
Arrests of Roblox account thieves near Lviv, a hack of a Chinese task scheduler for mining, and other cybersecurity developments

A round-up of the week’s most important cybersecurity news.

  • Law enforcement mounted operations against scam centres in Europe, the UAE and Thailand.
  • Researchers found a phishing kit with AI features.
  • Hackers from Drohobych sold Roblox players’ credentials for nearly ₴10m.
  • A critical flaw in ransomware software causes irreversible data loss.

Law enforcement targeted scam centres in Europe, the UAE and Thailand

In a joint operation, authorities from the US, China, the UAE and Thailand shut down nine cryptocurrency scam centres and arrested 276 suspects. The US Department of Justice published the report.

Those detained in the UAE and Thailand ran “pig butchering” schemes. Once victims agreed to invest, they lost access to the “invested” cryptocurrency. The criminals also urged them to borrow from relatives and take out loans.

Myanmar national Thet Min Nyi has been charged with conspiracy to commit fraud and money laundering. Investigators allege he served as a manager and recruiter for a criminal outfit known as Ko Thet Company. Members of the Sanduo Group and Giant Company also await trial. 

In Europe last week, authorities dismantled a scam network that is believed to have caused more than €50m in losses to victims worldwide.

The joint Europol-Eurojust operation, launched in June 2023, led to the arrest of ten suspects and searches at three call centres and nine private residences in Austria and Albania.

Scam centre in Tirana. Source: Europol.

According to investigators, victims were lured to bogus investment platforms via search-engine and social-media ads. In reality, funds were routed into an international money-laundering scheme. In a second wave of fraud, the criminals recontacted “clients” offering help to recover lost assets, demanding a further €500 in cryptocurrency as an upfront fee.

The scam network was registered as a legitimate business with 450 employees. Operators worked in language-based teams of six to eight, earning around €800 per month plus bonuses.

Researchers found a phishing kit with AI features

Cybersecurity specialists at Varonis uncovered the Bluekit phishing toolkit. It offers attackers more than 40 templates imitating popular services and includes a built-in AI assistant to draft malicious campaigns.

The kit provides scripts targeting email (Outlook, Hotmail, Gmail, Yahoo, ProtonMail), iCloud, GitHub and the Ledger crypto wallet.

Bluekit’s main draw is its AI Assistant panel, which supports multiple models, including Llama, GPT-4.1, Claude, Gemini and DeepSeek. The tool helps cybercriminals compose phishing emails.

Varonis believes the feature is experimental. A test attack draft had a useful structure but contained generic link fields, placeholders for QR codes and text requiring polishing before use.

Source: Varonis.

Beyond AI, Bluekit folds management of the entire attack lifecycle into a single console:

Source: Varonis.

The platform can track victims’ sessions in real time, including cookies, local storage and the state of the active session post-login. This helps attackers adjust their campaigns for maximum effect.

The product is still under active development, but it is evolving quickly and could gain wide adoption, the researchers say.

Hackers from Drohobych sold Roblox players’ credentials for nearly ₴10m

Law enforcement in Lviv region arrested fraudsters who stole Roblox accounts worth ₴10m, according to the Office of the Prosecutor General of Ukraine.

According to investigators, three residents of Drohobych promoted infostealers disguised as tools to enhance gameplay. With the malware, the hackers gained access to victims’ credentials.

Source: Office of the Prosecutor General of Ukraine.

The stolen credentials were run through a special programme (a checker) that revealed each account’s contents. From October 2025 to January 2026, more than 610,000 accounts were sifted to find the most valuable. The data were sold for cryptocurrency on Russian platforms.

Following ten searches, officers seized equipment, records, more than €2,500 and about $35,000. The suspects have been notified of suspicion of theft and cybercrime.

A critical flaw in ransomware software causes irreversible data loss

Check Point researchers have found a serious defect in the handling of cryptographic nonces in the VECT 2.0 ransomware. Instead of encrypting, the bug destroys data beyond recovery.

The issue lies in how VECT 2.0 handles files larger than 128KB. To speed up processing, the program splits objects into four parts and encrypts them separately. But programming-logic errors lead to catastrophic results:

  1. All four parts of a file share a single memory buffer for the generated nonce, so each newly generated nonce overwrites the previous one.
  2. As a result, only one nonce (the last) survives and is written to disk.
  3. Only the last 25% of a file can be recovered. The first three parts cannot be decrypted because the unique numbers required were irretrievably lost during execution.

Even if a victim pays, the attackers cannot decrypt the data, because the overwritten nonces were never sent to their servers.
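To make the nonce-handling defect concrete, here is an added illustration of the failure mode; it is not Check Point’s code and not VECT’s, and it uses a toy SHA-256 keystream cipher, a 12-byte nonce, a 32-byte key and a constructed 256-byte sample in place of the real implementation (all assumptions). The defective variant generates four nonces into one shared buffer; the corrected variant stores each part’s nonce beside its ciphertext.

```python
import hashlib
import os

# Constructed sample "file": four 64-byte parts (AAA..., BBB..., CCC..., DDD...),
# so it is easy to see which quarter survives.
SAMPLE = b"".join(bytes([65 + i]) * 64 for i in range(4))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for the real one.
    XOR-based, so encrypting and decrypting are the same operation, and a wrong
    nonce silently yields garbage rather than an error, as with any stream cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def split_four(data: bytes) -> list[bytes]:
    """Split a buffer into four parts, as the article says VECT 2.0 does for large files."""
    bounds = [len(data) * i // 4 for i in range(5)]
    return [data[bounds[i]:bounds[i + 1]] for i in range(4)]


def encrypt_shared_nonce_buffer(key: bytes, data: bytes) -> tuple[list[bytes], bytes]:
    """Models the defect: four parts, four fresh nonces, but all generated into ONE
    buffer, so each new nonce overwrites the last and only the final one survives."""
    nonce_buf = bytearray(12)            # the single shared buffer
    parts = []
    for part in split_four(data):
        nonce_buf[:] = os.urandom(12)    # clobbers the previous part's nonce
        parts.append(keystream_xor(key, bytes(nonce_buf), part))
    return parts, bytes(nonce_buf)       # only this nonce ever reaches the disk


def encrypt_per_part_nonce(key: bytes, data: bytes) -> list[tuple[bytes, bytes]]:
    """Correct handling: every part keeps its own nonce next to its ciphertext."""
    result = []
    for part in split_four(data):
        nonce = os.urandom(12)
        result.append((nonce, keystream_xor(key, nonce, part)))
    return result


def decrypt_with_surviving_nonce(key: bytes, parts: list[bytes], nonce: bytes) -> list[bytes]:
    """What anyone holding the key can still do after the bug: apply the one stored
    nonce to every part. Only the part it really belongs to comes back intact."""
    return [keystream_xor(key, nonce, p) for p in parts]


def recoverable_fraction(key: bytes, parts: list[bytes], nonce: bytes, original: bytes) -> float:
    """Forensic measure: the share of the original file that decrypts correctly."""
    decrypted = decrypt_with_surviving_nonce(key, parts, nonce)
    good = sum(len(d) for d, o in zip(decrypted, split_four(original)) if d == o)
    return good / len(original)
```

Run against the sample, the defective path recovers exactly the last quarter, while the per-part-nonce path restores the whole file.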

Researchers note the 128KB threshold is tiny, covering virtually all valuable corporate information:

This turns the malware from ransomware into a straightforward wiper, making ransom payments pointless. The flaw affects all VECT 2.0 variants — Windows, Linux and ESXi.

Incorrect cipher name in the operators’ advert. Source: Check Point.

According to experts, VECT was actively advertised on the BreachForums hacking platform. Operators invited users to become partners and distributed access keys via private messages. 

Later, the group announced a partnership with TeamPCP — the team behind recent supply-chain attacks on Trivy, LiteLLM, Telnyx and the European Commission. The aim was to use victims to deploy ransomware.

Hackers breached the Qinglong task scheduler to mine cryptocurrency

Attackers exploited two authentication-bypass vulnerabilities in the Qinglong task scheduler to mine cryptocurrency surreptitiously on developers’ servers, according to cybersecurity firm Snyk.

Qinglong is an open-source Python/JS task-management platform popular among Chinese developers.

The remote-code-execution infection chain affected Qinglong version 2.20.1 and earlier.

Researchers say the root cause lay in a mismatch between the middleware’s authorisation logic and how the Express.js web framework routed requests. The authentication layer assumed certain URL patterns would always be handled in one way, whereas Express.js behaved differently.

According to Snyk, the attackers’ campaign began on February 7th 2026. Qinglong users were the first to spot a hidden malicious process, .FULLGC, whose name mimicked a standard resource-intensive task to evade notice. 

The miner consumed 85–100% of CPU and targeted Linux, ARM64 and macOS systems. Qinglong’s developers fixed the flaw in PR 2941.
