Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Embedding malicious code in distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the unique separator string in its HTTP multipart messages. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y“) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data separator string, “jeus”.

Using encryption, the custom separator string wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd“). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1
Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2
Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 0:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 7:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the build paths above. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater and the application terminates immediately. If the HTTP response is code 200, then the updater gets the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data, which is compared to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”; the updater then sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
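The check-in traits described for both the Windows and macOS updaters can be turned into a detection and decoding routine for captured HTTP requests. The following is an added example, not code from the original report: the sample request is constructed, its form field names and host are hypothetical, the three-hit threshold is an arbitrary choice, and it assumes the XOR-encrypted data starts directly after the six-byte GIF89a header.

```python
import re

# Indicators quoted in the report above.
XOR_KEY = b"Moz&Wie;#t/6T!2y"          # hardcoded 16-byte XOR key
C2_PATH = "/checkupdate.php"
BOUNDARY = "jeus"                      # fixed multipart separator string
GIF_MAGIC = b"GIF89a"
USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
}


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_parts(body: bytes, boundary: str):
    """Yield (part_headers, content) for each multipart/form-data part."""
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        part_head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):          # CRLF before next delimiter
            content = content[:-2]
        yield part_head.decode("latin-1"), content


def analyze(raw: bytes) -> dict:
    """Score one request against the indicators; decode the fake GIF if found."""
    method, target, headers, body = parse_request(raw)
    hits, host_info = [], None
    if method == "POST" and target.split("?")[0].endswith(C2_PATH):
        hits.append("path")
    if headers.get("user-agent") in USER_AGENTS:
        hits.append("user-agent")
    m = re.search(r'boundary="?([^";]+)', headers.get("content-type", ""))
    boundary = m.group(1) if m else None
    if boundary == BOUNDARY:
        hits.append("boundary")
    if b"get_config" in body:
        hits.append("get_config")
    if boundary:
        for part_head, content in multipart_parts(body, boundary):
            if 'filename="temp.gif"' in part_head and content.startswith(GIF_MAGIC):
                hits.append("fake-gif")
                host_info = xor_crypt(content[len(GIF_MAGIC):])
    # Threshold of three indicators is an assumption of this example.
    return {"hits": hits, "suspicious": len(hits) >= 3, "host_info": host_info}


def build_sample() -> bytes:
    """Constructed request for testing; field names and host are hypothetical."""
    info = b"host=LAB-PC01;os=Windows 10 Pro;build=17134"   # constructed data
    blob = GIF_MAGIC + xor_crypt(info)
    body = (b"--jeus\r\n"
            b'Content-Disposition: form-data; name="type"\r\n\r\n'
            b"get_config\r\n"
            b"--jeus\r\n"
            b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n'
            b"Content-Type: image/gif\r\n\r\n" + blob + b"\r\n"
            b"--jeus--\r\n")
    head = ("POST /checkupdate.php HTTP/1.1\r\n"
            "Host: c2.example.invalid\r\n"
            "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; "
            "Windows NT 6.1; Trident/6.0)\r\n"
            "Content-Type: multipart/form-data; boundary=jeus\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Run over proxy or packet-capture exports, the recovered `host_info` shows which machines checked in and what they reported, which helps scope an incident.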

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contain a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.
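The padding arithmetic from the dropper procedure and the 276-byte trailer described here give a cheap triage check for suspect DLLs. This is an added example, not code from the original report: it assumes the trailer is appended after the padding and that overwriting the start of the file does not change its length, which is consistent with the reported loader size (104,878,356 = 10,240 × 10,242 + 276). Function names are hypothetical.

```python
import os

BLOCK = 10_240                           # bytes written per iteration (step 5.1)
MIN_ITERS, MAX_ITERS = 10_240, 10_249    # rand() % 10 + 10240
KEY_LEN, PATH_LEN = 16, 260              # trailer layout read by the loader
TRAILER_LEN = KEY_LEN + PATH_LEN         # 276 bytes


def padded_iterations(file_size: int, trailer: int = TRAILER_LEN):
    """Return the padding iteration count if the size fits the scheme, else None."""
    body = file_size - trailer
    if body <= 0 or body % BLOCK:
        return None
    n = body // BLOCK
    return n if MIN_ITERS <= n <= MAX_ITERS else None


def split_trailer(tail: bytes):
    """Split the last 276 bytes into (16-byte key, 260-byte encrypted path)."""
    if len(tail) != TRAILER_LEN:
        raise ValueError(f"expected {TRAILER_LEN} bytes, got {len(tail)}")
    return tail[:KEY_LEN], tail[KEY_LEN:]


def companion_dat(dll_name: str):
    """Map '[service]svc.dll' to the '[service].dat' name the dropper creates."""
    suffix = "svc.dll"
    if dll_name.lower().endswith(suffix) and len(dll_name) > len(suffix):
        return dll_name[:-len(suffix)] + ".dat"
    return None


def triage_file(path: str) -> dict:
    """Collect the size, header, trailer and companion-file facts for one file."""
    size = os.path.getsize(path)
    companion = companion_dat(os.path.basename(path))
    result = {
        "size": size,
        "iterations": padded_iterations(size),
        "is_pe": False,
        "key": None,
        "enc_path": None,
        "companion": companion,
        "companion_present": bool(companion) and os.path.exists(
            os.path.join(os.path.dirname(path), companion)),
    }
    with open(path, "rb") as f:
        result["is_pe"] = f.read(2) == b"MZ"
        if size >= TRAILER_LEN:
            f.seek(size - TRAILER_LEN)
            result["key"], result["enc_path"] = split_trailer(f.read(TRAILER_LEN))
    # A PE whose length fits the padding scheme deserves a closer look;
    # the key and encrypted path are returned for the analyst, not decrypted
    # here, because the report does not name the decryption routine.
    result["match"] = bool(result["is_pe"] and result["iterations"])
    return result


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, triage_file(p))
```

A size match alone is a lead rather than a verdict; a present companion `.dat` file and a service registration under the same name strengthen it.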

Data at the end of the loader module

After decryption of the last 260-bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files to a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into Celas Trading Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and the national CERT of the US.

RC4 key from the older Fallchill

Fallchill malware uses an RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trading Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!


ETH staking simplified: Simply Staking presents Ethereum staking dashboard

Simply Staking’s new Ethereum staking program makes ETH staking easier than ever. Users can stake without holding 32 ETH, thanks to a user-friendly dashboard, secure Tier 3 data centers, and seamless wallet integration – removing barriers for both beginners and experienced crypto holders.

In the fast-paced blockchain world, running a validator or node is costly and complex – especially for ETH staking. Simply Staking’s dashboard tackles this challenge, making staking simple and accessible, helping decentralize Ethereum through broader participation from both new and experienced users.

ETH staking as simple as it gets

The trusted crypto staking provider Simply Staking manages nearly $1 billion in staked assets across networks like Polkadot and Cosmos. Known for reliable validator operations, it now brings that expertise to ETH staking, strengthening its commitment to a secure, inclusive blockchain ecosystem across multiple protocols.

The new ETH Staking dashboard streamlines onboarding and ensures top security through advanced data centers. By joining the staking pool, you earn rewards while supporting Ethereum 2.0’s scalability. Simply Staking welcomes all users, regardless of holdings, encouraging broader participation and driving the ongoing growth of the crypto economy.

Key highlights:

  1. Effortless staking: Simply Staking lets you stake ETH in a few steps – no specialized software needed, making crypto staking accessible to everyone.
  2. No 32 ETH requirement: Traditional staking needs 32 ETH to validate. Pooled staking lets users combine funds, enabling smaller holders to stake Ethereum and earn rewards together.
  3. Competitive reward rate: Through StakeWise, participants enjoy attractive staking rewards, appealing to both large investors and everyday enthusiasts.
  4. Unmatched security: Simply Staking operates Tier 3 data centers with 99.9% uptime, ensuring nodes stay secure and always online.
  5. Seamless ETH staking with direct wallet integration: Connect your crypto wallet directly to the dashboard – no extra logins or exchanges needed, reducing security risks and simplifying staking.

Why stake Ethereum with Simply Staking?

Staking needs reliable infrastructure and trusted partners. Simply Staking ensures strong performance across blockchains, backed by advanced data centers for secure Ethereum staking.

Simply Staking supports Ethereum 2.0’s consensus, helping secure and decentralize the network. With deep experience in large-scale crypto operations, we built a resilient system to balance workloads efficiently. Users enjoy reliable, high-performance staking across Ethereum, Polkadot, Cosmos, and more.

How the ETH staking dashboard works

  1. Visit the Platform: Navigate to the staking Dashboard on stake.simplystaking.com/eth to begin. The site is user-friendly, with key functions clearly accessible.
  2. Connect Your Wallet: The dashboard seamlessly integrates with your preferred crypto wallet, removing the need for third-party websites or bridge services. You stay in control of your private keys throughout the process.
  3. Select the amount of ETH you want to stake: Since the platform no longer requires 32 ETH, you’re free to stake Ethereum with the amount of ETH that meets your goals – whether it’s a modest portion of your holdings or a larger investment.
  4. Confirm and Stake ETH: A few clicks finalize your participation. You start to earn rewards at a competitive reward rate almost immediately, with real-time updates available on staked balances and yields.
  5. Start earning rewards and participate in staking Ethereum.

This five-step process ensures simplicity for newcomers while offering experienced stakers strong security and clear metrics – all in one place. Easily track your ETH holdings and see exactly how much is staked at any time.

Supporting Ethereum’s growth

Ethereum staking strengthens the network by validating transactions, enhancing scalability, and supporting decentralization. As the second-largest blockchain, Ethereum powers countless decentralized applications, making it essential to the broader crypto ecosystem and ensuring its long-term security and resilience.

Historically, staking was often dominated by large holders or centralized platforms. Simply Staking changes this with a user-friendly, decentralized model. It offers easy onboarding while preserving asset custody, supporting Ethereum’s vision of an open, accessible network driven by diverse, active participants.

Start staking ETH today

Experience the future of ETH staking with Simply Staking. By removing historical barriers, delivering an appealing token reward rate, and prioritizing security through Tier 3 infrastructure, the company reimagines stake opportunities in the digital asset world.

This user-first design positions Simply Staking at the cutting edge of staking innovation, where trust and ease of use are paramount. Every aspect of the platform – from the polished interface to robust security protocols – reflects a commitment to providing the best possible staking environment. Crucially, participants are no longer compelled to need 32 ETH to contribute to the network’s evolution, aligning with Ethereum’s wider push for accessibility.

Ultimately, the platform’s mission is to ensure that anyone who wants to stake can do so securely, transparently, and profitably. As the Ethereum 2.0 upgrade continues, more opportunities will arise for validators, and Simply Staking aims to remain an industry leader in facilitating these possibilities. For media inquiries or further details, visit stake.simplystaking.com/eth or simplystaking.com.

From veteran traders to newcomers, the platform stands as a testament to how thoughtful infrastructure and user-focused design can redefine digital asset engagement. Its proven reliability, commitment to decentralization, and active role in multiple blockchains make Simply Staking an ideal staking service provider for anyone looking to stake ETH, expand their crypto portfolio, or simply explore the evolving potential of Ethereum’s consensus mechanism.

About Simply Staking

Simply Staking is a globally recognized leader in blockchain infrastructure provision and development, dedicated to the advancement and security of decentralized technologies. Founded in 2013, it focused on Proof of Work and Proof of Stake technologies. Over the years, it has become one of the key contributors within the blockchain ecosystem, starting with its genesis validator role in the Cosmos Hub in 2019. Its services span validating, node operations, blockchain development, infra-monitoring tool creation, and data infrastructure management, catering to a wide array of networks and ecosystems.

Indexbit Exchange: Strengthening Data Security and Privacy Protection

As digital transactions become increasingly vital in the global economy, Indexbit Exchange is reinforcing its commitment to data security and user privacy. With the growing demand for safer online financial services, Indexbit has implemented a series of advanced security measures to protect user information and ensure compliance with global data protection standards.

Enhancing Cybersecurity with Advanced Encryption

Indexbit Exchange has integrated state-of-the-art encryption protocols to safeguard user data against unauthorized access. The platform now utilizes multi-layered encryption techniques, ensuring that sensitive user information remains secure during transactions and data storage. Additionally, end-to-end encryption has been strengthened to prevent potential security breaches and data leaks.

Strict Compliance with Global Privacy Standards

To maintain a high level of trust and transparency, Indexbit adheres to internationally recognized data protection regulations. The platform follows General Data Protection Regulation (GDPR) guidelines and implements industry-best practices for handling user information. This commitment to regulatory compliance ensures that user data is handled with the utmost care and in accordance with legal requirements.

AI-Free Risk Monitoring and Threat Detection

Rather than relying on artificial intelligence, Indexbit has developed manual and algorithm-based security protocols to detect unusual activities and potential cyber threats. A dedicated cybersecurity team actively monitors transactions, identifying suspicious behavior and mitigating risks before they escalate. By focusing on proactive threat detection, Indexbit ensures that user accounts remain secure from fraud and unauthorized access.

Strengthening User Authentication and Access Controls

Recognizing the importance of secure user access, Indexbit Exchange has introduced multi-factor authentication (MFA) and biometric verification options. These features enhance account security by requiring multiple verification steps before granting access. Additionally, time-sensitive authentication codes further prevent unauthorized logins, providing an extra layer of protection for users.

Transparent Data Protection Policies

In an effort to maintain transparency, Indexbit has revised its data privacy policies to ensure users fully understand how their information is collected, stored, and used. The updated privacy policy clearly outlines users’ rights regarding their personal data, including the ability to manage, download, or request deletion of stored information.

Ongoing Security Audits and System Updates

To stay ahead of potential security threats, Indexbit Exchange undergoes regular third-party security audits and implements frequent system updates. These measures help ensure that the platform remains resilient against emerging cyber risks. Additionally, Indexbit collaborates with industry experts to refine its security framework and continuously improve data protection strategies.

Looking Ahead: A Safer Future for Digital Transactions

As data privacy and cybersecurity concerns continue to rise, Indexbit Exchange remains committed to protecting its users through advanced security measures and compliance with global privacy regulations. By prioritizing user safety and transparency, Indexbit is setting a new standard for secure and responsible digital financial services.

With a strong emphasis on data security, Indexbit Exchange provides a safe and reliable environment for users to conduct transactions with confidence, ensuring their personal and financial information remains protected at all times.

Plume and Stobox Partner to Provide a Turn-Key Tokenization for Issuers

Plume Network, the first modular blockchain designed for real-world assets (RWAs), and Stobox, a leading provider of tokenization solutions, are joining forces to provide a seamless, turnkey business solution for asset issuers on Plume.

Through this long-term partnership, Stobox will integrate its battle-tested tokenization solutions with Plume’s Arc platform, streamlining the process for issuers to tokenize assets while ensuring compliance with security regulations across multiple jurisdictions.

By integrating Stobox’s enterprise API into Arc, Plume will enable institutions and enterprises to gain access to a fully compliant and scalable infrastructure for tokenizing multi-billion-dollar asset portfolios. Stobox’s solutions for enterprise clients will support sophisticated needs, allowing professional market players to navigate the complexities of blockchain-based asset issuance efficiently.

With more than 180 apps and protocols in its ecosystem, Plume fosters innovation and collaboration in the RWA space. Arc alone has over $5.5Bn of real-world assets committed to be tokenized and distributed. By leveraging Stobox’s deep expertise in tokenization and regulatory frameworks, the partnership will unlock new opportunities for institutions looking to expand the reach of real-world assets through the blockchain in a secure and compliant manner.

“Integrating Stobox’s solutions into Plume’s Arc enhances the capabilities of our Arc platform, ensuring that issuers can navigate compliance with ease,” said Luke Xiao, Head of Strategic Partnerships of Plume Network. “This partnership paves the way for enterprises to tokenize assets at an unprecedented scale.”

“By combining our regulatory expertise with Plume’s specialized blockchain infrastructure, we are setting new standards for compliant and scalable tokenization,” said Gene Deyev, CEO of Stobox. “With this, any business will be able to tokenize its assets or equity and immediately access vast financial markets onchain.”

Stobox has already helped tokenize over $500 million in assets across industries such as finance, mining, energy, and real estate. Stobox also developed one of the first enhanced methodologies for issuers conducting an STO, optimized for all asset types, various feasible jurisdictions, and underlying asset classes, covering most common business cases.

About Plume

Plume is the first fully integrated L1 modular blockchain focused on RWAfi, offering a composable, EVM-compatible environment for onboarding and managing diverse real-world assets. With 180+ projects on its private devnet, Plume provides an end-to-end tokenization engine and a network of financial infrastructure partners, simplifying asset onboarding and enabling seamless DeFi integration for RWAs. Learn more at https://www.plumenetwork.xyz/.

About Stobox

Stobox is a VASP-licensed and regulated tokenization provider that builds financial markets for small and medium-sized businesses. The company offers an all-in-one solution for tokenizing, investing, and trading real-world assets (RWA) and operates in multiple jurisdictions, including the United States. Since its launch in 2018, Stobox has successfully tokenized over $500 million in assets across the finance, mining, energy, and real estate sectors. For more information, visit https://www.stobox.io or follow @StoboxCompany on X.

Rekubit: Advanced Data Encryption Reinventing Security on Rekubit Exchange

Rekubit has unveiled its latest breakthrough in digital security—an advanced data encryption system designed to protect sensitive information and optimize digital communications. This new encryption technology enhances data protection across multiple sectors, ensuring that businesses and individuals can securely transmit and store information without the risk of unauthorized access.

Strengthening Digital Protection with Cutting-Edge Encryption

With the growing volume of digital transactions and online communications, security concerns have become more pressing than ever. Rekubit’s newly developed encryption technology provides a sophisticated layer of protection that safeguards sensitive information from cyber threats. The system is designed to withstand potential security breaches while maintaining fast and efficient data transmission.

Unlike traditional encryption methods, Rekubit’s technology integrates adaptive security protocols that continuously evolve to counter new and emerging threats. By using dynamic key management and advanced cryptographic algorithms, this system significantly reduces the risk of data interception or manipulation. Businesses and individuals can now operate with greater confidence, knowing that their information is protected by state-of-the-art encryption.

Optimized Performance Without Compromising Security

One of the key challenges of advanced encryption systems is balancing security with speed and efficiency. Rekubit has addressed this issue by developing a system that ensures high-speed data processing without compromising security standards. This innovation is particularly beneficial for industries requiring real-time data protection, such as healthcare, finance, and telecommunications.

Additionally, the encryption system is designed to integrate seamlessly with existing digital platforms, making implementation simple and cost-effective. Users can enhance their security infrastructure without the need for extensive modifications to their current operations.

Expanding Security Solutions for Businesses and Individuals

Rekubit’s encryption technology is not limited to large enterprises—it is also designed to support individual users who require enhanced security for personal communications and transactions. Whether securing confidential business data or protecting personal messages, the system offers a comprehensive solution for users at all levels.

Beyond data transmission, Rekubit’s technology also enhances storage security. The encryption system ensures that stored information remains protected, reducing the risk of data leaks or unauthorized access. With data breaches becoming increasingly common, this innovation provides an essential tool for organizations and individuals looking to safeguard their digital assets.

Looking Ahead: Rekubit’s Commitment to Digital Security

As technology continues to evolve, Rekubit remains committed to advancing digital security solutions that address modern challenges. This latest encryption innovation is part of a broader initiative to enhance cybersecurity standards and provide users with the most effective protection available.

Moving forward, Rekubit plans to expand its security offerings with additional features, including AI-driven threat detection and advanced access control systems. By continuously improving its security infrastructure, Rekubit is setting a new benchmark for digital safety and resilience in an increasingly connected world.

For more information about Rekubit’s latest advancements in encryption technology, visit https://www.rekubit.com/

MiL.k migrates to Arbitrum for the full-scale expansion of global web3 business

  • MiL.k has decided to onboard to Arbitrum to accelerate its global business expansion
  • Arbitrum is the leading Ethereum layer 2 solution for various dApps and Web3 projects
  • Active collaboration with the Arbitrum ecosystem is expected to strengthen partnerships with global blockchain projects, primarily in Asia

Milk Partners (CEO Jayden Jo), which operates the blockchain-based loyalty integration platform MiL.k, announced on the 27th that it plans to migrate to Arbitrum, the world’s largest Ethereum Layer 2, to expand its global Web3 ecosystem.

MiL.k made the decision to move its mainnet from the Luniverse chain to the Arbitrum One chain to secure infrastructure optimized for Web3 business in a fast-changing market and to strengthen partnerships in the global blockchain ecosystem.

MiL.k is a DApp that supports the integration and exchange of reward points from various service companies. By using blockchain technology to solve the difficulties arising from each company's different databases and policies, it has introduced a new standard of point utilization, revolutionizing the market. MiL.k has grown rapidly by establishing a loyalty ecosystem in collaboration with major domestic and international service companies such as AirAsia (global airline), Yanolja (No.1 online travel agency in Korea), OK Cashback (loyalty system of SK Group, the second largest group in Korea), Lotte L-Point (loyalty system of Lotte Group), CU (market No.1 convenience store in Korea), and Megabox (top multiplex in Korea).

Through the Arbitrum migration, MiL.k plans to solidify its global presence by actively pursuing diverse Web3 partnerships within the Arbitrum ecosystem and with global service companies. Arbitrum is the representative Ethereum Layer 2 solution, offering the highest scalability to more than 1,000 projects, including 420 DeFi projects, 33 AI & DePIN projects, and 63 gaming projects. By leveraging Arbitrum’s technological strengths and global influence, MiL.k will accelerate its global business development and market penetration through marketing collaborations with various projects.

Both parties plan to actively expand their global business together, based on the 1.5 million DApp users of MiL.k and the technical expertise and network of the Arbitrum Foundation. In particular, to strengthen their presence in global markets, primarily in Asia, both parties plan to initiate various Web3-based marketing and business activities.

Jayden Jo, CEO of Milk Partners, stated, “This migration is a strategic decision that will accelerate MiL.k’s global expansion, going beyond a mere transition of the mainnet. Through the collaboration with Arbitrum, the positioning of the MiL.k will be a leading global web3 project.”

Meanwhile, even after migrating to Arbitrum, MiL.k will maintain and strengthen its close collaboration with ‘Lambda 256’, the operating company of the Luniverse chain. Both companies have agreed to actively cooperate to enhance stable blockchain infrastructure and services.

$Nut Presale is Coming—Here’s Why You Can’t Afford to Miss It

They doubted Dogecoin in 2013. They dismissed Shiba Inu in 2020. And now? They’ll probably laugh at $NUT too—until it takes off. History has shown that the biggest meme coin winners are the ones who got in before the rest of the world caught on. With the $NUT presale opening on March 2nd, this is the chance to be ahead of the curve.

Meme coins aren’t just about charts—they’re about narratives, culture, and unstoppable community energy. $NUT brings all three, plus a roadmap built for the future. This isn’t just another meme coin—it’s a movement. Don’t sit on the sidelines and watch the story unfold. Be part of it.

This is one opportunity you don’t want to fade.

What is $NUT? The Meme Coin That’s More Than Just Hype

Built on Solana, $NUT is designed to be a high-speed, low-fee token that thrives on community engagement, cultural relevance, and future expansion. While it follows the tradition of meme coins like DOGE and SHIB, $NUT has its own unique vision—one that blends meme culture with highly ambitious future plans.

The roadmap teases massive ecosystem expansions, including:

  • NutFi – A decentralized finance (DeFi) suite powered by $NUT
  • NutVerse – The first-ever meme metaverse
  • NutFests – Exclusive IRL events for holders
  • Nut AI Agent – An AI-driven chatbot bringing unfiltered entertainment & unrivaled features

While the memes drive momentum, these planned features offer long-term growth potential, setting $NUT apart from generic meme coins.

Why Now Is the Perfect Time for $NUT’s Launch

The meme coin market is experiencing an unprecedented surge, with projects like PEPE, BONK, and WIF demonstrating the power of community-driven tokens. As demand for meme coins continues to grow, $NUT is launching at a pivotal moment—positioned to capture the momentum of this evolving sector.

Meme coins have evolved beyond internet jokes, solidifying themselves as a serious market category. With Dogecoin recently gaining a Grayscale Trust, institutional interest is entering the space, further legitimizing meme tokens as a viable asset class.

Solana’s rapid ecosystem expansion has also played a crucial role in this market shift. With lower transaction fees and a thriving developer community, new Solana-based tokens have consistently outperformed many Ethereum counterparts, making it the ideal environment for $NUT’s launch.

Beyond market dynamics, meme coins thrive on cultural relevance and FOMO-driven momentum. The best-performing tokens are not just financial instruments; they are viral movements that capture the crypto community’s collective imagination. $NUT is launching at the perfect time, leveraging this wave of interest to establish itself as the next major breakout.

With all the right factors aligning, $NUT is ready to make its mark in the meme coin space, offering a fresh and exciting opportunity for the crypto community.

How $NUT Creates Lasting Value for Holders

While $NUT launches as a pure meme token, its long-term vision extends far beyond the hype. The roadmap is designed to introduce real utility, ensuring lasting value for holders.

  • Deflationary Model – Future utilities, including NutFi, will incorporate token burns and staking mechanisms to create a sustainable ecosystem.
  • NutVerse & NFT Integrations – The first-ever meme metaverse will feature tradable NFTs and exclusive experiences, blending entertainment with digital ownership.
  • AI-Powered Engagement – The Nut AI Agent brings interactive utility, making $NUT more than just a collectible token—it becomes a functional part of the digital economy.
  • Real-World Events – NutFests will connect online communities with physical experiences, reinforcing $NUT’s cultural impact beyond the blockchain.

With these innovations, $NUT isn’t just another meme token—it’s a project built for long-term growth, community engagement, and evolving utility.

Why Getting in Early on $NUT Matters

In crypto, timing is everything—and early adopters of strong meme coins often see the biggest gains. Here’s why joining the $NUT presale is a rare opportunity:

  • Lowest Entry Price – Get in before $NUT hits exchanges.
  • Scarcity-Driven Demand – With a fixed 300M supply, competition will be fierce once presale ends.
  • Community-Powered Growth – A dedicated, aggressive community ready to drive momentum.
  • High Growth Potential – Early entries in top meme coins have seen 100x+ gains—$NUT aims to be the next breakout.

Final Chance: Don’t Miss the $NUT Presale

Meme coins have evolved beyond fleeting trends—they are now a driving force in the crypto landscape. $NUT is at the forefront of this movement, backed by massive early hype, a limited-supply presale, and a clear roadmap for long-term value. With a strong focus on community engagement and real utility, $NUT is more than just another meme coin—it’s a cultural phenomenon in the making. As the presale nears its close, early adopters have a rare opportunity to secure their position before demand surges.

The presale starts on March 2nd. Secure your spot now.

About Nut

$NUT is a fast, deflationary, meme-powered cryptocurrency designed for crypto enthusiasts seeking substantial gains and a legendary community. Built to capitalize on the power of memes, $NUT offers a unique opportunity for those looking to engage with a dynamic and ambitious project.

Website: https://www.nutcoin.meme/
X/Twitter: https://x.com/NUT_Verse
Telegram: https://t.me/nutofficialcommunity
Medium: https://medium.com/@Nut_Verse_