Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.  

In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.

**Remediation**

We released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).

**VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks**
Extension Name: Claude Code for VSCode

Instructions:

1. Open the list of Extensions (View->Extensions)
2. Look for Claude Code for VSCode among installed extensions
3. If you have a version < 1.0.24, click “Update” (or “Uninstall”)
4. Restart the IDE 

**All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio**
Plugin name: Claude Code [Beta]

Instructions:

1. Open the Plugins list
2. Look for Claude Code [Beta] among installed extensions
3. Update (or Uninstall) the plugin if the version is < 0.1.9
4. Restart the IDE

Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code \[beta\] versions 0.1.1 through 0.1.8 are vulnerable.

In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.

**Remediation**

We released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).

**VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks**  
Extension Name: Claude Code for VSCode

Instructions:

1.  Open the list of Extensions (View->Extensions)
2.  Look for Claude Code for VSCode among installed extensions
3.  If you have a version < 1.0.24, click “Update” (or “Uninstall”)
4.  Restart the IDE

**All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio**  
Plugin name: Claude Code \[Beta\]

Instructions:

1.  Open the Plugins list
2.  Look for Claude Code \[Beta\] among installed extensions
3.  Update (or Uninstall) the plugin if the version is < 0.1.9
4.  Restart the IDE

**References**

*   GHSA-9f65-56v6-gxw7

GHSA-9f65-56v6-gxw7: Claude Code Improper Authorization via websocket connections from arbitrary origins

### Impact
XSS - Errors in filters from website page change detection watches were not being filtered.

### Patches

0.50.4

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-hwpg-x5hw-vpv9: ChangeDetection.io XSS in watch overview

DUBAI, United Arab Emirates, 23rd June 2025, CyberNewsWire

**DUBAI, United Arab Emirates, June 23rd, 2025, CyberNewsWire**

*   Five dedicated bug bounty programs upgraded across 1inch core components, including smart contracts, wallet and infrastructure.
*   A community-first approach to strengthening DeFi security and resilience.

1inch, the leading DeFi aggregator, has launched an upgraded bug bounty initiative, covering five key areas of its platform, with rewards of up to $500,000. Through this initiative 1inch demonstrates its commitment to maintaining the highest level of security across its smart contracts, wallet, dApp, developer tools and infrastructure.

As DeFi continues to mature, so does the interdependence and complexity of its protocols – as well as the potential for vulnerabilities that are yet to be discovered. From smart contract exploits to infrastructure-level weaknesses, projects must contend with an ever-widening attack surface. By leveraging the efforts of the global white-hat hacker and security researcher community, 1inch aims to strengthen its architecture and encourage responsible disclosure.

**Community-Driven Security at Scale**

Each of the following bounty programs has a clearly defined scope and multi-tiered rewards to encourage maximum participation and impact:

**Bug bounty program 1: 1inch smart contracts – rewards of up to $500,000**

The 1inch ecosystem is built on interconnected smart contracts that aggregate liquidity from various decentralized exchanges to execute optimal token swaps. A detailed explanation of the program and rewards is available here.

**Bug bounty program 2: 1inch Wallet – rewards of up to $100,000**

This bounty program is centered on possible vulnerabilities in 1inch Wallet, a multi-chain non-custodial DeFi crypto wallet with an easy interface for secure storage and transactions. A detailed explanation of the program and rewards is available here.

**Bug bounty program 3: 1inch Developer Portal – rewards of up to $100,000**

The focus of this bounty program is the 1inch Developer Portal, a Web3 cloud SaaS (software as a service) platform featuring multiple APIs. A detailed explanation of the program and rewards is available here.

**Bug bounty program 4: 1inch dApp – rewards of up to $50,000**

The 1inch dApp is the No. 1 DeFi aggregator, offering access to the deepest liquidity and the best token swap rates on various DEXes. Its unique features include partial fill and the ability to find the best swap paths across multiple liquidity sources. A detailed explanation of the program and rewards is available here.

**Bug bounty program 5: 1inch infrastructure – rewards of up to $20,000**

This program focuses on identifying vulnerabilities that impact the 1inch platform’s overall infrastructure, complementing product-specific programs that are described above. A detailed explanation of the program and rewards is available here.

**Sergej Kunz, Co-founder of 1inch, said** “Through our new bug bounty programs, we invite external experts and white-hats to test the strength of our defenses. Even the most skilled in-house security teams, such as ours, can benefit from fresh perspectives. Better to pay bounties than pay for breaches.”

**About 1inch**

1inch accelerates decentralized finance with a seamless crypto trading experience for 23M users. Beyond being the top platform for low-cost, efficient token swaps with $1B in daily trades, 1inch offers a range of innovative tools, including a secure self-custodial wallet, a portfolio tracker for managing digital assets, a developer portal to build on its cutting-edge technology, and even a debit card for easy crypto spending. By continuously innovating, 1inch is simplifying DeFi for everyone. 

Website | Twitter/ X | Explore Blog

**Contact**

**PR lead**  
**Pavel Kruglov**  
**1inch Labs**  
**\[email protected\]**

1inch rolls out expanded bug bounties with rewards up to $500K

Last month, Telegram banned black markets that sold tens of billions of dollars in crypto scam-related services. Now, as those markets rebrand and bounce back, it’s done nothing to stop them.

One month ago, the messaging app Telegram summarily beheaded the online industry of Chinese-language crypto scam services: It banned virtually all accounts related to the first and second most popular marketplaces for vendors offering money laundering, stolen data, and a variety of other illicit wares to the vast criminal enterprises carrying out investment scams from compounds across Southeast Asia.

Then, Telegram watched impassively as those black marketeers rebranded, rebuilt, and returned to business as usual on the messaging service's platform.

On Monday, crypto tracing firm Elliptic published a new report showing how the industry of Telegram-based Chinese-language black markets for crypto scammers has bounced back in the wake of Telegram's takedown last month of the two biggest of those bazaars, known as Haowang Guarantee and Xinbi Guarantee. Before Telegram banned the two markets' channels and usernames on May 13, they had together enabled a staggering $35 billion in transactions, much of which represented money laundering by crypto scam operations that steal billions from Western victims and force tens of thousands of people to carry out scams in forced labor compounds across Cambodia, Myanmar, and Laos. Since Telegram's purge, however, Elliptic has found that other smaller markets have now grown to almost entirely fill the vacuum those two key marketplaces left behind—and Telegram appears to have no plans to stop them.

In particular, one market called Tudou Guarantee, partially owned by Huione Group, the same parent company as the now-defunct Haowang Guarantee, has more than doubled in size, likely taking in many of the scammer-friendly services displaced by Telegram's bans and again enabling those fraudsters' billions of dollars a year in illicit revenue. Its main channel now has 289,000 users by Elliptic's count, close to the 296,000 users that Haowang Guarantee had at the time Telegram banned it. Xinbi Guarantee, too, has relaunched on new channels and regained hundreds of thousands of users, Elliptic says. In terms of sales, Tudou is now enabling around $15 million a day in crypto payments, close to the $16.4 million Haowang was facilitating daily, according to Elliptic.

“Telegram recognized this was illicit activity and the kind they didn't want to be hosting, and so they deleted the channels and banned the associated usernames. But it was clear that these people wouldn't just give up, that they would transfer to different marketplaces,” says Tom Robinson, Elliptic's cofounder. “These scammers have inflicted misery on millions of victims around the world, stealing billions of dollars. Unless these marketplaces are actively pursued, they will continue to flourish.”

Elliptic shared posts with WIRED from Tudou Guarantee—now by some measures the biggest black market on the internet—which show examples of money laundering services, offers of scam website development, and vendors selling stolen personal data that scammers use for targeting. Another Tudou post explicitly offers prostitution, including references to possible minors: “Students, queens, lolita,” the post states next to pictures of young women. “All available!!”

WIRED reached out to Tudou Guarantee for comment via an administrator's Telegram account but didn't receive a response.

Before they were taken down by Telegram, Xinbi Guarantee and Haowang Guarantee displayed similar posts offering explicitly illegal services in all those categories and more. Like the newly ascendant Tudou Guarantee, those other “Guarantee” marketplaces didn't directly sell services, but instead offered escrow and deposit features that prevent vendors from defrauding customers.

When WIRED asked Telegram in May about a report from Elliptic that focused on Xinbi Guarantee's criminal offerings, Telegram responded with a broad purge: It banned not only Xinbi's accounts but also those of Haowang Guarantee, the much larger market that had persisted for three years, enabled around $27 billion in transactions, and sold scam industry services as explicit as the batons and shackles used to imprison forced laborers in scam compounds.

In a statement sent to WIRED at the time, Telegram spokesperson Remi Vaughn wrote that “communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down,” and added that “criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered.”

Since then, however, Elliptic has continued to share its findings about apparent money laundering activity on ten other markets, including Tudou Guarantee, in a Telegram group that included a WIRED reporter and a Telegram spokesperson. Yet Telegram didn't take down any of the accounts related to the black markets Elliptic highlighted. Xinbi Guarantee has, in fact, rebuilt at new accounts without even rebranding. It still hasn't faced new account bans, despite Telegram itself stating that the market's content violated its terms of service.

In a statement to WIRED, a Telegram spokesperson defended the company's apparent decision not to ban the rebounding black markets. “The channels in question predominantly involve users from China, where rigid capital controls often leave citizens with little choice but to seek alternative avenues for moving funds internationally,” the statement reads. "We assess reports on a case-by-case basis and categorically reject blanket bans—particularly when users are attempting to circumvent oppressive restrictions imposed by authoritarian regimes. We remain unwavering in our commitment to safeguarding user privacy and defending fundamental freedoms, including the right to financial autonomy.”

Elliptic's Robinson rejects that argument. “We've been researching these marketplaces for nearly two years now, and they're not about helping people achieve financial autonomy,” Robinson says. “These are marketplaces that primarily facilitate money laundering for the proceeds of fraud and other illicit activity."

Erin West, a former prosecutor who now leads the nonprofit Operation Shamrock, an organization focused on disrupting crypto scam operations, states her accusation against Telegram more simply. “These are bad guys, enabling bad-guy business on their bad-guy platform,” West argues. “They have the ability to shut down a scam economy and the trafficking of human beings. Instead, they’re hosting Craigslist for crypto scammers.”

Telegram's seemingly inconsistent approach to banning crypto-scam black markets may have less to do with its principles of “financial autonomy” than with trying not to run afoul of the US government, says Jacob Sims, a visiting fellow at Harvard University's Asia Center. In early May, the US Treasury's Financial Crimes Enforcement Network officially labeled Huione Group a “primary money laundering concern.” Sims argues that designation, which referred directly to Haowang Guarantee but not Tudou Guarantee, may have spurred Telegram to take action—and that it may take another similar move at the government level to push Telegram to act again.

“Ultimately, last month's crackdown shows how disruptive Telegram can be when it does cooperate, but it also shows how fast the scammers are going to adapt,” Sims says. “There's no real legal culpability that tech companies have for what happens on their platform unless there's a specific case brought to their attention by law enforcement. And so, until that changes, I just don't know what incentive they have to be proactive.”

_Updated at 2:30 pm ET, June 23, 2025: Clarified the period during which Haowang Guarantee had approximately 296,000 users._

Telegram Purged Chinese Crypto Scam Markets—Then Watched as They Rebuilt

A series of fraudulent text messages impersonating state Departments of Motor Vehicles (DMVs) has spread throughout the United…

A series of fraudulent text messages impersonating state Departments of Motor Vehicles (**DMVs**) has spread throughout the United States tricking thousands of Americans into handing over sensitive personal and financial information.

According to Check Point Research, the campaign first identified in May 2025 used spoofed SMS messages and fake websites to exploit public trust in local authorities and collect data on a large scale.

****Unpaid Tolls and Threats of License Suspension****

Victims reported receiving texts warning of unpaid toll violations or legal penalties. The messages urged immediate action, threatening consequences such as license suspension. Included was a link directing recipients to what appeared to be a state DMV site. In reality, these were convincing clones, designed to match the visual identity of each targeted state.

Once on the fake site, victims were asked to pay a small fee and enter personal details including full name, address, email, phone number and credit card information. While the payment amount was often under seven dollars, the real damage came from the data collection.

****A Well-Built Scam Network****

The infrastructure behind the attack was anything but random. Most of the fraudulent sites followed a clear naming pattern that mimicked real DMV URLs. According to Check Point’s **blog post**, a large number of domains were hosted on the same IP address, 49.51.75162, which has a known history of malicious activity. The sites focused on high-population states like California, Texas, New York, and Florida. However, States directly impacted by the campaign included:

*   Texas
*   Florida
*   Georgia
*   New York
*   California
*   New Jersey
*   Pennsylvania

Despite the wide distribution of domains and hosting servers, the **phishing kit** used was consistent. Each fake DMV site loaded the same set of JavaScript, CSS, and image files. The design work, behaviour, and codebase point to a centralized development effort, not the work of independent copycats.

Examples of some of the fake DMV texts scam messages received by users

****Evidence Points to China-Based Threat Actor****

Check Point researchers have spotted several indicators linking this operation to a China-based group. All domains shared name servers from a Chinese provider alidns.com, and the SOA contact email pointed to hichina.com.

Additionally, source code comments were written in Chinese, and the phishing kit itself matched patterns found in a toolkit known as “Lighthouse,” previously used by Chinese threat actors from the **Smishing Triad** in attacks targeting US DMVs.

Although direct attribution is always difficult, the overlap in infrastructure, coding language, and phishing toolkit suggests a well-resourced operation likely running from **China** or by Chinese-speaking operators.

****Impact and Public Response****

CPR noted that the scope of this attack is among the most extensive **smishing campaigns (SMS Phishing)** in the US this year. The FBI’s Internet Crime Complaint Center (IC3) received over 2,000 related complaints in just one month. Cybersecurity researchers believe the real number of victims is much higher, as many may have dismissed the incident due to the low dollar amount involved.

The story reached national outlets including **CBS News**, causing officials to act quickly. DMV and Department of Transportation websites across multiple states issued public warnings. They reminded residents that toll-related matters are never handled via unsolicited texts and urged victims to report the scams.

****What You Can Do****

This campaign is just another example of how a malicious text message, small dollar amounts, and the appearance of government authority can still trick thousands of unsuspected users. Therefore, users and organisations must pay attention to what they are responding to and following these tips:

*   Block abuse-prone domain extensions such as .cfd and .win.
*   Proactively alert the public about scams through official channels.
*   Go directly to the official DMV website by typing the URL in your browser.
*   Do not click on links in unexpected text messages about fines or legal matters.
*   Report scam messages to 7726 (SPAM) and file complaints at reportfraud.ftc.gov.

Fake DMV Texts Scam Hit Thousands in Widespread Phishing Campaign

Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

Russian hackers have bypassed Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks, according to security researchers at Google Threat Intelligence Group (GTIG).

The hackers pulled this off by posing as US Department of State officials in advanced social engineering attacks, building a rapport with the target and then persuading them into creating app-specific passwords (app passwords).

App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Normally, when you sign in to your Google account, you use your regular password plus a second verification step like a code sent to your phone. But since some older or less secure apps and devices—like certain email clients, cameras, or older phones—are unable to handle this extra verification step, Google provides app passwords as an alternative way to sign in.

However, because app passwords skip the second verification step, hackers can steal or phish them more easily than a full MFA login.

In an example provided by CitizenLab, the attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation.

Although the invitation came from a Gmail account, it CCed four @state.gov accounts, giving a false sense of security and making the target believe that other people at the State Department had monitored the email conversation.

Most likely, the attacker fabricated those email addresses, knowing that the State Department’s email server accepts all messages and does not send a bounce response even if the addresses do not exist.

As the conversation unfolded and the target showed interest, they received an official looking document with instructions to register for an “MS DoS Guest Tenant” account. The document outlined the process of  “adding your work account… to our MS DoS Guest Tenant platform,” which included creating an app password to “enable secure communications between internal employees and external partners.”

So, while the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.

The targets of this campaign, which ran for months, were prominent academics and critics of Russia, and was set up with so much attention for details and skill that the researchers suspect the attacker was a Russian state-sponsored entity.

**Be safe, avoid app passwords**

Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future. Here’s how to stay safe:

*   Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
*   The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
*   Regularly educate yourself and others about recognizing phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
*   Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. And limit those logins where possible.
*   Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.
*   Use security software that can block malicious domains and recognize scams.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Gmail&#8217;s multi-factor authentication bypassed by  hackers to pull off targeted attacks 

Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular **Minecraft cheat mods**, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.

**Malware Hidden Inside Mods**

The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.

According to CPR’s **blog post**, first came a Java-based downloader. After confirming the user was running Minecraft and not a sandboxed or virtual environment, it dropped the download of a second-stage stealer which harvested login credentials and other sensitive files.

The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and **crypto wallets.** It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.

****Russian-Speaking Attacker Suspected****

Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was **previously seen in July 2024** distributing malware through more than 3,000 fake GitHub accounts.

In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.

Malicious GitHub repositories (Image via CPR)

****Why Minecraft Was the Perfect Target****

Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.

The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.

This is why in October 2021, Minecraft was identified as **the most malware-infected game** after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.

****What Players Should Do****

This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:

*   Stick to mods from well-known and verified platforms.
*   Make sure your antivirus and security updates are current.
*   Avoid any mod claiming to offer hacks, cheats or automation.
*   Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.

Fake Minecraft Mods on GitHub Found Stealing Player Data

Scammers used Inferno Drainer to steal $43,000 in crypto from 110 CoinMarketCap users through a fake wallet prompt embedded in the site’s front-end.

A coordinated crypto theft operation targeting CoinMarketCap users has been exposed after leaked images surfaced from a Telegram channel known as TheCommsLeaks. The attack used a convincing wallet connection prompt embedded in CoinMarketCap’s own interface, tricking users into handing over access to their wallets. The result? more than $43,000 worth of crypto funds drained in hours.

According to Tammy H, a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare.io, a Canada-based cybercrime intelligence firm, the attack was carried out using Inferno Drainer, a known wallet-draining toolkit that’s been linked to previous campaigns.

****A Pop-Up with a Price****

The method was simple but effective. Users visiting CoinMarketCap were presented with a prompt asking them to “Verify Your Wallet” to access features. It looked identical to legitimate pop-ups seen on the platform, giving users no reason to doubt it. However, once connected, wallets were quietly emptied of whatever assets they held.

Video credit: apoorv.eth on X (Twitter)

A source cited in the leak claimed the prompt appeared across nearly every page on the site. “Make it where it appears on every page,” read one message. “Most people have coins pinned… the second they render the site.”

The attacker seemed focused on increasing visibility and maximizing wallet connections. Some reports suggest that even the connect button began malfunctioning due to being rendered too many times.

****Inside the Leak****

As per Tommy H’s analysis, the Telegram channel TheCommsLeaks began sharing details around 7:30 PM local time on June 20. The messages included screenshots showing a live dashboard used by the attacker. These visuals displayed wallet connections, token transfers and total values drained in real time.

Early numbers showed 67 successful hits and over 1,300 wallet connections. The payout was already past $21,000 within the first wave. By the time the campaign ended, the final haul had climbed to $43,266, drained from 110 victims.

Tokens siphoned off included SOL, XRP, EVT, and smaller coins like PENGU and SHDW. One transaction involving $1,769 in XRP was linked to a wallet visible on BscScan, offering public confirmation of the theft.

However, the researcher noted that not every attempt succeeded. Logs from the attacker’s toolkit also showed multiple failed drains, typically due to wallets holding unsupported tokens or negligible balances.

Attackers on Telegram

****What Happened on CoinMarketCap?****

After growing speculation over whether the attack came from a spoofed domain, CoinMarketCap addressed the issue directly. In a statement published on X, the company said a doodle image displayed on their homepage had triggered malicious code through an embedded API call. This vulnerability caused the unauthorized wallet prompt to appear for some users.

The company confirmed that its security team responded immediately after detecting the issue. The malicious content was removed, and internal systems were patched to prevent further abuse.

“All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the company stated, adding that it continues to monitor the situation and provide support.

This incident goes on to show how small interface changes, even those involving something as harmless as a homepage doodle, can be leveraged for large-scale damage. While the use of a legitimate platform’s own environment to deploy malicious prompts is extremely concerning, it reflects how easily trust in familiar interfaces can be misused.

In a separate incident reported by Hackread just last week, scammers exploited search ads to trick users into calling fake support numbers shown on real websites like Apple and PayPal. Though technically unrelated, both cases show how attackers rely on user assumptions about what’s safe to interact with online.

For now, users are advised to avoid connecting wallets directly through pop-ups and verify any prompt against the platform’s official guidance. If something looks familiar, that doesn’t always mean it’s safe.

Scammers Use Inferno Drainer to Steal $43K from CoinMarketCap Users

The social network started experiencing global outages within minutes of Donald Trump posting details of a US military strike on Iran.

Truth Social malfunctioned on Saturday night amid President Donald Trump’s announcement that the United States had bombed Iran’s nuclear facilities.

Starting around 8 pm ET on Saturday, attempts to load the social network, which is owned by Trump Media & Technology Group (TMTG), displayed error messages. “Network failed,” a message on Truth Social reads. “Please try again.”

Trump’s initial Truth Social announcement that the United States had entered Israel’s war against Iran posted at 7:46 pm ET, stating that the US had waged a “very successful attack on the three Nuclear sites in Iran, including Fordow, Natanz, and Esfahan.” Trump’s account on the social media platform X posted a screenshot of the bombing announcement at 7:53 pm ET.

“All planes are now outside of Iran air space. A full payload of BOMBS was dropped on the primary site, Fordow,” Trump continued. “All planes are safely on their way home. Congratulations to our great American Warriors. There is not another military in the World that could have done this. NOW IS THE TIME FOR PEACE! Thank you for your attention to this matter.”

Trump frequently shares posts to Truth Social about issues of national and international importance. The president appeared to post multiple times after news of the US bombings against Iran were first announced. Trump’s stake in Truth Social’s parent company, TMTG, is currently worth more than $2 billion.

DownDetector, a website that crowdsources service outages, saw an influx of reports of Truth Social going down around 8 pm. The reason for the apparent outage was not immediately clear. NetBlocks, which monitors internet accessibility, posted on BlueSky just before 9 pm ET: “Truth Social is experiencing international outages for many users after US President Donald Trump announces strikes on three nuclear sites in Iran; incident not related to country-level internet disruptions or filtering.”

Truth Social did not immediately respond to WIRED’s requests for comment.

US and Iranian officials, speaking on the condition of anonymity, confirmed to The New York Times that US forces had conducted airstrikes on the Fordo and Natanz facilities. The condition of the US targets were not yet confirmed as of just before 9 pm ET.

Israel first began bombing targets in Iran on June 13. The two countries have repeatedly targeted each other since.

On Wednesday, Truth Social reportedly sent an email to at least some users encouraging them to follow Trump’s account. The email read in part, “If you aren’t following President Donald J. Trump on Truth Social, you’re missing an essential resource for navigating world affairs today.”

Trump will hold a televised address at 10 pm ET, according to the White House press secretary, Karoline Leavitt.

Truth Social Crashes as Trump Live-Posts Iran Bombing

A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.

A new joint report released today by FS-ISAC, a non-profit organization focused on financial cybersecurity, and Akamai Technologies, a leading cybersecurity and cloud company, reveals a worrying trend: Distributed Denial-of-Service attacks (DDoS attacks) are increasingly targeting the global financial sector.

These attacks aim to overwhelm online services, disrupting customer access and business operations, ultimately eroding trust and impacting profits. The report, shared with Hackread.com, emphasises the growing sophistication and strategic nature of these cyber threats.

****Evolving Attack Strategies and Key Findings****

According to the report, the financial services sector was the primary target for large-scale DDoS attacks in 2024, which involved flooding a system with massive amounts of traffic, with a notable surge in October 2024. Attacks specifically targeting the application layer of financial services grew by 23% between 2023 and 2024.

The report also notes a rise in more precise attacks against financial firms’ Application Programming Interfaces (APIs) with a 58% rise observed between 2023-24 which allow different software to communicate, and their customer-facing websites.

These targeted assaults are harder to spot because they mimic normal user behaviour, indicating a higher level of skill among cybercriminals. In 2024, a single attack campaign targeting multiple banks resulted in service disruptions that lasted for several days, illustrating the severe impact these incidents can have.

Teresa Walsh, FS-ISAC’s Chief Intelligence Officer, commented on this shift, stating, “DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain.”

The use of DDoS-for-Hire services, where attackers can pay others to launch attacks, is also common. Geopolitical events, such as the Hamas-Israel and Russia-Ukraine conflicts, have also fuelled an increase in hacktivism, where cyberattacks are carried out for political reasons.

On the other hand, the Asia Pacific region experienced a sharp rise in these large-scale attacks, accounting for 38% of all volumetric DDoS attacks in 2024, a significant jump from 11% in 2023.

****Building Stronger Defences****

To help financial institutions better prepare, FS-ISAC and Akamai have introduced a five-level DDoS Maturity Model. This model helps organizations evaluate their current strengths and weaknesses in defending against DDoS attacks, allowing them to identify areas for improvement, prioritize investments, and boost their ability to withstand these threats.

Steve Winterfeld, Advisory CISO at Akamai, emphasized the ongoing nature of the threat: “Threat actors will continue to leverage DDoS attacks to exploit the security of our institutions.” He highlighted that effective defences involve implementing mitigation strategies, maintaining strong cybersecurity practices, and adopting industry best practices.

It must be noted that this collaboration is part of Akamai’s involvement in FS-ISAC’s Critical Providers Program, launched in 2022 to enhance supply chain security within the financial sector.

Tag

#web