GetChain News

Security/Hacker

News linked to both this project and an event.

North Korean hacker group Lazarus Group deploys fileless RemotePE Trojan to target cryptocurrency firms and banks

According to Cryptopolitan, the North Korea–linked hacker group Lazarus Group has been found deploying the fileless remote access Trojan RemotePE, primarily targeting banks, cryptocurrency exchanges, and fintech companies. This malware runs entirely in memory and employs process hollowing, anti-analysis detection techniques, and encrypted C2 communications—making it difficult for traditional antivirus and forensic tools to detect. The report states that attacks typically begin with Telegram-based social engineering: attackers impersonate employees of trading firms and lure victims into installing malicious software using forged Calendly and Picktime links, ultimately executing the payload without touching the file system.

ZachXBT: US 18-Year-Old Hacker Dritan Allegedly Involved in $19 Million Crypto Theft and Money Laundering

On-chain detective ZachXBT has exposed US threat actor Dritan Kapllani Jr., alleging his involvement in social engineering thefts targeting crypto users, totaling approximately $19 million.

ZachXBT stated that Dritan has long been flaunting luxury cars, luxury-brand watches, private jets, and a nightclub lifestyle on social media. On April 23, 2026, during a "Band 4 Band (B4B)" voice call on Discord, in an attempt to prove he was wealthier than another hacker, he publicly displayed an Exodus wallet containing $3.68 million in assets. The relevant ETH address is 0x4487db847db2fc99372a985743a26f46e0b2bba6.

ZachXBT's tracking revealed that this address is linked to a social engineering theft on March 14, 2026, involving 185 BTC (approximately $13 million). The following day, Dritan's Exodus wallet received about $5.3 million from that theft. By the time of the B4B call six weeks later, approximately $1.6 million had already been spent or laundered.

On May 11, the US Department of Justice unsealed a criminal indictment against Trenton Johnson, charging him with participation in the theft of 185 BTC. He faces a potential maximum sentence of 40 years in prison. The indictment refers to "Co-Conspirator 1 (CC-1)," believed to be Dritan, who has not yet been formally charged.

ZachXBT also noted that Dritan is connected to hacker John Daghita (Lick), who was previously arrested for stealing $46 million from the US government. John had previously exposed Dritan's old wallet address on Telegram. On-chain analysis shows that this address is linked to multiple high-confidence social engineering thefts in 2025, with a cumulative total exceeding $5.85 million.

ZachXBT stated that Dritan has long been active in "The Com" hacker circle and had seemingly avoided formal prosecution because he was a minor. Now that he has turned 18, his "borrowed time may finally be over."

SlowMist Discloses Phishing Campaign Involving Fake TronLink Chrome Extension That Steals Wallet Credentials Such as Mnemonics and Private Keys

According to SlowMist, its security monitoring system MistEye has detected a counterfeit TronLink Chrome MV3 extension targeting TRON wallet users with a two-layer phishing attack. The extension disguises itself as the official plugin using Unicode obfuscation and brand spoofing. Upon installation, it first loads a remote iframe-based pop-up page designed to trick users into entering their mnemonic phrases, private keys, keystore files, and passwords—then exfiltrates this sensitive data via same-origin APIs to a Telegram bot. The malicious infrastructure involved includes the domains tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org; the malicious extension ID is ekjidonhjmneoompmjbjofpjmhklpjdd. SlowMist advises users to immediately uninstall the extension. If sensitive information has already been submitted, users should promptly migrate their assets and discontinue use of the compromised wallet.
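A local check a defender can run against the indicators quoted in the SlowMist item above (the extension ID, the two domains, and the Unicode brand-spoofing trick). This is an added example, not SlowMist or TronLink code; it assumes the standard Chrome on-disk layout `<profile>/Extensions/<extension id>/<version>/manifest.json` and builds a constructed sample profile so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Indicators quoted in the SlowMist report (defanging brackets removed).
MALICIOUS_EXTENSION_IDS = {"ekjidonhjmneoompmjbjofpjmhklpjdd"}
MALICIOUS_DOMAINS = {"tronfind-api.tronfindexplorer.com", "trx-scan-explorer.org"}


def _strings(obj):
    """Yield every string nested anywhere in a parsed manifest.json."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        yield from (s for v in obj.values() for s in _strings(v))
    elif isinstance(obj, list):
        yield from (s for v in obj for s in _strings(v))


def scan_extensions_dir(extensions_dir):
    """Scan <Extensions>/<id>/<version>/manifest.json; return (id, reason) findings."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        if ext_id in MALICIOUS_EXTENSION_IDS:
            findings.append((ext_id, "extension ID is a SlowMist indicator"))
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the scan
            hits = {d for s in _strings(manifest) for d in MALICIOUS_DOMAINS if d in s}
            for d in sorted(hits):
                findings.append((ext_id, f"manifest references {d}"))
            # Heuristic for the brand spoofing described: a name that reads "TronLink"
            # once non-ASCII characters are dropped, but carried such characters.
            name = manifest.get("name", "")
            ascii_name = "".join(c for c in name if ord(c) < 128)
            if "tronlink" in ascii_name.casefold() and len(ascii_name) != len(name):
                findings.append((ext_id, f"non-ASCII characters in name {name!r}"))
    return findings


def build_sample_profile():
    """Constructed sample: one benign extension and one mimicking the reported fake."""
    root = Path(tempfile.mkdtemp())
    benign = root / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.0.0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "Notes", "host_permissions": ["https://example.org/*"]}))
    fake = root / "ekjidonhjmneoompmjbjofpjmhklpjdd" / "2.1.0"
    fake.mkdir(parents=True)
    (fake / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "Tron\u200bLink",
         "host_permissions": ["https://trx-scan-explorer.org/*"]}), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, reason in scan_extensions_dir(build_sample_profile()):
        print(f"{ext_id}: {reason}")
```

On a real machine point `scan_extensions_dir` at the profile's Extensions directory (for example `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows); any finding warrants uninstalling the extension and, as SlowMist advises, migrating the wallet if secrets were entered.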

Bybit Discloses macOS Malware Campaign Targeting Searches for Claude Code

Bybit’s Security Operations Center has identified a multi-stage malware campaign targeting macOS users of Claude Code, an AI-powered search and development tool. Attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to counterfeit installation pages. Once installed, the malware steals browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access via backdoor functionality and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and related analysis, mitigation, and detection measures were completed the same day.

Telegram Founder: EU's "Age Verification App" Can Be Quickly Compromised, Stay Vigilant

Odaily News: Telegram founder Pavel Durov posted on X, stating that the "age verification app" proposed by the EU has design flaws and was compromised in just a few minutes. The reason lies in a fundamental security issue of its architecture: it trusts the user's device. The solution is positioned as "privacy-friendly," but in practice it can be easily cracked. He summarized its likely development path as follows: first, launch a system that appears to protect privacy but has vulnerabilities; after it is compromised, use "fixes" as a reason to weaken privacy protection, eventually evolving into a surveillance tool in the name of privacy. Such "accidental vulnerability incidents" may be used to expand regulation, and the public is urged to stay vigilant.

Hackers Spread PHANTOMPULSE Trojan via Obsidian Plugin

According to Elastic Security Labs, threat actors impersonated venture capital firms and lured targets into opening malicious Obsidian note vaults via LinkedIn and Telegram. This attack leveraged Obsidian’s Shell Commands plugin to execute malicious payloads without exploiting any vulnerabilities when victims opened the note vaults. The PHANTOMPULSE malware discovered in this campaign is a previously undocumented Windows Remote Access Trojan (RAT) that uses Ethereum transaction data to achieve blockchain-based C2 communication. The macOS payload employs an obfuscated AppleScript dropper and uses a Telegram channel as a fallback C2. Elastic Defend detected and blocked the PHANTOMPULSE execution before it could run.

North Korean hackers use AI technology to conduct social engineering attacks against Zerion hot wallets

Zerion disclosed that some of its corporate hot wallets were recently targeted by an AI-driven social engineering attack linked to North Korean hackers, resulting in losses of approximately $100,000. Zerion stated that user funds, applications, and infrastructure remain unaffected, and that it proactively disabled its web application to mitigate risk. This incident marks the second such attack this month, following the $280 million breach of Drift Protocol, underscoring how North Korean hackers are leveraging AI to refine social engineering tactics, primarily targeting employees and developers at crypto firms. The Security Alliance (SEAL) tracked the hacker group UNC1069, which conducts low-pressure, multi-week social engineering campaigns across platforms including Telegram, LinkedIn, and Slack, using AI tools to edit images and videos to make the lures more convincing.