ChainCatcher news, researchers from the cybersecurity company Checkmarx have issued a warning about a dangerous malware uploaded to the Python Package Index (PyPI) that steals private keys. According to the company, this malware was automatically uploaded by suspicious users through several different packages, designed to mimic decoding applications of popular wallets and other mainstream industry products like MetaMask, Atomic, TronLink, and Ronin.The malware is cleverly embedded in various parts of the packages. Since this malware appears to be harmless code, it is essentially undetectable. However, upon closer inspection, once an unsuspecting user calls specific functions embedded in the package, certain parts of the data will allow hackers to control cryptocurrency wallets and transfer funds.

ChainCatcher News, the U.S. Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently released an overview of the Trinity ransomware targeting sensitive data. Attackers use phishing emails, malicious websites, and software vulnerabilities to trick victims into installing the ransomware on their computers. It then searches for and collects sensitive information on the computer and sends it to the hackers. The ransomware also encrypts the victim's files using algorithms, rendering them unusable.After encrypting the files, the ransomware generates a notification informing the victim that it has extracted and encrypted their data and demands a ransom in exchange for the decryption key. The notification also tells the victim that they have 24 hours to pay in cryptocurrency, or their data will be leaked.HC3 stated that the Trinity ransomware targets critical infrastructure, such as healthcare providers. The government agency reported that seven organizations have already fallen victim to this ransomware. "According to HC3, at least one healthcare facility in the U.S. has recently become a victim of the Trinity ransomware," HC3 reported.

ChainCatcher news, the U.S. Attorney's Office stated in a release that Indiana man Evan Light pleaded guilty on Monday to charges of conspiracy to commit wire fraud and conspiracy to commit money laundering, and stole cryptocurrency worth over $37 million from nearly 600 victims.Court documents show that in February 2022, Light was involved in a cyber intrusion that targeted an investment holding company located in Sioux Falls, South Dakota. The documents also allege that Light was accused of stealing personal information, which he then used to steal assets from hundreds of victims.The statement said, "Under Light's control, the stolen cryptocurrency was subsequently transferred around the world, including to multiple mixing services and gambling websites, to conceal his identity and hide the virtual currency."

According to ChainCatcher news, as reported by Decrypt, Bitcoin company Swan has filed a lawsuit in the U.S. District Court for the Central District of California, accusing its former employees (including former executives) of colluding with Tether to steal its Bitcoin mining business worth billions of dollars. Swan claims that these former employees stole the company's highly proprietary Bitcoin mining monitoring software code, vendor and business partner resources, and collectively resigned to establish a competing company named Proton Management.The lawsuit alleges that Tether played a significant role in this conspiracy by sending Swan a "default notice," providing "legal cover" for this hostile takeover. Swan is seeking a permanent injunction from the court against Proton to prevent further interference with Swan's mining operations and is demanding that the former employees return the stolen equipment and "confidential materials." Swan has requested a jury trial, with the specific amount of damages to be determined at trial.

ChainCatcher News, the U.S. Department of Justice today released an indictment, accusing 20-year-old Malone Lam and 21-year-old Jeandiel Serrano of conspiring to steal and launder over 4,100 bitcoins, worth approximately $230 million.It is reported that the two suspects were arrested last night and will appear in U.S. District Courts in the Southern District of Florida and the Central District of California, respectively.The indictment states that since August 2024, Lam, Serrano, and their accomplices gained access to victims' cryptocurrency accounts through fraudulent means and transferred the funds to accounts they controlled. They then laundered the proceeds through mixing services, exchanges, and VPNs, using the funds for international travel, nightclubs, luxury cars, and other luxury goods. Currently, the FBI and the Criminal Investigation Division of the IRS are conducting an ongoing investigation into the case.

ChainCatcher news, an official at Seattle-Tacoma International Airport said on Wednesday that hackers demanded $6 million in Bitcoin from the airport operator in exchange for files stolen during a cyberattack last month, which were released on the dark web this week. The official stated that the Port of Seattle, which owns and operates the airport, has decided not to pay.The airport's aviation director, Lance Lyttle, said the airport previously linked the attack to a ransomware group called Rhysida, and the FBI is now conducting a criminal investigation. "On Monday, the hackers posted a copy of eight files stolen from the Port system on the dark web and sought 100 Bitcoins to purchase this data."Lyttle told a U.S. Senate committee that the airport appeared to have thwarted the attack, but the hackers were able to encrypt some data.

ChainCatcher news, recently, McAfee discovered a new type of Android malware named SpyAgent, which can steal users' private keys by taking screenshots and using optical character recognition (OCR) technology on text within images. This malware spreads through malicious links in text messages; when users click the link, they are directed to a page disguised as a legitimate website and prompted to download a seemingly trustworthy application. Once installed, the malware can access users' contacts, messages, and local storage permissions. Currently, SpyAgent primarily targets South Korean users and has been found in over 280 fraudulent applications. Additionally, malware attacks are on the rise in 2024. The Cthulhu Stealer, discovered in August, affected MacOS systems and stole users' cryptocurrency wallet information. In the same month, Microsoft patched a vulnerability in Google Chrome that had been used by the North Korean hacker group Citrine Sleet to disguise fake cryptocurrency exchanges and spread malware through fraudulent job applications. The Federal Bureau of Investigation (FBI) has issued a warning, alerting the public that the cryptocurrency industry is becoming a primary target for North Korean hackers.

ChainCatcher message, Ethereum co-founder Vitalik Buterin responded on the X platform to "currently all major L2 networks in the mainnet can technically steal user funds," stating an important detail: the rules of Phase 1 require that code can only be overturned when the security council reaches a voting threshold of 75%, and the members preventing a quorum (i.e., ≥ 26%) must come from outside the company. Both Optimism and Arbitrum meet this requirement. Therefore, these organizations cannot unilaterally steal funds.

ChainCatcher message, Chief Information Officer @im23pds posted on social media that, according to the attack intelligence received regarding cryptocurrency practitioners, a new phishing method has emerged that impersonates Apple to deceive users into providing their iCloud information. The phishers use the pretext of "iPhone ID error, requesting users to enable two-factor authentication" to trick users into giving up their iCloud accounts, thereby recovering accounts or keys and stealing user assets.

ChainCatcher news, Cyber Capital founder Justin Bons posted on the X platform, stating that Ethereum is in decline, while L2 is "dancing on its grave."Bons pointed out that since the implementation of EIP-4844 (Proto-Danksharding), Ethereum's fee revenue has significantly decreased and cannot keep up with the rate of inflation. Meanwhile, the usage and fee revenue of L2 networks have reached new highs, lobbying to maintain Ethereum's low capacity. Bons believes this constitutes a "parasitic relationship." He stated that L2 networks are effectively stealing users and fee revenue from Ethereum by masquerading as "the same as Ethereum" to attract users.Bons predicts that L2 networks will eventually migrate or become independent L1 networks, while Ethereum will gradually decline. He criticized Ethereum's leadership for "selling out" its own interests for the sake of L2 networks, arguing that this exposes systemic issues in governance. Bons warned that if Ethereum were to achieve breakthrough L1 expansion in the future, it could lead to a collapse in the token and equity prices of all L2 networks, thus giving L2 networks an incentive to prevent Ethereum's expansion.

ChainCatcher news, according to Cointelegraph, Apple Mac users have recently received warnings about a new type of malware called "Cthulhu Stealer," which can steal users' personal information and cryptocurrency wallets. Cybersecurity company Cado Security stated, "There is a common belief that macOS is immune to malware. While macOS is known for its security, related malware has been on the rise in recent years.""Cthulhu Stealer" appears in the form of an Apple disk image (DMG) and disguises itself as legitimate software such as CleanMyMac and Adobe GenP. When users open the file, the macOS command line tools used to run AppleScript and JavaScript prompt users to enter their passwords, including a prompt for the password to the Ethereum wallet MetaMask. "Cthulhu Stealer" can also target other cryptocurrency wallet software, including wallets from Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet.

ChainCatcher news, according to Cointelegraph, the cybersecurity company Moonlock warns that the AMOS trojan targeting Mac users can now clone the Ledger Live software and may soon clone other wallet applications.According to a report from cybersecurity company Moonlock Lab on August 5, the program is making a comeback, and the company found that it is being advertised through Google Adsense. In the ads, it disguises itself as popular MacOS programs, including the screen sharing application Loom, the user interface design tool Figma, the VPN Tunnelblick, and the instant messaging application Callzy. The developers of these applications have not authorized the counterfeit version of the AMOS malware.

ChainCatcher news, according to a report from Bernama on Saturday, last week, three local residents and four foreigners were arrested and detained for allegedly providing electricity for Bitcoin mining operations through electricity theft.The report stated that the police chief of Sepang, ACP Wan Kamarul Azran Wan Yusof, indicated that these individuals had no prior criminal records, and the authorities' aim is to "investigate illegal Bitcoin mining activities involving electricity theft."Local police added that they seized 52 Bitcoin mining devices and other electronic equipment, with a total estimated value of 250,000 Malaysian Ringgit (RM), equivalent to 57,000 USD.

ChainCatcher news, according to Cointelegraph, cybersecurity solution provider Check Point Research has discovered a new malware called Styx Stealer. This malware can steal a large amount of data through a mechanism known as "cutting," including cryptocurrency.The malware can be rented for free on the developer's website, and because it relies on a vulnerability in Microsoft Windows Defender that was patched last year, Windows users with the latest operating systems will not be affected by this malware.Check Point Research identified eight wallets that are believed to belong to the Turkish Styx Stealer developer, who received approximately $9,500 in cryptocurrency as payment during the first two months of the malware's operation. Styx Stealer was launched in April, charging $75 per month and $350 for a lifetime subscription.

ChainCatcher news, Yixing has cracked a case of theft of virtual currency, where the perpetrator illegally obtained access to another person's virtual currency wallet with the intent to possess it unlawfully. The prosecuting attorney discovered that in order to secretly gain access to others' virtual wallets, the defendant Wang conspired with others to create a website that appeared to be a blockchain project to obtain the management rights of the victim Ms. Pan's wallet. According to statistics, Wang transferred 130,000 virtual currencies from Ms. Pan's account to cash out into his own bank card, causing Ms. Pan an economic loss of over 900,000 yuan. Recently, the Yixing City Prosecutor's Office filed a public prosecution, and the court sentenced the defendant Wang to eleven years in prison for theft and imposed a corresponding fine.

ChainCatcher message, according to Scam Sniffer monitoring, in the past few days, a certain drainer has stolen over 7000 TON. It uses origin spoofing to impersonate StonFi, with approximately 3 victims affected every minute.

ChainCatcher news, according to the official WeChat account of Ping An Xuhui, employees of Company A, Zhang, Dong, and Liu, decided in early March 2023 to add a backdoor program to a certain virtual currency wallet software to obtain user private keys. By the end of May 2023, after saving the stolen private keys and the corresponding digital wallet addresses, the three destroyed the servers and databases, agreeing that these private keys could only be used to illegally obtain users' virtual currency two years later. The three illegally obtained more than 27,000 mnemonic phrases and over 10,000 private keys, successfully converting more than 19,000 digital wallet addresses. In April 2024, the Xuhui District People's Court sentenced defendants Liu, Zhang A, and Dong to three years in prison for illegally obtaining data from computer information systems, and fined them 30,000 yuan.However, strangely, the reporter Ou was not stolen from by the aforementioned three (not yet at the agreed time). Upon investigation, it was found that in another virtual wallet software platform used by Ou, a backdoor program was also implanted by Zhang B, who had previously worked at Company A. In July 2021, he wrote a piece of code in the client code to collect user private keys and mnemonic phrases. When users traded virtual currency, the code would automatically obtain the mnemonic phrases or private keys used by the user for signing operations and send them to Zhang B's email.In April 2023, due to personal financial pressure, Zhang B learned Ou's virtual wallet address through the illegally obtained mnemonic phrases and private keys, transferring all the virtual currency to his own wallet address. Zhang B illegally obtained more than 6,400 user private keys and mnemonic phrases, and was sentenced to three years in prison for illegally obtaining data from computer information systems, and fined 50,000 yuan.It is worth noting that Company A is suspected to be the original Huobi company. In 2023, due to former employees setting up Trojans, some users' mnemonic phrases or private keys of iToken (original Huobi wallet) have been leaked. HTX responded that the Trojan was set up by former Huobi employees before the acquisition, stealing others' mnemonic phrases and private keys. HTX stated that it is cooperating with the Shanghai Public Security Bureau to conduct investigations and evidence collection.