Three crypto stories in one week: the SEC’s X account was compromised via SIM swap and used to post a fake Bitcoin ETF approval — spiking BTC by $2,000 before the tweet was removed — while North Korea’s state-sponsored hackers confirmed $600 million stolen in 2023 (nearly a third of all global crypto theft), and a new Mirai-based botnet called NoahBot began brute-forcing SSH servers to deploy XMRig crypto miners at scale.
Stories Covered
SEC X Account SIM-Swapped: Fake Bitcoin ETF Tweet Moves Markets Before Being Deleted
On January 9, 2024, the official @SECgov account on X posted an announcement claiming the Securities and Exchange Commission had approved spot Bitcoin ETFs. The tweet was false — it was posted by attackers who had taken control of the account. It remained live for approximately 30 minutes before being removed. In that window, Bitcoin’s exchange rate spiked roughly $2,000. The following day, the SEC actually did approve 11 spot Bitcoin ETFs, which made the fake tweet a day-early preview of real news — and made the market manipulation window smaller than it would have been with a fully false claim. Malwarebytes reported that the attackers gained control of the account by obtaining the phone number associated with the @SECgov account through a third party, consistent with a SIM swap attack. In a SIM swap, an attacker contacts the victim’s mobile carrier, impersonates the account holder using information gathered from prior breaches or public sources, and convinces the carrier to transfer the victim’s phone number to a SIM card the attacker controls. Once the number transfers, the attacker can receive SMS verification codes, perform password resets, and bypass any account security that relies on SMS-based two-factor authentication.
The SEC did not have two-factor authentication enabled on the X account at the time of the compromise. This is the key technical failure: if app-based 2FA had been configured, a SIM swap would not have been sufficient to access the account, because the authentication token would have been generated by an authenticator app on a specific device rather than delivered via SMS to a phone number that could be hijacked. X offers non-SMS 2FA to premium subscribers via authenticator app or hardware key. The gap here was straightforward and preventable. For any account with significant public influence — particularly one capable of moving financial markets — app-based or hardware-key 2FA is the minimum acceptable configuration. SMS-based authentication is a single social-engineering call to a carrier away from being bypassed. The broader lesson from the pump-and-dump structure is that the attackers likely positioned in Bitcoin before posting the fake announcement and sold into the resulting spike, making the market manipulation the actual objective. The fake tweet was the mechanism, not the end goal.
North Korea Stole $600 Million in Crypto in 2023 — Nearly a Third of All Global Theft
Threat intelligence reporting confirmed that North Korea-affiliated hacking groups stole at least $600 million in cryptocurrency during 2023, accounting for nearly a third of all funds stolen in crypto attacks worldwide that year. The 2023 total represents a 30% reduction from 2022’s estimated $850 million haul, though researchers noted that additional breaches targeting the crypto sector in late 2023 could push the actual figure to approximately $700 million. Since 2017, North Korean state-sponsored hackers have stolen an estimated $3 billion in total from the cryptocurrency ecosystem. The funds are laundered through a consistent pattern: stolen assets are swapped into USDT or TRON and converted to hard currency through high-volume over-the-counter brokers. The U.S. Treasury Department sanctioned a crypto mixing service called Sinbad after it was found to have processed a portion of these proceeds, but North Korean groups have continued adapting their money laundering infrastructure as specific tools are shut down.
The scale of North Korea’s crypto theft operation represents state-sponsored cybercrime functioning as a primary revenue stream for a sanctioned government. These are not opportunistic criminal groups — they are organized, funded, and operating with the resources of a national intelligence apparatus applied to financial theft. The technical sophistication spans compromised private keys, wallet seed phrase theft, targeted malware campaigns, and social engineering against cryptocurrency platform employees. Crypto platforms present an unusual threat model: unlike a bank heist where physical constraints limit what can be taken, a successful private key compromise transfers assets instantly and irreversibly. There is no dispute process, no fraud reversal mechanism, and no central authority to halt a transaction. For individual holders, the implication is that private key hygiene — hardware wallets, offline seed phrase storage, and skepticism about phishing attempts impersonating exchange support — is the primary defense against the kind of operations North Korea is running at scale.
NoahBot: Mirai-Based SSH Brute-Forcer Deploys XMRig Crypto Miner at Scale
A new Mirai-derived botnet called NoahBot has been running a crypto mining campaign since early 2023, targeting internet-exposed SSH servers through dictionary-based brute-force attacks. Mirai’s source code was leaked in 2016 and has since spawned a continuous lineage of derived botnets — NoahBot is the latest in that line. The botnet’s spreader module scans for SSH servers susceptible to brute-force login, attempts to authenticate using common credential combinations, and on success writes an SSH public key to the victim server’s authorized keys file, establishing a persistent backdoor that survives password changes. The botnet then deploys an XMRig miner to consume the compromised server’s CPU resources for Monero mining. Unlike most mining botnets that embed the wallet address directly in the miner binary, NoahBot obfuscates its miner configuration and routes mining revenue through a custom mining pool, preventing security researchers from tracking the wallet address receiving the proceeds.
NoahBot also includes a wormable self-spreading capability, meaning it can propagate from newly infected hosts without additional attacker interaction. A worm is among the most dangerous malware capabilities because spread is not bounded by attacker capacity — each infected node becomes a new spreader, creating exponential growth potential until the worm runs out of vulnerable targets. Researchers also noted possible connections to P2P Infect, a Rust-based malware family recently updated to target routers and IoT devices. The use of Rust is significant from a detection standpoint: security tooling and behavioral signatures are more mature for malware written in older languages like C and Visual Basic; Rust and Go-based malware present fewer historical samples for antivirus vendors to train on, making detection harder in practice. SSH brute-force attacks targeting servers with weak or default credentials are not novel, but the combination of wormable spread, credential brute-forcing, SSH backdoor installation, and obfuscated wallet configuration in a single botnet represents a meaningfully more capable threat than earlier generation mining botnets. Exposing SSH to the internet with password authentication enabled — rather than key-only authentication and IP allowlisting — is the surface NoahBot is exploiting.
Leave a Reply