Here are the week’s most important cybersecurity stories.
- A user lost $282m in cryptocurrency to a fake support agent.
- Phishers targeted users of the LastPass password manager.
- Thousands left Cambodia’s scam compounds.
- Authorities unmasked the leader of a ransomware gang.
A user lost $282m in crypto to fake tech support
On 10 January 2026 one of the biggest social-engineering heists was recorded: the victim lost bitcoin and litecoin worth $282m. On-chain sleuth ZachXBT drew attention to the case.
On January 10, 2026 at around 11 pm UTC a victim lost $282M+ worth of LTC & BTC due to a hardware wallet social engineering scam.
The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges causing the XMR price to sharply increase.
BTC was also…
— ZachXBT (@zachxbt) January 16, 2026
The user handed the seed phrase of a hardware wallet to a scammer posing as a Trezor support agent. With access secured, the hacker withdrew 2,050,000 LTC and 1,459 BTC.
The attacker used the decentralised protocol THORChain to convert the assets into Monero, triggering a local spike in the XMR price. ZeroShadow specialists quickly traced the transaction chain and froze about $700,000.
Phishers set upon LastPass users
On 20 January the developers of the LastPass password manager warned users about a new phishing campaign masquerading as maintenance notifications.
Attackers send emails urging recipients to create a backup of their password vault within 24 hours. The notice includes a link supposedly leading to a page for creating an encrypted backup, but clicking Create Backup Now redirects the user to a phishing site.
The aim is to steal victims’ master passwords. Specialists believe the malicious campaign began on 19 January.
Thousands leave Cambodia’s scam camps
In the past week thousands of people — including victims of human traffickers — left scam centres in Cambodia as authorities cracked down on crime. This was reported by the BBC.
Phnom Penh has launched a fresh effort to bring order to the scam camps — sprawling complexes where hundreds of people run fraud schemes that steal billions of dollars from victims around the world.
Experts say many end up in such places through deception, though some work there voluntarily.
On 15 January Cambodian authorities arrested businessman Kuong Ly on suspicion of illegal recruitment and exploitation, fraud and money laundering. In March 2023 he was the subject of a BBC Eye investigation into scam centres in South-East Asia.
The programme described a compound in the resort city of Sihanoukville owned by Ly. People working there were lured from other countries, forced to work at night and to engage in fraud.
Authorities unmask the leader of a ransomware syndicate
Law-enforcement agencies in Germany and Ukraine have identified the head of the Black Basta ransomware gang as a 35-year-old Russian, Oleg Nefedov. Interpol and Europol have placed the fraudster, known online as tramp and kurva, on their most-wanted lists, reports Ukraine’s Cyber Police.
Investigators linked Nefedov to the now-disbanded Conti syndicate; after a 2022 rebrand, Black Basta emerged as its direct successor.
During raids in the Ivano-Frankivsk and Lviv regions two members of the group were detained. They specialised in breaching secured systems and stealing passwords, providing initial access to the networks of large corporations and paving the way for data encryption and multimillion-dollar ransom demands.
Digital media and substantial sums in cryptocurrency were seized during the searches.
To date, Black Basta has attacked more than 700 organisations, including critical targets: Germany’s defence group Rheinmetall, Hyundai’s European arm and Britain’s BT Group.
Hackers target Chrome and Edge users
The KongTuke group has begun mass distribution of a malicious extension, NexShield, for Chrome and Edge, cybersecurity researchers at Huntress reported.
The malware poses as an ultra-light ad blocker. The extension intentionally overloads memory and CPU, freezing tabs and crashing the browser, pushing the user to seek a system fix.
After a forced restart, NexShield displays a fake security window offering to scan the system.
As a supposed remedy, the software suggests copying a command to the clipboard and executing it in the Windows command prompt. In reality this step runs a script that downloads a new remote-access trojan — ModeloRAT.
Experts say the main target is the corporate sector. The malware waits 60 minutes before acting to avoid suspicion and activates primarily on organisations’ domain networks. Once inside, ModeloRAT enables deep reconnaissance, registry changes, installation of third-party software and covert control of the victim’s computer.
Huntress researchers noted that simply removing the extension from the browser will not fix the problem, as the trojan sits deep in the system. PC owners are advised to run a full antivirus scan and never execute commands suggested by websites or extensions.
Zendesk’s helpdesk cloud floods users with spam after breach
Users around the world became targets of a mysterious wave of spam originating from unsecured systems of Zendesk’s cloud support service. On 18 January victims reported receiving hundreds of emails.
There’s some exploit or mass-scale abuse with @Zendesk right now… I just got EIGHT HUNDRED emails from them over the course of about an hour.
They’re all scams sent from different Zendesk instances. Many bypassed iCloud’s Junk filters. pic.twitter.com/nWXr2nFtg3
— Nick Oates (@nickoates_) January 18, 2026
The messages appear not to contain malicious links or blatant phishing. But the sheer volume and chaotic nature of the mailings alarm recipients.
The emails sport bizarre subjects: some mimic law-enforcement requests or takedown demands; others offer free Discord Nitro or plead “Help me!”.
According to BleepingComputer, the messages are generated by support platforms of companies that use Zendesk for customer service. Attackers found a loophole in a feature that allows unauthenticated users to submit requests and receive automatic replies.
Among the affected firms: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, the Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace and Lime.
Zendesk told the outlet it has introduced new security features to detect and block such spam in future.
Also on ForkLog:
- Hackers stole $48m in confiscated bitcoin from South Korea’s prosecutor’s office.
- Trove Markets’ developers executed a rug pull after the ICO.
- Former Alameda Research head Caroline Ellison will be released on 28 January.
- Hackers drained $7m from Saga, crashing its native stablecoins.
- SlowMist discovered a “future attack” in a Linux store.
- Chainalysis introduced a tool to automate threat tracking across blockchains.
- The Makina Finance DeFi protocol was hacked for $5m.
- Experts called a major hack “a death sentence” for 80% of protocols.
What to read this weekend?
Elena Vasilyeva invites ForkLog readers to don a tinfoil hat to understand how conspiracy theories became a foundation of the digital economy, why Larry Fink is scarier than reptilians, and what DYOR has in common with religious ecstasy.
