Prank Trojan CrystalX in Russia, $53M Uranium Finance Hack Charges, and European Commission Data Breach: Cybersecurity Roundup

This week's cybersecurity highlights include a Russian trojan that mocks its victims while stealing crypto, charges against the Uranium Finance hacker, and a massive European Commission data breach by ShinyHunters.

CoinJP Editorial

A series of notable cybersecurity incidents with direct implications for the crypto industry emerged this past week. A bizarre new trojan discovered in Russia combines crypto theft with real-time pranking of victims. US prosecutors charged a hacker with stealing $53 million from DEX Uranium Finance. An updated seed phrase stealer infiltrated Apple and Android app stores. The European Commission confirmed a major data breach attributed to the ShinyHunters group.

CrystalX: The Trojan That Steals Crypto and Trolls Victims

Kaspersky Lab researchers identified an active campaign distributing a new trojan called CrystalX across Russia. The malware is promoted through a Crime-as-a-Service (CaaS) model via advertisements on Telegram and YouTube.

CrystalX functions as both spyware and a stealer, capable of:

  • Harvesting browser credentials and account data from Steam, Discord, and Telegram;
  • Silently swapping cryptocurrency wallet addresses in the clipboard;
  • Secretly recording audio and video from the screen and webcam.

What sets CrystalX apart is its built-in "prank" functionality. The control panel features a dedicated "Rofl" section with commands for changing the desktop wallpaper, rotating the screen by 90°–270°, swapping left and right mouse buttons, forcing an OS shutdown, disabling the monitor, making the cursor jitter, hiding desktop icons, and disabling the taskbar, task manager, and cmd.exe. The attacker can even open a two-way chat dialog with the victim.

CrystalX trojan control panel. Source: Kaspersky Lab

Leonid Bezvershenk, a senior expert at Kaspersky GReAT, noted that the virus is being actively developed and maintained by its creators. He expects the number of victims to grow as the attack geography expands. Security experts recommend downloading applications exclusively from official stores, using reliable antivirus software, and enabling file extension display in Windows to avoid accidentally launching dangerous .EXE, .VBS, and .SCR files.

MaskGram Stealer Hides C2 Server Addresses in Spotify and Chess.com Profiles

The Solar 4RAYS research team discovered that operators of the MaskGram stealer are embedding command-and-control server addresses within user profiles on Spotify and Chess.com. This technique, known as Dead Drop Resolver (DDR), allows infected machines to contact legitimate services rather than suspicious IP addresses, effectively disguising malicious traffic as normal user activity.

The about field in a Chess.com profile used to store the C2 server address. Source: Solar 4RAYS

MaskGram targets credentials and cryptocurrency. It collects system data, takes screenshots, and extracts information from Chromium browsers, crypto wallets, email clients, messengers, and VPN applications. The malware is distributed through social engineering — disguised as cracked versions of tools like Netflix Hunter Combo Tool, Steam Combo Extractor, and Deezer Checker.

In March, researchers at Aikido documented a similar DDR technique being used by the GlassWorm stealer through crypto transactions on the Solana blockchain.

Uranium Finance Hacker Charged with $53M Theft

US prosecutors charged Jonathan Spallette (alias Cthulhon) with stealing over $53 million from decentralized exchange Uranium Finance and laundering the proceeds. The breach of the BNB Chain-based DEX occurred in April 2021 and ultimately forced the platform to shut down.

During a February 2025 search of the suspect's home, law enforcement seized valuable items and recovered access to approximately $31 million in cryptocurrency. According to investigators, Spallette laundered stolen assets through DEXs and the Tornado Cash mixer.

A portion of the stolen funds was spent on collectibles:

  • A Magic: The Gathering "Black Lotus" card — approximately $500,000;
  • 18 sealed Alpha Edition Magic: The Gathering boosters — approximately $1.5 million;
  • A complete first-edition Pokémon base set — approximately $750,000;
  • An ancient Roman coin minted to commemorate the assassination of Julius Caesar — over $601,000.

Spallette faces up to 10 years in prison for computer fraud and up to 20 years for money laundering.

Updated SparkCat Stealer Targets Seed Phrases on iOS and Android

Kaspersky Lab identified a new version of the SparkCat malware that infiltrated both the Apple App Store and Google Play. As reported by The Hacker News, the stealer disguises itself as innocuous applications such as corporate messengers and food delivery services, covertly scanning victims' photo galleries for crypto wallet seed phrases.

Analysts examined two infected apps on the App Store and one on Google Play. The iOS variant scans for mnemonic phrases in English, making it potentially dangerous for users worldwide. The Android version uses multiple layers of code obfuscation, code virtualization, and cross-platform programming languages to evade analysis. It searches for keywords in Japanese, Korean, and Chinese, confirming its focus on Asian markets.

Researchers believe the operation is run by a Chinese- or Russian-speaking operator with advanced technical capabilities.

Why This Matters

This week's events underscore the growing sophistication of attacks targeting crypto holders. Threat actors are deploying increasingly creative methods — from hiding C2 infrastructure in legitimate platforms like Spotify and Chess.com to infiltrating official Apple and Google app stores. Clipboard hijacking to swap crypto addresses remains one of the most effective theft vectors, as users rarely double-check destination addresses before confirming transactions. The CrystalX trojan's CaaS distribution model also signals a trend toward commoditization of crypto-targeting malware.
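The clipboard address swap described above leaves a recognisable trace on the endpoint: one wallet address is replaced in the clipboard by a different address of the same format within a fraction of a second, with no user action in between. The following detector is an added example (not Kaspersky's code or CrystalX analysis); it runs over constructed clipboard snapshots, and the address patterns and the two-second window are assumptions that a real deployment would tune.

```python
import re
from dataclasses import dataclass

# Simplified address formats (assumption: EVM-style hex and legacy/bech32 BTC).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
}

def classify(text: str):
    """Return the address family of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class Alert:
    ts: float
    kind: str
    original: str
    replaced: str

def detect_clipboard_swaps(events, window_s=2.0):
    """events: (timestamp_seconds, clipboard_text) snapshots in time order.
    Flags a change where one address is replaced by a different address of the
    same family within window_s seconds, the behaviour of a clipper; an address
    copied by the user minutes later is not flagged."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in events:
        if prev_text is not None:
            old_kind, new_kind = classify(prev_text), classify(text)
            if (old_kind and old_kind == new_kind
                    and prev_text.strip() != text.strip()
                    and ts - prev_ts <= window_s):
                alerts.append(Alert(ts, old_kind, prev_text.strip(), text.strip()))
        prev_ts, prev_text = ts, text
    return alerts

# Constructed sample: the user copies their own ETH address at t=10.0 and the
# clipboard content changes to a different ETH address 300 ms later.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a" * 40),
    (10.3, "0x" + "b" * 40),
    (30.0, "bc1q" + "q" * 38),
    (45.0, "bc1q" + "p" * 38),  # a second BTC address 15 s later: normal use
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={a.ts}: {a.kind} address {a.original} replaced by {a.replaced}")
```

On a real machine the snapshots would come from a clipboard monitor; the heuristic complements, rather than replaces, the user habit of comparing the pasted address with the intended one before confirming.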

European Commission Confirms Data Breach by ShinyHunters

The European Commission confirmed a data breach following a cyberattack on its Europa.eu web platform. The ShinyHunters extortion group claimed responsibility. The Commission stated that the incident was contained and did not disrupt portal operations.

ShinyHunters darknet post about the European Commission data breach. Source: BleepingComputer

The attackers told BleepingComputer they had exfiltrated more than 350 GB of information, including multiple databases. On their darknet leak site, the group claimed to have stolen over 90 GB of files: email server dumps, databases, confidential documents and contracts, and other sensitive materials. While the hackers did not disclose how they compromised the AWS accounts, they provided screenshots confirming access to credentials of several EC employees.


Frequently Asked Questions

What is the CrystalX trojan and how does it steal cryptocurrency?

CrystalX is a trojan distributed in Russia via Telegram and YouTube ads using a Crime-as-a-Service model. It steals browser credentials, replaces crypto wallet addresses in the clipboard, and records audio/video. It also features unique 'prank' commands that let attackers mock victims in real time.

How does MaskGram stealer hide its command-and-control servers?

MaskGram uses a technique called Dead Drop Resolver (DDR), embedding C2 server addresses in user profiles on legitimate platforms like Spotify and Chess.com. Infected machines contact these services instead of suspicious IPs, making malicious traffic appear as normal browsing activity.

Who hacked Uranium Finance and how much was stolen?

Jonathan Spallette, known as Cthulhon, has been charged with stealing over $53 million from BNB Chain-based DEX Uranium Finance in April 2021. Law enforcement recovered approximately $31 million in cryptocurrency during a February 2025 search. He faces up to 20 years in prison for money laundering.

How does SparkCat steal crypto seed phrases from phones?

SparkCat disguises itself as legitimate apps like corporate messengers and food delivery services in both Apple App Store and Google Play. It silently scans victims' photo galleries searching for screenshots or images containing crypto wallet mnemonic phrases.

What data did ShinyHunters steal from the European Commission?

ShinyHunters claimed to have exfiltrated over 350 GB of information from the Europa.eu platform, including database dumps, email server dumps, confidential documents, and contracts. The European Commission confirmed the breach but stated the incident was contained.
