steal

According to the "Мошеловка" platform, scammers impersonate authorized brokers of the Moscow Exchange through social media, luring users to click phishing links under the pretext of "testing cryptocurrency trading channels," resulting in theft of funds and information. The Moscow Exchange emphasizes that all official trading must be conducted through licensed brokers, and there are no exclusive cryptocurrency purchasing channels for ordinary users.According to data from the Russian IT company "Shard," in 2025, Russian users are expected to lose approximately 234 million rubles due to cryptocurrency phishing, accounting for 62% of the total losses in cryptocurrency assets that year.

"On-chain detective" ZachXBT published a case analysis stating that in a cryptocurrency asset case involving an Indian scam gang, the relevant individuals reported the case to law enforcement after their assets were frozen, drawing attention. The incident began when a user sought help, claiming that approximately 5.73 BTC (about $475,000) was frozen on Changelly in March 2025.Subsequent on-chain analysis revealed that these funds could be traced back to multiple social engineering attacks and theft cases related to Bitcoin ATMs targeting U.S. users, with a total amount involved exceeding $1 million and several elderly victims. The investigation showed that the individual provided multiple changing explanations for the source of the funds, including "loan," "boss transfer," and "investment from 2014-2015," and there were significant contradictions in the evidence chain.More concerning is that this user had previously filed a police report in India in December 2025, attempting to recover the frozen funds (case number 3207-P/2025). Subsequent on-chain evidence collection and email data analysis indicated that they might be a "mule" for transferring funds, with some bank documents inconsistent with their identity information. ZachXBT noted that such cases demonstrate that social engineering attacks and cross-border fund transfers continue to occur and remind users to avoid interacting with funds from suspicious sources to prevent triggering compliance freezes or legal risks.

Microsoft's Threat Intelligence team has announced a Windows clipboard trojan threat that has been active since February 2026. This malware combines "worm-like propagation + clipboard hijacking + Tor anonymous communication" to target digital asset users for attacks.

The Microsoft Security Blog reported that the Microsoft security research team discovered a new type of cryptocurrency stealing Trojan named Crypto Clipper. This malware has been active since February 2026, primarily spreading through USB devices that infect Windows users with malicious .lnk shortcuts. Crypto Clipper has a built-in Tor client that connects to .onion hidden services via a local SOCKS5 proxy, enabling covert C2 communication. Its main functions include high-frequency monitoring of the clipboard, stealing mnemonic phrases and private keys, replacing cryptocurrency transfer addresses, capturing screenshots and uploading them, as well as receiving remote code execution commands.Microsoft stated that this malware has worm propagation capabilities, automatically hiding original documents on USB drives and generating malicious shortcuts with the same name, while also creating scheduled tasks for persistent control. Researchers detected it as Trojan:Win32/CryptoBandits.A and recommended that users disable autorun for removable devices, restrict script interpreter execution permissions, and closely monitor localhost:9050 Tor proxy traffic and abnormal clipboard access behaviors.

According to Slow Fog's disclosure, a new variant of Shai-Hulud Hades has been found attacking PyPI. The malicious package drops a .pth file that executes automatically when Python starts, and checks if Bun is installed locally; if not installed, it downloads the official Bun binary from GitHub Releases, and then executes a multi-layer obfuscated JavaScript payload to steal credentials from GitHub, npm, AWS, and cloud services.Slow Fog stated that this variant uses the same RSA public key and infrastructure as previous Shai-Hulud attacks, and has capabilities such as encrypted exfiltration, persistence, CI/CD injection, and GitHub Actions injection.

According to Bits.media, the reward pool of the NovaBox platform was hacked on June 9 on Ethereum, resulting in a loss of approximately 56.73 ETH, affecting over 130 deposit users. The attacker drained the pool's funds from 65.11 ETH to 0.09 ETH in a single transaction, accounting for about 99.86%.Security company F12 stated that the incident was not due to a smart contract vulnerability, but rather a flaw in the reward distribution mechanism. The attacker borrowed 427.5 WETH through an Aave V3 flash loan, exploiting a loophole in NovaBox's mechanism of distributing dividends before updating balances when users deposit or withdraw. The hacker first deposited a small amount of NOVA tokens to trigger the dividend calculation, then deposited a large amount of ETH, significantly increasing the actual share. However, since the system did not update the balance in time, dividends were still calculated based on the previous small share, while payments were made based on the new large share, resulting in approximately 145.82 ETH of "phantom dividends," which drained the reward pool.

On-chain investigator Specter issued a security warning that a certain old liquidity pool of the Solana DeFi protocol Raydium is suspected to have been attacked, with the attacker stealing approximately $1.34 million in assets, mainly including USDC, RAY, and wSOL. The hacker has transferred the stolen funds to Ethereum via a bridge and subsequently deposited them into Tornado Cash for mixing.

According to Cryptopolitan, a new type of macOS malware named Reaper is spreading through fake download pages of applications like WeChat and Miro, targeting the theft of cryptocurrency wallet data, browser passwords, and sensitive documents. This malware exploits the AppleScript URL to trigger the system's built-in script editor, hiding malicious code through ASCII art and spaces. After users click the run button, a fake Apple security update pop-up lures victims into entering their computer passwords.Reaper targets desktop cryptocurrency applications such as Ledger Live, Trezor Suite, and Exodus, modifying the internal code of wallets to intercept future transactions and redirect funds. It also steals saved credentials from Chrome, Firefox, and Edge, extracting files like .docx, .pdf, and .wallet from the desktop and documents folder. Reaper also installs a backdoor disguised as a Google software update directory for persistent attacks. Security experts advise users to verify download links, avoid entering passwords in unexpected pop-ups, and immediately close the page if a website requests to open the script editor.

According to a report by Knews, on June 7, the Supreme People's Procuratorate disclosed a new type of virtual currency theft case. A man from Shandong, Zhang, had long assisted an acquaintance, Feng, in handling virtual currency transactions. After gaining Feng's trust, he proactively suggested that Feng switch to a more convenient digital wallet. The asset mnemonic (key) of this type of wallet is generated by randomly selecting 12 combinations from 2048 commonly used English words, which is the core password for storing virtual currency.Taking advantage of the moment when Feng was copying the mnemonic, Zhang memorized 11 complete words solely by sight and strong memory, and also noted the first letter of the last word. That night, relying on fragmented memory to repeatedly test and combine, he successfully unlocked Feng's digital wallet and transferred 107 bitcoins, later selling them for an illegal profit of 660,000 yuan. The court ultimately sentenced him to ten years and nine months in prison for theft and imposed a fine of 100,000 yuan.

Recently, the People's Procuratorate of Licang District, Qingdao City, Shandong Province, China, handled a Bitcoin theft case. The defendant, Zhang, obtained the mnemonic phrase while assisting an acquaintance in registering a virtual currency wallet, and later transferred 107 BTC in multiple transactions, equivalent to over 50 million yuan at current market prices. Zhang argued that his actions were a "protective takeover," but the prosecution found that he transferred the stolen BTC through multiple trading platforms and exchanged it for over 660,000 yuan. The Licang District Court sentenced Zhang to 10 years and 9 months in prison for theft and imposed a fine of 100,000 yuan; the second instance upheld the original judgment.Reports indicate that the prosecutor handling the case strictly adhered to laws and judicial policies, and after in-depth analysis, concluded that although China's regulatory policies deny the legal currency status of virtual currencies, they do not negate their property attributes, nor do they prohibit citizens from legally holding and circulating them. Bitcoin requires investment in computing power, funds, and other costs to acquire, which gives it economic value; rights holders can achieve exclusive control and management through private keys and mnemonic phrases, aligning with the core characteristics of "property" in criminal law, making it a target for theft. In determining the amount, since virtual currencies have no official pricing, the Licang District Procuratorate discarded market price estimates and used the actual proceeds from the crime of over 660,000 yuan as the amount for theft, ensuring accurate conviction, appropriate sentencing, and unity of guilt and punishment.

A man in Florida, USA, was arrested for allegedly stealing approximately $1.9 million worth of Bitcoin by using the mnemonic phrase of his former employer's hardware wallet. Police stated that the unauthorized transfer of the stolen funds occurred in 2020, when the suspect still had access to critical security information.

On-chain analyst "b-block" posted on social media on Monday that a counterfeit Uniswap website is stealing funds from multiple wallets, with assets held by the scammers valued at over $400,000. Stacy Muur, founder of the Web3 marketing agency Green Dots, shared screenshots of false sponsored results from search engines, criticizing Google for ignoring this issue for years, leading to fake links ranking above real ones, resulting in users continuously being scammed.According to Etherscan data, the two flagged addresses hold a total of about 146 ETH, valued at approximately $306,000. DeFiLlama pointed out that fake ads on Google are a common source of phishing attacks. The crypto nonprofit organization Security Alliance (SEAL) reported in April that phishing activities on Google searches significantly increased in March, with attackers deploying highly deceptive fake ads by paying for or hijacking legitimate ad accounts, using seemingly real URLs to bypass Google's automatic checks, and loading malicious payloads through hidden iframes.SEAL has blocked over 356 malicious ad links and stated that the volume of Google ads deployed by attackers has remained stable for over a year, with no slowdown in attack activities. Reports indicate that between March 13 and 30 alone, a total of $1.27 million was stolen. Additionally, earlier this month, there were malicious ad campaigns targeting Mac users that utilized Google ads and the AI chatbot Claude for shared chats. Malwarebytes also reported that Facebook is similarly a hotspot for fake ads and scams.

According to Blockaid monitoring, the cross-chain routing protocol Squid is currently under continuous attack on the SquidRouterModule on the Ethereum and Base networks. Within about two hours of the attack, 86 Gnosis Safe wallets have been emptied, with losses amounting to approximately 3 million dollars.The attacker subsequently exchanged all stolen tokens for DAI through their controlled Uniswap V3 liquidity pool and consolidated them into a single address. Currently, this consolidated wallet holds approximately 3.07 million dollars in DAI.

The Fuzhou City Cangshan District People's Procuratorate disclosed that a man was sentenced to 12 years and 7 months in prison for theft after stealing 4 Bitcoins from others and illegally profiting about 900,000 yuan, with a fine of 300,000 yuan. The second instance upheld the original verdict.The case shows that at the end of 2020, Wang entrusted Lin to assist in cashing out the Bitcoins he held. During the process of accessing Wang's Bitcoin wallet hard drive and computer, Lin stole the wallet's "private key" and related data, transferring 4 Bitcoins into his own name, and subsequently sold them for profit. In 2024, after Wang discovered abnormal asset activity, he reported it to the police, and Lin was subsequently arrested.The procuratorial authority stated that although current regulations clearly indicate that virtual currencies do not have the status of legal tender, Bitcoins possess value, manageability, and transferability, meeting the general characteristics of "property" in criminal law, and are subject to property crime. Relevant infringement actions will also be held criminally accountable.

According to Livecoins, the property crime investigation department DEIC of São Paulo, Brazil, in collaboration with the electricity company CPFL Piratininga, conducted an operation that seized approximately 1,400 Bitcoin mining machines suspected of operating with stolen electricity. It is estimated that the amount of stolen electricity is enough to supply about 2,000 households for a month. Although Bitcoin mining is not illegal in Brazil, the focus of the actions by CPFL and DEIC is on the theft of electricity.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed on platform X that node-ipc has been compromised again. The released three malicious versions of node-ipc (9.1.6, 9.2.3, 12.1) carry the same credential-stealing payload, with the package being downloaded over 10 million times per week.

According to the blockchain security organization SlowMist (@SlowMist_Team), a highly complex npm worm named "Mini Shai-Hulud" is spreading through well-known developer projects such as TanStack, UiPath, and DraftLab, as monitored by their threat monitoring system MistEye. Attackers hijack GitHub credentials to publish malicious packages disguised as legitimate updates, embedding a hidden script router_init.js that runs silently in CI/CD environments like GitHub Actions, specifically designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, using GitHub's own infrastructure for data exfiltration.SlowMist has synchronized relevant threat intelligence (IOC) with clients and recommends that projects using the affected packages immediately check their CI/CD pipelines for the presence of the router_init.js file, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor for abnormal background activities in the development environment.

According to market news, Microsoft's security research team has discovered that attackers have been inducing users to run malicious terminal commands by publishing fake macOS troubleshooting guides since the end of 2025, thereby stealing cryptocurrency wallets, iCloud data, and passwords saved in browsers.These fake guides are published on platforms such as Medium, Craft, and Squarespace, targeting common user issues like freeing up disk space or fixing system errors, and tricking users into copying and pasting malicious commands into the terminal, which automatically downloads and runs malware. This social engineering technique, named ClickFix, bypasses macOS's Gatekeeper security mechanism because the victims are actively executing the commands.The malware families involved include AMOS, Macsync, and SHub Stealer, which can steal cryptocurrency wallet keys from Exodus, Ledger, and Trezor, as well as usernames and passwords saved in Chrome and Firefox. In some cases, attackers also delete legitimate wallet applications and replace them with trojan versions. Apple has added a protective feature in macOS version 26.4 to prevent the pasting of potentially malicious commands.

Former Singapore Navy personnel Zhang Rongxuan (35 years old, phonetic) was sentenced to six years and ten months in prison after stealing 1.7 million Tether (nearly 2.3 million Singapore dollars) from a friend's cold wallet, which he spent on luxury watches, gambling, and paying off a mortgage.It is reported that Zhang Rongxuan was a member of the Naval Diving Unit at the time of the incident, holding the rank of captain. After getting to know the victim, he also co-managed a non-fungible token trading platform with friends, which is affiliated with Upstairs Research Pte Ltd and owned by DiGi Selection Holdings Pte Ltd. After security companies tracked the cryptocurrency wallet, Zhang Rongxuan admitted that he committed the crime due to suffering significant losses from the collapse of the FTX exchange.

According to The Block, North Korea has denied allegations of its involvement in cryptocurrency theft, calling the claims "absurd defamation" and a "political tool." The statement was released by state media, emphasizing that necessary measures will be taken to safeguard national interests.However, data from blockchain analysis firm TRM Labs shows that hacker groups associated with North Korea have stolen approximately $577 million, accounting for about 76% of global cryptocurrency theft losses during the same period. This includes two major attack incidents on KelpDAO (approximately $292 million) and Drift Protocol (approximately $285 million).TRM pointed out that the related attacks are mainly associated with the Lazarus Group and its sub-organizations. Since 2017, the cumulative scale of cryptocurrency theft linked to North Korea has exceeded $6 billion. U.S. and international agencies generally believe that such funds are used to support military and missile programs. Meanwhile, the U.S. Treasury has recently imposed sanctions on related individuals and entities, involving approximately $800 million in illegal fund flows for 2024.