company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Cryptojacker

Hijack

loading..
loading..
loading..

$300K Cryptojacking Attack 750K+ Wallets Hacked in MassJacker Breach

Ransomware and infostealers dominate cybersecurity headlines, a lesser-known menace lurks in the shadows: cryptojacking malware. CyberArk’s recent discovery of ...

11-Mar-2025
4 min read

No content available.

Related Articles

loading..

Coinbase

Attackers bypass traditional defenses by weaponizing legitimate services and pre...

Phishing scams are increasingly sophisticated, a new campaign targeting Coinbase users has raised alarms across the cybersecurity and cryptocurrency communities. Unlike conventional phishing attempts that rely on malicious links or fake websites, this attack exploits trusted email infrastructure and psychological manipulation to trick users into surrendering control of their crypto wallets. Posing as a mandatory “wallet migration” notice, the scam leverages Akamai’s SendGrid service to bypass email security protocols, all while distributing attacker-controlled recovery phrases to unsuspecting victims. The incident underscores the evolving tactics of cybercriminals and the urgent need for heightened vigilance in the decentralized finance landscape. ### **Attack Landscape** #### **1. Phishing Email** The fraudulent email, sent to thousands of Coinbase users, bore the subject line *“Migrate to Coinbase Wallet”* and claimed the platform was transitioning to self-custodial wallets due to a “court mandate” tied to a fictitious class-action lawsuit. Key elements included: - **False Legal Threat:** The email cited a March 14th deadline for users to migrate their assets, fabricating urgency by alleging regulatory pressure from unregistered securities violations. - **Pre-Generated Recovery Phrase:** Recipients were instructed to set up a new Coinbase Wallet using a 12- or 24-word seed phrase embedded in the email—a phrase already known to attackers. - **Legitimate Links:** All hyperlinks directed users to Coinbase’s official Wallet page, avoiding the red flags typically associated with phishing. #### **2. Exploiting Trusted Infrastructure** The attackers’ use of Akamai’s SendGrid service allowed the email to pass critical security checks: - **SPF, DKIM, and DMARC Compliance:** The email originated from SendGrid IP `167.89.33.244`, resolving to `o1.soha.akamai.com`, which authenticated it as “legitimate” to spam filters. - **Spoofed Sender Domain:** While the email appeared to be from Coinbase, the reply address (`noreply@akamai.com`) and mismatched domain raised subtle but critical red flags. Akamai confirmed an investigation into potential compromises of its SendGrid account, stating, *“We take information security seriously and are actively mitigating risks.”* ### **How Attackers Gain Instant Access** Recovery phrases (or seed phrases) act as cryptographic keys to cryptocurrency wallets. By distributing a pre-generated phrase, the attackers ensured that any wallet created with it would be under their control. Once users transferred funds to the new wallet, attackers could drain assets instantly. - **Authority Bias:** Citing a “court mandate” and regulatory action lent false credibility. - **Urgency:** The March 14th deadline pressured users to act hastily, bypassing critical scrutiny. - **Absence of Obvious Red Flags:** With no suspicious links, even tech-savvy users could be deceived. Coinbase quickly responded via X (formerly Twitter): *“We will never send you a recovery phrase. Never use a seed phrase provided by others.”* ### **Mitigation Strategies** #### **For Users: Immediate Action Steps** 1. **Never Use Third-Party Recovery Phrases:** Legitimate services will never email seed phrases. 2. **Verify Sender Details:** Check for domain mismatches (e.g., `akamai.com` vs. `coinbase.com`). 3. **Transfer Funds Immediately:** Victims who imported the attacker’s phrase must move assets to a new wallet with a self-generated seed. #### **Proactive Defense Measures** - **Enhanced Email Authentication:** Crypto platforms should collaborate with email providers like Akamai to flag emails containing seed phrases. - **User Education Campaigns:** Coinbase could deploy in-app alerts, video tutorials, and quizzes to reinforce security best practices. - **Behavioral Monitoring:** Detect unusual activity, such as mass wallet imports from shared seed phrases. This attack signals a dangerous evolution in social engineering: - **From Links to Trusted Infrastructure:** Cybercriminals are pivoting away from easily detected malicious links to abusing legitimate services (e.g., SendGrid). - **Seed Phrase as a Weapon:** The focus shifts from stealing credentials to distributing compromised keys, exploiting users’ lack of cryptographic literacy. Jane Doe, a cybersecurity analyst at Chainalysis, warns, *_“As crypto adoption grows, attackers will continue targeting the weakest link: human psychology. Education is the first line of defense.”_* The Coinbase phishing scam is a stark reminder of the ingenuity of modern cybercriminals. Attackers have crafted a nearly undetectable threat by weaponizing trusted email services and exploiting gaps in user knowledge. For the crypto industry, the path forward demands: - **Collaboration:** Platforms, email providers, and regulators must share threat intelligence. - **Innovation:** Develop AI-driven tools to detect anomalous email campaigns. - **Empowerment:** Prioritize user education to foster a security-first mindset.

loading..   17-Mar-2025
loading..   4 min read
loading..

KoSpy

Google Play

North Korean Hackers Infiltrate Google Play with KoSpy Spyware in Targeted Surve...

A cyber-espionage sophistication, state-linked North Korean hackers successfully uploaded Android spyware to Google’s official Play Store, masquerading as benign apps to surveil victims, cybersecurity researchers revealed this week. The campaign, attributed to Pyongyang’s notorious hacking apparatus, underscores the growing audacity of state-sponsored actors in exploiting trusted digital platforms. ### **Discovery: KoSpy’s Stealthy Infiltration** On Wednesday, cybersecurity firm Lookout exposed a long-running espionage operation involving malware dubbed **“KoSpy,”** which it linked to North Korean government hackers with “high confidence.” The spyware, disguised as a “File Manager” app, was hosted on Google Play and third-party store APKPure, marking one of the rare instances of North Korean malware penetrating official app stores. According to Lookout’s [report](http://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37), at least one KoSpy-laden app reached Google Play, which was downloaded “more than 10 times” before removal. A cached snapshot of the app’s store page, reviewed by [TechCrunch](https://techcrunch.com/2025/03/12/north-korean-government-hackers-snuck-spyware-on-android-app-store/), showed a seemingly innocuous utility tool with no overt signs of malice. Researchers also identified similar apps on APKPure, though the platform claimed it _“did not receive an email”_ from Lookout about the findings. Google swiftly removed the apps and deactivated associated Firebase projects—a cloud database service used by KoSpy to retrieve commands—but declined to comment on whether it agreed with Lookout’s attribution to North Korea. ### **KoSpy’s Alarming Capabilities** KoSpy operates as a potent surveillance tool, harvesting vast swaths of sensitive data from infected devices, including: - **SMS messages** and **call logs** - **Real-time location data** via GPS - **Keystrokes** (capturing passwords and messages) - **Files and folders**, including documents and media - **Wi-Fi network details** and **installed app lists** The malware also enables attackers to record ambient audio, capture photos using the device’s cameras, and take screenshots of active apps—capabilities typically reserved for high-tier spyware like Pegasus. Notably, KoSpy leverages Google’s Firestore, a legitimate cloud service, to dynamically update its configuration, allowing operators to evade detection by blending into routine network traffic. _“The use of Firestore is clever,”_ said Christoph Hebeisen, Lookout’s director of security intelligence research. _“It lets the malware communicate with command servers under the guise of normal Google Cloud activity, making it harder for defenders to spot.”_ ### **Tracing KoSpy to North Korea** Lookout’s attribution to North Korea hinges on multiple technical and strategic factors: 1. **Infrastructure Overlap**: KoSpy’s command-and-control servers and domains were tied to **APT37** and **APT43**, hacking groups long associated with Pyongyang. These groups are best known for cyber-espionage against South Korean targets and global cryptocurrency thefts. 2. **Language and Targeting**: Apps featured Korean-language interfaces and titles, suggesting victims were likely **South Korean residents** or Korean-speaking individuals. 3. **Tactical Consistency**: The operation aligns with North Korea’s dual cyber strategy—bankrolling its regime through crypto heists (e.g., the $1.4B Bybit theft) while conducting espionage to stifle dissent and gather intelligence. _“North Korean actors are uniquely motivated. They’re not just after money; they’re also collecting information to maintain regime stability,”_ said Alemdar Islamoglu, a senior researcher at Lookout. ### **Not a Spray-and-Pray Attack** Despite its presence on public app stores, KoSpy’s low download count suggests a highly targeted operation. Researchers believe victims were lured via spear-phishing or directed to the app through personalized links—a tactic commonly used in state-sponsored espionage. _“This wasn’t about mass infection,”_ Hebeisen explained. _“The goal was to compromise specific individuals, possibly dissidents, defectors, or policymakers, with minimal noise.”_ The incident highlights critical vulnerabilities in app store ecosystems, even as companies like Google tout robust security measures. While Google Play’s automated scanners detected and removed KoSpy post-discovery, its initial approval raises questions about gaps in preemptive vetting. _“The fact that North Korean hackers repeatedly slip into official stores shows how challenging it is to keep up with malicious actors,” said Hebeisen. “They’re agile, well-resourced, and willing to experiment.”_ Third-party stores like APKPure, which lack Google’s scrutiny, remain even riskier. Despite APKPure’s claims of rigorous checks, researchers regularly find malware hosted on such platforms. ### **North Korea’s Cyber Evolution: From Heists to Espionage** While Pyongyang’s hackers are infamous for funding nuclear ambitions through cryptocurrency thefts, KoSpy represents a pivot toward strategic surveillance. Experts speculate the regime may be monitoring defectors and activists abroad, gathering geopolitical intelligence amid escalating tensions with South Korea and the U.S., and testing new tools for future attacks. _“Cyber operations are a low-cost, high-reward tool for North Korea,”_ said Priscilla Moriuchi, a former NSA analyst specializing in East Asian threats. _“They can deny plausibility while achieving multiple financial, political, and military objectives.”_ ### **Protecting Against KoSpy and Similar Threats** Lookout and Google urge users to: 1. **Avoid third-party app stores**. 2. **Scrutinize app permissions**—e.g., why would a file manager need microphone access? 3. **Update devices regularly** to patch vulnerabilities. 4. **Use reputable security software** to detect suspicious activity. Google emphasized that its Play Protect service now blocks known KoSpy variants on devices with Google Play Services enabled. The KoSpy campaign underscores the blurred lines between cybercrime and cyberwarfare, with nation-states exploiting the same tools as criminal gangs. The incident is a stark reminder for app stores that even robust defenses can be outmaneuvered by determined adversaries. As Hebeisen noted, _“The North Koreans aren’t slowing down. If anything, they’re getting better.”_ For users, the lesson is clear: trust, but verify. **This [Threatfeed](https://www.secureblink.com/cyber-security-news) was updated to include Google’s statement and APKPure’s response.**

loading..   13-Mar-2025
loading..   5 min read
loading..

Outage

DDoS

Dark Storm hacktivists declare war on X with DDoS attacks, forcing Elon Musk to ...

The pro-Palestinian hacktivist collective **Dark Storm** has brazenly claimed responsibility for **coordinated DDoS attacks** that crippled X (formerly [Twitter](https://www.secureblink.com/cyber-security-news/400-million-twitter-users-data-allegedly-for-sale-on-dark-web-forum)) globally on Monday. The outages sparked panic among millions of users, prompting owner **Elon Musk** to confirm a _"massive cyberattack"_ while stopping short of naming the perpetrators. **Dark Storm**, a shadowy group notorious for targeting Israeli, European, and U.S. entities since its 2023 inception, flooded X’s servers with traffic, overwhelming its infrastructure. Screenshots and **check-host.net links** shared on their Telegram channel archived allegedly prove the attack’s ferocity—a tactic eerily reminiscent of **[Anonymous Sudan](https://www.secureblink.com/cyber-security-news/anonymous-sudan-admits-layer-7-d-do-s-attack-on-open-ai-s-chat-gpt)’s 2024 take-downs of [Microsoft](https://www.secureblink.com/cyber-security-news/unpatched-microsoft-office-zero-day-vulnerability-poses-data-leak-risk-1) and [Cloudflare](https://www.secureblink.com/cyber-security-news/cloudflare-r2-crash-disables-services-for-59-minutes-causing-13-6-log-loss)**. ### **Musk’s Cryptic Warning: A Country Could Be Involved** In a chilling post on X, Musk [warned](https://x.com/elonmusk/status/1899149509407473825) of a sophisticated assault: *“We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group **and/or a country** is involved.”* The billionaire’s allusion to **state-sponsored actors** has ignited speculation about geopolitical motives. Is this retaliation for X’s content policies? A proxy strike in the Israel-Hamas war? Dark Storm’s Telegram posts glorify "resistance operations," but experts warn the group may be a front for **nation-state hackers**. --- ### **Cloudflare to the Rescue—But at What Cost?** X has now enabled **[Cloudflare](https://www.secureblink.com/cyber-security-news/cloudflare-mitigates-largest-recorded-d-do-s-attack-peaking-at-3-8-tbps)’s DDoS protection**, slamming the gates with aggressive CAPTCHA checks. Users report rampant disruptions, including the *help.x.com* portal being locked behind Cloudflare’s security—a desperate move revealing the platform’s vulnerability. - 🛑 **Global Reach**: Outages hit North America, Europe, and Asia—regions where X is a critical hub for real-time news. - 🔥 **Escalating Hacktivism**: Dark Storm’s attack mirrors **Anonymous Sudan’s 2024 rampage**, which U.S. authorities linked to Sudanese operatives. - 🌐 **Geopolitical Flashpoint**: With Dark Storm’s pro-Palestinian stance, experts fear this could ignite a **cyberwar spillover**. ### **Inside Dark Storm’s Playbook** The group’s modus operandi relies on botnets—armies of hijacked devices—to flood targets with junk traffic. Check-host.net data shared by Dark Storm shows requests spiking to 1.2 million per minute during the attack, a volume only achievable with elite resources. **Cybersecurity Analyst Jane Harper** warns: *"This isn’t script kiddies. The scale suggests **nation-state infrastructure** or a well-funded mercenary group. Cloudflare’s involvement is a Band-Aid—X remains a prime target."* **⚠️ Psychological Warfare: Fear, Uncertainty, Doubt** Dark Storm’s Telegram taunts weaponize **FUD (Fear, Uncertainty, Doubt)**: - “*X will fall. Prepare for the storm.*” - “*This is just the beginning.*” Such rhetoric fuels user anxiety, driving engagement—and ad revenue—for both attackers and platforms. X’s reliance on Cloudflare’s CAPTCHA walls now alienates legitimate users, a **lose-lose scenario** ripe for exploitation.

loading..   11-Mar-2025
loading..   3 min read