
Labubu lures target crypto users, booby-trapped movie torrents and other cybersecurity developments
We have gathered the week’s most important cybersecurity news.
- A $1.6 million crypto address “poisoning”.
- Labubu fans lost digital assets.
- Movie torrents are stealing cryptocurrency.
- Hackers opened the gates of a Norwegian dam.
Crypto-address “poisoning” nets $1.6m
According to a post by the anti-scam team ScamSniffer, on 15 August one user lost 140 ETH (~$636,500 at the time of writing) after copying the wrong address from a “contaminated” transfer history.
🚨💔 1 hour ago, a victim lost 140 ETH ($636,559) after copying the wrong address from contaminated transfer history. pic.twitter.com/iFuzpjup98
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) August 15, 2025
Address poisoning relies on creating near-identical addresses. Attackers send small transactions from lookalike wallets to trick users into copying the wrong one for future transfers.
According to Cointelegraph, on 10 August a victim of a similar attack lost $880,000. Other reports, the outlet writes, point to two more cases: one a loss of $80,000, the other $62,000. Over five days, scammers made off with more than $1.6 million using this method.
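The lookalike check a wallet or block explorer could run over a transfer history, shown as an added example that is not code from the ForkLog article or from ScamSniffer. It compares each counterparty against an address book on the leading and trailing hex characters that wallet UIs typically display, which is exactly what poisoning addresses are generated to match; the addresses and transfers below are constructed.

```python
# Added example, not code from the ForkLog article or from ScamSniffer.
# Flags "poisoning" addresses: entries in a transfer history that copy the
# leading and trailing characters of a trusted address (the only characters
# most wallet UIs display) but differ in the middle.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    counterparty: str   # the other party's address, hex with 0x prefix
    value_eth: float
    direction: str      # "in" or "out"


def normalize(addr: str) -> str:
    """Lower-case and strip the 0x prefix so checksum casing does not defeat comparison."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def looks_alike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate matches trusted on its first/last hex characters but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def find_poisoning_candidates(history, address_book, dust_threshold_eth=0.001):
    """Return (lookalike, mimicked, is_dust_inbound) for every history entry that
    resembles an address-book entry. A tiny inbound transfer from a lookalike is
    the classic poisoning pattern; is_dust_inbound marks it."""
    hits = []
    for tx in history:
        for trusted in address_book:
            if looks_alike(tx.counterparty, trusted):
                dust = tx.direction == "in" and tx.value_eth <= dust_threshold_eth
                hits.append((tx.counterparty, trusted, dust))
    return hits


def safe_to_send(destination, address_book):
    """Send-form guard: accept only an exact (case-insensitive) address-book match,
    never a 'looks right' match on the displayed characters."""
    d = normalize(destination)
    return any(normalize(t) == d for t in address_book)


# Constructed sample data: one trusted address, one lookalike that matches its
# first and last four characters, and one unrelated address.
TRUSTED = "0x1a2b" + "00" * 16 + "9f8e"
LOOKALIKE = "0x1a2b" + "ff" * 16 + "9f8e"
UNRELATED = "0x" + "ab" * 20
HISTORY = [
    Transfer(TRUSTED, 2.0, "out"),        # the real payment the user made earlier
    Transfer(LOOKALIKE, 0.0001, "in"),    # dust from the attacker's lookalike wallet
    Transfer(UNRELATED, 1.5, "in"),
]

if __name__ == "__main__":
    for lookalike, mimicked, dust in find_poisoning_candidates(HISTORY, [TRUSTED]):
        print(f"suspicious: {lookalike} mimics {mimicked}; dust inbound={dust}")
    print("send to lookalike allowed?", safe_to_send(LOOKALIKE, [TRUSTED]))
```

The send-form guard is the important half: copying a destination out of history is the habit the attack exploits, so the form should accept only an exact address-book match rather than whatever was last pasted.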
ScamSniffer also reported that, beyond address-poisoning losses, at least $600,000 was stolen this week after victims signed malicious phishing requests (approve, increaseAllowance and permit) that grant a third party the right to spend their tokens.
🚨 11 hrs ago, an Aave user lost $343,389 worth of aEthWETH after signing a malicious “permit” phishing signature.💸 pic.twitter.com/Og097nUtrj
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) August 10, 2025
On 12 August, a user lost BLOCK and DOLO tokens worth $165,000.
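What a wallet could check before the user signs one of those requests, as an added example that is not code from the ForkLog article or from ScamSniffer: it decodes approve and increaseAllowance calldata into spender and amount, extracts spender, value and deadline from EIP-2612 Permit typed data, and classifies anything that grants an unlimited allowance to an unvetted spender. The selectors are the standard ERC-20 and OpenZeppelin values; the spender address, calldata and permit message are constructed.

```python
# Added example, not code from the ForkLog article or from ScamSniffer.
# Decodes what a wallet is about to sign and classifies token approvals and
# EIP-2612 permits that would hand spending rights to an unvetted spender.

# Function selectors are the first 4 bytes of keccak256(signature); these are the
# standard ERC-20 approve and OpenZeppelin increaseAllowance values.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UINT256_MAX = 2**256 - 1


def decode_approval(calldata: str):
    """Return (function, spender, amount) for approve/increaseAllowance calldata,
    or None when the selector is something else. Both functions take an address
    (left-padded to a 32-byte word) followed by a uint256 word."""
    data = calldata.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("truncated ABI arguments")
    spender = "0x" + args[24:64]     # low 20 bytes of word 0
    amount = int(args[64:128], 16)   # word 1
    return name, spender, amount


def decode_permit(typed_data: dict):
    """Return (spender, value, deadline) from EIP-2612 Permit typed data, else None.
    A permit is signed off-chain, so nothing appears in calldata; the signature
    alone lets the spender pull tokens until the deadline."""
    if typed_data.get("primaryType") != "Permit":
        return None
    msg = typed_data["message"]
    return msg["spender"].lower(), int(msg["value"]), int(msg["deadline"])


def assess(spender: str, amount: int, trusted_spenders) -> str:
    """'ok' for a vetted spender, 'review' for an unknown one, 'danger' for an
    unknown spender granted an unlimited allowance."""
    if spender.lower() in {s.lower() for s in trusted_spenders}:
        return "ok"
    return "danger" if amount == UINT256_MAX else "review"


# Constructed samples. The approve call grants an unlimited allowance to a
# made-up spender; the permit does the same via a signature request.
DRAINER = "0x" + "de" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "de" * 20 + "ff" * 32
SAMPLE_INCREASE = "0x39509351" + "00" * 12 + "de" * 20 + "ff" * 32
# transfer(address,uint256): moves tokens, but is not an allowance grant
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "de" * 20 + "00" * 32
SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "message": {
        "owner": "0x" + "11" * 20,
        "spender": DRAINER,
        "value": str(UINT256_MAX),
        "nonce": "0",
        "deadline": "1755000000",
    },
}

if __name__ == "__main__":
    fn, spender, amount = decode_approval(SAMPLE_APPROVE)
    print(fn, spender, "unlimited" if amount == UINT256_MAX else amount, assess(spender, amount, []))
    print("transfer decoded as approval?", decode_approval(SAMPLE_TRANSFER))
    spender, value, deadline = decode_permit(SAMPLE_PERMIT)
    print("permit", spender, "until", deadline, assess(spender, value, []))
```

The point of the classification is that the dangerous case looks identical to a routine DEX approval in the wallet prompt; only the spender address and the allowance amount distinguish them.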
Labubu fans lose cryptocurrency
On 11 August, F6 analysts uncovered a scheme to steal cryptocurrency from Russian users, reports РБК.
Using a fake marketplace for the popular Labubu toy, scammers offered free cryptocurrency with the same name. To take part in the bogus promotion, users were asked to connect a crypto wallet.
Once the wallet was connected, the site requested access to its balance and transaction history. If assets were present, the interface asked for an additional permission, supposedly to verify eligibility for an “airdrop”. The malware then transferred the victim’s funds to the attackers’ addresses.
To conserve resources, the hackers screened wallets: if they were empty, the user was refused participation.
Earlier, fraudsters abused the Labubu brand to steal Telegram accounts. They created bots that ostensibly let users win the toy or receive it for a review. Victims shared their contact details and entered a code received from the messenger, after which they lost access to their accounts.
Movie torrents steal cryptocurrency
Researchers at Kaspersky Lab observed a wave of thefts involving wallet-address substitution. The Efimer trojan spreads via compromised WordPress sites, torrents and email. The malware also harvests credentials from the compromised sites and uses them for further spam distribution.
For attacks on individuals, attackers use torrent files as lures. They find poorly protected WordPress sites and post messages offering downloads of newly released films. The link leads to a password-protected archive in which the malicious file is disguised as a media player, xmpeg_player.exe.
For corporate targets, phishing emails allege copyright infringement, and the malicious file is bundled in an archive presented as containing the details of the claim. When it is launched, the computer is infected with Efimer, and the user sees only an error message.
The trojan then replaces cryptocurrency addresses in the clipboard with the attackers’ wallets. It also searches for strings that look like seed phrases and can run malicious code received over the Tor network to restore itself.
Kaspersky says that from October 2024 to July 2025, 5,015 users of its solutions encountered Efimer. The most affected countries included India, Spain, Russia, Italy and Germany.
Hackers opened the gates of a Norwegian dam
Pro-Russian hackers gained control of critical operational systems at a dam in Norway and opened the discharge valves, writes Bleeping Computer.
They breached the digital system controlling water flow at a dam in the municipality of Bremanger and set the discharge valves to open. Operators took about four hours to detect and shut off the water. By that time, more than 7.2 million litres had flowed through the system.
The attack occurred in April. It became public in August from Beate Gangås, head of the Norwegian police security service. In her words, it was less an attempt to cause damage than a demonstration of hacker capabilities.
Dealer portal flaw allowed remote car control
On 10 August, Harness cybersecurity researcher Eaton Zveare told TechCrunch about a vulnerability in a carmaker’s online dealer portal. It allowed exposure of customers’ personal data and vehicle details, as well as remote compromise of a vehicle.
Zveare declined to name the manufacturer but said it is a widely known car group with several popular brands. He said finding the flaw in the portal’s authentication system was difficult, but once he did, he was able to fully bypass the login mechanism by creating a new administrator account.
The flawed authentication logic ran client-side: it was loaded into the user’s browser when the login page opened, so it could be modified and its security checks bypassed. With access, he could reach more than 1,000 of the manufacturer’s dealerships across the United States.
As an example, Zveare took a vehicle’s VIN from a windscreen in a car park and used it to identify the owner. He noted the tool could also be used to search by a customer’s first and last name.
With portal access, it was also possible to link any car to a mobile account, enabling control of some functions via the app — for example, unlocking doors. The expert did not test whether the car could be driven away, but said the flaw enabled a break-in and theft of belongings.
Also on ForkLog:
- Tajikistan lost more than $3m due to illegal mining.
- BtcTurk suspended withdrawals amid $48m in suspicious transactions.
- A user hacked a North Korean hacker.
- An Ethereum developer fell victim to a malicious AI extension.
- Expert: the Qubic attack on Monero caused no damage to the network.
- Binance joined the T3+ anti-crypto-crime programme.
- Hackers withdrew $7m in bitcoin from the Odin.fun platform.
- KYC data leaks led to a rise in attacks on crypto investors.
- Embargo ransomware operators were linked to the ‘runaway’ BlackCat group.
What to read this weekend?
ForkLog looked into who stands behind the Salomon Brothers brand and what risks the industry faces from the company’s bid to access bitcoin addresses it considers abandoned.
ForkLog newsletters: keep your finger on the pulse of the bitcoin industry!