Ambient Finance Recovers Domain After Major Hack

Ambient Finance's front end was hijacked through a domain compromise on Oct. 17, but its team was able to regain control.


Security firm Blockaid announced after the hack that Inferno Drainer was behind the attack. Meanwhile, the FBI arrested Eric Council Jr. for hacking the SEC’s X account in January and posting false Bitcoin ETF approval news that caused market disruptions. Additionally, US prosecutors recommended reduced sentences for Ilya Lichtenstein and Heather Morgan, who were both involved in the 2016 Bitfinex hack. The reduced sentences were recommended because of their cooperation with law enforcement.

Hackers Target Ambient Finance

On Oct. 17, the front end of the decentralized trading protocol Ambient Finance was hacked. The team quickly warned its users against interacting with the site, connecting wallets, or signing any transactions. 

The incident was a compromise of the website's domain rather than of the protocol itself. Ambient Finance described it as an isolated issue and assured users that its smart contracts and funds were unaffected. Not long after the breach, the team regained control of the domain, but still advised users to wait for the "all clear" before resuming normal activity.

The security firm Blockaid revealed that the attack used Inferno Drainer, a wallet-draining malware kit known for stealing digital assets. According to Blockaid, the command and control (C2) server used in the attack was set up 24 hours before the hack, which suggests the operation was planned ahead of time rather than improvised.
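A domain takeover of the kind described above usually leaves a trace in DNS: the NS, A or CNAME records serving the front end change before users ever see the drainer page. The following is an added example, not code from Ambient Finance or Blockaid, of a baseline-drift check a project could run on a schedule. The domain names, IP addresses and record sets are constructed placeholders (documentation ranges and made-up hostnames); a real monitor would fetch `observed` from a resolver rather than a literal.

```python
from dataclasses import dataclass, field

# Constructed baseline for a hypothetical dapp front end (not Ambient's real records;
# 203.0.113.0/24 and example-dns.net are documentation placeholders).
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10", "203.0.113.11"},
    "CNAME": set(),
}


@dataclass
class DriftReport:
    added: dict = field(default_factory=dict)    # rtype -> sorted list of new values
    removed: dict = field(default_factory=dict)  # rtype -> sorted list of missing values

    @property
    def drifted(self) -> bool:
        return bool(self.added or self.removed)


def diff_records(baseline: dict, observed: dict) -> DriftReport:
    """Compare observed answers against the pinned baseline, per record type."""
    report = DriftReport()
    for rtype in sorted(set(baseline) | set(observed)):
        base = set(baseline.get(rtype, ()))
        seen = set(observed.get(rtype, ()))
        if seen - base:
            report.added[rtype] = sorted(seen - base)
        if base - seen:
            report.removed[rtype] = sorted(base - seen)
    return report


def severity(report: DriftReport) -> str:
    """Rank drift by what it usually means.

    An NS change means the registrar or DNS-provider account was altered, which
    lets the attacker serve any content for the domain. A new A or CNAME target
    means the zone now points at a host the project does not control.
    """
    if "NS" in report.added or "NS" in report.removed:
        return "critical"
    if report.added.get("A") or report.added.get("CNAME"):
        return "high"
    if report.drifted:
        return "medium"
    return "none"


def check(observed: dict, baseline: dict = BASELINE) -> tuple[str, DriftReport]:
    report = diff_records(baseline, observed)
    return severity(report), report


# Constructed "observed" answers. In a real monitor these come from a resolver
# query (for example dnspython's dns.resolver.resolve), ideally from more than
# one vantage point so a single poisoned resolver cannot hide the change.
OBSERVED_OK = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.11", "203.0.113.10"},
    "CNAME": set(),
}
OBSERVED_HIJACK = {
    "NS": {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
    "A": {"198.51.100.7"},
    "CNAME": set(),
}

if __name__ == "__main__":
    for name, obs in (("ok", OBSERVED_OK), ("hijack", OBSERVED_HIJACK)):
        sev, rep = check(obs)
        print(f"{name}: severity={sev} added={rep.added} removed={rep.removed}")
```

Treat any "critical" result as an incident, not an alert to triage later: by the time NS records point at a provider you do not recognise, the registrar account is already in someone else's hands, and the same check should be paired with registrar lock, hardware-key MFA on the registrar and DNS accounts, and Certificate Transparency monitoring for certificates issued to the domain.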

Unfortunately, the Ambient Finance hack is part of a much broader trend of increasingly sophisticated malware targeting the crypto sector. Even Apple's macOS, once considered a less attractive target, has seen a surge in malware. In August 2024, cybersecurity firms identified a new strain called "Cthulhu Stealer," which masquerades as legitimate macOS software to steal sensitive data and private keys and empty crypto wallets.

The rise in malware attacks extends beyond macOS. In September, McAfee Labs uncovered "SpyAgent," Android malware that uses optical character recognition (OCR) to extract sensitive information from images on the device, such as photos or screenshots of private keys and recovery phrases. SpyAgent was distributed through links sent by text message that led to downloads of seemingly harmless applications which were, in fact, the malware. Researchers found more than 280 fraudulent applications linked to SpyAgent.

Additionally, the cybersecurity firm F.A.C.C.T. discovered malware being distributed through automated email replies. The campaign used a modified build of the legitimate XMRig mining software, allowing attackers to mine cryptocurrency on the compromised devices of unsuspecting victims.

Hacker Arrested for Fake Bitcoin ETF Post

Luckily, the hackers targeting the crypto industry do not always get away with their crimes. A 25-year-old man from Athens, Alabama, named Eric Council Jr., was arrested by the FBI for his involvement in hacking the Securities and Exchange Commission’s (SEC) official X account in January of 2024. Council Jr. now faces charges of conspiracy to commit aggravated identity theft and access device fraud.

The authorities allege that Council Jr. was part of a group responsible for hacking the SEC's X account and posting a fake message on Jan. 9, 2024, which claimed that the SEC had approved the first Bitcoin exchange-traded funds (ETFs) in the United States. The false announcement briefly pushed Bitcoin's price up by more than $1,000 and caused serious market disruption. SEC Chair Gary Gensler quickly stated that the account had been compromised, that the post was false, and that the commission had not approved any such products.

The hackers gained control of the SEC's account using a "SIM swap" attack, in which an attacker convinces or deceives a mobile carrier into moving a victim's phone number onto a SIM card the attacker controls. Any SMS-delivered verification or password-reset code for that number then arrives on the attacker's phone, which defeats SMS-based two-factor authentication and account-recovery flows. This is how Council Jr. was able to obtain the codes used to take over the SEC's X account.

US Attorney Matthew Graves recently pointed out the severity of SIM swapping schemes, and stated that they can result in major financial losses and leaks of sensitive information. In this case, the hackers used the phone access to manipulate financial markets.

Council Jr. is known by online aliases like “Ronin,” “Easymunny,” and “AGiantSchnauzer,” and was able to get some personal information and an ID template from his co-conspirators. By using this information, he created a fake ID with his own card printer and used it to buy a SIM card linked to the victim’s phone number at a store in Huntsville, Alabama. He later bought an iPhone with cash and used it, along with the SIM card, to retrieve access codes for the SEC’s X account. 


The fake SEC post (Source: X)

Council Jr. then provided these codes to his co-conspirators, who posted the fake message. In exchange, he received payment in Bitcoin. After the attack, he drove to Birmingham to return the iPhone for cash. The FBI investigation also revealed that Council Jr. conducted internet searches that were related to the SEC hack, SIM swapping, and signs of being investigated by law enforcement. 

Interestingly, the SEC approved the launch of 11 spot Bitcoin ETFs just one day after the hacking incident took place. These funds now manage more than $63.5 billion in assets.

Prosecutors Seek Lighter Sentence for Bitfinex Hacker

United States prosecutors recommended a reduced prison sentence for Ilya Lichtenstein, who admitted to stealing roughly 120,000 Bitcoin from Bitfinex in 2016. They suggested he serve five years rather than the 20-year statutory maximum.

The recommendation was filed on Oct. 15 in a Washington, DC Federal Court. Lichtenstein's reduced sentence was recommended because of his lack of prior criminal history and his “substantial assistance” to law enforcement, which helped in multiple investigations.


Prosecutor’s sentencing memorandum

Earlier in the month, prosecutors also advocated a reduced sentence for Lichtenstein's wife and accomplice, Heather Morgan, proposing 18 months for her role in laundering the stolen crypto, likewise because of her cooperation. Although Lichtenstein had laundered 25,111 of the roughly 120,000 stolen Bitcoin, prosecutors acknowledged that his efforts to erase incriminating evidence did not seriously obstruct the investigation.

Despite his cooperation, prosecutors asked for a much longer sentence than Morgan's, mainly because of Lichtenstein's extensive planning and his involvement in other criminal activity, such as stealing $200,000 from another crypto exchange. They argued that a stronger sentence was necessary to deter him from future cybercrime. Although the couple helped recover the remaining stolen funds, prosecutors argued that it was law enforcement's actions, and not any genuine remorse, that made those recoveries possible.

Prosecutors described Lichtenstein's actions as emblematic of a new generation of young cybercriminals and warned against normalizing such behavior, which they said would diminish the seriousness of the harm done to victims. They also asked the court to order that all crypto assets seized from Lichtenstein's wallets be returned to Bitfinex as restitution, including about 95,000 Bitcoin, 117,400 Bitcoin Cash, 117,400 Bitcoin Satoshi Vision, and 118,100 Bitcoin Gold, currently worth more than $6 billion in total.

The couple was initially suspected only of laundering the hack’s proceeds, but Lichtenstein later admitted to being the hacker. Sentencing dates are set for Nov. 14 for Lichtenstein and Nov. 15 for Morgan.