Solana malware targeting Russian crypto developers
Briefly

Researchers identified malware targeting Russian cryptocurrency developers, specifically within the Solana ecosystem. The threat actor, 'cryptohan', created npm packages that masquerade as legitimate tools designed to locate Solana SDK components. These malicious packages function as infostealers, gathering sensitive information such as cryptocurrency token details, which is then transmitted to command and control servers with connections to the USA. The origins and targets suggest a potential connection to state-sponsored actors, particularly as they align with the activities of Kremlin-backed ransomware groups.
The threat actor known as 'cryptohan' has created npm packages that target the Solana cryptocurrency ecosystem and pretend to 'scan' for Solana SDK components.
These infostealers retrieve sensitive information such as cryptocurrency token details and forward it to command and control servers with US-linked IP addresses.
Researchers suspect that the use of the name 'cryptohan' aims to provide an illusion of legitimacy, rather than representing a single entity.
The malicious npm packages indicate potential state-sponsored efforts to disrupt Russian cryptocurrency developers, raising concerns about links to Kremlin-supported ransomware operations.
Read at Theregister