Content
01. News Bites
- North Korean hackers steal $1.5 billion from Bybit in record crypto heist
- Have I Been Pwned adds 284 million stolen accounts from infostealer malware
- Britain leads Europe in malware attacks, says new report
- EncryptHub targets global organisations with spear-phishing attacks
- 3.2 million users compromised in Chrome extension hijack
02. Conclusion
North Korean hackers steal $1.5 billion from Bybit in record crypto heist
Bybit, a major cryptocurrency exchange, has confirmed the theft of $1.5 billion in Ethereum after an attack on February 21st. The FBI has attributed the breach to North Korea’s Lazarus Group, making it the largest crypto heist to date.
The hackers exploited a vulnerability in Bybit’s Ethereum cold wallet, manipulating the Safe{Wallet} platform to authorize a fraudulent transaction. Over 400,000 ETH and stETH were transferred to an unknown address.
Since the breach, blockchain investigators have traced links between Bybit’s stolen funds and previous Phemex, BingX, and Poloniex hacks, all tied to Lazarus Group.
Bybit has reassured users that all other wallets remain secure, and withdrawals are being processed despite delays. The FBI has issued a public alert, urging cryptocurrency services to block transactions from 51 Ethereum addresses linked to the attack, as North Korean hackers attempt to launder the stolen assets.
Have I Been Pwned adds 284 million stolen accounts from infostealer malware
The Have I Been Pwned (HIBP) data breach notification service has added 284 million compromised accounts stolen by infostealer malware and shared on a Telegram channel named “ALIEN TXTBASE”.
HIBP founder Troy Hunt discovered the accounts while analyzing 1.5TB of stealer logs, containing 23 billion rows of data, including 493 million unique website and email address pairs. HIBP has also added 244 million new passwords to its Pwned Passwords database.
The stolen credentials, likely collected from multiple breaches and credential stuffing attacks, were verified before being added. New APIs now allow domain owners and website operators to search for compromised customer accounts.
Regular users can check if their email was included through HIBP notifications, but full details remain private for security reasons. This follows past additions, including 12 million Zacks Investment accounts earlier this month and 441,000 RedLine malware-stolen accounts in 2021.
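One way to see how a password can be checked against a corpus like Pwned Passwords without ever sending the password itself is HIBP's range lookup, where the client transmits only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The code below is an added example, not code from this bulletin or from HIBP; it assumes the publicly documented range API format (`https://api.pwnedpasswords.com/range/<prefix>` returning `SUFFIX:COUNT` lines) and replaces the network call with a locally constructed response so it runs offline.

```python
"""Offline demonstration of a Pwned Passwords k-anonymity range lookup.

Added example, not code from the original bulletin or from HIBP. The
"server" response is constructed locally; RANGE_API is the documented
endpoint used only by the optional live fetcher.
"""
import hashlib
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as Pwned Passwords stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus (0 if absent).

    Only the 5-character hash prefix leaves the client; the remaining 35
    characters are compared locally against the returned suffix list, so the
    server learns neither the password nor its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# --- constructed "server" for offline use ---------------------------------
# Two passwords are planted in the corpus; anything else counts as unseen.
_CONSTRUCTED_CORPUS = {"password123": 100, "letmein": 42}


def fake_fetch_range(prefix: str) -> str:
    """Mimic the range endpoint: every suffix whose full hash starts with `prefix`."""
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    # Filler line standing in for the other hashes that share the prefix.
    lines.append("0" * 34 + "A:0")
    return "\r\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Network version (not used by the offline demo): GET RANGE_API + prefix."""
    import urllib.request
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; the matching logic is identical, which is the point of the design: the privacy property comes from what the client chooses to send, not from anything the server does.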
Britain leads Europe in malware attacks, says new report
A new report by NordVPN has revealed that the UK has the highest rate of malware attacks in Europe, with over 669 million malware incidents blocked last year. The report highlights a surge in cyber threats, particularly through phishing emails, malicious links, and software vulnerabilities.
Cybercriminals frequently impersonate major brands like Google, Facebook, and Microsoft to steal personal information. Google was the most imitated brand in 2024, with 85,000 fake URLs detected. Digital scams also spike during the holiday season, with 54 million scams blocked from August to December.
Free video hosting sites like YouTube and Dailymotion, along with anime streaming platforms, pose major security risks. NordVPN blocked 1.5 billion malware infection attempts on these sites in 2024.
We advise users to verify links, be wary of phishing emails, and keep software updated to prevent cyberattacks.
EncryptHub targets global organisations with spear-phishing attacks
The cyber threat actor EncryptHub (aka Larva-208) has been compromising organisations worldwide through spear-phishing and social engineering attacks since June 2024, according to a Prodaft report. The group has breached at least 618 organisations, deploying RMM software, infostealers like Stealc and Rhadamanthys, and ransomware.
EncryptHub is affiliated with RansomHub and BlackSuit but also uses a custom PowerShell encryptor in some attacks. The group mimics corporate VPN login pages for Cisco AnyConnect, Fortinet, Microsoft 365, and others, capturing credentials and multi-factor authentication (MFA) session cookies in real time.
They host phishing sites on bulletproof hosting providers and have acquired over 70 domains to increase credibility. Once inside, EncryptHub installs RMM tools like AnyDesk and TeamViewer to maintain access and steal data.
Prodaft warns that EncryptHub’s advanced social engineering tactics and obfuscation techniques make it a major cyber threat to high-value targets.
3.2 million users compromised in Chrome extension hijack
A major security breach has affected over 3.2 million Chrome users, with 16 popular extensions, including Adblock for Chrome and WAToolkit, hijacked to inject malicious scripts for fraud and affiliate traffic manipulation.
Security researchers found that attackers compromised developer accounts, using supply chain attacks to distribute malicious updates without user awareness. The hijacked extensions, originally designed for ad blocking, screen capture, and emoji keyboards, were modified to steal data, modify HTTP requests, and inject ads into webpages.
The attack exploited Chrome extension permissions like host access and scripting controls, making it difficult to detect. Researchers linked the infrastructure to previous phishing campaigns that targeted trusted software developers.
Google has removed the malicious extensions, but users are advised to uninstall affected extensions and review extension permissions carefully before installing. Security experts warn that supply chain attacks on trusted software remain a growing cyber threat.
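Reviewing extension permissions is easier with a script that reads each installed extension's manifest and flags the combination the hijacked extensions relied on: broad host access plus the ability to inject scripts or touch HTTP requests. The code below is an added example, not code from this bulletin or from Google; the risk descriptions are this example's own judgement rather than a Chrome-defined ranking, the two sample manifests are constructed, and `audit_profile` assumes the standard `<profile>/Extensions/<id>/<version>/manifest.json` layout of a Chrome profile directory.

```python
"""Audit Chrome extension manifests for broad permissions.

Added example, not code from the original bulletin or from Google. Risk
descriptions and sample manifests are constructed for illustration.
"""
import json
from pathlib import Path

# Permissions that let an extension read or rewrite traffic on arbitrary sites.
RISKY_PERMISSIONS = {
    "scripting": "can inject JavaScript into pages",
    "webRequest": "can observe HTTP requests",
    "declarativeNetRequest": "can rewrite or redirect HTTP requests",
    "cookies": "can read site cookies",
    "tabs": "can read the URL and title of every open tab",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest (empty list = nothing broad)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 manifests list host patterns under "permissions"; MV3 under "host_permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for host in sorted(hosts):
        if host in BROAD_HOSTS:
            findings.append(f"broad host access: {host}")
    for perm in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
    # The combination needed to inject code into every page the user visits.
    if any(h in BROAD_HOSTS for h in hosts) and "scripting" in perms:
        findings.append("HIGH: can run arbitrary scripts on every site")
    return findings


def audit_profile(profile_dir: str) -> dict[str, list[str]]:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for installed extensions."""
    results = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the scan
        ext_id = manifest_path.parent.parent.name
        results[ext_id] = audit_manifest(manifest)
    return results


# --- constructed sample manifests (not real extensions) --------------------
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Emoji Keyboard",
    "permissions": ["storage"],
    "host_permissions": [],
}
OVERBROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ad Blocker",
    "permissions": ["scripting", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, OVERBROAD_MANIFEST):
        print(m["name"], "->", audit_manifest(m) or ["no broad permissions"])
```

A "HIGH" finding is not proof of compromise: a genuine ad blocker legitimately needs wide host access. The value of the audit is the short list it produces, which is the set of extensions whose update channel deserves the most scrutiny and which should be uninstalled if they are no longer needed.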
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.