Laughing Hyena
Tag:

Hackers


Bug Bounties Hit Limits as AI Puts Crypto Hackers on Equal Footing

by admin October 1, 2025



In brief

  • Mitchell Amador, CEO of Immunefi, told Decrypt at Token2049 in Singapore that AI tools once limited to security firms are now accessible to groups like Lazarus, enabling massive attacks.
  • Bug bounties have paid out over $100 million but have “hit the limits” as there aren’t “enough eyeballs” to provide necessary coverage, he said.
  • The $1.4 billion Bybit hack bypassed smart contract security by compromising infrastructure, exposing gaps where defenders are “not doing so hot,” Amador said.

AI has handed crypto attackers the same tools defenders use, and the results are costing the industry billions, experts say.

Mitchell Amador, CEO of Immunefi, told Decrypt during the start of Token2049 week in Singapore that AI has turned vulnerability discovery into near-instant exploitation, and that the advanced auditing tools his firm built are no longer exclusive to the good guys.

“If we have that, can the North Korean Lazarus group build similar tooling? Can Russian Ukrainian hacker groups build similar such tooling?” Amador asked. “The answer is that they can.”



Immunefi’s AI auditing agent outperforms the vast majority of traditional auditing firms, but that same capability is within reach of well-funded hacking operations, he said.

“Audits are great, but it’s nowhere near enough to keep up with the rate of innovation and the rate of the compounding improvement of the attackers,” he said.

With over 3% of total value locked stolen across the ecosystem in 2024, Amador said that while security is no longer an afterthought, projects “struggle to know how to invest and how to allocate resources there effectively.” 

The industry has moved from “a prioritization problem, which is a wonderful thing, into it being a knowledge and educational problem,” he added.

AI has also made sophisticated social engineering attacks dirt cheap, according to Amador. 

“How much do you think that phone call costs?” he said, referring to AI-generated phishing calls that can impersonate colleagues with disturbing accuracy. “You can execute that for pennies with a well-thought-out system of prompts, and you can execute those en masse. That is the scary part of AI.”

The Immunefi CEO said groups such as Lazarus likely employ “at least a few hundred guys, if not probably low thousands working around the clock” on crypto exploits as a major revenue source for North Korea’s economy. 

“The competitive pressures stemming from North Korea’s annual revenue quotas” drive operatives to protect individual assets and “outperform colleagues” rather than coordinate security improvements, a recent SentinelLABS intelligence report found.

“The game with AI-driven attacks is that it speeds up the rate at which something can go from discovery to exploit,” Amador told Decrypt. “To defend against that, the only solution is even faster countermeasures.”

Immunefi’s response has been to embed AI directly into developers’ GitHub repositories and CI/CD pipelines, catching vulnerabilities before code reaches production, he noted, while predicting this approach will trigger a “precipitous drop” in DeFi hacks within one to two years, potentially reducing incidents by another order of magnitude.

Dmytro Matviiv, CEO of Web3 bug bounty platform HackenProof, told Decrypt that “manual audits will always have a place, but their role will shift.”

“AI tools are increasingly effective at catching ‘low-hanging fruit’ vulnerabilities, which reduces the need for large-scale manual reviews of common mistakes,” he said. “What remains are the subtle, context-dependent issues that require deep human expertise.”

To defend against AI-powered attacks, Immunefi has implemented a whitelist-only policy for all company resources and infrastructure, which Amador said has “arrested thousands of these attempted spear phishing techniques very effectively.” 

But this level of vigilance isn’t practical for most organizations, he said, noting “we can do that at Immunefi because we are a company that lives and breathes security and vigilance. Normal people can’t do that. They have lives to live.”

Bug bounties hit a wall

Immunefi has facilitated over $100 million in payouts to white-hat hackers, with steady monthly distributions ranging from $1 million to $5 million. However, Amador told Decrypt that the platform has “hit the limits” as there aren’t “enough eyeballs” to provide the necessary coverage across the industry.

The constraint isn’t just about researcher availability, as bug bounties face an intrinsic zero-sum game problem that creates perverse incentives for both sides, according to Amador. 

Researchers must reveal vulnerabilities to prove they exist, but they lose all leverage once disclosed. Immunefi mitigates this by negotiating comprehensive contracts that specify everything before disclosure occurs, Amador said.

Meanwhile, Matviiv told Decrypt that he doesn’t think “we’re anywhere close to exhausting the global pool of security talent,” noting that new researchers join platforms annually and progress quickly from “simple findings to highly complex vulnerabilities.”

“The challenge is making the space attractive enough in terms of incentives and community for those new faces to stick around.”

Bug bounties have likely reached their “zenith in efficiency” outside of net-new innovations that don’t even exist in traditional bug bounty programs, Amador added. 

The company is exploring hybrid AI solutions to give individual researchers greater leverage to audit more protocols at scale, but these remain in R&D.

Bug bounties remain essential as “a diverse, external community will always be best positioned to discover edge cases that automated systems or in-house teams miss,” Matviiv noted, but they’ll increasingly work alongside AI-powered scanning, monitoring, and audits in “hybrid models.”

The biggest hacks aren’t coming from code

While smart contract audits and bug bounties have matured considerably, the most devastating exploits are increasingly bypassing code entirely. 

The $1.4 billion Bybit hack earlier this year highlighted this shift, Amador said, with attackers compromising Safe’s front-end infrastructure to replace legitimate multi-sig transactions rather than exploiting any smart contract vulnerability.

“That wasn’t something that would have been caught with an audit or bug bounty,” he said. “That was a compromised internal infrastructure system.”

Despite security improvements in traditional areas like audits, CI/CD pipelines, and bug bounties, Amador noted that the industry is “not doing so hot” on multi-sig security, spear phishing, anti-scam measures, and community protection.

Immunefi has launched a multi-sig security product that assigns elite white-hat hackers to manually review every significant transaction before execution, which it said would have caught the Bybit attack. But he acknowledged it’s a reactive measure rather than a preventative one.

This uneven progress explains why 2024 became the worst year for hacks despite improvements in code security, as hack patterns follow a predictable mathematical distribution, making single large incidents inevitable rather than anomalous, Amador said. 

“There’s always going to be one big outlier,” he said. “And it’s not an outlier, it’s the pattern. There’s always one big hack per year.”

Smart contract security has matured considerably, Matviiv said, but “the next frontier is definitely around the broader attack surface: multi-sig wallet configurations, key management, phishing, governance attacks, and ecosystem-level exploits.”

Effective security requires catching vulnerabilities as early as possible in the development process, Amador told Decrypt. 

“Bug bounty is the second most expensive, the most expensive being the hack,” he said, describing a hierarchy of costs that increases dramatically at each stage.

“We’re catching bugs before they hit production, before they even hit an audit,” Amador added. “It would never even be included in an audit. They wouldn’t waste their time with it.”

While hack severity remains high, Amador said that “the incidence rate is going down, and the level of severity of most of the bugs is going down, and we’re catching more and more of these things in the earlier stages of the cycle.”

When asked what single security measure every project at Token2049 should adopt, Amador called for a “Unified Security Platform,” addressing multiple attack vectors.

That’s essential, as fragmented security essentially forces projects to “do the research yourself” on products, limitations, and workflows, he said. 

“We are not yet to the point where we can handle trillions and trillions of assets. We’re just not quite there at prime time.”


UK’s New Digital ID Scheme ‘Target for Hackers’

by admin September 27, 2025



In brief

  • The UK government has unveiled a mandatory Digital ID scheme, set to be introduced by 2029 at the latest.
  • Some experts highlighted privacy and security risks, particularly if biometric data is included.
  • Other ID and verification experts suggest that a nationwide scheme consolidates personal data, making it less exposed to potential hacks.

The announcement of the UK’s nationwide Digital ID scheme has divided tech experts, with privacy advocates highlighting the dangers of mission creep and security risks.

British Prime Minister Sir Keir Starmer this week announced the mandatory Digital ID scheme, requiring anyone who wishes to work in the UK to carry digital identification on their mobile phones.

Unveiled by Starmer at the Global Progressive Action Conference in London, the Digital ID is expected to be rolled out by the end of the current Parliament, which is scheduled to close in 2029.

Yet figures working within the tech sector have mixed views on whether the scheme will be a net gain for data security.

“Putting all of someone’s identity, biometrics, and access to services into one central system doesn’t just create a bigger target for hackers—it means that if that system is breached, everyone is at risk,” said Rob Jardin, chief digital officer at privacy-first decentralized VPN platform NymVPN.

Jardin underlined the risk that would come from including any biometric data—which cannot be changed in the event of a hack—in the ID scheme, while pointing to the possibility of mission creep.

“A digital ID might start as a simple way to prove who you are, but over time, it could quietly expand into tracking where you go, what you do, or even controlling access to services,” he said.

How will the UK’s Digital ID work?

The digital ID is expected to include a person’s photo, name, date of birth and residency status.

The UK Government is considering ways of enabling non-smartphone users to participate in the scheme, and will be launching a three-month consultation later in the year on best practice for delivering the service. The consultation will explore whether additional information such as addresses should be included.

Speaking at the Global Progressive Action Conference, Starmer said that the scheme is necessary to reduce illegal immigration and, in particular, the numbers of people working illegally in the UK.

I know you’re worried about the level of illegal migration into this country.

Digital ID is another measure to make it tougher to work illegally here, making our borders more secure.

Ours is a fairer Britain, built on change, not division.

— Keir Starmer (@Keir_Starmer) September 26, 2025

“Digital ID is an enormous opportunity for the UK,” he said. “It will make it tougher to work illegally in this country, making our borders more secure.”

Members of opposition parties in the UK have criticized the plans, with Liberal Democrat leader Sir Ed Davey saying that the scheme would “add to our tax bills and bureaucracy, whilst doing next to nothing” to reduce the migrant boat crossings that have become a hot topic in England.

Addressing security concerns

While some tech experts have highlighted the potential security risks involved in the Digital ID scheme, others working in relevant areas suggested that a properly designed Digital ID system could end up being more secure than existing methods for identification.

“When security concerns are addressed with advanced cryptography and continuous monitoring, they create a more resilient national infrastructure,” said Cindy van Niekerk, CEO of UK-based ID and verification firm Umazi.

As an example, Van Niekerk suggested that digital ID will save the need to email a scan of your passport to service providers and/or prospective employers, something which can be exposed to hacks and data leaks.

“Digital ID eliminates this by using cryptographic credentials that prove identity without exposing personal data,” she told Decrypt. “Citizens control what information is shared and when, creating genuine privacy protection rather than the illusion of it.”

Elaborating on this point, van Niekerk said that UK citizen data is currently stored across “hundreds of insecure databases” in the public and private sector, and that an adequate Digital ID system would consolidate verification while distributing storage, reducing the risk of mass data breaches.

“Estonia’s digital ID system, which has been in operation since 2002, today has approximately 1.4 million users and in the 23 years, has only had one incident, but emerged stronger because its decentralised architecture prevented wholesale data loss,” she explained.



Decentralizing digital IDs

The example of Estonia could be instructive, since some experts argue that decentralization may be vital in delivering an ID scheme in a robust and secure way.

“Strong legal protections and transparency matter, but the real safeguard is building systems in a decentralized way—meaning no single authority controls all the data, and individuals always hold the keys to their own data,” said Jardin. “Done right, decentralised digital IDs could deliver convenience and trust without turning into a tool of surveillance we later regret.”

This emphasis on decentralization is something that van Niekerk largely agreed with, although she also underlined the important role that quantum computing could end up playing in any nationwide ID system.

“The UK can deploy quantum-resistant algorithms from day one, avoiding the billions of retrofitting costs other countries will face later,” she said.

She also explained that a decentralized architecture would enhance any quantum resilience the UK digital ID scheme could ultimately include.

“Distributed systems using post-quantum cryptography create multiple protection layers,” she said. “Even if one cryptographic method is compromised, redundant quantum-safe protocols maintain system integrity.”


North Korean Hackers Drain $1.2M From Seedify Bridge

by admin September 24, 2025



In brief

  • North Korean hackers compromised Web3 gaming incubator Seedify’s cross-chain bridge, draining $1.2 million across BNB Chain networks.
  • The attack exploited a developer’s private key to mint unauthorized SFUND tokens through an audited bridge contract that should have prevented such minting.
  • Blockchain sleuth ZachXBT linked the theft addresses to past North Korean “Contagious Interview” incidents through on-chain analysis.

North Korean state-affiliated hacker groups have claimed another victim in the DeFi sector, exploiting Web3 gaming incubator Seedify Fund’s token bridge infrastructure to steal $1.2 million while devastating the platform’s native token SFUND across multiple exchanges.

The attack on Tuesday targeted Seedify’s cross-chain bridge on BNB Chain, allowing hackers to mint unauthorized tokens and systematically drain liquidity pools across Ethereum, Arbitrum, and Base networks before converting proceeds on BNB Chain, the platform said in its official statement.

Today at approximately 12:05 UTC, a DPRK state-affiliated group known for many hacks in Web3 gained access to one of our developer’s private keys. Using these, they were able to mint a large amount of SFUND tokens through a bridge contract that had previously passed audit.

The…

— Seedify (@SeedifyFund) September 23, 2025

“The Seedify theft addresses are tied onchain to past Contagious Interview incidents (DPRK),” blockchain sleuth ZachXBT tweeted following the breach, linking the attack to an ongoing campaign that has claimed over 230 victims between January and March alone, per a recent SentinelLABS intelligence report.

The SFUND token has plunged nearly 35% in the last 24 hours, now trading at $0.28, according to CoinGecko data. It was trading at $0.42 before the hack was reported.

“DPRK/Lazarus decided to take everything we built over 4.5 years in one hack,” Seedify founder Meta Alchemist tweeted in response to the breach.

“The Seedify hack stemmed from a compromised developer key that let DPRK-linked actors mint unauthorized $SFUND tokens via a bridge contract,” Hakan Unal, Senior Security Operations Center Lead at Cyvers, told Decrypt.



“This contract should not have been able to mint these tokens without any token being bridged,” Seedify explained in its official statement, revealing the fundamental vulnerability that allowed unauthorized token creation.

“The hacker wallets connect on-chain to prior DPRK operations, highlighting how aggressive their ongoing rampage across Web3 has become,” Unal explained, recommending platforms monitor on-chain activity and enforce multi-signature approvals.

The crypto industry mobilized quickly in response, with Binance founder Changpeng Zhao (CZ) saying security experts helped freeze $200,000 at HTX exchange, and “the rest seem to remain on-chain.”

Talked to a few security guys in the industry. I believe they were able to help track it and froze $200k at HTX, the rest seem to remain on-chain. Looks like North Korea DPRK.

Major CEXs probably have these addresses on blacklists now. Good luck!

— CZ 🔶 BNB (@cz_binance) September 24, 2025

‘Contagious Interview’ campaign threat actors operate in “coordinated teams with real-time collaboration, likely using Slack and multiple intelligence sources such as Validin, VirusTotal, and Maltrail” to monitor their infrastructure exposure, SentinelLABS said.

The report also found that despite DPRK hackers “thoroughly examining threat intelligence and identifying artifacts that can be used to discover their infrastructure,” they “did not implement systematic, large-scale changes to make it harder to detect,” instead quickly deploying new infrastructure when disrupted.

“The competitive pressures stemming from North Korea’s annual revenue quotas” drive operatives to protect individual assets and “outperform colleagues” rather than coordinate security improvements, the cybersecurity firm said.

A recent Cisco Talos intelligence report showed that North Korean groups are continuing to refine their attacks with new malware like “PylangGhost,” targeting crypto professionals through fake Coinbase and Uniswap job postings.

With known DPRK-related losses in 2024 totaling $1.3 billion, the Bybit hack’s $1.5 billion alone has already made 2025 “by far their most successful year to date,” according to Chainalysis’ 2025 Crypto Crime Mid-year Update.


This serious Microsoft Entra flaw could have let hackers infiltrate any user, so patch now

by admin September 22, 2025



  • Actor tokens allowed cross-tenant impersonation without logging or security checks
  • CVE-2025-55241 enabled Global Admin access via deprecated Azure AD Graph API
  • Microsoft patched the flaw in September 2025; actor tokens and Graph API are being phased out

Security researchers have found a critical vulnerability in Microsoft Entra ID which could have allowed threat actors to gain Global Administrator access to virtually anyone’s tenant – without being detected in any way.

The vulnerability consists of two things – a legacy service called “actor tokens”, and a critical Elevation of Privilege bug tracked as CVE-2025-55241.

Actor tokens are undocumented, unsigned authentication tokens used in Microsoft services to impersonate users across tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.



Deprecating and phasing out

According to security researcher Dirk-jan Mollema who discovered the flaw, these tokens bypass standard security controls, lack logging, and remain valid for 24 hours, which makes them exploitable for unauthorized access without detection.

Mollema demonstrated that by crafting impersonation tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations’ environments.

These actions included creating users, resetting passwords, and modifying configurations – all without generating logs in the victim tenant.

“I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netId of a user in that tenant,” Mollema explained.


As it turns out, Azure AD Graph API, a deprecated system that’s slowly being phased out, was accepting the tokens from one tenant and applying them to another, bypassing conditional access policies and standard authentication checks.

Mollema reported the issue to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 was given a severity score of 10/10 (critical), and was officially addressed on September 4.

Azure AD Graph API is being deprecated, while the tokens, which Microsoft refers to as “high-privileged access” mechanisms used internally, are being phased out.

Via BleepingComputer


North Korean Hackers Hit Crypto Sector With BeaverTail Malware

by admin September 21, 2025



According to a recent report by The Hacker News, North Korean hackers are attempting to trick non-developer job applicants within the cryptocurrency sector with the BeaverTail malware, which steals logins and crypto wallets, and InvisibleFerret. 

Both macOS and Windows users should avoid strange downloads from GitHub or Vercel as well as suspicious scripts.  

How it works 

Unfortunate applicants who fall for the sham run “fix” commands presented as remedies for bogus microphone or camera errors when recording a short video on a fake website created by the attackers. This is a common trick used by North Koreans, which should be automatically treated as a red flag.

With the help of the aforementioned commands, the attackers then run a payload that installs BeaverTail and InvisibleFerret as a bundle. 

What is notable is that North Korean attackers used to target primarily tech-savvy developers with BeaverTail, but they have now changed their targets. The new version is a ready-to-run program, meaning that it is no longer necessary for JavaScript or Python to be installed on the victim’s machines.  


The usage of harmless-looking decoy files also makes it more challenging for security tools to actually detect them. Some parts of the malware are also hidden in password-protected files. 

Growing threat 

The recent malware has been linked to North Korean attackers since BeaverTail was previously used by them. Moreover, some IPs are associated with the hermit kingdom. 

As reported by U.Today, Binance CEO Changpeng Zhao recently took to X (formerly Twitter) to warn about North Korean hackers posing as job candidates, potential employers, and users. 




Binance’s CZ Issues Crucial North Korea Hackers Security Warning

by admin September 18, 2025



Changpeng Zhao, also known as CZ, has taken to his X account to publish a vital security warning for the crypto community.

CZ revealed in detail how these seasoned hackers work, warning the community to stay secure and avoid falling for their digital traps.

CZ’s warning about NK hackers

In his tweet, CZ reminded the crypto audience on X that North Korean hackers are difficult to deal with since they are “advanced, creative, and patient.” Zhao says that what he says in his tweet comes from both his personal experience and what he has heard about those cyber criminals, as he revealed the methods those hackers use to gain access to users’ personal data and crypto on exchanges and personal wallets.

Their methods

The first method they used is posing as job candidates seeking a position in a victim’s company. They thereby get their foot in the door. They usually prefer to apply for roles as developers or in positions related to the finance or cybersecurity spheres.

These North Korean hackers are advanced, creative and patient. I have seen/heard:

1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions.

2. They pose as employers and try to… https://t.co/axo5FF9YMV

— CZ 🔶 BNB (@cz_binance) September 18, 2025

The second method is posing as employers who want to interview victims or make them an offer. While conducting an “interview,” they pretend to have a problem with Zoom and ask the victim to click on a link to download an “update.” This link usually contains a virus that helps them gain control over the victim’s device. Another option is to give a person a coding question and then send them some “sample code.”

Another trick NK hackers love to use is posing as users having problems and sending malicious links in a letter to customer support. Those links also contain a virus.

Finally, CZ says, the hackers can pay or bribe a company’s employees or outsourced vendors to gain access to certain crucial data. CZ mentioned that, just a short while ago, a major Indian outsourcing service suffered a hacker attack. As a result, the user data of a major U.S. exchange was leaked, and users lost more than $400 million worth of their personal crypto.

CZ concluded his tweet with a warning to all crypto exchanges and wallets: “Train your employees to not download files, and screen your candidates carefully.”






Scam Alert: Uniswap V4’s Bunni DEX Loses Millions to Hackers

by admin September 2, 2025


Malicious actors in the cryptocurrency space remain a constant threat to the sector and are not moved by market conditions, striking in both bull and bear markets. Within the last 24 hours, Uniswap V4’s Bunni decentralized exchange (DEX) has been attacked by hackers.

Hackers exploit Bunni DEX vulnerability

According to an update from PeckShieldAlert, a blockchain security firm that monitors the crypto space, hackers have exploited a vulnerability on Bunni DEX. This has led to the hackers stealing approximately $2.4 million worth of assets.


Critical details of who the attackers could be and the different crypto assets stolen have not been revealed. However, the theft, occurring in the midst of an ongoing bull market, is poised to affect investors who use the exchange.

As of press time, a message from Bunni on their official X handle acknowledged the “security exploit” and precautionary measures taken so far. According to the DEX, their team is currently investigating the incident and will provide details as soon as investigations are concluded.

🚨 The Bunni app has been affected by a security exploit. As a precaution, we have paused all smart contract functions on all networks. Our team is actively investigating and will provide updates soon. Thank you for your patience.

— Bunni (@bunni_xyz) September 2, 2025

It has, however, paused all smart contract functions on all networks while this is ongoing. Bunni has called for patience on the part of its users.

Are there security concerns over Uniswap V4 ecosystem?

The compromise on Bunni DEX by these hackers reemphasizes the need for exchanges to pay attention to safeguarding funds on their platform. This suggests that malicious actors are always scanning the crypto space and attempting to steal. Failure to secure protocols could lead to loss of funds.


Interestingly, in February 2025, Uniswap launched a new V4 protocol that included gas efficiency. Some users have wondered if it has also strengthened its security features to protect exchanges in its ecosystem.

U.Today has consistently reported on scam alerts and activities of hackers with emphasis on how to avoid falling victim to their exploits and safeguarding funds.






Hackers are looking to steal Microsoft logins using some devious new tricks – here’s how to stay safe

by admin August 25, 2025



  • A new phishing scheme successfully bypasses most security tools
  • It abuses ads and Microsoft’s Active Directory Federation Services tool
  • It is designed to steal login credentials, so users should take care

Cybercriminals have found a clever way to make phishing sites look like legitimate login pages, successfully stealing Microsoft credentials, experts have warned.

Cybersecurity researchers at Push Security recently published an in-depth report on how the scam works, outlining how the attackers created fake login pages that mimicked authentic Microsoft 365 sign-in screens.

Then, instead of sending victims directly to the site, which would probably get flagged by security solutions and quickly blocked, they used a Microsoft feature called Active Directory Federation Services (ADFS). Companies normally use it to connect their internal systems to Microsoft services.



How to stay safe

By setting up their own Microsoft account and configuring it with ADFS, the attackers trick Microsoft’s service into redirecting users to the phishing site, while making the link look legitimate because it starts with something like ‘outlook.office.com’.

Furthermore, the phishing link was not distributed by email, but through malvertising. Victims were searching for “Office 265”, which was presumably a typo, and were then taken to an Office login page. The ad also used a fake travel blog – bluegraintours[.]com – as a middle step to hide the attack.

The way the entire campaign was set up made it particularly dangerous. With the link appearing to come from Microsoft and bypassing many security tools that check for bad links, its success rate was probably higher than that of “traditional” phishing.

Furthermore, since it doesn’t rely on email, the usual email filters couldn’t catch it. Finally, the landing page could even bypass multi-factor authentication (MFA), which made it even more dangerous.


To prevent such scams from causing any real harm, IT teams should block ads, or at least monitor ad traffic, and watch for redirects from Microsoft login pages to unknown domains.

Finally, users should be careful when typing in search terms – a simple typo can lead to a fake ad that can result in device compromise and account takeover.
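The redirect check recommended above, as an added example that is not code from Push Security, TechRadar or Microsoft: it scans web proxy log lines for 3xx responses that leave a Microsoft sign-in host for an unexpected domain. The tab-separated log format, the two host lists and the `adfs.corp.example` identity provider are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts treated as Microsoft sign-in surfaces (assumed list; extend for your tenant).
MS_LOGIN_HOSTS = {"outlook.office.com", "login.microsoftonline.com"}
# Domains a redirect from those hosts is normally expected to land on (assumed list).
EXPECTED_SUFFIXES = ("office.com", "microsoftonline.com", "microsoft.com", "live.com")

# Constructed proxy log: timestamp, user, request URL, status, Location header.
SAMPLE_LOG = """\
2025-08-25T09:01:12Z\talice\thttps://outlook.office.com/owa/\t302\thttps://login.microsoftonline.com/common/oauth2/authorize
2025-08-25T09:01:13Z\talice\thttps://login.microsoftonline.com/common/oauth2/authorize\t302\thttps://adfs.corp.example/adfs/ls/
2025-08-25T09:03:40Z\tbob\thttps://outlook.office.com/owa/\t302\thttps://office.com.signin-check.example/adfs/ls/
2025-08-25T09:04:02Z\tcarol\thttps://news.example/story\t302\thttps://cdn.example/story
2025-08-25T09:05:00Z\tdave\thttps://login.microsoftonline.com/common/login\t200\t-
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative or empty values."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (label boundary)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def suspicious_redirects(log_text, federated_idps=frozenset()):
    """Return (timestamp, user, source host, destination host) for each 3xx
    response from a Microsoft sign-in host to a host that is neither a
    Microsoft domain nor one of the organisation's own federated IdPs."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line
        ts, user, url, status, location = fields
        src, dst = host_of(url), host_of(location)
        if not status.startswith("3") or src not in MS_LOGIN_HOSTS or not dst:
            continue  # not a cross-host redirect from a sign-in page
        if under(dst, EXPECTED_SUFFIXES) or dst in federated_idps:
            continue  # expected destination
        findings.append((ts, user, src, dst))
    return findings

if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG, {"adfs.corp.example"}):
        print("ALERT", *hit)
```

A legitimate ADFS federation produces the same redirect shape, so the organisation's own identity provider hosts have to be passed in as `federated_idps`; without that allowlist the second sample line is flagged as well.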

Via BleepingComputer

GameFi Guides

How Coinbase Protects Data from North Korean Hackers

by admin August 24, 2025



In an interview with Stripe’s John Collison, Coinbase CEO Brian Armstrong shared details on tactics North Korean hackers use to infiltrate Coinbase. Attempts by deceptive agents to bribe the exchange’s support team or get jobs at Coinbase resulted in stricter security standards. What did we learn about hackers from the DPRK?

Summary

  • In a new interview, Brian Armstrong emphasized that North Korea is trying to infiltrate tech companies with a large number of its agents disguised as remote IT workers.
  • Armstrong said it feels like around 500 new agents graduate from special schools every quarter.
  • According to Armstrong, threat actors are trying to bribe the Coinbase support team with hundreds of thousands of dollars to get private info.
  • Coinbase had to tighten up its security standards for hiring new people. Only fingerprinted employees with U.S. citizenship and family in-country can access sensitive info.
  • Previously, investigators found out that the DPRK is constantly trying to get its agents hired in tech companies so they can steal cryptocurrency there. Stolen crypto is thought to be used as funding for the North Korean nuclear program.

North Korea takeaways from Armstrong’s interview

On Aug. 20, 2025, the Stripe YouTube channel released a new video. In it, Collison and Armstrong, who are the heads of Stripe and Coinbase, have a conversation about notable trends in the cryptocurrency space.

Collison asked Armstrong what the general tech public does not appreciate about the cybercrime landscape, and Armstrong’s nearly immediate response was “a lot of North Korean agents are trying to work at these companies,” most of the time remotely.

Armstrong said that while companies are working with law enforcement and get notified about some candidates as “known actors,” it feels like 500 more agents graduate from “some kind of school” in the DPRK each quarter, and infiltrating tech companies is their “whole job.”

He emphasized that he does not blame individuals for becoming agents:

“In many of these cases, it’s not the individual person’s fault. Their families will be coerced or detained if they don’t cooperate. So actually, they’re the victim as well in many cases.”

During online job interviews, the DPRK agents usually have some kind of a coach around who assists them, so Coinbase employees have to demand that candidates turn on the camera to make sure they are talking with a real person and no one is nearby to give instructions.

If an employee needs to access any sensitive system, they are required to come to the U.S. in person for orientation. Coinbase limits access to sensitive data by allowing only fingerprinted employees with U.S. citizenship and family in-country. Such a strict approach is dictated by increased security concerns associated with the DPRK infiltration attempts. 

Another concern voiced by Armstrong during the interview is the cases when threat actors were trying to bribe Coinbase support team agents, offering hundreds of thousands of dollars in exchange for smuggling in personal phones, taking screen photos, and sharing other types of data. To address the risk of leaks resulting from bribery, Coinbase had to increase control over the support team and move customer support offices to the U.S. and Europe. Armstrong said:

“[We] really started to make a deterrent in the sense of, when we catch people doing this – and we red‑team it consistently — we don’t walk them out the door — they go to jail. We try to make it very clear that you’re destroying the rest of your life by taking this, even if you think it’s some life‑changing amount of money, it’s not worth going to jail.”

Another measure is putting out a $20 million bounty for information that could help arrest or convict attackers. Armstrong emphasized that Coinbase is not only going after insiders but targets the threat actors themselves.

What is known about hackers from the DPRK?

During the same interview, Armstrong said that “DPRK is very interested in stealing crypto,” and this statement should not be underestimated. According to blockchain analytics company Elliptic, the hacking of the crypto exchange ByBit by North Korean hackers was the biggest heist in history. Hackers from the infamous Lazarus Group associated with the DPRK managed to steal $1.46 billion in crypto assets. Since 2017, the DPRK has stolen over $5 billion in crypto. Allegedly, 40% of the North Korean military’s nuclear program is funded via stolen cryptocurrencies. Over $300 million of money stolen from ByBit was probably used to fund nuclear weapons.

The North Korean hackers use diverse tactics to steal crypto and launder money. On Aug. 13, 2025, a prominent anonymous crypto sleuth using the ZachXBT handle on X shared documents leaked from the North Korean hackers who pretended to be IT workers in Western companies. 

The leak revealed that five agents have been operating 30 fake identities and had bogus LinkedIn and Upwork IT worker accounts. They were communicating mostly in English and using various Google services to conduct their operations, buying accounts on job platforms, serial security numbers, etc. Some of the screenshots of the browser history of these agents reveal low levels of tech competency. According to ZachXBT, hiring a North Korean agent is “100% negligence.” In his opinion, figuring out that the candidate is a DPRK agent is not that hard.

However, despite the fact that the DPRK agents are bad at work and get fired quickly, they find new jobs; usually, several agents are taking positions at the same company simultaneously, and eventually manage to steal crypto.

6/ I am closely monitoring five other larger clusters of DPRK ITWs but will not share those addresses publicly since they are active.

One thing to note is the number does not include exploits conducted by them on projects (LND, ChainSaw, Favrr, Munchables, Dream, etc)

They… pic.twitter.com/kIbFewIM8b

— ZachXBT (@zachxbt) July 2, 2025

North Korean hackers used to launder stolen assets via Binance and Coinbase, but had to find other ways as these exchanges increased KYC/AML scrutiny. They developed a chain of over-the-counter brokers. Also, Korean hackers use crypto mixer platforms that obfuscate transaction data. In relation to the Lazarus Group activity, the U.S. Treasury named such mixer platforms as Sinbad, Tornado Cash, and Blender.

According to ZachXBT, public company Circle, which is a prime competitor of Tether, is neglecting the use of its stablecoin USDC in the DPRK-related money laundering operations, being the only company that didn’t freeze flagged wallets when ZachXBT brought up the connection. The company eventually froze the addresses involved in hacking months later. The Circle CEO, Jeremy Allaire, responded to ZachXBT’s criticism by saying that the company would not freeze addresses solely based on ZachXBT’s investigation; a request from law enforcement was necessary.

5/ USDC was sent directly from Circle accounts to three addresses in this cluster.

It’s 1 hop from an address blacklisted by Tether in April 2023 tied to Hyon Sop Sim.

Other DPRK ITW clusters currently have decent sized quantities of USDC sitting.

I think it’s misleading… pic.twitter.com/vGCcMZX6wL

— ZachXBT (@zachxbt) July 2, 2025

ZachXBT accuses Circle of allowing Korean hackers to use USDC so that the company will earn via transaction fees. Similar claims were made against the MetaMask wallet, which was allegedly involved in the DPRK money laundering operations.

While ZachXBT dismisses the sophistication of the DPRK agents when they try to infiltrate tech companies, Coinbase has its reasons to be cautious. Given that Coinbase is responsible for the custody of over 2.2 million bitcoins, which is more than 10% of the total supply, extensive control over the works may not seem unnecessary. 





NFT Gaming

Memecoin Frenzy: Hackers Hijack Adele, Future, Other Celebrities Instagram Account To Push Dubious FREEBANDZ Token

by admin August 23, 2025



In a rather shocking development, hackers took over the Instagram accounts of some music celebrities to promote a fraudulent Solana-based memecoin. This incident comes after another high-profile market controversy involving Kanye West’s YZY token.

Celebrity Profiles Hacked, Memecoin Crashes After $900,000 Pump

In an X post on Friday, popular media outlet NFR Podcasts reported that Instagram accounts belonging to the late Michael Jackson, as well as artists Adele, Tyla, and Future, had been simultaneously compromised to promote a scam memecoin. The fraudulent posts shared across the accounts featured an image of Future holding an oversized coin branded FREEBANDZ — the same name as the rapper’s music label and clothing brand. The imagery appeared designed to create a false sense of endorsement and legitimacy for the token.

The posts have since been removed, and Future’s Instagram account was ultimately disabled. As of now, none of the affected parties has issued public statements regarding the incident. According to data from Dexscreener, the token briefly surged upon launch, reaching a market cap of nearly $900,000 before collapsing to around $15,000 in about 30 minutes.

Michael Jackson, Future, Tyla, and Adele’s Instagram accounts were hacked simultaneously pic.twitter.com/MCMPcU41Ww

— NFR Lite (@NFR_Lite) August 22, 2025

On-chain data suggests the scam’s orchestrator may be linked to a wallet address ending in zcmPHn, which dumped 700 million FREEBANDZ tokens, securing 251.41 SOL valued at approximately $45,600. Another wallet, ending in bTp, also walked away with an additional $13,300 after swapping 85.6 million FREEBANDZ.

The rapid pump-and-dump underscores the risks surrounding memecoins and the ease with which hackers exploit high-profile names to lure in unsuspecting investors. In late 2024, for instance, rapper Drake’s X account was also compromised to promote a Solana memecoin called $ANITA, which generated around $5 million in trading volume before collapsing.

Meme coins remain largely unregulated, and the SEC has previously clarified that most do not qualify as securities, likening them instead to speculative collectibles with no underlying promise of profit. This regulatory gap has made memecoins fertile ground for these kinds of scams, highlighting the need for caution among traders.

Kanye West’s YZY Under Scrutiny For Insider Trading

In other developments, rap legend Kanye West has become embroiled in another memecoin controversy. According to Bitcoinist, the YZY token skyrocketed to a $3 billion market cap at launch before plunging more than 70% within hours.

On-chain data shows several wallets were pre-funded and primed to buy immediately after Ye’s announcement, fueling suspicions of insider trading. Notably, 13 wallets collectively walked away with $24 million in profits from the YZY frenzy. The token now trades at $0.705, with a fully diluted valuation (FDV) of $699.3 million.

Total crypto market cap valued at $3.95 trillion on the daily chart | Source: TOTAL chart on Tradingview.com

Featured image from ABC News, chart from Tradingview
