
A printer with a sting, the Dior breach and other cybersecurity highlights
We collected the week’s most important cybersecurity news.
- Procolored printer drivers contained a cryptocurrency stealer.
- In the US, 12 suspects in $263m crypto fraud were arrested.
- Dior confirmed a cyberattack and data leak.
- Telegram purged casino bots.
Procolored printer drivers hid a crypto-stealer
For at least six months, the official software bundled with Procolored printers included a remote-access trojan and a cryptocurrency stealer. The first to flag it was YouTube blogger Serial Hobbyism.
When a user installed the drivers for the Procolored V11 Pro UV printer, their antivirus detected the Floxif USB worm on the computer.
External experts helped the blogger determine that the companion software for at least six printer models (F8, F13, F13 Pro, V6, V11 Pro and VF13 Pro), hosted on the Mega file-sharing platform, contained the XRedRAT trojan and the SnipVex clipper. The latter infects .exe files and swaps Bitcoin addresses copied to the clipboard for the attacker's own.
The address used by SnipVex to siphon stolen cryptocurrency received about 9.308 BTC (~$1m at the time of the report).
The malicious packages have been removed and an internal investigation has begun.
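To show what a clipper of the kind described above actually does to a payment, and the check a wallet or payment form can run against it, here is an added example (not code from the article, from Procolored or from the malware). The address shapes, the attacker addresses and the sample clipboard text are all constructed for the demo; the names `clipper_rewrite`, `clipboard_tampered` and `extract_addresses` are ours.

```python
import re

# Shape check for mainnet Bitcoin addresses: legacy Base58 (prefix 1 or 3)
# and bech32/bech32m (prefix bc1). No checksum is validated on purpose: the
# attacker's replacement address is itself a valid address, so a checksum
# would not reveal the swap.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b"
)

# Constructed placeholder attacker addresses, one per format (not real wallets).
ATTACKER_ADDRESSES = {
    "legacy": "1AttackerSwappedAddrXXXXXXXXXXXXXX",
    "bech32": "bc1qattackerswappedaddrxxxxxxxxxxxxxxxxxxxxxx",
}


def extract_addresses(text: str) -> list:
    """Return every Bitcoin address found in text, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def clipper_rewrite(clipboard_text: str, attacker_addresses: dict) -> str:
    """Model of a clipper's action on each clipboard update: every address is
    replaced with an attacker address of the same format, so the text still
    looks like a normal payment request to a casual glance."""
    def replace(match):
        found = match.group(0)
        kind = "bech32" if found.startswith("bc1") else "legacy"
        return attacker_addresses.get(kind, found)
    return BTC_ADDRESS_RE.sub(replace, clipboard_text)


def clipboard_tampered(copied: str, clipboard_now: str) -> bool:
    """Defensive check for a wallet or payment form: compare the addresses the
    user actually copied with those the clipboard holds at paste time.
    Any difference means something rewrote the clipboard in between."""
    return extract_addresses(copied) != extract_addresses(clipboard_now)


# Constructed sample clipboard content; the payee address is a placeholder.
SAMPLE_COPIED = "Pay 0.05 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 for invoice 42"

if __name__ == "__main__":
    poisoned = clipper_rewrite(SAMPLE_COPIED, ATTACKER_ADDRESSES)
    print(poisoned)
    print("tampered:", clipboard_tampered(SAMPLE_COPIED, poisoned))
```

The comparison has to be character-for-character over the whole address: a clipper produces a full, valid address, so checking only the first and last few characters, or relying on the wallet's checksum validation, does not catch it.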
US arrests 12 over crypto fraud totalling $263m
US authorities have charged 12 individuals in a cybercriminal conspiracy involving extortion, fraud and money laundering that netted more than $263m.
According to the Department of Justice, from October 2023 to March 2025 the group of American and foreign nationals carried out database breaches, phishing, and home burglaries aimed at stealing hardware crypto wallets.
The proceeds were spent at nightclubs, on private-jet rentals, hired security and sports cars priced up to $3.8m. Some $9m went on exotic cars and another $4m on parties.
Part of the scheme was exposed by on-chain sleuth ZachXBT, who in August 2024 tracked the theft of nearly 4,100 BTC from an early crypto investor.
The investigation is ongoing.
Dior confirmed a cyberattack and data leak
The French luxury brand Dior said that on May 7 it identified a cybersecurity incident in which an unauthorised party accessed some customer information.
The affected data include names, gender, phone numbers, email addresses, postal addresses, purchase history and preferences. The company said the database did not contain account passwords or financial information such as bank details, card data or IBANs.
Steps have been taken to contain the breach, and an investigation is under way with cybersecurity experts. The data-protection authority and affected customers have been notified.
The number of affected customers and their regions have not been disclosed.
Telegram purged casino bots
The Telegram messenger removed the platform’s largest gambling project, @CasinoBot. The broad sweep also hit several other major projects with audiences in the millions, the “Durov’s Code” channel reported.
Before that, Telegram had blocked search for keywords such as “casino”, “freespin” and “казино” (Russian for “casino”), cutting such projects off from organic traffic.
Telegram is reportedly tightening content moderation amid rumours of a possible IPO, aiming to minimise potential regulatory complaints.
Alleged BlackDB admin extradited to the US from Kosovo
A 33-year-old Kosovo citizen, Liridon Mazurika, has been extradited to the US on charges of running the cybercrime marketplace BlackDB, active since 2018, the Department of Justice reports.
According to prosecutors, he was the lead administrator of the platform, which sold compromised accounts, server data, stolen credit-card numbers and personal information on individuals, most of them US citizens.
The first court hearing has already taken place. He was charged with five counts of fraudulent use of unauthorised access devices and one count of conspiracy to commit fraud, and faces up to 55 years in prison.
Meanwhile, in Moldova a 45-year-old “foreign citizen” was arrested on suspicion of using the DoppelPaymer ransomware.
Authorities believe that in 2021 the suspect was behind a series of cyberattacks on Dutch organisations. One victim was NWO, which suffered losses of around €4.5m.
Officers seized an e-wallet, €84,800, two laptops, a mobile phone, a tablet, six bank cards and several storage devices. He remains in custody pending extradition to the Netherlands.
A third of Russian courts’ archive disappeared after a cyberattack
About a third of the case archive (89m records) was deleted from the “consolidated database” of the GAS “Pravosudie” (State Automated System “Justice”) court system after a mass outage in October 2024, according to a report by Russia’s Audit Chamber.
The Telegram channel “If We’re Precise” explains that the missing cases should remain on the websites of district and magistrates’ courts, but “you won’t be able to collect them without special tools”.
According to the report, the last external security assessment of the GAS “Pravosudie” websites was conducted in 2015; the system has never been fully updated and runs on “technically outdated foreign software products”.
The courts’ websites came back online only a month after the cyber incident. The Ukrainian group BO Team claimed responsibility.
Also on ForkLog:
- The former head of the DeGods project lost 16 NFTs to theft worth $19,000.
- Analysts outlined the timing of movements of stolen cryptocurrencies.
- AMLBot found a vulnerability in the blocking system of Tether wallets.
- Coinbase disclosed a data theft and refused to pay a $20m ransom.
- The scam marketplace Haowang shut down after its Telegram channels were blocked.
- Curve Finance confirmed a compromise of its DNS server.
- Charles Hoskinson announced a privacy-focused stablecoin on Cardano.
- Ledger regained control of its Discord channel after a hack.
- An expert suggested the emergence of “dark stablecoins”.
- In Las Vegas, teenagers kidnapped and robbed a crypto investor.
- Prosecutors in the Samourai Wallet case refused to drop the case despite orders.
What to read this weekend?
We unpack DePAI — a new trend in the machine economy — and its potential risks.