Scattered Spider hackers sentenced, hardware wallet attacks, and other cybersecurity developments | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker



Weekly recap of major cybersecurity developments.

We compiled the week’s most important cybersecurity news.

  • macOS malware stole Telegram sessions and replaced wallet apps.
  • Scattered Spider hackers were sentenced for hacking London’s transport system.
  • About 300 fake GitHub repositories distributed an infostealer.
  • The U.S. charged operators of Russian bulletproof hosting providers Media Land and ML.Cloud.

macOS malware stole Telegram sessions and replaced crypto wallets

Researchers at SlowMist detailed a macOS infostealer’s multi-pronged approach to stealing cryptocurrency. According to them, the malware hijacks authenticated messenger sessions and targets both software and hardware wallets.

Once on a device, the malware collected sensitive data: passwords from the macOS Keychain, Safari cookies, hidden entries in Apple Notes, and databases from more than a dozen crypto wallets and browser extensions.

How the malware works:

  • account takeover bypassing 2FA. The malware copies Telegram Desktop’s local session files. These let attackers log in to the victim’s account on another Mac without a phone number, SMS code, or two-factor authentication password, as the system treats the connection as a continuation of an already authorized session;
  • phishing. The software replaces legitimate hardware wallet apps (Ledger Live and Trezor Suite) with exact copies whose sole purpose is to trick the user into entering the seed phrase.

The attackers decrypt stolen databases offline using passwords extracted from the compromised Mac, the researchers said.

Targets included Exodus, Atomic, Electrum, Wasabi, Monero wallets, as well as full node clients (Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core).

SlowMist urged users who suspect their Mac is compromised to immediately force-terminate all active sessions in Telegram settings, reauthenticate, and change passwords. To protect crypto assets, the firm advised generating a new seed phrase on a clean device and urgently moving funds there.

Scattered Spider hackers sentenced for hacking London’s transport system

A court sentenced two key members of the Scattered Spider hacking group to five years and six months in prison, the UK’s National Crime Agency (NCA) said.

Talha Jubair, 20, and Owen Flowers, 18, were found guilty of hacking Transport for London’s (TfL) IT infrastructure in August 2024.

The attack on TfL, which provides transport for 8.4 million Londoners, caused major disruption: 148 internal systems went down, Dial-a-Ride services, concessionary pass applications, digital payments and the refunds system were disabled. All 27,000 employees had to change their passwords at work.

Direct losses and recovery costs for TfL totaled £29 million. Authorities estimated that if the attackers had fully shut down the transport network, the UK economy could have lost up to £56 billion.

Both offenders were arrested by NCA officers in September 2024, two weeks after the breach. Searches of Flowers’ devices uncovered not only evidence related to TfL, but also signs of planned cyberattacks on U.S. healthcare companies Sutter Health and SSM Health Care Corporation.

The NCA called Scattered Spider “the most serious cyber threat to the UK in recent years.” Beyond the transport hack, the group faces numerous other allegations:

  • retail raids. In July 2025, the NCA arrested four more members linked to intrusions at major UK retailers, including Harrods, Marks & Spencer and Co-op;
  • U.S. charges. In September 2025, the Department of Justice charged Jubair in absentia. According to U.S. investigators, from May 2022 to September 2025 he was involved in breaching at least 120 networks in the United States, including critical infrastructure and courts;
  • extortion. Over one year (August 2024 to July 2025), Jubair and his accomplices extorted more than $115 million from victims worldwide.

About 300 fake GitHub repositories distributed an infostealer

Hackers set up 292 fake repositories on GitHub masquerading as popular antivirus tools, developer utilities, cryptocurrency services and gaming software, according to Arctic Wolf.

Each fake repository contained a README with a link to a phishing landing page. The download page used dynamic templates and automatically adapted its design and headings to the brand the victim was searching for.

Users were prompted to download a ZIP archive whose contents were regenerated every minute to evade signature analysis. Inside were a WinGUP-signed updater and a libcurl.dll library with a trojan. On execution, the malware loaded and operated solely in memory.

imageimage
Source: Arctic Wolf.

Analysis showed the attackers used a modified version of the BoryptGrab stealer. The malware did not attempt persistence and stole:

  • data from 19 browsers and 32 crypto wallets;
  • local sessions for Telegram and Steam, and Discord tokens;
  • contents of the Windows Credential Manager;
  • files from the Desktop and Documents folders if their names referenced passwords, backups or seed phrases.

Researchers flagged a dangerous trait: the malware bypasses Google Chrome protections by directly injecting code into the browser process.

Stolen data is archived and sent to a command server based in Russia. By the time the report was published, GitHub had removed most of the fraudulent repositories.

U.S. charges operators of Russian bulletproof hosts Media Land and ML.Cloud

The U.S. Department of Justice charged three Russian nationals with operating bulletproof hosting services Media Land and ML.Cloud.

Prosecutors said their infrastructure was used by major ransomware programs, including LockBit, BlackSuit and Play, causing more than $62 million in losses to organizations worldwide.

The bulletproof hosts knowingly ignored complaints about malicious activity and law enforcement takedown requests. Attackers used Media Land and ML.Cloud servers to deploy command servers, run phishing campaigns, conduct DDoS attacks and distribute malware. Their infrastructure was located in several countries, including the United States, China, the Netherlands and Finland.

According to the indictment, the roles in the group were as follows:

  • Alexander Volosovik (known on darknet forums as Yalishanda) — owner of Media Land;
  • Yulia Pankova — owner of ML.Cloud, also responsible for legal and financial matters;
  • Kirill Zatolokin — responsible for collecting payments from cybercriminals.

The group’s activities affected residents of at least 20 U.S. states. Victims included banks, schools, hospitals, government entities and media companies.

In response, the State Department announced a $10 million reward for any information that helps reveal these individuals’ or their companies’ ties to foreign governments, as well as details of their malicious activity.

In November last year, the United States, the United Kingdom and Australia already imposed tough sanctions against the defendants and their companies. In July, the EU formally joined the measures, adding Media Land, ML.Cloud and Alexander Volosovik to its first joint cyber sanctions package with the UK against Russia.

One OkoBot stealer module specialized in stealing seed phrases

Researchers at Kaspersky discovered the OkoBot malicious framework targeting Windows users since at least April 2025. One of its modules, SeedHunter, focuses on stealing seed phrases from owners of Ledger and Trezor hardware wallets.

Unlike most malware, which simply removes the original software and drops a fake copy, SeedHunter takes a subtler approach. It injects malicious code directly into the internal processes of already installed legitimate Ledger Live and Trezor Suite applications.

The module scans the computer’s USB ports and remains dormant until a hardware wallet is physically connected. Once the system recognizes the device, SeedHunter blocks the interface and overlays a fake window on top of the original app, prompting the user to enter the seed phrase. Because the request comes from inside the official program, users lower their guard.

According to the researchers, OkoBot lands on victims’ devices via fraudulent ClickFix browser notifications or trojanized GitHub repositories.

imageimage
Source: Kaspersky.

Beyond SeedHunter, the framework carries more than 20 surveillance payloads that:

  • deploy hidden SSH tunnels and modify system files for covert access to the computer;
  • install stealth browser extensions (including the Rilide stealer);
  • use keyloggers and secretly record MP4 screen video whenever the victim opens password managers (1Password), local wallets (Exodus) or tabs with MetaMask.

Researchers recorded hundreds of infections in more than 25 countries, led by Brazil, Vietnam, Canada and Mexico. The attackers’ servers do not target IP addresses from Russia and CIS countries, and comments in Russian were found in SeedHunter’s phishing page code.

Study of 85 browser crypto wallets finds tracking, deanonymization and address leakage

Scientists from the DistriNet research group at the Catholic University of Leuven in Belgium analyzed 85 popular browser crypto wallets with a combined Chrome Web Store user base of more than 35 million.

The audit found that the architecture of most of them enables third-party trackers to link user addresses, follow users across the web and deanonymize them. The researchers stressed these are not vulnerabilities or hacks but legitimate features and normal program behavior.

They identified three key privacy issues:

  • address linking. Seventeen wallets transmitted data in a way that let the provider’s server combine different addresses belonging to the same user into a single profile;
  • tracking after logout. Thirty-six of the 85 wallets revealed their presence to sites, creating a fingerprint. Many Web3 applications and wallets also failed to properly revoke access after disconnecting;
  • deanonymization via hidden iframes. A tracking script can silently load a trusted Web3 application, obtain the wallet address, and link it to the user’s name, email or browsing history.

The researchers notified developers about the tracking issue before publication. As of summer 2026, only Coinbase Wallet, Coin98 and Hana Wallet had shipped fixes. Most major players declined to recognize it as a vulnerability:

  • MetaMask closed the report as a duplicate, calling the issue a “known quirk” whose fix would “break too many existing Web3 applications”;
  • Rabby said a malicious script would need to be present on two sites simultaneously to exploit the issue, which is “practically impossible,” therefore “no vulnerability exists”;
  • OKX acknowledged the researchers’ technical point but closed the submission as “informational,” since data leaks occur without direct theft of funds;
  • Bybit, Backpack and Core categorized the risks as low or out of scope for their bug bounty programs.

The experts recommended regularly opening extension settings and manually clearing the “connected sites” list, as well as using isolated browser profiles for different activities.

Also on ForkLog:

  • A survey found gaps in corporate AI agent defenses.
  • Media: a leak revealed Suno’s data sources.
  • Summer.fi will shut down its interface after a $6 million hack.
  • Bonzo Lend lost $9 million due to a price oracle attack.

What to read this weekend?

In a new feature, ForkLog looks at how on-chain analysis combines with open-source intelligence, the tools crypto sleuths use, and where the line lies between investigation and surveillance.

Follow ForkLog on social media

Found a mistake in the text? Select it and press CTRL+ENTER



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW