hacker

According to Reuters: Hackers linked to Iran claim to have hacked the email of the FBI director.

Hackers have launched Android malware attacks in Brazil by spoofing a phishing page that mimics the Google Play Store. Currently, all known victims are located in Brazil.The attackers set up a phishing website that closely resembles Google Play, enticing users to download a fake application called "INSS Reembolso." Once installed, the application releases hidden malicious code in stages and loads it directly into memory, leaving no visible files on the device, which makes it highly stealthy. One of the core functions of the malware is cryptocurrency mining, with an embedded XMRig mining program compiled for ARM devices that silently connects to the attacker's controlled mining server in the background. The program monitors battery level, temperature, and device usage status, dynamically adjusting mining behavior to evade detection, and bypasses Android's background process management mechanism by looping silent audio files.Some variants also include banking trojans that can overlay fake pages on the USDT transfer interface of Binance and Trust Wallet, silently replacing the recipient address. Additionally, the malware supports various remote control commands such as recording, screenshotting, keylogging, and remote locking of the device.

Bitcoin payment service provider Bitrefill disclosed on platform X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee's laptop and allowed the attackers to access certain databases and cryptocurrency wallets.Investigations revealed that the attack method was highly similar to past attacks on cryptocurrency companies by the North Korean DPRK Lazarus/Bluenoroff hacker group. Approximately 18,500 purchase records involved limited customer information (email, cryptocurrency payment addresses, and IP metadata), with about 1,000 records having customer name information stored in an encrypted format, but potentially accessible. Bitrefill stated that customers do not need to take special actions but are advised to be vigilant for unusual information.Bitrefill further added that it has currently shut down related systems for isolation and is collaborating with security experts, on-chain analysts, and law enforcement. Operations have nearly returned to normal. The company emphasized that it is long-term profitable and financially robust enough to absorb this loss and will continue to strengthen cybersecurity measures, including internal access controls, monitoring, and emergency response mechanisms.

Slow Fog's Yu Xian posted on platform X: "A group hacking incident is occurring, hacker address: 0x913efc2062984288a0a083cd42b3a3422c07fcef, the hacker has currently profited $85,000, and this amount is still increasing. According to community feedback, this group mainly consists of yield farmers, and private keys/mnemonic phrases have been collected in advance by the hacker. The hacker is consolidating related funds. If you are using the MoreLogin fingerprint browser, please be cautious, but there is currently no evidence that MoreLogin or related plugins are the issue."

According to market news, a hacker group in China has experienced internal strife due to disputes over the distribution of stolen goods. Members publicly revealed that they had stolen approximately $7 million in cryptocurrency assets through supply chain attacks, targeting platforms such as the cryptocurrency wallet Trust Wallet.According to the leaked information, the group operated under the name of the cybersecurity company Wuhan Anshun Technology, publicly engaging in activities such as vulnerability discovery, network offense and defense, and security services, while internally actually involved in activities related to the theft of cryptocurrency assets and other gray market operations. Team members claimed they obtained mnemonic phrases in bulk and scanned multi-chain assets, including Ethereum, BNB Chain, Arbitrum, etc., through supply chain vulnerabilities in the Electron client, plugin reverse engineering, and automation tools.The whistleblower stated that the team had developed automated tools to scan mnemonic phrase assets in bulk and used remote control programs to steal wallet data, subsequently transferring and splitting the funds. The related attacks reportedly involved 37 types of tokens across multiple blockchain networks. The trigger for the exposure of this incident was an internal dispute over the distribution of stolen goods.The whistleblower claimed to have had conflicts with the team leader over unfair profit distribution and publicly presented relevant evidence after the promised severance compensation was not fulfilled, planning to turn themselves in to law enforcement. Currently, the related accusations have not been officially confirmed, and the details of the incident are still under further investigation. Industry insiders pointed out that this incident once again highlights the security risks of cryptocurrency wallet supply chains and plugins, as well as the trend of targeted attacks against high-value users.

According to market news, a wallet that received 7,447 ETH (16.29 million USD) from Tornado Cash, "0x7a7," is suspected to be the mastermind behind the CAKE/THE liquidation cascade event on Venus Protocol.The attacker deposited this ETH as collateral into Aave, borrowing 9.92 million USD in stablecoins; subsequently, they hoarded THE tokens and allegedly inflated their price on centralized exchanges; then deposited 36.1 million THE into Venus and borrowed assets such as BTC, BNB, and CAKE; about 40 minutes later, the price of THE plummeted, triggering a chain liquidation. Ultimately, Venus Protocol incurred 2.15 million USD in bad debt (with 1.18 million CAKE and 1.84 million THE still outstanding); the attacker extracted approximately 5.07 million USD in assets from this. Their actual profit may have come from short positions opened on centralized exchanges during the price crash.

White hat hacker f4lc0n posted on the X platform revealing that he discovered a "critical" vulnerability in the Injective protocol that could lead to over $500 million in assets being directly withdrawn from the blockchain. However, the project team only offered him a $50,000 bounty, far below the planned maximum limit of $500,000 for this level of severity.f4lc0n stated that the vulnerability allows any user to empty any account on the blockchain without special permissions. After submitting a report through Immunefi, the Injective team initiated a mainnet upgrade vote the next day to fix the vulnerability, but they were "unreachable" for the following three months.Currently, f4lc0n has disputed the amount of the bounty and stated that the $50,000 bounty has not yet been paid. He announced that he will allocate 10% of future bug bounty earnings to continue publicizing this matter until Injective pays the compensation as per the standard.

A wallet address that received 7,447 ETH (approximately $16.29 million) from Tornado Cash, "0x7a7," is suspected to be behind the CAKE/THE liquidation cascade event on Venus Protocol.The attacker borrowed $9.92 million in stablecoins using ETH as collateral on Aave, then hoarded a large amount of THE and allegedly manipulated the price upwards on centralized exchanges, subsequently depositing 36.1 million THE into Venus to borrow assets like BTC, BNB, and CAKE.About 40 minutes later, the price of THE collapsed, triggering a series of liquidations, resulting in $2.15 million in bad debts for Venus. The attacker extracted approximately $5.07 million in assets, with actual profits potentially being higher—mainly from short positions on centralized exchanges during the crash.

Letsbonk.Fun founder Tom issued an urgent warning that the project's domain name has currently been hijacked by hackers. The hackers implanted an asset theft program (Drainer) at the domain level by controlling a team member's account. Tom advises all users not to visit or use any bonkfun-related domains until further notice to prevent asset loss.

According to BlockSec monitoring, its system detected a suspicious transaction targeting the MT-WBNB liquidity pool on BSC, with an estimated loss of approximately $242,000. The reason lies in a flaw in the buyer restriction mechanism: under deflationary mode, normal buying operations are reverted, while the router/trading pair is whitelisted, allowing attackers to bypass restrictions through router swaps and liquidity removal to obtain MT from the trading pair.The attacker then sold MT to accumulate pendingBurnAmount and called distributeFees() to directly destroy MT from the trading pair, artificially inflating the price, and then exchanged MT back to WBNB for profit. Additionally, a recommendation rule allowing the transfer of the first 0.2 MT to bypass buyer restrictions enabled the attacker to initiate the attack.

Security research organization Ctrl-Alt-Intel disclosed that a group of hackers suspected to be linked to North Korea has targeted staking platforms, exchange software vendors, and cryptocurrency exchanges.The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and compromised cloud environments using obtained AWS access credentials, enumerating resources such as S3, EC2, RDS, EKS, and ECR, and extracting keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers. Researchers stated that the attackers downloaded 5 Docker images and stole source code, including components related to ChainUp clients.The attack infrastructure involved a South Korean server 64.176.226[.]36 and the domain itemnania[.]com. The report indicated that this activity is consistent with North Korean-related attack characteristics, but the attribution confidence level is moderate, and the source of the AWS credentials remains unclear.

GoPlus Chinese community issued a warning on platform X, stating that North Korean hackers have published a set of 26 malicious packages to the npm registry. These malicious packages come with an installation script ("install.js") that automatically executes during the package installation process, running malicious code located in "vendor/scrypt-js/version.js".The malicious code downloads and executes a remote access trojan (RAT) via the same malicious URL, implementing malicious activities such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity known as "Famous Chollima".

The cybersecurity agency Moonlock Lab reports that crypto hackers have recently upgraded their "ClickFix" attack method, beginning to impersonate venture capital firms to contact target users through social platforms and lure them into executing malicious code to steal crypto assets.Attackers disguise themselves as fake venture capital firms such as SolidBit, MegaBit, and Lumax Capital, sending collaboration invitations via LinkedIn and guiding victims to fake Zoom or Google Meet meeting links. The pages embed a fake Cloudflare "I am not a robot" verification button, which, when clicked, copies malicious commands to the clipboard and tricks users into pasting and executing them in the terminal, thus completing the attack. Researchers point out that this method circumvents traditional security mechanisms by "making victims execute commands themselves."Meanwhile, hackers are also hijacking browser extensions to carry out attacks. John Tuckner, founder of cybersecurity company Annex Security, revealed that the Chrome extension QuickLens, after changing ownership on February 1, released a new version containing malicious scripts two weeks later, triggering ClickFix attacks and stealing user data. The extension had about 7,000 users and has since been removed from the store. Reports indicate that the hijacked extension scans crypto wallet data and mnemonic phrases, and scrapes Gmail content, YouTube channel data, and web login or payment information.

According to Cointelegraph, hackers are using the "ClickFix" attack method to steal cryptocurrencies, with the latest two attacks involving impersonating venture capital firms and hijacking browser extensions.Cybersecurity company Moonlock Lab reports that scammers impersonate fake VCs such as SolidBit, MegaBit, and Lumax Capital, contacting users via LinkedIn to offer collaboration opportunities, then directing them to click on fake Zoom and Google Meet links. After clicking the link, users are led to a page with a forged Cloudflare "I'm not a robot" verification box; clicking this box copies malicious commands to the clipboard and prompts users to open a terminal to paste the so-called verification code, thus executing the attack.Moonlock Lab points out that this method turns victims into execution mechanisms, bypassing defenses in the security industry. Meanwhile, hackers are also spreading malware by hijacking the Chrome extension QuickLens. This extension allows users to run Google Lens searches directly in the browser, and after ownership was transferred, the new version contains malicious scripts that can initiate ClickFix attacks and steal information.The extension has about 7,000 users, and once hijacked, it searches for cryptocurrency wallet data and recovery phrases to steal funds, as well as scraping Gmail inbox content, YouTube channel data, and login credentials or payment information entered in web forms. The extension has been removed from the Chrome Web Store. The ClickFix technique has been popular among hackers since last year, forcing victims to manually execute malicious payloads, affecting thousands of businesses and multiple industries worldwide.

According to Cointelegraph, the decentralized anonymous lottery protocol Foom Cash lost approximately $2.26 million in funds due to a security vulnerability exploit, but white hat hackers intervened in time to help recover $1.84 million (about 81% of the stolen funds).This security incident stemmed from a critical error during the deployment of Foom Cash, specifically involving a Groth16 verifier configuration issue that allowed attackers to submit forged proofs to the protocol.A white hat hacker known as Duha identified the vulnerability and quickly protected the funds on the Base chain, while the security company Decurity was responsible for the rescue of funds on Ethereum. In return, Foom Cash paid the white hat hacker a bounty of $320,000 and paid Decurity a security fee of $100,000.

According to GoPlus monitoring, the account abstraction solution Holdstation suffered a supply chain attack, where the attacker stole developer session tokens, bypassed two-factor authentication, and injected malicious code into application updates, resulting in the theft of user funds.The attack resulted in a loss of 462,000 USDT, with the attacker's address being 0xcbfA60B39cfAeaE475f649fB6705bD477219bF8d. The Holdstation team has suspended services, committed to 100% compensation for affected users, and is working with security teams to investigate the incident, while also posting messages on-chain, hoping to encourage the attacker to return the funds through a bug bounty program.

According to Bloomberg Terminal, a hacker used Claude to infiltrate the Mexican government system, stealing 150 GB of sensitive data, including taxpayer and voter records.Researchers at Gambit Security stated that the attackers utilized artificial intelligence to find vulnerabilities, write attack scripts, and automate the theft process, ultimately bypassing security measures through repeated "jailbreaking" attempts. This security breach affected multiple agencies in Mexico, and artificial intelligence is accelerating cybercrime.

Hackers are stealing cryptocurrency users' assets by placing fake Windows 11 update ads on Facebook. These ads use professional Microsoft branding and, when clicked by users, lead to a cloned Microsoft website where malware is subsequently downloaded.The malware installs a framework called "LunarApplication" on the victim's computer, specifically designed to steal cryptocurrency wallet seed phrases, login credentials, and other sensitive information. Hackers use geofencing technology to bypass data center IP addresses, preventing automated scanners from detecting the attack.