We’ve gathered the most important cybersecurity news from the past week.
- Malware targeting macOS stole Telegram sessions and swapped cryptocurrency wallets.
- Hackers from Scattered Spider received prison sentences for hacking London's transport system.
- About 300 fake repositories on GitHub spread an infostealer.
- The U.S. charged operators of Russian Bulletproof hosting services Media Land and ML.Cloud.
Malware Targeting macOS Stole Telegram Sessions and Swapped Cryptocurrency Wallets
Experts from SlowMist revealed a sophisticated approach used by an infostealer for macOS to steal cryptocurrency. According to their findings, the malware intercepts authorized sessions in messaging apps and targets both software and hardware wallets.
Once on a device, the virus collects sensitive data: passwords from the macOS Keychain, cookies from Safari, hidden notes in Apple Notes, and databases from over a dozen cryptocurrency wallets and browser extensions.
How the malware operates:
- Account theft bypassing 2FA. The virus copies local session files from Telegram Desktop. This data allows hackers to access the victim's account on another Mac without entering a phone number, SMS code, or two-factor authentication password, as the system perceives the connection as a continuation of an already authorized session;
- Phishing. The software replaces legitimate applications for managing hardware wallets (Ledger Live and Trezor Suite) with exact copies. Their sole purpose is to trick users into entering their seed phrases.
According to specialists, the stolen databases are decrypted offline using passwords extracted from the infected Mac.
The infostealer targeted wallets such as Exodus, Atomic, Electrum, Wasabi, Monero, as well as full node clients (Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core).
SlowMist urged users who suspect their Mac has been compromised to immediately force close all active sessions in Telegram settings, reauthorize, and change their passwords. To safeguard their crypto assets, experts recommended generating a new seed phrase on a clean device and urgently transferring all funds there.
Scattered Spider Hackers Sentenced for Hacking London’s Transport System
A court sentenced two key members of the hacker group Scattered Spider to five years and six months in prison. This was reported by the UK’s National Crime Agency (NCA).
20-year-old Talha Jubair and 18-year-old Owen Flowers were found guilty of hacking the IT infrastructure of Transport for London (TfL) in August 2024.
The attack on TfL, which provides transport services for 8.4 million Londoners, led to a massive failure: 148 internal systems went offline, disrupting Dial-a-Ride services, concessionary travel pass orders, digital payments, and refund systems. All 27,000 agency employees had to change their workplace passwords.
The direct damage and recovery costs for TfL amounted to £29 million. Authorities estimate that if the hackers had managed to completely shut down the transport network, the UK economy could have lost up to £56 billion.
Both perpetrators were arrested by NCA officers in September 2024, two weeks after the hack. During searches of Flowers' devices, investigators found not only evidence related to the TfL case but also proof of preparations for cyberattacks on American healthcare companies Sutter Health and SSM Health Care Corporation.
The NCA described Scattered Spider as “the most serious cyber threat to the UK in recent years.” In addition to the transport system attack, the group faces numerous other criminal charges:
- Retail raids. In July 2025, the NCA arrested four more gang members involved in hacking major UK retail chains, including Harrods, Marks & Spencer, and Co-op;
- Charges in the U.S. In September 2025, the U.S. Department of Justice indicted Jubair in absentia. According to American investigators, from May 2022 to September 2025, he was involved in hacking at least 120 networks in the U.S., including critical infrastructure and court systems;
- Extortion. In just one year (from August 2024 to July 2025), Jubair and his associates extorted over $115 million from victims worldwide.
About 300 Fake Repositories on GitHub Spread Infostealer
Hackers deployed 292 fake repositories on GitHub disguised as popular antivirus software, developer utilities, cryptocurrency services, and gaming programs. This was reported by specialists from Arctic Wolf.
Each fake repository contained a README file with a link to a phishing landing page. The download page used dynamic templates and automatically adjusted its design and headings to match the brand the victim was searching for.
Users were prompted to download a ZIP archive, the contents of which were regenerated every minute to evade signature analysis. Inside was an updater with a digital signature from WinGUP and a library containing the trojan libcurl.dll. Upon execution, the malware loaded and operated solely in memory.
Source: Arctic Wolf.Analysis revealed that the attackers used a modified version of the BoryptGrab stealer. The virus did not attempt to persist on the system and stole:
- data from 19 browsers and 32 cryptocurrency wallets;
- local sessions from Telegram, Steam, and Discord tokens;
- contents of the Windows Credential Manager;
- files from the desktop and Documents folder if their names were related to passwords, backups, or seed phrases.
Experts highlighted a dangerous feature: the malware bypasses Google Chrome's protection by directly injecting code into the browser's process.
Stolen data is archived and sent to a command server based in Russia. By the time of the report's publication, GitHub administration had removed most of the fraudulent repositories.
U.S. Charges Operators of Russian Bulletproof Hosting Services Media Land and ML.Cloud
The U.S. Department of Justice charged three Russian nationals with operating Bulletproof hosting services — Media Land and ML.Cloud.
According to the investigation, their infrastructure was used by major ransomware programs, including Lockbit, Blacksuit, and Play, causing over $62 million in damages to organizations worldwide.
Bulletproof hosting services deliberately ignored any complaints about malicious activity and law enforcement requests to remove content. Criminals used Media Land and ML.Cloud servers to deploy command servers, conduct phishing campaigns, DDoS attacks, and spread malware. Their infrastructure was located in various countries, including the U.S., China, the Netherlands, and Finland.
According to the indictment, roles in the criminal group were distributed as follows:
- Alexander Volosovik (known on dark web forums as Yalishanda) — owner of the Media Land hosting;
- Yulia Pankova — owner of ML.Cloud, responsible for legal support and financial matters;
- Kirill Zatolokin — responsible for collecting payments from cybercriminals.
The group's activities affected residents in at least 20 U.S. states. Among the victims were banks, schools, hospitals, government agencies, and media companies.
In response, the State Department announced a reward of $10 million for any information that helps uncover connections between these individuals or their companies with foreign governments, as well as information about their malicious activities.
Last November, the U.S., UK, and Australia already imposed strict sanctions against the individuals and their companies. In July, the EU officially joined the sanctions, including Media Land, ML.Cloud, and Alexander Volosovik in its first joint cyber sanctions package against Russia with the UK.
One of OkoBot’s Modules Specialized in Stealing Seed Phrases
Experts from Kaspersky Lab discovered the malicious OkoBot framework, targeting Windows users since at least April 2025. One of its modules, SeedHunter, is aimed at stealing seed phrases from owners of Ledger and Trezor hardware wallets.
Unlike most viruses that simply delete the original software and replace it with a fake copy, SeedHunter operates more subtly. It injects malicious code directly into the internal processes of already installed legitimate applications Ledger Live and Trezor Suite.
The module scans USB ports on the computer and remains dormant until the user physically connects a hardware wallet to the PC. Once the system recognizes the device, SeedHunter blocks the interface and displays a fake window over the original application, demanding the user enter their seed phrase. Since the request comes from within the official program, users let their guard down.
According to specialists, OkoBot infiltrates the victim's device through fraudulent ClickFix notifications in the browser or trojanized repositories on GitHub.
Source: Kaspersky Lab.In addition to SeedHunter, the framework carries over 20 malicious payloads for surveillance:
- deploys hidden SSH tunnels and modifies system files for invisible access to the computer;
- installs hidden browser extensions (including the Rilide stealer);
- uses keyloggers and secretly records video from the screen in MP4 format every time the victim opens password managers (1Password), local wallets (Exodus), or tabs with MetaMask.
Researchers recorded hundreds of infections in more than 25 countries, with Brazil, Vietnam, Canada, and Mexico leading the way. Meanwhile, the attackers’ servers do not target IP addresses from Russia and CIS countries, and comments in Russian were found in the code of SeedHunter's phishing pages.
Study of 85 Browser Cryptocurrency Wallets Revealed Tracking, De-Anonymization, and Address Leaks
Researchers from the DistriNet research group at KU Leuven in Belgium analyzed 85 popular browser cryptocurrency wallets with a total audience of over 35 million users in the Chrome Web Store.
The audit showed that the architecture of most of them allows third-party trackers to link user addresses, track their movements across the network, and de-anonymize their identities. Experts emphasized that these are not vulnerabilities or hacks, but legitimate features and standard behavior of the programs.
During tests, they identified three key privacy issues:
- Address linking. 17 wallets transmitted data in a way that allowed the provider's server to combine different addresses of a single user into a single profile;
- Tracking after logout. 36 out of 85 wallets revealed their presence to websites, creating a digital fingerprint. Many Web3 applications and wallets also failed to revoke access properly after disconnection;
- De-anonymization through hidden frames. A tracking script can invisibly load a trusted Web3 application, obtain the wallet address, and link it to the user's name, email, or browsing history.
Researchers notified developers about the tracking issue before publishing their work. As of summer 2026, only Coinbase Wallet, Coin98, and Hana Wallet had implemented fixes. Most major players, however, refused to acknowledge the vulnerability:
- MetaMask closed the report as a duplicate, calling the issue a “known nuance” whose fix would “break too many existing Web3 applications”;
- Rabby stated that for an attack, the malicious script would need to be present on two sites simultaneously, which is “practically impossible,” thus claiming “no vulnerability exists”;
- OKX acknowledged the technical correctness of the researchers but closed the request as “informational,” since data leaks occur without direct theft of money;
- Bybit, Backpack, and Core classified the risks as low or beyond the scope of their bug bounty programs.
Experts recommended regularly checking extension settings and manually clearing the “connected sites” list, as well as using isolated browser profiles for different activities.
Also on ForkLog:
- A survey revealed gaps in the protection of corporate AI agents.
- Media reports: a leak revealed data sources for Suno.
- Summer.fi will shut down its interface after a $6 million hack.
- Bonzo Lend lost $9 million due to an attack on a price oracle.
What to Read This Weekend?
In a new article, ForkLog explores how on-chain analysis combines with open-source intelligence, the tools used by crypto detectives, and where the line is drawn between investigation and surveillance.
