AI installers demand Monero, Trickbot’s leader unmasked, and other cybersecurity news


We have compiled the week’s key cybersecurity stories.

  • Dark Partners hackers were tied to a network of fake crypto wallets and trading apps.
  • Trickbot’s leader was unmasked in Germany.
  • A fake AI tool demanded $50,000 in Monero.
  • A new service claimed it can locate where YouTube commenters live.

Dark Partners linked to a network of fake crypto wallets and trading apps

Researcher g0njxa detailed Dark Partners, a group engaged in large-scale theft of digital assets.

The hackers run numerous sites that distribute stealers disguised as AI services, VPNs and crypto software. Among the latter are fake builds of TradingView, MetaTrader 5, Ledger, Exodus, Koinly, AAVE and Unusual Whales.

The malware scans victims’ devices for previously installed wallets — Electrum, Coinomi, Exodus, Atomic Wallet, Wasabi, Ledger Live, MetaMask and others. The hackers also collect host information, credentials, private keys and cookies for resale.

g0njxa suggested Dark Partners use purchased code-signing certificates for Windows malware builds.

Trickbot’s leader unmasked in Germany

Germany’s Federal Criminal Police Office (BKA) identified the leader of the Trickbot and Conti hacking groups, known as “Stern”, as 36-year-old Russian national Vitaliy Kovalev. He was put on a wanted list on charges of forming a criminal organisation and is believed to be hiding in Russia.

Vitaliy Kovalev. Source: U.S. Secret Service.

In February 2023, Kovalev was one of seven individuals sanctioned by the United States for links to Trickbot and Conti. He was described at the time as a senior figure in the groups.

According to the BKA, Trickbot had more than 100 members. In total it is responsible for infecting several hundred thousand systems worldwide, causing damage worth hundreds of millions of dollars.

Fake AI installers demand $50,000 in Monero

Cisco Talos researchers found that malware is being distributed under the guise of legitimate AI-tool installers: the CyberLock and Lucky_Gh0$t ransomware, as well as the Numero wiper.

CyberLock’s operators claim they have full access to confidential business documents, personal files and databases. They demand $50,000 in Monero for a decryption key, pledging to direct the sum to humanitarian aid in various countries.

CyberLock ransom note. Source: Cisco Talos.

The operators threaten to publish the data if payment is not made within three days. However, analysts found no evidence of data-exfiltration functionality in the ransomware's code.

Lucky_Gh0$t follows a similar playbook. Numero, meanwhile, manipulates the GUI — overwriting window and button content with numeric sequences, rendering the operating system unusable.

Netherlands links AVCheck admins to cryptor services

Dutch police, with support from U.S. counterparts, took down the AVCheck service, used by cybercriminals to assess how stealthy their malware is against commercial antivirus tools.

Domain seizure notice. Source: Bleeping Computer.

Investigators also linked the site’s administrators to the cryptor services Cryptor.biz and Crypt.guru. The former’s domain was seized; the latter is offline.

Such services help malware operators encrypt or obfuscate payloads, making them part of the same ecosystem.

Undercover agents posing as customers helped shutter the services.

New tool claims it can locate YouTube commenters’ homes

A service called YouTube-Tools has appeared online. It can find all of a user’s comments on the platform and, using AI, compile a profile with a presumed home location, languages, interests and political views, according to 404 Media.

The tool was initially created to study League of Legends usernames, but its capabilities expanded after switching to a modified LLM from Mistral.

According to the developer, YouTube-Tools is intended for law enforcement. In practice, anyone can access it after registration for about $20 a month.

Experts warned the tool could pose a serious privacy risk.

Britain announces cyber force overhaul

UK Defence Secretary John Healey outlined government plans to create a cyber command to defend the country from hacker attacks and to help the military organise such operations themselves, the BBC reported.

The new structure will modernise targeting and coordination systems for army units using AI technologies. The budget is £1 billion ($1.3 billion).

The cyber command will also play a leading role in electronic warfare, intercepting enemy communications and jamming drones.

Over the past two years, UK authorities have faced roughly 90,000 cyberattacks by foreign intelligence services, mainly from Russia and China.

Also on ForkLog:

What to read this weekend?

We examine the loopholes that Ethereum’s account abstraction has opened up for cybercriminals.
