Cyber security aggregate rss news

Cyber security aggregator - feeds history

Cyber News

The U.S. Secret Service said it has dismantled a massive telecommunications threat in the New York tri-state area that could have shut down cellular networks and disrupted critical communications during the United Nations General Assembly. The discovery followed an investigation launched earlier this year after senior U.S. officials were targeted by “imminent” telecommunications-related threats.

According to Special Agent in Charge Matt McCool of the Secret Service’s New York field office, the scale and timing of the operation prompted an unusual public announcement.

“Following multiple telecommunications-related imminent threats directed towards senior U.S. government officials this spring, the U.S. Secret Service began a protective intelligence investigation to determine the extent and impact these threats could have on protective operations,” McCool said in a statement. “This was a difficult and complex effort to identify the source of these fraudulent calls and the impact on the Secret Service protective mission.”

Investigators uncovered tens of thousands of collocated and networked cellular devices across the New York area, which McCool described as capable of carrying out “nefarious telecommunications attacks.” These devices, concentrated within 35 miles of the United Nations headquarters, were configured to enable encrypted and anonymous communications between criminal groups and potential foreign threat actors.

“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” McCool said. “Given the timing, location, and proximity and potential for significant disruptions to the New York Telecom system, we moved quickly to disrupt this network.”

A Threat at the Heart of Global Diplomacy

The General Assembly, one of the most high-profile diplomatic gatherings in the world, is currently underway in Manhattan, drawing heads of state, senior officials, and thousands of delegates. The Secret Service, which has a protective mandate covering U.S. leaders and visiting dignitaries, coordinated with Homeland Security Investigations, the Department of Justice, the Office of the Director of National Intelligence, and the NYPD to neutralize the threat. McCool stressed that the devices are no longer a danger to the region.

“To be clear, these recovered devices no longer pose a threat to the New York tri-state area,” he said. However, he noted that the investigation is far from over. Forensic examinations are now underway on data equivalent to that of 100,000 cell phones, an unprecedented haul that could reveal connections between foreign actors and individuals already known to law enforcement.

“Early analysis indicates cellular communications between foreign actors and individuals that are known to federal law enforcement,” McCool said. “Given the sensitivity and complexity of this investigation, we are not able to go into specifics at this time. This is an open and active investigation and we have no arrest to announce today.”

Technical Risks

Experts noted that the incident bore similarities to other forms of telecom exploitation. Criminals and state-linked actors have long abused weaknesses in mobile networks through techniques such as:

- SIM-boxing, in which bulk devices reroute international calls through local numbers to avoid carrier fees — a practice often tied to organized crime.
- IMSI catchers or fake base stations, which mimic legitimate cell towers to intercept communications, track devices, or deliver malicious payloads.
- Botnet-driven DDoS attacks targeting telecom operators, capable of overwhelming infrastructure and knocking services offline.

The New York operation, however, stood out in scale. The presence of tens of thousands of interconnected cellular devices suggested a system designed not only for fraud or interception but also for the potential mass disruption of communications infrastructure. Targeting the cellular backbone at such a critical time — with global leaders convened at the UN — could have crippled emergency services, diplomatic coordination, and financial transactions in the city.

An Unresolved Puzzle

The Secret Service has not confirmed whether the intent was specifically to disrupt the UN General Assembly, but McCool acknowledged that possibility is under review. “We will continue working towards identifying those responsible in their intent, including whether their plan was to disrupt the UN General Assembly and communications of government and emergency personnel during the official visit of world leaders,” he said.

McCool said the announcement was made in the interest of transparency and public safety, even as the agency holds back operational details. “This announcement is designed to safeguard critical infrastructure and responsibly provide the public what we can at this time,” he said. “The Secret Service will continue to run down all leads until we fully understand the intent of the operation and identify those responsible.”

The investigation remains ongoing, with forensic teams continuing to parse through mountains of intercepted data. Officials said more details could be shared once the analysis is complete and suspects are identified.

Also read: UN Approves First Cybercrime Treaty Amidst Criticism From Human Rights Activists

Cyber News

British authorities arrested a man in his 40s from West Sussex in connection with a ransomware incident that knocked out automated check-in and baggage systems at several major European airports. Law enforcement detained the suspect under the Computer Misuse Act and later released him on conditional bail as investigators continue their probe.

“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” said Deputy Director Paul Foster, head of the National Crime Agency’s Cyber Crime Unit. “Cybercrime is a persistent global threat that continues to cause significant disruption to the UK. Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”

The outage began on September 19 and forced airlines to revert to manual processes, creating long queues and triggering hundreds of delays and cancellations across hubs including London Heathrow, Brussels, Berlin and Dublin. Thousands of passengers faced disrupted plans as ground staff issued handwritten boarding passes and moved baggage through improvised procedures.

Read: Berlin, Brussels, Dublin, and Heathrow Disrupted by Cyberattack on Critical Check-In Systems

Collins’ Parent Confirms Ransomware Attack

Authorities and industry officials quickly traced the disruption to a vendor product. The attack targeted Collins Aerospace’s passenger processing software, known as MUSE (Multi-User System Environment), a platform that lets multiple airlines share check-in and gate resources. RTX, Collins’ parent company, disclosed the incident in an 8-K filing, saying it detected a “product cybersecurity incident involving ransomware” on systems that support MUSE and that those systems sit on customer-specific networks outside RTX’s enterprise environment.

The European Union Agency for Cybersecurity (ENISA) said it identified the ransomware family used in the attack but declined to name the strain while investigations continue. ENISA’s confirmation moved the incident from “operational disruption” to a confirmed ransomware event, heightening concern about third-party software in critical transport infrastructure. Ransomware typically encrypts files or systems and demands payment for a decryption key.

Airport Operations Still Lagging

Airport operators warned that effects could linger. Berlin’s airport said check-in and baggage handling had yet to be fully restored and warned travelers to expect further delays and cancellations as teams continue manual processing and recovery work. Brussels reported limited operations in some areas, while Heathrow said most flights were running but urged passengers to verify schedules before travelling; Dublin reported operations “moving well” though some airlines still used manual workarounds.

RTX told investors it activated its incident response plan, engaged internal and external cybersecurity experts, and notified domestic and international law enforcement and government agencies. The filing added that customers had shifted to backup or manual processes and that the company did not expect a material financial impact from the incident at this time.

Those details underscore two practical realities: vendors must assume their software can become a vector for large-scale disruption, and customers must rehearse failover plans that do not depend on the vendor’s network. Cybersecurity specialists say the case shows supply-chain risk in aviation, where a single third-party platform can touch dozens of airlines and several airports simultaneously. The incident strengthens calls for stricter security controls at the boundary between provider and customer environments, and for verified, offline recovery options for critical operations. There is also a need for rapid threat-sharing among operators and regulators to speed containment and recovery.

Firewall Daily

Jaguar Land Rover (JLR) has announced an extension of its production shutdown until October 1, 2025, following a major cyberattack that has severely disrupted its global operations. The automaker has been battling to restore functionality since August 31, 2025, when a critical cyber incident crippled its IT infrastructure and brought manufacturing at multiple facilities to a standstill. The Jaguar Land Rover cyberattack, now entering its fifth week, has evolved from a corporate crisis into a national concern, with widespread economic implications and growing political attention.

JLR Shutdown Extended Amid Ongoing Investigation

In an official statement, JLR said that the company has notified its workforce, suppliers, and partners about the extended production pause. “We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation,” the company said.

JLR added that it is working closely with cybersecurity experts, the UK’s National Cyber Security Centre (NCSC), and law enforcement agencies to address the incident and ensure a secure return to operations. “Our teams continue to work around the clock,” the company emphasized, highlighting its commitment to safety and recovery. UK government officials have held a number of high-level meetings on the situation, including a visit yesterday by Business Secretary Peter Kyle and Industry Minister Chris McDonald to JLR headquarters.

Global Impact and Operational Paralysis

The cyberattack on Jaguar Land Rover has had far-reaching effects beyond the UK. Facilities in India, Slovakia, China, and Brazil have also been impacted, with production lines halted and IT systems inoperable. Notably, India’s operations, which typically produce around 1,000 vehicles per month, have been severely disrupted, resulting in vehicle backlogs of up to eight months depending on the model.

Dealers globally are grappling with the inability to register vehicles, order spare parts, or use diagnostic software, leaving customers and service centers in a bind. More than 33,000 employees in the UK alone have been affected, with key assembly plants at Solihull and Halewood operating on minimal shifts.

Supply Chain Strain and Economic Risk

Beyond the direct impact on JLR, the shutdown is wreaking havoc on its vast supply chain. An estimated 200,000 jobs across supplier companies are at risk. According to the Society of Motor Manufacturers and Traders (SMMT), approximately 25% of JLR suppliers have already paused production, many opting to "bank hours" for future use or lay off workers.

Mike Hawes, Chief Executive of SMMT, warned: “Whatever happens to JLR will reverberate through the supply chain. Some small and medium-sized enterprises are most at risk, with up to a quarter already forced to lay off employees. A further 20–25% are considering similar actions soon.” One unnamed supplier told the BBC it had already let go of nearly half its workforce due to the shutdown.

Political Response and Government Involvement

The severity of the Jaguar Land Rover cyberattack has prompted political action. On September 19, 2025, the UK’s Department for Business and Trade (DBT) held an “extraordinary meeting” with SMMT’s Automotive Components Section to assess the crisis. In a statement, the DBT said it is working “closely with JLR to understand any impacts on the supply chain” and remains in communication with cybersecurity experts to support the recovery effort.

On September 17, more than 30 Members of Parliament sent a letter to Business and Trade Secretary Peter Kyle, urging the government to consider direct support for struggling suppliers. “It is clear that for some of these businesses, the cash flow situation is becoming serious,” the letter stated. “If this shutdown is prolonged, the predominantly UK-based supply chain will no longer exist, as companies will shutter and lay off skilled staff who are hard to replace.”

Potential Financial Losses and Future Outlook

JLR is believed to be losing at least £50 million per week due to lost production, with the company typically manufacturing over 1,000 vehicles a day. Industry analysts suggest the financial and reputational damage could take months—if not longer—to repair.

Union leaders are skeptical about a near-term resolution. Jason Richards, a regional officer for the Unite union, told the BBC: “I don’t want to be pessimistic, and I don’t want to sensationalize this, but I really am concerned about the issue we find ourselves in… There’s zero chance production restarts next week.”

Cyber News

Endpoint detection and response (EDR) bypass and evasion tools and techniques are commonly used by threat actors and ransomware groups to evade security defenses and carry out their attacks. One common approach is BYOVD (Bring Your Own Vulnerable Driver), in which a signed but vulnerable driver is loaded to disable EDR and antivirus protections, but that requires threat actors to install the vulnerable driver they intend to exploit.

A new approach avoids the need to install vulnerable drivers by using Windows Error Reporting and the MiniDumpWriteDump function to put antivirus processes into indefinite suspension, all done in user mode without the need for third-party tools. The technique, dubbed EDR-Freeze, was published earlier this week by the anonymous researcher Two One Seven Three on Zero Salarium.

Using Windows Functions to Bypass EDR

The MiniDumpWriteDump function in the Windows DbgHelp library creates a minidump of a process for debugging. “But here's the catch: it suspends all threads in the target process during the dump,” the researcher wrote. “... This is necessary because threads could otherwise be modifying memory while the dump is being written, leading to corruption or inconsistencies.” Microsoft recommends using the function from an external process instead of calling it from within the crashing process to avoid deadlocks.

The researcher faced two challenges: MiniDumpWriteDump executes very quickly, so its execution time had to be extended; and EDR and antivirus processes are often secured with Protected Process Light (PPL), which would have to be bypassed to tamper with those processes.

By reverse-engineering the WerFaultSecure program, “we can use it to activate the MiniDumpWriteDump function with any desired process,” the researcher said. “By combining with the CreateProcessAsPPL tool, we can leverage WerFaultSecure to address the second issue. ... if a normal process can run a new process with PPL protection, then during the CreateProcess, we can force the child PPL process to suspend by using the CREATE_SUSPENDED flag.”

The PROCESS_SUSPEND_RESUME access right can be used to resume and suspend the process. Process Explorer can suspend a process protected with PPL – but not processes marked as antimalware. “But that is enough,” the researcher said.

“With all the information above, if we can make WerFaultSecure perform the dump process and then call MiniDumpWriteDump with Antivirus processes, and then we suspend WerFaultSecure right at the moment it puts the target process into a suspended state, the target program will be suspended indefinitely because the process that could resume it, WerFaultSecure, has also been suspended.”

EDR Bypass Through a Race Condition Attack

The Zero Salarium researcher described a race condition attack with four steps:

1. Use CreateProcessAsPPL to run WerFaultSecure with protection at the WinTCB level.
2. Fill in the parameters for WerFaultSecure so that it performs the dump of the target process.
3. Check the status of the target process until it is suspended.
4. Use OpenProcess with the PROCESS_SUSPEND_RESUME access right and NtSuspendProcess to suspend the WerFaultSecure process.

The researcher created a tool on GitHub to run the technique – and another researcher quickly wrote a KQL rule to detect it.

“The biggest weakness of the BYOVD attack is that you must carry drivers with software vulnerabilities to exploit, which can easily cause dangerous disturbances on monitored target machines,” the Zero Salarium researcher wrote. “With EDR-Freeze, exploiting the software vulnerability of the WerFaultSecure program available on Windows will address the weakness of the BYOVD technique. Additionally, we can flexibly control the programs of EDRs and Antimalware, deciding when they should run and when they should be suspended at will, ensuring that everything operates more smoothly.”
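The article notes that a KQL detection rule for EDR-Freeze appeared quickly. The following is an added detection example, not code from the article, from Zero Salarium, or from the researcher who wrote the KQL rule. It runs the same idea over constructed, Sysmon-style process-creation records: a WerFaultSecure.exe launch is flagged when its parent is not the usual Windows Error Reporting host, when its command line names the PID of an antimalware process, or when both it and that target sit suspended at the same time. The expected-parent set, the antimalware image names, the idea that the dump target appears as a numeric PID on the command line, and the sample command-line flags are all assumptions to be tuned against real telemetry.

```python
"""Detection heuristic for the WerFaultSecure-based suspension pattern
(EDR-Freeze) described in the article. Added example, not the article's code.

The events below are constructed, Sysmon-style process-creation records,
not real telemetry. Parent/image lists are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: WerFaultSecure.exe is normally launched by the WER service host
# (svchost.exe) or wermgr.exe, so any other parent deserves a look.
EXPECTED_WERFAULT_PARENTS = {"svchost.exe", "wermgr.exe"}
# Assumption: image names of the antimalware/EDR processes you want to protect.
ANTIMALWARE_IMAGES = {"msmpeng.exe", "mssense.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    cmdline: str


def find_edr_freeze_candidates(events, suspended_pids=frozenset()):
    """Return [(werfaultsecure_pid, [reasons])] for WerFaultSecure launches that
    match the abuse pattern: unexpected parent, a command line naming an
    antimalware PID, or the launcher and its target both left suspended."""
    av_pids = {e.pid for e in events if e.image.lower() in ANTIMALWARE_IMAGES}
    findings = []
    for e in events:
        if e.image.lower() != "werfaultsecure.exe":
            continue
        reasons = []
        if e.parent_image.lower() not in EXPECTED_WERFAULT_PARENTS:
            reasons.append(
                f"launched by unexpected parent {e.parent_image} (pid {e.parent_pid})"
            )
        # Assumption: the dump target PID shows up as a numeric token on the command line.
        tokens = set(re.findall(r"\d+", e.cmdline))
        targeted = sorted(p for p in av_pids if str(p) in tokens)
        if targeted:
            reasons.append(f"command line references antimalware pid(s) {targeted}")
        # The end state the technique aims for: dumper and target both suspended.
        if e.pid in suspended_pids and any(p in suspended_pids for p in targeted):
            reasons.append("WerFaultSecure and its antimalware target are both suspended")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed sample: one ordinary crash-dump launch (notepad crashed, WER host
# started WerFaultSecure) and one launch from an unrelated loader aimed at the
# antimalware engine. Command-line flags here are made up for the sample.
SAMPLE_EVENTS = [
    ProcEvent(1234, "MsMpEng.exe", 700, "services.exe", "MsMpEng.exe"),
    ProcEvent(4321, "notepad.exe", 900, "explorer.exe", "notepad.exe"),
    ProcEvent(5001, "WerFaultSecure.exe", 1100, "svchost.exe",
              "WerFaultSecure.exe -p 4321 -s 123"),
    ProcEvent(6002, "WerFaultSecure.exe", 3333, "loader.exe",
              "WerFaultSecure.exe -p 1234 -s 456"),
]
# Constructed process-state snapshot: the abusive WerFaultSecure and the
# antimalware process are both suspended.
SAMPLE_SUSPENDED = frozenset({6002, 1234})

if __name__ == "__main__":
    for pid, reasons in find_edr_freeze_candidates(SAMPLE_EVENTS, SAMPLE_SUSPENDED):
        print(pid, "->", "; ".join(reasons))
```

The benign launch (pid 5001) produces no finding, while the loader-spawned launch (pid 6002) is reported with all three reasons. In production the parent check alone will produce noise from legitimate WER paths, so the command-line and suspension conditions are what give the alert its weight; feed the function from your process-creation source and a periodic snapshot of suspended processes rather than the constructed lists here.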

Cyber News

By Mandar Patil, Founding Member and SVP - Global Sales and Customer Success, Cyble

At 02:17 a.m., the SOC phone lights up—an unfamiliar domain has begun hawking what looks like a tranche of employee KYC data. It’s a Sunday, naturally. Screens crowd with IP hops and credential lists, and the analysts’ half-finished coffees go cold while they pivot from Slack screenshots to pastebins to a vendor portal that suddenly returns a 500.

In that dark, crowded minute, there are two clocks. One belongs to the attacker, measuring how long they can monetize before takedowns bite. The other is the regulator’s—silent, precise, increasingly unforgiving.

India’s Digital Personal Data Protection (DPDP) Act, 2023 has been on the books for a few years now. What changes now is less theatrical than a midnight “switch-on” and more like a control room coming alive: procedural lights turning green, routes getting unblocked, appeal paths lit, and duties operationalized. With the DPDP Rules expected to be notified around September 28, 2025, the norm-setting scaffolding around the Act begins to function in earnest—especially for breach handling, consent governance, and the day-to-day operations of the new Data Protection Board (DPB).

If the Act was the promise, the Rules are the wiring diagram. They don’t change India’s north star—rights-respecting processing at scale—but they do tell DPOs and CISOs how fast to move, what to log, whom to notify, and how to prove it when the Board asks.

What Actually Switches on First

The Rules bring the DPB’s practical life into view: digital office functioning, meeting processes, timelines for inquiries, and the appeals flow to the TDSAT (Telecom Disputes Settlement and Appellate Tribunal). In other words, the Board gets the instruments it needs to work like a modern adjudicatory agency. The draft text details the Board’s digital proceedings, quorum and voting, the six-month inquiry window (extendable in reasoned steps), and the appeal mechanism (filed digitally) to the TDSAT—giving companies and complainants a clear route from complaint to order to appeal.

Crucially, the penalty architecture under the Act remains exactly as stark as many first feared. The DPDP Act allows the Board to levy monetary penalties up to ₹250 crore per instance for the most serious lapses (notably failure to implement “reasonable security safeguards” to prevent personal data breaches). That ceiling is not rhetorical—it is explicit in the law’s schedule and widely summarized by neutral trackers and legal analysis.

Appeals go to the TDSAT. This is not a rumor or a blog rumor mill—it’s baked into the Act’s structure: orders of the Board are appealable to TDSAT, with further recourse to the Supreme Court on limited grounds. Expect a learning curve as a telecom tribunal steps into the privacy beat, but the path is clear.

Also read: India Releases Draft Data Protection Rules for Public Consultation

Breach Notification: The New Choreography with An Old Metronome

Under the Act, data fiduciaries must notify both the DPB and affected individuals in the event of a personal data breach. The DPDP Act itself never prescribed a fixed deadline, and the Draft Rules continue in that pragmatic vein, using the phrase “without delay” rather than a hard timer. Practically, Boards tend to read “without delay” as hours, not days.

Now overlay India’s CERT-In regime—the metronome that’s been ticking since 2022. For a wide set of cyber incidents, CERT-In requires reporting within 6 hours of “noticing” or being informed of an incident. That obligation hasn’t gone away; the DPDP framework sits in addition to it. Your breach response runbook must assume two parallel notifications: one to CERT-In (6 hours) and another to the DPB/individuals (“without delay” under the draft Rules, with final timelines to be read from the notified text). Don’t conflate the two.

Implication: If you only discover breaches when victims complain, you’ve already lost the timeline. The only way to make six-hour and “without delay” windows tractable is:

- Continuous detection (across network, endpoint, identity, and dark-web surfaces)
- Pre-approved comms templates and decision trees
- Evidence capture that stands up in an inquiry

Consent Managers: The ‘Interoperable Consent Layer’ Gets Real

The Rules flesh out Consent Manager registration and obligations: the Board can register platforms that enable users to give, manage, withdraw, and audit their consents across multiple data fiduciaries; it may also suspend or cancel registrations for non-adherence. The schedules outline transparency duties, audit mechanisms, conflict-of-interest guardrails, and record-keeping (e.g., maintaining consent logs for at least seven years). Once notified, this interoperable layer should start tightening incentives for clean notices and traceable, revocable consent.

For DPOs, this changes customer-facing UX priorities overnight. “Pretty” is no longer enough—consent has to be verifiable, portable, and provable.

Not Everything Lands on Day 1

Some obligations will phase in over the first 12–24 months, especially for entities the government designates as Significant Data Fiduciaries (SDFs). SDFs shoulder additional duties: appointing a senior DPO in India, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, periodic independent audits, and maintaining beefed-up grievance and redressal processes. The negative-list approach to cross-border transfers (transfer allowed by default except to countries the government specifically restricts) will become clearer as notifications arrive.

Two themes to watch as final Rules emerge:

- Children’s Data: Verifiable parental consent and age-gating standards are described with specificity in the draft, and will likely need technical controls (e.g., digital locker tokens) rather than checkbox rituals.
- Data Retention, Erasure Prompts, and Logs: The Rules sketch detailed triggers for erasure and one-year minimum log retention to support detection and investigation—a direct nod to practical incident response.

The Day-One Survival Kit for Indian DPOs (and their boards)

- Map and minimize. If you can’t draw your data flows in three pages—what you collect, why, where it goes, who processes it, when you erase—you won’t survive discovery, let alone an inquiry. Start with notices, consents, and SDF-risk mapping. (If you operate at population scale, use advanced profiling, or touch the financial system, expect SDF conversations.)
- Build two notification muscles. Hard-wire CERT-In’s six-hour timer into your IR playbooks, and separately maintain templated DPB and data-principal notifications to be sent “without delay,” with a contact who can answer technical questions. Don’t wait to draft these after an incident.
- Treat “reasonable security safeguards” as a legal control, not a buzzword. The Act’s heaviest penalty (up to ₹250 crore) is tethered to failures here. Think encryption and tokenization at rest and in transit; identity segmentation; monitoring and log retention; supplier hardening; and incident rehearsal. Reasonableness is contextual, but negligence is discoverable.
- Prepare for Consent Managers. If your web and app stacks can’t ingest standardized consent signals and expose machine-readable logs on demand, you’ll feel it in complaint handling and, eventually, in Board proceedings.
- Align privacy with business advantage. The Board will penalize non-compliance, but trust is the bigger prize in a 1.4-billion-user market. Early movers in privacy-by-design will advertise it—and convert on it. The law gives you a stick; take the carrot.

Where Cyble Fits (and Where it Must be Careful)

This is The Cyber Express by Cyble, and I won’t pretend we’re neutral observers. Our vantage point, watching breaches bloom first on the dark web before they hit mainstream, keeps surfacing the same lesson: you cannot compress investigation time if you start detecting late. Continuous monitoring of dark-web markets and closed channels, paired with curated breach intelligence, materially shortens the “time-to-notice” and the “time-to-evidence,” which are the two clocks that DPOs now live by.

It’s tempting to say “only” dark-web intelligence can save you from penalties. That’s not how compliance works. What we can say, humbly and firmly, is that organizations with real-time leak visibility, across dark-web, messaging apps, breach-paste ecosystems, and credential dumps, consistently meet reporting windows that seem impossible on paper, because their first signal arrives earlier than the ransom email. Our teams already liaise (lawfully and appropriately) with sectoral responders and national incident channels so clients can meet CERT-In’s six-hour escalations while assembling the DPB narrative “without delay.”

We’ve been here before. In earlier years, when India’s personal data law was still in committee, Cyble was invited to share practitioner perspectives with the parliamentary process, a reminder that the domestic privacy conversation has always included frontline intelligence and response voices.

Myth-Busting the ‘72-hour Rule’

You will hear “72 hours” in hallways this week. It’s a GDPR reflex, and some sectoral documents and vendor write-ups echo it. The DPDP Act does not contain a hard 72-hour breach deadline, and the Draft DPDP Rules say “without delay” for intimation to the Board and affected individuals. Could the final rules or guidance land on a specific timer? Possibly. But today’s safe reading is: CERT-In = 6 hours, DPDP = promptly/without delay. Design for the stricter timer and you won’t be wrong.

The Long Road: Children, DPIAs, and Transfers

Expect verifiable parental consent to evolve beyond pop-ups; the draft sketches flows using Digital Locker or similar trust frameworks to confirm adult identity before a child account can be created. DPIAs will cease to be shelf-ware for SDFs; they’ll be living documents that justify risk choices before the Board asks. And cross-border transfers will formalize under a negative-list approach: default-allowed except to countries notified as restricted, with sectoral overlays where regulators add their own rails.

None of this is performative. As appeals land at the TDSAT, we’ll see case-law harden what “reasonable safeguards,” “without delay,” and “DPIA quality” mean in India—not as borrowed phrases, but as Indian standards, born in Indian courts.

The breach you prevent won’t make the news. The breach you detect early will feel, internally, like a near-miss. The breach you notify cleanly and quickly will hurt, but it will teach. India’s privacy regime is growing up—less prescriptive than some, more muscular than many. The DPB gives it a working spine; the TDSAT, a safety valve; the penalties, a sharp memory.

For DPOs and boards, the goal isn’t to outrun the regulator. It’s to outrun your own lag—shorten the time between first signal and first decisive action. In that gap, reputations live or die.

Also read: Everything You Need to Know About the Digital Personal Data Protection Bill 2023

Cyber News

European authorities have shut down a crypto-fraud ring that had amassed more than €100 million (approximately $107 million) by duping individuals across the continent. Eurojust, the European Union Agency for Criminal Justice Cooperation, coordinated the operation this week. Authorities in Spain, Portugal, Italy,   show more ...

Romania, and Bulgaria carried out simultaneous raids, arresting five suspects—including the alleged ringleader—while freezing assets and searching multiple premises. Victims of the scheme were spread across Germany, France, Italy, Spain, and other countries, and were lured into investing through professional-looking online platforms that promised extraordinary returns. According to Eurojust, the fraud had operated for years, incorporating elaborate money-laundering networks to disguise illicit gains. The case revealed the highly technical playbook that scammers increasingly deploy. Fraudulent websites mimicked the interfaces of legitimate financial services, complete with fake dashboards displaying fabricated account balances, real-time trading graphs, and customer support channels. To build trust, some victims were subjected to sham know-your-customer (KYC) procedures, including uploading IDs and personal information, giving the platforms a veneer of regulatory compliance. In reality, funds deposited were never invested but were siphoned into layered laundering chains, often routed through multiple exchanges, mixers, and shell companies to obfuscate their origin. Eurojust investigators noted that the group maintained a network of accounts across different jurisdictions, using fast-moving transfers to frustrate tracing efforts. During the action day, national investigators coordinated to freeze bank accounts, seize digital infrastructure, and preserve forensic evidence from servers and devices. Authorities said that international cooperation was key, since the infrastructure supporting the fraud was dispersed across several countries. The coordinated seizures were designed not just to capture assets but also to map out the wider ecosystem of accomplices and enablers behind the operation. Crypto-Fraud on the Rise The takedown comes against the backdrop of an alarming rise in cryptocurrency-related fraud worldwide. 
In the United States, the FBI’s Internet Crime Complaint Center reported that crypto fraud losses in 2023 had climbed to $5.6 billion, a 45% increase over the previous year, based on nearly 70,000 complaints. Read: Massive Spike in Crypto Fraud: FBI Reports Over $5.6 Billion Losses in 2023 One year later, losses surged again to $9.3 billion in 2024, representing a 66% year-on-year jump. The steep growth showed how fraudsters were capitalizing on public enthusiasm for digital assets and the lack of robust safeguards in many investment channels. Europe has faced a parallel surge. Belgium’s Financial Services and Markets Authority disclosed that in the second half of 2024 alone, reported fraud losses reached €15.9 million, with nearly €12.5 million tied to bogus crypto-trading platforms. Eurojust itself has been pulled into several major investigations over the past two years, including a 2023 operation targeting fraudulent call centers in Ukraine and Georgia that defrauded thousands of victims across 20 countries. Those cases, like the most recent takedown, relied heavily on cross-border coordination and swift asset freezes to prevent funds from vanishing into untraceable crypto wallets. Several factors explain why crypto fraud has scaled so rapidly. The irreversible nature of blockchain transactions means victims have little recourse once their funds are transferred. Fraudulent platforms often deploy convincing user interfaces, engineered to instill confidence through professional branding, real-time trading data simulations, and customer support scripts. The use of fake KYC steps, while giving a sense of legitimacy, also enabled fraudsters to harvest sensitive personal data for secondary exploitation. Meanwhile, laundering tactics such as “smurfing” transactions into smaller sums, routing through mixers, and leveraging lightly regulated exchanges allowed scammers to convert illicit gains into fiat currencies with relative ease. 
With crypto investment scams doubling in the United States in just one year and European regulators issuing repeated warnings, cryptocurrency fraud has become a defining cybercrime of the decade. The dismantling of this €100M scheme adds urgency to ongoing debates over stricter oversight of crypto exchanges, stronger consumer protections, and more aggressive international policing. While the latest takedown marked a victory, experts agree that fraudsters will continue to exploit the trust gap between emerging technologies and investors eager for quick returns.

Also read: Avoid Using Unregistered Cryptocurrency Transfer Services, FBI Warned

image for CISA Says Failure to ...

 Cyber News

CISA this week offered a rare window into a real-world breach at a U.S. federal civilian agency. Delays in patching, unexercised incident response plans, and inadequate monitoring of EDR alerts were the three critical gaps that allowed the intrusion, the agency said.

CISA said the incident began when endpoint detection and response (EDR) alerts surfaced in early July 2024, but they were only observed a month later, in August. During forensic analysis, the agency determined the threat actors had first gained access by exploiting CVE-2024-36401, a remote code execution vulnerability affecting GeoServer. Technically, it was an XPath expression injection vulnerability that stemmed from the way GeoServer handles XPath expressions. Specifically, when GeoServer interacts with the GeoTools library API, it passes element type attribute names insecurely to the commons-jxpath library. This mishandling allowed malicious actors to inject crafted XPath expressions that could execute arbitrary code on the affected server.

Also read: GeoServer and GeoTools Address XPath Expression Injection Vulnerabilities

The breach stretched over three weeks before detection, during which attackers pivoted across systems, deployed web shells, and leveraged living-off-the-land tools. On July 11, 2024, the adversaries exploited the first GeoServer, and by July 24 they had used the same flaw to breach a second GeoServer. They then moved laterally from web infrastructure into SQL servers. In each environment, they dropped web shells (e.g., China Chopper), uploaded custom scripts for persistence and privilege escalation, and used tools such as Stowaway to establish encrypted proxy channels. Their tactics included cron jobs for persistence, abuse of valid accounts, and disabling or bypassing protections on public-facing servers. In some cases, endpoint protection was completely absent. Their reconnaissance included scanning via fscan, ping sweeps, and internal enumeration of hosts and services.

CISA also mapped the attacker’s tradecraft to the MITRE ATT&CK framework.
They used techniques such as Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (PowerShell, T1059), Proxy (Stowaway, T1090), defense evasion via web shells and BITS jobs (T1202, T1197), and Brute Force credential attacks (T1110) for lateral movement.

The agency’s investigation also revealed three failures that cumulatively enabled this campaign. First, the agency delayed remediating known vulnerabilities: CVE-2024-36401 had been publicly disclosed 11 days before the first exploitation and 25 days before the second. Second, the agency’s incident response plan (IRP) was untested, lacked protocols for third-party collaboration, and prevented rapid deployment of external tools. That delay affected CISA’s ability to respond efficiently. Third, and perhaps most crucially, EDR alerts were not actively reviewed and crucial systems lacked endpoint defenses. The threat actors remained undetected for three weeks because alerts on the first GeoServer went unnoticed and the web server had no endpoint coverage.

In its advisory, CISA asked organizations to strengthen three domains: Prevent, Prepare, and Detect/Respond. Under Prevent, it advises aggressive patching of public-facing systems—especially vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Under Prepare, the agency urges maintaining and regularly exercising IRPs, and building robust logging systems that aggregate logs off-site. Under Detect/Respond, CISA calls for continuous review of alerts, deploying endpoint protections on all public-facing systems, and implementing behavior-based anomaly detection.

By making this advisory public, CISA exposed not just one agency’s weakness but systemic risks many organizations face: complacency in patch management, brittle incident planning, and alert overload or blind spots in security operations.
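As an added illustration (not code from the CISA advisory or from the agency involved), the following Python audit checks the three gaps the advisory names, KEV patching, endpoint coverage on public-facing hosts and alert triage latency, against a constructed inventory. Every host name, date and alert record is made up for the example, and the KEV entry only mirrors the field names of the public KEV JSON feed; its due date is a constructed value, not the catalog's real one.

```python
"""Added example, not code from the CISA advisory: audit a constructed host
inventory, a constructed KEV excerpt and constructed EDR alert records for the
three gaps the advisory describes (late KEV patching, missing endpoint agents,
alerts that sat unreviewed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Field names mirror the public KEV JSON feed (cveID, product, dueDate).
# The dueDate here is constructed for the example, not the catalog's entry.
KEV_SAMPLE = [
    {"cveID": "CVE-2024-36401", "product": "GeoServer", "dueDate": "2024-08-05"},
]


@dataclass
class Host:
    name: str
    public_facing: bool
    edr_installed: bool
    # CVE ID -> date the patch was applied, or None if still unpatched
    patch_status: dict


@dataclass
class Alert:
    host: str
    raised: date
    acknowledged: Optional[date]  # None means nobody has looked at it yet


def kev_due_dates(kev):
    """Map each KEV entry to its remediation due date."""
    return {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev}


def audit(hosts, alerts, kev, today, max_triage_days=1):
    """Return (host, finding, detail) tuples, one per gap found.

    no-edr       public-facing host without an endpoint agent
    kev-open     KEV vulnerability unpatched, due date not yet reached
    kev-overdue  KEV vulnerability unpatched past its due date
    alert-stale  EDR alert not acknowledged within max_triage_days
    """
    due = kev_due_dates(kev)
    findings = []
    for h in hosts:
        if h.public_facing and not h.edr_installed:
            findings.append((h.name, "no-edr", "public-facing host has no endpoint agent"))
        for cve, patched in h.patch_status.items():
            if cve not in due or patched is not None:
                continue  # not a KEV entry, or already remediated
            days_over = (today - due[cve]).days
            if days_over > 0:
                findings.append((h.name, "kev-overdue",
                                 f"{cve} unpatched {days_over} days past KEV due date"))
            else:
                findings.append((h.name, "kev-open",
                                 f"{cve} unpatched, KEV due date {due[cve]}"))
    for a in alerts:
        # An alert nobody acknowledged is measured against today
        reviewed = a.acknowledged or today
        age = (reviewed - a.raised).days
        if age > max_triage_days:
            state = "acknowledged after" if a.acknowledged else "unacknowledged for"
            findings.append((a.host, "alert-stale", f"EDR alert of {a.raised} {state} {age} days"))
    return findings


# Constructed inventory: hosts, dates and alerts are illustrative only.
HOSTS = [
    Host("geoserver-01", True, False, {"CVE-2024-36401": None}),
    Host("geoserver-02", True, True, {"CVE-2024-36401": None}),
    Host("sql-01", False, True, {"CVE-2024-36401": date(2024, 7, 20)}),
]
ALERTS = [
    Alert("geoserver-02", date(2024, 7, 11), date(2024, 8, 12)),  # noticed a month later
    Alert("sql-01", date(2024, 8, 14), date(2024, 8, 14)),         # triaged the same day
]


def run_sample(today=date(2024, 8, 15)):
    return audit(HOSTS, ALERTS, KEV_SAMPLE, today)


if __name__ == "__main__":
    for host, kind, detail in run_sample():
        print(f"{host:14} {kind:12} {detail}")
```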

image for Lovense ignored app  ...

 Privacy

Our blog has covered vulnerabilities in some unusual gadgets — from smart mattress covers and robot vacuums to traffic signal audio buttons, children’s toys, pet feeders, and even bicycles. But the case we’re discussing today might just be the most… exotic yet. Recently, cybersecurity researchers uncovered two extremely serious vulnerabilities in the remote control apps for… Lovense sex toys. Everything about this story is wild: the nature of the vulnerable gadgets, the company’s intention to take 14 months (!) to fix the problems, and the scandalous details that emerged after researchers published their findings. So let’s… get stuck straight into this tale, which is as absurd as it is fantastic.

The Lovense online ecosystem

The first thing that makes this story so unusual is that Lovense, a maker of intimate toys, caters to both long-distance couples and cam models (human models that use webcams) working on streaming platforms. To control devices and enable user interaction, the company has developed an entire suite of software products tailored for a variety of scenarios:

- Lovense Remote: the main mobile app for controlling intimate devices.
- Lovense Connect: a companion app that acts as a bridge between Lovense devices and other apps or online services. It’s installed on a smartphone or computer and allows a toy to connect via Bluetooth, and then relays control commands from external sources.
- Lovense Cam Extension: a browser extension for Chrome and Edge that links Lovense devices with streaming platforms. It’s used with the Lovense Connect app and the OBS Toolset streaming software for interactive control during live broadcasts.
- Lovense Stream Master: an all-in-one app for streamers and cam models combining device control features with live streaming functionality.
- Cam101: Lovense’s online educational platform for models working on streaming sites.

Of course, this whole setup also includes APIs, SDKs, an internal platform for mini-apps, and more. In short, Lovense isn’t just about internet-connected intimate toys — it’s a full-fledged ecosystem.

UI of the Stream Master app, which combines device management and video streaming.

If you create an account in the Lovense infrastructure, you’re required to provide an email address.
Whereas some services offer the option to sign in with Google or Apple, an email address is the primary sign-up method for a Lovense account. This detail might seem insignificant, but it’s at the core of the vulnerabilities that were discovered.

Two vulnerabilities in Lovense online products

So, how did this all unfold? In late July 2025, a researcher known as BobDaHacker published on his blog a detailed post about two vulnerabilities in Lovense’s online products. Many of the products (including Lovense Remote) have social-interaction features. These features allow users to chat, add friends, send requests and subscribe to other users, including people they don’t know.

While using the social-interaction features of one of the Lovense apps, BobDaHacker spotted the first vulnerability: when he disabled notifications from another user, the app sent an API request to the Lovense server. After examining the body of this request, BobDaHacker was surprised to find that, instead of the user’s ID, the request contained their actual email address.

When a simple action (like disabling notifications) was performed, the app would send a request to the server that included another user’s real email address.

Upon further investigation, the researcher found that Lovense’s API architecture was designed so that for any action that concerned another user (like disabling their notifications), the app sends a request to the server. And in this request the user’s account is always identified by the real email address they signed up with. In practice, this meant that any user who intercepted their own network traffic could get access to the real email addresses of other people on the app.

It’s important to remember that the Lovense apps have social-interaction features and allow communication with cam models. In many cases, users don’t know each other outside of the platform, and exposing the email addresses linked to their profiles could lead to deanonymization.
BobDaHacker discussed his findings with another cybersecurity researcher named Eva, and together they examined the Lovense Connect app. This led them to discover an even more serious vulnerability: generating an authentication token in the app only required the user’s email address — no password was needed. This meant that any technically skilled person could gain access to any Lovense user’s account — as long as they knew the user’s email address. And as we just learned, that address could easily be obtained by exploiting the first vulnerability.

To generate an authentication token in the Lovense app, only the user’s email was required — without the password.

These tokens were used for authentication across various products in the Lovense ecosystem, including:

- Lovense Cam Extension
- Lovense Connect
- Stream Master
- Cam101

Furthermore, the researchers successfully used this method to gain access to not only regular user profiles but also accounts with administrator privileges.

Lovense’s response to vulnerability reports

In late March 2025, BobDaHacker and Eva reported the vulnerabilities they’d discovered in Lovense products through The Internet Of Dongs Project — a group dedicated to researching and improving the security of internet-connected intimate devices. The following month, in April 2025, they also posted both vulnerabilities on HackerOne, a more traditional platform for engaging with security researchers and paying bug bounties. Lovense, the adult-toy manufacturer, acknowledged the report and even paid BobDaHacker and Eva a total of $4000 in bounties.

However, in May and then again in June, the researchers noticed the vulnerabilities still hadn’t been fixed. They continued talking to Lovense, which is when the most bizarre part of the story began to unfold. First, Lovense told the researchers that the account takeover vulnerability had been fixed in April.
But BobDaHacker and Eva checked and confirmed this was false: it was still possible to get an authentication token for another user’s account without a password.

The situation with the email disclosure vulnerability was even more absurd. The company stated it’d take 14 months to fully resolve the issue. Lovense admitted they had a fix that could be implemented in just one month, but they decided against it to avoid compatibility problems and maintain support for older app versions.

The back-and-forth between the researchers and the manufacturer continued for several more months. The company would repeatedly claim the vulnerabilities were fixed, and the researchers would just as consistently prove they could still access both emails and accounts. Finally, in late July, BobDaHacker published a detailed blog post describing the vulnerabilities and Lovense’s inaction, but only after giving the company advance notice. Journalists from TechCrunch and other outlets contacted BobDaHacker and were able to confirm that in early August — four months after the company was first notified — the researcher could still ascertain any user’s email address.

And that was far from the end of it. The most scandalous details were revealed to BobDaHacker and Eva only after their research was published.

A history of negligence: who warned Lovense and when

BobDaHacker’s work made waves across media, blogs, and social networks. As a result, just two days after the report was published, Lovense finally patched both vulnerabilities — and this time, it seems, for real. However, it soon came to light that this story started long before BobDaHacker’s report. Other researchers had already warned Lovense about the very same vulnerabilities for years, but their messages were either ignored or hushed up. These researchers shared their stories with BobDaHacker and the publications that covered his investigation.
To truly grasp the extent of Lovense’s indifference to user security and privacy, you just need to look at the timeline of these reports:

- 2023: a researcher known as @postypoo reported both bugs to Lovense, and was offered… two free adult toys in response, but the vulnerabilities were never fixed.
- Also in 2023: researchers @Krissy and @SkeletalDemise discovered the vulnerability related to account takeovers. Lovense claimed the issue had been fixed, and paid a bounty in the same month. However, @Krissy’s follow-up message stating that the vulnerability was still present went unanswered.
- 2022: a researcher named @radiantnmyheart discovered the bug that exposed emails, and reported it. The message was ignored.
- 2017: the company Pen Test Partners reported the email exposure vulnerability and the lack of chat encryption in the Lovense Body Chat app, and published its study on this. The report was ignored.
- 2016: The Internet Of Dongs Project identified three similar email exposure vulnerabilities.

This all means that Lovense asked BobDaHacker to give it 14 months to patch vulnerabilities they’d known about for at least eight years! What’s more, after BobDaHacker’s report was published, they heard not only from the ethical hackers who’d previously reported these bugs, but also from the creator of an OSINT website and their friends, who were anything but happy. These individuals had apparently been exploiting the vulnerabilities for their own purposes — specifically, harvesting user emails and subsequent deanonymization. This isn’t surprising, though, given that the Pen Test Partners report had been publicly available since 2017.

Protecting your privacy

Lovense’s approach to user privacy and security clearly leaves a lot to be desired — to put it mildly. Whether to continue using the brand’s devices after this — especially connecting them to the company’s online services — is a decision each user needs to make for themselves.
For our part, we offer some tips on how to protect yourself and maintain your privacy should you interact with adult online services.

- Always create a separate email address when you register for these types of services. It shouldn’t contain any information that can be used to identify you. Don’t use this email address for any other activities.
- When registering, don’t use your real first name, surname, age, date of birth, city of residence, or any other data that could identify you.
- Don’t upload real photos of yourself that could easily be used to recognize you.
- Protect your account with a strong password. It should contain at least 16 characters and ideally include a mix of uppercase and lowercase letters, numbers, and special characters. This password must be unique. Never use it for other services so you don’t put them at risk in the event of a data leak.
- To avoid forgetting the password and email address you created specifically for this service, use a reliable password manager. KPM can also help you generate a random, strong, and unique password.

And if you want to be more… boned up when it comes to choosing adult toys and relevant services, we recommend looking at specialized resources like The Internet Of Dongs Project, where you can find information about brands that interest you.

Check out our other posts on how to protect your private life from prying eyes:

- The Naked Truth
- Fifty shades of sextortion
- Watching porn safely: a guide for grown-ups
- What really goes on when your device is in repair

image for Feds Tie ‘Scattere ...

 A Little Sunshine

U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

A court artist sketch of Owen Flowers (left) and Thalha Jubair appearing at Westminster Magistrates’ Court last week. Credit: Elizabeth Cook, PA Wire.

On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

The story also noted that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair’s alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.

EARLY DAYS (2021-2022)

Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies beginning in late 2021, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
That is, according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity published internal chat records taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames Amtrak and Asyntax. In the middle of the gang’s cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again. The leader of LAPSUS$ responded by gleefully posting Asyntax’s real name, phone number, and other hacker handles into a public chat room on Telegram:

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including “Everlynn,” who in April 2021 began offering a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In these so-called “fake EDR” schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g. username, IP/email address), while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, which sold fake EDRs between 2021 and 2022. The founder “Everlynn” has been tied to Jubair. The member listed as “Peter” became the leader of LAPSUS$ who would later post Jubair’s name, phone number and hacker handles into LAPSUS$’s chat channel.

EARTHTOSTAR

Prosecutors in New Jersey last week alleged Jubair was part of a threat group variously known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.
Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called Star Chat, which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K.

Jubair allegedly used the handle “Earth2Star,” a core member of a prolific SIM-swapping group operating in 2022. This ad produced by the group lists various prices for SIM swaps.

The group would then use that access to sell a SIM-swapping service that could redirect a target’s phone number to a device the attackers controlled, allowing them to intercept the victim’s phone calls and text messages (including one-time codes). Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees. In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with “Tmo up!” and “Tmo down!” notices indicating periods wherein the group claimed to have active access to T-Mobile’s network.

A redacted receipt from Star Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools.

The data showed that Star Chat — along with two other SIM-swapping groups operating at the same time — collectively broke into T-Mobile over a hundred times in the last seven months of 2022. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools. Star Chat was responsible for a majority of these incidents. Image: krebsonsecurity.com.
A review of EarthtoStar’s messages on Star Chat as indexed by the threat intelligence firm Flashpoint shows this person also sold “AT&T email resets” and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in a post on Telegram:

“Ok people are confused, so you know when u login to chase and it says ‘2fa required’ or whatever the fuck, well it gives you two options, SMS or Call. If you press call, and I forward the line to you then who do you think will get said call?”

New Jersey prosecutors allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules. The phishing websites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.

A visual depiction of the attacks by the SMS phishing group known as 0ktapus, ScatterSwine, and Scattered Spider. Image: Amitai Cohen twitter.com/amitaico.

DA, COMRADE

EarthtoStar’s group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world’s largest telecommunications providers.
In May 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:

“Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike, I have major experience in this field, [including] a massive call center which houses 200,000+ employees where I have dumped all user credentials and gained access to the [domain controller] + obtained global administrator I also have experience with REST API’s and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and lets work.”

At around the same time in the Summer of 2022, at least two different accounts tied to Star Chat — “RocketAce” and “Lopiu” — introduced the group’s services to denizens of the Russian-language cybercrime forum Exploit, including:

- SIM-swapping services targeting Verizon and T-Mobile customers;
- Dynamic phishing pages targeting customers of single sign-on providers like Okta;
- Malware development services;
- The sale of extended validation (EV) code signing certificates.

The user “Lopiu” on the Russian cybercrime forum Exploit advertised many of the same unique services offered by EarthtoStar and other Star Chat members. Image source: ke-la.com.

These two accounts on Exploit created multiple sales threads in which they claimed administrative access to U.S. telecommunications providers and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar’s many aliases, posted to Exploit:

Hello. I have access to a telecommunications company’s citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted we can discuss payment and things leave your telegram in the comments or private message me !
Looking for someone with knowledge in citrix/privilege escalation

On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders. “Optional: Endorsed by advanced APT Groups (e.g. Conti, Ryuk),” the ad concluded, referencing two of Russia’s most rapacious and destructive ransomware affiliate operations. “Part of a nation-state / ex-3l (3 letter-agency).”

2023-PRESENT DAY

The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as the Com, an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.

Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job. These “violence-as-a-service” solicitations typically involve “brickings,” where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions.

The people targeted by these services are typically other criminals within the community, but it’s not unusual to see Com members asking others for help in harassing or intimidating security researchers and even the very law enforcement officers who are investigating their alleged crimes.

It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting U.S. federal prosecutor from New York.
That post included a photo of the prosecutor taken from the Justice Department’s website, along with the message: “Need irl niggas, in home hostage shit no fucking pussies no skinny glock holding 100 pound niggas either” Throughout late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.k.a. “Brad_banned”) frequently advertised Star Chat’s malware development services, including custom malicious software designed to hide the attacker’s presence on a victim machine: We can develop KERNEL malware which will achieve persistence for a long time, bypass firewalls and have reverse shell access. This shit is literally like STAGE 4 CANCER FOR COMPUTERS!!! Kernel meaning the highest level of authority on a machine. This can range to simple shells to Bootkits. Bypass all major EDR’s (SentinelOne, CrowdStrike, etc) Patch EDR’s scanning functionality so it’s rendered useless! Once implanted, extremely difficult to remove (basically impossible to even find) Development Experience of several years and in multiple APT Groups. Be one step ahead of the game. Prices start from $5,000+. Message @brad_banned to get a quote In September 2023 , both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident. Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they’d broken in by social engineering a third-party IT vendor. At a hearing in London last week, U.K. prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks. The Star Chat channel was finally banned by Telegram on March 9, 2025. But U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025. 
In April 2025, the Com was buzzing about the publication of “The Com Cast,” a lengthy screed detailing Jubair’s alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are both aliases used by Everlynn in connection with their fake EDR services).

Thalha Jubair (right), without his large-rimmed glasses, in an undated photo posted in The Com Cast.

More recently, the anonymous Com Cast author(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to “dox” or post deeply personal information on people.

“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing,” the Com Cast account stated. “The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come together to form a single collective.”

The New Jersey complaint (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025. The complaint alleges the group’s victims paid at least $115 million in ransom payments. U.S. authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair.
The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair’s name. U.S. prosecutors said that when they seized that server they also seized $36 million in cryptocurrency.

The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the U.S. courts system that targeted a U.S. magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as one of five alleged Scattered Spider members. Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge in his case gave him more time than prosecutors requested because he was mad that Scattered Spider hacked his email account.

Noah “Kingbob” Urban, posting to Twitter/X around the time of his sentencing on Aug. 20.

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.

Allison Nixon is chief research officer at the New York based security firm Unit 221B, and easily one of the world’s leading experts on Com-based cybercrime activity.
Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes. In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing — and very often bragging about — serious cybercrime offenses. “Here we have a special category of Com offenders that effectively enjoy legal immunity,” Nixon told KrebsOnSecurity. “Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity.” Nixon said U.K. authorities face the same challenge when they briefly detain and search the homes of underage Com suspects: Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they’re released. Indeed, the U.K. court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time. “What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse,” Nixon said. “The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest.” Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. 
She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem. “If law enforcement was allowed to keep them in jail, they would quit reoffending,” she said. The Times of London reports that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime. Jubair is reportedly facing two charges in the U.K.: One of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of failing to comply with a section 49 notice to disclose the key to protected information. In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the U.S., tried and convicted on all charges, he faces a maximum penalty of 95 years in prison. In July 2025, the United Kingdom followed Australia’s example in banning victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. U.K. organizations that are considered part of critical infrastructure reportedly will face a complete ban, as will the entire public sector. U.K. victims of a hack are now required to notify officials to better inform policymakers on the scale of Britain’s ransomware problem. For further reading (bless you), check out Bloomberg’s poignant story last week based on a year’s worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.

 Feed

Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity. "Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a

 Feed

Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to

 Feed

Most businesses don't make it past their fifth birthday - studies show that roughly 50% of small businesses fail within the first five years. So when KNP Logistics Group (formerly Knights of Old) celebrated more than a century and a half of operations, it had mastered the art of survival. For 158 years, KNP adapted and endured, building a transport business that operated 500 trucks

 Feed

Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share "significant" source code overlaps with IcedID and Latrodectus. "The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks," Zscaler ThreatLabz said in a Tuesday report. "YiBackdoor is able to execute

 Feed

Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Download the complete iframe security guide here.  TL;DR: iframe Security Exposed Payment iframes are being actively exploited by attackers using

 Feed

A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor. Recorded Future, which was tracking the activity under the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember.

 Feed

Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM. The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate

 Feed

Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. The critical-rated vulnerabilities in question, discovered by Trend Micro, are listed below - CVE-2025-10643 (CVSS score: 9.1) - An authentication bypass vulnerability that

 Data loss

INC is the name of a ransomware-as-a-service (RaaS) operation that first appeared in late summer 2023. Learn more about what it has been up to, and how to protect against its attacks, in my article on the Fortra blog.

 Webroot Blog

Parents across America face a growing wave of sophisticated online fraud designed to exploit their deepest fears and protective instincts. Americans reported losing more than $12.5 billion to fraud in 2024, representing a 25% increase over the prior year, according to new Federal Trade Commission data. Parents represent a particularly vulnerable target because scammers understand that nothing motivates faster action than a perceived threat to a child’s safety or wellbeing. These criminals exploit parental love, creating artificial urgency that bypasses normal thinking.

Why scammers target parents

Parents are prime scam targets for several key reasons. They often have established credit, making them attractive targets for scams involving money. They have easy access to cash that scammers try to tap into. Most importantly, parents will go to extraordinary lengths—including financial sacrifice—to protect their children from harm.

Modern technology has made these scams more convincing than ever. Scammers now use artificial intelligence to clone voices, create fake social media profiles, and generate realistic scenarios that seem entirely plausible to worried parents.

The 5 most devastating scams bankrupting parents right now

1. Family emergency scams

The most emotionally devastating scam targeting parents involves fake emergencies. Scammers use AI to clone the voice of a child in distress, calling parents with scenarios like car accidents, jail time, or medical emergencies. The caller, sounding exactly like their child, begs for an immediate money transfer while pleading for secrecy. These scams create powerful emotional responses that override logical thinking. Parents hear their child’s voice saying, “Don’t tell Dad” or “I’m scared,” and immediately spring into action without verification.

“Pause and verify” protocol: Teach your entire family the 24-hour rule for any urgent financial requests. No legitimate emergency requires immediate wire transfers or gift card payments. Always hang up and call back using a known phone number to verify any emergency claims.

2. School-related fraud

Cybercriminals pose as school officials, coaches, or administrators claiming children owe money for equipment, field trips, or disciplinary issues. They demand immediate payment via wire transfer, gift cards, or cryptocurrency to avoid serious consequences like suspension or criminal charges. These scams work because parents want to protect their children’s academic and social standing. The fraudsters create artificial deadlines and threaten embarrassment or legal action if parents don’t act quickly.

Verify information: Hang up and contact the school or organization directly using its official phone number or website to confirm that the request is authentic.

3. Social media kidnapping hoaxes

In virtual kidnapping scams, fraudsters monitor children’s social media activity to gather personal information. They then call parents claiming to have kidnapped their child, demanding ransom money. Meanwhile, the child is simply unavailable—perhaps in class, at practice, or with friends. These schemes rely on the parent’s inability to immediately reach their child for confirmation. The scammers use publicly available information from social media posts to make their demands seem legitimate.

Multi-Factor Authentication (MFA): Enable two-factor authentication on all family accounts, especially email, banking, and social media. This simple step blocks 99% of automated attacks, even if passwords are compromised. Show your children how to use authenticator apps rather than SMS authentication when possible. Additionally, it’s critical for parents to set their children’s social media accounts to private, use parental controls, and monitor their children’s social media habits.

4. Financial sextortion of minors

The FBI has identified “financial sextortion” of teens as a “rapidly escalating threat.” Criminals trick minors into sharing explicit images, then blackmail both the child and parents for payment. These predators target children through gaming platforms, social media, and messaging apps. A study found that approximately 5% of U.S. students reported having been the victim of sextortion, with 1 in 7 youth victims (15%) saying they harmed themselves in response. Parents often discover these crimes only when their children’s demeanor changes or they exhibit severe behavioral changes. The psychological damage extends far beyond the financial cost.

Social media privacy settings: Regularly audit your family’s social media accounts together. Scammers harvest information from public posts to make their schemes more convincing. Teach children never to post real-time locations, vacation plans, or personal details that criminals can exploit, and never to share personal or explicit photos.

5. College and scholarship scams

As college costs soar, scammers target parents desperate to secure educational funding for their children. They offer fake scholarships, guaranteed admissions, or student loan forgiveness programs that require upfront fees or personal financial information. These scams often impersonate legitimate organizations and use official-sounding language to appear credible. Parents, stressed about their children’s futures, may overlook red flags in their eagerness to secure opportunities.

Email security awareness: Practice identifying phishing emails with your children using the “STOP, LOOK, THINK” method:
STOP: Don’t click links or attachments immediately.
LOOK: Check sender addresses carefully for misspellings or suspicious domains.
THINK: Ask yourself if the request makes sense and verify independently.

Your 5-step defense plan: stop scammers before they strike

Real-time threat detection: Webroot’s advanced algorithms identify and block malicious websites, phishing attempts, and dangerous downloads before they can compromise family devices or data.

Identity protection services: Comprehensive monitoring of identity, credit, and financial accounts helps detect fraud early, with up to $1 million in fraud expense and stolen funds reimbursement.

Secure family browsing: Webroot automatically warns users about suspicious websites and blocks access to known scam sites, protecting curious children and busy parents from accidentally accessing dangerous content.

Dark Web monitoring: This crucial feature monitors family members’ personal information and sends alerts if data appears in breaches or on criminal marketplaces.

Password security: Strong password management ensures that all family accounts remain protected with unique, complex passwords that children and parents can easily access when needed. Never reuse passwords across accounts, and use a password manager to track them all.

Don’t let criminals exploit your parental instincts

Establish clear communication protocols with your children. Create unique code words or security questions that only family members know. Practice scenarios where children should verify requests through multiple channels before sharing information or money. Have regular family discussions about online safety to help children understand current threats without creating excessive fear. Participate in cybersecurity workshops specifically designed for families, run by schools, community centers, and parent organizations. Combine street-smart awareness with enterprise-level cybersecurity solutions like Webroot to create an impenetrable defense against parent-targeting criminals.

With October being Cybersecurity Awareness Month, now is the perfect time to put your family’s cybersecurity game plan into place. The criminals betting on your parental panic are about to learn that informed, protected parents don’t make easy targets.

Additional Resources:
FTC Scam Reporting
FTC 2024 Data Book
FBI Internet Crime Complaint Center
National Center for Missing & Exploited Children
Webroot Solutions

The post Guarding your family against the latest online threats appeared first on Webroot Blog.

2025-09
Aggregator history
Wednesday, September 24