
Crypto theft via games, Telegram blocks’ impact, and other cybersecurity developments
We round up the week’s key cybersecurity news.
- “Test” video games spread crypto-stealing malware.
- Russians warned about an app that clones bank cards.
- Telegram blocks cut data leaks.
Experts uncover another way to steal crypto via Zoom
The director of cybersecurity firm Trail of Bits encountered a Zoom-borne cyberattack after being invited to an interview with Bloomberg Crypto. The attackers contacted the target on social media and scheduled the call via Calendly links.
During the call, the hackers initiated screen sharing and sent a request for remote control. At that moment, the caller changed their display name to “Zoom”, making the prompt look legitimate to the victim: “Zoom is requesting remote control of your screen”.
If approved, the attacker gains full remote control of the system, enabling theft of confidential data, installation of malware and initiation of crypto transactions.
Russians warned about a card-cloning app
The company F6 discovered a new malicious build of the legitimate NFCGate app, used in attacks on bank customers. It is tailored for fraudulent call centres.
Instead of intercepting NFC data from a user’s card, the attackers create a clone of their own card on the victim’s device. They then, under various pretexts, direct the victim to an ATM to deposit money, supposedly to the victim’s own account. In fact, all transfers go to the scammers.
Losses of Russian bank customers from all malicious versions of NFCGate in Q1 2025 totalled 432m rubles. The average loss from the new version in March is estimated at 100,000 rubles.
“Test” video games spread crypto-stealers
Flashpoint noted that “test” video games have appeared on popular gaming platforms and are being used by cybercriminals to steal users’ confidential information.
After the victim downloads an archive, the AgeoStealer malware lands on the computer. It scans Chrome, Firefox, Microsoft Edge and Opera for stored credentials, authentication tokens and browsing history.
The stealer prioritises logins and passwords, cookies and cryptocurrency wallet data.
AgeoStealer can mask its activity and evade detection by traditional antivirus tools for prolonged periods.
Telegram blocks reduced the number of leaks
In the first quarter of 2025, F6 specialists recorded 67 cases of publishing databases of Russian companies, 29% fewer than in the same period last year (95 leaks).
Experts linked the decline to active blocking of closed Telegram chats where stolen information was distributed.
Retail and online stores account for more than 46% of all public leaks in 2025, and the public sector for 13%. IT companies, internet services, telecoms and educational portals are also at risk.
Roughly 99.7m rows ended up publicly accessible, including full names, home addresses, passwords, dates of birth, passport data and phone numbers.
Americans asked to help catch hackers
The FBI requested information from the public about the Chinese hackers Salt Typhoon, who are behind large-scale breaches of telecommunications providers’ networks in the US and worldwide. Their activity led to the theft of call detail records and a limited number of private messages.
Authorities are interested in any information that could help identify and locate the cybercriminals.
Separately, the State Department offers a reward of up to $10m for information on foreign hackers involved in malicious activity against US critical infrastructure.
Scammers built an “AI-based investment project” in WhatsApp’s name
The phishing site WhatsApp AI dupes users by promising monthly earnings starting at €14,000, experts at Solar AURA told ForkLog.
The platform is promoted as “a new solution for automated stock trading via the popular messenger”. Clients are enticed with minimal investments — it is enough to leave personal data and deposit funds for access to the system.
After payment, the money stays with the scammers, and the victim receives no profit.
Also on ForkLog:
- The Zora team was suspected of selling tokens ahead of the airdrop.
- CloneX NFT avatars returned after “disappearing”.
- Hackers from North Korea created shell companies to deceive users.
- Tether froze 28.7m USDT across 13 addresses.
- Crypto scammers stole $2.8bn from elderly Americans in 2024.
- ZKsync reached a deal with a hacker to return $5m.
- Inaccurate data were found in NABU’s bitcoin declarations.
- Operators of crypto-theft malware have begun renting out tools.
- The SEC accused PGI Global’s CEO of crypto fraud worth $198m.
- Unicoin rejected the SEC’s settlement offer.
- A hacker attacked XRP holders via a JavaScript library.
- WazirX will resume operations after a $235m hack.
- The UN voiced concern about money laundering via mining.
- Binance’s founder received 90m fake Grok tokens.
- Durov denied handing over private Telegram chats to authorities.
- Bitget will compensate losses after manipulation with the VOXEL token.
- In Kazakhstan, 3.8m USDT was seized from three pyramids.
- Bybit’s CEO: more than half of stolen assets can be traced.
- HashFlare’s founders were asked to leave the US despite a court order.
- BestChange reported another block in Russia.
What to read this weekend?
The story of the founder of the OneCoin crypto pyramid scheme. How did Ruja Ignatova live, and where did she disappear to?