Last updated: July 5, 2026 at 9:01 AM UTC
Tag: cryptocurrency (6 articles)

AI-assisted audit finds 4-year Zcash flaw enabling unlimited counterfeit coins

A critical flaw in Zcash's Orchard privacy pool, the system that lets people send the ZEC cryptocurrency while hiding amounts and parties, could have let an attacker mint unlimited counterfeit coins without detection. Security researcher Taylor Hornby, hired by developer Shielded Labs to probe the code, found it on May 29 using Anthropic's Claude Opus 4.8 model paired with a custom auditing tool, and wrote a working exploit within a day. The bug had survived four years and multiple expert reviews. An emergency fix shipped by June 1. Because the pool hides balances, there is no way to prove whether anyone exploited it earlier.

Check
If you run a Zcash node, operate an exchange listing ZEC, or hold funds in the Orchard shielded pool, confirm your software version against the June 2026 emergency release.
Affected
Zcash Orchard shielded pool, active since May 2022. Node operators, exchanges, and wallets running pre-fix software were exposed to undetectable counterfeiting and double-spending of ZEC.
Fix
Upgrade to the emergency-patched Zcash node release published by June 1, 2026, and follow Shielded Labs guidance on the proposed network upgrade adding supply-accounting checks.

JINX-0164 targets crypto firms with LinkedIn recruiter lures and macOS AUDIOFIX malware - lateral move into CI/CD code distribution

Wiz has documented JINX-0164, a previously undocumented, financially motivated threat actor that has targeted cryptocurrency firms with recruitment-themed social engineering and bespoke macOS malware since at least mid-2025. The chain starts with credible LinkedIn profiles offering virtual meetings; victims are steered to a rogue teleconference page that delivers a malicious 'meeting client.' A bash script then pulls AUDIOFIX, a Python-based macOS infostealer and RAT, from apple.driver-store[.]com. The payload is architecture-aware (Intel and Apple Silicon), is saved as ChromeUpdater, masquerades as the system audio daemon coreaudiod, and persists via launchctl. From the developer laptop, the operators use AUDIOFIX to move laterally into code-distribution and CI/CD infrastructure, modifying source code to steal wallets at scale.

Check
Train developer and finance teams against LinkedIn recruiter approaches followed by 'meeting client' downloads. Hunt macOS endpoints for a ChromeUpdater binary, any coreaudiod process not running from /usr/sbin/coreaudiod, and LaunchDaemons or LaunchAgents loaded via launchctl whose program lives in a user-writable path.
Affected
Cryptocurrency firms and crypto-adjacent developers using macOS, especially with access to CI/CD or code-distribution infrastructure. LinkedIn recruitment lures are the dominant initial vector.
Fix
Block the Wiz-published IoCs, including apple.driver-store[.]com, at egress. Restrict launchctl persistence to known LaunchDaemons. Require out-of-band identity verification before anyone installs a 'meeting client' sent by a new contact. Audit CI/CD signing keys, and rotate them if a developer endpoint with access to them is confirmed compromised.
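
The launchd hunt from the Check above as a script, added here as an example (editor's code, not Wiz's tooling or IoC set). It parses LaunchDaemon and LaunchAgent plists with the standard library and flags jobs whose program is named ChromeUpdater, claims to be coreaudiod but is not /usr/sbin/coreaudiod, runs from outside a small allowlist of system paths, or is a Python interpreter pointed at a script in a user-writable location. The allowlist of trusted prefixes and both sample plists are assumptions constructed for the example.

```python
"""Hunt launchd persistence matching the AUDIOFIX description (added example, not Wiz's code)."""
import os
import plistlib
from pathlib import Path

# Indicators from the Wiz write-up: the dropped binary name and the daemon it impersonates.
SUSPECT_BINARY = "chromeupdater"
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"   # the only legitimate location on macOS
# Assumption for this example: prefixes a legitimate launchd job normally points at.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def program_path(job):
    """launchd jobs name their executable via Program or ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_job(job):
    """Return the reasons a launchd job looks like AUDIOFIX persistence; [] means clean."""
    reasons = []
    path = program_path(job)
    if path is None:
        return ["no Program or ProgramArguments"]
    base = os.path.basename(path).lower()
    if base == "coreaudiod" and path != GENUINE_COREAUDIOD:
        reasons.append("coreaudiod impostor at " + path)
    elif base == SUSPECT_BINARY:
        reasons.append("suspect binary name " + base)
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted prefixes: " + path)
    # AUDIOFIX is Python-based: an interpreter launched with a script outside
    # system paths is worth a look even if the file names were changed.
    args = job.get("ProgramArguments") or []
    if len(args) > 1 and "python" in os.path.basename(str(args[0])).lower():
        if not str(args[1]).startswith(TRUSTED_PREFIXES):
            reasons.append("python interpreter running untrusted script " + str(args[1]))
    return reasons


def scan_plist_bytes(data):
    """Assess one plist (XML or binary); parse failures are reported, not skipped."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a malformed plist in a launchd dir deserves a look too
        return ["unparseable plist: %s" % exc]
    if not isinstance(job, dict):
        return ["plist root is not a dict"]
    return assess_job(job)


def scan_dirs(dirs=LAUNCHD_DIRS):
    """Map plist path -> reasons for every suspicious job under the launchd dirs."""
    findings = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            reasons = scan_plist_bytes(p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples (not captures): one shaped like the reported persistence, one benign.
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Application Support/ChromeUpdater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>Program</key><string>/usr/sbin/coreaudiod</string>
</dict></plist>"""

if __name__ == "__main__":
    print("sample malicious:", scan_plist_bytes(SAMPLE_MALICIOUS))
    print("sample benign:", scan_plist_bytes(SAMPLE_BENIGN) or "clean")
    for path, why in scan_dirs().items():
        print(path, why)
```

Run it as root on the endpoint so /Library/LaunchDaemons is readable; a hit on the program path is the cue to pull the binary and check its code signature and the launchctl list output for the same label, since the plist alone does not prove the job is currently loaded.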

Lazarus RemotePE memory-only RAT targets DeFi and crypto firms - DPAPILoader + RemotePELoader chain, Hell's Gate, ETW patching

NCC Group's Fox-IT has documented RemotePE, a previously private cross-platform RAT used by the North Korea-linked Lazarus Group against DeFi, financial, and cryptocurrency organizations. The chain starts with social engineering on Telegram (impersonating a trading-firm employee with fake Calendly and Picktime meeting links), then drops DPAPILoader (Iassvc.dll), which uses Windows DPAPI to decrypt RemotePELoader. That loader fetches RemotePE from aes-secure[.]net and runs it entirely in memory, evading EDR with Hell's Gate direct syscalls and ETW patching. RemotePE itself is a C++ RAT supporting six command categories. Fox-IT believes the toolset is reserved for high-value, long-dwell access leading to large-scale financial theft. Activity dates from mid-2023.

Check
Hunt for Iassvc.dll on Windows endpoints (especially DeFi-adjacent developer machines). Search EDR for outbound traffic to aes-secure[.]net. Review Telegram and Calendly social-engineering reports from your finance and crypto teams.
Affected
Financial-services, DeFi, and crypto firms - Lazarus' primary targets. Initial access via Telegram impersonation of trading-firm employees and fake Calendly / Picktime meeting links.
Fix
Block aes-secure[.]net at egress and alert on any past resolution of it. Train finance and developer teams against Telegram-initiated meeting requests with crypto or trading themes. Deploy EDR rules for Hell's Gate-style direct syscalls issued from outside ntdll and for in-memory patches to ETW functions such as ntdll!EtwEventWrite.
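
The egress check in this item and in the JINX-0164 item above, as an added example (editor's code, not from Fox-IT or Wiz): refang the hostnames as the advisories print them, then run them over proxy log lines, matching the host and any subdomain but not look-alike names that merely end in the same string. The Squid-style log lines are constructed for the example, and the IoC list holds only the two hosts named on this page.

```python
"""Match defanged C2 hostnames from the advisories against proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Hosts named on this page, kept defanged exactly as the write-ups print them.
DEFANGED_IOCS = [
    "apple.driver-store[.]com",   # AUDIOFIX download host (JINX-0164, Wiz)
    "aes-secure[.]net",           # RemotePE in-memory fetch host (Lazarus, Fox-IT)
]


def refang(ioc):
    """Undo common defanging ('[.]', '(.)', '{.}', 'hxxp(s)://'), then drop any path and trailing dot."""
    s = ioc.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    return s.split("/", 1)[0].rstrip(".")


IOCS = frozenset(refang(d) for d in DEFANGED_IOCS)


def host_matches(host, iocs=IOCS):
    """Return the IoC that host equals or is a subdomain of; label-aligned, so
    'notaes-secure.net' does not match 'aes-secure.net'."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# A bare host token, optionally with a port (CONNECT lines, DNS logs).
_BARE_HOST = re.compile(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})\.?(?::\d+)?$")


def hosts_in_line(line):
    """Pull candidate hostnames out of a log line: full URLs and bare host[:port] tokens."""
    for tok in line.split():
        tok = tok.strip(",;\"'()<>")
        if "://" in tok:
            host = urlsplit(tok).hostname
            if host:
                yield host
        else:
            m = _BARE_HOST.match(tok)
            if m:
                yield m.group(1)


def scan_log(lines, iocs=IOCS):
    """Return (line_no, host, matched_ioc) for every line touching an IoC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in_line(line):
            ioc = host_matches(host, iocs)
            if ioc:
                hits.append((n, host, ioc))
    return hits


# Constructed Squid access-log lines (not a real capture). Line 4 is a look-alike
# host that must NOT match.
SAMPLE_LOG = """\
1718275010.123    412 10.0.0.5 TCP_TUNNEL/200 3921 CONNECT aes-secure.net:443 - HIER_DIRECT/203.0.113.7 -
1718275011.004     88 10.0.0.5 TCP_MISS/200 1203 GET https://updates.example.com/feed.xml - HIER_DIRECT/198.51.100.2 text/xml
1718275019.777   2210 10.0.0.9 TCP_MISS/200 774213 GET https://apple.driver-store.com/ChromeUpdater - HIER_DIRECT/203.0.113.9 application/octet-stream
1718275020.001     12 10.0.0.9 TCP_MISS/200 301 GET https://notaes-secure.net/ - HIER_DIRECT/203.0.113.10 text/html
"""

if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG.splitlines()):
        print("line %d: %s matches IoC %s" % (n, host, ioc))
```

Feed it the proxy, DNS, or EDR network-event export going back to the campaign start dates the vendors give (mid-2025 for JINX-0164, mid-2023 for RemotePE); a single CONNECT to either host from a developer workstation is enough to open an incident.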

Megalodon GitHub Actions attack scans 5,561 repos for CI/CD secrets; polymarketdev publishes nine wallet-stealer npm packages

SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.

Check
Search GitHub Actions audit logs for unfamiliar workflow files added via pull requests since May 21. Search npm install logs for any polymarket-* package.
Affected
5,561 GitHub repositories specifically targeted by Megalodon malicious pull requests. Any Ethereum or Polygon developer who installed polymarket-* npm packages exposed wallet keys.
Fix
Avoid pull_request_target, and never check out the pull request's head ref in any workflow that carries secrets or a write token. Pin GitHub Actions to full commit SHAs rather than tags. Treat any system that ran polymarket-* packages as compromised and rotate wallet keys immediately.
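
A workflow audit for the Megalodon pattern, added as an example (editor's heuristics, not SafeDep's detection logic). It flags the two conditions that let a malicious pull request's crafted workflow reach secrets, a pull_request_target trigger combined with a checkout of the PR head, plus actions referenced by tag rather than a 40-hex commit SHA. It is line-based on purpose so it runs without a YAML library; the sample workflows and the 40-hex string in them are constructed placeholders, not real repositories or commits.

```python
"""Line-based audit of a GitHub Actions workflow for pwn-request and unpinned-action patterns (added example)."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions that resolve to the untrusted PR head inside a pull_request_target run.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")


def unpinned_actions(text):
    """Return 'owner/repo@ref' for every remote action not pinned to a full commit SHA."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and image actions: SHA pinning does not apply
        _, _, version = ref.partition("@")
        if not SHA40_RE.match(version):
            out.append(ref)
    return out


def audit_workflow(text):
    """Return human-readable findings; an empty list means no Megalodon-style exposure found."""
    findings = []
    privileged = re.search(r"\bpull_request_target\b", text) is not None
    if privileged:
        if PR_HEAD_RE.search(text):
            findings.append("pull_request_target workflow checks out the PR head; untrusted code "
                            "runs with the write token and secrets")
        if SECRET_RE.search(text):
            findings.append("pull_request_target workflow reads secrets; they are exposed to "
                            "any step the PR controls")
    for ref in unpinned_actions(text):
        findings.append("action not pinned to a commit SHA: " + ref)
    return findings


# Constructed sample (not a real repository); the 40-hex string is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Same job on the unprivileged trigger with a pinned checkout: nothing to report.
SAFE_WORKFLOW = """\
name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name + ":", audit_workflow(wf) or "no findings")
```

Run it over every file under .github/workflows in each repository, and pay attention to workflow files that arrived in a pull request since May 21: a crafted workflow is only dangerous if the repository's trigger configuration gives it a privileged context, which is exactly what the first two findings detect.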

North Korean hackers used Claude AI to add malicious npm dependencies to legitimate-looking projects and stole crypto wallet credentials from developers who installed them

North Korea's Famous Chollima group (also called Void Dokkaebi) is using Anthropic's Claude Opus to write malicious npm packages and slip them into developer environments. ReversingLabs found the group had registered a fake Florida LLC, set up a real-looking developer firm, and used Claude to add a package called @validate-sdk/v2 as a dependency to a legitimate-looking utility SDK. When developers installed the parent package, the dependency executed code that stole their cryptocurrency wallet credentials. The campaign progressed from simple JavaScript info-stealers (5 KB) to full Node.js executables (85 MB) bundling Claude-generated deception code.

Check
If your organization handles cryptocurrency, treat every npm or PyPI dependency as untrusted by default, particularly utility SDKs from unfamiliar publishers, and review the full dependency tree of anything new: here the malicious code sat one level down, in @validate-sdk/v2, not in the package the developer chose to install.
Affected
Cryptocurrency companies and developers, especially those whose machines hold wallet credentials, signing keys, or CI/CD access to crypto infrastructure. Web3 startups, blockchain developers, fintech engineers. The targeting is industry-specific, but the technique (AI-generated trojan dependencies inside legitimate-looking SDKs) will be copied by other groups.
Fix
Pin npm and PyPI dependencies to exact versions with lockfile integrity hashes (full commit SHAs for anything pulled from git) and require manual review for any new dependency, direct or transitive, added to a crypto-handling project. For high-risk developers, use ephemeral build environments that don't carry wallet credentials. Block ipfs-url-validator.vercel[.]app and the @validate-sdk publisher namespace. Treat any 'utility SDK' from an unfamiliar US LLC formed in the past 12 months with extra suspicion.
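
For this item and for the polymarket-* npm packages in the Megalodon item above, an added example (editor's code, not ReversingLabs' or SafeDep's): an audit of package-lock.json that walks every installed package, transitive ones included, so a dependency like @validate-sdk/v2 slipped into a parent SDK is checked the same as a direct install. It reports denylisted names, packages that run install scripts (the postinstall vector the polymarket packages used), entries with no integrity hash, and tarballs resolved from outside the registry. The lockfile and the package "helper-sdk" are constructed, the integrity values are placeholders, the trusted-registry set is an assumption, and the denylist holds only the names this page gives.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for the patterns on this page (added example)."""
import fnmatch
import json
from urllib.parse import urlsplit

# Names reported on this page, as patterns so the whole polymarket-* burst and the scope are covered.
DENYLIST = ["polymarket-*", "@validate-sdk/*"]
# Assumption for this example: the only host tarballs should resolve from.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}


def lock_packages(lock):
    """Yield (name, entry) for every installed package. Keys are node_modules paths,
    so the name is whatever follows the last 'node_modules/' (scoped names keep their scope)."""
    for key, entry in lock.get("packages", {}).items():
        if key == "":
            continue  # the root project itself
        name = entry.get("name") or key.rsplit("node_modules/", 1)[-1]
        yield name, entry


def audit_lockfile(lock):
    """Return (package, reason) pairs; transitive dependencies are checked like direct ones."""
    findings = []
    for name, e in lock_packages(lock):
        if any(fnmatch.fnmatchcase(name, pat) for pat in DENYLIST):
            findings.append((name, "denylisted name"))
        if e.get("hasInstallScript"):   # npm records this for packages with (pre|post)install scripts
            findings.append((name, "runs install script"))
        if not e.get("integrity") and not e.get("link"):
            findings.append((name, "no integrity hash"))
        host = urlsplit(e.get("resolved", "")).hostname
        if host and host not in TRUSTED_REGISTRIES:
            findings.append((name, "resolved from " + host))
    return findings


def audit_lockfile_text(text):
    """Convenience wrapper for a lockfile read from disk."""
    return audit_lockfile(json.loads(text))


# Constructed lockfile (not from any real project); integrity values are placeholders.
# helper-sdk stands in for the legitimate-looking parent SDK described above.
SAMPLE_LOCK = """\
{
  "name": "trading-bot",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-bot",
         "dependencies": {"example-utils": "1.0.0", "helper-sdk": "1.2.0",
                          "polymarket-trading-cli": "^1.0.0"}},
    "node_modules/example-utils": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/example-utils/-/example-utils-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDERAAAA"},
    "node_modules/helper-sdk": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/helper-sdk/-/helper-sdk-1.2.0.tgz",
      "integrity": "sha512-PLACEHOLDERBBBB",
      "dependencies": {"@validate-sdk/v2": "^2.0.0"}},
    "node_modules/@validate-sdk/v2": {
      "version": "2.0.1",
      "resolved": "https://mirror.example.net/validate-sdk/v2-2.0.1.tgz"},
    "node_modules/polymarket-trading-cli": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/polymarket-trading-cli/-/polymarket-trading-cli-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDERCCCC",
      "hasInstallScript": true}
  }
}
"""

if __name__ == "__main__":
    for pkg, why in audit_lockfile_text(SAMPLE_LOCK):
        print("%-28s %s" % (pkg, why))
```

Run it against the lockfile before installing, and install with `npm ci --ignore-scripts` so a script-bearing package cannot run postinstall even when the audit is skipped; the resolved-host check needs the trusted set widened for private registries, and a denylist only catches names already reported, so the install-script and integrity findings are the ones that generalize.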

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into a terminal during a meeting should be treated as a malware drop; no legitimate meeting client works that way.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.