Labubu-hunting for crypto users, dangerous torrents with movies and other cybersecurity events
We have gathered the most important news from the world of cybersecurity for the week.
"Poisoning" of the crypto address for $1.6 million
According to a publication by the ScamSniffer fraud prevention team, on August 15, one user lost 140 ETH (~$636,500 at the time of writing) by copying the wrong address from their "infected" cryptocurrency transaction history.
The "poisoning" of a crypto address is based on creating nearly identical addresses. Malicious actors send small transactions from wallets that resemble legitimate ones to trick users into copying the wrong one in future transfers.
According to Cointelegraph, on August 10, a victim of a similar attack lost $880,000. Other reports, as the media writes, indicate two more cases: the first - a loss of $80,000, the second - $62,000. In five days, the scammers managed to steal over $1.6 million using this method.
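A wallet-side check for the lookalike pattern described above, as an added example that is not from ScamSniffer or the original article. The function names, the 4-character head/tail match and the dust threshold are assumptions, and the addresses are constructed.

```python
import re

_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def _norm(addr):
    """Validate an Ethereum address and return its 40 hex chars, lowercased."""
    if not _ADDR.match(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr[2:].lower()

def imitates(candidate, known, head=4, tail=4):
    """Known addresses that `candidate` matches at both ends but not in full."""
    c = _norm(candidate)
    return [k for k in known
            if _norm(k) != c
            and _norm(k)[:head] == c[:head]
            and _norm(k)[-tail:] == c[-tail:]]

def poisoned_entries(history, known, dust_wei=10**15):
    """Inbound transfers of at most `dust_wei` whose sender imitates a known address."""
    flagged = []
    for tx in history:
        targets = imitates(tx["from"], known)
        if targets and tx["value_wei"] <= dust_wei:
            flagged.append((tx["hash"], tx["from"], targets[0]))
    return flagged

def check_destination(dest, known):
    """Classify a pasted destination before sending: 'known', 'lookalike' or 'new'."""
    if _norm(dest) in {_norm(k) for k in known}:
        return "known"
    return "lookalike" if imitates(dest, known) else "new"

# Constructed sample data (not real addresses or transactions).
EXCHANGE = "0x1a2b" + "c" * 32 + "9f8e"   # address the user really pays
LOOKALIKE = "0x1A2B" + "d" * 32 + "9F8E"  # same first/last 4 chars, different middle
STRANGER = "0x" + "ab" * 20
HISTORY = [
    {"hash": "tx1", "from": EXCHANGE, "value_wei": 5 * 10**18},
    {"hash": "tx2", "from": LOOKALIKE, "value_wei": 0},        # poisoning transfer
    {"hash": "tx3", "from": STRANGER, "value_wei": 10**12},    # dust, but no imitation
]

if __name__ == "__main__":
    print(poisoned_entries(HISTORY, [EXCHANGE]))
    print(check_destination(LOOKALIKE, [EXCHANGE]))
```

Comparing only the visible ends of an address is exactly what the scheme relies on, so the check compares the full address and treats an end-only match as the warning sign.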
According to ScamSniffer, in addition to losses from "address poisoning," at least $600,000 was lost this week due to signing malicious phishing requests such as approve(), increaseAllowance(), and permit().
On August 12, as a result of such actions, the user lost BLOCK and DOLO tokens worth $165,000.
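A pre-signing review of the allowance requests named above, as an added example that is not from ScamSniffer or the original article. It decodes ERC-20 approve/increaseAllowance calldata and an EIP-2612 permit presented as EIP-712 typed data; the function names, the trusted-spender list and the sample requests are assumptions constructed for illustration.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the ERC-20 allowance calls named in the text.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
}

def _review(kind, spender, amount, trusted):
    """Collect the warnings a user should see before signing."""
    warnings = []
    if spender.lower() not in {t.lower() for t in trusted}:
        warnings.append("spender is not in the trusted list")
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance")
    return {"kind": kind, "spender": spender.lower(),
            "amount": amount, "warnings": warnings}

def review_calldata(data_hex, trusted):
    """Decode approve/increaseAllowance calldata; None for any other call."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    kind = SELECTORS.get(data[:8])
    if kind is None:
        return None
    if len(data) < 8 + 128:
        raise ValueError("truncated calldata")
    spender = "0x" + data[8 + 24:8 + 64]   # address = low 20 bytes of word 1
    amount = int(data[8 + 64:8 + 128], 16)  # uint256 = word 2
    return _review(kind, spender, amount, trusted)

def review_typed_data(typed, trusted):
    """Review a permit signature request; None for other typed data."""
    if typed.get("primaryType") != "Permit":
        return None
    msg = typed["message"]
    return _review("permit", msg["spender"], int(msg["value"]), trusted)

# Constructed sample requests (not real contracts or signatures).
ROUTER = "0x" + "cd" * 20    # a spender the user trusts
UNKNOWN = "0x" + "ab" * 20   # a spender the user has never dealt with
SAMPLE_APPROVE = "0x095ea7b3" + "0" * 24 + "ab" * 20 + "f" * 64
SAMPLE_PERMIT = {"primaryType": "Permit",
                 "message": {"spender": ROUTER, "value": "1000"}}

if __name__ == "__main__":
    print(review_calldata(SAMPLE_APPROVE, [ROUTER]))
    print(review_typed_data(SAMPLE_PERMIT, [ROUTER]))
```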
Labubu fans lost their cryptocurrency
On August 11, F6 analysts discovered a cryptocurrency theft scheme targeting residents of the Russian Federation, reports RBC.
Using a fake marketplace for the popular toy Labubu, scammers offered free cryptocurrency with the same name. To participate in the fake promotion, users were asked to connect their crypto wallet.
After its activation, the attackers' site requested access to information about the balance and history of crypto transactions. If assets were present, the interface requested additional permission to verify participation in the "airdrop." Then, the malware transferred the victim's funds to the scammers' addresses.
To conserve their resources, hackers monitored wallets: if they were empty, the user was denied participation.
Previously, scammers used the Labubu brand to steal Telegram accounts. The attackers created bots where one could supposedly win a toy or receive it for a review. As a result, the victim shared their contact information and entered the code received from the messenger, after which they lost access to their account.
Torrents with movies steal cryptocurrency
Employees of "Kaspersky Lab" have recorded a wave of thefts involving the substitution of cryptocurrency wallets. The Efimer Trojan spreads through hacked WordPress sites, torrents, and email. Moreover, the malware collects the credentials of hacked resources for further spam distribution.
According to experts, attackers use torrent files as bait to target individuals. They find poorly secured WordPress sites and post messages offering to download a recently released movie. The link leads to a password-protected archive in which the malicious file is disguised as xmpeg_player.exe.
![Example of a hacked website offering to download an infected torrent with a movie. Source: "Kaspersky Lab".](https://img-cdn.gateio.im/webp-social/moments-e3111f528dfd3a70922750bd215cb4aa.webp)
In the case of corporate "hunting", phishing emails with claims regarding copyright infringement are used. The infected file is in an archive with details. After launching it, the computer gets infected with Efimer, and the user only sees an error notification.
Next, a Trojan with the function of replacing crypto addresses in the clipboard with those of the attacker penetrates the victim's device. Additionally, the malware looks for strings resembling seed phrases and is capable of executing fraudulent code through the Tor network for self-recovery.
According to Kaspersky Lab, from October 2024 to July 2025, 5015 users of the company's solutions faced attacks from Efimer. Among the most affected countries were India, Spain, Russia, Italy, and Germany.
Hackers opened the gates of the Norwegian dam
Pro-Russian hackers gained control over critical operating systems at a dam in Norway and opened the release valves. This is reported by Bleeping Computer.
Hackers breached the digital system managing the water flow at the dam in the Bremanger municipality and set the release valves to open. It took operators about four hours to detect and shut off the water. By that time, over 7.2 million liters had already passed through the system.
![Consequences of the hacker attack on the dam in the Bremanger municipality, Norway. Source: VG.](https://img-cdn.gateio.im/webp-social/moments-8979ebf021f77a4cc94ed60df48db536.webp)
The attack occurred in April. However, the incident became publicly known in August from the head of the Norwegian police security service, Beate Gangos. According to her, it was less an attempt to cause damage than a demonstration of the hackers' capabilities.
The vulnerability of dealers allowed remote control of cars
On August 10, Harness cybersecurity researcher Eaton Zveare told TechCrunch about a vulnerability in the online car dealer portal of one of the manufacturers. It allowed the disclosure of customers' private data and information about their vehicles, as well as remote hacking of the vehicle.
Zveare refused to name the manufacturer but clarified that it is a well-known automotive company with several popular brands. According to him, it was difficult to discover a vulnerability in the portal's authorization system, but after finding it, he was able to completely bypass the login mechanism by creating a new administrator account.
The vulnerable code was loaded into the user's browser when the login page was opened, which made it possible to modify that code and bypass the authorization security checks. Once access was gained, he was able to enter more than 1000 dealer centers of the manufacturer across the United States.
As an example, Zveare took the VIN number of a car from the windshield of a vehicle in the parking lot and used it to identify the owner. He noted that the tool could also be used to search by the client's first and last name.
Access to the portal also made it possible to link any car to a mobile account, which allowed some functions of the car to be controlled through the app, for example opening the doors. The expert did not check whether it was possible to drive away in the car, but noted that the vulnerability allowed for hacking it and stealing items.
What to read on the weekend?
ForkLog decided to investigate who is behind the brand Salomon Brothers and what threat the company's desire to gain access to bitcoin addresses it considers abandoned poses to the industry.