GPS deanonymisation, a chatbot fed with hacker chats, and other cybersecurity highlights

We have compiled the week’s most important cybersecurity news.

  • Researchers fed the leaked Black Basta chat logs to ChatGPT.
  • A Gravy Analytics data leak enabled user deanonymisation.
  • Ukrainian hackers claimed to have breached CarMoney.

Leaked Black Basta chats were fed to ChatGPT

On February 11 an unknown insider released an archive of the Black Basta ransomware gang’s internal Matrix chats. The leak was first noted by cyberthreat researchers at PRODAFT.

The logs span September 2023 to September 2024. They include crypto-wallet addresses, victims’ accounts, and descriptions of phishing schemes and intrusion tactics.

They also expose the identities of some members, notably the gang’s presumed leader Oleg Nefedov (aliases GG, AA, “Trump”) and two likely administrators, Lapa and YY.

Hudson Rock passed more than a million internal messages to the ChatGPT-based BlackBastaGPT for analysis.

Experts believe the leak may have been the result of internal infighting within the group.

Gravy Analytics leak led to user deanonymisation

A January breach at US location-tracking firm Gravy Analytics caused a major leak of user data worldwide—from Russia to the United States. The broker resold geolocation data gathered by thousands of mobile apps.

The leaked dataset is tied to advertising identifiers—IDFA for iOS and AAID for Android—which often allows tracking people’s movements and, in some cases, deanonymising them.

In an experiment, researcher Baptiste Robert traced one user’s path from New York’s Columbus Circle to his home in Tennessee and, the next day, to his parents’ residence. Relying solely on OSINT, he learned a great deal about the person, including his mother’s name and that his late father was a US Air Force veteran.

The Gravy Analytics leak highlighted the serious risks of the data-broker industry.

Signal users were targeted via device linking

Google’s Threat Intelligence Group reported that Russian hackers are actively attempting to compromise Signal accounts by abusing the device-linking feature. Potential victims are tricked into scanning malicious QR codes to sync the messenger with an attacker’s device.

Malicious QR code. Source: Google Threat Intelligence Group.

For targeted attacks, phishing links are disguised as Signal group invitations or as pairing instructions from a legitimate website.

The technique is dangerous because it does not require a full device compromise to monitor protected conversations.

Signal users are advised to update the app to the latest version, which includes improved protection against the phishing attacks identified by Google.

Researchers found new DPRK malware that tampers with crypto wallets

North Korea’s Lazarus hackers used a previously unknown JavaScript malware, Marstech1, in targeted attacks on blockchain developers, according to SecurityScorecard.

The malware is embedded into websites or npm packages tied to various cryptocurrency projects. Once on a victim’s device, it scans Chromium-browser directories for the MetaMask, Exodus and Atomic Wallet extensions, then alters their settings.

Marstech1 was first observed in 2024. At least 233 victims in the US, Europe and Asia have already been affected.

Researchers traced the malware to a public GitHub repository created by the now-banned profile SuccessFriend.

Ukrainian hackers claim breach of CarMoney

Hackers from the “Ukrainian Cyber Alliance” said they breached the infrastructure of the Russian microfinance firm CarMoney and accessed data on a large number of the organisation’s borrowers. Among them are members of the GRU, the FSB and military units.

As proof, the group published, among other things, two loan applications in the names of service members Dmitry Solovyov and Maxim Vagin.

The Telegram channel “Agency” examined the leaks and found information on people with matching names, dates and places of birth. However, the outlet could not independently verify the information presented by the hackers.

CarMoney’s press office said on its VK page that “one of the company’s old websites” was breached and that personal data of clients and investors was not affected. Nevertheless, “to prevent consequences”, specialists disabled all systems while monitoring was carried out.

CarMoney’s founder is Eduard Gurinovich, who calls himself the exclusive partner of the game Hamster Kombat in Russia. Journalists, citing the outlet “Sobesednik”, also noted that a stake in CarMoney belongs to Lyudmila, the former wife of President Vladimir Putin.

On New Year’s Eve Russians were hit by a large cryptominer infection

Kaspersky researchers found that on December 31, 2024 cybercriminals launched a mass infection campaign, delivering the XMRig cryptominer via trojanised versions of popular games on torrent sites. The StaryDobry attack ran for a month.

The malicious releases of BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox and Plutocracy were prepared in advance and uploaded to torrent trackers around September 2024. Among the compromised installers were popular simulators and sandboxes requiring minimal disk space.

After installation, the cryptominer checked the number of CPU cores and would not run if there were fewer than eight. The attackers also hosted the mining pool server on their own infrastructure rather than a public one, complicating efforts to track their proceeds.

The campaign affected individuals and enterprises worldwide, including in Russia, Brazil, Germany, Belarus and Kazakhstan.

Also on ForkLog:

  • Exchange Bybit lost $1.46bn in a breach.
  • Pi Network’s token price plunged 50% after a CEX listing.
  • Grok named Elon Musk the chief disinformer.
  • SafeMoon’s CTO pleaded guilty to $200m crypto fraud.
  • Russia set a date for banks to connect to a crypto-transaction analytics service.
  • The SEC reshaped its crypto unit.
  • BestChange was unblocked in Russia.
  • A former employee of Bybit’s payroll provider was sentenced for stealing $5.7m.
  • zkLend will allocate $400,000 under a compensation plan for hack victims.
  • Millions stolen from Phemex moved to new addresses.
  • Sanctioned entities received $15.8bn via cryptocurrencies in 2024.
  • A macOS malware that swaps Bitcoin addresses improved its stealth.
  • Russian authorities dropped claims against Vinnik.
  • Researchers found a crypto-key stealer in a Steam game.
  • Report: HTX sent more than 380,000 security notifications in January.
  • Abstract users reported funds stolen via Cardex; the team later stated the loss amount.
  • Four Norwegians were charged with $80m fraud.
  • Binance’s chief warned of a “new” seed-phrase scam.
  • Ethereum validators were urged to update the Geth client “to avoid losses”.
  • Dave Portnoy bought a fake LIBRA for $170,000.
  • In Russia, a Telegram-channel admin was detained for extorting bitcoins.
  • Scammers launched a fake memecoin in the name of a Saudi prince.

What to read this weekend?

We investigate who actually stands behind the series of “presidential” memecoins.
