
Stealth bitcoin address swaps, a sex-toy maker’s data leak, and other cybersecurity news


A roundup of the week’s key cybersecurity developments.

  • Hackers devised a stealthy scheme to swap bitcoin addresses.
  • A new Android trojan was disguised as IPTV apps.
  • Trezor and Ledger users received phishing letters by post.
  • A researcher exposed major firms for tracking Chrome users via extensions.

Hackers devise a stealthy bitcoin address swap

Criminals have begun quietly substituting bitcoin addresses under the guise of a lucrative crypto-arbitrage deal. The scheme was spotted by BleepingComputer.

The campaign hinges on promises of huge profits from a supposed “arbitrage vulnerability” on the Swapzone crypto-exchange platform. In reality, the attackers run malicious code that modifies the swap process directly in the victim’s browser.

ClickFix-style attacks usually target operating systems: users are tricked into running PowerShell commands to “fix Windows errors”, leading to the installation of stealers or ransomware. Here, the target is a specific browser session.

According to media reports, this is among the first recorded cases of ClickFix mechanics being used to manipulate web pages for the direct theft of cryptocurrency.

To push the scam, the attackers leave comments under various posts on Pastebin, the popular text (code snippet) hosting service.

Source: BleepingComputer.

They advertise a “leaked hacking manual” that supposedly lets users earn $13,000 in two days, and attach a link. The “guide” in Google Docs describes a way to obtain inflated swap amounts in certain BTC pairs.

BleepingComputer observed that between one and five people were viewing the document concurrently at any given time, suggesting the scheme is active.

Source: BleepingComputer.

The bogus guide tells users to:

  1. Go to the Swapzone website.
  2. Copy JavaScript code from an external resource.
  3. Return to the Swapzone tab, type javascript: into the address bar, paste the copied code and press Enter.

This method uses the browser’s javascript: URI scheme to execute code in the context of the open site. Analysis showed that the initial script loads a second, heavily obfuscated payload, which injects itself into the Swapzone page and replaces the legitimate Next.js scripts responsible for processing transactions.

New Android trojan disguised as IPTV apps

A new piece of Android malware poses as an IPTV app to steal digital identities and access victims’ bank accounts, reported ThreatFabric researchers.

The Massiv virus uses screen overlays and keylogging to collect sensitive data. It can also establish full remote control of an infected device.

During the campaign, Massiv targeted a Portuguese government app tied to Chave Móvel Digital, the national digital authentication and signature system. Data held in these services can be used to bypass KYC checks, access bank accounts and other public and private online services.

ThreatFabric says there have been cases of bank accounts and services being opened in a victim’s name without their knowledge.

Massiv gives operators two modes of remote control:

Source: ThreatFabric.

The second mode lets attackers see text, UI element names and their coordinates. That allows them to press buttons and edit text fields on the user’s behalf. More importantly, the method can bypass screenshot protections often built into banking and finance apps.

Researchers noted a striking trend: over the past eight months the use of IPTV apps as lures for infecting Android devices has surged.

Source: ThreatFabric.

Such apps often infringe copyright, so they are not available on Google Play. Users are accustomed to downloading APKs from unofficial sources and installing them manually.

The campaign is aimed at residents of Spain, Portugal, France and Turkey.

Trezor and Ledger users received phishing letters by post

Users of Trezor and Ledger have begun receiving physical letters sent by scammers purporting to be the makers of the hardware wallets.

According to cybersecurity specialist Dmitry Smilyanets, the letter he received looked like an official notice from Trezor’s security department.

On company letterhead, the client was instructed to complete a mandatory step: scan a QR code and finish verification on a special website by a set date. Failure to do so would result in the loss of wallet functionality, the letter warned.

In comments under the post, others reported earlier phishing letters purporting to come from Ledger. Both letters created urgency, pushing victims to act immediately.

The QR codes in the letters led to malicious sites mimicking the official setup pages for Trezor and Ledger. At the final step, users were forced to enter their seed phrase to “confirm ownership of the device”.

Researcher accuses big firms of tracking Chrome users via extensions

A researcher going by Q Continuum found 287 Chrome extensions that transmit all browsing-history data to third-party companies. Their combined installs exceed 37.4 million.

Using an automated testing system, the specialist checked 32,000 plugins from the Chrome Web Store and identified more than 30 companies collecting data.

The analyst argues that extensions offering handy tools are unjustifiably requesting access to browser history. Some additionally encrypt the data, hindering detection.

According to the researcher, some of the data collection is formally spelled out in privacy policies. Not all users, however, pay due attention to them.

The researcher called out Similarweb, Semrush, Alibaba Group, ByteDance and Big Star Labs, an entity affiliated with Similarweb.

Under suspicion are the Stylish theme customiser and ad blockers (Stands AdBlocker and Poper Blocker, CrxMouse), as well as Similarweb’s own extension (SimilarWeb: Website Traffic & SEO Checker).

Source: Q Continuum’s GitHub.

Roughly 20 million of the 37.4 million installs could not be tied to specific data recipients.

Similarweb’s privacy policy documents its data collection. The company says it anonymises information on the client side, though it also notes that “some of this data may include personal and confidential information depending on search queries and viewed content”.

Data of customers of a popular adult-toy maker leaked

Japanese company Tenga sent customers notices of a data-security incident, reports TechCrunch.

According to the notice, “an unauthorised party accessed the professional email account of one of our employees”, giving the hacker access to the inbox. This potentially allowed them to view and steal customer names, email addresses and message histories that “might have included order details or support enquiries”.

The hacker also sent spam to the contact list of the compromised employee, including company clients.

After publication, a Tenga representative told TechCrunch that a technical examination indicated the leak affected “approximately 600 individuals” in the United States.

Tenga is a global supplier of adult goods. Given the nature of the products, order and support details are likely to contain personal information many customers prefer not to disclose.

The company has taken several protective measures:

The representative declined to say whether two-factor authentication was enabled on the email account before the breach.

In Africa, 651 suspects arrested in cybercrime operation

Law enforcement in African countries arrested 651 suspects and seized more than $4.3 million in a joint operation against investment fraud, Interpol reports.

Red Card 2.0 targeted cybercriminal groups linked to financial losses exceeding $45 million. Authorities in 16 countries seized 2,341 devices and blocked 1,442 malicious websites, domains and servers.

Key results by country:


What to read this weekend?

In his novel “Blindsight”, Canadian biologist and writer Peter Watts proposed a radical hypothesis: intelligence can function effectively without consciousness. Nearly 20 years on, the thesis neatly describes generative AI.

In a new piece, ForkLog examines the mistakes we make when anthropomorphising algorithms.
