the perpetual danger of phishing and the need for individual caution, even by established players.

As one of the largest blockchains with more than 275 million account holders and a market cap of $23.5 billion, TRON’s reputation is one that draws in the attention of malicious actors.

The long-term effect on trust in the community is yet to be seen. In the meantime, TRON DAO has sent strong reminders that no one shares contract addresses with anyone or accepts funds through direct message.


Filed Under: News, Cyber Security Tagged With: Crypto phishing scam 2025, TRON DAO security breach, TRON DAO X account hack, TRON social engineering attack, Web3 cybersecurity incident

Lazarus Invades US Biz! Sanctions Shattered

April 25, 2025 by Lipika Deka

  • North Korean Lazarus Group registered US shell companies Blocknovas LLC and Softglide LLC using false identities to target crypto developers with malware.
  • This marks a rare instance of North Korean hackers legally registering US firms to launch cyberattacks, successfully compromising multiple victims.
  • The registration by the RGB, which manages North Korea’s cyber warfare, violates US and UN sanctions aimed at restricting Pyongyang’s financial activities.

Lazarus, North Korea’s notorious hacker group, has spread its tentacles once again. According to Reuters, the group has set up two shell companies, Blocknovas LLC and Softglide LLC, in New Mexico and New York using false identities. They also opened a third business, called Angeloper Agency, which does not appear to be registered in the United States.

By posing as recruiters, the duo target job applicants, especially crypto developers, and spread malware into their software. Cybersecurity firm Silent Push called it a rare case of North Korean hackers legally registering U.S. firms to launch cyberattacks, successfully compromising multiple victims.


The Lazarus Group is a part of the Reconnaissance General Bureau (RGB), which belongs to the Korean People’s Army (KPA). The RGB oversees all North Korean cyber warfare, including the hacks in the cryptocurrency industry. Besides Lazarus, RGB has other threat actors like AppleJeus, APT38, DangerousPassword, and TraderTraitor. 

Such activity shows the technical evolution of North Korean efforts in targeting the cryptocurrency sectors and funding the North Korean government. Besides stealing foreign currency via hacks, North Korea has reportedly dispatched thousands of IT workers abroad to bring in millions to finance Pyongyang’s nuclear missile programme, according to the United States, South Korea, and the United Nations.

Lazarus Exploiting Registration Loopholes for Illicit Activity

However, the presence of a North Korean-controlled company, registered by the RGB, in the United States is a gross violation of Office of Foreign Assets Control sanctions. It also violates United Nations sanctions that ban North Korean commercial activity designed to assist the isolated country’s government or military.

It shows how the current system allows for the easy formation of LLCs at the state level with minimal scrutiny of the true owners and their potential links to problematic foreign actors. This could easily be exploited for illicit activities, sanctions evasion, or other purposes detrimental to national security.

The FBI, on its part, has formed a separate unit to track and prevent these intrusions and has been conducting victim notifications for years now. Security experts like Samczsun, part of the SEAL 911 emergency response team, have actively worked with federal agents to identify and protect potential DPRK targets.

 

Filed Under: News, Crypto Scam, Cyber Security Tagged With: Lazarus Group, North Korea hackers, U.S

XRPL Hack Scare: What Developers Need to Know

April 23, 2025 by Lipika Deka

  • The XRPL JavaScript library (v4.2.1-4.2.4, v2.14.2) had a vulnerability potentially stealing private keys. Update to v4.2.5 immediately.
  • Researcher Charlie Eriksen found a “backdoor” in the XRPL library, posing a “catastrophic” supply chain risk via compromised NPM versions.
  • Despite this dependency issue, the core Ledger boasts over 2.8 billion secure transactions and growing institutional adoption.

The XRP Ledger Foundation has recently discovered a security vulnerability in the JavaScript library (v4.2.1–4.2.4 and v2.14.2) used to interact with the ledger that could steal crypto private keys. The Foundation has upgraded the code, released the patched version, v4.2.5, and removed the previously compromised version.

[Image. Source: Aikido Security]

While the issue affects only versions published on NPM, it poses a serious supply chain risk. The foundation has urged affected projects to update to the latest version. The issue was discovered by Aikido Security malware researcher Charlie Eriksen, who said this “backdoor” could lead to a “potentially catastrophic” supply chain attack.
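A lockfile check for the versions named above, as an added example that is not code from the article, the XRP Ledger Foundation, or Aikido Security. It assumes the library is installed under the npm package name xrpl and covers both the flat "packages" map of newer package-lock.json files and the nested "dependencies" tree of older ones; the two sample lockfiles are constructed for illustration.

```javascript
// Added example: find compromised xrpl releases pinned in a package-lock.json.
// Assumption: the library the article calls xrpl.js is the npm package "xrpl".
const PACKAGE_NAME = 'xrpl';
// Versions the article lists as compromised (v4.2.1-4.2.4 and v2.14.2).
const COMPROMISED = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);
const PATCHED = '4.2.5'; // patched release named in the article

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/xrpl" for a transitive copy.
function scanPackagesMap(packages, hits) {
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    const name = path.slice(idx + marker.length);
    if (name === PACKAGE_NAME && meta && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively so
// copies pulled in by other packages are found too.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (name === PACKAGE_NAME && COMPROMISED.has(meta.version)) {
      hits.push({ path: here.join(' > '), version: meta.version });
    }
    scanDependencyTree(meta.dependencies, here, hits);
  }
}

// Takes a parsed package-lock.json object and returns every pinned
// compromised copy, direct or transitive.
function findCompromisedXrpl(lock) {
  const hits = [];
  if (lock.packages) {
    scanPackagesMap(lock.packages, hits); // preferred: avoids double counting in v2 files
  } else {
    scanDependencyTree(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample: the direct dependency is patched, but a transitive
// copy is still pinned to a compromised release.
const SAMPLE_LOCK_V3 = {
  name: 'demo-wallet',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-wallet', dependencies: { xrpl: '^4.2.0' } },
    'node_modules/xrpl': { version: '4.2.5' },
    'node_modules/payments-sdk': { version: '1.0.0' },
    'node_modules/payments-sdk/node_modules/xrpl': { version: '4.2.3' },
    // Different package that happens to share a version string: not a hit.
    'node_modules/xrpl-helper': { version: '4.2.1' },
  },
};

// Constructed sample in the older nested format.
const SAMPLE_LOCK_V1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'legacy-tool': {
      version: '0.3.0',
      dependencies: { xrpl: { version: '2.14.2' } },
    },
    xrpl: { version: '4.2.5' },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const hit of findCompromisedXrpl(lock)) {
    console.log(`${lock.name}: ${hit.path} pins xrpl@${hit.version}; move to ${PATCHED}`);
  }
}
```

To check a real project, pass the result of JSON.parse on its package-lock.json contents to findCompromisedXrpl.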

XRP Ledger Devs and Projects—if you use the xrpl.js library, don’t update to or use ANY version 4.2.1 or higher. It’s compromised—any project utilizing the newest version is putting users and funds at risk! Please let EVERY project and developer know about this!

Cryptocurrencies are software projects that typically depend on external libraries, packages, or modules of pre-written code created by developers. These are the “code dependencies.” They handle specific functionalities, saving developers time and effort.

XRPL’s Robust Transaction History and Security Focus

Security experts have therefore emphasized the need to thoroughly examine and double-check these dependencies. This involves understanding what the external code does, where it comes from, its reputation, and whether it has known vulnerabilities.

“Double-check code dependencies, folks. In crypto, vigilance is as essential as innovation. Stay safe out there.”

Overall, the XRP Ledger has been proactive in tackling security threats and undertaking routine checks to look for any vulnerabilities. The blockchain has also seen robust growth, with adoption accelerating in multiple use cases. Institutions, decentralized finance (DeFi) platforms, and stablecoin issuers are all on-ramping more and more to XRPL’s infrastructure.

Jasmine Cooper, Head of Product at RippleX, recently highlighted network efficiency as the key driver of institutional attention. With more than 2.8 billion transactions settled and no security failures, XRPL is considered one of the most secure blockchain networks.

Filed Under: Blockchain, Cyber Security, News Tagged With: Hack, xrpl blockchain

Bybit Teams Up with Zodia Custody to Offer Segregated Asset Storage for Institutional Clients

April 4, 2025 by Sheila

  • Bybit lost $1.45B in a February 2025 hack, prompting stronger institutional safeguards.
  • Zodia Custody ensures full asset segregation, backed by Standard Chartered and SBI.
  • New custody deal removes need to pre-fund accounts, reducing exchange-related risk.

Cryptocurrency exchange Bybit has named Zodia Custody as its new partner to strengthen security and custodial options for institutions. The collaboration would help enhance the security of the assets since the February 2025 cyber heist, which cost Bybit $1.45 billion worth of digital assets.

Strengthening Custodial Security for Institutional Clients

By partnering with Zodia Custody, Bybit provides independent custody models to serve its institutional clients. Institutional clients can trade through Bybit while their assets are stored in secure Zodia Custody accounts. The independent fund segregation system creates two discrete vaults, which protect assets from co-mingling and reduce exchange-side risks.

Established in 2020, Zodia Custody receives financial backing from major institutions such as Standard Chartered Bank, SBI Holdings, and Northern Trust. It targets institutional investors by providing security measures and regulatory compliance through a specialized service design. With its solution, Zodia Custody enables institutional clients to eliminate the requirement of funding their exchange accounts in advance, thus reducing costs and reducing potential risks from keeping funds directly on the exchange.

A Response to Bybit’s Major Security Breach

This cooperation emerged shortly after Bybit encountered a security breach earlier this year. In February 2025, Bybit had its system vulnerabilities exploited by North Korean hackers commonly known as the Lazarus Group, who stole almost $1.5 billion worth of cryptocurrency. One of the largest in crypto history to date, this attack raised fears of security for digital assets on exchanges.

Bybit CEO Ben Zhou explained that about 20% of stolen funds remained untraceable because hackers utilized mixing services to hide their trail. This breach highlighted the need for strong security procedures as a warning to institutional investors, who are most likely to be attacked. Bybit has since worked to strengthen the security of its systems, one of the critical developments that led to the partnership with Zodia Custody.

The cooperation between Zodia Custody and Bybit creates a new standard for institutional cryptocurrency trading services. The partner agreement provides separate storage solutions and off-market payment platforms to overcome key security and capital effectiveness problems that institutional investors face. The regulatory-grade infrastructure at Zodia Custody provides secure trading solutions through SOC-certified systems, which allows institutions to operate in a fully compliant and safe environment.

Filed Under: News, Blockchain, Cyber Security Tagged With: Asset Storage, Bybit, Institutional Clients, Zodia Custody

Beyond Lazarus – North Korea’s “Dark Army” Stealing BILLIONS in Crypto

April 1, 2025 by Lipika Deka

  • Lazarus Group, part of DPRK’s RGB, orchestrates major hacks, including Sony and Bank of Bangladesh, demonstrating high technical skill.
  • TraderTraitor’s WazirX and Bybit hacks show a pattern: social engineering and malicious code to seize cold wallet control.
  • FBI’s dedicated unit tracks DPRK hackers; experts urge strong security measures like 2FA and password managers for protection.

The Bybit hack by North Korea’s Lazarus, deemed “the biggest hack in the history of crypto,” sparked a huge outcry, as no one expected such a level of technical prowess from the state-funded actors. Samczsun, a pseudonymous “crypto white hat hacker,” believes it is crucial to understand how the DPRK hackers operate, and to know their tactics and procedures, in order to mount safety guardrails.

The Lazarus group is a part of the Reconnaissance General Bureau (RGB), which belongs to the Korean People’s Army (KPA). The RGB manages all North Korean cyber warfare, including the hacks in the cryptocurrency industry.

Besides Lazarus, RGB has other threat actors like AppleJeus, APT38, DangerousPassword, and TraderTraitor. The Lazarus group first came into notoriety in 2014 after the Sony Pictures Entertainment (Sony) hack. Enraged by Sony’s film on Kim Jong Un, the group stole terabytes of data and deleted the original copies.

North Korea’s Cyber Command Structure

Then in 2016, Lazarus compromised the Bank of Bangladesh’s internal network to access the SWIFT network and initiate transfer requests to the New York Federal Reserve, looting almost 1 billion USD. In all these incidents, the hacker group has shown a high level of technical adeptness before turning their attention to the cryptocurrency industry.

[Image: Lazarus. Source: ardizor]

During this time, the DPRK cyberactivity industry began assigning different activities to these threat actors. For instance, APT38 targeted banks first in 2016, then cryptocurrency later. Then, in 2018, AppleJeus started spreading malware targeting cryptocurrency users.

Since 2023, AppleJeus has mounted complex supply chain attacks and later evolved into impersonating a trusted contractor. Likewise, DangerousPassword employed social engineering-based attacks within the cryptocurrency industry. However, the most lethal among them is TraderTraitor, which exclusively preys on exchanges and other companies with big reserves (Axie Infinity and Rain.com).

TraderTraitor’s Cold Wallet Tactics

In the recent WazirX hack, this threat actor tricked engineers into signing a transaction that transferred control of their cold wallet over to them. This attack resembles the Bybit hack, where TraderTraitor first breached the Safe Wallet infrastructure via a social engineering attack before sending malicious JavaScript to the cold wallet. 

When Bybit attempted to rebalance its wallets, the malicious code was triggered, deceiving engineers into signing a transaction and handing over control of their cold wallet. Such brazen attacks have put TraderTraitor at the forefront of security agencies’ attention.

Countering the Threat

The FBI has established a separate unit to track and prevent these intrusions and has been conducting victim notifications for years now. Security experts like Samczsun, part of the SEAL 911 emergency response team, have actively worked with federal agents to identify and protect potential DPRK targets. 

With looming threats, on-chain sleuths recommend using a password manager and 2FA as the first line of defense against such increasingly sophisticated attacks.

Filed Under: Cyber Security, News Tagged With: Hackers, Lazarus, North Korea

Abracadabra.Money Hit by $13 Million Exploit Amid GMX Integration Breach

March 26, 2025 by Sheila

  • $13 million in Ethereum stolen from Abracadabra.Money’s GMX-integrated pools.
  • GMX’s core contracts remain secure, limiting the exploit to Abracadabra’s cauldrons.
  • Stolen funds moved from Arbitrum to Ethereum, dispersed across three addresses.

A massive security failure resulted in digital thieves obtaining approximately $13 million from decentralized finance operations. On March 25, PeckShield reported that attackers had struck Abracadabra.Money smart contracts and their GMX V2 integration. The thieves moved the stolen 6,260 Ethereum (ETH) through Arbitrum and then from that network to Ethereum via a blockchain bridge.

[Image. Source: PeckShield]

The Impact on GMX and Abracadabra

Abracadabra.Money, a DeFi platform specializing in lending and borrowing, was the protocol at the center of the hack. The exploit hit Abracadabra’s “cauldrons,” smart contracts designed to facilitate DeFi activities including lending and liquidity provision. These cauldrons rely on GMX’s V2 liquidity pools, which were used in this instance, compromising the integration.

GMX’s core contracts initially experienced challenges, yet GMX clarified the situation through one of its representatives. GMX communications contributor Jonezee assured the community about the safety of GMX contracts. Jonezee clarified that the breach affected only Abracadabra’s GMX V2 pools and did not impact the GMX platform. The statement was intended to reassure users regarding GMX’s general security framework.

Exploit Methodology and Stolen Funds Movement

Crypto forensics firm AMLBot provided insight into the mechanics of the hack. According to their investigation, the hacker funded an address using the Tornado Cash cryptocurrency mixer before the attack. The stolen Ethereum was then moved through the Arbitrum network and bridged to Ethereum. The stolen funds were subsequently distributed across three separate addresses.

[Image. Source: AMLBot]

The breach at Abracadabra.Money only affected their smart contracts, but general concerns exist about security within integrated DeFi protocols. Abracadabra.Money experienced a security breach shortly after losing $6.49 million through a similar incident while its Magic Internet Money (MIM) stablecoin lost its peg to the US dollar.

After the breach, the Abracadabra.Money team declared their commitment to investigating the incident. GMX users received confirmation that its contracts remained free from any issues. DeFi platforms are exposed to attack mainly when they work with multiple protocols. The investigation teams from GMX and Abracadabra are dedicated to detecting the source of the breach while building prevention measures against future attacks.

Filed Under: News, Cyber Security, Industry Tagged With: Abracadabra.Money, Ethereum (ETH), GMX, Hack

Tornado Cash Cleared from OFAC Sanctions List, But Legal Challenges Continue

March 22, 2025 by Sheila

  • U.S. Treasury removes Tornado Cash from OFAC sanctions after court ruling on smart contracts.
  • Tornado Cash token surges 40% following U.S. Treasury’s delisting announcement.
  • U.S. Treasury maintains sanctions on Tornado Cash founder despite delisting addresses.

On March 21, 2025, the U.S. Treasury Department declared its decision to drop cryptocurrency service Tornado Cash from its sanctions list. The Office of Foreign Assets Control (OFAC) first placed Tornado Cash on its sanctions list in 2022 because it gave North Korean hackers and other criminal actors opportunities to launder stolen funds. The decision followed a federal court ruling made in late 2024 which stated that OFAC exceeded its regulatory power by sanctioning Tornado Cash smart contracts.

Legal Challenges and Court Rulings

Tornado Cash faced intensifying legal challenges when the government placed it on the sanctions list. Tornado Cash functions as an Ethereum-based platform for decentralized mixing which blends cryptocurrency payments between users thus creating difficult-to-track financial transactions. The U.S. government declared in 2022 that the cryptocurrency mixer allowed North Korean hacker group Lazarus along with other criminals to launder over $7 billion from its platform.

However, in November 2024, a decision by the Fifth Circuit Court of Appeals stated that OFAC had overstepped its authority. The court said that the crypto mixer’s smart contracts were not “property” and cannot be restricted by using the International Emergency Economic Powers Act (IEEPA). This set the precedent for the Treasury Department’s subsequent decision to de-list Tornado Cash from its list of Specially Designated Nationals (SDN). Another legal decision in January 2025 further strengthened the idea that it was impossible to exert control over Tornado Cash as if it were stock.

[Image. Source: OFAC]

Ongoing Concerns and Future Monitoring

The U.S. Treasury Department has ended sanctions against the cryptocurrency mixer but continues active monitoring of money laundering incidents that involve North Korean hacking groups. The Treasury Department warned about digital assets used by cybercriminals to steal funds from cryptocurrency platforms while the Lazarus Group remains among the top concerns.

Following the delisting announcement its token (TORN) value experienced a substantial increase that resulted in a price boost of 40% within a short period. Treasury Secretary Scott Bessent clarified that although the U.S. government would keep monitoring digital assets it would actively work to stop abuse. The Treasury kept a neutral attitude to cryptocurrency innovation yet emphasized that maintaining privacy must coexist with national security requirements.

Filed Under: News, Cyber Security, Industry Tagged With: OFAC, Smart Contracts, Tornado Cash, U.S. Treasury

Lazarus Group Transfers 400 ETH and Launches New Cyber Attacks

March 14, 2025 by Onyi

  • Lazarus Group transferred 400 ETH ($750,000) to Tornado Cash and laundered $2.91 billion through THORChain within the last five days.
  • They have also infected the NPM ecosystem with harmful packages like “BeaverTail” to steal credentials and access crypto wallets.

Lazarus Group, linked to North Korea, continues to launder crypto by moving different tokens and using fresh malware to attack developers and steal digital assets.

On March 13, blockchain security company CertiK shared a post on its X account stating that it had detected a deposit of 400 ETH, valued at about $750,000, into Tornado Cash.

#CertiKInsight 🚨

We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.

The fund traces to the Lazarus group's activity on the Bitcoin network.

Stay Vigilant! pic.twitter.com/IHwFwt5uQs

— CertiK Alert (@CertiKAlert) March 13, 2025

The funds transferred were linked to Lazarus Group’s activities on the Bitcoin network. The North Korean hacking organization has been involved in various crypto breaches, including the $1.4 billion Bybit attack in February.

Lazarus Group’s Use of Malware and Crypto Laundering Techniques 

Another cybersecurity firm has also found out that Lazarus Group released six harmful packages to infect developer systems, steal their credentials, access crypto data, and install hidden access points. 

According to the firm, the hackers targeted the Node Package Manager (NPM) ecosystem, which contains many JavaScript libraries. A particular malware named “BeaverTail” was embedded in packages designed to look like real ones, using typosquatting techniques to trick developers.

In simpler terms, the hackers attacked NPM, a place with many JavaScript tools, and hid a bad program called “BeaverTail” inside fake files to fool developers.

After the attack, the group tried to hide the stolen assets through different methods, including using THORChain, a decentralized exchange that does not need any identity verification. 

Reports show that within five days, about $2.91 billion passed through THORChain, which made it difficult to track and recover the stolen funds.

Lazarus Group has been scamming different crypto founders with fake Zoom calls. They pose as investors, send false meeting links and claim there are sound problems. Once the victims download a supposed fix, the malware infects their whole device. Most of the malware targets crypto wallets, especially Solana and Exodus.

Security experts say many have fallen for this trick. Chainalysis reports that the Lazarus Group has stolen over $1.3 billion in crypto from 47 attacks in 2024, more than twice the amount they stole in 2023. 


Filed Under: News, Crypto Scam, Cyber Security Tagged With: Ethereum (ETH), Lazarus Group


Copyright © 2025 · Tron Weekly. All Rights Reserved. NOTE: Tron Weekly is an independent crypto news site that adheres to the strict journalism policy anchored on transparency, trust, and objectivity, we have no affiliation with the TRON Foundation, its founder Justin Sun or any other cryptocurrency firm.