Federal prosecutors have linked the theft of $150 million in cryptocurrency from a crypto platform to the 2022 LastPass breaches. The hackers allegedly exploited vulnerabilities exposed in the LastPass hacks to steal a developer's decryption key, ultimately gaining access to the crypto platform's "hot" wallets. The indictment doesn't name the victimized crypto platform, but describes it as a "virtual currency exchange based in the United States." Two individuals, Russian national Ruslan Akhmetshin and an unnamed co-conspirator, are charged with money laundering and conspiracy to commit computer fraud. The indictment details Akhmetshin's alleged role in converting the stolen cryptocurrency into Bitcoin and then routing it through various channels to obscure its origin.
Huntress Labs researchers uncovered a campaign where Russian-speaking actors impersonated the Electronic Frontier Foundation (EFF) to distribute the Stealc information-stealing malware. Using a fake EFF domain and mimicking the organization's visual branding, the attackers lured victims with promises of privacy-enhancing tools, instead delivering a malicious installer. This installer deployed Stealc, designed to pilfer sensitive data like passwords, cookies, and cryptocurrency wallet information. The campaign leveraged the legitimate cloud storage service MEGA and utilized Pyramid, a new command-and-control framework, to manage infected machines. This represents a concerning trend of threat actors exploiting trusted organizations to distribute increasingly sophisticated malware.
Hacker News users discussed the sophistication of the Stealc malware operation, particularly its use of Telegram for command-and-control and its rapid iteration to incorporate features from other malware. Some questioned the attribution to Russian actors solely based on language, highlighting the prevalence of Russian speakers in the cybersecurity world regardless of nationality. Others pointed out the irony of using "EFF" in the impersonation, given the Electronic Frontier Foundation's focus on privacy and security. The effectiveness of the multi-stage infection process, including the use of legitimate services like Discord and Telegram, was also noted. Several commenters discussed the blog post's technical depth, appreciating the clear explanation of the malware's functionality and the investigation process. Finally, some users expressed skepticism about the actual impact of such malware, suggesting the targets are likely low-value and the operation more opportunistic than targeted.
Cybersecurity firm Kaspersky Lab has hired Igor Prosvirnin, a former bulletproof hosting provider operating under the moniker "Prospero." Prosvirnin and his company were notorious for harboring criminal operations, including malware distribution and spam campaigns, despite repeated takedown attempts. Kaspersky claims Prosvirnin will work on improving their anti-spam technologies, leveraging his expertise on the inner workings of these illicit operations. This move has generated significant controversy due to Prosvirnin's history, raising concerns about Kaspersky's judgment and potential conflicts of interest.
Hacker News users discuss Kaspersky's acquisition of Prospero, a domain known for hosting malware and spam. Several express skepticism and concern, questioning Kaspersky's motives and the potential implications for cybersecurity. Some speculate that Kaspersky aims to analyze the malware hosted on Prospero, while others worry this legitimizes a malicious actor and may enable Kaspersky to distribute malware or bypass security measures. A few commenters point out Kaspersky's past controversies and ties to the Russian government, furthering distrust of this acquisition. There's also discussion about the efficacy of domain blacklists and the complexities of cybersecurity research. Overall, the sentiment is predominantly negative, with many users expressing disbelief and apprehension about Kaspersky's involvement.
Thailand plans to cut off electricity to several border towns leased to Chinese businesses that are allegedly operating as centers for online scams, many targeting Chinese citizens. These compounds, reportedly employing forced labor, are linked to various illegal activities including gambling, cryptocurrency fraud, and human trafficking. This action follows pressure from the Chinese government to crack down on these operations and aims to disrupt these illicit businesses.
HN commenters are skeptical that cutting power will significantly impact the scam operations. Several suggest the scammers will simply use generators, highlighting the profitability of these operations and their willingness to invest in maintaining them. Others question the Thai government's true motivation, speculating about corruption and potential kickbacks from allowing the scams to continue. Some discuss the broader geopolitical context, mentioning the coup and the difficulty of exerting influence over the border regions. A few comments also delve into the technical aspects, discussing the feasibility of cutting power selectively and the potential for collateral damage to legitimate businesses and residents. The overall sentiment is one of doubt regarding the effectiveness of this measure and cynicism towards the Thai government's declared intentions.
Thailand has disrupted utilities to a Myanmar border town notorious for housing online scam operations. The targeted area, Shwe Kokko, is reportedly a hub for Chinese-run criminal enterprises involved in various illicit activities, including online gambling, fraud, and human trafficking. By cutting off electricity and internet access, Thai authorities aim to hinder these operations and pressure Myanmar to address the issue. This action follows reports of thousands of people being trafficked to the area and forced to work in these scams.
Hacker News commenters are skeptical of the stated efficacy of Thailand cutting power and internet to Myanmar border towns to combat scam operations. Several suggest that the gangs are likely mobile and adaptable, easily relocating or using alternative power and internet sources like generators and satellite connections. Some highlight the collateral damage inflicted on innocent civilians and legitimate businesses in the affected areas. Others discuss the complexity of the situation, mentioning the involvement of corrupt officials and the difficulty of definitively attributing the outages to Thailand. The overall sentiment leans towards the action being a performative, ineffective measure rather than a genuine solution.
The FBI and Dutch police have disrupted the "Manipulaters," a large phishing-as-a-service operation responsible for stealing millions of dollars. The group sold phishing kits and provided infrastructure like bulletproof hosting, allowing customers to easily deploy and manage phishing campaigns targeting various organizations, including banks and online retailers. Law enforcement seized 14 domains used by the gang and arrested two individuals suspected of operating the service. The investigation involved collaboration with several private sector partners and focused on dismantling the criminal infrastructure enabling widespread phishing attacks.
Hacker News commenters largely praised the collaborative international effort to dismantle the Manipulaters phishing gang. Several pointed out the significance of seizing infrastructure like domain names and bulletproof hosting providers, noting this is more effective than simply arresting individuals. Some discussed the technical aspects of the operation, like the use of TOX for communication and the efficacy of taking down such a large network. A few expressed skepticism about the long-term impact, predicting that the criminals would likely resurface with new infrastructure. There was also interest in the Dutch police's practice of sending SMS messages to potential victims, alerting them to the compromise and urging them to change passwords. Finally, several users criticized the lack of detail in the article about how the gang was ultimately disrupted, expressing a desire to understand the specific techniques employed by law enforcement.
A hacker tricked approximately 18,000 aspiring cybercriminals ("script kiddies") by distributing a fake malware builder. Instead of creating malware, the tool actually infected their own machines with a clipper, which silently replaces cryptocurrency wallet addresses copied to the clipboard with the attacker's own, diverting any cryptocurrency transactions to the hacker. This effectively turned the tables on the would-be hackers, highlighting the risks of using untrusted tools from underground forums.
HN commenters largely applaud the vigilante hacker's actions, viewing it as a form of community service by removing malicious actors and their potential harm. Some express skepticism about the 18,000 figure, suggesting it's inflated or that many downloads may not represent active users. A few raise ethical concerns, questioning the legality and potential collateral damage of such actions, even against malicious individuals. The discussion also delves into the technical aspects of the fake builder, including its payload and distribution method, with some speculating on the hacker's motivations beyond simple disruption.
KrebsOnSecurity reports on a scheme where sanctioned Russian banks are using cryptocurrency to access the international financial system. These banks partner with over-the-counter (OTC) cryptocurrency desks, which facilitate large transactions outside of traditional exchanges. Russian businesses deposit rubles into the sanctioned banks, which are then used to purchase cryptocurrency from the OTC desks. These desks, often operating in countries with lax regulations, then sell the cryptocurrency on international exchanges for foreign currencies like dollars and euros. Finally, the foreign currency is transferred back to accounts controlled by the Russian businesses, effectively circumventing sanctions. The process involves layers of obfuscation and shell companies to hide the true beneficiaries.
HN commenters discuss the complexities of Russia's relationship with cryptocurrency, particularly given sanctions. Some highlight the irony of Russia seemingly embracing crypto after initially condemning it, attributing this shift to the need to circumvent sanctions. Others delve into the technicalities of moving money through crypto, emphasizing the role of over-the-counter (OTC) desks and the difficulty of truly anonymizing transactions. Several express skepticism about the article's claims of widespread crypto usage in Russia, citing the limited liquidity of ruble-crypto pairs and suggesting alternative methods, like hawala networks, might be more prevalent. There's debate about the effectiveness of sanctions and the extent to which crypto actually helps Russia evade them. Finally, some comments point out the inherent risks for individuals using crypto in such a volatile and heavily monitored environment.
A French woman was scammed out of €830,000 (approximately $915,000 USD) by fraudsters posing as actor Brad Pitt. They cultivated a relationship online, claiming to be the Hollywood star, and even suggested they might star in a film together. The scammers promised to visit her in France, but always presented excuses for delays and ultimately requested money for supposed film project expenses. The woman eventually realized the deception and filed a complaint with authorities.
Hacker News commenters discuss the manipulative nature of AI voice cloning scams and the vulnerability of victims. Some express sympathy for the victim, highlighting the sophisticated nature of the deception and the emotional manipulation involved. Others question the victim's due diligence and financial decision-making, wondering how such a large sum was transferred without more rigorous verification. The discussion also touches upon the increasing accessibility of AI tools and the potential for misuse, with some suggesting stricter regulations and better public awareness campaigns are needed to combat this growing threat. A few commenters debate the responsibility of banks in such situations, suggesting they should implement stronger security measures for large transactions.
Brian Krebs's post details how a single misplaced click cost one cryptocurrency investor over $600,000. The victim, identified as "Nick," was attempting to connect his Ledger hardware wallet to what he thought was the official PancakeSwap decentralized exchange. Instead, he clicked a malicious Google ad that led to a phishing site mimicking PancakeSwap. Once he entered his seed phrase on that site, the attackers drained his wallet of various cryptocurrencies. The incident highlights the dangers of blindly trusting search results, especially when dealing with valuable assets. It emphasizes the importance of verifying website URLs and exercising extreme caution before entering sensitive information like seed phrases, as one wrong click can have devastating financial consequences.
Hacker News commenters largely agreed with the article's premise about the devastating impact of phishing attacks, especially targeting high-net-worth individuals. Some pointed out the increasing sophistication of these attacks, making them harder to detect even for tech-savvy users. Several users discussed the importance of robust security practices, including using hardware security keys, strong passwords, and skepticism towards unexpected communications. The effectiveness of educating users about phishing tactics was debated, with some suggesting that technical solutions like mandatory 2FA are more reliable than relying on user vigilance. A few commenters shared personal anecdotes or experiences with similar scams, highlighting the real-world consequences and emotional distress these attacks can cause. The overall sentiment was one of caution and a recognition that even the most careful individuals can fall victim to well-crafted phishing attempts.
A 19-year-old, Zachary Lee Morgenstern, pleaded guilty to swatting-for-hire charges, potentially facing up to 20 years in prison. He admitted to placing hoax emergency calls to schools, businesses, and individuals across the US between 2020 and 2022, sometimes receiving payment for these actions through online platforms. Morgenstern's activities disrupted communities and triggered large-scale law enforcement responses, including a SWAT team deployment to a university. He is scheduled for sentencing in March 2025.
Hacker News commenters generally express disgust at the swatter's actions, noting the potential for tragedy and wasted resources. Some discuss the apparent ease with which swatting is carried out and question the 20-year potential sentence, suggesting it seems excessive compared to other crimes. A few highlight the absurdity of swatting stemming from online gaming disputes, and the immaturity of those involved. Several users point out the role of readily available personal information online, enabling such harassment, and question the security practices of the targeted individuals. There's also some debate about the practicality and effectiveness of legal deterrents like harsh sentencing in preventing this type of crime.
Summary of comments (17): https://news.ycombinator.com/item?id=43296656
Hacker News commenters discuss the implications of the LastPass breach, focusing on the seemingly lax security practices that allowed the attackers to compromise a DevOps engineer's home computer and subsequently gain access to critical infrastructure. Several express frustration with password managers in general, highlighting the inherent risk of putting all of one's eggs in one basket. Some question the plausibility of a DevOps engineer having access to decryption keys on a home machine, while others debate the efficacy of multi-factor authentication (MFA) against sophisticated attacks. The conversation also touches on the potential for insider threats and the difficulty of securing home networks against determined attackers. Some commenters find the timeline presented by the DOJ dubious, suggesting a longer period of compromise than officially acknowledged.
The Hacker News comments section for the article "Feds Link $150M Cyberheist to 2022 LastPass Hacks" contains several compelling discussions related to the implications of the breach.
Several commenters discuss the apparent lack of technical details released by LastPass and the Justice Department. They express frustration that the exact mechanisms of the attack, how the hackers ultimately gained access to decrypt user vaults, and the specific vulnerabilities exploited are still unclear. This lack of transparency fuels speculation and limits the ability to learn from the incident. Some users question whether this lack of detail is intentional on LastPass's part to avoid further damage to their reputation.
A significant thread focuses on the use of cloud backups and the potential risks they pose if not properly secured. Commenters highlight the importance of encrypting backups with a separate key not stored in the same environment as the backed-up data. The LastPass incident, where developer backups were seemingly compromised, serves as a cautionary tale about the potential consequences of failing to implement robust backup security measures.
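The backup practice the commenters describe is envelope encryption: each backup is encrypted under a random data-encryption key (DEK), and only the DEK is wrapped with a key-encryption key (KEK) that lives outside the backup environment (an HSM, a KMS, or an offline store). The following is an added illustration written for this page, not code from LastPass or from the article; it uses only the Python standard library, so the cipher is an illustrative HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM, and the 32-byte KEK, the field names, and the sample vault bytes are all constructed for the example.

```python
import hashlib
import hmac
import os

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF keystream (HMAC-SHA256 over nonce||counter).
    Stands in for a real cipher such as AES-GCM; not for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def make_backup(kek: bytes, payload: bytes) -> dict:
    """Envelope-encrypt a backup. The archive stores the ciphertext and the
    wrapped DEK only; the KEK never enters the archive (constructed layout)."""
    dek = os.urandom(32)
    return {
        "wrapped_dek": seal(kek, dek),   # unwrappable only with the external KEK
        "ciphertext": seal(dek, payload),
    }


def restore_backup(kek: bytes, backup: dict) -> bytes:
    """Restore requires the KEK from the separate key store to unwrap the DEK."""
    dek = unseal(kek, backup["wrapped_dek"])
    return unseal(dek, backup["ciphertext"])


def restore_or_none(kek: bytes, backup: dict):
    """Convenience wrapper: None means the archive alone (or a wrong KEK)
    is not enough to recover the data, which is the property the thread wants."""
    try:
        return restore_backup(kek, backup)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: the KEK would come from a KMS/HSM, never from disk next to the backup.
    kek = os.urandom(32)
    archive = make_backup(kek, b"vault-blob: constructed sample data")
    print("restored with KEK:", restore_or_none(kek, archive))
    print("restored with archive only (wrong KEK):", restore_or_none(os.urandom(32), archive))
```

The point the thread makes falls out of the structure: an attacker who copies the backup store gets `ciphertext` and `wrapped_dek`, both useless without the KEK, whereas a deployment that leaves the KEK on the same host or in the same cloud account as the backups collapses back to a single point of compromise.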
Some commenters analyze the potential implications for password managers in general. They debate whether the LastPass incident indicates systemic issues with password managers as a whole or if it's solely a result of LastPass's specific security failings. The discussion touches upon the trade-off between convenience and security, with some suggesting alternative approaches like hardware security keys or distributed password management systems.
Another point of discussion revolves around the severity of the consequences for LastPass users. Some users argue that the potential for complete vault decryption is a catastrophic failure, while others downplay the impact, suggesting that the number of users actually affected by the $150 million heist is likely small. The conversation highlights the differing perspectives on the acceptable level of risk associated with password managers.
Finally, a few comments express skepticism about the link between the LastPass hacks and the $150 million cryptocurrency heist, pointing out that the indictment doesn't provide concrete evidence directly connecting the two events. They suggest the possibility that the indictment might be leveraging the high-profile LastPass breach to add weight to the prosecutors' case. This skepticism underscores the need for more transparency from law enforcement and LastPass to solidify the alleged connection.