We’ve compiled the most significant cybersecurity news from the past week.

  • Law enforcement conducted operations against scam centers in Europe, the UAE, and Thailand.
  • Experts discovered a phishing toolkit with AI capabilities.
  • Hackers from Drohobych sold Roblox player credentials for nearly 10 million hryvnias.
  • A critical flaw in ransomware software leads to irreversible data loss.

Law Enforcement Targets Scam Centers in Europe, UAE, and Thailand

In a joint operation, law enforcement agencies from the US, China, the UAE, and Thailand shut down nine cryptocurrency scam centers and arrested 276 suspects. The US Department of Justice reported on this.

Those arrested in the UAE and Thailand employed “pig butchering” schemes. After gaining the victim's consent, they would cut off access to the “invested” cryptocurrency. The criminals also persuaded victims to borrow money from relatives and take out loans.

A Myanmar citizen, Tet Min Nyi, has been charged with conspiracy to commit fraud and money laundering. Authorities believe he was a manager and recruiter for a criminal organization known as Ko Thet Company. Members of the Sanduo Group and Giant Company are also awaiting trial.

In Europe last week, a network of scammers was dismantled, allegedly causing over 50 million euros in losses to victims worldwide.

A joint operation by Europol and Eurojust, initiated in June 2023, led to the arrest of 10 suspects and searches at three call centers and nine private residences in Austria and Albania.

According to investigators, victims were lured to fake investment platforms through ads on search engines and social media. In reality, the funds were funneled into an international money laundering scheme. In cases of secondary fraud, criminals would re-contact “clients,” offering to help recover lost assets, demanding an additional 500 euros in cryptocurrency as an upfront fee.

The fraudulent network was registered as a legitimate business with 450 employees. Operators worked in groups of six to eight, divided by language, earning a monthly salary of around 800 euros plus bonuses.

Experts Discover AI-Powered Phishing Toolkit

Cybersecurity specialists from Varonis uncovered a phishing toolkit called Bluekit. It provides attackers with over 40 templates mimicking popular services and includes a built-in AI assistant for drafting malicious campaigns.

The toolkit offers scripts targeting email services (Outlook, Hotmail, Gmail, Yahoo, ProtonMail), iCloud, GitHub, and the Ledger cryptocurrency wallet.

A key feature of Bluekit is its AI Assistant panel, which supports multiple AI models, including Llama, GPT-4.1, Claude, Gemini, and DeepSeek. This tool aids cybercriminals in composing phishing emails.

According to Varonis, this feature is still in the experimental phase. The tested attack draft had a useful structure but contained generic fields for links, placeholders for QR codes, and text that required refinement before use.

In addition to AI, Bluekit consolidates the entire attack cycle in one panel:

  • Domain registration. Purchase and setup of addresses directly from the interface;
  • Campaign management. Creation of phishing pages with realistic designs and logos of well-known brands like Zara, Zoho, and Ledger;
  • Tuning. Blocking traffic via VPNs and proxies, cutting off automated analysis systems, and setting filters based on device fingerprints;
  • Data interception. Transmitting stolen information via Telegram to private hacker channels.

The platform allows real-time tracking of victim sessions, including cookies, local storage, and active session status after login. This helps hackers adjust attacks for maximum effectiveness.

Experts believe that although the product is still in active development, it is evolving rapidly and could gain widespread use.

Hackers from Drohobych Sold Roblox Player Credentials for Nearly 10 Million Hryvnias

Law enforcement in the Lviv region arrested fraudsters who stole Roblox accounts worth 10 million hryvnias, according to the Office of the Prosecutor General of Ukraine.

According to investigators, three residents of Drohobych promoted info stealers disguised as tools to enhance gameplay. Using the malware, the hackers gained access to victims' credentials.

The stolen credentials were verified using a special program (checker) that displayed account contents. From October 2025 to January 2026, over 610,000 accounts were filtered to find the most valuable ones. The data was sold for cryptocurrency on Russian platforms.

As a result of 10 searches, law enforcement seized equipment, records, over 2,500 euros, and about $35,000. The suspects have been charged with theft and cybercrime.

Critical Flaw in Ransomware Software Leads to Irrecoverable Data Loss

Experts from Check Point discovered a serious defect in the nonce handling mechanism of the VECT 2.0 ransomware. Because of the error, the malware does not encrypt data recoverably but destroys it, with no recovery options.

The issue lies in how VECT 2.0 processes files larger than 128 KB. To speed up the process, the program splits objects into four parts and encrypts them separately. However, programming logic errors result in catastrophic consequences:

  1. All parts of the file use the same memory buffer for nonce output. Each newly generated nonce overwrites the previous one.
  2. As a result, only one nonce remains, and it is the one written to disk.
  3. Only the last 25% of the file can be recovered. The first three parts of data cannot be decrypted because the unique numbers needed for this were irretrievably lost during processing.

Even if the victim pays the ransom, the attackers cannot decrypt the data since the deleted nonces are not transmitted to the hackers' servers.
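The effect of the shared nonce buffer can be reproduced in memory. The following is an added illustration, not code from VECT or from the Check Point report: a toy XOR keystream stands in for the real cipher, and the key, nonces and plaintext are constructed sample values.

```javascript
// Added illustration: a toy XOR keystream stands in for the real cipher (assumption),
// and the key, nonces and plaintext below are constructed sample values.
const PARTS = 4;

// Toy keystream (xorshift32 seeded from key and nonce). NOT a real cipher.
function keystreamXor(data, key, nonce) {
  let s = ((key ^ nonce) >>> 0) || 1;
  return data.map((byte) => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return byte ^ (s & 0xff);
  });
}

// The flaw as described: every part's nonce lands in the same slot,
// so only the last one survives to be stored with the file.
function processFile(plain, key, nonces) {
  const size = Math.ceil(plain.length / PARTS);
  const nonceSlot = new Uint32Array(1); // single buffer shared by all parts
  const parts = [];
  for (let i = 0; i < PARTS; i++) {
    nonceSlot[0] = nonces[i]; // overwrites the previous part's nonce
    parts.push(keystreamXor(plain.subarray(i * size, (i + 1) * size), key, nonceSlot[0]));
  }
  return { parts, storedNonce: nonceSlot[0], size };
}

// What a decryptor holding the correct key can restore from the one stored nonce.
function recoverable(blob, key, plain) {
  return blob.parts.map((part, i) => {
    const attempt = keystreamXor(part, key, blob.storedNonce);
    const original = plain.subarray(i * blob.size, (i + 1) * blob.size);
    return attempt.every((byte, j) => byte === original[j]);
  });
}

const plain = Uint8Array.from({ length: 256 }, (_, i) => (i * 7 + 3) & 0xff);
const blob = processFile(plain, 0xc0ffee, [0x1111, 0x2222, 0x3333, 0x4444]);
console.log(recoverable(blob, 0xc0ffee, plain));
```

Even with the correct key, only the final part decrypts, which matches the 25% figure above.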

Researchers noted that the 128 KB threshold is extremely low. Almost all valuable corporate information exceeds it and is therefore affected:

  • Virtual machine images;
  • Databases and backups;
  • Office documents, spreadsheets, and email accounts.

This turns the malware from ransomware into a mere data wiper, making ransom payments pointless. The flaw exists in all versions of VECT 2.0: for Windows, Linux, and ESXi.

According to experts, VECT was actively advertised on the hacker platform BreachForums. Operators invited users to become partners and sent access keys via private messages.

Later, the group announced a partnership with TeamPCP — the team behind recent supply chain attacks on Trivy, LiteLLM, Telnyx, and the European Commission. The goal of the alliance was to use victims to deploy ransomware.

Hackers Exploit Qinglong Task Scheduler for Mining

Attackers exploited two authentication bypass vulnerabilities in the Qinglong task scheduler to secretly mine cryptocurrency on developers' servers. This was reported by cybersecurity experts from Snyk.

Qinglong is an open-source task management platform based on Python/JS, popular among Chinese developers.

The infection chain for remote code execution affected Qinglong versions 2.20.1 and later.

According to specialists, the root cause of the vulnerabilities lies in a mismatch between the authorization logic of the middleware and the routing behavior of the Express.js web framework. The authentication layer assumed that certain URL patterns would always be processed in one way, while Express.js processed them in another.
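The class of mismatch can be shown with a guard that classifies the raw path while the router dispatches on a normalized one. This is an added illustration, not Qinglong's code and not taken from the Snyk report: the routes and guards are hypothetical, `routeKey` is a stand-in for Express's default matching (case-insensitive, trailing slash optional), and the page does not state which URL patterns were involved in Qinglong.

```javascript
// Added illustration with hypothetical routes; this is not Qinglong's code.
const routes = new Map([
  ['/api/tasks', () => 'task list'], // meant to require a session
  ['/open/health', () => 'ok'],      // intentionally public
]);
const PUBLIC = new Set(['/open/health']);

// Stand-in for Express's default matching: case-insensitive, trailing slash optional.
function routeKey(path) {
  return path.toLowerCase().replace(/\/+$/, '') || '/';
}

// Weak guard: classifies the raw string, so it can disagree with the router.
function weakGuard(req) {
  if (!req.path.startsWith('/api/')) return true; // treated as unprotected
  return Boolean(req.session);
}

// Hardened guard: deny by default and classify the same key the router dispatches on.
function strictGuard(req) {
  return PUBLIC.has(routeKey(req.path)) || Boolean(req.session);
}

function handle(req, guard) {
  if (!guard(req)) return { status: 401 };
  const handler = routes.get(routeKey(req.path));
  return handler ? { status: 200, body: handler() } : { status: 404 };
}

// Audit helper: constructed paths where an anonymous request reaches a non-public handler.
function guardGaps(guard, paths) {
  return paths.filter((path) => {
    const res = handle({ path, session: null }, guard);
    return res.status === 200 && !PUBLIC.has(routeKey(path));
  });
}

// Constructed sample paths for the audit.
const samples = ['/api/tasks', '/API/tasks', '/api/tasks/', '/open/health/'];
console.log('weak guard gaps:  ', guardGaps(weakGuard, samples));
console.log('strict guard gaps:', guardGaps(strictGuard, samples));
```

Running a check like `guardGaps` over a route table in CI surfaces any path the guard and the router classify differently.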

According to Snyk, the attackers' campaign began on February 7, 2026. Qinglong users were the first to detect a hidden malicious process named .FULLGC. To maintain stealth, its name mimics a standard resource-intensive task.

The miner utilized 85–100% of CPU power and targeted Linux, ARM64, and macOS systems. Qinglong developers have patched the vulnerability in PR 2941.
