Industry Category

Cryptocurrencies

Breach intelligence, attack campaigns, and threat reports targeting the Cryptocurrencies sector.

5 threat reports

Cryptocurrencies Threat Reports

New macOS ClickFix Attack Silently Mounts DMGs to Deploy Infostealer
Impact: MEDIUM

In June 2026, a new macOS ClickFix campaign emerged, utilizing Terminal commands to silently download, mount, and execute info-stealing malware from malicious disk image (DMG) files. This attack infects Mac devices with the Atomic macOS Stealer (AMOS), which exfiltrates browser credentials, cryptocurrency wallet data, Keychain information, messaging app data, and user documents. The campaign begins with a fake CAPTCHA page instructing users to open Terminal and paste a malicious command, leading to the automatic execution of the malware. This method represents an evolution in ClickFix attacks, combining social engineering with automated malware deployment to enhance stealth and effectiveness. The significance of this incident lies in the increasing sophistication of social engineering attacks targeting macOS users. By leveraging trusted system utilities and deceptive prompts, attackers can bypass traditional security measures and user vigilance. This trend underscores the need for enhanced user education, robust endpoint protection, and continuous monitoring to detect and mitigate such evolving threats.

2 days ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (high)
I: Impact (high)

Mastra AI Supply Chain Attack: A Wake-Up Call for Software Security
Impact: HIGH

In June 2026, Microsoft identified a significant supply chain attack targeting the Mastra AI ecosystem, attributed to the North Korean state-sponsored group Sapphire Sleet (also known as BlueNoroff). The attackers compromised an npm maintainer account, 'ehindero,' with publishing privileges across the Mastra package environment. They published malicious updates for over 140 packages within the @mastra scope, introducing a malicious dependency named 'easy-day-js,' a typosquat of the legitimate 'dayjs' JavaScript library. Upon installation, this dependency executed a post-install hook deploying a malware dropper on developers' devices, aiming to steal sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets. The second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems, collecting host information, browser histories, installed applications, running processes, and checking for 166 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. The malware employed different persistence methods depending on the operating system, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services. Microsoft observed that systems communicating with the attackers' command-and-control servers exhibited follow-on activity consistent with Sapphire Sleet's previous campaigns, including the deployment of a PowerShell backdoor, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service granting SYSTEM privileges. This incident underscores the evolving tactics of North Korean threat actors in targeting the software supply chain to facilitate credential theft and cryptocurrency asset exfiltration. Organizations are urged to enhance their supply chain security measures and remain vigilant against such sophisticated attacks.

5 days ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

International Authorities Dismantle 'AudiA6' Cryptocurrency Laundering Service
Impact: HIGH

In June 2026, an international law enforcement operation dismantled 'AudiA6,' a cryptocurrency laundering service that allegedly processed over $389 million in illicit funds between 2022 and 2025. The service facilitated the laundering of proceeds from ransomware attacks and other cybercrimes by obfuscating transaction origins through complex routes, returning 'cleaned' funds to users for a commission. The operation led to the arrest of two individuals in Georgia, the seizure of 25 domains, 80 vehicles and properties, and the freezing of approximately $897,000 in cryptocurrency assets. This takedown underscores the growing global collaboration in combating cyber-enabled financial crimes and highlights the increasing scrutiny on cryptocurrency platforms used for illicit activities. Organizations are urged to enhance their monitoring of cryptocurrency transactions and implement robust compliance measures to detect and prevent money laundering activities.

2 weeks ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (high)
I: Impact (high)

NodeCordRAT Trojan Exposed in npm Bitcoin-Themed Packages (2026)
Impact: medium

In November 2025, cybersecurity researchers uncovered a sophisticated supply chain attack involving malicious npm packages—'bitcoin-main-lib', 'bitcoin-lib-js', and 'bip40'—that distributed the remote access trojan NodeCordRAT. Uploaded by the threat actor 'wenmoonx', these packages mimicked legitimate BitcoinJS repositories, leveraging npm’s postinstall scripts to deliver malware hidden in 'bip40'. NodeCordRAT enabled attackers to exfiltrate Chrome credentials, cryptocurrency wallet seed phrases, and sensitive files to Discord-controlled servers, using Discord’s API for covert communication and command execution. This multi-OS campaign potentially impacted thousands of developers before takedown. The incident stands out for its abuse of trusted open-source components, increasing concern across the software supply chain. Its methodology highlights the growing sophistication of attacker tradecraft leveraging developer ecosystems and API-based covert channels, making such threats relevant for all organizations relying on open-source dependencies.

5 months ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (low)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (medium)

North Korean Hackers Deploy Blockchain Malware via EtherHiding
Impact: medium

In early 2025, North Korean state-backed threat actors, specifically UNC5342, leveraged a new malware distribution technique called 'EtherHiding' to conduct advanced social engineering attacks against software and web developers. Utilizing smart contracts on public blockchains like Ethereum and Binance Smart Chain, the attackers embedded JavaScript payloads, allowing them to deliver and update malware with anonymity and resistance to takedowns. The lures involved fake job interviews that convinced victims to run malicious code, ultimately resulting in the in-memory deployment of the JADESNOW and InvisibleFerret malware for credential theft, financial data exfiltration, and ongoing espionage. This breach is particularly significant as it marks the first known nation-state operation using EtherHiding to evade detection and persistently update attack tools on-chain. The campaign signals a macro shift to blockchain-based malware delivery, complicating threat intelligence, response, and regulatory postures in the face of evolving infostealer and espionage techniques.

5 months ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (low)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (medium)