The cybersecurity landscape took a sharp turn on March 20, 2025, as stolen data from the Oracle Cloud Infrastructure breach appeared for sale on BreachForums. A threat actor operating under the handle “rose87168” listed approximately six million records, potentially impacting over 140,000 Oracle cloud tenants. For cryptocurrency users and businesses relying on cloud infrastructure, this incident carries significant implications that extend well beyond traditional enterprise security.
The Exploit Mechanics
The attack exploited CVE-2021-35587, a critical Java vulnerability in Oracle Fusion Middleware that had been known since 2020. Despite its age, the flaw remained unpatched in Oracle’s legacy Gen 1 servers, also known as Oracle Cloud Classic. These servers, officially deprecated and last actively used in 2017, continued running as part of Oracle’s infrastructure, creating a persistent blind spot. The initial entry point was the endpoint login.(region-name).oraclecloud.com, which hosted sensitive credentials for Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. From there, attackers reached the authentication systems that enabled broader lateral movement across the cloud environment. Because the vulnerability was exploitable by an unauthenticated attacker with network access, no valid credentials were needed, making it particularly dangerous for any organization whose authentication layers depended on these legacy systems.
On the same day, Kaspersky researchers Boris Larin and Igor Kuznetsov reported a separate but equally concerning discovery: a Chrome zero-day vulnerability, tracked as CVE-2025-10585, that was being actively exploited by North Korea’s Lazarus Group to steal cryptocurrency. This was the sixth actively exploited Chrome zero-day patched by Google in 2025 alone, highlighting the sustained focus of state-sponsored actors on browser-based attack vectors to compromise crypto wallets and exchange accounts.
Affected Systems
The Oracle breach exposed a wide range of sensitive data, including usernames, email addresses, hashed passwords, encrypted SSO and LDAP credentials, Java Key Store files, and Enterprise Manager JPS keys. The stolen data dated back at least 16 months, suggesting the attackers maintained persistent access from January 2025 through early March. For cryptocurrency businesses using Oracle Cloud, this means compromised authentication credentials could have provided attackers with access to internal systems, potentially including wallet management infrastructure, API keys, and administrative panels.
The Lazarus Chrome zero-day affected all Chromium-based browsers and could be triggered simply by visiting a malicious website. Cryptocurrency users who accessed web-based wallets or exchanges through an unpatched browser were at particular risk.
The Mitigation Strategy
Organizations and individuals should take immediate steps to protect themselves. First, if you or your organization uses Oracle Cloud services, rotate all credentials associated with Oracle accounts immediately, including API keys, SSO tokens, and LDAP passwords. Enable hardware-based multi-factor authentication wherever possible. For the Chrome zero-day, update to the latest browser version immediately. Google has released an out-of-band patch addressing CVE-2025-10585. Consider using a separate, hardened browser exclusively for cryptocurrency transactions. Monitor wallet activity and exchange login logs for any unauthorized access attempts originating from unfamiliar IP addresses.
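As an added illustration of the log-monitoring step above (example code written for this page, not from the original article or from Oracle), the following Python checker runs over constructed exchange login log lines in a hypothetical "timestamp user ip result" format and flags successful logins that come from an IP outside an account's known baseline or that follow a burst of failed attempts from the same IP:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical log format (not Oracle's or any exchange's real format).
SAMPLE_LOG = """\
2025-03-20T09:12:01Z alice 203.0.113.10 SUCCESS
2025-03-20T09:15:44Z alice 203.0.113.10 SUCCESS
2025-03-20T10:02:09Z bob 198.51.100.7 SUCCESS
2025-03-20T22:41:13Z alice 192.0.2.55 FAILURE
2025-03-20T22:41:20Z alice 192.0.2.55 FAILURE
2025-03-20T22:41:31Z alice 192.0.2.55 SUCCESS
"""
# Constructed baseline of IPs each account has legitimately used before.
KNOWN_GOOD_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (SUCCESS|FAILURE)$")


def parse_log(text):
    """Parse lines into (timestamp, user, ip, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events


def find_suspicious_logins(events, baseline, max_failures=2):
    """Alert on a successful login that (a) comes from an IP not in the account's baseline
    or (b) follows at least max_failures failed attempts from the same IP."""
    known = defaultdict(set, {u: set(ips) for u, ips in baseline.items()})
    failures = defaultdict(int)  # (user, ip) -> failures since that pair's last success
    alerts = []
    for ts, user, ip, result in sorted(events):
        if result == "FAILURE":
            failures[(user, ip)] += 1
            continue
        reasons = []
        if ip not in known[user]:
            reasons.append("new-ip")
        if failures[(user, ip)] >= max_failures:
            reasons.append(f"{failures[(user, ip)]}-failures-before-success")
        failures[(user, ip)] = 0
        known[user].add(ip)  # later logins from this IP are no longer "new"
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "ip": ip, "reasons": reasons})
    return alerts
```

Feed it real login exports in the same shape (or adapt LINE_RE) and seed the baseline from a period you trust, since an attacker who already logged in once would otherwise be baselined as legitimate.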
Lessons Learned
The Oracle breach underscores a fundamental problem in cloud security: legacy systems that remain operational long after their official deprecation create invisible attack surfaces. Organizations must conduct regular audits of all cloud assets, including deprecated services, and enforce strict decommissioning timelines. The Lazarus Chrome zero-day reinforces the importance of browser security as a first line of defense for cryptocurrency users. State-sponsored groups are investing heavily in browser exploits because they know most crypto interactions happen through web interfaces. BTC was trading at approximately $84,167 and ETH at $1,982 on this date, making even a small percentage of compromised wallets highly lucrative for attackers.
User Action Required
Cryptocurrency users should immediately update their browsers, rotate any Oracle Cloud credentials, enable hardware security keys for two-factor authentication on all exchanges and wallets, and review recent login activity. Organizations should audit their cloud infrastructure for legacy components and ensure all known vulnerabilities, regardless of the perceived risk level of the affected systems, are patched promptly.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific guidance.
CVE-2021-35587 has been known since 2020 and was still unpatched in 2026. Legacy infra is a ticking time bomb.
A CVE from 2020 still open in 2026 on deprecated servers handling SSO credentials. Oracle should be liable for negligence here, no excuses.
cve_hunter_ nailed it. If 2020 CVEs are still live in 2026, every cloud provider's audit process needs a complete overhaul. This isn't a bug, it's a policy failure.
6 million records from deprecated servers that were last used in 2017. Oracle has some serious explaining to do
^ Deprecation does not mean decommission, apparently. If your cloud provider keeps old servers running with known CVEs, your self-custody setup is the only real security.
rose87168 listing 6 million records on BreachForums like it's a normal Tuesday. The dark web marketplace for cloud credentials is out of control.
140k tenants potentially exposed. Wonder how many crypto companies were running on Oracle Cloud Classic without knowing.
The login.(region).oraclecloud.com endpoint sitting there with SSO creds on unpatched infra is a blueprint for every nation-state attacker. Oracle got off easy with just 6M records.