The fake apps are bundled with Realst malware, an information-stealing tool. These attacks target sensitive data, including cryptocurrency wallet credentials. The apps are believed to be linked to North Korea, as was the $50 million Radiant Capital exploit. Meanwhile, authorities have made some progress with the arrest of Dmitry V., former head of WEX, a cryptocurrency exchange linked to fraud and money laundering.



Web3 employees threatened

Web3 professionals are being targeted by a sophisticated malware campaign that uses fake meeting apps to steal sensitive information, including website credentials, application data, and cryptocurrency wallets. According to a report from Cado Security Labs, scammers are using artificial intelligence to create legitimate-looking websites and social media profiles for fraudulent companies.

These platforms are used to trick targets into downloading a malicious meeting app. The app was previously called “Meeten,” is now called “Meetio,” and rebrands frequently. It previously operated under domains such as Clusee.com, Meeten.gg, and Meetone.gg.

The app contains Realst information-stealing malware designed to extract critical information, including Telegram IDs, banking details, and crypto wallet credentials, which are then sent to the attackers. The malware can also harvest browser cookies and autofill credentials from web browsers such as Google Chrome and Microsoft Edge, and even access data related to hardware wallets such as Ledger and Trezor, as well as Binance wallets.

The campaign also uses social engineering tactics, with scammers sometimes posing as known contacts to build trust. In one case, a target reported being approached on Telegram by someone posing as a colleague and receiving a stolen investment presentation from his own company. Other victims reported attending calls related to Web3 projects, downloading the malware, and subsequently losing their cryptocurrency.

Fake meeting app (Source: Cado Security)

To further bolster their credibility, the scammers have created corporate websites filled with AI-generated blogs and product descriptions, along with social media accounts on platforms like X and Medium. This use of AI allows them to produce highly convincing content very quickly, making their fraudulent operations seem legitimate and harder to detect. In some cases, their fake websites include JavaScript that can steal cryptocurrency stored in web browsers before the malware is even downloaded.

The campaign targets both macOS and Windows users and has been active for nearly four months. Similar scams have been observed in the cryptocurrency space. Investigator ZachXBT uncovered a group of 21 developers, believed to be North Korean, working on projects under fake identities. In September, the FBI also issued a warning about North Korean hackers deploying malware disguised as job offers to target cryptocurrency companies and decentralized finance platforms.

North Korean group behind Radiant Capital breach

Radiant Capital has revealed that the $50 million hack on its decentralized finance (DeFi) platform in October was orchestrated by a North Korean-linked hacker who infiltrated the platform using malware distributed via Telegram. The attacker posed as a trusted former contractor and sent a zip file to a Radiant developer on September 11 under the pretense of asking for feedback on a new project. Cybersecurity firm Mandiant, which is contracted by Radiant, confirmed with high confidence that the attack was carried out by a threat actor affiliated with the Democratic People’s Republic of Korea (DPRK).

The malicious zip file appeared legitimate because zip files are commonplace in business environments, and it was shared among developers. This allowed the malware to infect multiple devices.

The attackers then took control of the private keys and smart contracts, forcing Radiant to shut down its lending operations on October 16. The malware also spoofed the lender’s legitimate website, further deceiving developers. While traditional verifications and transaction simulations revealed no irregularities, the attackers manipulated the front-end interface to display benign transaction data while executing malicious transactions in the background.

The threat actor has been identified as “UNC4736” or “Citrine Sleet.” It is associated with North Korea’s Reconnaissance General Bureau and may be a subgroup of the infamous Lazarus group. Following the attack, $52 million of the stolen funds were moved by the hackers on October 24. According to Radiant, even advanced security measures, including hardware wallets, simulation tools like Tenderly, and industry-standard operating procedures, were not enough against such a sophisticated threat.
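The practical defense against the front-end manipulation described above is to verify the raw transaction calldata independently of what the web page shows. The following is an added example (not code from Radiant, Mandiant, or the page) of such a pre-signing check: it decodes calldata using the well-known 4-byte selectors for ERC-20 transfer/approve and the Ownable transferOwnership function, then compares the result with the UI's claim. The addresses, amounts and helper names are constructed placeholders.

```python
"""Added example: independent calldata check before signing a transaction."""
from dataclasses import dataclass

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "f2fde38b": ("transferOwnership", ["address"]),
}
MAX_UINT256 = 2**256 - 1

@dataclass
class DecodedCall:
    function: str
    args: list

def decode_calldata(calldata_hex: str) -> DecodedCall:
    """Decode selector + 32-byte ABI words for the selectors known above."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata too short")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return DecodedCall("unknown:" + sel, [])   # unknown calls should not be signed blindly
    name, types = SELECTORS[sel]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument length mismatch")
    args = []
    for i, t in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if t == "address":
            if any(word[:12]):                     # address words must be left-padded with zeros
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(name, args)

def check_against_ui(calldata_hex: str, ui_function: str, ui_args: list) -> list:
    """Return findings; an empty list means the calldata matches what the UI claims."""
    call = decode_calldata(calldata_hex)
    findings = []
    if call.function != ui_function:
        findings.append(f"function mismatch: UI shows {ui_function}, calldata is {call.function}")
    elif [str(a).lower() for a in call.args] != [str(a).lower() for a in ui_args]:
        findings.append(f"argument mismatch: UI shows {ui_args}, calldata has {call.args}")
    if call.function == "approve" and call.args and call.args[1] == MAX_UINT256:
        findings.append("unlimited approval requested")
    if call.function == "transferOwnership":
        findings.append("ownership transfer: control of the contract would change hands")
    return findings

# Constructed sample: the UI claims transfer(TREASURY, 1000); the tampered page submits transferOwnership(ATTACKER).
TREASURY, ATTACKER = "0x" + "01" * 20, "0x" + "ab" * 20                 # placeholder addresses
HONEST_CALLDATA = "a9059cbb" + (bytes(12) + bytes.fromhex("01" * 20)).hex() + (1000).to_bytes(32, "big").hex()
TAMPERED_CALLDATA = "f2fde38b" + (bytes(12) + bytes.fromhex("ab" * 20)).hex()
```

Run against a hardware wallet's displayed calldata, this check flags the tampered transaction with two findings while the honest one produces none.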

Radiant TVL (Source: DefiLlama)

This incident is the second major compromise for Radiant this year, following a $4.5 million flash loan exploit in January. A crypto flash loan attack is a type of exploit on DeFi platforms in which an attacker uses flash loans to manipulate market conditions or exploit vulnerabilities in smart contracts.

Flash loans are unsecured loans that must be borrowed and repaid within a single blockchain transaction. Attackers use these loans to execute complex sequences of actions that can, for example, manipulate asset prices, trick smart contracts into releasing funds, or drain liquidity reserves. Because the loan and repayment occur almost instantly, the attacker can profit without risking their own capital.

The series of hacks has seriously damaged the platform's reputation, with its total value locked dropping from over $300 million at the end of last year to just $6.07 million as of December 9, according to DefiLlama.

Polish authorities arrest former WEX chief Dmitry V.

While crypto crime remains a problem, authorities are working hard to bring these criminals to justice. Polish authorities arrested Dmitry V., the former head of the Russian cryptocurrency exchange WEX, in Warsaw following an extradition request from the U.S. Department of Justice.

Dmitry V.’s full name has not been released due to local laws. He is accused of fraud and money laundering during his time as head of WEX, the successor to BTC-e. The arrest was confirmed by a Polish police spokesperson, who said that Dmitry V. is in custody and awaiting extradition proceedings. If extradited to the United States, he could face a maximum prison sentence of 20 years.

Dmitry V. has been arrested and released in several countries. In August 2021, he was detained in Poland but released after 40 days. He was arrested again in Croatia in 2022 by Interpol at Zagreb airport following an extradition request from Kazakhstan. In 2019, Italian authorities arrested him, but he was later released when errors in the extradition request were discovered.

WEX collapsed in 2018, leaving about $450 million unaccounted for. The platform was often described as a “dark” exchange and was known for its lack of identity verification and its involvement in laundering funds from high-profile crypto hacks, including the Mt. Gox breach. At its peak, WEX processed more than $9 billion in transactions from more than a million users, many of them in the United States.

This latest WEX arrest follows the case of Alexander Vinnik, the former head of BTC-e, WEX’s predecessor. Vinnik was nicknamed “Mr. Bitcoin” and pleaded guilty to conspiracy to commit money laundering for activities between 2011 and 2017. He was arrested in Greece in 2017 and extradited to the United States in 2022 after serving two years in a French prison.
