Fake Zoom Link Triggers Million-Dollar Crypto Assets Theft; Hacker Funding Flow Exposed
Fake Zoom Meeting Link Triggers Massive Crypto Assets Theft Incident
Recently, several users reported a phishing attack disguised as a Zoom meeting link. One victim lost up to a million dollars in Crypto Assets after clicking on the malicious link and installing software. In response to this incident, the security team conducted an in-depth analysis and tracked the flow of funds from the hackers.
Link Analysis
Hackers use domain names similar to "app.us4zoom.us" to disguise themselves as legitimate Zoom meeting links. The page closely resembles the actual Zoom meeting interface, and when users click the "Start Meeting" button, it triggers the download of a malicious installation package instead of launching the local Zoom client.
Probing the domain revealed the address of the hacker's monitoring logs. After decryption, these turned out to be logs of attempts to send messages via the Telegram API, written in Russian. The site had been online for 27 days; the hacker may be Russian and had been looking for targets to deploy the malware to since November 14, using the Telegram API to monitor whether a target clicked the download button on the phishing page.
Malware Analysis
The malicious installation package is named "ZoomApp_v.3.14.dmg". When opened, it lures the user into executing the malicious script ZoomApp.file in Terminal and asks for the local machine password.
After decoding the execution content of the malicious file, it was found to be a malicious osascript script. This script searches for and runs a hidden executable file named ".ZoomApp". Disk analysis of the original installation package indeed revealed this hidden executable file.
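A host-side detection for the launch chain described above (an AppleScript or shell interpreter starting a hidden dot-file from a mounted disk image), written as an added example for this article rather than code from the security team's report. The event format and the sample events are constructed assumptions about what an endpoint agent would export; only the ".ZoomApp" name and the osascript launcher come from the analysis.

```python
import json
import posixpath
from typing import List, Optional, Tuple

# Constructed sample process-start events (not telemetry from the real incident).
# The field layout is an assumption about an EDR/endpoint agent's export format.
SAMPLE_EVENTS = """\
{"pid": 501, "parent": "/usr/bin/osascript", "exe": "/Volumes/ZoomApp/.ZoomApp"}
{"pid": 502, "parent": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "exe": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"}
{"pid": 503, "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "exe": "/Volumes/Installer/.hidden_helper"}
{"pid": 504, "parent": "/usr/bin/osascript", "exe": "/usr/bin/open"}
"""

MOUNT_PREFIX = "/Volumes/"   # where macOS mounts an opened .dmg image
# Interpreters that the ZoomApp.file script (or a similar dropper) would use as a launcher.
SCRIPT_HOSTS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh"}


def is_hidden_on_mounted_image(exe: str) -> bool:
    """True when the executable is a dot-file living on a mounted disk image."""
    return exe.startswith(MOUNT_PREFIX) and posixpath.basename(exe).startswith(".")


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one process-start event, or None if benign."""
    exe = event.get("exe", "")
    parent = event.get("parent", "")
    if not is_hidden_on_mounted_image(exe):
        return None
    # Highest confidence: a script interpreter launching the hidden binary,
    # which is exactly the chain ZoomApp.file -> .ZoomApp described in the analysis.
    if parent in SCRIPT_HOSTS:
        return "hidden-executable-from-dmg-via-script-host"
    return "hidden-executable-from-dmg"


def scan(events_text: str) -> List[Tuple[int, str]]:
    """Run classify() over newline-delimited JSON events; return (pid, label) hits."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["pid"], label))
    return findings
```

Running scan(SAMPLE_EVENTS) flags pid 501 (osascript launching .ZoomApp) at high confidence and pid 503 at lower confidence, while the genuine Zoom client and the benign osascript use are left alone.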
Malicious Behavior Analysis
Static Analysis
Uploading the binary to a threat intelligence platform showed that it had already been flagged as malicious. Static disassembly showed that the entry code is used for data decryption and script execution; the data section is mostly encrypted and encoded.
After decryption, it was found that the binary file ultimately executes a malicious osascript that collects user device information and sends it to the backend. The script enumerates different plugin ID path information, reads computer KeyChain information, collects system information, browser data, Crypto Assets wallet data, Telegram data, Notes data, and Cookie data, etc.
The collected information is compressed and sent to servers controlled by the hackers. Because the malware induces users to enter their password while running and then collects KeyChain data, the hackers may obtain users' wallet mnemonics, private keys, and other sensitive information, and use them to steal assets.
The IP address of the hacker's server is located in the Netherlands and has been flagged as malicious by the threat intelligence platform.
Dynamic Analysis
Executing the malicious program dynamically in a virtual environment and monitoring its processes confirmed that it collects local data and sends it to the backend.
Fund Flow Analysis
Analysis of the hacker address provided by the victim reveals that the hacker profited over 1 million USD, including USD0++, MORPHO, and ETH. Among them, USD0++ and MORPHO were exchanged for 296 ETH.
The hacker address had previously received small ETH transfers, suspected to be for covering transaction fees. The source address had sent small amounts of ETH to nearly 8,800 addresses, so it is possibly a platform dedicated to providing transaction fees.
296.45 ETH from the stolen funds has been transferred to a new address. This address is involved in multiple chains, and the current balance is 32.81 ETH. The main ETH transfer paths include transferring to multiple addresses, partially exchanging for USDT, and transferring to exchanges such as Gate.
These downstream addresses are associated with multiple trading platforms (Bybit, Cryptomus.com, Swapspace, Gate, and MEXC) for onward transfers, and are linked to several addresses labelled Angel Drainer and Theft. Some ETH still remains at one address.
USDT transaction traces show that funds were transferred to platforms such as Binance, MEXC, and FixedFloat.
Security Recommendations
This type of attack combines social engineering with Trojan techniques, so users need to be particularly vigilant. It is recommended to carefully verify a meeting link before clicking it, avoid executing software and commands from unknown sources, and install antivirus software and keep it updated. Users can refer to relevant safety manuals to improve their security awareness and protective capabilities.
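A concrete form of the "verify the meeting link" advice, covering the lookalike domain from the Link Analysis section: an added example for this article, not code from the security team. The allow-list of legitimate Zoom domains is an assumption to be adjusted by the reader; the check trusts only hosts that are exactly, or true subdomains of, those domains, so a hostname that merely contains "zoom" (such as app.us4zoom.us) is rejected.

```python
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains that genuine Zoom meeting links use.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def zoom_link_verdict(url: str) -> str:
    """Classify a meeting link as 'trusted', 'lookalike' or 'untrusted'.

    Only the parsed host is considered, so tricks such as 'zoom.us@evil.example'
    (the real host is after '@') and 'zoom.us.evil.example' (the real domain is
    the suffix) are not trusted either.
    """
    parts = urlsplit(url.strip())
    # Meeting links are served over HTTPS; anything else is not trusted.
    if parts.scheme.lower() != "https":
        return "untrusted"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    # Exact registrable domain, or a real subdomain of it (note the leading dot).
    for dom in ZOOM_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    # Host borrows the brand name without being under the real domain.
    if "zoom" in host:
        return "lookalike"
    return "untrusted"


def check_links(urls):
    """Map each link to its verdict; handy for scanning a calendar invite or mail."""
    return {u: zoom_link_verdict(u) for u in urls}
```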