
AI face clones of Binance users, a Telegram bug spat, and other cybersecurity developments
We compiled the week’s most important cybersecurity news.
- Binance warned of attempts to clone customers’ faces with AI.
- Telegram denied the existence of a “session invalidation” vulnerability.
- An alleged serial bitcoin extortionist was charged in the US.
Binance warns of AI-powered face cloning attempts
Fraudsters are using AI to clone the faces of Binance customers to bypass biometric checks and steal assets, the platform’s team warned users.
Attackers build fake 3D face models from publicly available or stolen photos and videos. Biometric bypasses are often paired with attempts to crack the password and 2FA.
Attacks on unsecured phones and desktop computers with access to Binance can be carried out remotely via malware.
The exchange says it is actively tracking the threat and urges users to stay vigilant.
Telegram denies a “session invalidation” vulnerability
The author of the Telegram channel “IT ? Digital” said he found a vulnerability in the messenger that allows access to user accounts without a password or MFA, and notified the developers.
He says the issue arises when authorising through the Telegram widget on third-party sites, especially in the in-app browser. Such authorisations can create elevated sessions—they allow reading chats and accepting calls without entering the cloud password and without notifying the account owner.
The main risk, he added, is that an attacker can intercept an authorisation token and use it on their own device. He believes this bug caused the theft of cryptocurrency worth 200 million roubles (~$3 million) from his client in early 2025.
To mitigate the risk, he advised users to clear the in-app browser history and disable all active web sessions and widgets.
Telegram officially denied the vulnerability, arguing the researcher misinterpreted how different authorisation types work. The specialist, in turn, maintains that the company’s response contradicts his video.
Alleged serial bitcoin extortionist charged in the US
The US Department of Justice charged a Yemeni national—believed to be the developer and main operator of the Black Kingdom ransomware—in connection with 1,500 attacks on Microsoft Exchange servers.
From March 2021 to June 2023, 36-year-old Rami Khaled Ahmed and accomplices allegedly infected networks with the encryptor and demanded $10,000 in bitcoin. Victims included a medical company in Encino, a ski resort in Oregon, a school district in Pennsylvania and a clinic in Wisconsin.
Authorities said Black Kingdom was built specifically to exploit a vulnerability in Microsoft Exchange Server to access target computers.
On charges of conspiracy, intentional damage to a protected computer and threatening to do so, Ahmed faces up to 15 years in prison.
iPhone owners targeted by spyware
Apple notified users in more than 100 countries of a widespread attack using government spyware, TechCrunch reported.
Victims include Italian journalist Ciro Pellegrino and Dutch right-wing activist Eva Vlaardingerbroek.
The spyware can access personal data, messages, the microphone and the camera without the owner’s consent. It is not yet clear which group is behind the targeted attacks.
Users who received warnings are advised to update iOS immediately to version 18.4.1 and enable Lockdown Mode for extra protection.
TikTok fined €530m for sending EEA data to China
Ireland’s Data Protection Commission (DPC) fined TikTok €530 million (over $601 million) for unlawfully transferring personal data of users from the European Economic Area to China in breach of the EU’s data-protection rules.
The watchdog also cited a lack of transparency.
TikTok was ordered to bring its processing into compliance within six months. The DPC plans to suspend all data transfers to China if the company misses the deadline.
RansomHub ransomware operation goes dark
Group-IB specialists reported that the online infrastructure of the RansomHub extortion group “for unexplained reasons” ceased operating on April 1.
#RansomHub’s operation went dark on April 1st—coinciding with a surge in disclosures by rival #Qilin suggesting that affiliates might have migrated, highlighting the volatile nature of RaaS ecosystems. #CyberSecurity pic.twitter.com/1WrwvUC8xE
— Group-IB Global (@GroupIB) April 30, 2025
Some experts attributed this to “an exodus of many participants” after a slowdown in the syndicate’s activity since November 2024. The problems intensified when the rival RaaS group DragonForce claimed RansomHub had decided to move to its infrastructure as part of a new ransomware “cartel.”
Some affiliates may have shifted to Qilin, given a twofold increase in disclosures on its leak site since February.
By some estimates, over roughly a year of operations, RansomHub’s operators stole data from more than 200 victims. This RaaS group replaced the shuttered LockBit and BlackCat and attracted their partners, including Scattered Spider and Evil Corp, with favourable splits of ransom proceeds.
Fraudulent “virtual cards” surface on Telegram
Russian Telegram users have encountered a scam offering “virtual cards” purportedly for overseas purchases and subscriptions, RIA Novosti reported, citing the State Duma.
Scammers lure victims with instant account creation and bonuses.
To apply, would-be victims are asked for a name and phone number, and sometimes a passport—depending on the story. They are then given details of non-existent cards, while the fraudsters gain access to real banking data under the pretext of a “top-up” or “linking.”
Also on ForkLog:
- The EU will ban privacy tokens by 2027.
- No longer 18+. Civitai faced criticism after censoring content.
- The Kraken team uncovered a DPRK spy among job applicants.
- The US intends to cut the fraudulent Huione platform off from banks.
- Media reported on a collusion probe into market makers at Movement Labs; a co-founder was suspended.
- CoinGecko analysts recorded the death of 50% of crypto assets.
- 92% of April revenue for crypto criminals came from phishing.
- Fraudsters targeted Ledger users with paper mail.
- OFAC was barred from reinstating sanctions against Tornado Cash.
- Crypto criminals’ transfers to “risky” addresses reached $649 billion.
- A suspected $330 million bitcoin theft buoyed Monero’s price.
- Reporters caught Meta’s AI bots in “grooming” minors.
- Hacker Loopscale offered to return $5.8 million for a bounty.
- Bitget accused eight traders of manipulating VOXEL for $20 million.
What to read this weekend?
In an interview with ForkLog, Bitget CEO Gracy Chen discussed hacks and manipulation in the crypto market, and offered forecasts for the industry.