Heists across hundreds of thousands of wallets, an AI agent’s attack from scratch, and other cybersecurity developments

A roundup of the week’s key cybersecurity news.

  • Clipper operators created more than 700,000 wallets to steal cryptocurrency.
  • An AI agent from ChatGPT and DeepSeek exhibited malicious activity.
  • A suspected LockBit developer was extradited to the US.
  • DOGE carried out sweeping cybersecurity layoffs.

Clipper operators created more than 700,000 wallets to steal cryptocurrency

CyberArk researchers uncovered the MassJacker campaign, which steals cryptocurrencies by swapping clipboard wallet addresses. At least 778,531 addresses are tied to the attackers for accumulating stolen assets.

Most were empty at the time of analysis, but 423 wallets held a combined $95,300. Historical data also points to larger transactions.

There is also a single Solana wallet that presumably serves as a central stash. Since its creation, it has processed inbound transactions exceeding $300,000.

MassJacker spreads via a site hosting pirated and malicious software.

Infection chain. Source: CyberArk.

CyberArk suspects the malware is tied to a specific threat group, given the reuse of file names and encryption keys.

ChatGPT’s Operator and DeepSeek exhibited malicious behaviour

Specialists at Symantec used the AI agent Operator by OpenAI to conduct a phishing attack on one of their colleagues, supplying only his job title as input.

Using open sources, the tool inferred the target’s name and email address, wrote a PowerShell script to collect system information from his computer, and sent a convincing malicious email.

In turn, Tenable researchers jailbroke the DeepSeek chatbot to make it write a keylogger and ransomware. To improve results, the experts used the model’s chain-of-thought (CoT) reasoning capabilities.

In both cases the generated code contained errors and required manual editing. Once corrected, the malware worked.

The keylogger captured keystrokes, while the ransomware demonstrated file-encryption mechanics and a dialog box notifying the victim of the attack.

Suspected LockBit developer extradited to the US

Dual Russian and Israeli national Rostislav Panev, considered a key developer for the LockBit ransomware gang, was brought to the United States for a court hearing in his case. According to the Justice Department, from June 2022 to February 2024 he allegedly earned $230,000 in cryptocurrencies.

Panev was arrested in Israel in August 2024. Compromising evidence was found on his laptop.

The defendant admitted he performed coding, development, consulting and technical leadership for the LockBit group.

DOGE carried out sweeping cybersecurity layoffs

In the US, more than a hundred staff at the government agency CISA were laid off by DOGE. This was reported by TechCrunch, citing those affected.

They said the move hit the Cyber Incident Response Team (CIRT), responsible for penetration testing and vulnerability management of government networks, as well as the “red team,” which models real-world attacks to prevent them. The cuts were abrupt, and their network access was revoked without prior notice, the sources added.

A CISA spokesperson told the media that the “red team” remains operational, while the agency is “reviewing all contracts for alignment with the new administration’s priorities.”

Separately, according to The Register, House Democrats asked 24 federal agencies to check whether DOGE’s team is passing confidential government data to “unauthorized and unaccountable” AI services.

The authors expressed concern that the cuts overseen by Elon Musk’s department were based on analysis of projects and staffing via commercial AI tools whose security is unproven.

A backdoor targeting Russian gamers was found on YouTube

Kaspersky Lab recorded the spread of the DCRat backdoor via YouTube. Attackers upload videos to fake or stolen accounts advertising various cheats, cracks and game bots, along with a link supposedly to download them.

Instead of legitimate software, a trojan is installed that can fetch additional modules. The most dangerous functions include keystroke logging, webcam access, file downloads and password exfiltration.

In 80% of cases the victims were Russian users. The campaign also affected people in Belarus, Kazakhstan and China.

Hundreds of critical US organizations hit by Medusa ransomware

CISA, the FBI and the MS-ISAC warned in a joint advisory about the threat from Medusa ransomware, which as of February 2025 had affected more than 300 organizations in US critical infrastructure sectors.

Victims include firms in healthcare, education, law, insurance, technology and manufacturing. Companies in sensitive industries are advised to implement protections to reduce the likelihood and impact of potential attacks.

Medusa activity was first observed in January 2021.

According to law enforcement, the ransomware developers hire brokers via dark-web forums to obtain initial access to prospective victims. Partners are promised $100 to $1m in rewards.

Signal paused cooperation with Ukraine

The Signal messenger stopped responding to requests from Ukrainian law enforcement about Russian cyberthreats. This was reported by The Record, citing a statement by Serhii Demediuk, deputy secretary of the NSDC.

He said Signal remains one of the most popular services used by the Russian side for messaging, as well as for preparing espionage operations and phishing attacks.

The official suggested that Signal’s policy shift is linked to political instability in the US, but did not rule out resuming cooperation soon.

Signal representatives did not comment.

Russian courts banned 33 Telegram sticker packs

By early March, courts in Kirov Oblast had banned at least 33 sticker packs on Telegram following applications from prosecutors. This was reported by «Верстка».

According to the claims, the agency’s review found sticker packs containing “images of Nazi symbols and attributes of banned extremist organizations.” Court rulings said the stickers “promote extremism on social networks.”

Media found that most banned sets are dedicated to Adolf Hitler and memes featuring him, or contain swastikas in one form or another. One set includes images of the flag and coat of arms of Ukraine.

Anton Gorelkin, deputy chair of the State Duma’s IT committee, said a “serious precedent” had been set and recommended that Telegram’s administrators “consider introducing mechanisms allowing users to complain about illegal content in stickers and emoji” out of court.
