
A ‘free’ TradingView Premium hides a stealer, a record DDoS hits Cloudflare, and other cybersecurity news

We round up the week’s most important cybersecurity news.

  • Hackers hid a stealer in a fake TradingView Premium.
  • Researchers uncovered a stealer that targets crypto users.
  • Extortionists threatened to feed artists’ work to AI models.
  • A vulnerability was found in the control of Chinese robots.

Hackers hid a stealer in a fake TradingView Premium

Cybercriminals ran fake ads offering a free installation of TradingView Premium to deliver malware to victims’ Android devices, Bitdefender researchers reported.

The Brokewell malware appeared in early 2024. It has a wide range of capabilities, including theft of confidential data, remote monitoring and control of an infected device.

According to the researchers, the campaign targeted cryptocurrency users. It has been active since at least July 22, using about 75 ads localised for the Russian-speaking segment.

An example of the attackers’ ad. Source: Bitdefender.

When victims clicked the link, they were redirected to a site masquerading as the official TradingView page, which offered the malicious file tw-update.apk. After installation, the app requested Accessibility permissions. If granted, it opened a supposed system update window while the infostealer silently granted itself the required privileges.

The attackers also tried to obtain the phone’s lock-screen PIN by imitating an Android system prompt.

A prompt to enter the phone’s lock-screen PIN shown by the malware. Source: Bitdefender.

Experts noted the scheme targeted only mobile users: visitors from other devices saw harmless content.

According to Bitdefender, the fake app is an “extended version of the Brokewell malware” and supports the following functions:

Researchers found a stealer dangerous to crypto users

Researchers at F6 reported the Phantom Papa campaign discovered in June. Attackers sent emails in Russian and English with attachments containing the Phantom stealer.

The malware, which is based on the code of the CaaS (crimeware-as-a-service) tool Stealerium, lets operators steal passwords, banking and cryptocurrency information, and the contents of browsers and messengers.

The recipients of the stealer-laden emails were organisations from various sectors: retail, industry, construction and IT.

The report notes the use of lurid subjects such as “See My Nude Pictures and Videos”. Classic phishing lures also appeared, for example “Attached copy of payment No.06162025”.

A fragment of the attackers’ phishing email offering to download an archive. Source: F6.

When recipients unpacked and launched files with .img and .iso extensions from RAR attachments, the malware infiltrated the device. On execution, Phantom collected detailed information about the hardware and system configuration, and stole cookies, passwords, payment-card data from the browser, images and documents. The stolen data was delivered via Telegram bots such as papaobilogs.

Another risk for cryptocurrency holders is the Clipper module. In an infinite loop with a two-second interval, it read the clipboard. If the content changed, the malware wrote it to a file, then scanned the active window for terms linked to crypto services: “bitcoin”, “monero”, “crypto”, “trading”, “wallet”, “coinbase”.

If such terms were found, it searched the clipboard for wallet addresses using popular address fragments and replaced any found with preset attacker addresses.

Phantom also includes a PornDetector module. It can monitor user activity and, if it finds one of the strings “porn”, “sex” or “hentai”, take a screenshot. If the window remains active, the module then captures an image from the webcam.
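As an added, defender-side illustration of the Clipper behaviour described above (this is not code from the F6 report or from ForkLog): a detection routine run over a constructed clipboard timeline that flags the silent swap of one wallet address for another within a couple of seconds, and notes whether the foreground window carried one of the crypto terms the report lists. The address regexes, the clipboard-change hook timeline and the window titles are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes for two common formats (constructed regexes, illustrative only)
ADDRESS_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# Window-title terms the Phantom clipper reportedly looks for (from the F6 report)
CRYPTO_TERMS = ("bitcoin", "monero", "crypto", "trading", "wallet", "coinbase")

@dataclass
class Snapshot:
    ts: float      # seconds, as reported by a clipboard-change hook (constructed)
    content: str
    window: str    # title of the foreground window when the change happened

def address_kind(text: str) -> Optional[str]:
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return name
    return None

def find_swaps(snaps: List[Snapshot], max_gap: float = 3.0) -> List[Tuple[float, str, str, str, bool]]:
    """Flag an address replaced by a different address of the same kind within
    max_gap seconds: the footprint of a clipper polling the clipboard.
    Returns (ts, kind, original, replacement, crypto_related_window) tuples."""
    alerts: List[Tuple[float, str, str, str, bool]] = []
    for prev, cur in zip(snaps, snaps[1:]):
        kind = address_kind(prev.content)
        if kind is None or address_kind(cur.content) != kind:
            continue
        if prev.content == cur.content or cur.ts - prev.ts > max_gap:
            continue
        title = cur.window.lower()
        alerts.append((cur.ts, kind, prev.content.strip(), cur.content.strip(),
                       any(t in title for t in CRYPTO_TERMS)))
    return alerts

# Constructed timeline: the user copies an address; 1.8 s later the clipboard silently changes
SAMPLE = [
    Snapshot(0.0, "bc1q" + "q" * 38, "My Wallet - Browser"),
    Snapshot(1.8, "bc1q" + "z" * 38, "My Wallet - Browser"),
    Snapshot(10.0, "meeting notes", "Editor"),
    Snapshot(11.5, "0x" + "a" * 40, "Spreadsheet"),
    Snapshot(40.0, "0x" + "b" * 40, "Spreadsheet"),  # a normal second copy, 28.5 s later
]
```

A user who copies two different addresses within a few seconds will also trigger this, so in practice the alert is a signal to correlate with process activity, not a verdict on its own.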

Extortionists threatened to feed art to AI models

On August 30, alleged LunaLock extortionists posted on the Artists&Clients service about a breach, 404 Media reports.

The attackers demanded $50,000 in bitcoin or Monero from the owners of the art marketplace. Otherwise, they promised to publish all the data and pass the artworks to AI companies to train LLM models.

A countdown timer on the site gave the owners a few days to raise the sum. At the time of writing, the site is offline.

“This is the first case I have seen of threat actors using the threat of training AI models as an element of their extortion tactics”, said Flare senior cyber threat analyst Tammy Harper in a comment to 404 Media.

She added that such tactics may prove effective against artists given the sensitivity of the issue.

A vulnerability found in the control of Chinese robots

On August 29, a cybersecurity specialist going by BobDaHacker disclosed issues in the security of a leading global supplier of commercial robots. The vulnerability allowed machines to obey arbitrary commands.

Pudu Robotics is a Chinese manufacturer of robots for a wide range of tasks in industry and public places.

BobDaHacker found that administrative access to the robots’ control software was left unlocked. According to him, an attacker needs only to obtain a valid authorisation token or create a test account intended for trials before purchase.

After initial authentication, there were no additional security checks. An attacker could redirect food deliveries, disable an entire fleet of restaurant robots, or make other disruptive changes, such as renaming robots to complicate recovery.

Cloudflare withstands a record DDoS attack

Cloudflare blocked the largest recorded DDoS attack, which peaked at 11.5 Tbps, the network services provider said on September 1.

“Cloudflare’s defenses have been working overtime. Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, the largest of which reached peaks of 5.1 billion packets per second and 11.5 Tbps”, the company said.

The record attack lasted roughly 35 seconds and combined traffic from multiple IoT devices and cloud providers.
