This was the firm’s fourth breach in 12 months, and happened in August of 2024. While no Fidelity accounts were compromised, personal information was exposed. Malware attacks targeting crypto users are also still on the rise, with tens of thousands of devices being infected. Meanwhile, Mango Labs filed a lawsuit against two executives for embezzling $10 million from its DAO, and prosecutors are seeking an 18-month prison sentence for Heather Morgan for laundering funds from the 2016 Bitfinex hack.
Fidelity Battles New Data Breach
Fidelity Investments recently confirmed a data breach that compromised the personal information of more than 77,000 of its customers. On Oct. 9, the company reported the breach to Maine’s attorney general, and revealed that 77,099 customers were affected. This is still only a small portion of its overall 51.5 million customer base.
The breach happened between Aug. 17 and 19 when an attacker accessed customer names and other personal identifiers through two newly established customer accounts. Fidelity was able to stop the unauthorized access on Aug. 19 after detecting the breach. The firm stated that no Fidelity accounts were accessed during the incident and that external security experts helped in resolving the issue.
In response, Fidelity is offering free credit monitoring and identity restoration services for two years to those who were impacted by the breach. The service will be provided by TransUnion Interactive, and it will help detect any unusual activity that could affect personal financial situations. Fidelity also advised the affected customers to stay vigilant and to regularly review their financial statements for any signs of fraudulent activity or identity theft.
Interestingly, this was Fidelity’s fourth data breach in the last 12 months. The previous incidents happened on March 4, March 18, and July 19.
Fidelity has become very active in the crypto space, and even launched spot Bitcoin and Ethereum ETFs in the United States earlier this year. The Fidelity Wise Origin Bitcoin Fund has seen close to $10 billion in flows since its launch on Jan. 11. The Fidelity Ethereum Fund has attracted about $445 million since its launch on July 23.
Bitcoin ETF flow (Source: Farside Investors)
Fidelity Investments was not the only data breach victim this year. There were a number of other high-profile incidents in 2024, including data breaches at OpenAI and telecommunications giant AT&T, which affected more than 100 million customers in AT&T's case.
Cryptojacking Malware Hits Thousands
In addition to data breaches, people also need to be on the lookout for malware. A recent malware attack infected tens of thousands of devices to mine and steal cryptocurrency. Unfortunately for the hackers, they only ended up netting around $6,000.
According to cybersecurity firm Doctor Web, the malware was disguised as legitimate software like office programs, game cheats, and online trading bots. It infected more than 28,000 users, primarily in Russia, but also in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan, and Turkey.
Despite the widespread infection, the attackers were able to steal only a relatively small amount of crypto. Doctor Web shared that the true earnings from crypto mining by the malware’s creator is still unknown.
The malware spread through fraudulent GitHub pages and YouTube video descriptions containing malicious links. Once a device was infected, the malware hijacked computing resources to mine crypto and included a “clipper” feature that monitored crypto wallet addresses copied to the clipboard. The malware then replaced the copied addresses with those controlled by the attacker, which allowed them to intercept and steal funds.
Malware attack (Source: Doctor Web)
The malware employed some very advanced techniques to avoid detection, like using password-protected archives to bypass antivirus scans, disguising itself as legitimate system components, and executing malicious scripts through legitimate software.
In September, crypto exchange Binance issued a warning about clipper malware, and pointed out that there was an increase in activity during late August that resulted in serious financial losses for affected users. Doctor Web also advised users to rather avoid installing pirated software, which was a common method through which the malware spread.
Clipboard-jacking malware has been a threat since the 2017 crypto bull market and has evolved and changed to combine multiple malicious functions to make it harder to detect.
Mango Labs Sues Executives Over Embezzlement
Meanwhile, Mango Labs filed a lawsuit against John Kramer and Maximilian Schneider, and accused them of embezzling $10 million from the Mango decentralized autonomous organization (DAO). The lawsuit was filed in the United States District Court of Puerto Rico, and alleges that Kramer and Schneider, who both hold trusted positions in the DAO, conspired to profit illicitly while buying bankrupt FTX's holdings of the DAO's MNGO governance tokens on behalf of the organization.
A few unknown people are also accused of aiding Kramer and Schneider. Mango Labs promised to serve them through their crypto wallets if their identities stay unknown.
According to the lawsuit, Kramer and Schneider promised to buy FTX’s MNGO tokens for the DAO at a good price to prevent bad actors from getting their hands on them. However, the pair secretly bought the tokens around April 1, 2024, and deposited them anonymously into the DAO's treasury.
Later, Kramer proposed that governance members sell their MNGO tokens back to the DAO at an inflated price. This proposal was passed on April 30, and resulted in the Mango DAO paying $2.5 million for 72.8 million MNGO tokens. Mango Labs quickly detected the deceit and urged Kramer and Schneider to return the tokens to the DAO at cost. The defendants refused and continued pressuring Mango Labs to drop its claims.
The lawsuit charges them with breach of fiduciary duty, fraud, misrepresentation, and unjust enrichment. It also demands monetary and punitive damages, restitution, and the return of wrongfully obtained funds.
This lawsuit was filed after the conviction of Avraham Eisenberg, who exploited the DAO for $110 million and was found guilty of wire fraud and commodities manipulation. Additionally, Mango Markets is under investigation by the US Commodity Futures Trading Commission. On Sept. 27, the DAO settled charges with the SEC regarding unregistered securities, and agreed to pay $700,000 and destroy all MNGO tokens.
'Razzlekhan' Could Serve 18 Months
Although crime is keeping the crypto community on its feet, the justice system is hard at work to right the wrongs of these criminals. Prosecutors recommended an 18-month prison sentence for Heather Morgan, who is also known as "Razzlekhan" for her role in laundering 120,000 Bitcoin stolen during the 2016 Bitfinex hack.
In an Oct. 9 filing, prosecutors requested leniency due to Morgan’s cooperation after her and her husband Ilya Lichtenstein’s plea deal in July of 2023. Morgan pled guilty to money laundering and fraud in August, and could face up to 10 years in prison. However, prosecutors described her as a “lower-level participant” compared to Lichtenstein, who admitted to orchestrating the hack.
Prosecutor recommend 18 month sentence
Morgan learned of Lichtenstein's involvement in 2020 and helped launder the funds. The couple used very sophisticated methods, including non-compliant crypto exchanges and darknet markets, to hide their tracks. Morgan also used some of the stolen Bitcoin to buy gold coins, which she later buried.
Prosecutors are also asking Morgan to return the seized assets, which are valued at more than $6 billion. Her sentencing is scheduled for Nov. 15, a day after Lichtenstein’s.
