Cyber Chaos of the Week: From an "alien invasion" in Brazil to a botnet on ancient D-Link devices and the arrest of a crypto hacker
The week was rich in cybersecurity events: from bizarre attacks on government systems to serious threats to the cryptocurrency sector. I analyzed the key incidents to give you a complete picture of what's happening.
Chaos in Brazil: Hackers Triggered an "Invasion" Siren
Brazil's national emergency alert system, Defesa Civil Alerta, suffered a brazen attack on the night of June 20. The attackers, having hacked employee accounts, sent high-priority messages to residents of several states. Smartphone sirens went off even in silent mode. Instead of flood or landslide warnings, citizens received incoherent text with the word "misanthropy" and typos, and in some regions, even messages about an "alien attack." To stop the chaos, authorities had to forcibly shut down servers at 1:30 AM. This incident is a stark example of how vulnerable critical infrastructure can be if access to it is insufficiently protected.
Canada Applies "Remote Cleaning" of Devices for the First Time
The Canadian intelligence service received an unprecedented court order for remote intervention in the operation of infected citizen devices. The target was botnets using home routers and IoT gadgets to mask attacks on the country's critical infrastructure. This operation highlighted the problem of outdated equipment: hackers actively exploit devices with factory passwords and discontinued support. Specifically, the XLab team discovered the AryStinger botnet, which hacked over 4,000 outdated D-Link routers (models DIR-850L and DIR-818LW), turning them into proxy servers for traffic theft and DNS request interception. 48% of infections occurred in South Korea, China, Sweden, Malaysia, and Singapore. This is a clear illustration that even a "smart" doorbell can become part of a global cyber threat.
macOS Infostealer Gaslight: Deceiving AI to Stay Undetected
Researchers from SentinelOne discovered a new malware for macOS — Gaslight. Its main "feature" is an attack on AI-based automated code analysis tools. Inside the file, a loader is hidden containing 38 fabricated error messages formatted in Markdown. These strings work as prompt injections for large language models. The goal is to make the AI agent believe the sample is "broken" or damaged and abort the analysis. This is a new level of malware evolution, targeting the weaknesses of modern cybersecurity systems.
Europol Strikes at the Amadey and StealC Network
A coordinated operation by Europol and law enforcement from a dozen countries led to the dismantling of a network distributing the SocGholish, Amadey, and StealC malware. The Amadey trojan was used for initial access, after which the StealC infostealer was deployed, specializing in stealing passwords, card data, and, crucially for us, cryptocurrency wallet seed phrases. The results are impressive: 326 servers were seized, cryptocurrency assets worth over $47 million were frozen, and a database with 27 million stolen credentials was confiscated. Notably, about 15,000 WordPress sites were cleaned, which hackers had used to covertly distribute viruses disguised as updates.
Arrest in Poland: ZachXBT Reveals Hacker's Identity
Polish police, with support from the FBI, arrested four members of a group involved in SIM swapping, cryptocurrency theft, and money laundering. The hackers cloned phone numbers, bypassing 2FA, and withdrew funds from exchanges. The amount of laundered money is estimated at tens of millions of zlotys. Authorities did not disclose names, but on-chain analyst ZachXBT identified one of the detainees as Wojtek Kulish (known as Merry), matching his clothing and jewelry with police operational video. This case is further proof that anonymity online is an illusion, and even a carefully concealed identity can be exposed.
My Comment: This week showed that cybercriminals are becoming increasingly inventive, attacking not only users but also the protection tools themselves. For the crypto community, the key takeaway is the need to use hardware wallets and increased vigilance when dealing with any updates and notifications. The vulnerability of old D-Link routers and attacks on emergency alert systems are just the tip of the iceberg. Security starts with basic principles: update firmware, use strong passwords, and never trust unverified sources.