Hacking the CLI version of Bitwarden, the arrest of "black" collectors in Kyiv, and other cybersecurity events - ForkLog: cryptocurrencies, AI, singularity, the future

# Hack of the CLI version of Bitwarden, arrest of “black” collectors in Kyiv, and other cybersecurity events

We have compiled the most important cybersecurity news of the week.

  • North Korean hackers stole $12 million in cryptocurrency over three months using AI tools.
  • A former negotiator with extortionists turned out to be an accomplice.
  • British intelligence: 100 governments worldwide have access to commercial espionage software.
  • A credential stealer was embedded in the Bitwarden CLI password manager used by developers.

North Korean hackers stole $12 million in cryptocurrency over three months using AI tools

Over three months, the North Korean hacking group HexagonalRodent stole about $12 million in cryptocurrency and infected more than 2,000 Web3 developer computers to steal credentials and access crypto wallets. This was reported by cybersecurity expert Marcus Hutchins from Expel.

The attack relied on a method called vibe-coding — generating malicious software and infrastructure through text prompts to neural networks:

  • Using AI web design tools from Anima, hackers created websites for non-existent IT companies;
  • Victims were lured with fake job offers and asked to complete a “test assignment” containing malware;
  • All code and correspondence in perfect English were generated with ChatGPT and Cursor.

Fragment of hacker code. Source: Expel

An expert analyzed the hackers’ infrastructure, which they carelessly left open. Their prompts and a database with victims’ wallets leaked online. Hutchins noted that the code was filled with comments in English and emojis, a clear sign that the software was fully generated by an LLM.

According to Hutchins, by 2026, Pyongyang made a qualitative leap, using AI to automate every stage of cyberattacks, turning low-skilled operators into a large-scale cyber threat.

HexagonalRodent’s activity is just part of North Korea’s global strategy to automate crimes, confirmed by reports from other tech giants:

  • Microsoft reported that North Korean operators use AI to generate fake documents, study vulnerabilities, and conduct social engineering;
  • Anthropic stated that they thwarted attempts by North Korean agents to use the Claude model to improve viruses.

In comments to WIRED, representatives from OpenAI, Cursor, and Anima confirmed the abuse of their services. According to them, accounts related to hackers have been blocked, and the investigation will help understand how to prevent similar incidents.

A former negotiator with extortionists turned out to be an accomplice

Angelo Martino, who previously negotiated with extortionists at cybersecurity firm DigitalMint, pleaded guilty to aiding cybercriminals. The US Department of Justice announced this.

Martino admitted that he played “both sides” in five different incidents. Officially working for the victims, he provided confidential information to ALPHV/BlackCat malware operators, as well as supplied hackers with data such as victim insurance policy limits and negotiation strategies.

The investigation established that Martino maximized payouts for criminals, from which he took his share.

The ALPHV/BlackCat group operated on a CaaS model, where the gang creates and maintains encryption software, and “partners” use it in attacks and pay developers a share of the profits.

In 2023, law enforcement seized the hackers’ site on the dark web and released a decryption program that helped over 500 victims recover their systems.

In 2025, other DigitalMint employees — Kevin Tyler Martin and Ryan Clifford Goldberg — assisted the same group of hackers. Together with Martino, they earned over $1.2 million from just one victim.

Martino pleaded guilty to extortion, facing up to 20 years in prison. Authorities seized assets worth $10 million from him.

British intelligence: 100 governments worldwide have access to commercial espionage software

According to British intelligence, more than half of the governments worldwide have access to software capable of hacking devices to steal confidential information. Politico reports.

According to the report, the barrier to acquiring such surveillance technologies has fallen, and the number of countries potentially owning such hacking tools has grown: now 100, compared to 80 known in 2023.

Commercial spyware developed by private companies, such as NSO Group’s Pegasus, often relies on exploiting vulnerabilities in phone and computer software. Governments claim these tools are used only against suspects in serious crimes, including terrorism.

British intelligence reports that in recent years, the “circle of victims” has expanded from political critics, opponents, and journalists to bankers and wealthy businessmen.

In the US, ICE actively uses Israeli software Graphite. Acting director Todd Lyons confirmed this to NPR.

He said law enforcement uses the software to combat foreign terrorist organizations and fentanyl traffickers using encrypted messaging. The software allows access to phone messages without clicking on links (zero-click).

A credential stealer was embedded in the Bitwarden CLI password manager used by developers

On April 22, 2026, the official npm package of the Bitwarden CLI password manager version 2026.4.0 was compromised. The repository contained a version with malicious code to steal developers’ credentials.

Several security companies analyzed the infection chain and assessed the incident:

  • JFrog experts found that the package used a custom loader, bw_setup.js, to covertly run a spy script. The virus collected npm and GitHub tokens, SSH keys, and credentials for AWS, Azure, and Google Cloud;
  • OX Security discovered that the stolen encrypted data was uploaded by automatically creating public repositories on the victim’s GitHub. Repositories were marked with the line Shai-Hulud: The Third Coming, and the virus could self-spread;
  • Socket confirmed that the virus’s target was CI/CD infrastructure. They also linked this incident technically to the recent supply chain compromise of Checkmarx.

The attack is attributed to the hacker group TeamPCP, which previously conducted large-scale campaigns against Trivy and LiteLLM project developers. Experts strongly recommended developers immediately change all keys and tokens if they interacted with the compromised CLI.
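A triage helper for the incident described above, added here as an example and not code from Bitwarden or from the researchers cited: it scans an npm lockfile for the compromised release and lists the credentials the digest says were harvested. The indicators (version 2026.4.0, loader bw_setup.js) come from the digest; the npm package name @bitwarden/cli is an assumption.

```python
import json
import os

PACKAGE = "@bitwarden/cli"   # assumed npm package name of the Bitwarden CLI
BAD_VERSION = "2026.4.0"     # compromised release named in the digest
LOADER = "bw_setup.js"       # custom loader reported by JFrog


def find_in_lockfile(lock: dict) -> list[str]:
    """Return install paths in a package-lock.json that pin the compromised release.

    Handles lockfileVersion 2/3 ("packages" keyed by install path) and
    lockfileVersion 1 ("dependencies" nested by package name).
    """
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and meta.get("version") == BAD_VERSION:
            hits.append(path)

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name == PACKAGE and meta.get("version") == BAD_VERSION:
                hits.append(here)
            walk(meta.get("dependencies", {}), here + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def find_loader(install_dir: str) -> list[str]:
    """Return any bw_setup.js found under an installed package directory."""
    return [os.path.join(root, LOADER)
            for root, _dirs, files in os.walk(install_dir) if LOADER in files]


def rotation_checklist(hits: list[str]) -> list[str]:
    """Secrets the digest says the stealer collected; rotate all if anything hit."""
    if not hits:
        return []
    return ["npm tokens", "GitHub tokens", "SSH keys",
            "AWS credentials", "Azure credentials", "Google Cloud credentials"]


# Constructed sample lockfile (lockfileVersion 3); one pin is bad, one is not.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": BAD_VERSION},
        "node_modules/wrapper/node_modules/@bitwarden/cli": {"version": "2026.3.0"},
    },
}

if __name__ == "__main__":
    hits = find_in_lockfile(SAMPLE_LOCK)
    print("compromised pins:", hits)
    print("rotate:", rotation_checklist(hits))
```

To run it against a real project, load the file with `json.load(open("package-lock.json"))` and pass the result to `find_in_lockfile`.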

Bitwarden promptly removed the infected version just an hour and a half after the attack began and confirmed the safety of user vaults and passwords.

Apple fixed a bug that allowed the FBI to read deleted Signal messages

Apple released a fix and security recommendations after the FBI gained access to Signal message notification content via iOS, despite the app being deleted.

We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.

Apple’s advisory confirmed that the bugs that allowed this to…

— Signal (@signalapp) April 22, 2026

Signal reported that after installing the update, all unintentionally saved notifications will be deleted, and new ones will not be saved.

Kyiv detains a gang of collectors extorting cryptocurrency using bot farms

In Kyiv, law enforcement detained scammers who used Bitcapital and Crypsee platforms to provide loans in cryptocurrency. Debtors and their relatives were harassed with generated offensive content and a bot farm of 6,000 SIM cards, Ukraine Cyberpolice reports.

According to investigators, the group organized a call center in Dnipro, operating since 2023 under the cover of companies registered in the UK and Cyprus.

Operators called debtors and, using fake data and voice-changing software, demanded repayment. If clients repaid on time, scammers invented fictitious debts. Later, they used threats and blackmail to extort money.

The bot farm was used to generate and distribute humiliating content using data and photos of victims, their relatives, and colleagues, as well as for systematic phone calls with threats.

Source: Ukraine Cyberpolice

At the same time, a separate group of two to six people could work on a victim, applying different approaches tailored to individual vulnerabilities. If successful, each received a percentage of the amount extracted from the victim.

Police conducted 44 searches in Dnipropetrovsk region and Kyiv. Over 80 mobile phones, computer equipment, cash, documents, stamps, and bot farms were seized.

Preliminary estimates suggest the total damage exceeded 5 million hryvnias (about $…,000 at the exchange rate at the time of writing). Suspects face up to 12 years in prison.

Also on ForkLog:

  • Tether blocked USDT worth $113 million at the request of the US authorities.
  • Raids in the UK targeted illegal P2P cryptocurrency trading.
  • Cybersecurity experts warned of a new wave of North Korean hacker attacks.
  • Bloomberg reported unauthorized access to the Mythos AI model.
  • Hackers attacked Volo and withdrew $3.5 million from WBTC and USDC pools.
  • Journalists revealed a new scheme of Bitcoin extortion for passage through the Strait of Hormuz.
  • Arbitrum froze 30,000 ETH as part of the Kelp hack investigation.
  • Eth.limo regained control of the domain after a breach at easyDNS.
  • The Kelp protocol lost $… million after a cross-chain bridge attack.

What to read this weekend?

For a long time, the use of cyber weapons for espionage was considered the prerogative of a narrow circle of intelligence agencies. However, an investigation by US authorities into Operation Zero revealed the scale of zero-day vulnerability trading.

On the shadow markets of states and the cost of hacking — in a new ForkLog article.
