ChainCatcher news, according to the Slow Mist security team, on July 2, a victim reported that they used an open-source project hosted on GitHub ------ zldp2002/solana-pumpfun-bot the day before, and subsequently their crypto assets were stolen. After analysis by Slow Mist, it was found that in this attack, the attacker disguised themselves as a legitimate open-source project (solana-pumpfun-bot) to lure users into downloading and running malicious code. Under the guise of boosting the project's popularity, users unknowingly ran a Node.js project with malicious dependencies, leading to the leakage of wallet private keys and asset theft. The entire attack chain involved multiple GitHub accounts working in coordination, expanding the scope of dissemination and enhancing credibility, making it highly deceptive. At the same time, such attacks combine social engineering and technical means, making it difficult to completely defend against them within organizations.Slow Mist advises developers and users to be highly vigilant about unknown GitHub projects, especially when it involves wallet or private key operations. If debugging is indeed necessary, it is recommended to run and debug in an isolated environment that does not contain sensitive data.

ChainCatcher news, according to News.bitcoin, the latest TRM cryptocurrency crime report shows that in the first half of 2025, cryptocurrency theft cases surged, with at least 75 attacks resulting in over $2.1 billion stolen, nearly matching the total for 2024 and exceeding the record set in the first half of 2022. However, the report indicates that the $1.5 billion Bybit hack that occurred in February accounted for nearly 70% of the total losses. Aside from the massive losses in February, January, April, May, and June were the only four months with losses exceeding $100 million. Only March had losses below $100 million.The report concluded: "In the first half of 2025, crimes committed by groups linked to North Korea accounted for $1.6 billion of the stolen funds, approximately 70% of all stolen funds." Meanwhile, the TRM team found that in the first half of 2025, infrastructure attacks such as private key and mnemonic phrase theft or front-end intrusions accounted for over 80% of the stolen funds. On the other hand, protocol vulnerabilities accounted for 12%, highlighting the persistent vulnerabilities in DeFi smart contracts.

ChainCatcher news, according to Cointelegraph, South Korean internet security agencies have revealed that North Korean hackers are now using ChatGPT to automate cryptocurrency theft.

ChainCatcher message, according to the monitoring by Shield, the arbitrage bot PrintMoney was hacked on the BNB Chain, resulting in a loss of $2 million worth of cryptocurrency.

ChainCatcher news, according to Decrypt, the threat intelligence research company Cisco Talos reported on Wednesday that North Korean hackers are targeting cryptocurrency professionals by deploying a new Python remote access Trojan named "PylangGhost" through fake interviews disguised as recruiters from companies like Coinbase and Uniswap. This malware is associated with the notorious North Korean hacking group "Famous Chollima" (also known as "Wagemole").The malware can steal credentials from over 80 browser extensions, including Metamask and 1Password, and achieve persistent remote access. The attacks primarily target Windows systems and macOS users, while Linux systems have not been affected by the current wave of attacks.

ChainCatcher message, Slow Mist founder Yu Xian stated, "To verify the situation of WeChat account theft, attackers use leaked account passwords (various leaked data may be found) combined with the target user's frequently contacted friends (even those who have just been added as friends or interacted in groups) to obtain a 6-digit verification code to carry out the theft. Attackers often strike late at night, focusing on scams in the cryptocurrency OTC market. It is recommended to be cautious when adding friends on WeChat, change passwords promptly, and pay attention to WeChat's abnormal login risk alerts."

ChainCatcher news, according to Kyodo News, Japanese Prime Minister Shigeru Ishiba plans to propose strengthening the crackdown on malicious cyber activities such as North Korea's theft of cryptocurrency at the G7 summit to be held in Canada from June 15 to 17. This will be the first time the G7 summit discusses the issue of North Korea stealing cryptocurrency.According to several Japanese government officials, this move aims to enhance regulation through multinational cooperation and cut off North Korea's channels for illegally obtaining cryptocurrency funds through cyberattacks, which are believed to be used for the development of weapons of mass destruction.

ChainCatcher message, Slow Mist Yuxian updated on social media, stating, "Got it back, didn't follow the official required steps. It seems they just refunded me... Happy Ending...For other friends who have had this experience, if you haven't received your funds back, you can email the official inquiry (the official email is in the message where your funds were transferred), you can follow the required steps in the official reply (for example, you may need to pay to register for their Cloud or set up Alby Hub, etc.), but perhaps you can also do nothing like I did and get it back directly.The amount is small, but the nature is serious. If the official had left a message informing us of the retrieval method when they transferred our funds, the nature would have been very different."

ChainCatcher message, Slow Mist's Yu Xian posted on platform X, stating that the "most High" users of the new mechanism EIP-7702 are actually coin theft gangs (not phishing gangs), which facilitate the automatic transfer of related funds from wallet addresses with leaked private keys/mnemonic phrases... Over 97% of EIP-7702 delegations are authorized to such coin theft contracts.

ChainCatcher message, Cetus officially released a report on the theft incident stating that on May 22, Cetus encountered a sophisticated smart contract attack targeting the CLMM liquidity pool. Cetus took immediate measures to mitigate the impact.The attacker exploited an undiscovered vulnerability in an open-source library, lowering the pool price to build positions in the high-price area, and utilized an overflow check flaw to inject inflated liquidity with very few tokens. Subsequently, they repeatedly executed liquidity removal operations to extract assets from the pool, continuously exploiting unverified calculation functions to carry out the attack, ultimately successfully stealing funds.To jointly maintain the maximum interests of the entire ecosystem, with the support of most Sui validator nodes, Cetus urgently froze two Sui wallet addresses of the attacker, which contained the majority of the stolen funds. The remaining stolen funds have been exchanged by the hacker and cross-chain transferred to the Ethereum mainnet.Cetus is collaborating with the Sui security team and several auditing firms to re-examine the contracts and conduct a multi-party joint audit to ensure the safe restoration of CLMM services after verification is completed. At the same time, Cetus will strengthen on-chain monitoring, initiate additional audits, and regularly publish security reports. To compensate affected LPs, Cetus is working with ecosystem partners to develop a recovery plan and is calling on Sui validators to support on-chain voting to expedite the return of user assets and rebuild confidence. While legal proceedings continue, Cetus is also providing the attacker with a white hat return opportunity. Cetus will soon issue a final ultimatum to them. Any updates will be transparently communicated to the community by Cetus.

ChainCatcher news, Slow Mist's official release on the Cetus theft incident analysis indicates that the core of this event is that the attacker carefully constructed parameters to cause an overflow while bypassing detection, ultimately exchanging a very small amount of tokens for a massive amount of liquidity assets.Slow Mist stated that the attacker precisely calculated and selected specific parameters, exploiting the flaw in the checked_shlw function to obtain liquidity worth billions at the cost of just 1 token. This is an extremely sophisticated mathematical attack. The Slow Mist security team advises developers to rigorously verify all boundary conditions of mathematical functions in smart contract development.Previously, on May 22, according to community news, the liquidity provider Cetus on the SUI ecosystem was suspected of being attacked, with a significant drop in liquidity pool depth and multiple token trading pairs on Cetus experiencing declines, with estimated losses exceeding $230 million. Subsequently, Cetus issued a statement indicating that an incident was detected in the protocol, and for safety reasons, the smart contract has been temporarily suspended while the team investigates the incident.

ChainCatcher message, encrypted KOL AB Kuai.Dong@_FORAB tweeted that, according to community news and confirmation from several industry insiders, the Cetus project, which experienced a theft incident on the evening of May 22, is operated by the same team that ran the DeFi project Crema Finance on the Solana chain in 2022. Crema was under the spotlight due to a theft incident but ultimately managed to recover most of the funds.In 2022, Crema was attacked, resulting in a loss of approximately 9.6 million dollars. After the incident, the attacker returned about 8 million dollars. According to an announcement from the U.S. Attorney's Office for the Southern District of New York, the hacker involved was subsequently arrested and sentenced, with the relevant timing and amount information matching the incident at that time.

ChainCatcher message, Sui official stated: "We have learned that Cetus has experienced a theft incident. We will actively support the Cetus team in their ongoing investigation and will provide further updates as soon as possible."

ChainCatcher news, Slow Mist's Chief Information Security Officer @im23pds stated that the preliminary analysis of the Cetus theft suggests a vulnerability caused by a computational precision issue.

ChainCatcher news, according to on-chain data, the liquidity protocol Cetus Protocol on the Sui chain was hacked, with assets stolen exceeding 150 million dollars.

ChainCatcher news, according to the U.S. Department of Justice, law enforcement agencies have jointly seized the LummaC2 malware infrastructure with Microsoft and multiple international organizations, involving 5 domains and over 2,300 related sites. LummaC2 specifically steals sensitive information such as cryptocurrency wallet recovery phrases and bank account details, and has been used in at least 1.7 million attempted information thefts.

ChainCatcher news, according to Cointelegraph, Paraguayan law enforcement has disclosed that three Chinese nationals have been expelled for illegal entry and one Paraguayan suspect has been arrested. This group is suspected of attempting to steal from the cryptocurrency mining site of Teratech SA in Coronel Bogado. The prosecution stated that the three expelled individuals had no legal entry records and are suspected of entering illegally through the borders of Brazil or Bolivia.Paraguayan prosecutor Irene Rolón pointed out that the arrested Paraguayan suspect, Nahun María Velázquez Garcete, has now been charged with serious theft, and the case is still under further investigation.It is reported that the mining site is located near the Itaipu Hydroelectric Power Plant, which attracts many cryptocurrency mining operations due to its abundant hydroelectric resources.The prosecution is verifying the specific relationship between the three expelled individuals and the involved company. The specific details of the case's losses and the suspects' injuries have not yet been disclosed.