TheDinarian
News • Business • Investing & Finance
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
thedinarian
April 14, 2023
post photo preview

(Dinarian Note: Whenever possible, ALWAYS go directly to the source versus clicking on an email link or google ad. Note: When searching on Google, the first 3 or 4 results are ads, do NOT use those. Also, ALWAYS double-triple check your pasted wallet address when withdrawing funds and ALWAYS use a VPN and Antivirus-Malware program, especially when you own crypto. Having cold storage is great, but when sending-recieving funds you are vunerable. Question everything, even if it seems legit.)

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

Rilide is not the first malware SpiderLabs has observed using malicious browser extensions. Where this malware differs is it has the effective and rarely used ability to utilize forged dialogs to deceive users into revealing their two-factor authentication (2FA) and then withdraw cryptocurrencies in the background. During our investigation into Rilide’s origins, we uncovered similar browser extensions being advertised for sale. Additionally, we found that part of its source code was recently leaked on an underground forum due to a payment dispute.

Malicious Campaigns Leading to Rilide Stealer Extension

SpiderLabs uncovered two malicious campaigns leading to the installation of the Rilide extension.

Figure 1. Infection Chains Leading to the Execution of the Rilide Extension

Campaign 1: Ekipa RAT Installing Rilide Stealer

One of the Rilide samples identified by Trustwave SpiderLabs was distributed through a malicious Microsoft Publisher file. This file is part of Ekipa RAT, a Remote Access Trojan (RAT), designed for targeted attacks and often sold on underground forums.

We previously described Ekipa RAT in one of our blogs. It is important to note that Microsoft Publisher was not affected by Microsoft's decision to block macros from executing files downloaded from the Internet. As a result, when a user attempted to open a Publisher file, they would receive a warning but could still enable the execution of malicious content by clicking the ‘Enable Macros’ button. On 14 February 2023, Microsoft issued an update that resolved the Publisher security flaw. With the implementation of the ‘Mark of the Web’ feature on the .pub file, users are now left with only one option, ‘Disable Macros,’ which should have been the case all along.

Any association between the threat actors behind Ekipa RAT and those using the Rilide infostealer remains unclear. However, it is probable that Ekipa RAT was tested as a means of distribution for Rilide, before finally switching to Aurora stealer.

Figure 2. Publisher’s macro and Document_Open procedure executing remote Excel Workbook

Three tasks were configured on the C2 server:

  1. Download payload from hxxps://nch-software[.]info/1/2[.]exe to %temp% directory as.txt
  2. Change downloaded file’s extension to .exe
  3. Execute the payload.

File 2.exe is a Rust-based loader, responsible for installing the Rilide extension for Chromium-based browsers.

Campaign 2: Aurora Stealer Abusing Google Ads

Aurora is a Go-based stealer, which was initially spotted being advertised in April 2022 as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums. The malware is designed to target data from multiple web browsers, cryptocurrency wallets, and local systems.

Recently, the threat actors behind Aurora have been observed abusing the Google Ads platform to spread the malware. According to a report published by Cyble, campaigns mimicking legitimate Team Viewer installers have been utilized to deploy Aurora. As reported by @1ZRR4H and @malwrhunterteam, Aurora was also spread via another campaign that imitated an NVIDIA Drivers installer. A downloaded sample was packed with Themida, a well-known commercial protector for executables. We used the UnpacMe service to unpack the sample.

Figure 3. Aurora campaign imitating the NVIDIA Drivers installer as shown in 1ZRR4H’s Twitter post

Restoring Function Names

The Aurora Stealer sample was stripped of debugging symbols, thus making the analysis harder. Since Go binaries are statically linked, which means that all the necessary libraries are included in the compiled binary, the number of potential functions to analyze is large. However, the original function names can be restored from the pclntab structure, as described in the CUJOAI Senior Threat Researcher Dorka Palotay’s post. Using the go_func.py script for Ghidra we were able to restore the functions names.

How an Aurora Module Downloaded Rilide Stealer

One of the eight grabbing modules, configured in the analyzed sample, contained a base64 encoded blob of data storing the URL for the Rilide Rust-based loader. The payload, hosted on Discord CDN, was saved to the %temp% directory with filename <10-alpahnumeric-characters>.exe and executed via start-process PowerShell cmdlet.

Figure 4. Part of Aurora Stealer routine downloading and executing Rilide loader

The Common Link Between Two Campaigns

The Rilide Rust-based loader samples analyzed as part of the Aurora campaign were packed with a VMProtect commercial packer. After unpacking the samples and analyzing strings contained in the binary, we found multiple references to Windows paths in the C:\Users\ilide\ directory. The same username was observed in the PDB Path of the Rilide sample obtained from the Ekipa RAT campaign.

Figure 5. The same username in a path found in Rilide Rust-based loaders samples from both campaigns.

Rilide Stealer Extension Targeting Chromium-Based Browsers

Rilide leverages a Rust loader used to install the extension if a Chromium-based browser is detected. Rilide mimics benign Google Drive Extensions and abuses several built-in chrome functionalities. The loader modifies LNK shortcut files opening targeted browsers, so that they are executed with parameter --load-extension pointing to the dropped malicious Rilide extension.

Figure 6. Rilide Stealer extension mimicking Google Drive and looking at its manifest revealing the configured permissions

Rilide’s background script attaches a listener to the tabs.onActivated and webRequest.onHeadersReceived events and removes the Content Security Policy (CSP) directive for all requests. This allows the extension to perform an XSS attack and load external resources that would otherwise be blocked by the CSP. The app script adds another listener to the DOMContentLoaded event and retrieves a list of targeted domains from the C2. If the current domain matches any of the listed targets, designated scripts are injected into the webpage.

Figure 7. Configuration list indicating targets such as email services and cryptocurrency exchanges.

Additionally, the background script carries out regular checks on the browsing history and exfiltrates URLs that are matched against the targeted domain list. Moreover, it is capable of capturing and exfiltrating screenshots of the currently active tabs on demand.

Figure 8. Rilide Stealer Execution Flow and Functionalities

Automatic Cryptocurrency Withdrawal

Rilide’s crypto exchange scripts support automatic withdrawal function. While the withdrawal request is made in the background, the user is presented with forged device authentication dialog in order to obtain 2FA. Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser. The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.

Figure 9. Withdrawal Requests replaced with Authorize New Device emails in Gmail mailbox

Figure 10. Content of the original and forged email. The verification code was extracted from the original message body.

We found no substantial variations in the code between the samples dropped by Ekipa RAT and used in the Aurora Stealer campaign. Both campaigns utilized a Rust dropper, and the functionalities of the browser plugins are nearly the same.

Figure 11. Code differences between Rilide Stealer plugin samples, both using the same C2 server

Rilide Stealer Origins

In the course of our research, we have encountered several stealer extensions for sale that advertised capabilities closely resembling those of the Rilide samples. However, we were unable to definitively link any of them to Rilide. One noteworthy finding was a botnet sale advertisement from an underground forum dated March 2022. Although the advertised functionalities matched those of Rilide, the botnet also included additional features such as a reverse proxy and ad clicker. Notably, the botnet's automatic withdrawal function supported the same exchanges observed in the Rilide samples.

Figure 12. Underground forum post advertising sale of botnet with Rilide-like capabilities

On February 27, 2023, a member of the same underground forum posted a link to the source code for the Rilide extension, reportedly due to an unresolved payment dispute. The leaked source closely resembles that used in the Aurora Stealer campaign but did not contain any of the injected scripts observed in the campaign sample.

Figure 13. Underground forum post, dated February 27, 2023, containing a link to part of the Rilide extension source code.

Notably there is one feature implemented that is missing in the later versions - swapping cryptocurrency wallet addresses in the clipboard. The list of addresses to be replaced is hard coded in the source code.

Figure 14. Clipboard hijacking routine in the analyzed sample from the forementioned forum post.

Pivoting on the Command-and-Control domain ashgrrwt[.]click hard coded in the sample, we identified additional Rilide loaders leading us to the GitHub user gulantin.

Figure 15. Github repository storing multiple Rilide loader and extension samples

Repositories created by this user contain loaders for the Rilide extension, but they are not Rust-based. The sample in the repository named ‘77’ is a .NET extension loader only for the Chrome browser, unlike the later Rust-based version that works for all Chromium-based browsers. Other loaders found in repositories 19 and 789 are based on Advanced Installer – a legitimate Windows Installer Packaging Tool for MSI installers.

Figure 16. Extension loading routine of the custom .NET loader from gulantin’s repository 77

The address contained in the domain variable that is supposed to store the C2 domain suggests that this version of a loader was still under development when submitted to GitHub.

Figure 17. Part of JavaScript configuration in the Rilide extension hosted on GitHub

Conclusions:

The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose. Disguised as a legitimate Google Drive extension, Rilide provides threat actors with the ability to carry out a wide range of malicious activities, including monitoring browsing history, capturing screenshots, and injecting malicious scripts to steal funds from cryptocurrency exchanges.

While the upcoming enforcement of manifest v3 may make it more challenging for threat actors to operate, it is unlikely to solve the issue entirely as most of the functionalities leveraged by Rilide will still be available.

Informational overload can dull our ability to interpret facts accurately and make us more vulnerable to phishing attempts. It is important to remain vigilant and skeptical when receiving unsolicited emails or messages, and to never assume that any content on the Internet is safe, even if it appears to be.

Ultimately, it is crucial to stay informed and educated about the latest cybersecurity threats and best practices to minimize the risk of falling victim to phishing attacks.

Indicators of Compromise:

Publisher File:

File name

Hash Type

Hash

Tes7777.pub

SHA256

0e31ff6406b03982581246b7dd60f3b96edcf0bd007b31766954df001fd68f69

SHA1

e049f56198c23d86e9083142bfe80042e21d4b8e

MD5

558104b26ccadec3d3eb2925113387a6


Aurora Stealer:

File name

Hash Type

Hash

PackageLauncher.exe

SHA256

e623984143e0dc6e35c79869ab1521c6714e588e8e648606496f8372ca0d8416

SHA1

b1c100d5a99ae34ccb3654c7b7f8573376a44fd9

MD5

c28a180de1f80c8c98d0904e64142bef

-

SHA256

ebd72806abd354f3162eec0991d127f993a5dde1a0c719b47087c9ee0edefeaf

SHA1

abaaa2644b1e84e8b39119988dd711572377c839

MD5

1baaeedd1a26edf4fa79ded370e3d19a

 

Rilide Loader:

File name

Hash Type

Hash

2.exe

SHA256

0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f

SHA1

b4b918a5898463dad1c7d823e0b3f828bac15aad

MD5

0a4f321c903a7fbc59566918c12aca09

waBp.exe

SHA256

8342b134cddeaf34ce05bafa9e860dacf6cd01b85fd00147d90a350516c055e5

SHA1

25f3fb6d2dab206a5e9b2c0ef26ec6d6a56c5767

MD5

561797d7e5cf956e33735180d93be5b6

 

Rilide Extension:

File name

Hash Type

Hash

background.js

SHA256

4cc83be0fa496855d244050616ee2e86b044a9bc87bc5ca70b305986c1ba3bb8

SHA1

70167e7e5d71fba7d92796324b488c0fb9727712

MD5

766d020e902b6470d0510e5c6cfcd6e8

background.js

SHA256

55251c725e9f6f51b8db7a631b54dd85b1b59d644c3219e03ceffb0c49cd00a4

SHA1

a39d252e7927ae1adf518e6a3dd08f37e7ee7c26

MD5

d9cca3dd5bdaeb0466d52821b584602b

background.js

SHA256

1b01c3e554700e1282c7fdd2dcb54314516ee1f0c5eef3560cdbabc1ba776293

SHA1

ffebf78a9692293a23f9a477ea8a79f7f6ef5aa2

MD5

9e5f43b2dc1606e27fa0cfdfb4e363d2

app.js

SHA256

a28c623d120a76dcfeef9504eaeefabac9d33f292576ccf012fa458b8d7bc6ef

SHA1

a46586bfe22f4d84cd9174238740af275bf50c69

MD5

740606987f4d588c89d0a5b68648e31e

app.js

SHA256

8989f4244667626728c6c0083422ff714cb622c92c35a53f9cb1e9891f4528ff

SHA1

5012e783b2ee29cb40b04a10d1a40d0bfda683d9

MD5

1c54dd00bc7cc52b60ad4a46e2fb3a77

vpn.js

SHA256

170a13a7a8757336babe857804fa24b6cb20aaa9593b32546d7151f23095a510

SHA1

eafdc35b233600ef552b87e684faa3ab3396eae9

MD5

d54fa225b07298ec34be872cd4ebf4ae

manifest.json

SHA256

bb57a504e0b821552344cecb3da9ecdd0d61817264617a4917d6f5e64a1df7e5

SHA1

0cb1d9c2a3c8b776ef1e3ec1316fbf595ced7863

MD5

baee9ba0b94ea1e2b2e566fc8a615554

manifest.json

SHA256

d70e933e10e667ae7ef6e68a625c447be8aabe9b29affdad999c969bd8769003

SHA1

84db08e3dcbe40c7cbc998a77788f7303d4a2905

MD5

99dc4073f2fe91f48fd16bc65e7dcbc2

binance.js

SHA256

c8939f8d6237fcc17d486981a800b1e7e9974377de21d7e76677babe8ed536af

SHA1

f689396c73055e99a06e002c39e3a74d3d402607

MD5

2cc204564b68c5a98b1ff68d861b66c5

bitget.js

SHA256

2e310391d77022bcc708c354140319718777ca35efdfb76d6c80cb9de8c8091e

SHA1

05536aa80f8280ddc31be5c0ac3ca995f2190a0a

MD5

646b9404a29febe9f3741797b79e300c

blockchain.js

SHA256

4bbb0584eed0c082b5c43d3f259f37cf1a0b64eabb485e85090951a6566d98d4

SHA1

28ae2440c56350f65b607e4e99b67a2632db873b

MD5

253f4319673673d2bf5285558a6903df

bybit.js

SHA256

9dca66f52f31dca921fb238bd36bfc1b1a59d3e4af7b071da9bc4c6bf294e402

SHA1

61acdad59223a9eb0b392ccd085db1e49700d65

MD5

50e363409ba77b20fb6f0bce4eff7b1

coinbase.js

SHA256

4df0f18a7e05518bbe93758e751f1f462fef212cdc786c7217d50ddbda14efb5

SHA1

39f546a4ec94e63e603e3c2481fecab2b5e8a475

MD5

c1f40584e4ac391d97218ce137a63fb3

ftx.js

SHA256

ef20c929f5204b223b6e53dc406ea0bcd76d9e98c9ae4942037902883d4bb22a

SHA1

0ead1d32ce6b15c4a90373fce58d1554035cd40f

MD5

ebce63fdc8ef245f117f06ada3ba0f6d

huobi.js

SHA256

e1ad66cc0244fc075e0aabe0fd19502d4c9617829b90aa210e74be1d915275d2

SHA1

2449e4b27d778f6a4ffc00bb7b73926ac2c54e8a

MD5

4abe60d2c3506f4767e163d135f89f92

kraken.js

SHA256

a7f0fdfdfdf1ef65799fd2114bf5c1e133a8b7635b498b334553fbb64b218a05

SHA1

ec6de82efa93e59da148f4d696efcfca851e051e

MD5

b85c5659e946b5d7ad78410356288928

okx.js

SHA256

68278b40b59b1b0db2f814d2d864f0b9c2b4285f5795d22cabf60715f922989c

SHA1

415d790b54ca8e374f37fdbb00090110b823ba18

MD5

ff4e2df1a46d49862ab2a0af830a007e

gmail.js

SHA256

2f947644c7752ba014eae7971b247be60249a6088923c66ffe9886a7f5c5fe1c

SHA1

add0d61399c8c47f8ac73dc83cc83dfa31cddeca

MD5

c0e120778853f0a4865e006a07cd728a

 

Phishing Websites:

Malware

Domain

Aurora

nvidia-graphics[.]top

 

C2 Servers:

Malware

Domain

Ekipa RAT

nch-software[.]info

Aurora

45[.]15[.]156[.]210

Rilide

vceilinichego[.]ru

Rilide

ashgrrwt[.]click

 

Wallet Addresses:

Cryptocurrency

Address

BTC

bc1qkczacyp5jq29s5kaphth4asu8cv2y4u4gdgj7q

BTC

bc1qsjg8dqx6ga30h6szjd8dv2wg50ch50qrey4t7j

BTC

1KqequymujeNJuyB4gH7oJSFTB3En3Hf5n

ETH

0xDBc1330056E2F5e2FB11FB3C96dE2c44B313eA8d

LTC

LRYpzmnqBVozkbzJhTWndzYDPfjmNPyaLv

XRP

rUPTadzFN6LS662Z2d2AvNyqU1xwg2japJ

TRON

THiD8hFLiEyULVKLp3DSbBXQSbR3MQxm4X

DOGE

D5asYfjtbTtFmFkrEwqVgbJKYv9YT7Tgjh

Link

community logo
Join the TheDinarian Community
To read more articles like this, sign up and join my community today
0
What else you may like…
Videos
Podcasts
Posts
Articles
thedinarian@thedinarian
December 01, 2025
🚨 “WHAT HAPPENED IN CRYPTO TODAY” – COINTELEGRAPH’S DAILY WRAP 🚨

Cointelegraph’s live-blog snapshot (edition: 27 Nov 2025) packs the market-moving headlines, on-chain sparks and policy sound-bites that ricocheted through crypto in 24 hrs – from a surprise Basel stablecoin concession to a record open-interest print on BTC futures.

🔑 Key Headlines

🔹️ Basel Boost: BCBS officially dropped the punitive 1 250 % risk-weight for bank-held stablecoins (Tether, USDC) and replaced it with a tiered 20 %–100 % framework – unleashing a 2.4 B intraday rally in stablecoin issuer tokens and bank-centric DeFi plays.

🔹️ BTC Open Interest Record: Aggregate perpetual & futures OI hit 53.8 B (Deribit + CME + Binance) – 7 % above April peak – as whales added 1.1 B long exposure ahead of Friday’s 0-DTE expiry; funding flipped +18 % annualised.

🔹️ Nasdaq Tokenized Equities Live: Nasdaq’s ATS-Clearing hybrid went live with 3 private-company tokens; first trade executed 4.3 M face value in T+0 settlement, marking the first regulated U.S. exchange to custody & ...

00:00:06
Reply
thedinarian@thedinarian
November 30, 2025
🚨The Greatest HEIST ever to happen on American soil and then the world🚨

The Greatest HEIST ever to happen on American soil and then the world. CENTRAL BANKING. THE FEDERAL RESERVE. Not Federal. No Reserves. A gigantic Ponzi Scheme of fraud, debt and slavery.

We cannot be truly free until THE FEDERAL RESERVE IS ERADICATED.

That’s EXACTLY what’s coming… 1000% HAPPENING!

00:01:56
Reply
thedinarian@thedinarian
November 30, 2025
It Comes Over Night🤯

StabilityAI Founder Emad Mostaque: Billionaires are building bunkers because they know AI unemployment will cause social collapse. He argues, the job losses start next year and nobody knows where they end. "it comes over night". Is there anyone left who denies the impact on labor market and society?

00:00:55
Reply
thedinarian@thedinarian
October 31, 2024
👉 Coinbase just launched an AI agent for Crypto Trading

Custom AI assistants that print money in your sleep? 🔜

The future of Crypto x AI is about to go crazy.

👉 Here’s what you need to know:

💠 'Based Agent' enables creation of custom AI agents
💠 Users set up personalized agents in < 3 minutes
💠 Equipped w/ crypto wallet and on-chain functions
💠 Capable of completing trades, swaps, and staking
💠 Integrates with Coinbase’s SDK, OpenAI, & Replit

👉 What this means for the future of Crypto:

1. Open Access: Democratized access to advanced trading
2. Automated Txns: Complex trades + streamlined on-chain activity
3. AI Dominance: Est ~80% of crypto 👉txns done by AI agents by 2025

🚨 I personally wouldn't bet against Brian Armstrong and Jesse Pollak.

👉 Coinbase just launched an AI agent for Crypto Trading
Reply
thedinarian@thedinarian
9 hours ago

BREAKING 🚨: U.S. Banks

Fed Reserve just pumped $13.5 Billion into the U.S. Banking System through overnight repos 🤯 This is the 2nd largest liquidity injection since Covid and surpasses even the peak of the Dot Com Bubble 👀 Probably Fine, carry on

post photo preview
Reply
thedinarian@thedinarian
14 hours ago
Via Jungle Inc

🚨 Something strange is happening on the XRP Ledger.

We’re seeing huge bursts of AccountSet transactions: thousands of new wallets initialized at once, multi-sig flags being set, key rotations, and entire wallet clusters spinning up in rapid waves.

This isn’t normal user activity.
It looks like infrastructure being prepared:
•segregated accounts
•institutional sub-accounts
•automated wallet-creation scripts
•new custodial vault structures
•compliance-driven account setups

This is the kind of on-chain footprint you see when a major exchange is preparing new products.

My hypothesis:
With Robinhood completing its $200M purchase of Bitstamp, one of the only EU/UK licensed exchanges, these transaction patterns look like they’re quietly laying the foundation for a Robinhood x Bitstamp derivatives exchange.

Futures. Options. Leverage.

Something big is being wired up behind the scenes.

https://x.com/jungleincxrp/status/1995255364288397516

Reply
thedinarian@thedinarian
14 hours ago

🇺🇸 U.S. SEC to review tokenization rules with Coinbase, BlackRock, Galaxy Digital, and Robinhood joining the discussion.

post photo preview
post photo preview
post photo preview
post photo preview
Reply
thedinarian@thedinarian
November 30, 2025
post photo preview
XDC Network's acquisition of Contour Network

XDC Network's acquisition of Contour Network marks a silent shift to connect the digital trade infrastructure to real-time, tokenized settlement rails.

In a world where cross-border payments still take days and trap trillions in idle liquidity, integrating Contour’s trade workflows with XDC Network Blockchains' ISO 20022 financial messaging standard to bridge TradFi and Web3 in Trade Finance.

The Current State of Cross-Border Trade Settlements

Cross-border payments remain one of the most inefficient parts of global finance. For decades, companies have inter-dependency with banks and their correspondent banks across the world, forcing them to maintain trillions of dollars in pre-funded nostro and vostro balances — the capital that sits idle while transactions crawl across borders.

Traditional settlement is slow, often 1–5 days, and often with ~2-3% in FX and conversion fees. For every hour a corporation can’t access its own cash increases the cost of financing, tightens liquidity that could be used for other purposes, which in turn slows economic activity.

Before SWIFT, payments were fully manual. Intermediary banks maintained ledgers, and reconciliation across multiple institutions limited speed and volume.

SWIFT reshaped global payments by introducing a secure, standardized messaging infrastructure through ISO 20022 - which quickly became the language of money for 11,000+ institutions in 200 countries.

But SWIFT only fixed the messaging — not the movement. Actual value still moves through slow, capital-intensive correspondent chains.

Regulated and Compliant Stablecoin such as USDC (Circle) solves the part SWIFT never could: instant, on-chain settlement.

Stablecoin Settlement revamping Trade and Tokenization

Stablecoin such as USDC is a digital token pegged to the US Dollar, still the most widely used currency for trade, enabling the movement of funds instantly 24*7 globally - transparently, instantly, and without the need for any intermediaries and the need to lock in trillions of dollars of idle cash.

Tokenized settlement replaces multi-day reconciliation with on-chain finality, reducing:

  • Dependency on intermediaries
  • Operational friction
  • Trillions locked in idle liquidity

For corporates trapped in long working capital cycles, this is transformative.

Digital dollars like USDC make the process simple:

Fiat → Stablecoin → On-Chain Transfer → Fiat

This hybrid model is already widely used across remittances, payouts, and treasury flows.

But one critical piece of global commerce is still lagging:

👉 Trade finance.

The Missing link is still Trade Finance Infrastructure.

While payments innovation has raced ahead, trade finance infrastructure hasn’t kept up. Document flows, letters of credit, and supply-chain financing remain siloed, paper-heavy, and operationally outdated.

This is exactly where the next breakthrough will happen - and why the recent XDC Network acquisition of Contour is a silent revolution.

It transforms to a new era of trade-driven liquidity through an end-to-end digital trade from shipping docs to payment confirmation – one infrastructure that powers all.

The breakthrough won’t come from payments alone — it will come from connecting trade finance to real-time settlement rails.

The XDC + Contour Shift: A Silent Revolution

  • Contour already connects global banks and corporates through digital LCs and digitized trade workflows.
  • XDC Blockchain brings a settlement layer built for speed, tokenization, and institutional-grade interoperability and ISO 20022 messaging compatibility

Contour’s digital letter of credit workflows will be integrated with XDC’s blockchain network to streamline trade documentation and settlement.

Together, they form the first end-to-end digital trade finance network linking:

Documentation → Validation → Settlement all under a single infrastructure.

XDC Ventures (XVC.TECH) is launching a Stable-Coin Lab to work with financial institutions on regulated stablecoin pilots for trade to deepen institutional trade-finance integration through launch of pilots with banks and corporates for regulated stable-coin issuance and settlement.

The Bottom Line

Payments alone won’t transform Global Trade Finance — Trade finance + Tokenized Settlement will.

This is the shift happening underway XDC Network's acquisition of Contour is the quiet catalyst.

Learn how trade finance is being revolutionised:

https://www.reuters.com/press-releases/xdc-ventures-acquires-contour-network-launches-stablecoin-lab-trade-finance-2025-10-22/

Source

🙏 Donations Accepted, Thank You For Your Support 🙏

If you find value in my content, consider showing your support via:

💳 Stripe:
1) or visit http://thedinarian.locals.com/donate

💳 PayPal
2) Simply scan the QR code below 📲 or Click Here

🔗 Crypto Donations Graciously Accepted👇
XRP: r9pid4yrQgs6XSFWhMZ8NkxW3gkydWNyQX
XLM: GDMJF2OCHN3NNNX4T4F6POPBTXK23GTNSNQWUMIVKESTHMQM7XDYAIZT
XDC: xdcc2C02203C4f91375889d7AfADB09E207Edf809A6

 

Read full Article
Reply
thedinarian@thedinarian
November 30, 2025
post photo preview
Inside The Deal That Made Polymarket’s Founder One Of The Youngest Billionaires On Earth🌍

One year ago, the FBI raided Polymarket founder Shayne Coplan’s apartment. Now, the college dropout is a billionaire at age 27.

In July, Jeffrey Sprecher, the 70-year-old billionaire CEO of Intercontinental Exchange, the parent company of the New York Stock Exchange, sat at Manhatta, an upscale restaurant in the financial district overlooking the sprawling New York City skyline from the 60th floor. As a sommelier weaved through tables pouring wine, in walked Shayne Coplan—in a T-shirt and jeans, clutching a plastic water bottle and a paper bag with a bagel he’d picked up en route. Sprecher chuckles as he recalls his first impression of the boyish, eccentric entrepreneur: “An old bald guy that works at the New York Stock Exchange, where we require that you wear a suit and tie, next to a mop-headed guy in a T-shirt that's 27.” But Sprecher was fascinated by Polymarket, Coplan’s blockchain-based prediction market, and after dinner, he made his move: “I asked Shayne if he would consider selling us his company.”

Prediction markets like Polymarket let thousands of ordinary people bet on future events—the unemployment rate, say, or when BitCoin will hit an all-time high. In aggregate, prediction market bets have proven to be something of a crystal ball with the wisdom of the crowd often proving itself more prescient than expert opinion. For instance, Polymarket punters predicted that Trump would prevail in the 2024 presidential election, when many national pundits were sure that Kamala Harris would win.

Coplan initially turned down Sprecher’s buyout offer. But discussions led to negotiations and eventually a deal. In October, Intercontinental announced it had invested $2 billion for an up to 25% stake in the company, bringing the young solo founder the balance he was looking for. “We're consumer, we’re viral, we're culture. They’re finance, they’re headless and they’re infrastructure,” Coplan tells Forbes in a recent interview.

At the same time, Coplan announced investments from other billionaires including Figma’s Dylan Field, Zynga’s Mark Pincus, Uber’s Travis Kalanick and hedge fund manager Glenn Dubin. A longtime Red Hot Chili Peppers fan, Coplan even convinced lead singer Anthony Kiedis to invest after a mutual acquaintance brought the musician to Coplan’s apartment one day. “He's buzzing my door, and I’m like, ‘holy shit,'” Coplan recalls, his bright blue eyes widening. “I love their music. A lot of the inspiration [for my work] comes from the music that I listen to.”

Thanks to the deals, Polymarket’s valuation quickly shot to $9 billion, making the 2025 Under 30 alum the world’s youngest self-made billionaire, with an estimated 11% stake worth $1 billion. His reign was short: twenty days later, he was overtaken as the youngest by the three 22-year-old founders of AI startup Mercor.

Young entrepreneurs are minting ten-figure fortunes faster than ever. In addition to the Mercor trio and Coplan, 15 other Under 30 alumni—including ScaleAI cofounder Lucy Guo, Reddit’s Steve Huffman and Cursor’s cofounders—became billionaires this year, while Guo’s cofounder Alexandr Wang and Robinhood’s Vlad Tenev (both former Under 30 honorees) regained their billionaire status after having fallen out of the ranks.

The budding billionaire has long been fascinated by markets and tech. When he was just 14, Coplan emailed the regional Securities and Exchange Commission office to ask how to create new marketplaces. “I did not get a response, but it’s a really funny email,” he says, grinning playfully as he thinks of his younger self. “It just shows that this stuff takes over a decade of percolating in your mind.”

Two years later, Coplan showed up at the offices of internet startup Genius uninvited after multiple emails of his asking for an internship went ignored. At age 16—at least a decade younger than anyone in that office—he secured his first job after making a memorable impression with his “wild curls” and “encyclopedic knowledge of billionaire tech entrepreneurs.” “If he chooses to become a tech entrepreneur, which seems likely, I have no doubt that we’ll be seeing his name again in the press before long,” Chris Glazek, his manager at the time, wrote in Coplan’s college recommendation letter.

Coplan went on to study computer science at NYU, but dropped out in 2017 to work on various crypto projects that never took off. In 2020, he founded Polymarket to create a solution to the “rampant misinformation” he saw in the world: The company’s first market allowed users to bet on when New York City would reopen amid the pandemic. He soon expanded into elections and pop culture happenings, among other events.

But it didn’t take long for the company to butt heads with regulators. In January 2022, Polymarket paid a $1.4 million fine to the Commodity Futures Trading Commission for offering unregistered markets. It was also ordered to block all U.S. users, but activity on Polymarket skyrocketed particularly during the 2024 U.S. presidential election, with bets totaling $3.6 billion. A week after the election, the FBI raided Coplan's apartment and seized his devices as part of an investigation into a possible violation of this agreement. Shortly after, Coplan posted on his X account that he saw the raid as “a last-ditch effort” from the Biden administration “to go after companies they deem to be associated with political opponents.”

In July, the Department of Justice and CFTC dropped the investigations—after which Sprecher reached out to Coplan for dinner—and less than a week later, Polymarket announced it had acquired CFTC-licensed derivatives exchange QCX to prepare for a compliant U.S. launch. QCX applied to be a federally-registered exchange in 2022—an application that was left dormant for three years before receiving approval less than two weeks before the acquisition was announced. When asked about the timing of the deal, Coplan points to CFTC acting chairwoman Caroline Pham, who President Trump tapped to lead the agency in January. “Caroline deserves a lot of credit for getting every single license that had been paused for no reason approved, as acting chairwoman in less than a year,” he says. Coplan had realized an acquisition might be the only way for Polymarket to legally operate in the U.S. as early as 2021 due to the lengthy federal approval process, a source familiar with the deal told Forbes.

Just two months after the acquisition and days after Donald Trump Jr. joined Polymarket’s advisory board, the company received federal approval to launch in the U.S. (Trump Jr. has also served as a strategic advisor to Polymarket’s main competitor Kalshi since January.)

Polymarket’s rapid rise has drawn critics. Dennis Kelleher, co-founder and CEO of Washington-based financial advocacy group Better Markets, told Forbes in an email that the current administration’s deregulation around prediction markets has unlocked a regulatory “loophole” to enable “unregulated gambling” under the CFTC, “which has zero expertise, capacity or resources to regulate and police these markets.” Kelleher added that with backing from the Trump family “who are directly trying to profit on this new gambling den… the massive deregulation and crypto hysteria will almost certainly end badly for the American people.”

Investors and businesses are scrambling to seize the moment of deregulation. “We had opportunities to invest in events markets earlier, but there was a lot of risk,” Sprecher says, listing the regulatory changes in favor of crypto and prediction markets under the current administration. “This was the moment to invest if we wanted to still be early in the space.”

In the last few months, Trump’s Truth Social and sportsbook FanDuel, as well as cryptocurrency exchanges Crypto.com, Coinbase and Gemini all announced their own plans to offer prediction markets. Robinhood CEO Vlad Tenev said prediction markets, which were integrated into its platform in March, were helping drive record activity for the retail brokerage in its third quarter earnings call.

“People are starting to realize right now that the opportunities are endless,” says Dubin, the billionaire hedge fund veteran who invested in Polymarket earlier this year. He points to sports betting companies, which have been regulated by states as gambling activity and taxed accordingly. States like New York can tax up to 51% of sportsbooks’ revenue, but federally-regulated prediction markets can bypass state laws, avoiding taxes and operating in all 50 states. With the realization that prediction markets could upend the sports betting industry—which brought in $13.7 billion in revenue in 2024—businesses are quickly jumping on board despite pushback from state gambling regulators. In October, both Polymarket and Kalshi secured partnerships with sportsbook PrizePicks and the National Hockey League, and Polymarket announced exclusive partnerships with sportsbook DraftKings and the Ultimate Fighting Championship.

The disruption won’t be limited to sports betting. Alongside its investment, Intercontinental’s tens of thousands of institutional clients including large hedge funds and over 750 third-party providers of data will soon have access to Polymarket data, as it gets integrated into Intercontinental’s products such as indices to better inform investment decisions. It also hopes to work with Polymarket to work on initiatives around tokenization—or converting financial assets into digital tokens on blockchain technology—to allow traders on Intercontinental’s exchanges to trade more flexibly at all hours of the day, Sprecher says. What’s more, in November, Google Finance announced it would integrate Polymarket and Kalshi data into its search results, while Yahoo Finance also announced an exclusive partnership with Polymarket.

Despite flashy investors, partnerships and a record $2.4 billion of trading volume in November, Polymarket has yet to launch in the U.S. or turn a profit. Coplan and his investors have hinted at ways the company could make money one day—selling its data, charging fees to users, launching a cryptocurrency token (similar to Ethereum or Bitcoin)—but decline to confirm any specifics. For now, the only thing that’s certain is the bet Coplan is making on himself. “Going for it and having it not pan out is an infinitely better outcome than living your life as a what if,” he says.

Standing across from the New York Stock Exchange building, Coplan tilts his head up as he watches a massive banner with Polymarket’s logo get hoisted onto the exterior of the building. It’s been five years since founding. One year since the FBI raid. He’s taking it all in. “Against all odds,” the bright blue banner reads, rippling in the wind alongside three American flags protruding from the building.

Source

🙏 Donations Accepted 🙏

If you find value in my content, consider showing your support via:

💳 Stripe:
1) or visit http://thedinarian.locals.com/donate

💳 PayPal
2) Simply scan the QR code below 📲 or Click Here

🔗 Crypto Donations Graciously👇
XRP: r9pid4yrQgs6XSFWhMZ8NkxW3gkydWNyQX
XLM: GDMJF2OCHN3NNNX4T4F6POPBTXK23GTNSNQWUMIVKESTHMQM7XDYAIZT
XDC: xdcc2C02203C4f91375889d7AfADB09E207Edf809A6

Read full Article
Reply
thedinarian@thedinarian
November 29, 2025
post photo preview
Epstein-Linked Emails Expose Funding Ties to Bitcoin Core Development — Here Is What the Documents Reveal
  • Newly released emails show Jeffrey Epstein helped fund MIT’s Digital Currency Initiative, which supported Bitcoin Core development.
  • The documents also confirm that Leon Black donated to MIT’s Media Lab through Epstein-directed channels.
  • The revelations reshape part of Bitcoin’s early institutional funding history and highlight long-hidden influence from controversial donors.

Newly unsealed emails from the House Oversight Committee have shed fresh light on Jeffrey Epstein’s hidden financial influence inside MIT’s Media Lab — and more importantly, how some of that money flowed into Bitcoin Core development. The correspondence reveals that Joichi Ito, then-director of the MIT Media Lab, relied on Epstein-connected “gift funds” to rapidly launch the Digital Currency Initiative (DCI) in 2015, the research hub that became one of the primary sources of funding for Bitcoin’s core developers.

Emails Show Epstein-Connected Money Helped Launch MIT’s Digital Currency Initiative

In the newly surfaced emails, Ito directly thanked Epstein for the financial help that allowed MIT to “move quickly and win this round,” referring to the formation of DCI — a program explicitly designed to provide long-term support for Bitcoin Core contributors after the collapse of the Bitcoin Foundation. Ito’s forwarded message to Epstein described how the foundation’s implosion left core developers without stable funding, creating an opening for MIT to bring them under its umbrella.

He explained that three major developers — including Wladimir van der Laan and Cory Fields — agreed to join MIT, calling it “a big win for us.” The email also highlighted early support from prominent academics, including cryptographer Ron Rivest and IMF economist Simon Johnson. Epstein simply replied: “gavin is clever.”

Funding Numbers Reveal a Much Larger Financial Trail

MIT publicly claimed that Epstein donated $850,000 to the institution, with $525,000 flowing to the Media Lab. But journalist Ronan Farrow later reported the true figure was closer to $7.5 million — including a $5 million anonymous donation connected to Epstein associate Leon Black. The new emails appear to confirm that Black not only donated, but did so through Epstein’s direction.

One email from Ito to Epstein reads: “We were able to keep the Leon Black money, but the $25K from your foundation is getting bounced by MIT back to ASU.”

 

Epstein responded: “No problem — trying to get more black for you.”

The documents reveal Epstein’s influence reached deeper into Bitcoin circles than previously acknowledged, even including early conversations with Brock Pierce — another figure with documented ties to both Epstein and controversy surrounding early crypto foundations.

MIT’s Internal Concerns and the Fallout

The emails also expose MIT’s internal unease around anonymous or reputationally risky donations. After the scandal broke, Ito resigned in 2019. MIT later tightened donation policies, warning that “everything becomes public” eventually — a statement that now seems prophetic given this week’s disclosures.

Developers like Wladimir van der Laan say they were unaware of the extent of Epstein’s involvement and noted that DCI’s funding transparency “was not great back in the day.” The Media Lab and DCI declined to comment.

Source

🙏 Donations Accepted 🙏

If you find value in my content, consider showing your support via:

💳 Stripe:
1) or visit http://thedinarian.locals.com/donate

💳 PayPal
2) Simply scan the QR code below 📲 or visit HERE

🔗 Crypto Donations👇
XRP: r9pid4yrQgs6XSFWhMZ8NkxW3gkydWNyQX
XLM: GDMJF2OCHN3NNNX4T4F6POPBTXK23GTNSNQWUMIVKESTHMQM7XDYAIZT
XDC: xdcc2C02203C4f91375889d7AfADB09E207Edf809A6

Read full Article
Reply
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals