Cyber threats of the week: USB worm targets crypto wallets, Apple patches a hole in Beats Studio Buds, and a new wave of Android trojans

The past week in cybersecurity was eventful: from sophisticated social engineering schemes to hardware vulnerabilities. Let's break down the key events that should be on the radar of everyone working with digital assets.
Fake Reputation as a Weapon: Next-Generation Crypto Clippers
Attackers have elevated trust-building tactics to a new level. Instead of isolated phishing emails, they have deployed an entire infrastructure of "ghost networks" to promote a malicious crypto clipper. This Rust-based trojan, masquerading as trading tools for Solana and Pump.fun, monitors the clipboard and instantly swaps wallet addresses.
What is particularly alarming is that attackers manipulate ratings on GitHub, SourceForge, and YouTube. They use account farms to inflate likes, stars, and positive reviews. On SourceForge, downloads were artificially boosted to 44,000 using Android farms. Even VirusTotal came under attack: a cluster of fake accounts falsely marked malicious files as safe. This is a dangerous precedent, showing that crowdsourcing platforms are no longer a reliable source of validation.
USB Worm with Tor Control: A Hidden Threat for Windows
Microsoft experts have uncovered the workings of a self-replicating worm targeting cryptocurrency theft. Infection begins with opening a modified .LNK file on a USB drive. The worm then hides the user's original documents and replaces them with malicious shortcuts, activating with each click.
A key feature is the use of Tor to communicate with a command server in the .onion domain. The malware monitors the clipboard every half-second for BIP39 seed phrases and Bitcoin, Ethereum, Tron, and Monero addresses. Upon detection, it swaps the address with the attacker's details, with an algorithm selecting visually similar starting characters. Additionally, the virus takes screenshots every ten seconds and can execute arbitrary JavaScript scripts. Activity has been recorded since February, and the main indicator is suspicious activity from wscript.exe and cscript.exe processes.
South Korea: Dismantling a $17 Million Money Laundering Network
South Korean law enforcement arrested 23 suspects involved in laundering funds for a Cambodian phishing organization. Between February 2024 and April 2025, the group moved approximately 11.1 million USDT through a network of 11,300 accounts. These accounts were linked to stolen funds totaling $17 million obtained from 265 incidents. About $430,000 was seized, but the alleged mastermind fled and is on Interpol's international wanted list via a "red notice." This is a clear example of how complex transit schemes attempt to hide the traces of cryptocurrency crimes.
Rokarolla: Android Trojan with Full Device Control
Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. It spreads through fake websites masquerading as installers for TikTok and Google Chrome. After gaining access to "Accessibility Services," the trojan disables Play Protect and deploys overlay attacks.
Rokarolla fakes the Android lock screen to steal PIN codes, intercepts SMS to bypass 2FA, and uses a built-in clipper to swap crypto wallet addresses. Moreover, it can block incoming calls to prevent bank alerts from reaching the victim. The only reliable protection is extreme caution when granting "Accessibility" permissions.
Cash Collection Couriers: A New Tactic for "Pig Butchering" Scams
The FBI warns of a new tactic by scammers using "pig butchering" schemes. When banking systems block suspicious transactions, attackers send couriers to collect cash from victims. They convince people to withdraw money under the pretext of a "frozen" account, then simulate a balance increase in a fake wallet. According to the FBI, in 2025, cryptocurrency and investment fraud accounted for 49% of all incidents with losses of $8.6 billion. This is a reminder that even offline interaction does not guarantee safety.
Beats Studio Buds Vulnerability: Apple Patches Spyware Hole
Apple has released a firmware update for Beats Studio Buds, fixing a critical vulnerability, CVE-2025-20701. The flaw in Airoha's Bluetooth audio SDK allowed attackers within range to connect to the headphones without authorization and activate the microphone for eavesdropping. The exploit also provided access to the device's RAM and flash memory, as well as allowing interception of trust relationships with previously paired iPhones. The vulnerability is fixed in firmware version 1B211. This is a serious signal that even peripheral devices can become an attack vector for crypto wallets and personal data.
Cryptalist Expert Commentary: The past week clearly demonstrates the evolution of threats: from simple phishing to multi-layered attacks using social engineering, reputation manipulation, and hardware vulnerabilities. The crypto community needs to rethink its security models, focusing on behavioral analysis and hardware wallets, rather than relying solely on antivirus solutions.