Cryptohack Roundup: Step Finance, CrossCurve Exploits

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, Step Finance and CrossCurve hacks, the United States sanctioned U.K.-registered exchanges over Iran ties, forfeiture finalization of funds linked to Helix, Coinbase data breach, 2025’s illicit crypto flows and a UK regulator banned Coinbase ads.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Step Finance said hackers stole about $40 million in digital assets after compromising devices used by company executives, breaching several treasury wallets.

The Solana-based decentralized finance analytics and trading platform detected the incident and notified authorities. It recovered $4.7 million so far. Step Finance paused some operations and advised users not to interact with its STEP token while it investigates and works on a remediation plan.

Cross-chain liquidity protocol CrossCurve said attackers exploited a smart contract vulnerability to drain about $3 million across multiple networks. The project urged users to halt all interactions while it investigates. Security analysts said the flaw involved a gateway validation bypass in the ReceiverAxelar contract, allowing spoofed cross-chain messages to trigger unauthorized token unlocks.

The United States blacklisted Zedcex and Zedxion, two U.K.-registered cryptocurrency exchanges, marking the first time entire digital asset platforms have been sanctioned under Iran-related authorities.

The Department of Treasury’s Office of Foreign Assets Control said the exchanges processed funds for Iran’s Islamic Revolutionary Guard Corps, which the U.S. and European Union designate as a terrorist organization. OFAC also sanctioned Iranian financier Babak Morteza Zanjani, accusing him of laundering money for the regime after his release from prison. Analysis published by TRM Labs in January concluded that exchanges appear to operate as a single enterprise and wallets linked to the exchanges processed roughly $1 billion associated with the Islamic Revolutionary Guard Corps (see: Cryptohack Roundup: UK Crypto Firms Tied to Iran Sanctions).

The U.S. Department of Justice finalized the forfeiture of more than $400 million in assets tied to Helix, a darknet cryptocurrency mixer accused of laundering proceeds from illegal online markets. Federal prosecutors said a court order transferred legal ownership of seized cryptocurrencies, real estate and financial accounts to the government.

Prosecutors said Helix processed at least 354,468 bitcoin between 2014 and 2017, worth roughly $300 million at the time, largely to help users conceal illicit funds. Helix operator Larry Dean Harmon pleaded guilty to money laundering conspiracy in 2021 and received a three-year prison sentence in 2024.

Coinbase confirmed a December insider breach in which a contractor improperly accessed the personal data of around 30 customers, BleepingComputer reported. The company said it detected the activity last year, terminated the contractor’s access, notified affected users and offered identity theft protection while also informing regulators. The confirmation followed brief Telegram posts by a threat group showing screenshots of Coinbase’s internal support tools.

Illegal cryptocurrency flows surged to a record $158 billion in 2025, up 145% from 2024 and reversing three years of decline, said TRM Labs.

The jump came even as illicit activity’s share of total on-chain volume edged down to 1.2%. TRM attributed the rise to sanctions-linked activity tied to Russia-associated networks, broader use of crypto by nation-states such as Russia, Iran and Venezuela, and improved attribution and intelligence sharing.

Hackers stole $2.87 billion across 150 incidents, led by a $1.46 billion Bybit breach, while scams drew about $35 billion. Ransomware activity stayed elevated but below prior peaks.

The U.K. Advertising Standards Authority banned a video advertisement and three Coinbase posters, ruling that they were socially irresponsible. The ads, displayed in London transport hubs in August, drew 35 complaints for downplaying crypto risks and implying that cryptocurrency could address personal financial hardship.

The campaign used the line “everything is just fine” alongside scenes highlighting job losses, high living costs and inaccessible home ownership.

The regulator said this framing positioned Coinbase as an alternative to traditional finance and suggested crypto as a solution to economic problems. Coinbase reportedly said it respects the ruling but disagreed with it, arguing the ads aimed to spark debate about financial systems rather than offer simplistic fixes.