New computer-hacking methods, SMS phishing and other cybersecurity developments

We have gathered the week’s most important cybersecurity news.

The FBI estimates $21bn in cybercrime losses

Victims in the United States lost around $21bn to cybercrime, according to a report by the FBI for 2025.

Top categories included investment fraud, business email compromise, tech-support scams and data breaches. The tally rose by 26% compared with 2024.

Last year, the most common complaints were:

• phishing — 191,000 cases;
• extortion — 89,000;
• investment schemes — 72,000.

The last category accounted for 49% of recorded incidents, with losses of $8.6bn. However, the largest damage came from cryptocurrency-related crime: losses exceeded $11bn across 181,565 cases.

Key findings:

• cyber fraud featured in 453,000 complaints and caused $17.7bn in losses;
• Americans aged over 60 suffered the most: $7.7bn in losses (up 37% year-on-year);
• for the first time, AI-enabled scams (voice cloning, fake profiles, forged documents and deepfake videos) were included: 22,300 complaints and $893m in losses. 

Chrome gets chip-level protection against info-stealers

Google launched Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. The feature is designed to block malware from stealing and reusing cookies.

Session cookies act as authentication tokens that let users access accounts without re-entering credentials. Info-stealers such as GlassWorm and LummaC2 have learned to extract these data effectively from browser memory or local files.

DBSC cryptographically binds a user’s session to specific hardware—the computer’s security chip:

• on Windows — Trusted Platform Module;
• on macOS — Secure Enclave.

How the protection works:

• the chip generates a unique public–private key pair;
• the private key cannot be exported off the device;
• to issue new short-lived session cookies, Chrome must prove to the server that it controls the corresponding private key.

If an attacker steals cookies, they become almost immediately useless, as the server will not validate the session without the hardware-held key. macOS users will get the feature in a future Chrome update.

Ukraine exposes “helpers” in cryptocurrency trading

Ukrainian law enforcement uncovered a scheme to steal cryptocurrencies under the guise of trading assistance to “multiply profits,” the Cyber Police reported. 

According to investigators, the perpetrators found potential victims in thematic Telegram channels. They sent links to fake websites that mimicked trading platforms but contained malware—crypto-drainers.

After connecting a wallet to such a site, victims effectively granted the attackers full access to their assets without additional confirmation.

Scale of losses:

• in one case, the suspects seized about 95,000 USDT;
• in another, they stole more than 1,000 USDT.

The attackers moved funds between wallets, swapped them for other assets and converted them to cash.

Police carried out 20 simultaneous searches at the residences of group members and at an office location. They seized computer equipment and mobile phones, cash and records confirming the illegal activity.

Four members, including a co-organiser, were notified of suspicion of large-scale fraud and laundering of criminal proceeds.

The charges carry up to 12 years in prison with confiscation of assets.

Researchers disclose new ways to hack computers

Three research groups presented new attacks on Nvidia GPUs’ memory. They can grant hackers privileged access by exploiting “bit flips.”

Memory cells store information as electrical charges that define bits as 1s or 0s. A Rowhammer attack intensively agitates some cells to alter the charge in adjacent ones, causing bit flips.

New Rowhammer variants targeting GDDR6 video memory:

• GDDRHammer. Works against the RTX 6000 on the Ampere architecture. Using new hammering patterns, the researchers achieved an average of 129 bit flips per memory bank—64 times more than last year’s GPUHammer. The attack allows an adversary to gain access to the CPU;
• GeForge works similarly but manipulates the page directory. The researchers achieved 1,171 bit flips on an RTX 3060 and 202 on an RTX 6000. According to them, this is the first GPU Rowhammer that enables privilege escalation to root;
• GPUBreach. The attacker coerces a kernel-privileged driver to perform an out-of-bounds write. The attack was demonstrated on an RTX A6000—a model widely used to train AI.

The team from Toronto shared details with Nvidia, Google, AWS and Microsoft back in November 2025. In response, Google paid the researchers $600 under its bug-bounty programme. Nvidia said it may update its last-year security bulletin related to GPUHammer.

Hackers exploited an old flaw in the Flowise AI platform 

Hackers have begun actively exploiting a maximum-severity vulnerability in the Flowise AI platform, said VulnCheck cybersecurity expert Caitlin Condon.

The tool is designed to build applications based on a LLM using AI agents, including by users without technical skills. 

According to Condon, the flaw allows JavaScript code to run without any security checks. The issue was publicly disclosed in September last year with a warning that successful exploitation leads to command execution and access to the file system.

According to the expert, the problem lies in the Flowise CustomMCP node, which allows configuration of a connection to an external server. At the time it was observed, activity was limited and originated from a single Starlink IP address.

Between 12,000 and 15,000 custom Flowise instances are accessible online. It is not yet clear what share remain vulnerable.

Condon recommended updating the software to version 3.1.1 (or at least 3.0.6), and considering disconnecting instances from the internet if external access is not required.

In the US, scammers sent “fine notices” with phishing QR codes

Fraudsters sent fake SMS about unpaid traffic fines, posing as state courts, BleepingComputer reports.

The QR code led to a phishing site to take a $6.99 payment and subsequently steal personal and financial data. 

The new campaign began a few weeks ago, according to the outlet. One user shared with the publication the text of a message targeting New York residents. Similar SMS reached victims in other states.

Unlike previous campaigns with ordinary links, this version used an image of an alleged court notice.

The message received by the newsroom claimed it was sent by the “Criminal Court of the City of New York.” The recipient was threatened: either immediate payment of a fine for parking or toll violations, or a court appearance.

How the phishing worked:

1. Scanning the code led to an intermediary site to solve a CAPTCHA, used to evade automated security systems.
2. After that, the user landed on a site mimicking the Department of Motor Vehicles or another agency. In all examples, the “debt” amount was the same.
3. Clicking the payment button opened a form to enter personal details and bank-card information.

According to the outlet, the data were then stolen and could be used for fraud and identity theft.

Also on ForkLog:

• Unknown actors attacked a Hyperliquid vault via a FARTCOIN pump.
• The password “123456” exposed a network of North Korean IT workers in the crypto industry.
• Bitcoin ATM operator Bitcoin Depot reported a $3.7m breach.
• OpenAI will strengthen measures to protect children.
• DEX Stabble urged users to withdraw assets over a North Korean hacker threat.
• Anthropic shut down public access to the Mythos AI model after it “escaped the lab.”
• Bitcoin Core will host a public demonstration of Bitcoin consensus vulnerabilities.
• Solana projects will get a unified incident-response system for hacks.
• North Korean operatives secretly wrote code for leading DeFi projects for seven years.
• Drift Protocol revealed details of a $280m hack.

What to read this weekend?

In a new piece, ForkLog and industry experts examine how DAOs are developing and what holds decentralised organisations back.