Crypto news

20.06.2026
09:28

Cyber threats of the week: USB worm targets crypto wallets, Apple patches a hole in Beats, and a new Android trojan

security_new1

This week, the cyber threat landscape for digital asset holders has been marked by several serious incidents. From self-spreading USB worms to sophisticated Android trojans and a vulnerability in Apple headphones, attackers continue to invent new ways to access your funds. Let's break down the key events.

USB Worm: A New Evolution of the Crypto Clipper

Microsoft researchers have detected a campaign spreading a unique malware that uses USB drives for self-replication. Activation occurs when a modified shortcut (.LNK) on the flash drive is opened. After that, the worm connects to a command server in the .onion domain zone and begins scanning the system.

Its main goal is to replace cryptocurrency wallet addresses in the clipboard. The malware monitors BIP39 seed phrases, as well as Bitcoin, Ethereum, Tron, and Monero addresses. Upon detection, it instantly replaces them with the attackers' addresses, with an algorithm selecting wallets with visually similar starting characters so the victim does not notice the substitution. For self-replication, the worm creates a task that copies it to every new USB drive connected to the PC.

The behavioral nature of the attack poses a particular danger: standard antivirus software may not detect the threat. Key indicators include suspicious activity from wscript.exe and cscript.exe, as well as unexpected connections to localhost:9050 (Tor port).

Rokarolla: Android Trojan with Full Device Takeover

Zimperium specialists have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. It disguises itself as installers for popular apps like TikTok and Google Chrome. After installation, the trojan mimics the Google Play Protect system component and uses social engineering to trick the user into granting access to "Accessibility Services."

Once in control, Rokarolla disables the real Play Protect and deploys its full functionality: intercepting PIN codes, reading and sending SMS, and using a built-in clipper to steal cryptocurrencies. A separate threat is a fake lock screen that allows attackers to control the smartphone even when locked. The trojan can also block incoming calls from bank anti-fraud systems, making it particularly dangerous for mobile banking users.

Vulnerability in Beats Studio Buds: Eavesdropping Without the Owner's Knowledge

Apple has released a firmware update (version 1B211) for its wireless Beats Studio Buds headphones, closing a critical vulnerability, CVE-2025-20701. The issue, discovered by SentinelOne experts, allowed attackers within Bluetooth range to connect to the headphones without authentication and use the built-in microphone for espionage.

Furthermore, the attack made it possible to read and overwrite the device's RAM and flash memory, as well as intercept trust relationships with previously paired smartphones. This opens a vector for multi-stage attacks, potentially threatening iPhone security. I recommend all Beats Studio Buds owners immediately check for the update.

South Korea: Dismantling a Crypto Laundering Network

South Korean law enforcement has arrested 23 suspects involved in laundering funds for a Cambodian phishing syndicate. From February 2024 to April 2025, the group moved approximately 11.1 million USDT through a network of 11,300 accounts on domestic and foreign exchanges. The total amount of stolen funds linked to these accounts is estimated at $17 million. The group's organizer is currently wanted via an Interpol "Red Notice."

Expert Conclusion

This week clearly demonstrates that cybercriminals are moving towards increasingly sophisticated and multi-layered attacks. The use of USB worms and fake reputations on GitHub is no longer just isolated incidents but a systemic trend. Users need to exercise maximum vigilance: do not connect suspicious USB drives, carefully check permissions for Android apps, and promptly update the firmware of all connected devices. Security in the crypto world begins with awareness at every step.