{"id":96281,"date":"2026-04-18T07:00:00","date_gmt":"2026-04-18T04:00:00","guid":{"rendered":"https:\/\/u1f987.com\/en\/?p=96281"},"modified":"2026-04-18T09:06:30","modified_gmt":"2026-04-18T06:06:30","slug":"kraken-faces-extortion-signal-chats-recovered-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/kraken-faces-extortion-signal-chats-recovered-and-other-cybersecurity-news\/","title":{"rendered":"Kraken faces extortion, Signal chats recovered, and other cybersecurity news"},"content":{"rendered":"<p>We compiled the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Ukrainian authorities seized $8.3 million in hackers\u2019 crypto assets.<\/li>\n<li>Analysts found a crypto-address\u2013swapping trojan with a sophisticated delivery chain.<\/li>\n<li>Kraken faced extortion.<\/li>\n<li>The FBI extracted Signal chats after the app was deleted.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Ukraine seizes hackers\u2019 crypto assets worth $8.3 million<\/h2>\n<p>Law enforcement in Ukraine detained a member of an international hacking group that carried out cyberattacks in Europe and the US, according to <a href=\"https:\/\/gp.gov.ua\/ua\/posts\/vidmivali-milioni-vid-kiberatak-na-jevropu-ta-ssa-zatrimano-shhe-odnogo-ucasnika-miznarodnogo-xakerskogo-ugrupovannya-arestovano-aktivi-na-111-mln-dolariv-ssa\">Prosecutor General Ruslan Kravchenko<\/a>.<\/p>\n<p>Investigators say the perpetrators used malware to steal confidential information and documents to extort ransoms. The proceeds were sent to crypto wallets, then cashed out and laundered in Ukraine \u2014 including through purchases of real estate and high-value assets.<\/p>\n<p>Estimated losses exceeded $100 million. 
As part of the investigation, more than 30 searches were conducted and assets worth about $11.1 million were seized, including houses and cars, $1 million in cash and roughly $8.3 million in cryptocurrency.<\/p>\n<p>Authorities also identified the whereabouts of an accomplice responsible for laundering the funds.<\/p>\n<h2 class=\"wp-block-heading\">Analysts discover a crypto-address\u2013swapping trojan with a complex delivery chain<\/h2>\n<p>Researchers at Kaspersky <a href=\"https:\/\/securelist.ru\/clipbanker-malware-distributed-via-trojanized-proxifier\/115138\/\">reported<\/a> a campaign distributing the ClipBanker trojan, which swaps crypto wallet addresses in the clipboard.<\/p>\n<p>The malware masquerades as Proxifier, a utility that developers and system administrators use to route application traffic through a proxy server.<\/p>\n<p>According to analysts, a link to the infected GitHub repository appears near the top of search results on Google and Yandex.<\/p>\n<p>The trojan deploys stealthily during Proxifier installation, using a fileless technique that runs code in memory. A scheduled task then launches a registry-based script that points to GitHub. 
From there, the chain retrieves a file with code, injects it into fontdrvhost.exe and deploys the final payload.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-3466f3e412d902f0-2056627940865199.webp\" alt=\"image\" class=\"wp-image-278619\"\/><figcaption class=\"wp-element-caption\">Source: Kaspersky Lab.<\/figcaption><\/figure>\n<p>ClipBanker\u2019s core function is to monitor the clipboard for crypto wallet addresses and swap them.<\/p>\n<p>Since early 2025, more than 2,000 Kaspersky users \u2014 mainly in India and Vietnam \u2014 have encountered the threat, the experts said.<\/p>\n<h2 class=\"wp-block-heading\">Kraken faced extortion\u00a0<\/h2>\n<p>Kraken\u2019s chief security officer, Nick Percoco, reported several employee-related incidents after which the crypto exchange\u2019s leadership was subjected to extortion.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Kraken Security Update<\/p>\n<p>We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It\u2019s important to start with the most important points: our systems were never\u2026<\/p>\n<p>\u2014 Nick Percoco (@c7five) <a href=\"https:\/\/twitter.com\/c7five\/status\/2043720915330969743?ref_src=twsrc%5Etfw\">April 13, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The perpetrators threatened to publish company videos that allegedly display exchange users\u2019 data.<\/p>\n<p>According to Percoco, Kraken\u2019s infrastructure was not breached and client funds remain safe. He attributed the incident to customer-support staff accessing restricted information without authorization.<\/p>\n<p>Users whose data may have been affected were notified. 
In total, about 2,000 accounts (0.02% of the client base) were impacted.<\/p>\n<p>Percoco said that in February 2025 a source alerted the team to a video circulating in criminal circles showing access to customer-support systems. The investigation found that a support agent had been recruited by hackers. A second similar case followed.\u00a0<\/p>\n<p>Percoco added that the exchange is working with law-enforcement agencies in several jurisdictions and has handed over evidence.<\/p>\n<h2 class=\"wp-block-heading\">The FBI extracted Signal chats after the app was deleted<\/h2>\n<p>The FBI recovered messages from Signal even though they had been deleted and the app removed from an iPhone, <a href=\"https:\/\/www.404media.co\/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2\/\">404 Media<\/a> reported.\u00a0<\/p>\n<p>In a court case <a href=\"https:\/\/www.justice.gov\/opa\/pr\/antifa-cell-members-convicted-prairieland-ice-detention-center-shooting\">concerning<\/a> an attack on an <span data-descr=\"U.S. Immigration and Customs Enforcement\" class=\"old_tooltip\">ICE<\/span> facility in Alvarado, Texas, the FBI submitted deleted Signal messages as evidence. Journalists say federal agents restored the data from push notifications preserved in iOS\u2019s internal database.<\/p>\n<p>If Signal\u2019s settings allow message content to appear in lock-screen previews, the text remains stored even after the app is removed.\u00a0<\/p>\n<p>Signal offers an option to hide content, but Lynette Sharp apparently did not enable it.<\/p>\n<p>Telegram co-founder Pavel Durov <a href=\"https:\/\/t.me\/durov\/485\">reacted<\/a> to the news. He called it \u201cyet another proof\u201d that Secret Chats are the safest way to communicate.<\/p>\n<p>Signal representatives confirmed receiving a request from 404 Media but then stopped replying. 
Apple declined to comment.<\/p>\n<h2 class=\"wp-block-heading\">Obsidian note-taking app used as a trojan backdoor<\/h2>\n<p>Experts at Elastic Security Labs <a href=\"https:\/\/www.elastic.co\/security-labs\/phantom-in-the-vault\">identified<\/a> a campaign in which scammers use the Obsidian note-taking app as bait. The final payload is a previously unknown trojan dubbed PHANTOMPULSE.<\/p>\n<p>The targets were employees of financial and cryptocurrency organizations. The attack unfolds as follows:<\/p>\n<ol class=\"wp-block-list\">\n<li>Attackers pose as staff at a venture-capital firm.<\/li>\n<li>The conversation moves to Telegram, where several \u201cpartners\u201d discuss industry services to create an air of legitimacy.<\/li>\n<li>The victim is invited to connect to a shared Obsidian cloud vault that purportedly contains a joint analytics dashboard.<\/li>\n<\/ol>\n<p>To execute malicious code, the hackers rely on Obsidian community plugins: Shell Commands (to run commands) and Hider (to conceal activity in the interface).<\/p>\n<p>Because third-party plugins are disabled in Obsidian by default, the hackers persuade the victim to enable them. 
The malicious vault configuration then automatically launches commands.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-273c15a9ac782ee7-2056628078740593.webp\" alt=\"image\" class=\"wp-image-278620\"\/><figcaption class=\"wp-element-caption\">Source: Elastic Security Labs.<\/figcaption><\/figure>\n<p>On Windows, the attack triggers a script that downloads and installs the PHANTOMPULSE malware.<\/p>\n<p>Its features include:<\/p>\n<ul class=\"wp-block-list\">\n<li>built with the help of AI;<\/li>\n<li>uses the Ethereum blockchain as a <span data-descr=\"a dead drop for passing materials between intelligence agents without a face-to-face meeting\" class=\"old_tooltip\">Dead Drop<\/span> Resolver (DDR) to determine the command server\u2019s address by decoding recent transactions of a specific wallet;<\/li>\n<li>collects telemetry, executes commands via code injection, takes screenshots, logs activity, and can escalate privileges to SYSTEM and cover its tracks.<\/li>\n<\/ul>\n<p>On Apple systems, the trojan launches an AppleScript and uses Telegram as the DDR, allowing the attackers to rotate domains if discovered.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Drift <a href=\"https:\/\/u1f987.com\/en\/news\/drift-secures-127-million-from-tether-for-hack-victim-compensation\">received<\/a> $127 million from Tether to compensate hack victims.<\/li>\n<li>Ledger <a href=\"https:\/\/u1f987.com\/en\/news\/ledger-unveils-security-roadmap-for-the-age-of-ai-agents\">published<\/a> a security roadmap for the age of AI agents.<\/li>\n<li>Scammers <a href=\"https:\/\/u1f987.com\/en\/news\/fraudsters-steal-9-5-million-via-fake-ledger-app-in-app-store\">stole<\/a> $9.5 million via a fake Ledger app in the App Store.<\/li>\n<li>The US Department of Justice <a href=\"https:\/\/u1f987.com\/en\/news\/us-justice-department-initiates-compensation-for-onecoin-victims\">began<\/a> payouts to 
OneCoin victims.<\/li>\n<li>Regulators worldwide <a href=\"https:\/\/u1f987.com\/en\/news\/global-regulators-express-concerns-over-anthropics-new-ai-model\">voiced concern<\/a> over the capabilities of Anthropic\u2019s new AI model.<\/li>\n<li>A hacker <a href=\"https:\/\/u1f987.com\/en\/news\/hacker-breaches-hyperbridge-mints-1-billion-polkadot-tokens\">hacked<\/a> the Hyperbridge bridge and minted 1 billion Polkadot tokens.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>Promises, billions raised and harsh reality: in a new feature, ForkLog revisits the evolution of layer-1 blockchains that tried to unseat Ethereum.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We compiled the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":96282,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week: Ukraine seizes $8.3m, ClipBanker spreads, Kraken extortion, FBI pulls Signal chats.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-96281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"30","promo_type":"1","layout_type":"1","short_excerpt":"This week: Ukraine seizes $8.3m, ClipBanker spreads, Kraken extortion, FBI pulls Signal 
chats.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=96281"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96281\/revisions"}],"predecessor-version":[{"id":96283,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96281\/revisions\/96283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/96282"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=96281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=96281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=96281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}