US feds crack down on Russian cryptocurrency exchange Garantex
US seeks to seize $2.8m from ransomware actor's wallet, Polish city fended off likely Russian attack on water supply, Iranian hackers infiltrated former Israeli justice minister's phone, BtcTurk lost $48m in hack, Odin.fun exploited for $7m, Duo pleads guilty in stolen data pandemic fraud, much more


IMPORTANT PUBLISHING NOTICE: Metacurity will be on summer break starting August 18 and will resume publication on September 2. Stay safe out there, folks, and we'll see you in September!
While we're on break, please consider supporting Metacurity
Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.
If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.
As part of intensified efforts to halt the flow of ransomware payments through cryptocurrency platforms, the US Treasury Department imposed sanctions on Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates, while the State Department targeted its leaders for arrest with financial rewards.
Treasury's Office of Foreign Assets Control re-designated Garantex for sanctions, accusing its operators of processing more than $100 million in illicit transactions since 2019.
The State Department announced financial rewards totaling up to $6 million for information leading to the arrest or conviction of Garantex’s leaders, including up to $5 million for Russian national Aleksandr Mira Serda, the exchange’s co-founder and chief commercial officer.
Authorities expanded their targeting of Garantex, its leaders, and associated companies following a sweeping international law enforcement operation in March when officials seized three domains linked to the exchange, confiscated servers, froze more than $26 million in cryptocurrency, and indicted its leaders.
One of those leaders, Aleksej Besciokov, was arrested in March while on vacation in India shortly after the Justice Department unsealed indictments against him and Mira Serda, officials said. OFAC also imposed sanctions on Sergey Mendelev, co-founder of Garantex, and Pavel Karavatsky, co-owner and regional director of Garantex.
“According to the US Secret Service and FBI, Garantex received hundreds of millions in criminal proceeds and was used to facilitate various crimes, including hacking, ransomware, terrorism, and drug trafficking, often with substantial harm to US victims,” Tammy Bruce, spokesperson for the State Department, said.
Before Garantex moved its operations and funds to Grinex following the globally coordinated law enforcement disruption, the exchange received millions of dollars in cryptocurrency from Russia-linked ransomware affiliates. Officials traced those transactions to Conti, Black Basta, LockBit, Ryuk, NetWalker, and Phoenix Cryptolocker. (Matt Kapko / CyberScoop)
Related: Treasury Department, State Department, Washington Examiner, The Record, Rolling Out, Cointelegraph, CoinDesk, Bleeping Computer, CCN, TRM, The Street, cryptonews
The US Justice Department unsealed warrants to seize $2.8 million in cryptocurrency from a wallet controlled by someone accused of deploying ransomware to steal data and then demand payment.
The DOJ said those warrants were unsealed in district courts in the Eastern District of Virginia, the Central District of California, and the Northern District of Texas. In all, the warrants allow prosecutors to seize crypto, $70,000 in cash, as well as a luxury car.
Prosecutors say Ianis Aleksandrovich Antropenko targeted people, businesses, and organizations globally using ransomware, stole their data, and would often "demand a ransom payment to 'decrypt the victim's data, refrain from publishing it, or arrange the data's deletion.'" (Sarah Wynn / The Block)
Related: Justice Department, KDFW, WFAA
Polish Deputy Prime Minister Krzysztof Gawkowski, who is also digital affairs minister, said that a large unnamed Polish city could have had its water supply cut off on Wednesday as a result of a cyberattack.
"At the last moment, we managed to see to it that when the attack began, our services had found out about it and we shut everything down. We managed to prevent the attack," he said. He added that Poland manages to thwart 99% of cyberattacks.
Poland has said that its role as a hub for aid to Ukraine makes it a target for Russian cyberattacks and acts of sabotage. Gawkowski has described Poland in the past as the "main target" for Russia among NATO countries. (Alan Charlish, Anna Koper / Reuters)
As first reported in Israeli publication N12, Iran-backed hackers successfully infiltrated the personal phone of Ayelet Shaked, Israel’s former justice minister, after Shaked clicked on a link, which enabled the hackers to gain full control of her phone.
Shaked was previously warned of the Iranian attempts by former Shin Bet head Nadav Argaman.
"The matter is being handled by security officials," Shaked said following the incident. (Jerusalem Post)
Related: The Times of Israel, Ynet News, Israel National News
Turkish cryptocurrency exchange BtcTurk has halted withdrawals amid reports suggesting that the platform has lost $48 million due to a hack.
Cybersecurity firm Cyvers reported that it had detected $48 million worth of digital assets, including Ether, involved in unusual activity.
“Our system detected multiple alerts across ETH, AVAX, ARB, BASE, OP, MANTLE, and MATIC networks,” Cyvers reported, adding that the attacker had moved the assets to two addresses and begun swapping them.
BtcTurk subsequently halted deposits and withdrawals, citing a “technical issue” with hot wallets, reporting that trading and local currency withdrawals and deposits remained intact.
BtcTurk highlighted that most exchange assets are held in secure cold wallets, assuring the public that user assets are unaffected by the suspected attack. (Helen Partz / Cointelegraph)
Related: Bitcoinist, The Register, The Record, CryptoSlate, CoinDesk, Web3IsGoingJustGreat

Bitcoin-focused meme coin launchpad Odin.fun was exploited for 58.2 BTC or around $7 million in a liquidity manipulation attack targeting its automated market-making tool.
Blockchain security firm PeckShield first flagged suspicious transfers from the Bitcoin-powered protocol.
An Odin.fun community member using the handle “web3xiaoba” said the attackers manipulated liquidity by adding tokens such as SATOSHI to drive up prices, then pulled their liquidity to cash out in Bitcoin.
On-chain data showed the platform’s bitcoin reserves falling from 291 BTC to 232.8 BTC in less than two hours.
Eight hours after the breach, Odin.fun co-founder Bob Bodily confirmed the exploit and said the team was still assessing the scale of losses.
However, he acknowledged that the company’s treasury could not fully cover the damage, though remaining platform funds were secure. Bodily explained that the vulnerability came from a flaw introduced in the platform’s most recent update to its automated liquidity market-making system.
Several threat actors, whom he linked to groups in China, exploited the bug to siphon Bitcoin from the protocol. (Rony Roy / Invezz)
Related: CryptoEconomy, CryptoRank, CoinCentral, CoinMarketCap, Web3IsGoingJustGreat
Wilkins Estrella, a former business clerk at a Bronx hospital, and Charlene Marte, of the Bronx, pleaded guilty to a multi-year fraud scheme that used data stolen from hospital patients to file false claims for pandemic-related relief funds.
They admitted to conspiring to commit wire fraud and bank fraud. Prosecutors said the pair used stolen personally identifiable information, including names and Social Security numbers, to open fraudulent debit card accounts and secure nearly $1 million in COVID-19 stimulus payments and unemployment benefits.
Mr. Estrella, who also pleaded guilty to a separate charge of wrongfully disclosing protected health information, accessed more than 4,000 patient records during his time at the hospital.
Both defendants face up to 30 years in prison on the conspiracy charge. Mr. Estrella faces an additional sentence of up to 10 years for the HIPAA violation. They have agreed to pay more than $950,000 in restitution and forfeiture. (Naomi Diaz / Becker's Hospital Review)
Related: Justice Department, Med-Net Concepts, Pix11, Hoodline, DataBreaches.net
The FBI updated its alert about fake lawyers defrauding victims of cryptocurrency scams, adding due-diligence measures and a list of red-flag indicators that potential victims can use to recognize the scheme.
The FBI’s Internet Crime Complaint Center (IC3) has previously warned that fraudsters were posing as lawyers from fictitious law firms and using social media and messaging services to defraud victims of cryptocurrency scams.
The FBI requested potential victims of fraudulent law firm scams to report the suspicious activity to their local FBI field office and IC3. (Kevin Poireault / Infosecurity Magazine)
Related: IC3, Cointelegraph, Decrypt, CyberInsider, CryptoRank
Researchers at Trend Micro report that at least a dozen ransomware gangs have incorporated kernel-level EDR killers into their malware arsenal, allowing them to bypass almost every major endpoint security tool on the market, escalate privileges, and ultimately steal and encrypt data before extorting victims into paying a ransom.
One of the most recent examples includes the operators of Crypto24, a new-ish ransomware that has been deployed against nearly two dozen companies in the US, Europe, and Asia since April, according to the miscreants' leak site.
The criminals target high-profile companies in financial services, manufacturing, entertainment, and technology, and after gaining initial access to victim organizations, one way they evade detection is by using a customized version of RealBlindingEDR.
RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix.
The tool retrieves the vendor name from each loaded driver's metadata, compares it to the hardcoded list, and, on a match, removes that driver's kernel callbacks (the process, thread, image-load and registry notifications the EDR depends on for telemetry), leaving the product running but blind. (Jessica Lyons / The Register)
Related: TrendMicro, Bleeping Computer

Echoing the Signalgate controversy earlier this year, members of a law enforcement group chat, including Immigration and Customs Enforcement (ICE) and other agencies, inadvertently added a random person to a group called "Mass Text," where they exposed highly sensitive information about an active search for a convicted attempted murderer who was seemingly marked for deportation.
The texts included an unredacted ICE “Field Operations Worksheet” that provides detailed information about the target they were looking for, and the texts showed ICE pulling data from a DMV and license plate readers (LPRs), according to screenshots of the chat obtained and verified by 404 Media. The person accidentally added to the group chat is not a law enforcement official or associated with the investigation in any way, and said they were added to it weeks ago and initially thought it was a series of spam messages.
The person accidentally added to the group chat, which appears to contain six people, said they had no idea why they had received these messages and shared screenshots of the chat with 404 Media. (Joseph Cox / 404 Media)
Related: Daily Beast, r/technology, The Verge

Sources say a Japan Securities Dealers Association (JSDA) panel is looking to start discussions on whether and how member brokers can identify and act against accounts owned by phishing scammers, after fraudulent trades worth more than $4 billion rattled the nation’s stock market.
The JSDA’s Internet Brokers Council, which comprises about 30 of the nation’s major brokers, is weighing inviting officials from the Tokyo Stock Exchange and police to hear how they are planning to tackle the problem, they said.
Criminals started hijacking online brokerage accounts in Japan and using them to drive up penny stocks around the world earlier this year. The trend peaked in April and has been tapering off. Through July, there were over 8,000 fraudulent transactions, totaling about ¥620.5 billion ($4.2 billion). (Takashi Nakamichi / Bloomberg)
Proofpoint researchers demonstrated a FIDO downgrade attack against Microsoft Entra ID that steers users away from their passkey and onto weaker login methods, making them susceptible to phishing and session hijacking.
FIDO passkeys are a passwordless authentication method based on the FIDO2 and WebAuthn standards, designed to eliminate the weaknesses of passwords and traditional multi-factor authentication (MFA).
Those weaker fallback methods are vulnerable to adversary-in-the-middle phishing with tools like Evilginx, which let attackers capture valid session cookies and hijack the accounts.
The attack does not break FIDO itself; it exploits the fact that an account which still holds weaker methods alongside a passkey can be pushed onto one of them, so the passkey's phishing resistance is only as strong as the fallback path.
The downgrade attack employs a custom phishlet within the Evilginx adversary-in-the-middle (AiTM) framework to spoof a browser user agent that lacks FIDO support.
Specifically, the researchers spoof Safari on Windows, a browser Entra ID does not support for FIDO-based authentication, so the sign-in flow offers the user the other registered methods instead. The practical mitigation is to remove the fallback: enforce a phishing-resistant authentication strength through Conditional Access so that the weaker methods cannot satisfy the sign-in, rather than relying on users to pick the passkey. (Bill Toulas / Bleeping Computer)
Related: Proofpoint, SC Media, Petri, Biometric Update, Cyber Insider, Dark Reading
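As an added illustration of the sign-in pattern described above (example code written for this digest, not code from Proofpoint, Microsoft or Bleeping Computer), the following Python checker flags two things a hunter would look for: a user known to hold a passkey who nonetheless authenticated with a non-phishing-resistant method, and a user agent claiming Safari on Windows, a browser that has not been shipped for over a decade and is exactly what the phishlet spoofs. The record field names, the method names and the sample sign-ins are constructed assumptions for illustration, not real Entra ID log exports; a real hunt would map them onto the sign-in log's authentication-details fields.

```python
import re

# Constructed sample sign-in records, loosely modelled on the fields an Entra ID
# sign-in log exposes. Field names and method labels are assumptions for illustration.
SAMPLE_SIGNINS = [
    {   # genuine passkey sign-in from Chrome on Windows
        "user": "alice@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
        "authMethod": "FIDO2 security key",
    },
    {   # the AiTM pattern: Safari-on-Windows user agent plus a weaker fallback method
        "user": "bob@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
        "authMethod": "Microsoft Authenticator push notification",
    },
    {   # real Safari on macOS using a passkey: plausible, not flagged
        "user": "carol@example.com",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
        "authMethod": "Passkey",
    },
    {   # user with no passkey registered; a weak method is expected, not a downgrade
        "user": "dave@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0",
        "authMethod": "Password",
    },
]

# Methods that bind the credential to the origin and therefore resist an AiTM relay.
PHISHING_RESISTANT = {"fido2 security key", "passkey", "windows hello for business"}

# Tokens that Chromium-family browsers append after the compatibility "Safari/" token.
NON_SAFARI_TOKENS = ("Chrome/", "Chromium/", "CriOS/", "Edg/", "EdgiOS/", "OPR/", "SamsungBrowser/")


def claims_safari_on_windows(user_agent: str) -> bool:
    """True if the UA string claims to be Apple Safari running on Windows.

    Every WebKit/Blink browser carries 'Safari/' for compatibility, so real Safari
    is recognised by the 'Version/x.y ... Safari/' pair with none of the
    Chromium-family tokens present. Safari on Windows was discontinued in 2012,
    so any such UA in 2025 is either a misconfigured client or a spoof.
    """
    on_windows = "Windows NT" in user_agent
    safari_shape = re.search(r"\bVersion/[\d.]+\b.*\bSafari/", user_agent) is not None
    chromium_family = any(tok in user_agent for tok in NON_SAFARI_TOKENS)
    return on_windows and safari_shape and not chromium_family


def downgrade_suspects(records, passkey_users):
    """Return (user, reasons) pairs for sign-ins that look like a FIDO downgrade.

    passkey_users is the set of accounts known to have a passkey registered
    (assumed to come from an inventory of registered authentication methods).
    """
    suspects = []
    for rec in records:
        reasons = []
        weak_method = rec["authMethod"].lower() not in PHISHING_RESISTANT
        if rec["user"] in passkey_users and weak_method:
            reasons.append("passkey-holder-used-weaker-method")
        if claims_safari_on_windows(rec["userAgent"]):
            reasons.append("implausible-ua-safari-on-windows")
        if reasons:
            suspects.append((rec["user"], reasons))
    return suspects


if __name__ == "__main__":
    known_passkey_users = {"alice@example.com", "bob@example.com", "carol@example.com"}
    for user, reasons in downgrade_suspects(SAMPLE_SIGNINS, known_passkey_users):
        print(f"{user}: {', '.join(reasons)}")
```

The user agent is attacker-controlled, so the UA check catches this particular phishlet rather than the technique in general; the durable control is the one named above, an authentication-strength policy that refuses the weaker methods outright, with the log check serving to spot accounts that were pushed onto a fallback before that policy was in place.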

Due to last month's hack at the Dutch Public Prosecution Service, some speed cameras are currently out of service, including some fixed speed cameras, average speed checks, and flexible speed cameras along A and N roads, or motorways and non-motorways.
The Public Prosecution Service was hacked in mid-July. The organization, therefore, disconnected all its systems from the internet. The speed cameras themselves were not hacked, however.
A spokesperson for the Public Prosecution Service's Central Processing Department said that it is standard procedure to take speed cameras out of service from time to time. "This happens regularly. For example, for an inspection or when the speed camera is relocated."
Due to last month's hack, the Public Prosecution Service cannot reactivate the speed cameras that were disabled according to normal procedures. "Besides the fact that it's impossible because the systems are down, we also don't want to try because of the hack," the spokesperson said. It's unclear how many speed cameras are affected. (NOS)
Related: NL Times, DutchNews, Leeuwarder Courant
More than 300 auto recycling businesses in North America were hit by a LockBit ransomware attack on August 6 that was carried out through SimpleHelp, a program that provides remote access to computer systems.
Victims saw their digital databases scrambled and received ransom notes demanding payment in bitcoin in exchange for restored access.
Plazec Auto Recycling, near Hamilton, Ontario, and Miller’s Auto Recycling in Fort Erie, Ontario, and Mark’s Parts in Ottawa, are known to be affected. According to the Automotive Recyclers of Canada, most of the businesses affected have since regained access to their data. (Gideon Scanlon / Collision Repair Magazine)
Related: Canadian Auto Recyclers, r/sysadmin

Researchers at Trend Micro report that a previously uncatalogued ransomware strain is targeting public sector and aviation organizations in the Middle East, with the threat actor using techniques similar to a previously documented hacking group likely based in China known as Earth Baxia.
Operators of the ransomware, which appends encrypted files with a .Charon extension, use techniques reminiscent of a nation-state threat actor. Charon hackers choose their targets rather than attacking opportunistically, says analysis from Trend Micro. In Greek mythology, Charon ferries dead souls into the underworld.
A "distinctive DLL sideloading methodology" points to potential overlap with a China-based threat actor, Trend Micro says. (Akshaya Asokan / BankInfoSecurity)
Related: Trend Micro, Industrial Cybersecurity, Dark Reading, CSO Online, The Record, Security Affairs, SC Media
Every day, Binance is inundated with fake resumes that it’s certain were written by would-be North Korean attackers, the crypto exchange’s chief security officer, Jimmy Su, said.
In his view, nation-state actors from North Korea are the single most significant threat facing companies in the crypto industry today.
Su explained that North Korean attackers have been an issue throughout the exchange’s eight-year existence, but recently, the hackers have upped their game when it comes to crypto.
“Our tracking used to [show] that the actor, the operative, will have a resume, and they mostly either have a Japanese or Chinese surname,” Su explained. “But now, with AI and events in AI, they are able to fake to appear to be any kind of developer. More recently, we have seen them be candidates from Europe, from the Middle East. What they do is they actually use a voice changer during their interviews, and the video was a deepfake.”
“The only real good detection is that they almost always have a slow internet connection,” he added. “What's happening is that the translation and the voice changer are working during the call … that’s why they are always delayed.” (Ryan S. Gladwin / Decrypt)
Related: Binance Square, ITC.ua
The maintainers of the federated secure chat protocol Matrix are warning users of a pair of "high severity protocol vulnerabilities," addressed in the latest version, saying patching them requires a breaking change in servers and clients.
"Last month we issued 'pre-disclosure: upcoming coordinated security fix for all Matrix server implementations,' describing a coordinated release to fix two high-severity protocol vulnerabilities," Jim Mackenzie, vice president for trust and safety at the Matrix.org Foundation, said.
"That release is now available as of 1700 UTC on August 11, 2025. Server updates are now available, and MSCs & spec updates will follow on Thursday, August 14, 2025, bringing us to version 1.16 of the spec later in the month, and introducing room version 12."
Matrix, which boasted a conservatively estimated 60 million users, plus around 500,000 government users, back in 2022, isn't a chat platform; it's an open standard for a real-time communication protocol built atop HTTP and WebRTC, designed to make it easy for client apps from any vendor to interoperate using a decentralized federation system. (Gareth Halfacree / The Register)
Related: CSO, The Record, SC Media
Due to the data breach at the Clinical Diagnostics laboratory, which conducts the cervical cancer screening program, the names and addresses of women living in shelters for women have also been exposed.
The shelters in question were informed by RTL Nieuws about the leaked private information and confirmed that the women had lived there.
This involves several women from multiple shelters. Keeping their identity and whereabouts secret can be crucial for them, as in many cases, there is a direct threat from their (ex-)partner or family. (RTL)
Related: NL Times
The US government acknowledged in federal court for the first time that the Internal Revenue Service is sharing taxpayer data with Immigration and Customs Enforcement, as the Trump administration intensifies its deportation campaign.
The notice was filed on Aug. 12 in US District Court for the District of Columbia by a pair of Justice Department officials. It mentioned the deal forged earlier this year between the IRS and the Department of Homeland Security, establishing the basis for tax data to be used in deportation efforts.
A Treasury spokesperson said the data-sharing arrangement between IRS and DHS has been "litigated and determined to be a lawful application of Section 6103, which provides for information sharing by the IRS in precise circumstances associated with law enforcement requests."
Then a senior DHS official said in a statement that the redacted agreement "outlines a process to ensure that sensitive taxpayer information is protected, while allowing law enforcement to effectively pursue criminal violations."
Experts, though, say the ongoing data sharing between the IRS and immigration authorities reverses longstanding taxpayer protections originally established by Congress. "This is a blow in decades of precedent that the IRS is not going to disclose taxpayer information except in extremely limited circumstances," said Tom Bowman, policy counsel at the Center for Democracy and Technology. (Joseph Zeballos-Roig / Quartz)
Related: Court Listener, CNN

Cybersecurity giant F5 is laying off more than 100 employees between its offices in Seattle and the Spokane area, the company disclosed in an SEC filing.
The cuts hit the Seattle-based company’s product teams to “better align resources with important customer needs,” an F5 spokesperson said in an emailed statement.
“As part of these changes, selected roles were eliminated, while other employees were placed into new roles supporting strategic growth areas,” the spokesperson said. “All impacted employees are being provided with assistance to support their transition to new roles internally or their next steps outside F5.” (Alex Halverson / Seattle Times)
Related: SEC, BizJournals, GeekWire, CRN, OpenTools, Channel Futures
Accenture Plc is buying Australian cybersecurity firm CyberCX, its largest acquisition to date in the sector, to boost operations in the Asia-Pacific region in a deal estimated to be worth A$1 billion ($650 million).
Private equity fund BGH Capital owns Melbourne-based CyberCX. It operates a network of cybersecurity operations centers across Australia and New Zealand and has offices in London and New York. (Mark Anderson / Bloomberg Law)
Related: Reuters, Business Wire, WebProNews, Capital Brief, Australian Financial Review, Cyber Daily, Australian Security Magazine, CRN, Investing.com, The Economic Times, r/cybersecurity
Rest in Peace
Margaret Boden, a British philosopher and cognitive scientist who used the language of computers to explore the nature of thought and creativity, leading her to prescient insights about the possibilities and limitations of artificial intelligence, died at age 88 on July 18 in Brighton, England.
Best Thing of the Day: PA's AG Is Back in Action
Attorney General Dave Sunday announced that the Office of Attorney General’s website www.attorneygeneral.gov is back online and near full functionality following a cyber incident.
Worst Thing of the Day: They Released the 'Don't Release' Folders
The Interlock gang's leak of data it stole from Box Elder County, Utah, exposed data related to virtually every function of the Box Elder County sheriff’s office, including homicide investigations, the jail, the SWAT team, and investigations by a narcotics strike force, all kept within folders titled “Don’t Release."
Closing Thought
