Daily Vecsignal - Claude's Dark Code: When AI Helps Hackers Empty Your Crypto Wallet

 May 01, 2026 | VECS News


Cybersecurity researchers have uncovered a chilling new attack vector targeting the cryptocurrency ecosystem. North Korea's state-sponsored hacking group Famous Chollima successfully tricked Anthropic's Claude Opus large language model into adding malicious code to an open-source crypto trading project called openpaw-graveyard. The malware codenamed PromptMink has been actively stealing wallet credentials system information and SSH keys since September 2025 with the attack reaching full potency in February 2026 .


The breach occurred through a seemingly routine software update on February 28 2026. A commit co-authored by Anthropic's Claude Opus LLM added a dependency called "@validate-sdk/v2" to the openpaw-graveyard project which is an autonomous AI agent that trades cryptocurrency on Solana and creates on-chain social identities . The package was listed on npm as a utility SDK for hashing and validation. But security researchers at ReversingLabs discovered that its real function was to plunder sensitive secrets from compromised environments including crypto wallet credentials and private keys .


What makes this attack particularly alarming is the sophisticated two-layer deception strategy that proved especially effective against AI coding assistants. The hackers deployed first-layer packages such as "@solana-launchpad/sdk" and "@meme-sdk/trade" which contained no malicious code at all. These acted as bait establishing credibility within the npm ecosystem over many months . The second-layer packages hidden as dependencies carried the actual malware payload. When security researchers reported and removed one malicious package the hackers simply published a replacement on the same day using identical version numbers thereby preserving the reputation of their bait packages .


The malware has evolved significantly since its first appearance in September 2025. Early versions were simple JavaScript-based info-stealers that scanned recursively for .env and .json files. Later iterations grew to 85MB Node.js single executable applications which the attackers called SEAs . The current version consists of compiled Rust payloads specifically designed to evade detection. Once installed PromptMink searches for cryptocurrency wallet configuration files steals credentials compresses entire project source codes for exfiltration and drops SSH keys on Linux and Windows machines to establish permanent remote access .


The financial impact has been devastating. According to Cryptopolitan the operation has already stolen over $800,000 from more than 500 Ethereum wallets in just the past 24 hours of active campaign periods . The hackers specifically target Web3 developers and small crypto projects people who hold significant funds but lack the enterprise-grade security infrastructure of major exchanges. The malware prioritizes high-value assets first ensuring maximum financial damage before victims realize what has happened .


Vladimir Pezo a security researcher at ReversingLabs who analyzed the PromptMink campaign explained why AI agents are particularly vulnerable to this attack method. Famous Chollima writes unusually detailed documentation for its malicious packages knowing that AI coding assistants will read those descriptions and recommend the packages without suspicion . This technique which researchers call LLM Optimization abuse is more effective against AI agents than human developers because AI systems place high trust in well-documented packages regardless of their actual legitimacy .


The broader threat landscape has shifted dramatically. Bybit Security Operations Center disclosed in April 2026 a separate but related macOS malware campaign targeting users searching for Claude Code. Attackers used SEO poisoning to elevate malicious domains in Google search results redirecting developers to spoofed installation pages . The malware targeted more than 250 browser-based wallet extensions and multiple desktop wallet applications including Trojanized versions of Ledger Live and Trezor Suite . This demonstrates that crypto trading tools are under coordinated attack from multiple vectors all leveraging the popularity of AI coding assistants.


David Zong Head of Group Risk Control and Security at Bybit issued a stark warning about the future of cybersecurity in crypto. Looking to the future we will face an AI war. Using AI to defend against AI is an inevitable trend . His comments reflect a growing consensus among security professionals that the same generative AI tools empowering developers are now being weaponized by state-sponsored hacking groups. Bybit reported that AI-assisted security workflows reduced malware analysis time from six to eight hours to under 40 minutes but this defensive acceleration must match the speed of AI-powered attacks .


Marcus Hutchins the security researcher famous for disabling the WannaCry ransomware worm offered direct commentary on what this means for the crypto industry. These operators don't have the skills to write code. They don't have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do . His analysis cuts to the heart of the threat. The barrier to entry for sophisticated crypto theft has collapsed. Attackers who previously could not execute complex supply chain attacks can now delegate the technical work to AI models while focusing on social engineering strategies.


For cryptocurrency investors the implications are direct and severe. Every developer who uses AI coding assistants is now a potential entry point for supply chain attacks. Every npm package is a potential trap. The separation between traditional cybercrime and crypto-focused attacks has effectively eroded. As ReversingLabs noted the infrastructure once dedicated exclusively to credential theft is now routinely repurposed to host wallet-phishing content . Investors must assume that any crypto trading tool connected to AI-assisted development could be compromised and that the age of hybrid AI-powered crypto threats has fully arrived. The only defense is extreme vigilance regular token approval revocation and the fundamental recognition that in this new threat landscape trust is no longer a viable strategy.

Komentar

Posting Komentar

Postingan populer dari blog ini

Daily Vecsignal - THE MACHINE ECONOMY AWAKENS: HOW RIPPLE, METAMASK, AND MASTERCARD ARE BUILDING CRYPTO'S AI FUTURE

 THE MACHINE ECONOMY AWAKENS: HOW RIPPLE, METAMASK, AND MASTERCARD ARE BUILDING CRYPTO'S AI FUTURE June 14, 2026 | VECS News A powerful consortium of blockchain and traditional finance giants—Ripple, MetaMask, and Mastercard—is coalescing around a transformative vision that positions cryptocurrency not as a speculative human asset, but as the native transactional layer for autonomous artificial intelligence agents. This collaborative architecture, revealed through parallel development roadmaps and cross-platform integration announcements, aims to create a seamless financial ecosystem where AI agents can independently discover each other, negotiate service contracts, execute micropayments, and settle disputes on-chain without requiring human approval for every individual transaction. Ripple's XRP Ledger provides the high-throughput, low-cost settlement layer capable of processing thousands of agent-generated transactions per second at a fraction of a cent. MetaMask, the dominant...
Baca selengkapnya

Daily Vecsignal - Ripple Powers European Banks for Joint Euro Stablecoin Launch

 April 25, 2026 | VECS News A consortium of twelve European banks including ING, UniCredit, and BNP Paribas is preparing to launch a euro-denominated stablecoin in late 2026, built entirely on Ripple’s blockchain infrastructure in a direct challenge to dollar-backed digital assets. In a development that fundamentally reshapes the digital asset landscape, three systemically important European banks are moving to launch a joint euro stablecoin during the second half of 2026 . The initiative, led by Amsterdam-based Qivalis and supported by custody giant Fireblocks, will operate under the European Union’s Markets in Crypto-Assets Regulation (MiCAR) framework. Unlike fragmented national experiments, this consortium represents a unified institutional front to embed blockchain directly into core banking operations, marking the first time major retail banks have collaborated on a shared digital currency infrastructure. The technical architecture relies on Ripple’s XRP Ledger (XRPL), select...
Baca selengkapnya

Daily Vecsiganl - Scammers Weaponize Telegram Mini Apps as Crypto Fraud Traps

 May 05, 2026 | VECS News A sophisticated fraud operation has turned Telegram’s popular Mini App feature into a weapon for crypto scammers. Cybersecurity researchers have uncovered a large-scale scheme that uses Telegram bots and embedded Mini Apps to create convincing fake investment platforms, impersonate well-known brands, and distribute Android malware to unsuspecting users . The platform, dubbed FEMITBOT by researchers at CTM360, represents a new evolution in crypto fraud that exploits user trust in the messaging platform itself. The mechanics of the scam are deceptively simple yet highly effective. When a user interacts with a malicious Telegram bot and clicks "Start," the bot launches a Mini App that displays a phishing page directly within Telegram’s built-in WebView . Victims never leave the Telegram app, making the fake interfaces appear more legitimate than traditional phishing links sent via email or text message. Inside these Mini Apps, victims are shown dashboar...
Baca selengkapnya