News
22 Apr 2026, 12:20
Lazarus Group has become especially dangerous with new Mach-O Man attack: CertiK

North Korea's Lazarus Group has a new attack vector that allows it to exploit an apparently routine business call as a gateway into a target's systems.
22 Apr 2026, 12:16
XRP Price Prediction as $1.90 Target Emerges and Altcoin Volume Dominance Tops 51% on Binance

XRP Squeezes Below Resistance as Breakout Pressure Builds Toward $1.90

XRP is starting to break out of its prolonged compression phase, with market structure quietly shifting toward a cautious bullish bias. According to analyst Zenith Zoro, a confirmed close above $1.55 could open the door to a move toward $1.90. The shift in price action signals more than just a bounce, it points to XRP moving out of a defensive posture and into the early stages of a bullish trend.

XRP continues to defend the $1.30 support zone, a level that has repeatedly absorbed selling pressure and stabilized price action through recent volatility. Trading at $1.45, according to CoinCodex, the market isn’t showing signs of weakness, it’s tightening. Price is compressing within a narrow range, with steady accumulation and fading downside momentum. This kind of structure typically signals a market building energy beneath the surface, often preceding a decisive expansion move rather than a breakdown.

Strengthening the bullish case, XRP has pushed back above its $1.41 realized price, a key on-chain benchmark often linked to trend confirmation. Historically, reclaiming this level has signaled the start of sustained upside moves. With momentum building, some analysts now see a path toward $2.24, provided buyers continue to defend current support and maintain control of the trend.

XRP Compression Tightens as Altcoin Liquidity Surges to 51%

Beyond XRP, the broader market backdrop is clearly turning. According to analyst Xaif Crypto, altcoin volume dominance on Binance has jumped to 51% from just 31% in early March, a sharp rotation that signals capital is steadily flowing back into altcoins. While Bitcoin remains stuck in sideways chop, this shift suggests traders are quietly repositioning for higher-risk, higher-reward opportunities across the altcoin market.

The central question is whether XRP is carving out a true base or merely stalling before another fake-out. Sentiment is improving and price action is tightening, setting up a pivotal moment where the next few sessions could define whether this evolves into a sustained breakout or slips back into another range. If rising demand aligns with renewed capital flowing into altcoins, XRP could shift from quiet consolidation into a more decisive trend. Therefore, the bullish case hinges on holding the $1.30 support. A breakdown below that level would undermine the structure and pull price back into uncertainty. For now, XRP sits at a critical inflection point, caught between accumulation and distribution, as the market waits to see whether this compression resolves into expansion or stalls into sideways drift.
22 Apr 2026, 12:15
WTI Price Forecast: Resilient Recovery Seeks to Conquer Critical 20-Day EMA

In a notable display of resilience, the benchmark West Texas Intermediate (WTI) crude oil futures contract staged a significant intraday recovery during the early March 2025 trading session. After initially shedding value, the commodity found strong buying interest, striving decisively to return above its technically crucial 20-day Exponential Moving Average (EMA). This price action underscores the ongoing tug-of-war between bullish and bearish forces in the global energy complex, set against a backdrop of shifting supply dynamics and persistent geopolitical tensions.

WTI Price Forecast: Technical Battle at the 20-Day EMA

The 20-day Exponential Moving Average represents a vital short-term sentiment gauge for traders and analysts. Consequently, a sustained break above this level often signals strengthening bullish momentum, while failure can indicate continued near-term pressure. The recent recovery attempt follows a period of consolidation, where prices tested lower support levels. Market participants are now closely monitoring whether this rebound possesses the volume and conviction needed for a confirmed breakout.

Technical indicators provide a mixed but evolving picture. For instance, the Relative Strength Index (RSI), a key momentum oscillator, has moved away from oversold territory. Furthermore, trading volume patterns during the recovery phase will be critical for validation. Several key technical levels now define the immediate WTI price forecast:

Resistance: The 20-day EMA, followed by the recent swing high near $82.50 per barrel.
Support: The session’s intraday low, aligned with the 50-day Simple Moving Average around $78.00.
Key Zone: The $80.00 psychological level remains a focal point for market sentiment.

Fundamental Drivers Behind Crude Oil’s Volatility

The technical struggle mirrors a complex fundamental landscape. Firstly, the Organization of the Petroleum Exporting Countries and allies (OPEC+) has maintained its production discipline into 2025. However, market concerns linger regarding potential compliance slippage and increased output from non-OPEC producers. Secondly, global inventory data, particularly from the U.S. Energy Information Administration (EIA), continues to show unpredictable weekly draws and builds, injecting volatility.

Moreover, demand-side factors exert significant influence. Economic data from major consumers like China, the United States, and the European Union directly impacts the WTI price forecast. Recent manufacturing PMI figures and central bank policy statements regarding inflation and growth are carefully scrutinized. Additionally, the gradual energy transition affects long-term demand projections, even as short-term consumption remains robust in key sectors.

Geopolitical Risk Premiums and Supply Chain Factors

Geopolitical tensions in key oil-producing regions consistently embed a risk premium into crude prices. Any escalation in conflict or disruption to maritime transit chokepoints can trigger rapid price spikes. Conversely, diplomatic progress or a perceived reduction in supply risks can quickly erase that premium. Simultaneously, logistical factors, including refinery maintenance schedules and pipeline capacity, create regional price disparities that influence the broader WTI benchmark.

The U.S. strategic petroleum reserve (SPR) policy also remains a market factor. Government statements about replenishment or potential releases are monitored for their impact on domestic supply. Furthermore, the relative strength of the U.S. dollar, as oil is priced in dollars globally, creates an inverse relationship; a stronger dollar makes oil more expensive for holders of other currencies, potentially dampening demand.

Comparative Analysis: WTI vs. Other Global Benchmarks

WTI’s performance does not occur in isolation. Its price action is frequently compared to other major benchmarks like Brent Crude and Dubai/Oman. The spread between WTI and Brent, for example, reflects differences in regional supply-demand balances, quality, and transportation costs. Recently, this spread has remained within a historically narrow range, indicating a relatively balanced Atlantic Basin market.

Benchmark | Key Trading Hub | Recent Price (approx.) | Primary Driver
WTI Cushing | Cushing, Oklahoma, USA | $80.50/bbl | US inventory, pipeline flows
Brent Dated | North Sea | $84.00/bbl | Global supply, geopolitical risk
Dubai Crude | Middle East | $83.20/bbl | Asian demand, OPEC+ policy

Expert Market Sentiment and Trader Positioning

According to weekly Commitments of Traders (COT) reports published by the Commodity Futures Trading Commission (CFTC), managed money positions—often representing hedge funds and other large speculators—have shown a cautious but not bearish stance. A reduction in net-long positions preceded the recent dip, but the data does not yet show a massive build in net-short bets. This positioning suggests a market that is waiting for a clearer fundamental or technical catalyst before committing to a sustained directional trend.

Investment bank analysts have issued a range of WTI price forecasts for 2025, with year-end targets generally clustered between $75 and $90 per barrel. Their models weigh variables like expected GDP growth, OPEC+ behavior, and non-OPEC supply growth. The consensus view highlights balanced risks, with potential upside linked to unexpected supply outages and downside linked to a sharper-than-expected global economic slowdown.

Conclusion

The immediate WTI price forecast hinges on the commodity’s ability to secure a daily close above the 20-day EMA. While the early March 2025 recovery is a positive technical development, it requires confirmation. The broader trajectory will ultimately be dictated by the interplay of disciplined OPEC+ supply management, the health of the global economy, and unforeseen geopolitical events. Market participants should prepare for continued volatility, using key moving averages like the 20-day EMA as important, but not sole, indicators of near-term trend direction.

FAQs

Q1: What does the 20-day EMA represent in oil trading?
The 20-day Exponential Moving Average (EMA) is a technical indicator that smooths out price data over the last 20 days, giving more weight to recent prices. It acts as a dynamic support or resistance level, helping traders identify the short-term trend direction and potential reversal points for WTI crude oil.

Q2: Why did WTI crude oil prices fall initially in this session?
Initial losses can be attributed to a combination of factors, including a stronger U.S. dollar, which makes oil more expensive for foreign buyers, bearish weekly inventory data from a private industry report, or profit-taking following a prior rally. The specific catalyst often emerges from real-time news flow.

Q3: How do geopolitical events affect the WTI price forecast?
Geopolitical tensions in major oil-producing regions (like the Middle East) or along critical shipping routes (like the Strait of Hormuz) create a “risk premium.” This premium is an additional amount added to the oil price due to fears of potential supply disruptions, causing prices to rise on escalation and fall on de-escalation.

Q4: What is the difference between WTI and Brent crude oil?
WTI (West Texas Intermediate) is a lighter, sweeter crude oil primarily produced in the U.S. and priced at the Cushing, Oklahoma hub. Brent is a blend from North Sea fields and serves as the global benchmark. The price difference, or spread, reflects transportation costs, quality differentials, and regional supply-demand balances.

Q5: Where can I find reliable data for my own WTI price analysis?
Key sources include the U.S. Energy Information Administration (EIA) for official inventory and production data, the Commodity Futures Trading Commission (CFTC) for trader positioning reports, and trading platforms for real-time price charts and technical indicators. Major financial news outlets also provide analysis and context.

This post WTI Price Forecast: Resilient Recovery Seeks to Conquer Critical 20-Day EMA first appeared on BitcoinWorld.
22 Apr 2026, 12:15
Volo Protocol suffers $3.5 mln exploit in April’s third crypto hacking incident

The Volo Protocol was exploited for $3.5 million in a major security breach.
22 Apr 2026, 12:14
North Korea’s Lazarus Group launches new malware kit targeting macOS users in crypto, fintech

Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. They have resulted in huge losses for the crypto world, especially those based in the United States. This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO , the $285 million theft from Drift, and $235 million from WazirX. North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Mach-O Man, as it is called, is designed to go against crypto companies, fintech organizations, and key execs using Macs for financial transactions. The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks. North Korea’s hackers go after Mac users As reported, this attack leverages the trust employees have placed in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has made everyday collaboration into an avenue for system-level attacks. The first step is a carefully crafted social engineering lure through Telegram. This lures the victim – developers, executives, and decision makers in the fintech and crypto space – into an urgent meeting invite by a compromised colleague’s account. Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem. In doing so, the victim can circumvent macOS security mechanisms, such as Gatekeeper, since the attack originates from the victim themselves. 
Upon execution, the code installs a binary named teamsSDK.bin. The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic. Mach-O man malware installation on fake apps. Source: AnyRun After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation. In contrast to other techniques that involve complex exploits, this one does not. This makes it very effective on valuable targets who could be managing several simultaneous calls while copying commands without verifying them. Inside the Mach-O Man malware The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999. The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.” Macrasv2, the last payload responsible for stealing data from the system, collects information from browser login details and cookies found in SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped up and sent out via the Telegram bot API, whose token was exposed on the surface. Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. 
They have resulted in huge losses for the crypto world, especially those based in the United States. This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO , the $285 million theft from Drift, and $235 million from WazirX. North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Mach-O Man, as it is called, is designed to go against crypto companies, fintech organizations, and key execs using Macs for financial transactions. The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks. North Korea’s hackers go after Mac users As reported, this attack leverages the trust employees have placed in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has made everyday collaboration into an avenue for system-level attacks. The first step is a carefully crafted social engineering lure through Telegram. This lures the victim – developers, executives, and decision makers in the fintech and crypto space – into an urgent meeting invite by a compromised colleague’s account. Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem. In doing so, the victim can circumvent macOS security mechanisms, such as Gatekeeper, since the attack originates from the victim themselves. Upon execution, the code installs a binary named teamsSDK.bin. The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. 
It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic. Mach-O man malware installation on fake apps. Source: AnyRun After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation. In contrast to other techniques that involve complex exploits, this one does not. This makes it very effective on valuable targets who could be managing several simultaneous calls while copying commands without verifying them. Inside the Mach-O Man malware The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999. The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.” Macrasv2, the last payload responsible for stealing data from the system, collects information from browser login details and cookies found in SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped up and sent out via the Telegram bot API, whose token was exposed on the surface. Lazarus Group’s devastating legacy in crypto and US tech The launch of “Mach-O Man” is in line with Lazarus Group’s long-term efforts to carry out cyberattacks for financial gain. They have resulted in huge losses for the crypto world, especially those based in the United States. 
This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO , the $285 million theft from Drift, and $235 million from WazirX. The crypto card with no spending limits. Get 3% cashback and instant mobile payments. Claim your Ether.fi card.
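The LaunchAgent persistence described in this article is something a defender can audit for. The following is an added example, not code from the article or from any vendor report: it checks LaunchAgent plists against the names the article reports (com.onedrive.launcher.plist, minst2.bin, teamsSDK.bin, Macrasv2) and against "OneDrive"/"Antivirus" naming. The trusted-prefix allowlist, the sample plists and every path in them are assumptions constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Indicators named in the article; everything else here is an assumption.
REPORTED_PLIST = "com.onedrive.launcher.plist"
REPORTED_BINARIES = {"teamssdk.bin", "minst2.bin", "macrasv2"}
LURE_WORDS = ("onedrive", "antivirus")
# Assumption: label prefixes this fleet treats as genuine; tune per environment.
TRUSTED_PREFIXES = ("com.microsoft.",)

def audit_launch_agent(filename, raw):
    """Return the reasons a LaunchAgent plist deserves a closer look."""
    try:
        agent = plistlib.loads(raw)
    except Exception:  # plistlib raises several types on malformed input
        agent = None
    if not isinstance(agent, dict):
        return ["unparseable plist"]
    label = str(agent.get("Label", ""))
    args = agent.get("ProgramArguments")
    if not isinstance(args, list) or not args:
        args = [agent.get("Program", "")]
    program = PurePosixPath(str(args[0]))
    reasons = []
    if filename.lower() == REPORTED_PLIST:
        reasons.append("filename matches the reported persistence plist")
    if program.name.lower() in REPORTED_BINARIES:
        reasons.append(f"runs reported binary {program.name}")
    names = f"{filename} {label}".lower()
    if any(w in names for w in LURE_WORDS) and not label.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("OneDrive/Antivirus naming outside trusted label prefixes")
    if reasons and agent.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it starts at every login")
    return reasons

def scan(plists):
    """Map filename -> reasons for every plist that raised at least one."""
    hits = {name: audit_launch_agent(name, raw) for name, raw in plists.items()}
    return {name: why for name, why in hits.items() if why}

# Constructed samples (not from a real host); all paths are placeholders.
SAMPLES = {
    "com.onedrive.launcher.plist": plistlib.dumps({
        "Label": "com.onedrive.launcher", "RunAtLoad": True,
        "ProgramArguments": ["/Users/example/placeholder/minst2.bin"]}),
    "com.microsoft.example-helper.plist": plistlib.dumps({
        "Label": "com.microsoft.example-onedrive-helper", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]}),
    "org.example.backup.plist": plistlib.dumps({
        "Label": "org.example.backup", "Program": "/usr/local/bin/backup"}),
}
```

A label prefix is chosen by whoever writes the plist, so the allowlist only reduces noise. Since the article says the stager applies an ad hoc signature, follow up any hit by inspecting the signature of the referenced program with `codesign -dv`.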
22 Apr 2026, 12:13
Can the $100K PIERVERSE Binance competition spark recovery?

PIERVERSE (PIER) has seen sharp volatility over the past few days, transitioning from a strong rally into a correction before stabilising in a recovery range. The price swings followed market reaction to earlier speculation and the launch of a new trading competition. The token initially surged from $0.429 to a peak of $1.49, before reversing sharply. It has since stabilised around $0.9311, indicating a partial recovery after the pullback, though volatility remains elevated.

Sharp rally followed by aggressive correction

The first major move in PIERVERSE came when the token climbed rapidly from $0.429 to $1.49. The rally unfolded in a short timeframe and was driven by intense speculative inflows and its listing on Upbit, one of the largest cryptocurrency exchanges in South Korea. That listing triggered a significant repricing phase, culminating in an all-time high of $1.49 on April 20, 2026. However, the move was short-lived. Once the price reached its peak, selling pressure increased sharply, leading to a near-full retracement of the advance. PIERVERSE dropped back toward the $0.69 region, effectively erasing most of the rally gains in a single corrective phase. This type of price action is typically seen when early buyers and short-term traders exit positions after a fast upward move, especially in markets where liquidity is concentrated around event-driven speculation rather than steady accumulation. Despite the steep correction, the token did not continue lower for long. Bulls gradually returned to the market, helping stabilise the price near the $0.90 region, where it currently trades around $0.926.

$100K trading competition adds a second wave of activity

Binance Wallet has launched the Pieverse Protocol Trading Competition on Binance Alpha, and during the promotion periods, users can trade PIEVERSE in their Binance Wallet (Keyless) or via Binance Alpha to receive exclusive token rewards. Since the competition began, trading volume has remained elevated, with daily activity exceeding $115 million at press time. This level of turnover reflects strong participation from traders responding to incentives rather than passive holding behaviour. The competition has helped prevent a deeper decline after the correction, instead pushing the market into a tighter consolidation range between approximately $0.86 and $0.98. While it has not created a new breakout, it has clearly increased liquidity and reduced downward pressure in the short term.

Market behaviour shows ongoing consolidation after volatility

The current price structure suggests that PIERVERSE is still working through a post-expansion stabilisation phase. After moving from $0.429 to $1.49, and then correcting sharply, the market is now attempting to form a temporary base above the $0.90 level. Trading activity remains elevated, but direction remains uncertain. Although the $100K competition has helped maintain liquidity, it has not been enough to establish a sustained upward trend. The market is also being influenced by broader crypto conditions, particularly Bitcoin’s performance, which continues to affect liquidity flows into altcoins. In periods of Bitcoin strength, altcoins like PIERVERSE typically experience improved short-term momentum, while weakness tends to expose fragile support levels.

PIERVERSE price forecast

The key level to watch in the short term is $0.8630. This zone acts as the immediate support boundary for the current consolidation structure. As long as PIERVERSE holds above this level, the market may continue to stabilise and attempt a rebound. If support holds, the next upside targets are $0.99 and $1.08. A move through these levels would indicate improving short-term momentum and could allow the price to test $1.28, which remains a strong resistance area based on prior selling pressure. On the downside, a clean breakdown below $0.8630 would shift focus toward $0.8456, which represents the next liquidity area where buyers may attempt to step in again. Continued weakness below that level would suggest that the post-rally correction phase is extending further.

The post Can the $100K PIERVERSE Binance competition spark recovery? appeared first on Invezz













































