Thai Crypto Billionaire Flees to UAE, Fake FBI Tokens Emerge: Weekly Cybersecurity Roundup

1000X Founder Wanted for $42M Crypto Fraud

Thai law enforcement is hunting for billionaire and crypto industry pioneer Worawat Narknawdee. According to Thai PBS, the investigation was launched after users of the 1000X crypto platform filed complaints with police. Total damages are estimated at approximately 1.39 billion baht (roughly $42 million).

Back in March 2023, the SEC filed a complaint with the Cybercrime Investigation Bureau, accusing Narknawdee of operating 1000X without a license. Before entering the crypto space, he was the lead vocalist of rock band DoubleDeep, whose members were actively involved in investing. Narknawdee later founded the Traderist community, offering free crypto education to the public. Reports indicate he accumulated around 11,000 BTC through investments since 2012, and his company ACET was considered one of the fastest-growing in the industry.

However, data from the Department of Business Development painted a different picture. According to Creden Data, Narknawdee owns two companies: Bitnance Company (losses of approximately 30 million baht) and Great Begins Company (debt of around 5.8 million baht). Police say the billionaire has fled to the UAE, where he holds real estate, a hotel business, and other assets.

Why This Matters

The 1000X case underscores persistent risks associated with unlicensed crypto platforms. Even a high-profile public persona and media presence offer no guarantee of legitimacy. This week's incidents also highlight the growing sophistication of crypto scammers — from phishing through compromised official retail email systems to fabricating tokens that impersonate government agencies.

Crypto Pyramid Co-Founder Arrested in Kyiv

Ukrainian Cyber Police announced the arrest of a co-founder of a fraudulent scheme disguised as crypto investments. According to investigators, since 2022 a group of scammers had operated a network of financial pyramids across Ukraine. They offered citizens the chance to invest in a proprietary token, promising steady returns that were actually funded entirely by incoming deposits from new participants. Payouts followed a pyramid or binary commission structure.

The founder and his wife promoted the project through Instagram, enlisting bloggers for additional reach. Total damages amounted to approximately $1 million. Law enforcement conducted searches in the Khmelnytskyi, Odesa, Chernihiv, and Poltava regions, seizing computer equipment, notes, and a vehicle. One suspect has been formally charged with fraud, carrying a penalty of up to eight years in prison.

FBI Seizes Iranian Hacker Group Handala's Websites

The FBI has seized two websites belonging to the Iran-linked hacktivist group Handala, following a devastating cyberattack on medical technology giant Stryker. BleepingComputer reported the takedown, noting that while no official FBI statement was issued, the domains' DNS servers were redirected to those typically used by the agency during seizures.

Handala (also known as Handala Hack Team, Hatef, or Hamsa) has been active since December 2023 and is believed to be associated with Iran's Ministry of Intelligence and Security. The group has participated in attacks on Israeli organizations using data-wiping malware targeting Windows and Linux devices.

The website seizures followed Handala's massive March 11, 2026 cyberattack on Stryker. The hackers compromised a Windows domain administrator account and factory-reset approximately 80,000 devices, including employees' personal computers and mobile phones. The attackers claimed to have exfiltrated 50 terabytes of data before the wipe. In response, CISA urged American organizations to follow Microsoft's updated security hardening guidelines.

Nordstrom Customers Targeted by Crypto Scam

Customers of upscale U.S. department store chain Nordstrom received fraudulent messages promising to double their crypto wallet balances. BleepingComputer reported that the emails urged recipients to send cryptocurrency to a specified Bitcoin address, imposing a two-hour deadline to create urgency.

Notably, the messages originated from Nordstrom's official marketing email source, suggesting a security breach within the company's systems. Some recipients noted the email arrived at an address that had never been publicly shared or appeared in known data leaks. By March 18, scammers had collected over $5,600 in cryptocurrency. Blockchain explorer data showed the wallet held just 0.00001386 BTC as of March 20.

Fake TRC-20 Tokens Sent Under FBI's Name

On March 19, the FBI issued a warning about a phishing campaign in which scammers distributed fraudulent TRC-20 tokens labeled as "FBI tokens" to crypto wallets.

"FBI New York encourages users of the Tron blockchain network to exercise caution if they encounter a token purported to be from the FBI. If you receive a token from an account with the details below, do not provide any identifying information to any website associated with such…" — FBI New York (@NewYorkFBI), original post

After receiving the tokens, victims were sent threatening messages claiming they were suspected of money laundering and that their assets would be frozen. To "prevent the freeze," targets were directed to a third-party website to complete an AML procedure and disclose personal information. The total number of victims is still being determined.

Other Notable Incidents This Week

• Average crypto hack losses have reached $25 million.
• Hype around OpenClaw triggered a wave of phishing attacks on crypto wallets.
• The Lazarus Group is suspected of attacking crypto gift card service Bitrefill.
• Venus Protocol lost $2 million due to manipulation involving the THE token.