Kraken Extortion, FBI Recovers Deleted Signal Messages, and Other Cybersecurity Headlines
Weekly cybersecurity roundup: Kraken faces extortion after employee compromise, FBI recovers deleted Signal chats via iOS push notifications, $8.3M in hacker crypto assets seized in Ukraine, and new trojans target crypto users.
The past week delivered a string of high-profile cybersecurity incidents affecting the crypto industry — from an extortion campaign targeting a major exchange to the discovery of sophisticated new malware aimed at financial professionals. Here's a breakdown of the key events.
Ukraine Seizes $8.3M in Hacker Crypto Assets
Ukrainian law enforcement arrested a member of an international hacking group responsible for cyberattacks across Europe and the United States. The announcement came from Prosecutor General Ruslan Kravchenko.
The group deployed malicious software to steal confidential information and documents, demanding ransoms from victims. Proceeds were funneled to cryptocurrency wallets, then cashed out and laundered in Ukraine — partly through real estate and luxury asset purchases.
Total damages are estimated at over $100 million. Investigators conducted more than 30 searches and seized assets worth approximately $11.1 million, including residential properties, vehicles, $1 million in cash, and roughly $8.3 million in cryptocurrency. An accomplice responsible for money laundering was also located.
Why This Matters
This week's incidents highlight several critical attack surfaces for the crypto ecosystem. Exchange security, messenger privacy assumptions, and supply-chain attacks through legitimate software all pose direct risks to users and institutions. Each event carries practical takeaways — from verifying software download sources to properly configuring messenger notification settings.
ClipBanker Trojan Swaps Crypto Addresses via Fake Proxifier
Researchers at Kaspersky Lab uncovered a campaign distributing the ClipBanker trojan, which monitors clipboard contents and replaces cryptocurrency wallet addresses with attacker-controlled ones.

The malware masquerades as Proxifier, a legitimate utility used by developers and system administrators to route application traffic through proxy servers. The infected GitHub repository ranked at the top of Google and Yandex search results.
During installation, ClipBanker deploys silently using fileless infection techniques, executing code directly in memory. A scheduled task then triggers a registry-based script that reaches out to GitHub for a payload file, which is injected into fontdrvhost.exe to deliver the final malicious component.
Since early 2025, over 2,000 Kaspersky users have encountered the threat, primarily in India and Vietnam.
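A clipboard hijacker of this kind leaves one reliable observable regardless of how fileless the implant is: the clipboard content itself changes from one wallet address to a different address of the same format without the user copying anything. The following is an added example, not code from Kaspersky's report or from the ClipBanker analysis; it runs the detection heuristic over a constructed sequence of clipboard snapshots. The address patterns are rough syntactic checks, the `user_copy` flag assumes a host monitor that records copy keystrokes, and the sample addresses are test-vector or synthetic values, all of which are assumptions made for this illustration.

```python
"""Detect a clipboard address swap from a sequence of clipboard snapshots.

Added example for illustration; the heuristic, the address patterns and the
sample snapshots are constructed here and are not from the original article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rough syntactic patterns for common wallet address formats. Assumption:
# good enough to say "this string looks like an address of kind X".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address kind a string looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Snapshot:
    ts: float         # seconds since monitor start
    content: str      # clipboard text at that moment
    user_copy: bool   # True if a user copy action coincided with the change
                      # (assumption: the host monitor records copy keystrokes)


@dataclass
class Alert:
    ts: float
    kind: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[Snapshot], max_gap: float = 2.0) -> List[Alert]:
    """Flag a swap when the clipboard changes from one address to a *different*
    address of the same kind, with no user copy action, within max_gap seconds
    of the previous snapshot. Two legitimate copies in a row are not flagged."""
    alerts: List[Alert] = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None and not snap.user_copy:
            before, after = classify(prev.content), classify(snap.content)
            if (before is not None and before == after
                    and prev.content.strip() != snap.content.strip()
                    and snap.ts - prev.ts <= max_gap):
                alerts.append(Alert(snap.ts, before,
                                    prev.content.strip(), snap.content.strip()))
        prev = snap
    return alerts


def sample_snapshots() -> List[Snapshot]:
    """Constructed clipboard history: a swap on an ETH address at t=5.2s,
    then two genuine back-to-back copies of BTC addresses (no alert)."""
    eth_user = "0x" + "ab" * 20        # synthetic address the user copied
    eth_swapped = "0x" + "cd" * 20     # synthetic attacker-controlled address
    btc_a = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"   # BIP-173 test vector
    btc_b = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"   # BIP-173 test vector
    return [
        Snapshot(0.0, "meeting notes for Monday", True),
        Snapshot(5.0, eth_user, True),
        Snapshot(5.2, eth_swapped, False),   # changed with no copy action
        Snapshot(30.0, btc_a, True),
        Snapshot(31.0, btc_b, True),         # user copied a second address
        Snapshot(60.0, "hello", False),      # not an address: ignored
    ]


def run_demo() -> List[Alert]:
    return detect_swaps(sample_snapshots())


if __name__ == "__main__":
    for alert in run_demo():
        print(f"t={alert.ts:.1f}s {alert.kind}: {alert.original} -> {alert.replacement}")
```

On a real host the snapshots would come from polling the clipboard (for example every 100 ms) and the `user_copy` flag from a keyboard or UI hook; the heuristic stays the same. A simpler end-user mitigation that needs no tooling is the one the incident itself suggests: compare the first and last characters of a pasted address with the source before sending.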
Kraken Hit by Extortion After Employee Recruitment by Hackers
Kraken Chief Security Officer Nick Percoco disclosed a series of incidents involving compromised employees that led to extortion attempts against exchange leadership.
"Kraken Security Update — We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It's important to start with the most important points: our systems were never…" — Nick Percoco (@c7five), original post
A criminal group threatened to publish video recordings allegedly showing user data from internal systems. According to Percoco, Kraken's infrastructure was not breached and client funds remained secure. The exposure stemmed from support staff accessing restricted information without authorization.
Affected account holders received notifications — approximately 2,000 accounts in total, representing 0.02% of the exchange's customer base. The investigation revealed that one support employee had been recruited by hackers, with the activity traced back to February 2025. A second similar incident followed. Kraken is cooperating with law enforcement across multiple jurisdictions and has handed over evidence.
FBI Recovers Deleted Signal Messages from iPhone
The FBI successfully extracted Signal messenger conversations despite the messages being deleted and the app removed from an iPhone, according to reporting by 404 Media.
In a court case involving an attack on an ICE facility in Alvarado, Texas, the FBI presented deleted Signal messages from defendant Lynette Sharp's phone as evidence. Federal agents recovered the data through push notifications stored in iOS's internal database.
When Signal settings allow message content to appear in lock screen previews, the text persists in device storage even after the app is uninstalled. Signal offers an option to disable content display in notifications, but Sharp apparently did not enable it.
Telegram co-founder Pavel Durov responded to the news, calling it "yet another proof" that secret chats represent the most secure communication method. Signal representatives initially acknowledged a media inquiry from 404 Media but subsequently stopped responding. Apple declined to comment.
PHANTOMPULSE Trojan Spreads Through Obsidian Note-Taking App
Elastic Security Labs identified a campaign in which attackers weaponize the popular note-taking application Obsidian to deliver a previously unknown trojan called PHANTOMPULSE. The targets are employees at financial and cryptocurrency organizations.

The attack chain works as follows:
- Attackers impersonate venture capital representatives and move conversations to Telegram, where multiple "partners" simulate legitimate business discussions.
- The victim is invited to connect to an Obsidian vault allegedly containing a shared analytics dashboard.
- Malicious code execution leverages community plugins — Shell Commands (to run commands) and Hider (to conceal activity traces in the interface).
- Since third-party plugins are disabled by default, attackers convince the victim to enable them manually. The vault's malicious configuration then automatically executes commands.
On Windows, PHANTOMPULSE is deployed via a script. Its capabilities include using the Ethereum blockchain as a Dead Drop Resolver (DDR) to determine command server addresses by decoding recent transactions from a specific wallet, collecting telemetry, taking screenshots, escalating privileges to SYSTEM level, and covering its tracks. On Apple systems, the trojan launches AppleScript with Telegram serving as the DDR, allowing operators to rotate domains if detected. Researchers note the malware was built with AI assistance.
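Because the attack hinges on the victim enabling community plugins and on a vault configuration that carries commands, a vault received from an outside party can be triaged before it is ever opened in Obsidian. The following is an added example, not Elastic Security Labs' tooling or any PHANTOMPULSE artefact: it reads the vault's plugin configuration, flags watchlisted plugin IDs, and reports any setting string that looks like an OS command. The on-disk layout it assumes (`.obsidian/community-plugins.json` holding the enabled plugin IDs and `.obsidian/plugins/<id>/data.json` holding each plugin's settings) is Obsidian's documented vault structure; the plugin IDs in the watchlist, the command-like patterns, and the sample vault built by `build_sample_vault()` are assumptions constructed for the example.

```python
"""Triage an Obsidian vault's plugin configuration before opening it.

Added example; not Elastic's code. Assumed layout:
  <vault>/.obsidian/community-plugins.json  -> JSON list of enabled plugin IDs
  <vault>/.obsidian/plugins/<id>/data.json  -> that plugin's settings
WATCHLIST IDs and the sample vault are constructed for this illustration.
"""
import json
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

# Plugin IDs worth a second look (assumed IDs for the plugins named in the article).
WATCHLIST = {
    "obsidian-shellcommands": "can run arbitrary OS commands from vault settings",
    "obsidian-hider": "hides UI elements, useful for concealing activity",
}

# Tokens that suggest a setting carries a command rather than a note path.
SUSPICIOUS = re.compile(
    r"(powershell|cmd\.exe|/bin/(ba)?sh|osascript|curl |wget |Invoke-|"
    r"-EncodedCommand|\bsh -c\b|bitsadmin|certutil)",
    re.IGNORECASE,
)


def _walk_strings(obj, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a JSON structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk_strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_vault(vault: str) -> List[Dict[str, str]]:
    """Return findings for watchlisted plugins and command-like settings."""
    cfg = os.path.join(vault, ".obsidian")
    findings: List[Dict[str, str]] = []
    try:
        with open(os.path.join(cfg, "community-plugins.json"), encoding="utf-8") as f:
            enabled = json.load(f)
    except FileNotFoundError:
        return findings  # no community plugins enabled: nothing to triage
    for pid in enabled:
        if pid in WATCHLIST:
            findings.append({"plugin": pid, "issue": "watchlisted", "detail": WATCHLIST[pid]})
        data_path = os.path.join(cfg, "plugins", pid, "data.json")
        if not os.path.isfile(data_path):
            continue
        with open(data_path, encoding="utf-8") as f:
            try:
                settings = json.load(f)
            except json.JSONDecodeError:
                findings.append({"plugin": pid, "issue": "unparseable data.json", "detail": data_path})
                continue
        for jpath, text in _walk_strings(settings):
            if SUSPICIOUS.search(text):
                findings.append({"plugin": pid, "issue": "command-like setting",
                                 "detail": f"{jpath}: {text[:120]}"})
    return findings


def build_sample_vault() -> str:
    """Constructed vault mimicking the lure: a benign plugin plus the two
    watchlisted ones. The shell-commands settings schema here is invented
    for the example, not the real plugin's format."""
    root = tempfile.mkdtemp(prefix="vault-")
    cfg = os.path.join(root, ".obsidian")
    for pid in ("calendar", "obsidian-shellcommands", "obsidian-hider"):
        os.makedirs(os.path.join(cfg, "plugins", pid))
    with open(os.path.join(cfg, "community-plugins.json"), "w", encoding="utf-8") as f:
        json.dump(["calendar", "obsidian-shellcommands", "obsidian-hider"], f)
    with open(os.path.join(cfg, "plugins", "calendar", "data.json"), "w", encoding="utf-8") as f:
        json.dump({"weekStart": "monday"}, f)
    with open(os.path.join(cfg, "plugins", "obsidian-shellcommands", "data.json"), "w",
              encoding="utf-8") as f:
        json.dump({"shell_commands": [
            {"command": "powershell -w hidden -EncodedCommand PLACEHOLDER", "run_on_startup": True}
        ]}, f)
    return root


if __name__ == "__main__":
    for finding in scan_vault(build_sample_vault()):
        print(f"[{finding['issue']}] {finding['plugin']}: {finding['detail']}")
```

The scanner deliberately does not depend on the Shell Commands plugin's exact settings schema: it walks every string in every enabled plugin's `data.json`, so a command hidden under an unexpected key is still surfaced. In an organisation where Obsidian is in use, the same logic can run as a periodic check over user vaults, with any watchlisted plugin or command-like setting routed to the SOC.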
Frequently Asked Questions
Was Kraken exchange hacked?
No, according to Kraken CSO Nick Percoco, the exchange's infrastructure was not breached and customer funds remained safe. The incident resulted from support staff being recruited by hackers and accessing restricted information without authorization.
How did the FBI recover deleted Signal messages?
The FBI extracted the messages through push notifications stored in iOS's internal database. When Signal settings allow message content to appear in lock screen previews, the text persists in device storage even after the app is completely uninstalled.
What is the ClipBanker trojan and how does it work?
ClipBanker is malware that monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses. It disguises itself as the legitimate Proxifier utility and uses fileless infection techniques, operating entirely in memory.
How does PHANTOMPULSE trojan use Obsidian to attack crypto workers?
Attackers pose as venture capital representatives and convince victims to connect to an Obsidian vault. They exploit community plugins Shell Commands and Hider to execute malicious code. The trojan uses the Ethereum blockchain as a Dead Drop Resolver to determine its command server address.
How much crypto was seized from hackers in Ukraine?
Ukrainian authorities seized approximately $8.3 million in cryptocurrency as part of the investigation. Total seized assets amounted to about $11.1 million, including real estate, vehicles, and $1 million in cash. The group's overall damage is estimated at over $100 million.