AI Agents: Democratizing Finance While Redefining Risk
Key Findings:
* AI agents are moving capital autonomously across crypto markets, enabling retail users to execute sophisticated trading strategies previously requiring institutional infrastructure
* A documented case shows $300 converted to $2.3 million in four months through agent-executed strategies
* Agents operate without human approval at each step, fundamentally different from traditional finance architecture
* Critical security vulnerability exists: agents must access private k
Mar 31 · 5 min read
SocksEscort Proxy Network Dismantled by Federal Authorities in Global Fraud Crackdown
Key Findings:
* International law enforcement dismantled SocksEscort proxy network
* Network compromised approximately 369,000 IP addresses worldwide
* Cybercriminals used service to route fraudulent activities and hide identity
* $3.5 million in cryptocurrency seized
* Infected over 8,000 home and small business routers
* Caused millions in financial losses across multiple victims
Background: SocksEscort operated as a malicious proxy service from 2009, systematically infecting
Mar 12 · 2 min read
Aeternum C2: The Botnet That Lives on the Polygon Blockchain
Key Findings: Aeternum is a C++ botnet loader that uses the Polygon blockchain as its command-and-control (C2) infrastructure. The botnet stores its instructions in smart contracts on the Polygon blockchain, making its C2 effectively permanent and resistant to traditional takedown methods. Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them, allowing the botnet operators to manage multiple contracts and payloads simultaneously. Blockc
Feb 27 · 2 min read
Aeternum C2 Botnet Leverages Polygon Blockchain to Evade Takedown
Key Findings Aeternum C2 is a new botnet that uses the Polygon blockchain to store encrypted command-and-control (C2) instructions. This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods. The malware works by writing commands to be issued to infected hosts into smart contracts on the Polygon blockchain. The bots then read those commands by querying public remote procedure call (RPC) endpoints, with the commands man
Feb 26 · 2 min read
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
Key Findings:
* North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data
* The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive victims
* UNC1069 has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reput
Feb 11 · 2 min read
Bithumb's Massive Crypto Mishap: $40B Bitcoin Mistakenly Sent to Customers
Key Findings: On February 6, 2026, South Korean cryptocurrency exchange Bithumb accidentally credited 620,000 bitcoins (worth around $40 billion) to 695 customer accounts instead of the small rewards (worth around $1.40) they were supposed to receive. The error occurred due to a system configuration mistake during a promotional event, where the payment unit was mistakenly set as "BTC" instead of "Korean won". Bithumb was able to recover 99.7% of the mistakenly distributed bitc
Feb 7 · 3 min read
US Seizes $400 Million Connected to Helix Dark Web Crypto Mixer
Key Findings: The U.S. government has seized over $400 million in assets linked to the notorious darknet cryptocurrency mixer Helix. The assets include cryptocurrencies, real estate, and other monetary holdings previously owned by Helix's Ohio-based operator, Larry Dean Harmon. Helix processed an estimated 354,468 bitcoins, worth around $311 million at the time, through over 1.2 million transactions between 2014 and 2017. The service was popular among darknet drug dealers and
Jan 31 · 2 min read
Trust Wallet Chrome Extension Hack Drains $8.5M in Shai-Hulud Supply Chain Attack
Key Findings: The second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain attack in November 2025 was likely responsible for the hack of Trust Wallet's Google Chrome extension. The attack resulted in the theft of approximately $8.5 million in cryptocurrency assets from 2,520 wallet addresses. The attacker obtained full access to the Chrome Web Store (CWS) API key, allowing them to upload a trojanized version of the extension with a backdoor capable of harvesting users
Dec 31, 2025 · 2 min read
Hidden Danger: Chrome Extension Exploits Solana Wallets
Key Findings: Cybersecurity researchers have discovered a malicious Chrome extension named "Crypto Copilot" that injects hidden Solana transfer fees into Raydium swap transactions. The extension silently appends an extra transfer instruction to each swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The malicious behavior is concealed through obfuscation techniques, and the extension's user interface only shows the legitimate
Nov 27, 2025 · 2 min read
