hijacking

Hackers have launched Android malware attacks in Brazil by spoofing a phishing page that mimics the Google Play Store. Currently, all known victims are located in Brazil.The attackers set up a phishing website that closely resembles Google Play, enticing users to download a fake application called "INSS Reembolso." Once installed, the application releases hidden malicious code in stages and loads it directly into memory, leaving no visible files on the device, which makes it highly stealthy. One of the core functions of the malware is cryptocurrency mining, with an embedded XMRig mining program compiled for ARM devices that silently connects to the attacker's controlled mining server in the background. The program monitors battery level, temperature, and device usage status, dynamically adjusting mining behavior to evade detection, and bypasses Android's background process management mechanism by looping silent audio files.Some variants also include banking trojans that can overlay fake pages on the USDT transfer interface of Binance and Trust Wallet, silently replacing the recipient address. Additionally, the malware supports various remote control commands such as recording, screenshotting, keylogging, and remote locking of the device.

According to DL News, police in the Île-de-France region of France arrested two teenagers (aged 15 and 17) and a 35-year-old man, all suspected of carrying out two armed kidnappings targeting cryptocurrency holders on March 10 in the Île-de-France region.Reports indicate that the first incident occurred in the Essonne department in the southern suburbs of Paris, where the suspects, wearing masks and carrying small explosive devices, attempted to break into the home of a cryptocurrency holder but failed. About 30 minutes later, another incident took place in the Seine-et-Marne department, where the suspects successfully broke into the home of a female cryptocurrency holder, kidnapped her family, and stole jewelry; it has not been disclosed whether cryptocurrency assets were also stolen.The police subsequently tracked the suspects' vehicle, deploying about 100 armed special police officers and two police helicopters to pursue them, intercepting the vehicle after approximately 6 hours and discovering the stolen jewelry inside. Prosecutors have charged the three individuals with extortion, organized crime, armed robbery, property damage, and kidnapping. Currently, the 17-year-old suspect and the 35-year-old man are in custody awaiting trial, while the 15-year-old suspect is under judicial supervision, and prosecutors have appealed this decision.

The RWA tokenization platform OpenEden announced on X platform that it has fully restored DNS control over its official domain and its subdomains, and platform operations have returned to normal.OpenEden stated that its official website experienced unauthorized record modifications at the DNS level, leading to domain hijacking. After a joint investigation with security partners and infrastructure service providers, it was confirmed that this incident did not affect any smart contracts, internal systems were not compromised, core applications remain intact, and reserve assets were also unaffected. All reserve assets can be independently verified through Chainlink's Proof of Reserve, and measures to enhance domain and infrastructure security will be strengthened.

ClawdBot (now renamed Moltbot) founder Peter Steinberger posted on social media that the issue of his GitHub account being hijacked has been resolved, and this issue only affected personal accounts, not organizational accounts. He specifically reminded users to be wary of about 20 impersonating X scam accounts.

According to 23pds, the Chief Information Security Officer of Slow Fog Technology, a new type of security vulnerability has emerged in the Snap Store application store on the Linux platform. Hackers are taking over application publisher accounts by hijacking expired domain names and embedding malicious code into cryptocurrency wallet applications.Attackers monitor and register developer accounts in the Snap Store associated with expired domain names, using these domain emails to trigger password resets, thereby taking over the established publisher identity with long-term credibility. The tampered applications disguise themselves as well-known cryptocurrency wallets such as Exodus, Ledger Live, or Trust Wallet, with interfaces nearly indistinguishable from the originals.Currently, it has been confirmed that the publisher domains storewise[.]tech and vagueentertainment[.]com have been hijacked. These malicious applications lure users into entering their "wallet recovery mnemonic." Once users submit this information, sensitive data will be sent to the attackers' servers, resulting in the theft of digital assets.

According to Slow Mist's Yu Sin, some users may not have received the Monad airdrop and are advised to check whether the wallet address bound on the airdrop claim page claim.monad.xyz is the expected address.Yu Sin stated that if the bound address is not what the user expected, they may have encountered a similar issue as user Onefly (@Onefly) — the wallet address was bound to a hacker's address, causing the official airdrop to be sent to the hacker. Yu Sin revealed that a white hat hacker had previously synced a related vulnerability with him, which has a prerequisite: if someone hijacks the user's session on the Monad airdrop claim page, they can change the claim wallet address without further confirmation.

According to Aerodrome, the domain hijacking attack that the agreement previously encountered was fully mitigated in less than 4 hours, with user losses amounting to approximately $700,000.It is reported that within 2 minutes of the first malicious transaction being detected, major wallets such as MetaMask and Coinbase Wallet began displaying warnings. Losses were limited to users who connected and signed transactions during the active period of the malicious website. Currently, the team is working with security consultants and corporate registrars, and the domain is expected to be migrated and reopened next week. Additionally, the Aero and Velo foundations are developing plans to provide grants proportional to the losses for affected users.

The DeFi protocol Balancer is currently under attack, with losses exceeding $116.6 million across multiple chains, and the attack on Balancer is still ongoing.According to the on-chain AI analysis tool CoinBob, the historical security incidents of Balancer are as follows:June 2020 Flash Loan Attack: Attackers exploited a compatibility issue between the deflationary token (STA/STONK) and Balancer's smart contracts, repeatedly calling swapExactAmountIn to drain the liquidity pool, ultimately profiting $523,600.August 2023 V2 Pool Vulnerability: The Balancer V2 pool suffered multiple flash loan attacks due to a code vulnerability, with total losses reaching $2.1 million. The team urgently paused the affected pools and advised users to withdraw their funds, but some funds that were not withdrawn in time were still exploited.September 2023 Frontend Hijacking Attack: Hackers gained control of Balancer's frontend through BGP/DNS hijacking, tricking users into authorizing malicious contracts, resulting in a loss of $238,000. On-chain detective ZachXBT traced the funds to address 0x645710Af050E26bB96e295bdfB75B4a878088d7E.2023 Euler Incident Impact: Due to a vulnerability in Euler Finance, Balancer's bbeUSD pool suffered a loss of $11.9 million, accounting for 65% of the pool's TVL. The team took protective measures to limit liquidity withdrawals.2024 Velocore Attack Association: The Velocore vulnerability exploited Balancer-style CPMM pools, resulting in a loss of $6.8 million. Balancer's technical architecture was indirectly implicated due to cross-protocol integration.

ChainCatcher message, cryptocurrency developer Zak Cole disclosed that a new type of phishing attack is targeting the X (formerly Twitter) accounts of members of the crypto community. This attack disguises itself as an authorization request from the Google Calendar app, tricking users into granting full account control permissions. Attackers exploit the application authorization mechanism of the X platform, completely bypassing passwords and two-factor authentication.MetaMask security researchers have confirmed that this attack is active in the wild. Users are advised to visit the connected apps page on X to check and revoke any suspicious "Calendar" app authorizations to ensure account security.

According to ChainCatcher news reported by Decrypt, Charles O. Parks III, a man from Nebraska, USA (online name "CP3O"), has been sentenced to one year and one day in prison for orchestrating an illegal "crypto hijacking" scheme worth $3.5 million. He illegally mined by stealing cloud computing resources, profiting nearly $1 million, which he used to purchase luxury goods.Parks has paid a $500,000 fine and a Mercedes-Benz, with the amount of restitution pending. It is reported that he disguised himself as an educational platform to deceive cloud service providers into granting him computing resources for mining Ethereum, Litecoin, and Monero, and laundered money through exchanges and banks.

ChainCatcher news, according to Cointelegraph, Ukrainian police recently arrested a 35-year-old man, accusing him of carrying out a large-scale cryptocurrency hijacking operation.According to a police statement, the man had been hacking into over 5,000 client accounts of an international hosting company since 2018, unauthorizedly using their server resources for cryptocurrency mining, resulting in losses of approximately $4.4 million for the company. During a search of the suspect's residence, multiple computer devices, mobile phones, bank cards, as well as cryptocurrency wallets and hacking software were discovered. The suspect currently faces charges of unauthorized interference with electronic information network operations, which could result in a maximum sentence of 15 years in prison. The investigation into the case is still ongoing.

ChainCatcher message, Slow Mist founder Yu Xian stated that the current DNS hijacking issue with Curve has not yet been resolved, and the attackers are also phishing for mnemonic phrases through fake wallet pop-ups, making their methods even more covert.This issue once again points to the domain service provider iwantmyname, which also caused a similar incident in 2022.

ChainCatcher news, according to Cointelegraph, the DeFi protocol Curve Finance has issued an urgent warning that its official website curve.fi has suffered a DNS hijacking attack, redirecting users to a malicious phishing site. This is the second security threat the platform has faced within a week, following the hacking of its official X account on May 5.Blockchain security company Blockaid detected that attackers may have implemented a front-end attack by tampering with DNS resolution records, advising users to immediately stop all transaction signing operations. The Curve team has contacted the domain registrar for urgent handling and confirmed that the smart contracts are unaffected, but they remind users that there is still a risk of asset theft when interacting with the platform.

ChainCatcher news, the DEX Ambient on the Scroll chain announced on platform X that it has fully compensated all victims who recently suffered phishing attacks due to domain hijacking, with payments made in ETH, as there is no secure way to send tokens to these addresses. Users are advised to transfer their assets to a new wallet.ChainCatcher previously reported that the DEX protocol Ambient Finance on the Scroll chain stated on platform X that the domain has been hijacked and is currently working with the banning team and the domain registrar to resolve the issue as soon as possible. The contract is completely secure, and funds are safe. However, please do not interact with the Ambient Finance frontend until further notice.

ChainCatcher message, the DEX protocol Ambient Finance on the Scroll chain stated on platform X that the domain has been hijacked and is currently working with the ban team and the domain registrar to resolve the issue as soon as possible. The contract is completely safe, and funds are secure. However, please do not interact with the Ambient Finance frontend until further notice.

ChainCatcher news, DeFi yield market Pendle has released an analysis of the domain hijacking incident, stating that the website building platform Squarespace purchased all domain registrations and customer accounts from Google Domains in June 2023, leading to domain migration. Recently, attackers exploited a vulnerability in Squarespace to hijack domains hosted on its platform, including Pendle's domain. According to ICANN's policy, these domains will be unable to be transferred from Squarespace to other registrars in about 20 days.Forty minutes after the domain hijacking occurred, the Pendle development team successfully regained full control of the domain and took all necessary measures to ensure normal operations were restored. The Pendle protocol and smart contracts were unaffected, and funds are secure.

ChainCatcher news, according to the Slow Mist blockchain hacking archive statistics, from October 1 to October 7, 2023, a total of 10 security incidents occurred, with an increase in DNS hijacking attacks and Discord hacking incidents. The specific events are as follows:Galxe (2023-10-06): Unauthorized access obtained through DNS hijacking led to the misappropriation of visitor funds, affecting 1,120 users. Loss: approximately $270,000;MCT (2023-10-06): DNS domain hijacking allowed private keys to be uploaded to a fraudulent domain. Preventive measures are recommended. Loss: not specified;Fake CommEx tokens (2023-10-06): A large amount of liquidity was removed in a rug pull, with the deployer extracting approximately $154,000;friend.tech (2023-10-05): Four users faced SIM swap attacks, resulting in significant losses. Loss: approximately $385,000;Stars Arena (2023-10-05): The platform's smart contract had a major security vulnerability, leading to the theft of a large amount of funds. Loss: approximately $3 million;DePay (2023-10-05): The platform faced a flash loan attack, resulting in relatively small theft. Loss: $827;Metropolis World (2023-10-05): The platform's Discord server was hacked. Loss: unspecified;GEMIE (2023-10-02): The Discord server was hacked, leading to phishing links being shared. Users are advised not to interact. Loss: not specified;VendX (2023-10-02): Another instance of a Discord server being hacked. Loss: not specified;Fake EigenLayer tokens (2023-10-01): A fake token exit scam that brought huge profits to the deployer. Loss: approximately $300,000.

According to ChainCatcher news, monitoring by Beosin's Beosin EagleEye security risk monitoring, early warning, and blocking platform shows that Galxe is suspected to have suffered a DNS hijacking attack, resulting in a large amount of user funds being stolen. The currently reported stolen funds involve multiple cryptocurrencies, primarily sent to the address 0x4103baBcFA68E97b4a29fa0b3C94D66afCF6163d, which has collected over $70,000 in virtual currency. Almost all of the funds were eventually converted to ETH and sent to the address 0x1c0e96Ef2A82b573B826B4138DF9c126AA4d1825, while some funds were sent to the address 0x412f10AAd96fD78da6736387e2C84931Ac20313f, and part of the funds entered FixedFloat. The image shows the fund statistics for the address 0x4103baBcFA68E97b4a29fa0b3C94D66afCF6163d.

ChainCatcher news, according to SlowMist Intelligence, balancer.fi is currently under a BGPHijacking attack. Accessing the website and linking a wallet may result in a phishing attack. According to CloudFlare's BGP Origin Hijack-17957, the ASN victim list includes AS13335, which is associated with balancer.fi. Currently, accessing the website will trigger a phishing security warning from CloudFlare.Here is the analysis of this incident by the SlowMist security team:Query the DNS resolution records of the domain balancer.fi (https://bgp.tools/dns/balancer.fi). The A records show addresses 104.21.37.47 and 172.67.203.244. The BGP AS region number for these two IP addresses is AS13335, which belongs to CloudFlare.According to CloudFlare's records (https://radar.cloudflare.com/routing/anomalies/hijack-17957), AS13335 is on the list of ASs involved in the BGP Origin Hijack attack.It was found that the HTTPS certificate for balancer.fi has been replaced with the attacker's certificate.Currently, accessing https://app.balancer.fi will trigger a phishing security warning from CloudFlare.Analysis shows that there is malicious JavaScript code on the frontend of app.balancer.fi (https://app.balancer.fi/js/overchunk.js).Users connecting their wallets to app.balancer.fi will have their balances automatically checked by the malicious script, leading to phishing attacks.After analysis by MistTrack, the malicious addresses are as follows:0x00006DEAcd9ad19dB3d81F8410EA2B45eA5700000x645710Af050E26bB96e295bdfB75B4a878088d7E0x0000626d6DC72989e3809920C67D01a7fe030000The SlowMist security team reminds users that the BGP attack against balancer is still ongoing, and they should temporarily stop accessing the balancer website to avoid being attacked.