{"id":93508,"date":"2026-01-24T07:00:00","date_gmt":"2026-01-24T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=93508"},"modified":"2026-01-24T07:01:38","modified_gmt":"2026-01-24T04:01:38","slug":"a-282m-crypto-theft-an-exodus-from-cambodias-scam-camps-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/a-282m-crypto-theft-an-exodus-from-cambodias-scam-camps-and-other-cybersecurity-news\/","title":{"rendered":"A $282m crypto theft, an exodus from Cambodia\u2019s scam camps, and other cybersecurity news"},"content":{"rendered":"<p>Here are the week\u2019s most important cybersecurity stories.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>A user lost $282m in cryptocurrency to a fake support agent.<\/li>\n<li>Phishers targeted users of the LastPass password manager.<\/li>\n<li>Thousands left Cambodia\u2019s scam compounds.<\/li>\n<li>Authorities unmasked the leader of a ransomware gang.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">A user lost $282m in crypto to fake tech support<\/h2>\n<p>On 10 January 2026 one of the biggest social-engineering heists was recorded: the victim lost bitcoin and litecoin worth $282m. 
On-chain sleuth ZachXBT drew attention to the case.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">On January 10, 2026 at around 11 pm UTC a victim lost $282M+ worth of LTC &#038; BTC due to a hardware wallet social engineering scam.<\/p>\n<p>The attacker began converting the stolen LTC &#038; BTC to Monero via multiple instant exchanges causing the XMR price to sharply increase.<\/p>\n<p>BTC was also\u2026<\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/2012212936735912351?ref_src=twsrc%5Etfw\">January 16, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The user handed the seed phrase of a hardware wallet to a scammer posing as a Trezor support agent. With access secured, the hacker withdrew 2,050,000 LTC and 1,459 BTC.<\/p>\n<p>The attacker used the decentralised protocol THORChain to convert the assets into <a href=\"https:\/\/forklog.com\/en\/news\/monero-reclaims-top-spot-as-leading-privacy-coin-amid-zcash-team-departure\">Monero<\/a>, triggering a local <a href=\"https:\/\/forklog.com\/en\/news\/bitcoin-and-privacy-coins-climb-amid-trump-powell-standoff\">spike<\/a>. ZeroShadow specialists quickly traced the transaction chain and froze about $700,000.<\/p>\n<h2 class=\"wp-block-heading\">Phishers set upon LastPass users<\/h2>\n<p>On 20 January the developers of the LastPass password manager <a href=\"https:\/\/blog.lastpass.com\/posts\/new-phishing-campaign-targeting-lastpass-customers\">warned<\/a> users about a new phishing campaign masquerading as maintenance notifications.<\/p>\n<p>Attackers send emails urging recipients to create a backup of their password vault within 24 hours. The notice includes a link supposedly leading to a page for creating an encrypted backup, but clicking Create Backup Now redirects the user to a phishing site.\u00a0<\/p>\n<p>The aim is to steal victims\u2019 master passwords. 
Specialists believe the malicious campaign began on 19 January.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Thousands leave Cambodia\u2019s scam camps<\/h2>\n<p>In the past week thousands of people \u2014 including victims of human traffickers \u2014 left scam centres in Cambodia as authorities cracked down on crime. This was reported by the <a href=\"https:\/\/www.bbc.com\/russian\/articles\/cn56lpvw77xo\">BBC<\/a>.<\/p>\n<p>Phnom Penh has launched a fresh effort to bring order to the scam camps \u2014 sprawling complexes where hundreds of people run fraud schemes that steal billions of dollars from victims around the world.<\/p>\n<p>Experts say many end up in such places through deception, though some work there voluntarily.<\/p>\n<p>On 15 January Cambodian authorities arrested businessman Kuong Ly on suspicion of illegal recruitment and exploitation, fraud and money laundering. In March 2023 he was the subject of a BBC Eye investigation into scam centres in South-East Asia.<\/p>\n<p>The programme described a compound in the resort city of Sihanoukville owned by Ly. People working there were lured from other countries, forced to work at night and to engage in fraud.<\/p>\n<h2 class=\"wp-block-heading\">Authorities unmask the leader of a ransomware syndicate<\/h2>\n<p>Law-enforcement agencies in Germany and Ukraine have identified the head of the Black Basta ransomware gang as a 35-year-old Russian, Oleg Nefedov. 
Interpol and Europol have placed the fraudster, known online as tramp and kurva, on their most-wanted lists, <a href=\"https:\/\/cyberpolice.gov.ua\/news\/naczpolicziya-vykryla-chleniv-mizhnarodnogo-xakerskogo-ugrupovannya-ta-identyfikuvala-jogo-organizatora-6407\/\">reports<\/a> Ukraine\u2019s Cyber Police.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"606\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-a66cfc7500d6ef4b-4405340147700486-1024x606.png\" alt=\"image\" class=\"wp-image-273935\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-a66cfc7500d6ef4b-4405340147700486-1024x606.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-a66cfc7500d6ef4b-4405340147700486-300x178.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-a66cfc7500d6ef4b-4405340147700486-768x455.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-a66cfc7500d6ef4b-4405340147700486.png 1258w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/eumostwanted.eu\/#\/nefedov-oleg-evgenievich\">Europe\u2019s most wanted<\/a>.<\/figcaption><\/figure>\n<p>Investigators linked Nefedov to the now-disbanded Conti syndicate; after a 2022 rebrand, Black Basta emerged as its direct successor.<\/p>\n<p>During raids in the Ivano-Frankivsk and Lviv regions two members of the group were detained. 
They specialised in breaching secured systems and stealing passwords, providing initial access to the networks of large corporations and paving the way for data encryption and multimillion-dollar ransom demands.<\/p>\n<p>Investigators seized digital media and substantial sums in cryptocurrency during the searches.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-9d71452781336e51-4405342005160981-1024x768.png\" alt=\"image\" class=\"wp-image-273937\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-9d71452781336e51-4405342005160981-1024x768.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-9d71452781336e51-4405342005160981-300x225.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-9d71452781336e51-4405342005160981-768x576.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-9d71452781336e51-4405342005160981.png 1066w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/gp.gov.ua\/ua\/posts\/miznarodna-operaciya-ukrayini-ta-nimeccini-vikrito-ucasnikiv-ugrupovannya-black-basta\">Office<\/a> of the Prosecutor General of Ukraine.<\/figcaption><\/figure>\n<p>To date, Black Basta has attacked more than 700 organisations, including critical targets: Germany\u2019s defence group Rheinmetall, Hyundai\u2019s European arm and Britain\u2019s BT Group.<\/p>\n<h2 class=\"wp-block-heading\">Hackers target Chrome and Edge users<\/h2>\n<p>The KongTuke group has begun mass distribution of a malicious extension, NexShield, for Chrome and Edge, <a href=\"https:\/\/www.huntress.com\/blog\/malicious-browser-extention-crashfix-kongtuke\">reported<\/a> cybersecurity researchers at Huntress.\u00a0<\/p>\n<p>The malware poses as an ultra-light ad blocker. 
The extension intentionally overloads memory and CPU, freezing tabs and crashing the browser, pushing the user to seek a system fix.<\/p>\n<p>After a forced restart, NexShield displays a fake security window offering to scan the system.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411-1024x471.png\" alt=\"image\" class=\"wp-image-273936\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411-1024x471.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411-300x138.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411-768x353.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411-1536x707.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-95351f67fbdd868d-4405340736272411.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Huntress.<\/figcaption><\/figure>\n<p>As a supposed remedy, the software suggests copying a command to the clipboard and executing it in the Windows command prompt. In reality this step runs a script that downloads a new remote-access trojan \u2014 ModeloRAT.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-ecfcdd7d9986de45-4405339301711550.webp\" alt=\"image\" class=\"wp-image-273934\"\/><figcaption class=\"wp-element-caption\">Source: Huntress.<\/figcaption><\/figure>\n<p>Experts say the main target is the corporate sector. The virus has a 60-minute delay to avoid suspicion and activates primarily on organisations\u2019 domain networks. 
Once inside, ModeloRAT enables deep reconnaissance, registry changes, installation of third-party software and covert control of the victim\u2019s computer.<\/p>\n<p>Huntress researchers noted that simply removing the extension from the browser will not fix the problem, as the trojan sits deep in the system. PC owners are advised to run a full antivirus scan and never execute commands suggested by websites or extensions.<\/p>\n<h2 class=\"wp-block-heading\">Zendesk\u2019s helpdesk cloud floods users with spam after breach<\/h2>\n<p>Users around the world <a href=\"https:\/\/x.com\/troyhunt\/status\/2012784392607821950\">became<\/a> targets of a mysterious wave of spam originating from unsecured systems of Zendesk\u2019s cloud support service. On 18 January victims reported receiving hundreds of emails.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">There\u2019s some exploit or mass-scale abuse with <a href=\"https:\/\/twitter.com\/Zendesk?ref_src=twsrc%5Etfw\">@Zendesk<\/a> right now\u2026 I just got EIGHT HUNDRED emails from them over the course of about an hour.<\/p>\n<p>They\u2019re all scams sent from different Zendesk instances. Many bypassed iCloud\u2019s Junk filters. <a href=\"https:\/\/t.co\/nWXr2nFtg3\">pic.twitter.com\/nWXr2nFtg3<\/a><\/p>\n<p>\u2014 Nick Oates (@nickoates_) <a href=\"https:\/\/twitter.com\/nickoates_\/status\/2012761746503606379?ref_src=twsrc%5Etfw\">January 18, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The messages appear not to contain malicious links or blatant phishing. 
But the sheer volume and chaotic nature of the mailings alarm recipients.<\/p>\n<p>The emails sport bizarre subjects: some mimic law-enforcement requests or takedown demands; others offer free Discord Nitro or plead \u201cHelp me!\u201d.<\/p>\n<p>According to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave\/\">BleepingComputer<\/a>, the messages are generated by support platforms of companies that use Zendesk for customer service. Attackers found a loophole in a feature that allows unauthenticated users to submit requests and receive automatic replies.<\/p>\n<p>Among the affected firms: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, the Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace and Lime.<\/p>\n<p>Zendesk told the outlet it has introduced new security features to detect and block such spam in future.\u00a0<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-steal-48-million-in-confiscated-bitcoin-from-south-korean-prosecutors\">stole<\/a> $48m in confiscated bitcoin from South Korea\u2019s prosecutor\u2019s office.<\/li>\n<li>Trove Markets\u2019 developers <a href=\"https:\/\/forklog.com\/en\/news\/trove-markets-developers-execute-rug-pull-following-ico\">executed<\/a> a rug pull after the ICO.<\/li>\n<li>Former Alameda Research head Caroline Ellison <a href=\"https:\/\/forklog.com\/en\/news\/former-alameda-research-head-caroline-ellison-to-be-released-on-january-28\">will be released<\/a> on 28 January.<\/li>\n<li>Hackers <a href=\"https:\/\/forklog.com\/en\/news\/saga-blockchain-hacked-7-million-stolen-stablecoins-depegged\">drained<\/a> $7m from Saga, crashing its native stablecoins.<\/li>\n<li>SlowMist <a href=\"https:\/\/forklog.com\/en\/news\/slowmist-identifies-future-attack-in-linux-store\">discovered<\/a> a \u201cfuture attack\u201d in a Linux 
store.<\/li>\n<li>Chainalysis <a href=\"https:\/\/forklog.com\/en\/news\/chainalysis-unveils-tool-for-automating-blockchain-threat-monitoring\">introduced<\/a> a tool to automate threat tracking across blockchains.<\/li>\n<li>The Makina Finance DeFi protocol <a href=\"https:\/\/forklog.com\/en\/news\/makina-finance-defi-protocol-breached-for-5-million\">was hacked<\/a> for $5m.<\/li>\n<li>Experts <a href=\"https:\/\/forklog.com\/en\/news\/major-hacks-spell-doom-for-80-of-crypto-protocols-experts-say\">called<\/a> a major hack \u201ca death sentence\u201d for 80% of protocols.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>Elena Vasilyeva invites ForkLog readers to don a tinfoil hat to understand how conspiracy theories became a foundation of the digital economy, why Larry Fink is scarier than reptilians, and what <a href=\"https:\/\/forklog.com\/en\/news\/dyor-what-it-is-and-why-it-matters-to-crypto-investors\">DYOR<\/a> has in common with religious ecstasy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The week\u2019s key cybersecurity stories.<\/p>\n","protected":false},"author":1,"featured_media":93509,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"The week\u2019s key cybersecurity stories.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-93508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"375","promo_type":"1","layout_type":"1","short_excerpt":"The week\u2019s key cybersecurity 
stories.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=93508"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93508\/revisions"}],"predecessor-version":[{"id":93510,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93508\/revisions\/93510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/93509"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=93508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=93508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=93508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}