Crypto news

20.06.2026
11:25

Cyber threats of the week: USB worm hunts for crypto wallets, Apple patches a hole in Beats, and a new Android trojan

Over the past week, the cyber threat landscape for the crypto community has been supplemented by several dangerous attack vectors. From self-propagating worms to sophisticated social engineering schemes, attackers continue to refine their methods. Let's break down the key events.

Cryptoclippers on Steroids: Fake Reputation and USB Worms

The most notable was a campaign to distribute a cryptoclipper written in Rust. The attackers built an entire "reputation economy" by manipulating ratings on GitHub, SourceForge, and YouTube. Disguised as legitimate trading tools for Solana and Pump.fun, they injected malware that swaps wallet addresses in the clipboard. To create an illusion of trustworthiness, AI-generated videos and coordinated fake accounts were used. This is a dangerous trend: trust in open platforms is no longer a guarantee of security.

In parallel, Microsoft experts revealed details of a USB worm that uses hidden Windows shortcuts (.LNK) for self-propagation. After infection via a flash drive, the malware scans the system, hides the user's original files, and replaces them with its own shortcuts. Every click on a "work document" activates the virus. It also monitors the clipboard for BIP39 seed phrases and addresses for Bitcoin, Ethereum, Tron, and Monero, replacing them with the attacker's addresses. Particularly dangerous is its ability to take screenshots every 10 seconds and execute arbitrary JavaScript scripts. Activity of this worm has been recorded since February, and its main indicator is behavioral anomalies, such as unexpected launches of wscript.exe or connections to localhost:9050.

South Korea Strikes at Money Laundering, and Android Gets a New Enemy

South Korean law enforcement conducted a large-scale operation, detaining 23 suspects linked to laundering cryptocurrency for a Cambodian phishing syndicate. The scheme is impressive in its scale: over 11,300 different accounts were used to move approximately 11.1 million USDT. The network's organizer is still wanted via Interpol, highlighting the global nature of such crimes.

In the world of mobile threats, Zimperium researchers discovered the Rokarolla trojan for Android. Its arsenal includes 137 remote commands. The malware disguises itself as installers for TikTok or Google Chrome, then uses social engineering to gain access to "Accessibility Services." After that, it disables Play Protect, intercepts PIN codes and SMS, and swaps wallet addresses via the clipboard. It can also mimic the Android lock screen to steal passwords and block incoming calls from banks to bypass two-factor authentication. The main advice is to be extremely cautious when granting permissions for "Accessibility Services."

Offline Social Engineering and a Hole in Headphones

The FBI has warned of a new tactic in "pig butchering" schemes: scammers have started using couriers to collect cash from victims whose bank transactions are blocked. After convincing the victim to withdraw money, they send a courier with a password for identification. In 2025, cryptocurrency and investment scams accounted for 49% of all cyber incidents in the US, with losses of $8.6 billion.

Finally, Apple closed a critical vulnerability (CVE-2025-20701) in its Beats Studio Buds wireless headphones. The flaw allowed a hacker within Bluetooth range to connect to the headphones without authorization and use the built-in microphone for eavesdropping, as well as intercept device control. The vulnerability was fixed in firmware version 1B211, but the very existence of such a possibility is a serious wake-up call for all Bluetooth headset users.

Analyst's Opinion: This past week clearly demonstrates that cybercrime in the crypto sphere is becoming increasingly professional and multifaceted. We are seeing not just technical exploits, but complex combinations of social engineering, reputation manipulation, and hardware vulnerabilities. For investors, this means that security is not just about a reliable wallet, but also about total digital hygiene: from verifying software sources to controlling Bluetooth connections.