Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Embedding malicious code in the distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as the unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects the process list, excluding the “[System Process]” and “System” processes, and gets the exact OS version from the following values under the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that some of these values only exist from Windows 10 onward, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form-data separator string “jeus”.

Encrypting the upload and using a custom separator string would not, by themselves, be red flags for a legitimate application, but sending a request carrying the context-irrelevant string “get_config”, and uploading the collected system information as “temp.gif” with a GIF magic number in the header to mimic an image, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1:

Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2:

Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 0:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 7:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication matches that of the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system startup via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or the default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any argument, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that automatically execute this trojanized updater: without such a “secret” extra argument, no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response is code 200, then the updater takes the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”; the updater sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by the Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
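The C2 exchange described for both the Windows and macOS updaters (XOR-encrypted host info behind a GIF89a header; base64 plus RC4 on the reply, gated on HTTP 300/200, with the “MAX_PATHjeusD” marker or an embedded MD5 check) can be decoded from captured traffic with the following helper. This is an added example for analysts, not code from the report or from the malware; it assumes repeating-key XOR over the 16-byte key and a bare “GIF89a” prefix, and every sample message in it is constructed.

```python
"""Decoder for the AppleJeus updater C2 exchange, as described above.
Assumptions (not stated in the report): repeating-key XOR with the
16-byte key, and the upload prefix is the six bytes "GIF89a".
All sample traffic below is constructed, not captured."""
import base64
import hashlib
from typing import Optional

XOR_KEY = b"Moz&Wie;#t/6T!2y"          # 16-byte upload key from the report
RC4_KEY = b"W29ab@ad%Df324V$Yd"        # RC4 key for the downloaded payload
GIF_HEADER = b"GIF89a"                 # magic number that disguises the upload
PAYLOAD_MARKER = b"MAX_PATHjeusD"      # prefix on the decrypted Windows payload


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so one call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric like XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_upload(body: bytes) -> bytes:
    """Recover the host-info blob from a captured "temp.gif" upload body."""
    if not body.startswith(GIF_HEADER):
        raise ValueError("not an AppleJeus-style upload: missing GIF89a header")
    return xor_crypt(body[len(GIF_HEADER):])


def decode_response(status: int, body: bytes,
                    expected_md5: Optional[str] = None) -> Optional[bytes]:
    """Interpret the C2 reply the way the updater does.
    300 -> no task (None); 200 -> base64 + RC4, then verify either the
    embedded MD5 (macOS style) or the MAX_PATHjeusD marker (Windows style)."""
    if status == 300:
        return None
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    plain = rc4(RC4_KEY, base64.b64decode(body))
    if expected_md5 is not None:
        if hashlib.md5(plain).hexdigest() != expected_md5:
            raise ValueError("payload MD5 mismatch")
        return plain
    if not plain.startswith(PAYLOAD_MARKER):
        raise ValueError("decrypted payload lacks the MAX_PATHjeusD marker")
    return plain[len(PAYLOAD_MARKER):]


# ---- constructed sample traffic (host id follows the "%09d-%05d" template) ----
SAMPLE_HOST_INFO = b"000123456-00042|EXAMPLE-HOST|Windows 10|17134"
SAMPLE_UPLOAD = GIF_HEADER + xor_crypt(SAMPLE_HOST_INFO)

SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for an executable"
SAMPLE_WIN_RESPONSE = base64.b64encode(rc4(RC4_KEY, PAYLOAD_MARKER + SAMPLE_PAYLOAD))
SAMPLE_MAC_RESPONSE = base64.b64encode(rc4(RC4_KEY, SAMPLE_PAYLOAD))
SAMPLE_MAC_MD5 = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()

if __name__ == "__main__":
    print(decode_upload(SAMPLE_UPLOAD))
    print(decode_response(300, b""))
    print(decode_response(200, SAMPLE_WIN_RESPONSE))
    print(decode_response(200, SAMPLE_MAC_RESPONSE, SAMPLE_MAC_MD5))
```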

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created on the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader, which is assembled from several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file 16 bytes in size.
  2. Read the file passed via the command-line argument. This file contains a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.
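The dropper steps above (10,240-byte junk writes repeated 10240 + rand() % 10 times, then the 16-byte key and the encrypted file name appended) and the loader’s habit of reading its last 276 bytes give a file-layout signature that a responder can check without running anything. The triage helper below is an added example, not Kaspersky’s tooling; it carves the trailer but does not decrypt the path, since the report does not name the cipher, and it assumes the 260-byte field is one MAX_PATH buffer. The sample file it builds is a constructed stand-in.

```python
"""Triage helper for Fallchill loader modules built by the AppleJeus dropper.
Layout from the report: junk body of 10,240-byte blocks, repeated
10240 + rand() % 10 times, followed by a 276-byte trailer (16-byte key +
260 bytes of encrypted file name) that the loader reads at start-up.
Assumption: the 260-byte field is a MAX_PATH-sized buffer. The sample
file produced by make_sample() is constructed, not a real loader."""
import os
import tempfile
from typing import Optional

BLOCK = 10240                               # size of one junk write
MIN_BLOCKS, MAX_BLOCKS = 10240, 10240 + 9   # 10240 + rand() % 10 iterations
KEY_LEN, PATH_LEN = 16, 260                 # trailer: key + encrypted file name
TRAILER_LEN = KEY_LEN + PATH_LEN            # 276 bytes read by the loader


def matches_dropper_layout(size: int) -> bool:
    """True if a file size is consistent with junk padding plus trailer.
    The real loader in the report is 104,878,356 bytes = 10242 blocks + 276."""
    body = size - TRAILER_LEN
    if body <= 0 or body % BLOCK:
        return False
    return MIN_BLOCKS <= body // BLOCK <= MAX_BLOCKS


def carve_trailer(path: str) -> Optional[dict]:
    """Return key and encrypted-path blob from a candidate loader file,
    or None when its size does not fit the dropper's layout."""
    size = os.path.getsize(path)
    if not matches_dropper_layout(size):
        return None
    with open(path, "rb") as f:
        f.seek(size - TRAILER_LEN)
        tail = f.read(TRAILER_LEN)
    return {
        "size": size,
        "junk_blocks": (size - TRAILER_LEN) // BLOCK,
        "key": tail[:KEY_LEN],
        "encrypted_path": tail[KEY_LEN:],
    }


def make_sample(dir_: str, blocks: int = 10242) -> str:
    """Constructed stand-in: a sparse file of the right size with a
    recognisable trailer (zero body, hypothetical 'K'/'P' trailer bytes)."""
    path = os.path.join(dir_, "uploadmgrsvc_sample.dll")
    with open(path, "wb") as f:
        f.truncate(blocks * BLOCK)           # sparse junk body, fast to create
        f.seek(blocks * BLOCK)
        f.write(b"K" * KEY_LEN + b"P" * PATH_LEN)
    return path


def sample_triage(blocks: int = 10242) -> Optional[dict]:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        return carve_trailer(make_sample(d, blocks))


if __name__ == "__main__":
    info = sample_triage()
    print(info["size"], info["junk_blocks"], info["key"])
    print(sample_triage(10250))   # one block too many: does not match
```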

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to the following default C2 server addresses:

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files into a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and the financial industry in past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address, and the address was used exclusively for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address given in the WHOIS record is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred to in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of the celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236[.]213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, and it refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as the main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector around the world. This attribution was also confirmed by other security vendors and by the US national CERT.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack were also used by older variants of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in the hardcoded headers used to communicate with the C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. It sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

Zepz launches Sendwave Wallet to give customers the power of stablecoins in everyday transactions 189

  • The Sendwave Wallet is a globally accessible, stablecoin-backed peer-to-peer cross border money solution.
  • Built on trusted stablecoin infrastructure from Circle, Solana, and Portal, the wallet reduces challenges like currency devaluation and access.
  • The wallet gives Sendwave customers more control over their money, enabling them to send money in seconds within the Sendwave network.

Zepz, the global payments group behind WorldRemit and Sendwave, has announced the launch of the Sendwave Wallet, a globally accessible stablecoin-backed peer-to-peer cross border money solution. This digital wallet empowers customers to seamlessly send, store, and spend funds across Africa and more than 100 countries worldwide, leveraging stablecoin technology to provide a stable value while offering near-instant, reliable, and affordable transfers within the Sendwave ecosystem.

Changing the game for customers

With the Sendwave Wallet, customers can quickly open a digital dollar balance in the Sendwave app and send, receive, or deposit funds. Their balance is held securely in the wallet in a digital currency, designed to maintain a stable value and pegged to the US dollar, giving them flexibility and the confidence to plan, support loved ones, and build financial stability over time.

“The financial lives of cross-border communities are far more complex and personal than traditional remittance transactions,” said Mark Lenhard, CEO of Zepz. “With Sendwave Wallet, we’re giving customers throughout the Global South a trusted, intuitive way to control their money. This is about stability, choice, and dignity for the communities we serve. Today, Sendwave is moving beyond remittances to more holistically support the financial lives of our customers”.

Combining the power of stablecoins with everyday money

At the core of the Sendwave Wallet are stablecoins, providing a secure way to hold value and move money in near real-time without the typical complexities of a “crypto” wallet . This helps customers avoid the currency swings that can erode their hard-earned money.

Backed by Zepz’s decade-long global payout network, customers can withdraw USDC funds through trusted partners into fiat currency to pay for everyday basic needs. In the future, customers will be able to use their USDC balances directly through cards and QR codes, a step beyond what most wallets offer.

Zepz has combined the expertise of leading web3 players to help bring this pioneering vision to life including: Circle the company behind USDC, Solana as the high-speed, low-cost, scalable blockchain network, and Portal as the provider of borderless wallet infrastructure.

Shaping what’s next

Zepz is continuing to build its customer offering beyond traditional remittances, with plans to enable customers to earn rewards on deposits, spend their balance with payment cards globally and pay bills, giving them practical ways to use digital dollars for daily needs.

About Zepz

Zepz powers two leading global remittance brands, WorldRemit and Sendwave, to build the next generation of cross-border payments. Serving over 9 million customers across 5,000 corridors, Zepz is transforming how money moves across borders by making it faster, safer and more convenient.

Gostex Launches AI-Powered White-Label Payments Suite 173

Gostex today announced the launch of an AI-powered, white-label fintech suite designed to help financial institutions and enterprise merchants improve authorization rates, reduce fraud losses, and streamline operations. The initial release includes an AI-optimized payment gateway, a support system, and an enterprise management module. The suite focuses on smart routing, real-time risk scoring, automated reconciliation, behavioral biometrics, device fingerprinting, and policy-driven compliance to address false declines, fraud, and scaling challenges in modern payments.

“Gostex exists to make advanced fintech capabilities accessible as configurable, enterprise-grade building blocks,” said Stanislav Pak, CEO of Gostex. “The mission is to empower institutions with white-label solutions that accelerate growth, enhance customer experience, and reduce operational risk – without forcing a trade-off between speed and governance. Strategically, the focus is on measurable outcomes: higher approvals with fewer false declines, shorter onboarding cycles, and operating models that scale predictably across markets.”

“From an engineering perspective, the mandate was reliability, security, and practical integration,” said Sevak Petrosian, CTO of Gostex. “Targets include 99.9% service availability, bank-grade security controls, and APIs that integrate cleanly into real-world environments. The architecture emphasizes real-time anomaly detection, policy automation for KYC/AML workflows, and detailed telemetry, so teams can adjust routing and risk in minutes rather than months. The result is a platform designed for low latency, high throughput, and consistent performance under peak loads.”

Product Highlights

  1. Payment Gateway (AI-Optimized): Smart routing selects optimal acquirers and payment paths based on live performance signals; real-time risk scoring helps reduce false declines; automated reconciliation and enriched reporting streamline finance operations; cross-border optimization improves international authorization performance.
  2. Support System: Always-on NLP assistance for customers and operators, with configurable workflows for dispute handling and verifications; predictive analytics highlight emerging fraud patterns and operational bottlenecks; multilingual capabilities support distributed teams and global user bases.
  3. Card Management: Behavioral biometrics and device fingerprinting strengthen fraud defenses while preserving user experience; granular policy controls and automated compliance checks help standardize controls across products and geographies; real-time analytics provide portfolio-level insight for faster decision-making.

Use Cases

  1. Approval Uplift: Dynamic routing and model-driven risk scoring reduce soft declines and optimize authorization performance across acquirers and geographies.
  2. Fraud Loss Reduction: Behavioral signals and device intelligence reinforce rule-based controls, enabling earlier detection of high-risk activity with fewer false positives.
  3. Operational Efficiency: Automated reconciliation, case-management workflows, and unified analytics help finance and support teams resolve issues faster and close periods with greater accuracy.
  4. Scalable Expansion: API-first design, environment isolation, and configuration as code support rapid regional rollouts and partner integrations without disruptive refactors.

About Gostex

Gostex is a fintech software company offering white-label solutions for payments optimization and enterprise management. The platform emphasizes reliability, bank-grade security controls, and measurable business outcomes for banks, payment service providers, and enterprise merchants across the region. Gostex solutions are delivered with clear SLAs, telemetry-rich observability, and integration patterns designed for real-world enterprise environments.

Ethereum Foundation Moves Entire $650M+ Treasury to Safe Multisig

EF completes full treasury migration to Safe smart accounts, joining Vitalik Buterin as key Safe user + Safe smart accounts cross 750M transactions milestone.

The Ethereum Foundation has completed the migration of its full treasury, over 160,000 ETH worth approximately $650 million, to Safe{Wallet}, following months of successful DeFi testing. Safe{Wallet}, operated by Safe Labs (a fully owned subsidiary of the Safe Foundation), is the crypto industry’s trusted smart account standard for multisig wallets, securing billions of dollars in assets for institutions, DAOs, and projects.

The move follows the Foundation’s June 2025 treasury policy announcement, which committed to actively participating in Ethereum’s DeFi ecosystem. Since February, the EF had been testing Safe with a separate DeFi-focused account, dogfooding protocols including Aave, Cowswap, and Morpho as part of their strategy to support applications built on Ethereum.

After testing a 3-of-5 multisig configuration on January 20th, the Foundation has now consolidated its remaining ETH holdings into Safe, completing the transition from its previous custom-built multisig solution. This implementation enables the Ethereum Foundation to actively participate in DeFi via Safe while maintaining battle-tested security standards, marking another step toward Safe’s vision of moving the world’s GDP onchain through self-custody infrastructure.

“Safe has proven safe and has a great user experience, and we will transfer more of our funds here over time,” the Ethereum Foundation announced, indicating this is the beginning of a deeper commitment to the Safe smart account standard.

Safe’s Momentum

The timing is notable: Safe has just crossed 750 million transactions (751,062,286 as of today) with over 57.5 million Safes created across multiple chains. The protocol has emerged as crypto’s de facto standard for multisig wallets, securing billions in institutional and DAO treasuries. Safe also counts Ethereum co-founder Vitalik Buterin among its prominent users, who revealed in May 2024 that he stores over 90% of his personal crypto holdings in a Safe multisig wallet. Vitalik has used Safe since at least 2024 for personal security, advocating for what he calls “decentralizing your own security.”

Beyond individual users, Safe has attracted major institutional adoption. Trump-backed World Liberty Financial has processed over $3.02 billion in transaction volume through the Safe smart accounts, onchain data shows. Across this period, Liberty’s Safe accounts executed 347 transactions, reflecting consistent institutional use even amid broader market shifts. The figures position Liberty as one of the largest institutional users of Safe’s onchain infrastructure to date.

This growing pattern of major institutions choosing Safe for treasury operations reinforces its position as the leading secure infrastructure layer for digital assets.

Safe’s Milestones:

  • Ethereum Foundation: $650M+ treasury secured
  • Trump-backed World Liberty Financial has processed over $3 billion via Safe smart accounts
  • $65B+ in total assets stored
  • 750M transactions executed
  • 300+ networks supported
  • 200+ ecosystem projects built on the Safe smart account standard
  • 57M accounts deployed

Part of Broader “DeFiPunk” Strategy

The migration reflects the EF’s June 2025 treasury policy, which outlined plans to actively deploy treasury assets into “battle-tested, immutable, audited, permissionless protocols” while maintaining a 2.5-year operational buffer. The policy marked a shift from the Foundation’s historically conservative approach, committing to both enhance financial sustainability and support key Ethereum applications.

The treasury policy targets spending approximately 15% of treasury funds annually, gradually reducing to a sustainable 5% baseline over five years, while prioritizing security, open-source principles, and financial sovereignty aligned with what the Foundation calls “Defipunk” values.

The migration marks a powerful alignment: Ethereum’s core steward now uses the same infrastructure it supports, dogfooding the ecosystem it helps build.

Bitcoin’s First Major L2 Since Lightning Launches After Two Years of Development

Arkade Brings Ark Protocol to Mainnet and Announces Native Asset Framework, Marking a Pivotal Moment in Bitcoin’s Evolution as Programmable Money.

Ark Labs today launched Arkade to public beta, introducing Bitcoin’s first scaling layer for programmable finance since Lightning Network’s debut nearly a decade ago. Alongside the mainnet launch, the company announced Arkade Assets, a native asset framework designed to bring stablecoins and other tokens to Bitcoin’s execution layer, with planned Tether USDT support.

Two years after the Ark protocol announcement captured developers’ imagination, the launch represents a milestone in Bitcoin scaling innovation. While numerous layer-2 proposals emerged in recent years, most remain in research and development phases. Arkade, built on Ark’s foundation, becomes the first major initiative from this wave to deliver working mainnet infrastructure without security tradeoffs.

“The Bitcoin L2 landscape has been full of promises but light on shipping,” said Marco Argentieri, CEO of Ark Labs. “Today’s release marks the beginning of Bitcoin’s evolution as programmable money.”

Introducing Arkade Assets: Bringing Stablecoins Home to Bitcoin

In a significant expansion of Arkade’s capabilities, Ark Labs today unveiled Arkade Assets, a framework that extends Arkade’s virtualization architecture to support multiple asset types.

Arkade Assets represents an important milestone for Bitcoin’s evolution as a programmable financial platform. While stablecoins have become essential infrastructure for digital finance, with over $200 billion in circulation, most activity has migrated to alternative chains due to Bitcoin’s limited programmability. Ark Labs intends to reverse this trend.

“Tether pioneered stablecoins on Bitcoin over a decade ago, but the ecosystem lacked the infrastructure to support the sophisticated applications users demand,” said Argentieri. “Arkade finally provides that foundation. We’re building the rails to bring stablecoins back to the world’s most secure blockchain, where they belong.”

From Lightning Alternative to Application Platform

Originally positioned as an alternative to popular Bitcoin scaling solution Lightning, Ark’s virtualization approach revealed potential beyond simple offchain payments. Arkade, the protocol’s first implementation, shows how this architecture can unlock advanced financial applications with no changes to Bitcoin.

“We realized we weren’t just building another payment rail,” explained Alex Bergeron, Ecosystem Lead. “Arkade supports lending protocols, trading platforms, and smart wallets directly on Bitcoin. These are applications that were previously impossible without wrapped tokens or custodial compromises.”

Virtualizing Bitcoin to Unlock Programmable Money

Bitcoin’s $2 trillion market cap cements its status as digital gold, yet its financial services potential remains untapped. Inherent constraints at the base layer have limited the asset to a narrow set of use cases and left the financial application market open to Ethereum and other competitors.

“Arkade unlocks Bitcoin’s full potential without compromising what makes it valuable,” said Argentieri. “By virtualizing Bitcoin’s transaction layer, we’re enabling developers to build directly on Bitcoin, not around it.”

Instead of changing Bitcoin’s consensus rules or creating separate chains, Arkade abstracts Bitcoin’s fundamental building block, the UTXO, into a virtual environment where it retains Bitcoin’s security properties but gains new capabilities. All user assets are secured by presigned transactions that keep users in control of their funds at all times and remove the need for risky bridge infrastructure. Developers can build sophisticated financial primitives in a modern development environment: structured yield products, credit markets, and advanced derivatives systems.

Roadmap

Arkade’s public beta delivers core protocol functionality. Virtual Transaction Outputs (VTXOs) enable instant offchain execution while maintaining unilateral exit paths to Bitcoin. Batch settlement compresses thousands of operations into single Bitcoin transactions, dramatically reducing costs. Lightning Network integration through Boltz enables seamless swaps between Arkade and Lightning liquidity.

Launch partners include Breez, BTCPayServer, Boltz, BullBitcoin, Lendasat and LayerZ Wallet.

The public beta represents the beginning of a broader rollout. Ark Labs will expand Arkade’s capabilities over the coming months, adding enhanced scripting environments, additional security mechanisms, and support for more complex financial primitives.

“We’re not just launching a product. We’re establishing infrastructure for the next decade of Bitcoin development,” said Bergeron. “Every major financial application needs a programmable foundation. That’s what we’re building.”

Developers can explore Arkade at arkadeos.com and access integration documentation at docs.arkadeos.com.

About Arkade

Arkade, developed by Ark Labs, is a Bitcoin-native operating system designed to unlock trillions in idle capital and enable Bitcoin as a programmable financial platform. Combining off-chain speed with on-chain security, Arkade allows developers to build decentralized applications for payments, trading, and capital markets—such as Bitcoin-backed loans, margin trading, and derivatives like options and structured products—while preserving Bitcoin’s core principles of decentralization and user control. By eliminating the need for bridges, wrapped tokens, or custodial risks, Arkade provides instant, low-cost tools to power diverse financial interactions with native Bitcoin liquidity. Backed by investors including Draper Associates, Axiom, Fulgur Ventures, and top angel investors, Ark Labs is positioning Arkade as the decentralized backend for institutional liquidity.

ANOME Unveils AnoMEME: A Meme Token Card LaunchPad Built on ERC-404: Where Meme Tokens Become Meme Cards

ANOME, the Web3 ecosystem uniting NFTs, GameFi, and DeFi, today announced the upcoming launch of AnoMEME, a core subsystem within the ANOME ecosystem that redefines how meme tokens are created, used, and experienced on-chain.

In the fast-moving world of crypto, speed and creativity determine who shapes the narrative. ANOME’s AnoMEME platform is a bold answer to that challenge — a first-of-its-kind LaunchPad where meme tokens are born as playable, ownable Meme Cards, powered by the innovative ERC-404 standard that merges fungible and non-fungible functionality into a single asset class.

From Token Launches to Cultural Creation

Traditional meme-token platforms end the journey the moment a contract is deployed. AnoMEME marks the beginning of a new one.

With just a few clicks, creators can connect their wallet, name their meme, upload artwork, and deploy a fully functional ERC-404 token, instantly creating a Meme Card: a tradeable, on-chain representation of their idea that evolves as the community grows. As a fully on-chain LaunchPad, AnoMEME lowers the barrier between token issuance and cultural participation, enabling anyone to launch a meme token in minutes, no coding required, and instantly transform it into a playable asset within the ANOME ecosystem.

Every Meme Card minted on AnoMEME is not only a token but also a game-ready asset. It can battle other Meme Cards, serve as the foundation for NFT collections, and power future gameplay mechanics: all while existing transparently and verifiably on-chain.

This is where meme creation transcends speculation: when issuing a token is no longer just issuing a token, but the beginning of creating a new world.

A New Layer of Utility, Culture, and Engagement

To maintain balance, Meme Cards will operate in a dedicated battle system separate from ANOME’s official cards. This allows creators and communities to experiment, compete, and build their own ecosystems, without impacting the core gameplay economy.

The result is a new paradigm for meme tokens: assets that are functional, interactive, and culture-driven. By combining the virality of meme tokens with on-chain utility and community-driven storytelling, AnoMEME fosters deeper user engagement, stronger liquidity potential, and continuous cultural co-creation, positioning itself at the center of the next wave of meme innovation.

Launching Soon

AnoMEME — Where Meme Tokens Become Meme Cards — is set to launch on the BNB Smart Chain in the coming weeks.

Follow @Anome_Official and visit anome.xyz to join the next evolution of the meme economy.

Discover the Best Anonymous Ripple Exchanges for You


TL;DR: Anonymous Ripple exchanges let you trade XRP without the usual sign-up steps, giving you more privacy. They’re ideal if you want faster access without lengthy verifications. Just keep an eye on security, because with fewer checks, you need to handle your funds carefully.

Explore anonymous Ripple exchanges

Anonymous Ripple exchanges often skip the usual Know Your Customer (KYC) process. This means you don’t have to submit ID documents or wait for approval before you start trading. Many users prefer these non-KYC platforms because they can jump right in and enjoy swift conversions, especially if they need to move digital assets quickly.

Why are they so popular? The appeal lies in privacy. When you’re buying or selling XRP without handing over personal details, you’re less concerned about data breaches or identity theft. This approach can be especially handy if you live in a region with restrictive crypto rules. However, minimal account verification can also open the door for shady activities. That’s why it’s wise to research every platform’s background and security features before committing funds.

Compare pros and cons

Below is a quick overview of what you can expect:


You’ll notice a clear trade-off. If you value privacy over everything else, non-KYC platforms may be a good fit. But keep in mind you’ll need to manage more of your own security and due diligence.

Check essential features

When picking an anonymous XRP platform, it helps to pinpoint what you really need. Here are some things to watch out for:

  • Security measures: Look for mentions of Two-Factor Authentication (2FA) and cold storage options. Non-custodial or decentralized models give you direct control of your keys, which can reduce hacking risks.
  • User-friendly interface: If you’re new to crypto, choose a site that explains each step clearly. Something with a clean layout and helpful tutorials saves loads of frustration.
  • Asset range: Some platforms don’t just focus on Ripple. They may allow cross-chain swaps for tokens from Ethereum, BNB Chain, or Polygon, making it easier to diversify.
  • Reputation and reviews: Check user experiences if possible. While anonymous platforms typically lack significant regulatory oversight, you can still gauge reliability from community feedback.

Try Baltex.io exchange

Baltex.io is a non-custodial exchange that aims to deliver a straightforward experience. Since it’s non-custodial, you hold your private keys, which offers an extra layer of security. You don’t need to open an account or reveal personal details, so privacy stands out as a main perk.

Additionally, the interface supports cross-chain crypto swaps, which is great news if you often move between different blockchains. This sort of flexibility is appealing for both newbies and seasoned traders, since it cuts down the hassle tied to multiple wallets and networks.

Review top FAQs

Below are common questions that pop up when choosing an anonymous exchange for Ripple:

1. How do I secure my funds on a non-KYC platform?
Always activate 2FA if available, and consider a hardware wallet for long-term storage. Staying vigilant against phishing attempts (fake websites or emails) also helps.

2. Can I buy other cryptos on these exchanges?
Many non-KYC platforms allow you to trade multiple assets. Some specialize in cross-chain swaps, which means they support tokens from different blockchains.

3. What are the risks of non-KYC exchanges?
With little to no regulatory oversight, you rely on the platform’s reputation, community feedback, and your own caution. Strictly verifying that the site is trustworthy can save you from hacks.

4. Why should I consider Baltex.io?
Baltex.io is non-custodial, meaning you control your private keys. It also offers cross-chain swaps and a user-friendly interface, which is particularly helpful if you want a simple entry point into anonymous XRP trading.

Whether you’re after total privacy, quick setup, or a broader range of crypto assets, anonymous Ripple exchanges can offer a unique advantage. Just remember that the responsibility for your funds largely rests on you. Research, stay alert, and pick a platform with solid security practices. Good luck with your trading!