Caio César

So, let me get this straight. The $280m Drift hack took six months of: - Attending crypto conferences. - Meeting the team in person. Multiple times. - Depositing $1M of their own capital to build trust. - Sharing a GitHub link. The biggest DeFi exploit of the year started at a networking event with complimentary drinks.

i've been hacked and traced the malware's wallet to see how much money they actually made from this new exploit (if you use Next.js/React, READ THIS!) I woke up to a terrifying email from Hetzner: "Netscan Detected." my server was blocked and a botnet was using my IP to attack others i dug into the logs and what I found the anatomy of the attack: 1) The Symptoms: I logged into htop and saw the mess: - CPU usage: 361% - A process named ./3ZU1yLK4 running wild - Random connections to an IP in the Netherlands my server wasn't serving my app anymore; it was mining crypto for someone else! 2) The Culprit: It wasn't a random SSH brute force. It was inside my Next.js container the malware was sophisticated it renamed itself nginxs and apaches to look like web servers it even had a "killer" script that hunted down other hackers' miners to kill the competition 3) The "Root" Cause (literally): Probably the recent React/Next.js CVE-2025-66478 exploit was the entry point (my project was running on "next": "15.5.4", behind cloudflare dns, but their recent fix didn't work apparently) but the fatal error was mine: my Docker container was running as ROOT Coolify deploys like this automatically when using Nixpacks, and I never changed it... so because of USER root, the malware could install cron, systemd, and persistence scripts to survive reboots meaning, it was able to infect my whole server, from a single Next.js docker! 4) The Forensics: I ran docker diff on the container - the hacker didn't just run a script, they installed a whole toolset.. - /tmp/apaches.sh (The installer) - /var/spool/cron/root (The persistence) - /c.json (The wallet config) 5) The Fix: I killed the container, scrubbed the host, and extracted the malware for analysis. but the real fix is in the Dockerfile. if you are deploying Node/Next.js, DO NOT use the default (root), you must: - RUN adduser --system nextjs - USER nextjs if you have Docker on ROOT and didn't update the exploited react version, you'll be hacked soon check your containers NOW. Run: docker exec <container_id> id (or get the full list first: docker stats --no-stream) If it says uid=0(root), you are one vulnerability away from being a crypto-miner host. (it's easy to notice when hacked, it will be a command running on the top CPU%, using all your hardware resources) 6) The Money: I dug deeper and recovered the config file (c.json) - Wallet: A Monero (XMR) address: 831abXJn8dBdVe5nZ*** - Pool: auto.c3pool . org and ofc i tracked the hacker’s wallet on the mining pool 7) The Scale: My server wasn't alone. It was just 1 of 415 active zombies in this botnet they are burning the CPU of 400+ cloud servers... to earn... guess how many millions? $4.26/day on the image attached you can see: "Total Paid: 0.00", meaning this campaign just started. I caught them on Day 1. i also tracked back the server where they hosted the malware, and by inspecting the code, I found several comments in Chinese, so I guess that's their origin im rebuilding from scratch on a fresh VPS. the lesson was expensive, but at least I caught it before the hosting nuked my account permanently... PS: I have the IP for all the other machines mining with that malware, not sure how I can help them, but feel free to contact me if ur doing infosec stay safe

Today, we released our full post-mortem on the recent exploit. I encourage everyone to read it to understand what happened, how we responded, and our path forward. This is not the end. We remain fully dedicated to our recovery efforts and are exploring every avenue to restore value to affected users. User safety has always been our highest priority, and we're taking every lesson from this incident to build stronger safeguards. More details will follow as we progress. Thank you for your patience and trust during this time! 🙏🏼

⚠️ Banco Central enquadra operações com criptomoedas no mercado de câmbio e deixa o IOF no radar da Receita Federal. Com a inclusão de quatro tipos de operações no mercado de câmbio (confira no próximo card), o diretor de Regulação disse que a Receita Federal vai definir como ficará a cobrança do IOF. O Banco Central incluiu no mercado de câmbio as seguintes operações com cripto: 1 - Pagamentos e transferências internacionais com cripto. 2 - Transferências ligadas ao uso internacional de cartões de cripto. 3 - Transferências entre exchanges e carteiras próprias (autocustódia). 4 - Compra, venda ou troca de criptos atreladas a moedas fiduciárias. O passo seguinte depende da Receita Federal, que vai definir como será a cobrança do IOF.

De acordo com a Resolução BCB nº 520/2025, as exchanges estrangeiras que atuam no Brasil terão até 270 dias, contados a partir de 2 de fevereiro de 2026, para transferir suas operações e clientes para uma empresa sediada no país e autorizada a funcionar pelo Banco Central. Com isso, todas as corretoras que funcionarem no Brasil também terão que reportar à Receita Federal.

Other: Q: Total supply and initial circulating supply? A: Total supply: 1,000,000,000 tokens. Initial circulating supply: 480,000,000 tokens. Q: Total supply of Liquidity Distributor NFTs? A: 10% of total supply. Q: Is there a minimum number of points to be eligible under the LP stimulus plan allocation? A: Yes, you will need at least 100k points to be eligible. Q: If my wallet is compromised, is there a way that I can change my address to receive my airdrop? A: If your wallet is compromised, you have the option to report your wallet and forfeit all MET allocations tied to the wallet on https://t.co/JgXQ9e6tc8. There is no option to submit a new address.