A 'honey‑smeared' scam token, crypto billions stolen from Russia, and other cybersecurity news

We have compiled the week’s most important cybersecurity news.

  • Telegram users were warned about a scam token pre‑market.
  • Shard estimated the volume of crypto stolen from Russians.
  • Russian bloggers were added to OKVED; miners are next.

Telegram users warned about a scam token pre‑market 

A honeypot scheme has spread across Telegram channels: its creators first build trust by posting “useful” market content, then pivot to shilling scams. This was reported by Vklader.

According to the outlet, one example of a fake token is Flowdesk (FWD), whose pre‑market is being pushed by the “Grossmeister” channel with more than 35,000 subscribers. Buyers are pointed to the non‑custodial platform PancakeSwap. 

“Creating tokens on such platforms does not require real assets or technology. Fraudsters actively exploit this by issuing tokens with grand promises and misleading people. It is often found that attempting to sell the token incurs a 100% fee,” warned the authors of “Vklader”.

Shard estimated the volume of crypto stolen from Russians

The total losses to Russian residents from crypto theft in 2024 potentially exceeded $150 million (around 15 billion rubles at the exchange rate at the time of publication). This was reported by RBC, citing analysts at Shard.

Their calculations are based on the industry losing more than $2.16 billion last year in over 160 major attacks. Analysts derived the amount stolen from Russians from their approximate share of the global crypto market — about 7%.

The company collected data itself from open sources, but a precise estimate is difficult. According to the Interior Ministry, only 30% of victims report such crimes, and incidents may occur outside Russian jurisdiction. 

Darknet service offers illegal requests in the name of government agencies, paid in bitcoin

Researchers at Meridian Group reported the use of compromised law‑enforcement and government accounts to send emergency data requests to major online platforms. 

Hackers offer a turnkey service with payment in bitcoin or Monero. In return, customers receive a step‑by‑step playbook, guaranteed processing of the request and rapid delivery of data.

Analysts noted that beyond individual actors, ransomware gangs are also showing interest.

Coinbase to fix misleading account‑activity notifications

Clients of the Coinbase cryptocurrency exchange suspected account compromise due to a misleading account‑activity entry. This was reported by Bleeping Computer.

Users said that after receiving phishing emails purporting to be from Coinbase, they logged in and found numerous “second_factor_failure” or “2FA not passed” entries, with login attempts from unusual locations.

Screenshot of the Coinbase account interface. Source: Bleeping Computer.

Many feared the exchange had been hacked — they changed passwords and scanned for malware. It later emerged that such activity log entries appear not only when an incorrect 2FA code is entered, but also when the password is wrong.

The Coinbase team is considering changing the wording of the notifications, but gave no timeline.

Cryptominers spotted in VS Code extensions

ExtensionTotal researcher Yuval Ronen found ten VS Code extensions that infect Windows devices with cryptocurrency miners. 

The malicious development tools appeared on Visual Studio Marketplace on 4 April 2025 and amassed more than 800,000 installs. The expert believes the figures were artificially inflated to give the extensions an appearance of legitimacy and popularity.

After installation and activation, a PowerShell script disables protections, escalates privileges and ultimately downloads the XMRig miner for Monero.

On 8 April, Microsoft representatives said they had removed the extensions and blocked the publisher on VS Marketplace. No further action is required from users.

Experts examined a new version of a crypto‑stealing trojan 

CYFIRMA researchers found a new version of Neptune RAT on GitHub. It comes with a cryptoclipper, ransomware, a password stealer capable of extracting credentials from more than 270 applications, and real‑time desktop monitoring.

The trojan can generate direct PowerShell commands from its builder and effectively bypass traditional security measures. It can detect virtual machines and persists on a victim’s device by modifying the Windows registry and adding itself to the task scheduler.

Experts say Neptune RAT poses a significant risk to individuals and organisations.

Spain makes arrests over an investment crypto scam

Spain’s National Police arrested six members of a criminal organisation that allegedly stole more than €19 million from 208 victims under the guise of crypto investments. Among those detained was the gang leader, who had planned to flee to Dubai.

The cybercriminals lured victims with AI‑based online ads using the names of well‑known national figures. They purportedly promised a “profitable income” from digital assets.

Officers seized numerous mobile phones, computers, hard drives, a mock weapon and documentation from the home of the main suspect.

More than €100,000 of the losses has been frozen.

Russian bloggers added to OKVED; miners may be next

From 1 May, individual entrepreneurs and companies in Russia that distribute information or advertising on social networks must add the relevant OKVED codes to their registration data.

MP Anton Gorelkin backed the initiative on his Telegram channel, saying that collecting statistical and economic information would help the state fight fakes and manipulation.

“I hope the classification will soon be expanded for other economic actors as well. For example, some market participants in data centres dream of their own classifier. What seems far more pressing to me is introducing an OKVED code for cryptocurrency miners,” he noted.

The official has already sent the relevant request to Rosstandart.

Earlier, Gorelkin said that owners of Telegram channels registered in the Roskomnadzor list (with audiences of 10,000 subscribers or more) can use the Trustchannelbot to obtain the relevant label.

In effect, this is a “third‑party” verification feature; there is no official requirement to use the bot.

What to read this weekend?

We discuss anonymous crypto exchange and more in the first public interview with the developer of BestChange.
