Also: Hackers Use npm Packages, MassJacker Malware and Fake $Trump

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, a Garantex admin was arrested, hackers used npm packages to steal crypto data, deployed MassJacker malware to steal coins and infected victims with $Trump lures. Also, U.S. authorities seized hacked Ripple funds and the California attorney general warned about scams.
Indian Police Arrest Garantex Operator
Indian authorities on Wednesday arrested Aleksej Besciokov, an alleged administrator of the now-shuttered, illicit crypto exchange Garantex. U.S. federal prosecutors indicted Besciokov and Garantex co-founder Aleksandr Mira Serda of knowingly facilitating the laundering of illicit cryptocurrency tied to ransomware, hacking and terrorism. Besciokov faces additional charges of violating sanctions and conspiracy to operate an unlicensed money-transmitting business. Cybersecurity reporter Brian Krebs reported Indian police nabbed Besciokov while he was vacationing on the coast of India with his family.
Garantex processed at least $96 billion in transactions since 2019. U.S., German and Finnish law enforcement agencies last week seized its website and froze over $26 million in crypto. The exchange claims to be holding in-person meetings in Moscow to compensate clients using unseized Russian assets.
Besciokov, a Lithuanian national, is set to appear in an Indian court on Monday, with likely extradition to the United States. Mira Serda is reportedly at large in the UAE.
Garantex was sanctioned by the U.S. in 2022.
Lazarus Hackers Use npm Packages to Steal Crypto Data
The Socket research team identified six malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials, deploy backdoors and extract cryptocurrency data. Downloaded 330 times, the packages rely on typosquatting, names that closely resemble legitimate JavaScript and Node.js libraries, to trick developers into installing them.
Disguised as validation and event-handling tools, the malware extracts browser credentials, login data and cryptocurrency wallet information. It also deploys BeaverTail malware and the InvisibleFerret backdoor, previously used in fake job scams. The malware systematically scans infected systems, targeting stored passwords, cookies and crypto wallets like Solana and Exodus. The malicious packages remain active on npm and GitHub.
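Typosquatting works because a dependency name that is one or two characters off from a popular library is easy to mistype or overlook in a package.json. The following is an added example, not code from Socket, npm or the original article, of a pre-install check that a project could run in CI: it compares every declared dependency against an allow-list of names the team already trusts and flags anything within a small edit distance. The allow-list and the package.json are constructed for the example and do not reproduce the real malicious package names.

```python
"""Flag npm dependency names that look like typosquats of well-known packages."""
import json

# Constructed allow-list of legitimate package names. In practice this would be
# the project's existing lockfile or a curated list of popular registry packages.
KNOWN_PACKAGES = {"express", "lodash", "react", "validator", "event-stream", "is-buffer"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lowercase, drop an npm scope prefix and unify '-', '_' and '.' separators."""
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return name.lower().replace("_", "-").replace(".", "-")


def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (known_name, distance) pairs the given name is suspiciously close to.

    An exact match is legitimate and returns []. Distance 0 after normalization
    means only case, separator or scope differs, which is a classic squat pattern.
    """
    if name in known:
        return []
    n = normalize(name)
    hits = []
    for k in known:
        d = levenshtein(n, normalize(k))
        if d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda h: h[1])


def audit_dependencies(package_json: str, known=KNOWN_PACKAGES):
    """Scan the dependency maps of a package.json document; return {dep: [candidates]}."""
    doc = json.loads(package_json)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for dep in doc.get(section, {}):
            cands = typosquat_candidates(dep, known)
            if cands:
                findings[dep] = cands
    return findings


# Constructed package.json with two suspicious names and two legitimate ones.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.0", "lodahs": "1.0.0", "react": "^18.0.0"},
  "devDependencies": {"event_stream": "3.3.6"}
}"""

if __name__ == "__main__":
    for dep, cands in audit_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: resembles {cands}")
```

Because the scope prefix is stripped before comparison, a scoped name such as `@types/express` would also be reported; a real deployment would pair this check with a list of trusted scopes, and would treat a distance-0 hit (a separator or case variant of a trusted name) as a harder failure than a distance-2 one.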
Hackers Use MassJacker Malware to Steal Crypto
A clipboard hijacking campaign dubbed MassJacker is using over 778,000 cryptocurrency wallet addresses to steal digital assets from compromised computers. Discovered by CyberArk, the operation has already funneled over $300,000 into a single Solana wallet. The attackers employ clipboard hijacking malware, or clippers, which replace copied cryptocurrency addresses with attacker-controlled ones, tricking victims into sending funds to the wrong wallet.
MassJacker is distributed through the pirated software site pesktop.com using a multi-stage infection process that involves the Amadey bot, multiple loaders and advanced obfuscation techniques. The malware eventually injects itself into a legitimate Windows process to evade detection. CyberArk said the operation could be linked to a specific threat group or operating as malware-as-a-service.
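A clipper succeeds only if the address pasted into the wallet differs from the one the user copied without anyone noticing. The following is an added example, not code from CyberArk or from the original article, of the detection logic a wallet front end or endpoint agent could apply: it records what the user deliberately copied, and at paste time compares it with what the clipboard actually holds, raising an alert when both values look like addresses but no longer match. The address patterns are loose syntactic checks, the `ClipboardGuard` API and all addresses are constructed for this example, and the clipboard hooks themselves are assumed to be supplied by the host platform.

```python
"""Detect clipper-style address substitution between copy and paste."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Loose syntactic patterns for common address formats (constructed for this example;
# they accept well-formed strings but do not validate checksums).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a string resembles, or None for ordinary text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardGuard:
    """Tracks the value the user last copied and checks it against each paste."""
    expected: Optional[str] = None
    alerts: list = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Called from the copy handler: this is the value the user intended to move.
        self.expected = text.strip()

    def on_paste(self, clipboard_text: str) -> Optional[dict]:
        """Return None if the paste is consistent, otherwise an alert (also stored)."""
        actual = clipboard_text.strip()
        expected_kind = classify_address(self.expected or "")
        actual_kind = classify_address(actual)
        if expected_kind is None or actual_kind is None:
            return None  # not an address flow, nothing to protect
        if actual == self.expected:
            return None
        alert = {
            "reason": "clipboard address changed between copy and paste",
            "expected": self.expected,
            "actual": actual,
            "expected_kind": expected_kind,
            "actual_kind": actual_kind,
            # Clippers usually swap in an address of the same chain so the change
            # is not obvious at a glance; a cross-chain swap would be even stranger.
            "same_chain": expected_kind == actual_kind,
        }
        self.alerts.append(alert)
        return alert


def run_scenario(events) -> list:
    """Replay (action, text) events through a guard and return the alerts raised."""
    guard = ClipboardGuard()
    for action, text in events:
        if action == "copy":
            guard.on_user_copy(text)
        elif action == "paste":
            guard.on_paste(text)
    return guard.alerts


# Constructed, syntactically valid-looking addresses; none belongs to a real wallet.
SOL_A = "A1b2C3d4E5f6G7h8J9k1M2n3P4q5R6s7T8u9V1w2X3y4"
SOL_B = "Z9y8X7w6V5u4T3s2R1q9P8n7M6k5J4h3G2f1E9d8C7b6"
ETH_A = "0x" + "ab" * 20

# Constructed event stream: a clean paste, a substituted paste and a non-address copy.
SAMPLE_EVENTS = [
    ("copy", SOL_A), ("paste", SOL_A),
    ("copy", SOL_A), ("paste", SOL_B),
    ("copy", "invoice #42"), ("paste", "invoice #42"),
]

if __name__ == "__main__":
    for alert in run_scenario(SAMPLE_EVENTS):
        print(alert["reason"], alert["expected"][:6], "->", alert["actual"][:6])
```

The comparison is deliberately exact rather than a prefix check: users who verify only the first and last few characters are exactly the habit a large address pool such as MassJacker's is built to exploit. A second legitimate copy by the user simply replaces `expected`, so a changed address is flagged only when no copy action explains it.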
Attackers Use Binance, Trump Coin Lures to Infect Victims
Cybercriminals are exploiting the hype around cryptocurrency and politics in a phishing campaign that impersonates Binance and promises free $Trump meme coins – only to infect victims with the ConnectWise RAT within two minutes.
Researchers at Cofense said that attackers are using social engineering tactics, including mimicking Binance’s branding, incorporating a “risk warning” in emails and creating a convincing phishing site to distribute the malware. Unlike typical ConnectWise RAT infections, which take time before attackers act, these cybercriminals monitor infections in real time, enabling them to take over compromised devices almost instantly. U.S. President Donald Trump launched $Trump days before his inauguration on Jan. 20 into a second term.
The phishing emails claim users can earn 2,000 $Trump coins by completing tasks like installing Binance’s desktop app, verifying their account and making an initial deposit. But the download link installs the ConnectWise RAT, which then steals saved passwords from browsers like Microsoft Edge.
US Seizes $23M of Hacked Ripple Funds
U.S. authorities seized more than $23 million in cryptocurrency linked to the $150 million theft from a Ripple wallet in January last year. Investigators suspect the attack was carried out by hackers who exploited private keys stolen during the 2022 LastPass breach.
Between June 2024 and February, law enforcement traced the stolen funds to multiple cryptocurrency exchanges, including Kraken, OKX, WhiteBIT and CoinRabbit. A newly unsealed forfeiture complaint shows that U.S. Secret Service agents believe attackers cracked encrypted password vaults stolen in the LastPass breach, gaining access to victims’ crypto wallets. No evidence of device compromise was found.
Authorities did not name the victim, although details align with the theft from Ripple co-founder Chris Larsen. Crypto investigator ZachXBT first connected the seized funds to Larsen’s stolen XRP.
Cali AG Warns of Crypto Scams
California Attorney General Rob Bonta warned Golden State denizens about the rise of fraudulent cryptocurrency websites and pledged continued enforcement against romance scams. Often operated by international fraudsters, the scams lure victims into fake investment schemes, showing fabricated profits before stealing their funds. The California Department of Justice last year shut down 42 fraudulent crypto websites, preventing at least $6.5 million in losses.
Authorities advise consumers to be cautious of red flags, such as unrealistic returns, lack of contact details, stolen images and inconsistent business information.