North Korean Hackers Use AI-Enhanced Smart Contract Malware, Physical Crypto Attacks Surge as Phishing Fades

TL;DR

• North Korean hackers embed malware in blockchain smart contracts via UNC5342 group, leveraging Ethereum and Binance Smart Chain to evade detection and distribute InvisibleFerret payloads
• ShinyHunters breached Resecurity’s honeypot, exfiltrating 28,000+ consumer records and impersonating victims to exploit Vietnam’s National Credit Information Center (CIC) data leak
• Cisco in advanced talks to acquire Axonius for $2 billion to consolidate endpoint security visibility, following Armis’ $7.75B sale to ServiceNow and expanding its cyber asset management portfolio
• TCG TPM 2.0 HMAC scheme detected and prevented bus snooping attacks by encrypting TPM session keys via tpm_buf_append_hmac_session, mitigating hardware-level interposer threats on Windows and Linux systems
• AI-powered browser extensions now enable on-device summarization and drafting, raising privacy concerns over data leakage, hallucinations, and unregulated access to sensitive web content via Gemini and Claude APIs
• Physical crypto attacks surged in 2025 with 215 documented cases globally, escalating to armed home invasions targeting investors, while phishing losses dropped 83% to $83.85M due to wallet drainer mitigation

North Korean Hackers Use Smart Contract Upgrades to Evade Detection and Steal Billions in Crypto

North Korean state-sponsored group UNC-5342 embeds the InvisibleFerret malware in Ethereum and Binance Smart Chain smart contracts using proxy-upgrade mechanisms. These upgrades rewrite encrypted payload storage slots, evading signature-based detection. At least 20 contract upgrades were observed between March and June 2025, each altering the hidden storage address (e.g., 0x8a3c…).

What is the scale of financial impact?

In 2025, North Korean actors stole an estimated $2.02 billion in cryptocurrency, with approximately 51% attributed to UNC-5342’s smart contract exploits. The $1.4 billion Bybit breach in February 2025 is directly linked to this group via transaction clustering and code reuse.

How is the malware delivered and executed?

InvisibleFerret operates as a file-less loader, retrieving additional modules via encrypted DNS queries. No binaries are written to disk, rendering traditional endpoint security ineffective. Forensic detection requires monitoring DNS traffic from wallet-connected devices for high-entropy, low-TTL queries to known C2 domains.

What technical patterns enable detection?

A consistent storage-slot fingerprint (e.g., 0xdeadbeef…) is used across multiple contracts on EVM-compatible chains. This provides a reliable indicator of compromise for blockchain explorers like Etherscan and BSCScan. Identical 3KB bytecode snippets appear on both Ethereum and Binance Smart Chain, enabling cross-chain attribution.

Where is this threat expanding?

Early deployments of the same technique have been detected on Arbitrum (Q1 2026) and Optimism (Q2 2026). Regulatory pressure from MiCA and the U.S. Public-Integrity in Prediction Markets Act has incentivized actors to embed malicious logic directly on-chain, bypassing off-chain audit trails.

What mitigation strategies are effective?

• On-chain analytics: Flag contracts with more than three upgrades in 30 days and scan for non-standard storage writes matching the UNC-5342 fingerprint.
• Network monitoring: Baseline DNS traffic from wallet-connected IPs; alert on anomalous query entropy.
• Exchange custodians: Require multi-sig approval for transactions interacting with flagged contracts; blacklist those with known storage-slot patterns.
• Developer hygiene: Enforce hardware-backed signing and weekly rotation of API keys for deployment services.
• Regulatory coordination: Share IoCs with blockchain explorers to expose upgrade history in public APIs.

What future developments are anticipated?

Proxy-upgrade velocity is expected to increase to ≥3 upgrades per month. AI-assisted code polymorphism is under development to vary bytecode signatures while preserving functionality. Regulatory requirements for on-chain audits may emerge by 2027, potentially forcing exchanges to reject unverified proxy contracts.

Honeypot Breach Exposes Synthetic Data Used to Impersonate Victims in Vietnam Credit System

Threat actors compromised Resecurity’s high-interaction honeypot, exfiltrating 28,000+ real consumer records and using 190,000 synthetic payment transactions to construct credible victim personas. These personas were then used to query Vietnam’s National Credit Information Center (CIC), enabling impersonation-based data extraction.

What was the true actor behind the breach?

Initial attribution to ShinyHunters was later refuted by forensic analysis. Evidence from logs, Telegram disclosures, and threat-intel feeds confirms the operation was conducted by Scattered Lapsus$ Hunters (SLH). The misattribution reflects a deliberate false-flag tactic to confuse response efforts.

Where was the infrastructure located?

The attack originated from infrastructure in Egypt (IPs 156.193.212.244, 102.41.112.148), with VPN egresses routed through Russia and the UK. Command-and-control communications occurred via Telegram and WhatsApp, indicating a multi-jurisdictional operational model.

What systems were impacted?

Only the honeypot environment was breached; Resecurity’s production systems remain uncompromised. However, the breach exposed critical weaknesses in credential segregation between decoy and live environments. The exfiltrated real consumer data poses direct risks of identity theft and fraudulent credit applications in Vietnam.

How was synthetic data weaponized?

Synthetic payment records were not merely test data—they served as credible proxies to bypass CIC authentication. This represents a new attack vector: using fabricated data to mask real identity theft, complicating fraud detection for credit systems globally.

What are the implications for future attacks?

• Honeypots are increasingly treated as credential sources, not just intelligence tools.
• Synthetic-data marketplaces will expand to supply realistic victim profiles.
• False-flag attribution will become more common to evade legal consequences.
• CIC and similar systems must implement API rate-limiting, multi-factor verification, and synthetic-profile anomaly detection.

What actions are recommended?

• Resecurity: Isolate honeypot credentials from production systems; enforce zero-trust token policies.
• CIC (Vietnam): Require multi-factor authentication for bulk queries; monitor for synthetic-data patterns.
• Threat-intel teams: Publish IOCs with clear SLH attribution.
• Law enforcement: Coordinate cross-border takedowns targeting Egyptian IPs and Telegram channels.
• All organizations using honeypots: Treat decoy credentials as high-value assets; rotate weekly and log all external usage.

The breach underscores a shift in cybercrime tactics: deception is no longer defensive—it is offensive, scalable, and increasingly effective against institutional trust systems.

AI Browser Extensions Raise Privacy Risks Through Cloud-Backed Summarization and API Exposure

Most AI-powered browser extensions marketed as "on-device" still rely on cloud-based inference via Gemini 3 Flash and Claude Opus 4.5 APIs when processing large inputs. This creates hidden data flows that expose page content, browsing history, and AI-generated drafts to external servers.

What evidence confirms data leakage risks?

• In 2025–2026, over 8 million users were affected by malware campaigns such as DarkSpectre and AITOPIA, which exploited legitimate extensions to exfiltrate chat transcripts and URLs.
• Multiple incidents involved stolen API keys embedded in extensions, enabling attackers to trigger costly LLM calls and access sensitive content.
• The UrbanVPN Proxy breach demonstrated how seemingly benign updates can introduce silent data harvesting.

Are local inference claims reliable?

Developer documentation from late 2025 confirms that extensions advertising "local-first" inference typically retain cloud fallback for prompts exceeding token limits. This undermines privacy assurances and mirrors patterns seen in prior proxy-based breaches.

How are regulators responding?

• The EU’s proposed AI-by-Design framework classifies unrestricted page content access as a high-risk activity.
• The U.S. FTC has labeled such extensions as high-risk data processors, triggering enforcement reviews.
• Google has issued a privacy-by-design checklist for Chrome Web Store submissions, effective December 2025.

What technical controls are needed?

• Disable cloud fallback by default; require explicit user opt-in for remote inference.
• Implement real-time logging of outbound requests (timestamp, endpoint, payload hash) accessible via extension UI.
• Integrate hallucination guards that highlight AI-generated text and enable one-click verification against original source content.
• Replace embedded API keys with runtime environment variable injection and prefer on-device models (e.g., Llama-cpp, Whisper-cpp).

What changes are expected by end of 2026?

• Q1 2026: Chrome Web Store mandates privacy-impact metadata for extensions accessing page content and calling LLM APIs.
• Q2 2026: First U.S. class-action lawsuit filed over undisclosed Gemini data leakage; $15M settlement expected.
• Q3 2026: Major browsers deploy sandboxed LLM APIs that limit token exposure and enforce local processing.
• Q4 2026: 45% of top 100 AI extensions adopt true on-device summarization, driven by regulatory pressure and user awareness.

What should developers and organizations do now?

Adopt data minimization, purpose limitation, and transparent consent workflows. Conduct third-party security audits before publication. Monitor EU and U.S. regulatory updates and update extension manifests within 30 days of changes.

Physical Crypto Attacks Surged 95% in 2025 as Phishing Losses Plummeted 83%

Documented physical attacks on crypto holders rose from 110 in 2024 to 215 in 2025, with armed home invasions accounting for 55% of incidents—a rise of 83% year-over-year. The surge correlated with spikes in privacy coin valuations, particularly Zcash (+861%) and Monero (+123%), which criminals target for their untraceable nature. Europe and Asia-Pacific accounted for 70% of violent incidents, with France, Italy, and Japan reporting the highest frequencies. Regression analysis indicates 45% of attack frequency variance aligns with total crypto market cap, confirming a loot-incentive dynamic.

Why did phishing losses drop 83% to $83.85M?

Phishing-related losses fell from $494M in 2024 to $83.85M in 2025, with victim counts declining 68%. This decline followed the universal deployment of wallet-drainer mitigation systems across major exchanges and DApp gateways by October 2025. These systems blocked automated extraction of funds from compromised wallets, rendering traditional phishing ineffective. Attackers have since shifted to low-value EVM exploits and permit-signature scams, but losses have stabilized near $70–80M.

Why is underreporting masking the true scale of physical threats?

SEC enforcement actions in early 2025, including $2.6B in penalties, led to a 30-percentage-point drop in reporting rates—from 70% to 30%. Victims fear retaliation, insurance denial, or legal exposure. This underreporting inflates the hidden attack pool and impedes law enforcement response. Mandatory reporting proposals in the EU and US may increase documented cases by 50% in 2026.

What are the implications for security posture?

Digital defenses have succeeded against phishing, but physical vulnerabilities remain unaddressed. Investors storing hardware wallets at home face escalating risk. Exchanges should extend drainer protections to permit-based attacks and share anonymized threat data with police. Regulators must mandate physical theft reporting and fund forensic labs for hardware wallet analysis. Law enforcement should deploy blockchain analytics for immediate asset tracing and form cross-border task forces targeting privacy-coin seizures.

What actions reduce physical risk?

• Store hardware wallets in certified safe-deposit boxes
• Install multi-factor physical security (alarms, motion sensors)
• Diversify holdings between custodial and non-custodial solutions

These measures can reduce successful home invasion success rates by approximately 40%.

What is the outlook for 2026?

Physical attacks are projected to rise another 30% in Q1 2026 without targeted security campaigns. Phishing losses will stabilize at $70–80M. Insurance premiums, up 22% in Q4 2025, are expected to flatten as insurers integrate physical-risk modeling. A balanced approach—securing both digital and physical vectors—is now essential to mitigate a professionalizing threat ecosystem.