Weekly News Digest 24 February – 02 March
Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!
Bybit exchange loses $1.46 billion in biggest ever crypto hack
Cryptocurrency exchange Bybit revealed on Friday (February 21) that an unknown attacker had stolen almost $1.5 billion worth of cryptocurrency from the exchange.
Experts have said this is the largest ever theft from a cryptocurrency platform.
“The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit said. “As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”
The cold wallet contained $1.46 billion worth of the Ethereum cryptocurrency, almost double what was stolen in the previous biggest reported cryptocurrency hack, the $620 million stolen from Axie Infinity’s Ronin network bridge in March 2022.
Bybit has said that all its other cold wallets and client funds are safe and that the exchange continues to operate as normal. It also said its security team is investigating the incident, and that it welcomes help from anyone with expertise to track down the funds.
Hundreds of convincing GitHub projects spreading malware to users
Researchers have found over 200 GitHub projects masquerading as a wide range of software and tools that were created as a part of a malware campaign called GitVenom that has been going on for at least two years. The campaign used these carefully crafted but fake GitHub projects to spread malicious files to unsuspecting users who think they may be cloning legitimate software projects.
The repositories look extremely convincing and come complete with legitimate-looking readme files, many commits to make them look like active projects that people have worked on, as well as Watchers, Forks, and Stars, again to make it look like people are interested in the projects. Given the quality of the project contents and the sheer number of them, the researchers reckoned that the projects were created with help from generative AI tools.
Another interesting feature of the campaign is the use of multiple programming languages for implementing the malicious code spread by the projects, including C, C#, C++, JavaScript, and Python. This was believed to be done to help evade detection by code review or scanning tools.
If a victim downloads the content from the fake projects and executes it, it may result in the downloading and execution of malware, including various infostealing Trojans, remote access Trojans (RATs), and backdoors. The attackers behind the campaign are particularly interested in cryptocurrency theft, installing a clipboard hijacking tool to detect and switch wallet addresses when a victim is performing a transaction. One of the Bitcoin wallets associated with the attackers has amassed a total of 5 BTC so far.
Auto-Color: New Linux backdoor targets government organizations
A new Linux backdoor dubbed Auto-Color was used in attacks between November and December 2024 to target universities and government organizations in North America and Asia.
Auto-Color is highly evasive, difficult to remove, and capable of maintaining access for extended periods, explained Palo Alto Networks’ Unit 42 researchers.
While the initial infection vector is unknown, the attack begins with the execution of a file disguised with benign names like “door”, “egg”, and “log”. If the malware runs with root privileges, it installs a malicious library implant (libcext.so.2), disguised as the legitimate libcext.so.0 library, copies itself to a system directory (/var/log/cross/auto-color), and modifies ‘/etc/ld.preload’ to ensure the implant is loaded before any other system library. If root access isn’t available, the malware still executes but skips the persistence mechanisms.
The malware decrypts command-and-control (C&C) server information using a custom encryption algorithm and validates the exchange via a random 16-byte value handshake. Custom encryption is used for obfuscation of C&C server addresses, configuration data, and network traffic, while the encryption key changes dynamically with each request to make detection more difficult.
Auto-Color can perform the following actions:
- Open a reverse shell, allowing the operators full remote access
- Execute arbitrary commands on the system
- Modify or create files to expand the infection
- Act as a proxy, forwarding attacker traffic
- Modify its configuration dynamically
The malware also has rootkit-like features and has a built-in “kill switch” that allows the attackers to delete infection traces from compromised machines to impede investigations.
Phishing attack hides JavaScript using invisible Unicode
Threat actors are using a new JavaScript obfuscation method in phishing attacks targeting affiliates of an American political action committee (PAC).
The attacks, which were uncovered by Juniper Threat Labs, utilize invisible Unicode characters to represent binary values. The technique involves exploiting the invisible Unicode characters Hangul half-width (U+FFA0) and Hangul full-width (U+3164). ASCII characters in the JavaScript payload are converted into an 8-bit binary representation and the binary values in it are replaced with invisible Hangul characters. The obfuscated code is stored as a property in a JavaScript object, and since Hangul filler characters are rendered as blank space, the payload in the script looks empty.
A bootstrap script retrieves the payload using a JavaScript Proxy get() trap. When the property is accessed, the Proxy converts the invisible characters back into binary and reconstructs the original JavaScript code.
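As an added example (not Juniper’s code, nor code from the campaign), the decoder and scanner below reverse the filler-character encoding described above so an analyst can recover and flag hidden payloads in a script. It assumes U+FFA0 stands for bit 0 and U+3164 for bit 1, which the digest does not specify, so it also tries the opposite mapping; the sample script it scans is constructed here.

```javascript
// Added example (not Juniper's code): decode and flag JavaScript payloads hidden
// in invisible Hangul filler characters, as described in the digest above.
// Assumption: U+FFA0 encodes bit 0 and U+3164 bit 1 (the digest does not say
// which is which), so the scanner also tries the opposite mapping.
const HALF = "\uFFA0"; // Hangul half-width filler (renders as blank)
const FULL = "\u3164"; // Hangul filler (renders as blank)

// Hide a plain ASCII string the way the digest describes: 8 bits per character,
// each bit replaced by an invisible filler. Used here only to build sample input.
function hideInFillers(text, zero = HALF, one = FULL) {
  return Array.from(text, (ch) =>
    ch.charCodeAt(0).toString(2).padStart(8, "0")
      .replace(/0/g, zero).replace(/1/g, one)
  ).join("");
}

// Reverse the mapping: every 8 filler characters become one ASCII character.
function revealFromFillers(blob, zero = HALF, one = FULL) {
  const bits = Array.from(blob, (ch) => (ch === zero ? "0" : "1")).join("");
  let out = "";
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

// Scan a script for runs of fillers long enough to hold at least one byte,
// decode each run with both bit mappings and keep the one that yields printable
// ASCII. Returns the findings an analyst would triage.
function findHiddenPayloads(source) {
  const runs = source.match(/[\uFFA0\u3164]{8,}/g) || [];
  const printable = /^[\x09\x0A\x0D\x20-\x7E]*$/;
  return runs.map((run) => {
    for (const [zero, one] of [[HALF, FULL], [FULL, HALF]]) {
      const decoded = revealFromFillers(run, zero, one);
      if (printable.test(decoded)) return { length: run.length, decoded };
    }
    return { length: run.length, decoded: null };
  });
}

// Constructed sample: a harmless snippet hidden in an object property, with a
// Proxy get() trap that would decode it on access, as the digest describes.
const SAMPLE_SCRIPT =
  `var cfg = { data: "${hideInFillers('console.log("hello")')}" };\n` +
  `var p = new Proxy(cfg, { get: (t, k) => revealFromFillers(t[k]) });`;
```

Running `findHiddenPayloads(SAMPLE_SCRIPT)` reports one 160-character run that decodes to the hidden `console.log("hello")`, which is the signal a mail or web gateway would want to surface: a string property that renders as blank yet decodes to code.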
The attacks, which took place in early January 2025, “were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” according to Juniper.
Cisco: Salt Typhoon exploited CVE-2018-0171 to target U.S. telcos
The Chinese nation-state-backed Salt Typhoon advanced persistent threat (APT) group gained access to core Cisco networking infrastructure by abusing a known security flaw tracked as CVE-2018-0171 and by obtaining stolen credentials, according to a new report from Cisco about the late 2024 hacking campaign aimed at major U.S. telecommunications companies.
“The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years,” said Cisco, describing the hackers as highly sophisticated and well-funded.
CVE-2018-0171 is a vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that can allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.
Apart from CVE-2018-0171, Cisco said it found no evidence that other known vulnerabilities have been weaponized by Salt Typhoon. However, a recent report from Recorded Future claimed that the APT group had exploited flaws tracked as CVE-2023-20198 and CVE-2023-20273 to infiltrate networks.
Ex Cyber Command boss says U.S. is falling behind
The U.S. is “increasingly behind” in cyberspace, with adversaries “continuing to be able to broaden the spectrum of what they’re able to do to us,” according to the former Cyber Command and National Security Agency chief, retired General Paul Nakasone.
Chinese state-backed actors are continually breaching U.S. telecoms organizations and other critical infrastructure targets, while the high level of ransomware activity illustrated that the country was “unable to secure our networks”.
Nakasone was speaking at the DistrictCon cybersecurity conference in Washington DC this weekend. He predicted that attacks would eventually lead to sabotage and outages. “We are starting to see the beginnings of the bleed from the non-kinetic to the kinetic for cyber operations,” he said. “What’s next is that we are going to see cyberattacks against a series of platforms being able to actually down platforms with ones and zeros”.
Attackers target Microsoft 365 user accounts with Basic Authentication
Attackers are reported to be targeting Microsoft 365 accounts with a password spray attack using the Basic Authentication method to sign in.
Basic Authentication is a less secure method for authentication that is used for service-to-service authentication and legacy protocols like POP, IMAP, and SMTP. The technique does not require any interaction from the user and usually does not require multi-factor authentication (MFA), which makes it an easier route for carrying out password spraying attacks.
Researchers believe that the recent attacks have come from a China-linked threat actor leveraging a 130,000-strong botnet to target Microsoft 365 users globally. Analysis of the command-and-control infrastructure used in the attacks points to a Chinese origin. China-linked threat actors have been highly active in compromising internet-connected devices to build botnets for use in numerous attacks.
Microsoft has been attempting to phase out the use of Basic Authentication for many years, with support for it being removed from a growing list of protocols and services since at least 2019. This year, in September 2025, it plans to remove Basic Authentication for Client Submission (SMTP AUTH) in Exchange Online to close off more routes for potential attacks.
Lazarus was behind record-breaking Bybit crypto hack
Notorious North Korean hacking group Lazarus (aka Appleworm) was behind last week’s record-breaking $1.46 billion hack of the Bybit cryptocurrency exchange.
“Funds stolen from Bybit are being commingled with funds from multiple Democratic People’s Republic of Korea-attributed thefts,” according to Tom Robinson, co-founder and chief scientist at Elliptic. Lazarus has been behind multiple cryptocurrency hacks in recent years, though this Bybit hack is by far the biggest one.
The hack occurred last Friday (February 21), as we reported in Monday’s TLB. The hackers were able to intercept a transfer from one of Bybit’s cold (or offline) Ethereum wallets to one of its hot (or online) wallets. The root cause of the attack is still being investigated; it has been speculated that it may have been caused by the exploitation of a vulnerability in the user interface of the Safe.global platform used by Bybit.
Crypto experts have said that this hack is also notable due to the speed with which Lazarus has been laundering the stolen funds. Within two days of the attack, Lazarus had reportedly funneled $160 million through illicit channels, putting it beyond the point of being recovered.
Lazarus is believed to carry out these attacks on cryptocurrency exchanges in order to steal money to fund the government regime in the isolated North Korea.
Sources:
Hacker steals record $1.46 billion from Bybit ETH cold wallet
$620 million in crypto stolen from Axie Infinity’s Ronin bridge
GitVenom attacks abuse hundreds of GitHub repos to steal crypto
Auto-Color: An Emerging and Evasive Linux Backdoor
Invisible obfuscation technique used in PAC attack | Official Juniper Networks Blogs
Weathering the storm: In the midst of a Typhoon
NVD – cve-2018-0171
RedMike Exploits Unpatched Cisco Devices in Global Telecommunications Campaign
Former NSA, Cyber Command chief Paul Nakasone says U.S. falling behind its enemies in cyberspace | CyberScoop
Botnet targets Basic Auth in Microsoft 365 password spray attacks
Office of Public Affairs | Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers | United States Department of Justice
Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) | Microsoft Community Hub