
TikTok users’ crypto at risk, a Gemini flaw, and other cybersecurity developments
We gathered the week’s most important cybersecurity news.
- A hybrid attack targeting the TikTok community’s cryptocurrency.
- Firefox users lost around $1m in crypto.
- Developers are in the crosshairs of crypto drainers.
- A serious vulnerability found in Gemini.
Hybrid attack targets the TikTok community’s cryptocurrency
Criminals are using the SparkKitty spyware, distributed through fake TikTok shops, to steal users’ crypto.
According to an August report by CTM360, security specialists uncovered a global malware campaign dubbed FraudOnTok. The hybrid model blends phishing with malware to dupe shoppers and affiliate participants on TikTok’s e-commerce platform.
Once installed, the software infiltrates the victim’s device, accesses the photo gallery and extracts screenshots that may contain wallet data.
The combination of phishing and a trojan makes FraudOnTok particularly dangerous. The scam starts with lookalike marketplaces that are nearly indistinguishable from official TikTok Shop, TikTok Wholesale and TikTok Mall pages. Users are prompted to log in and make a purchase; at checkout they are steered towards crypto wallets. Victims often believe they are topping up a TikTok wallet or paying in digital assets such as USDT and ETH.
According to CTM360, the campaign has involved:
- over 10,000 fake websites, many using cheap or free TLDs such as .top, .shop and .icu;
- around 5,000 malware samples distributed via QR codes, messengers and in-app downloads.
Firefox users lost around $1m in crypto
The GreedyBear campaign seeded more than 150 malicious extensions in Mozilla’s official store for Firefox, enabling thieves to steal roughly $1m in cryptocurrency.
Per Koi Security, the attackers disguised malicious add-ons as popular wallets such as MetaMask, TronLink and Rabby.
At first, the extensions were uploaded in a benign form to pass Firefox moderation. They amassed fake positive reviews, after which the attackers injected malicious code and changed the original names and logos.
According to Koi Security specialist Tuval Admoni, the extensions captured data directly from the pop-up interface and exfiltrated it to a remote server. The malware also:
- logged keystrokes and input data;
- stole wallet credentials by reading input fields;
- sent victims’ IP addresses to the attackers’ server.
The campaign was accompanied by dozens of Russian-language piracy sites pushing more than 500 malicious executables, as well as fake sites impersonating Trezor, Jupiter Wallet and “wallet repair” services.
Experts say code analysis shows traces of AI generation, which helped scale the campaign, mask and vary payloads, and recover after takedowns. At the time of writing, the fake extensions have been removed from Mozilla’s official store.
Developers in the crosshairs of crypto drainers
On 4 August, researchers at Safety found malware in the npm JavaScript package ecosystem aimed at stealing cryptocurrency.
The suspect module was marketed as a tool for “license auditing and registry optimisation in high-load Node.js environments”. It was published to the registry on 28 July 2025 and amassed more than 1,500 downloads before removal.
According to the team, one open-source component was bluntly named “enhanced stealth crypto wallet drainer”, making its purpose clear.
The software activated automatically upon installation, lodging itself in hidden system folders on Windows, Linux and macOS. It scanned systems for crypto wallets; once found, funds were automatically transferred to the attackers’ Solana address.
Experts believe the fraudulent code was generated with the help of AI, presumably Claude from Anthropic.
A serious vulnerability found in Gemini
On 6 August, cybersecurity researchers published a video that demonstrated a serious vulnerability in Google’s popular AI model, Gemini.
A controlled attack using indirect prompt injection (“promptware”) forced Gemini to operate smart-home devices. The researchers showed how an AI system can initiate real-world physical actions via digital compromise.
A team from Tel Aviv University, the Technion and SafeBreach built a project titled “Invitation is all you need”. They embedded malicious instructions in Google Calendar invitations. When a user asked Gemini to “summarize the calendar”, the AI triggered pre-programmed actions — turning on smart-home devices — despite the user not requesting them.
In the demonstration, Gemini also:
- opened blinds;
- switched on a boiler;
- sent spam and offensive messages;
- revealed email contents;
- started Zoom video calls;
- uploaded files to a device.
In response, Google hardened Gemini’s protections. Measures included:
- output filtering;
- mandatory user confirmation for sensitive actions;
- AI-based analysis of suspicious prompts and commands.
Dozens of major firms hit by extortionists
According to Bleeping Computer on 6 August, Google suffered a data breach amid an ongoing wave of attacks on Salesforce CRM.
In June, the company reported that an actor dubbed UNC6040 was targeting employees with voice phishing (vishing) to gain access to Salesforce and download customer data. The information is then used for extortion: hackers demand cryptocurrency to keep the data from being published.
Per Bleeping Computer, the well-known ShinyHunters group is behind the attacks. The outfit has operated for years and has been linked to a raft of major breaches, including PowerSchool, Oracle Cloud, attacks on Snowflake, AT&T, NitroPDF, Wattpad and MathWay.
In comments to the outlet, the hackers said they had compromised numerous Salesforce instances and that the attacks were ongoing. They claim to have infiltrated a company with a trillion-dollar market cap and are considering “just dumping the data without ransom”.
For other firms, they have moved to extortion, emailing demands and threatening to publish data. According to Bleeping Computer, one company has already paid 4 BTC.
Other victims reportedly include Adidas, Qantas, Allianz Life, Cisco and LVMH subsidiaries Louis Vuitton, Dior and Tiffany & Co.
Also on ForkLog:
- The CrediX team disappeared after a $4.5m hack.
- Scammers targeted Aave users via Google Ads.
- HashFlare founders asked the court not to send them to prison over $577m in fraud.
- A Tornado Cash co-founder was found partially guilty. The crypto community is disappointed.
- Livestock-farming miners from Ingushetia stole 8m kWh of electricity.
- A crypto investor lost $3m with one click.
- Over 80% of financial pyramids in Russia have moved to cryptocurrencies.
- Google identified multimillion-dollar crypto thefts by “freelancers” from North Korea.
- The CrediX protocol halted operations after a $4.5m hack.
- Cybercriminals accelerated the pace of laundering cryptoassets.
- Researchers found an undisclosed hack of the LuBian mining pool for 127,426 BTC.
What to read this weekend?
Why, in AI development, the notions of “sovereign AI” and “global artificial intelligence” mean little and mostly enable manipulation — read about it on ForkLog.