- \n
- Over 700 browser-based crypto wallets were targeted by an info-stealer.<\/li>\n
- The UK imposed sanctions on Xinbi and scam compounds in Southeast Asia.<\/li>\n
- Malware used Solana to steal crypto data and conduct phishing.<\/li>\n
- A cyberattack on an ignition interlock maker limited access to vehicles.<\/li>\n<\/ul>\n<\/div>\n
Over 700 browser-based crypto wallets targeted by an info-stealer<\/h2>\n
The new Torg Grabber info-stealer targets sensitive data across 850 browser extensions, including crypto wallets, password managers, note-taking apps and two-factor authentication tools, report<\/a> cybersecurity researchers at Gen Digital.<\/p>\n
Initial access is achieved via the ClickFix technique: attackers hijack the clipboard and trick users into executing a malicious PowerShell command.<\/p>\n
The list of targeted extensions includes 728 crypto wallets such as MetaMask<\/a>, Phantom and Trust Wallet.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-137510bc6262bae9-233234288849386.webp\")
Source: Gen Digital.<\/figcaption><\/figure>\n Torg Grabber also harvests data from Discord, Telegram, Steam, VPN tools, email services and desktop versions of crypto apps.<\/p>\n
Beyond these features, the malware can:<\/p>\n
- \n
- create a device fingerprint;<\/li>\n
- enumerate installed software (including 24 antivirus tools);<\/li>\n
- capture desktop screenshots;<\/li>\n
- steal files from the Desktop and Documents folders;<\/li>\n
- execute arbitrary code on the infected device.<\/li>\n<\/ul>\n
Since late 2025, scammers have used a more resilient HTTPS connection via Cloudflare\u2019s infrastructure. They also taught the stealer to bypass cookie protections in Chrome, Brave, Edge, Vivaldi and Opera.<\/p>\n
According to researchers, 334 samples were compiled between December 2025 and February 2026, with new command-and-control servers registered weekly.<\/p>\n
UK sanctions Xinbi and scam compounds in Southeast Asia<\/h2>\n
On 26 March, the UK government imposed<\/a> sanctions on the crypto marketplace Xinbi and individuals linked to scam compounds<\/a> in Southeast Asia.<\/p>\n
Officials said the platform facilitates the sale of stolen personal data and provides tools to find victims, including satellite internet equipment. The measures restrict the network\u2019s access to financial channels.<\/p>\n
The sanctions also hit Legend Innovation, operator of #8Park \u2014 a large scam compound in Cambodia. Preliminary estimates suggest up to 20,000 forced labourers are held there. The firm\u2019s director, Eang Soklim, and individuals tied to the Prince Group financial network were designated.<\/p>\n
According to Chainalysis<\/a>, more than $19.9bn in transactions flowed through Xinbi between 2021 and 2025.<\/p>\n
In India, law enforcement arrested<\/a> Sunil Nellatt Ramakrishnan, also known as Krish, on suspicion of trafficking people to fraudulent crypto centres in Myanmar.<\/p>\n
Authorities say he was a key player in transporting victims from Delhi to Bangkok under the pretext of legal employment in Thailand. People were forcibly moved to the Myawaddy area, including the KK Park complex.<\/p>\n
Searches at the suspect\u2019s residence linked him to human-trafficking operations in Cambodia.<\/p>\n
Malware used Solana to steal crypto data and phish<\/h2>\n
Cybersecurity firm Aikido observed<\/a> a new phase of the GlassWorm campaign. Hackers distribute phishing code bundles that steal developer data and install a remote access trojan.<\/p>\n
GlassWorm gains access via malicious packages published to developer repositories including npm, PyPI, GitHub and the Open VSX marketplace.<\/p>\n
Its operators also compromise maintainers\u2019 accounts on popular projects to push poisoned updates.<\/p>\n
Rather than hard-coding the command server address (where it is easy to find and block), the hackers used a \u201cdead drop\u201d method and hid it on the Solana<\/a> blockchain.<\/p>\n
The loader connects to the network and checks preselected crypto wallets, looking for transactions with a memo field. Once found, it extracts the obfuscated link, decrypts it and connects to the remote server. The malware does not infect systems with a Russian locale.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-fc050f48ce017e03-233234388667742-1024x356.png\")
Decoding the Solana memo field into the hackers\u2019 remote server link. Source: Aikido.<\/figcaption><\/figure>\n The second stage of the attack includes:<\/p>\n
- \n
- theft and collection of data, exfiltration of crypto wallets and system profiling;<\/li>\n
- exfiltration. Collected data is compressed into a ZIP archive and sent to an external server;<\/li>\n
- follow-on downloads. After exfiltration, the chain pulls two more components.<\/li>\n<\/ul>\n
The first is a component for detecting USB devices. When a user connects a hardware wallet<\/a>, a phishing window appears:<\/p>\n
- \n
- for Ledger \u2014 a fake configuration error with 24 fields for entering the recovery phrase;<\/li>\n
- for Trezor \u2014 a \u201cfirmware verification failure\u201d message and forced emergency reboot with similar input fields.<\/li>\n<\/ul>\n
The second component is a JavaScript RAT. Its download address is extracted from a Google Calendar event description (another \u201cdead drop\u201d method).<\/p>\n
Its tasks include launching a covert remote desktop module, stealing browser data and executing arbitrary JavaScript.<\/p>\n
In addition, the trojan forcibly installs the Google Docs Offline extension. It collects a tree of active tabs, up to 5,000 history entries, screenshots and clipboard contents. The extension also monitors crypto exchanges such as Bybit<\/a>, tracking authorisation tokens and device IDs.<\/p>\n
Cyberattack on an ignition interlock maker limited access to vehicles<\/h2>\n
Hackers attacked Intoxalock, a US supplier of vehicle ignition interlock systems. Disrupted devices left some owners unable to start their cars, the outlet \u201c\u0425\u0430\u043a\u0435\u0440<\/a>\u201d reported.<\/p>\n
Intoxalock makes devices that offenders convicted of drink-driving are required to install. To start the engine, a driver must blow into a tube to verify that blood alcohol content is below the legal limit; otherwise the car will not start. In some states the system also records GPS coordinates and routinely photographs the person at the wheel.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-0a09e9a975e459a9-233234649912063.webp\")
Source: Intoxalock<\/a>.<\/figcaption><\/figure>\n According to media reports, the device must be calibrated roughly once a month. Owing to the cyberattack, calibration proved impossible and drivers whose checks had expired were locked out. In Connecticut alone, the issue affected<\/a> 7\u201310% of users.<\/p>\n
The company extended<\/a> service-centre authorisations by 10 days, though the grace period did not apply to all device versions or all states.<\/p>\n
The system was restored on 22 March. Intoxalock\u2019s management pledged to reimburse users\u2019 expenses, including vehicle towing.<\/p>\n
Researcher found a trojan in the LiteLLM AI app<\/h2>\n
Malware for stealing credentials was discovered in the popular LiteLLM AI application, reported<\/a> Callum McMahon of FutureSearch.<\/p>\n
LiteLLM lets developers connect to hundreds of different neural networks and manage subscription payments. The project has over 40,000 GitHub stars, thousands of forks, and daily downloads reach<\/a> 3.4 million.<\/p>\n
According to McMahon, the virus entered via a third-party software package on which LiteLLM depends. He suspected an infection when his computer suddenly shut down right after installing the software. A bug in the malware itself caused the crash, revealing the presence of the hacker\u2019s code.<\/p>\n
McMahon and noted developer Andrej Karpathy reached<\/a> a shared conclusion: the virus was created through \u201cvibe coding\u201d without careful review.<\/p>\n
How the malware worked:<\/p>\n
- \n
- stole any credentials it could find;<\/li>\n
- used them to access other accounts and packages to harvest yet more passwords;<\/li>\n
- propagated along the chain, compromising additional systems.<\/li>\n<\/ul>\n
TechCrunch<\/a> noted that LiteLLM\u2019s website displays badges for major security certifications SOC 2 and ISO 27001, issued after an audit by Delve. The firm bills itself as an AI-based service that automates cybersecurity compliance.<\/p>\n
According to media reports, Delve had previously been accused of generating fake report data, using questionable auditors and misleading clients about their security posture.<\/p>\n
\n
Oh damn, I thought this WAS a joke<\/p>\n
\u2026 but no, LiteLLM *really* was “Secured by Delve” (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudlent auditing, but useless for sure)<\/p>\n
And so unspririsingly LiteLLM was compromised, badly https:\/\/t.co\/P7FZrsagAb<\/a><\/p>\n
\u2014 Gergely Orosz (@GergelyOrosz) March 24, 2026<\/a><\/p><\/blockquote>\n