Crypto

Warning Crypto Investors—This Malicious Code Could Empty Your Wallet

Published

1 year ago

December 19, 2024

Press Room

Warning Crypto Investors—This Malicious Code Could Empty Your Wallet

Bitcoin emblem over a graph.

getty

Recent reports have uncovered a series of malicious extensions in the Visual Studio Code, or VSCode, marketplace, targeting software developers and cryptocurrency enthusiasts with sophisticated attacks designed to compromise their systems and steal sensitive data. VSCode is a popular code editor used by millions of developers worldwide.

Security researcher Amit Assaraf recently revealed how attackers are exploiting the VSCode marketplace. Assaraf uncovered extensions that appeared to offer valuable features but were, in fact, Trojan horses for malware. One extension, masquerading as an official Zoom integration, seemed legitimate, boasting numerous installs and positive reviews. However, upon installation, the extension downloaded a malicious script from a Russian server, executing unauthorized commands on victims’ machines.

The attackers had carefully crafted their extensions to look authentic. They used fake reviews, linked to reputable repositories, and inflated download counts to make the tools appear credible—practices that can lull even experienced developers into a false sense of security.

Crypto in the VSCode Crosshairs

Further investigations revealed that this malicious activity is part of a broader campaign targeting developers working in blockchain and cryptocurrency environments. Reporting from BleepingComputer noted that some of these extensions claimed to support Ethereum development or blockchain toolkits. They also provided the following list of ones that were submitted to the VSCode marketplace:

EVM.Blockchain-Toolkit
VoiceMod.VoiceMod
ZoomVideoCommunications.Zoom
ZoomINC.Zoom-Workplace
Ethereum.SoliditySupport
ZoomWorkspace.Zoom (three versions)
ethereumorg.Solidity-Language-for-Ethereum
VitalikButerin.Solidity-Ethereum (two versions)
SolidityFoundation.Solidity-Ethereum
EthereumFoundation.Solidity-Language-for-Ethereum (two versions)
SOLIDITY.Solidity-Language
GavinWood.SolidityLang (two versions)
EthereumFoundation.Solidity-for-Ethereum-Language

Adding to these findings, researchers at ReversingLabs uncovered how the VSCode campaign overlaps with similar malicious activity in the npm package repository. An npm package is a piece of reusable code that can be easily shared, distributed and integrated into software projects. These packages are used to build applications faster by reusing common functionalities, rather than writing everything from scratch. In their report, ReversingLabs explained how attackers often use multiple platforms to spread their malware, creating a more extensive attack surface that targets developers across ecosystems.

The Vulnerabilities Of The VSCode Ecosystem

While VSCode is celebrated for its versatility and user-friendly extension system, these same features make it a prime target for attackers. The issues stem from several vulnerabilities within the extension ecosystem:

Unverified Publishers: Most of the extensions in the VSCode marketplace come from unverified publishers. This leaves developers with little assurance about an extension’s authenticity.
Trust in Metrics: Developers often rely on install counts and reviews to gauge an extension’s credibility. Attackers exploit this trust by inflating these metrics and posting fake reviews.
Limited Oversight: Despite Microsoft’s efforts to monitor and remove malicious extensions, the sheer volume of offerings in the marketplace makes it challenging to detect threats promptly.

VSCode: A Secondary Threat

Cryptocurrency wallets, whether stored on a computer or secured with a hardware wallet, are critical tools for managing digital assets. While these wallets are designed to protect private keys and transactions, the surrounding software environment—such as VSCode—can introduce vulnerabilities that put funds at risk, especially for wallets stored on a computer. Recent discoveries of malicious VSCode extensions demonstrate how a compromised development environment can lead to significant crypto losses, even for those who believe their wallets are secure.

The VSCode Threat to Computer Wallets

For users storing cryptocurrency on a desktop wallet, the risks posed by malicious VSCode extensions are immediate and direct. Here’s how it can happen:

Keystroke Logging: A malicious VSCode extension, installed unknowingly, can quietly monitor and log every keystroke. If a user types in their wallet password, private keys or recovery phrases, this sensitive information is captured and sent to the attacker. Even the most secure desktop wallet becomes vulnerable if its credentials are exposed.
Clipboard Hijacking: During transactions, users often copy and paste wallet addresses to avoid manual errors. Malware embedded in a VSCode extension can intercept clipboard activity, replacing the intended wallet address with the attacker’s. Without double-checking the address, the user may unknowingly send funds directly to the hacker.
Fake Prompts or Interfaces: Some malicious extensions inject phishing-style prompts into the software environment, asking users to “verify” their wallet credentials or seed phrases. These prompts appear legitimate, but the data entered is captured by the attacker.
Manipulated Transactions: For developers working with blockchain APIs, malicious extensions can intercept and alter transaction details. For instance, if a wallet is used to send funds programmatically, an attacker could change the destination address or transaction parameters without the user noticing.

Imagine a blockchain developer using VSCode to build an app that integrates with their desktop wallet for testing purposes. They install an extension claiming to simplify Ethereum contract deployment. Unbeknownst to them, the extension is malicious. It begins logging keystrokes and steals the wallet password. When the developer initiates a test transaction, the extension intercepts the API call and replaces the intended recipient address with one controlled by the attacker. The funds are irretrievably sent to the wrong destination.

These revelations are a wake-up call for developers and platform administrators alike. The trust users place in extension marketplaces is being weaponized. Relying on trust metrics alone—such as download counts or reviews—is not sufficient. Developers must remain vigilant and take proactive measures to protect their environments and their cryptocurrency.

Click to comment

Crypto

Debate Brews Over Crypto Kiosks As Lawmakers Consider Potential Ban

Published

4 hours ago

February 27, 2026

Press Room

Debate Brews Over Crypto Kiosks As Lawmakers Consider Potential Ban

Lawmakers Consider Crypto ATM Ban as Scam Losses Rise — Including in Central Minnesota

Minnesota lawmakers are considering banning cryptocurrency kiosks as scam losses continue to rise across the state—including in Central Minnesota.

There are currently about 350 crypto kiosks operating statewide, located in places like gas stations, convenience stores, and grocery stores. These machines allow users to deposit cash and convert it into cryptocurrency, which can then be sent electronically.

Law enforcement officials say scammers are increasingly directing victims to use these kiosks because once the money is sent, it is extremely difficult—if not impossible—to recover.

Police say scams often begin with a phone call, text, or online message. In many cases, scammers pose as government officials, tech support workers, or even romantic partners. Victims are eventually told to withdraw cash and deposit it into a crypto kiosk to “protect” their money or resolve a supposed emergency.

Central Minnesota has seen similar cases. Because St. Cloud serves as a regional hub for shopping and services, crypto kiosks are available locally, giving scammers access points to target area residents.

Some say kiosks also serve legitimate users

Despite the concerns, crypto kiosks do offer legitimate benefits. They allow people to purchase cryptocurrency quickly using cash, without needing a traditional bank account, credit card, or online exchange. Supporters say this can make cryptocurrency more accessible, especially for people who prefer cash transactions or have limited access to banking services.

Crypto kiosks can also be used to send money quickly, including international transfers, without relying on traditional wire services. Some users view them as a convenient way to invest in cryptocurrency or move money electronically without going through a bank.

Companies that operate the machines say the vast majority of transactions are legitimate and that kiosks include warnings about scams. They argue the focus should be on stopping scammers, not banning the machines entirely.

Lawmakers weighing next steps

Supporters of the proposed ban say removing the kiosks could help prevent fraud and protect vulnerable residents, particularly older adults. Law enforcement officials told lawmakers that crypto kiosk scams have resulted in significant financial losses statewide.

Minnesota passed regulations in 2024 requiring some safeguards, including limits on deposits for new users and refund requirements in certain fraud cases. But officials say scammers have continued to adapt.

The bill remains under consideration at the Capitol.

In the meantime, authorities urge Central Minnesota residents to be cautious. Officials emphasize that legitimate government agencies, law enforcement, and businesses will never ask someone to deposit cash into a cryptocurrency kiosk.

As cryptocurrency becomes more common, lawmakers are now weighing whether the risks to consumers outweigh the convenience and accessibility these machines provide.

10 (More) Hilariously Bad Google Reviews of Central MN Landmarks

Crypto

Cryptocurrency Investment Fraud: Bizman loses Rs 2.6 cr to crypto, investment fraud | Hyderabad News – The Times of India

Published

16 hours ago

February 26, 2026

Press Room

Hyderabad: A 69-year-old businessman from Somajiguda lost 2.65 crore allegedly in a cryptocurrency and stock investment fraud. Based on his complaint, Hyderabad Cyber Crime police have registered a case.The complainant was first contacted by a fraudster posing as Ramya Krishnan on Aug 30, 2025 through Facebook. She persuaded the victim to invest in a cryptocurrency and stock trading platform, Polyus Finance PFP Gold, hosted at the domain pfpgoldfx.vip, promising high returns to finance his proposed resort and apparel ventures.Fraudsters provided the victim a contact number for daily communication and sent screenshots showing notional profits credited in his wallet in USDT cryptocurrency. To build trust, the fraudster even allowed the victim a token withdrawal of 4,300 on Sept 12, 2025.Encouraged, the victim transferred over 2.65 crore in 10 transactions between Sept 10 and Dec 39, 2025 to various current accounts provided by the accused.When he attempted to withdraw his ‘earnings’, the accused demanded an additional 15% conversion commission. After he refused, the website became inaccessible and calls to the fraudsters went unanswered.Realising that he was duped, the victim filed an online report on the National Cybercrime Reporting Portal (NCRP) before approaching the Cyber Crime police on Feb 25.Based on his complaint, a case was registered under Sections 66C and 66D of the Information Technology Act and Sections 111(2)(b) (Organised crime), 318(4) (Cheating), 319(2) (Cheating by personation), 336(3) (Forgery for purpose of cheating), 338 (Forgery of valuable security, will, etc.) and 340(2) (Using as genuine a forged document or electronic record) of the Bharatiya Nyaya Sanhita on Wednesday. Police were analysing financial transactions to identify and arrest the accused.

Crypto

Terror groups receive $1.7b. from Iran through Binance | The Jerusalem Post

Published

1 day ago

February 26, 2026

Press Room

Terror groups receive .7b. from Iran through Binance | The Jerusalem Post

Iranians were able to access more than 1,500 Binance accounts last year, and $1.7 billion was transferred from two of them to terrorist proxies, The New York Times reported Monday.

That was a potential violation of global sanctions, the report said, citing company records and documents collected by internal investigators.

The cryptocurrency exchange site reportedly fired or suspended at least four employees cited in the internal investigation. The company blamed “violations of company protocol” relating to its clients’ data, the Times reported.

The report came days after The Jerusalem Post spoke with experts from blockchain intelligence platform NOMINIS.io about how the Iranian regime was evading Western sanctions through cryptocurrencies.

The regime maintains a steady income using cryptocurrency through oil sales to Russia and China, NOMINIS CEO Snir Levi said at the time.

Binance founder Changpeng Zhao, who pleaded guilty to failing to implement a program to prevent money laundering, arrives for his sentencing in federal district court in Seattle, Washington. (credit: REUTERS/Deborah Bloom)

Regarding the latest scandal, he told the Post this week: “The latest allegations about Binance come months after the lawsuit by the victims’ families of October 7 – the ongoing Balva [versus] Binance case.

The majority of the allegations can be easily confirmed by on-chain data. There are thousands of cases where money has been sent and received to and from wallets that have clear connections to Iran.”

Binance founder Changpeng Zhao is being sued by the families of American victims and hostages of the October 7 massacre. He has been accused of knowingly enabling Hamas, Hezbollah, Palestinian Islamic Jihad, and Iran’s Islamic Revolutionary Guard Corps to transfer more than $1b. through its platform, including more than $50 million after the October 7 massacre.

Zhao pleaded guilty to anti-money-laundering violations in connection with Binance in 2023. US President Donald Trump pardoned him last October.

“They say what he did was not even a crime,” Trump told reporters last October. “It wasn’t a crime. That he was persecuted by the Biden administration, and so I gave him a pardon at the request of a lot of very good people.”

Binance representative Rachel Conlan said the accounts linked to the $1.7b. in Iranian transactions have been removed and the relevant authorities were informed.

“Any suggestion that Binance knowingly allowed sanctionable activity to continue unchecked is incorrect and defamatory,” she said, despite Zhao’s earlier admission of anti-money-laundering violations.

More than half a dozen compliance officials have left Binance, including a sanctions manager and the leader of the enterprise compliance team, over the past few months, the Times reported.

“No investigator was dismissed for raising compliance concerns or for reporting potential sanctions issues,” Conlan said in a statement to The Guardian.

Democrat senator opens inquiry into cryptocurrency company

While Conlan insisted there was no wrongdoing, US Sen. Richard Blumenthal (D-Connecticut) opened an inquiry into Binance on Tuesday, seeking records of the company’s dealings in Hong Kong , where funds have previously been transferred in a network against sanctions.

“Binance appears to have ignored warnings and recommendations to prevent Iranian money-laundering schemes on its cryptocurrency exchange,” Blumenthal wrote in a letter to Binance co-chief executive Richard Teng.

“According to documents obtained by the Times and the Journal, Binance was even warned that Hexa Whale was financing terrorist organizations such as the Yemeni Houthis, and internal investigators found cryptocurrency transfers to wallets associated with Iran’s Islamic Revolutionary Guards Corps and payments to crew members of Russia’s sanctions-evading shadow fleet of oil tankers,” he wrote.

“Instead of actually preventing illicit use, Binance has sought to evade accountability and influence the White House through lobbying and a financial partnership with World Liberty Financial (WLFI), the cryptocurrency firm owned by the sons of President Trump and his special envoy Steve Witkoff… This influence campaign has worked: In May 2025, the Securities and Exchange Commission announced that it was dismissing a lawsuit against Binance for lying to regulators and mishandling funds, followed in October by the stunning Presidential pardon of founder Changpeng Zhao.”

“The scale of the newly revealed illicit transfers – uncaught until nearly $2 billion flowed to sanctioned entities – and the unexplained firing of internal investigators call into question Binance’s compliance with American sanctions and banking laws, and its 2023 agreement to resolve the previous federal investigation,” Blumenthal wrote.