
Telegram’s perilous ‘Security’, $4.7m hit to MetaMask and OKX, and other cybersecurity developments

We round up the week’s most important cybersecurity news.

  • MetaMask and OKX extensions in the AdsPower browser were compromised.
  • Telegram users were warned about messages from an account named “Security”.
  • A trojan targeting Bitcoin wallets slipped into app stores. 
  • Hundreds of AI developers downloaded a stealer disguised as DeepSeek.

MetaMask and OKX extensions in the AdsPower browser hit by an attack

On January 21 hackers mounted a supply-chain attack on the privacy-focused AdsPower browser. According to the latest expert findings, the malicious code ultimately targeted the MetaMask and OKX wallet extensions.

According to SlowMist analysts, the attackers embedded a backdoor in the browser that siphoned off seed phrases and private keys to steal cryptocurrencies.

The incident went unnoticed for three days, after which AdsPower developers removed the code and the targeted extensions from users’ browsers. Potential victims were notified and advised to move funds to safe addresses. 

Preliminary estimates put losses at around $4.7m. The investigation continues.

Telegram users warned about messages from an account named “Security”

F.A.C.C.T. Threat Intelligence analysts reported a surge in a Telegram account-takeover scheme in which criminals send messages from a user called “Security”, with the messenger’s logo as the avatar. The aim is to convince the target that there has supposedly been an unauthorised login to their account.

The message contains a link “to enhance data protection”. Following it opens a phishing site that asks the user to sign in to Telegram by scanning a QR code. If the victim complies, the attackers gain access to the account.

Screenshot of the scammers’ message. Source: F.A.C.C.T. 

In 2023, a similar service offering full export of messages and content was advertised for $17,000 (over 1.5m roubles).

Trojan targeting Bitcoin wallets found in app stores

Kaspersky Lab experts discovered SparkCat, a trojan aimed at stealing crypto wallet data, in the App Store, Google Play and on unofficial platforms.

The malware spreads as part of trojanised messengers, AI assistants and food-delivery apps.

Once on a device, SparkCat requests access to view photos. It can analyse text in images in the gallery using optical character recognition (OCR). When it finds a recovery phrase for crypto wallets, it sends the image to the attackers. Other data visible in screenshots—such as message content or passwords—are also at risk.

SparkCat targets users in the UAE, Europe and Asia. Apps with the embedded malicious module have been downloaded more than 242,000 times by Android users alone.

After Kaspersky notified them, Google and Apple removed the trojanised apps from their stores.

Hundreds of AI developers downloaded a stealer masquerading as DeepSeek

Positive Technologies researchers found two malicious packages, deepseek and deepseekai, in the Python Package Index (PyPI), masquerading as tools for AI developers.

When run on a computer, the software stole user and system data as well as API keys and permissions to access other infrastructure resources.

After being notified, PyPI immediately quarantined the packages and soon completely removed them. Despite the swift response, they were downloaded by 222 developers, including in the US, China, Russia, Germany, Hong Kong and Canada.

Because of the risk of compromise, affected developers were advised to rotate API keys, authentication tokens and passwords immediately.

Spanish police seized 50 crypto wallets from a suspect in hacks of NATO and the UN 

In Alicante, a suspect was detained and placed under house arrest over breaches at no fewer than 40 public and private organisations in Spain and the United States. The investigation into the cyberattacks has been under way since January 2024.

According to the agency, the suspect gained access to internal documents and databases containing personal information on employees and clients, and later sold them on hacker forums. Victims included Spain’s Civil Guard and Ministry of Defence, NATO, the UN, the US Army and several universities.

During a search of the suspect’s home, police found and seized several computers, electronic devices and 50 cryptocurrency wallets containing various digital assets. 

On the combined counts, the suspect faces up to 20 years in prison. Investigators are checking for links to other crimes and possible accomplices.

Russia’s tax service explains how it stores data on Bitcoin mined domestically

Russia’s Federal Tax Service (FTS) will restrict access to information about mined cryptocurrencies and miners’ address identifiers, Deputy Anton Gorelkin said on his Telegram channel.

According to him, entrepreneurs are concerned about the safety of highly sensitive data, including wallet information. Gorelkin agreed that a leak could be “a big gift to geopolitical opponents”.

“At the FTS they assured me that the information is stored in a separate internal secure system, and access to it is seriously restricted even within the agency, and obtaining it from outside is practically impossible,” the official wrote.

Citing specialists, Gorelkin concluded that the risk of sensitive data leaking from the tax authority’s internal systems “is reduced to zero today”.
