Here are the most significant cybersecurity news highlights from the past week.

  • Over 700 browser-based crypto wallets have come under threat from an info stealer.
  • The UK has imposed sanctions on Xinbi and scam camps in Southeast Asia.
  • Malware exploited Solana for cryptocurrency data theft and phishing.
  • A cyberattack on an ignition interlock manufacturer restricted vehicle access.

Over 700 Browser-Based Crypto Wallets Targeted by Info Stealer

The new info stealer Torg Grabber targets sensitive information from 850 browser extensions, including cryptocurrency wallets, password managers, note-taking apps, and two-factor authentication tools, report cybersecurity researchers at Gen Digital.

Initial access is gained with the ClickFix technique: attackers hijack the clipboard and trick users into running a malicious PowerShell command themselves.

The list of vulnerable extensions includes 728 crypto wallets such as MetaMask, Phantom, and TrustWallet.

Torg Grabber also collects data from Discord, Telegram, Steam, VPN tools, email services, and desktop versions of crypto applications.

In addition to these capabilities, the malware can:

  • create a digital fingerprint of the hardware;
  • analyze installed software (including 24 antivirus programs);
  • take screenshots of the desktop;
  • steal files from the "Desktop" and "Documents" folders;
  • execute arbitrary code on the infected device.

Since late 2025, the operators have been using a more reliable HTTPS channel routed through Cloudflare's infrastructure, and the stealer has been updated to bypass cookie protections in Chrome, Brave, Edge, Vivaldi, and Opera.

According to the researchers, 334 samples were compiled between December 2025 and February 2026, and new command-and-control servers are registered every week.

The UK Imposes Sanctions on Xinbi and Scam Camps in Southeast Asia

On March 26, the UK government imposed sanctions on the cryptocurrency marketplace Xinbi and individuals linked to scam camps in Southeast Asia.

Authorities stated that the platform facilitates the sale of stolen personal data and provides tools for finding victims, including satellite internet equipment. The measures restrict the network's access to financial channels.

The sanctions also affected Legend Innovation, operator of #8Park—a major scam camp in Cambodia. It is estimated that up to 20,000 forced laborers are held there. The restrictions include the company's director, Eang Soklim, and individuals connected to the Prince Group financial network.

According to Chainalysis, transactions exceeding $19.9 billion passed through Xinbi from 2021 to 2025.

In India, law enforcement arrested Sunil Nellat Ramakrishnan, also known as Krish, on suspicion of trafficking individuals to fraudulent crypto centers in Myanmar.

Authorities claim he was a key figure in transporting victims from Delhi to Bangkok under the pretense of legitimate employment in Thailand. People were forcibly moved to the Myawaddy area, specifically to the KK Park complex.

Searches at the suspect's residence linked him to human trafficking operations in Cambodia.

Malware Used Solana for Cryptocurrency Data Theft and Phishing

Cybersecurity researchers at Aikido reported a new phase of the GlassWorm campaign. Hackers are distributing phishing code kits that steal developer data and install remote access trojans.

GlassWorm gains access through malicious packages published in npm, PyPI, GitHub repositories, and the Open VSX marketplace.

Operators also hack the accounts of maintainers of popular projects to inject poisoned updates.

Instead of hardcoding the command server's address in the malware itself (where it can easily be found and blocked), the attackers used a "dead drop" technique and concealed it in the Solana blockchain.

The loader connects to the network and checks predefined crypto wallets for transactions carrying a specific text note (the memo field). Once it finds one, it extracts the masked link, decrypts it, and connects to the remote server. The malware does not infect systems with Russian localization.

Decrypting the memo field in the Solana blockchain reveals the hackers' remote server link. Source: Aikido.
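A defender-side illustration of the dead-drop resolution described above, added here as an example that is not part of the original article or of Aikido's research: a small hunting routine that takes memo instructions exported from monitored wallets and flags any memo whose raw, base64-decoded or hex-decoded content resolves to a URL or host:port. The encodings, field names and memo contents are assumptions constructed for the example; the real campaign's obfuscation is not described on the page.

```python
import base64
import binascii
import re

# Constructed sample of memo instructions as a wallet monitor might export them.
# Field names are assumed; the memo contents are made up for this example.
SAMPLE_MEMOS = [
    {"wallet": "WalletA111", "signature": "sigA", "memo": "thanks for the coffee"},
    {"wallet": "WalletA111", "signature": "sigB",
     "memo": base64.b64encode(b"https://stage2.example.invalid/u").decode()},
    {"wallet": "WalletB222", "signature": "sigC",
     "memo": b"203.0.113.5:8443".hex()},
    {"wallet": "WalletB222", "signature": "sigD", "memo": "gm"},
]

# A memo that resolves to an absolute URL, an IP:port, or a hostname with an
# optional port/path is the signal we hunt for.
URL_RE = re.compile(
    r"^(https?://\S+"
    r"|(\d{1,3}\.){3}\d{1,3}:\d{2,5}"
    r"|[\w.-]+\.[a-z]{2,}(:\d{2,5})?(/\S*)?)$",
    re.I,
)

def decode_candidates(memo: str) -> list[str]:
    """Return the memo itself plus every plausible decoding of it.

    Only base64 and hex are tried here; the page does not state the
    campaign's real scheme, so these are assumed encodings.
    """
    out = [memo.strip()]
    try:
        out.append(base64.b64decode(memo, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    try:
        out.append(bytes.fromhex(memo).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass
    return out

def hunt_dead_drops(memos: list[dict]) -> list[dict]:
    """Flag memos whose raw or decoded content looks like a C2 address."""
    hits = []
    for rec in memos:
        for cand in decode_candidates(rec["memo"]):
            if URL_RE.match(cand):
                hits.append({**rec, "resolved": cand})
                break
    return hits

if __name__ == "__main__":
    for h in hunt_dead_drops(SAMPLE_MEMOS):
        print(h["wallet"], h["signature"], "->", h["resolved"])
```

Feeding it real memo exports from the wallets named in the Aikido report would turn it into a simple tripwire for newly posted dead drops.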

The second phase of the attack includes:

  • collection: stealing data, exfiltrating crypto wallets, and profiling the system;
  • transmission: the collected data is compressed into a ZIP archive and sent to an external server;
  • payload delivery: after the data is transmitted, the attack chain pulls in two additional components.

The first is a file for detecting USB devices. When a user connects a hardware wallet, a phishing window appears:

  • for Ledger: a fake configuration error with 24 fields for entering the recovery phrase;
  • for Trezor: a message about a "firmware verification failure" and a forced emergency reboot, with similar input fields.

The second component is a JavaScript RAT. The address for its download is extracted through an event description in Google Calendar (another variant of a "dead drop").

Its tasks include running a hidden remote desktop module, stealing data from browsers, and executing arbitrary JavaScript code.

Additionally, the trojan forcibly installs the Google Docs Offline extension. It collects the tree of active tabs, history up to 5000 entries, screenshots, and clipboard content. The extension also monitors crypto exchanges, such as Bybit, tracking authorization tokens and device IDs.

Cyberattack on Ignition Interlock Manufacturer Restricted Vehicle Access

Hackers targeted Intoxalock—a provider of ignition interlock systems for vehicles in the US. Due to the disruption of device functionality, some owners were unable to start their cars, reports the publication "Hacker".

Intoxalock produces devices that drivers convicted of driving under the influence are required to install. To start the engine, the driver must blow into a tube so the device can check that their blood alcohol level is within the permitted limit. If the limit is exceeded, the vehicle will not start. In some states, the system also records GPS coordinates and periodically photographs the driver.

According to media reports, the device requires mandatory calibration approximately once a month. However, due to the cyberattack, calibration became impossible, and drivers with expired checks were locked out. In Connecticut alone, the issue affected 7-10% of users.

The company extended the authorization period at service centers by 10 days, but the extension did not apply to all device versions or in all states.

On March 22, the system was restored. Intoxalock's management promised to compensate users' expenses, including vehicle towing.

Researcher Discovers Trojan in AI App LiteLLM

Credential-stealing malware was found in the popular AI app LiteLLM. This was reported by researcher Callum McMahon from FutureSearch.

LiteLLM allows developers to connect to hundreds of different neural networks and manage subscription payments. The project has over 40,000 stars on GitHub, thousands of forks, and downloads reach 3.4 million per day.

According to McMahon, the malware infiltrates the system through a third-party software package that LiteLLM depends on. The researcher suspected his computer was infected when it suddenly shut down right after the software loaded. A flaw in the malware itself caused the system crash, revealing the presence of the attackers' code.

McMahon and renowned developer Andrej Karpathy concluded that the virus was created using vibe coding without careful verification.

How the malware operated:

  • stole all possible credentials;
  • used them to access other accounts and packages to gather even more passwords;
  • spread through the chain, capturing new systems.

According to TechCrunch, LiteLLM's website features badges for the major security certifications SOC 2 and ISO 27001, issued after an audit by Delve. Delve positions itself as an AI-based service that automates cybersecurity checks.

Media reports indicate that Delve was previously accused of generating fake data for reports, using questionable auditors, and misleading clients about their security.

Oh damn, I thought this WAS a joke

… but no, LiteLLM *really* was "Secured by Delve" (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudulent auditing, but useless for sure)

And so unsurprisingly LiteLLM was compromised, badly https://t.co/P7FZrsagAb

— Gergely Orosz (@GergelyOrosz) March 24, 2026

LiteLLM developers managed to eliminate the threat within hours of the infected version's release. The company has begun an investigation in collaboration with Mandiant.

Also on ForkLog:

  • Co-founder of Fenbushi Capital offered a reward for the return of $42 million stolen.
  • ZachXBT accused Circle of mistakenly freezing 16 wallets.
  • Irish authorities gained access to bitcoins worth €30 million.
  • A hacker attack on Resolv crashed the USR stablecoin.
  • Google identified a chain of DarkSword exploits for hacking iPhones.

What to Read This Weekend?

In a new article, ForkLog discusses how Russian authorities plan to monitor every crypto transaction within the country and why Bitcoin wallet keys will need to be shared with a digital depository.