The week’s key cybersecurity news: Coinbase leak, Step Finance hack, record ransom, and more.
We have compiled the week’s most important cybersecurity news.
Attackers accessed information belonging to 30 Coinbase customers, the exchange confirmed, according to BleepingComputer.
The statement followed soon after the Scattered Lapsus$ Hunters group posted, then deleted, screenshots in Telegram of Coinbase’s internal support interface. The panel showed access to customer data — email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances and transactions.
The leak occurred in December 2025 and is unrelated to an earlier incident. It remains unclear whether the group was directly involved in the latest attack.
On February 3rd a court sentenced the alleged operator of the Incognito Market darknet drug platform, Rui-Xiang Lin, to 30 years in prison, the U.S. Department of Justice reported.
Prosecutors said the sentence closes one of the largest cases against illicit marketplaces since Silk Road.
Each listing on Incognito Market was posted by a specific seller. To become one, users had to register on the site and pay an entry fee. The platform charged a 5% commission on sales.
Proceeds funded Incognito Market’s operations, including server costs and staff incentives. Authorities say Lin’s net profit exceeded $6m.
To simplify finances, Incognito Market ran its own “bank” (Incognito Bank), allowing users to deposit crypto directly into site accounts. After a drug sale closed, funds moved from the buyer’s account to the seller’s address minus commission, preserving a degree of anonymity.
Investigators identified the group through blockchain analysis and undercover buys, as well as Lin’s basic cybersecurity blunders:
On January 31st Step Finance disclosed a security breach. External specialists helped the DeFi platform recover part of the stolen assets.
Several treasury wallets were compromised via a “well-known attack vector”, the team said. CertiK initially estimated losses at 261,854 SOL (about $28.9m at the time), but the figure rose to roughly $40m as the investigation progressed.
At the time of writing, about $3.7m in Remora assets and $1m in other tokens had been recovered, thanks to the Token22 safeguards and coordination with partners.
Some operations were paused to tighten security. The team said its Remora Markets protocol is isolated from the incident and that all rTokens remain fully backed 1:1.
Users were advised not to interact with the STEP token until the investigation concludes. A pre-attack network snapshot is planned to inform compensation decisions.
Step Finance has not disclosed details of the attack or the attackers’ identities, prompting community speculation about a possible exit scam or insider involvement. These allegations have not been refuted so far.
In 2025, hackers targeting cryptocurrencies left victims progressively less time to react, conclude experts at Global Ledger.
Laundering sped up in the second half compared with the first, reaching new extremes. The report cites a case in which funds moved in just two seconds — twice as fast as in H1 and twice as fast as the quickest public alert.
In most cases, attackers began moving funds before the market learned of the breach itself. On average last year this occurred in roughly 76.4% of incidents. In H2 the rate rose to 84.6%, from 68.1% in H1.
At the same time, the laundering phase itself slowed by about 25% on average: from roughly eight days in H1 to 10.6 days in H2.
According to Global Ledger, in H2 hackers split sums more aggressively and relied more on non-custodial wallets, DeFi protocols, DEX, cross-chain bridges and mixers.
After sanctions were lifted, use of Tornado Cash rose by more than 31 percentage points. Over the year, the mixer handled more than $2.05bn in Ethereum, about $655m of which was high risk. The share of funds exiting Tornado Cash to CEX increased from 0.16% (during restrictions) to 4.74% (after they were lifted).
Roughly 64% of incidents involved smart-contract hacks, the researchers said. Yet the largest losses — $1.5bn — hit users who signed fake approvals.
In January 2025 hackers demanded a record ransom in cryptocurrency from a Russian fishing company, according to F6.
The attackers demanded 50 BTC (about 500m rubles at the time of publication) to restore access to encrypted data. The victim’s name was not disclosed.
For the Russian market this is the largest ransom on record. The attack was linked to the CyberSec’s group, known for hacking Russian firms and online resources, stealing data and publishing it. The group gained wider notoriety after the leak of the sysadmins.ru forum database and claims of mass breaches of Bitrix servers.
On February 2nd Notepad++ developer Don Ho shared findings from an investigation involving external cybersecurity experts and staff at the project’s former hosting provider.
He said the service was attacked back in June 2025 via a compromise at the hosting-provider level.
The attackers acted surgically, targeting specific victims. Several independent experts concluded the attack was carried out by a Chinese “government” group.
The hosting server that housed the site and its update mechanism was compromised until September 2nd 2025. Maintenance took place that day, after which suspicious patterns disappeared from the logs.
The backdoor let the hackers redirect part of the traffic going to notepad-plus-plus.org/update/getDownloadUrl.php to their own servers, where victims were served update URLs containing malicious files.
Version 8.9.2 is expected within a month — certificate and signature verification will become mandatory. Don Ho recommended users manually download version 8.9.1, which already includes the required safeguards.
Also on ForkLog:
Andrey Asmakov explores whether humans will retain the right to intervene in the work of AI agents.
