Tim Heath Bites Back During Attempted Crypto Kidnapping

Australian crypto billionaire Tim Heath revealed that he narrowly escaped a violent kidnapping attempt in Estonia in 2024 after biting off part of the attacker’s finger.

Arrest

Heath’s attackers were part of a seven-person team that used forged documents and disguises. They ambushed Heath at his apartment with the intent to extort his crypto holdings. In response, he spent over $3 million on security and is seeking legal restitution. 

Separately, cybersecurity firm Sentinel Labs uncovered a North Korean hacking campaign targeting Apple users in the crypto sector by using Nim-based malware to steal sensitive data. Meanwhile, the US Justice Department is investigating a former DigitalMint employee for allegedly profiting from ransomware deals.

Crypto Billionaire Fights Off Kidnappers

Australian crypto billionaire Tim Heath narrowly escaped a violent kidnapping attempt in Estonia last year, according to details that were revealed in an Estonian court. Heath founded the Estonia-based Yolo Group and its venture capital arm Yolo Investments, and was ambushed in July of 2024 by two men posing as painters in the stairwell of his apartment building. 

The court heard that Heath fought off one of the attackers—former boxer and wrestler Allahverdi Allahverdiyev—by biting off part of his index finger during a 30-second struggle. Heath managed to break free and retreat to his apartment, though he lost a tooth in the process. The attackers fled the scene and abandoned their getaway van nearby. Part of the severed finger was later found about 100 meters from the site of the attack.

Tim Heath

Tim Heath (Source: Sydney Morning Herald)

The kidnapping plot was planned for months by a group of seven individuals, prosecutors allege. Heath was reportedly stalked in person and via GPS tracking before the attack. 

The suspects entered Estonia using forged Georgian passports and purchased disguises from local hardware stores to pose as workers. Their plan was to abduct Heath, transport him to a rented sauna house, and force him to transfer his crypto holdings. A hacker was also allegedly enlisted to help in accessing the funds.

Two suspects—Allahverdiyev and Georgian citizen Ilgar Mamedov—are currently on trial in Estonia. Allahverdiyev told the court he was promised €100,000 for the job but claimed he never intended to go through with it and tried to call off the plan. Mamedov is accused of being the getaway driver, and denies involvement. He says he ended up in Estonia by accident while traveling.

Suspects

Two suspects (Source: Sydney Morning Herald)

Authorities are still looking for two additional suspects, including alleged mastermind Najaf Najafli, while three other people involved have yet to be identified. A few weeks after the attempted abduction, Heath reportedly received a threatening message via Telegram that included photos of his apartment and a demand for 30 Bitcoin—which was then worth about $3.3 million. Though the kidnappers made no further contact after Heath ignored the message, prosecutors warn the threat may still be active.

Since the incident, Heath spent more than $3.1 million on private security and relocated to a new residence. His legal team is now seeking reimbursement for these costs from the defendants. According to the Australian Financial Review Rich List, Heath’s net worth is estimated at 2.46 billion Australian dollars, or roughly $1.61 billion.

New Malware Hits Apple Devices in Crypto Attack

In addition to kidnappings, the crypto community should also look out for North Korean hackers who are targeting Apple devices with new strains of malware. According to cybersecurity firm Sentinel Labs, the malware is specifically aimed at cryptocurrency companies.

The attackers impersonate trusted people on messaging platforms like Telegram, luring victims into a fake Zoom meeting via a Google Meet link. They then send a malicious file disguised as a Zoom update. When executed on a Mac, the file installs malware known as “NimDoor,” which is designed to steal crypto wallet data and browser credentials.

Fake update

(Source: Sentinel Labs)

What makes this campaign particularly concerning is the use of the programming language Nim, a relatively obscure language that lets the same malware source be compiled for Windows, macOS, and Linux without modification. Its rarity and technical features make Nim-compiled malware much harder for antivirus systems to detect. While North Korean threat actors previously experimented with languages like Go and Rust, researchers said that Nim offers faster compilation, easier cross-platform deployment, and more effective evasion techniques.

The malware includes a credential-stealing payload that collects browser data, system information, and even Telegram’s encrypted local database along with its decryption keys. It uses a delayed activation strategy to evade detection by security software. This campaign builds on similar efforts by North Korean hacking group BlueNoroff, which Huntress linked to malware capable of bypassing Apple’s memory protections to inject keylogging and screen recording tools.

One of the payloads, CryptoBot, serves as a comprehensive infostealer with an emphasis on compromising crypto-related browser extensions and wallets. Adding to the concern, blockchain security firm SlowMist recently identified a wave of fake Firefox extensions that are designed to extract cryptocurrency wallet credentials.

Security researchers warn that macOS is no longer immune to cyber threats. Over the past few years, Apple’s operating system has become an increasingly attractive target for state-sponsored hackers because of its growing adoption and perceived invulnerability. 

Ex-Ransomware Negotiator Under Federal Investigation

The US Justice Department launched a criminal investigation into a former employee of DigitalMint, a firm that helps victims of ransomware attacks negotiate and make payments to hackers. The individual is accused of striking unauthorized deals with cybercriminals and taking a cut of the cryptocurrency used in ransom payments. 

DigitalMint President Marc Grens confirmed the probe, and explained that the employee was “immediately terminated” once the allegations surfaced. According to Grens, the investigation is solely focused on the former employee and DigitalMint itself is not a target. He added that the company has been cooperating fully with law enforcement and acted quickly to protect its clients and inform affected stakeholders.

DigitalMint is based in Chicago, and is registered with the US Financial Crimes Enforcement Network. It claims to have a client base that includes Fortune 500 companies. 

The incident took place during a decline in ransomware payments. According to cyber response firm Coveware, only 25% of targeted companies paid ransom demands in the final quarter of 2024, down from 32% in Q3 and 36% in Q2. This is a sharp drop compared to 2019, when 85% of victims paid. 

Ransomware outcomes

(Source: Coveware)

Coveware attributes the trend to stronger cybersecurity practices, better backup and recovery systems, and a growing resistance to rewarding criminal behavior. The firm also pointed to heightened law enforcement activity and regulatory guidance discouraging payments as possible contributing factors.

The US Treasury also recently sanctioned Russia-based Aeza Group for allegedly hosting ransomware operations and info-stealing malware. The action included sanctions against the group’s leadership and a connected crypto wallet.

Meanwhile, Chainalysis reported that total ransomware-related crypto payments fell by 35% in 2024, dropping from $1.25 billion in 2023 to $815 million.