disguise

Recently, the internet police in Taizhou, Zhejiang, China reported a fraud case disguised as "metaverse" and "virtual currency."The criminal gang promoted facial recognition payment devices, initially attracting users through a points system, then luring investors to purchase their self-issued "air coins." They continuously siphoned off funds through methods such as locking assets, manipulating prices, and "currency swapping," ultimately defrauding over 130 investors of approximately 35 million yuan. The court determined that the defendants committed fraud with the intent of illegal possession, with the amount being particularly large, sentencing them to 10 years in prison and a fine of 200,000 yuan.

According to a report from the security agency Socket's Threat Research Team, a malicious Chrome extension named "MEXC API Automator" has been available in the Chrome Web Store since September 1, 2025, capable of stealing users' newly created API keys from the cryptocurrency exchange MEXC and sending them to a Telegram bot controlled by the attacker.The extension lures users with the promise of trading automation, automatically generating MEXC API keys with withdrawal permissions without the user's knowledge, while hiding the display of these permissions in the interface, subsequently leaking the keys along with their ciphertext. This allows attackers to gain complete control over the victim's MEXC account, executing trades, initiating automatic withdrawal operations, and transferring assets within the account. As of the report's publication, the extension is still available for download in the Chrome Web Store, and the research team has reported and flagged this extension to Google.

According to market news, a sophisticated phishing attack targeting Cardano users is spreading announcements disguised as the "Eternl Desktop" wallet, luring users to download and install a malicious MSI file containing remote control tools.The attackers have forged an official tone and referenced NIGHT and ATMA token incentives, using the domain download.eternldesktop.network to distribute unsigned installation packages. Security researchers revealed that the file contains the LogMeIn Resolve component, which allows for remote command execution and persistent system control. Users are advised to obtain wallet software only through official channels.

The Chief Information Security Officer of Slow Fog, 23pds, shared that the MacSync Stealer malware, active on the macOS platform, has shown significant evolution, with user assets already being stolen.The forwarded article mentions that it has upgraded from early low-threshold inducement methods like "dragging to terminal" and "ClickFix" to code signing and notarized Swift applications by Apple, significantly enhancing its concealment. Researchers found that the sample spreads in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguising itself as instant messaging or utility applications to induce users to download. Unlike previous versions, the new version does not require any terminal operations from the user; instead, a built-in Swift helper pulls and executes encoded scripts from a remote server, completing the information theft process.The malware has completed code signing and has been notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the relevant hash has not been revoked by Apple during analysis. This means it has a higher "trustworthiness" under the default macOS security mechanisms, making it easier to bypass user vigilance. The research also found that the DMG is unusually large, containing bait files such as LibreOffice-related PDFs to further reduce suspicion.Security researchers point out that such information-stealing Trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple’s signing and notarization mechanisms, the risks of phishing and private key leakage for cryptocurrency users in the macOS environment are on the rise.

According to The Block, the Brooklyn District Attorney's Office announced on Friday that a 23-year-old Brooklyn man has been charged with 31 counts for allegedly carrying out a phishing scam that stole approximately $16 million in cryptocurrency from about 100 Coinbase users.Ronald Specter, a resident of Sheepshead Bay, is charged with first-degree grand larceny and money laundering. Prosecutors allege that Specter impersonated a Coinbase representative to contact victims, warning them that their assets were at risk of a hacking attack. He is accused of tricking users into transferring their assets to a new wallet that he secretly controlled, and then laundering the funds through cryptocurrency mixers, exchange services, and gambling platforms.

According to the official WeChat account of the Shanghai headquarters of the People's Bank of China, recent illegal activities have been reported where criminals impersonate "digital yuan promotion" and "recruiting promoters" to lure the public into group chats and conduct "exams" and "courses" for brainwashing, implementing pyramid scheme fraud. The central bank reiterated that there is no speculation space for digital yuan, no commission subsidies exist, and no promoter exams have been set up.The public should be vigilant against inducements such as "high returns" and "referring others," avoid clicking on unknown links, and refrain from joining unfamiliar groups to prevent financial losses. If fraud is encountered, it should be reported to the police immediately.

Moonrock Capital founder Simon Dedic posted on X commenting on Circle's acquisition of Axelar, stating: "Another acquisition, another RUG. Circle acquires Axelar but explicitly excludes the foundation and AXL tokens, which is simply a criminal act. Even if it doesn't violate the law, it goes against ethics. If you are a founder looking to issue tokens: treat them like equity or get lost."Previously, Circle announced the acquisition of Axelar's initial development team, Interop Labs, but Axelar Network, Axelar Foundation, and AXL tokens are not included in this acquisition.

The Xinhua News Agency's WeChat public account forwarded a safety reminder announcement previously released by the WeChat Security Center: "Recently, the WeChat platform has received user complaints that some WeChat accounts are involved in organizing pyramid schemes, fraud, and other illegal activities within WeChat groups.Such behaviors disguise themselves under the pretense of national asset unfreezing, national policies and engineering projects, as well as blockchain virtual currencies, stablecoins, etc., using high returns as bait to lure users into joining WeChat groups. They encourage users within the group to invite others, post suspicious links to download fraudulent apps, engage in daily check-ins, meeting courses, and other brainwashing activities, ultimately leading to fraud. The aforementioned behaviors seriously infringe upon users' property rights."

The WeChat Security Center stated that it has recently received user complaints about certain WeChat accounts engaging in illegal activities such as organizing pyramid schemes and fraud within WeChat groups. Such activities disguise themselves under the pretense of national asset unfreezing, national policies, and engineering projects, as well as blockchain virtual currencies and stablecoins, using high returns as bait to lure users into joining WeChat groups. Within these groups, users are encouraged to invite others, post suspicious links to download fraudulent apps, engage in daily check-ins, attend meetings and courses, and other brainwashing activities, ultimately leading to fraud. These actions seriously infringe upon users' property rights.Once such behavior is discovered and verified, the platform will take action based on relevant national laws and regulations, as well as the "Tencent WeChat Software License and Service Agreement" and "WeChat Personal Account Usage Specifications," among other platform agreements and rules. Depending on the severity of the violations, related accounts will be subject to a tiered approach to handling, with repeated offenders potentially facing permanent login restrictions, and confirmed violating WeChat groups will have their group functions disabled.

According to the GoPlus Chinese community, a malicious Chrome extension named "Safery: Ethereum Wallet" has been discovered, which is stealing user assets. This extension was released on November 12, 2024, disguised as a simple and secure Ethereum wallet, but it contains a built-in backdoor.The attack method is highly covert: the malicious extension encodes the user's mnemonic phrase into a Sui address and broadcasts microtransactions through a Sui wallet controlled by the attacker to steal the mnemonic phrase. The attacker's email is kifagusertyna@gmail[.]com. Currently, this malicious extension has not been removed from the Chrome Web Store.

ChainCatcher news, according to the Shanghai Procuratorate's official WeChat account, the Shanghai Public Security Bureau has arrested a fraud gang disguised as so-called "cryptocurrency masters." This gang colluded in advance with relevant virtual currency investment and financial management platforms, agreeing on profit-sharing conditions—charging commissions based on the amount of investment losses incurred by clients on the platform.Driven by profit, they launched a meticulously planned scam operation. Some members were responsible for widely posting low-cost virtual currency exchange advertisements on social media, forums, and other platforms, casting a huge net and waiting for those eager for wealth to take the bait.Once someone took the bait, another group of members would quickly strike, posing as "investment experts" to befriend the victims. They would first establish a rapport with the victims, then send forged investment profit screenshots, with seemingly real profit data acting as enticing bait, gradually lowering the victims' guard and gaining

ChainCatcher news, EurekaTrading founder Kuan Sun tweeted a review of how he nearly lost $13 million due to a phishing attack: On September 2, 2025, approximately $13 million in assets in his wallet were almost stolen by the Lazarus hacker group. The security team acted urgently and ultimately recovered the funds.The incident was triggered by what appeared to be a normal Zoom meeting invitation, which was actually a carefully arranged phishing trap. The hackers exploited "acquaintance" relationships, deepfake videos, and a forged Rabby plugin to tailor the attack against the victim, Venus. Under the mistaken belief in the fake plugin, the victim executed a withdraw, putting the assets at risk of being transferred along with liabilities. PeckShield, SlowMist, Venus, and multiple security teams responded quickly, pausing the protocol and investigating risks, ultimately preventing the theft of funds. Hardware wallets are not foolproof; there are still risks of plugin and frontend hijacking; Zoom links, upgrade pop-ups, and acquaintance relationships can all serve as entry points for attacks.

ChainCatcher news, according to Decrypt, the FBI has issued an urgent warning stating that scammers are posing as law firms and government employees to carry out secondary scams against victims of cryptocurrency fraud. Criminals exploit precise details about the victims to gain trust, demanding payment of "service fees" or inducing clicks on phishing links. By 2024, deepfake technology is expected to account for 40% of high-value cryptocurrency fraud cases.

ChainCatcher news, according to Decrypt, Binance's Chief Security Officer Jimmy Su revealed that North Korean hacker groups are the biggest threat currently facing the cryptocurrency industry, as they attempt to infiltrate Binance daily by disguising themselves as job seekers.It is reported that these hackers use voice changers and deepfake technology for video interviews, posing as developers from Europe or the Middle East. Su stated that a clear characteristic for identifying such attackers is the consistent delay during video calls, which is caused by the use of translation and voice-changing tools.

ChainCatcher message, Slow Mist Cosine posted a warning on X, indicating a recent surge in phishing email attacks targeting X users. The subject of the attack emails is "New login to X From XXX," which can bypass Gmail's spam filter.Attackers forge account abnormal login notifications to guide users to click on links such as "Change your password" or "Review the apps," which actually redirect to X's third-party application authorization page. Once users authorize, attackers can gain tweet posting and forwarding permissions, thereby manipulating the user's account to post content without their knowledge.Users need to be highly vigilant about such emails, avoid trusting abnormal login alerts, and refrain from clicking on email links or authorizing unknown applications.

ChainCatcher message, Slow Mist CISO @im23pds tweeted a reminder to be wary of scams disguised as official cold wallet crypto lottery activities. Criminals are impersonating official accounts on the X platform, claiming to give away free Ledger and other cold wallets, and actually sending "brand new sealed" real devices, luring users into lowering their guard. The real trap often lies within the device itself or the accompanying initialization instructions, which may involve tampered devices or social engineering to induce users to leak their recovery phrases.

ChainCatcher message, Slow Mist founder Yu Xian posted, "Everyone beware of @osiris_guard, this so-called Web3 security plugin, it is a malicious plugin. If installed on Chrome, this malicious plugin will replace links, causing users to download well-known programs that turn into Trojan programs, leading to computer compromise. Ultimately, it results in wallets being stolen and related key accounts being wiped out, with similar outcomes, but with more variations in the scams. Detailed analysis is ongoing."

ChainCatcher message, Slow Mist issued a security alert stating that recently multiple users received text messages disguised as "well-known exchanges," with the content "Your withdrawal verification code is xxx. If this was not you, please call xxx for assistance." After users called back, they were informed of a "security vulnerability" and were transferred to someone claiming to be "hardware wallet support," luring users to visit a phishing website and enter their mnemonic phrases, resulting in the theft of cold wallet assets. Users should be cautious and take preventive measures.

ChainCatcher message, according to Cointelegraph, the Kaspersky report indicates that a dangerous malware is disguising itself as a Microsoft Office add-on on the SourceForge platform, specifically targeting cryptocurrency users for attacks. This malware employs clipboard hijacking techniques to automatically replace the cryptocurrency wallet addresses copied by users with the attacker's address, resulting in funds being directly transferred to the hacker's account. Security experts remind users to carefully verify wallet addresses when conducting cryptocurrency transactions to ensure transaction safety.

ChainCatcher news, Slow Mist Technology's Chief Information Security Officer 23pds posted on X platform, warning cryptocurrency users to be cautious of trojans disguised as TradingView cracked versions. Recently, AMOS and Lumma information stealers are spreading through Reddit posts, specifically targeting cryptocurrency users to steal wallets and personal data, with victims including Mac and Windows users.