There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.

Tuesday, February 25, 2025 06:17

*   There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. 
*   Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
*   Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
*   Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
*   There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.

The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces.

When we think about online safety in the context of these platforms, we often concentrate the majority of our efforts and recommendations on the threats targeting buyers. In many cases, scammers are also actively targeting the people selling items on these platforms as well. From an adversarial perspective, it makes sense to target sellers, as these are likely to be individuals with large amounts of cash sitting in their accounts as they frequently receive payments for items they sell. Likewise, adversaries can easily monitor the public listings of seller accounts to identify when high-value items are listed, as well as when they are sold, so that they can identify when a target could reasonably be expected to receive an influx of cash into their accounts. 

Likewise, many platforms train their sellers to expect frequent, unsolicited account verification prompts delivered in any number of ways, which provides the perfect pretext for scammers seeking to take advantage of this pool of targets. From a detection and analysis standpoint, these types of attacks are often difficult to effectively combat, as platform providers, intelligence analysts, and law enforcement agencies are forced to primarily rely on self-reporting from victims to quantify the scope and impact of these types of threats. Let’s break down a few examples of some of the most common scams that target the individuals or organizations selling products on online marketplaces.

We created this handy guide for you to share with anyone you know who sells online:

**Phishing and malware scams**

While some scams attempt to fraudulently steal items, others are primarily aimed at stealing financial information from sellers by leveraging the platform’s messaging feature(s) as a mechanism to directly communicate with them for the purposes of phishing or malware distribution. In some cases, phishing is used to compromise the seller account itself, enabling the attacker to manipulate listings, shipments, modify automated payout settings, and communicate with current and previous buyers to conduct additional fraudulent activities. In other cases, phishing is used to obtain financial information, such as bank account or credit card information, that can be used to steal money from the seller.

**Payout account verification scams**

In a recent example, a /r/guitarpedals user reported that they had received a suspicious direct message on their Reverb seller account. The message was crafted to appear as if it was sent from the Reverb team itself. It informs the seller that their item has sold and prompts them to complete account verification to ensure that they receive payment for the item(s) they have sold.

A hyperlink, present in the message (and shown below), attempts to leverage Reverb’s own redirection functionality to direct victims who click on the hyperlink to a malicious web server under the attacker’s control.

This technique uses percent encoding, an obfuscation technique, to mask the destination of the redirect and make it appear as if the link is pointing to the legitimate Reverb website.

This URL, when accessed, returns an HTTP/302 redirection to another attacker-controlled web server, but ultimately the victim receives the following landing page. The attacker has put effort into making sure it appears legitimate and mimics what the victim expects to see. A chat message prompts the victim to complete the verification process by following the on-screen instructions.

A “Receive Funds” button has been positioned behind the chat popup shown in the previous screenshot. When the victim clicks this button, they are presented an input form and prompted to provide the credit card information necessary to verify their desired payout account. Throughout this process, additional chat message popups are delivered to lend credibility to the process.

Since this is the account the seller would like to use to receive payments for items sold on the platform, it likely also contains any funds associated with previous sales, and will likely frequently receive lump sums when future items are sold, presenting a myriad of opportunities for attackers to monetize the account and assets within it, now or in the future. For example, if a threat actor successfully obtains credit card details for a seller account with multiple high-value items actively listed, they can simply wait until an item sells before attempting to monetize it.

Assuming the victim enters valid credit card details, a message will be displayed requesting additional information.

The additional information in this case is the balance of the account that is being “verified.” A new chat message appears, prompting the user to enter the balance in their account, presumably so that the attacker can more effectively prioritize which accounts to empty first.

Assuming the victim enters their balance information, they are presented with the following message letting them know that it will take a period of time before they notice any changes to their accounts.

At this point, the adversary has obtained credit card details that they can then monetize however they choose. It’s important to note that while this particular example targeted sellers using the Reverb platform, most other online marketplaces experience similar threats as well. We have also observed Reverb often taking rapid response actions when attempting to send messages containing percent-encoded hyperlinks, indicating that the platform is aware of the issue and has put in place some mechanisms to help reduce the frequency and quantity of these types of messages on the platform.

Reverb also presents warning messages to let users know when they are being redirected to a third-party domain, as shown in the screenshot below. 

It is important to always validate the destination of hyperlinks received from unsolicited sources and to limit access to off-platform resources when conducting business on online marketplaces.

It is also important to note that direct messaging within marketplaces is not the only mechanism used for this type of scam. Below is a screenshot of an email received by a Shopify storefront owner attempting to convince them to verify their payout account information, similar to the previous example described above.

Below is another example. In this case, the threat actor has sent an email claiming that the seller has received a chargeback claim from a customer and prompting them to take action. Since chargebacks are often received for a variety of reasons, sellers may be more easily convinced to provide account or credit card information when prompted with a claim related to a chargeback.

If an email is received from an online marketplace, the platform will typically also provide warning messages, banners, and other mechanisms to alert sellers of the same issue. In the case that a seller receives an unexpected email related to payment issues, sellers should attempt to resolve issues directly on the platform rather than accessing content or responding to the email. 

**Scams to remove seller protection**

When selling new or used items using online marketplaces, one of the most important elements influencing platform and payment method selection for many people are the seller protection policies in place. These policies often provide protection from common types of fraudulent claims that may be made by buyers, such as non-receipt, damage, etc. In order to remain in effect, they generally require both the buyer and seller to perform the transaction following certain requirements that enable proper resolution should an issue arise. 

In an effort to remove these protections and make it easier to successfully monetize their scam(s), scammers posing as buyers will often attempt to convince sellers to conduct portions of the transaction “off-platform,” as this will void the protection policy that would otherwise be in place using a variety of different pretexts and themes. Likewise, some scammers target the shipping part of the transaction process, attempting to convince sellers to modify the shipping to void the seller protection policy afforded by the platform. By removing the ability for the seller to leverage the protection policy afforded by the platform used to sell the item, many of the normal recourse steps usually taken when dealing with fraudulent buyers are no longer available to the seller.

**Off-platform transactions**

Scammers also frequently use a variety of pretexts to attempt to convince sellers to perform the financial transaction associated with an item purchase using third-party platforms separate from the one on which an item was originally listed. They will attempt to trick victims into moving to an alternative mechanism for performing the transaction so that the seller loses most of the protection(s) afforded by the marketplace. 

In many cases, scammers will use additional pressures, such as time sensitivity, urgency, or manipulated screenshots showing failed transaction attempts, to convince sellers to perform transactions using alternative means, such as wire transfers or money transfer platforms, where seller protections are limited and—in the case of fraud—most recourse options are no longer available. 

There are countless examples of different pretexts being used in varying capacities, all ultimately for the same purpose, to convince sellers to leave the marketplace to perform the transaction elsewhere so that seller protections against fraudulent activity on the part of the buyer are removed.

**Shipment detail changes**

Since a seller account’s past and current item listings are easily accessible from the seller’s profile, it is easy for adversaries to leverage information contained within these listings (**_including photos_**) when building pretexts that are used to target the individual operating the seller account. One common way that adversaries leverage this information is by tailoring their messaging to account for both active and recently sold listings related to the seller they are communicating with. 

In the screenshot below, a scammer is contacting sellers on Ebay claiming to be an individual who purchased an item recently sold by the seller(s). The scammer hopes that by timing their message properly, they can take advantage of sellers who may not be paying close attention to the username listed in the message. For many sellers who are managing large numbers of listings, it can often be overwhelming to maintain many different streams of communication and/or multiple transactions simultaneously, leading them to respond quickly or otherwise take action (like modifying shipping instructions) without properly validating the content of the message.

Online reports indicate that it is not uncommon to receive these types of unsolicited messages, regardless of whether a seller has recently sold an item, which may be due to some level of automation being used to generate and transmit the messages. 

If the seller is convinced to change the destination address for the shipment due to receipt of one of these scam messages, the item that was sold may be shipped to an address under the attacker’s control. The attacker is then able to monetize the item while the original buyer does not receive the item that they purchased. Many of the protections afforded by online marketplace are lost when the shipping address used does not reflect what was present on the order at time of purchase, opening the seller to additional exposure as the buyer’s loss will still need to be resolved.

**The "friends and family" option**

Social media sites like Reddit have become very popular for posting used items to solicit interest from other users of a given subreddit. In some subreddits, there are even official or unofficial “Want to Buy / Want to Sell” (WTB/WTS) threads, where users can list items they are selling or items they would like to purchase. This creates an ideal pool of potential victims for scammers seeking to target users of these platforms.

Since Reddit is not an online marketplace, the transactions associated with this activity typically take place using money transfer platforms, such as Paypal, Zelle, or Venmo. Scammers will often leverage compromised accounts on these money transfer platforms when communicating with sellers (or buyers), often attempting to convince them to use the “friends and family” (or equivalent) payment option available on many of these platforms. Often, sending or receiving money with this option enabled removes many of the mechanisms in place to protect sellers from chargebacks and other fraudulent activity. Sellers should never enable this option when processing payments for goods they may sell via online marketplaces, social media sites, or in any transaction where protection against fraud is desired. 

In some cases, this method may be combined with other methods seeking to convince sellers to perform transactions outside of established platforms, then once the seller has agreed, scammers can leverage this option to further remove seller protections.

**Recommendations**

Most of the online literature related to defending against the scams pervasive on online marketplaces is geared towards the buyer experience. Recent trends in social media reporting indicate that sellers are also being increasingly targeted. While some of the scams faced by sellers resemble those faced by buyers, there are many that are unique. It is important that individuals or organizations leveraging online storefronts and/or marketplaces be aware of these threats so that they can prevent themselves from falling victim. 

It is extremely important that online marketplace accounts be protected with multi-factor authentication (MFA) whenever the platform supports this capability. This will provide an enhanced layer of security in cases where the account credentials are compromised as an additional authentication factor will still be needed to successfully access the account. 

When posting listings for items, be mindful of any photos that accompany the listing. Not unlike posting images to other social media platforms, items or objects in the background may unintentionally disclose sensitive information that could be used for malicious purposes. The information provided could also be leveraged to create more convincing or effective pretexts for later scam activities targeting the seller(s).

Avoid using third party services or platforms when conducting business transactions on online marketplaces. Take advantage of the protections afforded by the platform and avoid taking any actions that may jeopardize them. Reasonable buyers will be willing and able to conduct business following the standard platform transaction process. Sellers should avoid feeling pressured or worried about losing a sale and insist that the transaction take place in accordance with the policies of the online marketplace platform.

Verify the account associated with any messages received on online marketplaces. Always spend the time to validate that the message was actually received from the account of the buyer who purchased any recently sold items. Likewise, most platform support teams will not contact users via direct messaging for account verification or other sensitive processes as most of the time, these processes are directly supported by the platform itself. If a seller receives a direct message purporting to be from the platform itself, caution should be exercised and the message should be validated by contacting the support team separately using the information published on the marketplace website.

Sellers should also avoid modifying destination shipping addresses after orders have been placed. If a buyer asks to change the shipping address for an item they recently purchased, sellers should consider suggesting that they change their address using the online marketplace itself and contact support facilitate the change prior to shipping. This helps ensure that the seller is not deviating from the order that was placed, and helps ensure that they do not lose the seller protections afforded by the platform.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here.

Your item has sold! Avoiding scams targeting online sellers

Cary, NC, 25th February 2025, CyberNewsWire

**Cary, NC, February 25th, 2025, CyberNewsWire**

 INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition as an enterprise and small business leader in online course providers and cybersecurity professional development, along with its designation as the recipient of G2’s 2025 Best Software Awards for Education Products. This category of awards ranks the world’s top 50 software education products based on authentic reviews from more than 100 million G2 users. 

> “We are thrilled to be recognized for a second consecutive year by G2’s Best Software Awards,” said Dara Warn, CEO of INE. “This is not only a testament to INE’s robust educational offerings but also underscores our dedication to empowering enterprise teams and professionals with the skills they need to thrive in a challenging digital landscape. We are proud to set the standard for quality and effectiveness in cybersecurity and technical education, as evidenced by the success of our students.”

G2’s Best Software Awards rank the world’s best software companies and products based on verified user reviews and publicly available market presence data. Fewer than 1% of vendors listed on G2 are named to the list. 

> “The 2025 Best Software Award winners represent the very best in the industry, standing out for their exceptional performance and customer satisfaction. The stakes for choosing the right business software are higher than ever,” said Godard Abel, co-founder & CEO at G2. “With over 180,000 software products and services listings and 2.8 million verified user reviews in the G2 marketplace, we’re proud to help companies navigate these critical choices with insights rooted in authentic customer feedback. Congratulations to this year’s honorees!”

G2 badges, released quarterly, recognize INE’s strong performance compared to competitors in specific areas, including its enterprise cybersecurity training and certification offerings, the depth and breadth of its online learning library, and global impact. INE earned the following G2 badges for Winter 2025:

*   **Fastest Implementation, Online Course Providers**
*   **Leader, Cybersecurity Professional Development**
*   **Leader, Online Course Providers**
*   **Leader, Technical Skills Development**
*   **Enterprise Leader, Online Course Providers**
*   **Small Business Leader, Online Course Providers**
*   **Leader, Asia Online Course Providers**
*   **Leader, Asia Pacific Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Momentum Leader, Online Course Providers**
*   **Small Business High Performer, Technical Skills Development**
*   **High Performer, India Online Course Providers**
*   **High Performer, Europe Online Course Providers**
*   **High Performer, Asia Technical Skills Development**

INE was recently named to Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications. The list showcases some of the best ethical hacking certifications for cybersecurity professionals. 

In reviewing the eCPPT, reviewers noted: 

*   The realistic experience
*   A robust training program
*   Its credentials to boost employability in Europe (specifically noted as “remarkable”). 

In reviewing the eWPTX, reviewers applaud: 

*   The challenging nature of the exam
*   Requiring advanced methodologies and skills in creating exploits that “modern tools couldn’t fathom.” 

With a suite of the best cybersecurity certifications and training programs designed for teams and individuals, INE continues to lead in developing cybersecurity professionals equipped with real-time, hands-on experience to manage cyber threats and security incidents. Our award-winning cybersecurity software and comprehensive training in network security, cloud security, and risk management, prepare learners to become certified ethical hackers (CEH), certified information systems security professionals (CISSP), and more, solidifying our reputation as the trusted partner in cybersecurity excellence and threat intelligence.

**About INE:** 

INE is the premier provider of online technical training for the IT industry. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering the most advanced technical training on the planet, while also lowering the barriers worldwide for those looking to enter and excel in an IT career. 

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Secures Spot in G2’s 2025 Top 50 Education Software Rankings

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer.
The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025.
A notable aspect of the stealer malware is the use of a technique called dead drop

New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its…

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its attacks, according to research from the AhnLab Security Intelligence Center (ASEC). This malware, which initially appeared in mid-2024 as a beta version, has seen a significant increase in distribution since 2025, with February’s volume mirroring January’s and indicating a potential surge.

It is worth noting that, according to Hudson Rock’s report, infostealers have become the biggest threat to critical infrastructure. The report reveals that computers belonging to the US Army, Navy, and even the FBI have been compromised, with stolen data available on the dark web for as little as $10.

In the ongoing campaign, ASEC’s monitoring confirms that ACRStealer is spread through software cracks and key generators, commonly used for software piracy, and the malware is frequently disguised as these illegal programs. 

While Lumma Stealer and Vidar have been dominant infostealers distributed this way, researchers observed that ACRStealer’s presence is growing rapidly. According to their report, the distribution trend of ACRStealer from June 2024 to February 2025 indicates a dramatic rise in 2025.

Platforms used to distribute the infostealer disguised as a crack (Screenshot via AhnLab).

ACRStealer boasts a range of malicious capabilities. It can detect installed antivirus solutions, steal cryptocurrency wallets and login credentials, extract browser data, harvest FTP credentials, and read all text files. This stolen information allows cybercriminals to target financial assets and personal accounts. Stolen credentials grant access to email, social media, and banking services. This data can also be used for identity theft or sold on dark web markets.

A key feature is ACRStealer’s C2 server communication. Instead of embedding the server’s IP, it uses a Dead Drop Resolver (DDR). This method involves the malware contacting a legitimate service, such as Google Docs or Steam, to retrieve the C2 server’s domain. ASEC has identified several platforms used as intermediary C2s, including Steam, telegra.ph, and various forms of Google Docs (Forms and Presentations).

This approach allows attackers to easily change the C2 domain if it is compromised without needing to update the malware itself. They simply modify the information within the intermediary C2. 

The actual C2 domain, retrieved from the intermediary C2, is combined with a hardcoded UUID (Universally Unique Identifier) to create the URL for downloading encrypted configuration data. This data contains crucial information like target programs, additional malware URLs, file extensions, and target extension IDs.

The configuration file specifies a wide range of data to be stolen, including browser data, text files, cryptocurrency wallets, FTP information, chat program information, email client information, remote program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information. 

Also, it targets numerous programs, from browsers like Chrome and Firefox to cryptocurrency wallets like Binance and Electrum, chat programs like Telegram and Signal, and various browser plugins. Collected files are often compressed before transmission.   

AhnLab’s research highlights ACRStealer’s adaptable approach, constantly changing platforms and the locations of C2 information within them. It operates as Malware-as-a-Service (MaaS), making infection tracking difficult. 

However, preventative measures can be taken. This involves avoiding websites distributing cracks and key generators, and downloading software only from official sources. Additionally, be cautious with links and attachments in unsolicited communications, enable multi-factor authentication (MFA) for added security, and maintain an active anti-malware solution.

Hackers Use Google Docs and Steam to Spread ACRStealer Infostealer

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing…

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing security.

****How Does Payment Orchestration Work?****

A Payment Orchestration Platform (POP) functions as an intelligent intermediary between merchants and multiple payment service providers (PSPs). It facilitates seamless payment transactions by dynamically selecting the best route for each payment, optimizing approval rates, reducing costs, and enhancing security.

By leveraging real-time analytics and machine learning, POPs improve transaction efficiency by identifying the most reliable and cost-effective payment pathway. Additionally, advanced security protocols, such as tokenization and AI-driven fraud detection, protect customer data. With payment orchestration, businesses can scale efficiently while maintaining high-security standards and minimizing transaction failures.

****Core Functions of Payment Orchestration Services****

According to Akurateco, a payment orchestration service, core functions of payment orchestration services offer several functions:

*   **Multi-Provider Connectivity**: Payment orchestration platforms seamlessly integrate with multiple PSPs, acquirers, and alternative payment methods. Instead of requiring businesses to establish individual connections, the platform offers a single integration point that enables access to various payment providers. This flexibility ensures firms can easily expand into new markets without undergoing extensive technical adjustments.

*   **Intelligent Transaction Routing**: Dynamic payment routing directs each transaction to the optimal payment provider based on predefined parameters such as transaction amount, geographical region, historical approval rates, and real-time risk assessment. Businesses can enhance approval rates and reduce unnecessary payment processing fees by routing transactions through the most reliable and cost-effective channels.

*   **Security & Compliance**: Security remains a top priority in digital transactions. Payment orchestration platforms employ multiple layers of protection, including:
    *   **Tokenization and encryption** to safeguard sensitive payment information.
    *   **AI-powered fraud detection** to identify and mitigate suspicious transactions in real-time.
    *   **Multi-factor authentication (MFA)** for added security.
    *   **Compliance with global regulations,** such as PCI DSS 3.2 and GDPR, ensures businesses meet legal and industry standards.

*   **Automated Retry & Failover Mechanisms**: If a transaction fails due to provider issues, a Payment Orchestration Platform automatically retries the transaction with an alternative acquirer or PSP. This ensures continuity in payment processing, minimizes failed transactions and improves overall revenue retention. The automated failover mechanism is particularly beneficial for subscription-based businesses and eCommerce merchants, where transaction reliability directly impacts customer experience and retention rates.

*   **Real-Time Analytics & Reporting**: Payment orchestration platforms provide businesses with actionable insights through advanced analytics dashboards. Companies can track approval rates, monitor payment trends, and identify cost-saving opportunities in real time. This level of transparency allows merchants to optimize their financial strategies and make data-driven decisions to improve profitability.

****Business Benefits of Payment Orchestration****

*   **Increased Approval Rates**: By leveraging intelligent transaction routing and failover mechanisms, payment orchestration platforms significantly improve approval rates. Payments are directed to providers with the highest probability of success, reducing declines and enhancing customer satisfaction.

*   **Lower Payment Processing Costs**: Businesses can minimize transaction fees by selecting the most cost-effective payment service providers for each transaction. Competitive acquirer selection helps reduce unnecessary expenses, ultimately increasing profitability.

*   **Faster Market Expansion**: Supporting multiple payment providers and localized payment methods allows businesses to enter new markets without the technical challenges of integrating with multiple PSPs. This accelerates global expansion and ensures a seamless payment experience for international customers.

*   **Enhanced Customer Experience**: A smooth, frictionless payment process improves the overall customer journey. Businesses can foster trust and long-term customer relationships with reduced transaction failures, secure payments, and support for various payment options.

****Akurateco: A Leader in Payment Orchestration****

Akurateco is a cutting-edge white-label Payment Orchestration Platform designed to simplify and optimize payment processing. Offering strong fraud prevention, multi-acquirer support, and advanced analytics, Akurateco helps businesses manage their transactions efficiently and securely.

****Why Businesses Trust Akurateco****

*   **Smart Routing & AI Optimization** – Advanced algorithms analyze transaction patterns and direct payments to the most successful processing routes, improving approval rates and minimizing costs.

*   **Global Payment Method Support** – Seamless integration with leading international and local PSPs ensures businesses can accept payments across diverse markets without additional complexity.

*   **Advanced Fraud Prevention** – AI-powered fraud detection and risk assessment tools minimize fraudulent activities, protecting both businesses and customers.

*   **Scalable & Customizable Solutions** – Whether a startup or an enterprise, Akurateco offers tailored solutions that adapt to unique business needs, ensuring maximum flexibility and scalability.

*   **Seamless Integration & Real-Time Reporting** – The platform provides a single integration point, reducing technical overhead while offering comprehensive transaction insights to drive informed business decisions.

****Final Thoughts****

Adopting a Payment Orchestration Platform is crucial for businesses looking to simplify payment processing, reduce costs, and increase revenue. By consolidating payment providers, automating transaction routing, and enhancing security, payment orchestration platforms empower businesses to achieve seamless financial operations.

A leading provider like Akurateco offers innovative and secure payment solutions that enable companies to unlock new growth opportunities while ensuring reliable and secure transactions. Businesses that invest in payment orchestration today will be well-positioned to succeed in the competitive digital market of tomorrow.

Featured Image via Pixabay/Megan RX

How Payment Orchestration Enhances Business Efficiency

One month into his second term, President Trump's actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the world's richest man to wrest control over their networks and data.

Trump 2.0 Brings Cuts to Cyber, Consumer Protections

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

OpenAI on Friday revealed that it banned a set of accounts that used its ChatGPT tool to develop a suspected artificial intelligence (AI)-powered surveillance tool.
The social media listening tool is said to likely originate from China and is powered by one of Meta's Llama models, with the accounts in question using the AI company's models to generate detailed descriptions and analyze documents

OpenAI Bans Accounts Misusing ChatGPT for Surveillance and Influence Campaigns

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

Tag

#intel