A massive data breach involving infostealer malware has exposed approximately 149 million accounts, including those of cryptocurrency users. This breach highlights the increasing need for robust security measures in the crypto space.

Uncovered Data: A Closer Look

Cybersecurity expert Jeremiah Fowler uncovered the breach, revealing millions of stolen credentials, including crypto exchange Binance accounts. The exposed database contained login information for major platforms like Facebook, Instagram, and Netflix, with 420,000 credentials linked to Binance users.

Understanding the Infostealer Threat

Infostealer malware silently extracts login data from compromised devices. Unlike a direct breach of Binance’s systems, this malware collects data from users’ devices, posing a significant risk to crypto wallets and online accounts. Binance emphasized that their internal systems were not compromised.

The breach included 48 million Gmail accounts, 17 million Facebook accounts, and 3.4 million Netflix accounts, among others. This incident underscores the global threat posed by credential-stealing malware, which can target financial services and government-linked domains.

Preventive Measures for Users

To combat the infostealer threat, users should employ antivirus software and conduct regular security scans. Binance advises users to use hardware-based multi-factor authentication (MFA) and maintain secure password practices to safeguard their accounts.

In response to such threats, Binance actively monitors dark web activities, alerts affected users, and initiates security measures like password resets.

Infostealer Malware Escalates

Originally reported by Kaspersky, this malware variant disguises itself as game cheats, targeting cryptocurrency wallets and browser extensions. It has attacked accounts on over 80 crypto exchanges, including Coinbase and Crypto.com.

To mitigate risks, users should keep their software updated and be cautious about suspicious downloads, especially those related to gaming or cryptocurrency apps.

As cyber threats evolve, staying informed and proactive is crucial for safeguarding digital assets.

The post Infostealer Data Breach: 149M Accounts Exposed – Critical Alert appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

Understanding the Stealka Crypto Infostealer

Unveiled by Kaspersky, the Stealka crypto infostealer is a sophisticated piece of malware that specifically targets Microsoft Windows users. Disguised as game cheats and mods, this malware has been silently hijacking accounts, stealing cryptocurrencies, and installing crypto miners on unsuspecting users’ computers since its discovery in November.

The malware’s distribution channels include legitimate platforms like GitHub, SourceForge, and Google Sites. It’s often cloaked as mods for popular games such as Roblox, or software cracks for applications like Microsoft Visio. Kaspersky researcher Artem Ushkov highlighted the use of artificial intelligence in creating deceptive websites that appear professional, further aiding in the spread of this malware.

Targeted Data and Potential Risks

The Stealka crypto infostealer is armed with an extensive arsenal of capabilities, making it a formidable threat. Its prime targets include data from browsers built on the Chromium and Gecko engines, putting over 100 browsers, including Chrome, Firefox, and Edge, at risk.

The malware focuses on extracting autofill data such as sign-in credentials, addresses, and payment card details. It also compromises the settings and databases of 115 browser extensions related to crypto wallets, password managers, and two-factor authentication services. Among the 80 crypto wallets at risk are popular options like Binance, Coinbase, and MetaMask.

Moreover, messaging apps like Discord and Telegram, email clients, password managers, and even VPN applications are vulnerable to this malware.

Protecting Yourself from Stealka

To safeguard against the Stealka crypto infostealer, Kaspersky advises using reliable antivirus software and password managers, rather than storing passwords within browsers. Users should avoid pirated software and unofficial game mods, which are common carriers of this malware.

Cloudflare has reported alarming statistics, with over 5% of emails globally containing malicious content. A significant portion includes phishing links, and many HTML attachments are deemed malicious. These figures underscore the importance of vigilance in digital interactions.

In conclusion, the Stealka crypto infostealer represents a growing threat in the digital landscape, particularly for crypto enthusiasts. Staying informed and adopting robust security practices are essential steps in countering such cyber threats.

The post Stealka Crypto Infostealer: 5 Shocking Insights into Video Game Mods appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

A Closer Look at the USDT Theft

In a move to safeguard the interests of affected companies, the DOJ has filed civil forfeiture complaints to reclaim $15.1 million in Tether’s USDT, which was illicitly obtained by North Korean hackers in 2023. These funds were traced back to Advanced Persistent Threat 38 (APT38), a notorious North Korean hacking group responsible for several high-profile cryptocurrency heists.

The funds were seized by the FBI in March 2025, and the DOJ is now seeking court approval to return the assets to their rightful owners. Although the specific incidents are not elaborated upon, the circumstantial evidence points to a series of hacks, including the $100 million theft from Poloniex in November 2023, the $37 million hack of CoinsPaid in July 2023, and the $60 million attack on Alphapo, among others.

How U.S. Citizens Facilitated the Breach

The DOJ revealed that four U.S. citizens and one Ukrainian national played a pivotal role in assisting North Korean hackers. These individuals, including Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, and Erick Ntekereze Prince, admitted to wire fraud conspiracy. They provided their identities to the hackers and hosted company laptops at their residences, creating the illusion that these workers were based in the United States. Ukrainian national Oleksandr Didenko also pleaded guilty to similar charges.

These schemes allowed North Korean IT workers to fraudulently secure employment at over 136 U.S. companies, generating more than $2.2 million in revenue for North Korea. This operation resulted in the theft of identities from over 18 U.S. citizens, further highlighting the extensive reach of these cybercriminal activities.

Implications and Ongoing Efforts

The DOJ continues to trace and seize stolen virtual currencies as North Korean hackers persist in laundering funds through various channels like virtual currency bridges and exchanges. The regime’s reliance on cryptocurrency theft, alongside remote IT worker schemes, represents a significant violation of international sanctions.

In 2025 alone, North Korean hackers have amassed over $2 billion in cryptocurrency, according to an analysis by Elliptic. This positions the regime as one of the most prolific players in global crypto theft operations.

The DOJ’s actions underscore the ongoing threat posed by North Korean cyber activities and the critical importance of international cooperation to combat such threats effectively. As the digital landscape continues to evolve, robust security measures and vigilant monitoring remain essential to safeguarding against these sophisticated cybercrimes.

The post North Korean Hackers’ Amazing $15M USDT Theft Unveiled appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

In a recent advisory, Apple disclosed that the image processing vulnerability has been addressed in updates for macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2, and iPadOS 18.6.2. The tech company acknowledged that this vulnerability may have been exploited in sophisticated attacks against selected individuals.

Understanding the Zero-Click Exploit

Cybersecurity experts highlight the zero-click exploit as particularly dangerous for crypto users. This vulnerability can be exploited without any user interaction, making it an attractive target for attackers aiming to access crypto-integrated systems. Such access could lead to financial losses through irreversible transactions.

Juliano Rizzo, CEO at cybersecurity firm Coinspect, explained that an attachment delivered via iMessage could be processed automatically, leading to a device compromise. Attackers could then access wallet data, posing a direct threat to cryptocurrency holders.

Apple Vulnerability Details

The Apple vulnerability affects the Image I/O framework, crucial for reading and writing image file formats. Improper implementation allows attackers to write to out-of-bounds memory areas, potentially executing malicious code on targeted devices.

This vulnerability compromises device security by allowing unauthorized memory access. With device memory holding all active programs, attackers can alter these programs, executing their malicious instructions.

Advice for Crypto Holders

For high-value targets using vulnerable devices for key storage, Rizzo advises migrating to new wallet keys if there are signs of compromise or targeting. He emphasizes securing primary accounts like email and cloud services to prevent further exploitation.

“While patching is critical, immediate account lockdown should not be delayed,” Rizzo notes. He also mentions that system logs, though difficult to interpret, could theoretically reveal anomalies. However, Apple and similar vendors are best positioned to detect exploitation and inform victims directly.

Crypto users must stay vigilant and implement security measures to protect their assets from such vulnerabilities. Regular updates and awareness of potential threats are crucial in maintaining the security of digital currencies.

The post Apple Vulnerability: 5 Ultimate Secrets to Secure Your Crypto Devices appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The malicious extensions, once installed, are programmed to steal user wallet credentials. “We have connected over 40 different extensions to this active and live campaign,” Koi Security stated.

The campaign, which has been running since at least April, uploaded the most recent extensions last week. These fraudulent extensions allegedly extract wallet credentials directly from the targeted sites and upload them to a remote server under the attacker’s control.

The report also highlighted how the campaign uses ratings, reviews, branding, and functionality to win user trust by posing as genuine and thus boost installation rates. Some applications even boasted hundreds of fake five-star reviews.

The deceptive extensions used the same names and logos as the real services they were mimicking. In several cases, the threat actors cloned the official extensions’ open-source code and integrated their malicious code. This deceptive strategy maintained the expected user experience while minimizing the chances of immediate detection.

While Koi Security stated that “attribution remains speculative,” they pointed to “multiple signals indicating a Russian-speaking threat actor.” These signals include Russian language comments in the code and metadata found in a PDF file sourced from a malware command-and-control server associated with the incident. “Although not definitive, these artifacts suggest that the campaign may be the work of a Russian-speaking threat actor group.”

To minimize risk, Koi Security advised users to only install browser extensions from verified publishers and to manage extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.

The post Malicious Cryptocurrency Wallet Clones Target Mozilla Firefox Users appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The Swiss Financial Market Supervisory Authority (FINMA) identified the Yuh platform, inclusive of crypto trading, as a primary target for fraudulent schemes conducted by scammers. Marc Buerki, Swissquote’s CEO, acknowledged the surge in fraudulent activities to AI technologies, which simplify the initiation of malicious campaigns. He also assured that their internal systems remained unaffected by the counterfeit websites.

Despite attempts to reach out, Cointelegraph had not received a response from the company at the time of publishing. Fraudulent activities continue to plague the crypto sector, leading to billions of dollars in annual collective losses for users and deterring potential market entrants from acquiring digital assets.

So far in 2025, onchain incidents have resulted in losses approximating $2.1 billion. A significant portion of these losses can be attributed to wallet compromises and phishing attacks. With an increase in data leaks, it is crucial for users to stay alert,” stated cybersecurity firm CertiK in May.

Phishing attacks, social engineering strategies, deceptive websites, online impersonation, and address poisoning scams consistently rank among the most prevalent tactics used by threat actors to trick users and misappropriate funds. In April, a senior citizen was targeted in a $330 million heist through a social engineering scam, as per onchain investigator ZachXBT. This theft was categorized as the fifth-largest crypto loss in history.

Even experienced industry experts are falling victim to intricate social engineering scams. In June, crypto venture capitalist Mehdi Farooq, an investment associate at Hypersphere, revealed that a phishing attack had depleted the majority of his life savings.

The post Swissquote Pressured by Regulators to Combat Crypto Fraud and Impersonation Efforts appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The report drew attention to the arrests of three individuals in Israel, allegedly engaged in espionage activities for Iran, which involved surveillance, propaganda, and intelligence collection. The intriguing aspect of this case is that the alleged operatives were remunerated using digital assets, a rarely seen method of payment in state-sponsored espionage.

“Digital assets enable cross-border transactions without the need for traditional banking systems, which makes them an ideal tool for covert operations,” TRM Labs stated in their report.

One of the suspects, 28-year-old Dmitri Cohen, was purportedly paid $500 in cryptocurrency for each completed task by Iranian intelligence services. TRM Labs pointed out that these arrests occurred shortly after Nobitex, Iran’s largest crypto exchange, was hacked.

Despite no official confirmation of a connection between the hack and the arrests from Israeli authorities, TRM Labs suggests a potential correlation based on the timing and tactical profile.

The Nobitex hack occurred on June 18, where hot wallets across several networks were emptied, resulting in over $90 million in cryptocurrency asset losses. Notably, the pro-Israeli hacker group Gonjeshke Darande claimed responsibility for this cyber attack.

The group has a history of disrupting and collecting intelligence from Iranian-affiliated platforms. According to TRM Labs, the sequence of events, including Israeli strikes, the Nobitex breach, and the arrests, raises the potential that Israeli cyber units may have exploited the Nobitex data for intelligence purposes.

While direct public evidence linking the Nobitex breach to the espionage investigations is lacking, TRM Labs suggests that the theory aligns with known tactics used by Israeli cyber defense teams and Gonjeshke Darande’s operational history.

At the time of the hack, onchain analytics platform Chainalysis identified Nobitex as a critical player in Iran’s sanctioned crypto space, with numerous ties to illicit activities.

“Nobitex’s role goes beyond being a local exchange; it serves as a vital hub within Iran’s heavily sanctioned crypto ecosystem, providing access to global markets for users isolated from traditional finance,” Chainalysis report stated.

Previous onchain investigations have linked Nobitex to nefarious actors, including ransomware operators affiliated with the IRGC and sanctioned Russian crypto exchanges.

The post Israeli Cyber Units Potentially Involved in $90 Million Nobitex Hack for Espionage, Suggests TRM Labs appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

In a recent announcement, Hacken revealed that the leaked private key was linked to an account with minting capacity on both Ethereum and BNB Chain. This security loophole led to an unauthorized production and subsequent dumping of HAI on decentralized exchanges, triggering a price drop from $0.015 to a meager $0.000056. At present, HAI is trading at $0.00026.

Despite the breach, Hacken’s team has successfully taken control of and deactivated the compromised minting account. Yet, it’s estimated that the cybercriminal still made away with tokens worth at least $250,000.

Hacken confirmed that the core infrastructure remains unaffected and secure, with the compromise limited to the private keys. The leak occurred during architectural modifications to the company’s blockchain bridge, ironically designed to prevent such incidents.

The company has temporarily suspended bridge transactions on Ethereum and BNB Chain as a safety measure. They also issued a warning about non-existent airdrops and scam posts.

Post-hack tokens purchased on the affected networks, BNB Smart Chain and Ethereum, will not be included in the new tokenomics, as stated by Hacken CEO Dyma Budorin.

Hacken’s long-term aim is to convert HAI into a regulated financial instrument, combining token utility with equity rights. All legitimate user balances are traceable and those holding HAI tokens will have the option to swap later.

A report by blockchain security firm PeckShield revealed that hackers pilfered over $1.63 billion worth of crypto in the first quarter of 2025. Similarly, liquid staking protocol Meta pool also fell victim to a comparable exploit recently.

The post Devastating Security Breach: Hacken Token Suffers 99% Plunge after $250K Cyberattack appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

Recent activities, however, indicate that the Trojan has extended its scope, striking victims in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, as per the latest data from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

In Poland, the malware exploited Facebook Ads to circulate deceptive loyalty apps. Users who clicked on the advertisement were redirected to harmful websites that delivered a Crocodilus dropper, evading Android 13+ security measures. Facebook’s transparency data reveals that these ads reached thousands of users within one to two hours, primarily targeting those aged 35 and above.

Once installed, Crocodilus overlays fraudulent login screens over authentic banking and crypto apps. In Spain, it poses as a browser update, targeting nearly all major banks. Apart from its geographical expansion, Crocodilus has also acquired new skills. These include the ability to alter infected devices’ contact lists, enabling hackers to add phone numbers labeled as “Bank Support” for potential social engineering attacks.

Another significant enhancement is an automated seed phrase collector targeting cryptocurrency wallets. The Crocodilus malware is now capable of extracting seed phrases and private keys more accurately, providing attackers with pre-processed data for quick account takeovers.

The developers have also bolstered Crocodilus’ defenses with deeper obfuscation. The newest variant combines packed code, extra XOR encryption, and deliberately complex logic to thwart reverse engineering. MTI analysts have also noted smaller campaigns focusing on cryptocurrency mining apps and European digital banks as part of Crocodilus’ increasing interest in crypto.

Related to this, an April 22 report by crypto forensics and compliance firm AMLBot disclosed that crypto drainers, malware designed to pilfer cryptocurrency, are becoming more accessible as the ecosystem evolves towards a software-as-a-service business model.

The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT). On May 19, it was disclosed that Procolored, a Chinese printer manufacturer, had been distributing Bitcoin-stealing malware along with its official drivers, using USB drivers to distribute contaminated software and uploading the compromised software to cloud storage for global access.

The post Crocodilus Malware Expands Reach Globally, Targets Crypto and Banking Platforms appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The group has set its sights on various exchanges, including Phemex and Bybit, and they even attempted to deceive a BitMEX staff member by proposing a bogus project as a disguise for a phishing attempt to implant harmful software on the staff member’s device. However, BitMEX is now retaliating by delving into the malevolent code deployed by the hacker group.

BitMEX has unearthed serious loopholes that exchanges can leverage to safeguard their assets. This includes revealing the group’s tracking databases and originating IP addresses, which allows BitMEX to monitor its functioning hours and single out key players crucial to the group’s operations.

The BitMEX team has distinguished different levels for the hackers, ranging from novice hackers performing phishing tasks to experts assigned to conduct post-exploitation procedures. The BitMEX blog post proposes various real-time security breach detection measures, including an internal monitoring system for identifying infections.

BitMEX’s sudden interest in cybersecurity stems from a Lazarus Group member reaching out to a BitMEX employee on LinkedIn with a proposition to participate in a counterfeit NFT project. This audacious phishing attempt prompted BitMEX to probe deeper into the matter, which resulted in a chance to analyze live Lazarus code.

BitMEX researchers uncovered a Lazarus Supabase, which contained data related to the malware, such as username, hostname, operating system, geolocation, timestamp, and IP address. With this data, BitMEX identified various devices as either a developer or test machine based on their operational frequency.

While most of the developers utilized VPNs to conceal their location, one developer made an error revealing the actual IP address of the machine, which is located in Jiaxing, China. BitMEX considers this a significant lapse that could potentially unveil the hacker’s identity.

BitMEX has now developed a script to automatically analyze the Supabase and search for operational errors. After all, even hackers are prone to mistakes, which can prove to be their downfall. BitMEX’s astute analysis of Lazarus Group’s operations will continue to enhance their cybersecurity measures and protect their platform.

The post Unveiling Lazarus Group’s Secrets: BitMEX Developers Dive Deep into Hackers’ Database appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.