- ZachXBT linked the seizure of $23.6 million worth of cryptocurrencies to the hacking of a Ripple co-founder’s wallet.
- Ethereum-stealing software was found on PyPI.
- Fake DeepSeek websites spread stealers and backdoors.
- Telegram Stars and NFTs were the reasons behind account thefts.
ZachXBT has linked the seizure of $23.6 million in cryptocurrencies to the hacking of a Ripple co-founder’s wallet
U.S. authorities seized $23.6 million in cryptocurrencies stolen due to the hacking of an online password manager in 2022. According to court documents, between June 2024 and February 2025, law enforcers traced the stolen assets to exchanges OKX, Payward Interactive, Inc. (operated by Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (operated by FixedFloat), SwapSpace LLC, and Rabbit Finance LLC (operated by CoinRabbit).
While investigators did not name a specific online password manager, the complaint states that the platform suffered “two major data breaches” in August and November 2022. That timeline coincides with the incidents at LastPass.
Onchain detective ZachXBT wrote that the seizure is related to the theft of $150 million (283 million XRP) from Ripple co-founder Chris Larsen in January 2024.
“The reason Larsen’s wallet was hacked was due to LastPass storing private keys. Until then, he had not publicly disclosed the reason for the theft,” the researcher noted.
In turn, LastPass representatives said in a comment to Bleeping Computer that, at this point, law enforcement officials “have not provided any conclusive evidence linking any cryptocurrency thefts to our incident.”
Ethereum-stealing software has been found on PyPI
Socket researchers have discovered a malicious package on the Python Package Index (PyPI), “set-utils”, that steals Ethereum private keys. It has been downloaded more than 1,000 times since January 2025, but the number of potential victims could be much higher.
The package masquerades as a Python utility, mimicking the popular “python-utils” with 712 million downloads and “utils” with 23.5 million installations. The attacks target blockchain developers using the “eth-account” library to manage wallets, Python-based DeFi projects and Ethereum-enabled Web3 applications.
Attackers tap into standard Ethereum wallet creation functions to intercept private keys as they are generated on the compromised device. Funds are withdrawn via the Polygon blockchain.
As of this writing, the malicious package has been removed from PyPI. Users who downloaded it to their projects are advised to take action and move assets to a secure address.
Fake DeepSeek sites spread stealers and backdoors
Kaspersky Lab experts have detected several groups of phishing pages copying the official site of the DeepSeek chatbot.
In the first campaign, the fake resources distributed a Python stealer under the guise of a non-existent DeepSeek client for Windows. The malware steals cookies and sessions from browsers, logins and passwords from accounts of various services, files with specified extensions, and information about cryptocurrency wallets.
In the second scheme, the main vector for distributing links to fraudulent sites was social network X. One of the attackers’ tweets on behalf of an Australian company garnered 1.2 million views and more than a hundred reposts.
The third campaign targets technically advanced users. The downloadable malicious payload masquerades as the Ollama framework for running large language models on local hardware. As a final step, it installs a modified Farfli backdoor on the victim’s device.
Britain to investigate TikTok and Reddit for handling children’s data
The UK Information Commissioner’s Office (ICO) has launched an investigation into TikTok, Imgur and Reddit regarding the privacy of underage users.
At this stage, the agency is investigating whether there have been any violations of data protection laws, as well as what information the services use to estimate the age of users.
If sufficient evidence of breaches of the law is found, the ICO intends to seek clarification from the companies before making a final decision on the measures to be taken against them.
Telegram Stars and NFTs were the causes of account theft
F6 analysts recorded an increase in the number of account thefts in the Telegram messenger. In the second half of 2024, just one group of attackers stole more than 1.24 million accounts, up 25.5% compared to the same period in 2023.
Among the attackers’ targets are the digital currency Telegram Stars and collectible virtual gifts, including NFTs. As a rule, they are transferred to fake accounts and sold.
The amount varies depending on the presence of a premium subscription, administrative rights in channels, and the number of dialogs.
Attackers use web panels or Telegram bots to create phishing resources. Users are lured with cash prizes, security alerts, premium subscriptions, votes, or access to private channels.
Often, as part of a combo scheme, a stolen account will automatically start spreading fraudulent links. They lead to phishing pages supposedly for creating a resume. Authorization via Telegram is required to “send it to an employer”.
Apple users from 117 countries have been notified of spyware attacks
Apple has notified users from 117 countries that they have been subjected to targeted attacks using mobile spyware. This was reported by Amnesty International experts.
Traditionally, such mailings do not reveal the identity of the attackers or the specific countries affected.
Apple has sent similar notifications twice in 2024.
What to read this weekend?
Let’s understand the negative impact of meme coins on the crypto industry:
https://coinpaper.com/7684/the-path-of-meme-tokens-from-jokes-to-scam
This article was originally posted on Coinpaper.com