
Cryptohack Roundup: Banking Trojan Targets Crypto Firms

Data Breach Today Archived May 14, 2026 ✓ Full text saved

Also: Indictments in Theft Case, KelpDAO Restarts Operations

This week, banking Trojan TCLBanker targeted crypto platforms, three people were indicted in a violent digital assets-related robbery, Kelp DAO restarted services after the $292 million hack and the U.S. Department of the Treasury tightened oversight of Binance.



Rashmi Ramesh (rashmiramesh_) • May 14, 2026

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, banking Trojan TCLBanker targeted crypto platforms, three people were indicted in a violent digital assets-related robbery, Kelp DAO restarted services after the $292 million hack and the U.S. Department of the Treasury tightened oversight of Binance.

TCLBanker Malware Targets Crypto Platforms

Researchers at Elastic identified a banking Trojan called TCLBanker that targets cryptocurrency, banking and fintech platforms through a fake installer for Logitech AI Prompt Builder. The malware is active in Brazil, but researchers warned it could expand beyond Latin America.

TCLBanker monitors browser activity and activates when victims open one of 59 targeted financial or crypto platforms. Once triggered, attackers can remotely control infected systems, capture screens, steal keystrokes and clipboard data, and display fake login or support windows designed to harvest credentials and PINs.

The malware also spreads through WhatsApp Web and Microsoft Outlook. It hijacks authenticated accounts, harvests contacts and automatically sends malicious links or phishing emails to new victims.

The researchers said TCLBanker combines credential theft, remote access and self-spreading features in a way that gives lower-level cybercriminals access to capabilities previously seen mainly in more advanced malware operations.

Three Indicted in Violent Crypto Robbery

U.S. federal prosecutors charged three men in connection with a violent crypto theft operation that allegedly stole about $6.5 million from victims across California. The U.S. Department of Justice said Elijah Armstrong, Nino Chindavanh and Jayden Rucker targeted victims across California, in San Francisco, San Jose, Sunnyvale and Los Angeles.

The prosecutors said that the suspects posed as delivery workers to gain entry into victims' homes before assaulting and restraining them with firearms, duct tape and zip ties. In one case, the attackers allegedly forced a victim to hand over access to cryptocurrency accounts, allowing them to transfer roughly $6.5 million in digital assets to wallets under their control.

The three men face charges including conspiracy to commit robbery and kidnapping. The prosecutors described the alleged scheme as organized, violent and highly dangerous. If convicted, the defendants could face lengthy prison sentences, including life imprisonment for some kidnapping-related charges.

Kelp DAO Restarts Services After $292 Million Crypto Hack

Kelp DAO and Aave are restarting services after taking initial recovery steps following a $292 million crypto theft in April. Kelp said it will gradually return the stolen rsETH tokens to its system over the next two weeks before reopening withdrawals and other user services. The company said it has tightened security checks and is changing some of the technology used to move assets between blockchain networks.

The attack, which researchers linked to North Korea's Lazarus Group, is so far the largest crypto platform hack of 2026. After the theft, the attackers used part of the stolen crypto in ways that created major financial losses for Aave (see: North Korea Steals Bulk of Crypto So Far). To limit the damage, Aave led a wider industry effort that raised more than $300 million to support affected systems and users. LayerZero admitted it had weaknesses and security gaps in its setup.

Treasury Tightens Oversight of Binance

The U.S. Department of the Treasury ordered Binance to comply more closely with a monitoring program tied to the company's 2023 guilty plea over sanctions and anti-money-laundering violations, reported The Information. The move follows reports that more than $1 billion in 2024 and 2025 flowed through Binance to Iran-linked organizations.

Treasury officials reminded Binance to fully cooperate with an independent compliance monitor and provide records and documents promptly. The scrutiny comes as U.S. lawmakers push for tougher enforcement of sanctions linked to Iran during ongoing tensions in the Middle East.

Earlier investigations found that some Binance accounts had been accessed from Iran and that crypto transactions linked to Iranian groups, including wallets tied to the Islamic Revolutionary Guards Corps, moved through the platform. Binance has disputed some of those reports but said it is cooperating with regulators and working to strengthen its compliance and transparency measures.