Crypto news

20.06.2026
05:20

Masquerading as Trust: Fake Reputations, USB Worms, and New Android Trojans — Weekly Cyber Threat Digest

security_new1

The world of crypto security continues to present new challenges. This week, we witnessed a cascade of attacks, ranging from sophisticated reputation manipulation schemes on GitHub to self-replicating USB worms. I have analyzed the key events so you can stay on top of things.

Fake Reputation as a Tool: Crypto Clippers on Solana and Pump.fun

Attackers have taken social engineering to a new level by creating an entire "reputation economy" to promote malware. At the center of the scheme is a crypto clipper written in Rust, targeting Windows and macOS. It disguises itself as trading tools in the Solana and Pump.fun ecosystems, as well as betting software.

The hacker built a complex infrastructure of "Ghost Networks" across multiple platforms. On VirusTotal, a cluster of fake accounts mass-posted positive reviews to falsely classify malicious files as safe. On GitHub and SourceForge, a network of accounts was used for mutual promotion of repositories, while on SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices. On YouTube, a channel with over 91,000 subscribers is used for advertising, where tutorial videos are created using AI voice generators and accompanied by fake comments. To legitimize the tool, the hacker uses press release distribution services, which are then automatically republished by partner news sites. This is a dangerous shift in tactics: the proven scheme could be used for the mass distribution of ransomware and more sophisticated info-stealers.

USB Worm: Hidden Shortcuts and Seed Phrase Theft

Microsoft experts have revealed details of a self-replicating malware campaign targeting cryptocurrency owners. The infection process is activated when a modified shortcut file (.LNK) is opened on a USB drive. The worm covertly installs additional payloads from a command server in the .onion domain zone, scans the system for user documents, replaces them with malicious shortcuts, and creates a scheduled task for self-propagation to new USB drives.

In its active phase, the stealer monitors the clipboard for BIP39 seed phrases (12 and 24 words) and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it instantly replaces them with the attacker's details, selecting wallets with visually matching initial characters. Every ten seconds, the virus takes five screenshots and sends them to the hackers. Activity has been recorded at least since February, and the main indicators of infection are behavioral: suspicious activity from wscript.exe and cscript.exe, unexpected launches of Curl and PowerShell, and connections to localhost:9050 (Tor port).

South Korea vs. Money Launderers: 11,300 Accounts and $17 Million in Damages

South Korean law enforcement has detained 23 suspects in a case involving money laundering for a Cambodian phishing organization. From February 2024 to April 2025, the group moved approximately 11.1 million USDT through a complex routing network using both domestic and foreign crypto exchanges. To launder the money, the attackers used about 11,300 different accounts linked to stolen funds totaling approximately $17 million, obtained from 265 incidents. Around $430,000 was seized during raids, but the alleged mastermind remains at large — an Interpol international warrant has been issued for him.

New Android Trojan Rokarolla: 137 Commands and Full Device Control

Zimperium researchers have discovered the Android trojan Rokarolla, targeting cryptocurrency theft. Its arsenal includes 137 remote commands, allowing it to intercept PIN codes, read SMS, manipulate the clipboard, and disable built-in OS protection mechanisms. The malware spreads through fake websites disguised as TikTok and Google Chrome installers. The dropper mimics the Google Play Protect system component and uses social engineering to trick the user into granting access to "Accessibility Services," after which it deploys the main payload and disables the real Play Protect scanner.

Rokarolla downloads fake HTML login pages for each active application from a target list, intercepting crypto wallet credentials. A separate overlay mimics the standard Android lock screen, allowing theft of the PIN or pattern. An integrated clipper replaces copied wallet addresses, while reading SMS and the ability to send messages allows bypassing two-factor authentication. Moreover, the trojan can block incoming calls from bank anti-fraud systems. The main defense is vigilance when granting permissions to "Accessibility Services."

Couriers for "Pig Butchering" and a Vulnerability in Beats Studio Buds

The FBI warns of a new tactic by operators of "pig butchering" crypto scams: they have started hiring couriers to collect cash from victims whose transactions are blocked by bank security systems. Scammers gain trust through social media, then convince victims to withdraw cash under the pretext of a "frozen" account and send a courier with a pre-arranged password. According to FBI data for 2025, cryptocurrency and investment fraud remain the most destructive form of cybercrime in the US: 49% of all incidents with total losses of $8.6 billion.

Apple has released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. It allowed attackers within Bluetooth range to secretly connect to the headphones, use the built-in microphone for espionage, and even intercept trust relationships with previously paired smartphones. The vulnerability is related to incorrect authorization in the Bluetooth audio SDK from Airoha and has been successfully fixed in firmware version 1B211.

My Expert Opinion: This week has shown that attackers are becoming not only technically more sophisticated but also psychologically more thoughtful. Manipulation of crowdsourcing platforms and the use of "reputation networks" is a worrying signal. Investors should be doubly cautious: trust not only reviews and ratings but also verify every downloaded application through several independent sources. USB worms and Android trojans remind us that basic security hygiene — regular updates and avoiding suspicious links — remains your primary shield.