Crypto news

Another week brought us a whole spectrum of incidents—from absurd to truly dangerous. We are witnessing hackers exploiting not only complex technical vulnerabilities but also human trust and outdated infrastructure. Let's break down the key events.

Canada: A Precedent for Remote "Cleanup"

The Canadian intelligence service obtained an unprecedented court order for remote intervention in infected servers and IoT devices within the country. This concerns botnets that used compromised home routers and "smart" gadgets (doorbells, cameras) to disguise traffic as that of ordinary users. The goal was to scan critical infrastructure and government agency networks.

This is the first time intelligence agencies have been allowed to conduct remote "cleaning" of devices. In effect, it is an acknowledgment that individuals and small businesses cannot independently defend against sophisticated botnets exploiting outdated equipment. The order was issued two years ago but only made public now. According to the court, personal data was not intercepted.

D-Link in the Crosshairs: The AryStinger Botnet

My long-standing topic—the vulnerability of legacy equipment. XLab specialists discovered a new botnet, AryStinger, which specifically targets outdated D-Link router models—DIR-850L and DIR-818LW. These devices have long been discontinued, their firmware is not updated, and factory passwords often remain unchanged.

Hackers compromised over 4,000 such routers, turning them into proxy servers. AryStinger does not just relay traffic—it can intercept DNS requests, steal browser session data, and monitor all network traffic. 48% of infections occurred in South Korea, China, Sweden, Malaysia, and Singapore. This is another alarming signal for anyone using old routers: your device is an ideal launchpad for an attack.

macOS Gaslight: AI Analysis Fooled by Fake Errors

Researchers from SentinelOne discovered a new infostealer for macOS called Gaslight, likely linked to North Korean hackers. Its main "trick" is attacking AI-powered automated code analysis tools.

Inside the file is a hidden 3.5 KB loader containing 38 fabricated system messages formatted in Markdown. These "errors"—messages about memory overflow, token expiration, crashes—act as prompt injections for LLMs. The goal is to force the AI agent to abort analysis, truncate the report, or refuse to work altogether, citing non-existent technical issues. This is an elegant way to bypass automated defenses by exploiting the weaknesses of the algorithms themselves.

Europol Strikes Against Amadey and StealC

A joint operation by Europol and law enforcement from a dozen countries led to the dismantling of a network distributing the SocGholish, Amadey, and StealC malware. The results are impressive: 326 servers and 142 domains were seized, and cryptocurrency assets worth over $47 million were frozen. A database with 27 million stolen credentials was confiscated. Approximately 15,000 WordPress sites, which hackers used to covertly distribute the virus disguised as system updates, were cleaned.

The Amadey trojan acted as a loader, after which the StealC infostealer was deployed, specializing in stealing passwords, credit card data, and cryptocurrency wallet seed phrases. In Hong Kong, police arrested 69 members of a financial cell who laundered about $25.6 million through a network of fake accounts. This is a clear example of how cybercrime intertwines with traditional financial fraud.

Brazil: Hackers "Hack" Disaster Alert System

The most absurd, yet no less dangerous, attack of the week occurred in Brazil. On the night of June 19-20, 2026, hackers breached the national emergency alert system, Defesa Civil Alerta. Residents of several states received "warnings" on their smartphones with sirens that could not be turned off—the signal activated even in silent mode.

Instead of real disaster notifications, the attackers sent 10 messages containing the word "misanthropy," slang, and typos. In some regions, the alerts warned of an "alien attack." To stop the attack, authorities had to forcibly shut down the system's servers at 1:30 AM. This shows how vulnerable critical infrastructure is if attackers gain access to employee accounts.

ZachXBT Reveals Identity of Polish Hacker

European law enforcement, with support from the FBI, arrested four members of a hacker group suspected of SIM swapping, cryptocurrency theft, and money laundering. Names have not been officially disclosed, but on-chain investigator ZachXBT identified one of them as Wojtek Kulish (nickname Merry)—a Polish hacker specializing in social engineering. ZachXBT matched designer clothing and jewelry from police operational footage with items Kulish had previously shown on Instagram. A clever move that once again proves that even in cybercrime, one cannot be too public.

My Expert Verdict

This week is a vivid illustration that cybersecurity is no longer just an IT department issue. We see how the vulnerability of old equipment (D-Link routers) and the human factor (compromised employee accounts in Brazil) become entry points for large-scale attacks. The attack on AI tools is a new trend that will only intensify. Hackers are learning to bypass automated defenses by exploiting the weaknesses of the algorithms themselves. I recommend that anyone using outdated routers immediately replace them with modern models running up-to-date firmware. And remember: even the most reliable system can be compromised through human error.