Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. This is probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code in distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding the “[System Process]” and “System” processes, and gets the exact OS version from the following values under the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10 onwards, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware uses a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form-data separator string “jeus”.

Encryption and a custom separator string on their own wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading the collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.
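As an added example (not part of the original report), the following Python decodes a captured request body of the kind described above and recovers the exfiltrated host profile. The XOR key, the GIF89a disguise, the “jeus” separator and the “temp.gif” file name come from the report; the multipart field names and the sample host profile are constructed assumptions, since the report does not reproduce the exact request layout.

```python
"""Decode the disguised host-profile upload (added example, not from the report).

Known from the report: 16-byte XOR key, GIF89a fake header, "jeus" multipart
boundary and the "temp.gif" file name.  Field names and the sample profile
below are constructed assumptions.
"""

XOR_KEY = b"Moz&Wie;#t/6T!2y"   # hardcoded key quoted in the report
GIF_MAGIC = b"GIF89a"           # magic number prepended to the ciphertext
BOUNDARY = b"jeus"              # multipart separator quoted in the report


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_multipart(body: bytes, boundary: bytes = BOUNDARY) -> list:
    """Return (headers, content) pairs for each part of a multipart/form-data body.

    Splits on the delimiter literally, which is enough for a captured sample;
    a production parser would also guard against the delimiter appearing
    inside binary part content.
    """
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--jeus--"
            break
        headers, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        parts.append((headers, content))
    return parts


def find_file_part(parts, filename: bytes):
    """Return the content of the part whose Content-Disposition names `filename`."""
    for headers, content in parts:
        if b'filename="' + filename + b'"' in headers:
            return content
    return None


def decode_upload(blob: bytes) -> bytes:
    """Strip the GIF89a disguise and undo the XOR to get the host profile."""
    if not blob.startswith(GIF_MAGIC):
        raise ValueError("expected a GIF89a-prefixed blob")
    return xor_with_key(blob[len(GIF_MAGIC):])


def recover_profile(request_body: bytes) -> bytes:
    """Full pipeline over a captured POST body: locate temp.gif, then decode it."""
    blob = find_file_part(split_multipart(request_body), b"temp.gif")
    if blob is None:
        raise ValueError('no part with filename="temp.gif" found')
    return decode_upload(blob)


def build_sample_request(profile: bytes) -> bytes:
    """Constructed sample of what such an upload could look like on the wire."""
    delimiter = b"--" + BOUNDARY
    return b"".join([
        delimiter, b"\r\n",
        b'Content-Disposition: form-data; name="cmd"\r\n\r\n',   # field name: assumption
        b"get_config\r\n",
        delimiter, b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n',
        b"Content-Type: image/gif\r\n\r\n",
        GIF_MAGIC + xor_with_key(profile), b"\r\n",
        delimiter, b"--\r\n",
    ])


# Constructed host profile in the shape the report describes: a "%09d-%05d"
# identifier followed by the registry values that the updater collects.
SAMPLE_PROFILE = (
    b"000123456-01234\n"
    b"ProductName=Windows 10 Pro\n"
    b"CurrentBuildNumber=17134\n"
    b"ReleaseId=1803\n"
)

if __name__ == "__main__":
    print(recover_profile(build_sample_request(SAMPLE_PROFILE)).decode())
```

Because the XOR is symmetric and the key is fixed, the same decoder turns any captured “temp.gif” upload from this updater back into plaintext, which is what an incident responder wants in order to know exactly which host details left the network.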

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1
Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2
Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 00:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 07:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or in a default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any argument, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater: without such a “secret” extra argument, no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.
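The persistence mechanism described above is easy to audit. As an added example (not the report’s own tooling), the Python below walks the standard launchd directories, which the report does not name, and flags plist files that are dot-prefixed or that start a program at load with the “CheckUpdate” argument. The launchd directories, the sample plist contents and the program path are assumptions; only the file name “.com.celastradepro.plist” and the argument come from the report.

```python
"""Find dot-prefixed or otherwise odd launch items (added example, not from the report).

The report gives the file name ".com.celastradepro.plist" and the "CheckUpdate"
argument; the directories scanned and the sample plists are assumptions.
"""
import os
import plistlib
import tempfile

# Standard launchd locations; the report does not say which one the app used.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def inspect_plist(path: str) -> dict:
    """Pull the fields that matter for triage out of one launchd plist."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments")
    if args is None:
        args = [data["Program"]] if "Program" in data else []
    return {
        "label": data.get("Label", ""),
        "args": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "hidden": os.path.basename(path).startswith("."),
    }


def triage_reasons(info: dict) -> list:
    """Heuristics drawn from the behaviour the report describes."""
    reasons = []
    if info["hidden"]:
        reasons.append("dot-prefixed file name (unlisted by Finder and plain ls)")
    if info["run_at_load"] and "CheckUpdate" in info["args"][1:]:
        reasons.append("RunAtLoad with the CheckUpdate argument")
    return reasons


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Return (path, reasons, info) for every plist that trips a heuristic.

    os.listdir() returns dot-files, unlike a default `ls`, which is the point:
    the hidden plist only hides from a casual listing.
    """
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                info = inspect_plist(path)
            except (plistlib.InvalidFileException, OSError, KeyError):
                continue                      # unreadable or not a plist
            reasons = triage_reasons(info)
            if reasons:
                findings.append((path, reasons, info))
    return findings


def write_plist(directory: str, name: str, label: str, args: list, run_at_load: bool) -> str:
    """Write a minimal launchd plist (used only to build the constructed sample)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": args, "RunAtLoad": run_at_load}, fh)
    return path


def demo() -> list:
    """Constructed LaunchAgents directory with one benign and one suspicious item."""
    with tempfile.TemporaryDirectory() as tmp:
        write_plist(tmp, "com.example.backup.plist", "com.example.backup",
                    ["/usr/local/bin/backup", "--nightly"], True)
        # Shape of the item the report describes; the program path is an assumption.
        write_plist(tmp, ".com.celastradepro.plist", "com.celastradepro",
                    ["/Applications/CelasTradePro.app/Contents/MacOS/Updater", "CheckUpdate"], True)
        return [(os.path.basename(p), r) for p, r, _ in scan_launch_dirs([tmp])]


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Run without arguments on a live Mac, `scan_launch_dirs()` inspects the real launchd directories; `demo()` exercises the same logic on a throwaway directory so the heuristics can be checked offline.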

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with GIF89a header and uploaded to the C2 server via HTTP POST and the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, it checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response is code 200, then the updater gets the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data, which is compared to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”, given executable permissions for all users and started with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by the Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
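The response handling of both updaters (the Windows variant described in the “Communication with the C2 server” section and the macOS variant above) can be reproduced by an analyst who has a captured response and wants the delivered payload. The following Python is an added example, not the report’s or the malware’s code: it decodes base64, decrypts with RC4 under the key quoted in the report, and then applies the variant-specific check (the “MAX_PATHjeusD” prefix for Windows, the embedded MD5 for macOS). Whether the macOS build also strips a prefix is not stated in the report; this code assumes it does not. The RC4 routine is implemented inline so that the script has no dependencies.

```python
"""Decode the updater's C2 response (added example, not from the report).

Known from the report: HTTP 300 means "no task", HTTP 200 carries
base64(RC4(payload)) under the key "W29ab@ad%Df324V$Yd", the Windows
payload is prefixed with "MAX_PATHjeusD", and the macOS updater checks an
embedded MD5 of the decrypted data.  ASSUMPTION: the macOS build keeps the
decrypted data as-is (no prefix to strip).
"""
import base64
import hashlib

RC4_KEY = b"W29ab@ad%Df324V$Yd"   # second hardcoded key quoted in the report
WIN_MARKER = b"MAX_PATHjeusD"     # prefix seen on the decrypted Windows payload


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_windows_response(status: int, body: bytes):
    """Return the dropped executable, or None when the server says 'stay quiet'."""
    if status == 300:
        return None
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    plain = rc4(RC4_KEY, base64.b64decode(body))
    if not plain.startswith(WIN_MARKER):
        raise ValueError("decrypted data lacks the MAX_PATHjeusD marker")
    return plain[len(WIN_MARKER):]


def decode_macos_response(status: int, body: bytes, expected_md5_hex: str):
    """macOS variant: same decode, then an integrity check against an embedded MD5."""
    if status == 300:
        return None
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    plain = rc4(RC4_KEY, base64.b64decode(body))
    if hashlib.md5(plain).hexdigest() != expected_md5_hex:
        raise ValueError("MD5 mismatch: payload corrupted or tampered")
    return plain


def build_windows_response(payload: bytes) -> bytes:
    """Constructed body of a 200 response carrying `payload` (for testing)."""
    return base64.b64encode(rc4(RC4_KEY, WIN_MARKER + payload))


def build_macos_response(payload: bytes):
    """Constructed 200 body plus the MD5 the updater would carry for it."""
    return base64.b64encode(rc4(RC4_KEY, payload)), hashlib.md5(payload).hexdigest()


if __name__ == "__main__":
    fake_exe = b"MZ\x90\x00" + b"constructed payload"   # not a real executable
    print(decode_windows_response(200, build_windows_response(fake_exe)))
    body, digest = build_macos_response(fake_exe)
    print(decode_macos_response(200, body, digest))
    print(decode_windows_response(300, b""))
```

The MD5 check on the macOS side is an integrity check only: the key is hardcoded in the client, so anyone who has the binary can produce a response that passes it, and it says nothing about the origin of the payload.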

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created on the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contains a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    • The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module
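The dropper steps listed earlier and the loader’s read of its own tail describe one file layout: 10,240-byte chunks of junk, then a 16-byte key, then 260 bytes of encrypted path. As an added example (not code from the report), the Python below checks whether a file size fits that layout and carves the trailing 276 bytes into key and ciphertext. The report does not describe the loader’s cipher, so `placeholder_decrypt` is an XOR stand-in used only to make the constructed sample round-trip; the sample key and the junk bytes are constructed. The path used in the sample is the one the report recovered.

```python
"""Carve the loader's trailing key and path (added example, not from the report).

Layout from the report: [service]svc.dll is 10,240-byte chunks of junk
repeated (rand() % 10 + 10240) times, followed by a 16-byte key and 260 bytes
of encrypted file path (276 bytes in total).  The loader's cipher is not
described, so `placeholder_decrypt` is an XOR stand-in, not the real routine.
"""
import os

CHUNK = 10240
MIN_ITERS, MAX_ITERS = 10240, 10240 + 9   # rand() % 10 + 10240
KEY_LEN, PATH_LEN = 16, 260               # 260 == MAX_PATH
TRAILER = KEY_LEN + PATH_LEN              # 276 bytes read from the end


def plausible_loader_size(size: int) -> bool:
    """True when size == CHUNK * iterations + TRAILER for an allowed iteration count.

    The loader the report recovered, 104,878,356 bytes, is 10240 * 10242 + 276.
    """
    body = size - TRAILER
    return body > 0 and body % CHUNK == 0 and MIN_ITERS <= body // CHUNK <= MAX_ITERS


def carve_trailer(blob: bytes):
    """Split the last 276 bytes into (key, encrypted_path)."""
    if len(blob) < TRAILER:
        raise ValueError("file too short to hold the 276-byte trailer")
    tail = blob[-TRAILER:]
    return tail[:KEY_LEN], tail[KEY_LEN:]


def placeholder_decrypt(key: bytes, data: bytes) -> bytes:
    """ASSUMPTION: repeating-key XOR stand-in; the real algorithm is not on the page."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload_path(blob: bytes) -> str:
    """Key + decrypted, NUL-terminated path of the encrypted backdoor body."""
    key, enc_path = carve_trailer(blob)
    path = placeholder_decrypt(key, enc_path).split(b"\0", 1)[0]
    return path.decode("latin-1")


def build_sample_loader(key: bytes, path: str, iterations: int = MIN_ITERS) -> bytes:
    """Constructed file with the described layout (junk + key + encrypted path).

    The real loader has its DLL code written over the start of the junk;
    that part is irrelevant to the carve and is left as junk here.
    """
    if len(key) != KEY_LEN:
        raise ValueError("key must be 16 bytes")
    padded = path.encode("latin-1").ljust(PATH_LEN, b"\0")[:PATH_LEN]
    junk = os.urandom(CHUNK * iterations)
    return junk + key + placeholder_decrypt(key, padded)


if __name__ == "__main__":
    sample = build_sample_loader(b"0123456789abcdef", r"C:\Windows\system32\uploadmgr.dat")
    print(len(sample), plausible_loader_size(len(sample)))
    print(recover_payload_path(sample))
```

The size test is a cheap triage filter for a file system sweep: a service DLL whose size is 276 bytes more than a multiple of 10,240, in the narrow band the dropper can produce, is worth a closer look even before its contents are examined.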

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to the default C2 server addresses:

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files into a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and the financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address, which appears to have been used exclusively for that domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, and that it refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector around the world. This was also confirmed by other security vendors and by the US national CERT.

RC4 key from the older Fallchill

Fallchill malware uses a RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in the hardcoded headers used to communicate with the C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

The Solana Surge: How Print Protocol is Revolutionizing DeFi with Secure Trading and Revenue Sharing 3076

As the Solana Summer and the overall crypto market continue to evolve, the landscape of decentralized finance (DeFi) remains in constant flux. The period of late 2023 and early 2024 marked a significant resurgence in the crypto markets, with Solana ($SOL) at the forefront, reminiscent of past booms in the blockchain industry.

One of the standout phenomena driving this resurgence was the wave of Solana memecoins, notably $BONK and $WIF, which ignited a meme-mania across the community. This surge in activity not only drew considerable attention to the Solana blockchain but also solidified its reputation as a prime destination for developers and investors alike.

Why Solana? Why Now?

For those new to the world of DeFi and Solana, understanding the basics is crucial. Solana is like a super-fast, magical playground where people can create and trade digital tokens safely and quickly. Now, these tokens are getting more popular and valuable, especially with fun, catchy names like $BONK and $WIF.

Print Protocol on Solana seamlessly integrates into this burgeoning ecosystem by offering unique features designed to empower everyday investors. At the heart of this platform is PrintDex, a decentralized exchange (DEX) that prioritizes user security and fairness. PrintDex incorporates sophisticated anti-bot mechanisms and maximum wallet limits, ensuring that users can trade tokens without the fear of being overwhelmed by large wallet dumps that can destabilize markets. This means that even those new to crypto trading, the average Joe, can engage in trading with confidence and peace of mind, knowing their investments are safeguarded against manipulative practices and constant dumping.

Moreover, PrintDex goes beyond just providing a safe trading environment. By holding $PRINT tokens, users can benefit from an innovative H2E (Hold to Earn) model, and a Revenue Share Model, where they earn a share of the revenue generated by PrintDex. This model transforms passive holding into a lucrative venture, offering a steady rewards stream derived from the exchange’s trading activities. As a result, Print on Solana not only democratizes access to secure trading but also allows investors to share in the success and growth of the platform, making it a compelling choice for both seasoned traders and newcomers alike.

Why Print?

Through all the chaos and memes the team at $PRINT (@PrintProtocol) figured out the first ever auto-rewards token to reward holders in $SOL, to the success of a 30M MC all-time-high. Before $PRINT launched in late January of this year, a taxed token had never existed on-chain, let alone one with a working auto-rewards script. Using Token-2022, a token program on the Solana Blockchain, the team was able to bring something innovative to Solana users.

As 2024 has passed, Print Protocol has continued its long-term development, putting their focus into continued innovation through a relatively unexplored feature of Solana, Transfer Hook Extensions.

All of this has led to the team recently rolling out ‘PrintDEX’ (https://www.printdex.io/), the first ever Decentralized Exchange on Solana to offer maximum transaction limits, max wallet limits, taxes and more, all through Token-2022 support and transfer hook extensions.

In addition to rewarding holders through an 8% token tax, the team has also recently implemented Revenue Sharing through transactional fees on the DEX. A nominal 0.0005 $SOL fee is accumulated for every transaction on PrintDEX with 60% going directly back to holders in $SOL.

As development on the DEX continues, the backend team at $PRINT hold public X/Twitter spaces a few times a month to update the community and discuss the outlook for Print Protocol. The team will be in attendance at Solana Breakpoint this fall and continues to build robust partnerships and support within the Solana community.

Learn more about Print Protocol here:
X: https://x.com/PrintProtocol
X: https://x.com/printdexSol
Telegram: https://t.me/printsolana
Website: https://printsolana.com/
DEX: https://www.printdex.io/

Dora Announces Progression Into A Unified Multichain and MultiVM Explorer 4163

Dora 2.0 Update Allows searchability across 10+ chains alongside bridging, and swapping across all supported chains & expansion into new VM ecosystems

Dora, the unified search, discovery, & action engine for the multichain world, is excited to announce a series of significant upgrades to its services, which will provide Dora users with a unified search view, and actions interface to enable bridging and swapping for more than 10 chains, including Ethereum, Base, Rari, Xai, Palm Network, Gnosis, Scroll, and more. Current blockchain services can be highly siloed, with significant barriers or friction for interoperability, innovation and liquidity. The launch of the Dora 2.0 Update is a key step in Dora’s vision to support the progression towards a multichain and multiVM world by providing an unfragmented and unified multichain experience. Due to Dora’s recent agreement with Movement and Fluent, Dora will also progress to be the first multiVM block explorer. This will make Dora the only block explorer that allows users to not only search EVM chains but also review their SVM, Wasm, and Move interactions within the same interface, streamlining the user experience and reducing the complexity of managing and reviewing transactions.

The announcement encompasses three key updates:

  • Dora Search – Unified Multichain Search Capabilities: Dora 2.0 allows Dora to seamlessly integrate new chains into their platform, progressing Dora from a single chain search engine to a unified multichain discovery engine, with initial support for over 10 chains.
  • Dora Actions – Multichain, bridging, and swapping: Dora 2.0 will provide Dora users a unified interface for onchain actions, called Dora Action. This will support bridging, and swapping across all chains that integrate with Dora, providing a seamless user experience.
  • Dora Profiles – Multichain Portfolio View: Starting in Q3 2024 Dora 2.0 will offer users visibility on all their transactions, collections and interactions across the multichain world in one unified view.
  • Dora MultiVM Discovery Engine & Block Explorer: Starting in Q3 2024, Dora 2.0 is expanding into new Virtual Machine Ecosystems such as Move with Movement, and SVM & Wasm with Fluent, becoming the first unified MultiVM block explorer & search engine.

“Dora 2.0 is a key step in our vision to provide an unfragmented and unified multichain and now multiVM experience,” said Bunny, CEO and Co-Founder of Dora. “We believe that mass adoption of crypto is contingent on reducing the barriers and frictions between the constantly growing number of chains. Users should be able to access any ecosystem they want without having to undertake the technical complexities to get onboarded into a new chain. We look forward to continuing to expand the number of chains supported on Dora in the coming weeks and months, and continuing Dora’s expansion into multiVM with Movement, Fluent, and other virtual machines.”

As part of Dora’s new capacity for multichain bridging, minting and swapping, Dora is proud to partner with Privy as a wallet service provider and Decent for the execution of cross-chain swaps and transactions.

“Dora is consistently on the cutting edge of crypto, and they pioneered the first multichain block explorer with real-time latency. This was a generational leap ahead for the industry but especially so for a few groups – in particular, we’ve heard from many gaming and NFT customers that those 2 qualities are especially important when it comes to how they build their product and community. We are excited to expand into the MultiVM world with them,” said Kevin Li, Goldsky CEO & Co-Founder.

“At SimpleHash, we strongly believe that Dora is at the forefront of the crypto world, leading the charge with a superior user experience and being multichain native – their values align with ours, which is why we’re so proud to support them,” said SimpleHash Founder, Olly Wilson. “They’re doing important work to make navigating the world of crypto and onboarding the next wave of a billion users easier. We look forward to continuing our work into new VM ecosystems like Movement & Fluent.”

The announcement follows Dora’s recent closure of a $5.5M Early Stage Funding Round co-led by Dragonfly and Lemniscap.

About Dora

Dora is the Unified Discovery Engine for the Multichain World. We collaborate with a multitude of blockchain networks and rollup teams to provide comprehensive block explorer and search solutions. Our mission is to enhance the accessibility of on-chain data through innovative search capabilities, driving discovery and mass adoption of blockchain technology.

For more information, users can visit about.ondora.xyz

Masa Launches LLM-Powered AI Data Subnet on Bittensor, Bringing Hundreds of Developers into the Ecosystem

Masa also becomes the first live token in the Bittensor Subnet Ecosystem, introducing a new dual-token reward structure to incentivize contributors and democratize AI development.

Masa, a decentralized AI network where people earn by contributing data, today announced the launch of an AI Data Subnet on Bittensor, a protocol pioneering the decentralized production of artificial intelligence. Masa will leverage Bittensor’s peer-to-peer machine intelligence network to supercharge AI data aggregation, transformation, and access. Together, this empowers a world of Fair AI powered by the people, where AI developers can build anything, anywhere with the world’s data.

The AI sector of the crypto industry is projected to reach $10.2 billion in revenue by 2030, according to a research report from VanEck, while centralized AI has a projected market share value of $1.8 trillion by 2030. However, there is a clear demand for decentralized players, as the essential components of AI including compute, models, and data, should not be monopolized by centralized entities.

Value Proposition of the Masa Bittensor Subnet

Bittensor has amassed a $10 billion AI ecosystem since its launch in March 2023. Institutional validators, such as DCG subsidiary Foundry and Polychain, collectively staked a total of 5.7 million – or $1.8 billion worth of – $TAO. Bittensor operates through a central network consisting of smaller, specialized sub-networks, each dedicated to different areas of AI. With its sophisticated TAO economic model that incentivizes the production of high-value AI subnets, Bittensor is a significant player in the DeAI space.

Masa enables people from all over the world to contribute data and compute to AI development, without centralized control. Masa allows AI developers to build anything, anywhere with the world’s data. It facilitates the fair, open, and permissionless contribution of AI training data, compute, and bandwidth.

Similar to Bittensor’s incentive mechanism, Masa contributors – validators and workers – are rewarded based on the value of their contribution to the network, using game-theoretical frameworks that optimize a contributor’s utility on the network. This ensures an effective system that uses economic incentives to drive growth and the equitable expansion of Fair AI.

The Masa Bittensor Subnet provides real-time and static, structured, annotated, and vectorized data from a variety of data sources critical for AI development, such as X (Twitter), Discord, diarized speech (e.g. podcasts, YouTube, TikTok), gated web data (e.g. New York Times), and public web data (e.g. Google Search).

Real-time data can be used to build robust datasets or directly in system prompts for current context. Static data sets are constantly updated and stored by subnet workers for further processing into vectors to fuel Retrieval Augmented Generation (RAG) in AI agents. These data sets are processed and annotated using agentic data pipelines that employ fine-tuned LLMs trained on JSON and other formats to deliver high-quality outputs from volatile data inputs. AI developers have been using Masa data for a wide range of use cases, such as capturing trading signals and building hyper-personalized AI companions.

Members of the Masa and Bittensor communities can run a Masa worker node on low-power devices, including laptops, servers, or, in future, mobile devices, contributing compute and bandwidth from anywhere in the world.

$MASA Joins Bittensor Subnet Ecosystem as First and Only Live Token

Masa’s token, $MASA, now becomes the only live token for any subnet in the Bittensor ecosystem. In addition, Masa Protocol and Masa Bittensor Subnet validators and workers can earn dual-token staking rewards in $MASA and $TAO. Masa Foundation-owned TAO from operating the subnet will be used to support $MASA through buybacks or distributions as part of the emissions schedule.

Masa was the first AI project to debut on CoinList in 2024 via a 17-minute public sale in March. Over the last 2 years, Masa has grown to over 1.6 million contributors and over 100 developers in its network, where individuals earn by contributing data. Masa’s ecosystem of contributors, developers, and validators is expected to significantly enhance Bittensor’s performance and utility.

“As an early crypto builder and adopter who participated in Ethereum’s ICO in 2014, Bittensor reminds me of Ethereum’s ecosystem circa 2017,” said Brendan Playford, Co-founder of Masa. “While Bittensor is still in its early days, it has the potential to surpass Ethereum’s growth, fueled by the rapid expansion of Decentralized AI. DeAI has the potential to become even bigger than Bitcoin. At Masa, we are integrating into the Bittensor ecosystem to exponentially accelerate the development of Decentralized AI, with data serving as the new currency of Fair AI.”

To date, Masa has raised $18 million backed by DCG, Anagram, Republic Digital, Animoca, and was incubated by Binance and Hashkey.

“The launch of Masa’s subnet underscores the growing momentum in decentralized AI. We proudly support Masa as they advance both decentralized and broader AI development, which aligns deeply with our belief in the power of decentralized technologies,” said Evan Malanga, VP Strategy at DCG.

To participate in the Masa Bittensor Subnet, users can visit Masa’s website.

About Masa

Masa is a decentralized AI network, where people earn by contributing data. AI developers can build anything, anywhere with the world’s data. Users are welcome to join Masa’s mission to create Fair AI, powered by the people.

Cosmic Kittens (CKIT) Unveils Revolutionary Blockchain Gaming Experience

Cosmic Kittens (CKIT) is a new face in blockchain gaming that combines space-themed NFT cats with attractive P2E rewards.

Cosmic Kittens (CKIT) is set to make waves in the blockchain gaming sector with its innovative approach, merging space-themed NFT cats with engaging Play-to-Earn (P2E) mechanics. Built on the Ethereum blockchain, CKIT aims to revolutionize the GameFi landscape by blending meme coin appeal with the robust functionalities of Non-Fungible Tokens (NFTs).

Cosmic Kittens (CKIT): Pioneering a New Era in Crypto Gaming

Cosmic Kittens (CKIT) is not just another entrant in the crypto gaming arena; it’s a project with a vision to redefine the GameFi ecosystem. By integrating meme coins with NFTs, CKIT offers a unique gaming experience where NFTs are more than collectibles; they are the key to a futuristic gaming world. In the Cosmo Kittania Universe, players will nurture their NFT cats, known as Cosmic Kittens, each boasting unique abilities and traits. The gameplay involves caring for these galactic, superpowered NFTs, enhancing their strength and capabilities through attentive care and selective breeding, reminiscent of classics like Tamagotchi, Nintendogs, and Pokémon.

Economic Opportunities in Cosmic Kittens (CKIT) GameFi Ecosystem

Cosmic Kittens (CKIT) offers multiple monetization avenues within its GameFi ecosystem, providing players with high-value crypto assets and numerous ways to earn. These include:

  • NFT Kitten Trading: Players can buy, sell, and trade their unique NFT kittens in a dynamic marketplace.
  • CKIT Token Staking: Stake CKIT tokens to earn rewards and unlock exclusive game features.
  • Rocket Rewards Program: Participate in special missions and challenges to earn additional rewards.
  • Cosmic Sanctuary: A haven where NFT kittens can rest, rejuvenate, and enhance their abilities.
  • Breeding and Evolution: Enhance your NFT kittens by breeding them to produce new, more powerful offspring.

Presale Launch and Market Impact

Launched in 2024, Cosmic Kittens (CKIT) has quickly gained attention in the crypto gaming community. Its presale has been highly anticipated, reflecting the growing interest in immersive GameFi experiences that also offer substantial rewards. Analysts predict that the GameFi market, projected to reach $800 billion by 2030, will provide fertile ground for CKIT’s growth and success.

About Cosmic Kittens (CKIT)

Cosmic Kittens (CKIT) is a trailblazing project in the cryptocurrency gaming space, offering a unique blend of NFT and meme coin dynamics. By leveraging the booming GameFi market, CKIT provides players with a distinctive gaming experience enriched with high-value rewards and innovative gameplay mechanics.

For more information about Cosmic Kittens (CKIT) and to participate in the presale, visit:

Website: https://cosmickittens.online/

The Canton Network’s Global Synchronizer and Canton Coin Go Live

Leading market participants powering the Canton Network proudly announce the go-live of the Global Synchronizer, the Canton Network’s decentralized interoperability infrastructure. This launch marks a pivotal step towards unlocking the full potential of synchronized financial markets, providing first-of-its-kind connectivity for the tokenization and frictionless exchange of regulated financial assets and liabilities. The Global Synchronizer is going live after ten years of technological development, nearly a year of extensive testing (including powering the recent Canton Pilot program), and a vote in favor of the launch by each of the anchoring Network participants, known as super validators.

There is a growing industry need to deliver near-term efficiencies for the highest concentrations of tokenized assets, while also facilitating new opportunities as more applications and liquidity are brought on-chain. Canton Network delivers on both value propositions: it features the highest number of live use cases of real-world assets and is the only network that can handle the on-chain privacy, control, and interoperability of participants and their corresponding asset flows.

Organizations are engaging in the Network in a range of ways, including running a super validator, running a node, joining the Global Synchronizer Foundation, or running an application on the Network. Current participants in these various points of engagement include: 7RIDGE, Bitwave, Brale, Broadridge, Calastone, Copper.co, Cumberland DRW, Dfns, Digital Asset, EquiLend, Global Blockchain Business Council, Gravity Team, Hashnote, Hidden Road, Hydra X, InfStones, IntellectEU, Kaleido, LendOS, Liberty City Ventures, MPCH, Obsidian Systems, Ownera, QCP, SBI Digital Asset Holdings, Taurus, The Tie, Tradeweb, Validation Cloud, XBTO, XVentures, and Zodia Custody.

Revolutionizing Financial Connectivity

For the first time, market participants can harness the power of synchronized financial markets through the Global Synchronizer. The Global Synchronizer enhances interoperability on the Canton Network, an innovative public-permissioned blockchain network designed with the privacy and controls essential to facilitating the exchange of regulated financial assets. The Global Synchronizer is operated and governed in a decentralized manner, with internet-like scalability, ensuring that no single party controls the service and that there is no single point of failure, thereby harnessing the benefits of decentralized finance. This transformative infrastructure is set to revolutionize the way financial transactions are conducted, offering enhanced efficiency, reduced operational costs, and minimized risks.

“Canton Network participants have taken a long-term strategic view on what was needed to enable the modernization of synchronized global capital markets,” said Yuval Rooz, CEO and Co-Founder of Digital Asset. “Industry-leading firms have convened over the past year for the initial launch and subsequent testing of the Canton Network. We are excited to see the governance and incentive mechanisms in place to facilitate the adoption and use of the Network as it goes live.”

Open Governance with Linux Foundation and the Global Synchronizer Foundation

In conjunction with the Global Synchronizer’s operational go-live, the Linux Foundation is supporting the Global Synchronizer Foundation as an official project. The Global Synchronizer Foundation is an independent U.S.-based entity composed of forward-thinking market participants dedicated to ensuring that the Global Synchronizer is governed transparently in a decentralized manner with organizational neutrality to maintain its integrity. The Linux Foundation will support the Global Synchronizer Foundation under an open governance model that fosters trust and neutrality.

Introducing Canton Coin: Accelerating Connected Capital Markets

The Global Synchronizer includes a utility token, called Canton Coin, which is used to pay traffic fees for using the Global Synchronizer. Canton Coin can be minted by app builders and infrastructure providers who bring utility to the Global Synchronizer ecosystem, marking the first time a public network has rewarded both infrastructure providers and app developers. It is designed to incentivize third parties to build applications utilizing the Global Synchronizer, rewarding connections that accelerate connected capital markets. Network participants can use Canton Coin for Canton-native operations between participants and across applications globally on a 24×7 basis.

Hyperledger Splice: The Springboard for Additional Decentralized Infrastructure on the Canton Network

The Global Synchronizer is the first decentralized infrastructure for the Canton Network. To encourage additional infrastructure development, Digital Asset has open-sourced the core technology for decentralized Canton synchronization domains, including a native utility token, the same technology that powers the Global Synchronizer and Canton Coin. The technology is maintained by Hyperledger Labs under the name Splice to ensure that anyone seeking to set up their own decentralized synchronization domain for the Canton Network can do so freely.

About the Canton Network

The Canton Network is the financial industry’s first and only public chain that can achieve on-chain privacy, control, and interoperability, making it the most suitable network for institutional assets. The Network launched for testing with the participation of a group of leading financial institutions, infrastructure providers, technology firms, and consultants in August 2023. Initially built upon Digital Asset’s technology, the Network’s controls, governance, and app development have been open-sourced and decentralized to be managed by all participants, with the goal of fostering greater innovation and Network utility. The Canton Network’s design overcomes the shortfalls of existing blockchain networks by enabling previously siloed systems in finance to become interoperable and synchronized in ways that had been impossible before. Offering the privacy and controls required for highly regulated organizations, the Canton Network creates a safe environment in which assets, data, and cash can move freely across applications in real-time, unlocking new efficiencies and powering innovation.

Raiinmaker Brings Decentralized AI Network to Life With Mainnet Launch

Raiinmaker, the Web3 and AI technology company, has today launched on Mainnet, introducing advanced security features, enhanced scalability, and improved interoperability with other blockchains to its AI-powered network.

The launch of the Mainnet follows the completion of a successful testnet. This phase saw unprecedented participation with more than 100,000 Raiinmaker AI Super App mobile users now training generative AI directly from their iOS or Android phones and earning fractional rewards based on the value of their contributions to decentralized AI models and infrastructure. In the three months since its testnet launch, Raiinmaker app users have minted 120,000 NFTs and generated 270,000 pieces of AI art. Additionally, the network boasts 300,000 total desktop users and 215,000 independent validators, with more than 19 million transactions made on the network to date, and 57,000 users signed up with verified KYC.

J.D. Seraphine, CEO and Founder of Raiinmaker, said: “The Raiinmaker Mainnet launch marks the true awakening of a decentralized AI network powered by humans. We saw unprecedented participation in our testnet phase, a sign of not only the widespread interest in compelling AI programs, but also validation for Raiinmaker’s vision to reward people fairly for their contribution to shaping the future of AI. This technical milestone sets us up to spread this mission across more networks and to positively impact the lives of more people.”

At the same time, Raiinmaker welcomes accomplished senior executives Jennifer Booze and Wyatt Hilkene to its team. Joining from Polygon Labs, where she served as Global Head of Business Development, Booze previously held senior roles at leading technology companies such as Apple, Oracle Data Cloud, and TikTok, as well as Sequoia-backed Drawbridge. In her new role as Head of Business Development & Partnerships, she will be responsible for driving business growth as Raiinmaker enters a new chapter post-Mainnet launch.

Commenting on her appointment, Jennifer Booze, new Head of Business Development & Partnerships at Raiinmaker said: “I’m thrilled to join Raiinmaker at this transformative moment when decentralized AI is reshaping our future. Raiinmaker is at the forefront, driving innovation that not only advances the field but also incentivizes participation, enabling a model to learn and evolve in a democratized manner.”

In addition, Hilkene has been named Head of Operations at Raiinmaker. He has more than 10 years of experience in building pioneering networks and products focused on the interplay between the physical and digital worlds. Prior to his time at Raiinmaker, Hilkene served as Director of Operations at 4K Protocol, a venture-backed RWA protocol, where he spearheaded 4K’s operations and Web3 strategy.

Wyatt Hilkene, Head of Operations at Raiinmaker commented, “Joining Raiinmaker at this pivotal moment is incredibly exciting. I have tremendous faith in the exceptional team and technology behind Raiinmaker and I am honored to join its ranks. The Raiinmaker network’s potential to drive innovation and widespread adoption of both AI and blockchain is unparalleled. I look forward to helping lead the team through our Mainnet launch and beyond.”

This is the latest in a string of high-profile announcements for Raiinmaker, which unveiled its $7.5 million seed round earlier this year.

For more information, visit raiinmaker.com.

J.D. Seraphine, Jennifer Booze, and Wyatt Hilkene are available for interview upon request.

About Raiinmaker

Raiinmaker is accelerating the next generation of Web3 utilizing decentralized AI and a human-powered network.

Raiinmaker’s distributed AI training network integrates the scalability of Web3 with decentralized AI, redefining value creation based on digital identity, behavior, and reputation. Powered by the Raiinmaker Network, the Raiinmaker AI Super App boasts more than 100,000 users and aims to revolutionize the monetization of users’ contributions to AI infrastructure across sports, gaming, and entertainment by equipping users with the ability to train AI from their smartphones. The app also provides seamless integration for users with native Web3 features including Identity Verification, NFT Minting, Token Creation, and AI-Powered Smart Contracts.

Learn more at www.raiinmaker.com.