The New Sophisticated Malware Menace Targeting Your Crypto Wallet

Crypto crime picked up right where it left off in 2023 with new malware being introduced, DeFi protocol exploits, and even the SEC having its own brush with cyber criminals.

Crime never sleeps, and this has certainly been the case in the crypto industry in 2024. Kaspersky Labs discovered a new malware targeting macOS users, particularly those downloading pirated software. In the decentralized finance (DeFi) sector, Concentric, a liquidity manager on the Arbitrum network, suffered a major exploit resulting in a loss of more than $1.8 million. This attack was linked to a previous exploit on the OKX decentralized exchange. Additionally, the U.S. Securities and Exchange Commission (SEC) fell victim to a SIM swap scam, leading to a false announcement about Bitcoin ETFs on its X account.

macOS Users Beware of Wallet-Wiping Malware

Kaspersky Labs recently discovered a new form of malware that targets macOS users, particularly those who download pirated software. This malware, which enters computers through unauthorized software installations, specifically targets hot Bitcoin and Exodus wallets. By replacing these wallets with infected versions, the malware gains access to the user's cryptocurrency and personal data.

In their research, Kaspersky's team found that this malware belongs to a new "family" of trojan proxies, first identified in December last year. The method involves compromising legitimate apps downloaded from unauthorized sources. These cybercriminals exploit the tendency of users seeking cracked apps to disable security features on their machines, leaving them highly exposed to malware installation.

This malware primarily affects macOS versions 13.6 and above. It operates by tricking the user into entering their computer security password into an activator box. Additionally, when a user tries to open their crypto wallets, the malware accesses the private keys of these wallets.

Kaspersky researchers realized that the malware was still being developed as they were investigating it. Despite its basic approach, the malware is considered "seriously ingenious." Its final payload is a backdoor that allows the running of scripts with administrator privileges. It also replaces installed Exodus and Bitcoin crypto wallet applications with infected versions. These versions are designed to steal secret recovery phrases the moment the wallet is unlocked.

To avoid becoming an unfortunate victim of this malware campaign, Kaspersky urged macOS users to download software only from trusted websites, keep their operating systems updated, and use a strong security solution on their computers.

It is also worth noting that hackers have been known to disguise malware as legitimate wallets on online stores or fake websites, a tactic that has become so common that the United States Federal Bureau of Investigation (FBI) issued warnings about it.

Concentric DeFi Protocol Suffers Major Exploit

Meanwhile, the decentralized finance (DeFi) sector also took a hit as Concentric, a liquidity manager application on the Arbitrum network, fell victim to an exploit. The attack involved a social engineering scheme that compromised the private key of the protocol's deployer account. This breach allowed the attacker to manipulate the system by upgrading the vaults, minting new Liquidity Provider (LP) tokens, and ultimately draining the vaults of their assets.

Concentric's team reported that the attack resulted in a loss of more than $1.8 million. They urged users to revoke approvals from all vault addresses as a precaution to prevent further damage.

Further investigation by the blockchain security firm CertiK revealed a concerning link between this incident and a previous exploit on the OKX decentralized exchange that occurred on Dec. 13, 2023. The wallet used in the Concentric exploit was found to be connected to the one used in the OKX incident, suggesting the two attacks may be linked.

The technical details of the Concentric exploit reveal a calculated approach by the attacker. They exploited the adminMint function on a Concentric contract to create 0.001 CONE-1 tokens and repeatedly called the burn function to redeem these tokens for funds from the AlgebraPool. This allowed them to acquire various ERC-20 tokens, which were then exchanged for Ether (ETH).
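As an added illustration (not Concentric's code, which is not reproduced here), the toy vault below models the pattern the article describes: an admin-only mint guarded by a single key issues LP shares with no backing, and burning them redeems real pool assets. The replay_and_flag routine is a monitor-side invariant check: assets-per-share should never fall without a recorded loss, so the unbacked mint is flagged the moment it lands. All names, the "deployer" admin key and the event sequence are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Toy LP vault (constructed): shares are backed only when minted via deposit()."""
    assets: float = 0.0      # pool tokens the vault actually holds
    shares: float = 0.0      # LP shares outstanding
    admin: str = "deployer"  # a single key guards admin_mint (hypothetical name)

    def price_per_share(self) -> float:
        return self.assets / self.shares if self.shares else 1.0

    def deposit(self, amount: float) -> float:
        # Shares issued pro rata to assets contributed, so price per share is unchanged.
        minted = amount / self.price_per_share()
        self.assets += amount
        self.shares += minted
        return minted

    def admin_mint(self, caller: str, amount: float) -> None:
        # Creates shares with no asset inflow; only the admin key stands in the way.
        if caller != self.admin:
            raise PermissionError("caller is not the vault admin")
        self.shares += amount

    def burn(self, amount: float) -> float:
        # Redeems shares for a pro-rata slice of the pool (per-holder checks omitted).
        if amount > self.shares:
            raise ValueError("more shares than exist")
        payout = amount * self.price_per_share()
        self.shares -= amount
        self.assets -= payout
        return payout

def replay_and_flag(vault: Vault, events: list) -> list:
    """Apply events in order; return those that lowered assets-per-share (dilution)."""
    flagged = []
    handlers = {"deposit": vault.deposit, "admin_mint": vault.admin_mint, "burn": vault.burn}
    for ev in events:
        before = vault.price_per_share()
        handlers[ev[0]](*ev[1:])
        if vault.price_per_share() < before - 1e-12:
            flagged.append(ev)
    return flagged

def demo():
    # Constructed sequence: honest deposit, then an unbacked mint-and-burn by the admin key.
    v = Vault()
    events = [("deposit", 1000.0), ("admin_mint", "deployer", 1000.0), ("burn", 1000.0)]
    return v, replay_and_flag(v, events)
```

After the replay, the honest depositor's 1000 shares redeem for only half the pool, and the only flagged event is the admin mint.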

In response to this crisis, the Concentric team launched a thorough investigation and is committed to issuing a detailed post-mortem report. This report is expected to outline the vulnerability that was exploited and propose measures to address it.

The Gamma Protocol, another liquidity manager, also suffered an attack on Jan. 4. Nearly $500,000 was stolen through a smart contract vulnerability. However, this attack differed in its method and is not believed to be connected to the Concentric exploit.

SEC Hit by SIM Swap Scam

Not even the United States Securities and Exchange Commission (SEC) is immune to the whims of cyber criminals. The regulator recently revealed that it was the victim of a sophisticated "SIM swap" attack.

This incident led to a false announcement on Jan. 9 regarding the approval of Spot Bitcoin exchange-traded funds (ETFs). According to an SEC spokesperson, the attack unfolded when an unauthorized individual gained control of the SEC's cellphone number linked to its account. This was done through a SIM swap attack, a method in which attackers manipulate a telecom carrier into reassigning a phone number to a new device.

Two days after the incident, the SEC, in consultation with its telecom carrier, was able to identify exactly what happened. The attackers, having control over the SEC's phone number, reset the password for the SEC's official Twitter account (@SECGov). This security breach led to the false post about Bitcoin ETFs.

Further investigation revealed that six months before the attack, a staff member had disabled multi-factor authentication on the account because of access issues. The security measure was not reinstated until after the Jan. 9 incident. Despite the breach, the SEC maintained that there was no evidence the attackers had accessed any other SEC systems, data, or social media accounts.

Law enforcement is actively investigating how the attackers persuaded the carrier to change the SIM for the account and how they knew which phone number was associated with the SEC’s Twitter account.