Cybersecurity of the week: Brazilians received an "alarm signal" from aliens, botnets on old D-Link devices, and other trends
The week was eventful: from hacker attacks on government systems to sophisticated methods of bypassing AI analysis. Let's break down the key events.
Brazilian "Panic": Hackers Breach Alert System
Brazil's National Emergency Alert System, Defesa Civil Alerta, suffered a brazen cyberattack. On the night of June 20, 2026, residents of several states received high-priority messages that bypassed silent mode on smartphones. Instead of natural disaster warnings, they contained incoherent text, slang, and even messages about an "alien attack." The attack was likely carried out through compromised Civil Defense employee accounts. Authorities had to shut down servers at 1:30 AM to stop the spam. This is a serious wake-up call: critical infrastructure, especially alert systems, must be protected much better.
Canadian Precedent: Intelligence Services Clean Citizens' Devices
Canada's intelligence service obtained an unprecedented court order for remote intervention on infected devices, from home routers to IoT equipment. Botnets, masquerading as regular users, were scanning critical infrastructure networks. Outdated devices pose a particular threat, confirmed by the new AryStinger botnet. It compromised over 4,000 D-Link routers of models DIR-850L and DIR-818LW, turning them into proxy servers. About 48% of infections were in South Korea, China, and Sweden. This case is a clear example of how legacy equipment becomes a Trojan horse for entire nations.
Gaslight: macOS Infostealer Deceiving AI
Researchers at SentinelOne discovered the Gaslight malware, which specifically targets AI analysis tools. Hidden inside the file is a loader with 38 fake system messages formatted in Markdown. These strings act as prompt injections for LLM models, simulating errors and crashes. The goal is to trick the AI agent into aborting analysis, deeming the sample "corrupted." This is an elegant but dangerous method of bypassing automated defenses. It is likely the work of North Korean hackers.
Europol Strikes: Dismantling the Amadey, StealC, and SocGholish Network
A joint operation by Europol and law enforcement from a dozen countries led to the seizure of 326 servers and 142 domains. Cryptocurrency assets worth over $47 million were frozen, and a database with 27 million stolen credentials was confiscated. Of particular interest is the cleanup of about 15,000 WordPress sites used for the covert distribution of the SocGholish malware. In Hong Kong, 69 people were arrested for laundering $25.6 million through fake accounts—the financial link of the syndicate.
Hacker Identification: ZachXBT vs. Merry
Polish law enforcement, with FBI support, arrested four members of a group specializing in SIM swapping and cryptocurrency theft. The hackers cloned phone numbers, bypassing 2FA, and laundered funds through a complex network of accounts. On-chain investigator ZachXBT identified one of them as Wojtek Kulish (nickname Merry) by matching designer items in a search video with his Instagram. This demonstrates how powerful a tool OSINT can be in the hands of professionals.
My Take: This week clearly showed that cyber threats are becoming increasingly sophisticated—from social engineering to attacks on AI. For cryptocurrency investors, this is a direct signal: two-factor authentication via SMS is no longer reliable protection. Use hardware keys, update router firmware, and do not ignore end-of-life notifications for devices. In a world where hackers can "shut down" an entire country's alert system, your personal security starts with basic hygiene.