We have compiled the week’s most important cybersecurity news.
- Coinbase confirmed a user-data leak.
- The operator of a major darknet drug market was sentenced to 30 years.
- DeFi platform Step Finance lost $40m after a breach of treasury wallets.
- Global Ledger: crypto scammers are giving victims ever less time to react.
Coinbase confirms user-data leak
Attackers accessed information belonging to 30 Coinbase customers, the exchange confirmed, according to BleepingComputer.
The statement followed soon after the Scattered Lapsus$ Hunters group posted, then deleted, screenshots on Telegram of Coinbase's internal support interface. The panel showed access to customer data: email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances and transactions.
The leak occurred in December 2025 and is unrelated to an earlier incident. It remains unclear whether the group was directly involved in the latest attack.
Operator of a major darknet drug market gets 30 years
On February 3rd a court sentenced the operator of the Incognito Market darknet drug platform, Rui-Xiang Lin, to 30 years in prison, the U.S. Department of Justice reported.
Prosecutors said the sentence closes one of the largest cases against illicit marketplaces since Silk Road.
Listings on Incognito Market were posted by registered sellers; to become one, a user had to sign up on the site and pay an entry fee. The platform charged a 5% commission on sales.
Proceeds funded Incognito Market’s operations, including server costs and staff incentives. Authorities say Lin’s net profit exceeded $6m.
To simplify payments, Incognito Market ran its own "bank" (Incognito Bank), which let users deposit crypto directly into site accounts. When a drug sale closed, funds moved from the buyer's account to the seller's address minus commission, preserving a degree of anonymity.
Investigators identified Lin through blockchain analysis and undercover purchases, as well as through his basic operational-security blunders:
- domain registration. Forensic analysts traced the marketplace domain to Lin because he had registered it with his real name, personal phone number and address;
- biography. Lin studied at National Taiwan University, then performed alternative civilian service in Saint Lucia. There he worked as a technical assistant and, in his spare time, even taught local police how to combat cybercrime and work with cryptocurrencies.
DeFi platform Step Finance loses $40m after treasury-wallet hack
On January 31st Step Finance disclosed a security breach. External specialists helped the DeFi platform recover part of the stolen assets.
Several treasury wallets were compromised via a “well-known attack vector”, the team said. CertiK initially estimated losses at 261,854 SOL (about $28.9m at the time), but the figure rose to roughly $40m as the investigation progressed.
We have seen a security breach of @StepFinance_ treasury wallets. https://t.co/Zi3tMKaTqE
261,854 SOL (~$28.9M) has been withdrawn after stake authorization had been transferred to https://t.co/o51kREYPHW
Stay Vigilant! pic.twitter.com/GrxpyzI2Uv
— CertiK Alert (@CertiKAlert) January 31, 2026
At the time of writing, about $3.7m in Remora assets and $1m in other tokens had been recovered, thanks to the Token22 safeguards and coordination with partners.
Some operations were paused to tighten security. The team said its Remora Markets protocol is isolated from the incident and that all rTokens remain fully backed 1:1.
Users were advised not to interact with the STEP token until the investigation concludes. A pre-attack network snapshot is planned to inform compensation decisions.
Step Finance has not disclosed details of the attack or the attackers' identities, prompting community speculation about a possible exit scam or insider involvement. The team has not addressed these allegations so far.
Global Ledger: crypto scammers are leaving victims less time to respond
In 2025, hackers targeting cryptocurrencies left victims progressively less time to react, Global Ledger analysts conclude.
Laundering sped up in the second half of the year compared with the first, reaching new extremes. The report cites a case in which stolen funds began moving just two seconds after the exploit, twice as fast as the fastest H1 case and twice as fast as the quickest public alert.
In most cases attackers began moving funds before the market learned of the breach at all: roughly 76.4% of incidents across the year, rising from 68.1% in H1 to 84.6% in H2.
At the same time, the laundering phase itself lengthened by about 25% on average, from roughly eight days in H1 to 10.6 days in H2.
According to Global Ledger, in H2 hackers split sums more aggressively and relied more on non-custodial wallets, DeFi protocols, DEXs, cross-chain bridges and mixers.
After sanctions were lifted, use of Tornado Cash rose by more than 31 percentage points. Over the year, the mixer handled more than $2.05bn in Ethereum, about $655m of which was high risk. The share of funds exiting Tornado Cash to CEX increased from 0.16% (during restrictions) to 4.74% (after they were lifted).
Roughly 64% of incidents involved smart-contract exploits, the researchers said. Yet the single largest loss, $1.5bn, hit users who signed fake approvals.
Crypto extortionists set a record in Russia
In January 2025 hackers demanded a record ransom in cryptocurrency from a Russian fishing company, according to F6.
The attackers demanded 50 BTC (about 500m rubles at the time of publication) to restore access to encrypted data. The victim’s name was not disclosed.
For the Russian market this is the largest ransom on record. The attack was linked to the CyberSec’s group, known for hacking Russian firms and online resources, stealing data and publishing it. The group gained wider notoriety after the leak of the sysadmins.ru forum database and claims of mass breaches of Bitrix servers.
Notepad++ developer discloses details of the breach
On February 2nd Notepad++ developer Don Ho shared findings from an investigation involving external cybersecurity experts and staff at the project’s former hosting provider.
He said the site was first compromised back in June 2025 through a breach at the hosting-provider level.
The attackers acted surgically, targeting specific victims. Several independent experts concluded the attack was carried out by a Chinese state-linked ("government") group.
The hosting server that housed the site and its update mechanism remained compromised until September 2nd 2025. Maintenance took place that day, after which the suspicious patterns disappeared from the logs.
The backdoor let the attackers redirect part of the requests to notepad-plus-plus.org/update/getDownloadUrl.php to their own servers, which answered selected victims with update URLs pointing at malicious files.
Version 8.9.2, expected within a month, will make certificate and signature verification mandatory. Don Ho recommended that users download version 8.9.1 manually, as it already includes the required safeguards.
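The lesson of the Notepad++ incident is that an updater which trusts whatever download URL the server hands back has no defence against a server-side redirect; only a signature over the artifact itself, checked against a key pinned in the client, protects the user once the hosting is compromised. The following Go program is an added illustration of that pattern and is not Notepad++'s own code: the publisher key, the allow-list of hosts, the UpdateInfo layout and the installer bytes are all hypothetical stand-ins constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical publisher key. It is derived from a fixed seed only so that the
// example is deterministic; a real updater embeds just the public half.
var publisherSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var publisherPriv = ed25519.NewKeyFromSeed(publisherSeed)
var publisherPub = publisherPriv.Public().(ed25519.PublicKey)

// Hypothetical allow-list of hosts the updater will fetch installers from.
// This is defence in depth only: the signature check below is what matters.
var trustedHosts = map[string]bool{
	"notepad-plus-plus.org": true,
	"github.com":            true,
}

var (
	ErrUntrustedURL = errors.New("download URL is not https or not on an allowed host")
	ErrBadSignature = errors.New("installer signature does not verify against the pinned publisher key")
)

// UpdateInfo models what a getDownloadUrl-style endpoint returns: the new
// version, where to fetch it, and a detached signature over the installer.
type UpdateInfo struct {
	Version string
	URL     string
	Sig     []byte
}

// releaseMessage binds the signature to both the version string and the
// SHA-256 of the installer, so an attacker cannot re-label an old signed build
// as a newer one or swap the payload behind a genuine signature.
func releaseMessage(version string, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return append([]byte(version+"\n"), digest[:]...)
}

// SignRelease is the publisher's offline step, done once per release.
func SignRelease(version, downloadURL string, installer []byte) UpdateInfo {
	return UpdateInfo{
		Version: version,
		URL:     downloadURL,
		Sig:     ed25519.Sign(publisherPriv, releaseMessage(version, installer)),
	}
}

// VerifyUpdate is the client-side check run after downloading but before the
// installer is ever executed. A redirected URL fails the host check; a
// tampered payload delivered from anywhere fails the signature check.
func VerifyUpdate(info UpdateInfo, installer []byte) error {
	u, err := url.Parse(info.URL)
	if err != nil || u.Scheme != "https" || !trustedHosts[u.Hostname()] {
		return ErrUntrustedURL
	}
	if !ed25519.Verify(publisherPub, releaseMessage(info.Version, installer), info.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed stand-ins for installer bytes; no real binaries are involved.
	genuine := []byte("constructed stand-in for npp.8.9.1.Installer.exe")
	trojan := []byte("constructed stand-in for a trojanised installer")

	info := SignRelease("8.9.1",
		"https://notepad-plus-plus.org/repository/npp.8.9.1.Installer.exe", genuine)
	fmt.Println("genuine release:   ", VerifyUpdate(info, genuine))

	// Server-side redirect: same metadata, but the URL now points at an attacker host.
	hijacked := info
	hijacked.URL = "https://updates.example.net/npp.8.9.1.Installer.exe"
	fmt.Println("redirected URL:    ", VerifyUpdate(hijacked, trojan))

	// Even a payload served from an allowed host is rejected if it was not signed.
	fmt.Println("tampered payload:  ", VerifyUpdate(info, trojan))
}
```

The host allow-list alone would not have saved Notepad++ users, because the attacker controlled the real update endpoint; the signature over the installer is the control that survives a hosting compromise, and it only works if the public key is shipped inside the client rather than fetched from the same server.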
Also on ForkLog:
- A Chainstory study found signs of scam in most crypto press releases.
- A vulnerability was found in the Moltbook social network for AI agents.
- Curve Finance’s CrossCurve bridge was hacked for $3m.
What to read this weekend?
Andrey Asmakov explores whether humans will retain the right to intervene in the work of AI agents.
