Latest news with #ByBit

Mint
4 days ago
- Business
- Mint
Why are North Korean hackers such good crypto-thieves?
FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm's accounts, a "typical manoeuvre" performed while servicing more than 60m users around the world. Half an hour later he got a phone call. "Ben, there's an issue," his chief financial officer said, voice shaking. "We might be hacked…all of the Ethereum is gone." Independent investigators and America's Federal Bureau of Investigation (FBI) soon pointed the finger at a familiar culprit: North Korea.

Hackers from the hermit kingdom have established themselves as one of the biggest threats to the crypto-industry—and as a crucial source of revenue for Kim Jong Un's regime, helping it to weather international sanctions, to pamper its elites and to fund its missile and nuclear-weapons programmes. In 2023 North Korean hackers made off with a total of $661m, according to Chainalysis, a crypto-investigations firm; they doubled the sum in 2024, racking up $1.34bn across 47 separate heists, an amount equivalent to more than 60% of the global total of stolen crypto. The ByBit operation indicates a growing degree of skill and ambition: in a single hack, North Korea swiped the equivalent of $1.5bn from the exchange, the largest-ever heist in the history of cryptocurrency.

North Korea's plunder is the payoff from a decades-long effort. The country's first computer-science schools date back to at least the 1980s. The Gulf War helped the regime recognise the importance of networked technology for modern warfare. Talented maths students were put into special schools and given reprieves from mandatory annual countryside labour, says Thae Yong Ho, a senior North Korean diplomat who defected in 2016. Originally envisaged as a tool for espionage and sabotage, North Korea's cyber-forces began to focus on cybercrime in the mid-2010s. Mr Kim is said to call cyberwarfare "an all-purpose sword".

Stealing crypto involves two main phases. The first is breaching a target's systems—the digital equivalent of finding an underground passageway to a bank's vaults. Phishing emails can insert malicious code. North Korean operatives pose as recruiters and entice software developers to open infected files during fake job interviews. Another approach involves using fake identities to get hired at remote IT jobs with foreign companies, which can be a first step to accessing accounts. "They've become really good at finding vulnerabilities through social engineering," says Andrew Fierman of Chainalysis. In the ByBit case, hackers compromised the computer of a developer working for a provider of digital wallet software.

Once stolen, the cryptocurrency has to be laundered. Dirty money is spread across multiple digital wallets, combined with clean funds and transferred between different cryptocurrencies, processes known in the industry as "mixing" and "chain hopping". "They're the most sophisticated crypto launderers we've ever come across," says Tom Robinson of Elliptic, a blockchain-analytics firm. Finally, the stolen funds need to be cashed out. A growing array of underground services, many linked to Chinese organised crime, can help with this. Fees and interdictions by law enforcement reduce the overall take, but North Korea can expect to receive "definitely 80%, maybe 90%" of the funds it steals, says Nick Carlsen, a former FBI analyst now with TRM Labs, a blockchain-intelligence firm.

North Korea has several strengths. One is talent. This could appear counterintuitive: the country is desperately poor and ordinary citizens have severely restricted access to the internet or even computers. But "North Korea can take the best minds and tell them what to do," says Kim Seung-joo of the school of cybersecurity at Korea University in Seoul. "They don't have to worry about them going to work at Samsung." At the International Collegiate Programming Contest in 2019, a team from a North Korean university came eighth, beating those from Cambridge, Harvard, Oxford and Stanford. Those talents are also exploited. North Korean hackers work around the clock.

They are unusually brazen when they strike. Most state actors seek to avoid diplomatic blowback and "operate like they're in Ocean's 11: white gloves, get in without anyone noticing, steal the crown jewel, get out without being noticed," says Jenny Jun of the Georgia Institute of Technology. North Korea does not "place a premium on secrecy—they're not afraid to be loud."

For the North Korean regime, stolen crypto has become a lifeline, especially as international sanctions and the covid-19 pandemic crimped its already limited trade. Crypto-thievery is a more efficient way to earn hard currency than traditional sources, such as overseas labourers or illegal drugs. The United Nations Panel of Experts (UNPE), a monitoring body, reported in 2023 that cyber-theft accounted for half of North Korea's foreign-currency revenue. North Korea's digital plunder last year was worth more than three times the value of its exports to China, its main trade partner. "You take what took millions of labourers, and you can replicate that with the work of a few dozen people," says Mr Carlsen. Those funds prop up the regime. Hard currency is used to purchase luxury goods to keep elites in line. It also probably funds weapons. The majority of North Korea's stolen crypto is thought to flow into its missile and nuclear-weapons programmes.

Cryptocurrency investigators are getting better at tracking stolen funds along the blockchain. Mainstream cryptocurrency exchanges and stable-coin issuers often co-operate with law enforcement to freeze stolen funds. In 2023 America, Japan and South Korea announced a joint effort aimed at countering North Korean cybercrime. America has sanctioned several "mixing" service providers that North Korea has used.

Yet authorities remain a step behind. After America sanctioned North Korea's favoured mixers, the hackers switched to others offering similar services. Tackling the problem requires multilateral efforts across governments and the private sector, but such collaboration has been fraying. Russia used its UN veto to gut the UNPE last year. President Donald Trump's cuts to American development aid have hit programmes aimed at building cyber-security capacity in vulnerable countries.

By contrast, the North Korean regime is throwing ever more resources at cybercrime. South Korea's intelligence services reckon its cybercrime force grew from 6,800 people in 2022 to 8,400 last year. As the crypto-industry expands in countries with weaker regulatory oversight, North Korea has an increasingly "rich target environment", says Abhishek Sharma of the Observer Research Foundation, an Indian think-tank. Last year, Mr Sharma notes, North Korea attacked exchanges based in India and Indonesia. North Korea is already known to be making use of artificial intelligence in its operations. AI tools can help make phishing emails more convincing and easier to produce at scale across many languages. They can also make it easier to infiltrate companies as remote tech workers. Bad days like Mr Zhou's may become increasingly typical.


Scoop
09-05-2025
- Business
- Scoop
Weaponizing Facebook Ads: Inside The Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands
A persistent malvertising campaign is plaguing Facebook, leveraging the reputations of well-known cryptocurrency exchanges to lure victims into a maze of malware. Since Bitdefender Labs started investigating, this evolving threat has posed a serious risk by deploying cleverly disguised front-end scripts and custom payloads on users' devices, all under the guise of legitimate cryptocurrency platforms and influencers. This report unveils how the attackers use advanced evasion tactics, mass brand impersonation, and sophisticated user-tracking methods to bypass conventional defences and maintain a large pool of victims.

Key Findings

- Ongoing attack: This malvertising campaign has been operating for several months, consistently producing new advertisements. It heavily leverages the imagery and trust associated with cryptocurrency brands, and it remains active with fresh ads appearing regularly.
- Front-end–back-end collaboration: Malware is delivered via covert communication between the malicious website's front end and the local host, a method that evades detection by most security vendors. By orchestrating malware deployment through a seemingly harmless intermediary, attackers remain stealthy.
- Mass brand impersonation: Researchers at Bitdefender Labs identified hundreds of ads impersonating trusted cryptocurrency exchanges and trading platforms, including Binance and TradingView. By mimicking well-known brands, the attackers drastically increase the odds that victims will click the malicious ads.
- Advanced tracking and evasion: The threat actors use sophisticated anti-sandbox checks, only delivering malware to users who meet specific demographic or behavioural profiles. Query parameters related to Facebook Ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content.

Campaign and malware delivery

Cybercriminals use Meta's ad network to tout quick financial gains and crypto bonuses, with some ads seeking to bolster credibility by featuring the image of public figures such as Elon Musk, Zendaya, and Cristiano Ronaldo (with whom Binance teamed up to release an NFT collection). Clicking one of these ads redirects victims to a site that impersonates a known cryptocurrency platform (Binance, TradingView, ByBit, SolFlare, MetaMask, MEXC, etc.), instructing them to download a "desktop client". However, if the site detects suspicious conditions (e.g., missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless, unrelated content instead.

Here's what Bitdefender Labs researcher Ionut Baltariu noticed about the tracking and filtering techniques threat actors use in this campaign:

- Users cannot load the root website.
- No malicious content will be displayed for users who loaded the website without the specific query parameters of the Facebook ads, some examples being utm_campaign, utm_content, fbid and cid.
- If the user is not logged into Facebook, or if the IP address and operating system don't interest the attackers, the website will not display malicious content. Users will be served unrelated content instead. The same might happen if the victim does not fit the behavioural profile the threat actors seek (e.g., male, interests in technology and cryptocurrency).
- Newer variants take a step further, prompting users to open the site using Microsoft Edge; opening it with other browsers leads to random, non-malicious content, further complicating detection efforts.

One particularly deceptive instance is a Facebook clone that mirrors TradingView's official Facebook page. From the profile pictures to posts and comments touting a free "Annual Ultimate Subscription", everything is fabricated, except for the central buttons that redirect victims to the real Facebook website.

The Scale of the Campaign

Researchers have uncovered hundreds of Facebook accounts promoting these malware-delivering pages, all pushing financial benefits. In one notable example, a single page ran over 100 ads in a single day (April 9, 2025). While many ads are quickly removed, some garner thousands of views before takedown. Targeting is frequently fine-tuned, for example focusing on men aged 18+ in Bulgaria and Slovakia, to maximise impact. In this example, we can see an ad that specifically targeted men aged 18+, with success in Bulgaria and Slovakia.

How the Malware Works

All analysed malware samples had the name ' and measured around 800 kb. After installation, the malicious software would open the page of the impersonated entity through msedge_proxy.exe. Victims also receive a suspicious DLL file that launches a local .NET-based server on port 30308 (or 30303 in a newer version). This server offers two routes enabling remote payload execution and customised data exfiltration via WMI queries:

- /set (or /s in newer versions)
- /query (or /q in newer versions)

The /set route receives a payload in XML format through the request body that can be executed through Task Scheduler, while the /query route allows the execution of custom WMI queries, exfiltrating the machine ID and WMI query responses. Interestingly, the sample does not seem to start other processes that might use this simple API; after all, if exfiltration had been the goal, the data could already have been taken. This is where an interesting script from the front end (the malicious page) comes into effect. While carefully analysing the requests made by the website after it loads, one might not see anything that raises suspicions. However, when investigating the loaded resources, a malicious script can be found. After deobfuscating, this script creates a SharedWorker that solves the mystery of the lonely localhost:30308 server. Inside the shared worker, we can see a /query route with three WMI queries.

Furthermore, the script also suppresses output from common console commands. The shared worker communicates with the parent script (using the postMessage function) to fully orchestrate the malware deployment using the localhost server. Moreover, it uses another API from which it gathers the initial malicious file and future payloads, guaranteeing custom and possibly ever-evolving payloads.

After receiving the WMI query results, the front-end script can choose to also use the /set route to schedule a task for execution. In the analysed sample, the /set command was used to further execute multiple encoded PowerShell scripts. This chain of encoded commands concluded with a script that downloaded another malicious payload from two possible C&C servers. For an indefinite period of time, the PowerShell script retrieves other scripts from the C2 servers ($APIs) and executes them, sleeping for limited amounts of time between requests. An example of executed scripts proceeds to exfiltrate further data from the infected system, such as installed software, available GPUs, the geographical location from HKEY_CURRENT_USER\Control Panel\International\Geo and system, OS and BIOS information (duplicating the first-stage collection done with WMI queries from the front-end script).

Depending on the exfiltrated data (the C2 might deploy custom payloads depending on the type of victim, with possible inferences being made about dynamic analysis attempts), the malicious APIs can return other malicious scripts. One example we have encountered is a PowerShell script that further downloads a build, a series of executables and a .jsc file. If the exfiltrated data resembles an automated flow or a sandboxing environment, we have observed "malicious" payloads that only execute a sleep command for hundreds of hours on end, indicating that the infection chain is likely to end at that step.
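The localhost-server pattern described above (a DLL-hosted listener on 127.0.0.1:30308 or :30303 that a page's SharedWorker drives, and that registers scheduled tasks through /set) is easier to hunt for on the endpoint than inside the browser. The following Python is an added example for defenders, not Bitdefender's code and not part of the report: it correlates three constructed telemetry inputs (netstat -ano output, Sysmon-style network-connection events, and Windows security event 4698-style scheduled-task creations) and scores each suspect listener by how much of the chain is visible. Process names, PIDs and the task name are constructed; the report does not say which process hosts the DLL, so rundll32.exe here is an assumption.

```python
import re
from dataclasses import dataclass

# Ports the report says the malicious DLL's local .NET server listens on.
SUSPECT_PORTS = {30308, 30303}
# Browsers are the expected *clients* of the listener, never the listener itself.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe"}

# One row of Windows `netstat -ano` output (IPv4, TCP only).
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+(?P<peer>\S+)\s+"
    r"(?P<state>LISTENING|ESTABLISHED)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    port: int
    score: int   # 1 = suspect listener, 2 = a browser talks to it, 3 = it also scheduled a task
    reason: str


def parse_netstat(text):
    """Parse netstat rows into (addr, port, peer, state, pid); ignore headers and noise."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            rows.append((m["addr"], int(m["port"]), m["peer"], m["state"], int(m["pid"])))
    return rows


def find_localhost_c2(netstat_text, pid_to_image, net_events, task_events):
    """Return one Finding per non-browser process listening on a suspect port.

    net_events:  dicts {"image", "dst_ip", "dst_port"} (Sysmon event 3 style)
    task_events: dicts {"creator_pid", "task"}         (Security event 4698 style)
    """
    rows = parse_netstat(netstat_text)
    findings = []
    for addr, port, _peer, state, pid in rows:
        if state != "LISTENING" or port not in SUSPECT_PORTS:
            continue
        image = pid_to_image.get(pid, "unknown").lower()
        if image in BROWSER_IMAGES:
            continue  # browsers legitimately open local listeners (devtools etc.)
        score, reason = 1, f"{image} listens on {addr}:{port}"

        # Evidence of a browser client: a live socket from a browser PID to this
        # listener, or a recorded connection event to 127.0.0.1:<port>.
        clients = [pid_to_image[r[4]].lower() for r in rows
                   if r[3] == "ESTABLISHED" and r[2] == f"127.0.0.1:{port}"
                   and pid_to_image.get(r[4], "").lower() in BROWSER_IMAGES]
        clients += [e["image"].lower() for e in net_events
                    if e["image"].lower() in BROWSER_IMAGES
                    and e["dst_ip"] in ("127.0.0.1", "::1") and e["dst_port"] == port]
        if clients:
            score, reason = 2, reason + f"; {clients[0]} connected to it"

        # The /set route hands payloads to Task Scheduler: a task created by the
        # listener's own PID completes the chain the report describes.
        tasks = [t["task"] for t in task_events if t["creator_pid"] == pid]
        if tasks:
            score, reason = 3, reason + f"; it registered scheduled task {tasks[0]!r}"
        findings.append(Finding(pid, image, port, score, reason))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample telemetry for this example (not indicators from the report).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:30308        0.0.0.0:0              LISTENING       4812
  TCP    127.0.0.1:30303        0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:49792        127.0.0.1:30308        ESTABLISHED     6644
"""
# Assumption: which process hosts the DLL is not stated in the report.
SAMPLE_PIDS = {912: "svchost.exe", 4812: "rundll32.exe", 5120: "node.exe", 6644: "msedge.exe"}
SAMPLE_NET_EVENTS = [
    {"image": "msedge.exe", "dst_ip": "127.0.0.1", "dst_port": 30308},
    {"image": "msedge.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]
SAMPLE_TASK_EVENTS = [{"creator_pid": 4812, "task": "\\Microsoft\\Windows\\UpdateCheck-example"}]


def demo():
    """Run the correlation over the constructed sample; a dev server on 30303 scores low."""
    return find_localhost_c2(SAMPLE_NETSTAT, SAMPLE_PIDS, SAMPLE_NET_EVENTS, SAMPLE_TASK_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.score}] pid={f.pid} {f.reason}")
```

The scoring deliberately keeps a bare listener on a suspect port at the lowest tier: port numbers alone are weak evidence, and the sample includes a benign node.exe on 30303 to show that. A browser holding a socket to the listener raises the score, and a scheduled task created by the listener's PID, which is what the /set route produces, is what should page an analyst.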
Conclusions

This campaign showcases a hybrid approach, merging front-end deception and a localhost-based malware service. By dynamically adjusting to the victim's environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation. During analysis, Bitdefender was one of the few security solutions detecting both the malicious DLL and the front-end scripts with generic signatures. Multiple layers of obfuscation, sandbox checks, and real-time payload evolution make this campaign a sophisticated challenge for researchers and security providers. Throughout the analysis we have faced and uncovered multiple techniques that prevent end-to-end analysis of the threat, from the measures taken on the malicious websites (displaying non-malicious content based on traffic metadata) to anti-sandbox actions (for example, the looped PowerShell task would not download the final payload in dynamic analysis environments). Combined with the social engineering potential of Facebook Ads and cryptocurrency hype, it underscores how otherwise "common" threats can reach new levels of complexity.

Bitdefender Detections

- Malicious DLLs
- Malicious JavaScript files on the websites
- Malicious JavaScript in the final-stage payload

Early activation of these signatures blocked thousands of infection attempts globally, protecting Bitdefender customers from falling prey to this campaign.

How users can stay safe:

- Scrutinise Ads: Be cautious with any ad offering free software or incredible financial gains. Always verify the source before clicking links or downloading content.
- Use Official Sources Only: Download software directly from the vendor's website. Examples from this campaign include official pages for TradingView, Binance, and MetaMask.
- Use Dedicated Scam and Link-Checking Tools: Bitdefender Scamio and Link Checker can help you verify a website's legitimacy before you click or share. These tools provide an additional layer of defence by scanning URLs and alerting you to potential scams or malicious content.
- Keep Security Software Updated: Choose a reputable security solution capable of detecting evolving threats. Regular updates ensure you have the latest protection mechanisms.
- Beware of Browser Restrictions: If a page insists on using a specific browser or looks suspiciously polished while being otherwise non-functional, close it immediately.
Yahoo
03-04-2025
- Business
- Yahoo
Pi Network's Token Drops 77% to Near All-Time Low as 126.6 Million Coins Unlock in April
Pi Network's token, PI, is nearing its all-time low, trading at $0.6722, just above its February low of $0.6152. The token has lost 77% of its value since reaching a peak of $2.98 in February, with a 25% drop in the past week. Analysts attribute the decline to the continuous unlocking of tokens, increasing supply while demand remains weak. Over 126.6 million PI tokens are set to be unlocked this month, adding to the 4.9 billion already in circulation. The network has been unlocking an average of 133 million tokens per month, with another 1.54 billion set to be released over the next year. Obchakevich Research founder Alex Obchakevich said the drop in value was expected, stating, 'Monthly unlocks exceed demand, which greatly affects the value of the token.' While some investors hope for a rebound, others remain skeptical due to the project's limited liquidity and uncertainty over its long-term potential. Pi Network recently held PiFest 2025, an event aimed at increasing the token's adoption. Over 125,000 sellers and 58,000 merchants participated, with more than 1.8 million Pioneers using PI for transactions across cafes, boutiques, auto shops, and freelance services. Despite the event's success, the price continues to fall, raising doubts about the project's ability to sustain real-world use. Meanwhile, the broader crypto market is thriving, with Bitcoin surpassing $85,000 and Ethereum holding steady above $1,850, making PI's decline even more notable. Technical indicators suggest further downside risk for PI. The token is trading within a descending triangle, a pattern that typically signals continued decline unless there is a strong breakout. The Relative Strength Index (RSI) has fallen to 26.18, indicating oversold conditions, but with no signs of an immediate reversal. PI has also dropped below the 20-period Exponential Moving Average (EMA), another bearish signal. 
Analysts predict the price could retest $0.6152 or even fall below $0.50 if selling pressure continues. A potential rally could push PI toward $1.53, but only if buying interest picks up significantly. Pi Network was launched in 2019 as a mobile-first blockchain, allowing users to mine PI through a referral-based system. It remained untradable for years until its mainnet launch, after which it was listed on Bitget, OKX, and MEXC. However, concerns over liquidity and usability persist. ByBit CEO Ben Zhou has been openly critical of the project, stating, 'Yes, I still think you are a scam, and no, ByBit will not list scam.' Despite the current downturn, Obchakevich believes Pi Network has potential if it can survive the current instability. 'The project certainly has the potential to compete with the top 10 projects in the future,' he said.
Yahoo
10-03-2025
- Business
- Yahoo
North Korean hackers cash out hundreds of millions from $1.5bn ByBit hack
Hackers thought to be working for the North Korean regime have successfully converted at least $300m (£232m) of their record-breaking $1.5bn crypto heist to unrecoverable funds. The criminals, known as Lazarus Group, swiped the huge haul of digital tokens in a hack on crypto exchange ByBit two weeks ago. Since then, it's been a cat-and-mouse game to track and block the hackers from successfully converting the crypto into usable cash. Experts say the infamous hacking team is working nearly 24 hours a day - potentially funnelling the money into the regime's military development. "Every minute matters for the hackers who are trying to confuse the money trail and they are extremely sophisticated in what they're doing," says Dr Tom Robinson, co-founder of crypto investigators Elliptic. Out of all the criminal actors involved in crypto currency, North Korea is the best at laundering crypto, Dr Robinson says. "I imagine they have an entire room of people doing this using automated tools and years of experience. We can also see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash." Elliptic's analysis tallies with ByBit, which says that 20% of the funds have now "gone dark", meaning it is unlikely to ever be recovered. The US and allies accuse the North Koreans of carrying out dozens of hacks in recent years to fund the regime's military and nuclear development. On 21 February the criminals hacked one of ByBit's suppliers to secretly alter the digital wallet address that 401,000 Ethereum crypto coins were being sent to. ByBit thought it was transferring the funds to its own digital wallet, but instead sent it all to the hackers. Ben Zhou, the CEO of ByBit, assured customers that none of their funds had been taken. The firm has since replenished the stolen coins with loans from investors, but is, in Zhou's words, "waging war on Lazarus". 
ByBit's Lazarus Bounty programme is encouraging members of the public to trace the stolen funds and get them frozen where possible. All crypto transactions are displayed on a public blockchain, so it's possible to track the money as it's moved around by the Lazarus Group. If the hackers try to use a mainstream crypto service to attempt to turn the coins into normal money like dollars, the crypto coins can be frozen by the company if they think they are linked to crime. So far 20 people have shared more than $4m in rewards for successfully identifying $40m of the stolen money and alerting crypto firms to block transfers. But experts are downbeat about the chances of the rest of the funds being recoverable, given the North Korean expertise in hacking and laundering the money. "North Korea is a very closed system and closed economy so they created a successful industry for hacking and laundering and they don't care about the negative impression of cyber crime," Dr Dorit Dor from cyber security company Check Point said. Another problem is that not all crypto companies are as willing to help as others. Crypto exchange eXch is being accused by ByBit and others of not stopping the criminals cashing out. More than $90m has been successfully funnelled through this exchange. But over email the elusive owner of eXch - Johann Roberts - disputed that. He admits they didn't initially stop the funds, as his company is in a long-running dispute with ByBit, and he says his team wasn't sure the coins were definitely from the hack. He says he is now co-operating, but argues that mainstream companies that identify crypto customers are betraying the private and anonymous benefits of crypto currency. North Korea has never admitted being behind the Lazarus Group, but is thought to be the only country in the world using its hacking powers for financial gain. 
Previously the Lazarus Group hackers targeted banks, but have in the last five years specialised in attacking cryptocurrency companies. The industry is less well protected, with fewer mechanisms in place to stop them laundering the funds.

Recent hacks linked to North Korea include:

- The 2019 hack on UpBit for $41m
- The $275m theft of crypto from exchange KuCoin (most of the funds were recovered)
- The 2022 Ronin Bridge attack which saw hackers make off with $600m in crypto
- Approximately $100m in crypto was stolen in an attack on Atomic Wallet in 2023

In 2020, the US added North Koreans accused of being part of the Lazarus Group to its Cyber Most Wanted list. But the chances of the individuals ever being arrested are extremely slim unless they leave their country.


Saudi Gazette
10-03-2025
- Business
- Saudi Gazette
North Korean hackers cash out hundreds of millions from $1.5bn ByBit hack
SEOUL — Hackers thought to be working for the North Korean regime have successfully cashed out at least $300m (£232m) of their record-breaking $1.5bn crypto heist. The criminals, known as Lazarus Group, swiped the huge haul of digital tokens in a hack on crypto exchange ByBit two weeks ago. Since then, it's been a cat-and-mouse game to track and block the hackers from successfully converting the crypto into usable cash. Experts say the infamous hacking team is working nearly 24 hours a day — potentially funnelling the money into the regime's military development.

"Every minute matters for the hackers who are trying to confuse the money trail and they are extremely sophisticated in what they're doing," says Dr Tom Robinson, co-founder of crypto investigators Elliptic. Out of all the criminal actors involved in crypto currency, North Korea is the best at laundering crypto, Dr Robinson says. "I imagine they have an entire room of people doing this using automated tools and years of experience. We can also see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash."

Elliptic's analysis tallies with ByBit, which says that 20% of the funds have now "gone dark", meaning it is unlikely to ever be recovered. The US and allies accuse the North Koreans of carrying out dozens of hacks in recent years to fund the regime's military and nuclear development.

On 21 February the criminals hacked one of ByBit's suppliers to secretly alter the digital wallet address that 401,000 Ethereum crypto coins were being sent to. ByBit thought it was transferring the funds to its own digital wallet, but instead sent it all to the hackers. Ben Zhou, the CEO of ByBit, assured customers that none of their funds had been taken. The firm has since replenished the stolen coins with loans from investors, but is, in Zhou's words, "waging war on Lazarus".

ByBit's Lazarus Bounty programme is encouraging members of the public to trace the stolen funds and get them frozen where possible. All crypto transactions are displayed on a public blockchain, so it's possible to track the money as it's moved around by the Lazarus Group. If the hackers try to use a mainstream crypto service to attempt to turn the coins into normal money like dollars, the crypto coins can be frozen by the company if they think they are linked to crime. So far 20 people have shared more than $4m in rewards for successfully identifying $40m of the stolen money and alerting crypto firms to block transfers.

But experts are downbeat about the chances of the rest of the funds being recoverable, given the North Korean expertise in hacking and laundering the money. "North Korea is a very closed system and closed economy so they created a successful industry for hacking and laundering and they don't care about the negative impression of cyber crime," Dr Dorit Dor from cyber security company Check Point said.

Another problem is that not all crypto companies are as willing to help as others. Crypto exchange eXch is being accused by ByBit and others of not stopping the criminals cashing out. More than $90m has been successfully funnelled through this exchange. But over email the elusive owner of eXch — Johann Roberts — disputed that. He admits they didn't initially stop the funds, as his company is in a long-running dispute with ByBit, and he says his team wasn't sure the coins were definitely from the hack. He says he is now co-operating, but argues that mainstream companies that identify crypto customers are abandoning the private and anonymous benefits of crypto currency.

North Korea has never admitted being behind the Lazarus Group, but is thought to be the only country in the world using its hacking powers for financial gain. Previously the Lazarus Group hackers targeted banks, but have in the last five years specialised in attacking cryptocurrency companies. The industry is less well protected, with fewer mechanisms in place to stop them laundering the funds.

Recent hacks linked to North Korea include:

- The 2019 hack on UpBit for $41m
- The $275m theft of crypto from exchange KuCoin (most of the funds were recovered)
- The 2022 Ronin Bridge attack which saw hackers make off with $600m in crypto
- Approximately $100m in crypto was stolen in an attack on Atomic Wallet in 2023

In 2020, the US added North Koreans accused of being part of the Lazarus Group to its Cyber Most Wanted list. But the chances of the individuals ever being arrested are extremely slim unless they leave their country. — BBC