Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. This is probably the first time we have seen this APT group use malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code in the distributed software and putting it on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the separator (boundary) string for HTTP multipart message data. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string from random values using the format string template “%09d-%05d”, which serves as the identifier of the infected host. The malware collects the process list, excluding the “[System Process]” and “System” entries, and reads the exact OS version from the following values under the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. Such values appear to exist only from Windows 10 onwards, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate-looking website owned by the developer of the program, Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form-data separator string “jeus”.

Neither encryption nor a custom separator string would by itself be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading the collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.
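The request characteristics just described can be turned into detection logic for web proxy logs. The following is an added example written for this article, not code from the report, from the malware or from Celas: it scores each logged request against the indicators quoted in this write-up (the checkupdate.php path, the “jeus” multipart boundary, the “temp.gif” filename, the “get_config” string, and the hardcoded User-Agent strings of the Windows updater above and of the macOS updater described later). The JSON-lines log format, its field names and the log entries themselves are constructed for the example.

```python
"""Flag proxy log entries matching the AppleJeus updater's upload.  Added
example, not code from the report.  The indicators come from the write-up;
the JSON-lines log format and the log entries are constructed."""
import json
import re
from typing import Dict, List, Tuple

# Both User-Agents are ordinary browser strings (IE 10, Chrome 66), so alone
# they are weak evidence and get a low weight; the multipart details are the
# distinctive part of the request.
KNOWN_USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
}
BOUNDARY_JEUS = re.compile(r'boundary="?jeus"?(?:;|\s|$)', re.IGNORECASE)

# indicator name -> (weight, predicate over one parsed log entry)
INDICATORS = {
    "checkupdate_php": (1, lambda e: e.get("url", "").lower().endswith("/checkupdate.php")),
    "boundary_jeus": (3, lambda e: bool(BOUNDARY_JEUS.search(e.get("content_type", "")))),
    "temp_gif_upload": (3, lambda e: 'filename="temp.gif"' in e.get("body", "")),
    "get_config_string": (2, lambda e: "get_config" in e.get("body", "")),
    "known_user_agent": (1, lambda e: e.get("user_agent", "") in KNOWN_USER_AGENTS),
}
ALERT_THRESHOLD = 5  # one multipart indicator plus corroboration, or both multipart indicators


def match_indicators(entry: Dict[str, str]) -> List[str]:
    """Names of the indicators an entry matches; only POST requests count."""
    if entry.get("method") != "POST":
        return []
    return [name for name, (_, test) in INDICATORS.items() if test(entry)]


def score(hits: List[str]) -> int:
    """Weighted sum of the matched indicators."""
    return sum(INDICATORS[name][0] for name in hits)


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched indicators) for entries at or above the threshold."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        hits = match_indicators(json.loads(line))
        if score(hits) >= ALERT_THRESHOLD:
            alerts.append((lineno, hits))
    return alerts


# Constructed log entries (JSON lines carrying a body excerpt), not real traffic.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"method": "GET", "url": "http://intranet.example/news", "content_type": "",
     "user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)", "body": ""},
    {"method": "POST", "url": "https://www.celasllc[.]com/checkupdate.php",
     "content_type": "multipart/form-data; boundary=jeus",
     "user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
     "body": '--jeus\r\nContent-Disposition: form-data; name="get_config"; filename="temp.gif"\r\n'
             'Content-Type: image/gif\r\n\r\nGIF89a'},
    {"method": "POST", "url": "https://photos.example/upload",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryq1w2e3",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
     "body": '------WebKitFormBoundaryq1w2e3\r\nContent-Disposition: form-data; name="file"; filename="cat.gif"\r\n'},
    {"method": "POST", "url": "https://vendor.example/checkupdate.php",
     "content_type": "application/x-www-form-urlencoded",
     "user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
     "body": "version=1.0"},
]]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG_LINES):
        print(f"line {lineno}: score {score(hits)} -> {', '.join(hits)}")
```

Only the second entry is reported. The fourth entry shows why the threshold matters: an IE 10 User-Agent posting to a file called checkupdate.php is common enough in ordinary traffic that, without the multipart details, it should not page anyone.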

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, the updater should keep quiet and take no action. However, if the response is HTTP code 200, it base64-decodes the payload and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1:

  • Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
  • Package creation date: 2018-08-03 09:57:29
  • Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
  • Updater creation date: 2018-08-03 09:50:08
  • Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2:

  • Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
  • Package creation date: 2018-08-13 0:12:10
  • Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
  • Updater creation date: 2018-08-11 7:28:08
  • Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system startup via a file named “.com.celastradepro.plist” (note that the name starts with a dot, which hides it from the Finder app and from a default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any argument, it does nothing and quits. This may or may not be a way to trick sandboxes that automatically execute this trojanized updater, since without the “secret” extra argument no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it hide in plain sight from any user or administrator looking at running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which on macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, it checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside the binary to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”, given executable permissions for all users, and started with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent detection of its malicious functionality via sandboxes or even reverse engineering. We previously saw this technique adopted by the Lazarus group in 2016 in attacks against banks. As of 2018, it is still used in almost every attack we investigated.
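The upload and download paths described for both the Windows and the macOS updater can be replayed from a packet capture with a short decoder, which is what an analyst needs to see what a given host actually sent and what it was told to run. The following is an added example written for this article, not code from the report or from the malware: it takes the XOR key, the GIF89a prefix, the base64 + RC4 response encoding, the MD5 integrity check and the “MAX_PATHjeusD” marker from the text above, and constructs its own sample bytes for the upload and the reply. Whether the MD5 covers the marker as well as the executable is not stated in the text and is treated here as an assumption.

```python
"""Decoder for the AppleJeus updater's C2 exchange, for analysts working from a
packet capture.  Added example, not code from the report or from the malware.
The XOR and RC4 keys, the GIF89a prefix, the base64 + RC4 response encoding and
the "MAX_PATHjeusD" marker are taken from the write-up; the sample host info
and the sample payload bytes below are constructed."""
import base64
import hashlib
from typing import Optional

XOR_KEY = b"Moz&Wie;#t/6T!2y"      # 16-byte key applied to the uploaded host info
RC4_KEY = b"W29ab@ad%Df324V$Yd"    # key applied to the payload the server returns
GIF_MAGIC = b"GIF89a"              # fake image header in front of the upload
PAYLOAD_MARKER = b"MAX_PATHjeusD"  # prefix in front of the decrypted executable


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR.  Symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA).  The standard library has no RC4, so it is
    written out; it is used here only to undo the malware's encoding."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def payload_md5(data: bytes) -> str:
    """MD5 of the decrypted server data, the value the macOS updater compares against."""
    return hashlib.md5(data).hexdigest()


def decode_upload(body: bytes) -> bytes:
    """Recover the host info from the 'temp.gif' upload: drop the GIF89a header,
    then undo the repeating-key XOR."""
    if not body.startswith(GIF_MAGIC):
        raise ValueError("upload does not start with the expected GIF89a header")
    return xor_with_key(body[len(GIF_MAGIC):])


def decode_response(status: int, body: bytes, expected_md5: Optional[str] = None) -> Optional[bytes]:
    """Mirror the updater's handling of the reply: 300 means no task; 200 means
    base64-decode, RC4-decrypt, check the MD5 when one is known (macOS variant),
    then strip the MAX_PATHjeusD marker and return the embedded executable.
    Assumption: the MD5 covers the whole decrypted blob, marker included."""
    if status == 300:
        return None
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    plain = rc4(base64.b64decode(body), RC4_KEY)
    if expected_md5 is not None and payload_md5(plain) != expected_md5:
        raise ValueError("MD5 of the decrypted data does not match the stored value")
    if not plain.startswith(PAYLOAD_MARKER):
        raise ValueError("decrypted data lacks the MAX_PATHjeusD marker")
    return plain[len(PAYLOAD_MARKER):]


# Constructed sample traffic (not from a real capture), built with the same
# primitives so the decoder can be exercised offline.
SAMPLE_HOST_INFO = b"123456789-12345|ProductName=Windows 10 Pro|CurrentBuildNumber=17134"
SAMPLE_UPLOAD = GIF_MAGIC + xor_with_key(SAMPLE_HOST_INFO)
SAMPLE_EXE = b"MZ" + b"\x90" * 30    # stand-in bytes for the delivered executable
SAMPLE_RESPONSE = base64.b64encode(rc4(PAYLOAD_MARKER + SAMPLE_EXE, RC4_KEY))

if __name__ == "__main__":
    print("upload carried:", decode_upload(SAMPLE_UPLOAD))
    print("HTTP 300 ->", decode_response(300, b""))
    print("HTTP 200 ->", decode_response(200, SAMPLE_RESPONSE)[:2])
```

On a real capture, feed decode_upload() the multipart part named temp.gif and decode_response() the status code and body of the reply; a marker check failure on a 200 response is itself worth noting, since it means the key or the protocol has changed since this report.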

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created on the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file are a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat
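Given the construction steps above and the confirmed artifact names, a defender can hunt for the dropper's leftovers on a host. The following is an added example, not code from the report: it looks in a system32 listing for a <service>svc.dll whose size falls in the inflated range next to a <service>.dat file, using service names from the netsvcs list the dropper draws from. The netsvcs subset and the directory listing are constructed; the upper size bound is derived here from the described loop (10,240-byte blocks, at most 10,240 + 9 rounds, plus the 276-byte trailer) and is an assumption, while the lower bound is the figure the text gives.

```python
"""Host-side hunt for the Fallchill dropper's output.  Added example, not code
from the report.  Uses only what the write-up states: the [service]svc.dll and
[service].dat naming with the service name taken from netsvcs, the inflation to
at least 104,851,000 bytes, and the known names uploadmgrsvc.dll/uploadmgr.dat.
The netsvcs subset and the directory listing are constructed."""
import sys
from typing import Dict, Iterable, List, Optional

# Lower bound: figure given in the write-up.  Upper bound: derived from the
# described loop (10,240-byte blocks x at most 10,240 + 9 rounds) plus the
# 276-byte trailer (16-byte key + 260-byte encrypted name).  Treat the upper
# bound as an assumption about the loop, not a value from the report.
MIN_INFLATED_SIZE = 104_851_000
MAX_INFLATED_SIZE = 10_240 * (10_240 + 9) + 276


def size_in_inflation_range(size: int) -> bool:
    """True when a file size is consistent with the dropper's padding loop."""
    return MIN_INFLATED_SIZE <= size <= MAX_INFLATED_SIZE


def read_netsvcs() -> Optional[List[str]]:
    """Read HKLM\\...\\Svchost\\netsvcs (REG_MULTI_SZ) on Windows; None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost") as key:
        value, _ = winreg.QueryValueEx(key, "netsvcs")
    return list(value)


def find_candidates(listing: Dict[str, int], netsvcs: Iterable[str]) -> List[str]:
    """Service names for which the listing holds an inflated <name>svc.dll next
    to a <name>.dat file, the pair the dropper leaves behind.  The listing maps
    full path -> size in bytes; matching is case-insensitive."""
    by_name = {path.rsplit("\\", 1)[-1].lower(): size for path, size in listing.items()}
    hits = []
    for svc in netsvcs:
        dll_size = by_name.get(f"{svc.lower()}svc.dll")
        if dll_size is None or not size_in_inflation_range(dll_size):
            continue
        if f"{svc.lower()}.dat" in by_name:
            hits.append(svc)
    return hits


# Constructed subset of the netsvcs list and a constructed system32 listing.
SAMPLE_NETSVCS = ["BITS", "wuauserv", "uploadmgr", "Schedule", "Themes"]
SAMPLE_LISTING = {
    r"C:\Windows\system32\uploadmgrsvc.dll": 104_878_356,  # size from the write-up
    r"C:\Windows\system32\uploadmgr.dat": 143_872,          # size from the write-up
    r"C:\Windows\system32\bitssvc.dll": 104_900_000,        # inflated size but no .dat partner
    r"C:\Windows\system32\wuauservsvc.dll": 52_000,         # matching names, ordinary size
    r"C:\Windows\system32\wuauserv.dat": 1_024,
    r"C:\Windows\system32\schedsvc.dll": 1_300_000,         # legitimate Windows DLL
}

if __name__ == "__main__":
    netsvcs = read_netsvcs() or SAMPLE_NETSVCS
    print("candidates:", find_candidates(SAMPLE_LISTING, netsvcs))
```

On a live Windows host, replace SAMPLE_LISTING with a walk of %SystemRoot%\system32 and let read_netsvcs() supply the real service names; the size window is the cheapest filter, so apply it first when the listing is large.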

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decrypting the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to the default C2 server addresses:

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files into a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and the financial industry in past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of the celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker servers from telemetry:
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the digital signature of the Celas Trade Pro application, including its “Updater”, you will find that this certificate was also issued by Comodo CA, and it refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector around the world. This was also confirmed by other security vendors and by US-CERT.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, the Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to macOS. Apparently, in the chase after advanced users, software developers in supply chains and some high-profile targets, threat actors are forced to build macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers use as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

SW Alliance: Dexter Quisenberry Launches AI DataMind to Empower Future Investors 3860

SW Alliance proudly announces the launch of its newest innovation, AI DataMind, a transformative platform integrating artificial intelligence and big data analytics into financial education and investment strategies. This cutting-edge tool is designed to equip users with unparalleled insights, enhancing decision-making precision and democratizing access to advanced financial technologies. AI DataMind is the latest milestone in SW Alliance’s mission to reshape how individuals approach financial markets while fostering societal advancement.

Innovating Financial Education with AI Technology

AI DataMind represents a significant leap forward in the integration of technology within financial education. By analyzing vast datasets and utilizing predictive algorithms, the platform provides users with actionable insights previously available only to institutional investors. Students and professionals can now make informed decisions with real-time data, identifying market trends, assessing risks, and optimizing strategies with greater accuracy.

This innovation aligns with Dexter Quisenberry’s vision for SW Alliance as a pioneer in blending theoretical knowledge with practical application. The platform serves as a cornerstone of the Alliance’s curriculum, ensuring students are equipped with modern tools to navigate the complexities of today’s financial landscape.

A Legacy of Educational Excellence

SW Alliance has established itself as a leader in financial education under Dexter Quisenberry’s stewardship. Rooted in a philosophy of “Student Interests First” and a commitment to practice-based learning, the institution offers a diverse range of courses. From foundational financial theories to advanced concepts like quantitative trading and AI integration, SW Alliance’s programs prepare students to excel in competitive global markets.

Beyond technical skills, the Alliance emphasizes critical thinking, adaptability, and innovation—qualities that define successful leaders in the financial industry. Graduates of SW Alliance are not only equipped to excel in their careers but also to contribute meaningfully to society.

Bridging Theory and Practice: Real-World Opportunities

SW Alliance’s robust partnerships with leading financial institutions ensure that students gain invaluable practical experience. Through internships and collaborative projects, students transition seamlessly from classroom learning to real-world application. These opportunities enable them to build professional networks, refine their skills, and gain insights into industry dynamics.

Dexter Quisenberry’s commitment to bridging education and employment has resulted in numerous success stories, with graduates emerging as influential figures in finance, investment, and entrepreneurship.

Championing Social Responsibility Through Education

In addition to its academic achievements, SW Alliance actively addresses societal challenges through strategic collaborations with businesses and government entities. These partnerships focus on reducing economic disparities, creating job opportunities, and fostering inclusive growth.

Dexter’s vision extends beyond financial education to encompass social responsibility. Initiatives such as community outreach programs, mentorship schemes, and scholarships for underprivileged students underscore the Alliance’s dedication to uplifting communities and fostering economic resilience.

Empowering Entrepreneurship and Financial Independence

SW Alliance also provides specialized training in investment and entrepreneurship, offering students the tools to pursue financial independence. Courses focus on practical skills like risk management, market analysis, and business strategy, empowering students to turn innovative ideas into successful ventures. Many graduates have realized their entrepreneurial dreams, contributing to economic growth and job creation.

Inspiring a Culture of Compassion

Responding to global challenges such as natural disasters and social crises, Dexter Quisenberry has championed philanthropic initiatives through SW Alliance. By establishing a charitable foundation, the institution supports affected communities and inspires students to prioritize humanitarian values.

This culture of compassion is deeply woven into the fabric of SW Alliance, reinforcing the idea that education is not only a means to personal success but also a tool for collective betterment.

A Vision for the Future

With the launch of AI DataMind and its continued commitment to education, innovation, and social responsibility, SW Alliance is poised to shape the next generation of leaders and innovators. Dexter Quisenberry’s visionary leadership ensures that the Alliance remains a beacon of progress, empowering individuals to achieve financial independence and driving societal transformation.

SW Alliance invites aspiring leaders, investors, and changemakers to join its journey of innovation and impact—transforming lives and communities for a brighter future.

Tidus Wallet Unleashes 3-click Cross-Chain Transfers with Mayan Swift and Wormhole Integration 3774

Tidus, the crypto everything app — a cutting-edge decentralized wallet, has announced its integration with the Mayan Swift SDK, powered by Wormhole. This new feature brings ultra-fast cross-chain transfers to Tidus users, providing a seamless and secure experience for both newcomers and decentralized finance (DeFi) power users.

With this integration, Tidus Wallet users can now access stablecoins such as USDC and USDT, as well as native tokens SOL and ETH, for bridging transfers between Ethereum and Solana blockchains. By the end of November 2024, Tidus will extend this cross-chain capability to include all EVM-compatible chains, allowing users to move assets seamlessly across multiple networks. This continued expansion reflects Tidus’ commitment to making DeFi accessible, affordable, and easy for everyone.

“Our integration with Mayan Swift and Wormhole is a major step forward in Tidus Wallet’s mission to simplify decentralized finance for everyone,” said Dan Mulligan, CEO and Founder of Tidus Wallet. “With this integration, we’re making cross-chain transfers as easy and cheap as possible, allowing users to move assets securely and seamlessly between Ethereum and Solana now—and soon across all EVM chains.”

Despite the rapid growth of decentralized finance, DeFi usage among retail users remains low due to complex processes and high transaction fees. Recent studies show that fewer than 5% of cryptocurrency holders actively use DeFi services, pointing to a significant gap in accessibility and usability. Tidus Wallet aims to close this gap by offering quick, low-cost, and user-friendly solutions that enable everyone to participate in DeFi without needing advanced technical knowledge.

Key Features of the Tidus Wallet Integration:

  • Cross-Chain Support: Transfer USDC, USDT, and ETH between Ethereum and Solana blockchains now, with support for all EVM chains by late November 2024.
  • Enhanced Security: Powered by the secure infrastructure of Wormhole and Mayan Finance, ensuring robust protection for users’ assets. Tidus also allows the bridged assets to be delivered directly to another wallet you control, minimizing potential room for error.
  • Low-Cost Transfers: Optimized for cost efficiency, minimizing gas fees for cross-chain transactions and taking no additional fees.
  • User-Friendly Interface: Intuitive design allows users to bridge assets in just three clicks, enhancing the DeFi experience for all levels of users.

Tidus Wallet is now available for download on the App Store, Google Play, and Chrome Web Store, allowing users to experience the future of decentralized finance from any device. By expanding to all EVM chains and focusing on a simplified user experience, Tidus is setting new standards in cross-chain asset management and aiming to make DeFi accessible to the masses.

For more information, visit tiduswallet.com and tidusdao.com.

About Tidus Wallet

Tidus Wallet is a decentralized wallet dedicated to providing a seamless, user-friendly experience for DeFi enthusiasts and newcomers alike. With a focus on security, innovation, and ease of use, Tidus Wallet aims to revolutionize how users manage and transfer assets in the decentralized finance ecosystem.

Sweat Your Way to Rewards: Live4Well Revolutionizes Wellness with Innovative “Exercise-to-Earn” Ecosystem

The past decade has witnessed a dramatic shift in consumer behavior, with online shopping becoming the norm, further accelerated by the pandemic. Reward programs have sprung up everywhere, incentivizing spending and fostering brand loyalty. The core of cashback is to encourage consumers to develop a habit of continuous shopping through rewards. This same logic is beginning to take root in the field of sports and health.

GYMetaverse, the innovative team behind the successful Live4Well Genesis NFT collection, is disrupting the rewards landscape with the launch of its upgraded VIV PASS program. This groundbreaking “move-to-earn” ecosystem incentivizes healthy habits, transforming sweat equity into tangible rewards. Live4Well envisions a positive feedback loop where exercise leads to better health, and better health leads to tangible benefits, realizing the concept of “health as wealth.”

Pioneering the “Fitness Mileage” Concept: Earn Rewards for an Active Lifestyle

This inclusive program is open to users worldwide with zero barriers to entry. In just minutes, users can download the Live4Well mobile app and register for free access to the VIV Pass ecosystem. Initially, Sweat Points, the program’s reward currency, can be earned through three primary avenues:

  1. Daily Exercise — Users accumulate points by tracking steps and calories burned, turning daily workouts into rewarding experiences.
  2. Competition Participation — Points are awarded for participating in designated sporting activities, simply by uploading proof of participation.
  3. Health & Fitness Spending — Users can upload receipts for eligible purchases in the designated sports and wellness categories to earn additional Sweat Points.

Live4Well makes the benefits of exercise immediately tangible, converting effort into visible rewards. Accumulated Sweat Points can be redeemed for a variety of prizes, including cash vouchers, fitness products, and exercise classes. The Live4Well app also empowers users to track their fitness data and participate in engaging challenges.

Creating a Global Sharing Economy: A Triple Win for Users, Businesses, and the Industry

Live4Well’s vision extends beyond simply creating a health management platform. The “exercise-to-earn” concept fosters a mutually beneficial ecosystem:

  1. User Benefits — VIV PASS motivates individuals to adopt and maintain healthy exercise habits through a rewarding system.
  2. Business Advantages — The platform connects businesses with their target audience through community engagement and strategic partnerships, driving more effective product promotion.
  3. Industry Transformation — By creating a “move-to-earn” economy, Live4Well stimulates consumer spending, transforming calorie expenditure into a quantifiable reward unit. This innovative approach empowers businesses to generate revenue, expand operations, and seamlessly connect the virtual and physical worlds.

Since its inception, Live4Well’s fitness alliance ecosystem has continued to expand. With ongoing optimization of its operational framework, the VIV PASS ecosystem provides easy access and a tiered membership system, fostering a comprehensive wellness mechanism which stimulates consumer engagement, and builds a thriving global sharing economy.

To learn more, please visit: https://www.live4well.io

Draper Associates Backs Torram to Propel Decentralized Finance on Bitcoin

Torram, pioneering institutional-grade decentralized finance (DeFi) infrastructure on Bitcoin, today announced a strategic investment from Draper Associates, the venture firm led by legendary crypto investor Tim Draper. Selected from over 200 applicants for the highly exclusive BitcoinFi Accelerator, Torram is now better positioned to capture the rapidly expanding institutional DeFi market as Bitcoin emerges as the leading blockchain for traditional finance.

The investment, led by Draper Associates with participation from Boost VC and Thesis, comes as institutional demand for Bitcoin-native DeFi solutions surges, with the DeFi market set to soar to $50 billion by 2025. Torram’s institutional-grade infrastructure enables banks, asset managers, and financial institutions to tap into Bitcoin’s security and $880 billion market cap through compliant DeFi solutions.

“We believe in Bitcoin and there’s now a gravitational pull towards Bitcoin,” said Tim Draper, Founder of Draper Associates. “It’s a critical time in global history, and we’re excited about these applications that are being built on the most important blockchain.”

Torram emerged as one of the top performers from Bitcoin Startup Labs’ pre-accelerator program and has now earned one of only eight spots in BitcoinFi Accelerator’s inaugural cohort. The exclusive 6-week program, backed by leading Bitcoin investors, provides $150,000 in initial funding alongside technical resources and strategic partnerships essential for scaling Bitcoin-native applications.

“Securing backing from visionaries like Tim Draper and Adam Draper validates our approach to bridging traditional finance (TradFi) with Bitcoin’s powerful capabilities,” said Vakeesan Mahalingam, CEO of Torram. “Their strategic guidance and deep network in both TradFi and crypto will be instrumental as we roll out our institutional DeFi infrastructure.”

Torram’s technology stack includes:

  • An institutional-grade decentralized oracle network
  • Advanced on-chain data indexing for real-time analytics
  • Proprietary security framework meeting institutional compliance requirements
  • Cross-chain infrastructure enabling seamless integration with existing systems

The company will launch its testnet in Q1 2025, with tier-1 banks and leading asset managers already committed to pilot programs. Early access to the testnet is in high demand and is limited to qualified institutions and partners.

For early investment opportunities or to learn more about how Torram is positioning itself to lead the Bitcoin DeFi revolution, visit torram.xyz.

Early-stage investors include:

  • Draper Associates
  • Blockchain Founders Fund
  • Boost VC
  • Side Door Ventures
  • Deep Ventures
  • Silvermine Capital
  • MH Ventures
  • Bitcoin Startup Lab

About Torram

Torram is building the foundational infrastructure that enables institutional-grade DeFi and real-world asset tokenization natively on Bitcoin. Torram empowers financial institutions to leverage Bitcoin’s unmatched security, transparency, and $880 billion of global liquidity through its decentralized oracle network, on-chain data indexing, and institutional-grade solutions.

Paribu announces digital asset custody service for institutional clients worldwide

Paribu, Türkiye’s pioneering technology company in the crypto asset sector, has announced its new service, Paribu Custody, providing digital asset custody and management for institutional clients globally.

With independent wallets and a secure, end-to-end infrastructure, Paribu Custody will serve a wide range of organisations—including banks, financial institutions, cryptocurrency exchanges, decentralised finance entities, and blockchain-focused startups—seeking to securely store and self-manage their digital assets.

Unique custody infrastructure

Founded in 2017, Paribu provides fast, easy, and secure cryptocurrency trading services to its 7 million users and operates a registered custody company in Türkiye alongside its crypto asset trading platform. With Paribu Custody, it now offers digital asset custody services to institutional clients worldwide.

Cem Sağlam, Institutional Sales and Business Development Manager at Paribu, commented, “Developed by Paribu’s skilled engineers and software team, our service sets the standard for digital asset custody security in Türkiye, making Paribu unmatched in the field. Our proprietary ColdShield® technology positions Paribu Custody ahead of global competitors.”

Absolute security with multi-layered security architecture

Paribu’s ColdShield® technology, integrating MPC (Multi-Party Computation), SGX (Software Guard Extensions), and HSM (Hardware Security Module) technologies, divides customers’ private keys into multiple fragments and securely distributes them to separate parties. These distributed key parts are stored in a fully isolated environment, ensuring that no individual or organisation can access the complete private key.

With a multi-layered security architecture, ColdShield® technology prevents private key fragments from being reassembled, even during transfer. This design enables each party to generate partial signatures independently, eliminating single point of failure (SPoF) risks and providing clients with the highest level of asset security.
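The split-key signing flow described above can be seen concretely in the following added example. It is not Paribu's ColdShield code (the release does not publish that protocol); it shares a secp256k1 private key additively among three parties, has each party produce a partial Schnorr signature from its own fragment alone, and combines those into one signature that verifies under the joint public key, so the complete key is never assembled, not even during signing. It is an n-of-n toy: it omits the nonce-commitment round and distributed key generation that production MPC signing protocols add, uses textbook Schnorr rather than BIP340, and the transfer request is a constructed string.

```python
# Toy n-of-n MPC signing over secp256k1: key fragments that are never reassembled.
# Added illustration, not Paribu's ColdShield code. Textbook Schnorr (not BIP340);
# no nonce-commitment round, no distributed key generation.
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
INF = None  # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def challenge(R, pubkey, message):
    """Fiat-Shamir challenge e = H(R || Y || m) mod N."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *pubkey)) + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen_fragments(parties):
    """Each party draws its own fragment x_i; the joint key is sum(x_i) mod N,
    but nobody computes that sum: the joint public key is built from x_i*G."""
    fragments = [secrets.randbelow(N - 1) + 1 for _ in range(parties)]
    pubkey = INF
    for x_i in fragments:
        pubkey = ec_add(pubkey, ec_mul(x_i, G))
    return pubkey, fragments


def partial_nonce():
    """Round 1: a party picks a fresh nonce k_i and reveals only k_i*G."""
    k_i = secrets.randbelow(N - 1) + 1
    return k_i, ec_mul(k_i, G)


def partial_sign(fragment, k_i, R, pubkey, message):
    """Round 2: s_i = k_i + e*x_i mod N, from this party's own secrets only."""
    return (k_i + challenge(R, pubkey, message) * fragment) % N


def sign_with_fragments(fragments, pubkey, message):
    """Run both rounds for every party and combine: R = sum(R_i), s = sum(s_i)."""
    nonces = [partial_nonce() for _ in fragments]
    R = INF
    for _, R_i in nonces:
        R = ec_add(R, R_i)
    s = sum(partial_sign(x_i, k_i, R, pubkey, message)
            for x_i, (k_i, _) in zip(fragments, nonces)) % N
    return R, s


def verify(pubkey, message, signature):
    """Standard Schnorr check: s*G == R + e*Y."""
    R, s = signature
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, pubkey, message), pubkey))


def demo():
    """Three custodial parties co-sign a constructed transfer request."""
    pubkey, fragments = keygen_fragments(3)
    request = b"constructed: transfer 1.5 BTC from vault-A to settlement-B"
    sig = sign_with_fragments(fragments, pubkey, request)
    return {
        "valid": verify(pubkey, request, sig),
        "tampered": verify(pubkey, request + b"0", sig),
        # Two of the three parties acting alone sign for a different key,
        # so their signature fails under the joint public key.
        "two_parties_only": verify(pubkey, request,
                                   sign_with_fragments(fragments[:2], pubkey, request)),
    }


if __name__ == "__main__":
    print(demo())
```

The `two_parties_only` result is the property the release is selling: a subset of custodians can only sign for a key that is not the vault's, so the result fails under the published public key, and no single party's compromise exposes the complete key. In a deployment of the kind described, each fragment and its `partial_sign` step would run inside a separate party's isolated environment; the example runs all three in one process for readability.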

Cem Sağlam highlights that Paribu Custody, which he says advances even global standards, offers the ability to separate wallets into primary and proxy wallets, meeting diverse asset storage needs with options for cold, hot, and warm storage.

All platform processes are automatable via APIs. Additionally, the staking service enables organisations to conduct staking operations for crypto assets seamlessly, without requiring technical integration. Every process can be managed through the Paribu Custody mobile application, providing full control over each step—from transaction initiation to final signature approval.

Enables full regulatory compliance and reduces operational risk

Paribu Custody enables organisations to streamline Anti-Money Laundering and Anti-Terrorist Financing compliance controls through a single interface, supporting robust regulatory compliance processes. Comprehensive KYB (Know Your Business) procedures are conducted for all clients, ensuring adherence to legal standards and fostering a secure operational environment.

Banks and financial institutions can diversify their crypto asset offerings by leveraging Paribu Custody’s secure digital asset management solutions. Cryptocurrency trading platforms benefit from secure, compliant storage for client funds, while DeFi organisations can enhance asset security and reduce smart contract risks. Blockchain startups, meanwhile, can mitigate operational risks and ensure regulatory compliance through the secure storage of investor assets.

Paribu Custody is designed to securely store digital assets for today’s needs. Looking to the future, it is being developed to securely manage tokenised real-world assets (RWA) such as real estate, negotiable instruments, official documents, event tickets, and works of art, providing end-to-end corporate-level security.

Cem Sağlam concluded: “Paribu, the developer of Türkiye’s first independent blockchain project and the current setter of security standards in crypto asset custody, will continue to build the world of tomorrow.”

More information is available at www.paribu.com/custody.

zkVerify Introduces Decentralized SQL Verifier for Space and Time’s SXT Chain

zkVerify delivers faster, cost-effective SQL data verification with enhanced security and privacy for data-intensive applications.

zkVerify, the modular blockchain for ZK-proof verification, has launched a decentralized proof verifier for Space and Time’s Proof of SQL ZK coprocessor on SXT Chain. By leveraging zkVerify’s verification of SXT proofs, organizations can verify their ZK-proven SQL queries faster and more efficiently compared to Ethereum verification.

Space and Time’s Proof of SQL ZK coprocessor employs zero-knowledge proofs to validate SQL queries run against data stored on SXT Chain, its recently launched blockchain for ZK-proven data. zkVerify functions as a decentralized proof verifier within this system for Space and Time’s Proof of SQL, offering fast, on-chain confirmation of query accuracy without relying on any central authority.

Traditional smart contracts face limitations in accessing external or historical transaction data, which restricts their functionality. Space and Time’s SXT Chain addresses this by acting as a decentralized database that aggregates data across major blockchains (Ethereum, ZKsync, Bitcoin, Sui, Aptos, and Polygon) and proves it back to smart contracts with Proof of SQL. This setup enables trustless, cross-chain data processing, allowing smart contracts to efficiently query, analyze, and utilize data.

As concerns about data manipulation and AI-generated content increase, Space and Time, coupled with zkVerify’s technology, allows organizations to prove the integrity of their data without exposing the underlying information. For example, financial institutions can verify transaction records, healthcare providers can ensure patient data remains accurate, and AI applications can confirm the authenticity of their outputs—all using mathematical proofs instead of relying on trust alone.

Launched in October 2024, Space and Time’s SXT Chain testnet lets developers query historical data from major blockchains like Ethereum, Bitcoin, and Polygon, generating mathematical proofs that ensure data integrity. In August 2024, Space and Time raised $20 million in Series A with funding from Microsoft’s M12 Venture, Framework Ventures, Lightspeed Faction, Arrington Capital and Hivemind Capital.

How does it work?

Using zero-knowledge proofs to create a proof of correct computation, like Proof of SQL, has three essential elements: the actual data, the creation of the proof, and the verification of that proof. These components must work together in a rapid, straightforward, decentralized, and permissionless manner to enable a seamless, trustless system.

The Proof of SQL mechanism works by generating a cryptographic hash of a SQL table’s content, which is then used to generate a ZK proof that neither the table nor the queries run against it have been tampered with. Space and Time’s high-speed ZK coprocessor creates these proofs, and zkVerify validates them on its public, decentralized blockchain. This enables businesses and decentralized applications to share data or query results with provable SQL database integrity, verifiable by anyone without relying on centralized entities.
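To make the three roles named above (the data, the creation of the proof, the verification of the proof) concrete, here is an added example that is not Space and Time's Proof of SQL or zkVerify's code. It commits to a constructed ledger table with a single Merkle root, answers a filter query with one inclusion proof per returned row, and lets a verifier holding only the root check that every returned row is an unmodified row of the committed table. Proof of SQL uses polynomial commitments and zero-knowledge proofs instead, which additionally prove that the query itself was evaluated correctly and keep the data hidden; a Merkle proof shows only membership and reveals the rows, but the split between committer, prover and verifier is the same.

```python
# Commit / prove / verify over a SQL-like table with a Merkle root.
# Added illustration, not Space and Time's Proof of SQL or zkVerify's code:
# a Merkle inclusion proof stands in for their ZK proof.
import hashlib
import json


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(row: dict) -> bytes:
    # Canonical JSON so the same row always hashes identically; the 0x00 prefix
    # separates leaves from inner nodes (second-preimage hardening).
    return digest(b"\x00" + json.dumps(row, sort_keys=True, separators=(",", ":")).encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return digest(b"\x01" + left + right)


def build_tree(rows):
    """Return the list of levels, leaves first; an odd node is paired with itself."""
    level = [leaf_hash(r) for r in rows]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commit(rows) -> bytes:
    """The 'hash of the table' that the data owner publishes."""
    return build_tree(rows)[-1][0]


def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(root: bytes, row: dict, proof) -> bool:
    """Verifier recomputes the path using only the root, the row and the proof."""
    acc = leaf_hash(row)
    for side, sibling in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == root


def prove_query(rows, predicate):
    """Prover: run the query and attach one inclusion proof per result row."""
    levels = build_tree(rows)
    return [(row, inclusion_proof(levels, i)) for i, row in enumerate(rows) if predicate(row)]


def verify_query_result(root: bytes, result) -> bool:
    """Verifier: every returned row must be a row of the committed table."""
    return all(verify_inclusion(root, row, proof) for row, proof in result)


# Constructed ledger table; in the release's setting this data would live on SXT Chain.
LEDGER = [
    {"id": 1, "account": "acct-A", "balance": 250},
    {"id": 2, "account": "acct-B", "balance": 40},
    {"id": 3, "account": "acct-C", "balance": 900},
    {"id": 4, "account": "acct-D", "balance": 75},
    {"id": 5, "account": "acct-E", "balance": 120},
]


def demo():
    """Commit, answer 'SELECT * FROM ledger WHERE balance > 100', verify, then catch a forgery."""
    root = commit(LEDGER)
    result = prove_query(LEDGER, lambda r: r["balance"] > 100)
    honest = verify_query_result(root, result)
    # A prover that inflates one balance cannot produce a proof that matches the root.
    forged = [(dict(row, balance=row["balance"] + 1), proof) for row, proof in result]
    return len(result), honest, verify_query_result(root, forged)


if __name__ == "__main__":
    print(demo())
```

The verifier side (`verify_inclusion`, `verify_query_result`) never touches the table, only the 32-byte root, which is what lets a third party such as a verification chain confirm results it did not compute. What this toy cannot do, and what the ZK proof in the real system adds, is prove that no qualifying row was omitted from the result.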

In its role as the proof verifier, zkVerify adds a crucial layer of trust and security, ensuring that each SQL query validated by Proof of SQL on the SXT Chain is accurate and tamper-proof. With zkVerify, data queries and results can be trusted across the network, empowering advanced decentralized applications, such as DeFi platforms, data-intensive analytics, and Solidity smart contracts deployed directly on SXT’s ZK rollup. This integration amplifies the potential for on-chain applications by enabling access to verified, cross-chain data in real-time, paving the way for more sophisticated decentralized services.

Rob Viglione, CEO of Horizen Labs, the development studio behind zkVerify, said: “Zero-knowledge proofs redefine trust in digital systems by providing mathematical assurance of data integrity without exposing sensitive information. This technology allows businesses to verify the accuracy of their data transparently and securely, without relying on third-party auditors. For sectors like finance and healthcare, it’s a paradigm shift from ‘trust us’ to ‘we can prove it,’ bringing a new level of confidence to data handling.”

About zkVerify

zkVerify is a modular blockchain dedicated to efficiently verifying ZK proofs across diverse blockchain stacks, created for Ellipsis Distributed Systems by Horizen Labs. It enables Layer 2 projects and dApp developers that utilize zero-knowledge proofs to scale rapidly and cost-effectively by drastically reducing proof verification costs without compromising network performance.

Designed for seamless integration with existing blockchain networks, zkVerify minimizes technical overhead and provides a developer-friendly environment. By simplifying the ZK proof verification process and reducing associated costs, zkVerify enhances the performance of existing blockchain networks and unlocks new capabilities within the broader Web3 ecosystem.

For more information, users can visit https://zkverify.io