Massive Cyberattacks and the Fight Against Fraud: A Week in Cybersecurity

We have gathered the most significant cybersecurity news from the past week.

On January 10, 2026, one of the most extensive social engineering attacks was recorded, resulting in a victim losing a total of $282 million in Bitcoin and Litecoin. On-chain investigator ZachXBT highlighted this incident.

The user shared the seed phrase for their hardware wallet with a scammer impersonating a Trezor support representative. Once access was gained, the hacker withdrew 2,050,000 LTC and 1,459 BTC.

The perpetrator used the decentralized THORChain protocol to convert the assets into Monero, causing a short-lived price spike in the latter. The ZeroShadow team quickly traced the transaction chain and managed to freeze approximately $700,000.

On January 20, LastPass developers alerted users about a new phishing campaign disguised as technical maintenance notifications.

Hackers are sending emails urging users to create a backup of their password vault within 24 hours. The notification includes a link that supposedly leads to a page for creating an encrypted backup; however, clicking the “Create Backup Now” button redirects users to a phishing site.

In this way, the attackers are attempting to steal their victims’ master passwords. Experts believe the campaign began on January 19.

In the past week, thousands of people—among them victims of human trafficking—have fled scam centers in Cambodia amid the government’s crackdown on crime, the BBC reports.

Phnom Penh has initiated a new phase of restoring order in scam camps—large complexes where hundreds of people participate in fraudulent schemes, swindling billions of dollars from victims worldwide.

According to experts, many are lured into such places deceitfully, although some choose to work there voluntarily.

On January 15, businessman Khuong Li was arrested in Cambodia on charges of illegal recruitment and exploitation of people, fraud, and money laundering. He had previously been the subject of a BBC Eye investigation into scam centers in Southeast Asia in March 2023.

The program covered a complex in the resort town of Sihanoukville owned by Li, where people from other countries were lured under false pretenses, held in a labor camp, forced to work night shifts, and made to run scams.

German and Ukrainian law enforcement have identified the leader of the Black Basta ransomware group as 35-year-old Russian national Oleg Nefedov. Interpol and Europol have added him, known online as tramp and kurva, to their most-wanted lists, according to Ukraine’s Cyber Police.

Investigators have established Nefedov’s connection to the now-disbanded Conti syndicate, which rebranded as Black Basta in 2022.

During raids in the Ivano-Frankivsk and Lviv regions, two group members specializing in penetrating secure systems and stealing passwords were detained. They provided initial access to the networks of major corporations, paving the way for data encryption and subsequent ransom demands.

During the searches, digital storage media and significant amounts of cryptocurrency were seized.

Throughout its existence, Black Basta has attacked over 700 organizations, including critical infrastructure such as the German defense contractor Rheinmetall, the European branch of Hyundai, and the British telecom company BT Group.

The KongTuke group has initiated widespread distribution of the malicious NexShield extension for Chrome and Edge, as reported by cybersecurity researchers from Huntress.

According to experts, the malware disguises itself as an ultra-light ad blocker. The extension intentionally overloads memory and CPU, causing tabs to freeze and the browser to crash, forcing users to seek ways to recover their systems.

After a forced restart, NexShield displays a fake security window offering to scan the system.

Under the guise of solving the issue, the software prompts the user to copy a command to the clipboard and execute it in the Windows command line. In reality, this action triggers a script that downloads a new remote access trojan—ModeloRAT.

Experts indicate that the primary target is the corporate sector. The malware waits 60 minutes before acting, to avoid suspicion, and activates predominantly on machines inside an organization’s domain network. Once inside, ModeloRAT enables attackers to conduct deep reconnaissance, alter the system registry, install third-party software, and covertly control the victim’s computer.

Huntress researchers noted that merely removing the extension from the browser won’t resolve the issue, as the trojan is deeply embedded in the system. They recommended that PC owners perform a full antivirus scan and never execute commands provided by websites or extensions.

Users worldwide have become targets of a mysterious wave of spam sent from unsecured instances of the cloud customer-support service Zendesk. On January 18, victims reported receiving hundreds of emails.

It appears that the messages do not contain malicious links or overt phishing attempts. However, the volume and chaotic nature of the distribution raise concerns among recipients.

The emails feature bizarre subject lines: some mimic requests from law enforcement or demands to block content, while others offer free Discord Nitro or contain pleas like “Help me!”

According to BleepingComputer, the emails are generated by the support platforms of companies that use Zendesk for customer service. The spammers abused a feature that allows unauthenticated users to submit support requests that trigger automatic responses.

Affected companies include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, the Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace, and Lime.

Zendesk representatives informed the publication that they have implemented new security features to detect and prevent such spam in the future.