Risky Bulletin: North Korean Hackers Steal $1.5 Billion from Bybit
Host: risky.biz | Release Date: February 24, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird, with a script prepared by Catalin Cimpanu, delves into the latest and most pressing cybersecurity incidents from around the globe. This summary encapsulates the key discussions, insights, and conclusions drawn during the episode, providing a comprehensive overview for listeners and non-listeners alike.
Major Cyber Heist: Bybit Breach by North Korean Hackers
Timestamp: [00:04]
The episode kicks off with a significant security breach involving North Korean hackers who successfully stole over $1.5 billion in cryptocurrency assets from Bybit, the world's second-largest cryptocurrency exchange. Claire Aird highlights that this incident marks the largest crypto heist in history.
Details of the Attack:
- Infiltration Strategy: The attackers carefully penetrated Bybit's network and conducted an in-depth study of the company's internal procedures.
- Targeted Employees: By identifying and targeting employees responsible for approving transactions, the hackers deployed malware and malicious smart contracts.
- Execution of the Heist: On the day of the attack, staff members were deceived by a counterfeit user interface, leading them to sign malicious transactions unknowingly.
Bybit's Response:
- Bybit has pledged to allocate 10% of the recovered funds to individuals who assist in the asset recovery process.
- The stolen funds are reportedly being laundered by the North Korean hackers, complicating the recovery efforts.
Quote:
Claire Aird states, “Friday's hack was the largest crypto heist in history.” [00:04]
Apple’s Security Policy Change in the UK
Timestamp: [00:04]
Apple has announced the discontinuation of its advanced data protection feature for iCloud users in the United Kingdom. Launched in 2022, this feature allowed users to encrypt their iCloud content stored on Apple’s servers.
Reason for the Change:
- The decision follows requests from UK security services for special access to user data, prompting Apple to disable the feature.
- Existing users are required to disable advanced data protection by a specified deadline, although the exact date has yet to be announced.
Quote:
Claire Aird mentions, “Apple’s decision was announced after security services in the UK requested special access to user data earlier this year.” [00:04]
US Cyber Command Overhaul Initiated by Defense Secretary Pete Hegseth
Timestamp: [00:04]
In a move signaling a shift towards more aggressive cyber operations, US Defense Secretary Pete Hegseth has ordered the US Cyber Command to develop a comprehensive overhaul plan within the next 45 days. This comes after the Pentagon’s initial plan, approved at the end of the Biden administration, set a deadline of 180 days for the overhaul.
Context:
- Hegseth is among several new Trump appointees advocating for intensified cyber strategies.
- Last week, former NSA and Cyber Command head, General Paul Nakasone, warned that the US is trailing its adversaries in cyberspace, underscoring the urgency of the command's restructuring.
Quote:
Claire Aird reports, “Hegseth is one of many new Trump officials who've called for more aggressive US cyber operations.” [00:04]
Ransomware Attack on Palau’s Ministry of Health and Human Services
Timestamp: [00:04]
The Qilin ransomware group has claimed responsibility for a cyberattack targeting Palau's Ministry of Health and Human Services. This marks Palau’s third ransomware incident in six years, following previous attacks in 2019 and 2020.
Impact:
- Officials have stated that hospital care remains unaffected despite the breach.
- The Australian government previously intervened by deploying teams to assist Palau in rectifying vulnerabilities in spyware applications.
Security Breach in Stalkerware Apps: Cocospy and Spyic
Timestamp: [00:04]
A vulnerability in the stalkerware applications Cocospy and Spyic has led to the leakage of customer email addresses. Discovered by an anonymous security researcher, the flaw allowed tracking of user sign-ups.
User Base:
- Cocospy: Approximately 1.8 million users
- Spyic: Around 875,000 users
Both applications share infrastructure with the Chinese mobile app developer 711 ICU, as previously reported.
Belgian Cybersecurity Alert: Fake Security Audits
Timestamp: [00:04]
Belgium's cybersecurity agency has issued a warning to local companies regarding scammers posing as officials offering fake cybersecurity audits. These fraudsters claim affiliation with a non-existent federal cybercrime service and, once a company agrees to the audit, install unauthorized equipment on the targeted network, potentially drop-box devices, although the agency’s release lacks specificity.
Removal of Malicious Chrome Extensions
Timestamp: [00:04]
A suite of 16 malicious Chrome extensions has been purged from the Google Web Store. These extensions, posing as legitimate utilities like screen capture tools, ad blockers, and emoji keyboards, were designed to inject advertisements and manipulate search engine results.
Scale of Distribution:
- Identified by GitLab's security team, the extensions amassed over 3.2 million downloads before removal.
Quote:
Claire Aird notes, “A cluster of 16 malicious Chrome extensions has been removed from the Google Web Store.” [00:04]
Zero-Day Vulnerability in Parallels Desktop
Timestamp: [00:04]
Security researcher Mickey Jin has disclosed a critical zero-day vulnerability in Parallels Desktop, a popular virtualization product for macOS.
Background:
- The vulnerability circumvents a patch for an earlier bug, allowing attackers to gain root access on systems running Parallels Desktop.
- Jin revealed the issue after both Parallels and its vulnerability handler, ZDI, failed to address the problem for over seven months.
Esports Stream Fraud via Hacked YouTube Accounts
Timestamp: [00:04]
Cybercriminals are exploiting hacked YouTube accounts to live stream esports competitions, embedding malicious QR codes within the streams. These codes redirect viewers to phishing sites designed to steal Steam credentials or access crypto wallets.
Cases Identified:
- Security firm Bitdefender detected such malicious streams during at least two Counter-Strike tournaments.
- While the technique isn’t new, its application in the esports domain is an emerging threat.
Quote:
Claire Aird explains, “Scammers are using hacked YouTube accounts to live stream esports competitions and defraud viewers.” [00:04]
Social Media Bias in German Elections
Timestamp: [00:04]
Research by Global Witness reveals that platforms Twitter and TikTok disproportionately recommended content related to Germany's AfD (Alternative for Germany) party in the lead-up to parliamentary elections. Specifically:
- Twitter: 64% of political content recommended was linked to AfD.
- TikTok: A staggering 78% of recommended political content was AfD-related.
- Overall, right-wing content significantly overshadowed left-wing narratives, aligning with findings from recent DFR Lab research.
Chinese Security Firm TOPSEC’s Role in Internet Censorship
Timestamp: [00:04]
A leaked internal document from TOPSEC, a Chinese security firm, unveils its involvement in enforcing Internet censorship. According to SentinelOne, TOPSEC provides services to both government agencies and private sector companies, offering an API that detects and blocks content related to political criticism, violence, and pornography to comply with China's stringent internet regulations.
Extradition of Brazilian Man for Cryptocurrency Ponzi Scheme
Timestamp: [00:04]
US authorities have extradited a Brazilian national, Douver Braga, from Switzerland to face charges related to a $290 million cryptocurrency Ponzi scheme. Braga operated the investment platform Trade Coin Club from 2016 until its collapse in 2018, which left investors without returns.
Charges and Potential Penalty:
- Running a bitcoin Ponzi scheme.
- Failure to report earnings to the IRS.
- Potential sentencing of up to 20 years in prison if convicted.
MassGrave's Universal Exploit Targets Microsoft Software
Timestamp: [00:04]
A group of software crackers known as MassGrave has developed a universal exploit named tsforge, capable of bypassing software licensing controls to activate all versions of Microsoft Windows and Office. This exploit targets the Microsoft Software Protection Platform and has been integrated into the group's piracy toolkit, which is now available for public download.
Quote:
Claire Aird concludes, “A team of software crackers named MassGrave has deployed a universal exploit that can bypass software licensing controls and activate all versions of Microsoft Windows and Office.” [00:04]
Conclusion
This episode of Risky Bulletin underscores the escalating sophistication and frequency of cyber threats globally, ranging from large-scale financial heists and ransomware attacks to software vulnerabilities and misinformation campaigns. The discussions emphasize the critical need for robust cybersecurity measures, proactive threat intelligence, and international cooperation to mitigate these pervasive risks.
For more insights and updates on cybersecurity, tune into future episodes of Risky Bulletin.
