CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Cryptohack Roundup: US Sanctions Hit Sinaloa Cartel Networks

Data Breach Today Archived May 28, 2026 ✓ Full text saved

Also: UK Sanctions HTX-Linked Entity This week, the U.S. sanctioned Sinaloa Cartel-linked networks, the U.K. sanctioned a HTX-linked entity, Syndicate Labs shuttered, Missouri sued CoinFlip, Verus attacker took a bounty deal, StablR was exploited and malicious packages targeted crypto developer systems.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime Cryptohack Roundup: US Sanctions Hit Sinaloa Cartel Networks Also: UK Sanctions HTX-Linked Entity Rashmi Ramesh (rashmiramesh_) • May 28, 2026     Credit Eligible Get Permission Image: Shutterstock Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, the U.S. sanctioned Sinaloa Cartel-linked networks, the U.K. sanctioned a HTX-linked entity, Syndicate Labs shuttered, Missouri sued CoinFlip, Verus attacker took a bounty deal, StablR was exploited and malicious packages targeted crypto developer systems. See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation US Sanctions Crypto Laundering Networks Linked to Sinaloa Cartel The U.S. Department of the Treasury sanctioned more than a dozen people and entities tied to two money laundering and drug trafficking networks connected to the Sinaloa Cartel. U.S. authorities said one of the groups converted proceeds from fentanyl trafficking into cryptocurrency for the cartel. Treasury identified Armando de Jesus Ojeda Aviles as the leader of a laundering network that handled proceeds from fentanyl and other narcotics sales. The agency also named Jesus González Penuelas as the head of a separate trafficking and laundering operation. The laundering network worked with Los Chapitos, a faction of the Sinaloa Cartel led by sons of imprisoned former cartel leader Joaquin Guzman Loera, aka "El Chapo." Investigators said the group collected cash in the United States, converted the money into cryptocurrency and transferred funds back to cartel leaders in Mexico. The sanctions freeze any U.S.-based assets linked to those designated and prohibit U.S. citizens and companies from conducting transactions with them. Any business owned at least 50% by sanctioned individuals is also blocked under the measures. UK Sanctions HTX-Linked Entity Over Russia Ties The United Kingdom imposed sanctions on Huobi Global, stating the company supported the Russian government by providing financial services connected to a business operating in a strategically important Russian sector. The U.K. government said it has "reasonable grounds" to suspect Huobi Global of supporting Russia through dealings involving A7 Limited Liability Company, the company behind the A7A5 token, a stablecoin that's a mainstay of Russian sanctions evasion (see: Grinex Collapse Won't Dent Russian Sanctions Busting). The sanctions also targeted Garantex Europe OU as part of a broader crackdown on organizations accused of helping Russia evade international sanctions. Huobi Global has since rebranded to HTX. A company spokesperson told The Block that the sanctioned entity is legally distinct from the exchange's current operations. HTX has previously faced regulatory scrutiny. Earlier this year, the Financial Conduct Authority launched legal proceedings against the exchange over alleged unlawful financial promotions on social media platforms and its website. Syndicate Labs Shuts Down as Rollup Market Contracts Ethereum infrastructure company Syndicate Labs said it will shut down after five years, citing a sharp decline in demand for its rollup technology. The company said the market has shifted toward customized blockchain networks built from scratch, leaving little demand for its existing framework. Syndicate said that the decision was unrelated to a recent exploit involving its cross-chain bridge in which attackers stole about 18.5 million SYND tokens worth roughly $330,000. The company said affected users were fully reimbursed using treasury reserves. Missouri Sues CoinFlip Over Crypto ATM Fraud Claims Missouri Attorney General Catherine Hanaway sued CoinFlip operator GPD Holdings, alleging the company enabled fraudulent cryptocurrency transactions through its ATM network while charging high fees to users. The lawsuit, filed in Jasper County Circuit Court, claims Missouri residents reported about 350 crypto ATM-related fraud cases over the past two years. State officials said losses linked to CoinFlip and similar kiosks could total millions of dollars. The state is seeking restitution, civil penalties of up to $1.826 million and a court order blocking the company from operating in Missouri. Hanaway described crypto ATMs as "getaway cars for fraud," saying that scammers use the machines to quickly move stolen funds. The complaint said fraud victims are often instructed to deposit cash into cryptocurrency kiosks and transfer the digital assets to wallets controlled by scammers. The filing says older adults on fixed incomes are especially vulnerable to these schemes. Founded in 2015, CoinFlip operates more than 140 cryptocurrency kiosks across Missouri in locations such as convenience stores, gas stations and vape shops. The lawsuit alleges the company charged transaction fees as high as 21.9%, including on transactions later linked to fraud. Verus Attacker Returns $8.5M After Bounty Deal An attacker behind the recent exploit of the Verus network returned 4,052.4 ETH worth about $8.5 million after the project offered a negotiated settlement. Blockchain security firm PeckShield said the returned funds account for 75% of the assets stolen from the Verus-ethereum bridge. The attacker kept 1,350 ETH, valued at roughly $2.8 million, as part of a bounty arrangement proposed by Verus core contributors. According to on chain data, the remaining funds were moved to a new wallet. The Verus team earlier offered the attacker a deal: return 4,052.4 ETH within 24 hours and the community would stop investigations, avoid legal action and publicly recognize the retained 1,350 ETH as a bounty payment. The exploit occurred on May 18, when attackers compromised the Verus-ethereum bridge and stole ETH, USDC and tBTC from the ethereum contract. Security platform Blockaid estimated losses at $11.58 million. PeckShield said the attacker drained 103.6 tBTC, 1,625 ETH and 147,000 USDC before swapping the assets for about 5,402 ETH (see: Verus Bridge Exploit Drains More Than $11M). StablR Stablecoins Lose Peg After $13.5M Exploit Stablecoins issued by StablR lost their pegs after attackers gained control of the company's minting system and created millions of dollars in unauthorized tokens before selling them on decentralized exchanges. Blockchain investigator ZachXBT first flagged the incident, estimating losses of around $10 million involving the EURR and USDR stablecoins. Security firm Blockaid later said the attackers compromised a private key tied to StablR's minting multisig wallet, which required only one of three signatures for approval. Blockaid said attackers added themselves as administrators, removed existing owners and minted 8.35 million USDR and 4.5 million EURR, worth about $13.5 million. They swapped roughly $10.4 million of the tokens for ETH on decentralized exchanges. Due to limited liquidity, initial profits were estimated at about $2.8 million, though later wallet activity suggested gains rose above $3 million. The attackers used administrative controls to blacklist and burn tokens held by counterparties, including roughly 2.7 million EURR from a wallet handling routine redemptions. StablR acknowledged the exploit and said it was working to contain the incident. Malicious Packages Target Crypto Developer Systems Researchers at Socket Security uncovered more than 34 malicious software packages spread across the npm, PyPI and Crates.io registries in a campaign targeting cryptocurrency developers working with ecosystems such as Aptos, Sui and Solana. The campaign, called TrapDoor, involved more than 384 package versions and included fake developer tools such as sui-framework-helpers, move-analyzer-build, crypto-credential-scanner and defi-risk-scanner. Socket Security said the malware was designed to steal sensitive data from developer systems, including SSH keys, crypto wallet files, AWS credentials, GitHub tokens and browser login information. The malicious packages executed automatically through common developer workflows, npm packages used post-install scripts, Python packages triggered on import and Rust packages relied on build scripts. Socket said attackers named the packages to resemble legitimate development and security tools commonly used in crypto, decentralized finance, artificial intelligence and cloud development environments. Although the campaign involved a relatively small number of packages, researchers described it as high impact because it targeted machines likely to store financial and authentication credentials.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗