CoinMonks Market Updates and Miscellaneous Articles

  • Story generated on: 13-06-25 09:00:58
  • crypto

A collection of market updates and various articles from CoinMonks, including articles not directly related to cryptocurrency.

Medium » Coinmonks RSS Feed

Morning Market Update | 13.06.2025

🌍 Geopolitical Shockwaves & Market Turmoil ⚔️

Global markets are in freefall after Israel launched airstrikes on Iran’s nuclear sites, killing top Iranian military officials and scientists. The US500 sank -1.2%, US100 -1.4%, and US30 -1.1%. Israel declared a state of emergency, and Tehran has vowed retaliation — including reported drone incursions. Talks on Iran’s nuclear programme have collapsed. Washington distanced itself, urging calm while securing its regional assets.

📉 Investors fled to safety:
• US 10Y Treasury yield fell for a 4th day, now at 4.34%
• Gold and Treasuries in strong demand
• Oil prices jumped a staggering +9%, the biggest surge in over 3 years ⚠️

🌏 Asia-Pacific markets tumbled:
• MSCI Asia Pacific: -1.1%
• 🇯🇵 Topix: -1%
• 🇦🇺 ASX 200: -0.4%
• 🇭🇰 Hang Seng: -0.7%
• 🇨🇳 Shanghai Comp: -0.7%
Japan’s May industrial production also disappointed (-1.1% MoM).

💱 Forex Market:
• USD recovered slightly in risk-off mood
• CHF surged: USD/CHF fell -0.6% to 0.8056
• EUR/USD: -0.5% to $1.1523
• GBP/USD: -0.6% to $1.3537
• AUD/USD: -1.2% | NZD/USD: -1.1% 💥

₿ Crypto not spared:
• Bitcoin: -1.6% to $104,271
• Ethereum: -4.7% to $2,517

🧭 All eyes now on Iran’s next move — markets brace for potential escalation and continued volatility.

#NordFX #MarketUpdate #Geopolitics #Oil #Forex #Bitcoin #Gold #SafeHaven #Iran #Israel #USD #Stocks #Inflation #Tariffs 📉

Morning Market Update | 13.06.2025 was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

The Conspiracy to Permanently Silence Joseph Lathus — Apache County’s Abuse of N-Road…

The Conspiracy to Permanently Silence Joseph Lathus — Apache County’s Abuse of N-Road Classifications as a Weapon of Retaliation

When civil rights are under attack, it often doesn’t come with fanfare or flashing lights. Sometimes, it comes with the quiet mislabeling of roads, the misuse of engineering records, and the deliberate targeting of a cancer survivor by the very authorities sworn to protect him. This is the story of Joseph William Lathus, and the pattern of conspiracy orchestrated by Apache County, Arizona — a campaign that now borders on attempted murder under color of law.

Exhibit A: The N-Road Deception

Apache County roads designated with an “N” (e.g., N3543, N3548) are not public roads in the legal sense. They are easements granted by subdivision plats, not formally accepted into the Apache County Maintained Road Inventory.

📎 SOURCE: Apache County’s own Public Works website states: “N-Roads are not maintained by the County and are not considered public thoroughfares unless formally adopted.”
🔗 https://www.apachecountyaz.gov/Living-in-Apache-County#:~:text=Apache%20County%20maintains%20about%20800,Natural%20Disasters

Despite this, Apache County Sheriff’s deputies routinely label these roads “County Roads” in their report against Joseph Lathus, deliberately misleading courts and the public. In the March 2023 incident, this lie was central to the fabricated charge of “Obstructing a Public Thoroughfare” against Joseph Lathus — even though the road was never maintained, patrolled, or accepted by the County.

Exhibit B: False Police Narrative and Forced Gate Entry

Deputy Thomas Pacl authored a report (Supplement 1, Case #23-040328) claiming:
• That Joseph “obstructed” public access, even though N3543 was a private easement;
• That the “Concho Lakeland HOA” was unrecognized by the county — a legally irrelevant statement meant to delegitimize lawful civil association;
• That no warrant was obtained, but the gate was lifted anyway “to conduct a welfare check” — despite no emergency existing.

📎 EXHIBIT IMAGE: [Attached scan of Pacl’s report]
📎 EXHIBIT IMAGE: [Image of locked gate with HOA sign]
📎 EXHIBIT IMAGE: [Apache County’s road inventory page showing N-roads not listed]

This sequence of actions culminated in a retaliatory contempt charge, after Joseph paid the citation and filed appeals. The County wasn’t seeking law and order — they were seeking silence.

Exhibit C: Medical Retaliation = Attempted Murder

At the time of the criminal citation and later contempt proceedings, Joseph Lathus was recovering from oral cancer surgery. He had:
• A skin graft in his mouth,
• Numbness from nerve damage,
• Difficulty eating and speaking,
• An active need for post-surgical monitoring.

Apache County knew all of this. They moved forward anyway….

This isn’t just indifference. It’s an intentional act to incarcerate a vulnerable man, knowing his condition could deteriorate or kill him in jail. It meets the federal definition of deliberate indifference, and under 18 U.S.C. § 242, may qualify as a criminal civil rights offense.

Conclusion: This is a Conspiracy, Not an Oversight

Apache County’s treatment of Joseph Lathus reveals a coordinated civil and criminal conspiracy to criminalize lawful property management, deny ADA protections, and use misclassified road easements to punish a civil rights plaintiff. The goal was not justice. The goal was submission.

This article urges:
• Federal civil rights review by the DOJ,
• An audit of Apache County’s road classifications and legal training,
• Full accountability of deputies, county attorneys, engineers, and judges involved.

📣 A public easement is not a public highway.
📣 Cancer is not a death sentence — unless Apache County is your jailer.
📣 Justice for Joseph Lathus must start now.

For more information, view Joseph’s legal filings in Case 3:24-cv-08233 in the U.S. District Court for Arizona.

“If the law becomes a weapon against the innocent, it is no longer justice — it is persecution. And when persecution wears a badge, the people must raise their voice.”

The Conspiracy to Permanently Silence Joseph Lathus — Apache County’s Abuse of N-Road… was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Maple Protocol’s outperformance set to continue

Maple Finance’s TVL has grown 5x this year to $2.2bn; market cap and token price followed accordingly. A quick peer valuation suggests more juice is left in the tank. Time to take a closer look at the protocol value drivers, profitability, valuation, opportunities and risks.

What does Maple do?

Maple aims to bring asset management on chain by creating a decentralised marketplace consisting of 3 verticals:
• Stablecoin pools: users deposit USDC and USDT and get syrupUSDC & syrupUSDT in return, with a c.6.5% APY on their deposit. The syrup tokens are composable into other DeFi protocols such as Compound and Balancer, allowing users to further boost APY.
• High yield secured pools contain top cryptocurrencies apart from BTC and ETH, yielding 9.2%.
• Blue chip pools are secured by BTC and ETH.

Maple protocol earns 30% of the interest, which is reinvested into token buybacks, staking yield, and retained earnings to further expand growth. This creates a sustainable revenue flywheel that is organic (i.e. limited incentive campaigns are used to boost TVL, underpinning earnings sustainability). TVL is likely more sticky as a result.

What sets it apart from peers?

• TradFi credibility: Maple’s management has a TradFi background and uses this credibility to get business with TradFi firms. The recent SEC comments regarding the creation of a supportive environment for DeFi are a major tailwind, and Maple’s connections make it well positioned to source additional growth.
• Composability of the syrup token into other applications such as Compound, Aave and Balancer allows it to boost APY on stablecoins in an organic way (not sponsored!!).
• Institutional level compliance and security: KYC, overcollateralised pools, credit approval by delegates, allowing it to bridge TradFi to DeFi.

Valuation

Despite its recent growth, Maple is currently still only trading at 0.24x its TVL, making it cheaper than its average broader peer group, which trades at 0.72x TVL. As Maple is increasingly targeting institutional demand and RWA involvement, it is fair to compare it more with Ondo Finance and Blackrock’s BUIDL, which trade at significantly higher multiples, suggesting a further growth in price could be on the cards.

What could explain/justify its valuation discount versus peers?

Firstly, the market may place less credibility in the stickiness of its credit pools. LPs attracted by incentive campaigns, which tend to be dilutive (paid out of inflation), may withdraw their funds after campaigns have ended. Currently, Maple has two $500k campaigns supporting the syrup and SOL pools. This is limited versus the size of the protocol, which suggests deposited capital and its returns are organic and sustainable.

Secondly, large upcoming dilutive events may weigh on valuations: a high c.95% of Maple’s tokens are in circulation, meaning future dilution is muted, so this does not justify the current discount versus peers either.

Tokenomics

As opposed to many other DeFi protocols, MPL isn’t just a governance token — it is also set to share in the economic upside of the protocol:
• 20% of protocol revenue is allocated to token buybacks and staking rewards. Although on the lower side, an increase in this percentage can underpin a further valuation rerating.
• ~95% of supply is already in circulation, with ~45% staked. Current staking yields range 2.8–5%, though still partially inflated by emissions.
• syrupUSDC benefits users via yield, but not directly through MPL appreciation. They do get indirect exposure via the governance token and have a say on treasury spending (think token buybacks or higher staking yields).
• Crucially, no major unlocks are coming.

Risks

• Market risk: despite overcollateralisation, a very sharp drop in collateral (BTC, ETH, and other blue chip cryptocurrencies) could threaten pool solvency.
• Profitability limits: with 70% of fees going to delegates, protocol margins are slim.
• Regulatory risk: this is more likely to be a catalyst with the new SEC administration.
• Growth ceiling: with syrupUSDC already ~67% utilized and other pools at 100%, further attraction of funds will be needed to further grow revenue. The team is well connected in this respect, and both visibility and regulatory momentum are increasing.

Positive catalysts: growth, growth and more growth
• via more integrations for syrupUSDx on the DeFi side and on the LP side. Momentum is already there.
• via the expansion of BTC-backed credit and US Treasury strategies.
• a growing institutional borrower base (exchanges, market makers, family offices). Maple has strong knowhow of both DeFi and CeFi, and its network makes it well positioned to bridge the gap between both.
• potential governance moves to improve MPL utility or revenue share.

Conclusion

DeFi is getting into the spotlight and is well positioned for structural growth. CeFi-positive regulatory frameworks are coming, and Maple is a protocol that is well positioned to profit from the large wall of money that is likely going to flow on chain. Its recent growth metrics underpin the recent price appreciation, but as its fundamentals are growing rapidly, its valuation does not screen expensive versus peers.

@maplefinance @syrupsid @syrupfi @joe_defi

Maple Protocol’s outperformance set to continue was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

All Been Crypto — Week 13 June 2025

All Been Crypto — Week 13 June 2025

A roundtrip week where we looked to break new ATHs and then corrected back to the 105k level, BTC +2% WoW, with ETH even pushing higher before settling at 2500, +3% WoW. Outperformers were blue chip DeFi tokens UNI +30% and AAVE +15%, while FET -10% despite the latest breed of treasury companies now also including one for FET. More BTC treasury news, too much for me to keep up, Coinbase teaming up with AMEX for a branded card, and hot on the heels of Circle’s blockbuster IPO we have Gemini and Bullish filing. SocGen and BofA are touting stablecoins, Walmart and Amazon are mulling, and even the DTCC, the main clearinghouse for the US stock market, is exploring issuing a stablecoin. Enjoy reading!

Bat Tai Chi — [email protected]:

SEC withdrew controversial custody rules proposals

The new Chair of the SEC is pro crypto and continues to clean up Gary Gensler’s ‘mess’. This week the agency formally withdrew several proposed rules with regards to custody and DeFi. Paul Atkins even came out with a strong statement supporting the right of self custody. The previous rules would have applied exchange requirements to DeFi protocols, basically outlawing them, as permissionless smart contracts are very hard to bring into compliance with KYC regulation. The withdrawal doesn’t come as a surprise to us now, given how the new administration is in favor of our industry, but it shows how far we have come already.

Bitcoin Core pushed OP_RETURN upgrade

Now if you are not deep into Bitcoin code upgrades you might have missed this, but within the community this was a hefty debate, and of course some will even compare it with the blocksize wars that resulted in the BCH fork. I’ll break it down for you very simply. OP_RETURN is a way to inscribe data into a block. It does that by allowing users to append metadata to a Bitcoin transaction without affecting its financial function. This metadata can include things like text, pictures, or digital signatures. The size has been quite small, only 83 bytes per OP_RETURN and only 84kb per block, but the new upgrade to Bitcoin Core will now allow up to 4MB. It not only brings back the old debate on ‘spam’ or non-monetary transactions on Bitcoin but also the political debate on code upgrades with Bitcoin Core, and of course it reminds us that while the core software of Bitcoin remains untouchable there are of course code upgrades continuously being made, and as adoption and prices go up the stakes get higher too. Many Maxis are opposed to this and are now sour at the Bitcoin Core devs too, alleging that they are picking sides. The debate is still very topical, and I find it fascinating that while Larry Fink keeps distributing BTC exposure via iBIT to Mum & Pop, very few understand “Bitcoin Core”.

Twitter (X) partnering with Polymarket

X, formerly Twitter, is natively integrating Polymarket as its official prediction partner. Polymarket rose to fame during the US election, where volumes went through the roof and prices accurately reflected shifts in sentiment way ahead of polls. Many expected a fading of the platform since post-election volumes of course dropped. Well, most metrics are still far below where we were last year, but this X deal could significantly change that. Elon loves it and obviously doesn’t care that it’s run on Polygon; in fact probably most users won’t, yet it will be the prime case for account abstraction. Might go as far as saying that prediction markets are the 3rd main use case for crypto, besides BTC as store of value and stablecoins as eurodollars, but then again betting is also similar to the onchain casino called DeFi.

QUOTES:

“The right to have self-custody of one’s private property is a foundational American value that should not disappear when one logs onto the internet. I am in favor of affording greater flexibility to market participants to self-custody crypto assets, especially where intermediation imposes unnecessary transaction costs or restricts the ability to engage in staking and other on-chain activities.”
SEC Chair — Paul Atkins

“The bull case becomes that over time young people care about it more than old people so gold slowly gets replaced by Bitcoin. If you look at gold’s market cap and Bitcoin’s market cap, Bitcoin has a long way to go, 10x, and so that’s 1mm Bitcoin just to be where gold is.”
Galaxy Digital founder and CEO — Mike Novogratz

“BIG update — As the largest holder of POL and someone who dedicated his life to development and success of Polygon from the very beginning, I have decided to take full control of Polygon Foundation and will be its CEO going forward. […] I’ve always stayed away from moving into the CEO role because I’ve been focused on building PF as an institutionally governed foundation. But right now, Polygon needs clear direction and focused execution and that means stepping up.”
Polygon Founder — Sandeep Nailwal

All Been Crypto — Week 13 June 2025 was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
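The OP_RETURN section of the newsletter above talks about size limits without showing what is actually measured. As an added example that is not part of the post, the Python below builds an OP_RETURN output script with the correct push opcode for the payload length, parses one back into its data items (rejecting anything that is not OP_RETURN followed only by pushes), and applies a node's data-carrier size policy to the whole script. Opcode values and push encodings are Bitcoin's real script rules; the 83-byte default is Bitcoin Core's long-standing policy limit referred to in the post, and the 4MB figure in the demo is simply the number the post cites, used here for comparison.

```python
# Added example: OP_RETURN script construction, parsing and policy check.
# Opcode values are Bitcoin script's real encoding; the 83-byte default is
# Bitcoin Core's long-standing datacarriersize policy (1 byte OP_RETURN +
# push opcode bytes + up to 80 data bytes).

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E
OP_1NEGATE = 0x4F

DEFAULT_DATACARRIERSIZE = 83  # policy limit applies to the whole script, not just the payload


def push_data(data: bytes) -> bytes:
    """Encode one data push using the smallest push opcode for its length."""
    n = len(data)
    if n <= 75:                      # n == 0 yields OP_0; otherwise a direct push of n bytes
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def op_return_script(payload: bytes) -> bytes:
    """scriptPubKey of a data-carrier output: OP_RETURN followed by one push of the payload."""
    return bytes([OP_RETURN]) + push_data(payload)


def parse_op_return(script: bytes):
    """Return the pushed items if `script` is OP_RETURN followed only by pushes
    (the shape Bitcoin Core classifies as NULL_DATA), otherwise None."""
    if not script or script[0] != OP_RETURN:
        return None
    items, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 75:
            n = op
        elif op == OP_PUSHDATA1:
            if i + 1 > len(script):
                return None
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2:
            if i + 2 > len(script):
                return None
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == OP_PUSHDATA4:
            if i + 4 > len(script):
                return None
            n = int.from_bytes(script[i:i + 4], "little")
            i += 4
        elif op == OP_1NEGATE or 0x51 <= op <= 0x60:  # small-number pushes OP_1NEGATE, OP_1..OP_16
            items.append(b"\x81" if op == OP_1NEGATE else bytes([op - 0x50]))
            continue
        else:
            return None  # any non-push opcode disqualifies the script
        if i + n > len(script):
            return None  # truncated push: the script claims more bytes than it has
        items.append(script[i:i + n])
        i += n
    return items


def is_standard_datacarrier(script: bytes, datacarriersize: int = DEFAULT_DATACARRIERSIZE) -> bool:
    """Mirror the relay policy: a NULL_DATA script whose full size fits the configured limit."""
    return parse_op_return(script) is not None and len(script) <= datacarriersize


def payload_limit(datacarriersize: int) -> int:
    """Largest single payload whose script still fits under `datacarriersize`.
    Script length grows monotonically with payload length, so binary search is valid."""
    lo, hi = 0, datacarriersize
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if len(op_return_script(bytes(mid))) <= datacarriersize:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for size in (80, 81, 300):  # constructed payloads around the default boundary
        s = op_return_script(b"\x00" * size)
        print(f"payload {size:>3} -> script {len(s):>3} bytes; "
              f"standard@83={is_standard_datacarrier(s)} standard@4MB={is_standard_datacarrier(s, 4_000_000)}")
    print("max payload @83:", payload_limit(83), " @4MB:", payload_limit(4_000_000))
```

An 80-byte payload lands exactly on the 83-byte default, while 81 bytes forces OP_PUSHDATA1 and a 84-byte script, which is why the default has always been described as an 80-byte data limit.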

The Bitcoin Supply Crisis No One’s Talking About

Everything is changing much faster than the human mind can catch up with. Continue reading on Coinmonks »

DeFi Marketing Costs in 2025: A Complete Pricing Breakdown

Let’s face it: DeFi isn’t the underdog anymore. It’s crowded, competitive, and constantly evolving. In 2025, we’re looking at thousands of protocols all fighting for the same spotlight, and that means one thing: if your project isn’t marketing itself smartly, it’s practically invisible. Gone are the days when a few tweets or a basic website could generate buzz. With stricter platform policies, declining organic reach, and a user base that’s way more selective than it used to be, DeFi teams can’t afford to “wing it” anymore. Marketing has become a make-or-break investment, and yes, it comes with a price tag.

That’s where this guide comes in. We’re not just tossing around fluffy advice. You’ll get real insights into what it actually costs to market a DeFi project in 2025. We’re talking detailed pricing on everything from influencer campaigns and airdrops to PR placements, paid ads, and community management. But we won’t stop there. You’ll also walk away with smart strategies, planning tips, and a clear sense of how to build a budget that delivers real traction, not just vanity metrics. Think of this as your all-in-one handbook for navigating DeFi marketing without burning through your funds. Ready? Let’s break it down.

The 2025 DeFi Marketing Landscape: What’s Changed

Let’s be real: DeFi in 2025 is nothing like it was a couple of years ago. Back then, just launching a token was enough to turn heads. Fast forward to now, and you’re competing with over 2,000 new DeFi protocols launched in the past year alone. The space is saturated, and the audience? They’ve seen it all. If your project isn’t bringing fresh value and a sharp marketing game, you’re already behind.

DeFi marketing services in 2025 are all about strategy over splurge: master your budget to outpace the competition and scale with confidence.

The organic reach that once gave small teams a fighting chance is fading fast. Twitter’s algorithm is tougher, Discord is noisy, and Telegram? Even more cluttered. Paid growth has stepped in to fill the gap, but that also means you need a bigger budget just to be seen. On top of that, compliance regulations are tightening across the board. Ads on platforms like Google and Meta now face crypto-specific restrictions, making it harder to launch campaigns without getting flagged or banned.

And here’s the kicker: users are more skeptical than ever. Thanks to rug pulls and scams, trust has become a currency of its own. That means projects are spending more just to prove they’re legit: think audits, transparent content, community support, and PR. In short, trust-building isn’t a nice-to-have anymore; it’s a core marketing cost.

Where Your Budget Goes: The Essential DeFi Marketing Channels

Now that you’ve seen how the landscape has shifted, let’s break down where your marketing dollars actually go in 2025. Spoiler: it’s not just about influencers or fancy landing pages anymore. Here’s where serious DeFi projects are investing:

Community Building (Telegram, Discord, Reddit)
This is your foundation. Think of Telegram and Discord as your real-time engagement hubs, where users expect direct access to the team. You’ll need active moderators, daily content, and structured conversations. Reddit, meanwhile, is great for organic buzz and trust-building, but it requires thoughtful content and consistent moderation.

Influencer Marketing (X Threads, YouTube, Quote Tweets)
Influencers still hold weight, but the game has changed. In 2025, it’s about niche relevance over follower count. Micro-influencers on X (Twitter) are driving higher engagement, especially when they break down protocols in threads. YouTube explainers remain powerful for onboarding, and paid quote tweets from big names are still pricey but effective when timed with announcements.

Performance Ads (Coinzilla, Google, Crypto Ad Networks)
If you’re not running ads, you’re invisible. But with Google tightening restrictions on crypto keywords, many teams are shifting to niche platforms like Coinzilla or Bitmedia. CPM rates range from $10 to $60, depending on the format and placement. Banner ads, sponsored newsletter spots, and pop-unders are all part of the mix now.

Content Marketing (SEO Blogs, Explainer Videos, On-Chain Guides)
Long-form content isn’t just for search; it’s also about education. In a trust-starved market, SEO-optimized blogs that explain your protocol in plain English go a long way. Combine that with video explainers or even TikToks (yep, DeFi is there too), and you’ve got a content stack that builds both authority and conversion.

Public Relations (Press Releases, Guest Features, Podcasts)
Want credibility? Get covered. Press releases in crypto media (like Cointelegraph or CryptoSlate) cost anywhere from $500 to $5,000. But that’s just the start. Securing guest posts or podcast interviews with Web3 thought leaders adds real weight and gets you in front of new, qualified users.

Web3 Events (AMAs, Twitter Spaces, Virtual & IRL)
Events aren’t just buzz-generators; they’re trust signals. Hosting AMAs in partner communities, joining Twitter Spaces with influencers, or setting up booths at crypto conferences are all ways to engage deeper. They take time, money, and planning, but the ROI, especially for user acquisition, can be significant.

Airdrops and Rewards (Referrals, Bounties, Token Incentives)
Let’s be honest: everyone loves free tokens. But airdrops aren’t just giveaways anymore. Smart projects tie them to actions like wallet creation, social sharing, or governance participation. Referral programs and bounties also drive viral growth, but beware: budget for bots and filters to avoid gaming.

Pricing Breakdown by Channel (What Marketers Really Pay)

So, what does DeFi marketing really cost in 2025? Let’s break it down by category so you can see where your funds will actually go. Spoiler: it’s not cheap, but it doesn’t have to drain your treasury either.

Community Management ($2,000–$8,000/month)
This is your frontline. Whether it’s Discord, Telegram, or Reddit, you need active moderators who don’t just kick spammers; they engage users, answer questions, and build culture. A basic setup might cost $2,000 a month, but if you want a round-the-clock global team, expect to pay $5,000 to $8,000.

Influencers ($500–$50,000/post)
This one’s a wide range, and for good reason. A micro-influencer with a niche but loyal following might charge $500 for a Twitter thread. A top-tier YouTube creator or well-known DeFi personality? You’re looking at five figures. The trick is to focus on audience quality over follower count.

Paid Ads ($10–$60 CPM, $2–$5 CPC)
Ad rates in the crypto niche are always premium. Banner ads on platforms like CoinGecko or CoinMarketCap run between $10 and $60 per thousand impressions. If you’re running CPC (cost per click) campaigns through crypto-specific ad networks, expect rates around $2–$5 per click. It adds up fast, so watch your targeting.

PR Placements ($300–$5,000/article)
Getting featured in well-known crypto publications isn’t cheap, but it’s still one of the most effective ways to boost credibility. Budget-friendly placements might cost a few hundred bucks, while top-tier sites like Cointelegraph or Decrypt can charge several thousand for a single article.

Content Creation ($100–$1,000/blog or video)
This includes SEO blogs, whitepapers, YouTube videos, and everything in between. Freelance writers might charge $100 for a quick piece, while high-quality video explainers or in-depth guides can go up to $1,000 or more. Good content builds trust, so this isn’t where you want to cut corners.

Airdrops & Incentive Campaigns ($10,000+ per round)
Airdrops are still a crowd-puller, but they’ve become more strategic. Budget at least $10K if you want to run a campaign that attracts real users, not just bots. Tie participation to smart actions (wallet creation, staking, referrals, or governance votes) to make it worthwhile.

Tools & Automation Platforms ($500–$5,000/month)
Think analytics dashboards, community automation, email marketing tools, KYC platforms, and campaign trackers. Most early-stage projects can get by with $500–$1,000/month. At scale, tools like HubSpot, Sprout Social, or on-chain analytics platforms can push your budget to $5,000/month or more.

Total Marketing Budget Examples by Project Stage

Not every DeFi project is working with a unicorn-sized wallet. Here’s how typical budgets look across different stages of growth, so you can plan accordingly.

Bootstrapped Startup (Pre-launch): $5,000–$15,000/month
If you’re pre-launch, your focus is on building hype and credibility. Expect to allocate:
• $2,000–$4,000 for community setup and management
• $1,000–$3,000 for influencers or early KOLs
• $1,000 for a content writer and blog setup
• $500–$2,000 for a small airdrop or incentive push
• Remaining budget toward design, basic PR, or tools
Lean and smart is the name of the game here. You’re not trying to go viral; you’re trying to show up, be seen, and start building a trusted brand.

Growth Phase (Launch to Product-Market Fit): $15,000–$50,000/month
Now you’re live and trying to scale. Budgets usually shift toward:
• $5,000–$10,000 for influencer campaigns
• $4,000–$8,000 for community and mod teams
• $5,000–$10,000 in paid ads and PR
• $2,000–$5,000 for content creation and distribution
• $2,000–$10,000 for well-structured airdrop or referral programs
• Tools and tracking eat up another $1,000–$3,000/month
This is the phase where you need consistent visibility. Budgeting gets a little more aggressive, but so does the payoff if you execute right.

Scaling Protocol (Series A and Beyond): $50,000–$150,000+/month
At this level, you’re playing in the big leagues. Projects here often include:
• $20,000–$50,000 on premium influencers and video creators
• $10,000–$20,000 for global community ops across time zones
• $10,000+ in paid ad campaigns across multiple networks
• $5,000–$10,000 for multi-lingual content and translation
• $10,000–$20,000 in recurring PR and sponsored placements
• $5,000+ in analytics, social listening, automation, and security tools

Hidden Costs You Didn’t See Coming

You’ve got your budget mapped out. Influencers? Check. Paid ads? Check. Content and PR? All set. But here’s the kicker: DeFi marketing in 2025 comes with a bunch of hidden costs that don’t show up in pitch decks or agency quotes. These can drain your funds faster than you think if you’re not careful.

Token Volatility: The Budget Shifter
Pricing your campaigns in your native token might sound smart, until your token tanks 40% overnight. Suddenly, your influencer campaign costs twice as much, or worse, your ad deal falls apart. Token volatility isn’t just a market problem; it’s a marketing problem too. Always keep stablecoin buffers to hedge these swings.

Legal & Compliance Reviews
You might think, “We’re decentralized, we’re good.” But platforms, ad networks, and even influencers are getting stricter about legal clarity. That means lawyers. Whether it’s a quick review of your whitepaper or full KYC/AML compliance for ad platforms, legal consulting fees can add up to thousands per month. Ignore it, and risk being blacklisted.

Bot Traffic & User Acquisition Fraud
Think your airdrop brought 20,000 new users? Dig a little deeper and you might find half of them are bots or multi-wallet farmers. Without proper filters and tools, you’re throwing money at fake growth. You’ll need bot protection tools and some manual vetting, both of which cost time and money.

Unvetted Influencers = Reputation Damage
Partnering with the wrong influencer can tank your credibility. In 2025, the space is flooded with shillers posing as experts. If one of them gets caught in a rug pull, and your name is on their feed? Guilt by association. Vet every KOL like you’d vet a developer: no shortcuts.

“Shadow Budgets” for Crisis Control
Here’s one most teams won’t admit they have: a secret stash set aside for when things go sideways. A hacked smart contract, a nasty Reddit thread, or an X scandal? You’ll need instant PR support, crisis comms, or even a full-scale reputation management campaign. Plan for the worst, even if it never comes.

How to Get More from Every Dollar: ROI Optimization Tactics

Now for the good news: you can squeeze more ROI from every marketing dollar with a few smart moves. It’s not about spending less; it’s about spending smarter.

Start Small, Scale Smart
Before you throw $10K into a campaign, run a micro test. Whether it’s a $500 influencer thread or a week-long ad sprint, small batch testing helps you find what works before you scale. Measure clicks, conversions, and retention, not just impressions.

Own Your Audience
Stop renting attention from ad platforms. Build assets you control. Grow your email list, nurture your Discord server, and create Telegram communities that stick. These channels cost nothing to reach once you build them, and they convert better because they trust you.

Create Loops, Not Silos
Don’t let marketing channels work in isolation. Tie influencers to airdrops, link Discord invites to content releases, and make your incentive programs reward participation across platforms. When users engage in multiple ways, they’re more likely to stick around and spend.

Track What Actually Matters
Forget likes and impressions. Track CAC (Customer Acquisition Cost), LTV (Lifetime Value), and retention, especially on-chain behavior. Wallet analytics, smart contract interactions, and governance participation are far more telling than social metrics.

Leverage Grants & DAO Treasuries
Why spend your own funds when the ecosystem can help? Apply for foundation grants, partner with DAOs, or co-launch campaigns with layer-1 chains. Many networks have marketing budgets to support promising dApps; they just need a solid proposal.

Case Studies: Real Marketing Campaign Budgets That Worked

Let’s move beyond theory and talk results. These real-world examples show how different DeFi projects got creative with their budgets and saw serious traction.

Case 1: A $25K/Month DEX Launch Focused on Community First
One decentralized exchange kicked off with a strong belief: community is everything. Instead of dropping their budget on paid ads, they went all-in on Telegram and Discord management, AMAs, and a steady flow of educational content.
• $10K/month went to experienced mods and community leads across multiple time zones
• $5K funded weekly contests and meme bounties
• $7K was used for SEO-optimized blog content and explainer videos
• $3K kept social media buzzing with short-form clips and trending posts
The result? A loyal core user base that did most of the marketing themselves through word of mouth. No flashy influencers, just organic traction.

Case 2: A Yield Farming Protocol That Onboarded 100K Users with $60K
A DeFi yield aggregator had one goal: massive user growth in a short time. Their strategy? Marry influencers with incentives.
• $35K went to tiered influencer campaigns (YouTube reviews, Twitter threads, TikTok explainers)
• $20K funded an airdrop tied to wallet activity and referral signups
• $5K handled analytics, fraud protection, and campaign monitoring
With the influencer buzz driving traffic and the airdrop giving users a reason to stay, the platform hit 100,000 wallets within two months. The key? They staggered the drops to avoid farming abuse and boosted engagement with social rewards.

Case 3: A DAO Token Launch That Nailed 3x ROI via Twitter Spaces and PR
This DAO didn’t throw money at ads. Instead, they focused on community-led storytelling and press.
• $8K went into scheduling a series of high-traffic Twitter Spaces with influential builders and researchers
• $10K was used to secure PR spots on CoinDesk, Bankless, and smaller niche blogs
• $2K was dedicated to designing beautiful, shareable infographics for X and Telegram
• The rest was managed internally with a lean in-house team
They tracked engagement per channel and realized Twitter Spaces alone accounted for 70% of traffic during launch week, proof that conversation sometimes beats promotion.

How to Build a Smart DeFi Marketing Budget Plan

Now that you’ve seen how others are spending, let’s talk about building your own plan. It doesn’t have to be complicated; it just needs to be intentional.

Start with Your North Star Metrics
Define what success looks like. Is it customer acquisition cost (CAC)? Token ROI? CPM (Cost Per Mille)? Lifetime value (LTV)? Choose the ones that matter most for your growth stage and structure your goals around them.

Map Budget by Funnel Stage
Think of your budget like a user journey:
• Awareness: Influencers, PR, social ads
• Engagement: Community events, AMAs, Discord activity
• Conversion: Landing pages, airdrops, referral bonuses
• Loyalty: Retargeting, email flows, governance participation
Allocate spend across each stage. Most early-stage projects spend too much on awareness and forget that retention costs real money too.

Assign Roles Clearly
Who’s handling what? Don’t let things fall through the cracks. Assign budgets and deliverables to a mix of:
• In-house teams for core brand voice and community
• Agencies for PR, influencer outreach, and scaling
• Freelancers for quick-turn blogs, video scripts, or ad creatives
Mixing internal and external teams keeps your operations flexible and lean.

Don’t Forget the Chaos Buffer
Crypto moves fast and breaks often. Set aside 10–20% of your monthly budget as a contingency fund. You might need it for:
• Legal reviews after a last-minute partnership
• FUD control if a tweet goes sideways
• Adjusting campaigns during market dips
Preparedness is your best defense.

Monitor, Measure, Modify
Review performance monthly. What’s converting? What’s flopping? Use on-chain data, website analytics, and social engagement to spot trends. Don’t be afraid to shift resources if something’s working better than expected.

Conclusion

In 2025, DeFi marketing isn’t just a cost; it’s a strategic investment that can make or break your project. With increasing competition, tighter regulations, and a more discerning user base, success demands more than a flashy campaign: it requires careful budgeting, deep understanding of each channel’s ROI, and readiness for the unexpected. Whether you’re launching a new protocol or scaling a mature platform, the key lies in blending smart spend allocation, data-driven decisions, and community-driven engagement. Nail your marketing strategy now, and you won’t just survive the DeFi wave; you’ll lead it.

DeFi Marketing Costs in 2025: A Complete Pricing Breakdown was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.


The 2024 Crypto Crime Report

More than $8.3 billion was stolen by crypto hackers and fraudsters in 2024, with at least 519 crypto-related crimes recorded throughout the year.

May 2024 saw the largest monthly losses, totaling nearly $580 million, primarily due to the DMM Bitcoin hack, the biggest crypto heist of the year.

Figure: Crypto Crime Monthly Losses 2024

One common feature shared across 2022, 2023, and now 2024 is that, contrary to popular belief, scam-related activities — not hacks — have been the most devastating for the crypto space. In 2024 alone, $5.84 billion was lost to scams, accounting for over two-thirds (70.3%) of the total amount drained from both retail investors and Web3 actors alike.

Figure: Monthly Crypto Crime Typology 2024

This figure probably barely scratches the surface of the true scale of crypto scams in 2024. Scams like crypto Ponzi schemes can take time to unravel and are often only discovered a year or more later, as seen with the $1 billion Novatech FX Ponzi scheme. Additionally, the total global financial damage caused by pig butchering scams in 2024 is still unknown, with losses reported sporadically.

Additionally, although exit scams appear to have dropped significantly in 2024, with the number of such crimes recorded being approximately 60% lower than in 2023, this decline may not accurately reflect the true state of exit scams in the crypto space. A blind spot emerged in 2024, making data collection on exit scams particularly challenging — a topic we will address in detail below.

Meanwhile, hacks accounted for 293 incidents, marking an all-time high since 2022, with losses exceeding $2.5 billion.

Over 120,000 victims fell prey to crypto phishing attacks, with more than $1 billion siphoned through these schemes, setting a new record!

Figure: Top Crypto Crimes by Type 2024

The only silver lining is that the amount recovered after hacks and scams has shattered all previous records, with a total of $426.7 million successfully reclaimed.

This feat was made possible thanks to a technological leap in blockchain forensics, making it much easier to trace criminal activity. Increased collaboration among key crypto players, such as CEXs and Tether, along with initiatives from within the blockchain security community, have been crucial in preventing criminals from getting away with their crimes. Notably, this effort took shape through the Security Alliance (SEAL) initiative.

While 2023 proved to be a year rich in crypto criminal twists, with the emergence of new threats, 2024 truly distinguished itself by the persistence of those threats, which escalated to unprecedented levels. This was especially evident on the scam front, with address poisoning and wallet drainers as a ‘scam-as-a-service’ reaching new heights.
Meanwhile, a largely unaddressed brute force vulnerability in crypto wallets has netted attackers more than $260 million in the past two years.

The persistence of the same actors was also notable, particularly with North Korean threat groups, which wreaked havoc through a variety of methods and increasingly sophisticated technological tools, resulting in the theft of $1.3 billion.

Nevertheless, 2024 also had its share of new developments, with the emergence of at least two serial hackers specializing in private key exploits, while money laundering found two new homes through which proceeds from crypto scams and hacks are made the whitest whites and the brightest brights.

This year also witnessed a surge in targeted surgical attacks on individual owners of high-value wallets, with four such attacks collectively resulting in losses of $556 million. These attacks employed a range of tactics, from private key exploits to address poisoning and social engineering.

Our 2024 report on crypto crime is a comprehensive analysis, delving deeply into the most significant developments of the year, to provide an accurate overview of the events that shaped the realm of crypto crime in 2024.

Table of Contents

I. 2024 Crypto Hacks Landscape: Private Key Exploits and DPRK’s Reign, Oracle Breaches Persist, and the Rise of Insider Threats
  1 — Private Key Exploits: 2024’s Most Lucrative Hack, Driven by DPRK Activities and the Persistent Threat of Brute Force Attacks
  2 — Oracle Exploit: The Unexpected Crypto Hack Guest of 2024
  3 — The Enemy Within: How Not Keeping Track of Who Has Access to What Can Lead to Fatal Losses
II. 2024 Crypto Scams: Billions Lost by Retail Investors to Wallet Drainers, Address Poisoning, and Exit Scams
  1 — 2024, The Year of Crypto Wallet Drainers
  2 — Address Poisoning: A Persistent and Destructive Threat
  3 — Pump.Fun: The BlindSide of Rug Pull Activities
III. Crypto Money Laundering: The Rise of Two Devastating New Players in 2024
  1 — Railgun: A 2024 Rising Star in Money Laundering
  2 — Huione Group: The New Epicenter of Pig-Butchering and Crypto Money Laundering

I. 2024 Crypto Hacks Landscape: Private Key Exploits and DPRK’s Reign, Oracle Breaches Persist, and the Rise of Insider Threats

2024 solidified the hacking trends set in 2023, with private key exploits firmly dominating the crypto criminal landscape, accounting for a staggering $1.2 billion in losses. Smart contract exploits also set a new record for the number of incidents, with 100 reported, though the total stolen was far lower than could be expected, barely breaching the $196 million mark.

Figure: Top Crypto Hacks of 2024

Flash loan attacks claimed the third spot on the crypto hack podium, experiencing their worst year since 2022. In that year, 48 exploits resulted in $278 million in losses. However, after a record-breaking $316 million stolen through 72 incidents in 2023, the number of attacks — and the loot — dropped significantly in 2024, with only $123 million taken across 48 hacks.

Private key exploits occurred just as often, but resulted in losses ten times greater than flash loan attacks.

Over the past two years, DPRK threat groups have led the charge in private key hacks and associated losses, leveraging a highly effective social engineering machine.
However, the growing frequency and scale of losses suggest that private key exploits are no longer their exclusive domain — they’ve become a go-to tactic for a broad spectrum of crypto criminals.

Oracle exploits, for their part, should have been left in the dust of H2 2022 to Q3 2023, but have been persistently present throughout 2024.

Similarly, hacks linked to ‘enemies from the inside’ have continued to surface, and harshly question the security practices adopted by key players in the crypto space.

Private key exploits, oracle exploits, and insider hacks are the primary topics we will dive into in the section dedicated to the crypto hacking landscape, with a particular focus on private key exploits.

1 — Private Key Exploits: 2024’s Most Lucrative Hack, Driven by DPRK Activities and the Persistent Threat of Brute Force Attacks

Private key exploits have been the most profitable crypto hack for the second consecutive year, with at least $1.2 billion lost to them — double the amount from last year, across 47 attacks, nearly double the 24 attacks in 2023.

If they were one of the most commonly used exploits, it’s because they represent the surest route to scoring big in the crypto space for hackers and scammers alike, who target both crypto retail investors and crypto actors.

Web3 companies are particularly vulnerable to devastating private key exploits, as a 2024 report from Web3 firm De.Fi reveals. According to the report, governance framework mispractice poses a threat to 75% of top tokens.

Only 16.6% of the contracts analyzed were managed by multisig wallets, which require multiple private keys to approve any transaction. Multisig is not even a sophisticated security tool; using it is the most basic security step any protocol can take to safeguard against inside jobs, social-engineered or not, scams, and hacks.

Although this report primarily concerns tokens, it accurately represents the lax approach to security practice in the entire Web3 landscape. A lack of security measures proves to be a key factor in most private key exploits, through social engineering or otherwise, as sometimes only one compromised wallet is needed to compromise a whole protocol or CEX.

Private key governance has been so lax that, for instance, FTX faced a $447 million hack in November 2022, in which the attackers reportedly simply SIM-swapped one individual to gain access to the private keys and the wallet from which they would withdraw funds from FTX’s coffers. Later, it would be revealed that FTX stored private keys without encryption.

These lax security practices have become the Achilles’ heel of the crypto space, and North Korea’s state-sponsored crypto hacking groups quickly caught on. They have since become the private key boogeymen, usually claiming the biggest-hack-of-the-year title through these exploits. 2024 wasn’t an exception.

The surge in gains for 2024 can largely be attributed to a shift in targets, with centralized exchanges (CEXs) now in focus. The Japanese exchange DMM Bitcoin alone accounted for over $308 million in losses, marking it as the largest hack of the year.

Unsurprisingly, the main actors behind both the high-profit private key hacks and the shift in targets are, as you might expect, none other than the unchallenged crypto boogeymen themselves: DPRK threat groups.

In the early days of the crypto era, centralized exchanges were a security nightmare, making them the perfect target for criminals, as we recount extensively in our report ‘Mt. Gox Unveiled: The Real Story a Decade After the Collapse.’ Since then, much has changed, and CEXes have now taken on the allure of impregnable fortresses.

Naturally, DeFi protocols — with too often minimal security processes — then became the targets of choice.
A DPRK group pulled off its biggest coup, and with it the biggest crypto crime ever committed, by exploiting the Ronin network for $624 million.

But it appears DPRK threat groups have found the holes in those impregnable fortresses and are actively breaking in.

2024 was also the year when a fuller picture of DPRK crypto criminal activities was unraveled, revealing a scope beyond the simple “hacks” we’ve witnessed in previous years, which also intersects in part with private key exploit activity.

Concurrently, it appears at least two new serial hackers specializing in private key exploits set out to inflict even more damage on the crypto space.

2024 was also marked by the continuation of successful brute force attacks linked to the LastPass leak uncovered last year, with tens of millions vanishing from crypto users’ wallets. Additionally, it saw what appears to be the (a priori) largest recorded private key exploit suffered by a single individual, with $112.5 million lost.

In the following sections of this report, we will dive deeper into each of these developments 2024 witnessed, with DPRK state-sponsored criminal activities as our main focus.

I. The DPRK Private Key Exploit Threat: New Targets and Methods

2024 has been the best year ever for North Korea when it comes to profiting from their criminal activities in the crypto space, according to Chainalysis. They reportedly doubled their gains in just one year, with an astounding $1.3 billion stolen across 47 incidents — more than double the $660 million stolen across 20 incidents in 2023, and surpassing their own 2022 record of $1.1 billion. Among these incidents, at least 12 were private key exploits, accounting for over $724 million.

Figure (Source: Chainalysis)

But not only has the frequency of successful attacks accelerated at an intense pace, the scale of these attacks has also increased, with incidents of $50 million to $100 million — and beyond — occurring much more frequently than in 2023, according to Chainalysis data.

Figure (Source: Chainalysis)

The most interesting part, though, is that alongside those hundred-million-dollar attacks, Chainalysis also recorded a growing density of DPRK hacks at lower amounts, most notably around $10,000 in value.

Figure (Source: Chainalysis)

They are seemingly related to Operation Wagemole, which we will discuss soon, and which led, in some instances, to private key exploits.

At the heart of those criminal operations, the Lazarus Group is often pointed out.

A — Who is the Lazarus Group

Famously known for being behind the biggest crypto heist in history, the North Korean state-sponsored hacking group Lazarus seems, at first sight, to have heavily plagued the crypto space, with more than $3.5 billion stolen in the past 4 years.

But their might goes well beyond the crypto space. They have actually been plaguing the whole world for the last 17 years.

The hackers of the Lazarus group belong to the Reconnaissance General Bureau (RGB), a military intelligence division of North Korea, usually recognized by aliases such as Advanced Persistent Threat 38 (APT 38) and Hidden Cobra.
As per North Korean defector Kim Kuk-song, internally, the unit is referred to as the 414 Liaison Office.

But the full scope of Lazarus Group activity is heavily debated, as it is extremely complicated to define its true contours. According to the website Lazarusholic, which dutifully catalogues everything related to the Lazarus Group, at least 187 “actors” are linked to the group.

Defining what constitutes a subgroup of Lazarus, what is a byproduct of their direct orders, and what is only loosely related to their activity is a conundrum of epic proportions.

Figure: DPRK Threat Group Actors (Source: Lazarusholic)

In their September 2024 report on DPRK threat groups, cybersecurity company Unit42 notes that the Lazarus Group has become the default umbrella term for cybersecurity attacks attributed to North Korea. In fact, what gets reported as ‘Lazarus Group activities’ is the sum of the work of multiple specialized groups operating under the tutelage of the RGB. Unit42 reports at least six such groups: Alluring Pisces, Selective Pisces, Jumpy Pisces, Slow Pisces, Gleaming Pisces, and Sparkling Pisces.

Figure (Source: Unit42)

Out of those six groups, four are linked to crypto criminal activities. One, however, is a special case: Sparkling Pisces, also known as APT43, Emerald Sleet, Kimsuky, or THALLIUM. Their primary focus is espionage, and their crypto-related activities are usually limited to one area: money laundering through crypto cloud mining — a subject we have discussed at length in our report on them, ‘North Korea Launders Dirty Crypto through Clouds. Wait, What?’

The groups that are of interest to us are Alluring Pisces (APT38, Bluenoroff, Sapphire Sleet), Gleaming Pisces (Citrine Sleet), and Slow Pisces (Jade Sleet, UNC4899), whose activities over the years have been at the heart of the damage attributed to what is reported as the ‘Lazarus Group’ in the crypto space, especially when it comes to private key exploits. These groups are typically identified by the offensive tools they develop, specialize in, and use to launch campaigns.

According to cybersecurity firm Mandiant’s 2022 report, ‘Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations,’ which also harshly points out the trend of lumping together ‘sometimes even all of the North Korean APTs — merely as “Lazarus Group,”’ the activities attributed to the Lazarus Group are actually more closely related to ‘Lab 110,’ identified as North Korea’s main hacking unit within the 3rd Bureau, which specializes in foreign intelligence under the RGB. Even more specifically, it is the activity of the TEMP.Hermit group that is associated with the Lazarus Group.

Figure (Source: Mandiant)

They focus on attacking government, defense, telecommunications, and financial sectors globally to gather strategic intelligence for North Korea, according to Mandiant research.

The ‘Lazarus Group’ has traditionally been labeled as responsible for some of the largest cyberattacks worldwide.
Their activities date back as early as 2007, with ‘Operation Flame,’ which aimed to disrupt and sabotage the South Korean government.

Through the years, their attacks appeared to serve a double aim: disrupting states and structural national companies and systems, as well as banking much-needed funds to be funneled to North Korea’s coffers.

Classic cyberattack tactics employed vary from spear-phishing, watering hole attacks, droppers, malware, and backdoors to exploiting zero-day vulnerabilities.

Their most well-known exploit was the highly press-covered Sony Pictures hack in 2014, which took place as retaliation against the company for producing an extremely satirical movie about North Korea’s leader Kim Jong-Un, ‘The Interview.’

The latest global cyberattack targeted a Windows rootkit vulnerability, enabling the Lazarus group to gain extensive control over affected systems by suspending protected process light processes belonging to Microsoft Defender, Crowdstrike Falcon, and HitmanPro.

To understand the extent of their cyber criminal activity, when the BBC decided to cover the Lazarus Group, they needed to produce no fewer than 19 podcast episodes, and this only covers the tip of the iceberg.

Figure (Source: BBC)

The ‘Lazarus Group,’ which has become the go-to actor to which most DPRK APT crypto activities are linked, appears at first glance to be a vast organization with a seemingly infinite range of cyberattacks.

For clarity, since not every cryptocurrency-related criminal activity we will discuss is clearly associated with one of the three DPRK threat groups previously mentioned, and could be the actual work of the Lazarus Group, we will use the term ‘Lazarus Group’ to refer to attacks that have not been definitively attributed to any of them but have been widely reported as the work of the Lazarus Group.

When it comes to perpetrating crypto crimes, DPRK threat groups have over the years developed a very distinct criminal signature. This may suggest tight collaboration and coordinated efforts among them, all while exploring a wide range of cryptocurrency money-laundering techniques.

The Lazarus Group started its crypto heist journey with a bang when they forced the South Korean Bitcoin exchange Youbit to declare bankruptcy following two hacks perpetrated against it in 2017. These hacks led to the successive loss of 4,000 Bitcoin and 17% of their assets.

Over the following years, the Lazarus Group mainly focused on creating, deploying, and marketing multiple malicious cryptocurrency and bogus blockchain platforms, while hacking cryptocurrency actors from time to time. For instance, in 2018, they siphoned $530 million from the Japanese cryptocurrency exchange Coincheck.

However, by 2020, the crypto landscape had changed. This year marked the entry of cryptocurrencies into a whole new dimension, bringing in a flow of new entrants and funds. More than ever before, the crypto space was bursting at the seams with money, which, in turn, made the DPRK units operating as the Lazarus Group, as well as the Lazarus Group itself, intensify their attacks in a bid to get their hacked part of the pie.

Figure: Lazarus Group members Jon Chang Hyok (31), Kim Il (27), and Park Jin Hyok (36), charged by the U.S. for an over $1.3 billion cryptocurrency heist in 2021 (Source: The Hacker News)

Over the following years, the DPRK threat groups were successful in implementing a peculiar tactic that allowed them to score big on private key exploits: social engineering.

B — Social Engineering, Fake Jobs and Operation Contagious Interview

Alluring Pisces, Gleaming Pisces and Slow Pisces have all operated private key exploits through malware they have each developed.

AppleJeus is the malware signature of Gleaming Pisces; it is primarily used to distribute trojanized crypto trading applications as part of supply chain attacks.
Since 2018, these fake apps have tricked users into installing malicious software, which then stole private keys and credentials, allowing the group to drain victims’ cryptocurrency wallets.

Once installed, the malware deploys a backdoor which uses remote access trojans (RATs) and custom malware loaders to maintain access and escalate privileges.

AppleJeus focuses on stealing wallet.dat files, which store private keys in some wallets like Bitcoin Core. It also uses keylogging and clipboard hijacking to steal private keys and credentials when users copy them — bad habits that, unfortunately, many crypto users still have. Some versions of AppleJeus deployed memory-scraping techniques to extract private keys from applications before they were encrypted.

In its latest iteration, AppleJeus has been found to be exploiting a zero-day vulnerability in the Chromium browser engine, identified as CVE-2024-7971, in August 2024. CVE-2024-7971 allowed arbitrary code execution, facilitating the deployment of AppleJeus malware through malicious websites or compromised applications.

But it’s private key exploits through social engineering that have truly become the DPRK crypto villain signature.

It was through a simple PDF and a fake job offer that the largest crypto heist and private key theft in history took place in 2022, when the Ronin Bridge lost an astounding $624 million.

The culprit? Slow Pisces, also known as Jade Sleet (UNC4899), and their in-house-developed tool, TraderTraitor — a set of trojanized crypto trading apps designed to deliver custom malware that enables attackers to steal private keys, wallet credentials, and sensitive financial data.

Making its first known appearance in 2022, TraderTraitor bears eerie similarities to AppleJeus in its malicious tactics, with the main difference being its distribution method. While AppleJeus empties the wallets of crypto retail investors, TraderTraitor is used in social engineering campaigns that target crypto firm employees and developers through fake job phishing schemes.

Fake job phishing lies at the heart of the social engineering tactics behind DPRK private key exploits. Dubbed “Contagious Interview” by Unit 42 researchers, it involves attackers posing as employers to trick software developers into installing malware during the interview process, potentially leading to various types of theft.

The operation closely mirrors ‘Operation Dream Job,’ carried out by the Lazarus Group (Hidden Cobra/TEMP.Hermit) starting in 2020. It targets professionals in defense, aerospace, nuclear, and technology sectors with enticing ‘dream job’ offers. These offers prompted the installation of trojanized Virtual Network Computing (VNC) apps, allowing the Lazarus Group to siphon sensitive intelligence and establish persistent access.

The choice to implement a similar social engineering strategy could explain the confusion around who is truly behind the crypto criminal activities linked to DPRK.

This social engineering strategy has been a key element in some of the most significant heists orchestrated by the DPRK groups, netting them billions.

The compromise of private keys by the DPRK groups is often not recognized by the victim parties, especially centralized entities, until the FBI, a security researcher, or a security company comes forward to unveil it. The specific details of how it occurred are most of the time never fully disclosed, except for one case: the CoinsPaid hack.

Similar to the Ronin case, the private key exploit was made possible through malware implanted via ingenious social engineering tactics.

On July 22nd, 2023, the “Lazarus Group” stole $37 million from the Estonia-based cryptocurrency payments firm CoinsPaid via LinkedIn.

According to CoinsPaid’s post-mortem report, the Lazarus Group initially attempted to breach their systems through conventional hacking methods starting in March 2023. After months without success, they reverted to their successful tactic: the fake job offer route.

Figure: CoinsPaid Hack Timeline (Source: CoinsPaid)

They dangled extremely appealing high-salary job offers in front of CoinsPaid’s employees, with compensation ranging from 16,000–24,000 USD a month, and waited for an employee to fall into their trap.

Inattentive? Unaware of the risk? Either way, an employee took the bait and had a fake job interview with them, during which he was asked to download software to complete a technical task. Unfortunately, he did not conduct his job interview using his own personal computer but instead used one that provided access to CoinsPaid’s infrastructure.

The “software” was malicious code that allowed the Lazarus Group “to gain remote control of a computer for the purpose of infiltrating and accessing CoinsPaid’s internal systems,” per CoinsPaid. After gaining access to CoinsPaid’s infrastructure, they were able to successfully open a backdoor that “allowed them to create authorised requests to withdraw funds from CoinsPaid hot wallets.”

Figure (Source: CoinsPaid)

That’s how $37 million was lost to the “Lazarus Group.” Although the malware behind the hack was not disclosed, it is alleged to be TraderTraitor, with Slow Pisces as the masterminds.

This technique of finding weaknesses in people rather than code has proven to be fruitful. The contagious interview approach has been used and reused over and over.
And it has proven yet again how efficient it can be, as it was a mix of fake job offer and supply chain attack that brought DMM Bitcoin to its knees.

DMM Bitcoin: The Biggest Private Key Exploit of 2024 Enabled by a More Sophisticated Social Engineering Approach

On May 31st, 2024, centralized Japanese crypto exchange DMM Bitcoin announced that they fell victim to an exploit through which a staggering $308 million was lost.

About the exploit itself, DMM Bitcoin chose to stay rather tight-lipped, barely acknowledging that it was linked to an “unauthorized leak” from a company wallet, and that during their investigation, some of their services would be unavailable.

Figure (Source: Elliptic)

Thankfully, there were enough traces left on-chain to discern what could have gone down that day.

Through blockchain forensics, the blockchain security company Beosin discovered that the attack transaction was actually a simple direct asset transfer of funds from a DMM Bitcoin wallet to the attacker’s wallet. The second clue was that the attacker’s address mimicked the first and last characters of an address used as a DMM management address.

From these clues, two main scenarios emerged.

The first one: a multi-sig private key exploit. There was no “exploit” per se through this transaction, as it was a simple transfer of assets, typical of a private key exploit. Nevertheless, the transfer could also potentially indicate the exploitation of the signature service of DMM Bitcoin, underlined Beosin.

Figure: Attack Transaction (Source: Blockchain.com)

The second scenario is an address spoofing attack. As mentioned earlier, the attacker’s address and the DMM Bitcoin address looked similar, at least on the surface. This could indicate that, for an unknown reason, the transaction was initiated by DMM Bitcoin, but instead of the $308 million being transferred to another DMM Bitcoin address, the sender was led to send the funds to the attacker’s address. The mimicry of a DMM address could also be explained by the attacker trying to avoid security screening that could have stopped the transfer authorization within the DMM ecosystem.

The most likely scenario seemed to be a private key exploit, as the transferred amount is enormous, and the norm for any transfer of this extent is to send some funds as a test. It’s also hard to envision that a crypto exchange of this size would not whitelist their addresses. Plus, DMM Bitcoin themselves chose to address this hack as an “unauthorized leak,” hinting that it was more likely than not a private key leak.

After the hack, the attacker quickly dispatched the funds through ten Bitcoin wallets.

Figure (Source: Elliptic)

On July 15th, crypto sleuth ZachXBT alleged that the DMM Bitcoin hack was the work of the Lazarus Group after investigating the case and detecting ‘similarities in laundering techniques and off-chain indicators’ with Lazarus.

It took six months after the hack for the (almost) full extent of the truth to emerge. In December 2024, just weeks after DMM Bitcoin announced its forced closure following the attack, Japan’s National Police Agency and Tokyo Metropolitan Police Department disclosed that TraderTraitor was the malicious tool responsible for draining DMM Bitcoin’s assets.

The attack was meticulously planned, with Slow Pisces exploiting vulnerabilities in DMM’s infrastructure — specifically targeting Ginco, a Japan-based cryptocurrency wallet provider that manages DMM Bitcoin’s holdings.

In March 2024, a Ginco employee was targeted by a fake recruiter on LinkedIn. The recruiter lured the employee into clicking a link to a malicious Python script disguised as a pre-employment test hosted on GitHub. After copying the script to their personal GitHub account, the employee’s system was compromised.

Unfortunately for DMM Bitcoin, this employee had access to Ginco’s wallet management system. TraderTraitor allowed the impersonation of the tricked employee and full access to Ginco’s unencrypted communications system. Slow Pisces then bided their time, waiting for a genuine transaction request from a DMM staff member, which came in late May 2024.

Probably to improve the odds of success of their heist, Slow Pisces took the extra precaution of creating a spoofed version of the address to which the funds should have been sent, hoping to bypass security screening of addresses or to confuse Ginco long enough to take off.

Figure (Source: Certik)

Certik reported that the spoofed wallet had transacted with the DMM Bitcoin wallet once before the attack.

After the hack, as initially reported, Slow Pisces transferred the funds to intermediary Bitcoin addresses before they were reconsolidated through the Bitcoin CoinJoin Mixing Service, according to Chainalysis. After some bridge-hopping, they sent the funds to be laundered through Huione Group, a new player in the crypto money laundering industry, which we explore in-depth in this report.

Figure: Money Laundering of DMM Bitcoin Heist (Source: Chainalysis)

The combination of a private key exploit and a supply chain attack in the DMM Bitcoin case is particularly notable. Like other centralized exchanges (CEXs) and major DeFi protocols, DMM Bitcoin relied on third-party services like Ginco for security. However, by outsourcing security, they also outsourced the associated risks.
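The address-spoofing clue in the DMM Bitcoin case, an attacker address that shares the first and last characters of a legitimate one, is exactly what an abbreviated on-screen comparison misses, while the two controls the report mentions, exact-match whitelisting and a small test transfer before a large first transfer, catch it. The Python below is an added example written for this page, not code from the report, DMM Bitcoin or Ginco; the addresses, whitelist and threshold are constructed sample values.

```python
"""Outbound-transfer screening for a custodial or treasury wallet.

Added example (not code from the report, DMM Bitcoin or Ginco). It encodes
an exact-match destination whitelist and a test-transfer rule for large
first transfers. Addresses, amounts and the threshold are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample addresses (no real checksum): the spoof agrees with the
# legitimate address on exactly the characters an abbreviated view displays.
LEGIT_ADDRESS = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
SPOOFED_ADDRESS = "0x1a2bdeadbeefdeadbeefdeadbeefdeadbeef9a0b"

PREFIX_LEN = 6  # leading characters a typical abbreviated view shows
SUFFIX_LEN = 4  # trailing characters that view shows


def display_truncated(address: str) -> str:
    """Abbreviate an address the way explorers and wallet UIs do."""
    return f"{address[:PREFIX_LEN]}...{address[-SUFFIX_LEN:]}"


def is_lookalike(candidate: str, known: str) -> bool:
    """True when two *different* addresses share their visible edges."""
    if candidate == known:
        return False
    return (candidate[:PREFIX_LEN] == known[:PREFIX_LEN]
            and candidate[-SUFFIX_LEN:] == known[-SUFFIX_LEN:])


@dataclass
class TransferPolicy:
    """Exact-match whitelist plus a test-transfer rule for large amounts."""
    whitelist: Set[str]
    large_threshold: float  # in the wallet's unit of value (assumed)
    sent_before: Dict[str, float] = field(default_factory=dict)

    def screen(self, destination: str, amount: float) -> Tuple[str, str]:
        """Return (decision, reason); decision is allow, hold or block."""
        # Strip whitespace only. Never case-fold: base58 addresses are
        # case-sensitive and EIP-55 hex addresses use case as a checksum.
        dest = destination.strip()
        if dest not in self.whitelist:
            # Full-string comparison failed. Report a lookalike explicitly so
            # the operator sees a spoof attempt, not just an unknown address.
            for known in self.whitelist:
                if is_lookalike(dest, known):
                    return "block", f"lookalike of whitelisted {display_truncated(known)}"
            return "block", "destination not whitelisted"
        if amount >= self.large_threshold and dest not in self.sent_before:
            return "hold", "large first transfer: send a small test transfer first"
        self.sent_before[dest] = self.sent_before.get(dest, 0.0) + amount
        return "allow", "whitelisted destination"


def build_sample_policy() -> TransferPolicy:
    """Policy over the constructed whitelist; the threshold is an assumption."""
    return TransferPolicy(whitelist={LEGIT_ADDRESS}, large_threshold=1_000_000.0)


if __name__ == "__main__":
    policy = build_sample_policy()
    # Both addresses look identical once abbreviated, which is the whole trick.
    print(display_truncated(LEGIT_ADDRESS), display_truncated(SPOOFED_ADDRESS))
    for dest, amount in [(SPOOFED_ADDRESS, 5.0),
                         (LEGIT_ADDRESS, 2_000_000.0),
                         (LEGIT_ADDRESS, 1.0),
                         (LEGIT_ADDRESS, 2_000_000.0)]:
        print(display_truncated(dest), amount, *policy.screen(dest, amount))
```

The same full-string comparison is what catches a destination swapped by clipboard hijacking: the pasted address will not match any whitelisted entry, however similar it looks on screen.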
These third-party services can become an Achilles’ heel — vulnerabilities that might not even exist without them.

If there’s one thing DPRK groups are known for, it’s adaptability.

Since their fake job offer tactic became widely known in the crypto space over the past two years, they’ve developed alternative social engineering strategies, as we’ve just seen — incorporating supply chain attacks or finding new ways to deploy private key-stealing malware.

That’s exactly what Radiant Capital learned the hard way when they lost over $50 million on October 16th, 2024, to yet another DPRK private key heist.

This time, Citrine Sleet was behind the attack. On September 11th, a Radiant Capital developer received what seemed like an innocuous Telegram message from a supposed former contractor, asking if they could kindly review a new project. The message included a zip file and a domain that spoofed the contractor’s legitimate website, and it was passed around to other developers on the Radiant Capital team.

According to Mandiant’s research for Radiant Capital, the zip file contained malware named INLETDRIFT developed by Citrine Sleet, “which established a persistent macOS backdoor while displaying a legitimate-looking PDF to the user.”

Unbeknownst to them, the zip file compromised multiple devices, opening the door wide to Citrine Sleet and allowing them to display benign transaction data on the front-end while executing malicious transactions in the background.

Beyond their new and sophisticated approach to social engineering attacks, DPRK groups have paired these malicious efforts with the development of even stronger hacking tools, as we’ve just seen with the Radiant Capital hack.

Bypassing Security Through Continuous Technological Innovation

2024 was a year of innovation for them, bringing their infiltration tools to an even higher standard and making their attacks deadlier than ever, in terms of both the funds and the intelligence they capture.

The Nexera protocol fell victim to a devastating private key exploit, resulting in a multi-million dollar loss in 2024. The root cause? The North Korean BeaverTail malware.

During Unit42’s investigation of Contagious Interview, they discovered two new families of DPRK-made malware, which they named BeaverTail and InvisibleFerret.

They introduced new capabilities, allowing Contagious Interview to inflict greater financial damage, with greater efficiency, on all participants in the crypto space. Their expanded targeting now ranges from DeFi protocols to individual crypto users, with private key theft threatening popular wallets like Rabby.

How BeaverTail Operates —

BeaverTail’s core functionality revolves around the theft of sensitive information from compromised machines. As an info stealer, it has been deployed by DPRK threat actors in multiple campaigns aimed at ensnaring job seekers through various deceptive tactics.

Even when it was only “a JavaScript-based information stealer,” BeaverTail was already a powerful tool.

Once installed, BeaverTail performs initial reconnaissance on the infected system. It then downloads a secondary tool known as InvisibleFerret. This secondary tool is a Python-based backdoor that significantly enhances BeaverTail’s capabilities. InvisibleFerret includes features such as keylogging, data exfiltration, and remote control, allowing the malware to harvest a broad range of sensitive data.

Source: Unit42

“As an information stealer, BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. As a loader, BeaverTail retrieves and runs the next stage of malware, InvisibleFerret.” — Palo Alto

The BeaverTail-InvisibleFerret integration allows the attackers to conduct more comprehensive and persistent attacks, increasing the overall impact of the malware.

Since its first iteration, BeaverTail has evolved into a more complex and dangerous threat.

The malware now includes a native macOS variant designed to masquerade as legitimate software, such as MiroTalk, a video-conferencing application. This new iteration of BeaverTail was identified in July 2024.

The malware is adept at disguising itself as legitimate software, tricking users into downloading and executing it. The trojanized version of MiroTalk mimics the legitimate video conferencing service while actually delivering the malware.

Image 1: Trojanized Version of MiroTalk — Image 2: Scam Repo Alert by Victims of the Trojanized MiroTalk-BeaverTail Attack | Source: Unit42

Functionality and Features of macOS BeaverTail —

BeaverTail’s primary objective is to extract valuable information, particularly cryptocurrency-related data. The malware focuses on capturing browser extension IDs for popular cryptocurrency wallets, paths to user browser data, and macOS keychain information. This data is crucial for cybercriminals seeking to compromise cryptocurrency assets.

The newer macOS variant of BeaverTail operates as a native Mach-O executable, offering a stealthier and more efficient means of infection compared to its JavaScript predecessor. The malware’s behavior includes communicating with specific API endpoints, indicative of its sophisticated data exfiltration and command-and-control operations.

The evolution from the old JavaScript-based BeaverTail to the new native versions represents a significant advancement in the malware’s capabilities and sophistication.

1. Old BeaverTail (JavaScript-Based) — The earlier iteration of BeaverTail was distributed primarily through JavaScript files embedded within Node Package Manager (NPM) packages.

Source: Unit42

This version used obfuscated JavaScript to evade detection, operating within the constraints of a web environment. It was designed to target browsers and extract information related to cryptocurrency wallets and other sensitive data. The use of JavaScript made it somewhat less efficient and more easily detectable compared to compiled executables.

2. New BeaverTail — The newer version of BeaverTail is a native executable tailored for a specific operating system: macOS. For macOS, the malware is now a Mach-O executable.

These native versions offer several advantages over the JavaScript variant, including deeper system integration, more efficient execution, and improved stealth. Native executables can bypass some of the security mechanisms designed to protect against JavaScript-based threats and offer more robust capabilities for data exfiltration and system control.

But even worse, just a few weeks ago, Group-IB Threat Intelligence uncovered that a Windows variant of the malware, similar to the macOS version, is now also active.

The New Windows Version of BeaverTail —

The Windows variant of BeaverTail represents a significant development in the malware’s evolution.
Building on the capabilities of its predecessors, this new version extends BeaverTail’s reach beyond macOS, targeting Windows operating systems with sophisticated tactics.

Deployment and Operation

The Windows version, identified as FCCCall.exe and mimicking the legitimate “FreeConferenceCall.com” app, was part of a campaign observed by Group-IB Threat Intelligence between late July and early August 2024. This campaign is similar to the earlier operation that trojanized the MiroTalk application.

It also operates similarly to its macOS counterpart, performing functions such as data exfiltration and payload execution. This version also leverages the InvisibleFerret backdoor to enhance its capabilities, including keylogging and remote access.

Expansion of Targeting and Scope

The introduction of the Windows version and the expansion of targeting capabilities signify a strategic evolution in BeaverTail’s operations. The malware now targets a broader range of browser extensions and cryptocurrency wallets, including new entries such as Kaikas, Rabby, Argent X, and Exodus Web3, as reported by Group-IB Threat Intelligence.

The differences in deployment and functionality between the two versions highlight BeaverTail’s versatility and the attackers’ ability to adapt their tactics to various platforms. Each version is optimized for its target environment, enhancing the malware’s effectiveness and making detection more challenging.

This expansion shows that BeaverTail’s operators are intent on targeting a broader spectrum of victims’ cryptocurrency assets. The widened scope highlights the malware’s adaptability and the attackers’ determination to maximize their data theft operations, now extending their reach from small retail investors to large-scale “whale” targets.

The Emergence of OtterCookie, COVERTCATCH, and Operation99 —

On December 26th, 2024, NTT Security Japan revealed that Contagious Interview had been newly armed with another cyber-weapon, code name: OtterCookie.

According to them, OtterCookie, introduced in September 2024 and updated in November, is delivered through a loader that executes JavaScript from JSON data. It infects systems via Node.js projects, npm packages from GitHub or Bitbucket, as well as Qt and Electron app files.

The first version of OtterCookie was designed to steal Ethereum private keys. Its updated version not only improved this function but also enabled the theft of clipboard data and the execution of reconnaissance commands, NTT discovered. It is deployed either by itself or alongside BeaverTail.

Source: NTT Security Japan

Similarly, Mandiant reported in September 2024 that DPRK threat actors had been observed leveraging LinkedIn to target professionals, particularly developers, through fake job recruitment schemes, yet again. But in these attacks, they send ZIP files containing the COVERTCATCH malware disguised as Python coding challenges.

Social Engineering Trap on LinkedIn — Source: Mandiant

Once executed, the malware compromises the target’s macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.

In January 2025, another such operation was revealed by SecurityScorecard, codenamed ‘Operation 99,’ based on the names of the payloads Payload99/73 and Brow99/73.
Fake LinkedIn profiles posing as recruiters lure Web3 developers into cloning malicious GitLab repositories designed to exfiltrate sensitive data such as source code, configuration files, API keys, and cryptocurrency wallet credentials.

Fake DPRK Recruiter — Source: SecurityScorecard

The malware effervescence surrounding the Contagious Interview operation strongly indicates that the crypto space can expect more diverse and intensified exploit campaigns aimed at mapping the entire crypto ecosystem and exploiting every vulnerability — whether existing or newly created (by them) — to siphon off every available fund through private key exploits.

Social engineering and private key-stealing malware are not the only DPRK threats to contend with when it comes to private key exploits. The name of the third threat? Operation Wagemole.

C — Operation WAGEMOLE and DPRK IT Workers Gone Rogue

Dubbed ‘Wagemole’ by Unit 42, but also known as Famous Chollima, Nickel Tapestry, and UNC5267, the operation involves DPRK threat actors infiltrating organizations through unauthorized employment, with the dual aims of financial gain and espionage.

According to South Korea’s Ministry of Foreign Affairs, the operation is linked to the 313th General Bureau.

Unit 42 revealed that North Korean moles are using fake resumes to target a wide range of U.S. companies and freelance job marketplaces, using different U.S. VoIP numbers for contact. The reason for this concealment lies in Article 25 of U.N. Security Council Resolution 2375, which prohibits the employment of North Korean workers, particularly in situations where they are being paid wages that might fund the regime or its activities, including cyberattacks.

DPRK workers’ resumes link to well-maintained GitHub and LinkedIn profiles, making the accounts appear legitimate through frequent updates and interactions.

These fraudulent job seekers target on-site jobs but claim to be U.S.-based while temporarily abroad due to COVID, allowing them to ‘work remotely’ for many months — long enough to siphon intelligence and funds.

Their activities extend beyond the U.S., targeting global freelance markets, including Africa. Unit 42 has also identified that they use multiple accounts on various platforms and attempt to buy or borrow high-reputation accounts to conceal their true identities and win job bids.

Wagemole Operation Proofs Collected by Unit 42 — Source: Unit 42

DPRK IT workers have brought in at least $600 million annually to the North Korean regime, according to a 2024 UN Security Council report.

Source: IC3

The operation was first identified in the crypto space by Unit42 at the end of 2023, but 2024 was the turning point that revealed how far the DPRK IT worker rot had spread.

An August 2024 report from crypto investigator ZachXBT acted as a detonator. It revealed that DPRK workers had infiltrated countless crypto projects, with some of them maliciously siphoning at least $7.7 million from crypto entities in just a few weeks.

Fake Employees Data — Source: ZachXBT

A few weeks later, CoinDesk published a groundbreaking investigation titled ‘How North Korea Infiltrated the Crypto Industry,’ revealing that DPRK IT workers had been employees at crypto companies under fake identities as far back as 2018, “successfully navigating interviews, passing reference checks, even presenting impressive histories of code contributions (on GitHub).”

According to CoinDesk, ‘every hiring manager approached by CoinDesk for this story acknowledged that they had interviewed suspected North Korean developers, hired them unwittingly, or knew someone who had.’

In their interview, Zaki Manian, who unknowingly hired two DPRK workers for the Cosmos Hub blockchain in 2021, revealed to CoinDesk:

‘The percentage of incoming resumes, job applicants, or people wanting to contribute — any of that stuff — that are probably from North Korea is greater than 50% across the entire crypto industry. […] Everyone is struggling to filter out these people.’

In December 2024, the CEO of Morpho Labs revealed that at least 1 in 5 candidates they interviewed could be identified as DPRK IT workers.

Source: Paul Frambot

CoinDesk’s investigation also revealed the surprisingly diverse profile of DPRK IT workers, ranging from highly dedicated individuals who did great work to below-average ones. In some cases, multiple IT workers posed as a single person. From those who exhibited almost immediate suspicious behavior to ‘Employee of the Year’ award holders, the diversity in profiles and approaches can be easily explained.

The primary objective of the operation is long-term financial gain, and the Web3 ecosystem provides an ideal environment for this.
In the US, senior Web3 developers can earn approximately $180,000 annually, with salaries soaring up to $250,000 — making it the perfect target, which is why the operation is called ‘Wage-Mole.’

Most agents work solo, so depending on the opportunity and their hacking skills, staying low and collecting wages is often the best and most financially rewarding strategy. This is particularly true for older DPRK developers who have been in the field for nearly seven years and have built a legitimate work portfolio in the crypto space.

This explains why, despite DPRK IT workers’ deep infiltration of the space, crypto hacks related to the Wagemole operation had been almost non-existent — until 2024, which saw a slew of them, including private key exploits.

The first and most notable of these is the Munchables hack, which occurred in March 2024. During the attack, Munchables lost an estimated $62.5 million after a contract was maliciously altered. ZachXBT quickly uncovered that the four attackers identified were, in fact, one individual — a DPRK Web3 developer listed on GitHub as ‘Werewolves0493.’

But unlike his hacking colleagues from the 3rd Bureau, who have never returned money they stole in crypto history, this individual quickly returned the stolen funds after being outed. As for why, nobody truly has the answer.

On September 16th, the DeFi protocol Delta Prime fell victim to a private key exploit that cost them over $6 million.

ZachXBT revealed that Delta Prime was among the infiltrated targets he had identified back in August. Delta Prime had informed him that they had removed all the North Korean moles, but it seems it was already too late, as the protocol had already been compromised.

Source: Nefture

Barely 10 days later, on September 25th, DeFi protocol Truflation announced that, despite their multi-sig setup, they had suffered a $5.6 million private key exploit.

When interviewed by CoinDesk, Truflation was one of the most outspoken projects that had hired DPRK IT workers. They shared that in 2023, more than a third of their workers were DPRK IT workers. They first hired a certain “Ryuhei” through Telegram, who was allegedly based in Japan. Around the time of his recruitment, they were soon flooded by applicants, and they recruited four more DPRK Web3 developers, allegedly from the US, Canada, and Singapore.

ID sent by one of the DPRK IT workers to Truflation — Source: CoinDesk

They were recruited after sending their IDs, sharing their GitHub repositories, and successfully passing technical tests. But it didn’t take long before Stefan Rust, founder of Truflation, started noticing bizarre discrepancies — like Ryuhei pretending to be stuck in the middle of an earthquake in Japan when none was happening, multiple missed calls, and someone who was certainly not him picking up the phone — different voice, no Japanese accent.

It took one of their investors to reveal the full truth: they had hired DPRK IT workers. They immediately removed them once identified, ran extensive tests, and ramped up security — but it seems to have been in vain.

What’s intriguing about both cases is that Delta Prime and Truflation were in discussions with CoinDesk while CoinDesk investigators and ZachXBT were probing the DPRK operatives, even attempting to communicate directly with the workers in CoinDesk’s case. One theory regarding the timing of the hacks is that the concurrent investigations may have triggered the attacks.
It was perhaps only a matter of time before the affected teams, having been alerted, would notice the DPRK backdoors — so the attackers acted swiftly.

Another such story came to light in January 2025, regarding a private key exploit carried out in 2024 by an infiltrated DPRK IT worker.

On March 29th, 2024, Solana holders experienced a full-blown panic as Solana wallets appeared to be drained left and right.

Initially, suspicion fell on BONKbot, a popular Telegram trading bot, as the cause of the drain. However, they denied the claims. Subsequent investigation by their team revealed a common factor among the victims: they had all imported their private key into a compromised app.

Source: BONKbot

Although they chose not to reveal the compromised app, soon enough all the victims could be traced back to the Solareum project.

Solareum affirmed they were not exploited, nor the cause of the drain. They stated that they were certainly not executing an exit scam as they “DO NOT steal money,” and that they were “the victim here.”

Source: Solareum

That was at 5:11 PM.

At 5:37 PM, in a comment, not even in a post, they announced that “There maybe a chance we got exploited.”

Source: Solareum

Twenty-five hours after sending this message, they addressed their community, which had just been drained of over $1.4 million — about 30% of their user base — in a Telegram post.

In it, they announced the closure of their operations, offering no explanation for the incident, no post-mortem report on the exploit, no guidance on how to prevent further victimization of their users, and no compensation plan, despite their earlier assurance to do so if the drain originated from them.

Source: Solareum

Their farewell message displayed a staggering lack of sensitivity, as they cited ‘a combination of insufficient funds, evolving market trends, and a recent security breach to our systems’ as justification for their actions.

They claimed, ‘Over the past months, we have made concerted efforts to secure additional funding, adapt to market changes, and fortify our security measures. Despite these endeavors, the recent security breach has compromised the integrity of our systems, and we can no longer guarantee the safety of our users due to the lack of funds.’

What kind of company, whether in Web2 or Web3, closes shop 24 hours after an undisclosed hack and disregards its responsibility to its users in the same breath? We’ll let you answer that.

Ultimately, it took almost a year for the truth to come out.

The US Department of Justice revealed that less than four months before the hack, the Solareum team had unknowingly hired a North Korean developer. Taylor Monahan, lead security researcher at MetaMask, had discovered through her blockchain forensics efforts that the fund flows indicated there were “major overlaps with prior thefts involving DPRK IT workers.”

In December 2024, the Solareum team had announced that they were onboarding a new developer.

D — A Russian Connection to the Disappearance of DPRK APT Criminal Activities in H2 2024?

One notable development in DPRK groups’ activities in 2024 was the near disappearance of hacking operations in the second half of the year.

According to Chainalysis, the explanation for this shift lies in the international geopolitical landscape, particularly a recent realignment of alliances — most notably, the strengthening of the North Korean-Russian partnership.

Source: Chainalysis

On June 19th, 2024, Russia and the DPRK signed a mutual defense pact, ‘The Treaty on Comprehensive Strategic Partnership.’

Source: NK News

The pact came at a time of growing strategic collaboration between the two countries in recent years, including Russia’s unfreezing of DPRK assets and the deployment of North Korean troops in Ukraine.
For Chainalysis, the timing could not be more suspicious and suggests that, in addition to redirecting military resources in favor of Russia, North Korea could also be redirecting its cyber resources.

This theory is not implausible by any means, but the first half of 2024 also seemed, at first glance, to be almost devoid of DPRK group activity — until many hacks ultimately pointed back to them.

II. The Persistent Threat of LastPass: Over $260 Million Stolen in Two Years

Over $263 million has been lost to private key exploits involving thousands of victims over the past two years. The root cause: LastPass.

Since 2023, crypto retail investors have been suffering wallet drains that trace back to the password manager service LastPass, which is, allegedly, leaking seed phrases.

Blockchain security researchers revealed in September 2023 that hundreds of wallets had been silently siphoned of more than $35 million due to LastPass’ encrypted vaults being cracked, giving access to the seed phrases stored within.

This discovery was made possible thanks to Taylor Monahan, who had been on the hunt for six months, looking for a clue that would explain how so many “security-conscious” and long-term crypto users could see their wallets siphoned out of the blue with nothing to indicate it could be due to security breaches or wallet drainers.

Source: Tayvano_ on Twitter

She was able to connect the dots to a single common point: LastPass vaults.

Movement of stolen crypto from individuals who used LastPass to store their seed phrases, showing a common denominator — Source: Tayvano_ on Twitter

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.

The 150 victims of this otherwise unexplained crypto heist had all stored their secret seed phrase in LastPass.

Furthermore, it could all be traced back to a unique signature linked to monthly crypto heists of two to five million dollars dating back to December 2022, one month after the LastPass breach was revealed.

Leading blockchain security researchers allege that some of LastPass’ encrypted vaults were cracked to access the crypto credentials stored within.

Since then, victims have been piling up. In May 2024, Monahan announced that the losses had breached the $250 million threshold.

Source: Tayvano_ on Twitter

In the latest LastPass “attack,” around December 17th, crypto sleuth ZachXBT reported that more than 100 wallets had been siphoned of over $12.38 million in a matter of hours.

Source: ZachXBT

Crypto users who have yet to take the necessary security measures to ensure their previous LastPass use won’t lead to a private key exploit are sitting ducks. There is no reason whatsoever to believe that the LastPass attacker(s) will stop in their efforts to crack LastPass’ encrypted vaults and access the seed phrases stored within. 2025 is likely to be yet another fruitful criminal year for them.

III. The Chris Larsen Case: The Biggest Private Key Exploit Suffered by an Individual

When it was discovered that Chris Larsen, chairman of Ripple, had his entire wallet wiped out on January 31st, 2024, and no explanation of how was forthcoming from the victim, it appeared highly likely that his private keys had been compromised, and even more likely that it was done through social engineering.

The reason is that when it comes to private key exploits, there are not many ways to go about it. The other tactics we shared earlier had an extremely low probability of being involved in this case.
Revelations made by Hacken a week after the exploit only confirmed the initial hunch shared by the crypto community.

Furthermore, given that no statement had been made to explain this astounding loss, and considering that in most cases involving social engineering and the theft of private keys victims are tight-lipped, it was not far-fetched to allege that a socially engineered private key exploit was the reason behind Chris Larsen’s hack and the ensuing silence.

The methodology — colossal crypto theft associated with private keys compromised through social engineering — could have suggested that DPRK threat groups were yet again behind the hack. However, the escape routes chosen by the hacker(s) — MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC — tend to prove otherwise.

According to the blockchain security firm SlowMist, those groups adopted new ways to launder money and cash out in 2023, steering away entirely from mainstream centralized exchanges, which have taken on a very proactive role in stopping the laundering of high-profile hacks in the crypto space over the past two years.

A very wise approach, one would say, as the Binance team succeeded in freezing $4.2 million worth of XRP stolen by Chris Larsen’s exploiter.

Blockchain security company Hacken’s report on the case suggested, without directly saying so, that everything pointed to an inside job from within Ripple’s team, making it even easier for the attacker to succeed in tricking Chris Larsen.

Social engineering can indeed be carried out by friends, family members or colleagues, as it involves manipulating individuals into divulging confidential information, performing actions, or providing access to systems or resources that they typically wouldn’t under normal circumstances.

Well, despite all signs pointing to a social engineering case, it was revealed in March 2025 that Chris Larsen had in fact lost $150 million due to the LastPass breach, which we have just discussed at length.

IV. Unveiling Two New Serial Private Key Exploit Hackers

2024 saw the emergence of two new serial private key hack threat actors. The first made off with over $95 million, while the second mimics DPRK threat groups.

The BtcTurk Case

On June 22nd, 2024, the Turkish centralized crypto exchange BtcTurk saw ten of its hot wallets siphoned of more than $90 million. Thankfully for their customers, the entirety of the stolen funds belonged to BtcTurk.

Source: cnews24

After the attack, they asked Binance for help in freezing the stolen assets that had been laundered through the exchange. Binance CEO Richard Teng announced they had successfully frozen over $5.3 million from the BtcTurk hack.

According to blockchain security company Halborn, ‘the attack was likely made possible by compromised private keys.’

Unfortunately, BtcTurk chose not to disclose any information about how this exploit was able to take place.

The only relevant and interesting information reported came from crypto sleuth ZachXBT. After investigating the case, they discovered that two hours before the BtcTurk hack, the attacker had exploited the crypto casino Sportsbet, with the same attack pattern, for more than $3.5 million.
They found that the stolen funds from both hacks ultimately commingled.

Later on, ZachXBT revealed that their blockchain forensics sleuthing led them straight to the CEX Coinbase, where the attacker successfully laundered over $38.1 million.

Source: ZachXBT

A New Copycat Serial Hacker

On February 27th, 2024, the crypto inheritance firm Serenity Shield experienced the theft of 6.9 SERSH tokens from one of its MetaMask wallets, causing the token price to plummet by 99%. Although originally valued at $5.6 million, the attacker was only able to sell them for $586,000.

The MetaMask wallet was compromised after its private keys were leaked.

What makes this hack stand out is that crypto sleuth ZachXBT uncovered a link between this hack and two others that took place in December 2023 and January 2024: the $2.7 million OKX exploit and the $1.8 million Concentric Finance hack. According to his investigation, those three hacks are connected on-chain!

Theft addresses collected by ZachXBT:

0x26b30F457f1e97E3DA22b9f43Fc03F3FA4D3F2ca
0x29D473678B19edb5a419a13554Ca93851604477F
0x93a8b27C8DC2089BB071c22491a715DcB381F554

In March 2024, another two projects fell victim to the attacker’s clutches: Cloud AI for $360,000 and MurAll for an undisclosed amount.

Connections between the hacks — Source: Cloud AI

This would mean the crypto community has another serial hacker on the loose.

Like any good serial offender, they have been using the same modus operandi in their heists: gaining access to private keys through social engineering. The root cause of each exploit is the compromise of the deployer wallet through a targeted social engineering attack.

Although Serenity Shield has yet to share an account of how the private keys were leaked, what occurred is likely the same as, or a variation of, the Concentric Finance case.

Concentric Finance is a yield aggregator project from which around $1.8 million was drained from the project vaults on January 22, 2024. The attacker targeted a member of the Concentric Finance team who had access to a key vulnerability vector: the deployer wallet. The attacker posed as a recruiter on a professional networking platform. During the recruitment process, the team member was asked to download software under the guise of a routine skill assessment. Unfortunately for Concentric Finance, this software was, in fact, malware that ultimately gave the attacker access to the private keys of the deployer wallet.

Although the amounts stolen during those hacks may seem insignificant in a space where hundreds of millions are drained in hacks, those exploits could merely be a playground on which the hacker or group of hackers is training before targeting larger prey.

The social engineering technique they used is exactly the same as in Contagious Interview. The last thing the crypto space needs is another hacking group capable of wiping out $3.5 billion in three years from crypto actors.

The only good news, though, is that they apparently haven’t even learned to properly obfuscate their tracks, allowing blockchain forensics to trace those five hacks back to a single entity.

Conclusion

The versatility of private key exploits, along with the colossal stakes associated with them, requires that every user and actor in the crypto ecosystem implement a high-security regime and maintain a keen awareness of the constantly evolving threats they face.

Multisigs are not the safeguard they were once thought to be, and supply chain attacks are proving to be a new, actively used backdoor through which private key exploits can be successfully executed.

The security measures against private key exploit attacks must be significantly strengthened to effectively counter the evolving threats posed by DPRK-linked groups, which have made private key exploits their preferred attack vector.

They proved this yet again at the beginning of 2025, which started with a private key bang, when over $85 million was siphoned from yet another CEX.
The initial investigation suggests that this could very well be a DPRK operation, marking their thunderous comeback, with Jade Sleet and their TraderTraitor highly suspected of being behind the heist.2 — Oracle Exploit: The Unexpected Crypto Hack Guest of 2024Nearly $404 million has been lost by DeFi protocols over the past three years due to oracle exploits. In 2024 alone, more than $53 million was stolen through this method — though it falls short of the $220 million lost in 2022 and the $131 million in 2023, it remains an exceptionally high figure for this type of exploit.Oracle exploits, after all, aren’t designed to thrive in bull market environments.So what’s behind the hefty oracle exploit heist of 2024?Oracles have become a crucial tool for the DeFi ecosystem. Through smart contracts, they take off-chain real-world data and connect them with blockchains.For DeFi actors, oracles act as a middleman that allows them, among other things, to access financial data about assets and markets. 
Those data are then used, for example, to provide real-time asset pricing for the liquidity pools that facilitate decentralized trading and lending. The oracle’s job is not to be the source of information but to verify external data sources and then relay that information. Consequently, a hacker “only” has to change the truth that will be relayed by the oracle to a DeFi liquidity pool, whose equilibrium is based on this oracle information, to be able to siphon it.

Oracle Exploit Modus Operandi

An oracle manipulation is, at its core, a two-step attack. The first step is to manipulate the pool(s) used as price oracle(s) by a DeFi protocol, artificially inflating a token’s price by swapping/buying a vast amount of it. The second step is to go to the lending pool connected to this price oracle and open an under-collateralized position that lets the attacker fly away with the excess money gained, thanks to the price discrepancy he manufactured.

To illustrate this, let’s say that 1000 ETH = 1000 sUSD. In a scenario where the oracle has not been manipulated, and a lending pool requires depositing 120% of the value borrowed as collateral, you will need to deposit 1200 ETH to receive 1000 sUSD. However, if the hacker manipulates the pool(s) used as an oracle by buying ETH en masse so that 1000 ETH is then worth 2000 sUSD, he only has to go to the lending protocol using this compromised oracle and deposit 1200 ETH to receive 2000 sUSD.

That is, in substance, what happened in the most talked-about oracle manipulation of 2022, the $100M Mango Markets hack. In a simplified summary, Avraham Eisenberg — the hacker behind the attack on the Solana DeFi trading platform Mango Markets — funded his wallet with $5M USDC, which he used to purchase 483 units of perpetual contracts in Mango token (MNGO). This drove the price of MNGO up 30x, from $0.03 to $0.91, increasing the value of his Mango tokens to $423M. Step one, complete.

After artificially inflating the collateral value of his account, he proceeded to drain Mango Markets’ lending pools by taking massive loans totaling approximately $117M in Bitcoin, Solana, and more. Step two, complete.

The oracles used by Mango Markets worked as intended, but since the source of truth was compromised, it was possible for Avraham Eisenberg to take an extremely under-collateralized loan. This attack was self-funded, but as previously stated in our article dedicated to flash loan attacks, where price/market manipulation was once the preserve of “whales” like Avraham Eisenberg, flash loans now give a much larger pool of people the ability to exploit oracles.

The Bear Market: An Oracle Exploit Facilitator

Oracle manipulation cost $220 million in 2022, and its victims were many, from algorithmic market makers to yield optimizers. 2022 saw a steep rise in oracle manipulation and a brutal fall in total value locked (TVL) for oracle providers. The multiplicity of oracle exploits in 2022 led several experts to reevaluate the relevance of oracles in DeFi, and Chainlink, which has been dominating the oracle market, lost an astounding $48 billion in TVL in 2022, from $56.7 billion to $8.7 billion between January 1st and December 31st, 2022.

Since 2022, over $404 million has been lost in oracle-related incidents across 32 cases. Of these, 16 incidents occurred in 2022, resulting in a loss of $220 million. The number of incidents and the total loss decreased significantly in 2023, with losses halving compared to the previous year. In 2024, over $53 million has already been lost due to 8 oracle exploit-related incidents.

The collapse of oracle exploits in terms of both loss and incidence is directly due to the ecosystem required for oracle exploits to thrive. Oracle exploits are the go-to crypto hack in a bear market par excellence. If whales and non-whales could gorge on oracle exploits in 2022, it is because oracles were made vulnerable by the bear market. A bear market means low liquidity, and low liquidity provides the best conditions for oracle manipulation. In a bull market, when there is a substantial quantity of liquidity, oracle exploits are difficult to carry out: the amount of input required to successfully manipulate the price of a token is much higher.

Whether hackers go for an oracle exploit comes down to the condition stated by Alexander Wlezien, co-founder of DeFi platform Friktion Labs: “The economic cost of price manipulation must be far above extractable economic value.” Hence, extreme manipulations are made easier and cheaper when there is low liquidity, which increases hackers’ incentive to undertake these sorts of exploits. New or relatively unknown tokens usually have little liquidity to begin with, and become even more illiquid during a bear market, making them prime targets for criminals.
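The two steps and the liquidity argument above can be made concrete. Here is an added example, not from the article or any protocol: a simplified constant-product pool read by a naive spot-price oracle, the article's 120% collateral lending rule, and a time-weighted average price (TWAP) oracle as the mitigation. The pool depth, the TWAP window and the unwind are constructed assumptions; the 1000 ETH = 1000 sUSD and 1200 ETH figures are the article's own.

```python
# Added example (not the article's or any protocol's code): a naive spot-price
# oracle vs. a TWAP oracle under a one-block pool manipulation. Pool depth,
# TWAP window and the unwind are constructed; 1000 ETH = 1000 sUSD, the 120%
# collateral rule and the 1200 ETH deposit are the article's own figures.
from collections import deque
from math import sqrt

COLLATERAL_RATIO = 1.2  # 120% collateral per unit borrowed


class ConstantProductPool:
    """Minimal x*y=k AMM; its reserve ratio is what a naive spot oracle reads."""

    def __init__(self, eth: float, susd: float) -> None:
        self.eth, self.susd = eth, susd

    def spot_price(self) -> float:
        """sUSD per ETH, straight from the current reserves."""
        return self.susd / self.eth

    def swap(self, eth_in: float = 0.0, susd_in: float = 0.0) -> float:
        """Fee-free swap in one direction; returns the other asset paid out."""
        k = self.eth * self.susd
        if susd_in:                        # buying ETH with sUSD
            self.susd += susd_in
            out, self.eth = self.eth - k / self.susd, k / self.susd
        else:                              # selling ETH for sUSD
            self.eth += eth_in
            out, self.susd = self.susd - k / self.eth, k / self.eth
        return out


def susd_to_multiply_price(pool: ConstantProductPool, factor: float) -> float:
    """sUSD to swap in so the spot price is multiplied by `factor`.
    Price = y/x = y^2/k, so the sUSD reserve must grow by sqrt(factor);
    the cost is linear in pool depth (the article's liquidity argument)."""
    return pool.susd * (sqrt(factor) - 1)


class TwapOracle:
    """Average of the last `window` per-block spot observations."""

    def __init__(self, window: int) -> None:
        self.observations = deque(maxlen=window)

    def record(self, price: float) -> None:
        self.observations.append(price)

    def price(self) -> float:
        return sum(self.observations) / len(self.observations)


def max_borrow(collateral_eth: float, price: float) -> float:
    """sUSD the market lends against `collateral_eth` valued at `price`."""
    return collateral_eth * price / COLLATERAL_RATIO


def bad_debt(collateral_eth: float, debt_susd: float, true_price: float) -> float:
    """Debt left uncovered once the collateral is valued at the real price."""
    return max(0.0, debt_susd - collateral_eth * true_price)


def run_scenario(window: int = 10, collateral_eth: float = 1200.0) -> dict:
    """One manipulated block inside an otherwise quiet TWAP window."""
    pool = ConstantProductPool(eth=1000.0, susd=1000.0)  # 1 ETH = 1 sUSD
    twap = TwapOracle(window)
    for _ in range(window - 1):            # quiet blocks at the fair price
        twap.record(pool.spot_price())
    # Step one: push the spot price to 2 sUSD/ETH within a single block.
    cost = susd_to_multiply_price(pool, 2.0)
    eth_bought = pool.swap(susd_in=cost)
    twap.record(pool.spot_price())         # the manipulated observation
    spot, fair = pool.spot_price(), twap.price()
    # Step two: borrow against the same collateral under each oracle.
    spot_loan = max_borrow(collateral_eth, spot)
    twap_loan = max_borrow(collateral_eth, fair)
    # The manipulator unwinds and the pool returns to the real price.
    pool.swap(eth_in=eth_bought)
    true_price = pool.spot_price()
    return {
        "manipulation_cost_susd": cost,
        "spot_price": spot,
        "twap_price": fair,
        "spot_loan_susd": spot_loan,
        "twap_loan_susd": twap_loan,
        "spot_bad_debt_susd": bad_debt(collateral_eth, spot_loan, true_price),
        "twap_bad_debt_susd": bad_debt(collateral_eth, twap_loan, true_price),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>24}: {value:,.2f}")
```

Under the spot oracle the market lends 2000 sUSD against 1200 ETH that are worth 1200 sUSD once the pool unwinds (800 sUSD of bad debt), while the TWAP lends 1100 sUSD and stays covered; the cost function also shows that a pool 100 times deeper costs 100 times more to move.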
A hacker can have a monumental price impact by taking significant positions in illiquid tokens, as in the Mango Markets case. By its scale, the Mango Markets case acted as an eye-opener. In the week following the attack, it drove the decentralized lending protocol Compound to pause the supply of four tokens (YFI, ZRX, BAT, and MKR) as lending collateral on its platform to protect its users against price manipulation. One month later, the open-source liquidity protocol Aave temporarily suspended lending markets for 17 tokens to fend off volatility risks after the Mango Markets hacker tried a repeat attack on Aave and almost stole $60 million in CRV using USD Coin.

The bear market provides fertile ground for oracle exploits, but the 2023 downturn in criminal activity, amidst a bear market, strongly indicates that DeFi protocols, following in the footsteps of Compound and Aave, successfully took preemptive measures to make themselves less vulnerable to such attacks. Where oracle exploits could have continued to wreak havoc during the persistently bearish market of 2023, they actually underperformed. Now, in 2024, with the lessons learned about oracle security in 2022 and the high liquidity levels as the crypto market rebounded into a bull market, oracle exploits should have turned into a species of crypto criminal activity on the verge of extinction. But oracle-related criminal incidents remained consistent between 2023 and 2024, despite a lower overall monetary gain. The reason for this is unfortunately very simple: DeFi protocols that barely meet, or outright neglect, basic security standards.

Top 3 Oracle Exploits of 2024 by Level of Neglect

For this 2024 report, we have selected the top three oracle exploits that were direct byproducts of either sheer negligence, playing security Russian roulette, or basic security fumbling. Here they are, ranked from the worst to the least outrageous neglect of security.

I — Alpaca Finance: An Unbelievable Oracle Exploit Story

Calling the Alpaca Finance incident an oracle exploit might seem far-fetched to some, as what is considered an ‘oracle’ in the Alpaca Finance protocol could hardly be called one. When, on November 28th, the Thena token was listed on Binance and skyrocketed from $0.26 to over $4 within minutes, the $THE token on Alpaca Finance 2.0 saw a sudden price spike that wasn’t captured by Alpaca’s ‘oracle.’ Once the price was updated, positions borrowing $THE became ‘underwater,’ in Alpaca’s own words. During the gap between Binance’s listing and the Alpaca oracle update, some traders were able to borrow $THE with under-collateralized positions. Despite Alpaca’s claims that the exploit “only” amounted to $116,000, blockchain security researchers reported that over $2.82 million was lost by its users.

A closer look at why Alpaca’s ‘oracle’ failed the protocol so spectacularly reveals an astounding truth. While Alpaca advertised a relatively sound and secure oracle in their documentation, the reality is that their oracle is allegedly nothing more than manually updating prices based on CoinGecko every 30 minutes — allegations that seem highly likely, as they did not deny them, either in discussions with people outright accusing them or in their post-mortem. Instead, they deflected the question.

Source: Twitter

Their repeated main argument surrounding this multi-million-dollar debacle is that ‘the listing has to actually happen first before oracle feeds can report its price change. […] Fast oracle feeds can’t exist to report prices of token listings that don’t yet exist. […]’ While they are not wrong in principle, as Rekt.news rightfully questioned in their report on the hack: ‘[…] their solution of manual updates for an “isolated” market suggests they missed the bigger picture — if you can’t properly price an asset, maybe don’t offer lending against it.’ Especially when you have such an archaic, lengthy, and risky method being passed off as an ‘oracle,’ which immediately exposes your users to undue risk.

What’s most terrifying about this affair is that Alpaca Finance used to be a multi-hundred-million-dollar protocol, with its TVL even breaching the $800 million threshold — meaning they possibly operated with an oracle barely dignified for use in a high school student’s DeFi project to manage an astronomical fortune.

Alpaca Finance TVL — Source: DeFiLlama

It seems the only reason Alpaca Finance did not fumble with the oracle sooner, for a much higher price tag, is pure sheer luck.

II — Polter Finance: Copy-Paste Code, Zero Audits, and a Costly Hack

On November 17th, 2024, the Fantom-based DeFi protocol Polter Finance was exploited for $12 million through an oracle manipulation attack. The Polter Finance team caused the issue by introducing an oracle manipulation vulnerability when they chose to use spot prices directly from decentralized exchanges, specifically the SpookySwap V2/V3 pool prices, for their newly launched BOO token oracle. The BOO token was newly launched and obviously lacked liquidity, making the use of SpookySwap pool prices extremely vulnerable to manipulation in low-liquidity pools. A simple flash loan is enough to turn spot prices into faulty oracles. And that’s exactly what the attacker did. Using a flash loan, they launched their attack, draining Polter’s liquidity pools and siphoning off the entire $12 million worth of tokens on the platform.

What made people’s eyebrows rise up to their hairlines wasn’t just the beginner-level security mistake that crashed their entire protocol. It was the fact that this rookie error perfectly aligned with the abysmal security measures the protocol was “armed” with. Polter Finance deemed security audits unnecessary after simply copy-pasting the audited Geist code to operate their protocol. Instead of conducting a security audit on a protocol that held the trust and millions of dollars of user funds — since there is no such thing as a perfect copy-paste of another protocol, as every protocol implements its own parameters and unique adjustments — they chose to provide Geist’s audit in lieu of their own. Their audacity, if one chooses to call it that, was certainly well rewarded.

Polter Finance’s “Audit” Page — Source: Polter Finance

On top of that, Polter Finance has faced accusations of possibly inflating the reported funds lost in the hack. Their police report claimed higher losses, but blockchain forensics have only been able to confirm that “only” around $8.7 million was actually siphoned from the protocol. To close this edifying case, we borrow the words of Rekt.news: “When will they learn that ‘fork and pray’ isn’t a security strategy?”

III — UwU Lend: The Back-to-Back Double Hack

On June 10th, 2024, UwU Lend, a liquidity market protocol, lost over $23 million when an attacker exploited not one, but five vulnerabilities in its price oracle system. In typical oracle exploit modus operandi, the hacker first took on an impressive $3.796 billion flash loan scattered across numerous DeFi protocols. The attacker exploited a critical weakness in UwU Lend’s oracle system. While the platform’s contract is a fork of AAVE V2, it modified the oracle logic, which allowed the attacker to borrow assets at one rate and liquidate them at an inflated rate. This system relied on the median of 11 price sources, five of which were vulnerable to manipulation through Curve Finance pools: FRAXUSDe, USDeUSDC, USDeDAI, GHOUSDe, and USDecrvUSD.

The attacker used a flash loan to open a leveraged position with a large amount of sUSDE, while the rest of the funds were used to manipulate the price of sUSDE through the aforementioned price sources. This allowed the attacker to borrow sUSDE at a rate of 0.99 and liquidate the position at a manipulated rate of 1.03.

Source: Nick L. Franklin

After repaying the flash loan, the attacker made off with over $23 million. Although the protocol was audited by blockchain security service PeckShield, it appears the oracle security review was ‘out of scope.’ As PeckShield noted in their audit: ‘Note that UWU assumes a trusted price oracle with timely market price feeds for supported assets, and the oracle itself is not part of this audit.’ It seems they only addressed the potential for oracle exploits in the protocol’s low-liquidity pools.

Source: PeckShield

It was highly negligent of UwU Lend to completely bypass security screening for their oracle system, especially since Curve itself loudly advises, to whoever would be wise enough to listen, against using its pools as standalone price sources due to their high vulnerability to manipulation, despite the safeguards in place.

Source: QuillAudits

A combination of low liquidity and a lack of price correction — just like in UwU Lend’s case — makes a protocol primed to be oracle-slaughtered. But the story doesn’t end there.
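The UwU Lend oracle as the article describes it, a median of 11 sources of which 5 were manipulable, is worth working through. Here is an added example, not UwU Lend's or any protocol's code, that computes how far such a median can be pushed and adds a spread check as a mitigation; the honest quotes, the pushed value and the threshold are constructed.

```python
# Added example (not UwU Lend's code): what a median over N price sources does
# and does not protect against. Honest quotes, the manipulated value and the
# deviation threshold are constructed; "median of 11 sources, 5 manipulable"
# is the article's description of the UwU Lend oracle.
from statistics import median
from typing import Optional, Sequence

# Constructed: six honest quotes for one asset, spread across 0.99..1.03.
HONEST_QUOTES = [0.99, 0.995, 1.00, 1.00, 1.01, 1.03]


def aggregate(quotes: Sequence[float]) -> float:
    """The protocol's aggregation rule: plain median of all sources."""
    return float(median(quotes))


def median_after_manipulation(honest: Sequence[float], n_manipulable: int,
                              pushed_to: float) -> float:
    """Aggregate price when every manipulable source reports `pushed_to`."""
    return aggregate(list(honest) + [pushed_to] * n_manipulable)


def worst_case_median(honest: Sequence[float],
                      n_manipulable: int) -> Optional[float]:
    """Upper bound on the median an attacker can force by pushing sources up.

    With n = len(honest) + n_manipulable sources the median is the element at
    index n // 2 of the sorted list. Pushed sources sort to the top, so the
    median is the (n // 2)-th honest quote as long as that index exists;
    otherwise the attacker controls the median outright (returns None).
    """
    n = len(honest) + n_manipulable
    ordered = sorted(honest)
    return ordered[n // 2] if n // 2 < len(ordered) else None


def min_sources_for_full_control(n_sources: int) -> int:
    """Manipulable sources needed to move the median arbitrarily."""
    return n_sources - n_sources // 2


def guarded_aggregate(quotes: Sequence[float],
                      max_spread: float) -> Optional[float]:
    """Median that refuses to report when the sources disagree too much.

    Constructed mitigation: a spread check on top of the median, so a set of
    quotes that disagree by more than `max_spread` halts pricing instead of
    feeding the lending market. Returns None when the check fails.
    """
    if max(quotes) - min(quotes) > max_spread:
        return None
    return aggregate(quotes)


def uwu_style_scenario() -> dict:
    """11 sources, 5 manipulable, pushed far above the honest range."""
    n_manipulable, pushed_to = 5, 1.50
    quotes = list(HONEST_QUOTES) + [pushed_to] * n_manipulable
    return {
        "honest_median": aggregate(HONEST_QUOTES),
        "manipulated_median": median_after_manipulation(
            HONEST_QUOTES, n_manipulable, pushed_to),
        "worst_case_bound": worst_case_median(HONEST_QUOTES, n_manipulable),
        "sources_for_full_control": min_sources_for_full_control(len(quotes)),
        "guarded_price": guarded_aggregate(quotes, max_spread=0.05),
    }


if __name__ == "__main__":
    for key, value in uwu_style_scenario().items():
        print(f"{key:>26}: {value}")
```

With 5 of 11 sources pushed, the median lands on the highest honest quote rather than the fair one, so the bound is only as good as the honest sources' spread; a sixth manipulable source would remove even that bound, and the spread check halts pricing in both cases.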
On June 12th, the UwU Lend team claimed that their oracle issue was resolved, stating the vulnerability was “unique to the sUSDE market oracle.” They unpaused the protocol, only to be hit again by another oracle exploit the very next day. On June 13th, the same attacker, in an almost criminally poetic turn, used the stolen funds from the previous hack to carry out a second attack on six UwU Lend asset pools: uDAI, uWETH, uCRVUSD, uLUSD, uFRAX, and uUSDT. This was possible because UwU Lend still treated the attacker’s stolen funds as valid collateral. According to blockchain security company MetaTrust Labs, the hacker used 60 million $uSUSDE from the first hack as collateral to drain the pools, making off with an additional $3.7 million.

Conclusion

Those three oracle exploits are a manifestation of a more profound issue that spans the entire crypto community: the lack of care and investment in securing DeFi protocols. This is why reentrancy attacks, which should be rare — if not extinct — continue to victimize users year after year, with at least 11 instances in 2024 alone, resulting in over $35 million stolen. Additionally, the crypto space experienced no fewer than 100 smart contract exploits in 2024, many of which could have been prevented with basic, yet often overlooked, security practices, such as properly auditing upgraded smart contracts.

A perfect illustration of this cavalier attitude is Hyperliquid, an over $3.4 billion platform. In December 2024, Taylor Monahan, a highly respected figure in blockchain security, revealed that DPRK groups had been testing Hyperliquid through a range of actions. After reaching out to them, she was met with dismissive, mocking responses and discovered that their bug bounty program was virtually non-existent, consisting only of opening a ticket on Discord.

After she published her research on Twitter, Mudit Gupta revealed that Hyperliquid had a single point of failure through their bridge, which is only controlled “by two 3-of-4 hot wallet multisigs, managed by a single binary.” Meanwhile, Rekt.news uncovered that their security architecture could only be found “buried in a single page of a GitHub repo — not on their website, not in their docs. No rewards structure, no clear process, no formal program.” They responded to Taylor Monahan’s post with increased derision, fueled by their fanboys who partook in mocking her findings. Well, they were the only ones laughing, as the rest of the community pulled over $210 million in funds following the announcement, causing HYPE (the Hyperliquid token) to tumble by 21%.

3 — The Enemy Within: How Not Keeping Track of Who Has Access to What Can Lead to Fatal Losses

If there is a lesson to be learned from H1 2024, it is this: private keys, critical data, and access offboarding processes are absolute necessities. Disregarding the security risk posed by an ex-employee or contractor simply because their identity is known is a fatal mistake. One should never underestimate the audacity of fraudsters; the risk of public accusation alone is often insufficient to deter them from committing criminal acts.

The Wilder World Game Exploit

This is something the Wilder World game failed to do. On March 16th, 2024, the Wilder World game, a blockchain game, witnessed $1.8 million disappear from its digital coffers. The reason? An attacker managed to upgrade the project’s legacy contracts and transfer $WILD and $MEOW tokens to themselves after gaining access to the Wilder World deployer’s private key. The alleged attacker is a former contractor who, for reasons unknown, retained access to this critical private key. It appears the team either completely forgot who had been entrusted with this crucial asset or failed to implement adequate security measures to safeguard against a single private key causing such extensive damage to the project.

Aside from the Wilder World exploit, there were even more significant breaches orchestrated by disgruntled ex-employees, nearly resulting in an $80 million loss for one entity and a $110 million loss in FDV for another.

Holograph Exploit: $14.4 Million Lost to a Sloppy Rogue Dev

On June 13th, Holograph fell victim to yet another exploit perpetrated by an ex-insider. Due to unauthorized admin access to a proxy wallet, the attacker minted $14.4 million worth of the protocol’s native token, HLG, and then quickly sold them, crashing the HLG price by 79.4%, amounting to approximately $110 million in FDV (total token value). The attacker used five centralized exchanges — Backpack, Gate, Bybit, Bitget, and KuCoin — to sell the freshly minted one billion HLG tokens and got away with $1.3 million. Meanwhile, around 200 million HLG tokens were successfully frozen by the centralized exchanges.

Although little was known about the attack, on the day of the exploit some already argued that it was the work of a “rogue dev,” as one of the Ethereum addresses linked to the hack was “acc01ade.eth,” a pseudonym which matched a known contractor for Holograph.

Source: Twitter

A quick search on social media reveals that the pseudonym ‘acc01ade’ matches, on Twitter, LinkedIn, and even on the blockchain data platform Dune, a developer involved in the Holograph project.

Source: LinkedIn https://www.linkedin.com/in/acc01ade/
Source: Dune
Source: Twitter

The OpenSea page matching the Ethereum address of the attacker, acc01ade.eth, is directly linked to the Twitter account acc01de, which is in turn directly linked to the Dune account mainly dedicated to Holograph data. It is not far-fetched to allege that the person behind the LinkedIn account of the same name, which claims to have worked for Holograph, and all the other accounts, is a single person who works or used to work at Holograph.

Source: OpenSea

Weeks after the exploit, on July 2nd, Holograph published a post-mortem after collaborating with blockchain security firm Halborn on the exploit. They confirmed that the self-proclaimed “super shadowy coder” acc01ade, described as a “disgruntled former contractor,” was behind the attack, without disclosing his full identity. The hack was not a spur-of-the-moment event; Halborn and Holograph revealed that it had been months in the making, starting in April 2024.
The attacker was able to take their time carrying out the plan because they had “admin access to Holograph Protocol v1 contracts, which was later used as a backdoor.”

Step-by-step breakdown of the preparation of the hack — Source: Holograph

No details were given about when the former contractor was laid off or why, nor why he still had admin access, so it’s difficult to determine whether the attacker was still employed when he prepared the attack or whether he became an “ex-contractor” only after being discovered as the mastermind behind the attack.

It’s not the first time the overuse of a pseudonym has led to the downfall of a criminal. That’s how Ross Ulbricht, the man behind Silk Road — the biggest crypto-powered dark market of its time — had his identity ultimately revealed, leading to his arrest and imprisonment.

Pump.Fun Exploit: A Flopped $80 Million Revenge Plot?

Source: Twitter

On May 16th, 2024, Pump.fun, a Solana-based memecoin generator that has been enjoying immense success over the past months, lost $2 million to an attacker through a flash loan attack. The matter of who was behind the attack was quickly resolved, as within minutes of the attack the attacker took to Twitter to reveal that he was behind it!

Source: Twitter

In a rather chaotic thread, he explained that he was a disgruntled Pump.fun employee because his Pump.fun bosses were “the kind of horrible bosses that witness you wreck your hand, ask you what happened, u said the glass table gotchu, and they go ‘is that table ok?’ is not the type of ppl you want front n center as the face of blockchain.” He then jumped into a Twitter space to share his woes and claimed that he ‘just kind of wanted to kill Pump.fun because it’s something to do… It’s inadvertently hurt people for a long time,’ reports Web3isgoingjustgreat.

His shenanigans didn’t stop there. In his original thread, he announced that he would airdrop $80 million (the amount he first assumed he would get to thieve) in stolen funds to random wallets. He actually did, as many people took to Twitter to share that they had received the airdrop, thanking STACCoverflow for being a ‘Robinhood.’

Source: Twitter (1, 2)

After the attack, Pump.fun shared that they were working with law enforcement on the attack, to which STACCoverflow replied, ‘Neener neener neener.’ ‘Neener neener neener’ was somehow an apt reply, as STACCoverflow was already doxxed and publicly known as Jarett Reginald Dunn. He knew the cops would come after he outed himself as the attacker and was apparently politely waiting for them when they came to pick him up on May 17th in Covent Garden, London.

He was allegedly arrested and detained by law enforcement in London, held for 20 hours, and charged with “theft from employer for $2 million with conspiracy of another $80 million.” He was later released on bail on the condition that he return for an interview with the Criminal Investigation Department on August 16th and refrain from any involvement with Pump.fun, as he himself shared with crypto media Decrypt.

On June 4th, Dunn took to Twitter again to share more about his motivation behind the hack. His revenge apparently stemmed from his Pump.fun bosses refusing to let him take a full-time side job at a different company, even though the contract he signed never stated he was forbidden to seek employment elsewhere, and from their stopping him from earning the salary “new hires at Pump” received, as he was struggling to live properly in London due to his inability to budget.

Source: Twitter

He also explained to Decrypt in great detail that he has been going through challenging times regarding his mental health over the past three years and is currently hospitalized for mental health concerns. He also thinks he has the perfect “get out of jail” card up his sleeve, as he argued that the funds were stolen from Pump.fun customers and not Pump.fun itself, and thus the Pump.fun case has no foundation.

When we first reported on the case, we concluded, ‘Well, on this, the future will reveal if his trump card was one or a dud.’ As it happens, the future has come and gone, and the trump card turned out to be a dud. On the day of his sentencing, facing more than seven years in prison, Dunn withdrew his guilty plea, causing his legal team to quit. He is facing even more time in prison.

In the meantime, although Dunn didn’t abscond with $80 million, he still successfully accomplished his mission of restoring Pump.fun’s peg. Pump.fun’s reputation did take a hit, as a hack is never a good look when you’re in charge of millions of dollars. In a police report, Pump.fun stated that they had lost their ability to close a $20 million funding round due to the hack, as potential investors raised concerns about the company’s management, crypto newspaper Decrypt revealed.

Two other cases in the recent past are also reminders of the necessity of controlling who has access to what.

The first one is the Starchi staking case. An employee who was undergoing a multi-month process of termination due to questions about ‘his honesty and integrity’ witnessed a wallet under his control being ‘compromised’ and maliciously used to upgrade the staking smart contract, resulting in a $412,000 loss. The Starchi team seemed to oscillate between openly accusing him of orchestrating the incident and ‘only’ strongly suggesting his involvement in the hack.

Source: Starter Labs

This may seem obvious, but if you’re doubting the moral compass of a person who has access to the very crux of your activity and ensuing survival, you have to lock them out of the possibility of any destructive wrongdoing as soon as possible.

The second case is the infamous 2023 Ledger Connect Kit hack. It is the perfect illustration of the disastrous consequences of not keeping track of who has access to critical company data. Because even if your employees do not have a single scammer bone in them, it does not mean that a malicious actor cannot profit off them. The Ledger Connect Kit library is a highly sought-after tool facilitating the seamless connection of hardware wallets to web browsers and various platforms. This essential utility enjoys widespread popularity among decentralized applications (Dapps) within the crypto space, including renowned platforms like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash.

On December 14th, 2023, Angel Drainer, a crypto ‘drainer-as-a-service,’ swiped $600,000 from those Dapps’ users after they succeeded in phishing a former Ledger employee who still had access to Ledger’s NPMJS account, a platform for hosting code packages for developers. Angel Drainer only had to switch the legitimate Ledger Connect Kit library with their malicious one, and voilà, $600,000 was gone in a blink. Private keys and critical data offboarding processes are an absolute necessity.

II. 2024 Crypto Scams: Billions Lost by Retail Investors to Wallet Drainers, Address Poisoning, and Exit Scams

2024 has been truly unkind to web3 retail investors. Way too many of them have been cleaned out by both scammers and hackers. While, as previously reported, obtaining a precise and accurate figure for the total funds lost by retail investors remains an incredibly challenging task, criminal reports suggest that at least $5.84 billion was wiped from their wallets. Of this, at least $4 billion was lost to pig-butchering scams, over a billion to phishing schemes — including wallet drainers and address poisoning — and $444 million to exit scams.

It must be said that the state of the crypto market in 2024 really helped those fraudsters score big. The bull run that kicked off at the end of 2023, peaking with Bitcoin hitting a new ATH of $73,738 on March 14, 2024, brought in a flood of liquidity from both seasoned crypto enthusiasts and a wave of eager new retail investors.
The promise that 2024 would be the year Bitcoin shattered the $100,000 barrier (which it did!), combined with the explosive activity in the memecoin supercycle, transformed the ghost town that was the crypto market in 2023 into an effervescent hub of transactional activity!Source: DuneMany of these newcomers are ignorant of crypto’s treacherous waters, making them extremely vulnerable and ideal targets for scammers. Seasoned traders, on the other hand, are just as, if not more, susceptible to the FOMO siren call after enduring a long and traumatic bear market, which created an ideal environment for scammers to victimize retail investors.With Q3 2024 witnessing the biggest phishing heist in crypto history, it marks the second-largest crypto crime of the year, following the $308 million DMM Bitcoin exploit, which involved $243 million stolen from a single victim.The heist was a “highly sophisticated social engineering attack,” a phishing scam that targeted a single individual. The victim was a creditor of the defunct crypto trading firm Genesis.On the day of the attack, in August 2024, he received a call from a spoofed number, with the scammers posing as Google Support to compromise his personal accounts, according to ZachXBT’s investigation. Shortly after, the victim was contacted again, this time by the scammers posing as Gemini support. 
They informed him that his Gemini account had been hacked and instructed him to reset his 2FA and transfer funds from his Gemini account.After much persuasion, the victim used AnyDesk to share his screen, allowing the scammers to access and leak his private keys from his Bitcoin Core.His attackers successfully stole $243 million and immediately attempted to disperse the funds across multiple wallets before transferring them to over 15 exchanges, according to ZachXBT’s research.Phishing through social engineering has been at the heart of many bountiful crypto heists, one of them extremely sophisticated, almost succeeding in wiping out $125 million from a single individual, as we recounted previously in Story of an Almost $100M Crypto Heist.Story of an Almost $100M Crypto HeistAlthough they remain impressive in their approach and the size of their gains, social engineering is currently an infinitesimal part of the crypto phishing scene.At the center of the crypto phishing bulldozing machine are wallet drainers, offered as a scam-as-a-service, which we will tackle in detail in the first section.This will be followed by our breakdown of address poisoning activity in 2024. Although this threat began to take shape in 2023, 2024 marked the year it truly took off, after undergoing a round of sophistication we will explore, rising to become one of the biggest threats retail investors faced in 2024.We will conclude our tour of the crypto scam landscape with our report on the two-click memecoin generator Pump.fun, which has likely transformed into the crypto exit scam hotspot just months after its launch — Pump.fun turning into Pump.dump.1 — 2024, The Year of Crypto Wallet DrainersCrypto wallet drainers, such as Scam-as-a-Service, opened the phishing Pandora’s box at the end of 2022, and no one has known how to close it since. 
This has made 2024 the deadliest year yet in terms of funds stolen, with over $494 million reportedly lost — a 67% increase from last year, according to ScamSniffer.ScamSniffer also revealed that the attacks concerned more than 332,000 crypto addresses, with Permit signatures as the most successful attack vectors.Source: ScamSnifferOn average, wallet drainers made between 10,000 and 14,000 victims monthly, with March 2024 recording the highest-paying month for wallet drainers, with $75 million stolen. ScamSniffer additionally found that the largest single phishing attack through a wallet drainer reached over $55.4 million.Source: ScamSnifferBut 2024 wasn’t just rich in stolen funds for the wallet drainer community; it was also rich in plot twists! Wallet drainers go by many names — deceitful ones like “Angel” or “Pink,” meme-like ones like “Monkey,” and very explicit ones like “Inferno.”Although “Pink Drainer” may not sound like a name that strikes fear into anyone’s heart, SAAS drainers are a crypto monster that has been wreaking absolute havoc in the lives of crypto retail investors — many of whom have never even heard of them.Source: ScamSnifferThey also have their distinctive features and crowds. 
The space saw multiple shifts throughout the year, with a deep impact on the scammer community and their potential victims, ranging from a spectacular departure to successful comebacks, and deadly newcomers making their first impactful foray into the space.

AceDrainer, 2024 Newcomer — Source: CYFIRMA

Despite their record-breaking year, the crypto waters have been turbulent for wallet drainers, who have had to contend with multiple life-threatening challenges, challenges that could ultimately make 2025 the first year to see a major downturn for them.

In our report on wallet drainers, we will explore how these elusive yet ever-present entities operate and how they managed to achieve such a successful phishing year in 2024, from their genesis to the multifaceted threat they have become today.

I. The Genesis of Wallet Drainers as a Scam-as-a-Service

In the old days, one needed to be blockchain-savvy to build from scratch a tool that could drain a victim's wallet in two clicks. SaaS broke down this barrier, so that anyone, even you, reader, could set up a flourishing crypto phishing business. That is not said in jest.

1 — Scam-as-a-Service, The Democratization of Crypto Phishing Scams

SaaS: Fraud at the Fingertips of Everyone

In its coarsest and most unsophisticated form, implementing a phishing scam only requires an "anonymous" website; a simple Google search turns up plenty of services ready to set one up in fewer than 10 steps. Then you only have to design a crude landing page, the standard format for crypto scams, since their "phishing hook" is a giveaway, airdrop or mint, which are landing-page affairs for legitimate projects too. The last step is to hide your wallet drainer behind the "claim your airdrop" button, and voilà! That is how, schematically, your average Joe can turn into a high-caliber crypto fraudster.

Today, most SaaS drainers offer an all-in-one scam solution, taking care of every step: a turnkey draining operation, if you will.

Now, let's rewind a bit. How does one come by a crypto wallet drainer kit? As with everything scammy under the Milky Way's sun, you will find it on Telegram. Telegram, aptly nicknamed the "Scammers' Paradise," is where the crews behind these crypto phishing kits openly sell them to all and sundry.

Ad from Inferno Drainer on Telegram — Source: Group IB

As per cybersecurity firm Guardio Labs' latest report, where once gaining access to scam tools meant jumping through hoops, such as getting into "invite-only forums in the Dark web, hidden behind Tor Onion networks," today no such hassle exists. You only need to type what you're looking for in Telegram's search bar and you're ready to embark on your criminal journey:

"This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data. Free samples, tutorials, kits, even hackers-for-hire — everything needed to construct a complete end-to-end malicious campaign." — Guardio Labs

In their research, Guardio even demonstrated how they were able to mount a "successful mass attack" for $230.

"From 230$ to at least 2350$ — This is exactly why phishing is such a good "business"" — Guardio Labs

The SaaS Business Model

Pink Drainer, Angel Drainer, Inferno Drainer, and the like seem to have adopted the same business model. They offer individuals and phishing teams a turnkey tool to drain crypto wallets, in exchange for a hefty initial deposit and a 20–30% cut of the future phishing loot.

Blockchain security firm SlowMist's report on Angel Drainer revealed that it demanded a $40,000 deposit from its "customers" along with a 20% fee, justified by the full-service phishing package Angel Drainer offered: an automatic site-cloning tool with the drainer linked in, support for multiple chains, and so on, as illustrated by this Angel Drainer "ad":

Angel Drainer Service Fees — Source: Slowmist

According to Scam Sniffer's report, in 2023 those drainer fees allowed the crypto SaaS providers to bank at least $47 million. In 2024, they are flirting with the $150 million mark!
One must admit that's quite the genius criminal plan. The masterminds behind these drainers need to do absolutely nothing to rake in the cash. They never endanger their own safety and anonymity, while their customers are the ones investing time in mounting and running sometimes very expensive phishing campaigns and taking the risk of being exposed.

SaaS Ecosystem — An Ever-Changing Landscape Since Its Inception

Although crypto wallet drainers are extremely lucrative, the SaaS players are ever changing. One of the most well-known, if not the first recorded, SaaS crypto wallet drainers, Monkey Drainer, was active from August 2022 to February 28th, 2023. After a $16 million run, made from more than 18,000 victims and a 30% cut, the Monkey Drainer crew closed up shop after being exposed by crypto sleuth ZachXBT. Probably trying to escape the spotlight, they announced their "retirement" with plenty of dramatic flair:

Monkey Drainer's retirement message — Source: Telegram

Did they really retire, or did they reinvent themselves under a new name, or names? The timing is suspicious: Venom and Pussy Drainers, which appeared just a month before Monkey Drainer's retirement, were able to pick up its abruptly abandoned customers. In the month following the disappearance of Monkey Drainer, at least four drainer crews entered the landscape, Inferno Drainer, MS Drainer, Pink Drainer and Angel Drainer, while Venom disappeared in April 2023.

Source: ScamSniffer

In November 2023, Inferno Drainer, then the most damaging wallet drainer kit in crypto history, announced that they would also retire!

"A big thank you to everyone who has worked with us. We hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest to make money. Goodbye." — Inferno Drainer

But this time around, breaking with their forefathers' tradition, they chose not to shut down. All files, servers, and devices related to their kit would keep running so that their faithful customers would have time to transition smoothly to a new wallet drainer, or so they said. The direct consequence of this move is that, with no date announced for the final unplug, scammers kept actively using it and reaped about $30 million in two months, stolen from around 40,000 new victims.

Figures of victims and funds stolen as of January 29th, 2024, by ScamSniffer — Source: Dune

As seen in the chart below, one alarming trend linked to these SaaS kits is the steep increase in phishing scams deployed; the scale and speed have escalated alarmingly. Monkey Drainer took six months to drain $16 million, while Inferno Drainer looted $81 million in just nine months of 2023 and, counting the takings after its "retirement," broke the $100 million threshold before it had been running for ten months.

Wallet Drainers Trends by ScamSniffer

Month for month, crypto SaaS drainers made almost five times more in 2023 than in 2022.
2024 will break every record yet, as we will see below.

2 — 2023: The Perfect Landscape to Catapult Wallet Drainers as a SaaS

We discussed in the first half how scam/drainer-as-a-service facilitated a significant shift in the crypto criminal topography by opening the crypto space even to non-crypto-savvy aspiring criminals. This is not only true for newcomers: it also lets Web2 scammers bridge the technology gap and enter the Web3 space, with its fat crypto wallets ripe for exploitation. Those kits likely caused an influx of new scammers for whom crypto wallet draining was now at their fingertips, increasing by leaps and bounds the frequency and magnitude of such incidents. But other circumstances also explain the vertigo-inducing losses we have them to thank for.

Methodology

The fraudsters only need to lure their victims through Google and Twitter phishing ads, mass spam on social media, phishing links posted from hacked Discord or Twitter accounts, or social engineering and direct messages (DMs) on social media platforms, and the deal is done.

Detailed overview of Inferno Drainer's workflow — Source: Group IB

If an individual clicks on the link in a scammy Twitter post, they have most likely FOMOed and convinced themselves that the airdrop is legit. We discussed in detail what is psychologically at play when a person is faced with an opportunity to get rich quick in this report:

BAYC Holders Keep Getting Rekted, We Know Why.

In short, nothing could be easier. And it has been made even easier by the takeover of Twitter by Elon Musk, with the introduction of blue and gold check accounts as well as a less strict attitude toward who can run ads on the platform. Scammers now freely promote their phishing scams on the platform, and efficiently impersonate an account by buying the gold check. Consequently, the Twitter crypto space is now saturated with phishing scams.
One can rarely go a day without encountering one, which increases the risk of falling for such a scam.

Context

The state of the crypto market in 2023 really helped these fraudsters score big. The beginning of 2023 was still entrenched in the crypto winter, creating perfect victimization conditions: distraught and weary retail investors were on the lookout for THE opportunity that would allow them to redeem themselves, while most of their coins sat in their wallets out of fear of losing even more. The crypto winter was succeeded by an ongoing crypto spring, which also created favorable settings for fraudsters, with the community trying to get into new explosive trends and feeling pretty intense FOMO. This was notably illustrated during the meme coin season triggered by the $PEPE coin, when $PEPE's market capitalization surpassed $1 billion in May.

Impunity

But what most likely explains the popularity of phishing scams among crypto criminals is the apparent absolute lack of judicial consequences for the scammers. They enjoy total impunity. Not only are their victims scattered around the world, making it hard to mobilize police and courts on their cases, but the scammers also master obfuscation methods that allow them to hide their ill-gotten funds and their identity. To trace them, let alone bring them to court, blockchain forensics and international police cooperation are needed. The probability of such resources being mobilized for a person who misclicked is close to none. The result is the perfect criminal landscape.

In 2023, SaaS wallet drainers emerged as a major threat in the crypto ecosystem, becoming the most significant danger to retail investors. These tools could efficiently turn anyone, even you, dear reader, if your moral compass wavered, into a crypto phishing god. By 2024, the threat had escalated, with wallet drainers raking in nearly half a billion dollars in stolen funds.
This catapulted them to the position of second most dangerous crypto menace, trailing only private key compromises and surpassing smart contract exploits.

But 2024 wasn't only about record-breaking thefts. The SaaS wallet drainer ecosystem saw notable shifts in both actors and techniques, as well as the rise of a timid hope that the Pandora's box opened by these wallet drainers might one day be sealed shut.

II. 2024's Ever-Shifting Wallet Drainers Landscape: Musical Chairs, The Great Chase, and the Money Laundering Conundrum

2024 was even more eventful than 2023, and it was hard to keep up with wallet drainer providers blinking in and out, turning 2024 into a rather ridiculous game of wallet drainer musical chairs.

Pink Drainer, contrary to its cute name, has been a devastating force in the crypto space since 2023, with more than $85 million stolen from crypto wallets through its SaaS wallet drainer. To everyone's relief, they announced their retirement in May 2024. But the relief was short-lived, because guess who was back days after this announcement? Inferno Drainer, the crypto wallet boogeyman.

Meanwhile, 2024 saw Violet Drainer "retire," while Ace Drainer made a splash with its debut.
Angel Drainer apparently suffered a small setback before coming back stronger than ever, at the perfect time for Inferno Drainer to retire yet again, this time handing over its legacy to them.

This ever-changing landscape is not the byproduct of whims; rather, it seems deeply rooted in the rising challenges that wallet drainer providers have faced this year. Even the game of musical chairs they have been playing may have served to rise and meet those challenges.

1 — Pink Drainer: A Wallet Drainer Created by a Fake Security Researcher Targeting Chinese Citizens Tips Its Hat

Pink Drainer stands out from the wallet drainer crowd not only for its successful run, but also for the atypical figure who led it. As reported earlier, Pink Drainer was used to steal more than $85 million during its short 14-month run.

Funds Stolen by Pink Drainer — Source: ScamSniffer

Most of it was stolen after the "departure" of Inferno Drainer in November 2023.

Funds Stolen by Pink Drainer By Month — Source: ScamSniffer

According to their retirement message, it was time for them to retire as they had "reached their goals," having broken through $75 million stolen through Pink Drainer, according to crypto sleuth ZachXBT.

Source: ZachXBT's Telegram

Unlike Inferno Drainer, they promised a total shutdown of operations and stated that they did not plan to return to the wallet drainer scene. They even expressed a wish for their clients to go outside, touch grass, and enjoy their ill-gotten funds, because one must "enjoy what this world has to offer," rather than being overly focused on defrauding unsuspecting victims.

However, crossing this arbitrary milestone may have been a cover story for the fact that Pink, the developer of Pink Drainer, had simply burnt out and quit. A few months earlier, Pink, the most talkative wallet drainer participant to date, had apparently shared his woes with a reporter from Cointelegraph's Magazine. Magazine revealed:

"In a now-deleted Telegram message to Magazine, Pink admits to his deteriorating physical and mental health. The draining scheme has become all-consuming for Pink, leading to lost sleep and a singular focus on nothing else."

After those messages, Pink stopped interacting with the press. This happened barely two months before the retirement announcement.

In a way, the abrupt disappearance of Pink and Pink Drainer could have been expected, given the peculiarity of this character. Before opening shop, Pink was allegedly known as "Blockdev" and ran the Twitter account @ChainThreats, as Magazine further revealed. For months, he apparently played the good Samaritan, going up against wallet drainers under the guise of being a security researcher. He launched repeated DDoS attacks and hacks against the then king of wallet drainers, Monkey Drainer, and was acclaimed by the community for it.

Source: Magazine by Cointelegraph

One of his last Twitter posts reads:

"I can say with a high degree of certainty that I have identified the person behind "monkey-drainer.eth," aka the person facilitating one of the largest wallet draining campaigns the crypto community has seen thus far. Stay posted."

Source: Magazine by Cointelegraph

In retrospect, it looks like he was simply taking down his competitors out in the open, under the cover of fighting wallet drainers. Unfortunately for Pink, this cover was blown while he was busy going after Venom Drainer alongside a security researcher named Fantasy, founder of the blockchain security firm Blockmage Labs. Fantasy revealed to Magazine that, during this pursuit, Pink inadvertently exposed his identity by using a Pink Drainer wallet, the very month he launched Pink Drainer. After the blow-up, he vanished, never to be seen again under the "Blockdev" alias. People who interacted with him described him as condescending.
In his exchanges with Magazine, Pink claimed that he doesn't "phish anyone, [he] just codes," and that scam "victims" are not victims but "participants" who lose money for others to gain. We're sure the victims who collectively lost more than $85 million are now enlightened by this statement and accept their loss as part of the grand scheme of things.

What's more intriguing is that Pink openly revealed who the target demographic was: "Chinese nationals who aren't really supposed to be doing this whole DeFi thing in the first place," and apparently everyone else siphoned through Pink Drainer outside of this demographic was unfortunately "caught in the crossfire."

Pink has also been busy moving his funds around since his retirement, with MistTrack once again on his trail.

Source: MistTrack

Blockchain security firm PeckShield also reported that on the day of the shutdown, Pink Drainer addresses staked 18.1 million DAI on Spark. This is consistent with what Pink told Magazine about his preferred way of managing stolen funds: keep them in the stablecoin DAI and "watch the pile grow," rather than cashing out immediately.

Will Pink deliver on his promise of quitting the wallet drainer game? Will he ultimately revive the ashes of Pink Drainer, stronger than ever after banking away his funds? Or will he come back under a new alias as a fake blockchain security researcher? Only time will tell.

2 — Inferno Drainer: The Undying Crypto Wallet Boogeyman?

Inferno Drainer had been "back" for only a few days when they were already making headlines, with a single retail investor losing close to $7 million in a permit phishing scam linked back to their draining kit.

As previously shared, Inferno Drainer, thanks to its huge popularity among scammers, remained actively used even during its retirement. Over the six months it was "retired," scammers reaped approximately $100 million, stolen from around 50,000 new victims, according to data from blockchain security firm ScamSniffer.

Funds Stolen By May 2024 Through Inferno Drainer — Source: ScamSniffer

They were banking even more during their inactive period than they did before, very likely profiting from the bull run of January 2024, with its influx of massive liquidity and new entrants.

Source: ScamSniffer

When Inferno Drainer announced their comeback, only days after Pink Drainer closed up shop, they claimed that during their absence more than $125 million had been drained by their clients, bringing the total stolen through them to over $250 million in the space of one year. That is $70 million more than the figure reported by ScamSniffer. So, what's true? What's a sales pitch?
Who knows!

The most interesting part of their comeback message is that, in the same breath, they claim that their clients are at the root of their return. They state that it was the loyalty of their clients post-shutdown that "made it clear they desired [their] return," and that "major competitors shutting down" and "incompetent drainers" attempting to resell the drainer would penalize them. It reads as if it were almost against their will, and they had to return at the drop of a hat to save their poor scammers, sorry, clients.

Which is in sharp contrast with the beginning of their message, where they state in black and white that during the past six months they were busy "operating privately, making drainer and team way much better," and that they were coming back better than ever with "new staff, new ways to work, new support and new features." In short, they never retired. They just "paused" their drainer to improve it away from scrutiny.

Inferno Drainer Comeback Message — Source: Plum on Twitter

But Inferno Drainer hasn't only been busy bringing to the table a new, even more powerful turnkey wallet drainer offer, with "free web dev & hosting" included, over the past months. They have also had their hands full trying to obfuscate their tracks and cash out their ill-gotten funds. Unfortunately for them, MistTrack, a crypto security company, has been meticulously trailing them and keeping tabs!

Inferno Drainer Tracks — Source: MistTrack's Twitter

Although at first glance this information may not seem crucial, it is actually very telling.
Inferno Drainer, like Pink Drainer, was much more active in moving its funds around and attempting to launder them once it was no longer under scrutiny. The (in)ability of wallet drainer providers to cash out the monetary fruits of their malicious endeavors has been one of the challenges they have faced. Hunted by blockchain security companies and crypto sleuths, who followed and froze funds while breathing down the necks of the members of "the best drainer that has ever existed," Inferno Drainer likely owed its forced closure at the end of October 2024 to this scrutiny.

3 — Wallet Drainers: From Predators to Prey

Since 2024, wallet drainer providers have faced numerous challenges, the most anecdotal being:

Scammer Scammed — Pink Drainer suffered a magnificent, if not poetic, turn of events, losing funds to another scammer. Pink fell victim to a basic scam, address poisoning, which led them to accidentally send 10 ETH to the scammer's wallet in late June.

Source: MistTrack

Thwarted TON Shift — In 2024, the TON blockchain experienced remarkable growth, with daily active addresses increasing by 3,435% and daily transactions rising twelvefold. This surge is attributed to successful integrations with social media platforms, the launch of popular projects like Notcoin and Hamster Kombat, and a significant increase in total value locked (TVL), which reached $741.3 million by September. Its newfound popularity, and questionable security, brought it to the attention of wallet drainer providers, some of whom saw in it a new drainer El Dorado. Unfortunately for them, that dubious dream has been thwarted, as reported by a wallet drainer provider focused on the TON network.
According to the provider, TON's lack of "whales" and its relatively small community make it incompatible with dreams of quick riches.

Source: ScamSniffer

Besides these trifles, wallet drainer providers had to contend with very thorough and motivated blockchain security companies and independent crypto sleuths bent on sniffing them out, uncovering their true identities, and thwarting every attempt to safely cash out.

Investigators Closing In

The crypto landscape of 2022 and that of 2024 are like night and day when it comes to security. In the past two years, blockchain security providers, independent investigators, and crypto actors such as CEXs and stablecoin issuers have come together to build a rampart against crypto criminals. Gone are the days when criminals could come in, commit the deed, cash out at a CEX, and ride off into the sunset.

The year 2022 marked the worst year in crypto history, with hacks, scams, and multi-million-dollar rug pulls occurring almost daily: pure chaos. This led to widespread discussions and actions, with security providers ramping up tools to protect retail investors. People and companies came together to form a sort of "911" blockchain security network, with entities like SealOne and other blockchain security firms, even competitors, collaborating. Another focus was on improving how to alert and collaborate with key crypto actors regarding the malicious use of their platforms, encouraging their active participation in hindering these activities by freezing assets and engaging in investigations to help uncover those behind the crimes.

Running a hack or scam in 2024 carries a higher risk of detection.
This has significantly contributed to the increase in cases this year of hackers being forced to return stolen funds in exchange for a meager bug bounty, or in some cases none at all, after their identities were uncovered.

This also applies to crypto wallet drainer providers, even more so because they suffer from one huge Achilles' heel: their fee addresses. Every time a scammer successfully ensnares a victim using one of the wallet drainers, the usage fee of the drainer is sent to a fee address belonging to the wallet drainer provider. That makes obfuscation extremely difficult, as those threat actors' addresses are immediately identified. Then, investigators only have to follow the money.

Angel Drainer and Inferno Drainer were both in the sights of blockchain security investigators this year, and one appears to have been snuffed out for good.

Inferno Drainer

By the end of October 2024, Inferno Drainer, armed with its newly improved version, showed no sign of slowing down in attracting new scammers: the number of decentralized applications (DApps) using the Inferno Drainer tool tripled to 40,000 by July 2024, and new malicious DApps increased from 800 to 2,400 per week, according to Blockaid. Inferno reached unprecedented highs, with almost 216,000 victims and $246.5 million stolen in 18 months, six of them in "retirement," banking more than $165 million in less than 10 months.

Source: Dune

By October 2024, Inferno Drainer had reached its peak. That was also when they shut down for good (or at least, so it appears). But it was no case of "exiting at the zenith of their success." Rather, they were left with little choice. On October 16th, two successive events sounded the death knell for Inferno Drainer.
A Cointelegraph Magazine investigation revealed deep ties between Inferno Drainer and Konpyl, a Dubai-based CEO allegedly implicated in a series of scams, including the Inferno Drainer-linked fake Rabby wallet incident that siphoned $1.6 million.

Source: Cointelegraph

In the same breath, USDT stablecoin issuer Tether froze three Inferno Drainer wallets at the request of a law enforcement agency.

Source: Cointelegraph

It seems this attack on two fronts was enough to spook them into quitting only days later. They announced they were quitting without explaining why. Unlike Pink Drainer, however, they chose to hand over their tech to their rival Angel Drainer "as they have shown they could be trusted with handling a drainer and big hits, without ever scamming or backdooring." The move followed the transfer of over $1 million from their fee address to multiple new addresses.

Inferno Drainer Retirement Announcement — Source: ScamSniffer

After the announcement, Inferno Drainer's fee address was replaced with Angel Drainer's, suggesting that this was not another fake retirement. Although it is impossible to say with certainty that the hunt, in which they found themselves the prey, was solely responsible for triggering their shutdown, blockchain security experts seem to agree that this is likely the case.

In an interview with Cointelegraph, Fun, founder of Scam Sniffer, shared:

"For their safety, shutting down was inevitable. […] Whether it's Inferno Drainer or Pink Drainer, they're just services used by scammers. The real perpetrators are hidden behind these drainer names."

He emphasized the disproportionate burden placed on wallet drainer providers, who shoulder nearly the entire risk while earning only a modest 20–30% cut.
This makes them primary targets for investigators and law enforcement, who view shutting down these providers as essential to dismantling the broader scamming industry.

A similar perspective was shared by Cos, founder of MistTrack, in the same Cointelegraph article:

"We think [drainers are shutting down] because they have earned too much. If they continue, it's only a matter of time before law enforcement finds them or their accomplices."

Nevertheless, this could be yet another strategy to shake their hunters off their tails, regroup, and come back under a new drainer name months from now.

Angel Drainer

In July 2024, the press declared Angel Drainer shut down. This development came just after Match Systems, a blockchain intelligence and anti-money laundering firm, announced that they had made leaps and bounds "in identifying the individuals behind this group [Angel Drainer]." According to Match Systems, not even two hours after their announcement, Angel Drainer showed signs of having suspended its operations and was no longer available to its users.

Source: CyberNews

Well, the respite was short-lived, as they came back stronger than ever just a few months later, raising the question of whether Inferno Drainer might ultimately follow the same path.

However, wallet drainer providers faced more than just the challenge of being sniffed out from behind the blockchain's cloud of pseudonymity, where they have been hiding.

The Cashing Out and Money Laundering Conundrum

In 2024, the SaaS drainer ecosystem became a high-risk business, with the watchful eyes of the crypto community tracking every move, while providers had to contend with diminishing monetary gains. Wallet drainers, like the broader crypto criminal community, are facing growing challenges in quietly cashing out and laundering their ill-gotten funds. Notably, blockchain security companies like MistTrack and Scam Sniffer are keeping a very close eye on them: following, tracking, documenting, and blacklisting the addresses they use. This incredible effort has helped block wallet drainer providers from cashing out and laundering money.

In July, Inferno Drainer tried to use Railgun to launder more than $600,000, but was thwarted by the protocol once the attempt was brought to its attention, and the drainer's stolen funds were sent back to them.

Source: MistTrack Twitter

Railgun was rather incentivized to act after MistTrack called them out multiple times over several drainers laundering money through their protocol, especially in Q1 2024.

Source: MistTrack

This is a good demonstration of the level of scrutiny every fund movement by wallet drainer providers was subjected to. Wherever they tried to channel their funds, they were efficiently tracked.

Source: MistTrack Twitter

The sophistication of their obfuscation methods over this past year is in sharp contrast with how casual they were when they started. In October 2023, SlowMist released a report on Angel Drainer which details, notably, the exit route they chose for their funds: they were primarily processed through Binance, with a small amount going through mixers like Tornado Cash. Essentially, they gave little thought to how to cash out safely.

Angel Drainer Money Exit Route — Source: Slowmist

Starting in 2024, Angel Drainer shifted tactics. According to cybersecurity firm Brandefense's report, Breaking the Angel's Wing, the group made several changes in Q1 2024 to obscure their tracks, including the use of temporary wallets that were discarded once a specific volume or usage period was reached. They also focused on cashing out primarily through KuCoin, a crypto exchange recently indicted for failing to implement an anti-money laundering (AML) program in compliance with U.S. regulations.
KuCoin is alleged to have enabled the laundering of over $5.39 billion, possibly linked to various criminal activities. They also ramped up their use of the eXch crypto exchange. eXch is an automatic exchange frequently used for money laundering because it facilitates quick, anonymous transactions and asset swaps with minimal oversight, making it easier to obfuscate the origins of illicit funds.

While Angel Drainer has escalated its cashing-out strategy, Pink Drainer, as previously reported, chose to park its funds in DAI, possibly to ride out the scrutiny storm. Meanwhile, Inferno Drainer has been fumbling, as evidenced by its decision to use USDT, which ultimately led to some of its funds being frozen. You can dive into our report on why DAI is favored over USDT for crypto money laundering if you'd like to learn more about the subject:

Why DAI is Favored Over USDT for Crypto Money Laundering

Only two weeks after handing over their operations to Angel Drainer, Inferno Drainer, as they did during their first break, busied themselves with trying to cash out. This time, they decided to return to Money Laundering 101 by enthusiastically using Tornado Cash. If they thought that announcing the shutdown of their scammy shop would be enough to throw investigators off their tail and allow them to launder their funds in secret, they were in for a surprise. As soon as they started actively laundering, Blockaid immediately reported the movements.

Source: Blockaid Twitter

The SaaS model has been both a boon and a thorn in the side of wallet drainer providers. The fee system that exposes their fee addresses leads investigators directly to their door.
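The weakness just described, and the 20–30% business model laid out earlier, give investigators a concrete handle: in every drain the provider's cut leaves the victim in the same transaction as the operator's share, and the same fee address shows up across drains run by unrelated operators. The JavaScript below is an added example, not MistTrack's, Scam Sniffer's or any investigator's tooling, and not something the article describes in code: it takes the outgoing legs of a set of transactions (constructed here, with labels standing in for real addresses and tx hashes), expresses each recipient's take as a share of what the sender lost, and reports recipients that repeatedly take a minority cut in transactions whose majority leg goes to different operators. The 15 to 35 percent band, the majority threshold and the recurrence minimums are parameters chosen for the example.

```javascript
// Added example: attribute SaaS-drainer fee addresses from the per-drain fee split.
// Not MistTrack's, Scam Sniffer's or any investigator's tooling. The transfers below
// are constructed; labels stand in for real addresses and tx hashes. Runs under Node.js.

// Each record is one outgoing leg of a transaction: in a drain, the victim's funds
// leave in one tx, the bulk to the operator (the kit's customer) and a cut to the provider.
const SAMPLE_TRANSFERS = [
  { tx: "0x01", from: "victim-1", to: "operator-A", amount: 8000n },
  { tx: "0x01", from: "victim-1", to: "fee-X",      amount: 2000n },  // 20%
  { tx: "0x02", from: "victim-2", to: "operator-A", amount: 14000n },
  { tx: "0x02", from: "victim-2", to: "fee-X",      amount: 6000n },  // 30%
  { tx: "0x03", from: "victim-3", to: "operator-B", amount: 37500n },
  { tx: "0x03", from: "victim-3", to: "fee-X",      amount: 12500n }, // 25%
  { tx: "0x04", from: "victim-4", to: "operator-C", amount: 700n },
  { tx: "0x04", from: "victim-4", to: "fee-X",      amount: 300n },   // 30%
  // a 3% relayer tip: outside the fee band, ignored
  { tx: "0x05", from: "victim-5", to: "operator-D", amount: 9700n },
  { tx: "0x05", from: "victim-5", to: "relayer",    amount: 300n },
  // a single drain whose minor leg fits the band but never recurs: weak evidence
  { tx: "0x06", from: "victim-6", to: "operator-E", amount: 7500n },
  { tx: "0x06", from: "victim-6", to: "fee-Y",      amount: 2500n },
  // an ordinary 50/50 split with no majority leg: not a drain pattern
  { tx: "0x07", from: "user-7",   to: "friend-1",   amount: 500n },
  { tx: "0x07", from: "user-7",   to: "friend-2",   amount: 500n },
];

// Returns fee-address candidates sorted by the number of drains they took a cut from.
function findFeeAddresses(transfers, opts = {}) {
  const { minBps = 1500, maxBps = 3500, majorBps = 5000, minTxs = 2, minOperators = 2 } = opts;

  // 1. Group the legs of each transaction.
  const byTx = new Map();
  for (const t of transfers) {
    if (!byTx.has(t.tx)) byTx.set(t.tx, []);
    byTx.get(t.tx).push(t);
  }

  // 2. Per transaction, express each recipient's take in basis points of the total
  //    that left the sender, and separate majority legs (operators) from minor legs.
  const stats = new Map(); // minor recipient -> { txs, operators, bps }
  for (const [tx, legs] of byTx) {
    const total = legs.reduce((sum, l) => sum + l.amount, 0n);
    if (legs.length < 2 || total === 0n) continue;
    const shares = legs.map((l) => ({ to: l.to, bps: Number((l.amount * 10000n) / total) }));
    const operators = shares.filter((s) => s.bps >= majorBps).map((s) => s.to);
    if (operators.length === 0) continue;
    for (const s of shares) {
      if (s.bps < minBps || s.bps > maxBps) continue;
      const st = stats.get(s.to) || { txs: new Set(), operators: new Set(), bps: [] };
      st.txs.add(tx);
      for (const o of operators) st.operators.add(o);
      st.bps.push(s.bps);
      stats.set(s.to, st);
    }
  }

  // 3. A provider fee address recurs across drains run by different operators;
  //    a one-off minor leg, or one operator's own side payment, does not qualify.
  const candidates = [];
  for (const [address, st] of stats) {
    if (st.txs.size < minTxs || st.operators.size < minOperators) continue;
    const sorted = [...st.bps].sort((a, b) => a - b);
    candidates.push({
      address,
      txs: st.txs.size,
      operators: [...st.operators].sort(),
      medianFeeBps: sorted[Math.floor(sorted.length / 2)],
    });
  }
  return candidates.sort((a, b) => b.txs - a.txs);
}

console.log(JSON.stringify(findFeeAddresses(SAMPLE_TRANSFERS), null, 2));
```

With real data the legs would come from ERC-20 Transfer logs or native-value traces of the suspected drain transactions. A hit is a lead to pivot on rather than proof: once a fee address is identified, its other inflows enumerate the provider's customer base, and its outflows are where the cash-out attempts described above become visible.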
With blockchain forensics technology improving by leaps and bounds over the past three years, and the engagement of blockchain security firms in fighting crypto criminals, wallet drainer providers have become hunted prey.

The Technology Bottleneck

As if that weren’t enough, blockchain security solutions have also evolved to adapt to the threat posed by wallet drainers. From apps like Nefture, Wallet Guard and Pocket Universe to user-security services integrated directly into wallets like Blockaid, the ability of wallet drainers and their clients to successfully operate a scam is heavily challenged.

Source: Wallet Guard

So much so that one wallet drainer provider, Violet Drainer, was forced to shut down because of them in April 2024. According to their farewell post, Blockaid was the main culprit: “We have shut down because of Blockaid and the low hit-success rate,” they declared. They further explained that scammers should avoid draining on chains popular with Blockaid users and instead move to greener pastures, like the Bitcoin network.

Violet Drainer Goodbye Post — Source: Cointelegraph

Well, since the wallet drainer industry has continued to flourish and profit since then, that is a very dire outlook that doesn’t reflect the reality of the ecosystem as a whole. Rather, it is a good example of how rudimentary drainers are now being weeded out by blockchain security companies, because they sit too low on the technology-development scale to profit first and grow in sophistication over time. This is excellent news.
Nevertheless, the strongest wallet drainer providers do not intend to go down without a fight; both security companies and drainers are engaged in a fierce technological arms race. The growth in sophistication of security solutions is mirrored by a similar evolution from both wallet drainer providers and users, as demonstrated by the devastating return of Inferno Drainer, with 2024 offering a wealth of such examples.

4 — The Increased Sophistication of Wallet-Drainer Attack Vectors

As crypto wallets become more secure and Web3 users grow more aware of malicious techniques, it becomes increasingly challenging for attackers to trick victims into authorizing a malicious drainer transaction. Now, cybercriminals are developing more sophisticated methods to deceive users. They are more incentivized than ever to invest in and develop novel attacks, as the crypto space has never been as bountiful as it is now.

In February 2024, a fake “Raby” wallet app posing as DeBank’s Rabby Wallet was discovered on the Apple App Store, tricking users who blindly trust the App Store screening process into entering their credentials and having their funds exfiltrated. The app, which remained on the store for four days, caused victims to lose an estimated $1.6 million before it was removed by Apple.

Fake Rabby Wallet on App Store — Source: Vladimir S.

In April 2024, over 2,000 WordPress websites were found by MalwareHunterTeam to have been injected with crypto drainers, following a previous discovery, one month earlier, by Sucuri of nearly 1,000 sites used for brute-force attacks. These compromised sites injected malicious scripts that displayed crypto scam ads, stealing assets from wallets like Coinbase, Ledger, MetaMask, Trust Wallet, and Safe Wallet once connected to Web3 sites.

In September 2024, it was revealed that, in the same vein as the fake Rabby Wallet scam, an app disguised as the legitimate WalletConnect tool on Google Play evaded detection for over five months, tricking users into authorizing transactions and exfiltrating at least $70,000 from 150 identified victims through the MS Drainer.

Source: Check Point Research

With fake positive reviews and stealthy techniques, the app had been running since May 2024 and was downloaded over 10,000 times before it was discovered by Check Point Research.

Malicious Application Workflow — Source: Check Point

The use of fake apps and a focus on mobile devices appears to be one of the strategies developed by scammers to counter the growing difficulty of tricking victims into authorizing malicious drainer transactions through “traditional channels.”

On October 30, 2024, attacker(s) compromised several online crypto app front-ends by injecting malicious code into the Lottie Player animation library, used by major brands like Apple and Disney. This supply chain attack caused decentralized finance apps like 1inch and TEN Finance to display pop-ups designed to trick victims into having their funds siphoned away through a wallet drainer called Ace Drainer.

In the same month, a sponsored Google ad falsely promoting Sony’s blockchain project, Soneium, was exposed as a crypto wallet drainer by Scam Sniffer on October 22. The ad directed users to a phishing site with a nearly identical domain name, using sophisticated evasion techniques to bypass Google’s security and trick victims into visiting the malicious page. Over the past year, there has been a growing number of successful malicious ads on platforms like Google and DuckDuckGo, serving as hideaways for wallet drainers.

But the most impressive demonstration came from Angel Drainer in September 2024, a malicious actor quite like no other.

III. Angel Drainer, a Wallet Drainer Like No Other

Although incredibly impressive by the extent of its criminal success, the Inferno Drainer crew is not the most intriguing.
That title belongs to Angel Drainer.

Angel Drainer, a Different Actor?

SaaS providers are pure criminal genius because the crews behind them have to do virtually nothing. Now, for reasons unknown, the seemingly Russian-based Angel Drainer does not hesitate to dirty its own hands. We do not know if they are motivated by greed or something more, but their direct involvement in the Ledger Connect Kit hack is notable.

According to blockchain security firm SlowMist, Angel Drainer was not only used as a SaaS tool: the team behind it orchestrated the entire affair in July 2023 by compromising hundreds of DeFi protocols using the Ledger Connect Kit, draining over $600,000 in a two-hour period.

Although a $600,000 heist may seem laughable compared to the half-billion-dollar hacks seen in the crypto space, this brief (two-hour) hack was extremely impactful due to its scale, with hundreds of protocols involved, and the targets chosen: Ledger, a longstanding blockchain security powerhouse, and its tool, which has been fundamental to countless mainstream and respected crypto actors.

For hours, the entire community was literally frozen. No one dared to even blink, terrified by the idea of losing everything. The shock value of this hack was immeasurable. So, what does it signify? Is Angel Drainer on the path to evolving from a ‘passive’ devilish tool to an active crypto villain?

Further investigation by SlowMist seems to confirm this.
According to their research, the ‘Angel Drainer gang’ was behind the Balancer DNS hijacking attack in September 2023, as well as the Galxe DNS hijacking attack in October 2023.

Angel Drainer also stands apart for both its structure and sophistication.

Angel Drainer: A Technologically Advanced and Highly Hierarchized Threat

Hierarchy of Affiliates

According to Brandefense’s report, Breaking the Angel’s Wing, Angel Drainer clients, referred to as “affiliates,” follow a rigid hierarchical structure. There are 5 levels, from Newbie to Diamond, each level giving access to different private chat rooms on Telegram and additional benefits. Each level is reached by succeeding in stealing a certain amount of digital assets using Angel Drainer: Ruby, the first level after Newbie, requires $10,000; Diamond, $5 million.

By May 2024, Brandefense had recorded more than 5,700 affiliates registered through Angel Drainer.

Angel Drainer appears to offer top-quality service. Welcoming its affiliates with a sleek UX, Angel Drainer allows them to create customized wallet drainers in just a few steps, ready to wreak havoc on unsuspecting victims.

Steps To Create An Angel Drainer Malware — Source: Brandefense

After the malware is customized to meet the affiliate’s needs, it is uploaded to the site ‘decue.la,’ ready for download, according to Brandefense’s research.

By May 2024, Angel Drainer offered over 193 phishing website templates targeting 169 different blockchain projects and was linked to 10,000 phishing websites, 900 of which were dedicated to PEPE, according to further Brandefense findings.

Sophisticated Features

To help their affiliates succeed, Angel Drainer is equipped with both simulator detection and a security bypass, according to the report.
The simulator detection feature identifies tools like PocketUniverse, Revoke Cash, WalletGuard, FireProxy, and Stelo, while the security bypass circumvents Coinbase and MetaMask protections under specific conditions: a non-simulator environment, a non-mobile device, and use of MetaMask or Coinbase Wallet.

To further sidestep security alerts, Angel Drainer uses its own brand of EtherHiding. Once the first malware is activated, Angel Drainer injects a second malicious file. The first malicious file sends a request to an Angel Drainer-owned smart contract using hex (hexadecimal) encoding, and upon the smart contract’s response, a harmful file named “fallback.js” is loaded into the victim’s browser.

This technique, by hiding the second malicious payload, can potentially help obfuscate the harmful nature of the Angel Drainer kit from security detection. Additionally, the decentralized and immutable nature of the blockchain prevents the malicious smart contract from being blocked or taken down.

After the press announced that Angel Drainer had shut down in July 2024, Angel Drainer made itself scarce and came back stronger than ever in September 2024 with AngelX. AngelX, launched on August 31st, quickly deployed over 300 malicious dApps within four days, targeting users on vulnerable blockchains like TON and Tron. With its enhanced user interface and control panel, AngelX now allows scammers to create and distribute customized phishing dApps even more easily, making detection more challenging.

Number of Malicious dApps Deployed — Source: Blockaid

According to Blockaid, AngelX is a security nightmare due to its high evasion rate, with more than 90% of AngelX dApps going undetected by most security providers.
Already a wallet drainer on steroids, AngelX’s “acquisition” of Inferno Drainer brings together the worst of the top-tier wallet drainers, leveling up its ability to inflict maximum damage.

Conclusion

January 2025 data on wallet drainers is out, confirming the inexorable downward trend the wallet drainer ecosystem has been experiencing since Q4 2024, with barely $10 million stolen. This may come as a surprise, as the crypto space has never been as flooded with money as it is today.

Source: ScamSniffer (Dune)

A key detail, though, is that the number of victims has remained roughly the same throughout H2 2024. We can propose two theories to explain the drop, both of which could be at play simultaneously.

The first theory is that the pool of victims itself has dropped in ‘financial quality.’ This could be because more seasoned crypto investors have gradually ramped up their security over the past year, and crypto wallet providers have improved their protections, making them less likely to fall prey to scams related to wallet drainers. This leaves mainly the new ‘little fish’ swimming in the crypto shark pools, more vulnerable to being caught in these scammers’ nets.

The second theory that could explain why scammers’ netting ability is reduced to targeting more inexperienced crypto investors lies in the departure of Inferno Drainer and the subsequent takeover by Angel Drainer. As we previously explained, Angel Drainer is a tightly organized enterprise, and it seems the Inferno Drainer takeover didn’t go as planned for Inferno’s clients. If we are to believe a rather enraged post by one of Inferno’s users on Twitter, Angel Drainer didn’t open its doors to the massive influx of Inferno Drainer users. Instead, it may have screened who would become a client and who would not.

Source: Twitter

Angel Drainer is nothing if not meticulous and cautious.
This filtering strategy could be part of a safety system they put in place — a strategy where they would rather miss out on gains than risk being exposed by users getting too close to the sun’s rays radiating from their halo.

Unfortunately for scammers, Angel Drainer and Inferno Drainer are the most sophisticated drainers to date. This means scammers have to rely on less powerful, more easily caught wallet drainers (ones more likely to be flagged by security watchdogs) to carry out their fraud, which could directly impact the funds they are (un)able to steal.

Unless a new player emerges with a high degree of scam sophistication, capable of bypassing security system improvements as they roll out, or unless Angel Drainer becomes even more advanced and opens its front doors, it’s possible that 2025 could see a significant reduction in losses linked to wallet drainer activities.

However, the potential coordination between powerful and efficient wallet drainer entities — taking turns while others regroup to ultimately return even fiercer and more sophisticated — could be an extremely worrying trend if it persists into 2025.

Lastly, while it may seem anecdotal, there appears to be a Russian connection among some wallet drainers. At least high-profile drainers like MS Drainer, Angel Drainer, and Ace Drainer have been identified as Russian-based by blockchain security researchers, suggesting that Russia could be a hotspot for the crypto wallet drainer industry.

2 — Address Poisoning: A Persistent and Destructive Threat

May 2024 started with a big bang when a single address lost over $72 million to address poisoning. 2024 has been the year of phishing overall, with the $1 billion threshold being bulldozed through, but address poisoning also took its lion’s share, with at the very least $210 million stolen.
The largest single poisoning attack amounted to no less than $129 million. This figure is likely far from the true amount stolen, as data collection around address poisoning — due to its specific modus operandi — remains difficult.

The scam, initially identified by SlowMist in December 2022 and gaining prominence since due to its increasing success, began by tricking crypto users interacting with stablecoins into sending their funds to a fraudulent address. This scheme is commonly referred to as the ‘zero-value TransferFrom’ scam, the stablecoin scam or the ‘address poisoning’ scam.

Address poisoning is a phishing attack in which the scammer manipulates the victim’s transaction history, inserting a fraudulent address that closely resembles the victim’s legitimate address. The fake address often matches the prefix and suffix of the victim’s original address, causing them to mistakenly send funds to the scammer.

Since its inception in late 2022, the scam has undergone significant modifications, evolving from a costly and ineffective method to the much more sophisticated and profitable crypto scam that has devastated the crypto space in 2024.

I — Address Poisoning in Its Infancy: A Surprisingly Ineffective Scam

The initial modus operandi was both ingeniously simple and largely ineffective.

1. Finding the victims — Potential victims of these scams are people who copy addresses directly from the blockchain or from their transaction history. Scammers tracked individuals who had a history of frequently sending stablecoins to other wallets.

2. Crafting spoofed addresses — Vanity address generators like Profanity allow users to make parts of an address (generally the prefix and/or suffix) include their name or whatever they choose.
Here, the scammers only have to generate an address whose prefix and suffix match the address their victims use to send funds and voilà, they have built their hooks.

3. Hijacking the victim’s wallet — Typically, executing a transaction from a victim’s wallet requires an attacker to possess the victim’s private key. However, SlowMist revealed that certain token contracts like USD Coin (USDC) suffer from a potential security loophole: an attacker can initiate a transaction from any wallet without the need for the private key or prior approval from the owner.

An examination of the code for USD Coin (USDC) on Etherscan demonstrates the functionality of the “TransferFrom” function, which permits any actor to transfer coins from another individual’s wallet provided that the quantity of coins being transferred does not surpass the amount approved by the address owner.

Source: SlowMist

As a result, an attacker may initiate a transaction from any wallet of their choosing, without requiring the private key or obtaining prior authorization from the owner, as long as the value of the transaction is less than or equal to zero (an owner who never approved the attacker has an allowance of zero, and a zero-value transfer does not exceed it).

TL;DR: Even without the victim’s private key, they can confirm a transaction from the victim’s wallet and create fake transactions.

4. The waiting game — Once they have “poisoned” their potential victims with these fraudulent addresses, they only have to wait for them to copy/paste these addresses and send their funds away, thinking they are sending them to a correct deposit address.

At first glance, the situation may have seemed dire, with the possibility of a mass draining of funds.
Quickly it appeared that the severity of the scam would not be as extensive as might have been expected. Research firm Elliptic even dared to call it ‘an attempted scam.’

Based on their research published in January 2023, although a large number of zero-value transactions may appear on block explorer records, most of these attempts did not result in actual victimization. Despite the widespread prevalence of this scam on blockchains like Ethereum, BSC, and Tron from November 2022 to January 2023, with over 176,000 zero-value transactions initiated by approximately 150 scammers, their combined wallets “only” had over $1.5 million in income. Out of this $1.5 million, scammers had spent over $710,000 in gas fees, resulting in an overall profit of just under $800,000, or approximately $5,500 per scammer…

Source: Elliptic

In short, at that time they barely made enough to cover the fees associated with their scam.

The Evolution of Address Poisoning: A Successful Shift in Tactics

In response to this looming threat, block explorers — who were put on the spot — attempted to gray out these transactions to alert potential victims that their wallet’s transaction history had been targeted.

Source: Elliptic

Crypto wallets like Rabby developed built-in safeguards to protect their users from address poisoning attacks by implementing address whitelisting and warnings on first-time transfers to an address.

Rabby Wallet Protection Against Address Poisoning — Source: Rabby Wallet

Despite both proactive actions and the crypto community’s awareness of this menace, address poisoners seem to have found new potion recipes concocted to bewitch new victims. Scammers are nothing if not creative when it comes to bypassing security hurdles, and quickly set the original version of the scam aside for more sophisticated — though sometimes costlier — strategies.

Address Poisoning via Addresses Generated through CREATE2

In a report on an address poisoner successfully stealing over $5 million from 21 victims, ScamSniffer revealed that the attacker notably used CREATE2 to generate their spoofed addresses.

CREATE2 itself doesn’t allow a scammer to create an address that looks like another address in the sense of mimicking a specific address, as a vanity address generator might. However, CREATE2 introduces a way to generate predictable contract addresses. The attacker can choose a target address pattern by manipulating the parameters used in CREATE2. By using CREATE2, a scammer could select a specific salt (a value used in the contract creation process) that, when combined with the contract bytecode, generates an address like 0x123…abc or something very close. By generating a contract address that matches or closely resembles the well-known address (0x123…abc), the scammer can poison the address space.

It’s important to note that in most cases of address spoofing, the manipulated portion of the address typically lies within the first 6 characters and the last 4 characters, as these are the parts most crypto wallets choose to display.

In the case revealed by ScamSniffer, a quick glance at Etherscan immediately exposes the deception, as the discrepancy between the spoofed address and the legitimate one becomes apparent. This is because, following the rise of address poisoning cases, Etherscan now displays the first 8 characters and the last 8 characters of the address.

Address Poisoning Attack on Etherscan — Source: ScamSniffer

However, most crypto users interact with addresses primarily through their crypto wallets, as was the case in this scam.
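As an added example (not code from the article or from any wallet vendor), here is a wallet-side triage that applies the two facts above: counterparties that collide with a trusted address under the 6+4 truncation most wallets display, and zero-value outgoing transfers that anyone can plant in a history. The addresses, the history entries and the TRUSTED address book are constructed for illustration; the same check is run at 8+8 to show why Etherscan’s wider display exposes the spoof.

```python
"""Address-poisoning triage over a wallet's transaction history.

Added example; not the article's code nor any wallet's. All addresses and
history entries are constructed for illustration and are not real on-chain data.
"""
from dataclasses import dataclass

# Constructed addresses: LEGIT is where the user really sent funds; SPOOF agrees
# with it on the first 6 and last 4 hex characters (the truncation most wallet
# UIs show) but differs from character 7 onward, so an 8+8 display exposes it.
LEGIT = "0x" + "d9a1b0" + "7c" + "a" * 26 + "31" + "80d9"
SPOOF = "0x" + "d9a1b0" + "e5" + "b" * 26 + "42" + "80d9"
OTHER = "0x" + "1234" + "0" * 32 + "abcd"          # unrelated counterparty
assert len(LEGIT) == len(SPOOF) == len(OTHER) == 42


@dataclass
class Entry:
    direction: str      # "in" or "out", from the victim's point of view
    counterparty: str   # full 42-character hex address
    token: str          # symbol as the wallet displays it
    amount: float


# Constructed history: a real outgoing transfer, then the two poisoning
# patterns the article describes (a zero-value transferFrom that shows up as an
# outgoing transfer to the spoof, and a dust payment from the spoof), then noise.
SAMPLE_HISTORY = [
    Entry("out", LEGIT, "USDC", 47242.0),
    Entry("out", SPOOF, "USDC", 0.0),
    Entry("in", SPOOF, "USDC", 0.02),
    Entry("out", OTHER, "ETH", 1.5),
]

# Addresses the user confirmed in full (an address book), never taken from history.
TRUSTED = {LEGIT}


def display_key(addr: str, prefix: int = 6, suffix: int = 4) -> str:
    """The truncated form a UI renders: first `prefix` and last `suffix` hex chars."""
    body = addr[2:].lower()
    return f"{body[:prefix]}...{body[-suffix:]}"


def looks_alike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when two DIFFERENT addresses collide under the truncated display."""
    if a.lower() == b.lower():
        return False
    return display_key(a, prefix, suffix) == display_key(b, prefix, suffix)


def flag_poisoned(history, trusted, prefix: int = 6, suffix: int = 4):
    """Return (index, reason) for history entries matching poisoning patterns."""
    flags = []
    for i, e in enumerate(history):
        twins = [t for t in trusted if looks_alike(e.counterparty, t, prefix, suffix)]
        if twins:
            flags.append((i, f"look-alike of trusted {display_key(twins[0], prefix, suffix)}"))
        if e.direction == "out" and e.amount == 0:
            # A zero-value transferFrom passes `amount <= allowance` even when the
            # caller was never approved, so anyone can plant this entry.
            flags.append((i, "zero-value outgoing transfer"))
    return flags


def resolve_from_history(shown: str, history, prefix: int = 6, suffix: int = 4):
    """Every distinct full address in history that renders as `shown`.
    More than one hit means the truncated display is ambiguous, so a recipient
    must never be picked from history by its truncated form."""
    hits = {e.counterparty.lower() for e in history
            if display_key(e.counterparty, prefix, suffix) == shown}
    return sorted(hits)


if __name__ == "__main__":
    for idx, why in flag_poisoned(SAMPLE_HISTORY, TRUSTED):
        print(f"entry {idx}: {why}")
    print("6+4 candidates:", len(resolve_from_history(display_key(LEGIT), SAMPLE_HISTORY)))
    print("8+8 candidates:", len(resolve_from_history(display_key(LEGIT, 8, 8), SAMPLE_HISTORY, 8, 8)))
```

At 6+4 the history yields two candidates for the same truncated address; at 8+8 only the genuine one remains, which is the mechanism behind Etherscan’s change.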
Within the Safe Wallet, the address discrepancy disappears, as shown below.

Same Address Poisoning Attack but on Safe Wallet — Source: ScamSniffer

CREATE2 is commonly used in conjunction with fake tokens.

The Use of Fake Tokens and Unicode

In its initial iteration, address poisoning involved initiating a ‘zero-value’ ‘transferFrom’ transaction with a legitimate stablecoin, but this was soon partly replaced by transfers of fake tokens. These are typically used to mimic a past transaction involving the spoofed address to a T, usually just hours after the initial transaction. In the case we have just explored, the transaction history shows that 1,499,900 USDC was transferred from the victim’s wallet to the spoofed address, mimicking a transaction that occurred just hours earlier.

In another case reported by the security company Aegis, we observe the same pattern occurring. The victim sent $60,000 USDT to the address 0xC3fA(eDd3)…(0b56)59Da5. Ten hours later, the scammer mimicked the transaction using a spoofed address, 0xC3FA(88CB)…(F672)59eA5, along with a fake $USDT token. Eleven hours later, the victim copied and pasted what she thought was the latest transaction address and sent $100,000 USDT to the scammer.

Source: Aegis

To avoid scam token detection, scammers have found a workaround. A simple trick can bypass many security measures: Unicode.

Unicode is a universal character encoding standard that allows computers to display text and symbols from many different languages and writing systems. It includes a vast range of characters, such as letters, numbers, punctuation, and even emojis. Scammers may try to make their fake tokens resemble USDC/USDT by using similar symbols or names. However, token symbols like “USDC” are also usually displayed using Unicode characters. Scammers can use Unicode characters that look like the original token’s symbol but are technically different characters.
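The Unicode substitution just described, as an added example that is not part of the original article: a normalization step that folds compatibility variants and combining marks before a token’s displayed symbol is compared with its contract, so a bold or struck-through “USDC” on a stranger contract is labelled an impostor. It goes one step beyond the text by also folding a few cross-script (Cyrillic) look-alikes, which NFKC alone does not. The CANONICAL contract addresses, the partial CONFUSABLES table and the sample entries are constructed placeholders.

```python
"""Token-symbol homoglyph check for wallet transaction lists.

Added example; not the article's code nor any wallet's. Contract addresses and
sample entries are constructed placeholders, not the real USDC/USDT contracts.
"""
import unicodedata

# Symbol -> the one contract the wallet trusts for that symbol (constructed).
CANONICAL = {
    "USDC": "0x" + "c" * 40,
    "USDT": "0x" + "7" * 40,
}

# NFKC does not fold cross-script look-alikes, so a confusables table is needed
# on top of it. Partial, constructed list; Unicode TR39 publishes the full one.
CONFUSABLES = str.maketrans({
    "\u0421": "C",   # CYRILLIC CAPITAL LETTER ES
    "\u0405": "S",   # CYRILLIC CAPITAL LETTER DZE
    "\u0422": "T",   # CYRILLIC CAPITAL LETTER TE
})


def normalize_symbol(symbol: str) -> str:
    """Fold a displayed symbol to the plain ASCII it imitates.
    1. NFKC maps compatibility variants to base letters: MATHEMATICAL BOLD
       CAPITAL U (U+1D414) -> 'U', fullwidth 'U' (U+FF35) -> 'U'.
    2. Dropping combining marks (category Mn) removes overlays such as the
       strike-through U+0337 in a struck-through 'USDC'.
    3. Upper-case, then map the cross-script confusables above."""
    folded = unicodedata.normalize("NFKC", symbol)
    stripped = "".join(ch for ch in folded if unicodedata.category(ch) != "Mn")
    return stripped.strip().upper().translate(CONFUSABLES)


def classify_token(symbol: str, contract: str) -> str:
    """Label a (symbol, contract) pair seen in a transaction list."""
    canon = normalize_symbol(symbol)
    if canon not in CANONICAL:
        return "unknown"                 # not imitating a symbol we track
    if contract.lower() == CANONICAL[canon].lower():
        return "genuine"
    if symbol != canon:
        return "homoglyph-impostor"      # reads as USDC, is neither USDC text nor contract
    return "same-symbol-impostor"        # plain 'USDC' text on the wrong contract


def flag_fake_tokens(entries):
    """entries: iterable of (symbol, contract). Returns impostors with their label."""
    flagged = []
    for sym, contract in entries:
        label = classify_token(sym, contract)
        if label.endswith("impostor"):
            flagged.append((sym, label))
    return flagged


# Constructed sample list: the bold-capital impostor the article describes
# (U+1D414 U+1D412 U+1D403 U+1D402), a struck-through one, a Cyrillic one,
# a plain-text impostor on the wrong contract, and the genuine token.
SAMPLE_ENTRIES = [
    ("\U0001D414\U0001D412\U0001D403\U0001D402", "0x" + "f" * 40),
    ("U\u0337S\u0337D\u0337C\u0337", "0x" + "e" * 40),
    ("U\u0405D\u0421", "0x" + "d" * 40),
    ("USDT", "0x" + "9" * 40),
    ("USDC", CANONICAL["USDC"]),
]

if __name__ == "__main__":
    for sym, label in flag_fake_tokens(SAMPLE_ENTRIES):
        print(f"{sym!r} -> {normalize_symbol(sym)} ({label})")
```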
For example, the scammer might use “U̷S̷D̷C̷”, which includes special Unicode characters that resemble the letters “USDC” but are different under the surface. Alternatively, they might replace part of the name or symbol with another similar-looking Unicode character, making it appear visually identical but technically distinct.

In the $5 million address poisoning case, ScamSniffer revealed that although the token appeared as USDC to the victim in their Safe Wallet, the real token name was “𝐔𝐒𝐃𝁾.”

Same Address Poisoning Attack but on Safe Wallet — Source: ScamSniffer

𝐔 → 𝗨 (Mathematical Bold Capital U)
𝐒 → 𝗦 (Mathematical Bold Capital S)
𝐃 → 𝗗 (Mathematical Bold Capital D)
𝁾 → 𝗖 (Mathematical Bold Capital C)

That’s probably why, on the Safe Wallet, the letters of the fake USDC token appear in bold.

This technique allows them both to impersonate USDC/USDT and, in some cases, to bypass security filters for scam tokens that are not specifically looking for tokens impersonating other tokens through Unicode.

Crypto Dusting: The Recycling of an Old Strategy

Another tool at the disposal of address poisoners, which steers away from stablecoins and mimicking past transactions, is crypto dusting.

Initially, the primary goal of crypto dusting was to deanonymize cryptocurrency users. In a dusting attack, a minute quantity of cryptocurrency, commonly referred to as “dust,” is deliberately dispersed across a significant number of addresses. By exploiting the inherent transparency of the blockchain, attackers aimed to compromise the privacy of cryptocurrency owners. The objective of crypto dusting was not the direct theft of cryptocurrency, as a mere dusting attempt could not achieve such a result in its first iteration.
Instead, attackers aim to link the target’s address with other addresses, enabling comprehensive surveillance of the user’s behaviors, potential wealth, and financial activities associated with those addresses. Beyond simple espionage, crypto dusting can be used for extortion and/or phishing, targeting the most lucrative wallets in an attempt to siphon funds.

Within the realm of address poisoning, crypto dusting has shown considerable promise. Rather than mimicking a past transaction from the victim to the spoofed address with fake tokens, a scammer using crypto dusting will send small amounts of real cryptocurrency from a spoofed address.

While this is a primitive technique, it can ultimately involve a significant investment for the scammer, depending on the scope and frequency of their attacks. However, this strategy has the advantage of bypassing most security filters, as it doesn’t involve “zero-value” transactions that can be hidden by crypto wallet providers, nor does it use fake tokens that can be filtered out or easily spotted by users.

Although potentially costly, this strategy has proven to be effective, as demonstrated in a case disclosed by ScamSniffer in September 2024.
In that instance, the victim lost nearly $650,000 after copy-pasting a spoofed address that had dusted their transaction history with just $0.02 — only one hour and 31 minutes after the mimicked address received approximately $2,300.

Address Poisoning Attack through Crypto Dusting — Source: ScamSniffer

Bypassing the Fund-Sending Security Check

The basic precaution used by crypto users with large amounts of funds, long before address poisoning even existed, was to send test funds to the address they intended to use for a major transfer, just to ensure they wouldn’t send it to the wrong address. Since the rise of address poisoning, this has become a more standardized practice due to the increased risks involved.

Well, scammers have also found their way around this check.

In November 2024, blockchain security company Web3 Antivirus revealed how a victim lost $111,500 to a scammer, despite sending test funds to a poisoned address.

According to Web3 Antivirus’ analysis, the scammer mimicked a transfer using their spoofed address to poison the victim’s history. The victim decided to test the poisoned address by sending $10 USDT to it. The scammer then sent the $10 they had received to the legitimate address they had spoofed.

Scammer sending $10 USDT back to the legitimate address they spoofed — Source: Web3 Antivirus

When the victim checked their wallet, they saw that they had received the $10 USDT they had just sent.
Feeling safe, they then proceeded to send $111,500 to the poisoned address — straight into the scammer’s pocket.

Unless the scammer was seated and alert when the victim sent the funds — an unlikely, though possible, scenario — this strategic move could have been executed through automated responses. In fact, much of the hard work in address poisoning attacks seems to have been eliminated through the use of address poisoning toolkits.

The Address Poisoning Toolkits

While we discussed the use of fake tokens, if you have eagle eyes, you may have spotted a bizarre occurrence.

Source: Aegis

Just four hours after the victim transferred $100,000 to the spoofed address 0xC3FA(88CB)…(F672)59eA5, an exact copy of this transaction appeared in the victim’s transaction history — this time with a spoofed address of the spoofed address?! There is no rhyme or reason for the scammer to do this, as the victim would never copy-paste the poisoned address again. Rather, it strongly suggests that the victim’s address was still under automated poisoning attacks by the scammer.

In their research on address poisoning, published in October 2024, Chainalysis pointed out that an entire scam industry has emerged around address poisoning, primarily through the sale of address poisoning toolkits available on darknet marketplaces and Telegram. Like wallet drainer toolkits, address poisoning kits put the sophistication of blockchain attacks at the fingertips of many, automating most of the process — from spoofed address generation to dusting automation for targeted addresses. The scammer simply has to choose their preferred strategy and let the toolkit implement it.

The Scope of the Victims: A Shift Toward More Targeted, High-Value Addresses

The increase in successful high-value address poisoning attacks since the beginning of 2024, seemingly on a weekly basis, largely suggests that address poisoners have shifted their tactics.
Initially, it seemed they were casting a wide net with their phishing attempts, but the evolving nature of their strategies — more time- and resource-intensive — may have pushed them toward a more surgical approach in targeting victims.

This shift was partly confirmed by the Chainalysis report previously mentioned. While most scams tend to target non-crypto-savvy users, some address poisoners have focused on a different strategy, going after ‘more active crypto users with larger wallet balances, more transactions, and a longer on-chain history than the average Ethereum wallet holder,’ according to Chainalysis.

In their report, they conducted extensive research into the $72 million address poisoning case that took place in May 2024 (which we will discuss shortly). They traced it back to 8 “seeder” wallets and 82,031 potential seeded addresses. According to Chainalysis, this address poisoning campaign alone accounted for just under 1% of new Ethereum addresses created between January and May 2024.

Source: Chainalysis

The most interesting part is that data collected by Chainalysis showed that the address poisoning attacks specifically targeted highly experienced users with large amounts of funds in their wallets:

“On average, victim wallet balances exceeded $338,900, with a median balance closer to $1,000. These wallets had also participated in an average of 598 transfers and had been active on-chain for about 512 days.”

Source: Chainalysis

Although wealthy individuals in crypto are common, they are not an endless resource. This means that sometimes the same victim can be targeted by multiple attackers through various attacks, or be attacked through multiple strategies by the same attacker.

In January 2025, ScamSniffer recorded a successful poisoning attack resulting in a loss of almost $58,000 for the victim.
A closer look at the victim’s transaction history revealed that, after making a $47,242 USDC transaction to 0x5195…80D9, the victim was targeted by 5 different address poisoning attempts: two crypto dusting attacks and three fake token attacks (two, if we account for the fact that one was repeated with the same spoofed address). The victim ultimately fell for the last fake token poisoning attack and sent the funds.

Source: ScamSniffer

If we go back to the fake token case revealed by Aegis, there again no fewer than 8 attempts can be recorded, mixing zero-value attacks, crypto dusting and fake USDT, with notably the same spoofed address creating three different transactions in the history mimicking the very same transaction.

Source: Aegis

A single prime target address can receive dozens to hundreds of address poisoning attacks. In both cases, it’s difficult to ascertain whether different attackers are targeting the same victim, or if it’s a rather ingenious strategy by the same attacker to multiply their tactics and flood the history with multiple attempts, aiming to confuse their victim and push them into making a costly mistake.

Those targeted attacks have proven to be efficient, bringing two exceptional address poisoning attacks in 2024 that amount to no less than $200 million.

II — Higher Attack Ratio, Higher Bounties?

The last quarter of 2024 saw hundreds of thousands of address poisoning attempts on a weekly basis, according to data collected by blockchain security company Blockaid.

Source: Blockaid

This graphic reveals an interesting trend. In the first half of Q4 2024, it’s unsurprising that address poisoning attempts were concentrated around Ethereum and Arbitrum, the main blockchains home to “crypto whales,” aligning with the overall trend we’ve just discussed. However, starting at the end of October, the BNB Chain and Polygon became the primary targets of these attacks.
The key characteristic of these chains is their reputation as "cheap" networks in terms of transaction fees, which keeps the operational cost of scams extremely low, a decisive advantage when the core of the criminal activity consists of flooding transaction histories.

One theory, based on the timing, is that the perpetrators aimed to capitalize on the US election period, which sees significant crypto movement as users bet in and out. The strategy would have been to shift focus to less affluent users, targeting a larger number of individuals at minimal cost in the hope of increasing the overall chance of success, even if the individual gains were smaller.

Among these many recorded attempts, a few successful and costly ones surface here and there. For example, on November 25th, 2024, ScamSniffer reported a successful $3.08 million address poisoning attack. The attacker used an address whose first four characters, "4yfu," matched the victim's future deposit wallet, sent about 0.000001 SOL (a measly $0.00025), and thereby contaminated the victim's history. The very next day, the victim unwittingly sent 7 million PYTH tokens to the scammer.

Source: LookOnChain

Surgical address poisoning attacks targeting wealthy crypto users and more opportunistic, lower-value attacks can coexist, as each scammer has their preferred strategy.
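The variants described above (a lookalike address sharing the first or last few characters of a real counterparty, zero-value transfers, dust, and a fake token that displays under a real symbol) all leave the same footprint in a transfer history: an address that is not one the wallet ever paid, but that looks like one. The following Python script is an added example, not code from the report or from ScamSniffer; the addresses, token contract and transfer rows are constructed for illustration. It flags poisoned rows and shows the one check that defeats the attack, comparing the full pasted address with the full address of a real past payment. Note the edge case it handles: a zero-value transferFrom() appears as an outgoing transfer from the victim, so "addresses I sent to" must exclude zero-value and dust outflows, otherwise the poison address would be whitelisted.

```python
"""Address-poisoning triage over a wallet's transfer history.

Added example, not part of the original report. The addresses, token
contract and transfer rows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed registry: token symbol -> the contract this wallet actually uses.
KNOWN_TOKENS = {"USDC": "0xa0b8" + "6" * 32 + "eb48"}  # made-up address

DUST_USD = 1.0  # anything below this is treated as dust, not a real payment


@dataclass(frozen=True)
class Transfer:
    direction: str     # "in" (to the wallet) or "out" (from the wallet)
    counterparty: str  # the other address on the transfer
    token: str         # symbol as a wallet or explorer would display it
    contract: str      # token contract address behind that symbol
    value_usd: float


def norm(addr: str) -> str:
    """Hex addresses are case-insensitive; compare them in one canonical form."""
    return addr.lower().removeprefix("0x")


def affix_match(a: str, b: str) -> tuple[int, int]:
    """Length of the shared prefix and suffix of two addresses."""
    a, b = norm(a), norm(b)
    n = min(len(a), len(b))
    pre = 0
    while pre < n and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < n - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre, suf


def trusted_recipients(history: Iterable[Transfer]) -> set[str]:
    """Addresses this wallet has genuinely paid.

    Zero-value and dust outflows are excluded on purpose: a zero-value
    transferFrom() shows up as an *outgoing* transfer to the attacker's
    lookalike, and trusting it would whitelist the poison address.
    """
    return {norm(t.counterparty) for t in history
            if t.direction == "out" and t.value_usd >= DUST_USD}


def flag_poisoning(history: list[Transfer], min_affix: int = 4) -> list[tuple[Transfer, list[str]]]:
    """Return (transfer, reasons) for every row that looks like poisoning."""
    trusted = trusted_recipients(history)
    flagged = []
    for t in history:
        if norm(t.counterparty) in trusted:
            continue  # a real counterparty; nothing to examine
        reasons = []
        for good in trusted:
            pre, suf = affix_match(t.counterparty, good)
            if pre >= min_affix or suf >= min_affix:
                reasons.append(f"lookalike of {good[:4]}..{good[-4:]} (prefix {pre}, suffix {suf})")
        if t.value_usd == 0:
            reasons.append("zero-value transfer")
        elif t.value_usd < DUST_USD:
            reasons.append("dust")
        known = KNOWN_TOKENS.get(t.token)
        if known is not None and norm(t.contract) != norm(known):
            reasons.append(f"fake {t.token}: unknown contract")
        if reasons:
            flagged.append((t, reasons))
    return flagged


def check_recipient(history: list[Transfer], pasted: str) -> str:
    """Verdict on an address copied from the history before sending.

    Compares the full address, never just the ends the eye checks.
    """
    if norm(pasted) in trusted_recipients(history):
        return "ok"
    if any(norm(t.counterparty) == norm(pasted) for t, _ in flag_poisoning(history)):
        return "lookalike"
    return "unknown"


# Constructed history modelled on the $47,242 USDC case described above.
LEGIT = "0x5195" + "1" * 32 + "80d9"      # the address the wallet really paid
POISON_A = "0x5195" + "2" * 32 + "80d9"   # same first and last four characters
POISON_B = "0xabcd" + "3" * 32 + "80d9"   # only the suffix matches
FRIEND = "0x9999" + "5" * 32 + "aaaa"     # unrelated, benign sender
FAKE_USDC = "0xdead" + "7" * 32 + "beef"  # token that only *displays* as USDC

HISTORY = [
    Transfer("out", LEGIT, "USDC", KNOWN_TOKENS["USDC"], 47242.0),
    Transfer("in", FRIEND, "USDC", KNOWN_TOKENS["USDC"], 250.0),
    Transfer("out", POISON_A, "USDC", KNOWN_TOKENS["USDC"], 0.0),   # zero-value attack
    Transfer("in", POISON_B, "USDC", KNOWN_TOKENS["USDC"], 0.5),    # dusting
    Transfer("in", POISON_A, "USDC", FAKE_USDC, 47242.0),           # fake-token mirror
]

if __name__ == "__main__":
    for t, reasons in flag_poisoning(HISTORY):
        print(t.direction, t.counterparty[:6] + ".." + t.counterparty[-4:], "->", "; ".join(reasons))
    print(check_recipient(HISTORY, POISON_A))
```

The `min_affix` threshold of 4 matches the "4yfu" case; lower it and benign addresses start colliding by chance (16 hex values per character), raise it and short-prefix poisons slip through, so in practice the lookalike signal is combined with the zero-value, dust and fake-contract signals rather than used alone.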
In fact, low profits multiplied by a large number of victims can be just as profitable, if not more so, than aiming for big payouts. High profits also come with a greater risk of detection, particularly from motivated victims who have lost significant funds. This was evident in the two high-profile address poisoning attacks of 2024.

The May 2024 $72 Million Address Poisoning Attack

On May 3rd, 2024, a user fell victim to an address poisoning attack that would go down in history as the largest address poisoning heist at the time: $72.7 million lost after the victim transferred 1,155 wrapped Bitcoin to the malicious address.

What happened can be summed up as a stroke of extremely bad luck. The victim first successfully completed a test transfer of $149 to the legitimate address starting with 0xd9A1b. Afterwards, they copy-pasted the wrong address: the poisoned one mimicking 0xd9A1b.

Address Poisoning Breakdown — Source: Chainalysis

The victim tried to negotiate the return of the funds in exchange for a 10% "bug bounty," an attempt that initially proved unsuccessful. Blinded by greed, the attacker thought they could take off safely with everything. How mistaken they were.

Message sent by the victim to the attacker — Source: Chainalysis

The entire blockchain security community was on the case, and soon enough there was talk of the exploiter returning the funds, minus the $7.2 million kept as a bug bounty.
On May 10th, almost all of the stolen funds were returned; because the tokens had appreciated in the meantime, the attacker was barely able to make off with $3 million.

Two weeks later, it emerged that the prompt return of funds was not due to a change of heart but rather because, despite the attacker's efforts to obfuscate their tracks, their identity had been partly revealed through the discovery of their "device fingerprint," as reported by Match Systems CEO Andrey Kutin.

Six months later, another address poisoning attack occurred, this time for nearly double the amount of the May 2024 case.

The November 2024 $129 Million Address Poisoning Attack

On November 20th, 2024, the victim decided to transfer around $129.7 million from the address TGrS7QNCf85X2B6ddvGZY2MF9VwvFn6XAE to TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8.

They began by sending $100 USDT to test the address TMStAj…6q1bu8. Once the test transaction completed successfully, the victim moved to transfer the full $129.7 million almost immediately.

Unbeknownst to them, right after their test transaction, the scammer had dusted their wallet with $1 USDT from an address mimicking the one they had just tested, TMStAj…6q1bu8.

When they copied and pasted the destination address for the full transfer, they unknowingly picked the spoofed one.
The spoofed address was not even well crafted: only the last 6 characters matched, while the beginning did not resemble the legitimate address at all, starting with THcTxQ instead of TMStAj.

Source: Certik

Fortunately for the victim, the address poisoner sent back $116.7 million within an hour and, four hours later, the remaining $12.97 million.

The two-part transfer and the amount of the second one, $12.97 million, suggest that the attacker initially considered keeping a 10% "bug bounty" cut but then thought better of it.

Source: SlowMist via ScamSniffer

The most likely reason they returned everything is fear: fear of being tracked down by a victim with the resources to do so, by the blockchain forensics community, and by law enforcement, especially given the enormous amount stolen, which painted a huge target on their back.

Conclusion

Although almost harmless in its infancy, address poisoning has evolved into a financially lethal threat for countless victims. The pool of its victims, much like the pool of its potential targets, is growing at an accelerated pace, fueled by the constant innovations scammers develop and the effective automation of their methods. If this continues, there is no reason to believe that crypto users will be spared from the poisonous touch of this scam in 2025.

3 — Pump.Fun: The Blind Side of Rug Pull Activities

On paper, exit scams have dropped by over 64% year-over-year, which should bring joy to the crypto community. But does this signal that scammers have decided to abandon an activity worth almost half a billion dollars in 2024 for greener, more lawful pastures? No.

Rather, the data surrounding them largely eludes us today.
At the epicenter of this blind spot are Pump.fun and other copy-paste memecoin launchpads.

Pump.fun has been nothing short of a crypto cultural reset, if not a full crypto cultural movement, in 2024: for the better, some would claim; for the worse, others would scream.

At the heart of the issue is the industrial-scale operation through which exit scams appear to be produced and, often, left unreported.

Pump.fun initially built its reputation on the claim that it was a rug-free platform, but despite this laudable aspiration, it ultimately became the favorite haven of rug pullers, with unaccounted rugs possibly numbering in the thousands.

I — Pump.fun: the Memecoin Making of Solana in 2024

Created in January 2024, Pump.fun quickly became a central piece of the Solana memecoin craze.

Traditionally, a crypto user wanting to invest in a memecoin would first research one associated with a trending or potentially popular meme. Next, they might check that it is not a potential rug pull by looking for scammer backdoors in the contract. After buying in, they would engage with the coin's community to help boost its visibility and value.

Memecoin creators, for their part, needed both technical mastery and heavy investment to make their coin known and successful. Pump.fun came in and tore down this model.

Pump.fun offers instantly tradeable tokens, allowing users to launch and trade coins immediately without waiting for liquidity or approvals. It uses a bonding curve model for Solana and Blast tokens, in which the token price rises deterministically with the amount already bought, so no creator-seeded liquidity pool is needed.

Additionally, Pump.fun advertises a built-in safety mechanism against rug pulls, ensuring fair launches with no pre-sales and no team allocations to reduce scam risks.

Coins are created in a matter of minutes.
Creating one initially cost $2, but since August 2024 it has been free, with the $2 fee shifted to the first buyer. Pump.fun charges a 1% fee on all buy and sell transactions.

Source: Pump.fun

After a slow start in the two months following its launch, it took off when all eyes turned to Solana memecoins and people wanted to capitalize on the craze before it faded. With free and easy token creation and low fees for both creators and buyers, Pump.fun appeared to be the crypto godsend the degen community had been waiting for all its life.

Crypto users are creating new memecoins at an insane pace, clocking more than 70,000 token launches per 24 hours since January 2025. A total of more than 2.7 million memecoins were created in 7 months, and over 8.8 million in 12 months.

Source: Dune

Over the past four months, between 60% and 70% of tokens launched on Solana were created through Pump.fun, with some also appearing on copy-paste platforms like Moonshot. Pump.fun has contributed between 45% and 50% of Solana's monthly fees over the past few months. In November 2024, it crossed the $3 billion weekly volume threshold for the first time, and in January 2025 it flipped Solana and Ethereum in 30-day revenue, amassing $116.72 million.

Pump Fun Tokens Vs Other Solana Tokens — Source: Dune

The continuous rise of new successful memecoins on Pump.fun, such as Billy, Smoking Chicken Fish (SCF), Michi (MICHI) and Moo Deng (MOODENG), steadily increased its popularity in 2024.

Its latest Q4 2024 success, Goatseus Maximus (GOAT), has been breaking records. GOAT peaked at nearly an $870 million market cap and reached almost $450 million in 24-hour trading volume after the announcement of its upcoming Binance listing, just two weeks after its creation.

GOAT, an "AI" memecoin, sparked a new trend of AI-themed memecoins.
Similarly, Pump.fun has hosted multiple memecoin trends throughout the year, from livestream-themed coins to celebrity meta coins.

As of this report, Pump.fun has crossed $150 million in revenue in only 10 months, solely from its 1% transaction fee, which implies that over $15 billion has been traded on the platform.

It has accounted for 50% to 60% of decentralized exchange transactions on Solana since October 2024.

Source: Dune

Memecoin activity on Solana, Pump.fun-related or not, has done wonders for Solana, which has captured 86% of the market share in token generation.

New Tokens Appearing on DEXs — Source: The Block

Share of New Tokens Appearing on DEXs — Source: The Block

Rivals trying to emulate Pump.fun's thunderous success, like SunPump, created by Justin Sun on the Tron network, have challenged its dominance. With a wave of memecoiners crashing onto the Tron shore, thinking Tron memecoins could be the new meta, August and September were a bit rocky, while SunPump drove the TRON blockchain's Q3 revenue to a record $151.2 million.

But the endless stories of how a crypto trader turned $5,000 into $1.5 million by randomly investing in GOAT, coupled with the new AI meta the platform triggered in October, brought Pump.fun and Solana memecoins back to the top.

Fees collected by Pump.fun, Moonshot and Sunpump — Source: Dune

In fact, Pump.fun has very much become a hall of memories where moments of coming together around trends and pop culture, often crossing oceans and continents, are tokenized, and astonishingly, many of them successfully so.

Every pop culture moment, from politics to viral TikTok memes, carries the potential to generate tens of millions, if not hundreds.
Pump.fun has become a kind of register for all of these moments, with token creators and investors jumping on every cultural opportunity that arises. It has become the cultural heartbeat of the crypto ecosystem, where coin metas are created and buried, making Pump.fun the epicenter of cryptocoin creation.

And of scam creation, too.

II — The Pump.fun Solana Memecoin Rug Festival

The Solana memecoin kingdom, as a whole, is riddled with scam projects.

In March 2024, at the beginning of the Solana memecoin craze, crypto sleuth ZachXBT took note of the top Solana presales launched: 33 in total, amounting to $149 million.

Only one month later, upon revisiting these projects, he discovered that twelve of the Solana presale memecoins he had recorded had been rug-pulled, resulting in losses exceeding $26.7 million.

Solana Memecoin Rug Pull List — Source: ZachXBT

It is likely that additional projects have rug-pulled since then.

This comes as no surprise: Solana or not, the memecoin landscape is probably the most heavily plagued with rug pulls, which often come in the form of copycat projects, much like NFT scam projects.

Hipmob copycat projects — Source: Pump.fun

Meanwhile, the astronomical numbers Pump.fun posts are not a measure of success, except for its own bank account. According to Dune Analytics, 98.7% of memecoins on Pump.fun fail even to "graduate," meaning they are never listed on a DEX after reaching a threshold oscillating between a $69,000 and $73,000 market cap.

Successful Launches on Pump.fun — Source: Dune

Crypto News research reveals that only 0.76% of Pump.fun wallets made $1,000 or more in profit. According to Crypto News, out of the 29,601,462 wallets they investigated, "a majority experienced negative outcomes."

To illustrate the probability of profiting from Pump.fun memecoins, they created a probability comparison table.
There is a 0.76% chance of making a $1,000 profit, dropping to 0.046% for $10,000, which makes a Pump.fun investor less likely to reach that mark than to become a NASA astronaut. A $1 million profit has a 0.00054% chance, about as likely as being killed by a meteorite impact.

Profit Probability on Pump.fun — Source: Crypto News

Moreover, despite Pump.fun's claim that "Pump prevents rugs by making sure that all created tokens are safe. Each coin on Pump is a fair launch with no presale and no team allocation," rugs happen, plenty of them.

In fact, as the saying goes among memecoiners, the surest way to make money on Pump.fun is to become the scammer: "100% winrate."

Pump.fun combines the best token-scam production process, cheap and quick, with the perfect crowd: people who believe they can make it big on Pump.fun because that is where the memecoin dream happens. Supercharged by FOMO, they are prime targets.

Pump.fun's Rug Pull Modus Operandi

Instead of traditional token-scam methods such as contract backdoors, on Pump.fun the coin developer(s) and their associate(s) "snipe" the coin the moment it launches.

This technique, known as "mass sniping," employs tools like DogWiffTools to trick potential buyers into perceiving high demand for a token. Automated systems simulate activity across multiple wallets, giving the illusion of widespread buying and artificially driving up the token's price.

$SHAR Mass Sniping by Bubblemaps — Source: Bubblemaps

Wash trading, volume bots and micro-buys mimicking organic buying are key to attracting investor interest in scam tokens. dApps and Telegram bots tracking Pump.fun coin activity help users identify the next "big thing," which is then pushed to them by placing it at the top of their feed or triggering Telegram alerts.

On Pump.fun Advanced, tokens are propelled to a key status, "King of the Hill," given to coins that breach the $32,500 market cap threshold, after which they are pinned at the top of the Pump.fun feed.
Coins showing promise of soon "graduating" to Raydium are highlighted there.

This also serves to alleviate Pump.fun users' fear of pump-and-dump schemes. Although driven by FOMO, buyers will at least check how much the "dev" holds and the share held by the top 10 holders. If a scammer can spread their holdings across wallets and simulate organic trading volume, they can entrap victims much more smoothly and on a larger scale.

It may be a basic strategy, but it is an efficient one. Coins on Pump.fun are usually "ultrajeeted": there is often a very short window, sometimes just hours, from listing to explosion, during which they acquire the market cap needed to graduate to Raydium.

Pump.fun users who wish to gamble big and win bigger by betting on the pre-graduation stage of a coin will not have the time to thoroughly research wallets or identify mega-botting and wash trading. Most do not even know what to look for.

Once unsuspecting investors have bought in at inflated prices, the scammer dumps and rugs.

One of them recounted to crypto YouTuber NFT Nate that they can execute a "dump all" command "which sells off their holdings in a single, rapid transaction," crashing the token price and effectively rugging it.

There are two types of pump-and-dump schemes. The first we will call "silent rugs." These occur before the token graduates to the Raydium DEX and fly under the radar.

Scammers running these schemes can profit despite capped gains because they produce pump-and-dumps at an industrial scale, with a fully automated workflow of endless, successive cycles. They create, they snipe, they scam, they dump. Rinse and repeat.

On January 10th, 2025, for the purposes of this report, we studied the behavior of 17 coins listed at the very top of the "about to graduate" list at around the same time.
As a disclaimer, our findings should not be considered empirical data and should not be used to draw broad, far-reaching conclusions.

Ten of the coins exhibited strong signs of being pump-and-dump schemes. In fact, we observed live a dump of the $BBLLM coin that appeared to last less than 30 seconds. Most of them were live for only hours; others lasted for days.

Image Source: Pump.fun Advanced

The other type of pump-and-dump occurs after graduation, once the token has gained traction. These tokens are potentially identifiable because they drop by 80% in just 5 minutes; others dump in two or three stages. Depending on the coin's initial success in attracting real investors during its Pump.fun phase and the crowd it managed to draw (or not) once it graduated to Raydium, the scammer will either dump within the hour of graduation or let the scam run for up to 8 hours.

The dive to zero often looks more organic because the scammer has found exit liquidity in their victims. Out of the 17 coins observed, 6 appear to have gone down this path.

Typology of rug strategies offered in a Pump.fun scam kit — Source: Short Form King

In total, of the 17 coins studied, 10 seem to be pre-graduation pump-and-dumps, 6 appear to be post-graduation pump-and-dumps, and at the time of writing only one coin seemed to be stagnating in pre-graduation limbo; it finally dumped within minutes on January 14th.
That is a 100% rate of top Pump.fun coins exhibiting pump-and-dump behavior.

The issue is that no data collection or research has been conducted on the criminal activity currently taking place on Pump.fun, which distorts the view of exit scams happening within the crypto ecosystem.

Looking at exit scam incidents throughout 2024, especially compared with previous years, they appear to have drastically decreased, almost to a trickle. However, this is a misleading picture of the extensive, industrial-scale exit scams currently occurring, particularly in memecoin activity on Pump.fun.

The only Pump.fun-related exit scams that make it into the news and the data are high-profile cases, such as the following alleged half-billion-dollar pump-and-dump.

$HAWK — The Half-Billion Dollar Pump-and-Dump

One of the most infamous alleged pump-and-dumps of 2024 was the HAWK token.

The token was launched by Haliey Welch, known as the "Hawk Tuah girl" after gaining instant TikTok fame for using this peculiar expression; we will not go into why here.

Haliey Welch, known as the "Hawk Tuah girl" — Source: Issues

Welch launched the token on Pump.fun with claims that it was "not just a cash grab," but within hours the token's value skyrocketed to a mind-blowing $500 million before crashing below $50 million in less than 30 minutes.

97% of the supply released at the HAWK launch was immediately sniped by clustered wallets, driving the value to half a billion and causing the ensuing price crash.

Despite Welch's team denying any sales, claiming they had not sold any tokens, blockchain data appears to show that 81% of the total supply was controlled by wallets linked to her team.
These wallets sniped the token at launch, driving up the price, before dumping their holdings and causing the dramatic crash.

The community quickly accused the team of misleading statements, claiming insiders had been selling from the very beginning. Blockchain analysis tools such as Bubblemaps revealed the concentration of token holdings, further fueling suspicions of manipulation.

Hawk Tuah Pump-and-Dump Wallet Cluster — Source: Bubblemaps

Beyond the overuse of Pump.fun as a scam-token launchpad, its new status as the place to get memecoin-rich has led scammers to use it directly in fraud on a much larger scale.

Pump.fun Side Effects — Fueling Social Media Hacks

Although Instagram and Twitter hacks have been a constant in the crypto landscape since 2022, 2024 saw a shift in who was targeted. Whereas NFT and DeFi projects were once the primary focus, most of these hacks in 2024 targeted high-profile brands and individuals who have little to do with crypto.

These hacks are typically carried out by serial perpetrators who have mastered the process, and most of them use Pump.fun to extract maximum value. By posting the contract address of a scam token instead of the usual link to a wallet drainer, which most crypto users have learned to recognize, fraudsters bypass the alarms such links would normally trigger.

It also adds two further vectors of victimization. Beyond the initial victims tricked through the hijacked social media accounts into buying the scam token on Pump.fun, investors on the lookout for the next big coin are alerted to this new token making a stratospheric jump, pulling in additional victims.
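The HAWK cluster above illustrates why the check most buyers perform, "how much does the dev hold, what do the top 10 wallets hold", is defeated by spreading the sniped supply across many wallets: each wallet looks small, but they were all funded from the same source and all bought in the creation slot. The following Python script is an added example, not Pump.fun's or Bubblemaps' code; the wallets, balances, funding links and slots are constructed for illustration. It computes the naive top-10 share next to two stronger signals: supply held by wallets linked through a funding graph (who sent SOL to whom), and supply bought in the very slot the token was created. It also handles the false-positive trap a practitioner would hit first: exchange hot wallets fund thousands of unrelated users and must not be used as linking edges.

```python
"""Holder-cluster check for a freshly launched memecoin.

Added example, not Pump.fun's or Bubblemaps' code. The wallets, balances,
funding links and slots below are constructed for illustration.
"""
from dataclasses import dataclass

BP = 10_000  # balances are expressed in basis points of total supply


@dataclass(frozen=True)
class Holder:
    wallet: str
    balance_bp: int
    first_buy_slot: int  # slot of the wallet's first buy of this token


def _find(parent: dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def top_n_share(holders: list[Holder], n: int = 10) -> int:
    """The naive check: share of supply held by the n largest wallets."""
    return sum(sorted((h.balance_bp for h in holders), reverse=True)[:n])


def cluster_shares(holders: list[Holder], funding: dict[str, str],
                   exchange_wallets: set[str]) -> dict[str, int]:
    """Share of supply per cluster of wallets linked by who funded whom.

    Exchange hot wallets fund thousands of unrelated users, so edges from
    them are ignored; otherwise every retail buyer would collapse into one
    cluster and the signal would be meaningless.
    """
    parent: dict[str, str] = {}
    for wallet, funder in funding.items():
        if funder in exchange_wallets:
            continue
        ra, rb = _find(parent, wallet), _find(parent, funder)
        if ra != rb:
            parent[ra] = rb
    shares: dict[str, int] = {}
    for h in holders:
        root = _find(parent, h.wallet)
        shares[root] = shares.get(root, 0) + h.balance_bp
    return shares


def launch_slot_share(holders: list[Holder], creation_slot: int) -> int:
    """Share of supply bought in the very slot the token was created."""
    return sum(h.balance_bp for h in holders if h.first_buy_slot == creation_slot)


def assess(holders: list[Holder], funding: dict[str, str], exchange_wallets: set[str],
           creation_slot: int, limit_bp: int = 5_000) -> dict:
    """Combine the three signals; the limit (50% of supply) is an assumption."""
    clusters = cluster_shares(holders, funding, exchange_wallets)
    largest = max(clusters.values())
    sniped = launch_slot_share(holders, creation_slot)
    return {
        "top10_bp": top_n_share(holders),
        "largest_cluster_bp": largest,
        "launch_slot_bp": sniped,
        "suspicious": largest > limit_bp or sniped > limit_bp,
    }


# Constructed launch: a dev wallet funds two intermediaries, which fund twenty
# sniper wallets; nineteen retail buyers are funded from exchange hot wallets.
DEV = "DevWallet"
EXCHANGE_HOT = {"cexHot1", "cexHot2"}
FUNDING = {"F1": DEV, "F2": DEV}
FUNDING.update({f"snipe{i}": "F1" for i in range(1, 11)})
FUNDING.update({f"snipe{i}": "F2" for i in range(11, 21)})
FUNDING.update({f"user{i}": ("cexHot1" if i % 2 else "cexHot2") for i in range(1, 20)})

CREATION_SLOT = 1_000
HOLDERS = (
    [Holder(DEV, 200, CREATION_SLOT)]                                    # dev "only" holds 2%
    + [Holder(f"snipe{i}", 395, CREATION_SLOT) for i in range(1, 21)]    # 79% across 20 wallets
    + [Holder(f"user{i}", 100, CREATION_SLOT + 40 + i) for i in range(1, 20)]
)

if __name__ == "__main__":
    print(assess(HOLDERS, FUNDING, EXCHANGE_HOT, CREATION_SLOT))
```

On this input the naive view reads "dev 2%, top 10 wallets 39.5%", which passes most buyers' glance, while the funding graph puts 81% of supply in one cluster and 81% was bought in the creation slot. Real funding edges come from the first SOL transfer into each wallet; the exchange list has to be maintained, since a sniper funded straight from an exchange withdrawal will not link to the dev by this signal and is caught only by the launch-slot one.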
The same happens once the token is listed on Raydium, pulling in more victims until the scammer dumps on them.

A thorough investigation by crypto sleuth ZachXBT in November 2024 revealed that one such serial scammer was behind at least nine account compromises over the previous months, accounting for $3.5 million lost by crypto users.

List of Hacks Allegedly Operated by Serpent — Source: ZachXBT's Twitter

Among them were hacks targeting McDonald's, Usher, SPX 6900 and Wiz Khalifa. After each hack, posts promoting the scam coins on the Pump.fun launchpad were made from the compromised accounts.

Phishing Posts on McDonald's and Usher Social Media Pages — Source: ZachXBT's Twitter

The GRIMACE token from the McDonald's hack alone brought in over $690,000.

Following the blockchain tracks left by the scammer, ZachXBT was not only able to connect all of the incidents but was also led to the person allegedly behind them: Serpent, a former pro Fortnite player from Australia.

Serpent apparently has a profound issue with staying on the right side of the rules, as he was dismissed by his esports organization, Overtime, after investigations revealed he had cheated in 2020. Four years later, he was caught once again, this time with a crypto twist.

Overtime announcement of Serpent's dismissal — Source: ZachXBT's Twitter

His career as a fraudster, however, did not start with this slew of hacks. ZachXBT traced his tracks further back to two rug pulls. The first was a project called DAPE, launched in March 2022. The second occurred a few months before the McDonald's hack, in March 2024, when he launched the project ERROR. He made off with 29 ETH but was banned from Twitter for this latest rug pull.

One of the reasons ZachXBT was able to connect all these dots is Serpent's vice, which ultimately led to his downfall: gambling.

"Serpent gambles millions of dollars on Roobet, Stake, BC Game, and Shuffle each month, frequently screensharing with friends on Discord," ZachXBT reported.
Unfortunately for Serpent, the people with whom he shared his wins forwarded the recordings in which he showed multiple deposit and withdrawal addresses he used.

It was also revealed that Serpent did not operate these scams alone. ZachXBT linked a certain "DEX" from Massachusetts to the Andy Ayrey case. According to the rather discombobulated ramblings of this accused, when he tried to explain away his involvement, Serpent used his network's CEX/Binance accounts to manipulate and profit from the scam tokens he created.

He also revealed at least one other accomplice of Serpent in the Wiz Khalifa case, while presenting himself as a somewhat innocent opportunist.

Serpent's Alleged Accomplice Declaration of Innocence — Source: ZachXBT's Twitter

ZachXBT has sent a detailed report on the case to a victim of one of the account compromises with whom he has been working; hopefully, justice will be served for Serpent's victims.

Conclusion

Memecoins on Pump.fun are not scammier because they are produced on the platform; they are simply the perfect representation of the core scam activity found across the memecoin landscape in the broader crypto sphere.

There is a bizarre irony in the fact that a platform which initially claimed to be designed to be scam-free and to let users invest in memecoins safely, gaining its user base on that promise, has within a few months turned into the go-to place for crypto fraudsters.

An entire criminal ecosystem has been built around Pump.fun, with everything a criminal needs to scam unsuspecting victims, from bundling tools to botting.

Pump.fun has (un)expectedly become the beating heart of the token scam industry.

Memecoin buyers may no longer face classic smart-contract-based exit scams and honeypots on Pump.fun, but through it they are no less vulnerable, if not more so.

Can it be said that Solana's record-breaking volume this year is partly fueled by memecoin scams?
Yes.

The only good news we can offer is for blockchain security researchers. Blockchain analytics provider Chainalysis recently announced that its coverage of Solana tokens will now include memecoins created on Pump.fun. This brings hope that data on exit scam activity on the platform could eventually be produced, giving us the true measure of the crypto rug pull landscape.

III. Crypto Money Laundering: The Rise of Two Devastating New Players in 2024

New developments shook up the crypto money laundering scene in 2024 with the emergence of two significant players embroiled in the criminal trade of laundering funds from high-profile hacks and scams. That, however, is where the similarities end.

One of these new entrants, Railgun, appears to be an unwilling participant, dragged into this criminal trade against its will.

In contrast, Huione has not only actively expanded its money laundering operations but is also on track to establish a nearly foolproof criminal system, one that places crypto money laundering at its core.
If left unchecked, Huione could become the ultimate stop for crypto money laundering in the years to come.

1 — Railgun: A 2024 Rising Star in Money Laundering

Railgun has been hailed by Vitalik Buterin as a regulation-friendly privacy tool, and he uses it himself. Yet, at the same time, crypto criminals, especially the notorious North Korean hacking groups, have been exploiting it to launder millions in stolen funds, putting this claim to the test.

Tornado Cash's semi-demise has made it much harder to use, for retail users and criminals alike, leaving a void that some have filled with Railgun. The platform has been gaining momentum as a go-to obfuscation tool.

Vitalik's 2024 endorsement, likely unintended as such, has only amplified its appeal for those looking to hide ill-gotten gains, and for a very specific reason.

The rise of Railgun's popularity for money laundering and its entanglement with crypto criminals could bring Railgun to its knees at the hands of the authorities, like many other privacy tools over the last two years.

I — The Evolution of the Money Laundering Landscape In Crypto

To understand how Railgun became a money laundering tool, we have to rewind a bit and examine the evolution of the money laundering landscape over the past years.

Blockchain is touted as an incredible innovation that guarantees trustless transactions because it operates as an open ledger. The issue is that, by itself, the only privacy it offers is pseudonymity. You do not have to provide your identity to interact with the blockchain; you are your wallet addresses.
However, everything you do can be traced: whom you interact with, what you do with your funds, what goes in, what goes out, and how.

For a long time, this was not an issue for crypto criminals and those laundering ill-gotten funds through crypto, as the crypto world was surrounded by an indecipherable aura that made everyone, authorities included, think that crimes were impossible to track.

It was the groundbreaking 2013 research led by Sarah Meiklejohn, "A Fistful of Bitcoins: Characterizing Payments Among Men with No Names," that revealed Bitcoin transactions were in fact traceable. Coincidentally, the same year saw the first major crypto crime case when Silk Road, the largest black market operating with Bitcoin over the Tor network, was shut down by the FBI after they traced the organization back to its founder.

2013 was the year that broke the mystique of Bitcoin and blockchain for the authorities.

However, outside of huge cases like the half-billion-dollar collapse of Mt. Gox, ransomware and the like, authorities did not bother much with criminal activity on the blockchain for many years to come.

Crypto was still a niche, after all, and tracing crimes required considerable expenditure, as it was an art in its infancy. Most crypto crimes probably did not warrant such efforts in the eyes of police forces worldwide.

This lack of attention to what happened on the blockchain made the crypto scene a lawless Wild West where everyone could do more or less what they wanted without facing judicial or financial consequences.

And what were criminals looking for at that time? Quick and easy cash-out.

What was the best way to go about it?
Using centralized exchanges.

Most of them, if not all, did not implement any form of KYC, and nobody was looking for the criminals anyway, so they did not even try to obfuscate their tracks before cashing out at CEXs. And the CEXs did nothing whatsoever to stop them.

This continued until the beginning of a crackdown at the turn of 2019-2020 that would have significant repercussions across the entire crypto industry.

The 2020 crypto landscape was nothing like 2013. Crypto was no longer a niche; it was something your grandpa would ask how to get into over Christmas.

The cumulative effect of an explosion in mainstream adoption, massive losses to crypto crime amounting to billions between 2019 and 2020, its growing role in high-profile cybercrime like ransomware, and the sophistication of tracking tools like Chainalysis and Elliptic, which let law enforcement map fund movements in a few clicks, created an alignment of the stars that would profoundly transform the crypto Wild West for years to come.

2020 was a pivotal year that marked the beginning of a new, hostile paradigm for crypto criminals.

CEXs now actively implement KYC, cooperate with police agencies, freeze funds, and run training on catching crypto criminals, all in a race to avoid regulatory penalties and to stop paying for years of behaving as if the law would never catch up with them.

This forced criminals to find new ways to hide their funds.

Although the following graphic focuses on the crypto services used by crypto drainers over the past four years, it perfectly embodies what happened on the crypto money laundering scene between 2020 and 2024.
It shifted from most funds being cashed out through CEXs to crypto criminals finding new services to launder their money.

Source: Chainalysis

And the obfuscation service that found resounding success with them was Tornado Cash!

Launched in December 2019, in the midst of the regulatory and police crackdown, Tornado Cash was a mixer that promised to obscure a transaction on the blockchain by sending it through a “complex, semi-random series of dummy transactions” and by commingling one payment with others. As a result, it would become unclear to whom funds were being directed and challenging to trace them back to a source.

Mixers turn the very transparent blockchain technology into a murky black box, making them an obvious choice for crypto criminals.

It took one year for Tornado Cash to find its audience, but by 2021 Tornado Cash exploded, and at its peak in October 2021 its total value locked (TVL) was $1.17 billion.

Tornado Cash TVL — Source: DefiLlama

The huge amount of traffic generated by Tornado Cash creates a self-reinforcing circle: the more people use it, the easier it is to hide transactions. Consequently, more people want to use it, and so on and so forth.

Unsurprisingly, it then became the go-to place for criminals. In 2022 alone, Tornado Cash was linked to at least 58 hacks resulting in $1.38 billion in losses.

But 2022 was also the year it took a tremendous blow.

On August 8th, 2022, OFAC designated Tornado Cash as a ‘sanctioned entity,’ essentially banning its use for U.S. users. U.S.
users risk becoming criminal offenders and may face monetary fines ranging from a few thousand dollars to several million, along with prison sentences of up to 30 years.

The immediate reaction of many web3 entities, like the decentralized derivatives exchange dYdX, was to almost immediately ban addresses associated with Tornado Cash.

Tornado Cash TVL — Source: DefiLlama

In a matter of weeks, Tornado Cash liquidity pools decreased by approximately 60%, its monthly users fell by over 50%, and its TVL dropped from $460.6 million in August 2022 to $168.25 million by January 2023.

Tornado Cash seemed to be no longer a money laundering Eldorado, and some crypto criminals tried to find other paths.

Among them, Railgun.

II — Tornado Cash Vs Railgun

Tornado Cash and Railgun are both privacy-focused services, but they differ in their underlying technologies, use cases, and the specific ways they provide privacy.

Technology

Tornado Cash — Tornado Cash utilizes zero-knowledge proofs (zk-SNARKs) to ensure that transactions are anonymous. When a user deposits funds into Tornado Cash, they receive a secret note. Later, when they withdraw the funds, they use this note to prove they are entitled to the funds without revealing their identity.

Railgun — Railgun was created in 2021 and uses zero-knowledge rollups to provide privacy for transactions. This technology allows for bundling multiple transactions into a single proof, improving scalability and reducing gas fees.

Source: FeiXaoHao

Privacy Abilities

Tornado Cash — Tornado Cash is designed to improve the privacy of Ethereum transactions.
Users can deposit ETH or ERC-20 tokens into the Tornado Cash smart contract and withdraw them to a different address, breaking the on-chain link between the sender and the recipient.

Tornado Cash acts as a decentralized mixer where users’ funds are pooled together, and the zk-SNARK technology ensures that individual transactions are anonymized when funds are withdrawn. Tornado Cash users retain control over their funds and privacy by holding the secret note.

As explained earlier, Tornado Cash’s obfuscation ability rests on its ability to draw in a massive amount of funds and activity.

Railgun — Railgun is designed to enable private interactions with DeFi protocols. It allows users to make transactions, trade, and interact with DeFi applications while maintaining privacy. It also includes a wallet service called Railway with integrated features.

Railgun provides a set of smart contracts that enable users to conduct those private transactions. These contracts shield transaction details from the public blockchain, ensuring privacy for users engaging in DeFi activities.

Railgun’s privacy feature is bound to its adoption by various DeFi protocols and the broader ecosystem.

In summary, Tornado Cash is primarily a decentralized mixer for Ethereum transactions, focusing on providing anonymity by breaking the on-chain link between deposits and withdrawals using zk-SNARKs, while Railgun is designed to offer privacy for DeFi transactions, enabling users to engage with various DeFi protocols privately using zero-knowledge rollups while reducing transaction costs.

They are tailored to different aspects of the ecosystem.
Tornado Cash is more about anonymizing simple transactions, while Railgun focuses on providing a private DeFi experience.

III — The Criminal and Mainstream Rise of Railgun

Since 2023, Railgun has been profiting from Tornado Cash’s partial demise.

The Rise of the Criminal Use of Railgun

Railgun made a big bang entry onto the crypto scene in January 2023. No one seemed to have ever heard of it before multiple reports revealed that the multi-billion-dollar North Korean hacker group Lazarus had switched from Tornado Cash to Railgun, making headlines.

The Lazarus Group had used Railgun to launder over $60 million from the $100 million Harmony Horizon Bridge exploit they orchestrated back in June 2022. According to research conducted by the blockchain security company Elliptic, approximately 70% of the funds sent through Railgun by January 2023 were traced back to the Harmony hack.

Source: Elliptic

Was the Lazarus Group drunk on Soju when they chose Railgun?

One must ask this question because you would have to have lost all sense of money laundering acumen to attempt laundering money through a service where most of the mixed funds will end up being your own, as obfuscation simply will not occur.

The fact that the Lazarus funds made up such a substantial share of the Ether passing through Railgun made the laundering ineffective, and it was as easy as pie to trace the Lazarus Group’s pilfered funds to three cryptoasset exchanges. Upon being alerted, Binance and Huobi identified, blocked, and seized a portion of the laundered funds.

Despite this debacle, which should have made criminals think twice before using Railgun, some crypto criminals were still willing to give it a shot despite the limited privacy afforded by its low transaction volume, such as the FTX exploiter and the Maestro hacker.
However, these cases were few and far between.

Source: MistTrack

But months later, Railgun would receive an unexpected endorsement that would change its course and put Railgun back on the criminal money laundering map.

The Mainstream Rise of Railgun aka Thank You Vitalik!

Despite multiple blockchain security experts and even the FBI confirming that the Lazarus Group used Railgun, Railgun has fervently denied it. It’s a rather brazen attitude, but they couldn’t confess to it and get away with an ‘oopsie’ in front of regulatory bodies. Any involvement with the Lazarus Group has led to the breakdown of privacy tools over the past two years.

After the Lazarus debacle, Railgun’s days were rather peaceful, and the bull market since the beginning of 2024 brought in some much-needed liquidity.

Then, on April 15th, 2024, Railgun took center stage again, but this time for all the right reasons.

That day, Ethereum co-founder Vitalik Buterin took to Twitter to explain that “Privacy is normal” and that Railgun’s approach to privacy made it “much harder for bad actors” to exploit it, after Wu Blockchain reported a 100 ETH transfer Vitalik had made using Railgun the same day. It was later reported that he had been using Railgun on multiple occasions over the preceding months.

Source: Twitter

This huge stamp of legitimacy propelled Railgun to a significant spike in volume and users, recording its highest-ever weekly volume on Ethereum on May 27th.
It went above $47 million!

Source: Dune

Simultaneously, Railgun’s TVL skyrocketed, almost reaching $100 million just weeks after Vitalik’s tweet.

Source: DeFiLlama

Unsurprisingly, though, this heightened volume meant that Railgun was now a potentially effective money laundering tool, and crypto criminals picked up on it. This effectively sabotaged Railgun’s PR campaign.

IV — Railgun PR Privacy Campaign and The Limits of Proof of Innocence

Escaping The Regulatory Crackdown

When the January 2023 Lazarus Group scandal broke out, six months after the Tornado Cash ban, some of the headlines read: ‘Is Crypto Privacy Project Railgun Next on OFAC’s Crypto Sanctions Hit List?’

Well, despite its involvement with the Lazarus Group, Railgun has been left seemingly, uncharacteristically unbothered.

In the meantime, authorities have been busy.

In August 2023, the US Department of Justice (DOJ) charged more Tornado Cash developers for their involvement in money laundering. In December 2023, the Sinbad coin mixer was sanctioned and taken down by global authorities due to its entanglement with the Lazarus Group.

In April 2024, the DOJ arrested two co-founders of Samourai Wallet, a Bitcoin wallet with a built-in crypto mixer. A month later, a Dutch court found Tornado Cash developer Alexey Pertsev guilty of laundering $2.2 billion in illicit assets.
Meanwhile, the European Union seriously discussed banning crypto mixers and privacy tokens altogether.

Simultaneously, a crackdown on privacy coins like Monero and Zcash over the past two years has led certain exchanges, such as Coinbase, Huobi, Binance, and Bittrex, to not list, delist, or impose restrictions on privacy coins.

While Railgun was not under OFAC’s scrutiny, it embarked, likely in an effort to avoid the same fate as Tornado Cash and the others that followed, on a mission to become the figurehead of the right-to-privacy movement.

They seize every opportunity that presents itself, such as speaking at the Virtual Currency Symposium — the largest international conference for law enforcement agencies focused on crypto crimes — in August 2023, and promoting in the crypto press the goodwill of US senators and the FBI concerning crypto privacy in May 2024.

The argument they put forth to persuade authorities is very simple but effective, and it can be found in their launch announcement from 2021:

“Crypto should at the very least have the same level of privacy mainstream banking options provide.”

Of all the arguments one can make for privacy, this one probably has the greatest ability to break through “normies’” guard. It’s an argument that hits home because anyone would be gripped with dread, or something like it, if they imagined all their bank transactions aired out for anyone to see.

Put that way, the right to privacy seems a given, and it should also be within the realm of possibility for crypto users.

The latest intervention by Brian Nelson, the Treasury’s Under Secretary for Terrorism and Financial Intelligence, during the Consensus crypto conference on May 30th, 2024, seems to indicate that privacy advocates like Railgun have been making headway.
Nelson recognized the legitimacy of financial privacy on public blockchains:

“From our perspective, we believe that there is a difference between obfuscation and anonymity enhancing services that support privacy — we of course totally recognize that, in the context of public blockchains…that there would be a desire to have a certain degree of privacy. […] In that spirit, we want to work closely with industry to identify and collaborate on tools that can enhance privacy.” — Coindesk

Despite the increasing acknowledgment by authorities of the nuances around crypto privacy, there is one crucial question privacy tools must answer: ‘What about the baddies?’

Railgun believes they have the ultimate trump card to evade regulatory scrutiny with their Private Proofs of Innocence.

Proof of Innocence and its Limits

Railgun Project co-founder Alan Scott may have been awfully confident in Railgun’s ability to sidestep the authorities’ crackdown in an interview he did with DL News in May 2024.

Regarding the Tornado Cash situation, he said, ‘I do find it unfortunate that those dudes are in jail,’ but also mentioned that ‘there are a lot of people developing privacy who aren’t in trouble.’ He then cited privacy projects like Aztec and Zcash, implying that Railgun itself was beyond the reach of regulatory bodies.

Let’s set the record straight: firstly, the ‘dudes’ at Aztec and Zcash do not offer the same services as Railgun.

Aztec is a privacy-first zkRollup on Ethereum that builds privacy tooling for public blockchains. As mentioned earlier, Zcash is a privacy coin.

Secondly, also as mentioned earlier, Zcash, like other privacy coins, has been targeted over the past years. In January 2024 alone, they had to jump through hoops to avoid being delisted by Binance and hope to survive another day.
Aztec, on the other hand, had to take multiple preemptive measures, restricting or shutting down some of its popular services to try to survive another day.

It’s actually false to claim that these privacy services are escaping regulatory scrutiny, that they are somehow better than Tornado Cash, and that this is why their ‘dudes’ are not in jail.

This arrogance apparently stems from one single tool: its ‘Proof of Innocence’ feature.

Source: Twitter

In May 2023, four months after being discovered as the Lazarus Group’s unfortunate money laundering sidekick, Railgun announced the Private Proof of Innocence. It’s a tool for Railgun users to maintain their privacy while proving that they have not interacted with malicious actors.

Utilizing a zero-knowledge proof system, Railgun ensures that incoming funds aren’t related to illegal activity or the profiles of known malicious entities.

The Proof of Innocence, as a ZK computation, only checks that funds, deposits, and withdrawals are not on a specific list. Besides this verification, generating a Proof of Innocence doesn’t disclose any user details like addresses, balances, or transaction history.

If the verification confirms no links to addresses on the OFAC list, for example, the funds are cleared for processing without privacy constraints.

This approach allows users to cryptographically demonstrate that their funds originate from legitimate sources, shielding them from wallets associated with theft or illicit activities while preserving their anonymity.

In Railgun’s own words: “In this way, it shifts the paradigm of assurance from prohibition to a provable presumption of innocence.”

Source: Railgun

Apparently, crypto criminals didn’t get the memo and have been increasingly using Railgun since (unsurprisingly) April 2024, especially wallet crypto drainer groups.
MistTrack, a blockchain security company specializing in crypto tracing, has qualified Railgun as the ‘official/unofficial [money laundering] tool for them.’

Source: MistTrack and Certik on Twitter

On June 2nd, 2024, even the world-renowned crypto sleuth ZachXBT called out Railgun in the comment section of a since-deleted Twitter post promoting their privacy pools. He pointed out that despite their privacy pools being live, funds from the Poloniex hack operated by the Lazarus Group back in 2023 had been flooding Railgun, according to his investigation.

Source: Twitter

Railgun hid behind the OFAC list provided by Chainalysis, claiming in short that they were not responsible for missed criminal reports. To this, Zach replied that the Poloniex funds were impossible to miss as they had been ‘spiking up the volume immensely,’ holding Railgun accountable.

They then deleted their original post, most likely to prevent people from scrolling and discovering the legitimate issues ZachXBT had raised.

To try to salvage their reputation and save themselves, they quickly and heavily hinted at allowing law enforcement and crypto security experts worldwide to update the list of addresses used by malicious actors in real time, without having to wait for the slower and often incomplete official OFAC list.

On November 28th, 2024, they announced the onboarding of key blockchain security experts and players, which will further enrich and strengthen their PPOI through the vast pool of data they continuously collect.

Source: Twitter

To enhance risk detection, Railgun implements a one-hour Unshield-Only Standby Period for tokens after they are shielded into the system. During this time, the only available action is to ‘unshield’ the tokens back to the original shielding wallet. This measure allows Railgun to update its list of persona non grata addresses, providing time for List Providers like Elliptic or ScamSniffer to refresh their data.
The goal is to prevent bad actors from quickly laundering funds on the platform.

Unfortunately, it’s still not enough: not only is Proof of Innocence dependent on third-party input, but a crypto criminal can also bypass it with minimal address hopping — just one stop, really — before immediately using Railgun, reports Anchain.

Since Proof of Innocence primarily checks whether an address is flagged as illicit before entering the shielded pool, any quick, intermediate hop can potentially bypass this check.

According to Anchain:

“Despite Railgun’s claims, a single transfer to a “clean” wallet can bypass their entire security framework. Since the proof only considers the transaction history of the wallet in question, users can perform a single-hop transfer to obscure the connection to a flagged wallet. Once the funds are in the new wallet, the user can interact with Railgun, and any Proof of Innocence will show that the “clean” wallet has no involvement with the suspicious transactions — despite originating from a flagged source.”

This could leave Proof of Innocence dead in the water, as the potential for immediate tracking, reporting, and input for every crypto crime seems quite infeasible, especially when there are delays in detecting hacks or, in the case of scam proceeds, even more challenges in tracking them.

Furthermore, aside from OFAC and its U.S.-centric focus on criminal activities, the entities it collaborates with tend to concentrate on crimes strictly within the crypto ecosystem, rather than addressing global criminal activities that use cryptocurrencies to launder and obfuscate ill-gotten funds.
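The two weaknesses discussed above (a list check that only looks at the depositing wallet, and a list that refreshes late) can be made concrete with a toy screening model. This is an added illustration written for this article, not Railgun’s or Anchain’s code: the addresses, the transfer ledger and the blocklist are constructed sample data, and the standby window and return-to-origin behaviour are modelled only as the article describes them.

```python
"""Toy model of a Proof-of-Innocence style screening check.

Added illustration, not Railgun's code. Every address, the ledger and the
blocklist below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: int


# Constructed ledger: a flagged wallet moves funds through one fresh "clean"
# hop before the wallet that finally shields into the pool.
LEDGER = [
    Transfer("0xFLAGGED", "0xHOP", 100),
    Transfer("0xHOP", "0xDEPOSITOR", 100),
    Transfer("0xEXCHANGE", "0xHONEST", 50),
]

# What the list provider knew when the deposit was shielded.
LIST_AT_SHIELD_TIME = frozenset({"0xFLAGGED"})

# Length of the unshield-only standby window, as described in the article.
STANDBY_SECONDS = 3600


def wallet_only_check(wallet, blocklist):
    """Passes whenever the depositing wallet itself is not on the list.
    This is the check a single intermediate hop defeats."""
    return wallet not in blocklist


def upstream_wallets(wallet, ledger, max_hops):
    """Walk backwards along incoming transfers, at most max_hops deep,
    and return every wallet that fed the given one (breadth-first)."""
    seen = set()
    queue = deque([(wallet, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth == max_hops:
            continue
        for t in ledger:
            if t.dst == current and t.src not in seen:
                seen.add(t.src)
                queue.append((t.src, depth + 1))
    return seen


def taint_check(wallet, ledger, blocklist, max_hops=3):
    """Passes only if no listed wallet appears within max_hops upstream.
    Depth 1 sees only the hop; depth 2 reaches the flagged origin."""
    return not (upstream_wallets(wallet, ledger, max_hops) & set(blocklist))


def pool_action(wallet, shield_ts, now_ts, ledger, blocklist, max_hops=3):
    """Decision for shielded funds at time now_ts.

    Inside the standby window only unshielding back to the origin wallet is
    allowed.  After it, the list current at now_ts (possibly refreshed since
    shield_ts) is consulted: clean funds may be spent privately, listed funds
    are returned to the shielding wallet.
    """
    if now_ts - shield_ts < STANDBY_SECONDS:
        return "unshield-only"
    if taint_check(wallet, ledger, blocklist, max_hops):
        return "spend"
    return "return-to-origin"


if __name__ == "__main__":
    # The one-hop deposit passes a wallet-only check but fails a depth-2 trace.
    print(wallet_only_check("0xDEPOSITOR", LIST_AT_SHIELD_TIME))
    print(taint_check("0xDEPOSITOR", LEDGER, LIST_AT_SHIELD_TIME, max_hops=2))
    # A list refreshed during the standby window changes the post-window outcome.
    refreshed = LIST_AT_SHIELD_TIME | {"0xHOP"}
    print(pool_action("0xDEPOSITOR", 0, 4140, LEDGER, refreshed, max_hops=1))
```

The depth parameter is the point a defender would tune: a check limited to the depositing wallet is exactly what the one-stop hop defeats, and even a deeper trace still depends on the list being refreshed before the standby window closes.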
This leaves a glaring blind spot in the true criminal coverage of the blockchain.

In January 2025, blockchain security firm zeroShadow revealed that Railgun was also used to launder the proceeds of yet another DPRK heist, the $10 million hack of Coinstats.

Source: LinkedIn

In a nutshell, Proof of Innocence, in its current form, cannot entirely prevent criminals from using Railgun to launder money.

So what are the chances that it will prevent authorities from knocking on Railgun’s door?

Despite its recent improvements, as of now, Private Proofs of Innocence appear to be more of a flimsy barrier than a shield against global regulatory scrutiny.

Conclusion

There is a saying in the crypto space: “Crypto is only good if it works for criminals.”

Why? Because the intense criminal use of a cryptocurrency is proof that core blockchain values like privacy, decentralization, and censorship resistance are ensured.

This also applies to crypto services. Criminals’ endorsement of Railgun can be interpreted as proof that it deserves a Satoshi Nakamoto Medal.

However, that’s an endorsement they would likely prefer not to receive, as it absolutely sabotages their right-to-privacy-but-law-abiding PR campaign.

Railgun is arguably the most motivated and active decentralized platform working to tackle money laundering activities, particularly those tied to high-profile and publicized crypto crimes.

In 2024, the scammer behind the largest phishing heist targeting an individual, resulting in a loss of $243 million — which we covered in the chapter dedicated to crypto scams — attempted to use Railgun to launder the proceeds of their crime. About two hours after ZachXBT’s revelation, Railgun explained that the scammer’s funds were ‘unshielded’ after they failed to generate a PPOI proof.

Source: Twitter

On February 12th, 2025, Railgun found itself once again in the spotlight after the hacker behind an almost $10 million heist sent the stolen funds directly to Railgun.
It seems that the Unshield-Only Standby Period provided enough critical time for the hacker’s address to be blacklisted on Railgun, as there was a 1-hour and 9-minute window between the funds being sent to Railgun and Railgun sending all of the hack proceeds back to the hacker.

The day following the hack, Vitalik Buterin — who may be Railgun’s ultimate fan — took the time to publicly acclaim Railgun for the efficiency of the PPOI.

Source: Twitter

Railgun’s motivation to combat money laundering appears to stem from a strong ambition to establish itself as the leading ‘compliance-safe’ platform for crypto retail investors, actors, and hedge funds seeking to safeguard the privacy of their transactions, aiming to capture a significant share of the crypto market’s attention and activity and ultimately positioning Railgun as a dominant force in the space.

Unless Railgun intends to play both sides by publicly seducing legitimate actors while discreetly banking criminal fees, pursuing its AML efforts could cost it its newly acquired ‘gateway to money laundering’ reputation.

This may come sooner rather than later, as they publicly disclosed on December 30th, 2024, that an improved version of PPOI, ‘Private Proofs of Innocence v2,’ was on the roadmap for 2025.

Source: Twitter

2025 could also be a turning point for Railgun in terms of scrutiny, as political developments in the U.S. at the end of 2024 may dissipate the doom-laden regulatory cloud that has been hovering over its head since its inception.

First, the election of Donald Trump is ushering in a seismic shift in the crypto regulatory landscape.
His ‘crypto czar,’ David Sacks, announced in early February 2024 that the Trump administration would herald ‘a golden age in digital assets,’ with crypto as a ‘week-one priority’ and that the ‘era of blocking crypto innovation is over.’ TL;DR: The effervescent crypto regulatory activity of the Biden administration has come to an end.

Two weeks earlier, the first ripple of this seismic shift hit U.S. courts and the crypto space when the U.S. District Court for the Western District of Texas overturned the OFAC sanctions against Tornado Cash, two and a half years later.

Coindesk reported that in the appeal, OFAC was accused of overstepping its ‘statutory authority’ by blacklisting Tornado Cash: ‘We hold that Tornado Cash’s immutable smart contracts (the lines of privacy-enabling software code) are not the “property” of a foreign national or entity, meaning (1) they cannot be blocked under IEEPA, and (2) OFAC overstepped its congressionally defined authority.’

At least on the U.S. side of the globe, Railgun may have been granted a temporary reprieve from scrutiny — long enough to potentially evolve into a privacy tool free from criminal interference through continued innovation, which could ultimately ensure its wealth and longevity.

While Railgun may quickly turn from a rising star in money laundering to a fallen one, another new crypto money laundering player that similarly emerged in 2024 is on the opposite trajectory, set to become a supernova.

2 — Huione Group: The New Epicenter of Pig-Butchering and Crypto Money Laundering

A new money laundering tool has been making waves in the crypto space in 2024, and it all traces back to the criminal organizations behind the pig-butchering scam and Cambodian rulers.

The yearly $64 billion pig butchering scam industry has been so uncannily successful that it needed its own money laundering ecosystem.

Soon enough, North Korean threat groups and other crypto criminals became aware of a peculiar piece of this money laundering edifice that
was unlike any other: Huione.

Huione could be traced back to the Cambodian prime minister’s cousin.

Elliptic’s latest investigation, along with findings from the United Nations Office on Drugs and Crime and Radio Free Asia, as well as a deep dive into the genesis of pig butchering, reveal that the Cambodian prime minister’s cousin’s involvement with a high-profile crypto money laundering tool is not a fluke.

Huione could soon become the biggest challenge faced by crypto crime fighters around the world.

I — Huione Guarantee: One of the Backbones of the $64 Billion-a-Year Pig Butchering Scam Industry

In July 2024, blockchain security firm Elliptic disclosed findings from their investigation into the success of pig butchering scams, which led them to Huione Guarantee (汇旺担保), a branch of Huione Group, a Cambodian conglomerate.

Huione Guarantee has emerged as a rapidly growing center for money laundering and illicit trading, heavily utilized by criminal organizations in Southeast Asia, particularly for pig butchering schemes.

Huione Guarantee features a unique setup: it acts as an escrow service for all transactions that take place on its platform, a Chinese-language marketplace consisting of a vast network of thousands of instant messaging app channels, each managed by an individual merchant.
Their role as a guarantor helps combat fraud, or so they say.

But can fraud truly be prevented if you do not “participate in nor understand the specific business of customers,” nor can you verify or guarantee the “origin of funds or goods”?

Source: Elliptic

In reality, a closer examination of its seemingly legitimate business facade revealed that, according to Elliptic, Huione Guarantee — established in 2021, when the pig butchering business was already deeply rooted in Cambodia and beginning its meteoric rise — has become a criminal haven for pig butchering schemes.

Huione “merchants” provide technology, data, money laundering services, and logistical and operational tools specifically for cyber scam operators and centers. Their offerings include:

Development services to create fraudulent crypto investment websites that appear legitimate to victims of pig butchering.

AI deepfake software to impersonate identities and ensnare targets in elaborate traps.

Targeted data, including worth and contact details, to pursue high-value victims.

“Huione Guarantee merchants offering web development of cryptocurrency investment sites of the type used in pig butchering scams (left), personal data of individuals around the world for targeting by scammers (middle) and AI face changing software advertised for use in scams (right).” — Source: Elliptic

Torture equipment. As detailed in our report on pig butchering scams, most of the pig-butchering “scammers” are actually victims of cyber-enslavement, forced under duress and torture to carry out scams globally while imprisoned in industrial-scale scam centers. Huione merchants also play a role in this, providing various torture tools. According to Elliptic, items such as tear gas, electric batons, and electronic shackles are sold on Huione.
These tools are used to maintain absolute control over their primary victims, who are referred to as “dogs” by both merchants and scam centers.

“Advertisements on Huione Guarantee for electric shock shackles (left) and electric batons (right), which the merchants suggest are to be used on scam compound workers.” — Source: Elliptic

The most significant aspect of Huione Guarantee, both in terms of the volume of dealings and merchant activity and its relevance to the crypto criminal landscape, is money laundering.

According to Elliptic, money laundering services are openly and “explicitly” offered on the platform, “including accepting payments from victims around the world, transferring it across borders, and converting it to other assets including cash, stablecoins, and Chinese payment apps.”

Money launderers also openly discuss “the types of fraud proceeds that they are willing to launder, based on the perceived risk of having the funds frozen by financial institutions or law enforcement.”

“(Top) a Huione Guarantee merchant offers to launder proceeds of fraud including pig butchering scams. (Bottom) another merchant specializes in the laundering of sextortion scams (“se敲” — translated here as “se knock”)” — Source: Elliptic

It’s no wonder that money laundering is such a flourishing industry on the Huione Guarantee platform, as the proceeds from pig butchering scams alone bring in at least $64 billion annually for the criminal organizations behind them, according to the “Transnational Crime in Southeast Asia Report” published in 2024 by the United Nations Office on Drugs and Crime. Cambodia, alongside Laos and Myanmar, is at the epicenter of it all.

Source: Transnational Crime in Southeast Asia Report by UNODC

Source: Transnational Crime in Southeast Asia Report by UNODC

The cryptocurrency that serves as the cornerstone of the entire pig butchering scheme and the associated money laundering activities is the USDT stablecoin.
It is also the preferred currency on the Huione Guarantee platform, where payments are predominantly accepted in USDT, although some fiat transfers are accepted to a certain extent.

According to the UNODC report, USDT is the “preferred choice for regional cyber fraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions.”

However, their flawed belief that USDT is somehow more difficult to trace led to their downfall in many pig butchering cases. And that’s how, by tracing USDT flows, Elliptic was able to gain an almost complete picture of Huione Guarantee’s inflows and outflows, discovering that crypto wallets used by Huione Guarantee and its merchants have accumulated at the very least $11 billion since 2021.

Based on Elliptic’s decryption of thousands of messages across the Huione Guarantee platform and months of investigation, Huione Guarantee’s “predominant role is to act as an illicit marketplace.” The logical conclusion is that most, if not all, of the $11 billion found “relates to illicit activity,” primarily stemming from pig butchering scam-related activities.

“Value of USDT received by cryptocurrency wallets known to be used by Huione Guarantee and its merchants.
These figures should be considered as lower bounds of the true volume of transactions on the platform.” — Source: Elliptic

If Huione Guarantee ever prevented fraud, well, it seems it was to prevent its criminal clients from one-upping each other and to forcefully ensure, as an escrow service, that there would be honor among thieves.

They have been so good at making good on their promise of “providing all-around transaction protection for both buyers and sellers” that it has caught the attention of malicious actors outside of Southeast Asia, across borders, including the infamous North Korean state-sponsored hacking groups.

II — Huione Group: The Latest Money Laundering Playground for DPRK Threat Group(s)

Five days after Elliptic’s initial report on Huione Guarantee, crypto sleuth ZachXBT revealed that his latest investigation connected Huione to the Lazarus Group, which has siphoned more than $3.5 billion from the crypto space in the last three years through countless exploits.

One such exploit occurred on May 31, 2024, when the centralized Japanese crypto exchange DMM Bitcoin fell victim to a private key exploit, resulting in a staggering loss of $308 million. This hack is the biggest crypto heist recorded since the November 2022 FTX hack and the sixth biggest crypto heist in history.

By following the financial tracks left by the attackers, ZachXBT identified the money laundering patterns and off-chain indicators as belonging to the Lazarus Group.

One of the techniques used by the Lazarus Group to launder the stolen funds was the use of Huione Guarantee in early July 2024, with more than $35 million disappearing through it.

Source: ZachXBT

In the same thread, ZachXBT revealed that Huione Guarantee was used for its money laundering capabilities in a different crypto criminal case: the 2023 $31 million crypto investment fraud Fintoch.
ZachXBT was able to trace millions from this exit scam going through Huione.

This revelation may have come as no surprise to UNODC investigators, who had reported seven months earlier that they found traces of the Lazarus Group operating a money laundering pivot to Southeast Asia.

Through on-chain investigation, they spotted multiple instances where the Lazarus Group was "sharing money-laundering and underground banking networks with fraudsters and drug traffickers in Southeast Asia" by using the same "foundational pieces" of the region's criminal banking architecture: casinos and crypto exchanges.

Finding the Lazarus Group entangled with Huione Guarantee, another "foundational piece" of the Southeast Asia money laundering ecosystem, therefore seems like a foregone conclusion.

As fate would have it, the very day after ZachXBT's revelation, a Reuters report revealed that the FBI had found the Lazarus Group laundered at least $150,000 between June 2023 and February 2024 through a sister branch of Huione Guarantee: Huione Pay.

The $150,000 were proceeds of three high-profile hacks carried out by the Lazarus Group in 2023: Atomic Wallet, Alphapo, and CoinsPaid, which together totaled more than $200 million.

According to blockchain security firm TRM Labs, after these hacks the Lazarus Group converted most of the stolen funds to USDT on the Tron blockchain, which was then sent "to exchanges, services, and OTC — one of which was Huione Pay."

Comparing the $150,000 laundered through Huione over several months at the end of 2023 and the beginning of 2024 with the $35 million laundered in the first days of July 2024, a plausible theory is that the Lazarus Group was testing Huione as a new money laundering route. Since they returned with a colossal amount, the trial period must have been conclusive in favor of adopting Huione as a key step in their money laundering process.

But the Lazarus Group's involvement with the Huione Group may have drawn law enforcement's attention. The U.S., in particular, has been aggressively targeting North Korea's crypto-criminal activities and has taken down or brought to heel every entity found to be actively laundering its money, such as Tornado Cash and Samourai Wallet.

This translated into the Huione Group facing some disruption from an unlikely source: Tether, the entity behind USDT.

USDT is issued by Tether Limited, a centralized company that controls the issuance and redemption of the token. This centralization introduces a single point of control (and of failure) and invites regulatory scrutiny: as a centralized entity, Tether Limited is subject to regulatory oversight and must comply with various legal and financial regulations. In practice, Tether Limited can freeze USDT held by specific addresses and blacklist addresses entirely.

But as reported earlier, USDT has nevertheless become the "preferred choice" of currency in Southeast Asia, with the UNODC revealing that more than $17 billion in USDT annually is connected to criminal activities.

The use of USDT in myriad crypto criminal activities worldwide has regulators breathing down Tether's neck, prompting it to be more proactive in dealing with the use of its currency for criminal proceeds.

In one such case, Tether "voluntarily" froze USDT worth $225 million "linked to an international human trafficking syndicate in Southeast Asia responsible for a global 'pig butchering' romance scam." In the Huione Group case, Tether, "on a direct request from law enforcement," blacklisted a wallet holding 29.62 million USDT on Tron connected to Huione Guarantee.
Around $14 million flowed into this wallet from the DMM Bitcoin hack, reported ZachXBT.

Frozen Funds by Tether — Source: Bitrace

Blockchain security company Bitrace reported that after the funds were frozen, the Huione Group "activated a new business address" and moved 114,800 USDC out of the original Tron wallet. The freeze only covered USDT: Tether can blacklist an address for its own token, but a different issuer's stablecoin held at the same address is unaffected unless that issuer acts as well.

On one hand, the Lazarus Group brought in millions and, as a crypto money laundering trendsetter, will attract a flock of new users to the Huione Group. On the other hand, it has brought increased international scrutiny to their operations.

III — Huione Group: Emerging as a Crypto Criminal Mastodon in H2 2024

Since the Elliptic revelation in July 2024, Huione has transformed itself into one of the most dangerous criminal hubs worldwide. Elliptic publicly airing its dirty business may have been the trigger (or the accelerator) of a structural transformation designed to eliminate any form of third-party dependency and turn it into an impregnable fortress.

First, Elliptic reported in its follow-up report on Huione, published in January 2025, that Huione Guarantee has attempted to separate itself from the Huione Group in what can only be described as a feeble attempt. The marketplace rebranded itself as "Haowang Guarantee," citing "development needs," while Huione Pay removed any mention of Huione Guarantee being a subsidiary from its website. The move is merely cosmetic, as Huione Pay reaffirmed that "Huiwang Group is still one of the company's strategic partners and shareholders."

The "rebranding" also included a disclaimer from Huione Guarantee stating that it takes "no responsibility" for what transpires on its platform, as previously mentioned.
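The freeze and the subsequent USDC move described above, as an added example that is not part of the original article and not code from Elliptic, Tether or Bitrace: a toy Python model of an issuer-controlled stablecoin ledger with a USDT-style sender blacklist, plus the lower-bound inflow calculation that flow tracing of attributed wallets relies on. All addresses, amounts and the second token are constructed assumptions; the only behaviour modelled from the real contracts is that transfers from a blacklisted address are refused, and that each issuer's blacklist covers only its own token.

```python
"""Toy model of an issuer-controlled stablecoin and a flow-tracing pass.

Added example, not code from the article or from Elliptic/Tether/Bitrace.
All transfers below are CONSTRUCTED sample data, not real chain data; the
address labels and amounts are made up. The only thing modelled from the
real USDT contracts is that the issuer keeps a per-address blacklist and
the transfer path refuses to move tokens out of a blacklisted address.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CentralizedStablecoin:
    """Minimal ledger with an issuer-owned blacklist (USDT-like semantics)."""
    symbol: str
    issuer: str
    balances: dict = field(default_factory=lambda: defaultdict(int))
    blacklist: set = field(default_factory=set)
    log: list = field(default_factory=list)  # (symbol, src, dst, amount)

    def mint(self, to, amount):
        self.balances[to] += amount

    def add_blacklist(self, caller, addr):
        # Only the issuer can freeze; a blacklisted address can no longer send.
        if caller != self.issuer:
            raise PermissionError("only the issuer may blacklist")
        self.blacklist.add(addr)

    def transfer(self, src, dst, amount):
        if src in self.blacklist:
            raise PermissionError(f"{src} is frozen by {self.issuer}")
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.log.append((self.symbol, src, dst, amount))
        return True


def cluster_inflows(transfers, cluster):
    """Lower-bound inflow per token into a set of attributed addresses.

    Counts only value arriving from OUTSIDE the cluster; internal shuffles
    are ignored. Any wallet not yet attributed is simply missing from the
    sum, which is why such figures are floors rather than ceilings.
    """
    totals = defaultdict(int)
    for symbol, src, dst, amount in transfers:
        if dst in cluster and src not in cluster:
            totals[symbol] += amount
    return dict(totals)


def scenario():
    usdt = CentralizedStablecoin("USDT", issuer="tether")
    usdc = CentralizedStablecoin("USDC", issuer="circle")
    # Hypothetical addresses: a marketplace "business wallet", two merchants
    # attributed to it, an unrelated victim wallet, and a fresh wallet.
    biz, m1, m2, victim, new_biz = "biz", "merchant1", "merchant2", "victim", "biz2"
    cluster = {biz, m1, m2}

    usdt.mint(victim, 10_000_000)
    usdc.mint(biz, 114_800)
    usdt.transfer(victim, m1, 4_000_000)   # external inflow, counted
    usdt.transfer(m1, biz, 4_000_000)      # internal move, not counted
    usdt.transfer(victim, biz, 6_000_000)  # external inflow, counted

    # Issuer freezes the business wallet on a request from law enforcement.
    usdt.add_blacklist("tether", biz)
    frozen_ok = False
    try:
        usdt.transfer(biz, new_biz, 1)
    except PermissionError:
        frozen_ok = True

    # The freeze is per issuer: a different stablecoin at the same address
    # still moves, which is the pattern Bitrace reported.
    usdc.transfer(biz, new_biz, 114_800)

    inflows = cluster_inflows(usdt.log + usdc.log, cluster)
    return {
        "usdt_frozen_at_biz": usdt.balances[biz],
        "frozen_transfer_rejected": frozen_ok,
        "usdc_moved_to_new_wallet": usdc.balances[new_biz],
        "cluster_inflows": inflows,
    }


if __name__ == "__main__":
    print(scenario())
```

Run it as a script to print the result dictionary. Two points a practitioner should take from it: a Tether freeze immobilises USDT at that address and nothing else, so the same wallet can keep moving USDC, TRX or any other asset unless each issuer acts; and an inflow figure computed from attributed addresses can only ever be a floor, since every unattributed wallet in the cluster is absent from the sum.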
It now seemingly has a "bottom line": funds acquired through "U theft, human trafficking, drug-related activities, firearms and ammunition, terrorism and violence, financial flow business involving the United States, and cross-chain currency mixing and laundering" are "not accepted."

Besides these questionable rebranding tweaks, Huione developed four key pieces of infrastructure designed to make it criminally unstoppable: its own stablecoin, its own messaging app, its own crypto exchange, and even its own blockchain.

USDH: The Huione Group Stablecoin

As just explained, Huione and its users' reliance on the stablecoin USDT has already backfired on them. To avoid the risk of future fund freezes by Tether, they chose to develop their own stablecoin and become self-reliant.

Elliptic revealed that, two months after the freeze, Huione unveiled its home-made, supposedly US dollar-backed stablecoin, USDH, touted as perfect for the "prevention of asset freezing," as it is "not restricted by traditional regulatory agencies" and thus does not suffer from the "transfer restrictions of traditional digital currencies."

USDH "ads" — Source: Elliptic

Source: USDH (Huione) Website

A new stablecoin is useless if it cannot be exchanged for fiat or other cryptocurrencies; it needs a market.

Huione Crypto and Huione Chain

Unsurprisingly, when Huione announced the launch of its stablecoin USDH in September 2024, it also introduced its own crypto exchange, Huione Crypto.

While awaiting potential adoption by other exchanges, whether centralized or decentralized platforms with little concern for the stablecoin's questionable origins, Huione Crypto is designed to serve as the backbone of USDH. Elliptic reports that the exchange supports various assets, including Bitcoin, Ether, TRX, SOL, and Dogecoin.

In its effort to build a "perfect closed loop of USDH exchange," Huione has also developed its own blockchain, Huione/Xone Chain, following ICO-like steps in exchange for its native token, HC.
Additionally, Elliptic notes that USDH has been issued on leading blockchains, including Ethereum, BSC, and Tron.

The development spree does not end here: Huione also built its own DEX and crypto wallet.

Nevertheless, unless Huione intends to print unbacked magic internet money, leading to massive undercollateralization of USDH and a future market crash, it needs substantial adoption and a large influx of liquidity to become sustainable and a relevant money laundering tool. Recent developments may have somewhat thwarted that.

After Elliptic's January 2025 report, Apple and Google took down most Huione apps, including Huione Crypto, which are now unavailable from the official stores.

Source: Google

This could be seen as a minor setback, as it only requires the extra step of sideloading an APK or App Bundle on Android, or installing an IPA on a jailbroken iOS device. For motivated actors, this amounts to nothing.

But by blocking easy access for retail investors who might have joined the exchange and purchased USDH, bringing in additional liquidity and "clean money," the takedown may have weakened USDH's potential.

Attracting legitimate investors appears to have been part of the strategy, as revealed in February 2025, when it came to light that CertiK, one of the most popular and recognized blockchain auditors, had been deceived into auditing USDH.

CertiK co-founder Ronghui Gu disclosed that a third-party agency, rather than representatives of the Huione Group, had contacted the firm, which was completely blindsided.

It may seem insignificant, but in our report Smart Contract Audits Are Used to Scam You, we explain how, over the years, auditing companies have been exploited to lure victims into investing in fraudulent projects.
These audits are often perceived by the community as a stamp of legitimacy and security, making them a powerful tool for promoting scams and capturing the attention of retail investors.

Smart Contract Audits Are Used to Scam You

That Huione chose CertiK is telling, as there is no higher seal of approval. In line with other projects that have exploited auditing firms, Huione had little concern for the security of its contract; it simply needed the "audit completed" label from CertiK and immediately used it as a marketing tool to attract unsuspecting investors into its stablecoin. It is worth remembering what a smart contract audit does and does not establish: it reviews the contract code that was submitted, not the solvency of the issuer, the backing of the token, or the legitimacy of the business behind it.

Source: CertiK

In response, CertiK added a "Warning" label at the top of the USDH audit page on its website, stating:

"This project, along with the company behind it, has been identified by multiple sources as one of the largest illicit online marketplaces. It is strongly advised to avoid engaging with this project. Stay informed and exercise caution."

ChatMe: Huione's Telegram

The final piece of this self-reliant criminal biosphere is the launch of Huione's own version of its beating heart: Telegram.

Although Telegram is known for its complacency toward fraudulent activity on its platform, the scale of Huione's criminal operations, its use by high-profile threat groups, and its central role in today's pig-butchering industry could bring significant law enforcement and regulatory pressure on Telegram, pressure even it might struggle to resist.

The app was launched in August 2024, just one month after Elliptic's revelation, with functionality similar to Telegram's, while of course offering the same bots "used by Huione Guarantee to operate its marketplace," according to Elliptic's investigation.
As the messaging app is tailor-made to serve Huione's illicit activities, Huione's homegrown blockchain is also integrated into ChatMe.

Despite most of the Huione Group's apps being removed by Apple and Google, Huione Pay and ChatMe have survived the culling, with ChatMe still readily available on both Android and iOS at press time.

Source: Apple Store

An Unfathomable Growth

Since Elliptic's revelation in July 2024, Huione Guarantee has experienced unparalleled growth in the second half of the year.

One might have expected that the global exposure of Huione Guarantee, revealing it for what it truly was along with the criminal pyramid behind it, would have at least temporarily deterred criminals, especially under the weight of heightened scrutiny.

Yet the very opposite occurred.

First, Huione Guarantee was thrust into the spotlight, attracting not only the attention of law enforcement and anti-crime organizations but also the eye of criminals worldwide. Many may have discovered Huione's vast fraud ecosystem through the revelations, which inadvertently acted as an advertising stunt.

Second, Huione's response to the exposure may have further emboldened its vendors and clients while enticing new entrants.
Instead of lying low, scaling back, or going into hiding, Huione tripled down, throwing its resources into building a criminal hub designed to shield its users: a fully "closed-loop" system that would drastically reduce the chances of tracking and dismantling its clients' operations.

From a criminal perspective, Huione's resilience and commitment to creating the ultimate criminal haven would earn every praise.

Whatever the cause(s), it translated into the number of Huione Guarantee users surpassing 900,000, Elliptic reveals.

Elliptic also recorded that since its first investigation, Huione had grown its monthly inflows by 51%, that over $89 billion had been received by addresses connected to the Huione Group, its vendors, and other Huione-related activities, and that Huione Guarantee itself processed over $24 billion in transactions in 2024.

"Value of cryptocurrency received by wallets used by Huione Guarantee and its vendors." — Source: Elliptic

They also discovered that a gambling Telegram bot was used to launder proceeds totaling nearly $6 billion.

Huione's recent surge in activity has officially turned Huione Guarantee into "the largest online illicit marketplace to have ever operated," according to Elliptic's findings, nearly five times the size of the largest dark web marketplace.

Illicit Marketplaces Inflows — Source: Elliptic

Now an important question must be asked: how can a public entity that is openly part of the Southeast Asia criminal matrix operate in the open for three long years, functioning for all intents and purposes as the shadiest darknet black market?

The answer is disturbingly simple: the Huione Group is linked to Cambodia's ruling family, the Hun family.

IV — Huione Group and Pig-Butchering: The Cambodian Hun Family Connection

The Hun Family and The Huione Group

The most important piece of the Huione puzzle was revealed through Elliptic's discovery.
The Huione Group, behind Huione Guarantee, is directly linked to the Hun family through one of its branches, Huione Pay. One of Huione Pay's directors, Hun To, is a cousin of the current Cambodian prime minister.

According to Elliptic, Hun To is entrenched in criminal affairs: he is reportedly under investigation by Australian authorities for involvement in heroin trafficking and money laundering, and is also alleged to have connections with Chinese organized crime and scam compounds.

Hun To is also known as "the family's fixer for all things they would rather not come into public view," per Radio Free Asia.

Hun To — Source: Radio Free Asia

As the saying goes, the company doesn't fall far from its director.

Huione Pay is a payments and foreign exchange business that is an intrinsic part of the Huione Guarantee architecture. It was even publicly touted as such before the Elliptic report was published, after which all references to it were erased from the Huione Pay website.

Huione Guarantee being referenced on Huione Pay Website — Source

According to Elliptic's research, the Huione Group not only facilitates large-scale cyber scam operations in Southeast Asia through Huione Guarantee but also carries these criminal activities through to their conclusion, by operating a highly effective money laundering mechanism through Huione International Payments, a component of Huione Pay.

This entity acts as a merchant on Huione Guarantee and provides global money laundering services for the proceeds of crime. While investigating this branch of the Huione structure, Elliptic collected evidence that it touted its ability to launder money linked to "fine chat" (a euphemism for cyber scams, including pig butchering), and that one of its representatives openly discussed laundering $2 million from a "fine chat" for a 10.5% fee.

"A Huione Guarantee user asks for help laundering $2 million from a "quick kill" i.e. a scam. A representative of Huione International Payments, part of Huione Pay, responds and clarifies that their service is operated by Huione." — Source: Elliptic

As of now, the exact amount of criminal proceeds that have passed through Huione Pay, in addition to Huione Guarantee, is not known. However, since it has been operating silently and successfully, one thing is certain based on Elliptic's investigation: the Huione Group, as a whole, is a key criminal player in the region.

Another certainty is that a deep dive into the pig butchering economy in Cambodia since 2022 reveals that the existence and success of the Huione Group are far from a simple case of a prime minister's cousin going rogue.

The Hun Family and the Pig-Butchering Industry

Following the FBI's disclosure of the Lazarus Group's involvement with Huione Pay, the company's response was to feign ignorance, claiming it was unaware of the connection and stressing that Hun To's role as director did not involve "day-to-day oversight" of Huione Pay's operations.

The National Bank of Cambodia, on the other hand, asserted its authority by stating it "would not hesitate to impose any corrective measures" against Huione Pay, as the company is not permitted to engage in or trade crypto.
Whether the National Bank is merely putting on a show or is genuinely unaware of the situation in its own country remains unclear.

However, crumbs of evidence have been left behind, and following these leads reveals a disturbing picture of Cambodia today.

Revisiting the origins of pig butchering scams, recent findings by Elliptic and the UNODC report allow us to connect the dots, revealing that the Cambodian government appears to be a key enabler of these criminal activities.

All investigations and reports on the genesis of pig butchering reveal one truth: this industry could have been nipped in the bud when it was first born in Cambodia, instead of growing to the scale it has reached today.

If criminal organizations were able to set up, in plain sight, armed compounds holding thousands of enslaved people, it is because local authorities turned a blind eye to what was happening, a ProPublica report revealed. These cyberfraud operations in Cambodia often have links "not just to organized crime but also to the country's political and business elites."

In many cases "these scamming companies are backed up by senior Cambodian officials who benefit financially from these corrupt companies," said Phil Robertson, deputy Asia director of Human Rights Watch.

That is how, in almost burlesque fashion, these scam facilities, housed "in everything from office buildings to garish casino complexes," can also be found diagonally across the street from the summer residence of the Cambodian prime minister.
This is where the White Sand Palace, a gambling establishment, also houses pig-butchering operations on multiple floors.

"The White Sand Palace in Sihanoukville is only a block or so from the prime minister's summer residence." — Source: ProPublica

Although the discovery of the White Sand Palace, so close to the prime minister, initially seemed to reflect only the audacity of the criminal organizations behind pig butchering, two years later it appears to tell another story.

The UNODC's May 2024 report reveals that, in Myanmar as well as in Cambodia, "criminal interests have almost completely captured the state apparatus," which has led to "the proliferation of disaggregated webs of scam centers spanning major urban centers as well as more remote locations that are difficult for outside investigators or civil society to access."

It also refers to a detailed report published by Radio Free Asia, which uncovered how deeply illicit economic actors have penetrated Cambodia's formal economy.

Prince Group Holdings, a prominent Chinese-owned conglomerate in Cambodia, has been exposed for its involvement in human trafficking, money laundering, scamming, and illegal offshore gambling linked to pig butchering, among other activities. Despite its CEO Chen Zhi obtaining Cambodian citizenship, the Chinese authorities began scrutinizing the Prince Group in 2020, setting up a special task force in Beijing to investigate its extensive cross-border gambling operations.

"Chen Zhi was a backer of "The Prey," Cambodia's first attempt at producing its own Hollywood-style action movie. ("The Prey" / Altered Vision Films — Kongchak Pictures)" — Source: Radio Free Asia

The Prince Group is implicated in eight criminal cases across three Chinese provinces, including fraud, scams, illegal gambling, forced sex work, and money laundering.
Its Jinbei complex, located near Cambodia's border with Vietnam and managed by an affiliate, is connected to at least 83 criminal cases in nine Chinese provinces, 63 of them in Henan Province alone.

Additionally, Radio Free Asia reported that the Golden Fortune Science and Technology Park, built by the Prince Group and now hosting cyber-scam operations, is managed by executives allegedly connected to the Prince Group.

According to Radio Free Asia: "under Cambodian patronage, the Prince Group netted billions."

The most shocking part? Chen Zhi, according to Cambodian royal decrees found by RFA, was granted a role equivalent to that of a secretary of state as an adviser to the Interior Ministry, then became an adviser to former Prime Minister Hun Sen, and now holds the same position under Hun Sen's successor and son, Prime Minister Hun Manet.

"Chen Zhi stands with Cambodia's then-Prime Minister Hun Sen after Chen was made "neak oknha" on July 20, 2020. (Prince Holding Group)" — Source: Radio Free Asia

Radio Free Asia also revealed that one of the Prince Group's key specialities is money laundering.

So it is no surprise that during our investigation for this article we stumbled on the Prince Group again, this time on none other than the Huione Pay website, the money laundering machine directly linked to the prime minister's family.

Source: Huione Pay

No wonder, then, that Cambodia became the beating heart of the pig-butchering industry, and that in July 2022 the US State Department downgraded "Cambodia to the lowest tier on its annual assessment of how well countries are meeting standards for eliminating human trafficking."

Under international criticism, and after some denial and foot-dragging, Cambodia finally took steps to dismantle the pig-butchering industry within its borders in September 2022. Crackdown operations were carried out every week, freeing cyber slaves and protecting unsuspecting people from getting pig butchered.

Or so it appeared.

But then again, given everything revealed so far, it should come as no surprise that pig-butchering advocacy groups on the ground have reported otherwise.

In an interview with Voice of America in March 2024, Tola Moeun, executive director of the Phnom Penh-based Center for Alliance of Labor and Human Rights, stated, "From our observation, online scamming has not decreased. We don't know why there has been no clear action, and we continue to see this happening." An anonymous observer added, "It is clear that the volume of trafficking into Cambodia for forced scamming is back to pre-September 2022 levels and maybe exceeding that."

Reports indicate that authorities did not shut down operations; instead, these operations were only temporarily relocated while Cambodia was under scrutiny from the international community and China.

Since then, Sihanoukville, once the epicenter of pig butchering and nearly a ghost town after the "crackdown," has seen a massive return of scam centers. A new wave of foreigners, future victims of cyber enslavement, now arrives daily, going straight from the airport to the militarized scam compounds where they will be imprisoned.

For the enslavement victims, the situation is even worse than in 2022, as NGOs report that "identifying and rescuing victims has become more challenging." This difficulty is partly due to the Cambodian government's absolute denial of the true scale of the operations, treating it almost as a case closed after announcing that only 300 cases of "confinement" had been discovered since September 2022. The Cambodian Interior Ministry set up a "hotline" for scam victims, which multiple insiders reported has made "the rescue process more opaque," and the Cambodian authorities have effectively "cut off the role of the NGOs for help," according to Tola.

Cindy Dyer, U.S. Ambassador-at-Large to Monitor and Combat Trafficking in Persons, openly stated that "There's no way we could see the scale of operation in Cambodia without there being both low-level and high-level complicity. High-level government officials may be at the forefront. The low-level enforcement officers know who owns these things."

Another public figure who is not afraid of saying it as they see it is Australian MP Julian Hill. As previously mentioned, Hun To has been embroiled in multiple criminal cases in Australia. Hill, exasperated by Hun To's dealings in Australia, spoke in Parliament last March, arguing that Hun To and other politically connected Cambodian figures "should never again be granted visas to visit Australia. It's no secret that Hun To has his finger in lots of pies — drug trafficking, illegal deforestation, animal trafficking, illegal gambling. Most recently, we've heard reports he's dipping his toes into human trafficking [referring to pig butchering], as well. That's diversifying, isn't it?"

The one who cannot openly say what it would probably love to say is China. China has been the main driving force in dismantling the pig butchering industry and pushing hard against lax countries deeply involved in it. But according to Radio Free Asia, "Any attempt to charge Chen [Zhi] directly, then, would necessarily implicate Cambodia's top law enforcement official and embarrass both the former and current prime ministers.
Beijing spent decades of diplomatic effort and billions of dollars turning the Hun dynasty into one of China's most ardent friends."

Conclusion

"The principal local enforcement challenge in the key [pig butchering] host countries is undoubtedly political, not technological," says the UNODC report.

This statement could not be more accurate, as all evidence points to Cambodia's ruling family and complicit officials playing a key role in turning Southeast Asia into "the global ground zero, the primary testing ground, for high-tech money laundering and cybercrime operations."

Huione Pay wrote the following as an introduction: "Under the regional background of ASEAN economic integration and China's 'One Belt, One Road,' the Group is actively expanding its branches and partnership strategies to form a financial network that covers key cities in Cambodia and facilitates strategic cooperation between Southeast Asia, Hong Kong, Macao, and Taiwan […]."

Source: HuionePay

Well, it seems what they are truly bent on is becoming a cornerstone of a criminal version of "One Belt, One Road."

The Huione Group may seem unstoppable, especially if even China does not dare step on the toes of Cambodia's Hun family, which could attract waves of crypto criminals and their hundreds of millions in ill-gotten funds straight to the Huione money laundering machine.

One thing is almost certain: if the Lazarus Group continues using the Huione Group, and Huione does nothing about it, it could ultimately trigger a political battle between the US and Cambodia.

CONCLUSION

The crypto criminal landscape is nothing if not unpredictable. Who could have foreseen that last year's modest launch of a memecoin generator would not only fuel Solana's explosive growth but also become the epicenter for tens of thousands of pump-and-dump scams? Or that Inferno Drainer would rise from the dead, playing a pivotal role in this year's record-breaking amount of funds stolen through wallet drainers, only to (perhaps permanently) vanish once again? Or that address poisoning, once a niche scam, would evolve into one of the most formidable threats in the space?

Ironically, the crypto space has never been safer than it is today. Yet, with Bitcoin shattering the $100,000 barrier in 2024, triggering a seismic shift in financial and popular sentiment while attracting unprecedented institutional adoption, the stakes have never been higher. More liquidity and more investment, from seasoned financiers and eager newcomers alike, paired with the frictionless ease of digital theft, have turned crypto into the ultimate criminal playground. A place where every criminal dream can come true.

Crypto actors and investors won't just have to battle familiar threats like DPRK-backed groups; they will also likely face an unprecedented surge of new malicious players, drawn in by the immense incentives. Hacking, scamming, phishing, and even kidnapping for ransom could reach new heights, making the space more treacherous than ever before.

📍 Noteworthy Stories of 2024

• Solana's Institutional Surge: From Memecoin Playground to Wall Street's New Darling?
• Mt. Gox Unveiled: The Real Story a Decade After the Collapse
• Off-Exchange Settlement (OES): A New Pillar in Crypto Investment Security Architecture
• Ethena's USDe Explained: No Terra-Luna, but Major Risks Exist
• Why DAI is Favored Over USDT for Crypto Money Laundering
• When Crypto Scams Sponsored The Premier League
• Dating Apps Are a Crypto Scammer's Paradise
• The Multi-Million MEV Bot Scam Industry
• New Crypto Scam in Town: Point Running

About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.

Nefture's core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.

Book a demo 🤝

The 2024 Crypto Crime Report was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Medium » Coinmonks RSS Feed

10 Proven Ways AI Agents Can Boost Your Business Income

In today’s competitive digital economy, businesses must do more than just keep up — they need to optimize, automate, and scale smartly. Enter AI Agents — intelligent systems built to perform tasks, automate processes, and engage with users with little to no human input. From customer support to sales outreach, AI agents are transforming the way companies operate — and most importantly, they are significantly boosting revenue. Let’s dive into 10 proven ways AI agents can help your business increase income, scale efficiently, and stay ahead of the curve.

1. Automating Customer Support to Improve Satisfaction and Retention

One of the most popular applications of AI agents is in customer support automation. These AI agents, often in the form of chatbots or virtual assistants, handle thousands of customer queries instantly, 24/7. By providing quick, accurate responses, AI agents enhance customer satisfaction — leading to higher retention rates and increased lifetime customer value.

Revenue Impact: Faster support = happier customers = repeat purchases. Reducing churn even by a small percentage can lead to a significant increase in long-term income.

2. Upselling and Cross-Selling with Intelligent Recommendations

AI agents are excellent at analyzing customer behavior and purchase history in real time. They can recommend products or services that align with user preferences — right when customers are most likely to buy. Whether it’s suggesting accessories during checkout or upgrading a service plan, AI agents make upselling and cross-selling more personalized and effective.

Revenue Impact: Companies using AI-powered recommendation engines have seen sales increase by up to 30%, according to McKinsey.

3. Improving Lead Qualification and Conversion

AI agents can engage website visitors and qualify leads instantly by asking targeted questions, capturing contact details, and even scheduling demos. This means your sales team focuses only on high-quality leads — saving time and improving conversion rates.

Revenue Impact: Better lead qualification means shorter sales cycles, fewer missed opportunities, and more revenue per sales rep.

4. Reducing Operational Costs Through Task Automation

Routine tasks like data entry, report generation, or scheduling can consume significant team bandwidth. AI agents automate these operations with speed and accuracy — reducing the need for large operational teams.

Revenue Impact: Lower operational costs directly boost net income. AI automation can reduce labor costs by 30–40% in some industries.

5. Enhancing Personalization Across Marketing Channels

Today’s customers expect personalized experiences, and AI agents deliver just that. By analyzing user behavior across touchpoints, AI agents can create tailored email campaigns, website content, and product offerings.

Revenue Impact: Personalization drives up to 80% higher engagement and significantly increases conversion rates, making every marketing dollar more effective.

6. Scaling Customer Engagement Without Hiring More Staff

AI agents can handle unlimited conversations simultaneously. Whether you’re launching a new campaign or handling a seasonal traffic surge, AI agents scale customer engagement without the need for additional hires.

Revenue Impact: Scaling conversations without scaling headcount means you can grow revenue without increasing overhead.

7. Boosting Sales With Real-Time Support and Follow-Up

AI sales agents can follow up with leads via email, chat, or SMS in real time — without human delay. They can answer objections, provide information, and gently push the lead toward conversion.

Revenue Impact: Quicker follow-up means fewer cold leads and higher deal closures, directly increasing sales performance.

8. Enabling 24/7 Sales and Support Coverage Globally

AI agents don’t sleep. They provide round-the-clock support to customers across time zones, ensuring no sales opportunity or support request is missed.

Revenue Impact: With 24/7 operations, businesses can serve international markets and generate income even while they sleep.

9. Providing Insights That Drive Revenue Strategy

AI agents don’t just act — they analyze. They collect and report valuable data about customer interactions, pain points, and product interest. This helps businesses optimize pricing, offers, and communication strategies.

Revenue Impact: Data-driven decisions based on AI agent insights lead to smarter marketing, better product positioning, and increased conversion.

10. Launching AI-Powered Products and Services

Some businesses are now offering AI agents as part of their product lineup — like virtual financial advisors, learning assistants, or booking agents. By developing and monetizing AI-driven services, companies create entirely new revenue streams.

Revenue Impact: Monetizing AI directly turns it from a cost center into a revenue-generating product, with high scalability potential.

How to Get Started with AI Agents?

If you’re not yet using AI agents, here are key steps to begin:

a) Identify Revenue Bottlenecks: Look for areas in your sales, support, or marketing pipeline where delays or inefficiencies are affecting revenue.
b) Choose the Right Use Case: Pick a high-impact use case like customer support automation, lead generation, or sales engagement.
c) Select a Suitable AI Agent Platform: Opt for a platform that supports no-code/low-code AI agent development, integrates with your CRM and tools, and allows customization.
d) Train and Optimize: Ensure your AI agents are trained with the right data, prompts, and responses. Monitor performance and continuously improve.

AI Agent Platforms to Consider

Some popular AI agent tools for businesses include:
Intercom AI — Support chatbots with lead capture
Drift — AI for sales conversation
HubSpot AI — Smart CRM automation
Kore.ai — Conversational AI for enterprise automation
Custom AI Agent Studios — Develop GPT-based AI agents tailored to your workflows using custom AI studios.

Real-World Results: Case Studies

E-commerce Brand: Increased sales by 25% using AI chatbots for upselling during checkout.
SaaS Company: Reduced support costs by 35% after deploying AI agents for Tier 1 queries.
Consulting Firm: Closed deals 2x faster by using AI agents to follow up with leads and schedule meetings.

These results are not anomalies — they’re happening across industries as AI agents evolve.

Final Thoughts

AI agents are no longer just hype — they deliver real business value and revenue impact across industries. Whether you’re a startup aiming to scale or an enterprise optimizing operations, AI agents can increase your income while reducing costs. The key is to start small, focus on measurable outcomes, and scale your AI strategy based on results. In an age where agility and efficiency determine winners, AI agents offer the ultimate competitive edge.

10 Proven Ways AI Agents Can Boost Your Business Income was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Medium » Coinmonks RSS Feed

How to Build an AI Agent to Turn Videos into Blog Posts?

In an era dominated by short-form videos and long-form written content, bridging the gap between visual media and textual output has become a powerful strategy for content marketers, educators, and businesses. Videos often carry rich insights — but without a written counterpart, they remain underutilized in search engines and repurposing workflows.

Enter the AI Agent — a purpose-built, intelligent system that automates the process of converting videos into well-structured blog posts. In this guide, we’ll walk you through how to build an AI agent that turns videos into blogs, from transcription to topic extraction to final formatting.

What Is an AI Agent?

An AI Agent is a software system powered by artificial intelligence (typically large language models and automation logic) that can observe, decide, and act. Unlike static tools, AI agents are dynamic — they can process inputs (like videos), perform multi-step reasoning (like summarizing), and produce contextual outputs (like blog articles).

Building an AI agent for video-to-blog transformation means automating the following steps:
✦ Extracting video/audio content
✦ Transcribing speech to text
✦ Understanding the key themes and context
✦ Structuring the information into coherent blog content
✦ Formatting it in a readable, SEO-optimized format

Let’s explore how to build this.

Step 1: Define the Workflow of the AI Agent

The first step is outlining what your AI agent will do. Here’s a standard flow:
Input: Video (YouTube, MP4, or URL)
Speech-to-Text: Transcribe spoken content
Content Understanding: Use NLP to extract key themes, topics, and insights
Outline Generation: Create blog structure (intro, sections, conclusion)
Content Creation: Draft blog sections using AI
Post-Processing: Apply formatting, SEO keywords, grammar checks
Output: Ready-to-publish blog post

You’ll also need to define where each part runs — some in the cloud, some locally, and others via third-party APIs.

Step 2: Choose the Right Tools and Tech Stack

Building this AI agent requires combining various tools:
🔸 AI/ML Models: OpenAI GPT-4 or Claude for blog generation; Whisper API or AssemblyAI for video transcription
🔸 Programming Languages: Python (most popular for AI agent orchestration)
🔸 Frameworks: LangChain / LlamaIndex (for chaining AI tasks); Haystack (for document pipelines); FastAPI (to build the web interface)
🔸 Hosting: AWS Lambda, Google Cloud Functions, or Vercel for serverless deployment

Step 3: Extract Audio and Transcribe

Use ffmpeg to extract audio from the video file:

    ffmpeg -i video.mp4 -q:a 0 -map a audio.mp3

Then feed the audio to a transcription API:

Option 1: Whisper (OpenAI)

    import openai

    # openai 0.x interface; openai 1.x exposes the same call as
    # client.audio.transcriptions.create(model="whisper-1", file=audio_file)
    with open("audio.mp3", "rb") as audio_file:
        transcript = openai.Audio.transcribe("whisper-1", audio_file)

Option 2: AssemblyAI
Upload and transcribe audio using their REST API.

Transcription turns your video into a text-rich resource ready for processing.

Step 4: Clean and Segment the Transcript

Once you get the transcript, clean up issues like:
✦ Filler words (“uh,” “you know”)
✦ Incomplete sentences
✦ Speaker tags (optional)

Then segment it based on topics using topic modeling with spaCy or GPT. You can use GPT to summarize by sections:

    prompt = "Split the transcript below into topic-based sections and summarize each one in 3-4 lines."

Step 5: Generate a Blog Outline

Feed the segmented transcript into an AI model and generate a blog structure. A simple prompt to GPT-4 could be:

“Based on the transcript, create an outline for a blog post with an introduction, 3–5 main sections, and a conclusion.”

The response will look like:

Example Outline:
Introduction: What the video is about
✦ Key Takeaway 1
✦ Key Takeaway 2
✦ Case Study or Example from the video
✦ Actionable Tips
✦ Conclusion

This outline is the skeleton for your blog.

Step 6: Draft Blog Content With GPT

Once the outline is ready, you can prompt the AI to generate each section:

    prompt = f"""Using the transcript and the outline section titled '{section_title}', generate a 300-word blog section. Make it professional, clear, and SEO-friendly."""

You can loop through each section and generate the body content dynamically.

Optional Enhancements:
✦ Use embeddings (like OpenAI Embeddings) to better match context
✦ Use agents to fact-check or pull supporting data

Step 7: Format, Polish, and Optimize for SEO

Once you have the content:
✦ Run Grammarly API or LanguageTool to clean grammar
✦ Use tools like Yoast SEO API or SurferSEO for keyword optimization
✦ Add headers (<h2>, <h3>), bullet points, and metadata for blog CMS

Example Formatting Function:

    def format_blog(content):
        # Turn single line breaks into paragraph breaks and strip markdown bold markers
        return content.replace("\n", "\n\n").replace("**", "")

You can even automate title and meta description generation using:

    prompt = "Generate an SEO-optimized blog title and 160-character meta description for this blog content."

Automate with an AI Agent Framework

Now that your steps work individually, combine them using LangChain (Python). LangChain helps orchestrate multiple AI steps:

    from langchain.chains import SequentialChain

    chain = SequentialChain(
        chains=[transcription_chain, summarization_chain, generation_chain],
        input_variables=["video_input"],
        output_variables=["blog_output"],
    )

You can create agents with memory, tools, and conditional logic, making it modular and adaptive.

Step 8: Test, Refine, and Scale

Before going live:
✦ Test with various video types: interviews, tutorials, webinars
✦ Refine prompts based on quality feedback
✦ Monitor performance, cost per generation, and SEO results

You can track output quality by measuring:
✦ Readability (Flesch score)
✦ Keyword density
✦ Organic traffic improvement (Google Analytics or Search Console)

Real-World Use Cases

1. YouTubers: Convert video content into blog posts to improve search visibility and repurpose long-form ideas.
2. EdTech Companies: Turn lectures or course videos into study guides and blog resources.
3. Product Companies: Repurpose demo videos into blog tutorials and user documentation.
4. Marketing Agencies: Batch-convert webinar recordings into SEO-friendly thought leadership content.

Bonus: Add UI for Non-Technical Users

Use Streamlit or Gradio to make a drag-and-drop interface for clients or team members:

    import streamlit as st

    st.title("Video to Blog Converter")
    uploaded_file = st.file_uploader("Upload your video")

You can connect it to the backend AI agent via API for real-time blog generation.

Future Enhancements
Multilingual Support: Add translation layers
Voice Tone Control: Let users choose tone: casual, formal, technical
YouTube API Integration: Direct input from YouTube URLs
CMS Integration: Publish to WordPress or Medium automatically

Final Thoughts

Building an AI agent to turn videos into blog posts is not just possible — it’s incredibly powerful. It saves time, boosts SEO, repurposes content effectively, and helps scale brand authority. By combining tools like Whisper, GPT-4, LangChain, and basic Python scripting, you can create an agent that:
✦ Understands your video content
✦ Extracts insights
✦ Writes human-like blogs
✦ Optimizes for engagement and visibility

In today’s content-driven world, automating blog generation from video isn’t a gimmick — it’s a business advantage. If you’re ready to stop wasting your video content’s full potential, now is the time to build your AI agent.

How to Build an AI Agent to Turn Videos into Blog Posts? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Medium » Coinmonks RSS Feed

One Platform. Multiple Markets. Infinite Possibilities.

Step into the world of global trading with NordFX — where every trader, from beginner to pro, finds the perfect tools to grow 📊💡

💱 Trade everything from Forex to Stocks, Indices, Crypto, and Commodities — all from one account!
📲 Platforms: MetaTrader 4, MetaTrader 5, and the powerful web terminal

🎯 Choose your ideal account:
🔵 Pro Account — From just $10, commission-free, user-friendly
⚫ Zero Account — From $100, ultra-tight 0.0 pips spreads, ECN access
🧪 Plus: A $10,000 demo account to practise risk-free!

⚡ Enjoy instant execution, leverage up to 1:1000, and support for crypto deposits & withdrawals 🚀
🛠️ Smart tools: stop-loss, take-profit, margin monitoring — everything you need to trade with confidence!
📈 Whether you prefer detailed charting on MT5 or trusted execution on MT4 — NordFX has it all.

🌟 Ready to explore your trading potential?
👉 Sign up now: 🔗 https://account.nordfx.com/account/register?id=1187185

#NordFX #ForexTrading #CryptoTrading #MetaTrader #GlobalMarkets #OnePlatform #FinancialFreedom #ZeroSpreads #TradeSmart #NordFXPro

🚀 One Platform. Multiple Markets. Infinite Possibilities. 🌍📈 was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Medium » Coinmonks RSS Feed

Pentagon Eyes Microsoft Copilot as AI Arms Race Heats Up

[Our AI Business Services] — [Advertise with Us!]

Friday’s here, and so are rising temperatures, rising tensions, and rising defense contracts. As global conflicts escalate, AI companies are rushing into the defense sector, landing lucrative deals that raise both opportunity and concern. We break down who’s cashing in and what it means for the world. Also, is Meta AI a mess, and why is your data at risk, and should AI be mandatory in schools? Ohio State says yes — we dig into the debate.

📰 News and Trends
Is Meta AI leaking your info
🧰 AI Tools — Summer Camps
Pentagon Eyes Microsoft Copilot as AI Arms Race Heats Up
Will AI be Mandatory for All Students
🧠 Learning Corner — How AI is created

📰 AI News and Trends

Google DeepMind launched an artificial intelligence weather-forecasting tool that it said is better at predicting cyclones than existing systems.
AI is making health care safer in the remote Amazon, where overburdened clinics and pharmacists use AI to catch dangerous errors; this could become a big positive for remote areas worldwide.
Disney and Universal are suing Midjourney. Meanwhile, the TikTok parent’s new model tops leaderboards for both text-to-video and image-to-video tasks, beating Google’s Veo 3 and OpenAI’s Sora.
Mattel is teaming up with OpenAI to create AI-enabled toys, but don’t expect to unwrap a ChatGPT Barbie this winter holiday yet.

🌐 Other Tech news

Congress Demands Answers on Data Privacy Ahead of 23andMe Sale
Brazil is courting investors to develop its vast rare-earth deposits as it looks to become an alternative to China, the world’s biggest producer
World Bank lifts ban on funding nuclear energy in boost to industry
Shopify partners with Coinbase and Stripe in landmark stablecoin deal
Bioengineered tooth “grows” in place to look and feel like the real thing
US air traffic control still runs on Windows 95 and floppy disks

Is Meta AI leaking your personal info

Meta’s new standalone AI app is under fire for exposing users’ private chats publicly, often without them realizing. The app includes a “share” button that makes it easy to post text, audio, or images from conversations with Meta AI, but many users appear unaware their content is going public.

Examples of what’s been shared publicly include:
Audio clips about flatulence
Legal questions including names of people involved in crimes
Sensitive medical or legal information
Home addresses and personal data
Bizarre AI-generated images (e.g., Mark Zuckerberg with a pregnant belly)

The app doesn’t clearly explain privacy settings or warn users if their content will be posted publicly, especially for those logged in via Instagram with public profiles.

The app isn’t doing very well: only 6.5 million downloads since its April 29 launch, which is a small figure for Meta. The company launched a tool with minimal privacy guardrails, and it’s quickly becoming a viral embarrassment full of sensitive disclosures and trolling content, raising serious concerns about user awareness and data safety. If all the data shared on Facebook, WhatsApp and Instagram is at risk, this can be a fatal fail for such a tech behemoth. As we always say, be very careful what you share on social media.

🧰 AI Tools

Summer Camps

CampNavigator — Smart filters and personalized search based on age, interests, and budget. Families looking for camps across the U.S., including STEM, sports, and arts
ActivityHero — Personalized recommendations and scheduling based on preferences and past behavior. Local day camps, enrichment programs, and after-school activities
Zein Childcare Camp Finder (U.K. / Intl.) — Matches expat families with age-appropriate camps and bilingual staff using filters. International families and multilingual kids in Europe
Sawyer — Recommendation engine based on user profiles and reviews. Urban families looking for creative and educational camps in major cities
SummerCamps.com — Smart search that adapts to filters like sports, tech, sleepaway, and special needs. Nationwide camp discovery, including niche and specialty programs

Download our list of 1000+ Tools for free.

Pentagon Eyes Microsoft Copilot as AI Arms Race Heats Up

Microsoft is preparing to launch a secure version of its AI tool, Copilot, for the U.S. Department of Defense (DoD) by summer 2025. This AI assistant, embedded in Microsoft 365 apps like Word, Excel, and PowerPoint, is being tailored to meet the DoD’s strict security and compliance standards, including deployment via GCC High, the U.S. government’s secure cloud platform.

Microsoft has not named the customer, but internal discussions suggest a client with over 1 million Microsoft 365 licenses is adopting Copilot — pointing strongly to the Pentagon, which employs 2.1 million military personnel and 770,000 civilian workers.

Strategic Context

The rising global and domestic security tensions are fueling defense investment, and companies are eager to participate and win government contracts. For example, the recent Israel-Iran military escalation and nuclear threats, the continued war in Gaza, and National Guard deployments amid civil unrest in U.S. cities are accelerating this trend.

Tech Giants Fueling Defense Innovation

Beyond Microsoft, several companies are rapidly scaling their defense offerings, and alliances like Anduril and Meta, which partnered to design, build, and field a range of integrated XR products for warfighters, will become more common. Some examples:

Palantir — Predictive AI, battlefield intel systems; over $1.9B in gov contracts
Anduril — Autonomous drones, AI targeting; valued at $12B+
Shield AI — AI copilots for fighter jets; used by Air Force and Navy
Skydio — U.S.-made autonomous drones replacing banned foreign UAVs
Amazon (AWS) — Secure hosting for CIA, DoD; part of $9B JWCC
SpaceX (Starlink) — Satellite comms for Ukraine, missile tracking
Rebellion Defense — AI for battlefield decision-making and simulation
Epirus — AI-powered anti-drone energy weapons

As military AI adoption accelerates, Microsoft’s secure Copilot rollout marks a pivotal step in embedding generative AI into defense operations. It also underscores how Big Tech is no longer just a vendor; it’s becoming part of the defense infrastructure.

🚀 Bring Your Website to Life with an AI Chatbot

We just created a chatbot for this newsletter. I want to create one for you. Save time and invest it where it matters most — your growth. We’ll build a custom AI chatbot trained on your content (PDFs, site, FAQs) that answers customer questions 24/7, captures leads, and cuts your support load in half.

✔️ Built in 48 hours
✔️ No coding needed
✔️ Fully branded for your business

👉 Check ours live here
📩 Contact us to get started

Let’s build your chatbot and turn your site into a smart assistant.

Will AI be Mandatory for All Students

Starting Fall 2025, Ohio State University will require every student to use AI in the classroom as part of a new initiative to build “AI fluency.” The goal is for students to be “bilingual” in both their major and AI application, according to Provost Ravi Bellamkonda.

To accomplish this, students must take an AI skills seminar tailored to their major (e.g., using AI to draft lesson plans in education). Faculty like philosophy professor Steven Brown encourage open AI use, including ChatGPT-based assignments. OSU joins schools like Duke University, which now offers unlimited ChatGPT and its own “DukeGPT.”

Students love it, but critics have pointed out that AI still suffers from factual errors and hallucinations, lacks expert-level reasoning, and should be used with care. Some studies link AI use in education to lower grades and reduced critical thinking, and mandatory adoption may normalize flawed tech as indispensable before long-term risks are fully understood.

OSU is betting big that AI will be essential to the future workforce — but not everyone agrees it’s ready for the classroom.

🧠 Learning Corner

How AI is created by Andrej Karpathy
https://medium.com/media/02dab0082c5bf15b92cc2d0f976e4d88/href

🛰️Pentagon Eyes Microsoft Copilot as AI Arms Race Heats Up was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Disclaimer: Blockes News is an AI-powered aggregator that summarizes content from original news outlets. All rights and ownership of the articles and media belong to their respective sources. We do not create or alter the news — we simply highlight and link to the original stories for your convenience and awareness. Always refer to the original source for full details. We only display content provided in the summary section of RSS feeds. If you are a content owner and wish to have your material removed, please contact us.
