HellCat ransomware hits 4 companies by exploiting Jira credentials stolen through infostealer malware, continuing their global attack spree.

Cybersecurity researchers at Hudson Rock have identified a new wave of cyber attacks by the HellCat ransomware group, this time targeting four companies across the United States and Europe. The common thread? Stolen Jira credentials, extracted by **infostealer malware** long before the actual breaches took place.

****Who Got Hit****

On April 5, 2025, HellCat posted proof of the breaches to their leak site, complete with countdown timers and their signature **“Jiraware < < 3!!”** tagline. According to their posts, they’ve stolen internal files, emails, and financial records, and they’re threatening to leak or sell the data if the companies don’t meet their demands.

The new victims include:

*   **Asseco Poland (Poland)** – a major IT solutions provider
*   **HighWire Press (USA)** – a platform serving scholarly publishers
*   **Racami (USA)** – a firm focused on customer communications tech
*   **LeoVegas Group (Sweden)** – an online gaming and betting company

****How They Got In****

According to Hudson Rock’s **report** shared with Hackread.com, the company traced every one of these breaches back to the same root cause: Jira credentials stolen by infostealer malware. These malware variants, **StealC**, **Raccoon, Redline**, and **Lumma Stealer**, harvested login info from infected employee machines months (sometimes years) before the actual attacks.

Once HellCat got their hands on those credentials, they logged into each company’s **Atlassian Jira environment**. From there, they moved through internal systems, grabbed sensitive data, and kicked off their typical ransomware process.

This isn’t a new tactic for them. HellCat has previously used the same method to breach Jaguar Land Rover, Telefonica, Schneider Electric, and Orange, among others. It’s a pattern: find credentials in infostealer logs, access Jira, exfiltrate data, and demand ransom.

Compromised infrastructure of US-based firm Racami (Screenshot: Hudson Rock)

It’s also worth pointing out that a **recent report** from Hudson Rock also revealed how infostealers, some sold for as little as $10, have compromised critical infrastructure worldwide. Even more concerning, the affected systems include employee machines at the FBI, Lockheed Martin, Honeywell, and branches of the US military.

****Why Jira?****

Jira is more than just a project management tool. In many companies, it’s the main system connected to development workflows, customer data, internal documentation, and system access controls. If attackers can get into Jira, they can often get into just about everything else.

That’s exactly what makes it such a high-value target for ransomware groups like HellCat. And because many organizations don’t treat Jira accounts with the same level of security as, say, email or VPN access, it becomes an easy win for attackers.

****The Bigger Problem: Infostealers****

Researchers believe that HellCat’s modus operandi only works because infostealer malware infect user devices and steal saved logins, cookies, session tokens, and more. The data is either **sold on dark web markets** or used directly by groups like HellCat.

Hudson Rock’s own data, based on over 30 million infected systems, shows that thousands of companies have Jira-related credentials stored in infostealer logs. In these latest cases, the stolen credentials were just sitting there, unmonitored and unchanged, giving HellCat all the time it needed to prepare the breach.

****What Companies Should Be Doing****

There are some steps companies can take to reduce the risk of attacks like these. First, it’s important to monitor for infostealer infections using tools that can flag stolen credentials before they’re used. If any signs of malware show up, compromised logins should be reset immediately, access reviewed, and suspicious activity tracked closely.

Jira, in particular, needs to be locked down with multi-factor authentication, restricted access, and proper network segmentation to limit how far an attacker can get if they break in. And since many of these infections start with phishing or bad downloads, regular employee training goes a long way in preventing them in the first place.

Nevertheless, HellCat isn’t doing anything out of the box because they don’t have to. As long as organizations leave stolen credentials unchecked and keep using single-layer authentication for tools like Jira, groups like HellCat will keep taking over.

HellCat Ransomware Hits 4 Firms using Infostealer-Stolen Jira Credentials

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over…

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over the world to immerse themselves in **virtual worlds**, participate in competitive matches, or simply relax with friends.

However, while gaming offers exciting experiences, it also exposes players to a range of cybersecurity threats and privacy risks. The risks are real, from data breaches and identity theft to malware infections and in-game scams.

This article will explore the common cybersecurity risks in online gaming and provide practical strategies to avoid them.

****Why Online Gaming Is a Target for Cybercriminals****

The online gaming industry has grown exponentially in recent years, with global revenues expected to reach $200 billion by 2025. This massive audience makes it an attractive target for cybercriminals.

Hackers and scammers exploit **vulnerabilities in gaming platforms**, user accounts, and in-game assets to make illicit gains. Gamers often store sensitive information, such as credit card details, addresses, and personal identifiers, which can be used for malicious purposes if compromised.

Furthermore, the popularity of multiplayer games and the constant online interaction provide ample opportunities for social engineering attacks and the spread of malware.

****Common Cybersecurity Risks in Online Gaming********Phishing Scams****

Phishing is one of the most common types of attacks targeting online gamers. Cybercriminals often impersonate game developers, customer support teams, or even fellow players to trick individuals into revealing sensitive information, such as login credentials or financial details.

****How to Avoid Phishing Scams:****

*   **Be cautious with emails and messages**: Always verify the sender’s email address or message source before clicking on any links or attachments. Legitimate gaming companies rarely ask for sensitive information via email.

*   **Check website URLs**: Before logging into any gaming platform, ensure that the website’s URL is correct and starts with “https://” to confirm it’s secure.

*   **Enable two-factor authentication (2FA)**: Most major gaming platforms offer 2FA, which provides an extra layer of security by requiring a second form of verification (such as a code sent to your phone) when logging in.

****Account Hacking and Credential Stuffing****

Many gamers use the same login credentials across multiple sites, making them easy targets for hackers who can obtain this information in a breach.

Credential stuffing attacks occur when hackers use previously leaked usernames and passwords from one breach to access accounts on other platforms.

****How to Avoid Account Hacking:****

*   **Use unique passwords**: Create strong, unique passwords for each gaming account to make it harder for hackers to gain access.

*   **Utilize password managers**: Password managers can generate and store complex passwords for all your accounts, reducing the risk of password reuse.

*   **Enable two-factor authentication (2FA)**: As mentioned earlier, 2FA is essential for protecting your accounts from unauthorized access.

****Malware and Ransomware****

Malware can be introduced into gaming systems in several ways, such as through malicious links, downloads, or third-party applications. Cybercriminals can **disguise malware as a legitimate game** or cheat tool to gain control of a gamer’s device, steal information, or lock it until a ransom is paid.

****How to Avoid Malware:****

*   **Download games from trusted sources**: Always download games and updates from official sources like the game developer’s website or recognized gaming platforms (e.g., Steam, PlayStation Store, Xbox Live).

*   **Use antivirus software**: Install reliable antivirus software that can detect and block harmful files and applications before they infect your system.

*   **Avoid third-party tools**: Be cautious when using third-party mods, cheat tools, or unofficial game servers, as they can often contain malware.

****In-Game Scams and Fraud****

Online gaming environments are ripe for scams, especially in multiplayer games with virtual economies. Scammers often target players by promising rare **in-game items**, currency, or cheats in exchange for real money, but once the transaction is made, the scammer disappears.

****How to Avoid In-Game Scams:****

*   **Stick to official transaction platforms**: Only buy in-game items or currency through trusted, official sources such as the game’s marketplace.

*   **Beware of “too good to be true” offers**: If someone promises rare items for an unreasonably low price, it’s likely a scam.

*   **Report suspicious behavior**: Many games have built-in reporting systems for fraudulent players. Always report suspicious activity to the developers or moderators.

****Social Engineering and Doxxing****

Social engineering attacks exploit a player’s trust, often through manipulation and deceit, to gain access to private information.

One of the more alarming risks is doxxing, where cybercriminals gather personal details about a gamer (such as real names, addresses, and phone numbers) and publish them online with malicious intent.

****How to Avoid Social Engineering and Doxxing:****

*   **Limit personal information sharing**: Avoid sharing personal details (like full name, address, or phone number) in online gaming communities, forums, or chat rooms.

*   **Review privacy settings**: Adjust privacy settings on gaming platforms and social media accounts to restrict who can access your information.

*   **Be cautious of friend requests**: Only accept friend requests or direct messages from people you know or trust in the game.

****DDoS Attacks****

Distributed Denial-of-Service (**DDoS**) attacks involve overwhelming a gaming server or player’s network with massive amounts of traffic, causing disruptions, lag, or crashes.

These attacks can also be used as a form of extortion, with hackers threatening to shut down a server unless a ransom is paid.

****How to Avoid DDoS Attacks:****

*   **Use VPN services**: A VPN can help mask your IP address and prevent attackers from targeting your network.

*   **Play on secure servers**: Opt for gaming platforms and servers that implement strong anti-DDoS measures.

*   **Monitor traffic patterns**: If you manage a gaming server, regularly monitor traffic and set up intrusion detection systems (IDS) to detect unusual activities.  
    

****How to Protect Yourself and Your Data in Online Gaming****

To safeguard your data and protect your gaming experience, here are some additional proactive measures you can take:

****Stay Updated****

Game developers frequently release patches and security updates to address vulnerabilities. Always keep your game software, gaming platforms, and operating systems up to date.

****Use a VPN for Gaming****

A **VPN for gaming** can significantly enhance your online security by masking your IP address and encrypting your internet connection. This helps prevent DDoS attacks and protects your personal information from being exposed to malicious players.

Additionally, a VPN allows you to bypass geo-restrictions, ensuring that you can access games and content from around the world securely.

****Use Secure Payment Methods****

When making in-game purchases, consider using secure payment methods like credit cards, PayPal, or trusted digital wallets instead of debit cards or direct bank transfers. These methods often provide better fraud protection.

****Educate Yourself on Cyber Hygiene****

Good cyber hygiene habits go a long way in securing your online presence. Regularly change passwords, check for unusual account activity, and avoid reusing passwords across different platforms.

****Practice Good Online Behavior****

Always exercise caution when interacting with other players online. Avoid clicking on suspicious links, be careful when downloading files, and never share personal information during gameplay.

****Protecting Yourself****

The thrill of online gaming should not come at the expense of your privacy and security. Cybersecurity risks, such as phishing, malware, account hacking, and in-game scams, are prevalent in the gaming world.

However, you can reduce your exposure to these threats by following best practices like enabling two-factor authentication, using strong passwords, avoiding suspicious links, and exercising caution when interacting with others.

Top/Featured Image by Tyler Lagalo on Unsplash!

Online Gaming Risks and How to Avoid Them

A new Neptune RAT variant is being shared via YouTube and Telegram, targeting Windows users to steal passwords and deliver additional malware components.

Cybersecurity researchers from CYFIRMA have revealed a new version of Neptune RAT, a remote administration tool targeting Windows devices. Marketed on platforms like GitHub, Telegram, and YouTube with claims of being the “Most Advanced RAT,” the malware is attracting both newcomers to cybercrime and seasoned hackers looking for a ready-made tool.

****What Is Neptune RAT?****

Neptune RAT is written in Visual Basic .NET and is designed to take control of a victim’s Windows computer. Although its creator says the software is provided for “educational and ethical purposes,” the tool’s capabilities suggest otherwise.

Designed to steal user credentials, replace cryptocurrency wallet addresses, and even lock files with ransomware features, Neptune RAT gives attackers comprehensive control over an infected system.

****How It Spreads****

The malware is distributed freely on social platforms. Rather than releasing the source code, the developer hides the executable file, making the analysis more complicated. Some of the malicious code even replaces parts of its strings with Arabic characters and emojis, which complicates reversing efforts by researchers. In its free version, Neptune RAT automatically generates PowerShell commands to download and run additional components hosted on file hosting service such as catbox.moe.

****Dangerous Capabilities****

Neptune RAT comes with a mix of modules that work together to compromise Windows computers, including the following:

*   **Credential Theft and Clipboard Hijacking:** The malware includes a password grabber that extracts login details from applications and popular web browsers. It also monitors the clipboard to detect cryptocurrency wallet addresses, replacing them with the attacker’s own.

Screenshot from NaptuneRAT’s official website (Credit: Hackread.com)

*   **Ransomware and System Damage:** Once activated, the RAT can encrypt files on the victim’s computer, extending their extensions to “.ENC, ”and drop an HTML file with ransom information. It may even corrupt system components like the Master Boot Record if an attacker wishes to render the system unusable.

*   **Evasion and Persistence:** To avoid being removed, the malware modifies registry values and adds itself to the Windows Task Scheduler. It also checks if it’s running in a virtual environment and stops execution if a virtual machine is detected. This combination of techniques helps it maintain a persistent foothold on the system.

*   **Additional Modules:** Separate DLL files add further capabilities, including bypassing user account controls, stealing data from various email and browser applications, and even enabling live screen monitoring.

Screenshot from NaptuneRAT’s official website shows the full list of its capabilities (Credit: Hackread.com)

****Protecting Your System****

Since Neptune RAT uses different strategies, both individuals and organizations need to act quickly to protect themselves. The best approach starts with some simple practices: only download software from sources you trust, make sure Windows and all your programs, especially security tools, are kept up to date, and regularly back up any important data.

It’s also a good idea to use anti-virus software that can keep an eye on both file changes and network activity, giving you better protection against anything suspicious.

****Expert Insight****

Satish Swargam, Principal Security Consultant at Black Duck in Burlington, Massachusetts, offered his perspective on Neptune RAT’s evolution. He explained that the malware uses advanced techniques to extract sensitive data from users, spreading through platforms like GitHub, Telegram, and YouTube in ways that slip past standard security tools.

“This tool is especially concerning because it can deploy ransomware to lock your files, leading to major interruptions for businesses until the ransom is paid. It also lets hackers spy on screens in real time and even swap clipboard contents with their own cryptocurrency wallet addresses,” Swargam noted.

He added that as the malware continues to add new features, similar to those shared online under the banner of educational software, organizations need to maintain constant monitoring, deploy strong endpoint defenses, and implement active threat detection measures to reduce the risk of compromise.

Neptune RAT Variant Spreads via YouTube to Steal Windows Passwords

USA secures extradition of criminals from 9 countries, including two brothers behind Rydox, a dark web market for stolen data and hacking tools.

The United States has successfully extradited a group of fugitives from nine countries to face charges ranging from murder and child abuse to running dark web cybercrime marketplaces and drug trafficking rings. The extradited fugitives came from the following countries:

1.  Israel
2.  Spain
3.  Mexico
4.  Kosovo
5.  Canada
6.  Thailand
7.  Colombia
8.  Germany
9.  Honduras

The extradited individuals include fugitives who’d evaded capture for over a decade, as well as newer suspects accused of exploiting the anonymity of the dark web. Here’s a breakdown of the most notable cases:

**Ardit and Jetmir Kutleshi, 26 and 28** (Kosovo → Pennsylvania): The brothers are accused of running Rydox, a dark web marketplace that sold stolen credit cards, hacked social media accounts, and tools for identity theft. Their platform allegedly fueled millions in fraud losses before law enforcement shut it down.

**Roberto Avina-Casillas, 30** (Mexico → Ohio): After 11 years on the run, Avina-Casillas now faces murder charges.

**Justin David Lanoue, 44** (Canada → Utah): A Canadian fugitive wanted since 2015 for child abuse charges in Utah.

**Dominik Rydz, 24** (Germany → Michigan): A Polish national accused of sexually assaulting a woman at a party in Michigan in 2023 and imprisoning her against her will. Rydz initially fled to Poland, then Germany, where he was nabbed via an Interpol Red Notice.

**Olof Kyros Gustafsson, 31** (Spain → California): Dubbed “El Silencio,” this Swedish entrepreneur allegedly ran a bizarre online scam: selling fake Pablo Escobar-branded flamethrowers, cellphones, and other nonexistent products to investors worldwide. Prosecutors say he pocketed millions by exploiting the late drug lord’s notorious reputation.

**Tien Vy Tai Truong, 46** (Thailand → California): A suspected kingpin in a methamphetamine trafficking ring, Truong allegedly tried to broker a deal with an undercover DEA agent to ship 200 pounds of meth to Australia. His arrest in Thailand marks a rare win in disrupting Asia-Pacific drug pipelines.

****Rydox Dark Web Marketplace****

Rydox was a cybercrime marketplace operating on the dark web from approximately February 2016 until its seizure in December 2024. It functioned as a platform for the sale of stolen personal information, access devices, and various cybercrime tools.

Over its operational period, Rydox facilitated more than 7,600 transactions, generating at least $230,000 in revenue. The marketplace offered over 321,000 products to a user base exceeding 18,000 individuals.

Items available for purchase included personally identifiable information (PII) such as names, addresses, and Social Security numbers; stolen credit card details; login credentials; and cybercrime tools like scam pages and spamming tutorials.

In December 2024, an international law enforcement operation led by the U.S. Department of Justice, in collaboration with authorities from Kosovo, Albania, and Malaysia, resulted in the seizure of Rydox’s domain and the arrest of its administrators. Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo and faced extradition to the United States to face charges, including identity theft and money laundering.

The seized Rydox dark web marketplace

A third individual, Shpend Sokoli, was arrested in Albania and was expected to be prosecuted there. Additionally, servers hosting the Rydox marketplace were seized in Kuala Lumpur, Malaysia, and approximately $225,000 in cryptocurrency linked to the defendants was confiscated.

The extradition of the Kutleshi brothers signals that law enforcement is stepping up its game in targeting the administrators of these illegal marketplaces, not just the end users. Additionally, the Gustafsson case shows how cybercriminals can exploit trust and celebrity culture (in this case, the Pablo Escobar brand) to deceive victims. This goes on to show why users must verify the legitimacy of online investments and products, especially when they seem too good to be true.

Brothers Behind Rydox Dark Web Market Extradited to US

Austin, TX, USA, 7th April 2025, CyberNewsWire

**Austin, TX, USA, April 7th, 2025, CyberNewsWire**

Deep visibility into malware-siphoned data can help close gaps in traditional defenses before they evolve into major cyber threats like ransomware and account takeover

SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections occur on devices with endpoint security solutions installed. SpyCloud offers integrations with leading endpoint detection and response (EDR) products, such as Crowdstrike Falcon and Microsoft Defender, that close this detection gap.

EDRs play a vital role in detecting, protecting against, and responding to threats on enterprise devices. Despite advanced AI detection and telemetry analysis offered in today’s EDR solutions, modern infostealer malware is designed to evade even the most sophisticated defenses, using tactics like polymorphic malware, memory-only execution, and exploitation of zero-day vulnerabilities or outdated software. The data speaks for itself: nearly one in two corporate users were already the victim of a malware infection in 2024, and in the year prior, malware was the cause of 61% of all breaches. 

SpyCloud’s findings underscore that while EDR and antivirus (AV) tools are essential and block a wide range of security threats, no security solution can block 100% of attacks. Organizations need to take a layered approach to close the gaps before attacks progress deeper into their environments, resulting in events like ransomware and account takeover.  

> “When a malware infection goes undetected, the consequences can be catastrophic,” said Damon Fleury, Chief Product Officer at SpyCloud. “We are in an arms race at the endpoint, where attackers are constantly evolving their tactics to skirt detection. SpyCloud provides a critical line of defense – uncovering infostealer infections that evade EDRs and AVs, detecting when stolen data begins circulating in the criminal underground, and automatically feeding that intelligence back to the EDR to quarantine the device and begin the post-infection remediation process.”

By closing this visibility gap, SpyCloud EDR integrations provide a new and powerful protection mechanism. Once malware exfiltrates credentials, personally identifiable information (PII), or session cookies, that stolen data becomes a launchpad for further entrenchment and compromise. SpyCloud helps stop cybercrime before it happens by identifying these identity risks early, mapping them back to impacted users, devices, and applications, and sending actionable intelligence to an organization’s EDR for response and remediation.  

> “As identity becomes the security perimeter, organizations need more than device-level protection; they need insight into what their endpoint solutions are missing,” added Fleury. “SpyCloud’s expertise in accessing malware logs before they’re broadly circulated among criminals enables faster, more targeted responses needed to address infections, prevent lateral movement, and block disruptive follow-on activities like admin lockout and ransomware deployment.”

To learn more about how SpyCloud can augment endpoint security strategy and remediate malware infections that EDRs and AVs may miss, users can **register to join SpyCloud’s upcoming virtual event on April 10**, where experts will walk through the data, explain the attack chain in detail, and demo how SpyCloud’s EDR integrations work in real-world scenarios. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

New Xanthorox AI hacking platform spotted on dark web with modular tools, offline mode, and advanced voice, image, and code-based cyberattack features.

A sophisticated new artificial intelligence (AI) platform tailored for offensive cyber operations, named Xanthorox AI, has been identified by cybersecurity firm SlashNext. First appearing in late Q1 2025, Xanthorox AI is reportedly circulating within cybercrime communities on darknet forums and encrypted channels.

According to SlashNext’s investigation, shared with Hackread.com ahead of its publishing on Monday, Xanthorox stands out from previous malicious AI tools like WormGPT, FraudGPT and EvilGPT due to its independent, multi-model framework. The system is based on five distinct AI models optimized for specific cyber operations.

These models are hosted on private servers under the seller’s control rather than public cloud infrastructure or openly accessible APIs. This unique setup sets Xanthorox AI apart from previous malicious tools that often relied on existing large language models (LLMs).

Xanthorox AI is a fully custom-built platform that uses “fully custom-built language models” instead of established models like LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling automated and interactive attacks.

Its modular design allows for future updates or the replacement of specific functionalities. Xanthorox AI also has built-in voice and image handling modules. It can perform live internet search scraping using over 50 engines, offering up-to-date information. It also offers offline functionality, allowing users to use it without a constant network connection. The platform also emphasizes data containment to eliminate third-party AI data collection risks.

The toolkit includes the Xanthorox Coder, which automates tasks such as code creation and script development, while Xanthorox Vision adds visual intelligence by allowing users to upload images or screenshots for analysis. Reasoner Advanced aims to replicate human-like decision-making, supporting tasks requiring logical consistency and persuasive communication.

The platform also facilitates voice-based interaction through real-time voice calls and asynchronous voice messaging, allowing hands-free command and control. Overall, Xanthorox AI offers a versatile hacking assistant representing a significant advancement in cyberattack capabilities, enabling more precise and scalable phishing campaigns and malware creation.

Screenshot: SlashNext

“Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations. From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant,” researchers wrote in their blog post.

Its emergence highlights the importance of adopting advanced AI-powered detection technologies, including AI-powered threat detection platforms capable of behavioural anomaly analysis and signature-less malware identification, email security solutions employing AI-based content and intent analysis, and network security measures incorporating AI-driven intrusion detection and prevention systems.

Casey Ellis, Founder at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, called it “a fascinating development,” noting that the cybercriminal ecosystem works like any service industry, with specialized groups and “startups” creating competitive advantages. He highlighted the thought and R&D behind the toolkit, the local model tuning that avoids reliance on major vendors, and praised the expert mix as the most effective way to build a flexible AI-powered attack platform.

Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

Crypto software wallets are invincible in the micro range. If you own multiple crypto assets, you need safe and reliable wallets, too.

Crypto wallets offer an extra layer of security against **malicious attacks** targeting everyday users. It’s not always easy to open your online crypto account every time you want to make a payment, and many merchants still don’t support direct crypto transactions. That’s where digital wallets step in. They make payments easier, but in 2025, the biggest concern around crypto wallets is safety.

That’s why it makes sense to focus on wallets that are both cost-effective and secure. Before choosing one, it’s important to understand how its security system works. At the same time, the wallet should be flexible enough to let you buy, sell, or stake crypto without hassle.

There are over a hundred crypto wallets available this year, but we’re going to focus on 10 that stand out as some of the safest options.

****1: Zengo****

The wallet has more than 380 coins. As you can do frequent transactions, we would categorize it as a hot wallet. Meanwhile, it is not a hardware-compatible wallet. The cost of maintaining the wallet is 19.99 every month. However, the annual subscription is only $129. 

They claim that they have been providing services to over 1.5 million customers and “0 wallets” have been hacked.

****Special features** **

It is the best wallet for security-conscious users. The strong and integrated security design can stop any kind of phishing crimes or bad entry gates. 

The company says that there are 1.5 billion customers who have had zero wallet attacks to date. 

****Benefits** **

Firstly, you get a secure infrastructure with this wallet. Moreover, you will get weekly software updates. You can easily buy or sell Crypto from the wallet. Therefore, it is a good option to keep your fiat currency in it. 

****Limitations** **

The price of the wallet is slightly on the higher side. Moreover, no hardware devices are compatible with it. Lastly, it allows only third-party access for withdrawals. 

Understandably, this measure is important from a security point of view. But it is stunted from the utility point of view. 

****2: Coinbase** **

This wallet can support more than 5500 cryptocurrencies. It is a hot wallet for sure. Like the previous one, it has no hardware wallet compatibility. But the best part is that it is a free wallet. This is the reason why it is more popular among users. Moreover, Coinbase has over **90 govt crypto assets** too. 

****Why should beginners use it?****

Beginners can use it for practice. It has easy navigation. You can use it on the website as well. Meanwhile, you can easily download it from various platforms and start using it without any concern. But it is the best option for the low-cost beginners. 

The company charges 0 network fees either. Plus, you can customize and minimize the wallet anytime. If you check the **BTC heatmap, you’ll see that Bitcoin has most of the investors’ shares**. Hence, you need a free wallet source for Bitcoin investors. 

****Benefits** **

It is the best option for beginners. Moreover, it is a low-cost platform with various amenities. You can trade more than 5500 coins over it. 

****Limitations** **

The wallet code is not an open-source code. You cannot generateay new address for every single transaction. It is not comfortable with the hardware assets. However, you can connect your ledger wallet to transfer assets. 

****3: Exodus****

The coin supports more than 281 currencies. It is a hot wallet for sure. However, the best part is that it is hardware-compatible. It is free of cost, too. 

****Why choose it?****

You can choose it as it makes slots to manage individual digital currencies on your mobile platform itself. The fiat payment methods are also separate. You can find them easily in your wallet. 

Lastly, you can use it to purchase or sell your coins. At the same time, you can swap or stake the coins easily. But the best part is that you can do all of these directly from your mobile phone. 

****Benefits** **

The platform offers intuitive integration across mobile and desktop. It also offers the same to and from any browser platform. The software wallet is compatible with hardware wallets like Trezor.

So, it is an exceptional quality which premium wallets also don’t offer often. 

****Limitations** **

Customer support is very limited. It is available through email only. There is no in-house exchange policy with this wallet. Lastly, it is not an open-source option.

****4: Electrum****

It is a bitcoin-only wallet. On that note, it is one of the major downsides of this wallet. However, you can treat it as a hot as well as a cold wallet. Moreover, it is hardware-compatible. But the best part is that it is free of cost.

****Why Should You Choose It?****

You should choose a wallet that’s tailored to secure your Bitcoin. And that’s Electrum for you. Moreover, the Electrum app is available over a range of platforms. 

****Benefits****

Firstly, it is a free and downloadable wallet option. At the same time, it is well compatible with all the hardware wallets. Lastly, its source code is auditable. You may also peer review the codes and send suggestions. 

****Limitations** **

The biggest drawback of the platform is that it does not have the best trading features. So, buying, selling, and staking are not options you can pursue on this platform. You may simply keep your Bitcoin safe here. 

Moreover, there are no customer support options here. You will get community support at best. Lastly, you need genuine technical expertise to develop your wallet. 

This wallet is widely used for managing Ethereum and ERC-20 tokens. It is a hot wallet and works as a browser extension or mobile app. While it doesn’t support hardware wallet integration by default, it can be connected to devices like Ledger. One major reason for its popularity is its simple interface and easy access to decentralized apps.

****Why Should You Choose It?****

If you’re working mostly with Ethereum and related tokens, MetaMask is a smart choice. It’s user-friendly, supports quick access to decentralized apps, and works smoothly across both mobile and browser platforms.

****Benefits****

MetaMask is free to use and easy to install on both desktop and mobile devices. It offers seamless access to Ethereum-based dApps, supports custom tokens, and can be connected to hardware wallets like Ledger for added security. It’s also open-source, so developers can review and contribute to its code.

****Limitations****

MetaMask is limited to Ethereum and ERC-20 tokens, so it’s not ideal if you deal with a wide range of cryptocurrencies. It doesn’t offer built-in options for staking or advanced trading. Customer support is minimal, and new users might find the interface a bit technical at first.

****6: Trust Wallet****

The wallet supports more than 10,000 cryptocurrencies, including all major tokens and coins. It is a hot wallet designed for frequent on-the-go transactions. Trust Wallet is not tied to any specific hardware wallet by default, but it does support hardware integration through third-party connections. The wallet is free to download and use, with no monthly subscription costs.

It’s owned by Binance, which adds a layer of credibility. The wallet has been downloaded over 60 million times and has maintained a strong track record with no major security breaches reported.

****Special features****

Trust Wallet is known for its built-in Web3 browser that lets users interact with decentralized apps (dApps) directly from within the wallet. It also supports staking of various coins and offers a secure backup feature using a single recovery phrase.

The wallet runs with a strong emphasis on user privacy. No personal data or KYC is needed to set up or use it.

****Benefits****

Trust Wallet is a beginner-friendly wallet that supports a huge range of assets. It includes built-in staking, token swapping, and direct access to dApps. It’s available on both Android and iOS platforms, and it also supports NFTs across multiple blockchains.

Since it’s backed by Binance, there’s strong ongoing development, regular security updates, and integration with popular tools.

****Limitations****

The wallet doesn’t come with its own in-house customer support; users rely on community forums or Binance channels for help. Although it can connect with Ledger, it’s not fully optimized for hardware wallet security. Also, as a mobile-only wallet, it may not suit users looking for a full desktop experience.

Lastly, being owned by Binance may raise concerns for users looking for more decentralized control.

The Crypto.com DeFi Wallet supports over 1000 cryptocurrencies and is designed as a hot wallet, allowing users to make frequent transactions with ease. It’s non-custodial, meaning users have full control over their private keys. While it isn’t tied directly to a hardware wallet, it can integrate with Ledger devices for added security. The wallet is completely free to use with no subscription or maintenance costs.

The wallet is part of the broader Crypto.com ecosystem, which has tens of millions of users globally. It is separate from the centralized Crypto.com app, giving users the option to keep their assets fully decentralized.

****Special features****

One of the standout features is the ability to stake and earn rewards on various assets directly from the wallet. It also includes token swapping, DeFi access, and NFT storage. Users get full control over their keys, with backup options via a recovery phrase.

The wallet is also open-source, which means its code is publicly auditable, a major plus for transparency and community trust.

****Benefits****

The wallet provides access to decentralized finance without sacrificing usability. You can connect it easily with the Crypto.com exchange or app for seamless transfers. There’s a built-in swap function that supports multiple chains, and the app is available on both iOS and Android.

Another benefit is the ability to stake coins directly from the wallet and earn passive income. The user interface is clean and intuitive, especially for users already familiar with Crypto.com’s services.

****Limitations****

Although the wallet offers Ledger integration, it’s not natively built for hardware security, so users must go through extra steps to sync. There’s no desktop version of the wallet; it’s mobile only, which might not suit all users.

Also, as with most DeFi wallets, there’s no way to recover your funds if you lose your recovery phrase. And while support exists, it may not be as responsive as that of fully centralized platforms.

****8: BitBox02****

BitBox02 is a hardware wallet that supports major cryptocurrencies like Bitcoin, Ethereum, and Litecoin, along with ERC-20 tokens. It’s a cold wallet, which means it stores your assets offline for maximum protection. Unlike hot wallets, it’s not meant for frequent daily transactions. It is a paid device, with a one-time cost of around $129, depending on where you buy it.

Developed by Shift Crypto, a Swiss company, BitBox02 is known for its strong focus on privacy, security, and open-source principles. It’s available in two versions: Bitcoin-only and multi-coin, giving users the option to choose based on their needs.

****Special features****

BitBox02 comes with a built-in screen and touch sensors for transaction confirmation, and it uses a microSD card for backup instead of the traditional 12 or 24-word recovery phrase. This makes backup and restoration more straightforward and secure for some users.

The wallet’s firmware and companion app are open-source, which allows for public audits and community contributions, a solid trust factor for security-focused users.

****Benefits****

As a cold wallet, BitBox02 offers high-end security. Your private keys never touch an internet-connected device. The use of a microSD card for encrypted backups is a unique feature that enhances safety and user convenience.

The device is lightweight, portable, and works with Windows, macOS, and Linux. It also supports Tor for added privacy, and users can verify all addresses on the device screen before sending transactions.

****Limitations****

BitBox02 isn’t ideal for those looking for a wallet for everyday use; it’s designed for long-term holding and security, not frequent trading. The supported coins list is more limited compared to some multi-coin software wallets.

It also doesn’t support mobile use; it must be connected to a computer. Finally, while the microSD backup system is secure, it’s a less familiar method that could confuse users accustomed to seed phrases.

****9: SafePal S1****

The SafePal S1 is a hardware wallet supporting over 10,000 cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Binance Coin (BNB), and various ERC-20 tokens. As a cold storage device, it keeps assets offline, enhancing security. The wallet operates independently without direct integration with other hardware wallets. Priced at $49.99, it offers a cost-effective solution for secure crypto storage.

****Special Features****

The SafePal S1 employs a 100% air-gapped signing mechanism, ensuring complete offline operation without Bluetooth, Wi-Fi, NFC, or USB connections. It features an EAL 5+ independent secure element, a true random number generator, multiple layers of security sensors, and an anti-tampering self-destruct mechanism. Additionally, its compact design, comparable to a credit card, enhances portability.

****Benefits****

Users benefit from managing unlimited tokens within a single device, with support for over 100 blockchains and continuous additions. The wallet integrates seamlessly with the SafePal App, providing access to decentralized applications (DApps) and facilitating cross-chain swaps and trades. Its user-friendly interface supports 15 languages, catering to a global audience.

****Limitations****

While the SafePal S1 offers robust security features, it lacks direct USB connectivity, relying solely on QR code scanning for transactions, which may be less convenient for some users. Additionally, as a hardware wallet, it requires physical possession for access, which might not suit users who prefer software-based solutions. Furthermore, being a relatively newer entrant in the hardware wallet market, it may not have the same extensive track record as some established competitors.

****10: Ledger Nano X****

The Ledger Nano X is a hardware wallet that supports over 5,500 cryptocurrencies, including major assets like Bitcoin (BTC), Ethereum (ETH), and Binance Coin (BNB). As a cold storage device, it keeps your private keys offline, providing enhanced security. The Nano X is compatible with both desktop and mobile devices via Bluetooth connectivity. Priced at $149, it offers a comprehensive solution for managing a diverse crypto portfolio.

****Special Features****

The Nano X features Bluetooth Low Energy (BLE) connectivity, allowing users to manage their crypto assets on the go through the Ledger Live app on smartphones. It incorporates a Secure Element (SE) chip, ensuring that private keys remain isolated and protected from potential threats. The device can install up to 100 apps simultaneously, accommodating a wide range of cryptocurrencies.

****Benefits****

The Ledger Nano X offers extensive support for a vast array of cryptocurrencies, making it suitable for users with diverse portfolios. Its Bluetooth functionality enhances user experience by enabling wireless management of assets via mobile devices. The integration with the Ledger Live app provides a unified platform for buying, selling, swapping, and staking various cryptocurrencies. Additionally, the device’s robust security features, including the Secure Element chip and custom operating system, offer peace of mind to users.

****Limitations****

While Bluetooth connectivity adds convenience, some users may have concerns about potential security risks associated with wireless connections. However, Ledger emphasizes that only non-sensitive data is transmitted via Bluetooth, and private keys never leave the device. The device’s price point of $149 may be considered high compared to other hardware wallets. Additionally, the battery is not replaceable, which could affect the device’s longevity.

Top Crypto Wallets of 2025: Balancing Security and Convenience

NSA and global cybersecurity agencies warn fast flux DNS tactic is a growing national security threat used in phishing, botnets, and ransomware.

A collaborative effort by international cybersecurity agencies, including the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ), has highlighted a critical security issue known as Fast Flux.

According to a joint advisory, both cybercriminals and state-sponsored actors are exploiting this new technique, which allows them to conceal malicious server locations and maintain persistent command and control (C2) infrastructure and has been declared a national security threat.

****Understanding fast flux****

Fast flux’s core mechanism lies in the dynamic manipulation of Domain Name System (DNS) records. By rapidly altering the IP addresses associated with a single domain, attackers effectively obfuscate the true location of their malicious servers. This rapid rotation renders traditional IP-based blocking methods ineffective, as the target IP address becomes obsolete almost immediately.

Research reveals that cybercriminals are employing two methods of fast flux- Single flux and Double flux. Single flux involves linking a single domain name to numerous, frequently rotated IP addresses, ensuring that even if one IP is blocked, the domain remains accessible.

Single Flux (Source: CISA)

Conversely, Double flux further enhances this obfuscation by also frequently changing the DNS name servers responsible for resolving the domain, adding another layer of anonymity.

Double Flux (Source: CISA)

“These techniques leverage a large number of compromised hosts,” CISA notes, often forming botnets, which act as proxies to hide the malicious traffic’s origin.

****Malicious Applications and the Role of Bulletproof Hosting****

CISA emphasizes that Fast Flux is not solely used for maintaining C2 communications. It plays a significant role in phishing campaigns, making social engineering websites difficult to take down.

Furthermore, “bulletproof hosting” (BPH) providers, who disregard law enforcement requests, are increasingly offering it as a service to their clients. This allows for the seamless operation of malicious activities like botnet management, fake online shops, and credential theft, all while providing a layer of protection against detection and takedown, and has been used in Hive and Nefilim ransomware attacks. One BPH provider even advertised the service’s ability to bypass Spamhaus blocklists, highlighting its appeal to cybercriminals. 

****Detection and Mitigation****

The agencies strongly recommend a multi-layered approach to detect and mitigate “fast flux” attacks. This includes leveraging threat intelligence feeds, implementing anomaly detection for DNS query logs, analyzing DNS record time-to-live (TTL) values, monitoring for inconsistent geolocation, and using flow data to identify unusual communication patterns.

 For organizations, agencies recommend DNS and IP blocking, reputational filtering, enhanced monitoring and logging, and phishing awareness training as potent mitigation strategies. It is crucial for organizations to coordinate with their Internet service providers and cybersecurity providers, particularly Protective DNS (PDNS) providers, to implement these measures, the advisory concludes.

John DiLullo, CEO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform, commented on the latest development, stating: This latest advisory will hit many organizations like a double espresso. Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit.”

“Fortunately, correlative detection techniques, especially those leveraging ‘low and slow’ Machine Learning methods, can defeat these intrusions handily. However, many companies’ infrastructures simply aren’t there yet. This is a significant wake-up call,” he warned.

NSA and Global Allies Declare Fast Flux a National Security Threat

A hacker, previously linked to the Tracelo breach, now claims to have breached Twilio’s SendGrid, leaking and selling data on 848,000 customers, including contact and company info.

A hacker using the alias Satanic is claiming responsibility for what could be a major breach involving SendGrid, a cloud-based email delivery platform owned by **Twilio**.

According to a post made earlier today, Thursday, April 3, 2025, on Breach Forums, a popular cybercrime platform, Satanic is offering the allegedly stolen data for $2,000 and has shared a sample to support the claim. In the post, the hacker stated:

> _“We would like to announce the breach of the largest Email Hosting Provider – SendGrid is cloud-based email infrastructure provides businesses with email delivery management. (3 April 2025).”_

Screenshot credit: Hackread.com

****What’s allegedly included in the breach?****

Satanic claims the database includes full customer and company information for 848,960 entities. Hackread.com’s research team analysed the sample data provided by the hacker, which included the following information:

*   Customer emails, phone numbers, physical addresses, cities, states, countries, social media profiles, and LinkedIn IDs

*   Company-level data such as domain names, revenue, employee counts, SEO performance, hosting providers, and rankings from services like Cloudflare and Tranco

*   Financials like revenue, operating income, net income, and other business metrics

*   Employee data and some public-facing executive details

*   Information on company tech stacks, including CMS platforms, payment solutions, and CRM tools

Additionally, among the companies listed in the sample data are Bank of America, Bazaarvoice, and the BBC. The data appears to be structured and highly detailed and includes dozens of metadata fields that go far beyond just contact information.

Each entry features web analytics metrics, internal email addresses (including those of high-level staff), phone numbers, geolocation data, and even insights into backend technologies and accessibility compliance. If the data is authentic, this could be more than a traditional leak.

Sample data leaked by the hacker (Screenshot credit: Hackread.com)

****Satanic’s track record****

This isn’t the first time that Satanic has been tied to a major data breach. In September 2024, the same hacker was behind the **Tracelo incident**, where personal data on 1.4 million users of a smartphone geolocation tracking service was leaked online. Beyond high-profile breaches, Satanic is also known in underground communities for distributing infostealer logs via Telegram.

****Twilio’s recent breach history****

This would also not be the first time Twilio, SendGrid’s parent company, has been associated with data exposures. **On July 4, 2024**, the hacker group ShinyHunters leaked a dataset containing 33 million phone numbers belonging to users of Twilio Authy, a two-factor authentication app.

Then, **in September 2024**, a separate breach exposed 12,000 call records through a third-party tool used by a Twilio customer. While neither incident confirmed a direct compromise of Twilio’s infrastructure, they did raise questions about data security.

****Still unconfirmed****

At the time of writing, Hackread.com has reached out to Twilio for comment. It’s important to note that these are unverified claims made by a hacker, and no official confirmation has been issued by Twilio or SendGrid.

However, given the nature of the sample and the profile of the individual making the claims, security teams and impacted organizations may want to take a closer look.

This is a developing story.

Hacker Claims Twilio’s SendGrid Data Breach, Selling 848,000 Records

Cybersecurity researchers at Jscamblers have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…

Cybersecurity researchers at Jscamblers have uncovered a sophisticated **web-skimming** campaign targeting online retailers. The campaign utilizes a legacy application programming interface (**API**) to validate stolen credit card details in real time before transmitting them to malicious servers. This technique allows attackers to ensure they are only harvesting active and valid card numbers, significantly increasing the efficiency and potential profit of their operations.

According to Jscrambler’s analysis, shared with Hackread.com, this web-skimming operation has been ongoing since at least August 2024. The attack starts with the injection of malicious JavaScript code, designed to mimic legitimate payment forms, into the checkout pages of targeted websites. This code captures customer payment information as it is entered. The second phase involves obfuscation using a base64-encoded string, which conceals crucial URLs from static security analyses, such as those performed by Web Application Firewalls (**WAFs**).

The key innovation in this campaign lies in its use of a deprecated version of the **Stripe API**, a popular payment processing service, to verify the card’s validity before the data is sent to the attackers’ servers. In the third stage, the legitimate Stripe iframe is concealed and replaced with a deceptive imitation, and the “Place Order” button is cloned, hiding the original. The entered payment data is validated using Stripe’s API, and card details, if confirmed, are quickly transmitted to a drop server controlled by the attackers. The user is then prompted to reload the page following an error message.

Researchers have identified that affected online retailers are primarily those using popular e-commerce platforms like **WooCommerce**, **WordPress**, and **PrestaShop**. They also observed **Silent Skimmer** variants, but not consistently.  Around 49 affected merchants, a figure suspected to be an underestimate, were identified, along with two domains used to serve the attack’s second and third stages. An additional 20 domains on the same server were also detected. Jscrambler reported that 15 of the compromised sites had addressed the issue.

Further probing revealed that the skimmer scripts are dynamically generated and tailored to each targeted website, indicating a high degree of sophistication and automated deployment. Researchers employed a brute-forcing technique, manipulating the Referrer header, to identify additional victims.

In one instance, the skimmer impersonated a Square payment iframe while in some other instances, the skimmer injected payment options, such as cryptocurrency wallets, dynamically inserting fake **MetaMask** connection windows. The wallet addresses associated with these attempts showed little to no recent activity, though.

In their **blog post**, researchers have warned Merchants to implement real-time webpage monitoring solutions to detect unauthorized script injections, whereas Third-Party Service Providers (TPSPs) can enhance security by adopting hardened iframe implementations to prevent iframe hijacking and form modifications.

Screenshot of the Iframed fake square payment form

“Jscrambler’s research team continues to track this campaign, and we urge all online merchants to prioritize security measures against client-side threats,” researchers concluded.

Source

HackRead