Crypto news

This week saw several landmark events in the world of cybersecurity, ranging from state-sponsored hacks to attacks on critical infrastructure and sophisticated methods of bypassing AI analysis. Let's break down the key incidents.

Canada: Intelligence services obtain warrant for remote device cleanup for the first time

The Canadian Security Intelligence Service achieved an unprecedented court ruling — permission for remote intervention on infected servers, home routers, and IoT devices. This concerns the fight against botnets that used compromised equipment to disguise traffic as regular users. The hackers' targets were critical infrastructure networks, including the energy sector, as well as government and military agencies.

The Federal Court of Canada declassified the public version of the ruling only in mid-June 2026, although the warrant itself was issued over two years ago. It emphasizes that citizens' personal data was not intercepted. However, a key problem with such attacks is outdated equipment with factory passwords. This was confirmed by XLab specialists, who discovered the AryStinger botnet exploiting outdated D-Link routers of models DIR-850L and DIR-818LW. During the campaign, hackers compromised over 4,000 routers, turning them into proxy servers for relaying malicious traffic and stealing data. About 48% of infections were concentrated in South Korea, China, Sweden, Malaysia, and Singapore.

Gaslight infostealer: Bypassing AI analysis with fake errors

Researchers from SentinelOne discovered new macOS malware named Gaslight. This infostealer, highly likely linked to North Korean hackers, attacks not only users but also AI-based automated code analysis tools. Inside the Gaslight file, a 3.5 KB loader is hidden, containing 38 fabricated system messages. These strings, formatted using Markdown syntax, work as prompt injections for LLM models.

The fake messages mimic developer logs, crash reports, and token expiration warnings. The goal is to make the AI agent doubt the correctness of its session and abort the analysis of the "corrupted" sample. This is an elegant but dangerous method, showing how hackers are beginning to adapt to modern defense tools.

Europol dismantles network distributing Amadey and StealC malware

Europol, together with law enforcement agencies from a dozen countries and Microsoft, conducted a large-scale operation against networks distributing SocGholish, Amadey, and StealC malware. The Amadey trojan was used to gain initial access, after which the StealC infostealer was deployed, specializing in stealing passwords, credit card data, and cryptocurrency wallet seed phrases.

The results are impressive: 326 servers and 142 domains were seized, cryptocurrency assets worth over $47 million were frozen, a database with more than 27 million stolen credentials was confiscated, and about 15,000 WordPress sites used by hackers for covert virus distribution were cleaned. In Hong Kong, police arrested 69 individuals involved in laundering $25.6 million through fake accounts.

Brazil: Hackers breach emergency alert system and send messages about "alien attack"

On the night of June 19-20, 2026, Brazil's national emergency alert system (Defesa Civil Alerta) suffered a cyberattack. Attackers hacked the accounts of Civil Defense employees and gained access to the government's Cell Broadcast distribution mechanism. As a result, residents of several states received 10 high-priority emergency alerts (Alerta Extremo) that bypassed smartphone system restrictions on sound and notifications.

Instead of real disaster warnings, hackers sent messages with incoherent text containing the word "misanthropy," slang, and typos. In some regions, the alerts warned of an alleged "alien attack" that had begun. To stop the spam attack, authorities had to forcibly shut down the alert system servers at 1:30 AM. The platform has been partially restored, but the authority to send alerts has been left only to the National Center for Risk and Disaster Management.

ZachXBT reveals identity of hacker arrested in Poland

European law enforcement, with support from the FBI and the U.S. Department of Homeland Security, arrested four members of a hacker group suspected of SIM-swapping attacks, cryptocurrency theft, and large-scale money laundering. The attackers used social engineering to breach the IT infrastructure of companies collaborating with telecom operators and cloned victims' phone numbers to bypass two-factor authentication.

Stolen funds were laundered through personal bank accounts, international payment platforms, and cryptocurrency wallets. The total amount laundered is estimated at tens of millions of Polish zloty. Official authorities did not disclose the identities of those arrested, but on-chain investigator ZachXBT identified one of them as Wojtek Kulish (known by the nickname Merry), matching designer clothing and jewelry from operational footage.

Analyst's comment: This week demonstrates a worrying trend: hackers are increasingly attacking not only user devices but also state critical infrastructure. The breach of Brazil's emergency alert system is not just a prank but a serious signal of the vulnerability of government systems. At the same time, the rise in attacks on cryptocurrency wallets and the use of sophisticated methods to bypass AI analysis underscores the need for constant updates to both hardware and software. The crypto industry, in turn, must be prepared for new challenges, especially in light of the record number of hacks.