Crypto news

20.06.2026
08:51

Cybersecurity Week: USB worm for stealing cryptocurrencies, vulnerability in Beats Studio Buds, and new scammers' tactics

security_new1

An analytical overview of key cybersecurity events over the past week: from complex multi-stage attacks to new vulnerabilities in popular devices.

USB Worm with Self-Propagation Capability: A New Threat for Cryptocurrency Holders

Microsoft experts have identified a dangerous campaign in which attackers use a self-replicating USB worm to steal digital assets. Infection occurs when a modified shortcut file (.LNK) on a USB drive is opened. Once activated, the malware stealthily downloads additional modules from a command server located on the Tor network.

The worm scans the local system for user documents, hides the originals, and replaces them with malicious shortcuts bearing identical names. Thus, every time the victim tries to open their files, the malware is reactivated. For self-propagation, the program creates a task that monitors the connection of new USB drives and instantly copies itself onto them.

In its active phase, the stealer monitors the clipboard every half second, hunting for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detecting a copied address, it instantly replaces it with the attacker's details, with the algorithm selecting wallets that visually resemble the original. Additionally, every ten seconds, the virus takes five screenshots and sends them to the hackers.

My Expert Opinion: This campaign demonstrates a worrying evolution in cybercriminal tactics. Using USB drives for self-propagation and Tor to hide command servers is a return to classic methods, but with a modern, crypto-focused payload. Special attention should be paid to the fact that the infection indicators are behavioral rather than signature-based, making their detection by traditional antivirus software extremely difficult.

Fake Reputation as a Tool for Spreading Crypto Clippers

Check Point Research specialists have uncovered a large-scale campaign in which attackers created a complex "reputation economy" to promote malware. The ultimate goal is to inject crypto clippers disguised as legitimate trading tools for Solana and Pump.fun.

The malware, written in Rust, targets Windows and macOS. It covertly monitors the clipboard and replaces copied wallet addresses. To build trust, hackers use "ghost networks": fake accounts on VirusTotal, GitHub, and YouTube that inflate likes and leave positive reviews. On SourceForge, the download counter was artificially boosted to 44,000 using a farm of Android devices. A YouTube channel with over 91,000 subscribers is used for promotion, where videos are created using AI-generated voice.

Apple Fixes Dangerous Vulnerability in Beats Studio Buds

Apple has released a firmware update for its Beats Studio Buds wireless headphones, patching the high-severity vulnerability CVE-2025-20701. The issue, related to incorrect authorization in the Bluetooth audio SDK, allowed attackers within Bluetooth range to secretly connect to the headphones and activate the built-in microphone for espionage.

The exploit can be activated without authentication and provides near-complete control over the device, including reading and overwriting memory, as well as intercepting trust relationships with previously paired smartphones. The vulnerability has been fixed in firmware version 1B211.

South Korean Police Dismantle Cryptocurrency Laundering Network

Law enforcement in South Korea has arrested 23 suspects involved in laundering funds for a Cambodian phishing organization. Between February 2024 and April 2025, the group moved approximately 11.1 million USDT through a complex network of 11,300 different accounts on domestic and foreign exchanges. Criminal proceeds worth around $430,000 were seized. The alleged mastermind has been placed on Interpol's "Red Notice" international wanted list.

New Android Trojan Rokarolla and Other Threats

Zimperium researchers have discovered the Rokarolla trojan for Android, targeting cryptocurrency theft. Its arsenal includes 137 remote commands, allowing it to intercept PIN codes, manipulate the clipboard, and disable OS security mechanisms. The malware is distributed through fake websites masquerading as TikTok and Google Chrome, and gains access to "Accessibility Services" through social engineering.

Additionally, the FBI warns of a new tactic by scammers who hire couriers to collect cash from victims whose transactions are blocked by banks. According to the bureau, in 2025, cryptocurrency and investment scams accounted for 49% of all incidents, with losses amounting to $8.6 billion.