{
	"id": "476d6677-8f2d-4f5e-979c-61d3725ee672",
	"created_at": "2026-04-06T00:19:39.71423Z",
	"updated_at": "2026-04-10T03:24:29.674597Z",
	"deleted_at": null,
	"sha1_hash": "aa21e703e3e3e09a9e73779afab9f52ebb728632",
	"title": "Hacker Breaches Syscoin GitHub Account and Poisons Official Client",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1044085,
	"plain_text": "Hacker Breaches Syscoin GitHub Account and Poisons Official Client\r\nBy Catalin Cimpanu\r\nPublished: 2018-06-15 · Archived: 2026-04-05 14:19:15 UTC\r\nA hacker gained access to the GitHub account of the Syscoin cryptocurrency and replaced the official Windows client with a version containing malware.\r\nThe poisoned Syscoin Windows client contained Arkei Stealer, a malware strain specialized in dumping and stealing passwords and wallet private keys. This malware is also detected as Trojan:Win32/Feury.B!cl.\r\nSyscoin developers are now warning Syscoin users who downloaded version 3.0.4.1 of the Syscoin client between June 09th, 2018 10:14 PM UTC and June 13th, 2018 10:23 PM UTC that their systems might be infected with malware.\r\nThe affected files are (version number included in the file name is 3.0.4, but they install version 3.0.4.1):\r\nsyscoincore-3.0.4-win32-setup.exe\r\nsyscoincore-3.0.4-win64-setup.exe\r\nOnly Syscoin Windows client affected\r\nHackers only tampered with the Windows client and no other files available in the v3.0.4.1 release, which also included Mac and Linux clients, along with the adjacent source code.\r\nThe Syscoin clients are installed on an operating system and allow users to run a Syscoin node, which they can use to mine new Syscoin cryptocurrency or manage Syscoin funds.\r\nThe incident came to light yesterday when the Syscoin team received a warning from users that Windows Defender SmartScreen was marking downloads of the Syscoin Windows client as malicious.\r\nWhat users need to do\r\nAfter a thorough investigation of the report, the Syscoin team discovered that a hacker compromised one of its developers' GitHub accounts, and took actions to remove the malicious files and warn users.\r\nAll Windows users should identify their installation date:\r\nRight-click on syscoin-qt.exe in C:\\Users[USERNAME]\\AppData\\Roaming\\SyscoinCore or view in detailed list mode and make a note of the modified date.\r\nOR go to Settings-\u003eApps and make a note of the installation date.\r\nIf the modified/installation date is between June 9th, 2018, and June 13th, 2018, take the following precautions:\r\nBackup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.\r\nRun an up-to-date virus scanner on your system to remove the threat.\r\nPasswords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.\r\nFunds in unencrypted wallets or wallets that had been unlocked during the infection period should be moved to a newly generated wallet on a secure computer.\r\nUsers who downloaded the Syscoin client during the above-mentioned interval but did not install it are advised to delete it and redownload a clean version.\r\nWhile there are online guides with instructions on how to remove this particular malware strain, it's probably a better idea if users wiped and reinstalled the entire OS, just to be on the safe side.\r\nThe Syscoin team also announced that all of its developers with access to its GitHub account would be forced to use two-factor authentication (2FA) and perform routine (file signature) checks of the files offered for download to detect similar incidents where hackers replace files in the future.\r\nSource: https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/"
	],
	"report_names": [
		"hacker-breaches-syscoin-github-account-and-poisons-official-client"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa21e703e3e3e09a9e73779afab9f52ebb728632.pdf",
		"text": "https://archive.orkl.eu/aa21e703e3e3e09a9e73779afab9f52ebb728632.txt",
		"img": "https://archive.orkl.eu/aa21e703e3e3e09a9e73779afab9f52ebb728632.jpg"
	}
}