CryptoHacks

#cryptohacks
Kaspersky warns new SparkKitty malware steals crypto seed phrase screenshots from iOS and Android using OCR technology to infiltrate App Store and Google Play.
Kaspersky researchers have discovered a sophisticated new mobile malware campaign called “SparkKitty” that successfully infiltrated both Apple’s App Store and Google Play, specifically targeting screenshots of crypto wallet seed phrase stored in users’ photo galleries.
The malware, which evolves from a previously identified SparkCat campaign, uses optical character recognition (OCR) technology to scan and exfiltrate images containing sensitive crypto wallet information from iOS and Android devices.
The campaign, which has been active since at least February 2024, has primarily targeted users in Southeast Asia and China through infected apps disguised as TikTok mods, crypto portfolio trackers, gambling games, and adult content applications that request photo gallery access under seemingly legitimate pretenses.

These cybercriminals successfully bypassed official app store security measures to deploy infected applications that appeared legitimate to automated screening and human reviewers.
Two prominent examples include Soex Wallet Tracker, which masqueraded as a portfolio management app and was downloaded over 5,000 times from Google Play, and Coin Wallet Pro, which marketed itself as a secure multi-chain wallet before being promoted through social media ads and Telegram channels.

How SparkKitty’s Seed Phrase Stealer Evaded IOS and Android Detection
On iOS devices, the malware typically disguised itself as modified versions of popular frameworks like AFNetworking or Alamofire, exploiting Apple’s Enterprise provisioning profile system that allows organizations to distribute internal apps without App Store approval.
While legitimate for corporate use, these Enterprise profiles provided cybercriminals with a pathway to install unsigned applications that could bypass Apple’s standard security screening processes.
In fact, they go as far as to create modified versions of legitimate open-source libraries that retain original functionality while adding malicious capabilities.

The corrupted AFNetworking framework, for example, maintained its original networking capabilities while secretly incorporating photo-stealing functionality through a hidden AFImageDownloaderTool class that activated during app loading through Objective-C’s automatic load selector mechanism.
This approach allowed the malware to remain dormant until specific conditions were met, such as users navigating to support chat screens where photo access requests would appear natural and less suspicious.
On Android platforms, the malware employed equally sophisticated distribution methods, embedding malicious code directly into app entry points while using legitimate cryptocurrency themes to attract target victims.
OCR Technology Turns Photos Into Digital Gold Mine
SparkKitty’s most dangerous feature is its sophisticated optical character recognition technology, which automatically identifies and extracts crypto-related information from victims’ photo galleries without requiring attackers to review them manually.
Unlike previous mobile malware that relied on bulk photo theft and manual analysis, SparkKitty employs Google ML (Machine Learning) Kit library integration to scan images for text patterns. It specifically searches for seed phrases, private keys, and wallet addresses that users commonly screenshot for backup purposes despite security recommendations against such practices.
As Kaspersky explained, the malware’s OCR implementation demonstrates advanced pattern recognition capabilities. It automatically filters images based on text content and sends only those containing crypto-related information to command-and-control servers.
The system looks for specific text blocks containing minimum word counts and character requirements, effectively distinguishing between casual photos and potentially valuable financial information.
This targeted approach reduces data transmission requirements while maximizing the value of stolen information, allowing attackers to process larger victim pools more efficiently.
Related campaigns discovered during Kaspersky’s investigation revealed even more sophisticated implementations, including versions targeting backup procedures by displaying fake security warnings instructing users to “back up your wallet key in the settings within 12 hours” or risk losing access to their wallets.
These social engineering overlays guide victims through accessing their seed phrases, allowing the malware’s Accessibility Logger to capture the information directly rather than relying solely on existing screenshots.
The broader implications extend beyond individual theft to include systematic crypto mining operations, as evidenced by related campaigns like the Librarian Ghouls APT group that combines credential theft with unauthorized Monero mining on compromised devices.
These dual-purpose attacks create ongoing revenue streams for cybercriminals, who steal existing crypto holdings and use victims’ computational resources to mine additional digital assets. Thus, compromised devices effectively become profit-generating infrastructure for extended periods.

Appreciate the work. Thank You. 👍 FOLLOW BeMaster BuySmart 🚀 TO FIND OUT MORE $$$$$ 🤩 BE MASTER BUY SMART 🤩

Both #CoinMarketCap and #Cointelegraph were compromised — showing fake WalletConnect pop-ups to steal user funds.
CMC: 110 wallets drained for $43K
CT: Fake airdrop pop-up injected
DO NOT connect your wallet unless you're 100% sure it's legit.
Hackers are now targeting trusted crypto sites.
Retweet to protect the community

#cryptohacks #CryptoNews $BTC $ETH

#cryptohacks
The phishing-style notification asked users to connect their wallets and approve ERC-20 token access, raising immediate red flags across the crypto community.
CoinMarketCap was hacked on Friday after a malicious popup appeared on its website, urging users to “verify” their wallets.
Key Takeaways:
CoinMarketCap was hacked after a fake wallet verification popup appeared on its site, triggering phishing concerns.
MetaMask and Phantom flagged the site as unsafe, warning users against connecting wallets.
The breach has revived criticism of CoinMarketCap’s security, nearly four years after its major data leak.
The phishing-style notification asked users to connect their wallets and approve ERC-20 token access, raising immediate red flags across the crypto community.
Wallet providers like MetaMask and Phantom quickly flagged the site as unsafe, with Phantom displaying a browser warning against using the platform.
CoinMarketCap Removes Malicious Popup
In a Friday post on X, CoinMarketCap confirmed the removal of the malicious popup. “We’ve identified and removed the malicious code from our site,” the platform said.
The company added that it is continuing to investigate the breach and is reinforcing its security measures to prevent similar incidents.

The malicious prompt, which triggered warnings from wallet providers like MetaMask and Phantom, reportedly asked users to connect their wallets and approve access to ERC-20 tokens.
Phantom’s browser extension even flagged CoinMarketCap as “unsafe to use,” raising concerns about the platform’s vulnerability.
Reports of the phishing attempt began circulating across crypto social media, with several users alerting others not to interact with the prompt.
Many suspected the attack was an attempt to steal wallet credentials through a fake interface mimicking a legitimate verification process.
The incident has reignited concerns about CoinMarketCap’s security, coming nearly four years after a 2021 data breach exposed the email addresses of over 3.1 million users.
That data was later discovered for sale on hacking forums, prompting criticism over the platform’s safeguards.

CoinMarketCap, owned by Binance, remains one of the most widely used resources in the crypto space, making it a prime target for malicious actors looking to exploit its credibility.
Users are urged to avoid connecting wallets to unsolicited prompts and to verify all interactions through official channels.
The company has not disclosed the source of the breach but has committed to ongoing security reviews.
Crypto Crime Turns Violent as Illicit Transactions Top $40B in 2024
Illicit cryptocurrency activity surged to at least $40.9 billion in 2024, according to Chainalysis, with the number likely to grow as more criminal-linked wallets are identified.
Hacks alone accounted for $2.2 billion in stolen assets, a 21% increase from the previous year.
North Korean-linked groups, including Lazarus and Tradetraitor, were behind over 60% of those thefts, with major incidents like the $300 million hack of Japan’s DMM Bitcoin exchange among their hits.
But the threats go beyond online exploits. Criminal groups are using crypto to fund and conceal a wider range of crimes—from investment scams and AI-enhanced romance frauds to drug trafficking and even physical violence.
In one alarming case on May 13, 2025, the daughter and grandson of Paymium’s CEO were nearly kidnapped in Paris by masked men.

FOLLOW ME 🚀 TO FIND OUT MORE $$$$$ 🤩 BE MASTER BUY SMART 🤩

💣 New Malware Targets Blockchain Workers — Fake Jobs, Real Threats! 🧠🔐

North Korean hackers are at it again — this time with a sneaky new trick targeting professionals in the crypto industry! 🇰🇵💻 A hacking group known as “Famous Chollima” (aka “Wagemole”) has been using fake job offers to lure crypto experts into downloading a nasty piece of malware called PylangGhost. According to Cisco Talos, this malware is designed to remotely control your computer and steal passwords from crypto wallets and browser extensions like MetaMask, 1Password, and more. 😨🔑
These cybercriminals are impersonating major companies like Coinbase and Uniswap by setting up fake websites and posing as recruiters. Once victims are hooked, they’re guided through a bogus interview process and tricked into running malicious code on their system — all under the pretense of installing a “video driver.” Once the malware is in, it grabs login details, takes screenshots, steals data, and keeps the door open for further attacks. 📷📂🕵️
This isn’t the first time North Korean hackers have pulled this kind of stunt. Similar scams were seen in April, where fake recruitment tests were used to hack developers in the crypto space. As crypto adoption grows, so does the interest from cybercriminals. So, if you're job-hunting in the blockchain world, double-check those offers and never run unknown code — your crypto stash could depend on it! 🔒🛡️
#cryptohacks #NorthKoreaHackers $BTC

18 червня 2025 року іранська криптовалютна біржа Nobitex, найбільша в країні, зазнала масштабного кібернападу, внаслідок якого було викрадено цифрових активів на суму понад $81 млн. Хакерська група Gonjeshke Darande (Predatory Sparrow), яку пов’язують з Ізраїлем, взяла на себе відповідальність за атаку. Зловмисники використали спеціально створені адреси гаманців, зокрема з написами на кшталт “FackIRGCTerroristsNoBiTEX”, щоб підкреслити політичний мотив нападу. Вони звинуватили Nobitex у сприянні іранському режиму в обході санкцій та фінансуванні тероризму.
Згідно з даними блокчейн-аналітика ZachXBT, основні втрати припали на мережу Tron, а також Bitcoin, Dogecoin та EVM-сумісні ланцюги. Хакери погрожують оприлюднити внутрішні дані біржі та вихідний код протягом 24 годин, закликаючи користувачів вивести кошти. Nobitex підтвердила атаку, запевнивши, що активи в холодних гаманцях залишилися недоторканими, та обіцяла компенсувати втрати через страховий фонд.
Цей інцидент є частиною ескалації кібервійни між Ізраїлем та Іраном на тлі загострення регіонального конфлікту. Атака підкреслює вразливість криптобірж у країнах із обмеженим регулюванням.
Слідкуйте за новинами крипторинку! Підписуйтесь на #MiningUpdates
#NobitexHack #CryptoNews #CyberWar #IranIsraelConflict #BlockchainSecurity #cryptohacks #Geopolitics #MiningUpdates

Iran’s biggest #crypto exchange #Nobitex has been hacked, with over $80 million drained from its hot wallets.
Blockchain detective ZachXBT tracked the funds across several chains like #Bitcoin #Tron #Dogecoin and Ethereum.
The funds were moved to suspicious vanity wallet addresses like:
1️⃣ TKFuckiRGCTerroristsNoBiTEXy2r7mNX
2️⃣ 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
3️⃣ 1FuckiRGCTerroristsNoBiTEXXXaAovLX
4️⃣ DFuckiRGCTerroristsNoBiTEXXXWLW65t
A hacker group called Predatory Sparrow (linked to Israel) claimed responsibility. They say Nobitex is helping Iran bypass sanctions and promised to leak private data and source code within 24 hours.
Stolen assets include:
▪️ Bitcoin
▪️ Ethereum
▪️ USDT
▪️ $TRX
▪️ $DOGE
▪️ $BNB Chain tokens
Nobitex confirmed the attack:
“Only hot wallets were affected. Cold storage is safe. Users will be fully compensated.”
⚠️ This is one of the biggest crypto hacks of 2025 and could increase tensions between Iran and Israel.
What to do:
If you’ve used Nobitex, withdraw your funds (if possible) and stay alert for official updates.

#cryptohacks