Are they brave or stupid? Malware targeting Russian crypto hackers found

• Researchers uncover two packages carrying an infostealer
• The victims are apparently Russian, and attackers American
• This prompted the researchers to speculate if the targets were Russian crypto hackers

Two malicious packages were recently discovered on the npm package manager platform targeting software developers on the Solana ecosystem.

However the discovery, attribution, and potential targets of the malware have made researchers speculate if this was a state-sponsored attack.

Solana is a blockchain designed for decentralized applications and cryptocurrencies. It is similar to Ethereum in many aspects, which is why it is often described in the crypto community as the “Ethereum killer”.

Targeting devs? Or hackers? Or both?

Recently, security researchers from Safety found two npm packages: “solana-pump-test” and “solana-spl-sdk”.

Both were submitted by the same author, and both contained identical code – and according to Safety, when these packages were installed, they ran scripts that exfiltrated sensitive information from compromised devices, including private keys that granted the attackers access to crypto funds.

Safety says that the victims – the developers that downloaded and ran the infostealers – were located in Russia.

The attackers, on the other hand, seem to be located in the United States, based on the IP addresses where the exfiltrated data was relayed.

These things were enough for the researchers to ask if this was a US-backed threat actor targeting Russia, probably due to currently strained geo-political relations between the two powers.

But npm, as a platform, is not Russian, or managed by the Russians. The npm platform is run by npm, Inc., a company that was originally independent but is now a subsidiary of GitHub, which itself is owned by Microsoft.

Still, Russia has multiple state-sponsored and affiliated threat actors known to target cryptocurrency users, or large enterprises which are then forced to make ransom payments in crypto. Groups such as Evil Corp, Sandworm, and APT28 (Fancy Bear) have been linked to campaigns that either exfiltrate cryptocurrency or deploy ransomware for financial gain.

Therefore, it is not too far-fetched to speculate if this attack was aimed at crypto criminals, as well as regular crypto developers.

Via The Register

You might also like

• Crypto hacker steals $14.5 billion in Bitcoin using a gaming PC and nobody notices for five years
• Take a look at our guide to the best authenticator app
• We’ve rounded up the best password managers