Operation Atlantic Freezes $12M, Identifies 20K Crypto Victims
US, UK, and Canadian law enforcement froze $12 million in stolen crypto and identified 20,000 victims of approval phishing scams in a week-long crackdown.
25 articles tagged with "Cryptocurrency"
Microsoft found an intent redirection vulnerability in EngageLab's Android SDK affecting 50M+ app installs. Crypto wallets with 30M users were at risk.
Attackers stole 50.9 BTC from company wallets after obtaining settlement account credentials. Second security incident for the crypto ATM operator since 2023.
Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.
Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.
Solana's Drift Protocol lost $285 million in 2026's largest DeFi hack. TRM Labs attributes the attack to North Korean actors who exploited oracle manipulation and pre-signed transactions.
Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.
Britain becomes the first country to sanction Xinbi, a Telegram-based crypto marketplace that processed $19.9 billion for pig butchering scams and North Korean hackers.
New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.
Attackers compromised AppsFlyer's domain registrar to inject crypto-stealing JavaScript into their Web SDK. The malware swaps wallet addresses for Bitcoin, Ethereum, Solana, and more.
New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.
SANS ISC documents phishing campaign using fabricated incident reports to steal MetaMask wallet credentials. Attackers host phishing pages on AWS S3.
North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.
Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.
Security researchers uncover ClawHavoc campaign distributing Atomic Stealer through fake cryptocurrency and productivity tools on ClawHub marketplace.
Attackers exploited a validation flaw to send spoofed cross-chain messages and unlock tokens across Ethereum, Arbitrum, and six other networks.
DPRK hackers stole $2B in cryptocurrency in 2025 alone. Understanding Lazarus Group's operations helps defend against state-sponsored financial theft.
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
First macOS-focused wave of GlassWorm malware discovered on Open VSX marketplace, stealing cryptocurrency wallets, Keychain passwords, and developer credentials through trojanized extensions.
Cryptocurrency hardware wallet maker Ledger confirms customer data exposed after third-party payment processor Global-e suffers cloud system breach.
Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.
The self-propagating VS Code extension worm now replaces Ledger Live and Trezor Suite with trojanized versions. Russian-speaking operators behind campaign.
Attackers pushed malicious update v2.68 to Chrome Web Store using leaked API key. Hundreds affected as seed phrases harvested via embedded analytics library.
Russian-developed infostealer now production-ready after December 16 release, targets browser credentials, crypto wallets, and messaging apps for $175/month.
DPRK-affiliated threat actors dominated crypto theft in 2025, accounting for 76% of exchange compromises with cumulative theft now exceeding $6.75 billion.