Tag:

hacker

Radiant Capital hacker doubles $53M stash via ETH trading

by admin August 20, 2025

The hacker behind last year’s $53 million Radiant Capital exploit has nearly doubled the value of the stolen funds through a well-timed Ethereum trading strategy.

Summary

The Radiant Capital hacker increased stolen funds from $53M to $94M through ETH and DAI trading.
The October 2024 attack exploited Radiant’s multisig wallet using macOS malware.
Attribution points to North Korea-linked AppleJeus, with little chance of recovery.

According to on-chain analyst EmberCN’s Aug. 19 X post, the hacker had earlier sold 9,631 Ethereum (ETH) at an average of $4,562 for 43.9 million Dai (DAI), only to buy back 2,109.5 ETH for $8.64 million DAI once prices pulled back to $4,096.

The wallet now holds 14,436 ETH and 35.29 million DAI, a portfolio worth $94.63 million. This represents a gain of more than $41 million over the initial value of the stolen funds. Blockchain analytics firm Lookonchain noted that the decision to keep most of the assets in ETH during its rally played a major role in the increased balance.

啊，好家伙，这 Radiant Capital 黑客竟然玩起波段来了😂：
他不是在一周前以 $4,562 的均价卖出了 9,631 枚 ETH 换成 4393.7 万 DAI 嘛。
这几天 ETH 回调了，他在过去 1 小时里又用 $864 万 DAI 以 $4,096 的价格重新买回了 2109.5 枚 ETH…

现在 Radiant Capital 黑客持有 14,436 枚 ETH+3529 万… https://t.co/hO4MbNPrjd pic.twitter.com/ihLYhpmNAV

— 余烬 (@EmberCN) August 20, 2025

From $53 million heist to $94 million stash

The October 2024 breach of Radiant Capital, a multi-chain decentralized finance protocol, was one of the most damaging attacks of the year. By compromising the multisignature wallet of its core team through a macOS-specific malware called INLETDRIFT, the attacker siphoned tokens from lending pools on Arbitrum (ARB) and BNB (BNB) Chain.

At the time, the stolen assets were quickly converted into 21,957 ETH, then valued at about $53 million when Ethereum was trading near $2,500. Rather than liquidating the holdings, the hacker held ETH as its price climbed. In recent weeks, the attacker executed several trades to increase exposure.

Radiant Capital hack attribution and ongoing risks

The attack has been linked by some blockchain security experts to North Korea’s AppleJeus group, known for targeting exchanges and DeFi protocols. Radiant Capital worked with the FBI, Chainalysis, and Web3 security firms like SEAL911 and ZeroShadow after the hack, but recovery prospects remain slim as the funds continue to move through Ethereum-based trading activity.

The October incident marked the second breach of Radiant in 2024, following a smaller $4.5 million flash loan exploit earlier that year. It underscored persistent security risks in DeFi, which has already seen significant losses in 2025.

With over $94 million now under control, the attacker’s next move will be closely watched by analysts and security teams.

Source link

August 20, 2025 0 comments

Bitcoin capital markets platform Avalon Labs burns 80M AVL, slashing circulating supply by 44%

NFT Gaming

Over $90M stolen from Iran’s Nobitex exchange burnt by hacker

by admin June 19, 2025

After breaching Iran’s largest crypto exchange, the pro-Israel hacker group Gonjeshke Darande claimed to have destroyed more than $90 million in digital assets taken from Nobitex’s wallets.

In a June 18 update via X, the group said it had burned the funds across multiple blockchains using “vanity addresses” that contain no recoverable private keys, effectively rendering the assets permanently inaccessible.

This follows the high-profile exploit of Nobitex, in which over $90 million in Bitcoin (BTC), Ethereum (ETH), Dogecoin (DOGE), and other tokens were drained from hot wallets. The attackers had originally framed the breach as a direct response to Nobitex’s alleged role in helping the Iranian regime circumvent sanctions and fund terrorism.

12 hours ago
8 burn addresses burned $90M from the wallets of the regime’s favorite sanctions violation tool, Nobitex.

12 hours from now
The source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?…

— Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025

The group, also known as Predatory Sparrow, tied the hack to ongoing military and cyber tensions between Iran and Israel, which intensified following Israeli airstrikes on Tehran’s nuclear sites days earlier. Blockchain security platforms like Chainalysis quickly confirmed that the stolen assets had not been transferred to mixers or exchanges, but rather to irretrievable addresses with inflammatory labels.

Some of the addresses included phrases like “FuckIRGCTerroristsNoBiTEX,” targeting Iran’s Islamic Revolutionary Guard Corps. One Bitcoin wallet used in the attack is provably unspendable due to its invalid checksum. On Ethereum, tokens were sent to the “0x…dead” burn address commonly used to retire supply permanently.

In response, Nobitex issued a fresh statement acknowledging the burn. The exchange said that user assets are safe in cold storage and that the situation is now under control. Nobitex clarified that as a precaution, its staff had also emptied hot wallets. It reiterated that no customer funds would be lost, citing its reserve fund and insurance pool.

Nobitex Announcement No. 4 – Regarding the Security Incident

As part of Nobitex’s ongoing response to the recent security incident, we would like to inform our users that the situation is now under control. All external access to our servers has been completely severed.

If you…

— Nobitex | نوبیتکس (@nobitexmarket) June 18, 2025

The attackers have also threatened to release the source code and internal infrastructure data of Nobitex, which could worsen the situation for Iran’s leading cryptocurrency platform, which has over 11 million users. Gonjeshke Darande warned that any assets left on the platform would be at risk if users did not withdraw immediately.

Despite having no financial motivation, the hack has far-reaching implications. The intentional destruction of more than $90 million worth of digital currency demonstrates how state-level conflicts have turned crypto infrastructure into a new battlefield.

Source link

June 19, 2025 0 comments

GameFi Guides

‘Pro-Israel Hacker Group’ Drains, Burns $90 Million From Iranian Bitcoin Exchange

by admin June 18, 2025

In brief

Hackers stole over $85 million from Iranian exchange Nobitex, using politically charged wallet names and exploiting access controls.
The group claiming responsibility, Predatory Sparrow, called Nobitex a tool of the Iranian regime and threatened to leak internal data within 24 hours.
Nobitex suspended access, confirmed cold wallets are safe, and pledged to cover losses while working with FATA police to recover funds.

A pro-Israel hacking group has claimed responsibility for breaching Iran’s largest crypto exchange, draining more than $90 million in digital assets while warning of further attacks on what they described as regime-linked financial infrastructure.

The attack on Nobitex, first reported by blockchain investigator ZachXBT on Wednesday morning, saw hackers exploit multiple blockchain networks using provocatively named wallet addresses including “TKFuckiRGCTerroristsNoBiTEXy2r7mNX” on the Tron network.

The stolen assets included $49.3 million on Tron, $24.3 million on EVM-compatible chains, $2 million in Bitcoin, and $6.7 million in Dogecoin, according to blockchain security firm Cyvers.

🚨ALERT🚨Our system has detected multiple suspicious transactions across several networks involving @nobitexmarket.
The total loss currently around $85M, distributed as follows:
$49.3M on the $Tron network
$24.3M on $EVM-compatible chains
$2M on the $BTC network
$6.7M on $DOGE
A… pic.twitter.com/rh85bnGMme

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) June 18, 2025

“The breach at Nobitex appears to stem from a critical failure in access controls, allowing attackers to infiltrate internal systems and drain hot wallets across multiple blockchains,” said Hakan Unal, senior security operations lead at Cyvers.

“Yet, surprisingly, the stolen funds remain unmoved,” Unal told Decrypt.

“The funds were essentially burned permanently and cannot be touched unless stablecoin issuers were to reissue the centralized stablecoins,” ZachXBT reported.

According to blockchain analytics firm Elliptic, “creating vanity addresses with text strings as long as those used in this hack is computationally infeasible,” meaning that the hackers do not control the private keys for the addresses in question—effectively burning the funds in order to make a political statement.

The hacking group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility for the attack in a tweet Wednesday.

“The Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide, as well as being the regime’s favorite sanctions violation tool,” the group declared, threatening to release the exchange’s source code and internal data within 24 hours.

The hack represents the latest escalation in cyber warfare between Israel and Iran, targeting financial systems that Western intelligence agencies say help Tehran circumvent international sanctions.

Nobitex serves as a critical gateway for crypto transactions in Iran, where traditional banking faces severe restrictions.

“Nobitex identified unauthorized access to parts of its infrastructure, specifically affecting our internal communication systems and a portion of our hot wallet,” Nobitex tweeted while confirming the breach in its official statement.

The exchange said it suspended platform access for a security audit and said most user funds remain safe in cold wallets.

Nobitex noted that it is working with the Iranian Cyber Police, also known as FATA, and other agencies to recover assets and has pledged to cover any losses through its insurance fund and reserves.

The hack comes on the heels of Gonjeshke Darande’s recent cyberattack on Iran’s Bank Sepah, which caused widespread banking disruptions across the country.

The IRGC-affiliated Sepah Bank was targeted by a cyberattack, causing disruptions in several branches with reports of depositors unable to withdraw funds, the IRGC’s Fars News reports.

The hacker group Predatory Sparrow, who has been accused of having ties to Israel, claimed… pic.twitter.com/iyjYqUT6r9

— Ariel Oseran أريئل أوسيران (@ariel_oseran) June 17, 2025

Predatory Sparrow has previously targeted Iranian steel mills and gas stations, establishing a pattern of attacking infrastructure they claim supports the Iranian regime.

$2.1 billion stolen in crypto cyberattacks this year

Nobitex’s breach adds to 2025’s mounting crypto security breaches, with more than $2.1 billion in digital assets stolen this year according to blockchain security firm CertiK.

Wallet breaches, though representing only 23 cases documented this year, have proven the most financially devastating attack method, causing $1.6 billion in damages, the firm said.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Source link

June 18, 2025 0 comments

Sui LP provider Cetus allegedly drained of $11m SUI, hack or bug?

GameFi Guides

Hacker group Rare Werewolf hijacks Russian devices to mine crypto and steal data

by admin June 11, 2025

A cybercriminal group known as Rare Werewolf is running a targeted phishing campaign against Russian and CIS-based companies, hijacking devices to mine crypto and steal sensitive data.

Kaspersky’s research revealed that the APT group Rare Werewolf, also known as “Librarian Ghouls” and “Rezet,” has remained consistently active through May, carrying out a relentless campaign that targets organizations across Russia and the CIS.

The group uses phishing emails disguised as communications from legitimate organizations to deceive victims into opening malicious attachments. Once these files are executed, the attackers gain remote access to the device, exfiltrate sensitive data (such as credentials and crypto wallet info), and then deploy Monero (XMR) crypto miners to exploit the system’s processing power.” To avoid detection, they schedule the compromised machine to automatically wake up at 1 AM and shut down at 5 AM, ensuring their activities go unnoticed.

Kaspersky reports that the group mainly targets industrial enterprises, with engineering schools also being of particular interest. The phishing emails are written in Russian and typically contain attachments with Russian-language filenames and decoy documents, which suggests that the group’s primary victims are based in Russia or are Russian speakers.

Source: PDF document imitating a payment order | securelist.com

Kaspersky’s investigation also uncovered several domains that might be linked to the Librarian Ghouls campaign, although they have low confidence in this connection. Among the domains still active at the time were users-mail[.]ru and deauthorization[.]online, both of which hosted phishing pages. These pages, created with PHP scripts, were designed to steal login credentials for the popular Russian e-mail service Mail.ru.

Source: Example of a phishing page associated with the APT campaign | securelist.com

As of the release of Kaspersky’s research, the Librarian Ghouls APT campaign remains active, with ongoing attacks observed as recently as last month.

Source link

June 11, 2025 0 comments

Game Reviews

New Max Docuseries Explores The World’s Most Wanted Teen Hacker

by admin June 8, 2025

Image: Petteri Sopanen / Yle Yle News

Ten years after Elon Musk’s Twitter account was giving out free Teslas and the PlayStation Network was shut down, the then-teenage hacker behind it all is finally having his story told. The trailer for the new Max docuseries, Most Wanted Teen Hacker, previews how Finnish hacker Julius Kivimäki’s cyber exploits will be laid out with Mr. Robot-esque theatrics.

The Top 10 Most-Played Games On Steam Deck: August 2023 Edition

It only takes a 55-second teaser to grasp how much of a movie-level villain Kivimäki was in real life. Beyond the PSN and Musk hacks, he “triggered a U.S. Air Force alert by forcing a passenger jet to make an emergency landing,” according to the trailer. Seconds after that revelation, an FBI agent attests that Kivimäki revealed he had law enforcement sent to the families of FBI agents by making fake emergency phone calls, an act known as “swatting,” because “he thought it was fun, and he enjoyed hurting or seeing people suffer.” The teaser even features an unidentified man, presumably a victim of Kivimäki’s hacks, who vows to kill him the second the two are in the same location.

The documentary will not only have victims of his hacks, fellow hackers, SWAT team members, and FBI agents, but also the incarcerated Kivimäki himself. The first of four episodes will be released in September, but brushing up on the news of Kivimäki’s hacking spree will give you a better understanding of the criminal at the center of the doc more than any teaser could. In 2024, Kivimäki was sentenced to six years and three months in prison for hacking Finnish private psychotherapy service provider Vastaamo in 2020 and blackmailing thousands of patients with the threat of revealing their deepest, darkest secrets. He also committed a mind-boggling 50,700 cyber break-ins from 2012 to 2013, when he was 15 and 16 years old, respectively.

Kivimäki looks devoid of all emotion or sense of accountability in the teaser, calling the charges against him “bullshit.” We’ll delve deeper into the emotionless steel trap that is his mind later this fall when we see how movie-quality villainry can have real-world consequences.

Source link

June 8, 2025 0 comments

Gaming Gear

A Hacker May Have Deepfaked Trump’s Chief of Staff in a Phishing Campaign

by admin May 30, 2025

For years, a mysterious figure who goes by the handle Stern led the Trickbot ransomware gang and evaded identification—even as other members of the group were outed in leaks and unmasked. This week German authorities revealed, without much fanfare, who they believe that enigmatic hacker kingpin to be: Vitaly Nikolaevich Kovalev, a 36-year-old Russian man who remains at large in his home country.

Closer to home, WIRED revealed that Customs and Border Protection has mouth-swabbed 133,000 migrant children and teenagers to collect their DNA and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement. As the Trump administration’s migrant crackdown continues, often justified through invocations of crime and terrorism, WIRED also uncovered evidence that ties a Swedish far-right mixed-martial-arts tournament to an American neo-Nazi “fight club” based in California.

For those seeking to evade the US government surveillance, we offered tips about more private alternatives to US-based web browsing, email, and search tools. And we assembled a more general guide to protecting yourself from surveillance and hacking, based on questions our senior writer Matt Burgess received in a Reddit Ask Me Anything.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The FBI is investigating who impersonated Susie Wiles, the Trump White House’s chief of staff and one of the president’s closest advisers, in a series of fraudulent messages and calls to high-profile Republican political figures and business executives, The Wall Street Journal reported. Government officials and authorities involved in the probe say the spear-phishing messages and calls appear to have targeted individuals on Wiles’ contact list, and Wiles has reportedly told colleagues that her personal phone was hacked to gain access to those contacts.

Despite Wiles’ reported claim of having her device hacked, it remains unconfirmed whether this was actually how attackers identified Wiles’ associates. It would also be possible to assemble such a target list from a combination of publicly available information and data sold by gray-market brokers.

“It’s an embarrassing level of security awareness. You cannot convince me they actually did their security trainings,” says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “This is the type of garden-variety social engineering that everyone can end up dealing with these days, and certainly top government officials should be expecting it.”

In some cases, the targets received not just text messages but phone calls that impersonated Wiles’ voice, and some government officials believe the calls may have used artificial intelligence tools to fake Wiles’ voice. If so, that would make the incident one of the most significant cases yet of so-called deepfake software being used in a phishing attempt.

It’s not yet clear how Wiles’ phone might have been hacked, but the FBI has ruled out involvement by a foreign nation in the impersonation campaign, the bureau reportedly told White House officials. In fact, while some of the impersonation attempts appeared to have political goals—a member of Congress, for instance, was asked to assemble a list of people Trump might pardon—in at least one other case the impersonator tried to trick a target into setting up a cash transfer. That attempt at a money grab suggests that the spoofing campaign may be less of an espionage operation than a run-of-the-mill cybercriminal fraud scheme, albeit one with a very high-level target.

Source link

May 30, 2025 0 comments

Sui-based Cetus Protocol offers $6M bounty to hacker after $223M exploit

GameFi Guides

Cetus Protocol offers hacker $6M bounty after $223M exploit

by admin May 23, 2025

Cetus Protocol, the largest decentralized exchange on the Sui blockchain, is offering a $6 million bounty to the hacker behind a massive $223 million exploit that occurred on May 22.

In a May 22 follow-up statement accompanied by an on-chain message, the Cetus team confirmed they had identified the attacker’s Ethereum wallet and offered a “whitehat settlement” to recover user funds. The hacker is being asked to return 20,920 ETH and all frozen assets on Sui (SUI) in exchange for keeping 2,324 Ethereum (ETH), worth approximately $6 million, and immunity from legal action.

Cetus said this is a time-sensitive offer and that if the funds are off-ramped or mixed, the deal is off. The team is coordinating with law enforcement, cybercrime specialists, the Sui Foundation, and regulators including FinCEN and the U.S. Department of Defense. Inca Digital, a cybersecurity firm, is leading the negotiation efforts.

📜 Dear Sui community, thank you for your patience while our team works on the incident investigation and resolution.
Since taking the actions indicated in our previous announcement, we have also done the following:
1. We engaged the broader ecosystem, Sui team, and related… https://t.co/Gs1EWXZ6AD
— Cetus🐳 (@CetusProtocol) May 22, 2025

The breach exploited a vulnerability in Cetus’ pricing mechanism and impacted its concentrated liquidity market maker pools. The attacker used spoof tokens, which are fake or low-value assets with manipulated metadata, to inject tiny amounts of liquidity into trading pools.

Because of the distortion of those pools’ internal accounting, the hacker was able to take out substantial quantities of valuable tokens, such as SUI and USD Coin (USDC), at incorrect exchange rates.

The attacker deceived the system into believing the pools were balanced by carefully timing these spoof token deposits with complex flash swaps and price manipulation. As a result, they were able to drain substantial real assets without supplying equivalent value.

Cetus had reportedly passed recent security audits prior to the hack. However, by exploiting internal pricing logic and economic assumptions rather than simple code errors, the attacker’s method evaded typical vulnerability scans.

After initially draining $11 million from an SUI/USDC pool, the attacker quickly intensified the attack. They bridged more than $60 million in stolen funds to Ethereum and bought over 21,900 ETH. They currently have millions of SUI, ETH, and stablecoins in their wallets.

The Sui ecosystem was severely damaged by the exploit. Smaller tokens like AXOL, HIPPO, and SQUIRT lost almost all of their value, while the SUI token dropped as much as 15%. CETUS, the token of Cetus, fell 20–33%. Trading volumes surged as users scrambled to withdraw funds.

Cetus has paused smart contracts following the hack the hack and is attempting to secure its platform. The incident raises questions about the security of DeFi protocols on newer chains like Sui and Aptos (APT). Although these ecosystems offer innovation, analysts warn that vulnerabilities in complex DeFi logic remain a persistent risk.

Source link

May 23, 2025 0 comments

Crypto Trends

Alleged Coinbase hacker trolls ZachXBT with on-chain message after swapping $42.5m BTC

by admin May 22, 2025

Crypto sleuth ZachXBT revealed that the hacker accused of stealing Coinbase customer data left him a taunting message on-chain after swapping $42.5 million worth of BTC for ETH on THORChain.

In a broadcast message sent to his Investigations Telegram channel, on-chain investigator ZachXBT claimed to have received a message sent from a hacker accused of swindling more than $300 million worth of crypto assets from users. The message was sent to his on-chain Ethereum (ETH) account.

“The threat actor who stole $300M+ from Coinbase users by paying customer support just began trolling me on-chain with this message,” said ZachXBT in his Telegram message.

The message was sent from an address simply named Fake_Phishing1158790 and contained the words “L bozo” and what appeared to be a link to a YouTube video showing the viral internet short clip of former NBA athlete James Worthy smoking a cigar after a Lakers win.

“Smoking that ZachXBT pack,” one user commented under the YouTube video, indicating they were led to the video after seeing the on-chain message addressed to the crypto sleuth.

The message was linked to the alleged hacker’s recent on-chain transaction, which consisted of swapping $42.5 million worth of BTC (BTC) for ETH via THORChain.

The Coinbase user data exploit was first disclosed by the exchange on May 15. The hacker was believed to have bribed customer support staff to steal sensitive user data.

According to Coinbase, the attacker was able to get ahold of phone names, addresses, phone numbers, government-issued IDs, and other account data. The exchange claimed that the exploit only affected less than 1% of users.

After firing the customer service workers involved, the company estimated the breach could cost up to $400 million to resolve. The attackers had asked for a $20 million ransom from the crypto exchange. Coinbase refused to pay the $20 million ransom and is offering a bounty for anyone who can track down the attacker.

Source link

May 22, 2025 0 comments

Crypto Trends

Coinbase hacker trolls ZachXBT onchain after $42.5M THORChain swap

by admin May 22, 2025

The hacker behind the data breach targeting Coinbase users mocked blockchain investigator ZachXBT with an onchain message following a major crypto swap.

On May 21, the hacker used Ethereum transaction input data to write “L bozo,” followed by a meme video of NBA player James Worthy smoking a cigar.

The message came after the attacker swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain.

ZachXBT flagged the message on his Telegram channel, linking it to the same entity responsible for the Coinbase data breach affecting at least 69,400 users.

Coinbase hacker trolling ZachXBT. Source: ZachXBT.

On May 22, blockchain security firm PeckShield reported that the hacker had continued to move funds, swapping 8,697 ETH for 22 million Dai (DAI). A separate but closely linked address, which received 9,081 ETH via THORChain, also converted the assets into 23 million DAI.

Related: DOJ is investigating Coinbase data breach— Report

Coinbase hit with lawsuits after breach

The Coinbase breach, first reported in a filing with the Maine Attorney General’s office, occurred in December 2024 and was discovered on May 11. The stolen data includes names, home addresses and other personal information.

Following the disclosure, the attackers demanded a $20 million ransom in Bitcoin to prevent the release of the stolen data. Coinbase refused and instead offered a $20 million bounty for information leading to the identification of the hackers.

The company estimates a potential financial impact between $180 million and $400 million due to remediation costs and customer compensation.

Coinbase has also faced a wave of lawsuits following the revelation. At least six legal complaints were filed on May 15 and 16, with plaintiffs accusing the exchange of failing to implement adequate security measures and mishandling its response to the breach.

Related: Coinbase data leak could put users in physical danger: TechCrunch founder

THORChain under scrutiny for criminal use

The Coinbase hacker’s use of THORChain to swap $42.5 million worth of Bitcoin into Ether comes as the protocol faces growing scrutiny over its role in facilitating illicit transactions.

In March, the platform came under fire after its swap volume surged following the $1.4 billion Bybit hack. The protocol generated over $5 million in revenue after processing $5.4 billion in swap volume, with over $1 billion moved in a single day.

Blockchain security firms identified North Korea’s Lazarus Group as the main suspect, using THORChain to launder a significant portion of the stolen funds.

Source: Lookonchain

The controversy intensified when a THORChain developer, known as “Pluto,” resigned after a vote to block transactions linked to Lazarus was overturned.

Magazine: TradFi is building Ethereum L2s to tokenize trillions in RWAs: Inside story

Source link

May 22, 2025 0 comments