We’ve compiled the most significant cybersecurity news from the past week.
- A user lost $282 million in cryptocurrency due to a fake tech support scam.
- LastPass password manager users were targeted by phishing attacks.
- Thousands have left scam camps in Cambodia.
- Law enforcement has identified the leader of a ransomware group.
User Loses $282 Million in Cryptocurrency Due to Fake Tech Support
On January 10, 2026, one of the largest social engineering attacks was recorded: a victim lost Bitcoin and Litecoin worth $282 million. This was highlighted by on-chain investigator ZachXBT.
On January 10, 2026 at around 11 pm UTC a victim lost $282M+ worth of LTC & BTC due to a hardware wallet social engineering scam.
The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges causing the XMR price to sharply increase.
BTC was also…
— ZachXBT (@zachxbt) January 16, 2026
The user provided the seed phrase for their hardware wallet to a scammer posing as a Trezor support employee. Once access was gained, the hacker withdrew 2,050,000 LTC and 1,459 BTC.
The attacker used the decentralized protocol THORChain to convert the assets into Monero, leading to a local pump in its price. ZeroShadow specialists quickly tracked the transaction chain and froze about $700,000.
LastPass Users Targeted by Phishing Attacks
On January 20, LastPass developers warned users about a new phishing campaign disguised as maintenance notifications.
Hackers are sending emails urging users to urgently create a backup of their password vault within 24 hours. The notification includes a link that supposedly leads to a page for creating an encrypted backup, but clicking the "Create Backup Now" button redirects users to a phishing site.
This way, the attackers aim to steal the victims' master passwords. Experts believe the malicious campaign began on January 19.
Thousands Leave Scam Camps in Cambodia
In the past week, thousands of people, including victims of human trafficking, have left scam centers in Cambodia amid a crackdown on crime by the authorities. This was reported by the BBC.
Phnom Penh has initiated a new round of efforts to restore order in scam camps—large complexes where hundreds of people participate in fraudulent schemes, stealing billions from victims worldwide.
According to experts, many end up in such places through deception, while some work there voluntarily.
On January 15, a businessman named Khuong Li was arrested in Cambodia on suspicion of illegal recruitment and exploitation, fraud, and money laundering. In March 2023, he was featured in a BBC Eye investigation about fraudulent centers in Southeast Asia.
The program highlighted a complex in the resort town of Sihanoukville owned by Li, where workers were lured from other countries into a labor camp and forced to work at night and engage in fraud.
Law Enforcement Identifies Leader of Ransomware Group
Law enforcement agencies in Germany and Ukraine have identified the leader of the Black Basta ransomware group as 35-year-old Russian Oleg Nefedov. Interpol and Europol have placed the criminal, known online as tramp and kurva, on their most wanted list, reports Ukraine's Cyber Police.
Source: Europe’s most wanted.
Investigators have established Nefedov's connection to the now-disbanded Conti syndicate, which Black Basta directly succeeded after rebranding in 2022.
During raids in the Ivano-Frankivsk and Lviv regions, two group members who specialized in hacking secure systems and stealing passwords were arrested. They provided initial access to the networks of large corporations, paving the way for data encryption and subsequent multimillion-dollar ransom demands.
Digital storage devices and significant amounts of cryptocurrency were seized during the searches.
Source: Office of the Prosecutor General of Ukraine.
Since its inception, Black Basta has attacked over 700 organizations, including critical infrastructure: the German defense contractor Rheinmetall, the European branch of Hyundai, and the British telecom company BT Group.
Hackers Target Chrome and Edge Users
The KongTuke group has begun widespread distribution of a malicious extension called NexShield for Chrome and Edge. This was reported by cybersecurity researchers at Huntress.
According to specialists, the malware masquerades as a lightweight ad blocker. The extension intentionally overloads memory and CPU, causing tabs to freeze and the browser to crash, forcing users to seek ways to restore their systems.
After a forced restart, NexShield displays a fake security window offering to scan the system.
Source: Huntress.
Under the guise of a solution, the software prompts users to copy a command to the clipboard and execute it in the Windows command line. In reality, this step launches a script that downloads a new remote access trojan, ModeloRAT.
Source: Huntress.
Experts indicate that the primary target is the corporate sector. The malware waits 60 minutes before acting to avoid suspicion and primarily activates in organizational domain networks. Once inside, ModeloRAT allows attackers to conduct deep reconnaissance, modify the system registry, install third-party software, and covertly control the victim's computer.
Huntress researchers noted that simply removing the extension from the browser will not resolve the issue, as the trojan is deeply embedded in the system. They recommended that PC owners conduct a full antivirus scan and never execute commands suggested by websites or extensions.
Zendesk Support Cloud Service Floods Users with Spam After Breach
Users worldwide have become targets of a mysterious wave of spam originating from unsecured systems of the Zendesk support cloud service. On January 18, victims reported receiving hundreds of emails.
There’s some exploit or mass-scale abuse with @Zendesk right now… I just got EIGHT HUNDRED emails from them over the course of about an hour.
They’re all scams sent from different Zendesk instances. Many bypassed iCloud’s Junk filters. pic.twitter.com/nWXr2nFtg3
— Nick Oates (@nickoates_) January 18, 2026
It appears that the messages do not contain malicious links or explicit phishing attempts. However, the sheer volume and chaotic nature of the distribution raise concerns among recipients.
The emails feature bizarre subject lines: some mimic requests from law enforcement or content blocking demands, while others offer free Discord Nitro or contain pleas for help.
According to BleepingComputer, the emails are generated by support platforms of companies using Zendesk for customer service. Attackers exploited a loophole that allows unauthorized users to send requests for automated responses.
Among the affected companies are Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, the Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace, and Lime.
Zendesk representatives informed the publication that they have implemented new security features to detect and prevent such spam in the future.
