⚡ THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma
FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname “The Manipulaters,” have been the subject of three stories. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.
On January 29, the FBI and the Dutch national police seized the technical infrastructure for a cybercrime service marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
The Dutch authorities said 39 servers and domains abroad were seized, and that the servers contained millions of records from victims worldwide — including at least 100,000 records pertaining to Dutch citizens.
A statement from the U.S. Department of Justice refers to the cybercrime group as Saim Raza, after a pseudonym The Manipulaters communally used to promote their spam, malware and phishing services on social media.
“The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages and email extractors often used to build and maintain fraud operations,” the DOJ explained.
The core Manipulaters product is Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting clients of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and [website], to name a few.
The government says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.
“Those payments would instead be redirected to a financial account the perpetrators controlled, resulting in significant losses to victims,” the DOJ wrote. “These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes. The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”
KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.
We caught up with The Manipulaters again in 2021, with a story that found the core employees had started a web coding company in Lahore called WeCodeSolutions — presumably as a way to account for their considerable Heartsender income. That piece examined how WeCodeSolutions employees had all doxed themselves on Facebook by posting pictures from company parties each year featuring a large cake with the words FudCo written in icing.
A follow-up story last year about The Manipulaters prompted messages from various WeCodeSolutions employees who pleaded with this publication to remove stories about them. The Saim Raza identity told KrebsOnSecurity they were recently released from jail after being arrested and charged by local police, although they declined to elaborate on the charges.
The Manipulaters never seemed to care much about protecting their own identities, so it’s not surprising that they were unable or unwilling to protect their own customers. In an analysis released last year, DomainTools found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated clients, including customer credentials and email records from Heartsender employees.
DomainTools also uncovered evidence that the computers used by The Manipulaters were all infected with the same password-stealing malware, and that vast numbers of credentials were stolen from the group and sold online.
“Ironically, the Manipulaters may create more short-term risk to their own consumers than law enforcement,” DomainTools wrote. “The data table ‘User Feedbacks’ (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain.”
Police in The Netherlands said the investigation into the owners and customers of the service is ongoing.
“The Cybercrime Team is on the trail of a number of buyers of the tools,” the Dutch national police said. “Presumably, these buyers also include Dutch nationals. The investigation into the makers and buyers of this phishing software has not yet been completed with the seizure of the servers and domains.”
U.S. authorities this week also joined law enforcement in Australia, France, Greece, Italy, Romania and Spain in seizing a number of domains for several long-running cybercrime forums and services, including Cracked and Nulled. The two communities attracted more than 10 million people in total.
Other domains seized as part of “Operation Talent” included Sellix, an e-commerce platform that was frequently used by cybercrime forum members to buy and sell illicit goods and services.
⚡ THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma

Welcome to your weekly roundup of cyber news, where every headline gives you a peek into the world of online battles. This week, we look at a huge crypto theft, reveal some sneaky AI scam tricks, and discuss big changes in data protection.
Let these stories spark your interest and help you understand the changing threats in our digital world.
Lazarus Group Linked to Record-Setting $1.5 Billion Crypto Theft — The North Korean Lazarus Group has been linked to a "sophisticated" attack that led to the theft of over $1.5 billion worth of cryptocurrency from one of Bybit's cold wallets, making it the largest ever single crypto heist in history. Bybit said it detected unauthorized activity within one of its Ethereum (ETH) Cold Wallets during a planned routine transfer process on February 21, 2025, at around 12:30 [website] UTC. The incident makes it the biggest-ever cryptocurrency heist reported to date, dwarfing that of Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).
OpenAI Bans ChatGPT Accounts for Malicious Activities — OpenAI has revealed that it banned several clusters of accounts that used its ChatGPT tool for a wide range of malicious purposes. This included a network likely originating from China that used its artificial intelligence (AI) models to develop a suspected surveillance tool that's designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit. Other instances of ChatGPT abuse consisted of creating social media content and long-form articles critical of the [website], generating comments for propagating romance-baiting scams on social media, and assisting with malware development.
Apple Drops iCloud's Advanced Data Protection in the U.K. — Apple has stopped offering its Advanced Data Protection (ADP) feature for iCloud in the United Kingdom with immediate effect, rather than complying with government demands for backdoor access to encrypted user data. "We are gravely disappointed that the protections provided by ADP will not be available to our consumers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said. The development comes shortly after reports emerged that the U.K. government had ordered Apple to build a backdoor that grants blanket access to any Apple user's iCloud content.
Salt Typhoon Leverages Years-Old Cisco Flaw for Initial Access — The China-linked hacking group called Salt Typhoon leveraged a now-patched security flaw impacting Cisco devices (CVE-2018-0171) and obtained legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. Besides relying extensively on living-off-the-land (LOTL) techniques to evade detection, the attacks have led to the deployment of a bespoke utility called JumbledPath that allows them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. Cisco described the threat actor as highly sophisticated and well-funded, consistent with state-sponsored hacking activity.
Russian Hackers Exploit Signal's Linking Feature — Multiple Russia-aligned threat actors have been observed targeting individuals of interest via malicious QR codes that exploit the privacy-focused messaging app Signal's "linked devices" feature to gain unauthorized access to their accounts and eavesdrop on the messages. The attacks have been attributed to two clusters tracked as UNC5792 and UNC4221. The development comes as similar attacks have also been recorded against WhatsApp.
Winnti Stages RevivalStone Campaign Targeting Japan — Winnti, a subgroup within the APT41 Chinese threat activity cluster, targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 in a campaign that delivered a wide range of malware, including a rootkit that's capable of intercepting TCP/IP Network Interface, as well as creating covert channels with infected endpoints within the intranet. The activity has been codenamed RevivalStone.
Your go-to software could be hiding dangerous security flaws—don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.
This week's list includes — CVE-2025-24989 (Microsoft Power Pages), CVE-2025-23209 (Craft CMS), CVE-2024-12284 (Citrix NetScaler Console and NetScaler Agent), CVE-2025-26465, CVE-2025-26466 (OpenSSH), CVE-2025-21589 (Juniper Networks Session Smart Router), CVE-2024-12510, CVE-2024-12511 (Xerox VersaLink C7025 Multifunction printer), CVE-2025-0366 (Jupiter X Core plugin), CVE-2024-50379, CVE-2024-56337, CVE-2024-52316, CVE-2024-50379, CVE-2024-56337 (Atlassian), CVE-2024-53900, CVE-2025-23061 (Mongoose library), CVE-2025-26776 (NotFound Chaty Pro plugin), CVE-2025-26763 (MetaSlider Responsive Slider by MetaSlider plugin), CVE-2024-54756 (ZDoom Team GZDoom), CVE-2024-57401 (Uniclare Student Portal), CVE-2025-20059 (Ping Identity PingAM Java Policy Agent), CVE-2025-0868 (DocsGPT), CVE-2025-1023, CVE-2025-1132, CVE-2025-1133, CVE-2025-1134, CVE-2025-1135 (ChurchCRM), CVE-2024-57045 (D-Link DIR-859 router), CVE-2024-57050 (TP-Link WR840N v6 router), CVE-2024-57049 (TP-Link Archer c20 router), CVE-2025-26794 (Exim), CVE-2024-50608, CVE-2024-50609 (Fluent Bit), CVE-2024-54961 (Nagios XI), CVE-2025-23115, and CVE-2025-23116 (Ubiquiti UniFi Protect Camera).
U.S. Army Soldier Pleads Guilty to AT&T and Verizon Hacks — Cameron John Wagenius (aka Kiberphant0m), a 20-year-old U.S. Army soldier, who was arrested early last month over AT&T and Verizon hacking, has pleaded guilty to two counts of unlawful transfer of confidential phone records information in 2024. He faces up to 10 years in prison for each count. Wagenius is also believed to have collaborated with Connor Riley Moucka (aka Judische) and John Binns, both of whom have been accused of stealing data from and extorting dozens of companies by breaking into their Snowflake instances.
Two Estonian Nationals Plead Guilty in $577M Cryptocurrency Fraud Scheme — Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, both 40, have pleaded guilty for the operation of a massive, multi-faceted cryptocurrency Ponzi scheme that claimed hundreds of thousands of people from across the world, including in the U.S. They have also agreed to forfeit assets valued over $400 million obtained during the operation of the illicit scheme. The defendants "sold contracts to customers entitling them to a share of cryptocurrency mined by the defendants' purported cryptocurrency mining service, HashFlare," the Justice Department said. "Between 2015 and 2019, Hashflare's sales totaled more than $577 million, but HashFlare did not possess the requisite computing capacity to perform the vast majority of the mining the defendants told HashFlare customers it performed." Potapenko and Turõgin each pleaded guilty to one count of conspiracy to commit wire fraud. If convicted, they each face a maximum penalty of 20 years in prison. The disclosure comes as Indian law enforcement authorities seized nearly $190 million in cryptocurrency tied to the BitConnect scam. BitConnect is estimated to have defrauded over 4,000 investors across 95 countries, amassing $[website] billion before its collapse in 2018. Its founder Satish Kumbhani was charged by the U.S. in 2022, but he remained a fugitive until his whereabouts were traced to Ahmedabad.
Thailand Rescues 7,000 People from Myanmar Call Centers — Thailand Prime Minister Paetongtarn Shinawatra said some 7,000 people have been rescued from illegal call center operations in Myanmar, and are waiting to be transferred to the country. In recent years, Myanmar, Cambodia, and Laos have become hotspots for illicit romance baiting scams, with most of them run by organized cybercrime syndicates and staffed by people who were illegally trafficked into the region under the promise of high-paying jobs. They are then tortured and enslaved into running scams such as romance fraud and fake investment schemes online. "We are facing an epidemic in the growth of financial fraud, leading to individuals, often vulnerable people, and companies being defrauded on a massive and global scale," INTERPOL noted last year. The United Nations estimated that scams targeting victims across East and Southeast Asia caused financial losses between $18 billion and $37 billion in 2023.
Sanctioned Entities Fueled $16 billion in Crypto Activity — Sanctioned entities and jurisdictions were responsible for nearly $[website] billion in cryptocurrency activity last year, accounting for about 39% of all illicit crypto transactions. "In a departure from prior years, sanctioned jurisdictions accounted for a record share of total sanctions-related activity compared to individual entities, commanding nearly 60% of value by the end of 2024," Chainalysis noted. This is driven by the continued emergence of no-KYC exchanges despite enforcement actions, as well as the resurgence of Tornado Cash, which has been the target of sanctions and arrests. "The increase in Tornado Cash usage in 2024 was largely driven by stolen funds, which reached a three-year high, accounting for [website] of total inflows," the blockchain intelligence firm noted. Another notable factor is the increasing use of digital currencies by Iranian services for sanctions-related crypto activity. Cryptocurrency outflows from Iran reached $[website] billion in 2024, up about 70% year-over-year.
U.S. Releases Russian Cybercriminal in Prison Swap — Alexander Vinnik, who pleaded guilty last year to money laundering charges in connection with operating the now-dismantled BTC-e cryptocurrency exchange, has been handed over by the U.S. government to Russia in exchange for Marc Fogel, a school teacher sentenced to 14 years in prison for drug trafficking charges. He was originally arrested in Greece in 2017. His sentencing was scheduled to take place in June 2025.
Black Hat SEO Campaign Targets Indian Sites — Threat actors have infiltrated Indian government, educational, and financial services websites, using malicious JavaScript code that leverages search engine optimization (SEO) poisoning techniques to redirect users to sketchy websites promoting online betting and other investment-focused games that claim to offer referral bonuses. "Targets of interest include websites with [website] , [website] TLDs and the usage of keyword stuffing mentioning well known financial brands in India," CloudSEK noted. "Over 150 government portals, most belonging to state governments, have been affected at scale." It's currently not known how these websites are being compromised. A similar campaign targeting Malaysian government websites has also been reported in the past.
Sky ECC Distributors Arrested in Spain, Netherlands — Four distributors of the encrypted communications service Sky ECC, which was used extensively by criminals, have been arrested in Spain and the Netherlands. The two suspects arrested in Spain are said to be the leading global distributors of the service, generating over €[website] million ($14 million) in profits. In March 2021, Europol said that it was able to crack open Sky ECC's encryption, thereby allowing law enforcement to monitor the communications of 70,000 users and expose the criminal activity occurring on the [website] late January, the Dutch Police announced the arrest of two men from Amsterdam and Arnhem for allegedly selling Sky ECC phones in the country.
Italian Spyware Maker Linked to Malicious WhatsApp Clones — An Italian spyware firm named SIO, which offers solutions for monitoring suspect activities, gathering intelligence, or conducting covert operations, has been attributed as behind malicious Android apps that impersonate WhatsApp and other popular apps and are designed to steal private data from a target's device. The findings demonstrate the various methods used to deploy such invasive software against individuals of interest. The spyware, codenamed Spyrtacus, can steal text messages, instant messaging chats, contacts, call logs, ambient audio, and images, among others. It's currently not known who was targeted with the spyware. The oldest artifact, per Lookout, dates back to 2019 and the most recent sample was discovered in mid-October 2024. Interestingly, Kaspersky revealed in May 2024 that it observed Spyrtacus being used to target individuals in Italy, stating it shared similarities with another stalkerware malware named HelloSpy. "The threat actor first started distributing the malicious APK via Google Play in 2018, but switched to malicious web pages forged to imitate legitimate resources relating to the most common Italian internet service providers in 2019," the firm said. The development comes as iVerify said it discovered 11 new cases of Pegasus spyware infection in December 2024 that go beyond politicians and activists. "The new confirmed detections, involving known variants of Pegasus from 2021-2023, include attacks against individuals across government, finance, logistics, and real estate industries," iVerify said, adding that in about half the cases, the victims did not receive any Threat Notifications from Apple.
CryptoBytes Unleashes UxCryptor Malware — The financially motivated Russian threat actor known as CryptoBytes has been linked to a new ransomware called UxCryptor that uses leaked builders to create and distribute their malware. The group has been active since at least 2023. "UxCryptor is part of a broader trend of ransomware families that use leaked builders, making it accessible to less technically skilled malware operators," the SonicWall Capture Labs threat research team said. "It is often delivered alongside other malware types, such as Remote Access Trojans (RATs) or information stealers, to maximize the impact of an attack. The malware is designed to encrypt files on the victim's system, demanding payment in cryptocurrency for decryption."
Threat Actors Take a Mere 48 Minutes to Go From Initial Access to Lateral Movement — Cybersecurity company ReliaQuest, which recently responded to a manufacturing sector breach involving phishing and data exfiltration, said the attack achieved a breakout time of just 48 minutes, indicating that adversaries are moving faster than defenders can respond. The attack involved the use of email bombing techniques reminiscent of Black Basta ransomware, followed by sending a Microsoft Teams message to trick victims into granting them remote access via Quick Assist. "One user granted the threat actor control of their machine for over 10 minutes, giving the threat actor ample time to progress their attack," ReliaQuest said.
Russia Plans New Measures to Tackle Cybercrime — The Russian government is said to have approved a series of measures aimed at combating cyber fraud. This includes tougher punishments for attackers, longer prison terms, and strengthening international cooperation by allowing the extradition of criminals hiding abroad to Russia for trial and punishment.
Webinar 1: Build Resilient Identity: Learn to Reduce Security Debt Before It Costs You — Join our —a clear roadmap to close identity gaps, cut security debt, and future-proof your defenses in 2025. Learn practical steps to streamline workflows, mitigate risks, and optimize resource allocation, ensuring your organization stays one step ahead of cyber threats. Secure your spot now and transform your identity security strategy.
Webinar 2: Transform Your Code Security with One Smart Engine — Join our ' Amir Kaushansky to explore ASPM—the unified, smarter approach to application security. Learn how merging code insights with runtime data bridges gaps in traditional AppSec, prioritizes risks, and shifts your strategy from reactive patching to proactive prevention. Reserve your seat today.
Ghidra [website] — It makes your cybersecurity work easier and faster. With built-in Python3 support and new tools to connect source code to binaries, it helps you find problems in software quickly. Built by experts at the NSA, this update works on Windows, macOS, and Linux, giving you a smart and simple way to tackle even the toughest challenges in reverse engineering.
RansomWhen — It is an easy-to-use open-source tool designed to help you protect your data in the cloud. It works by scanning your CloudTrail logs to spot unusual activity that might signal a ransomware attack using AWS KMS. By identifying which identities have risky permissions, RansomWhen alerts you before an attacker can lock your S3 buckets and hold your data for ransom. This tool gives you a simple, proactive way to defend against sophisticated cyber threats.
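An added example (not RansomWhen's code, and not from the original page) of the kind of CloudTrail review described above: it groups constructed records by caller identity and flags S3 writes encrypted under a KMS key owned by another account, and KMS keys made unusable after being used for S3 writes. The record shape is simplified, and the rule names, threshold, ARNs and account IDs are assumptions.

```python
"""Heuristic review of CloudTrail records for KMS-based S3 lockout patterns.

Added illustration only: record shape is simplified and all data is constructed.
"""
from collections import defaultdict

# Request parameter carrying the SSE-KMS key on S3 object writes.
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
# KMS actions that leave data encrypted under a key unreadable.
LOCKOUT_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DeleteImportedKeyMaterial"}
BULK_THRESHOLD = 3  # assumed tuning value, not taken from any tool


def account_of(arn):
    """Return the account-id field of an ARN, or None if it is not an ARN."""
    parts = (arn or "").split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def scan(events, bulk_threshold=BULK_THRESHOLD):
    """Return {caller_arn: [finding, ...]} for identities that match a rule."""
    foreign_writes = defaultdict(int)   # writes under another account's key
    keys_used = defaultdict(set)        # KMS keys each identity wrote with
    findings = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        source, name = ev["eventSource"], ev["eventName"]
        if source == "s3.amazonaws.com" and name in ("CopyObject", "PutObject"):
            key_arn = params.get(KEY_HEADER)
            if not key_arn:
                continue  # not an SSE-KMS write with an explicit key
            keys_used[who].add(key_arn)
            owner = account_of(key_arn)
            if owner and owner != ev["recipientAccountId"]:
                foreign_writes[who] += 1
                if foreign_writes[who] >= bulk_threshold:
                    findings[who].add("bulk-writes-under-foreign-key")
        elif source == "kms.amazonaws.com":
            if name == "CreateKey" and params.get("origin") == "EXTERNAL":
                findings[who].add("created-key-with-imported-material")
            elif name in LOCKOUT_EVENTS and params.get("keyId") in keys_used[who]:
                # Ordering matters: the key was used for S3 writes first.
                findings[who].add("key-made-unusable-after-s3-writes")
    return {who: sorted(reasons) for who, reasons in findings.items()}


def _ev(time, source, name, who, params):
    """Build one constructed, simplified CloudTrail record."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "recipientAccountId": ACCT, "userIdentity": {"arn": who},
            "requestParameters": params}


# --- Constructed sample data (placeholder account IDs and names) ---
ACCT = "111122223333"
LOCAL_KEY = f"arn:aws:kms:us-east-1:{ACCT}:key/local-example"
OTHER_KEY = f"arn:aws:kms:us-east-1:{ACCT}:key/other-example"
IMPORTED_KEY = f"arn:aws:kms:us-east-1:{ACCT}:key/imported-example"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999988887777:key/foreign-example"
BACKUP = f"arn:aws:iam::{ACCT}:user/backup-svc"
CI = f"arn:aws:iam::{ACCT}:role/ci-deploy"
ADMIN = f"arn:aws:iam::{ACCT}:role/data-admin"
S3, KMS = "s3.amazonaws.com", "kms.amazonaws.com"

SAMPLE_EVENTS = [
    # Routine backup write under a key in the bucket owner's account.
    _ev("2025-02-01T10:00:00Z", S3, "PutObject", BACKUP, {KEY_HEADER: LOCAL_KEY}),
    # Three copies under a key that belongs to a different account.
    _ev("2025-02-01T11:00:01Z", S3, "CopyObject", CI, {KEY_HEADER: FOREIGN_KEY}),
    _ev("2025-02-01T11:00:02Z", S3, "CopyObject", CI, {KEY_HEADER: FOREIGN_KEY}),
    _ev("2025-02-01T11:00:03Z", S3, "CopyObject", CI, {KEY_HEADER: FOREIGN_KEY}),
    # Key created for imported material, used for a write, then emptied.
    _ev("2025-02-01T12:00:00Z", KMS, "CreateKey", ADMIN, {"origin": "EXTERNAL"}),
    _ev("2025-02-01T12:05:00Z", S3, "CopyObject", ADMIN, {KEY_HEADER: IMPORTED_KEY}),
    _ev("2025-02-01T12:06:00Z", KMS, "DeleteImportedKeyMaterial", ADMIN,
        {"keyId": IMPORTED_KEY}),
    # Disabling a key this identity never wrote with is not flagged.
    _ev("2025-02-01T13:00:00Z", KMS, "DisableKey", BACKUP, {"keyId": OTHER_KEY}),
]

if __name__ == "__main__":
    for identity, reasons in scan(SAMPLE_EVENTS).items():
        print(identity, "->", ", ".join(reasons))
```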
Easy Steps to Supercharge Your Password Manager — In today's digital world, using an advanced password manager isn't just about storing passwords—it's about creating a secure digital fortress. First, enable two-factor authentication (2FA) for your password manager to ensure that even if someone gets hold of your master password, they'll need an extra code to gain access. Use the built-in password generator to create long, unique passwords for every account, mixing letters, numbers, and symbols to make them nearly impossible to guess. Regularly run security audits within your manager to spot weak or repeated passwords, and take advantage of breach monitoring features that alert you if any of your credentials show up in data breaches. When you need to share a password, use the manager's secure sharing option to keep the data encrypted. Finally, ensure your password database is backed up in an encrypted format so you can safely restore your data if needed. These simple yet advanced steps turn your password manager into a powerful tool for keeping your online life secure.
We've seen a lot of action in the cyber world this week, with criminals facing charges and new scams coming to light. These stories remind us that keeping informed is key to online safety. Thanks for joining us, and we look forward to keeping you updated next week.
Teen on Musk’s DOGE Team Graduated from ‘The Com’

Wired reported this week that a 19-year-old working for Elon Musk‘s so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘The Com,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.
Since President Trump’s second inauguration, Musk’s DOGE team has gained access to a truly staggering amount of personal and sensitive data on American citizens, moving quickly to seize control over databases at the [website] Treasury, the Office of Personnel Management, the Department of Education, and the Department of Health and Human Resources, among others.
Wired first reported on Feb. 2 that one of the technologists on Musk’s crew is a 19-year-old high school graduate named Edward Coristine, who reportedly goes by the nickname “Big Balls” online. One of the companies Coristine founded, [website] LLC, was set up in 2021, when he would have been around 16 years old.
“[website] LLC controls dozens of web domains, including at least two Russian-registered domains,” Wired reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”
Mr. Coristine has not responded to requests for comment. In a follow-up story this week, Wired found that someone using a Telegram handle tied to Coristine solicited a DDoS-for-hire service in 2022, and that he worked for a short time at a company that specializes in protecting people from DDoS attacks.
Internet routing records show that Coristine runs an Internet service provider called Packetware (AS400495). Also known as “DiamondCDN,” Packetware currently hosts tesla[.]sexy and diamondcdn[.]com, among other domains.
DiamondCDN was advertised and claimed by someone who used the nickname “Rivage” on several Com-based Discord channels over the years. A review of chat logs from some of those channels shows other members frequently referred to Rivage as “Edward.”
From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.
Rivage made that request in the cybercrime channel “Dstat,” a core Com hub where individuals could buy and sell attack services. Dstat’s website dstat[.]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.
Coristine’s LinkedIn profile noted that in 2022 he worked at an anti-DDoS enterprise called Path Networks, which Wired generously described as a “network monitoring firm known for hiring reformed blackhat hackers.” Wired wrote:
“At Path Network, Coristine worked as a systems engineer from April to June of 2022, -deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the enterprise.”
The founder of Path is a young man named Marshal Webb. I wrote about Webb back in 2016, in a story about a DDoS defense organization he co-founded called BackConnect Security LLC. On September 20, 2016, KrebsOnSecurity .
Less than 24 hours after that story ran, [website] was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept this site offline for nearly 4 days.
The other founder of BackConnect Security LLC was Tucker Preston, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.
The aforementioned Path employee Eric Taylor pleaded guilty in 2017 to charges including an attack on our home in 2013. Taylor was among several men involved in making a false report to my local police department about a supposed hostage situation at our residence in Virginia. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”
CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed[dot]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the [website] attorney general, among others. The group also swatted many of the people they doxed.
Wired noted that Coristine only worked at Path for a few months in 2022, but the story didn’t mention why his tenure was so short. A screenshot shared on the website [website] includes a snippet of conversations in June 2022 between Path employees discussing Coristine’s firing.
, Path founder Marshal Webb dismissed Coristine for leaking internal documents to a competitor. Not long after Coristine’s termination, someone leaked an abundance of internal Path documents and conversations. Among other things, those chats revealed that one of Path’s technicians was a Canadian man named Curtis Gervais who was convicted in 2017 of perpetrating dozens of swatting attacks and fake bomb threats — including at least two attempts against our home in 2014.
On May 11, 2024, Rivage . Rivage expressed frustration with his time spent on Com-based communities, suggesting that its profitability had been oversold.
“I don’t think there’s a lot of money to be made in the com,” Rivage lamented. “I’m not buying Heztner [servers] to set up some com VPN.”
Rivage largely stopped posting messages on Com channels after that. Coristine subsequently spent three months last summer working at Neuralink, Elon Musk’s brain implant startup.
The trouble with all this is that even if someone sincerely intends to exit The Com after years of consorting with cybercriminals, they are often still subject to personal attacks, harassment and hacking long after they have left the scene.
That’s because a huge part of Com culture involves harassing, swatting and hacking other members of the community. These internecine attacks are often for financial gain, but just as frequently they are perpetrated by cybercrime groups to exact retribution from or assert dominance over rival gangs.
Experts say it is extremely difficult for former members of violent street gangs to gain a security clearance needed to view sensitive or classified information held by the [website] government. That’s because ex-gang members are highly susceptible to extortion and coercion from current members of the same gang, and that alone presents an unacceptable security risk for intelligence agencies.
And make no mistake: The Com is the English-language cybercriminal hacking equivalent of a violent street gang. KrebsOnSecurity has -world violence.
When Coristine’s name surfaced in Wired’s report this week, members of The Com immediately took notice. In the following segment from a February 5, 2025 chat in a Com-affiliated hosting provider, members criticized Rivage’s skills, and discussed harassing his family and notifying authorities about incriminating accusations that may or may not be true.
2025-02-05 16:29:44 UTC vperked#0 they got this nigga on indiatimes man.
2025-02-05 16:29:46 UTC alexaloo#0 Their cropping is worse than AI could have done.
2025-02-05 16:29:48 UTC hebeatsme#0 bro who is that.
2025-02-05 16:29:53 UTC hebeatsme#0 yalla re talking about.
2025-02-05 16:29:56 UTC .yarrb#0 rivagew.
2025-02-05 16:29:57 UTC vperked#0 Rivarge.
2025-02-05 16:29:57 UTC xewdy#0 diamondcdm.
2025-02-05 16:29:59 UTC vperked#0 i cant spell it.
2025-02-05 16:30:00 UTC hebeatsme#0 rivage.
2025-02-05 16:30:14 UTC hebeatsme#0 i have him added.
2025-02-05 16:30:20 UTC hebeatsme#0 hes on discord still.
2025-02-05 16:30:47 UTC .yarrb#0 hes focused on stroking zaddy elon.
2025-02-05 16:30:47 UTC vperked#0 [website].
2025-02-05 16:30:50 UTC vperked#0 no fucking way.
2025-02-05 16:30:53 UTC vperked#0 they even made a wiki for him.
2025-02-05 16:31:05 UTC hebeatsme#0 no way.
2025-02-05 16:31:08 UTC hebeatsme#0 hes not a good dev either.
2025-02-05 16:31:14 UTC hebeatsme#0 like????
2025-02-05 16:31:22 UTC hebeatsme#0 has to be fake.
2025-02-05 16:31:24 UTC xewdy#0 and theyre saying ts.
2025-02-05 16:31:29 UTC xewdy#0 like ok bro.
2025-02-05 16:31:51 UTC .yarrb#0 now i wanna know what all the other devs are like….
2025-02-05 16:32:00 UTC vperked#0 “`Coristine used the moniker “bigballs” on LinkedIn and @Edwardbigballer on Twitter, .[“`.
2025-02-05 16:32:06 UTC hebeatsme#0 lmfaooo.
2025-02-05 16:32:17 UTC hebeatsme#0 has to be fake right.
2025-02-05 16:32:22 UTC .yarrb#0 does it mention Rivage?
2025-02-05 16:32:23 UTC xewdy#0 He previously worked for NeuraLink, a brain computer interface enterprise led by Elon Musk.
2025-02-05 16:32:26 UTC xewdy#0 bro what.
2025-02-05 16:32:27 UTC alexaloo#0 I think your current occupation gives you a good insight of what probably goes on.
2025-02-05 16:32:29 UTC hebeatsme#0 bullshit man.
2025-02-05 16:32:33 UTC xewdy#0 this nigga got hella secrets.
2025-02-05 16:32:37 UTC hebeatsme#0 rivage couldnt print hello world.
2025-02-05 16:32:42 UTC hebeatsme#0 if his life was on the line.
2025-02-05 16:32:50 UTC xewdy#0 nigga worked for neuralink.
2025-02-05 16:32:54 UTC hebeatsme#0 bullshit.
2025-02-05 16:33:06 UTC Nashville Dispatch ##0000 ||@PD Ping||.
2025-02-05 16:33:07 UTC hebeatsme#0 must have killed all those test pigs with some bugs.
2025-02-05 16:33:24 UTC hebeatsme#0 ur telling me the rivage who failed to start a enterprise.
2025-02-05 16:33:28 UTC hebeatsme#0 [website].
2025-02-05 16:33:32 UTC hebeatsme#0 who didnt pay for servers.
2025-02-05 16:33:42 UTC hebeatsme#0 was too cheap.
2025-02-05 16:33:50 UTC hebeatsme#0 like??
2025-02-05 16:33:53 UTC hebeatsme#0 it aint adding up.
2025-02-05 16:33:56 UTC alexaloo#0 He just needed to find his calling idiot.
2025-02-05 16:33:58 UTC alexaloo#0 He found it.
2025-02-05 16:34:01 UTC alexaloo#0 Cope in a river dude.
2025-02-05 16:34:04 UTC hebeatsme#0 he cant make good money right.
2025-02-05 16:34:08 UTC hebeatsme#0 doge is about efficiency.
2025-02-05 16:34:11 UTC hebeatsme#0 he should make $1/he.
2025-02-05 16:34:15 UTC hebeatsme#0 $1/hr.
2025-02-05 16:34:25 UTC hebeatsme#0 and be whipped for advanced code.
2025-02-05 16:34:26 UTC vperked#0 prolly makes more than us.
2025-02-05 16:34:35 UTC vperked#0 with his dad too.
2025-02-05 16:34:52 UTC hebeatsme#0 time to findings him for fraud.
2025-02-05 16:34:54 UTC hebeatsme#0 to donald trump.
2025-02-05 16:35:04 UTC hebeatsme#0 rivage participated in sim swap hacks in 2018.
2025-02-05 16:35:08 UTC hebeatsme#0 put that on his wiki.
2025-02-05 16:35:10 UTC hebeatsme#0 thanks.
2025-02-05 16:35:15 UTC hebeatsme#0 and in 2021.
2025-02-05 16:35:17 UTC hebeatsme#0 thanks.
2025-02-05 16:35:19 UTC chainofcommand#0 i dont think they’ll care tbh.
Given the speed with which Musk’s DOGE team was allowed access to such critical government databases, it strains credulity that Coristine could have been properly cleared beforehand. After all, he’d lately been dismissed from a job for allegedly leaking internal business information to outsiders.
(PDF) released by the Director of National Intelligence (DNI), eligibility determinations take into account a person’s stability, trustworthiness, reliability, discretion, character, honesty, judgment, and ability to protect classified information.
The DNI policy further states that “eligibility for covered individuals shall be granted only when facts and circumstances indicate that eligibility is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of national security.”
On Thursday, 25-year-old DOGE staff member Marko Elez resigned after being linked to a deleted social media account that advocated racism and eugenics. Elez resigned after The Wall Street Journal asked the White House about his connection to the account.
“Just for the record, I was racist before it was cool,” the account posted in July. “You could not pay me to marry outside of my ethnicity,” the account wrote on X in September. “Normalize Indian hate,” the account wrote the same month, in reference to a post noting the prevalence of people from India in Silicon Valley.
Elez’s resignation came a day after the Department of Justice agreed to limit the number of DOGE employees who have access to federal payment systems. The DOJ said access would be limited to two people, Elez and Tom Krause, the CEO of a firm called Cloud Software Group.
Earlier today, Musk said he planned to rehire Elez after President Trump and Vice President JD Vance reportedly endorsed the idea. Speaking at The White House today, Trump said he wasn’t concerned about the security of personal information and other data accessed by DOGE, adding that he was “very proud of the job that this group of young people” are doing.
A White House official told Reuters on Wednesday that Musk and his engineers have appropriate security clearances and are operating in “full compliance with federal law, appropriate security clearances, and as employees of the relevant agencies, not as outside advisors or entities.”
NPR reports Trump added that his administration’s cost-cutting efforts would soon turn to the Education Department and the Pentagon, “where he suggested without evidence that there could be ‘trillions’ of dollars in wasted spending within the $[website] trillion the federal government spent in fiscal year 2024.”
GOP leaders in the Republican-controlled House and Senate have largely shrugged about Musk’s ongoing efforts to seize control over federal databases, dismantle agencies mandated by Congress, freeze federal spending on a range of already-appropriated government programs, and threaten workers with layoffs.
Meanwhile, multiple parties have sued to stop DOGE’s activities. ABC News says a federal judge was to rule today on whether DOGE should be blocked from accessing Department of Labor records, following a lawsuit alleging Musk’s team sought to illegally access highly sensitive data, including medical information, from the federal government.
At least 13 state attorneys general say they plan to file a lawsuit to stop DOGE from accessing federal payment systems containing Americans’ sensitive personal information, reports The Associated Press.
Reuters reported Thursday that the [website] Treasury Department had agreed not to give Musk’s team access to its payment systems while a judge is hearing arguments in a lawsuit by employee unions and retirees alleging Musk illegally searched those records.
Ars Technica writes that The Department of Education (DoE) was sued Friday by a California student association demanding an “immediate stop” to DOGE’s “unlawfully” digging through student loan data to potentially dismantle the DoE.