{"id":199946,"date":"2026-03-28T02:07:00","date_gmt":"2026-03-28T06:07:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/28\/india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments\/"},"modified":"2026-03-28T05:35:17","modified_gmt":"2026-03-28T09:35:17","slug":"india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/28\/india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments\/","title":{"rendered":"India arrests trafficker, Solana used as a dead drop, and other cybersecurity developments"},"content":{"rendered":"

India arrests trafficker, Solana used as a dead drop, and other cybersecurity developments<\/a><\/p>\n

https:\/\/forklog.com\/en\/india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments\/<\/a><\/p>\n

Publish Date: 2026-03-28 02:07:00<\/a><\/p>\n

Source Domain: forklog.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

The week’s key cybersecurity stories: wallets targeted, Solana dead drop, UK sanctions, and more.<\/p>\n

\t\t\t We have gathered the week\u2019s most important cybersecurity news.<\/p>\n

Over 700 browser-based crypto wallets were targeted by an info-stealer.
\nThe UK imposed sanctions on Xinbi and scam compounds in Southeast Asia.
\nMalware used Solana to steal crypto data and conduct phishing.
\nA cyberattack on an ignition interlock maker limited access to vehicles.<\/p>\n

Over 700 browser-based crypto wallets targeted by an info-stealer
\nThe new Torg Grabber info-stealer targets sensitive data across 850 browser extensions, including crypto wallets, password managers, note-taking apps and two-factor authentication tools, report cybersecurity researchers at Gen Digital.
\nInitial access is achieved via the ClickFix technique: attackers hijack the clipboard and trick users into executing a malicious PowerShell command.
\nThe list of targeted extensions includes 728 crypto wallets such as MetaMask, Phantom and Trust Wallet.
\nSource: Gen Digital.
\nTorg Grabber also harvests data from Discord, Telegram, Steam, VPN tools, email services and desktop versions of crypto apps.
\nBeyond these features, the malware can:<\/p>\n

create a device fingerprint;
\nenumerate installed software (including 24 antivirus tools);
\ncapture desktop screenshots;
\nsteal files from the Desktop and Documents folders;
\nexecute arbitrary code on the infected device.<\/p>\n

Since late 2025, scammers have used a more resilient HTTPS connection via Cloudflare\u2019s infrastructure. They also taught the stealer to bypass cookie protections in Chrome, Brave, Edge, Vivaldi and Opera.
\nAccording to researchers, 334 samples were compiled between December 2025 and February 2026, with new command-and-control servers registered weekly.
\nUK sanctions Xinbi and scam compounds in Southeast Asia
\nOn 26 March, the UK government imposed sanctions on the crypto marketplace Xinbi and individuals linked to scam compounds in Southeast Asia.
\nOfficials said the platform facilitates the sale of stolen personal data and provides tools to find victims, including satellite internet equipment. The measures restrict the network\u2019s access to financial channels.
\nThe sanctions also hit Legend Innovation, operator of #8Park \u2014 a large scam compound in Cambodia. Preliminary estimates suggest up to 20,000 forced labourers are held there. The firm\u2019s director, Eang Soklim, and individuals tied to the Prince Group financial network were designated.
\nAccording to Chainalysis, more than $19.9bn in transactions flowed through Xinbi between 2021 and 2025.
\nIn India, law enforcement arrested Sunil Nellatt Ramakrishnan, also known as Krish, on suspicion of trafficking people to fraudulent crypto centres in Myanmar.
\nAuthorities say he was a key player in transporting victims from Delhi to Bangkok under the pretext of legal employment in Thailand. People were forcibly moved to the Myawaddy area, including the KK Park complex.
\nSearches at the suspect\u2019s residence linked him to human-trafficking operations in Cambodia.
\nMalware used Solana to steal crypto data and phish
\nCybersecurity firm Aikido observed a new phase of the GlassWorm campaign. Hackers distribute phishing code bundles that steal developer data and install a remote access trojan.
\nGlassWorm gains access via malicious packages published to developer repositories including npm, PyPI, GitHub and the Open VSX marketplace.
\nIts operators also compromise maintainers\u2019 accounts on popular projects to push poisoned updates.
\nRather than hard-coding the command server address (where it is easy to find and block), the hackers used a \u201cdead drop\u201d method and hid it on the Solana blockchain.
\nThe loader connects to the network and checks preselected crypto wallets, looking for transactions with a memo field. Once found, it extracts the obfuscated link, decrypts it and connects to the remote server. The malware does not infect systems with a Russian locale.
\nDecoding the Solana memo field into the hackers\u2019 remote server link. Source: Aikido.
\nThe second stage of the attack includes:<\/p>\n

theft and collection of data, exfiltration of crypto wallets and system profiling;
\nexfiltration. Collected data is compressed into a ZIP archive and sent to an external server;
\nfollow-on downloads. After exfiltration, the chain pulls two more components.<\/p>\n

The first is a component for detecting USB devices. When a user connects a hardware wallet, a phishing window appears:<\/p>\n

for Ledger \u2014 a fake configuration error with 24 fields for entering the recovery phrase;
\nfor Trezor \u2014 a \u201cfirmware verification failure\u201d message and forced emergency reboot with similar input fields.<\/p>\n

The second component is a JavaScript RAT. Its download address is extracted from a Google Calendar event description (another \u201cdead drop\u201d method).
\nIts tasks include launching a covert remote desktop module, stealing browser data and executing arbitrary JavaScript.
\nIn addition, the trojan forcibly installs the Google Docs Offline extension. It collects a tree of active tabs, up to 5,000 history entries, screenshots and clipboard contents. The extension also monitors crypto exchanges such as Bybit, tracking authorisation tokens and device IDs.
\nCyberattack on an ignition interlock maker limited access to vehicles
\nHackers attacked Intoxalock, a US supplier of vehicle ignition interlock systems. Disrupted devices left some owners unable to start their cars, the outlet \u201c\u0425\u0430\u043a\u0435\u0440\u201d reported.
\nIntoxalock makes devices that offenders convicted of drink-driving are required to install. To start the engine, a driver must blow into a tube to verify that blood alcohol content is below the legal limit; otherwise the car will not start. In some states the system also records GPS coordinates and routinely photographs the person at the wheel.
\nSource: Intoxalock.
\nAccording to media reports, the device must be calibrated roughly once a month. Owing to the cyberattack, calibration proved impossible and drivers whose checks had expired were locked out. In Connecticut alone, the issue affected 7\u201310% of users.
\nThe company extended service-centre authorisations by 10 days, though the grace period did not apply to all device versions or all states.
\nThe system was restored on 22 March. Intoxalock\u2019s management pledged to reimburse users\u2019 expenses, including vehicle towing.
\nResearcher found a trojan in the LiteLLM AI app
\nMalware for stealing credentials was discovered in the popular LiteLLM AI application, reported Callum McMahon of FutureSearch.
\nLiteLLM lets developers connect to hundreds of different neural networks and manage subscription payments. The project has over 40,000 GitHub stars, thousands of forks, and daily downloads reach 3.4 million.
\nAccording to McMahon, the virus entered via a third-party software package on which LiteLLM depends. He suspected an infection when his computer suddenly shut down right after installing the software. A bug in the malware itself caused the crash, revealing the presence of the hacker\u2019s code.
\nMcMahon and noted developer Andrej Karpathy reached a shared conclusion: the virus was created through \u201cvibe coding\u201d without careful review.
\nHow the malware worked:<\/p>\n

stole any credentials it could find;
\nused them to access other accounts and packages to harvest yet more passwords;
\npropagated along the chain, compromising additional systems.<\/p>\n

TechCrunch noted that LiteLLM\u2019s website displays badges for major security certifications SOC 2 and ISO 27001, issued after an audit by Delve. The firm bills itself as an AI-based service that automates cybersecurity compliance.
\nAccording to media reports, Delve had previously been accused of generating fake report data, using questionable auditors and misleading clients about their security posture.<\/p>\n

Oh damn, I thought this WAS a joke
\n\u2026 but no, LiteLLM *really* was \u201cSecured by Delve\u201d (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudlent auditing, but useless for sure)
\nAnd so unspririsingly LiteLLM was compromised, badly https:\/\/t.co\/P7FZrsagAb
\n\u2014 Gergely Orosz (@GergelyOrosz) March 24, 2026<\/p>\n

LiteLLM\u2019s developers mitigated the threat within hours of the tainted release appearing. The company has begun an investigation with Mandiant.
\nAlso on ForkLog:<\/p>\n

Fenbushi Capital\u2019s co-founder offered a bounty for the return of the stolen $42 million.
\nZachXBT accused Circle of mistakenly freezing 16 wallets.
\nIrish authorities gained access to \u20ac30 million in bitcoin.
\nA hack of Resolv crashed the USR stablecoin.
\nGoogle identified a DarkSword exploit chain for hacking iPhones.<\/p>\n

What to read this weekend?
\nIn a new ForkLog feature, we explain how Russia\u2019s authorities plan to monitor every crypto transaction inside the country and why bitcoin wallet keys may have to be shared with a digital depository.<\/p>\n

\t\t\t\t\u041f\u043e\u0434\u043f\u0438\u0441\u044b\u0432\u0430\u0439\u0442\u0435\u0441\u044c \u043d\u0430 ForkLog \u0432 \u0441\u043e\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u0441\u0435\u0442\u044f\u0445<\/p>\n

Found a mistake? Select it and press CTRL+ENTER<\/p>\n

\t\t\t\t\u0420\u0430\u0441\u0441\u044b\u043b\u043a\u0438 ForkLog: \u0434\u0435\u0440\u0436\u0438\u0442\u0435 \u0440\u0443\u043a\u0443 \u043d\u0430 \u043f\u0443\u043b\u044c\u0441\u0435 \u0431\u0438\u0442\u043a\u043e\u0438\u043d-\u0438\u043d\u0434\u0443\u0441\u0442\u0440\u0438\u0438!<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

India arrests trafficker, Solana used as a dead drop, and other cybersecurity developments https:\/\/forklog.com\/en\/india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments\/ Publish…<\/p>\n","protected":false},"author":1,"featured_media":199947,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/u1f987.com\/wp-content\/uploads\/img-66d050fbc289a484-4082036415917875.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,35,32,25],"class_list":["post-199946","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-hacker","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199946"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=199946"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199946\/revisions"}],"predecessor-version":[{"id":199948,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199946\/revisions\/199948"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/199947"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=199946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=199946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=199946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}