Thai crypto billionaire on the run, ‘FBI’ tokens and other cybersecurity highlights

This week’s top cybersecurity: 1000X scandal, FBI seizures, Nordstrom scam, fake ‘FBI’ tokens.

We have gathered the week’s most important cybersecurity news.

Thai investors accuse 1000X boss of $42m fraud

Thai law enforcers are searching for billionaire and crypto-industry pioneer Worawat Narknawdee, Thai PBS reports.

A case was opened after users of the crypto platform 1000X went to the police. The damage is estimated at roughly 1.39bn baht (~$42m at the time of writing).

In March 2023, SEC filed a complaint with the Cyber Crime Investigation Bureau, accusing Narknawdee of running 1000X without a licence. According to media reports, before launching his crypto venture he was the lead singer of the rock band DoubleDeep, whose members were active investors. He later founded the Traderist community, where he offered free public education on handling cryptocurrencies.

Through investments since 2012, the trader amassed about 11,000 BTC. His company ACET became one of the industry’s fastest-growing.

However, data from the Department of Business Development revealed another side of his activities. According to Creden Data, Narknawdee owns two companies: Bitnance Company (a loss of ~30m baht) and Great Begins Company (a debt of ~5.8m baht).

Police say the billionaire fled to the UAE, where he owns property, a hotel business and other assets.

Co-founder of $1m crypto pyramid detained in Kyiv

Ukrainian law enforcement uncovered a ring that appropriated funds under the guise of crypto investments. One of the scheme’s co-founders was detained in Kyiv, reported the Cyber Police.

According to investigators, since 2022 the group built a network of financial pyramids across Ukraine. They urged citizens to invest in their own token, promising steady returns. In practice, payouts came from new investors and were distributed via pyramid or binary commission schemes.

The founder and his spouse promoted the project on Instagram, with other bloggers amplifying the ads. Losses totalled about $1m.

Police searched suspects’ residences in Khmelnytskyi, Odesa, Chernihiv and Poltava regions, seizing computer equipment, notes and a car.

One participant was notified of suspicion of fraud, an offence punishable by up to eight years in prison.

FBI seizes Iranian hackers’ websites after major attack on the healthcare sector

The FBI seized two websites used by the hacktivist group Handala after a destructive cyberattack on medtech giant Stryker, reports BleepingComputer.

There has been no official statement from law enforcement about the seizures. However, the domains’ DNS servers were switched to those the FBI typically uses when taking sites offline.

Media say Handala (also known as Handala Hack Team, Hatef, Hamsa) is an Iran-linked hacktivist group that emerged in December 2023. Its operations are associated with the country’s Ministry of Intelligence and Security. It has targeted Israeli organisations using wiper malware for Windows and Linux.

The takedowns followed a mass attack by Handala on March 11th 2026. The hackers compromised a Windows domain administrator account and factory-reset about 80,000 devices, including employees’ PCs and mobile phones. The attackers claimed to have stolen 50 terabytes of data before wiping.

After the incident, CISA urged US organisations to follow Microsoft’s updated guidance to harden defences.

Nordstrom customers hit by crypto scam

In the US, customers of high-end fashion department store chain Nordstrom received scam emails offering to double their crypto-wallet balances, reports BleepingComputer.

Emails promised a 200% return on any cryptocurrency sent to a listed bitcoin address. Victims were given two hours to decide — a ploy to create urgency.

The messages appeared to originate from an official sender the company uses for marketing, indicating a security breach. Some customers said the email reached an address that had never been disclosed or leaked online.

As of March 18th, more than $5,600 had been sent to the scammers in cryptocurrency. According to a blockchain explorer, on March 20th the wallet held just 0.00001386 BTC.

Scammers airdropped TRC-20 tokens posing as the FBI

On March 19th the FBI warned crypto investors about a new phishing scheme in which scammers, posing as the agency, distributed fake tokens.

FBI New York encourages users of the Tron blockchain network to exercise caution if they encounter a token purported to be from the FBI. If you receive a token from an account with the details below, do not provide any identifying information to any website associated with such… pic.twitter.com/VF03sjM4VW

— FBI New York (@NewYorkFBI) March 19, 2026

Unknown TRC-20 tokens labelled “FBI tokens” landed in users’ wallets, followed by ultimatum messages. The scammers alleged the owner was suspected of money laundering and threatened to freeze assets. To “avoid a block,” victims were told to visit a third-party site for an AML check and to disclose personal data.

The number of victims is being determined.

Also on ForkLog:

• Average losses from hacks in the crypto industry hit $25m.
• Hype around OpenClaw sparked a wave of phishing attacks on crypto wallets.
• The Lazarus group is suspected of attacking the Bitrefill service.
• Venus Protocol lost $2m due to manipulation of the THE token.

What to read this weekend?

In a new feature, ForkLog explains why it is perfectly fine to stay away from gadgets and the internet.