We’ve gathered the most important cybersecurity news from the past week.
- Ukrainian authorities seized $8.3 million in crypto assets from hackers.
- Analysts discovered a trojan with a complex delivery chain that substitutes crypto addresses in the clipboard.
- Kraken was extorted.
- The FBI recovered messages from Signal after the app was deleted.
Ukrainian Authorities Seize $8.3 Million in Crypto Assets from Hackers
Law enforcement in Ukraine arrested a member of an international hacker group responsible for cyberattacks in Europe and the U.S. This was reported by Prosecutor General Ruslan Kravchenko.
According to the investigation, the criminals used malware to steal confidential information and documents for ransom. The funds were transferred to crypto wallets, then cashed out and laundered in Ukraine, particularly through real estate and luxury goods purchases.
The estimated damage exceeded $100 million. More than 30 searches were conducted during the investigation, resulting in the seizure of assets worth approximately $11.1 million, including residential properties, vehicles, $1 million in cash, and around $8.3 million in cryptocurrency.
Authorities also located an accomplice responsible for laundering the funds.
Analysts Discover a Trojan for Crypto Address Substitution
A campaign distributing the ClipBanker trojan, which substitutes cryptocurrency wallet addresses in the clipboard, has been uncovered. This was reported by Kaspersky Lab researchers.
The malware disguises itself as a utility for redirecting application traffic through the Proxifier proxy server, commonly used by developers and system administrators.
According to analysts, a link to the infected GitHub repository ranks high in Google and Yandex search results.
The trojan is stealthily deployed during the installation of Proxifier using a fileless infection technique, in which the code runs only in memory. A scheduled task then runs a script stored in the registry, and that script reaches out to GitHub. From there, the chain retrieves a file containing code that is injected into fontdrvhost.exe to deploy the final payload.
The primary function of ClipBanker is to monitor the clipboard for cryptocurrency wallet addresses and substitute them.
Experts report that since early 2025, over 2,000 users of Kaspersky Lab have encountered this threat, primarily in India and Vietnam.
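The clipper behaviour described above (a wallet address in the clipboard silently replaced by a different address of the same type) leaves a recognisable trace in a clipboard event log. The following added example, which is not from Kaspersky Lab or the original article, shows a defender-side heuristic over a constructed event log; the address patterns, the two-second window and the sample addresses are assumptions for illustration.

```python
import re

# Assumed, simplified address patterns for the two families this heuristic watches:
# Bitcoin (bech32 "bc1..." or legacy "1..."/"3...") and Ethereum (0x + 40 hex chars).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_clipboard_swaps(events, window_seconds=2.0):
    """Flag clipboard changes where one wallet address is replaced by a different
    address of the same type within window_seconds. A user rarely copies two
    different addresses of the same chain within a couple of seconds; a clipper does.
    events: iterable of (timestamp_seconds, clipboard_text). Returns a list of
    (timestamp, original_address, replacement_address) tuples."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in events:
        if prev_text is not None:
            before, after = address_type(prev_text), address_type(text)
            same_chain = before is not None and before == after
            if same_chain and prev_text != text and (t - prev_t) <= window_seconds:
                alerts.append((t, prev_text, text))
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard event log (not real telemetry). The two bc1 addresses are
# the public BIP173 example addresses; the 0x addresses are made-up hex.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for Monday"),
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies the payee address
    (5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # swapped 300 ms later: clipper pattern
    (20.0, "0x" + "ab" * 20),                              # user copies an ETH address
    (45.0, "0x" + "cd" * 20),                              # a different one 25 s later: normal use
]

if __name__ == "__main__":
    for t, original, replacement in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={t}: clipboard address swapped {original} -> {replacement}")
```

Only the first pair is flagged; the Ethereum pair is far enough apart to pass as ordinary use, which is the trade-off a window-based heuristic makes.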
Kraken Extorted
Kraken's Chief Information Security Officer Nick Percoco reported several incidents involving employees that led to the exchange being extorted.
Kraken Security Update
We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never…
— Nick Percoco (@c7five) April 13, 2026
The criminals threatened to publish videos allegedly showing user data from the exchange.
According to the expert, Kraken's infrastructure was not breached, and client funds remained secure. He explained that the incident involved unauthorized access by support staff to restricted information.
Users whose data may have been affected by the leak were notified. Approximately 2,000 accounts (0.02% of the total client base) were impacted.
Percoco noted that in February 2025, a source informed the team about a video circulating in the cybercriminal community that demonstrated access to customer support systems. The investigation revealed that one support employee had been recruited by hackers, followed by a second similar incident.
Percoco assured that the exchange is actively cooperating with law enforcement in multiple jurisdictions and has provided them with collected evidence.
FBI Recovers Messages from Signal After App Deletion
The FBI recovered messages from the Signal messenger, even though they had been deleted and the app removed from an iPhone. This was reported by 404 Media.
In a court case regarding an attack on the ICE center in Alvarado, Texas, the FBI presented deleted messages from Signal as evidence. Reportedly, federal agents were able to recover data from the phone of defendant Lynette Sharp thanks to push notifications stored in iOS's internal database.
If Signal's settings allow message content to be displayed in notification previews on the lock screen, the text of those notifications remains stored in that database even after the app is deleted.
Signal has an option to prevent content from being displayed, but Sharp apparently did not utilize it.
Telegram co-founder Pavel Durov reacted to the news, stating that this is "yet another proof" that secret chats are the safest way to communicate.
Representatives from Signal confirmed receiving a request from 404 Media journalists but later stopped responding to inquiries. Apple declined to comment.
Obsidian Note-Taking App Becomes a Trojan Gateway
Experts from Elastic Security Labs discovered a campaign in which fraudsters use the Obsidian note-taking app as bait. The payload is a previously unknown trojan called PHANTOMPULSE.
The targets of the attacks are employees of financial and cryptocurrency organizations. The hacking scheme unfolds as follows:
- The attackers pose as employees of a venture firm.
- Communication shifts to Telegram, where several "partners" discuss specialized services, creating an illusion of legitimacy.
- The victim is invited to connect to a cloud vault in Obsidian, supposedly containing a shared analytics dashboard.
To execute the malicious code, the hackers rely on community plugins for Obsidian: Shell Commands (to run commands) and Hider (to conceal traces of the activity in the interface).
Since third-party plugins in Obsidian are disabled by default, the hackers convince the victim to enable them. The vault's malicious configuration then triggers the commands automatically.
On Windows, the attack runs a script that downloads and installs PHANTOMPULSE.
Its features include:
- it was created using AI;
- it uses the Ethereum blockchain as a Dead Drop Resolver (DDR), determining the command server address by decoding the latest transactions of a specific wallet;
- it collects telemetry, executes commands through code injection, takes screenshots, logs activity, can escalate privileges to SYSTEM level, and covers its tracks.
On Apple systems, the trojan runs AppleScript, with Telegram serving as the DDR, allowing hackers to change domains if detected.
Also on ForkLog:
- Drift received $127 million from Tether for compensating hacking victims.
- Ledger published a security roadmap in the era of AI agents.
- Fraudsters stole $9.5 million through a phishing app posing as Ledger in the App Store.
- The U.S. Department of Justice began compensating OneCoin victims.
- Regulators worldwide expressed concern over the capabilities of Anthropic's new AI model.
- A hacker breached the Hyperbridge and released 1 billion Polkadot tokens.
What to Read This Weekend?
Promises, billions raised, and harsh realities: in a new piece, ForkLog reflects on the evolution of layer-one blockchains that attempted to take Ethereum's place.
