A Vietnamese hacking group known as Lone None has been found running a multi‑language scam campaign aimed at stealing personal and financial information, with a focus on cryptocurrency theft, according to Cofense Intelligence researchers.
The operation begins with counterfeit emails that pose as official copyright takedown notices from law firms around the world. Recipients are urged to remove allegedly infringing content from websites or social media, sometimes naming the recipient’s real social accounts. The messages are crafted in roughly ten languages, including English, French, German and Chinese, suggesting an intent to widen the campaign’s reach.
Recipients are directed to a link that downloads an archive—typically a ZIP file—containing the malware disguised as legitimate documents such as PDFs or PNGs. The threat actors employ DLL side-loading, abusing legitimate, signed programs (for example a trusted Word or PDF reader) to silently execute malicious code and bypass standard security checks.
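A triage check for the delivery archive described above, as an added example that is not code from Cofense or from this article. It flags members whose document extension does not match their leading bytes and folders that ship an executable beside other PE files, the layout DLL side-loading needs. The function names and sample file names are constructed, and it assumes an unencrypted ZIP in which the disguise shows up as a name/content mismatch.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes expected for the document types the page names (PDF, PNG).
DOC_MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by Windows .exe and .dll files


def triage_zip(data: bytes) -> list[str]:
    """Return findings for one unencrypted archive held in memory."""
    findings = []
    pe_by_dir = {}  # directory -> {"exe": [names], "module": [names]}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(8)
            is_pe = head.startswith(PE_MAGIC)
            # Assumption: the disguise shows as a name/content mismatch.
            if ext in DOC_MAGIC and not head.startswith(DOC_MAGIC[ext]):
                kind = "a PE image" if is_pe else "not that file type"
                findings.append(f"disguised: {info.filename} is {kind}")
            if is_pe:
                slot = "exe" if ext == ".exe" else "module"
                dirs = pe_by_dir.setdefault(str(path.parent), {"exe": [], "module": []})
                dirs[slot].append(path.name)
    # Side-loading layout: a host executable shipped beside other PE files.
    for folder, pes in sorted(pe_by_dir.items()):
        if pes["exe"] and pes["module"]:
            findings.append(
                f"sideload-layout: {folder}: {sorted(pes['exe'])} beside {sorted(pes['module'])}")
    return findings


def build_sample() -> bytes:
    """Constructed sample archive with harmless stub bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice/Reader.exe", b"MZ" + b"\x00" * 16)    # host program stub
        zf.writestr("notice/helper.dll", b"MZ" + b"\x00" * 16)    # loose DLL stub
        zf.writestr("notice/evidence.pdf", b"MZ" + b"\x00" * 16)  # PE named .pdf
        zf.writestr("notice/photo.png", b"\x89PNG\r\n\x1a\n")     # genuine PNG header
    return buf.getvalue()
```

A hit on the side-load layout alone is weak evidence, since legitimate portable applications also ship an executable with its DLLs; it carries weight when the archive arrived through an unsolicited link.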
Two information stealers are deployed in this campaign: Pure Logs Stealer and the newer Lone None Stealer (also known as PXA Stealer). Pure Logs retrieves a broad range of data, including passwords, credit card numbers, session cookies and local crypto wallet files stored by browsers and applications. Lone None Stealer, by contrast, concentrates on cryptocurrency theft: it monitors the clipboard for wallet addresses and quietly replaces a copied address with the attackers’ own, so that funds are diverted when the victim pastes it.
Cofense Intelligence notes that Lone None Stealer has been observed in about 29% of recent Pure Logs Stealer reports since June 2025, indicating the actor’s rising prominence in this family of information-stealing tools. The actor also uses a distinctive staging technique in which the address for the next attack step is hidden within a Telegram bot profile page. The Telegram network also serves as its primary command-and-control (C2) channel, enabling rapid exfiltration of stolen data.
Experts warn that the scam preys on fear of urgent legal disputes to prompt action and click-throughs. To protect themselves, users should exercise caution with unsolicited correspondence, avoid clicking links or downloading files from unexpected sources, and verify takedown notices through official channels.