AI Clones of Binance Clients, Telegram Vulnerability Controversy, and Other Cybersecurity Week Highlights

We have compiled the most significant cybersecurity news from the past week.

Fraudsters are leveraging AI to replicate the faces of clients from the cryptocurrency exchange Binance, enabling them to bypass biometric verification systems in order to steal assets. This warning was issued to users by the Binance team, as highlighted in their article.

To create fake 3D facial models, attackers use publicly available photos and videos, or ones stolen from databases. These attempts to bypass verification systems often coincide with attempts to crack passwords and bypass two-factor authentication (2FA).

Attacks on unprotected phones and desktops that have access to Binance can be conducted remotely through malware.

The exchange’s team is actively monitoring this threat and encourages users to remain vigilant.

The author of the Telegram channel “IT Digital” discovered a vulnerability in the messenger that allows unauthorized access to users’ accounts without requiring a password or multi-factor authentication (MFA), and reported this to the developers.

According to the researcher, the issue arises during login via the Telegram widget on external websites, particularly within the messenger’s in-app browser. Such logins can create elevated sessions that allow access to chats, the ability to answer calls without entering cloud passwords, and notifications to account owners.

The main risk is that an attacker could intercept the authorization token and use it on their own device, the expert added. He believes that this bug was responsible for the theft of cryptocurrency worth 200 million rubles (approximately $3 million) from his client in early 2025.

To mitigate such risks, the author advised users to clear the browsing history of the embedded Telegram browser and to disable all active web sessions and widgets.

Telegram officially denied any vulnerability, stating that the researcher misinterpreted the mechanisms behind different types of authorization. In turn, the specialist argues that the messenger team’s response contradicts what is shown in his video.

The U.S. Department of Justice has charged a Yemeni national, suspected to be the developer and primary operator of the Black Kingdom ransomware, with conducting 1,500 attacks on Microsoft Exchange servers.

According to case documents, from March 2021 to June 2023, 36-year-old Rami Khaled Ahmed and his accomplices infected computer networks with ransomware and demanded a ransom of $10,000 in Bitcoin. Among his victims were a medical company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a clinic in Wisconsin.

Authorities emphasized that the Black Kingdom virus was specifically designed to exploit vulnerabilities in Microsoft Exchange Server and gain access to targeted computers.

On charges including conspiracy, intentional damage to a protected computer, and threatening such damage, Ahmed faces up to 15 years in prison.

Apple has notified numerous users across over a hundred countries about a large-scale attack involving government spyware. This was reported by TechCrunch.

Among those affected are Italian journalist Ciro Pellegrino and Dutch right-wing activist Eva Vlaardingerbroek.

The spyware can access personal data, communications, microphone, and camera without the owner’s consent. It remains unclear which group is behind these targeted attacks.

Recipients of the alert are advised to immediately update their iPhones to the latest iOS version 18.4.1 and enable Lockdown Mode to enhance security.

The Irish Data Protection Commission (DPC) fined TikTok €530 million (over $601 million) for illegally transferring users’ personal data from the European Economic Area to China, in violation of EU data protection regulations.

The social media platform was also accused of lacking transparency.

TikTok has been ordered to bring its data processing practices into line with EU data protection requirements within six months. The DPC plans to halt all data transfers to China if the company fails to meet the deadline.

Group-IB specialists reported that the online infrastructure of the RansomHub ransomware group ceased operations «for inexplicable reasons» on April 1.

Several experts attributed this to the «departure of many participants» following a period of inactivity since November 2024. The situation worsened when a competing Ransomware-as-a-Service (RaaS) group, DragonForce, claimed that RansomHub intended to move to its infrastructure as part of a new «cartel» of ransomware programs.

Some affiliates may have migrated to Qilin, given the reported twofold increase in disclosed information on its leak site since February.

Estimates suggest that over a year of operations, RansomHub operators compromised the data of more than 200 victims. This RaaS group took the place of the now-closed LockBit and BlackCat and attracted their former affiliates, including Scattered Spider and Evil Corp, by offering favorable splits of ransom payouts.

Russian Telegram users have encountered a scam offering «virtual cards» for purchasing goods abroad and subscribing to foreign services. This was reported by «RIA Novosti», citing the State Duma.

Scammers lure victims by promising instant account creation and bonuses.

To set up an account, victims are asked for their name, phone number, and sometimes their passport information, depending on the scam narrative. Afterward, the scammers hand over details of non-existent cards and, under the pretense of «funding» or «linking» the account, obtain the victims’ genuine banking details.