Also: NodeCordRAT Malware, North Korean QR-Phishing Campaign

This week, Information Security Media Group highlights significant cybersecurity incidents concerning digital assets. Two U.K. cryptocurrency exchanges face allegations of facilitating Iranian sanctions evasion, NodeCordRAT malware has been distributed through npm packages, and the FBI has warned about North Korean QR-code phishing campaigns. In 2025, illicit cryptocurrency transactions surged to $154 billion, and U.S. President Donald Trump has denied any possibility of pardoning Sam Bankman-Fried.
U.K. Crypto Exchanges Linked to IRGC Sanctions Evasion
U.K.-based cryptocurrency platforms Zedcex and Zedxion have emerged as pivotal actors in a network allegedly supporting Iran’s Islamic Revolutionary Guard Corps (IRGC). This conclusion stems from analyses conducted by TRM Labs, which found that both exchanges appeared to operate jointly despite being registered separately, sharing management and operational resources. Between 2023 and 2025, wallets affiliated with these exchanges processed nearly $1 billion related to IRGC activities, peaking at 87% of their transaction volume in 2024.
The connections to Babak Zanjani, an Iranian financier under previous sanctions for laundering oil revenues, illustrate the depth of the operations. Transaction data indicates a dominance of stablecoin transactions via the Tron blockchain, thereby positioning Zedcex as a clearing hub rather than a conventional retail exchange. Notably, there were direct transfers over $10 million to an individual designated by the U.S. as a financier for Houthi militants.
Distribution of NodeCordRAT Malware via Malicious NPM Packages
Recent research identified three malicious npm packages, uploaded by a user known as “wenmoonx,” which served as conduits for the dissemination of a new remote access Trojan, NodeCordRAT. These packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—were designed to mimic legitimate Bitcoin ecosystem components and garnered thousands of downloads from developers before their deletion in November.
According to Zscaler ThreatLabz, once installed, NodeCordRAT can use Discord servers for command-and-control communications and has the capability to compromise Google Chrome credentials, API tokens, and cryptocurrency wallet seed phrases, including those from MetaMask. This underscores the risk to the developers who inadvertently installed the packages.
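To check a project for the three package names reported above, the following added example (not code from Zscaler or from this article) scans a parsed package-lock.json in either lockfile layout. The function names, the sample lockfile and its version strings are constructed for illustration.

```javascript
// Added example. Names are the three reported in the article; sample data is constructed.
const FLAGGED = new Set(["bitcoin-main-lib", "bitcoin-lib-js", "bip40"]);
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (root) -> null
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Takes a parsed package-lock.json and returns every install of a flagged name.
function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. An aliased install
    // carries the real package name in "name", so prefer it over the folder name.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = (meta && meta.name) || nameFromPath(path);
      if (name && FLAGGED.has(name)) {
        hits.push({ name, version: (meta && meta.version) || null, via: path });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so walk it recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (FLAGGED.has(name)) {
        hits.push({ name, version: meta.version || null, via: here.join(" > ") });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: one direct install, one nested install, one alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/bip40": { version: "0.0.0-sample" },
    "node_modules/helper/node_modules/bitcoin-lib-js": { version: "0.0.0-sample" },
    "node_modules/btc-utils": { name: "bitcoin-main-lib", version: "0.0.0-sample" },
  },
};
console.log(findFlaggedPackages(sampleLock));
```

Against a real project, pass the function the result of `JSON.parse` on the contents of package-lock.json. The `via` field shows which dependency path pulled the package in, including installs hidden behind an alias.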
FBI Issues Alert on North Korean QR-Code Phishing Campaigns
The FBI has issued an advisory regarding North Korean hackers employing malicious QR codes in targeted phishing campaigns aimed at U.S. and international entities. The agency associates these activities with the Kimsuky group, also known as APT43, which utilizes a technique termed “quishing.” The method aims to move victims onto mobile devices, bypassing traditional email security mechanisms.
During May and June, Kimsuky used QR codes in various campaigns, posing as diplomats and think tank staff members to solicit sensitive information, generate fraudulent secure links, and harvest credentials from Google accounts through deceptive login pages. The threat group is noted for taking advantage of DMARC misconfigurations to enhance the legitimacy of its phishing attempts, significantly increasing the potential for successful attacks. These include the theft of session tokens, which could compromise multi-factor authentication and further facilitate the group's phishing activities.
Illicit Cryptocurrency Activity Reaches $154 Billion in 2025
Illicit cryptocurrency operations soared to unprecedented levels in 2025, with state actors increasingly leveraging criminal networks to circumvent global financial restrictions. The findings from a Chainalysis report indicate that illicit addresses received approximately $154 billion throughout the year, representing a notable 162% increase from the prior year, predominantly driven by sanctions evasion activities. This figure is anticipated to rise as additional illicit addresses are uncovered, emphasizing the ongoing challenges posed by state-linked activities.
Prominent among these activities, North Korean hackers reportedly stole $2 billion, primarily from a notorious $1.5 billion exploit on Bybit. Russia utilized the ruble-backed A7A5 stablecoin extensively, while networks aligned with Iran and organized crime in China played significant roles in these operations, predominantly within the growing realm of cross-border crypto crime involving stablecoins, which constituted 84% of illicit transaction volume.
Trump Declines to Pardon Ex-FTX CEO Sam Bankman-Fried
President Donald Trump has reportedly stated that he will not grant clemency to Sam Bankman-Fried, the former CEO of FTX, despite speculation regarding possible pardons for various individuals involved in controversial cases. In an interview with The New York Times, Trump clarified that Bankman-Fried would not be included in his considerations for clemency.
Bankman-Fried was convicted of multiple charges related to fraud and conspiracy following the collapse of FTX in 2023 and is currently serving a 25-year prison term. This decision marks a departure from Trump’s previous actions to grant pardons, such as those for former Binance CEO Changpeng Zhao and Silk Road founder Ross Ulbricht. Trump also reiterated his commitment to the broader cryptocurrency sector, which continues to be a focal point in his political narrative.