Threat of cryptocurrency theft via fake Y Combinator invitations and dismantling of the largest SIM farm in the USA: Key cybersecurity events

We have compiled the most significant news from the world of cybersecurity over the past week.

Two malicious packages found in the official Rust programming language repository were scanning developers’ devices with the intent of stealing cryptocurrencies and sensitive information. Since May 25, 2025, these packages have been downloaded 8,424 times. On September 24, researchers from Socket reported this incident.

The malware, known as faster_log and async_println, was distributed via Crates.io, a registry analogous to npm for JavaScript. They impersonated the legitimate fast_log by copying its README file and repository metadata. The malicious code retained the logging features of the actual project to avoid raising suspicion.

The malware scanned the victim’s environment and project source files for specific elements. Upon finding matches, it exfiltrated the data to an encoded URL.

The platform removed the fake packages and disabled the accounts of the fraudsters on the same day they were reported.

A large-scale phishing campaign targeted GitHub users through cryptocurrency drainers that infiltrated via fake invitations to participate in the Y Combinator startup support program.

On September 24, BleepingComputer reported that attackers exploited vulnerabilities in the notification system to deliver fraudulent messages. They created issues in multiple repositories and tagged targeted users.

When a GitHub account name is mentioned in issues, notifications are automatically sent. Since the emails appeared to come from a legitimate source, they landed directly in the recipients’ inboxes.

As bait, an invitation was sent to apply for an upcoming Y Combinator funding round with a $15 million fund. In some repositories, as many as 500 issues were opened by a user who had registered just a week earlier.

Recipients were encouraged to click on a phishing link, which contained a domain with an almost imperceptible error (‘l’ instead of ‘i’). Once the link was clicked, a JavaScript prompt appeared, asking users to verify their cryptocurrency wallet. Signing the transaction initiated the malicious actions that drained their accounts.

Following complaints to GitHub, the IC3, and Google Safe Browsing, the fraudulent repositories were taken down.
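Both stories above turn on names that are almost, but not quite, a trusted one: a crate named `faster_log` standing in for `fast_log`, and a phishing host that differs from the real domain by a single `l` in place of an `i`. The following is an added example, not code from the article, from Socket, or from GitHub, showing one defensive check that covers both cases: it lists the dependencies in a Cargo.toml and flags any that sit within a small edit distance of a known crate, and it extracts the host from a link and flags it when, after folding visually confusable characters, it matches a trusted domain. The Cargo.toml, the crate allowlist and the phishing-style link are constructed for the example; the article does not give the domain actually used in the campaign.

```rust
// Added example (not from the article, Socket or GitHub): lookalike-name detection
// for Cargo.toml dependencies and for URL hosts. All sample inputs are constructed.

/// Levenshtein edit distance over Unicode scalar values.
pub fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Lower-case and fold characters that are easy to mistake for one another
/// (in a URL bar or a dependency list) onto one canonical letter.
pub fn fold_confusables(s: &str) -> String {
    s.to_lowercase()
        .chars()
        .map(|c| match c {
            'l' | '1' | '|' | 'í' | 'ì' => 'i',
            '0' | 'ο' | 'о' => 'o', // digit zero, Greek omicron, Cyrillic o
            '5' | '$' => 's',
            '-' => '_', // crate names: dash and underscore are interchangeable
            other => other,
        })
        .collect()
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Exact,
    Lookalike(String), // carries the trusted name being imitated
    Unrelated,
}

/// Compare one candidate name against a list of trusted names.
pub fn classify(candidate: &str, trusted: &[&str], max_distance: usize) -> Verdict {
    let cand = candidate.to_lowercase();
    if trusted.iter().any(|t| t.to_lowercase() == cand) {
        return Verdict::Exact;
    }
    let cand_folded = fold_confusables(&cand);
    for t in trusted {
        if edit_distance(&cand_folded, &fold_confusables(t)) <= max_distance {
            return Verdict::Lookalike(t.to_string());
        }
    }
    Verdict::Unrelated
}

/// Dependency names from the dependency tables of a Cargo.toml. Line-based and
/// deliberately minimal: enough for `name = "1.0"` and `name = { .. }` entries.
pub fn dependency_names(cargo_toml: &str) -> Vec<String> {
    let tables = ["[dependencies]", "[dev-dependencies]", "[build-dependencies]"];
    let mut in_deps = false;
    let mut names = Vec::new();
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_deps = tables.contains(&line);
        } else if in_deps && !line.is_empty() && !line.starts_with('#') {
            if let Some((name, _)) = line.split_once('=') {
                names.push(name.trim().trim_matches('"').to_string());
            }
        }
    }
    names
}

/// Host part of a URL: scheme, userinfo, port, path and query are dropped.
pub fn host_of(url: &str) -> &str {
    let rest = url.split_once("://").map_or(url, |(_, r)| r);
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let no_user = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    no_user.split(':').next().unwrap_or("")
}

/// Every candidate that imitates a trusted name, paired with the name it imitates.
pub fn audit(candidates: &[String], trusted: &[&str], max_distance: usize) -> Vec<(String, String)> {
    candidates
        .iter()
        .filter_map(|c| match classify(c, trusted, max_distance) {
            Verdict::Lookalike(t) => Some((c.clone(), t)),
            _ => None,
        })
        .collect()
}

fn main() {
    // Constructed manifest modelled on the crate names in the article.
    let cargo_toml = "[package]\nname = \"demo\"\n\n[dependencies]\nserde = \"1\"\n\
                      faster_log = \"1.7\"\nasync_println = { version = \"0.1\" }\n";
    let known_crates = ["serde", "fast_log", "log", "tokio"];
    for (dep, target) in audit(&dependency_names(cargo_toml), &known_crates, 2) {
        println!("dependency `{dep}` looks like known crate `{target}`");
    }
    // Constructed link in the style of the campaign (the real domain is not in the article).
    let links = ["https://ycomblnator.com/apply", "https://github.com/org/repo/issues/1"];
    let hosts: Vec<String> = links.iter().map(|l| host_of(l).to_string()).collect();
    for (host, target) in audit(&hosts, &["ycombinator.com", "github.com"], 0) {
        println!("link host `{host}` imitates `{target}`");
    }
}
```

Two design points are worth noting. The edit-distance threshold is a trade-off: a distance of 2 catches `faster_log` against `fast_log` but will also flag short, legitimately similar names, so the allowlist should be the crates a project actually depends on rather than the whole registry. The name check also says nothing about `async_println`, which imitated `fast_log` through its copied README and metadata rather than its name; that is why a manifest check belongs next to a review of where a crate's repository link and publisher actually point.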

On September 25, Microsoft Threat Intelligence experts discovered a new variant of the XCSSET malware for macOS, designed to steal notes, cryptocurrencies, and browser data from infected devices. It spreads by searching for and infecting other projects in the Xcode developer environment, activating during product builds.

"We believe this method of infection and distribution is based on the file exchanges between developers creating applications for Apple or macOS," stated the experts in their report.

Researchers noted several changes in the new version of the stealer.

On September 23, the U.S. Secret Service announced the dismantling of the largest SIM farm in the country’s history.

According to The New York Times, the investigation began after high-ranking officials received anonymous threats earlier in the year. The victims included two White House staffers and one Secret Service employee.

During the operation, more than 300 combined SIM servers and 100,000 SIM cards were seized. The farm operated just 56 km from the U.N. headquarters where a General Assembly meeting with world leaders was taking place. Authorities managed to neutralize the farm just hours before the meeting.

The capabilities of the farm allowed it to send spam to nearly all American phone numbers in a matter of minutes and potentially disrupt the national telecommunication network.

During the investigation, operatives found empty safe houses rented in Armonk (New York), Greenwich (Connecticut), Queens (New York), and New Jersey. Agents also confiscated firearms, computers, mobile phones, and 80 grams of cocaine.

On September 24, a suspect in the ransomware attack that caused widespread disruptions in European airport systems was apprehended.

Law enforcement stated that the arrest was made following an investigation into a cyber attack that affected the Multi-User System Environment (MUSE) software from Collins Aerospace. The suspect was released on bail pending investigation.

The attack was detected on Friday, September 19, as reports of flight delays began to emerge. Transport hubs experiencing technical difficulties included London Heathrow, Brussels Airport, Dublin Airport, and Berlin’s Willy Brandt Airport.

In an international operation led by Interpol, authorities seized over $439 million in cash and cryptocurrency. Law enforcement believes the confiscated assets are linked to cyber crimes that affected thousands of victims worldwide.

The operation, codenamed HAECHI VI, took place from April to August with the participation of authorities from 40 countries. During it, investigators froze 400 cryptocurrency wallets and over 68,000 related bank accounts. Approximately $16 million in cryptocurrency was seized.

As part of this operation, 45 suspects accused of illegally accessing social security accounts were arrested in Portugal. Additionally, the Royal Thai Police confiscated $6.6 million transferred by an unnamed Japanese corporation to accounts controlled by a transnational crime group composed of nationals from Thailand and West Africa.