{"id":185233,"date":"2026-02-06T23:19:00","date_gmt":"2026-02-07T04:19:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/06\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/"},"modified":"2026-02-07T00:00:11","modified_gmt":"2026-02-07T05:00:11","slug":"coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/06\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/","title":{"rendered":"Coinbase confirms data leak, record ransom in Russia and other cybersecurity news"},"content":{"rendered":"<p><a href=\"https:\/\/forklog.com\/en\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/\">Coinbase confirms data leak, record ransom in Russia and other cybersecurity news<\/a><\/p>\n<p><a href=\"https:\/\/forklog.com\/en\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/\">https:\/\/forklog.com\/en\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-06 23:19:00<\/a><\/p>\n<p>Source Domain: <a href=\"forklog.com\">forklog.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>
<\/p>\n<p>             The week&#8217;s key cybersecurity news: Coinbase leak, Step Finance hack, record ransom, and more.<\/p>\n<p>\t\t\t                        We have compiled the week\u2019s most important cybersecurity news.<\/p>\n<p>Coinbase confirmed a user-data leak.<br \/>\nThe operator of a major darknet drug market was sentenced to 30 years.<br \/>\nDeFi platform Step Finance lost $40m after a breach of treasury wallets.<br \/>\nGlobal Ledger: crypto scammers are giving victims ever less time to react.<\/p>\n<p>Coinbase confirms user-data leak<br \/>\nAttackers accessed information belonging to 30 Coinbase customers, the exchange confirmed, according to BleepingComputer.<br \/>\nThe statement followed soon after the Scattered Lapsus$ Hunters group posted, then deleted, screenshots in Telegram of Coinbase\u2019s internal support interface. The panel showed access to customer data\u2014email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances and transactions.<br \/>\nThe leak occurred in December 2025 and is unrelated to an earlier incident. It remains unclear whether the group was directly involved in the latest attack.<br \/>\nOperator of a major darknet drug market gets 30 years<br \/>\nOn February 3rd a court sentenced the alleged operator of the Incognito Market darknet drug platform, Rui-Xiang Lin, to 30 years in prison, the U.S. Department of Justice reported.<br \/>\nProsecutors said the sentence closes one of the largest cases against illicit marketplaces since Silk Road.<br \/>\nEach listing on Incognito Market was posted by a specific seller. To become one, users had to register on the site and pay an entry fee. The platform charged a 5% commission on sales.<br \/>\nProceeds funded Incognito Market\u2019s operations, including server costs and staff incentives. 
Authorities say Lin\u2019s net profit exceeded $6m.<br \/>\nTo simplify finances, Incognito Market ran its own \u201cbank\u201d (Incognito Bank), allowing users to deposit crypto directly into site accounts. After a drug sale closed, funds moved from the buyer\u2019s account to the seller\u2019s address minus commission, preserving a degree of anonymity.<br \/>\nSource: U.S. Department of Justice.<br \/>\nInvestigators identified the group through blockchain analysis and undercover buys, as well as Lin\u2019s basic cybersecurity blunders:<\/p>\n<p>domain registration. Forensic analysts traced the marketplace domain to Lin because he used his real name, personal phone number and address;<br \/>\nbiography. Lin studied at National Taiwan University, then performed alternative civilian service in Saint Lucia. There he worked as a technical assistant and even taught local police methods to combat cybercrime and work with cryptocurrencies in his spare time.<\/p>\n<p>DeFi platform Step Finance loses $40m after treasury-wallet hack<br \/>\nOn January 31st Step Finance disclosed a security breach. External specialists helped the DeFi platform recover part of the stolen assets.<br \/>\nSeveral treasury wallets were compromised via a \u201cwell-known attack vector\u201d, the team said. CertiK initially estimated losses at 261,854 SOL (about $28.9m at the time), but the figure rose to roughly $40m as the investigation progressed.<\/p>\n<p>#CertiKInsight \ud83d\udea8<br \/>\nWe have seen a security breach of @StepFinance_ treasury wallets. https:\/\/t.co\/Zi3tMKaTqE<br \/>\n261,854 SOL (~$28.9M) has been withdrawn after stake authorization had been transferred to https:\/\/t.co\/o51kREYPHW<br \/>\nStay Vigilant! 
pic.twitter.com\/GrxpyzI2Uv<br \/>\n\u2014 CertiK Alert (@CertiKAlert) January 31, 2026<\/p>\n<p>At the time of writing, about $3.7m in Remora assets and $1m in other tokens had been recovered, thanks to the Token22 safeguards and coordination with partners.<br \/>\nSome operations were paused to tighten security. The team said its Remora Markets protocol is isolated from the incident and that all rTokens remain fully backed 1:1.<br \/>\nUsers were advised not to interact with the STEP token until the investigation concludes. A pre-attack network snapshot is planned to inform compensation decisions.<br \/>\nStep Finance has not disclosed details of the attack or the attackers\u2019 identities, prompting community speculation about a possible exit scam or insider involvement. These allegations have not been refuted so far.<br \/>\nGlobal Ledger: crypto scammers are leaving victims less time to respond<br \/>\nIn 2025, hackers targeting cryptocurrencies left victims progressively less time to react, conclude experts at Global Ledger.<br \/>\nLaundering sped up in the second half compared with the first, reaching new extremes. The report cites a case in which funds moved in just two seconds\u2014twice as fast as in H1 and twice as fast as the quickest public alert.<br \/>\nIn most cases, attackers began moving funds before the market learned of the breach itself. On average last year this occurred in roughly 76.4% of incidents. In H2 the rate rose to 84.6%, from 68.1% in H1.<br \/>\nSource: Global Ledger.<br \/>\nAt the same time, the laundering phase itself slowed by about 25% on average: from roughly eight days in H1 to 10.6 days in H2.<br \/>\nAccording to Global Ledger, in H2 hackers split sums more aggressively and relied more on non-custodial wallets, DeFi protocols, DEX, cross-chain bridges and mixers.<br \/>\nSource: Global Ledger.<br \/>\nAfter sanctions were lifted, use of Tornado Cash rose by more than 31 percentage points. 
Over the year, the mixer handled more than $2.05bn in Ethereum, about $655m of which was high risk. The share of funds exiting Tornado Cash to CEX increased from 0.16% (during restrictions) to 4.74% (after they were lifted).<br \/>\nRoughly 64% of incidents involved smart-contract hacks, the researchers said. Yet the largest losses\u2014$1.5bn\u2014hit users who signed fake approvals.<br \/>\nCrypto extortionists set a record in Russia<br \/>\nIn January 2025 hackers demanded a record ransom in cryptocurrency from a Russian fishing company, according to F6.<br \/>\nThe attackers demanded 50 BTC (about 500m rubles at the time of publication) to restore access to encrypted data. The victim\u2019s name was not disclosed.<br \/>\nFor the Russian market this is the largest ransom on record. The attack was linked to the CyberSec\u2019s group, known for hacking Russian firms and online resources, stealing data and publishing it. The group gained wider notoriety after the leak of the sysadmins.ru forum database and claims of mass breaches of Bitrix servers.<br \/>\nNotepad++ developer discloses details of the breach<br \/>\nOn February 2nd Notepad++ developer Don Ho shared findings from an investigation involving external cybersecurity experts and staff at the project\u2019s former hosting provider.<br \/>\nHe said the service was attacked back in June 2025 via a compromise at the hosting-provider level.<br \/>\nThe attackers acted surgically, targeting specific victims. Several independent experts concluded the attack was carried out by a Chinese \u201cgovernment\u201d group.<br \/>\nThe hosting server that housed the site and its update mechanism was compromised until September 2nd 2025. 
Maintenance took place that day, after which suspicious patterns disappeared from the logs.<br \/>\nThe backdoor let the hackers redirect part of the traffic going to notepad-plus-plus.org\/update\/getDownloadUrl.php to their own servers, where victims were served update URLs containing malicious files.<br \/>\nVersion 8.9.2 is expected within a month\u2014certificate and signature verification will become mandatory. Don Ho recommended users manually download version 8.9.1, which already includes the required safeguards.<br \/>\nAlso on ForkLog:<\/p>\n<p>A Chainstory study found signs of scam in most crypto press releases.<br \/>\nA vulnerability was found in the Moltbook social network for AI agents.<br \/>\nCurve Finance\u2019s CrossCurve bridge was hacked for $3m.<\/p>\n<p>What to read this weekend?<br \/>\nAndrey Asmakov explores whether humans will retain the right to intervene in the work of AI agents.<\/p>\n
","protected":false},"excerpt":{"rendered":"<p>Coinbase confirms data leak, record ransom in Russia and other cybersecurity news https:\/\/forklog.com\/en\/coinbase-confirms-data-leak-record-ransom-in-russia-and-other-cybersecurity-news\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":185234,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/forklog.com\/wp-content\/uploads\/img-b5d7b9875a5427f0-4082029324633328.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,27],"class_list":["post-185233","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185233"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=185233"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185233\/revisions"}],"predecessor-version":[{"id":185235,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185233\/revisions\/185235"}],"wp:featuredmedia":[{"embeddable":tru
e,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/185234"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=185233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=185233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=185233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}