A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its…

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its attacks, according to research from the AhnLab Security Intelligence Center (ASEC). This malware, which initially appeared in mid-2024 as a beta version, has seen a significant increase in distribution since 2025, with February’s volume mirroring January’s and indicating a potential surge.

It is worth noting that, according to Hudson Rock’s report, infostealers have become the biggest threat to critical infrastructure. The report reveals that computers belonging to the US Army, Navy, and even the FBI have been compromised, with stolen data available on the dark web for as little as $10.

In the ongoing campaign, ASEC’s monitoring confirms that ACRStealer is spread through software cracks and key generators, commonly used for software piracy, and the malware is frequently disguised as these illegal programs. 

While Lumma Stealer and Vidar have been dominant infostealers distributed this way, researchers observed that ACRStealer’s presence is growing rapidly. According to their report, the distribution trend of ACRStealer from June 2024 to February 2025 indicates a dramatic rise in 2025.

Platforms used to distribute the infostealer disguised as a crack (Screenshot via AhnLab).

ACRStealer boasts a range of malicious capabilities. It can detect installed antivirus solutions, steal cryptocurrency wallets and login credentials, extract browser data, harvest FTP credentials, and read all text files. This stolen information allows cybercriminals to target financial assets and personal accounts. Stolen credentials grant access to email, social media, and banking services. This data can also be used for identity theft or sold on dark web markets.

A key feature is ACRStealer’s C2 server communication. Instead of embedding the server’s IP, it uses a Dead Drop Resolver (DDR). This method involves the malware contacting a legitimate service, such as Google Docs or Steam, to retrieve the C2 server’s domain. ASEC has identified several platforms used as intermediary C2s, including Steam, telegra.ph, and various forms of Google Docs (Forms and Presentations).

This approach allows attackers to easily change the C2 domain if it is compromised without needing to update the malware itself. They simply modify the information within the intermediary C2. 

The actual C2 domain, retrieved from the intermediary C2, is combined with a hardcoded UUID (Universally Unique Identifier) to create the URL for downloading encrypted configuration data. This data contains crucial information like target programs, additional malware URLs, file extensions, and target extension IDs.

The configuration file specifies a wide range of data to be stolen, including browser data, text files, cryptocurrency wallets, FTP information, chat program information, email client information, remote program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information. 

Also, it targets numerous programs, from browsers like Chrome and Firefox to cryptocurrency wallets like Binance and Electrum, chat programs like Telegram and Signal, and various browser plugins. Collected files are often compressed before transmission.   

AhnLab’s research highlights ACRStealer’s adaptable approach, constantly changing platforms and the locations of C2 information within them. It operates as Malware-as-a-Service (MaaS), making infection tracking difficult. 

However, preventative measures can be taken. This involves avoiding websites distributing cracks and key generators, and downloading software only from official sources. Additionally, be cautious with links and attachments in unsolicited communications, enable multi-factor authentication (MFA) for added security, and maintain an active anti-malware solution.

Hackers Use Google Docs and Steam to Spread ACRStealer Infostealer

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing…

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing security.

****How Does Payment Orchestration Work?****

A Payment Orchestration Platform (POP) functions as an intelligent intermediary between merchants and multiple payment service providers (PSPs). It facilitates seamless payment transactions by dynamically selecting the best route for each payment, optimizing approval rates, reducing costs, and enhancing security.

By leveraging real-time analytics and machine learning, POPs improve transaction efficiency by identifying the most reliable and cost-effective payment pathway. Additionally, advanced security protocols, such as tokenization and AI-driven fraud detection, protect customer data. With payment orchestration, businesses can scale efficiently while maintaining high-security standards and minimizing transaction failures.

****Core Functions of Payment Orchestration Services****

According to Akurateco, a payment orchestration service, core functions of payment orchestration services offer several functions:

*   **Multi-Provider Connectivity**: Payment orchestration platforms seamlessly integrate with multiple PSPs, acquirers, and alternative payment methods. Instead of requiring businesses to establish individual connections, the platform offers a single integration point that enables access to various payment providers. This flexibility ensures firms can easily expand into new markets without undergoing extensive technical adjustments.

*   **Intelligent Transaction Routing**: Dynamic payment routing directs each transaction to the optimal payment provider based on predefined parameters such as transaction amount, geographical region, historical approval rates, and real-time risk assessment. Businesses can enhance approval rates and reduce unnecessary payment processing fees by routing transactions through the most reliable and cost-effective channels.

*   **Security & Compliance**: Security remains a top priority in digital transactions. Payment orchestration platforms employ multiple layers of protection, including:
    *   **Tokenization and encryption** to safeguard sensitive payment information.
    *   **AI-powered fraud detection** to identify and mitigate suspicious transactions in real-time.
    *   **Multi-factor authentication (MFA)** for added security.
    *   **Compliance with global regulations,** such as PCI DSS 3.2 and GDPR, ensures businesses meet legal and industry standards.

*   **Automated Retry & Failover Mechanisms**: If a transaction fails due to provider issues, a Payment Orchestration Platform automatically retries the transaction with an alternative acquirer or PSP. This ensures continuity in payment processing, minimizes failed transactions and improves overall revenue retention. The automated failover mechanism is particularly beneficial for subscription-based businesses and eCommerce merchants, where transaction reliability directly impacts customer experience and retention rates.

*   **Real-Time Analytics & Reporting**: Payment orchestration platforms provide businesses with actionable insights through advanced analytics dashboards. Companies can track approval rates, monitor payment trends, and identify cost-saving opportunities in real time. This level of transparency allows merchants to optimize their financial strategies and make data-driven decisions to improve profitability.

****Business Benefits of Payment Orchestration****

*   **Increased Approval Rates**: By leveraging intelligent transaction routing and failover mechanisms, payment orchestration platforms significantly improve approval rates. Payments are directed to providers with the highest probability of success, reducing declines and enhancing customer satisfaction.

*   **Lower Payment Processing Costs**: Businesses can minimize transaction fees by selecting the most cost-effective payment service providers for each transaction. Competitive acquirer selection helps reduce unnecessary expenses, ultimately increasing profitability.

*   **Faster Market Expansion**: Supporting multiple payment providers and localized payment methods allows businesses to enter new markets without the technical challenges of integrating with multiple PSPs. This accelerates global expansion and ensures a seamless payment experience for international customers.

*   **Enhanced Customer Experience**: A smooth, frictionless payment process improves the overall customer journey. Businesses can foster trust and long-term customer relationships with reduced transaction failures, secure payments, and support for various payment options.

****Akurateco: A Leader in Payment Orchestration****

Akurateco is a cutting-edge white-label Payment Orchestration Platform designed to simplify and optimize payment processing. Offering strong fraud prevention, multi-acquirer support, and advanced analytics, Akurateco helps businesses manage their transactions efficiently and securely.

****Why Businesses Trust Akurateco****

*   **Smart Routing & AI Optimization** – Advanced algorithms analyze transaction patterns and direct payments to the most successful processing routes, improving approval rates and minimizing costs.

*   **Global Payment Method Support** – Seamless integration with leading international and local PSPs ensures businesses can accept payments across diverse markets without additional complexity.

*   **Advanced Fraud Prevention** – AI-powered fraud detection and risk assessment tools minimize fraudulent activities, protecting both businesses and customers.

*   **Scalable & Customizable Solutions** – Whether a startup or an enterprise, Akurateco offers tailored solutions that adapt to unique business needs, ensuring maximum flexibility and scalability.

*   **Seamless Integration & Real-Time Reporting** – The platform provides a single integration point, reducing technical overhead while offering comprehensive transaction insights to drive informed business decisions.

****Final Thoughts****

Adopting a Payment Orchestration Platform is crucial for businesses looking to simplify payment processing, reduce costs, and increase revenue. By consolidating payment providers, automating transaction routing, and enhancing security, payment orchestration platforms empower businesses to achieve seamless financial operations.

A leading provider like Akurateco offers innovative and secure payment solutions that enable companies to unlock new growth opportunities while ensuring reliable and secure transactions. Businesses that invest in payment orchestration today will be well-positioned to succeed in the competitive digital market of tomorrow.

Featured Image via Pixabay/Megan RX

How Payment Orchestration Enhances Business Efficiency

A VPN enhances online privacy, encrypts data, and secures devices. Essential for remote work, it protects against cyber threats and ensures safer internet use.

A VPN has become an essential tool for those looking to enhance their online privacy and improve the security of their devices. In today’s age, it’s incredibly rare not to use our devices to connect to the internet. The web provides us with the ability to do almost anything, whether it be obtaining forms of entertainment, shopping online, or for educational purposes.

It’s also become a way in which many work, allowing many to work from home as they can connect to a network and do the roles their job description requires of them. However, as we continue to use the web, the need to remain secure has been emphasized.

Cybersecurity has become extremely important, especially for those handling sensitive data. Hackers will look to exploit vulnerabilities within security networks because of the information or funds that could be acquired. They may use it for their gains, whether financially or for other reasons. As a result, it has become a requirement for some firms to ensure their employees (remote or on their networks) use the best proxy server and VPN tools to protect themselves at all times.

****What benefits does using a VPN provide remote workers and promote safety?****

A VPN can be extremely useful for employees using the internet for their work, whether in an office on a network connection or when working remotely. Sometimes, they may have to connect to an intranet, which may require a VPN to access and ensure they have a secure network connection that can’t be penetrated.

Most will recognize or understand what a VPN can accomplish. At a basic level, many will associate it with being able to hide/mask the IP address being used, thus allowing them to access content being blocked in a certain location.

However, they offer so much, such as encryption technologies. In addition to masking the IP address, it will encrypt all of the data being used and traveling to and from your device when using the internet, creating an additional layer of security on top. Among the many advantages available, a VPN can:

*   **Encrypt all data**: As noted, all data transferred from a used device to the internet (and vice versa) is encrypted. This makes the tool extremely secure.

*   **The device is protected fully**: A VPN will provide overall protection across the entire device. This can be better as it will leave any potential security vulnerabilities that may be unknown unbreachable.

*   **Anonymity**: VPNs hide your IP address, making it harder to track your online activities. This can add a level of security to an individual who is looking to keep their information private.

****How should a VPN be used safely?****

Using a VPN today is a very simple task. Almost anyone can do so without guidance. Those who do need a little guidance (perhaps because they aren’t familiar with the tool) can also use them effectively with a helping hand.

Several key points should be thought of and followed to ensure the best and maximum protections are in place:

*   **Using a reliable and reputable service:** Many VPNs are available. As security is a priority, it can be a very good idea to take a look at each one’s security features and compare them. Reading reviews and using those that have a positive reputation with other users should be considered. These can be trusted more so than other options that might be available.

*   **Installing it correctly:** To ensure security, it’s important to install the tool correctly and ensure it works as designed. It is highly advisable to connect to a location as soon as you start web browsing, and it is also beneficial to connect the application to every device on the network; this can eliminate any potential vulnerabilities that skilled hackers may be able to exploit.

*   **Update regularly:** As technology continues to evolve, it’s important to try to stay ahead at all times. Security firms can often provide updates as they tackle cybersecurity threats. VPNs may occasionally require updating, as hackers often look to bypass or expose weak links within the connections. By updating regularly, you can keep them at bay.

Companies that deal with sensitive data and have a team of remote workers may already have VPN policies because of the nature of the information they handle. If they don’t already, they should look to introduce them to give themselves the best chance of ensuring everyone is on the same page and can reduce any possible threat that may exist. At the same time, offering training and guidance on using one can also limit the potential chances of misuse or incorrect use.

Staying safe is of the utmost importance, and with cybercrime continuing to rise as technology becomes more advanced, VPNs can be a company’s best friend.

Featured Image Via: Rawpixel/Freepik

1.  Proxy or VPN?
2.  Tools for Testing Your Proxy Servers
3.  Can You Secure Your Smartphone with a Proxy?
4.  Everything you need to know about VPN tracking
5.  What Is a Personal VPN? Features, Benefits and How It Works

How to utilize VPN for safe work and remote work environments

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing…

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing one can be confusing for so many investors. The three commonly used are mobile, desktop, and hardware wallets. 

Mobile and desktop wallets are called hot wallets, which means they are connected to the internet. Hardware wallets, on the other hand, are cold and thus don’t require Wi-Fi. However, all these wallets are non-custodial. You have the full responsibility of protecting your keys.

In this article, we will look at mobile, desktop, and hardware wallets to help you determine the best option for your investment. 

****Hardware Wallet****

Hardware crypto wallets offer offline protection. These are physical devices used to store your private keys. Since they are not connected to the internet or any other devices, hardware wallets are typically considered more secure, but they can be a little complicated to use. 

Modern hardware wallets are more refined. For example, if we look at the Tangem wallet review, you will learn that these devices are designed similarly to modern credit cards and use smartphone displays, making them convenient to carry around. 

Hardware wallets are ideal for large investments since they are highly secure and less susceptible to online attacks. It is best to buy these wallets from authorized dealers or the main company to avoid getting a counterfeit one. 

****Mobile Wallets****

Mobile crypto wallets are apps you can download on your phone to manage your cryptocurrency. It can be on your main phone or another mobile device. These wallets are very portable, enabling you to make transactions on the go. Most mobile wallets have a PIN and a recovery phrase to increase security. 

The major downside is walking around with your wallet is risky. You can easily lose your phone, which makes your wallet vulnerable to hacking. However, some people are adopting to use of a second phone as their mobile wallet which is more secure. The phone is often disconnected from WiFi and may even not include a plan. You only switch it on when making a transaction. 

Generally, mobile wallets are ideal for people who use crypto often, especially in small transactions. It is also a good option for beginners who don’t have a large investment. 

****Desktop Crypto Wallets****

Desktop wallets are software or programs you can install on your computer. Most wallets are compatible with common operating systems like Windows, Linux, and Mac. These are very similar to desktop wallets but some providers offer extra advantages. 

For example, some software wallets allow you to keep your keys offline on a USB drive, essentially functioning like hybrid crypto wallets. Desktop wallets are more secure than mobile ones but are not portable since it is not quite convenient to carry your desktops everywhere. 

The main risk is that if your device gets infected by a virus or malware, your crypto could be jeopardized. Desktop wallets are a good alternative for anyone looking for a secure wallet that is not for everyday use.

****Conclusion****

Choosing the best crypto wallet depends on your use and the size of the investment. For those who use crypto daily, mobile wallets are the best choice. If you want a foolproof, secure wallet, opt for hardware. However, if you are using browser-generated wallets watch out for security vulnerabilities like Randstorm which is currently impacting billions in crypto assets worldwide.

1.  Benefits of Using an Anonymous Bitcoin Wallet
2.  Biggest Crypto Scam Tactics and How to Avoid Them
3.  Power Plants to eWallets: ZTNA’s Role in the Gig Economy
4.  Study Finds AI Guesses Crypto Seed Phrases in 0.02 Seconds
5.  The Growing Importance of Secure Crypto Payment Gateways

Hardware Crypto Wallets vs. Mobile vs. Desktop: Which Should You Choose?

Bitdefender warns CS2 fans of scams using hijacked YouTube channels, fake giveaways, and crypto fraud. Protect your Steam account and avoid phishing traps.

Bitdefender Labs has uncovered a series of scams targeting the Counter-Strike 2 (CS2) community, exploiting major esports events like IEM Katowice 2025 and PGL Cluj-Napoca 2025.

According to Bitdefender’s investigation, shared with Hackread.com, cybercriminals are hijacking YouTube channels and impersonating popular professional players such as s1mple, NiKo, and donk to trick fans into fraudulent giveaways. These scams have several stages and aim to steal Steam accounts, cryptocurrency, and valuable in-game items.

First, scammers hack YouTube accounts, often those with established subscriber bases.  They then rebrand these channels to mimic well-known CS2 pros, removing original content.  

Next, they broadcast fake livestreams, using looped gameplay footage to create the illusion of a live event. These fake streams promote fake giveaways of CS2 skins, cases, or cryptocurrency, often using QR codes or malicious links to direct viewers to malicious websites. 

Fake CS2 impersonations, fraudulent skin giveaways, and hacked YouTube channels streaming deceptive livestreams (Source: Bitdefender).

These websites prompt victims to either log in with their Steam accounts, leading to inventory theft, or send cryptocurrency with promises of doubled returns, resulting in direct theft of digital assets. To appear more legitimate, scammers often post about the fake giveaways in the community section of the hijacked channel, disabling comments except for their own deceptive messages.

Bitdefender’s report found that scammers are also running cryptocurrency-doubling schemes. In these scams, they entice victims to send Bitcoin or Ethereum with the promise of doubling their investment. These schemes often use fake endorsements from CS.MONEY or professional players, falsely advertising substantial prize pools.

Some red flags include promises of doubling deposits, requests to send cryptocurrency up front, and a lack of verifiable association with legitimate esports organizations. These scams are strategically timed to coincide with major esports events like IEM Katowice and PGL Cluj-Napoca to maximize their reach.

“Scammers, tactics are evolving to exploit the hype surrounding major esports events. Whether they are stealing Steam inventories or cryptocurrency deposits, their goal is always financial gain at the expense of unsuspecting players. If there’s one thing gamers should remember is that in the world of CS2 and esports, nothing valuable comes for free!” they concluded.

Therefore, gamers should verify YouTube channels’ legitimacy by checking for content beyond livestreams and recent uploads and avoid clicking on suspicious links and QR codes. They also advise against CS2 giveaways, as legitimate ones are rare and typically hosted by official esports organizations.

Bitdefender also warns content creators, including those streaming esports and CS2, about potential phishing threats. Moreover, to protect your Steam account, enable Steam Guard Mobile Authenticator and Steam’s Multi-Factor Authentication. Regularly review login activity for unauthorized access, report suspicious activity or livestreams to YouTube and warn other gaming communities. 

1.  **Hackers Using Fake YouTube Links to Steal Login Data**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **New YouTube phishing scam using authentic email address**
4.  **“Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets**
5.  **Hacked YouTube Channels Use Trump Assassination for Crypto Scam**

Hackers Hijack YouTube Channels to Target CS2 Fans with Fake Giveaways

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from…

In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.

Bybit, the world’s second-largest cryptocurrency exchange, has confirmed today that it suffered a major security breach resulting in the theft of approximately $1.4 billion worth of Ethereum. The stolen funds were taken from one of the exchange’s cold wallets, which are designed to store cryptocurrency offline and are generally considered highly secure.

Bybit CEO Ben Zhou addressed the situation in a statement, acknowledging the incident and confirming that the company is currently conducting a thorough investigation to determine the exact cause of the breach and the extent of the damage.

While the details of the attack remain undisclosed pending the investigation, Zhou reassured users that Bybit has the financial capacity to cover the losses and that customer funds remain safe. He emphasized that trading and other platform operations are continuing as normal.

> Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.
> 
> — Ben Zhou (@benbybit) February 21, 2025

The scale of the theft has, understandably, triggered widespread anxiety among Bybit users and the cryptocurrency market. Questions are being raised about how such a massive amount of cryptocurrency could be stolen from a cold wallet, which is typically isolated from the internet to protect against online attacks.

Questions are being raised regarding the potential involvement of sophisticated hacking techniques, insider threats, or a combination of both. The incident underscores the persistent security challenges facing the cryptocurrency industry, despite advancements in technology and security measures.

This massive hack comes at a time when the cryptocurrency market is already grappling with volatility and uncertainty. The news of the Bybit breach has further eroded investor confidence and has the potential to trigger a broader market downturn. The timing couldn’t be worse for Bybit, which has been striving to establish itself as a leading player in the competitive cryptocurrency exchange market.

****Involvement of the Lazarus Group****

According to ZachXBT, a crypto scam investigator, the hack has been linked to the notorious North Korean Lazarus Group, known for stealing Bitcoin on behalf of the government.  

> BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
> 
> At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
> 
> His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
> 
> — Arkham (@arkham) February 21, 2025

Nevertheless, Bybit offers a vast selection of over 753 cryptocurrencies, including major ones like Bitcoin (BTC), Ethereum (ETH), Solana (SOL), and XRP. On top, over 40 million people use the exchange. Therefore, the investigation into the hack is expected to be complex and lengthy, involving cybersecurity experts and potentially law enforcement agencies.

The outcome of this investigation will not only impact Bybit’s reputation but also have significant implications for the future of cryptocurrency security and investor trust in the digital asset space. This incident clearly shows the risks of investing in cryptocurrency and why crypto exchanges require strong security measures.

Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange

TopSec data leak: 7000+ documents expose potential Chinese government surveillance and censorship practices. Learn about the key findings…

TopSec data leak: 7000+ documents expose potential Chinese government surveillance and censorship practices. Learn about the key findings and implications.

A data leak from TopSec, a prominent Chinese cybersecurity firm, has exposed details about the company’s operations and its probable involvement in internet censorship for the Chinese government. 

This was revealed by SentinelOne whose SentinelLABS threat research team analysed the leaked data including over 7,000 lines of work logs and code used for DevOps practices.  The data revealed scripts connecting to Chinese government hostnames, academic institutions, and news sites, suggesting TopSec’s services extend to a wide range of organizations.

The latest allegation against a Chinese company came just a few months after the United States sanctioned two Chinese firms, Integrity Technology Group and Sichuan Silence Information Technology, for cyber attacks and cybercrime.

TopSec, founded in 1995, provides monitoring, IT security, big data, and cloud services. The leaked documents, according to SentinelOne’s blog post shared with Hackread.com ahead of its publishing on Friday, mention several public and private sector organizations, likely its customers or partners.

On the public side, this includes agencies like the Municipal Commissions for Discipline Inspection and the Illegal and Harmful Information Reporting Center, both key players in China’s political system and online information control. On the private side, its clients range from banks to tech companies.

The documents also detail TopSec’s involvement in projects for Bureaus of the Ministry of Public Security in several cities, including Shanghai, suggesting their participation in monitoring website security and content.  One such project, the “Cloud Monitoring Service Project,” involved monitoring website security and content, with alerts for breaches or policy violations.

The data, submitted to a multi-scanner platform, includes employee work logs, scripts, and commands used for infrastructure administration, featuring DevOps technologies like Ansible, Docker, and Kubernetes.  Critically, hardcoded credentials were found, posing a significant security risk.

SentinelLABS researchers note that the data was disorganized and in Chinese. Their analysis was mainly focused on identifying technologies and examining references in commands and API data. 

“The leaked file is very large, and disorganized, and the formatting is inconsistent, which complicates analysis. It is highly likely that we have not identified all capabilities outlined in the leak. Our analysis approach focused on translating the Chinese language content, identifying known technologies, and identifying interesting references in the commands and API JSON artifacts,” the report revealed.

The leak contained code for initializing Docker images for security monitoring, potentially involving network monitoring probes with privileged access. Work logs referenced “Sparta,” a project handling sensitive word processing, indicating censorship keyword monitoring.  Sparta, using GraphQL APIs, appears to be an in-house solution tailored for Chinese language processing. Severe detection alerts were reportedly distributed via WeChat.

Example of work logs from the file with English translation (Screenshot from SentinelLabs)

TopSec offers web content monitoring services, including “Website Monitoring Service” and detection of events related to tampering, hidden links, and sensitive words. The “WebSensitive” event, is triggered by politically sensitive words.

Moreover, a task list focused on sensitive word monitoring in September 2023, with alerts sent to Zhao Nannan, whose background and subsequent career move suggest a link to political events.  

Coincidentally, the head of the Shanghai SASAC, where Zhao Nannan later worked, was under corruption investigation at the same time, raising questions about the reported “validated events.”  The Shanghai Municipal Commission for Discipline Inspection is a TopSec customer.

This leak, while its origin remains unclear, highlights the close ties between the Chinese government and private cybersecurity firms and emphasizes the importance of proper credential management and secure coding practices. Using secrets managers integrated with CI/CD pipelines can minimize the risk of credential exposure and subsequent compromise.

Leaked Files Tie Chinese Cybersecurity Firm to Government Censorship

Learn how to sue companies under GDPR for data misuse. Understand your rights, file complaints, and claim compensation…

Learn how to sue companies under GDPR for data misuse. Understand your rights, file complaints, and claim compensation for privacy violations.

Under the General Data Protection Regulation (GDPR), individuals have the right to sue and seek compensation if their personal data has been mishandled by a company. This comprehensive guide outlines the steps to take legal action against organizations that violate your data protection rights.

**Table of Contents**

1.  Understanding Your Rights Under GDPR
2.  Steps to Take Before Pursuing Legal Action
3.  Initiating Legal Proceedings
4.  Recent Developments and Notable Cases
5.  Considerations Before Suing
6.  Conclusion

****Understanding Your Rights Under GDPR****

The GDPR, implemented in 2018, empowers individuals to control how their data is used and processed. Article 82 of the GDPR specifically provides individuals with the right to receive compensation for material or non-material damage resulting from a company’s infringement of the regulation.

****Steps to Take Before Pursuing Legal Action****

*   **Contact the Organization**: If you believe your data has been mishandled, first reach out to the company responsible. Clearly outline your concerns and request information about how your data has been used or shared.

*   **Lodge a Complaint with a Data Protection Authority (DPA)**: If the organization’s response is unsatisfactory, you can file a complaint with your national DPA. They are obligated to investigate and inform you of the progress or outcome within three months.

*   **Gather Evidence**: Document all communications with the organization and the DPA. Collect any evidence that supports your claim, such as emails, letters, or records of unauthorized data disclosures.

****Initiating Legal Proceedings****

If the issue remains unresolved, you may consider taking legal action:

*   **Fill in the Complaint Form:** Before submitting your complaint, review the Data Protection Notice and the complaints checklist. You will need to fill out this form which will require details such as the EU institution, body, or agency involved, a description of the violation, what action you seek, the date of the incident, supporting evidence, and your personal information.

*   **File a Claim in Court**: You can bring an action directly before a court against the company. The court will evaluate whether the GDPR has been violated and determine the appropriate compensation for any damage suffered.

*   **Follow Expert Advice:** Consult with legal professionals specializing in GDPR and data protection laws to understand your rights, assess your case, and navigate the legal process effectively.

****Recent Developments and Notable Cases****

GDPR enforcement has led to significant fines and legal actions against companies:

*   **Meta Platforms**: In May 2023, Meta was fined €1.2 billion for transferring the personal data of European users to the United States without adequate protection mechanisms.

*   **Uber**: In August 2024, Uber faced a €290 million fine by the Dutch Data Protection Authority for improperly transferring European drivers’ data to the U.S., violating GDPR provisions.

*   **Facebook Data Breach**: A German court ruled in November 2024 that users affected by a 2018-2019 Facebook data breach are eligible for compensation, recognizing loss of control over personal data as grounds for damages. A hacker had leaked the personal data of 533 million Facebook users.

****Considerations Before Suing****

Before taking legal action under GDPR, it’s essential to assess the impact of the data breach on your personal and financial well-being. If the breach has resulted in material damage, such as financial loss or identity theft, you may have a stronger compensation case. However, even if there is no direct financial harm, non-material damage, such as emotional distress or reputational harm, can also be grounds for a claim.

Legal proceedings can be both costly and time-consuming, making it crucial to understand the potential expenses and commitments involved. Court cases may take months or even years to resolve, and the financial burden of legal fees should be carefully considered before proceeding. Seeking professional legal advice can help you evaluate whether your case is strong enough to justify the effort and costs.

In some situations, alternative dispute resolution methods like mediation or arbitration may be viable options. These approaches can offer a faster and less expensive resolution compared to lengthy court proceedings. Exploring these alternatives before initiating a lawsuit could save time, money, and stress while still holding the company accountable for its GDPR violations.

****Conclusion****

Exercising your rights under the GDPR is important in holding organizations accountable for the misuse of personal data. By following the appropriate steps and seeking professional legal advice, you can navigate the process of claiming compensation effectively. Staying informed about recent cases and developments will further empower you to protect your data privacy rights.

Feature Image via PixaBay/Sergeitokmakov

How to Sue a Company Under GDPR for Data Misuse and Privacy Violations

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and…

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and Marcher trojan through compromised websites.

Cybersecurity researchers at Proofpoint have identified two new cybercriminal groups behind a wave of fake browser update scams designed to infect users with malware. These groups, tracked as TA2726 and TA2727, are using compromised websites to trick visitors into downloading malicious software with now including a newly discovered Mac-specific information stealer called FrigidStealer.

****How the Attack Works****

The scam relies on web injects, a technique where attackers insert malicious code into legitimate websites. When users visit an infected site, they see a fake browser update prompt urging them to download and install an update. Instead of a real update, the download delivers malware that can steal sensitive data or install more dangerous payloads.

****TA2726 and TA2727****

TA2726 operates as a traffic seller, essentially providing this redirection service for other malicious actors. Researchers believe that TA2726 appears to be working alongside TA569, a previously known threat actor and once the main player in “fake update” campaigns. TA2727, on the other hand, according to Proofpoint’s blog post, is actively distributing malware itself, often employing the “fake update” ruse to trick users.

One recent campaign observed TA2727 delivering different malware based on the victim’s location. In the United States and Canada, users were directed to the SocGholish inject, which led to the installation of malware. But in Europe, Windows users encountered a fake browser update prompt that installed the Lumma Stealer, while Android users were targeted with the Marcher banking trojan.

****FrigidStealer macOS Malware****

The new FrigidStealer targets Mac users, and the attack starts with a fake update message that redirects them to a malicious file. If clicked, the file, disguised as a browser update (both Chrome and Safari), installs the information stealer. FrigidStealer then secretly harvests sensitive data like browser cookies, files related to passwords and cryptocurrencies, and even Apple Notes, just like the recently spotted new variant of the XCSSET malware.

Fake Safari and Chrome browser update websites delivering FrigidStealer (Via: Proofpoint)

The malware is written in Go and uses WailsIO, a framework that allows the fake update window to look realistic. It also bypasses Mac’s Gatekeeper security feature by requiring users to right-click and select “Open,” a common trick used by Mac malware authors.

****Windows and Android Users Also Targeted****

Mac users aren’t the only ones at risk. The same attack chain has been found delivering Marcher banking trojan for Android and Lumma Stealer and DeerStealer for Windows.

For Android users, clicking the update downloads Marcher, a banking trojan that has been active since 2013 and is designed to steal login credentials from banking apps. If a Windows user clicks the fake update, they receive an MSI installer that loads a trojanized DLL, ultimately running Lumma Stealer to extract credentials and financial data.

Users can still protect themselves by learning basic cybersecurity practices, learning how to spot a phishing email, avoiding third-party apps and tools, and scanning files and links on sites like VirusTotal or ANY.RUN.

Source

HackRead