
New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer

3 December 2025 at 16:56


Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said.

The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination.

“A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).
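Two of the stealth techniques described above leave a consistent trace on a Linux host: the bot renames its process to look like systemd-logind, and the miner runs from a dot-prefixed file in /tmp. Both can be caught by comparing what a process calls itself (/proc/PID/comm) with where its executable actually lives (/proc/PID/exe). The script below is an added example written for this summary, not code from Cyble or from the malware; the list of daemon names and trusted directories is an assumption for illustration, and the sample process table is constructed, reusing only the file names the report mentions (Mddos.x86_64 and /tmp/.dbus-daemon).

```python
import os
from dataclasses import dataclass

# Assumed policy for this example: names that only legitimate system daemons
# should carry, the directories such daemons are installed from, and the
# world-writable locations a daemon should never execute from.
DAEMON_NAMES = {"systemd-logind", "dbus-daemon", "systemd-journald", "sshd", "cron"}
TRUSTED_DIRS = ("/usr/lib/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/",
                "/bin/", "/sbin/", "/lib/")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: the name shown by ps, freely changeable by the process
    exe: str       # resolved target of /proc/<pid>/exe: the file the kernel actually executed
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def findings_for(p: Proc) -> list[str]:
    """Return the reasons a process looks like a masqueraded daemon (empty if clean)."""
    reasons = []
    if p.comm in DAEMON_NAMES and not p.exe.startswith(TRUSTED_DIRS):
        reasons.append("daemon name with untrusted executable path")
    if p.exe.startswith(SUSPICIOUS_DIRS):
        reasons.append("executable runs from world-writable temp directory")
    if os.path.basename(p.exe).startswith("."):
        reasons.append("hidden (dot-prefixed) executable name")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked after start")
    return reasons


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map each suspicious pid to its findings."""
    return {p.pid: findings_for(p) for p in procs if findings_for(p)}


def collect_live_procs() -> list[Proc]:
    """Read the real process table from /proc (Linux only; not used by the sample below)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # kernel threads have no exe; other pids may exit or be unreadable
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs


# Constructed sample process table: two legitimate daemons, an interpreter whose
# comm legitimately differs from its exe, and two entries shaped like the
# behaviour the report describes (renamed bot, hidden miner in /tmp).
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4021, "systemd-logind", "/tmp/Mddos.x86_64", "systemd-logind"),
    Proc(4033, "dbus-daemon", "/tmp/.dbus-daemon", "/tmp/.dbus-daemon"),
    Proc(4050, "python3", "/usr/bin/python3.11", "python3 app.py"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
```

Replace `SAMPLE_PROCS` with `collect_live_procs()` to run it against a real host (as root, so every /proc/PID/exe link is readable). Note that the python3 entry is deliberately not flagged: comm is derived from the name passed to execve while exe resolves symlinks, so a comm/exe mismatch alone is normal and only matters when the claimed name is a privileged system daemon.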

Cryptocurrency Mixing Service, Millions in Bitcoin Seized by Law Enforcement

1 December 2025 at 14:38


European law enforcement agencies have taken down an illegal cryptocurrency mixing service that they say has been used to facilitate cybercrime and money laundering. The operation to take down the cryptocurrency mixing service ‘Cryptomixer’ was conducted between November 24 and 28 and was announced today by Europol, which assisted Swiss and German law enforcement agencies in the action. The operation resulted in the seizure of three servers in Switzerland, 12 terabytes of data, €25 million in Bitcoin, and the cryptomixer[.]io domain. Law enforcement placed a seizure banner on the website after the takeover. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges,” Europol said. “This allows ‘cleaned’ cryptocurrency to be exchanged for other cryptocurrencies or for FIAT currency through cash machines or bank accounts.”

Cryptocurrency Mixing ‘A Service to Obfuscate the Origin of Criminal Funds’

Europol called Cryptomixer “A service to obfuscate the origin of criminal funds.” “Cryptomixer was a hybrid mixing service accessible via both the clear web and the dark web,” the European law enforcement agency stated. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Since its launch in 2016, Europol says that more than €1.3 billion in Bitcoin were mixed through the service. Deposited funds from users were pooled “for a long and randomised period” before they were redistributed to their destination addresses. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency,” the agency said.

Action Follows ChipMixer Takedown in 2023

Europol was also involved in the multi-national takedown of the crypto mixing service “ChipMixer” in 2023, an operation that involved four European countries and the U.S. At the time, ChipMixer was considered the largest mixing service, and it was suspected of having facilitated the laundering of 152,000 Bitcoins, worth an estimated €2.73 billion at the time. The joint law enforcement operations in both cases were part of EMPACT, the European Multidisciplinary Platform Against Criminal Threats, which aims to address the most important threats posed by organized and international crime affecting the EU.

U.S. Sentences Samourai Wallet Founders for $237M Crypto Money Laundering Scheme

21 November 2025 at 02:57


The U.S. Justice Department has announced the sentencing of Samourai Wallet’s two co-founders for their role in knowingly transmitting more than $237 million in criminal proceeds through the cryptocurrency-mixing platform. Authorities say the platform’s design enabled users to mask the origin of funds tied to drug trafficking, darknet marketplaces, cyber intrusions, fraud schemes, sanctioned jurisdictions, murder-for-hire operations, and child exploitation sites. Nicolas Roos, Attorney for the United States acting under 28 U.S.C. § 515, said the outcomes “send a clear message that laundering known criminal proceeds—regardless of whether the funds are in fiat or cryptocurrency—will face serious consequences.”

Five- and Four-Year Prison Terms

U.S. District Judge Denise L. Cote sentenced CEO Keonne Rodriguez to five years in prison on August 6, 2025, and CTO William Lonergan Hill to four years on November 19, 2025. Both were convicted of participating in a conspiracy to operate an unlicensed money-transmitting business that knowingly processed criminal proceeds. In addition to prison time, each will serve three years of supervised release and pay a $250,000 fine. They have jointly forfeited more than $6.3 million, representing the fees Samourai earned through the illicit transactions.

How Samourai Wallet Enabled Large-Scale Laundering

According to court documents, Rodriguez and Hill began building Samourai Wallet in 2015 with features designed to hide transaction origins. Two core services—Whirlpool and Ricochet—played a central role:
  • Whirlpool mixed Bitcoin among batches of users, obscuring transaction histories and preventing investigators and exchanges from tracing the original source.
  • Ricochet added intentional “hops” between sending and receiving addresses, complicating blockchain analysis and further distancing funds from their origins.
Between Ricochet’s launch in 2017 and Whirlpool’s expansion in 2019, more than 80,000 Bitcoin—valued at over $2 billion at the time—moved through Samourai’s infrastructure. Prosecutors emphasized that the volume of transactions showed how deeply the platform was embedded in criminal financial flows.

Promotion to Criminal Users

Evidence presented in court showed that both co-founders actively encouraged use of Samourai Wallet on darknet forums, encrypted channels, and social media. Hill allegedly promoted Whirlpool on Dread, a marketplace forum, positioning it as a superior method to “clean dirty BTC.” Rodriguez, in a separate 2020 exchange, urged hackers involved in a major social media breach to route their stolen funds through Samourai. In private WhatsApp messages, Rodriguez reportedly described mixing as “money laundering for bitcoin.” Samourai’s own internal marketing material classified its target users as “Dark/Grey Market participants.”

Global Investigation and International Support

The investigation involved multiple international partners, including Europol, the Portuguese Judicial Police, and the Department of Justice’s Office of International Affairs. Hill was arrested in Portugal and extradited in July 2024. Rodriguez was taken into custody in the United States. The FBI, IRS-Criminal Investigation, and several European agencies contributed to evidence collection, digital forensics, and cross-border coordination.

Crypto Exchanges Hacked Again – for Over $100 Million

13 November 2025 at 12:06


Cybercriminals continue to target the cryptocurrency industry, this time with an exploit that affected the Balancer decentralized finance platform, with total losses exceeding $100 million and involving several exchanges that use the software across multiple chains. Some of the money was recovered, but over $90 million has been converted to Ethereum by the criminals, likely as part of their laundering process.

This is the worst year ever for crypto hacks, with billions in losses so far. I specifically predicted that crypto was to be a big target in my 2025 Cybersecurity Predictions (you can find them here: https://matthewrosenquist.substack.com/p/10-cybersecurity-predictions-for or https://www.linkedin.com/pulse/10-cybersecurity-predictions-2025-matthew-rosenquist-ejy4c ) and this trend will hold true for 2026. The simple fact is that crypto is growing in users, total value – market cap is over $3 trillion, and innovative financial instrument use-cases.

Cybercriminals are attracted to money and their efforts to locate and exploit vulnerabilities can result in a windfall of money. I am drafting my 2026 Cybersecurity Predictions and I can already see how various vectors are converging on continued targeting and theft of cryptocurrency properties. Users and investors in this space should apply caution and make sure the services they are dealing with employ mature cybersecurity practices and are trustworthy!

Stay tuned for my full 2026 Cybersecurity Predictions! Follow me on LinkedIn and Substack to be notified when they are published.

The post Crypto Exchanges Hacked Again – for Over $100 Million appeared first on Security Boulevard.

WazirX to Resume Exchange Operations After 15-Month Hiatus Following Cyberattack


WazirX, one of India’s popular cryptocurrency exchanges, is set to restart its operations on October 24, nearly 15 months after a cyberattack forced the platform to halt all activities. The decision to resume trading follows the approval of WazirX’s restructuring plan by Singapore’s High Court. In July 2024, WazirX experienced a devastating cyberattack that resulted in the loss of approximately 45% of its crypto assets, valued at $234 million. This breach compelled the platform to suspend its operations indefinitely, leaving its user base without access to trading or withdrawals during a period when the cryptocurrency market witnessed substantial growth. Token prices surged across the board, increasing the stakes for users awaiting the platform’s reopening.

Court Approval and Restructuring Scheme

Earlier this year, WazirX proposed a restructuring scheme aimed at recovering and redistributing tokens covering nearly 85% of creditors’ balances. This plan requires majority approval from its user base. Following a re-vote in August, a striking 95.7% of voting creditors, accounting for 94.6% by value, endorsed the revised scheme. The High Court of Singapore officially sanctioned the restructuring plan in mid-October, paving the way for the exchange’s return to the market. This court’s approval was a critical step for WazirX, as it legitimizes the company’s approach to restoring user funds and relaunching services.

WazirX Relaunch Strategy and User Benefits

WazirX’s comeback will begin with select crypto-to-crypto trading pairs, along with the USD/INR pair, with plans to expand market offerings gradually. To incentivize users during this relaunch phase, WazirX is introducing a "Restart Offer," which waives trading fees across all pairs for users. While the exchange token rebalancing page is currently live, enabling users to view their adjusted holdings, WazirX is still finalizing features related to withdrawals and trading. In preparation for the relaunch, the platform completed a series of technical updates, including token swaps, mergers, delisting, migration, and any necessary rebranding. To upgrade security and transparency moving forward, WazirX has partnered with BitGo, a well-known digital asset trust company, to safeguard users’ funds more effectively.

Reaffirming Commitment

Nischal Shetty, the founder of WazirX, addressed the community on the occasion of the relaunch. Expressing gratitude for the users’ patience during the difficult period, Shetty highlighted the company’s dedication to making cryptocurrency accessible to every Indian. “This isn’t just a return to operations; it’s a reinforcement of our integrity, which we’ve always strived for,” Shetty remarked. His message underscored the exchange’s determination not only to resume trading but to emerge stronger and more reliable in the crypto landscape. The resumption of WazirX’s operations marks a notable recovery from one of the most challenging periods the exchange has faced. The cyberattack in mid-2024 had a profound impact on both the company and its users, but the successful court-approved restructuring and partnership with BitGo suggest a more secure and transparent future.

Cryptocurrency ATMs

16 October 2025 at 07:06

CNN has a great piece about how cryptocurrency ATMs are used to scam people out of their money. The fees are usurious, and they’re a common place for scammers to send victims to buy cryptocurrency for them. The companies behind the ATMs, at best, do not care about the harm they cause; the profits are just too good.
