Also: SEC Drops Kraken, Consensys and Cumberland DRW Lawsuits

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week: hack stats, the seizure of Hamas crypto funds, the conclusion of the Kraken, Consensys and Cumberland lawsuits, Kentucky dropping its Coinbase suit, Trump pardoning the BitMex co-founders, Lazarus’s new tactics and Crocodilus malware’s crypto targets.
Q1 Records $1.64B in Hacks
The crypto industry is closing out its worst quarter for hacks, with $1.64 billion in losses across 40 incidents, Immunefi said. This marks a 4.7 times increase from the first quarter of last year, largely due to the $1.46 billion Bybit hack, attributed to North Korea’s Lazarus Group.
Other hacks totaled $176 million, down nearly 50% year-on-year. Centralized finance bore the brunt, accounting for 94% of losses, while decentralized finance hacks – 38 out of 40 incidents – caused just $106.8 million in damages, a 69% year-on-year drop. BNB Chain overtook Ethereum as the most targeted network, with 19 attacks compared to 15 on Ethereum. Immunefi did not report any fraud-related losses this quarter, compared to $14.7 million lost to scams in Q1 last year.
DOJ Seizes Hamas Crypto Funds
The U.S. Department of Justice seized $200,000 in cryptocurrency tied to a Hamas terrorist-financing scheme. The funds, primarily in USDT, were allegedly laundered through crypto wallets and exchanges to benefit Hamas. Authorities traced the seized funds from Hamas-linked fundraising addresses, which reportedly moved over $1.5 million in virtual currency since October 2024. The operation involved directing supporters to donate to multiple wallets, with transactions processed by suspected financiers and brokers.
US SEC Drops Lawsuits Against Kraken, Consensys and Cumberland DRW
The U.S. Securities and Exchange Commission dismissed lawsuits against Kraken, Consensys and Cumberland DRW, filing joint stipulations to drop the cases with prejudice, preventing future litigation on the same claims. The SEC said that the decision reflects its ongoing regulatory shift rather than a judgment on the merits of the cases.
Kentucky Drops Coinbase Staking Lawsuit
Kentucky’s Department of Financial Institutions withdrew its lawsuit against Coinbase, in which it had accused the exchange of violating state securities laws by offering digital asset staking services. The case was dismissed without prejudice, allowing the state to revisit the matter later. Coinbase’s Chief Legal Officer Paul Grewal urged Congress to adopt a federal crypto regulatory framework instead of state-by-state litigation. The move follows similar withdrawals by the attorneys general of Vermont and South Carolina. Days earlier, Kentucky Governor Andy Beshear signed into law a measure known as the “Bitcoin Rights” bill, protecting self-custody, mining operations and crypto payments.
Trump Pardons BitMex Co-Founders
U.S. President Donald Trump pardoned BitMex co-founders Arthur Hayes, Benjamin Delo and Samuel Reed, along with former executive Gregory Dwyer and the entity operating the exchange. BitMex reportedly confirmed the pardons in a statement to Reuters. The three founders had pleaded guilty in 2022 to failing to implement an anti-money laundering program under the Bank Secrecy Act. Prosecutors alleged they knowingly violated compliance laws between 2015 and 2020.
Lazarus Group Uses ‘ClickFix’ Tactics to Target CeFi Job Seekers
North Korea’s Lazarus Group adopted ClickFix tactics to spread malware, focusing on job seekers in centralized finance, Sekoia reported. ClickFix deceives targets by displaying fake errors on job-related websites, instructing them to run PowerShell or terminal commands that download and install malware. Lazarus impersonates major firms such as Coinbase, Kraken and Tether, luring victims through LinkedIn and X.
The group since February has shifted from developers to non-technical CeFi roles such as business developers and marketing managers. Victims attempting remote interviews encounter a fake webcam driver error, prompting them to execute a Go-based backdoor, GolangGhost, which steals credentials and grants remote access.
Crocodilus Malware Targets Crypto Wallets With Social Engineering
ThreatFabric researchers identified Crocodilus, a new Android banking malware that tricks users into revealing their cryptocurrency wallet seed phrases. The malware displays a fake warning, asking users to back up their wallet keys within 12 hours or risk losing access. Once victims navigate to their seed phrases, Crocodilus logs and steals the data, allowing attackers to take full control of the wallet.
Distributed through a proprietary dropper, Crocodilus bypasses Android 13 security protections, evading Play Protect and Accessibility Service restrictions. It intercepts banking credentials using screen overlays and executes 23 remote commands, including enabling call forwarding, sending SMS messages and controlling app navigation. Initially targeting users in Turkey and Spain, Crocodilus could expand its reach.