Here are the week’s key cybersecurity stories.
- North Korean hackers targeted blockchain developers to steal crypto.
- The FBI dismantled ransomware’s ‘last refuge’.
- Hackers breached single sign-on systems to target corporations.
- CISA’s acting chief sparked a scandal by uploading agency documents to ChatGPT.
North Korean hackers targeted blockchain developers to steal crypto
The North Korean hacking group Konni used AI-generated malware to attack blockchain developers, according to Check Point analysts.
The attackers’ main objective is to gain access to development environments, opening a path to API credentials, infrastructure and, ultimately, company crypto wallets.
Experts say the attack starts on Discord, where the victim receives a link to a ZIP archive. Inside are a PDF lure and a malicious LNK file. Launching the shortcut kicks off a complex chain:
- A PowerShell loader starts and opens a DOCX document to distract the user.
- In the background, a CAB archive is extracted containing a backdoor, batch (BAT) files, and a User Account Control (UAC) bypass tool.
- An hourly task is created in the scheduler disguised as a OneDrive process, which runs an encrypted script directly in memory and wipes traces after execution.
Analysts concluded the malicious script was created with an LLM. Several factors point to this:
- an unusual structure: clear documentation at the start of the code and a neat, modular layout rarely seen in “hand-made” malware;
- telling comments: the code contains the line "# <-- your permanent project UUID".
Researchers linked the campaign to Konni based on similarities in loader formats and file names used in previous operations.
Active since 2014, the group has typically targeted South Korea, Russia and Europe. The new campaign focuses on three Asia-Pacific countries: India, Japan and Australia.
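The persistence step in the chain above (an hourly scheduled task disguised as a OneDrive process that launches a hidden, in-memory PowerShell payload) is something a defender can hunt for in a scheduled-task inventory. The following is an added example, not Check Point's code or anything from the Konni campaign; the task records are constructed, and the list of "legitimate OneDrive binaries" is an assumption used only to show the contrast.

```python
"""Flag scheduled tasks matching the masquerading-persistence pattern:
a OneDrive-named task whose action is a hidden, encoded PowerShell command
on a short repetition interval. Added example; task records are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ScheduledTask:
    name: str              # task name as shown in Task Scheduler
    path: str              # folder in the task library
    command: str           # executable the task action runs
    arguments: str         # command-line arguments of the action
    interval_minutes: int  # repetition interval, 0 = runs once / no repetition


# Assumption for contrast: executables a genuine OneDrive task would run.
LEGIT_ONEDRIVE_BINARIES = ("onedrive.exe", "onedrivestandaloneupdater.exe")

# Argument patterns typical of a hidden, in-memory PowerShell loader.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"-(enc|encodedcommand|e)\b", re.I),   # encoded payload
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),    # no visible window
    re.compile(r"\biex\b|invoke-expression", re.I),   # script run from memory
    re.compile(r"-nop(rofile)?\b", re.I),             # skip user profile
]


def score_task(task: ScheduledTask) -> list[str]:
    """Return the reasons a task looks suspicious (empty list = nothing found)."""
    reasons: list[str] = []
    looks_like_onedrive = "onedrive" in (task.name + task.path).lower()
    exe = task.command.lower().rsplit("\\", 1)[-1]   # strip directory part
    if looks_like_onedrive and exe not in LEGIT_ONEDRIVE_BINARIES:
        reasons.append(f"OneDrive-named task runs {exe}")
    if exe in ("powershell.exe", "pwsh.exe"):
        for pat in SUSPICIOUS_ARG_PATTERNS:
            if pat.search(task.arguments):
                reasons.append(f"PowerShell flag matches /{pat.pattern}/")
    # A short repetition interval only matters once something else is off.
    if reasons and 0 < task.interval_minutes <= 60:
        reasons.append(f"repeats every {task.interval_minutes} min")
    return reasons


def find_suspicious(tasks: list[ScheduledTask]) -> dict[str, list[str]]:
    """Map task name -> reasons for every task that scored at least one reason."""
    return {t.name: score_task(t) for t in tasks if score_task(t)}


# Constructed sample inventory: one genuine OneDrive task, one benign
# PowerShell job, and one task shaped like the persistence described above.
SAMPLE_TASKS = [
    ScheduledTask("OneDrive Standalone Update Task", "\\",
                  "%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",
                  "", 0),
    ScheduledTask("Nightly Backup", "\\IT\\",
                  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                  "-File C:\\scripts\\backup.ps1", 0),
    ScheduledTask("OneDrive Sync Service", "\\Microsoft\\",
                  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                  "-NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAo...", 60),
]

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real host the same scoring can be fed from `schtasks /query /fo CSV /v` or `Get-ScheduledTask` output; the point of the example is that the combination of signals (name mismatch with the binary, hidden window, encoded command, short interval) is what separates this pattern from ordinary PowerShell maintenance jobs like the backup task.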
The FBI dismantled ransomware’s ‘last refuge’
The FBI, in coordination with the US Department of Justice, seized the popular cyber-extortion forum RAMP, BleepingComputer reports.
RAMP styled itself as the “last refuge” for ransomware operators, attracting numerous groups that used the forum to recruit affiliates and to buy and sell access to corporate networks.
Though there has been no official statement yet, the domain’s DNS servers were switched to those the FBI typically uses in seizures:
- ns1.fbi.seized.gov;
- ns2.fbi.seized.gov.
An administrator known as Stallman confirmed the development, acknowledging that years of his work were wiped out.
According to the outlet, law enforcement obtained a vast trove of confidential data: users’ IP addresses, private messages and mailboxes. For forum participants who failed to maintain strict anonymity, this poses a direct risk of de-anonymisation and arrest.
The platform emerged in 2021 after other hacker portals such as Exploit and XSS banned ransomware advertising. The resource is run by hacker Mikhail Matveev, known as Orange.
In 2023, the US Department of Justice charged Matveev with involvement in developing the Babuk, LockBit and Hive malware. He was added to the FBI’s most-wanted cybercriminals list, and in November 2024 he was arrested in Kaliningrad.
Hackers breached single sign-on systems to target corporations
The ShinyHunters group launched a large wave of vishing attacks aimed at single sign-on (SSO) systems from Okta, Microsoft and Google, the hackers told BleepingComputer.
The attackers use advanced social engineering: they call employees posing as support and convince them to enter logins and codes on spoofed sites.
An Okta report confirmed the use of sophisticated phishing kits. These tools include a web control panel that lets the hacker change site content in real time while talking to the victim by phone:
- if the attacker needs a code when entering the stolen credentials, a matching field instantly appears on the victim’s screen;
- if push approval is required, the phishing site displays instructions on how to approve it.
Compromising a single SSO account can give criminals access to an entire corporate ecosystem, including Google Workspace, Slack and Microsoft 365. To prepare their attacks, ShinyHunters use data from earlier breaches—names, roles and phone numbers—making their calls highly convincing.
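The reason a real-time control panel like the one described above works is that a one-time code or a push approval is not tied to the site the victim is actually looking at, so whatever the victim produces on the spoofed page can be replayed against the real SSO portal. A credential that signs the browser-reported origin into its response (the design behind WebAuthn/FIDO2) does not have that property. The following simplified model is an added example, not Okta's report code or the phishing kit; hostnames, the OTP value and the shared secret are constructed, and an HMAC stands in for the public-key signature a real authenticator would use.

```python
"""Model of why a relayed OTP/push passes but a relayed origin-bound
assertion fails. Added example with constructed hostnames and secrets."""
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://sso.example-corp.com"    # constructed real SSO portal
LOOKALIKE_ORIGIN = "https://sso.example-corp.co"  # constructed spoofed page


class RelyingParty:
    """The genuine SSO service."""

    def __init__(self, origin: str, current_otp: str, user_secret: bytes):
        self.origin = origin
        self.current_otp = current_otp        # code the victim's app shows right now
        self.user_secret = user_secret        # stands in for the registered public key
        self.challenge = os.urandom(16).hex()  # fresh per login attempt

    def verify_otp(self, otp: str) -> bool:
        # Nothing here says where the user typed the code, only that it matches.
        return hmac.compare_digest(otp, self.current_otp)

    def verify_assertion(self, client_data: str, signature: str) -> bool:
        data = json.loads(client_data)
        # Origin and challenge are inside the signed blob, so a relay cannot
        # swap them without invalidating the signature.
        if data["origin"] != self.origin or data["challenge"] != self.challenge:
            return False
        expected = hmac.new(self.user_secret, client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(signature, expected)


class Authenticator:
    """The user's security key / platform authenticator."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def sign(self, browser_origin: str, challenge: str) -> tuple[str, str]:
        # The browser, not the user, supplies the origin: it is the page that
        # called the API, which on a spoofed site is the lookalike hostname.
        client_data = json.dumps({"origin": browser_origin, "challenge": challenge}, sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


def otp_relayed_through_lookalike(rp: RelyingParty, code_typed_on_lookalike: str) -> bool:
    """Code captured on the spoofed page is submitted to the real portal unchanged."""
    return rp.verify_otp(code_typed_on_lookalike)


def assertion_relayed_through_lookalike(rp: RelyingParty, auth: Authenticator) -> bool:
    """The real challenge is forwarded, but the signature covers the lookalike origin."""
    client_data, sig = auth.sign(LOOKALIKE_ORIGIN, rp.challenge)
    return rp.verify_assertion(client_data, sig)


def legitimate_assertion(rp: RelyingParty, auth: Authenticator) -> bool:
    """Same device, same challenge, but signed from the genuine origin."""
    client_data, sig = auth.sign(REAL_ORIGIN, rp.challenge)
    return rp.verify_assertion(client_data, sig)


def demo() -> dict[str, bool]:
    secret = b"constructed-registration-secret"
    rp = RelyingParty(REAL_ORIGIN, "482193", secret)   # constructed OTP value
    auth = Authenticator(secret)
    return {
        "otp relayed": otp_relayed_through_lookalike(rp, "482193"),
        "assertion relayed": assertion_relayed_through_lookalike(rp, auth),
        "assertion genuine": legitimate_assertion(rp, auth),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:18} -> {'accepted' if ok else 'rejected'}")
```

The model deliberately leaves out key registration, counters and attestation; the single property it isolates is that the relying party checks the origin inside the signed data, which is why the same help-desk phone call that harvests a code or a push approval yields nothing usable against an origin-bound login.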
The group also relaunched its leak site, posting data on breaches at SoundCloud, Betterment and Crunchbase. The companies’ representatives confirmed the incidents.
CISA chief sparks furor by uploading agency documents to ChatGPT
Acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) Madhu Gottumukkala became the subject of an internal probe after uploading sensitive agency contract documents to ChatGPT, Politico reports.
Most CISA staff are blocked from accessing the chatbot, but Gottumukkala sought special permission to use OpenAI’s product instead of approved secure tools.
According to media reports, the federal network security system issued several data-leak warnings. While the uploaded information was not classified, it was marked “for official use only.” The data can now be used by the model to answer users, putting the confidentiality of government contracts at risk.
Gottumukkala could face discipline ranging from a formal reprimand to loss of clearance for classified information.
Cyberattack on Poland’s power sector: new details
In late December, Poland’s energy infrastructure was hit by a coordinated attack targeting distributed energy facilities across the country. The strikes affected thermal power plants as well as wind and solar control systems, Reuters reports.
Although the attackers breached operating systems and damaged “key equipment beyond repair,” they failed to interrupt electricity supply. The total capacity of affected assets was 1.2 GW, equivalent to 5% of Poland’s power supply.
Officially, 12 facilities were hit. However, cybersecurity firm Dragos said the real number was as high as 30.
Researchers “with moderate confidence” attributed the attack to the Russian hacking group Electrum. Though its activity overlaps with the well-known Sandworm (APT44), the team classified it as a separate cluster.
Electrum had previously been linked to attacks on Ukrainian networks using the Caddywiper and Industroyer2 malware. In Poland, the hackers deployed a new wiper—DynoWiper.
According to Dragos, the attackers demonstrated deep knowledge of industrial equipment. They deliberately targeted:
- vulnerable dispatching and communications systems;
- remote terminals and border network devices;
- Windows-based monitoring and control systems.
The hackers successfully disabled communications equipment at several sites, depriving operators of remote control, though generation continued in autonomous mode.
Experts believe the shutdowns did not trigger a blackout. However, a sudden 1.2 GW drop could have caused a critical frequency deviation. Similar fluctuations have led to cascading failures in other countries, including the large-scale collapse of the Iberian power system in 2025.
Also on ForkLog:
- The US Department of Justice seized $400 million from the Helix bitcoin mixer.
- Hackers stole $2.9 billion in crypto in 2025.
- Critical vulnerabilities were found in the Clawdbot AI agent.
- Boasting on Telegram helped uncover the theft of $40 million from the US government.
- ZachXBT accused Circle of inaction after the $16.8 million SwapNet hack.
What to read this weekend?
Vasily Smirnov unpacks the UN’s Hanoi Convention on cybercrime. In his new piece, he explores how signatory countries might apply it.
