TheDinarian
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
April 14, 2023

(Dinarian Note: Whenever possible, ALWAYS go directly to the source versus clicking on an email link or Google ad. Note: When searching on Google, the first 3 or 4 results are ads, do NOT use those. Also, ALWAYS double-triple check your pasted wallet address when withdrawing funds and ALWAYS use a VPN and Antivirus-Malware program, especially when you own crypto. Having cold storage is great, but when sending-receiving funds you are vulnerable. Question everything, even if it seems legit.)

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

Rilide is not the first malware SpiderLabs has observed using malicious browser extensions. What sets it apart is its effective and rarely used ability to present forged dialogs that deceive users into revealing their two-factor authentication (2FA) codes, and then to withdraw cryptocurrencies in the background. During our investigation into Rilide’s origins, we uncovered similar browser extensions being advertised for sale. Additionally, we found that part of its source code was recently leaked on an underground forum due to a payment dispute.

Malicious Campaigns Leading to Rilide Stealer Extension

SpiderLabs uncovered two malicious campaigns leading to the installation of the Rilide extension.

Figure 1. Infection Chains Leading to the Execution of the Rilide Extension

Campaign 1: Ekipa RAT Installing Rilide Stealer

One of the Rilide samples identified by Trustwave SpiderLabs was distributed through a malicious Microsoft Publisher file. This file is part of Ekipa RAT, a Remote Access Trojan (RAT), designed for targeted attacks and often sold on underground forums.

We previously described Ekipa RAT in one of our blogs. It is important to note that Microsoft Publisher was not affected by Microsoft's decision to block macros from executing files downloaded from the Internet. As a result, when a user attempted to open a Publisher file, they would receive a warning but could still enable the execution of malicious content by clicking the ‘Enable Macros’ button. On 14 February 2023, Microsoft issued an update that resolved the Publisher security flaw. With the implementation of the ‘Mark of the Web’ feature on the .pub file, users are now left with only one option, ‘Disable Macros,’ which should have been the case all along.

Any association between the threat actors behind Ekipa RAT and those using the Rilide infostealer remains unclear. However, it is probable that Ekipa RAT was tested as a means of distribution for Rilide, before finally switching to Aurora stealer.

Figure 2. Publisher’s macro and Document_Open procedure executing remote Excel Workbook

Three tasks were configured on the C2 server:

  1. Download payload from hxxps://nch-software[.]info/1/2[.]exe to %temp% directory as.txt
  2. Change downloaded file’s extension to .exe
  3. Execute the payload.

File 2.exe is a Rust-based loader, responsible for installing the Rilide extension for Chromium-based browsers.

Campaign 2: Aurora Stealer Abusing Google Ads

Aurora is a Go-based stealer, which was initially spotted being advertised in April 2022 as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums. The malware is designed to target data from multiple web browsers, cryptocurrency wallets, and local systems.

Recently, the threat actors behind Aurora have been observed abusing the Google Ads platform to spread the malware. According to a report published by Cyble, campaigns mimicking legitimate TeamViewer installers have been used to deploy Aurora. As reported by @1ZRR4H and @malwrhunterteam, Aurora was also spread via another campaign that imitated an NVIDIA Drivers installer. A downloaded sample was packed with Themida, a well-known commercial protector for executables. We used the UnpacMe service to unpack the sample.

Figure 3. Aurora campaign imitating the NVIDIA Drivers installer as shown in 1ZRR4H’s Twitter post

Restoring Function Names

The Aurora Stealer sample was stripped of debugging symbols, which makes analysis harder. Go binaries are statically linked, meaning that all the necessary libraries are included in the compiled binary, so the number of potential functions to analyze is large. However, the original function names can be restored from the pclntab structure, as described in CUJOAI Senior Threat Researcher Dorka Palotay’s post. Using the go_func.py script for Ghidra, we were able to restore the function names.

How an Aurora Module Downloaded Rilide Stealer

One of the eight grabbing modules configured in the analyzed sample contained a base64-encoded blob of data storing the URL for the Rilide Rust-based loader. The payload, hosted on Discord CDN, was saved to the %temp% directory with the filename <10-alphanumeric-characters>.exe and executed via the Start-Process PowerShell cmdlet.

Figure 4. Part of Aurora Stealer routine downloading and executing Rilide loader

The Common Link Between Two Campaigns

The Rilide Rust-based loader samples analyzed as part of the Aurora campaign were packed with VMProtect, a commercial packer. After unpacking the samples and analyzing strings contained in the binary, we found multiple references to Windows paths in the C:\Users\ilide\ directory. The same username was observed in the PDB path of the Rilide sample obtained from the Ekipa RAT campaign.

Figure 5. The same username in a path found in Rilide Rust-based loaders samples from both campaigns.

Rilide Stealer Extension Targeting Chromium-Based Browsers

Rilide relies on a Rust loader that installs the extension if a Chromium-based browser is detected. Rilide mimics benign Google Drive extensions and abuses several built-in Chrome functionalities. The loader modifies the LNK shortcut files that open the targeted browsers, so that they are executed with the --load-extension parameter pointing to the dropped malicious Rilide extension.
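Both delivery steps described above leave process-creation traces: PowerShell running Start-Process on a ten-character .exe under %temp%, and a Chromium-based browser started with --load-extension. The hunt below is an added example, not code from SpiderLabs or the original article; the event field names (modelled on process-creation telemetry), the finding labels and the sample events are constructed assumptions.

```python
import re

# Executable names of the Chromium-based browsers the article lists.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# A file named <10 alphanumeric characters>.exe directly inside a Temp directory.
TEMP_DROP_RE = re.compile(r"\\Temp\\([A-Za-z0-9]{10}\.exe)(?![A-Za-z0-9.])", re.IGNORECASE)
START_PROCESS_RE = re.compile(r"\bstart-process\b", re.IGNORECASE)


def split_command_line(command_line):
    """Split a Windows command line on whitespace, honouring double quotes.

    Simplification: backslash-escaped quotes are not interpreted.
    """
    args, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def loaded_extension_paths(event):
    """Extension paths passed via --load-extension to a Chromium-based browser."""
    if basename(event["Image"]) not in CHROMIUM_BROWSERS:
        return []
    paths = []
    for arg in split_command_line(event["CommandLine"]):
        if arg.lower().startswith("--load-extension="):
            # The switch accepts a comma-separated list of unpacked extensions.
            paths.extend(p for p in arg.split("=", 1)[1].split(",") if p)
    return paths


def temp_drop_launched_by_powershell(event):
    """File name if PowerShell runs Start-Process on a 10-character Temp .exe."""
    if basename(event["Image"]) not in POWERSHELL_HOSTS:
        return None
    command_line = event["CommandLine"]
    if not START_PROCESS_RE.search(command_line):
        return None
    match = TEMP_DROP_RE.search(command_line)
    return match.group(1) if match else None


def hunt(events):
    """Return (event index, finding label, detail) tuples for matching events."""
    findings = []
    for index, event in enumerate(events):
        for path in loaded_extension_paths(event):
            findings.append((index, "browser-load-extension", path))
        dropped = temp_drop_launched_by_powershell(event)
        if dropped:
            findings.append((index, "powershell-temp-exe", dropped))
    return findings


# Constructed sample events; none of these values come from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\user\AppData\Local\Temp\ext dir"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--profile-directory=Default'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Start-Process '
                    r'C:\Users\user\AppData\Local\Temp\aB3dE6gH9j.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Start-Process notepad.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Developers also use --load-extension for unpacked extensions, so a hit is a lead to follow up on the reported path, not a verdict.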

Figure 6. Rilide Stealer extension mimicking Google Drive and looking at its manifest revealing the configured permissions

Rilide’s background script attaches a listener to the tabs.onActivated and webRequest.onHeadersReceived events and removes the Content Security Policy (CSP) directive for all requests. This allows the extension to perform an XSS attack and load external resources that would otherwise be blocked by the CSP. The app script adds another listener to the DOMContentLoaded event and retrieves a list of targeted domains from the C2. If the current domain matches any of the listed targets, designated scripts are injected into the webpage.

Figure 7. Configuration list indicating targets such as email services and cryptocurrency exchanges.

Additionally, the background script carries out regular checks on the browsing history and exfiltrates URLs that are matched against the targeted domain list. Moreover, it is capable of capturing and exfiltrating screenshots of the currently active tabs on demand.
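The behaviours described in the two paragraphs above (a response-header hook that drops CSP, history checks, tab screenshots) each depend on specific manifest permissions and API calls, so an unpacked extension directory can be triaged statically. The following is an added example, not SpiderLabs' tooling or code from the article; the finding names, the sample manifest and the elided sample script are constructed, and the permission requirements assume a Manifest V2 extension.

```python
import json
import re

# Host patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

HOOKS_RESPONSE_HEADERS = re.compile(r"webRequest\s*\.\s*onHeadersReceived")
MENTIONS_CSP = re.compile(r"content-security-policy", re.IGNORECASE)
READS_HISTORY = re.compile(r"\bhistory\s*\.\s*search\s*\(")
CAPTURES_TAB = re.compile(r"\bcaptureVisibleTab\s*\(")


def requested_permissions(manifest):
    """Collect every permission string the manifest asks for."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        value = manifest.get(key, [])
        if isinstance(value, list):
            perms.update(p for p in value if isinstance(p, str))
    return perms


def triage_extension(manifest_text, scripts):
    """Return sorted finding names for one unpacked extension.

    manifest_text: contents of manifest.json
    scripts: dict mapping script file name to its source text
    """
    try:
        manifest = json.loads(manifest_text)
    except ValueError:
        return ["manifest-unparseable"]
    if not isinstance(manifest, dict):
        return ["manifest-unparseable"]

    perms = requested_permissions(manifest)
    source = "\n".join(scripts.values())
    broad = bool(perms & BROAD_HOSTS)
    findings = set()

    # Rewriting response headers needs blocking webRequest plus host access;
    # the script must also hook the event and name the CSP header.
    if ({"webRequest", "webRequestBlocking"} <= perms and broad
            and HOOKS_RESPONSE_HEADERS.search(source)
            and MENTIONS_CSP.search(source)):
        findings.add("csp-header-tampering")
    if "history" in perms and READS_HISTORY.search(source):
        findings.add("history-monitoring")
    if (("<all_urls>" in perms or "activeTab" in perms)
            and CAPTURES_TAB.search(source)):
        findings.add("tab-screenshot")
    return sorted(findings)


# Constructed inputs: handler bodies are elided, only the API surface is shown.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Constructed sample",
    "permissions": ["webRequest", "webRequestBlocking", "history", "tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
})
SAMPLE_SCRIPTS = {"background.js": """
chrome.webRequest.onHeadersReceived.addListener(onHeaders,
    {urls: ["<all_urls>"]}, ["blocking", "responseHeaders"]);
function onHeaders(details) { /* body elided; references 'Content-Security-Policy' */ }
chrome.history.search(query, onHistory);
chrome.tabs.captureVisibleTab(onShot);
"""}

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Constructed benign sample",
    "permissions": ["webRequest", "storage", "*://example.com/*"],
})
BENIGN_SCRIPTS = {"background.js": """
chrome.webRequest.onHeadersReceived.addListener(logHeaders,
    {urls: ["*://example.com/*"]});
"""}

if __name__ == "__main__":
    print(triage_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS))
    print(triage_extension(BENIGN_MANIFEST, BENIGN_SCRIPTS))
```

A hit is a triage lead rather than a verdict: developer tools that relax CSP request the same permissions, and minified scripts may hide the API names this relies on.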

Figure 8. Rilide Stealer Execution Flow and Functionalities

Automatic Cryptocurrency Withdrawal

Rilide’s crypto exchange scripts support an automatic withdrawal function. While the withdrawal request is made in the background, the user is presented with a forged device authentication dialog in order to obtain the 2FA code. Email confirmations are also replaced on the fly if the user opens the mailbox in the same web browser. The withdrawal request email is replaced with a device authorization request, tricking the user into providing the authorization code.

Figure 9. Withdrawal Requests replaced with Authorize New Device emails in Gmail mailbox

Figure 10. Content of the original and forged email. The verification code was extracted from the original message body.

We found no substantial variations in the code between the samples dropped by Ekipa RAT and used in the Aurora Stealer campaign. Both campaigns utilized a Rust dropper, and the functionalities of the browser plugins are nearly the same.

Figure 11. Code differences between Rilide Stealer plugin samples, both using the same C2 server

Rilide Stealer Origins

In the course of our research, we have encountered several stealer extensions for sale that advertised capabilities closely resembling those of the Rilide samples. However, we were unable to definitively link any of them to Rilide. One noteworthy finding was a botnet sale advertisement from an underground forum dated March 2022. Although the advertised functionalities matched those of Rilide, the botnet also included additional features such as a reverse proxy and ad clicker. Notably, the botnet's automatic withdrawal function supported the same exchanges observed in the Rilide samples.

Figure 12. Underground forum post advertising sale of botnet with Rilide-like capabilities

On February 27, 2023, a member of the same underground forum posted a link to the source code for the Rilide extension, reportedly due to an unresolved payment dispute. The leaked source closely resembles that used in the Aurora Stealer campaign but did not contain any of the injected scripts observed in the campaign sample.

Figure 13. Underground forum post, dated February 27, 2023, containing a link to part of the Rilide extension source code.

Notably, one feature is implemented here that is missing in the later versions: swapping cryptocurrency wallet addresses in the clipboard. The list of addresses to be replaced is hard-coded in the source code.

Figure 14. Clipboard hijacking routine in the analyzed sample from the aforementioned forum post.

Pivoting on the Command-and-Control domain ashgrrwt[.]click hard coded in the sample, we identified additional Rilide loaders leading us to the GitHub user gulantin.

Figure 15. GitHub repository storing multiple Rilide loader and extension samples

Repositories created by this user contain loaders for the Rilide extension, but they are not Rust-based. The sample in the repository named ‘77’ is a .NET extension loader only for the Chrome browser, unlike the later Rust-based version that works for all Chromium-based browsers. Other loaders found in repositories 19 and 789 are based on Advanced Installer – a legitimate Windows Installer Packaging Tool for MSI installers.

Figure 16. Extension loading routine of the custom .NET loader from gulantin’s repository 77

The address contained in the domain variable that is supposed to store the C2 domain suggests that this version of a loader was still under development when submitted to GitHub.

Figure 17. Part of JavaScript configuration in the Rilide extension hosted on GitHub

Conclusions:

The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose. Disguised as a legitimate Google Drive extension, Rilide provides threat actors with the ability to carry out a wide range of malicious activities, including monitoring browsing history, capturing screenshots, and injecting malicious scripts to steal funds from cryptocurrency exchanges.

While the upcoming enforcement of manifest v3 may make it more challenging for threat actors to operate, it is unlikely to solve the issue entirely as most of the functionalities leveraged by Rilide will still be available.

Informational overload can dull our ability to interpret facts accurately and make us more vulnerable to phishing attempts. It is important to remain vigilant and skeptical when receiving unsolicited emails or messages, and to never assume that any content on the Internet is safe, even if it appears to be.

Ultimately, it is crucial to stay informed and educated about the latest cybersecurity threats and best practices to minimize the risk of falling victim to phishing attacks.

Indicators of Compromise:


Phishing Websites:

Malware     Domain
Aurora      nvidia-graphics[.]top

C2 Servers:

Malware     Domain
Ekipa RAT   nch-software[.]info
Aurora      45[.]15[.]156[.]210
Rilide      vceilinichego[.]ru
Rilide      ashgrrwt[.]click

 

Link

community logo
Join the TheDinarian Community
To read more articles like this, sign up and join my community today
0
What else you may like…
Videos
Podcasts
Posts
Articles
💎 Institutional Adoption 🤖 🚀 Agent 🤝 Agent 💎

Jacob Steeves just described what Bittensor becomes in 3 to 5 years.

Most people are not ready for this answer.

He called it a hive mind.

Not a network. Not a protocol. A self-optimizing intelligence market where agents mine the subnets, agents build the subnets, agents continuously optimise the subnets, and humans become optional in the process.

Read that again.

The system was always designed to eventually strip away the human layer entirely and run as a pure abstract incentive market.

That is not a roadmap item. That is the original vision finally becoming technically possible because of where AI agents are right now.

Here is what makes this different from every other AI crypto narrative.

Bittensor does not just talk about decentralised AI. It repeatedly beats state of the art.

It takes a specific domain, builds a well-defined market for it, aggregates global talent around solving it, and produces results that beat every centralised competitor.

AI detection. Inference at a lower cost than any centralised ...

00:21:13
🚨 SCIENTISTS JUST COMPLETED A KEY PART OF A 100-YEAR-OLD THEORY PROPOSED BY ERWIN SCHRÖDINGER.

For nearly a century, physicists and mathematicians have struggled to fully explain one of the most everyday experiences in human life: Color

Now researchers at Los Alamos National Laboratory say they have finally filled in a major missing piece of Schrödinger’s color theory by uncovering a hidden geometric structure that governs how humans perceive color.

The surprising finding?

Hue, saturation, and lightness are not just cultural or learned concepts. They appear to emerge directly from the underlying mathematics of human color perception itself.

In other words: The way you experience color may be deeply rooted in geometry.

Why this matters:

🔹️ More accurate and efficient display technologies

🔹️ Better imaging and color reproduction systems

🔹️ New insights into human perception and neuroscience

🔹️ A clearer mathematical framework for how information is structured in perception

For over 100 years, one incomplete mathematical element prevented Schrödinger’s vision from being ...

00:00:10
🚨 Ivermectin was only for horses and cows? 🚨

🚨 Remember when the media laughed and told you that Ivermectin was only for horses and cows? They knew it was made for humans since 1987...🚨

This is what they didn't want you to know...

1 – Prevents damage caused by drugs created with mRNA technology, blocks the entry of the Spike Protein into cells and, if the person was vaccinated, can treat the damage already produced through Ivermectin.

2 – It only has beneficial effects and no harmful effects in the treatment of the C virus. In fact, even before entering the cell, it has already destroyed the virus in the blood.

3 – It has a very potent anti-inflammatory action and has a powerful impact on traumatic and orthopedic injuries, strengthens muscles and has no side effects like corticosteroids.

4 – Treats autoimmune diseases such as: rheumatoid arthritis, ankylosing spondylitis, fibromyalgia, psoriasis, Crohn's disease, allergic rhinitis.

5 – Improves immunity levels in cancer patients and treats Simple Herpes and Herpes Zoster, plus reduces the frequency of sinusitis and ...

00:01:42
🚨 Chutes is being framed as a Hyperliquid-style breakout for decentralized AI inference, with live revenue, verified GPU infrastructure, and a direct challenge to centralized cloud AI 🚨

Chutes is gaining attention as a decentralized AI inference platform that claims to combine real usage, cryptographic verification, confidential computing, and open-source infrastructure into a working production system. The thesis is simple: instead of trusting Big Tech clouds with AI workloads, users get a distributed compute layer built around verification and privacy.

🔑 Key points

🔹 Chutes is live in production and reportedly scaled to more than 1,170 active GPU nodes, including large numbers of Nvidia H200s and Blackwell-class hardware.

🔹 The platform says it has processed nearly 38 trillion tokens since launch across 53 deployed applications and more than 700,000 registered users.

🔹 The team reportedly cut unprofitable usage programs, reduced total token volume, and still improved revenue efficiency, with revenue per GPU rising sharply after removing subsidized traffic.

🔹 Chutes is using post-quantum cryptography, trusted execution environments, and Nvidia confidential ...

🚨 Chutes is being framed as a Hyperliquid-style breakout for decentralized AI inference, with live revenue, verified GPU infrastructure, and a direct challenge to centralized cloud AI 🚨
🚨 JPMorgan’s criticism of the CLARITY Act is fueling a fresh power struggle over who gets to write America’s crypto rules 🚨

A new clash is emerging between legacy finance and crypto legislation after JPMorgan CEO Jamie Dimon reportedly warned that the CLARITY Act could let crypto firms offer bank-like products without bank-level oversight. The dispute is quickly turning into a larger fight over regulation, competitiveness, and who controls the future architecture of digital finance in the United States.

🔑 Key points

🔹 Jamie Dimon reportedly called the CLARITY Act a threat to the financial system, arguing it could allow crypto firms to offer yield-like products while avoiding the capital, reserve, and oversight burdens traditional banks face.

🔹 Senator Cynthia Lummis pushed back publicly, framing the issue as a global strategic race and warning that if the U.S. does not set digital asset standards, other powers will.

🔹 The core tension is whether the bill creates legitimate regulatory clarity or simply opens the door to regulatory arbitrage for crypto platforms operating outside the traditional banking...

🚨 JPMorgan’s criticism of the CLARITY Act is fueling a fresh power struggle over who gets to write America’s crypto rules 🚨
👉 Coinbase just launched an AI agent for Crypto Trading

Custom AI assistants that print money in your sleep? 🔜

The future of Crypto x AI is about to go crazy.

👉 Here’s what you need to know:

💠 'Based Agent' enables creation of custom AI agents
💠 Users set up personalized agents in < 3 minutes
💠 Equipped w/ crypto wallet and on-chain functions
💠 Capable of completing trades, swaps, and staking
💠 Integrates with Coinbase’s SDK, OpenAI, & Replit

👉 What this means for the future of Crypto:

1. Open Access: Democratized access to advanced trading
2. Automated Txns: Complex trades + streamlined on-chain activity
3. AI Dominance: Est ~80% of crypto 👉txns done by AI agents by 2025

🚨 I personally wouldn't bet against Brian Armstrong and Jesse Pollak.

👉 Coinbase just launched an AI agent for Crypto Trading
ChatGPT developer OpenAI confidentially files for IPO 🔊
post photo preview
Anyone else find the timing of this a bit late? 🤔

🚨 Bank of America warns it may be time to take profits as markets turn red 🚨

Bank of America is telling investors the recent market setup may favor locking in gains instead of chasing more upside. The note arrives as sentiment softens and risk assets cool off after a strong run.

🔑 Key highlights:

🔹️ Bank of America says the current market environment may be a good time to take profits.

🔹️ The warning comes as markets flash red and risk appetite weakens.

🔹️ Investors are being urged to reassess exposure after a strong rally.

🔹️ The call reflects growing caution around near-term market momentum.

🎯 Bottom Line: Bank of America’s message is simple: with markets turning softer, trimming profits may be the smarter move.

https://finance.yahoo.com/markets/stocks/articles/bofa-warns-time-profits-red-170459030.html

post photo preview

Google $GOOGL and Nvidia $NVDA are considering Intel as a backup chip manufacturer. 🔊 🖥

post photo preview
How USDC Wins the Hyperliquid Deal🤔
 
USDC "wins" the Hyperliquid deal by securing dominant distribution and deeper integration into one of crypto's fastest-growing on-chain perpetuals platforms, in exchange for sharing most of the USDC reserve yield (up to ~90%) back with Hyperliquid.
 
Background on the Deal: Hyperliquid had ~$5–6B in USDC deposits (a huge chunk of total USDC supply, often cited around 7–8%). Previously, the interest/yield on those reserves (~$180–250M annually at prevailing rates) mostly flowed to Circle (issuer) and Coinbase (key partner/treasury handler), with little returning to Hyperliquid.
 
In late 2025, Hyperliquid ran an RFP for a native stablecoin (USDH) to capture that revenue. Native Markets won the community vote, and USDH launched as an "Aligned Quote Asset" (AQA).
 

In May 2026, Native Markets sold USDH brand assets to Coinbase. USDH is being sunsetted over time (with feeless conversions/redemptions to USDC/fiat), and USDC becomes the primary/official Aligned Quote Asset on Hyperliquid. Coinbase acts as the main treasury deployer; Circle handles minting, redemptions, and cross-chain (e.g., CCTP).

 

How USDC Wins: 🔑 Key Advantages

Massive, sticky distribution in a high-growth venue: Hyperliquid is a leading on-chain perp DEX. USDC gains preferred status as the quote asset for most trading pairs, reducing friction vs. bridging/swapping other stables. This concentrates liquidity, improves efficiency, and funnels more capital flows through USDC.

  • Deep on-chain integration: Builds on prior Native USDC + CCTP launches. Coinbase's involvement adds fiat on/off-ramps and institutional trust. USDC was already dominant (~95% of stables on the platform); this formalizes and expands it.
  • Regulatory and brand alignment: Ties USDC to a high-profile, high-volume platform at a time when USDC has gained transaction volume momentum (surpassing USDT in some months post-regulatory clarity like GENIUS). It strengthens USDC's positioning vs. USDT (which dominates on centralized venues like Binance).
  • Longer-term consolidation play: Analysts see this as part of stablecoin market consolidation around established players with liquidity and infrastructure. Fewer conversion layers = better efficiency for USDC.
     

The Trade-Off (and Hyperliquid's Win)Hyperliquid gets ~90% of the reserve yield (estimates: $135–160M+ annually at current balances, potentially scaling to $300–500M with growth), funneled into protocol revenue/HYPE buybacks. This is roughly double what they got from USDH and turns stablecoin balances into a resilient revenue stream (less volatile than trading fees).

For Circle/Coinbase, they give up a big share of yield (analysts estimate $60–80M hit to combined EBITDA) but retain/expand USDC's role as the backbone stable on a major platform. It's a strategic distribution win over building or competing with a new native coin.

 
🎯Bottom Line: USDC trades some margin for premier, high-volume real estate in perpetuals/DeFi trading—the exact use case driving massive on-chain dollar demand. This cements its lead in the evolving stablecoin wars, especially as platforms demand better economics. The deal highlights shifting power dynamics: big platforms now negotiate hard for yield share.

 

   🙏 Donations Accepted, Thank You For Your Support 🙏

If you find value in my content, consider showing your support via:

💳 Stripe:
1) or visit http://thedinarian.locals.com/donate

💳 PayPal: 
2) Simply scan the QR code below 📲 or Click Here

🔗 Crypto Donations Graciously Accepted👇

XRP: r9pid4yrQgs6XSFWhMZ8NkxW3gkydWNyQX
XLM: GDMJF2OCHN3NNNX4T4F6POPBTXK23GTNSNQWUMIVKESTHMQM7XDYAIZT
XDC: xdcc2C02203C4f91375889d7AfADB09E207Edf809A6

 
Read full Article
post photo preview
Handshake Wants to Be the Front Door to Bittensor’s Agent Economy

In this Beanstock interview, Harry Jackson of Subnet 58 (Handshake) lays out a thesis that’s worth understanding even if you never buy a single SN58 alpha token. He also explained where Bittensor’s agentic layer is heading.

We wrote the high-value distillation:

The one-line thesis

Handshake wants to be the front door to the agent economy on Bittensor. The Amazon-like gateway where AI agents discover, pay for, and stack together skills from across all 128 subnets.

Why this matters now
  • There’s a critical distinction Harry emphasized: AI is intelligence, but agents need tooling. An LLM without payment rails, plugins, and workflow infrastructure is “a young person trying to cut a tree down with a pen knife.”
  • Agent-to-agent commerce is on the edge of going viral. Harry’s prediction for the tipping point: a woman in her 40s lets her agent do her shopping end-to-end (research, stock check, autonomous payment), posts it to social media, and it becomes the “four-minute mile” moment everyone copies.
  • Bittensor is uniquely positioned because agents don’t care about marketing or pretty UIs. They only care about best-in-class products and services. That’s exactly what Bittensor’s 128 subnets produce.

The product reality (what’s currently shipping)

  • Handshake is live with paying users generating a few thousand USD in revenue as of today. The business model: 2% of every transaction on the platform.
  • The flywheel is Amazon-like: better skills → more agents arrive → providers get distribution → more skills get added → cycle repeats.
  • The headline product on the way is Axiom. This is an agent that trades subnets while you sleep. Built around the realization that what the Bittensor community wants from agents isn’t generic skills; it’s more TAO. Each “hole” they find in the agent becomes a new tradeable skill on the marketplace.

The investment angles (read these carefully)

  • The moat is data, not distribution. Every workflow run by an agent generates failure data, success data, payment data. No outside competitor can replicate that without running the marketplace itself.
  • The metric Harry tells you to judge them on is revenue. Not agent count. Not user count. Revenue, which is publicly visible on-chain via the front page of their site. He’s basically inviting investors to hold him to it.

  • The pitch for emissions: the biggest TAM in Bittensor is the agent market, and Handshake is the most integrated subnet, meaning if Handshake wins, the subnets it routes to all win too. Bullish on agents + bullish on Bittensor = bullish on Handshake by transitive logic.

Where Harry stands on the Conviction

  • On the conviction upgrade and locked alpha: he’s fine with it. Handshake is a revenue-focused company, so locked alpha isn’t a survival issue. He acknowledges it’ll be harder on research-stage subnets that need to raise external capital, but argues most subnet founders are thinking long-term, not short-term extraction.
  • On the broader vibe: he just got back from Bittensor events in Spain and San Francisco. He observed that the overwhelming reality of the ecosystem is people working hard to build the best products. “It’d be a lot easier in some ways to build a company outside of Bittensor.” The only reason to do it on Bittensor is if you actually want the moonshot.

🚨The State Of Bittensor (TAO)🚨
Greg Schvey | COO at Yuma Group

Last week at the @YumaGroup Summit I had the opportunity to present on The State of Bittensor. That presentation is in the thread below. If you choose to read it, I'd ask that you keep the following three things in mind:

  1. This is just one guy's view of what was the most relevant for a 25-minute talk; a difficult filter for such a dynamic industry.
  2. The slides were designed to supplement a talk; I've done my best to replicate what I recall of the talk in the accompanying X posts.
  3. The topic of the Summit was "The Tipping Point" - a candid assessment of what could lead to Bittensor's breakout success and what evidence we see of that today - which also thematically anchored this presentation.

Let's dive in:

We are in the most important race in human history – the race for intelligence itself. AI has advanced beyond the point of no return. As an example of what I mean: Ramp is a widely used financial services platform for companies. They looked at spending and revenue across their clients since the launch of ChatGPT: Companies who did not spend on AI have had flat revenue for the last three years. The top quartile of AI spenders have grown revenue by more than 100%.

We are already at the point where investing in AI is a matter of survival. But what exactly are we getting for the hundreds of billions being spent? Right now, it’s overwhelmingly going to corporations who have repeatedly shown they don’t have our best interest in mind.

 

 

Claude Opus 4.6, the leading deep thinking model, had a measured hallucination rate of 16% in February. Then, without telling anyone, Anthropic throttled its reasoning – presumably to reduce GPU utilization – and didn’t tell anyone. Hallucinations climbed to 33% - a 98% increase.

They only admitted it after third party benchmarking proved it. And they were still charging everyone at the same price the whole time. Even since my talk last week, they've supposedly been found to be throttling people simply because HERMES.md was in their commits. You may say, "well there are solid open source options..."

 

 

Yes, open source models have gotten very good, but they’re not immune to capture either. Try asking DeepSeek what happened in Tiananmen Square and then let me know if that’s the intelligence you want to trust.

 

 

This needs to be addressed right now or it will be too late. To give you a sense of what I mean, this is a chart of the total annual commits on GitHub. That’s 500% growth since the launch of ChatGPT in 2022. From 200M per year to one billion in 2025. 2026 is on track for **14 billion**. The genie is out of the bottle – there is no going back; we are already at the exponential inflection point.

This reminds me of many years ago: Bitcoin shined a light on how much our rights were impacted when we became dependent on private companies to run our day-to-day lives.

Your right to privacy? That doesn’t extend to your bank account. Your "money" is just a ledger at a private company, available for interrogation and suspension at any time. Bitcoin gave us back the sovereignty of our wealth.

Similarly, we’ve depended on things like privacy of our medical records and attorney client privilege for our entire lives. What do you think is going to happen when a private company’s servers are giving you legal and medical advice? Who are you going to trust for that intelligence? The company that lobotomized its top model? The model constrained by the foreign governments? As I said at the beginning, we’re in the most important race in human history and Bittensor well may be our best shot at winning.

 

 

One of the things about having a different model to produce intelligence is it requires an economic system suited to it. Subnets are the intelligence and economic engines that drive Bittensor’s value. That’s why the Summit was themed around The Tipping Point: understanding how subnets can reach breakout success and what we can do to help.

To summarize Bittensor's intelligence economics: miners create intelligence for which they earn subnet tokens. In many cases they sell those tokens to fund operations, putting downward pressure on token prices and decreasing the incentive to mine (similar to bitcoin). In parallel, if that intelligence is being used to generate real world value, one of the parties who benefits from that value (e.g. the Operator monetizing it, institutions using intelligence commodities to advance their research, etc.) can buy the subnet tokens to keep token prices elevated and sustain the miner incentive.

Investors get to participate in this process, often supporting token prices before the commercial value of intelligence is realized, and/or subsequently holding an asset that parties gaining fundamental value from the intelligence (e.g. Operator or others) will need to purchase at some point in the future if they want to maintain sufficient incentives for the intelligence machine to continue running.

For Bittensor to succeed, this value loop has to work. So, to understand the State of Bittensor, we have to take a look at how that’s going today and what that means for the network overall.

 

 

One of the many unique features of Bittensor is that subnets are native to the protocol. That is not the case on most crypto networks where the true utility lives in smart contracts with no direct tie to network value.

As an example, Polymarket has seen 800% growth in volume this year. Users can bet any arbitrarily large amount of value on Polymarket for a few cents of network fees. There is nothing tying that to the value of the network’s native token, which is down 80% over the same period as Polymarket’s amazing success.

 

 

Conversely, Bittensor subnets are intrinsically linked to $TAO. If you want $1,000 worth of subnet exposure, you first need $1,000 of TAO. We analyzed subnet pool data surrounding the announcement of @tplr_ai's recent training run and normalized across them by indexing them to a starting level of 100.

As shown by the orange line, there was no material change in pool size for non-Templar subnets over the observation period. There was, however, major inflow into Templar’s pool. Given Bittensor’s unique network model, we saw a direct correlation to the change in TAO price over the same period. As value flows into subnets, the whole network benefits. A rising boat lifts the tide, so to speak.

 

 

That can go both ways. When Sam left, we saw something similar in reverse; as value was exfiltrated from the network, it started in Covenant subnets and dragged TAO down with it. You know what else we saw in the data though? For all of the noise about concerns of Bittensor’s future, the other subnet pools were mostly unchanged.

The event was interesting because it reminded me of the early days of bitcoin: people would say Bitcoin was only used by drug dealers on the internet. I'd stare at them aghast because in the same breath they told me that an open, permissionless network was used to reliably move money anywhere in the world in minutes by the most untrustworthy people on the planet and yet they didn't understand how the technical feat required to achieve that would create tremendous value.

The Covenant situation is similar: people were concerned about the operator's exit, rather than realizing the only reason we care is because a ground-breaking technical innovation was achieved. But even bigger than that: Bittensor has 128 subnets currently, each striving to generate value for themselves and, transitively, the network as well.

 

 

And we’re seeing that occur – Templar was not unique in that regard. The same pattern emerged around the Intel publication on @TargonCompute. The non-Targon pools remained largely unchanged. Targon saw heavy inflows. TAO price climbed with it.

Again: rising boats lift the tide. And there are many boats in Bittensor right now.

 

 

We’re seeing major technical innovations at an increasing rate.

Just a few examples from the last couple weeks:

@QuasarModels just announced a custom attention architecture targeting 5M token context windows.
 
@IOTA_SN9 developed a technique that compresses data flowing between distributed GPUs by 128x with little to no loss in training quality, increasing viability of training large AI models across internet-connected machines worldwide.
 
We're seeing the building blocks start to form whereby competitive large generalized models can eventually be built. In the meantime, we're also witnessing more targeted, niche players start to pull ahead in their respective fields.
 
During the presentation, I gave the example of @resilabsai achieving 90% accuracy on their home valuation model, making it the most performant open source model and quickly approaching state of the art. Quite literally as I was explaining this during the talk, @markjeffrey pointed out they had just achieved 98% accuracy.
 
In the time between when I prepared the presentation and actually presented, they went from best open source to at or near state of the art - only further highlighting the unique value of Bittensor's open, competitive intelligence creation cycle.
 
 
And the tech that’s being built on Bittensor is getting real attention from serious players. Again, just a few examples of many: Harvard partnered with @Chutes on research about AI inference efficiency. Valeo – an auto company with $20B in annual revenue – is working with @natix on an AI model for self-driving cars. @zeussubnet, the weather forecasting subnet, is the only party in the world allowed to use data from WeatherXM’s network of global weather sensors for commercial purposes. And there are in fact many subnets already commercializing their intelligence.
 
 
 
Most of us are already aware of Chutes’ seven-figure ARR, but a few other examples:

@LeadpoetAI, which uses their Bittensor subnet to source sales leads, announced earlier this year that they crossed $1M ARR

@Bitcast_network – the content creation platform built on their subnet competition – is already operating profitably

@lium_io – a hardware subnet – has bought more than 4,000 TAO worth of their token
 
Remember the economic model I outlined earlier; we’re seeing real evidence that it’s starting to work across many subnets. Intelligence built on Bittensor, capturing value in the real economy, and bringing it back into the network.
 
Action shot of this slide courtesy of @Tom_dot_b
 
 
That’s why when we look at Bittensor we like to look at Total Network Value (TNV); $TAO market cap is only part of the story in Bittensor.

TNV = market cap of TAO + market cap of subnets – TAO in the pools [so as not to double count]

The actual value of this network is already higher than most people realize. And notably, subnets make up an increasing proportion of TNV – recently crossing 35% - as value continues to flow into the pools.
 
 
 
Interestingly, we recently noticed a change in TNV: In particular, despite all the volatility in TAO, the dramatic subnet issuance curves, etc. - the combined subnet market cap had been remarkably consistent around $750 million for most of the last year, until recently.
 
It’s nearly doubled over the last few months – a clear breakout in the trend. If you were looking for a Tipping Point, it might look something like this...
 
 
 
I hear a lot that that value is relatively concentrated in the largest subnets. And the market cap distribution does indeed reflect that, but that’s not necessarily a bad thing.
 
 
 
This is the market cap distribution of the S&P 500. Many healthy economic systems tend towards Pareto distributions. And so what if some subnets are worth more? As we showed earlier, this is an ecosystem that will win or lose *together*. And we’re seeing that play out every day.
 
 
 
We track announcements of subnets utilizing each other’s infrastructure and intelligence. Just as an example, we identified at least eight subnets who announced that they use Chutes for inference. But we have dozens of similar examples of cross-subnet collaboration across many subnets like
 
What’s notable about this:
 
1. Collaboration seems to be happening at an increasing pace as subnets continue to mature and build out contiguous pipelines of AI infrastructure
 
2. Keeping money circulating within an economy creates a money multiplier. Capital circulating within a single economy without leaving creates economic value for each party it passes through, without having to bring in new capital. That’s uniquely possible here because of the diversity of infrastructure built on Bittensor.
 
This network is not 128 discrete growth drivers; it’s increasingly functioning as an interconnected graph, which has substantially more stickiness and value. And the pace is about to increase dramatically:
 
 
 
We’re starting to see increasing agents operating on Bittensor: subnets mined by agents, subnets operated by agents...
 
Consider the Bittensor value flywheel:
 
- An intelligence goal is established
- Miners compete to achieve the goal
- That produces intelligence
- Intelligence generates value
 
That’s happening today, as we’ve seen earlier in this discussion.
 
As agents get more capable, that flywheel spins faster and faster. Permissionless entry means any agent can compete. Protocol-native economic incentives mean good work gets rewarded. Bittensor is uniquely advantaged for agentic speed over guarded, centralized alternatives with corporate procurement cycles.
 
That also means exploits will be found faster. But, it also means solutions that harden the network against them will be found faster as well.
 
Accordingly, the impact of the network primitives – incentives, accessibility, governance, security, reliability, and all the infrastructure we’re building around the network - have an exponentially larger impact. It is critical that we get these right. The time to nail this is right now. If we don’t, someone else will.
 
 
 
The good news is, for now, Bittensor seems to be in the lead. The 30-day moving average of daily active wallets just crossed a record, approaching 10,000. Up 100% just in the last year.
 
 
 
We’re also seeing subnet ownership increasingly diversify and distribute. The median number of holders of subnet tokens at 2,000 is a 10x increase since the dtao launch a year ago. And at Yuma, we spend a lot of effort and resources to help broaden that access.
 
 
 
Yuma currently partners with 16 custodian and wallet providers to bring Bittensor access to the masses. As an institutional-grade validator, the relationships and service we offer give them the confidence to make TAO staking available to millions of end users.
 
During the Summit, we announced that BitGo’s clients will now have access to subnet token staking through our partnership, making subnet investing available to customers of one of the world’s largest custodians.
 
 
 
We also help people gain access to subnets via investment vehicles. The Yuma Composite Fund gives investors access to a market-cap weighted portfolio of subnets through traditional investment structures. The Yuma Large Cap Fund gives investors concentrated exposure to Bittensor's largest subnets.
 
Our institutional asset management team handles everything from initial subnet token purchases, to portfolio rebalancing, custody, and reporting. The appeal for institutions is obvious, but even for the Bittensor native, it’s an amazingly simple way to get access to a broadly diversified portfolio, rebalanced regularly.
 
Between the breakout performance of subnets, the attractive staking rewards, and benefits of diversification, the Yuma funds have outperformed TAO materially year to date [as of when the presentation was created]. Nearly 3x outperformance relative to TAO.
 
 
 
And last but definitely not least, our subnet accelerator has helped a wide range of companies access Bittensor. We help them acquire subnet slots, design incentives, provide marketing assistance, review pitch decks, make introductions to other investors, etc. At Yuma we deeply believe in the power of subnets and have helped many of the network's leading intelligence providers start and succeed.
 
 
 
Disclaimer: For informational purposes only.  Nothing herein should be construed as financial, investment, legal, or tax advice.  This material does not constitute an offer to sell or a solicitation of an offer to buy any securities or tokens.  Investing in digital assets involves significant risk, including the potential loss of principal.  Subnet tokens do not represent equity or ownership interests in any entity.  Performance comparisons and index references are illustrative only and not indicative of future results.  Charts and indices are based on methodologies and assumptions that may change and may not reflect actual market conditions or liquidity.
 
