Invisible substitution of Bitcoin addresses, leak at an adult toy manufacturer, and other cybersecurity events - ForkLog: cryptocurrencies, AI, singularity, the future

Invisible Bitcoin address substitution, leak at an adult toy manufacturer, and other cybersecurity events

We have compiled the most important cybersecurity news of the week.

  • Hackers devised a scheme for unnoticed Bitcoin address substitution.
  • A new Android trojan disguised as IPTV apps.
  • Trezor and Ledger users received phishing paper letters.
  • An investigator exposed major companies tracking Chrome users through extensions.

Hackers devised a scheme for unnoticed Bitcoin address substitution

Malicious actors began covertly replacing Bitcoin addresses under the pretext of profitable cryptocurrency arbitrage deals. The scheme was discovered by BleepingComputer experts.

The campaign is based on promises of huge profits from a supposed “vulnerability for arbitrage” on the Swapzone cryptocurrency exchange platform. In reality, hackers deploy malicious code that modifies the swap process directly in the victim’s browser.

Typically, ClickFix-style attacks target the operating system: users are tricked into running commands in PowerShell to “fix Windows errors,” which leads to the installation of an infostealer or ransomware. In this case, the target was a specific browser session.

According to media reports, this is one of the first recorded cases of using ClickFix mechanics to manipulate web pages for direct cryptocurrency theft.

To promote the scam, hackers leave comments on various posts on the popular text-sharing service Pastebin.

Source: BleepingComputer.

They promote a “leak of hacking documentation,” which allegedly allows earning $13,000 in two days, and attach a link to the resource. The “guide,” hosted in Google Docs, describes a scheme for inflating exchange amounts in certain BTC pairs.

BleepingComputer observations showed that the document is constantly viewed by 1 to 5 people simultaneously, confirming active scheme operation.

Source: BleepingComputer.

The fake guide instructs users to:

  1. Visit Swapzone.
  2. Copy JavaScript code from an external source.
  3. Return to the Swapzone tab, type javascript:, paste the copied code, and press Enter.

This method abuses the browser’s support for javascript: URLs, which run code in the context of the currently open site; the guide has the victim type the javascript: prefix by hand because browsers strip it from text pasted into the address bar precisely to hinder this trick. Analysis revealed that the primary script loads a second, heavily obfuscated payload, which injects itself into the Swapzone page and replaces the legitimate Next.js scripts responsible for transactions:

  • Address substitution. The malicious script contains a list of hackers’ Bitcoin addresses. It inserts one of them instead of the real deposit address generated by the exchange.
  • Visual deception. The code alters displayed exchange rates and payout amounts to create the impression that the “arbitrage scheme” is working.
  • Result. The victim sees the legitimate service interface but sends funds to the hacker’s Bitcoin wallet.

New Android trojan disguised as IPTV apps

A new Android malware masquerades as IPTV streaming apps to steal digital identities and access victims’ bank accounts, cybersecurity firm ThreatFabric reports.

The Massiv malware uses overlay windows and keystroke logging to collect confidential data. It can also establish full remote control over infected devices.

During its campaign, Massiv targeted a Portuguese government app related to Chave Móvel Digital — a national digital authentication and signature system. Data stored in such services can be used to bypass KYC procedures and to access bank accounts and other government and private online services.

ThreatFabric reports cases of bank account and service creation in victims’ names without their knowledge.

Massiv offers operators two remote control modes:

  • Screen streaming — uses Android MediaProjection API to broadcast the screen in real-time.
  • UI-tree mode — extracts structured data via Accessibility Service.

Source: ThreatFabric.

The second mode lets attackers see on-screen text, interface element names, and their coordinates, which enables pressing buttons and editing text fields on the user’s behalf. More importantly, it can bypass the screenshot protections often built into banking and financial apps.

Researchers noted a trend: over the past eight months, IPTV apps have increasingly been used as “lures” to infect Android devices.

Source: ThreatFabric.

Such apps often violate copyright law and are not available on Google Play; users typically download them as APK files from unofficial sources and install them manually.

According to the report, the campaign targets residents of Spain, Portugal, France, and Turkey.

Trezor and Ledger users received phishing paper letters

Users of Trezor and Ledger have been receiving physical letters by post, sent by attackers posing as the hardware wallet manufacturers.

Cybersecurity expert Dmitry Smilyanets reports that the letter he received looked like an official notice from Trezor’s security department.

On branded letterhead, the recipient was asked to complete a “mandatory” procedure: scan a QR code and verify on a dedicated website by a certain date. Failure to do so, the letter warned, would lead to wallet functions being revoked.

Replies to the post revealed other cases of phishing letters purportedly from Ledger representatives. Both letters created a sense of urgency, pushing victims to act immediately.

at least they could have worked on a better phishing page 😭😭

even plaintext seed words sent to telegram api…

trezor.authentication-check[.]io/black/ pic.twitter.com/fa85203awR

— Who said what? (@g0njxa) February 12, 2026

QR codes in the letters directed to malicious sites mimicking official Trezor and Ledger setup pages. At the final stage, users were forced to enter their seed phrase to “confirm ownership of the device.”

Investigator exposed major companies tracking Chrome users via extensions

A researcher known as Q Continuum discovered 287 Chrome extensions transmitting users’ full browsing history to third-party companies. Their combined install count exceeded 37.4 million.

Using an automated testing system, the researcher checked 32,000 extensions from the Chrome Web Store. More than 30 companies were found to be collecting data.

The analyst believes that extensions offering useful tools often request access to browsing history without justification. Some encrypt the collected data, further complicating detection.

According to the expert, part of this data collection is documented in the extensions’ privacy policies; however, many users do not read them closely.

The researcher identified data collection by Similarweb, Semrush, Alibaba Group, ByteDance, and affiliated entity Big Star Labs.

Suspicious extensions include theme customizer Stylish, ad blockers Stands AdBlocker and Poper Blocker, as well as Similarweb’s own extension (SimilarWeb: Website Traffic & SEO Checker).

Source: GitHub user Q Continuum.

About 20 million of the 37.4 million installs could not be linked to specific data recipients.

Similarweb’s privacy policy documents data collection. The company claims to anonymize data on the client side, but also states that “some of this data may include personal and confidential information depending on search queries and viewed content.”

Data leak at a popular adult toy manufacturer

Japanese company Tenga notified customers of a data breach, TechCrunch reports.

According to the statement, “an unauthorized person gained access to the email of one of our employees,” which allowed the hacker to view incoming messages. This potentially exposed customer names, email addresses, and correspondence history, which “could include order details or support requests.”

The hacker also sent spam messages to contacts of the compromised employee, including Tenga customers.

After the news broke, a Tenga spokesperson told TechCrunch that technical analysis indicated the leak affected “about 600 people” in the US.

Tenga is a global supplier of adult products. Given the nature of the products, order details and support requests likely contain personal information many customers would prefer to keep private.

The company took several protective measures:

  • Resetting the compromised employee’s credentials;
  • Implementing multi-factor authentication across all systems — a basic security feature that prevents account access even with stolen passwords.

The spokesperson declined to specify whether two-factor authentication was enabled on the email account before the breach.

In Africa, 651 suspects arrested during cybercrime operation

African law enforcement agencies arrested 651 suspects and seized over $4.3 million during a joint operation against investment fraud, Interpol reports.

The operation, named Red Card 2.0, targeted cybercriminal groups responsible for over $45 million in losses. Authorities across 16 countries seized 2,341 devices and blocked 1,442 malicious websites, domains, and servers.

Key country results:

  • Nigeria. Police dismantled an investment scam network that recruited young people for phishing, personal data theft, and fake investment schemes. Over 1,000 fraudulent social media accounts were taken down. Six members of a gang that used stolen employee credentials to break into a major telecom provider were also arrested;
  • Kenya. 27 suspects detained during investigations into groups luring victims into fake investment projects via social media and messaging apps;
  • Côte d’Ivoire. 58 arrests in efforts against mobile microloan apps that used hidden fees and illegal debt collection methods.

Also on ForkLog:

  • OpenAI released a benchmark for evaluating AI agents’ ability to hack smart contracts.
  • Vibe coding via Claude Opus led to a DeFi project Moonwell being hacked.
  • Figure admitted to a data leak involving customer personal information.
  • South Korean police lost 22 BTC from a cold wallet.

Weekend reading?

In the novel “Blindsight,” Canadian biologist and writer Peter Watts proposed a radical hypothesis: consciousness may be unnecessary for effective intelligence. Nearly 20 years after its publication, this thesis accurately describes generative AI.

ForkLog’s new material explores the mistakes we make when humanizing algorithms.
