
Extropy Security Bytes: w12 2025

10 min read · Mar 21, 2025

The past week has been a stark reminder of how rapidly evolving technologies, especially AI, are reshaping the landscape of cybersecurity threats. From AI-driven crypto scams to sophisticated malware targeting digital wallets, attackers are leveraging cutting-edge tools to enhance their deception and efficiency. This edition of Security News (March 17th — 24th) dives into some of the most critical incidents, including the rise of AI-powered fraud, the StilachiRAT malware, the Wemix hack, and the latest in memecoin scams. Let’s break down what happened, how these attacks unfolded, and the steps you can take to stay protected.

The rise of AI bots in scams

There has been a significant increase in cryptocurrency scams leveraging artificial intelligence, and crypto scam revenue potentially reached a record $12.4 billion in 2024.

Key Findings and Methods:

  • AI Facilitates Sophistication and Scale: AI technologies are being embraced by crypto scammers due to their ability to impersonate individuals and generate realistic-looking content such as websites and listings. This allows for high-fidelity, low-cost, and highly scalable fraud that exploits human vulnerabilities.
  • Impersonation and Fake Content: Scammers utilise AI service providers to create synthetic and fake identities, enabling them to impersonate real users and bypass identity verification controls. This includes generating realistic-looking websites, social media profiles, and even videos. One example cited is “face-changing services” offered for cryptocurrency.
  • Automated Engagement: AI can generate automated responses to communicate with victims and answer their questions, making the scams more convincing.
  • Malware Distribution: Scammers are using fake online personas, such as supposed crypto experts on platforms like YouTube, to promote software promising huge profits through AI-driven trading. Instead, victims are tricked into downloading malware, such as “infostealers,” which can steal sensitive information, passwords, and empty crypto wallets.
  • Amplified Existing Scams: AI isn’t necessarily creating entirely new scam types but rather perfecting existing ones, such as “pig butchering” scams which saw a 40% year-over-year revenue jump. These scams involve building a relationship with the victim before convincing them to make fraudulent investments.
  • Professionalization of Scams: Platforms like the Huione Guarantee forum act as “one-stop-shops for illicit actors needing technology,” contributing to the growing “professionalization” of the scam ecosystem. This forum has processed a substantial amount of crypto transactions and offers resources for scams and money laundering.
  • Industrialization of Scams: The ease and efficiency AI brings to scam operations are leading to what can be described as the “industrialization” of scams, with pump-and-dump schemes running at factory scale.

Recommendations for Staying Alert:

The National Cyber Security Centre (NCSC) advises caution and suggests the following:

  • Be sceptical about unsolicited crypto investment opportunities.
  • Conduct thorough research before investing in crypto, not relying solely on company claims.
  • Be aware of red flags such as promises of high yields without risks and pressure to invest quickly.
  • Exercise caution when downloading software from unknown sources and be wary of executing command-line code after downloads.
  • Report suspected crypto scams to the police and scam profiles to social media platforms.

Wemix hack

Blockchain gaming platform WEMIX was attacked on February 28th, 2025. Let’s break the attack down:

Key Technical Aspects of the Attack:

Exploited Vulnerability: The primary vulnerability exploited in the WEMIX hack was the insecure storage and subsequent theft of authentication keys. These keys were used for monitoring services on NILE, WEMIX’s NFT platform.

Method of Key Acquisition (Suspected): While the exact method of key acquisition remains unconfirmed, Wemade, the parent company of WEMIX, suspects that the attackers gained access to these authentication keys through a compromised shared repository. It is believed that a developer had uploaded the keys to this repository for more convenient access. This highlights a potential weakness in internal security practices related to credential management.

Attack Planning and Execution: The attackers demonstrated a significant level of planning, having infiltrated the network and stolen the keys approximately two months prior to executing the withdrawals. During the attack, they attempted fifteen withdrawals of WEMIX tokens, of which thirteen were successful. This suggests a thorough understanding of the WEMIX platform’s withdrawal mechanisms.

Stolen Assets: The successful withdrawals resulted in the theft of 8,654,860 WEMIX tokens, valued at approximately $6.1 million at the time of the incident.

Post-Exploitation Activity: Following the successful withdrawals, the stolen WEMIX tokens were swiftly laundered through various cryptocurrency exchanges.

Immediate Response: Upon identifying the hack on February 28th, 2025, WEMIX immediately shut down the affected server to prevent further unauthorized access. They also initiated a detailed analysis of the breach and filed a criminal complaint with the Seoul Metropolitan Police Agency’s Cyber Investigation Unit.

In conclusion, the WEMIX hack was a carefully planned attack that leveraged compromised authentication keys, likely obtained from an insecurely shared repository. The attackers demonstrated planning and efficiency in their actions, leading to a significant financial loss for the platform. WEMIX’s response included immediate containment, law enforcement involvement, and ongoing efforts to enhance the security of their infrastructure.
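The suspected root cause above, a developer committing keys to a shared repository, is exactly what a secret scan in a pre-commit hook or CI job is meant to catch. The following is an added example written for this post, not Wemade’s or WEMIX’s tooling; the credential-like variable names, the entropy thresholds and the sample file are all constructed.

```python
"""Secret scan over file contents, of the kind a pre-commit hook or CI job runs.
Added example for this post; not Wemade's or WEMIX's tooling. The suspicious
variable names, thresholds and the sample file below are constructed."""
import math
import re
from collections import Counter

# Values assigned to credential-like names (api_key, auth_token, secret, ...).
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(api[_-]?key|auth[_-]?token|secret|password|private[_-]?key)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{16,})"
)
# A PEM private-key header is a finding on its own, whatever follows it.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Bare token-looking runs, caught even without a telltale variable name.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}")

NAMED_THRESHOLD = 4.0  # bits/char: random 32-char base64 scores ~5, words ~3-4
BARE_THRESHOLD = 4.5   # stricter for bare tokens, so long identifiers pass


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list:
    """Return findings as dicts: line (1-based), kind, severity, value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        if PEM_RE.search(line):
            findings.append({"line": lineno, "kind": "pem_private_key",
                             "severity": "high", "value": line.strip()})
            continue
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2).rstrip("=")
            seen.add(value)
            high = shannon_entropy(value) >= NAMED_THRESHOLD
            findings.append({
                "line": lineno,
                "kind": "credential_assignment",
                # Low-entropy values are usually placeholders; still worth a look.
                "severity": "high" if high else "low",
                "value": value,
            })
        for m in TOKEN_RE.finditer(line):
            value = m.group(0)
            if value in seen or shannon_entropy(value) < BARE_THRESHOLD:
                continue
            findings.append({"line": lineno, "kind": "high_entropy_token",
                             "severity": "high", "value": value})
    return findings


# Constructed sample resembling a monitoring-service config with a key checked in.
SAMPLE_FILE = """\
# monitoring/config.py  (constructed sample for this example)
MONITOR_ENDPOINT = "https://monitor.example.invalid/api"
AUTH_TOKEN = "Zq8xK2mP9vL4nR7tW3yB6cF1hJ5gD0sA"
password = "changeme_please_change"
loader = MonitoringServiceAuthenticationKeyLoader()
-----BEGIN RSA PRIVATE KEY-----
"""


def high_severity_lines(text: str = SAMPLE_FILE) -> list:
    """Line numbers that should block the commit."""
    return [f["line"] for f in scan_text(text) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['severity']:4} {f['kind']} -> {f['value'][:20]}...")
```

On the sample, the 32-character token and the PEM header are high-severity findings, the placeholder-looking password is reported at low severity, and the 40-character class name is ignored because its character entropy is far below that of a random key. Regex-plus-entropy scanning is a noisy control, so it belongs alongside, not instead of, short-lived credentials and a secrets manager.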

Four.meme second attack in 2025

This attack, on March 18th, 2025, marks the second incident this year for Four.meme; this time the attacker exploited a vulnerability in the platform’s liquidity mechanism.

Key Technical Aspects of the Attack:

Type of Attack: The attack was a sandwich attack that exploited a pre-launch vulnerability in the platform’s liquidity mechanism.

Exploited Vulnerability: The core vulnerability lay in the transfer function of the Four.Meme token contract. This flaw allowed unlaunched, untransferable tokens to be freely moved to any address, including the predicted address of the PancakeSwap liquidity pool (LP) before it was officially created.

Attack Mechanism (Sandwiching): The attacker employed the following steps:

  • Pre-Launch Token Acquisition: The attacker acquired a small amount of Four.Meme tokens before the official launch, likely via a function within the contract.
  • Transfer to Predicted LP Address: Instead of holding these tokens, the attacker sent them to the non-existent PancakeSwap Pair address. This was possible due to the flaw in the transfer function.
  • Front-Running Liquidity Addition: The attacker then front-ran the official liquidity addition transaction. This means they placed their buy order just before the platform’s intended liquidity was added to PancakeSwap.
  • Liquidity Manipulation: By sending tokens to the pre-calculated pair address in advance, the attacker effectively initialised liquidity at an unintended price.
  • Immediate Profit Extraction: Immediately after the platform added liquidity, the attacker executed a sell order, taking advantage of the price slippage created by their initial token transfer and the platform’s liquidity addition. This “sandwiches” the legitimate liquidity addition transaction between the attacker’s buy and sell orders.
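To make the bug class concrete, here is an added model of a launch-phase token with and without a transfer guard, together with the spot price a constant-product pair derives from its first reserves. This is example code written for this post; it does not reproduce Four.Meme’s or PancakeSwap’s contracts, and the addresses and amounts are made up. The guard shown is one reasonable invariant (pre-launch, tokens only move to or from the launchpad and never to the predicted pair address), not the fix Four.Meme deployed.

```python
"""Model of a launch-phase token with a transfer guard, plus the price an AMM pair
derives from its first reserves. Added example for this post; it does not reproduce
Four.Meme's or PancakeSwap's contracts, and all addresses and amounts are made up."""
from dataclasses import dataclass, field


@dataclass
class LaunchToken:
    launchpad: str            # the only party allowed to move tokens pre-launch
    predicted_pair: str       # CREATE2 address the AMM pair will have once created
    balances: dict = field(default_factory=dict)
    launched: bool = False

    def _move(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_unguarded(self, src: str, dst: str, amount: int) -> None:
        """The flawed shape: 'untransferable' in name only, any destination accepted."""
        self._move(src, dst, amount)

    def transfer_guarded(self, src: str, dst: str, amount: int) -> None:
        """Pre-launch, tokens may only move to or from the launchpad, and never to the
        pair address, so nobody can pre-seed the pool's reserves."""
        if not self.launched:
            if self.launchpad not in (src, dst):
                raise PermissionError("token not launched: transfers restricted")
            if dst == self.predicted_pair:
                raise PermissionError("token not launched: pair may not be funded")
        self._move(src, dst, amount)


def initial_price(token_reserve: int, bnb_reserve: float) -> float:
    """Spot price (BNB per token) an x*y=k pair takes from its first reserves.
    A V2-style pair credits whatever token balance it already holds on the first
    mint, so tokens parked at the address before launch join the starting reserve."""
    return bnb_reserve / token_reserve


def simulate(guarded: bool) -> dict:
    """Launch flow with a would-be pre-seeder; returns the resulting pool state."""
    token = LaunchToken(launchpad="0xLAUNCHPAD", predicted_pair="0xPAIR")
    token.balances["0xLAUNCHPAD"] = 1_250_000  # constructed supply reserved for launch
    transfer = token.transfer_guarded if guarded else token.transfer_unguarded

    # Pre-launch: a buyer acquires 250_000 tokens from the launchpad (allowed either
    # way), then tries to park them at the pair address before it exists.
    transfer("0xLAUNCHPAD", "0xBUYER", 250_000)
    seeded = True
    try:
        transfer("0xBUYER", "0xPAIR", 250_000)
    except PermissionError:
        seeded = False

    # Launch: the platform adds the intended liquidity of 1_000_000 tokens + 10 BNB.
    token.launched = True
    token.transfer_guarded("0xLAUNCHPAD", "0xPAIR", 1_000_000)
    token_reserve = token.balances["0xPAIR"]
    return {
        "pre_seeded": seeded,
        "token_reserve": token_reserve,
        "price_bnb_per_token": initial_price(token_reserve, 10.0),
    }


if __name__ == "__main__":
    print("unguarded:", simulate(False))
    print("guarded:  ", simulate(True))
```

In the unguarded run the pair opens with 1,250,000 tokens against 10 BNB instead of the intended 1,000,000, so the launch price is 20% below what the platform meant to set; the guarded run refuses the pre-launch transfer to the pair and opens at the intended price. The audit takeaway is that a "not transferable before launch" rule has to be enforced on every transfer path and on the destination, not only on the sender.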

Stolen Assets: The attack resulted in the theft of approximately $120,000 worth of digital assets, specifically at least 192 BNB (Binance Coin).

Post-Exploitation Activity: The stolen BNB was subsequently sent to the decentralised cryptocurrency exchange FixedFloat, a common tactic used to obfuscate the origin of illicitly gained funds.

Platform Response:

  • Four.Meme suspended its launch function to investigate the security issue.
  • They conducted a thorough security inspection and addressed the identified vulnerability, reinforcing system security.
  • The launch function was resumed on March 18th, 2025, following the security updates.
  • Four.Meme stated that compensation for affected users was underway.

Analysis by Security Firms: Web3 security firms ExVul and CertiK confirmed the sandwich attack and provided details on the exploitation and fund movement.

Hayden Davis, co-creator of the MELANIA and LIBRA coins, linked to WOLF meme coin scam

The WOLF meme coin was launched on March 8th and capitalised on rumours linking it to Jordan Belfort, the “Wolf of Wall Street”. Belfort has since denied any involvement.

The launch was linked to Hayden Davis, the co-creator of the previous MELANIA and LIBRA token scams. Davis is reportedly wanted by Interpol following the LIBRA token collapse, although this is not confirmed on Interpol’s public database. An Argentine prosecutor has requested an Interpol Red Notice.

Within a short period, WOLF’s market capitalisation peaked at $42 million.

Analysis revealed that 82% of the WOLF token’s supply was concentrated in insider wallets connected to Hayden Davis, a pattern similar to his previous scams.

The WOLF token plummeted by over 99% within two days, a classic indicator of a “rug pull” where insiders extract liquidity. This left retail investors with significant losses.

Blockchain analytics firms like Bubblemaps quickly traced the WOLF token back to Davis through his characteristic on-chain wallet patterns.

This scam follows a familiar playbook used by Davis in the LIBRA token scam, where insider wallets cashed out a substantial amount of liquidity, leading to a massive market cap wipeout. The MELANIA token also exhibited similar manipulative patterns.

The WOLF scam exemplifies how meme coins are increasingly being used for “retail value extraction” by insiders.

Despite facing legal pressure and public scrutiny from previous scams like LIBRA (which led to presidential impeachment calls in Argentina and a class action lawsuit), Davis continued with the launch of WOLF.
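The 82% figure above is the kind of number a holder-concentration check produces once wallets that share a funding source are collapsed into one cluster; looking only at the single largest wallet would have missed it. The following is an added example written for this post, not Bubblemaps’ methodology or tooling; the holder snapshot and the funding links are constructed so that insider wallets hold 82% of supply between them.

```python
"""Holder-concentration check over a token snapshot, with wallets that share a
funding source collapsed into one cluster (union-find). Added example for this
post; Bubblemaps' methodology is not reproduced and the snapshot is constructed."""


def _find(parent: dict, x: str) -> str:
    """Root of x's cluster, compressing the path as it goes."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_holders(balances: dict, links: list) -> dict:
    """Union wallets joined by a link (e.g. funded by the same wallet) and return
    each cluster's combined balance, keyed by a representative wallet."""
    parent = {w: w for w in balances}
    for a, b in links:
        parent.setdefault(a, a)   # a funder need not hold tokens itself
        parent.setdefault(b, b)
        ra, rb = _find(parent, a), _find(parent, b)
        if ra != rb:
            parent[ra] = rb
    clusters: dict = {}
    for wallet, bal in balances.items():
        root = _find(parent, wallet)
        clusters[root] = clusters.get(root, 0) + bal
    return clusters


def naive_top_holder_share(balances: dict) -> float:
    """What a plain holder list shows: the single largest wallet's share."""
    return max(balances.values()) / sum(balances.values())


def largest_cluster_share(balances: dict, links: list) -> float:
    """Share of supply held by the largest linked cluster."""
    return max(cluster_holders(balances, links).values()) / sum(balances.values())


def concentration_flag(balances: dict, links: list, threshold: float = 0.5) -> bool:
    """True when one linked cluster controls at least `threshold` of supply."""
    return largest_cluster_share(balances, links) >= threshold


# Constructed snapshot: 1,000,000,000 total supply, five insider wallets funded
# from one source holding 820,000,000 between them, five retail wallets for the rest.
SNAPSHOT = {
    "0xINSIDER1": 200_000_000, "0xINSIDER2": 180_000_000, "0xINSIDER3": 160_000_000,
    "0xINSIDER4": 150_000_000, "0xINSIDER5": 130_000_000,
    "0xRETAIL1": 60_000_000, "0xRETAIL2": 50_000_000, "0xRETAIL3": 30_000_000,
    "0xRETAIL4": 25_000_000, "0xRETAIL5": 15_000_000,
}
# Constructed links: "funded by the same wallet" edges observed on-chain.
LINKS = [("0xFUNDER", w) for w in SNAPSHOT if w.startswith("0xINSIDER")]

if __name__ == "__main__":
    print(f"largest single wallet: {naive_top_holder_share(SNAPSHOT):.0%}")
    print(f"largest linked cluster: {largest_cluster_share(SNAPSHOT, LINKS):.0%}")
    print("flagged:", concentration_flag(SNAPSHOT, LINKS))
```

On this snapshot the biggest single wallet holds 20%, which looks unremarkable, while the linked cluster holds 82% and trips the flag. Which on-chain relationships count as a link (common funder, round-trip transfers, shared deployer) is an analyst choice and is what the clustering quality depends on.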

StilachiRAT Malware Steals Crypto Using Advanced Reconnaissance

StilachiRAT is a novel Remote Access Trojan (RAT) discovered by Microsoft Incident Response in November 2024. It employs sophisticated techniques for evading detection, maintaining persistence, and exfiltrating sensitive data, with a particular focus on cryptocurrency theft and system reconnaissance.

Key Technical Capabilities:

System Reconnaissance: StilachiRAT gathers comprehensive system information to profile the targeted system.

  • It collects operating system details, hardware identifiers, and checks for camera presence.
  • It identifies active Remote Desktop Protocol (RDP) sessions and lists running graphical user interface (GUI) applications.
  • This information is collected using Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces via WMI Query Language (WQL). Examples of WQL queries include retrieving the serial number, checking for camera presence, and obtaining OS/system information (server, model, manufacturer).
  • The malware creates a unique identification for the infected device derived from the system’s serial number and the attackers’ public RSA key, stored in the registry under a CLSID key.

Digital Wallet Targeting: It scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser, including popular options like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet.

Credential Theft: The malware aims to steal user credentials. It extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser’s local state file using Windows APIs.

Command-and-Control (C2) Connectivity: StilachiRAT communicates with remote servers to receive commands. It establishes communication using TCP ports 53, 443, or 160007. This enables remote command execution and potentially SOCKS-like proxying.

Command Execution: The C2 server can instruct StilachiRAT to perform various actions. These include:

  • System reboots.
  • Log clearing (clearing event logs).
  • Registry manipulation (modification of Windows registry values).
  • Application execution.
  • System suspension (sleep or hibernation using the SetSuspendState() API).
  • Enumerating open windows to find a specific title bar text, potentially allowing access to GUI application contents.
  • Credential theft (initiating the Google Chrome password stealing functionality).

Persistence Mechanisms: StilachiRAT employs several techniques to ensure it remains on the compromised system.

  • It can be launched as a Windows service or a standalone component.
  • A watchdog thread monitors the presence of both the EXE and dynamic link library (DLL) files used by the malware by periodically polling for them. If these files are absent, they can be recreated from an internal copy.
  • The Windows service component can be recreated by modifying relevant registry settings and restarting it through the service control manager (SCM).

RDP Monitoring: The malware can monitor and interact with RDP sessions.

  • It captures foreground window information and duplicates security tokens to impersonate users. This is particularly risky on RDP servers hosting administrative sessions, potentially enabling lateral movement within networks.
  • It obtains the current session, enumerates other RDP sessions, accesses the Windows Explorer shell for each identified session, and duplicates its privileges or security token, gaining the capability to launch applications with these newly obtained privileges.

Data Collection: Beyond cryptocurrency and credentials, StilachiRAT collects other user data.

  • It monitors active GUI windows, their title bar text, and file location, sending this information to the C2 server to potentially track user behaviour.
  • It can access and iterate through files in locations such as %USERPROFILE%\Desktop and %USERPROFILE%\Recent, using the same search expressions as the clipboard monitoring.

Clipboard Monitoring: StilachiRAT continuously monitors the clipboard content.

  • It can periodically read the clipboard, extract text based on search expressions, and exfiltrate this data.
  • It specifically searches for sensitive information such as passwords and cryptocurrency keys.

Anti-Forensic Measures and Evasion: StilachiRAT employs several techniques to hinder analysis and evade detection.

  • It exhibits anti-forensic behaviour by clearing event logs.
  • It checks for certain system conditions to evade detection, including looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments.
  • Windows API calls are obfuscated in multiple ways, and a custom algorithm is used to encode many text strings and values, significantly slowing down analysis.
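No single behaviour listed above is conclusive on its own (WQL recon, a registry write under a CLSID key, or TCP traffic on port 53 all have benign explanations), so the useful detection is a per-process correlation of several of them. The following is an added example written for this post, not Microsoft’s detection logic: the event shape, the process names and the sample telemetry are constructed, the weights are my own, and the Win32_BIOS, Win32_ComputerSystem, Win32_OperatingSystem and Win32_PnPEntity classes are the standard WMI classes for the serial-number, model/manufacturer, OS and camera information the post says is collected.

```python
"""Per-process correlation of host telemetry against the behaviours described for
StilachiRAT. Added example for this post, not Microsoft's detection logic; event
shape, process names, weights and the sample events are constructed."""
import re
from collections import defaultdict
from typing import Optional, Tuple

# WQL against the classes that expose serial number, model/manufacturer, OS and
# PnP devices (camera). Benign on its own; one piece of a wider pattern.
RECON_WQL = re.compile(
    r"FROM\s+Win32_(BIOS|ComputerSystem|OperatingSystem|PnPEntity)\b", re.I)
# Chrome's encrypted credential material lives in these files.
CHROME_CRED_FILES = ("\\Local State", "\\Login Data")
# A per-host ID written under a CLSID key (the post's persistence/ID behaviour).
CLSID_KEY = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}", re.I)
# Processes that are expected to talk TCP/53; anything else is worth a look.
DNS_CLIENTS = {"svchost.exe", "dns.exe"}


def score_event(ev: dict) -> Optional[Tuple[int, str]]:
    """Map one event to (weight, reason) if it matches an indicator, else None."""
    kind = ev["type"]
    image = ev["image"].lower()
    if kind == "wmi_query" and RECON_WQL.search(ev["query"]):
        return 1, "hardware/OS recon via WQL"
    if kind == "file_read" and ev["path"].endswith(CHROME_CRED_FILES) \
            and image != "chrome.exe":
        return 2, "non-browser read of Chrome credential store"
    if kind == "registry_set" and CLSID_KEY.search(ev["key"]):
        return 1, "value written under a CLSID key"
    if kind == "net_connect" and ev["proto"] == "tcp" and ev["dport"] == 53 \
            and image not in DNS_CLIENTS:
        return 1, "TCP/53 from a non-resolver process"
    if kind == "event_log_clear":
        return 2, "event log cleared"
    return None


def correlate(events: list, threshold: int = 4) -> list:
    """Sum indicator weights per pid; return alerts for pids at or over threshold."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    images = {}
    for ev in events:
        hit = score_event(ev)
        if hit is None:
            continue
        scores[ev["pid"]] += hit[0]
        reasons[ev["pid"]].append(hit[1])
        images[ev["pid"]] = ev["image"]
    return [{"pid": pid, "image": images[pid], "score": s, "reasons": reasons[pid]}
            for pid, s in sorted(scores.items()) if s >= threshold]


CHROME_LOCAL_STATE = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"
# Constructed telemetry: a benign service, the browser itself, and one process
# ("svcmon.exe", a made-up name) showing the full chain.
SAMPLE_EVENTS = [
    {"pid": 900, "image": "svchost.exe", "type": "wmi_query",
     "query": "SELECT * FROM Win32_OperatingSystem"},
    {"pid": 1234, "image": "chrome.exe", "type": "file_read", "path": CHROME_LOCAL_STATE},
    {"pid": 4242, "image": "svcmon.exe", "type": "wmi_query",
     "query": "SELECT SerialNumber FROM Win32_BIOS"},
    {"pid": 4242, "image": "svcmon.exe", "type": "wmi_query",
     "query": "SELECT * FROM Win32_PnPEntity WHERE PNPClass='Camera'"},
    {"pid": 4242, "image": "svcmon.exe", "type": "file_read", "path": CHROME_LOCAL_STATE},
    {"pid": 4242, "image": "svcmon.exe", "type": "registry_set",
     "key": r"HKCU\Software\Classes\CLSID\{A1B2C3D4-0000-4000-8000-000000000001}\ID"},
    {"pid": 4242, "image": "svcmon.exe", "type": "net_connect", "proto": "tcp", "dport": 53},
    {"pid": 4242, "image": "svcmon.exe", "type": "event_log_clear", "log": "Security"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}) score {alert['score']}:")
        for r in alert["reasons"]:
            print("  -", r)
```

The lone WQL query from svchost.exe and the browser reading its own credential store score below the threshold, while the constructed process that recons hardware, reads Chrome’s Local State, writes a CLSID key, opens TCP/53 and clears an event log accumulates a score of 8 and is reported with its reasons. In production the same shape works over Sysmon or EDR events; the weights and the threshold should be tuned against a baseline of the environment’s normal activity.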

Mitigation Strategies:

Microsoft recommends several mitigation strategies to reduce the risk of StilachiRAT infection. These include:

  • Downloading software only from official websites.
  • Employing security software capable of blocking malicious domains and email attachments.
  • Implementing a layered security approach combining multiple security measures.
  • Understanding and mitigating the risks associated with RDP access.
  • Being cautious of potentially malicious email attachments and links.

While not yet widely distributed, StilachiRAT’s advanced capabilities make proactive defence measures crucial. Microsoft continues to monitor the threat landscape and investigate the malware’s delivery vectors.

As cyber threats grow more advanced, staying informed is more crucial than ever. The increasing role of AI in fraud and the continued exploitation of vulnerabilities in the crypto space highlights the importance of vigilance, security best practices, and ongoing threat intelligence. Whether it’s avoiding AI-generated scams, securing private keys, or recognizing manipulative trading schemes, proactive defence is key. Stay safe, stay sceptical, and stay ahead of the threats. Until next time!

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: info@extropy.io

Get in touch today — let’s build safer smart contracts together!

Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm