Theft of $282 million from a crypto investor, escape from scam camps in Cambodia, and other cybersecurity events - ForkLog: cryptocurrencies, AI, singularity, the future
# Theft of $282 million from a crypto investor, escape from scam camps in Cambodia, and other cybersecurity events
We have compiled the most important cybersecurity news of the week.
A user lost $282 million in cryptocurrency due to fake tech support.
LastPass password manager users were targeted by phishers.
Thousands of people left scam camps in Cambodia.
Law enforcement uncovered the leader of a ransomware group.
## User lost $282 million in cryptocurrency due to fake tech support
On January 10, 2026, one of the largest social engineering attacks was recorded: the victim lost over $282M worth of LTC & BTC. Onchain investigator ZachXBT brought this to attention.
On January 10, 2026, around 11 pm UTC, a victim lost $282M+ worth of LTC & BTC due to a hardware wallet social engineering scam.
The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges, causing the XMR price to sharply increase.
BTC was also…
— ZachXBT (@zachxbt) January 16, 2026
The user handed over the seed phrase from their hardware wallet to a scammer pretending to be a Trezor support staff member. After gaining access, the hacker withdrew 2,050,000 LTC and 1,459 BTC.
The attacker used the decentralized protocol THORChain to convert assets into Monero, leading to a local pump. ZeroShadow experts managed to quickly trace the transaction chain and freeze about )000.
## LastPass password manager users targeted by phishers
On January 20, LastPass developers warned users about a new phishing campaign disguised as technical maintenance notifications.
Hackers are sending emails urging recipients to urgently back up their password vaults within 24 hours. The notification contains a link supposedly leading to a page for creating an encrypted backup, but clicking the “Create Backup Now” button redirects users to a phishing site.
Thus, attackers attempt to steal victims’ master passwords. Experts believe the malicious campaign started on January 19.
## Thousands of people left scam camps in Cambodia
Over the past week, thousands of people—including victims of human traffickers—left scam centers in Cambodia amid authorities’ crackdown on crime. BBC reports.
Phnom Penh has begun a new wave of enforcement against scam camps—large complexes where hundreds of people participate in fraudulent schemes, stealing billions of dollars from victims worldwide.
According to experts, many people are lured to these places by deception, but some work there voluntarily.
On January 15, Khuang Lee, a businessman, was arrested in Cambodia on suspicion of illegal recruitment and exploitation of people, fraud, and money laundering. In March 2023, he was featured in a BBC Eye investigation about scam centers in Southeast Asia.
The program discussed a complex in Sihanoukville owned by Lee. People working there had been lured into labor camps from other countries, were forced to work overnight, and engaged in fraud.
## Law enforcement uncovered the leader of a ransomware group
German and Ukrainian law enforcement identified the head of the ransomware group Black Basta—35-year-old Russian Oleg Nefedov. Interpol and Europol added the scammer, known online as tramp and kurva, to the list of most wanted criminals, reports Ukraine’s Cyber Police.
![](https://img-cdn.gateio.im/webp-social/moments-97ec74913bc9886afee1c6fd8bbaf052.webp)
Source: Europe’s most wanted.
Investigators linked Nefedov to the now-dismantled Conti syndicate, whose direct successor became Black Basta after rebranding in 2022.
During raids in Ivano-Frankivsk and Lviv regions, two group members specializing in hacking protected systems and stealing passwords were detained. They provided initial access to major corporations’ networks, paving the way for data encryption and subsequent multi-million dollar ransom demands.
Digital storage devices and significant amounts of cryptocurrency were seized during searches.
![](https://img-cdn.gateio.im/webp-social/moments-7f27f86250aaaa16926299183b644a04.webp)
Source: Office of the Prosecutor General of Ukraine.
Over its existence, Black Basta has attacked more than 700 organizations, including critical infrastructure: German defense company Rheinmetall, Hyundai’s European branch, and UK telecom BT Group.
## Hackers attacked Chrome and Edge users
The KongTuke group has begun widespread distribution of the malicious NexShield extension for Chrome and Edge. Cybersecurity firm Huntress reports.
According to experts, the malware disguises itself as a lightweight ad blocker. The extension intentionally overloads memory and CPU, causing tabs to freeze and browsers to crash completely, prompting users to seek system recovery.
After forced restart, NexShield displays a fake security window offering to scan the system.
![](https://img-cdn.gateio.im/webp-social/moments-84a62111981c4e1dbe0c57fad68d59b9.webp)
Source: Huntress.
Under the guise of fixing issues, the software prompts the user to copy a command to the clipboard and run it in Windows Command Prompt. In reality, this step runs a script that downloads a new remote access trojan—ModeloRAT.
![](https://img-cdn.gateio.im/webp-social/moments-df633ff74f8145e15ee6fa41a7a47a28.webp)
Source: Huntress.
According to experts, the main target is the corporate sector. The virus has a 60-minute delay to avoid suspicion and mainly activates in organizational domain networks. Once inside, ModeloRAT allows attackers to conduct deep reconnaissance, modify the system registry, install third-party software, and covertly control the victim’s computer.
Huntress researchers noted that simply removing the extension from the browser will not solve the problem, as the trojan is deeply embedded in the system. They recommend full antivirus scans and never executing commands suggested by websites or extensions.
## Zendesk cloud support service flooded users with spam after breach
Users worldwide have become targets of a mysterious wave of spam originating from unsecured Zendesk cloud support systems. On January 18, victims reported receiving hundreds of emails.
There’s some exploit or mass-scale abuse with @Zendesk right now… I just got EIGHT HUNDRED emails from them over the course of about an hour.
They’re all scams sent from different Zendesk instances. Many bypassed iCloud’s Junk filters. pic.twitter.com/nWXr2nFtg3
— Nick Oates (@nickoates_) January 18, 2026
Apparently, the messages do not contain malicious links or obvious phishing attempts. However, the volume and chaotic nature of the emails cause concern among recipients.
The emails have peculiar subjects: some mimic requests from law enforcement or content blocking notices, others offer free Discord Nitro or contain pleas like “Help me!”.
According to BleepingComputer, the emails are generated by support platforms used by companies employing Zendesk for customer service. Attackers exploited a loophole in a feature allowing unauthorized users to send requests for automatic responses.
Affected companies include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Lightspeed, CTL, Kahoot, Headspace, and Lime.
Zendesk representatives told the publication that they have implemented new security features to detect and prevent such spam in the future.
Also on ForkLog:
Hackers stole confiscated bitcoins worth ) million from South Korea’s prosecutor’s office.
Trove Markets developers performed a rug pull after ICO.
Former Alameda Research head Caroline Ellison will be released on January 28.
Hackers withdrew $48 million from Saga and collapsed native stablecoins.
SlowMist discovered a “future attack” in the Linux store.
Chainalysis introduced a tool for automating threat tracking in blockchains.
DeFi protocol Makina Finance was hacked for $7 million.
Experts called a major breach a “death sentence” for 80% of protocols.
## What to read this weekend?
Elena Vasileva invites ForkLog readers to put on a tinfoil hat to understand how conspiracy theories became the foundation of the digital economy, why Larry Fink is scarier than Reptilians, and what DYOR has in common with religious ecstasy.