- \n
- Hackers devised a stealthy scheme to swap bitcoin addresses.<\/li>\n
- A new Android trojan was disguised as IPTV apps.<\/li>\n
- Trezor and Ledger users received phishing letters by post.<\/li>\n
- A researcher exposed major firms for tracking Chrome users via extensions.<\/li>\n<\/ul>\n<\/div>\n
Hackers devise a stealthy bitcoin address swap<\/h2>\n
Criminals have begun quietly substituting bitcoin addresses under the guise of a lucrative crypto-arbitrage deal. The scheme was spotted by BleepingComputer<\/a>.<\/p>\n
The campaign hinges on promises of huge profits from a supposed \u201carbitrage vulnerability\u201d on the Swapzone crypto-exchange platform. In reality, the attackers run malicious code that modifies the swap process directly in the victim\u2019s browser.<\/p>\n
ClickFix-style attacks usually target operating systems: users are tricked into running PowerShell commands to \u201cfix Windows errors\u201d, leading to the installation of stealers or ransomware. Here, the target is a specific browser session.<\/p>\n
According to media reports, this is among the first recorded cases of ClickFix mechanics being used to manipulate web pages for the direct theft of cryptocurrency.<\/p>\n
To push the scam, the attackers leave comments under various posts on Pastebin, the popular text (code snippet) hosting service.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-58217912ec9a5a18-6824502853084525-1024x641.png\")
Source: BleepingComputer.<\/figcaption><\/figure>\n They advertise a \u201cleaked hacking manual\u201d that supposedly lets users earn $13,000 in two days, and attach a link. The \u201cguide\u201d in Google Docs describes a way to obtain inflated swap amounts in certain BTC pairs.<\/p>\n
BleepingComputer observed that between one and five people were viewing the document concurrently at any given time, suggesting the scheme is active.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-51f8bba733c7bc8c-6824502872793235-793x1024.png\")
Source: BleepingComputer.<\/figcaption><\/figure>\n The bogus guide tells users to:<\/p>\n
- \n
- Go to the Swapzone website.<\/li>\n
- Copy JavaScript code from an external resource.<\/li>\n
- Return to the Swapzone tab, type javascript: into the address bar, paste the copied code and press Enter.<\/li>\n<\/ol>\n
This method uses the browser\u2019s javascript: URI scheme to execute code in the context of the open site. Analysis showed the initial script loads a second, heavily obfuscated payload. It injects itself into the Swapzone page, replacing legitimate Next.js scripts responsible for processing transactions:<\/p>\n
- \n
- address substitution. The malicious script contains a list of the attackers\u2019 bitcoin addresses. It inserts one of them instead of the legitimate deposit address generated by the exchange;<\/li>\n
- visual deception. The code changes the displayed exchange rates and payout amounts on screen, creating the impression that the \u201carbitrage scheme\u201d is working;<\/li>\n
- result. The victim sees the familiar interface of a legitimate service but sends money to the hacker\u2019s bitcoin wallet.<\/li>\n<\/ul>\n
New Android trojan disguised as IPTV apps<\/h2>\n
A new piece of Android malware poses as an IPTV app to steal digital identities and access victims\u2019 bank accounts, reported<\/a> ThreatFabric researchers.<\/p>\n
The Massiv virus uses screen overlays and keylogging to collect sensitive data. It can also establish full remote control of an infected device.<\/p>\n
During the campaign, Massiv targeted a Portuguese government app tied to Chave M\u00f3vel Digital, the national digital authentication and signature system. Data held in these services can be used to bypass KYC checks, access bank accounts and other public and private online services.<\/p>\n
ThreatFabric says there have been cases of bank accounts and services being opened in a victim\u2019s name without their knowledge.<\/p>\n
Massiv gives operators two modes of remote control:<\/p>\n
- \n
- screen streaming \u2014 uses the Android MediaProjection API<\/span> to broadcast the screen in real time;<\/li>\n
- UI-tree mode \u2014 extraction of structured data via the Accessibility Service.<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-62fec3984e5092cb-6824502487843520-1024x546.png\")
Source: ThreatFabric.<\/figcaption><\/figure>\n The second mode lets attackers see text, UI element names and their coordinates. That allows them to press buttons and edit text fields on the user\u2019s behalf. More importantly, the method can bypass screenshot protections often built into banking and finance apps.<\/p>\n
Researchers noted a striking trend: over the past eight months the use of IPTV apps as lures for infecting Android devices has surged.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-914a8e97bb92a9b9-6824502302425253-1024x564.png\")
Source: ThreatFabric.<\/figcaption><\/figure>\n Such apps often infringe copyright, so they are not available on Google Play. Users are accustomed to downloading APKs from unofficial sources and installing them manually.<\/p>\n
The campaign is aimed at residents of Spain, Portugal, France and Turkey.<\/p>\n
Trezor and Ledger users received phishing letters by post<\/h2>\n
Users of Trezor<\/a> and Ledger<\/a> have begun receiving physical letters sent by scammers purporting to be the makers of the hardware wallets.<\/p>\n
According to cybersecurity specialist Dmitry Smilyanets, the letter<\/a> he received looked like an official notice from Trezor\u2019s security department.<\/p>\n
On company letterhead, the client was instructed to complete a mandatory step: scan a QR code and finish verification on a special website by a set date. Failure to do so would result in the loss of wallet functionality, the letter warned.<\/p>\n
In comments under the post, other earlier phishing cases allegedly from Ledger representatives also surfaced<\/a>. Both letters created urgency, pushing victims to act immediately.<\/p>\n
\n
at least they could have worked on a better phishing page \ud83d\ude2d\ud83d\ude2d<\/p>\n
even plaintext seed words sent to telegram api\u2026<\/p>\n
trezor.authentication-check[.]io\/black\/ pic.twitter.com\/fa85203awR<\/a><\/p>\n
\u2014 Who said what? (@g0njxa) February 12, 2026<\/a><\/p><\/blockquote>\n
- UI-tree mode \u2014 extraction of structured data via the Accessibility Service.<\/li>\n<\/ul>\n
- screen streaming \u2014 uses the Android MediaProjection API<\/span> to broadcast the screen in real time;<\/li>\n