We compiled the week’s most important cybersecurity news.
- Ukrainian authorities seized $8.3 million in hackers’ crypto assets.
- Analysts found a crypto-address–swapping trojan with a sophisticated delivery chain.
- Kraken faced extortion.
- The FBI extracted Signal chats after the app was deleted.
Ukraine seizes hackers’ crypto assets worth $8.3 million
Law enforcement in Ukraine detained a member of an international hacking group that carried out cyberattacks in Europe and the US, according to Prosecutor General Ruslan Kravchenko.
Investigators say the perpetrators used malware to steal confidential information and documents to extort ransoms. The proceeds were sent to crypto wallets, then cashed out and laundered in Ukraine — including through purchases of real estate and high-value assets.
Estimated losses exceeded $100 million. As part of the investigation, more than 30 searches were conducted and assets worth about $11.1 million were seized, including houses and cars, $1 million in cash and roughly $8.3 million in cryptocurrency.
Authorities also identified the whereabouts of an accomplice responsible for laundering the funds.
Analysts discover a crypto-address–swapping trojan with a complex delivery chain
Researchers at Kaspersky reported a campaign distributing the ClipBanker trojan, which swaps crypto wallet addresses in the clipboard.
The malware masquerades as Proxifier, a utility for routing application traffic through a proxy server used by developers and system administrators.
According to analysts, a link to the infected GitHub repository appears near the top of search results on Google and Yandex.
The trojan installs silently alongside Proxifier, using a fileless technique that keeps its code in memory rather than on disk. Persistence comes from a scheduled task that runs a script stored in the registry; the script reaches out to GitHub, from where the chain fetches a further code file, injects it into fontdrvhost.exe and deploys the final payload.
ClipBanker’s core function is to monitor the clipboard for crypto wallet addresses and swap them.
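The swap itself is simple pattern matching, and the same patterns give the defender a check. The following is an added example, not Kaspersky's analysis or ClipBanker's code: the address regexes, the placeholder addresses and the demo text are all constructed for illustration, and the attacker-side logic is the generic clipper technique rather than anything specific to this sample.

```python
import re

# Address formats a clipper typically targets. The patterns are constructed for
# this example and trade precision for brevity (no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}


def swap_addresses(clipboard_text, attacker_addresses):
    """Attacker-side logic: rewrite every recognised address to the attacker's
    address for the same chain. Returns (rewritten_text, [(chain, original)])."""
    hits = []
    out = clipboard_text
    for chain, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(chain)
        if not replacement:
            continue

        def _sub(match, chain=chain, replacement=replacement):
            hits.append((chain, match.group(0)))
            return replacement

        out = pattern.sub(_sub, out)
    return out, hits


def detect_swap(copied, pasted):
    """Defender-side check: compare the text the user copied with what the
    clipboard holds at paste time. Any chain whose address list changed is a
    swap indicator worth blocking the transaction on."""
    findings = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        before = pattern.findall(copied)
        after = pattern.findall(pasted)
        if before != after:
            findings.append({"chain": chain, "expected": before, "observed": after})
    return findings


# Constructed demo input; the addresses are placeholders, not real wallets.
VICTIM_TEXT = (
    "Pay 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 "
    "and 1 ETH to 0x" + "ab" * 20
)
ATTACKER = {
    "btc_legacy": "1" + "A" * 33,
    "eth": "0x" + "ff" * 20,
}


def demo():
    swapped, hits = swap_addresses(VICTIM_TEXT, ATTACKER)
    findings = detect_swap(VICTIM_TEXT, swapped)
    return swapped, hits, findings


if __name__ == "__main__":
    swapped, hits, findings = demo()
    print("swapped:", swapped)
    print("hits:", hits)
    print("findings:", findings)
```

The practical takeaway is in `detect_swap`: a wallet or payment form that remembers what the user originally copied (or simply asks the user to re-check the first and last characters) catches the swap before funds move, because the clipper has to change the address to profit.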
Since early 2025, more than 2,000 Kaspersky users — mainly in India and Vietnam — have encountered the threat, the experts said.
Kraken faced extortion
Kraken’s chief security officer, Nick Percoco, disclosed insider incidents involving customer-support staff, after which the crypto exchange’s leadership was subjected to extortion.
Kraken Security Update
We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never…
— Nick Percoco (@c7five) April 13, 2026
The perpetrators threatened to publish company videos that allegedly display exchange users’ data.
According to Percoco, Kraken’s infrastructure was not breached and client funds remain safe. He attributed the incident to customer-support staff accessing restricted information without authorization.
Users whose data may have been affected were notified. In total, about 2,000 accounts (0.02% of the client base) were impacted.
Percoco said that in February 2025 a source alerted the team to a video circulating in criminal circles showing access to customer-support systems. The investigation found that a support agent had been recruited by hackers. A second similar case followed.
Percoco added that the exchange is working with law-enforcement agencies in several jurisdictions and has handed over evidence.
The FBI extracted Signal chats after the app was deleted
The FBI recovered messages from Signal even though they had been deleted and the app removed from an iPhone, 404 Media reported.
In a court case concerning an attack on an ICE facility in Alvarado, Texas, the FBI submitted deleted Signal messages as evidence. According to the journalists, federal agents recovered the data from push notifications preserved in an internal iOS database.
If Signal’s settings allow message content to appear in lock-screen previews, the notification text is handed to iOS and stored by the operating system rather than inside the app’s own sandbox, so it survives even after the app is removed.
Signal offers a notification-content setting that keeps message text out of previews, but Lynette Sharp, whose messages were recovered, apparently had not enabled it.
Telegram co-founder Pavel Durov reacted to the news. He called it “yet another proof” that Secret Chats are the safest way to communicate.
Signal representatives confirmed receiving a request from 404 Media but then stopped replying. Apple declined to comment.
Obsidian note-taking app used to deliver a trojan backdoor
Experts at Elastic Security Labs identified a campaign in which attackers use the Obsidian note-taking app as bait. The final payload is a previously unknown trojan dubbed PHANTOMPULSE.
The targets were employees of financial and cryptocurrency organizations. The attack unfolds as follows:
- Attackers pose as staff at a venture-capital firm.
- The conversation moves to Telegram, where several “partners” discuss industry services to create an air of legitimacy.
- The victim is invited to connect to a shared Obsidian cloud vault that purportedly contains a joint analytics dashboard.
To execute malicious code, the hackers rely on Obsidian community plugins: Shell Commands (to run commands) and Hider (to conceal activity in the interface).
Because community plugins are disabled by default (Obsidian’s Restricted mode), the attackers persuade the victim to turn them on. Once they are enabled, the malicious vault configuration launches its commands automatically, with no further interaction from the victim.
On Windows, the attack triggers a script that downloads and installs the PHANTOMPULSE malware.
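A shared vault is a bundle of files, so it can be inspected before plugins are ever enabled. The script below is an added example, not Elastic's tooling or anything from the campaign: it lists the community plugins a vault enables, flags the two plugins named above, and scans every plugin's data.json for shell-command tokens without assuming a particular schema. The plugin IDs (`obsidian-shellcommands`, `obsidian-hider`) are assumed from the plugins' public manifests, the `community-plugins.json` and `plugins/*/data.json` layout is Obsidian's standard vault configuration, and the demo vault it builds in a temporary directory is constructed data with a placeholder command.

```python
import json
import re
import tempfile
from pathlib import Path

# Plugin IDs the campaign abuses; taken from the plugins' public manifests and
# an assumption of this example.
WATCHLIST = {"obsidian-shellcommands", "obsidian-hider"}

# Command tokens that have no business in a shared analytics vault.
SUSPICIOUS = re.compile(
    r"powershell|cmd\.exe|Invoke-\w+|\biex\b|curl\s|wget\s|osascript|\b(ba)?sh -c",
    re.IGNORECASE,
)


def _strings(obj):
    """Yield every string nested anywhere in a parsed JSON value, so the scan
    does not depend on the exact schema of a plugin's data.json."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def triage_vault(vault):
    """Inspect a vault's .obsidian directory before opening it with plugins on."""
    cfg = Path(vault) / ".obsidian"
    report = {"enabled_plugins": [], "watchlist_hits": [], "suspicious_commands": []}
    enabled = cfg / "community-plugins.json"  # JSON list of enabled plugin IDs
    if enabled.is_file():
        report["enabled_plugins"] = json.loads(enabled.read_text())
    report["watchlist_hits"] = sorted(set(report["enabled_plugins"]) & WATCHLIST)
    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for data_file in sorted(plugins_dir.glob("*/data.json")):
            try:
                data = json.loads(data_file.read_text())
            except (OSError, ValueError):
                continue
            for text in _strings(data):
                if SUSPICIOUS.search(text):
                    report["suspicious_commands"].append((data_file.parent.name, text))
    return report


def build_demo_vault(root):
    """Write a constructed vault mimicking the campaign's layout (example data;
    the data.json schema is simplified and the command is a placeholder)."""
    cfg = Path(root) / ".obsidian"
    shell_dir = cfg / "plugins" / "obsidian-shellcommands"
    hider_dir = cfg / "plugins" / "obsidian-hider"
    shell_dir.mkdir(parents=True)
    hider_dir.mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (shell_dir / "data.json").write_text(json.dumps({
        "shell_commands": [{"id": "startup", "command":
                            'powershell -w hidden -c "<stage-2 download placeholder>"'}]
    }))
    (hider_dir / "data.json").write_text(json.dumps({"hideStatus": True}))
    return root


def run_demo():
    """Build the constructed vault in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_vault(build_demo_vault(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run `triage_vault` against a real vault path before leaving Restricted mode; any hit in `suspicious_commands` from a vault someone else sent you is reason enough to stop.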
Notable traits:
- the code shows signs of having been written with AI assistance;
- it uses the Ethereum blockchain as a Dead Drop Resolver (DDR): the command server’s address is recovered by decoding recent transactions of a specific wallet, so there is no hard-coded C2 address to block;
- it collects telemetry, executes commands via code injection, takes screenshots, logs activity, can escalate privileges to SYSTEM and covers its tracks.
On Apple systems, the trojan runs an AppleScript and uses Telegram as the DDR, which lets the attackers rotate domains if one is discovered.
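What a blockchain dead drop looks like in practice, as an added example that is not Elastic's code or PHANTOMPULSE's: a constructed list of transactions for a "dead drop" wallet, a resolver that walks them newest first and takes the first calldata that decodes to a URL, and the mirror-image hunting heuristic. The field names follow the shape of `eth_getTransactionByHash` output; the calldata encoding (a plain UTF-8 URL) and the sample URLs are assumptions for the example, not details of the real malware, which may obfuscate the payload.

```python
# Constructed transaction records for one "dead drop" wallet, oldest first.
# Field names follow eth_getTransactionByHash; the calldata encoding (plain
# UTF-8 URL) is an assumption for this example, not a documented detail of
# PHANTOMPULSE.
def _calldata(text):
    return "0x" + text.encode("utf-8").hex()


SAMPLE_TXS = [
    # An ordinary ERC-20 transfer(address,uint256) call: selector 0xa9059cbb.
    {"blockNumber": hex(100), "to": "0x" + "11" * 20,
     "input": "0xa9059cbb" + "00" * 64},
    {"blockNumber": hex(200), "to": "0x" + "22" * 20,
     "input": _calldata("https://old-c2.example/gate")},
    {"blockNumber": hex(300), "to": "0x" + "22" * 20,
     "input": _calldata("https://new-c2.example/gate")},
    # A plain value transfer with no calldata at all.
    {"blockNumber": hex(301), "to": "0x" + "33" * 20, "input": "0x"},
]


def decode_calldata_text(hex_input):
    """Return the calldata as printable text, or None if it is not text."""
    raw = hex_input[2:] if hex_input.startswith("0x") else hex_input
    if not raw:
        return None
    try:
        # ABI-encoded strings are right-padded with zero bytes; strip them.
        text = bytes.fromhex(raw).decode("utf-8").rstrip("\x00")
    except ValueError:  # bad hex or invalid UTF-8 (UnicodeDecodeError is a ValueError)
        return None
    return text if text and text.isprintable() else None


def resolve_c2(txs):
    """Resolver as the text describes it: walk the wallet's transactions newest
    first and take the first calldata that decodes to an http(s) URL."""
    for tx in sorted(txs, key=lambda t: int(t["blockNumber"], 16), reverse=True):
        text = decode_calldata_text(tx["input"])
        if text and text.startswith(("http://", "https://")):
            return text
    return None


def hunt_ddr_candidates(txs):
    """Defender heuristic: calldata that decodes to a URL is rare in ordinary
    contract calls, so every such transaction is a candidate dead drop."""
    candidates = []
    for tx in txs:
        text = decode_calldata_text(tx["input"])
        if text and text.startswith(("http://", "https://")):
            candidates.append((int(tx["blockNumber"], 16), text))
    return candidates


if __name__ == "__main__":
    print("current C2:", resolve_c2(SAMPLE_TXS))
    print("dead-drop candidates:", hunt_ddr_candidates(SAMPLE_TXS))
```

The attacker rotates infrastructure by sending one more transaction, so blocking the old URL achieves nothing; the durable indicator is the wallet address itself, which is why a sample's DDR wallet is worth extracting and watching.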
Also on ForkLog:
- Drift received $127 million from Tether to compensate hack victims.
- Ledger published a security roadmap for the age of AI agents.
- Scammers stole $9.5 million via a fake Ledger app in the App Store.
- The US Department of Justice began payouts to OneCoin victims.
- Regulators worldwide voiced concern over the capabilities of Anthropic’s new AI model.
- An attacker exploited the Hyperbridge bridge and minted 1 billion Polkadot tokens.
What to read this weekend?
Promises, billions raised and harsh reality: in a new feature, ForkLog revisits the evolution of layer-1 blockchains that tried to unseat Ethereum.
