We’ve compiled the most important cybersecurity news from the past week.
- Hackers have devised a scheme for subtly swapping Bitcoin addresses.
- A new Android Trojan has been disguised as IPTV applications.
- Trezor and Ledger users received phishing letters.
- A researcher exposed major companies tracking Chrome users through extensions.
Hackers Have Devised a Scheme for Subtly Swapping Bitcoin Addresses
Criminals have begun to subtly swap Bitcoin addresses under the guise of a lucrative cryptocurrency arbitrage deal. The scheme was uncovered by experts at BleepingComputer.
The campaign is built on promises of huge profits from a supposed "arbitrage vulnerability" found on the cryptocurrency exchange platform Swapzone. In reality, hackers deploy malicious code that modifies the swap process directly in the victim's browser.
Typically, ClickFix-style attacks target operating systems: users are tricked into executing commands in PowerShell to "fix Windows errors," leading to the installation of stealers or ransomware. In this case, the target is a specific browser session.
According to media reports, this is one of the first documented instances of using ClickFix mechanics to manipulate web pages for direct cryptocurrency theft.
To promote the fraudulent campaign, hackers leave comments on various posts on the popular text storage service Pastebin.
They advertise a "leaked hacking documentation" that allegedly allows users to earn $13,000 in two days, attaching a link to the resource. The "guide" in Google Docs describes a scheme for obtaining inflated exchange amounts in specific BTC pairs.
BleepingComputer's observations revealed that the document is continuously viewed by one to five people simultaneously, indicating active engagement with the scheme.
The fake guide instructs users to:
- Visit the Swapzone website.
- Copy JavaScript code from a third-party resource.
- Return to the Swapzone tab, enter javascript: in the address bar, paste the copied code, and hit Enter.
This method relies on the browser's support for javascript: URLs: code pasted after the javascript: prefix in the address bar runs in the context of the site currently open in that tab. Analysis showed that the primary script loads a second, heavily obfuscated payload. It injects itself into the Swapzone page, replacing the legitimate Next.js scripts responsible for transaction processing:
- Address swapping. The malicious script contains a list of the hackers' Bitcoin addresses, substituting one of them for the real deposit address generated by the exchange;
- Visual deception. The code alters displayed exchange rates and payout amounts on the screen, creating the illusion that the "arbitrage scheme" is genuinely working;
- Outcome. The victim sees the familiar interface of a legitimate service but sends money to the hacker's Bitcoin wallet.
A New Android Trojan Disguised as IPTV Applications
A new piece of malware for Android masquerades as an IPTV viewing app to steal digital identities and access victims' bank accounts. This was reported by cybersecurity researchers at ThreatFabric.
The Massiv trojan employs overlay windows and keystroke logging to collect sensitive data. It can also establish full remote control over the infected device.
During the campaign, Massiv targeted a Portuguese government app related to Chave Móvel Digital, the national digital authentication and signature system. Data stored in these services could be used to bypass identity verification (KYC) procedures and gain access to bank accounts and other government and private online services.
According to ThreatFabric, there have been instances of bank accounts and services being opened in the victim's name without their knowledge.
Massiv provides operators with two modes of remote control:
- Screen streaming — uses the Android MediaProjection API to broadcast real-time screen activity;
- UI-tree mode — extracts structured data through the Accessibility Service.
The second mode allows attackers to see text, interface element names, and their coordinates. This enables them to click buttons and edit text fields on behalf of the user. More importantly, this method bypasses screenshot protection often built into banking and financial applications.
Researchers noted an interesting trend: the use of IPTV applications as "bait" for infecting Android devices has sharply increased over the past eight months.
Such applications often violate copyright, making them unavailable on Google Play. Users are accustomed to downloading them as APK files from unofficial sources and installing them manually.
According to the report, the campaign targets residents of Spain, Portugal, France, and Turkey.
Trezor and Ledger Users Received Phishing Letters
Users of Trezor and Ledger have started receiving paper letters by post from criminals posing as the manufacturers of the hardware cryptocurrency wallets.
According to cybersecurity expert Dmitry Smilyants, the letter he received looked like an official notification from Trezor's security department.
On branded letterhead, the client was asked to complete a mandatory procedure: scan a QR code and finish verification on a special website by a certain date. Failure to comply threatened the user with losing access to wallet features.
In the replies to the post, other users shared earlier phishing letters purportedly sent by Ledger. Both letters created a sense of urgency, pushing victims to act immediately.
at least they could have worked on a better phishing page 😭😭
— Who said what? (@g0njxa) February 12, 2026
even plaintext seed words sent to telegram api…
trezor.authentication-check[.]io/black/ pic.twitter.com/fa85203awR
The QR codes in the letters led to malicious sites mimicking the official Trezor and Ledger setup pages. In the final stage, users were coerced into entering their seed phrase to "confirm ownership of the device."
Researcher Exposed Major Companies Tracking Chrome Users Through Extensions
A researcher under the pseudonym Q Continuum discovered 287 Chrome extensions that transmit all browsing history data to third-party companies. Their total number of installations exceeded 37.4 million.
Using an automated testing system, the researcher examined 32,000 extensions from the Chrome Web Store. More than 30 companies were found to be collecting data.
The researcher believes that extensions offering convenient and useful tools are, in fact, requesting access to browsing history without any justification in their functionality. Some of them also encrypt the collected data before sending it, which makes the exfiltration harder to detect.
According to the specialist, part of the data collection is formally outlined in privacy policies. However, not all users pay adequate attention to them.
The researcher identified Similarweb, Semrush, Alibaba Group, ByteDance, and the Similarweb-affiliated entity Big Star Labs as data collectors.
Extensions under suspicion include the Stylish theme customizer and ad blockers (Stands AdBlocker and Poper Blocker, CrxMouse), as well as Similarweb's own extension (SimilarWeb: Website Traffic & SEO Checker).
About 20 million installations out of 37.4 million could not be linked to specific data recipients.
In Similarweb's privacy policy, data collection is documented. The company claims to anonymize information on the client side, although it also states that "some of this data may include personal and confidential information depending on search queries and viewed content."
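The researcher's automated review of the Chrome Web Store is not public, but the kind of check a defender can run is a static audit of an extension's manifest for permissions that expose browsing history. The following is an added example, not code from the article or the researcher; the permission and pattern names are real Chrome manifest keys, while the sample manifest is constructed for illustration.

```javascript
// Chrome API permissions that reveal which URLs the user visits.
const HISTORY_PERMISSIONS = {
  history: "read the full browsing history",
  tabs: "read the URL and title of every open tab",
  webNavigation: "observe every navigation event",
  webRequest: "observe every HTTP request",
};

// A host pattern that matches every site lets the extension see every page.
function isBroadHostPattern(pattern) {
  return (
    pattern === "<all_urls>" ||
    /^\*:\/\/\*\//.test(pattern) ||
    /^https?:\/\/\*\//.test(pattern)
  );
}

// Returns a list of human-readable findings for a parsed manifest.json.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  for (const p of perms) {
    if (p in HISTORY_PERMISSIONS) findings.push(`permission "${p}": ${HISTORY_PERMISSIONS[p]}`);
  }
  // Manifest V3 lists host patterns in host_permissions; V2 mixed them into permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  for (const h of hosts) {
    if (isBroadHostPattern(h)) findings.push(`host permission "${h}": scripts can run on and read every site`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHostPattern)) {
      findings.push(`content script on "${cs.matches.join(", ")}": sees the URL of every page it is injected into`);
    }
  }
  return findings;
}

// Constructed sample: a "theme customizer" that needs none of these to style sites the user chooses.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample Theme Customizer",
  permissions: ["storage", "tabs", "webNavigation"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```

A finding is a prompt to compare the permission against what the extension visibly does, not proof of exfiltration; the privacy policy and network traffic decide that.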
Data Breach at Popular Adult Toy Maker
The Japanese company Tenga has sent notifications to customers about a data security breach. This was reported by TechCrunch.
According to the statement, "an unauthorized party gained access to the professional email of one of our employees," giving the attacker access to the contents of incoming messages. This potentially allowed them to view and steal customer names, email addresses, and correspondence history, which "may have included order details or support inquiries."
The hacker also sent spam messages to the contact list of the compromised employee, including the company's customers.
After the news broke, a Tenga representative told TechCrunch that, according to the results of the forensic investigation, the breach affected "approximately 600 people" in the U.S.
Tenga is a global supplier of adult products. Given the nature of the products, order details and support inquiries likely contain personal information that many customers would prefer to keep private.
The company has taken several protective measures:
- Resetting the credentials of the compromised employee;
- Implementing multi-factor authentication across all its systems — a basic security feature that prevents account access even with a stolen password.
The company representative declined to specify whether two-factor authentication was enabled on the email account before the breach.
651 Suspects Arrested in Africa During Cybercrime Operation
Law enforcement agencies in African countries arrested 651 suspects and seized over $4.3 million during a joint operation against investment fraud. This was reported by Interpol.
The goal of Red Card 2.0 was to target cybercriminal groups involved in financial losses totaling over $45 million. Authorities from 16 countries seized 2,341 devices and blocked 1,442 malicious websites, domains, and servers.
Key results by country:
- Nigeria. Police dismantled an investment fraud network that recruited youth for phishing attacks, identity theft, and fake investment schemes. Over 1,000 fraudulent social media accounts were removed. Six gang members were also arrested for using stolen employee credentials to hack a major telecommunications provider;
- Kenya. 27 suspects were detained during an investigation into groups that lured victims into fake investment projects through social media and messaging apps;
- Côte d'Ivoire. 58 individuals were arrested as part of the fight against mobile loan applications that used hidden fees and illegal debt collection methods.
Also on ForkLog:
- OpenAI released a benchmark for assessing AI agents' ability to hack smart contracts.
- Vibe coding through Claude Opus led to the hacking of the DeFi project Moonwell.
- Figure acknowledged a data leak of customer personal information.
- South Korean police lost 22 BTC from a cold wallet.
What to Read This Weekend?
In the novel "Blindsight," Canadian biologist and writer Peter Watts proposed a radical hypothesis: intelligence can be effective without consciousness. Nearly 20 years after the book's publication, this thesis accurately describes generative AI.
In a new article, ForkLog explored the mistakes we make when humanizing algorithms.
