Sumy’s fake bitcoin exchange, Telegram’s alleged FSB ties, and other cybersecurity news


We compiled the week’s key cybersecurity developments.

  • In Sumy, authorities detained the creator of a fake bitcoin exchange.
  • Citizens of three countries pleaded guilty to laundering $36.9 million in cryptocurrency.
  • INTERPOL arrested 32 cryptostealer operators.
  • Telegram responded to rumours about ties to the FSB.

Sumy police detain creator of a fake bitcoin exchange

The National Police of Ukraine in Sumy Oblast exposed the alleged creator of a counterfeit cryptocurrency exchange who pocketed funds under the guise of bitcoin trading.

According to investigators, a 23-year-old resident of Kyiv Oblast simulated real transactions with digital assets and kept the money. The total loss exceeded 7.6 million hryvnias (~$184,000).

During a search, police seized cash, a mobile phone and a Lexus.

Data: National Police of Ukraine.

The suspect was charged with particularly large-scale fraud.

Citizens of three countries plead guilty to laundering $36.9m in crypto

Five people from China, the US and Turkey pleaded guilty to taking part in an international criminal group and laundering more than $36.9 million from cryptocurrency investment scams, Bleeping Computer reported.

Based in Cambodia, the accomplices found victims via social networks and dating services and acted on behalf of Axis Digital Limited. Funds were sent to an account at Deltec Bank in the Bahamas and then converted to USDT.

Some defendants have been in custody since 2024. They pleaded guilty to facilitating the laundering of stolen funds through US shell companies, international bank accounts and crypto wallets. They face five to 25 years in prison.

INTERPOL arrests 32 cryptostealer operators 

Law-enforcement agencies in 26 countries, led by INTERPOL, blocked more than 20,000 IP addresses and domains linked to infostealer operators in Southeast Asia.

Forty-one servers with more than 100GB of data were seized; 32 people were arrested in Vietnam and Sri Lanka, including the leader of a group. Police found more than 300 million dong ($11,500) in cash.

The suspects are potentially tied to the RisePro, META Stealer and Lumma malware families, which steal browser credentials, passwords and cryptocurrency wallet contents.

Google patches potential phone-number leak

Researchers at Brute Cat reported a way to obtain Google users’ phone numbers via a legacy account-recovery form.

With JavaScript support disabled, two POST requests could reveal whether a phone number was linked to a Google account, based on the displayed profile name.

The flaw could have enabled wide-ranging phishing and SIM-swapping attacks.

Later, Google told Bleeping Computer it had patched the issue.

AI model defeated with a single character

HiddenLayer researchers reported a way to break LLM tokenization through input perturbation. A single extra character or a meaning-preserving word change let attackers bypass filters that detect malicious text input.

Data: HiddenLayer.

The attack is dubbed TokenBreak. Among tokenizers, only Unigram was not vulnerable.

Microphones leaked audio signals

Researchers at the University of Florida said that radio signals carrying recorded information, emitted while microphones in laptops, phones and smart speakers process audio, can be intercepted.

According to the team, microphones often switch on automatically during audio or video playback, regardless of user settings. Some remained active even when services appeared disabled, creating scope for persistent monitoring.

In experiments, the scientists achieved up to 94.2% accuracy in recognising spoken digits through a 25-centimetre concrete wall, with some transcriptions showing error rates as low as 6.5%.

Telegram responds to rumours of FSB ties 

Journalists at Vazhnye Istorii reported that Telegram’s server infrastructure is handled by Elektrontelekom and GlobalNet, which service secret FSB facilities. In their view, this gives those entities access to messages.

The investigation also claims that a vulnerability in the messenger’s protocol, allowing user activity and movement to be tracked worldwide, may have been created deliberately for Russia’s security services.

Telegram representatives, in a comment to the BBC, called the messenger a global company that “has contracts with dozens of different service providers worldwide,” but none of them “has access to data or confidential infrastructure.” 

“All Telegram servers are owned by Telegram and maintained by Telegram staff,” the company said.

They also added that the messenger “has never disclosed private messages to third parties, and its encryption has never been broken.”

Attack on QA job seekers nets hackers 14m rubles

Specialists at F6 reported a series of compromises of devices belonging to applicants for tester roles. Phishing ads were spotted in niche Telegram groups, social networks and on freelancer websites.

Victims were asked to install a malicious app that granted access to SMS and push notifications from banks.

Two scam groups using this scheme since April 2025 stole more than 14 million rubles from residents of Russia.
