We’ve compiled the most significant cybersecurity news from the past week.

  • Hackers compromised users of the password manager Dashlane.
  • A vulnerability was discovered in the Trezor Safe 7 cryptocurrency wallet chip.
  • Chinese hackers are targeting Europe.
  • Fraudsters tricked AI support into transferring rare Instagram accounts to them.

Hackers Compromise Dashlane Users

Attackers managed to bypass two-factor authentication (2FA) and download encrypted vaults containing Dashlane users' credentials. This was reported by the password manager's developer.

The campaign began on May 31, 2026, targeting API endpoints for registering new devices. The hackers initiated a brute-force attack on six-digit one-time codes sent to victims via email or generated in authentication apps.

Although Dashlane's automated security systems detected anomalies and temporarily blocked targeted accounts, the attackers managed to guess the correct codes for a small number of victims. After passing 2FA verification, the hackers authorized their devices in users' profiles, allowing the app to automatically download complete copies of the encrypted vaults.

According to the company, fewer than 20 users were affected by the incident. The internal infrastructure and servers of Dashlane were not compromised. The company has implemented additional verification levels and blocks for suspicious traffic.
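The attack described above works only when six-digit codes can be guessed many times per account. The following is an added example, not Dashlane's code and not from the original article: a minimal server-side guard for a device-registration flow that budgets failed codes per account. The class name, limits and return values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5     # assumed failure budget per account
CODE_TTL = 300       # assumed code lifetime, seconds
LOCK_SECONDS = 900   # assumed lock once the budget is spent

def guess_success_probability(attempts: int, digits: int = 6) -> float:
    """Chance that `attempts` distinct guesses hit one fixed code."""
    return min(attempts, 10 ** digits) / 10 ** digits

class DeviceRegistrationGuard:
    """Budgets failures per account (not per source IP) and keeps the
    count across re-issued codes, so neither trick adds guesses."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.state = {}  # account -> code, expires, failures, locked_until

    def issue_code(self, account):
        now = self.clock()
        prev = self.state.get(account, {"failures": 0, "locked_until": 0.0})
        if prev["locked_until"] > now:
            return None  # no fresh code while the account is locked
        # An expired lock resets the count; otherwise failures carry over.
        failures = 0 if prev["locked_until"] else prev["failures"]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.state[account] = {"code": code, "expires": now + CODE_TTL,
                               "failures": failures, "locked_until": 0.0}
        return code

    def verify(self, account, submitted):
        now = self.clock()
        entry = self.state.get(account)
        if entry is None:
            return "no_code"
        if entry["locked_until"] > now:
            return "locked"
        if entry["code"] is None or entry["expires"] <= now:
            return "expired"
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            entry["code"], entry["failures"] = None, 0  # single use
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILURES:
            # Burn the code and lock the account for LOCK_SECONDS.
            entry["code"], entry["locked_until"] = None, now + LOCK_SECONDS
            return "locked"
        return "rejected"
```

With this budget an attacker gets at most five guesses per lock window, so `guess_success_probability(5)` bounds the per-window success chance at 5 in 1,000,000.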

Experts emphasized that the stolen password databases remain inaccessible to hackers without the victim's master password. Thanks to ZKP architecture and strong encryption, the data is protected from rapid cracking.

Since the vaults are now physically on the hackers' servers, they can utilize unlimited computing power for local cracking. This situation closely resembles the LastPass incident in 2022.

Vulnerability Found in Trezor Safe 7 Chip

Security chip developer Tropic Square revealed a vulnerability in its TROPIC01 product, used in the Trezor Safe 7 hardware cryptocurrency wallet.

The issue was discovered by the Ledger Donjon security research team during an independent audit. They successfully executed a Laser Fault Injection attack in a lab setting, which allowed them to bypass firmware signature verification and extract some secret data protected by the chip.

Based on Donjon's report, Tropic Square identified a complex method to exploit this vulnerability to extract another secret related to TROPIC01's PIN code functions.

Trezor representatives explained in a letter to ForkLog that even with this additional finding, compromising just the chip is insufficient to access the Trezor Safe 7 PIN code. Moreover, users' private keys and seed phrases are not stored on TROPIC01. To exploit this vulnerability, an attacker would need full physical access to the victim's wallet, expensive specialized equipment, and expert knowledge.

Trezor stated that users do not need to take any action, as the wallet's design effectively mitigates this risk in practice.

Chinese Hackers Target Europe

Since March 2026, attacks by the Chinese hacker group TA4922 have reached unprecedented intensity, and the group has expanded its targeting to organizations in Europe. This was reported by Proofpoint.

Previously, the group focused solely on East Asia, but recent campaigns have targeted commercial and government organizations in Germany, Italy, the UK, and South Africa.

Number of attacks by TA4922 by country. Source: Proofpoint.

Experts indicate that for initial system breaches, hackers use high-quality localized phishing lures mimicking payroll notifications, tax audits, VAT declarations, and messages from HR departments. In addition to email, the attackers seek contact with victims through messaging apps like WhatsApp, LINE, and Microsoft Teams.

In their latest attacks, they deployed a previously unknown remote access trojan called Atlas. This backdoor possesses a wide range of spying functions:

  • comprehensive system reconnaissance and fingerprinting;
  • targeted file exfiltration;
  • keystroke logging and screenshot capture;
  • audio and video recording through the victim's peripheral devices;
  • remote power management of the system.

Additionally, Atlas is equipped with sandbox bypass mechanisms: it checks registry keys and usernames for signs of Microsoft Defender Application Guard and the CExecSvc service.

The group also has a new loader, RomulusLoader, for stealthily launching remote administration utilities like AnyDesk and the popular Chinese tool SyncFuture. Concurrently, the use of the Python installer SilentRunLoader has been observed, aimed at stealing session cookies and passwords from Google Chrome.

Proofpoint suspects that TA4922 is using large language models (LLMs) to accelerate software development, as indicated by the abundance of specific comments and structural patterns in the code that are characteristic of AI.

Fraudsters Tricked AI Support into Transferring Rare Instagram Accounts

Some Instagram users lost access to their accounts due to a critical vulnerability in Meta's AI support architecture, according to BleepingComputer.

Attackers managed to bypass the platform's protective mechanisms, including two-factor authentication (2FA), by manipulating the AI assistant.

The attacker initiated the standard password recovery protocol, claiming that the account had been hacked. When Instagram's automated system requested identity verification via video, the hackers used a deepfake created from images of the victim.

According to reports, the attackers also employed a VPN to simulate the victim's usual geolocation, allowing them to bypass built-in server-side security checks. Afterward, the attacker forcibly changed the email address linked to the account and reset the password.

Compromised accounts included unique and short usernames like @hey, @korn, @e, and @f, as well as the profile of app researcher Jane Manchun Wong and a page previously used by the White House team during the Obama administration. The value of such rare digital assets on the black market is estimated at tens of thousands of dollars.

my instagram (@korn) was stolen overnight via the Meta AI exploit and was subsequently disabled.

it was Meta Verified, facial scan verified, and had 0 TOS violations.

the account is the sole source of my income.

i spent 6 hours trying to get human support and meta's support… pic.twitter.com/k5x846H8AG

— korn (@kornbuilds) June 1, 2026

Victims reported difficulties in regaining access to their accounts due to a lack of human support. The owner of the account @korn shared that he spent over six hours communicating with a chatbot that sent him four non-functional links in a row.

Meta's Vice President of Communications, Andy Stone, stated that "the issue has been resolved, and the security of affected accounts has been ensured," without providing further details.

InfoStealer in Minecraft Infected 116,000 Users

McAfee discovered a large-scale campaign called WeedHack, which has affected over 116,000 Minecraft users.

Experts report that the malware spreads through infected mods and clients, promoted via SEO poisoning in search queries and on YouTube.

WeedHack operates on a CaaS model. Its basic version is free and steals Minecraft session IDs, browser passwords, cryptocurrency wallet data, and Telegram and Discord account information. The premium version, priced at $5 per month, provides full remote access to the victim's PC.

Resource with the WeedHack malware. Source: McAfee.

Additionally, according to Have I Been Pwned, data from 64,000 users of the cheat service Atlas Menu for Grand Theft Auto V leaked online at the end of May. The incident resulted in the theft of email addresses, usernames, passwords, and IP addresses. The hacker posted the stolen database on GitHub.
