This Crypto Firm Was Hacked By A Single Poisoned File
By 813 Staff

Reported by The Hacker News (@TheHackersNews) within the last 24 hours: This Crypto Firm Was Hacked By A Single Poisoned File.
Source: https://x.com/TheHackersNews/status/2031023919742992558
The breach that compromised a major Southeast Asian cryptocurrency exchange last week did not start with a sophisticated zero-day or a phishing email. It began, according to internal documents and incident response reports, when a senior developer used Apple's AirDrop feature to share what he believed was a legitimate software library with a colleague. That file, as reported by The Hacker News (@TheHackersNews), was a trojanized package planted by the advanced persistent threat group tracked as UNC4899. The developer, working from a coffee shop, accepted an AirDrop request from a nearby device with an innocuous-looking name. Because AirDrop is a direct device-to-device transfer, the file never traversed the corporate network, and the network security layers built to stop inbound threats never saw it.
Engineers close to the project say the rollout of the firm's new wallet infrastructure has been anything but smooth, with teams under intense pressure to meet launch deadlines. This created an environment in which developers, trying to resolve dependencies quickly, may have relaxed standard operational security practices, such as obtaining libraries only from the approved registry and checking them against pinned hashes. The trojanized library established a backdoor, allowing UNC4899 to move laterally from the developer's laptop into the company's core development and staging environments. The threat actors then deployed custom malware designed to intercept transaction signing and substitute destination addresses, potentially enabling the theft of funds during customer withdrawals. The exact financial impact remains unconfirmed, as the forensic audit is ongoing.
This incident matters because it highlights a shift in the attack vectors used against high-value tech and finance targets. Perimeter defenses are increasingly robust, so adversaries are focusing on the human element and on trusted peer-to-peer channels like AirDrop, which operate outside corporate email and web filters. For startups and established firms alike, especially those handling digital assets, it underscores the weakness inherent in developer workflows and the danger of "shadow IT" practices, even when they are performed with good intentions. A secure network is irrelevant if the breach vector is a feature built into every employee's Apple device and trust is placed in the transport rather than in the integrity of the file itself.
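The practical check a developer in that coffee shop needed is independent of how the file arrived: a library received out of band should be accepted only if its hash matches the hash pinned in the project's lockfile. The following is an added example, not code from the article or from the exchange it describes. It assumes dependencies are pinned pip-style (name==version --hash=sha256:<hex>); the lockfile excerpt, the package name "wallet-lib" and the two sample payloads are constructed for the demonstration, and the "trojanized" payload is simply the good payload with extra bytes appended.

```python
"""Verify an out-of-band artifact against pinned sha256 hashes before use.

Added example (not from the article). Assumes a pip-style lockfile with
`name==version --hash=sha256:<hex>` entries, possibly continued with a
trailing backslash as pip accepts. Everything below is constructed.
"""
from __future__ import annotations

import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads standing in for a wheel/tarball received by AirDrop.
GOOD_PAYLOAD = b"wallet-lib 1.4.2: constructed legitimate archive bytes"
TROJANIZED_PAYLOAD = GOOD_PAYLOAD + b"\n# appended loader stage (constructed)"

# Constructed lockfile excerpt. The wallet-lib pin is derived from GOOD_PAYLOAD;
# the second entry uses a placeholder digest only to show multi-entry parsing.
LOCKFILE = f"""
# constructed requirements lock (--require-hashes style)
wallet-lib==1.4.2 \\
    --hash=sha256:{sha256_hex(GOOD_PAYLOAD)}
requests==2.32.3 --hash=sha256:{'0' * 64}
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<hex>[0-9a-f]{64})")


def parse_pins(text: str) -> dict[str, set[str]]:
    """Map 'name==version' to the set of allowed sha256 digests.

    Backslash-newline continuations are joined first, as pip does, so a pin
    whose hashes sit on the following line is still attributed correctly.
    """
    joined = text.replace("\\\n", " ")
    pins: dict[str, set[str]] = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        key = f"{m['name'].lower()}=={m['version']}"
        pins[key] = {h["hex"] for h in HASH_RE.finditer(line)}
    return pins


def verify_artifact(name: str, version: str, data: bytes,
                    pins: dict[str, set[str]]) -> tuple[bool, str]:
    """Accept the bytes only if this exact name/version is pinned AND the
    digest is in the pinned set. Unpinned packages are refused outright:
    a colleague saying "just use this one" is not a provenance record."""
    key = f"{name.lower()}=={version}"
    allowed = pins.get(key)
    if not allowed:
        return False, f"{key}: not pinned in lockfile, refusing"
    digest = sha256_hex(data)
    if digest not in allowed:
        return False, f"{key}: sha256 {digest[:16]}... does not match any pin"
    return True, f"{key}: sha256 matches pinned digest"


if __name__ == "__main__":
    pins = parse_pins(LOCKFILE)
    for label, payload in (("genuine", GOOD_PAYLOAD),
                           ("trojanized", TROJANIZED_PAYLOAD)):
        ok, msg = verify_artifact("wallet-lib", "1.4.2", payload, pins)
        print(f"{label:10s} -> {'ACCEPT' if ok else 'REJECT'}: {msg}")
    ok, msg = verify_artifact("wallet-lib", "1.5.0", GOOD_PAYLOAD, pins)
    print(f"{'unpinned':10s} -> {'ACCEPT' if ok else 'REJECT'}: {msg}")
```

The same check is what `pip install --require-hashes -r requirements.txt` enforces when every line carries a hash, and a wheel dropped into the project directory can be verified the same way before it is installed. The point of the explicit refusal on an unpinned name/version is that the failure mode in this incident was not a wrong hash but the absence of any hash check at all.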
What happens next involves a painful and public remediation. The exchange has temporarily halted withdrawals, a move that has shaken user confidence. Security teams are now racing to complete their investigation, identify every compromised system, and determine whether customer keys were exposed. The broader industry is watching for the final report, which will likely force a re-evaluation of bring-your-own-device policies and of proximity-based sharing services in professional settings. Whether UNC4899 successfully exfiltrated funds, and how the exchange will cover any losses, remains the most pressing unanswered question for its users and investors.

