We’ve compiled the most significant cybersecurity news from the past week.

  • A prisoner managed to transfer $290,000 in cryptocurrency that had been confiscated from him.
  • Interpol intercepted $293 million and arrested nearly 6,000 individuals.
  • Researchers found that free VPNs often spy on users instead of protecting them from tracking.
  • The US authorities secretly paid hackers 9.4 BTC.

Prisoner Transfers $290,000 in Confiscated Cryptocurrency

Convicted Bulgarian citizen Rosen Yosifov orchestrated an illegal transfer of $290,000 in cryptocurrency while serving his prison sentence. The US Department of Justice reported that these assets had previously been confiscated.

In 2021, the Eastern District Court of Kentucky sentenced Yosifov, the owner of the cryptocurrency exchange RG Coins, to 111 months in prison for his involvement in a large-scale online auction fraud scheme that laundered approximately $5 million in cryptocurrency. The court also ordered him to pay over $2.6 million in restitution to the victims.

According to investigators, this new incident occurred in January 2024. While in custody, Yosifov conspired to move digital assets. To obscure his tracks and prevent authorities from recovering the funds, he routed transactions through multiple cryptocurrency exchanges and mixers.

If found guilty of the new charges, including concealment of assets and conspiracy, he could face up to 25 years in prison.

Interpol Intercepts $293 Million and Arrests Nearly 6,000 People

Interpol summarized the results of the global operation First Light 2026, aimed at combating transnational fraud and social engineering.

Law enforcement agencies from 97 countries participated in the coordinated efforts. The active phase of investigations and raids lasted from January 15 to April 30, 2026. The main targets were organized groups specializing in investment scams, business email compromise, romance scams, and extortion.

To effectively track and halt illegal financial flows, agencies actively utilized the I-GRIP (Global Rapid Intervention of Payments) mechanism. This system allowed investigators to quickly freeze not only traditional bank transactions but also transfers to cryptocurrency wallets.

As part of the operation:

  • 5,811 suspects were arrested;
  • assets worth $293 million were confiscated and intercepted;
  • the identities of over 15,600 alleged participants in criminal schemes were established;
  • more than 31,000 bank accounts and cryptocurrency wallets were blocked;
  • over 23,700 criminal cases were uncovered;
  • more than 142,000 victims were identified worldwide.

The agency's report highlights significant local incidents. One of the largest was uncovered by Thai law enforcement, who arrested two suspects involved in laundering proceeds from a romance scam. During the investigation, authorities discovered a cryptocurrency wallet that processed over $122.5 million in illegal funds in just 10 months. To obscure their tracks and complicate transactions, the criminal network converted fiat into digital assets and used complex cross-chain swaps.

In Sri Lanka, authorities conducted mass raids on local scam centers, arresting hundreds of their employees.

In Eswatini, local police, with the support of an operational group, dismantled a network involved in illegal online casinos and money laundering.

Source: Interpol.

During one of the searches, authorities discovered a realistic setup of a Brazilian police station, complete with fake uniforms, signs, and equipment, which was used for sophisticated video extortion schemes.

Researchers: Free VPNs Often Spy on Users Instead of Protecting Them

In a pilot study, researchers analyzed over 280 free VPNs from Google Play. The results were discouraging: many services failed to meet basic security tasks, with the total number of downloads for problematic apps exceeding 2.4 billion.

A group of researchers from the University of Michigan, the University of New Mexico, and the Indian Institute of Technology in Delhi used the MVPNalyzer platform, designed for automated auditing of mobile VPNs. During the traffic analysis, they identified critical architectural flaws:

  • Tunnel interception. Five apps downloaded configuration files via unencrypted HTTP protocol, allowing an attacker on the same network (e.g., public Wi-Fi) to replace the file and redirect all user traffic to a server controlled by hackers;
  • Data leaks. 29 apps (about 360 million installations) allowed DNS query leaks, revealing visited websites, while six services leaked browser traffic outside the encrypted tunnel. Four apps even established connections without encryption;
  • De-anonymization. 169 apps did not mask their traffic at all. Government censors or providers can easily identify and block such connections, although two-thirds of these services advertised successful circumvention of blocks.
Source: MVPNalyzer.

Experts noted that instead of protecting against tracking, free VPNs often spy on users. Over 80% of apps connected to advertising servers. Among them, 76 apps transmitted the device's unique advertising identifier (Advertising ID) and metadata (phone model, OS version, and screen parameters) to create a digital fingerprint. One app even sent precise GPS coordinates of the device to third-party servers.

When examining OpenVPN configurations, it was found that 89% of services used only one authentication method instead of two. One in five apps relied on outdated and vulnerable Blowfish and Triple DES ciphers, and several apps had tunnel encryption forcibly disabled.

Experts pointed out that “Verified” badges and security marks in Google Play often serve merely as marketing gimmicks and do not guarantee software reliability.

US Authorities Secretly Paid Hackers 9.4 BTC

On June 13, 2025, a government entity in the US (presumably the Union County administration in Ohio) paid cybercriminals from the Kairos group a ransom of approximately 9.44 BTC (~$1 million at the time of the incident). This was reported by researchers from Ransom-ISAC.

By analyzing negotiation logs and on-chain data, experts found that the hackers threatened to publish stolen confidential information about citizens. A distinctive feature of the incident was the hackers' complete abandonment of traditional ransomware; the infrastructure was not encrypted, and the attack was reduced to direct extortion based on the fact of leaking 2 TB of information.

The hackers' initial demand was $3 million. They pressured the victim, threatening to publish the prosecutor's office folder (which would help the criminals avoid prosecution), social security numbers, financial data, and fingerprints. After a month of negotiations, the amount was reduced to $1 million.

Upon receiving the payment, the criminals fragmented the transfer and routed the funds through a chain of wallets, directing them to deposit addresses linked to exchanges Bybit, OKX, and the Russian service BELQI.

As proof of the “deal,” Kairos provided only a list of files marked for deletion, which experts believe offers no real guarantees.

Excerpt from Kairos's correspondence with the victim after receiving the ransom. Source: Ransom-ISAC.

Experts noted a global shift in cybercrime tactics: hacker syndicates are increasingly moving towards pure theft and extortion, as this frees them from the need to maintain complex encryption software. The Kairos group has currently ceased public activity, but associated cryptocurrency wallets continued to move funds until May 2026.

Hackers Turned Users' Devices into Proxy Nodes to Conceal Actions and Subsequent Attacks

Hackers infected users' computers and smartphones, secretly turning them into residential proxy nodes, which were then rented out to other cybercriminals. The activities of the Lurking Lizard group were reported by experts from Infoblox.

To spread malware, hackers used installers of popular programs embedded with trojans. In one campaign, they distributed an infected version of the archiver 7-Zip through a domain with a name similar to the legitimate one. Additionally, the group disguised viruses as WhatsApp installers, video downloaders from TikTok and YouTube, and malicious VPN services. The hacker-associated mobile app wirevpn — Fast Unlimited Proxy has already surpassed 1 million downloads.

According to Infoblox, the Lurking Lizard infrastructure, operational since at least August 2022, consists of over 230 fake domains. The criminals actively intercept expired network addresses to use their history in search engines to promote malware.

After forming a large proxy botnet, the group moved to monetization. Lurking Lizard posed as well-known proxy providers: IPIDEA, SmartProxy, IP Royal, and 911Proxy. Additionally, they controlled a network of fake websites with “independent reviews” that redirected clients to underground stores.

Source: Infoblox.

Analysts noted that illegal proxy networks are becoming an increasingly serious threat. Foreign IP addresses are used to conceal traces of hacker attacks, which can lead to legitimate user traffic being blocked by providers or flagged as suspicious.

Also on ForkLog:

  • Socket found a key-stealing version of the Injective SDK in npm.
  • Researchers described the risk of botnets based on hallucinations of AI agents.
  • The EU reinstated the Chat Control message scanning regime.
  • Experts urged a review of old smart contracts due to AI.
  • Coinspect warned of a threat to thousands of cryptocurrency wallets.
  • An Ethereum user lost nearly 1 million USDT to phishing.
  • Researchers learned to slow down AI models with logical traps.
  • AI identified an anonymous text by Vitalik Buterin.
  • BonkDAO lost $20 million due to a malicious proposal.
  • CertiK estimated losses in the crypto industry from hacks at $1.32 billion over six months.
  • The DeFi protocol Summer.fi was hacked for $6 million.

What to Read This Weekend?

In the new "Cryptorium" cards, we discuss the emergence of federated systems and why they are now used not only by enthusiasts and advocates of anonymity but also by entire corporations, military, and government agencies.