
USB worm attacked cryptocurrency holders, Apple fixed a dangerous vulnerability in Beats Studio Buds, and other cybersecurity events

We have collected the most important cybersecurity news of the week.

  • A crypto clipper was distributed using fake reputation on GitHub and YouTube.
  • A USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency.
  • South Korean law enforcement dismantled a crypto-laundering network serving a Cambodian syndicate.
  • Researchers discovered a new Android trojan for stealing cryptocurrency.

A crypto clipper was distributed using fake reputation on GitHub and YouTube

An unknown attacker launched a large-scale malware distribution campaign, using legitimate marketing techniques to create a fake "reputation economy." This was reported by specialists at Check Point Research.

The ultimate goal of the attacks is to deploy crypto clippers disguised as trading tools in the Solana and Pump.fun ecosystems, as well as software for predicting betting outcomes.

According to the experts, the clipper itself is written in Rust and targets the Windows and macOS operating systems. The malware covertly and continuously monitors the device's clipboard. When it detects a copied cryptocurrency wallet address, the software instantly swaps it for the attacker's details, redirecting the digital assets.

To gain the trust of victims — mainly crypto investors and online gamers — the hacker built a complex cross-platform infrastructure of "Ghost Networks." Analysts recorded coordinated activity on the VirusTotal platform: a cluster of fake accounts left positive comments and likes en masse in order to falsely classify malicious files as safe.

Similar metric manipulation is also used on other resources:

  • GitHub and SourceForge. The attacker runs a network of accounts to cross-promote repositories. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices;
  • YouTube. A channel with more than 91,000 subscribers is used to advertise the software. The tutorial videos are created using AI voice generators and are accompanied by faked positive comments;
  • Media. To legitimize the tool, the hacker uses press-release distribution services (for example, EIN Presswire), whose publications are then automatically reprinted by partner news sites.

Check Point researchers emphasized that the manipulation of crowdsourcing platforms points to a dangerous shift in social-engineering tactics. The successfully tested scheme of cross-platform reputation inflation could in the future be used for the mass distribution of ransomware and more sophisticated infostealers.

A USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency

Microsoft experts revealed details of a self-replicating malware distribution campaign aimed at cryptocurrency holders. 

The infection process is triggered when the victim opens a modified shortcut file (.LNK) on a USB drive. Once launched, the worm covertly downloads additional payloads from a command-and-control server on a .onion domain.

The malware scans the local system for user documents. Upon finding them, the program hides the originals and replaces them with malicious shortcuts bearing identical names. As a result, the software is activated every time the user tries to open their working files. To self-propagate, the worm creates a scheduled task that monitors ports. As soon as a new USB drive is inserted into the computer, the virus instantly copies itself to the external media.

The stealer enters its active phase only if "Task Manager" is not running on the system. It establishes a connection with the command server through a built-in Tor executable and monitors the clipboard every half-second for sensitive data:

  • 12- and 24-word BIP39 seed phrases;
  • Bitcoin (including Legacy, P2SH, Bech32 and Taproot), Ethereum, Tron and Monero wallet addresses.

When it detects a copied address, the program instantly swaps it for the attacker's details. To deceive the victim, the algorithm picks wallets whose initial characters visually match the original ones.
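Because the replacement address is chosen to share its leading characters with the original, a glance at the first few characters will not catch the swap. The following paste-time check is an added example, not code from Microsoft's report or from this article; the address strings are constructed, and the prefix table is a simplified heuristic covering only the address families named above.

```python
# (fixed prefix, family, case-insensitive body) -- simplified heuristic, not full validation.
FAMILIES = [
    ("bc1p", "bitcoin-taproot", True),
    ("bc1q", "bitcoin-bech32", True),
    ("0x", "ethereum", True),
    ("1", "bitcoin-legacy", False),
    ("3", "bitcoin-p2sh", False),
    ("T", "tron", False),
    ("4", "monero", False),
]

# Constructed sample values, not real wallets.
COPIED = "0x7a3f" + "1" * 36
LOOKALIKE = "0x7a3f" + "9" * 36      # same leading characters, different address
OTHER = "0x" + "b" * 40

def split_address(addr):
    """Return (family, body) with the fixed prefix removed, or (None, addr)."""
    addr = addr.strip()
    for prefix, family, fold in FAMILIES:
        hit = addr.lower().startswith(prefix) if fold else addr.startswith(prefix)
        if hit:
            body = addr[len(prefix):]
            return family, (body.lower() if fold else body)
    return None, addr

def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def first_chars_equal(copied, pasted, n=6):
    """The weak check a person does by eye: compare only the first n characters."""
    return copied[:n] == pasted[:n]

def check_paste(copied, pasted, lookalike_chars=3):
    """Compare the whole address; label swaps that imitate the original's start."""
    fam_c, body_c = split_address(copied)
    fam_p, body_p = split_address(pasted)
    if fam_c == fam_p and body_c == body_p:
        return "match"
    if fam_c is not None and fam_c == fam_p and \
            common_prefix_len(body_c, body_p) >= lookalike_chars:
        return "lookalike-substitution"
    return "substitution"
```

With the constructed values, `first_chars_equal(COPIED, LOOKALIKE)` passes while `check_paste(COPIED, LOOKALIKE)` reports a lookalike substitution.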

In addition to clipboard interception, every ten seconds the virus takes five screenshots and sends them to the hackers using the Curl utility. On a special server command, the software can download and execute arbitrary JavaScript scripts on the infected machine.

The activity of this USB worm has been continuously recorded since at least February. Researchers emphasized that the most obvious indicators of infection are behavioral rather than signature-based. The main "red flags" of a compromise are suspicious background activity of the wscript.exe and cscript.exe processes, unexpected launches of Curl, PowerShell and cmd.exe, as well as unauthorized network connections to localhost:9050 (the standard Tor proxy-server port).
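The behavioral indicators above can be correlated per host rather than matched one at a time. This triage sketch is an added example, not Microsoft's detection logic; the events are constructed and the field names (`host`, `kind`, `pid`, `ppid`, `image`, `dest`, `port`) are assumptions about what process and network telemetry provides.

```python
from collections import defaultdict

# Indicators listed in the passage above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LAUNCHED_TOOLS = {"curl.exe", "powershell.exe", "cmd.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORT = 9050

# Constructed telemetry in time order; the field names are assumptions.
EVENTS = [
    {"host": "ws-01", "kind": "proc", "pid": 100, "ppid": 1, "image": "wscript.exe"},
    {"host": "ws-01", "kind": "proc", "pid": 101, "ppid": 100, "image": "cmd.exe"},
    {"host": "ws-01", "kind": "proc", "pid": 102, "ppid": 101, "image": "curl.exe"},
    {"host": "ws-01", "kind": "net", "pid": 102, "dest": "127.0.0.1", "port": 9050},
    {"host": "ws-02", "kind": "proc", "pid": 200, "ppid": 1, "image": "powershell.exe"},
    {"host": "ws-02", "kind": "net", "pid": 200, "dest": "10.0.0.5", "port": 443},
    {"host": "ws-03", "kind": "net", "pid": 300, "dest": "localhost", "port": 9050},
]

def collect_signals(events):
    """Return {host: set of signals}, following child processes of script hosts."""
    signals = defaultdict(set)
    tainted = defaultdict(set)   # host -> pids descended from wscript/cscript
    for ev in events:
        host, pid = ev["host"], ev["pid"]
        if ev["kind"] == "proc":
            image = ev["image"].lower()
            if image in SCRIPT_HOSTS:
                tainted[host].add(pid)
                signals[host].add("script_host_started")
            elif ev["ppid"] in tainted[host]:
                tainted[host].add(pid)
                if image in LAUNCHED_TOOLS:
                    signals[host].add("tool_under_script_host")
        elif ev["kind"] == "net" and ev["dest"].lower() in LOOPBACK \
                and ev["port"] == TOR_SOCKS_PORT:
            signals[host].add("tor_socks_connection")
            if pid in tainted[host]:
                signals[host].add("tor_socks_from_script_chain")
    return signals

def triage(events):
    """Map each host to 'alert' (two or more signals), 'review' (one) or 'clear'."""
    signals = collect_signals(events)
    return {h: "alert" if len(signals[h]) >= 2 else "review" if signals[h] else "clear"
            for h in {ev["host"] for ev in events}}

if __name__ == "__main__":
    for host, verdict in sorted(triage(EVENTS).items()):
        print(host, verdict)
```

PIDs are reused on real systems, so production logic should key the process chain on a unique process identifier rather than the bare PID.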

South Korean law enforcement dismantled a crypto-laundering network serving a Cambodian syndicate

South Korean law enforcement detained 23 suspects in a case of laundering funds for a Cambodian phishing organization. This was reported by Newsis.

The scheme was carried out through a complex transaction-routing network using both domestic South Korean and foreign cryptocurrency exchanges. According to the investigation, from February 2024 to April 2025 the group moved about 11.1 million USDT.

Police pointed to the colossal scale of the infrastructure involved: to launder the money, the attackers used about 11,300 different accounts. These transit accounts were directly linked to stolen funds totaling approximately $17 million, which the criminals obtained as a result of 265 incidents.

During the police raids, criminal proceeds worth 650 million won (about $430,000) were seized. At the same time, the active phase of the law-enforcement operation is not yet complete: the suspected organizer of the group is still at large. An Interpol "red notice" has already been issued for him, implying an international search and extradition.

Researchers discovered a new Android trojan for stealing cryptocurrency

Security researchers at Zimperium discovered a trojan for Android aimed at stealing cryptocurrency.

According to the analysts, the arsenal of the Rokarolla malware comprises 137 remote commands. The toolkit makes it possible to intercept PIN codes, read and send SMS, manipulate the clipboard to steal digital assets, and forcibly disable the OS's built-in protection mechanisms.

The software is distributed through malicious websites masquerading as installers of popular services such as TikTok and Google Chrome.

In the first stage, the victim downloads a program that visually mimics the Google Play Protect system component. Under this disguise, the dropper uses social engineering to push the user into granting it the "Accessibility" permission. Once it has the permission, the malware deploys the main payload and, first of all, disables the real Play Protect scanner.

Rokarolla downloads fake HTML authorization pages from its server for each active application from the target list. When the victim opens a legitimate crypto wallet, the trojan instantly overlays it with a fake window and intercepts all entered details.

In addition, a separate overlay exactly mimics the standard Android lock screen. This allows the software to steal a PIN code, password or unlock pattern, giving the operators the ability to control the smartphone even when it is locked. To steal cryptocurrency, the trojan uses a built-in clipper: it covertly monitors the clipboard and swaps copied wallet addresses for the attackers' details, redirecting transactions.

To overcome two-factor authentication, Rokarolla reads all SMS on the device and can send messages on its own, intercepting one-time banking codes. Moreover, by setting itself as the default application for calls and SMS, the trojan is able to block incoming calls — so a warning call from the bank's anti-fraud system simply will not reach the owner.

Experts emphasized that the main protection against such threats is heightened vigilance when granting "Accessibility" permissions, since granting them is what sets the entire attack chain in motion.

Crypto scam organizers used couriers to collect cash

Attackers have begun hiring couriers to collect funds from victims whose transactions are blocked by banking security systems. The FBI reported on this new tactic of operators of cryptocurrency "pig butchering" schemes.

Usually such frauds begin with scammers contacting potential victims through social networks, dating sites and messengers, gaining their trust, and then luring them into fake investment schemes. 

Having convinced the victim to withdraw cash (for example, under the pretext of a temporary account "freeze"), the scammers send a courier to the person who trusted them. A pre-agreed password or the serial number of a specific dollar bill is used for identification. Having received the money, the hackers simulate an increase in the balance in the victim's virtual wallet and start the cycle anew, demanding new contributions to pay fictitious "taxes" on the withdrawal of funds.

According to FBI data for 2025, cryptocurrency and investment fraud remains the "most destructive form" of cybercrime in the US: it accounted for 49% of all incidents, with total damage of $8.6 billion.

A vulnerability in wireless earphones allowed hackers to eavesdrop on iPhone users

Apple released a firmware update for the Beats Studio Buds wireless earphones that closes a high-severity vulnerability.

The flaw, reported by SentinelOne experts back in January, allowed attackers to secretly connect to the device and use the built-in microphone for spying.

The issue, which received the identifier CVE-2025-20701, is related to incorrect authorization in the Bluetooth audio SDK from chip developer Airoha. The defect allows a hacker within Bluetooth range to remotely connect their own equipment to the earphones without the user's knowledge or consent — provided that the headset is not yet paired and is actively searching for connections. The vulnerability was successfully eliminated in Beats firmware update version 1B211.

According to the specialists, the exploit can be activated via standard Bluetooth or the low-energy protocol (BLE) without any authentication. In addition to eavesdropping, the attack gives attackers almost full control over the device: it allows reading and overwriting the earphones' RAM and flash memory. Moreover, hackers can hijack established trust relationships with previously paired smartphones, which opens a vector for the development of more sophisticated multi-stage attacks.

Also on ForkLog:

  • An outdated contract in the Aztec network was hacked for $2 million.
  • Kentucky, following other states, filed a lawsuit against Polymarket.
  • The United Kingdom will ban social networks for children under 16.
  • The Supreme Court of the Russian Federation recognized cryptocurrency as an object of theft.
  • Bitbank threatened blocks for transactions related to Polymarket.

What to read over the weekend?

Ideas that change the world are almost always born on the periphery — among people whom their contemporaries consider eccentrics. In a new piece, ForkLog explored why pioneers, like Jack Parsons, often remain in the shadow of the revolutions they brought about.

Source: ForkLog

20-06-2026