"The attack, which researchers linked to North Korea's Lazarus Group, so far is the largest crypto platform hack of 2026."
TCLBanker: a banking Trojan aimed at crypto and finance platforms
Researchers at Elastic identified a banking Trojan named TCLBanker that specifically targets cryptocurrency, banking and fintech platforms by posing as a fake installer for the Logitech AI Prompt Builder. The malware is active in Brazil but researchers warned it could expand beyond Latin America. TCLBanker watches browser activity and activates when victims open any of 59 targeted financial or crypto platforms.
Once triggered, TCLBanker gives attackers remote control of infected systems: it can capture screens, log keystrokes and clipboard contents, and display fake login or support windows that harvest credentials and PINs. The malware also spreads through WhatsApp Web and Microsoft Outlook by hijacking authenticated accounts, harvesting contacts and automatically sending malicious links or phishing emails to new victims. Elastic noted the combination of credential theft, remote-access and self-spreading features effectively lowers the skill threshold for criminals to use capabilities previously seen mainly in higher-end operations.
Three indicted in a violent $6.5 million crypto robbery
U.S. federal prosecutors have charged Elijah Armstrong, Nino Chindavanh and Jayden Rucker in a violent scheme that allegedly stole roughly $6.5 million from victims in California. According to the Department of Justice, the suspects posed as delivery workers to gain entry into homes in San Francisco, San Jose, Sunnyvale and Los Angeles, then assaulted and restrained victims with firearms, duct tape and zip ties.
Prosecutors said that in at least one instance the attackers forced a victim to provide access to cryptocurrency accounts, enabling transfers of about $6.5 million to wallets under the suspects' control. The three face charges including conspiracy to commit robbery and kidnapping; prosecutors described the scheme as organized, violent and highly dangerous, and noted that some kidnapping-related counts could carry life sentences if the defendants are convicted.
Kelp DAO and Aave respond to a $292 million heist
Kelp DAO and Aave announced initial recovery steps after the April theft that researchers linked to North Korea's Lazarus Group. Kelp said it will gradually return the stolen rsETH tokens to its system over the next two weeks before reopening withdrawals and other user services. It also said it has tightened security checks and is changing some of the technology used to move assets between blockchain networks.
The theft pushed Aave into action as well: Aave led a wider industry effort that raised more than $300 million to support affected systems and users. LayerZero acknowledged it had weaknesses and security gaps in its setup, and those gaps were cited in post-incident analysis of how attackers moved and monetized portions of the stolen funds. The aggregate effort underscores how interconnected protocol security and emergency coordination have become when one large exploit can ripple across multiple platforms.
Treasury tightens oversight of Binance amid Iran-linked flows
The U.S. Department of the Treasury has ordered Binance to comply more closely with a monitoring program tied to the company's 2023 guilty plea over sanctions and anti-money-laundering violations, according to reporting by The Information. Treasury officials reminded Binance to cooperate fully with an independent compliance monitor and to provide records and documents promptly.
The move follows reports that more than $1 billion in 2024 and 2025 flowed through Binance to Iran-linked organizations. Earlier investigations cited by the reporting found some Binance accounts had been accessed from Iran and that crypto transactions linked to Iranian groups, including wallets tied to the Islamic Revolutionary Guards Corps, moved through the platform. Binance has disputed some of those reports but said it is cooperating with regulators and working to strengthen compliance and transparency measures.
What this means for technologists, regulators, and users
- Technologists and security teams: Expect focused attention on multi-vector malware like TCLBanker that combines credential theft, remote-access and self-propagation. The use of consumer collaboration tools (WhatsApp Web, Outlook) as propagation vectors calls for endpoint monitoring and tighter account-session controls.
- Policymakers and regulators: Treasury's move on Binance signals persistent follow-up on court-ordered monitors and on-the-ground compliance. Reports of more than $1 billion in flows tied to Iran and earlier findings about account access from Iran will likely shape monitoring and enforcement expectations tied to sanctions compliance.
- Affected platforms and users: Protocols hit directly by the Kelp DAO exploit face immediate operational choices—gradual token returns, tightened interchain transfer methods, and coordinated funds-raising to repay losses. Individual users whose accounts are tied to physical coercion or illicit transfers should expect law enforcement investigations and potential asset freezes while cases proceed.
Taken together, these incidents underscore a simple but consequential reality: criminals are leveraging both digital-scale exploits and traditional violent methods, and regulators are responding with closer oversight. The questions left on the table are concrete: will the gradual rsETH returns restore user trust, will the independent monitor and Binance's cooperation close the gaps Treasury flagged, and can defenders blunt the spread of malware like TCLBanker before it spreads beyond Brazil?