Thai Crypto Billionaire's Escape, FBI Tokens, and Cybersecurity Events

We’ve compiled the most significant cybersecurity news from the past week.

• Thai investors have accused the head of 1000X of $42 million fraud.
• A co-founder of a $1 million crypto pyramid was arrested in Kyiv.
• The FBI seized websites of Iranian hackers following a massive attack on the medical sector.
• Nordstrom customers faced crypto fraud.

Thai Investors Accuse 1000X Head of $42 Million Fraud

Thai law enforcement is searching for billionaire and crypto pioneer Vorawat Narknawadi. This was reported by Thai PBS.

The case was initiated after users of the crypto platform 1000X filed a complaint with the police. The estimated damage is around 1.39 billion baht (~$42 million at the time of writing).

In March 2023, the SEC filed a complaint with the Cyber Crime Investigation Bureau, accusing Narknawadi of operating 1000X without a license. According to media reports, before launching his crypto business, he was the lead singer of the rock band DoubleDeep, whose members were actively involved in investments. Later, Narknawadi founded the Traderist community, where he provided free education on cryptocurrency trading to the public.

Thanks to investments, he has accumulated about 11,000 BTC since 2012. His company ACET was one of the fastest-growing in the industry.

Vorawat Narknawadi is listed among the top 5 Forex traders in Thailand. Source: Traders Union.

However, data from the Department of Business Development revealed another side of his activities. According to Creden Data, Narknawadi owns two companies: Bitnance Company (loss of ~30 million baht) and Great Begins Company (debt of ~5.8 million baht).

According to police, the billionaire has fled to the UAE, where he owns real estate, a hotel business, and other assets.

Co-Founder of $1 Million Crypto Pyramid Arrested in Kyiv

Ukrainian law enforcement has uncovered a group of scammers who organized a scheme to embezzle funds under the guise of crypto investments. A co-founder of the pyramid was arrested in Kyiv, reported the Cyber Police.

According to the investigation, since 2022, members of the group have established a network of financial pyramids across Ukraine. The fraudsters offered citizens the chance to invest in their own token, promising stable profits. In reality, profits were generated by attracting new investors, and payouts were made through a pyramid or binary commission system.

The founder and his wife promoted the project on Instagram, supported by other bloggers. The total damage caused by the scammers amounted to ~$1 million.

Law enforcement conducted searches at the suspects' residences in the Khmelnytskyi, Odesa, Chernihiv, and Poltava regions, seizing computer equipment, notes, and a vehicle.

One of the participants has been notified of suspicion of fraud, which carries a penalty of up to eight years in prison.

FBI Seizes Websites of Iranian Hackers After Major Medical Sector Attack

The FBI seized two websites used by the hacktivist group Handala following a devastating cyberattack on medical technology giant Stryker. This was reported by BleepingComputer.

No official statement has been released by law enforcement regarding the seizure. However, the DNS servers of the domains were switched to those typically used by the FBI during resource arrests.

According to media reports, Handala (also known as Handala Hack Team, Hatef, Hamsa) is an Iranian-linked hacktivist group that emerged in December 2023. Its operations are associated with the country’s Ministry of Intelligence and Security. It has participated in attacks on Israeli organizations using software designed to destroy data on Windows and Linux devices.

The seizures followed a massive cyberattack by Handala on March 11, 2026. The hackers compromised the Windows domain administrator account to reset around 80,000 devices, including personal computers and employees' mobile phones, to factory settings. According to the attackers, they managed to steal 50 terabytes of data before deletion.

After the incident, CISA urged American organizations to follow updated Microsoft recommendations to enhance security measures.

Nordstrom Customers Encounter Crypto Fraud

In the U.S., customers of the upscale fashion department store chain Nordstrom received fraudulent messages promising to double their crypto wallet balances. This was reported by BleepingComputer.

The emails claimed that the fraudsters would increase the cryptocurrency sent to a specified Bitcoin address by 200%. Victims were given two hours to act, creating a sense of urgency.

According to media reports, the messages came from an official source used by the company for marketing emails, indicating a security breach. Some customers noted that the email was sent to an address that had never been disclosed or leaked online.

As of March 18, the scammers had received over $5,600 in cryptocurrency. According to a blockchain explorer, the wallet contained only 0.00001386 BTC on March 20.

Scammers Distributing TRC-20 Tokens Posing as the FBI

On March 19, the FBI warned crypto investors about a new phishing scheme in which scammers were distributing fake tokens under the guise of the agency.

FBI New York encourages users of the Tron blockchain network to exercise caution if they encounter a token purported to be from the FBI. If you receive a token from an account with the details below, do not provide any identifying information to any website associated with such… pic.twitter.com/VF03sjM4VW

— FBI New York (@NewYorkFBI) March 19, 2026

Users received unknown TRC-20 standard coins labeled as "FBI tokens." Accompanying messages included ultimatums, claiming that the owner was suspected of money laundering and threatening to freeze their assets. To "avoid blocking," victims were directed to a third-party website for AML procedures and personal data disclosure.

The exact number of victims from this distribution is still being determined.

Also on ForkLog:

• The average loss from hacks in the crypto industry has reached $25 million.
• The hype around OpenClaw triggered a wave of phishing attacks on crypto wallets.
• The Lazarus group has been suspected of attacking the Bitrefill service.
• Venus Protocol lost $2 million due to manipulations with the THE token.

What to Read This Weekend?

In a new article, ForkLog explores why being away from gadgets and the internet is perfectly fine.