
Chinese-linked Browser Extensions Tied to Corporate Espionage Hit Millions of Users

A Chinese-linked threat actor has been tied to a third large-scale malicious browser extension campaign that has compromised data from millions of users across major web browsers, according to new findings by cybersecurity firm Koi Security. 

The latest campaign, dubbed DarkSpectre, has affected about 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox, the researchers said. 

DarkSpectre has now been linked to two earlier campaigns known as ShadyPanda and GhostPoster, bringing the total number of impacted users across all three operations to more than 8.8 million over a period exceeding seven years. 

Koi Security said the activity appears to be the work of a single Chinese threat actor that it tracks under the name DarkSpectre. The campaigns relied on seemingly legitimate browser extensions that were used to steal data, hijack search queries, manipulate affiliate links and conduct advertising fraud. 

ShadyPanda, which Koi disclosed earlier this month, was found to have affected about 5.6 million users through more than 100 malicious or compromised extensions across Chrome, Edge and Firefox. Some of these extensions remained benign for years before being weaponised through updates. 

One Edge extension waited three days after installation before activating its malicious code, a tactic designed to evade store review processes. The second campaign, GhostPoster, primarily targeted Firefox users with utilities and VPN-style add-ons that injected malicious JavaScript to hijack affiliate traffic and carry out click fraud. 

Investigators also identified related extensions on other browsers, including an Opera add-on masquerading as a Google Translate tool that had close to one million installs. The newly attributed DarkSpectre campaign, also referred to by researchers as the Zoom Stealer operation, involved at least 18 extensions designed to collect sensitive data from online meetings. 

These extensions harvested meeting links, embedded passwords, meeting IDs, topics, schedules and participant details from platforms such as Zoom, Google Meet, Microsoft Teams, Cisco WebEx and GoTo Webinar. 

Researchers said the extensions posed as tools for recording or managing video meetings but quietly exfiltrated corporate meeting intelligence in real time using WebSocket connections. 

The stolen data also included details about webinar hosts and speakers, such as names, job titles, company affiliations and promotional materials. 

“This isn’t consumer fraud, this is corporate espionage infrastructure,” Koi Security researchers Tuval Admoni and Gal Hachamov told the media. They warned that the information could be sold to other threat actors or used for targeted social engineering and impersonation campaigns.

Koi Security said indicators linking the activity to China included the use of command and control servers hosted on Alibaba Cloud, Chinese-language artifacts in the code, and registrations tied to Chinese provinces. 

Some fraud activity was also aimed at Chinese e-commerce platforms. The researchers cautioned that additional extensions linked to the same actor may still be active but dormant, building trust and user bases before being turned malicious through future updates.

Trust Wallet Chrome Extension Hack Leads to $8.5 Million Theft

Chrome extension compromise resulted in millions in theft

Trust Wallet recently disclosed that the Shai-Hulud supply chain attack of November last year may be responsible for the compromise of its Google Chrome extension, which led to the theft of $8.5 million in assets.

About the incident

According to the company, its "developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key." The leaked key gave the attacker full CWS API access, allowing builds to be uploaded directly and bypassing Trust Wallet's standard release process, which requires internal approval and manual review.

The threat actor then registered the domain "metrics-trustwallet[.]com" and deployed a backdoored variant of the extension that harvested users' wallet mnemonic phrases and sent them to the subdomain "api.metrics-trustwallet[.]com".

Attack tactic 

According to cybersecurity company Koi, the infected code runs on every unlock and harvests sensitive data each time. It makes no difference whether the victim unlocked with biometrics or a password, or whether the wallet extension was opened only once after the 2.68 update or used for months.

The researchers Yuval Ronen and Oren Yomtov reported that, "the code loops through every wallet in the user's account, not just the active one. If you had multiple wallets configured, all of them were compromised. Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata."
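As an added example (not Trust Wallet or Koi Security code), the following Python shows the kind of check a reviewer could run on an extension's outbound telemetry to catch the pattern the researchers describe: it walks every string in an analytics event and flags fields that consist of a valid mnemonic length of BIP39 words. The sample events and the BIP39 subset are constructed; a real check would load the full wordlist.

```python
"""Scan a wallet-extension telemetry event for seed-phrase material hidden in
ordinary-looking string fields, the pattern described for the Trust Wallet
2.68 backdoor (seed words stuffed into an 'errorMessage' field).
Added example; not Trust Wallet or Koi Security code."""
import json
import re
from typing import Any, Iterator, List, Tuple

# Assumption: production loads the full 2048-word English BIP39 list from a
# file. This constructed subset (the first entries of that list) keeps the
# script self-contained and offline.
BIP39_WORDS = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
""".split())

# Valid BIP39 mnemonic lengths (128..256 bits of entropy plus checksum).
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# Two or more lowercase words separated by single spaces; rejects hex,
# base64, JSON fragments and normal error strings with punctuation/digits.
WORDS_ONLY = re.compile(r"^[a-z]+(?: [a-z]+)+$")


def walk_strings(obj: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string nested anywhere in obj,
    so a seed buried inside 'meta' is examined like any top-level field."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk_strings(val, f"{path}[{i}]")


def looks_like_seed(value: str, wordlist: frozenset = BIP39_WORDS) -> bool:
    """True if value is a mnemonic-length run of words that are all in the
    wordlist. Word membership is what separates a seed from prose: a real
    error message almost never consists solely of BIP39 words."""
    text = value.strip()
    if not WORDS_ONLY.match(text):
        return False
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(w in wordlist for w in words)


def find_seed_leaks(event_json: str) -> List[str]:
    """Return the JSON paths of fields in one telemetry event that carry
    seed-phrase material. An empty list means the event looks clean."""
    return [path for path, val in walk_strings(json.loads(event_json))
            if looks_like_seed(val)]


# Constructed sample events. The first mimics the described backdoor: an
# unlock-success event whose errorMessage is really a 12-word seed. The
# second is the benign shape such an event should have.
SEED_IN_TELEMETRY = json.dumps({
    "event": "wallet_unlock", "success": True, "method": "biometric",
    "meta": {"errorMessage": "abandon ability able about above absent "
                             "absorb abstract absurd abuse access accident"},
})
BENIGN_UNLOCK = json.dumps({
    "event": "wallet_unlock", "success": False, "method": "password",
    "meta": {"errorMessage": "Invalid password, 2 attempts remaining"},
})

if __name__ == "__main__":
    for name, event in (("suspect", SEED_IN_TELEMETRY), ("benign", BENIGN_UNLOCK)):
        print(name, find_seed_leaks(event) or "clean")
```

In practice this check sits on the extension's egress (a local proxy or a build-time review of analytics calls), where a leak in any field, not only errorMessage, is caught.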

Movie “Dune” reference? Yes.

The analysis also found that querying the server directly returned the reply "He who controls the spice controls the universe," the same Dune reference seen in related incidents such as the Shai-Hulud npm attack. "The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24," the researchers added. "This wasn't opportunistic. It was planned."

The findings follow Trust Wallet's request that the roughly one million users of its Chrome extension update to version 2.69 after a malicious update (version 2.68) was pushed by unknown attackers to the browser's extension marketplace on December 24, 2025.

The breach led to the theft of $8.5 million in cryptocurrency assets from 2,520 wallet addresses; the thefts were first reported shortly after the malicious update.

Control measures 

Post-incident, Trust Wallet has started a reimbursement claim process for affected victims. The company has implemented additional monitoring measures related to its release processes.


Why the Leak of 16 Billion Passwords Remains a Live Cybersecurity Threat in 2025


As 2025 draws to a close, one cybersecurity problem is still being discussed: the exposure of some 16 billion passwords and login credentials, first reported earlier in the year. Security experts say those credentials are still being reused in cyberattacks, so the incident is not a past event but an ongoing one.

The core problem is credential stuffing: attackers take username and password pairs obtained from one breach and try them, at scale, against many other websites. The tactic works because so many people reuse the same password across services. Credentials stolen long ago therefore remain useful, and any account whose password was never changed after the exposure is still at risk today.

Monitoring teams have observed a surge in credential stuffing toward the end of the year, including a rise in automated login attempts against virtual private network platforms, some of which saw millions of authentication attempts over short periods. Attacks of this kind rely on automation and speed rather than on new software vulnerabilities; a list of compromised credentials is enough to get past the defenses of many VPN platforms.
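The VPN credential-stuffing pattern described above, as an added example that is not from the article or any named vendor: a sliding-window detector in Python over constructed audit-log lines that flags a source trying many distinct accounts with mostly failures, and lists the accounts it did get into. The log format and IP addresses are constructed placeholders.

```python
"""Flag credential-stuffing bursts in VPN authentication logs: a single source
trying many distinct usernames in a short window, almost all failing.
Added example, not from the article or any vendor; the log format is
constructed and the regex would be adapted to a real VPN's audit format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn-auth "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) result=(?P<result>ok|fail)$"
)


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; lines that do not match are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["user"], m["src"],
                     m["result"] == "ok")


def detect_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Sliding-window detector. A source is flagged when, inside `window`, it
    tried at least `min_users` distinct accounts and its success ratio stayed
    at or below `max_success_ratio`. Accounts that did log in from a flagged
    source are returned under 'compromised': in a spray of failures, the rare
    success is the signature of a reused, leaked password."""
    by_src: Dict[str, list] = defaultdict(list)
    for ev in sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    alerts: Dict[str, dict] = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            chunk = events[start:end + 1]
            users = {e.user for e in chunk}
            successes = [e.user for e in chunk if e.ok]
            if len(users) < min_users or len(successes) / len(chunk) > max_success_ratio:
                continue
            # Keep the widest triggering window seen for this source.
            if src not in alerts or len(chunk) > alerts[src]["attempts"]:
                alerts[src] = {"attempts": len(chunk), "users": len(users),
                               "successes": len(successes),
                               "compromised": sorted(set(successes))}
    return alerts


# Constructed sample: 203.0.113.7 sprays six accounts in under two minutes
# and gets into one; 198.51.100.4 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2025-12-29T08:00:01 vpn-auth user=alice src=203.0.113.7 result=fail
2025-12-29T08:00:05 vpn-auth user=bob src=203.0.113.7 result=fail
2025-12-29T08:00:09 vpn-auth user=carol src=203.0.113.7 result=fail
2025-12-29T08:00:14 vpn-auth user=dave src=203.0.113.7 result=fail
2025-12-29T08:00:20 vpn-auth user=erin src=203.0.113.7 result=ok
2025-12-29T08:00:27 vpn-auth user=frank src=203.0.113.7 result=fail
2025-12-29T08:01:00 vpn-auth user=alice src=198.51.100.4 result=fail
2025-12-29T08:01:12 vpn-auth user=alice src=198.51.100.4 result=ok
"""

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The 'compromised' list is the actionable output: those accounts should be forced to re-authenticate and rotate their password, since a success inside a spray means the leaked credential was still valid.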

What makes the threat persistent is the long shelf life of stolen credentials. Police recently found hundreds of millions of stolen passwords on devices belonging to a single person, which security officials say shows how long credentials stay in circulation after a theft: they are passed from one actor to another and remain usable long after the original breach. Password reuse compounds this, since many people use the same password for personal, work and banking accounts.

That reuse means a compromise of one account can become a compromise of all of them, enabling financial theft, identity fraud and data exposure. Security professionals stress that the timing of defensive action matters: waiting until an account has been taken over leaves far more damage to undo than acting before anything happens.

Practical steps include checking breach-notification databases to see whether your credentials have been exposed and, where possible, replacing passwords altogether with stronger authentication such as passkeys, which security professionals consider a markedly safer option. For accounts that still depend on passwords, experts recommend a password manager.

A password manager generates and stores a unique, strong password for each service, so a credential leaked from one site cannot be used to open accounts elsewhere.

The scale of the 16 billion credential leak serves as a reminder that cybersecurity incidents do not end when the headlines fade. Compromised passwords retain their value to attackers for months or even years, and ongoing vigilance remains essential.

As attackers continue to exploit old data in new ways, timely action by users remains one of the most effective defenses against account takeover and identity-related cybercrime.

TikTok US Deal: ByteDance Sells Majority Stake Amid Security Fears

TikTok’s Chinese parent company, ByteDance, has finalized a landmark deal with US investors to restructure its operations in America, aiming to address longstanding national security concerns and regulatory pressures. The agreement, signed in late December 2025, will see a consortium of American investors take a controlling stake in TikTok’s US business, effectively separating it from ByteDance’s direct management. This move comes after years of scrutiny by US lawmakers, who have raised alarms about data privacy and potential foreign influence through the popular social media platform.

Under the new arrangement, TikTok US will operate as an independent entity, with its own board and leadership team. The investors involved are said to include major US financial firms and technology executives, signaling strong confidence in the platform’s future growth prospects. The deal is expected to preserve TikTok’s core features and user experience for its more than 170 million American users, while ensuring compliance with US data protection laws and national security standards.

Critics and privacy advocates have welcomed the move as a step toward greater transparency and accountability, but some remain skeptical about whether the separation will be deep enough to truly mitigate risks. National security experts argue that as long as ByteDance retains any indirect influence or access to user data, the underlying concerns may persist. 

US regulators have indicated they will continue to monitor the situation closely, with further oversight measures possible in the coming months. The deal is also expected to affect TikTok’s global expansion strategy. With its US operations now under American control, TikTok may find it easier to negotiate partnerships and investments in other Western markets where similar regulatory hurdles exist. Challenges remain, however, especially in regions where geopolitical tensions could complicate business operations.

For users, the immediate effect is likely to be minimal. TikTok’s content, features, and community guidelines are expected to remain unchanged in the short term. Over the longer term, the separation could lead to new product innovations and business models tailored specifically to the US market. The deal marks a significant shift in the global tech landscape, reflecting the growing importance of data sovereignty and regulatory compliance in the digital age.

Unleash Protocol Suffers $3.9M Crypto Loss After Unauthorized Smart Contract Upgrade


Decentralized intellectual property platform Unleash Protocol has reported a loss of approximately $3.9 million in digital assets following an unauthorized upgrade to its smart contracts that enabled illicit withdrawals.

The Unleash team stated that the attacker managed to gain sufficient signing authority to function as an administrator within the project’s multisig governance framework.

"Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade," the company says in a public announcement.

"This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures."

Unleash Protocol positions itself as a blockchain-based operating system for intellectual property management, transforming IP into tokenized on-chain assets. These assets can be used within decentralized finance (DeFi) applications, while smart contracts automate licensing, monetization, and royalty distribution among predefined stakeholders.

By exploiting the unauthorized contract upgrade, the attacker unlocked withdrawal functionality and siphoned multiple assets, including WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP).

Blockchain security firm PeckShieldAlert estimates the total losses at roughly $3.9 million.

Following the withdrawals, the stolen funds were bridged using third-party services and sent to external wallets to obscure their movement. PeckShieldAlert further noted that the attacker deposited the funds into the Tornado Cash mixing service, totaling 1,337 ETH.

Tornado Cash, which was sanctioned by the United States in 2022 and later delisted in 2025 for its involvement in laundering funds linked to North Korean hacking groups, allows users to obscure transaction trails before moving funds to new wallets. Although intended to enhance privacy on public blockchains, the service has frequently been misused by cybercriminals to evade tracking and asset recovery.

In response to the breach, Unleash Protocol has halted all platform operations and initiated a comprehensive investigation with external security specialists to identify the root cause. The team is also assessing possible remediation and recovery strategies.

Until further notice, users have been urged to avoid interacting with Unleash Protocol smart contracts and to rely solely on official communication channels for updates regarding platform safety.

Bitcoin’s Security Assumptions Challenged by Quantum Advancements


The debate over Bitcoin’s security architecture has entered a phase that is at once familiar and new: the theoretical risk posed by quantum computing has resurfaced in digital forums and investor circles.

Quantum machines are not expected to break blockchain cryptography any time soon, so the recurring debate reflects a problem of interpretation rather than immediacy. Developers and market participants nonetheless approach the issue from fundamentally different perspectives, often without a shared technical or linguistic framework, even though both are deeply concerned with the long-term integrity of the network.

The discussion was recently reignited by comments from well-known Bitcoin developers seeking to dispel a growing narrative of a cryptographic threat to the Bitcoin ecosystem. Their position is firmly rooted in technical pragmatism: no existing computational system can break Bitcoin's underlying cryptography, and scientific estimates indicate none will be able to do so at a scale that threatens the network for decades to come.

Those reassurances, grounded in today's practical realities, have not dampened renewed speculation, which shows that the debate is driven as much by perception and readiness as by technological capability. Industry security leaders have also weighed in, including Jameson Lopp, Chief Security Officer at Casa, who pointed to the structural difficulties Bitcoin faces in preparing for a post-quantum future.

Lopp has cautioned that, while quantum computing poses no real threat to Bitcoin's elliptic curve cryptography today, the timetable for defensive upgrades is defined less by scientific feasibility than by the complexity of the network's governance. Centralized digital infrastructure can be patched at will; Bitcoin protocol changes require broad consensus across an unusually fragmented stakeholder landscape.

Node operators, miners, wallet providers, exchanges and independent users all have to take part in a deliberative process that, by design, cannot be hurried. By Lopp's estimate, transitioning the network to post-quantum standards could take five to ten years, owing to the friction inherent in decentralized decision-making rather than to any technical impossibility.

Lopp's recurring theme is that the issue is not urgency but choreography: ensuring that future safeguards are formulated with precision, patience and overwhelming agreement, without undermining the decentralization that defines Bitcoin's resilience. What had largely been a theoretical debate has now gained an empirical dimension.

Project Eleven, a quantum computing research organization, has launched a competitive challenge to assess the network's resilience against actual quantum capabilities rather than projected advances. The initiative, branded the Q-Day Prize, offers 1 Bitcoin, estimated at approximately $84,000 at the time of release, to anyone able to recover the largest portion of a Bitcoin private key using Shor's algorithm on a working quantum computer within a 12-month period.

Entries that rely on hybrid or classical computational assistance are explicitly excluded, underscoring the requirement that quantum performance be demonstrated unambiguously.

Technical rigor is only part of the rationale; the challenge is also a strategic signaling exercise. Project Eleven claims that more than 10 million Bitcoin addresses have disclosed their public keys to date, securing an estimated 6 million Bitcoins with a current market value of approximately $500 billion.

Even minimal progress, such as extracting a fraction of the key bits, would be a significant milestone; the firm maintains that recovering as few as three bits would be a monumental event, since no real-world elliptic curve cryptographic key has ever been broken at that scale.

Project Eleven frames the challenge not as an attack vector but as a benchmark for preparedness, intended to replace conjecture with measurable results and to build momentum for post-quantum cryptographic research before the technology reaches adversarial maturity.

Prominent figures in the Bitcoin community diverge sharply on the quantum question, though there is a common thread in how they assess its urgency. Adam Back, founder of infrastructure firm Blockstream, has asserted that the quantum risk is “effectively nonexistent in the near term,” arguing that the technology is still “ridiculously early” and faces numerous unresolved scientific challenges, and that even under extreme scenarios Bitcoin's architecture would not suddenly expose all of its coins to seizure.

The view expressed by Thicke echoes a sentiment common among designers: although Bitcoin's use of elliptic curve cryptography theoretically exposes some addresses to future risk, this has not translated into any current vulnerability, which is why it is still regarded as a matter for the future.

In theory, sufficiently powerful quantum machines running Shor's algorithm could derive private keys from exposed public keys, and experts are concerned that this could threaten funds held in legacy address formats, such as Satoshi Nakamoto's untouched supply, that have lain dormant for years. This remains speculative, however; quantum advances are not expected to cause the network to fail abruptly.
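The distinction the article turns on, an "exposed" public key versus one that is only hashed, depends on the output script type. As an added example (not from the article or Project Eleven), the following Python classifies standard scriptPubKeys by whether the key Shor's algorithm would need is already on chain, and shows how a spend of a hash-based output publishes the key. PUBKEY, FAKE_SIG and the hash bytes are constructed placeholders, not real keys or digests.

```python
"""Decide whether a Bitcoin output already exposes the public key that Shor's
algorithm would need, or only a hash of it, and show how a spend of a
hash-based output reveals the key. Added example, not Project Eleven code.
Only standard script templates are handled; anything else is 'unknown'."""
from typing import Optional, Sequence, Tuple

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)
PUBKEY_SIZES = (33, 65)  # compressed / uncompressed SEC encodings


def classify(spk: bytes) -> Tuple[str, bool]:
    """Return (script_type, key_exposed) for an *unspent* output's scriptPubKey.
    key_exposed is True when the raw public key sits in the output itself."""
    n = len(spk)
    # P2PK: <push pubkey> OP_CHECKSIG. Early mined coins, such as the
    # Satoshi-era supply the article mentions, use this form, so their
    # public keys have been on chain since the blocks were mined.
    if n >= 2 and spk[0] in PUBKEY_SIZES and n == spk[0] + 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh", False
    # P2WPKH / P2WSH: version-0 witness programs carry only hashes
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", False
    # P2TR: the version-1 witness program is an x-only public key (the
    # tweaked output key), so taproot outputs expose a key before any spend
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "unknown", False


def pubkey_revealed_by_spend(script_type: str, script_sig: bytes = b"",
                             witness: Sequence[bytes] = ()) -> Optional[bytes]:
    """Hash-based outputs stay hidden only until spent: the spending input
    must publish the full key so nodes can check hash160 and the signature.
    Returns that key, or None when the spend reveals nothing new."""
    if script_type == "p2pkh" and script_sig:
        # scriptSig = <push sig> <push pubkey>; DER signatures are shorter
        # than 76 bytes, so a single-byte push opcode is the length.
        sig_len = script_sig[0]
        rest = script_sig[1 + sig_len:]
        if rest and rest[0] in PUBKEY_SIZES and len(rest) == rest[0] + 1:
            return bytes(rest[1:])
    if script_type == "p2wpkh" and len(witness) == 2 and len(witness[1]) in PUBKEY_SIZES:
        return bytes(witness[1])
    return None


# Constructed sample data (not real keys, hashes or signatures). The 20- and
# 32-byte runs stand in for hash160/witness-program digests.
PUBKEY = b"\x02" + bytes(range(1, 33))          # compressed-key-shaped blob
FAKE_SIG = b"\x30" + bytes(70)                   # DER-shaped, 71 bytes
P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x22" * 20
P2TR = bytes([OP_1, 32]) + b"\x33" * 32
P2PKH_SCRIPT_SIG = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([33]) + PUBKEY

if __name__ == "__main__":
    for name, spk in (("p2pk", P2PK), ("p2pkh", P2PKH), ("p2wpkh", P2WPKH), ("p2tr", P2TR)):
        kind, exposed = classify(spk)
        print(f"{name:7} -> {kind}, key exposed while unspent: {exposed}")
    print("p2pkh spend reveals:", pubkey_revealed_by_spend("p2pkh", P2PKH_SCRIPT_SIG).hex())
```

Address reuse is what turns the second case into the first: once a P2PKH key has signed a spend, any later funds sent to the same address are guarded by a key that is already public.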

Major companies and governments are already preparing preemptively: the United States has signaled plans to phase out classical cryptography by the mid-2030s, and firms such as Cloudflare and Apple are integrating quantum-resilient systems into their products. Bitcoin's lack of a formalized transition strategy, by contrast, is drawing increased investor attention.

Nic Carter, a partner at Castle Island Ventures, has observed a disconnect between cryptographic theory and practical readiness. Capital markets, he notes, care less about predicting the precise timing of a quantum breakthrough than about whether Bitcoin can demonstrate a viable path forward should cryptographic standards need to change.

The debate over Bitcoin's quantum security goes well beyond technical discourse; it concerns the trust that has historically been the basis of Bitcoin’s credibility. As the ecosystem evolves into financial infrastructure of global consequence, it now intersects institutional capital, sovereign research priorities and retail investment on a scale that once seemed unimaginable.

According to industry observers and analysts, confidence in the network no longer rests on its capacity to resist hypothetical attacks but on its ability to anticipate them. For long-term security planning, the philosophical foundations of Bitcoin’s decentralised design, namely self-custody, open collaboration and distributed responsibility, are increasingly treated as strategic imperatives.

Some commentators caution that dismissing a well-recognized, time-bound vulnerability risks being read as a failure of stewardship, especially as governments and major technology companies rapidly adopt quantum-resistant cryptographic systems to head off future exposure.

Market sentiment is far from panicked, but it reflects a growing intolerance of strategic ambiguity among investors and developers. Both are being urged to rally once more around the principle that made Bitcoin compelling in the first place: surviving and thriving in finance and emerging technology requires proactive foresight alongside the ability to adapt and innovate.

Advocates of BIP360 argue that the proposal is not about forecasting quantum capability but about choosing the right strategic moment to act. A transition to post-quantum cryptographic standards, should it be pursued, would require a rare degree of synchronization across Bitcoin's distributed ecosystem: phased software upgrades, infrastructure revisions and coordinated action by wallet providers, node operators, custodians and end users.

Supporters stress that starting the conversation early is itself a form of risk mitigation, reducing the chance that decisions will have to be compressed should technological progress outpace consensus.

The governance model that has historically insulated Bitcoin from impulsive change is now being reframed as a constraint in a debate whose horizon is measured in decades rather than in immediate attack vectors. Cryptography experts regard quantum computing as no present threat to the network, and no credible scientific roadmap suggests an imminent one will emerge.

Market participants note, however, that Bitcoin's growing institutional capital base and longer investment cycles have narrowed tolerance for unresolved systemic questions, however distant.

Without a common evaluative framework shared by protocol developers and investors, the quantum debate remains on the periphery of sentiment: not an urgent alarm, but an unresolved variable quietly shaping market psychology.

Advanced Rootkit Used to Conceal ToneShell Malware in Targeted Cyberespionage Attacks

Cybersecurity researchers have brought to light a new wave of cyberespionage activity in which government networks across parts of Asia were quietly compromised using an upgraded version of the ToneShell backdoor. What sets this campaign apart is the method used to hide the malware. Instead of relying solely on user-level tools, the attackers deployed a kernel-mode component that operates deep within the Windows operating system, allowing the intrusion to remain largely invisible.

The activity has been linked with high confidence to a China-aligned cyberespionage group that has a long history of targeting government agencies, policy institutions, non-governmental organizations, and research bodies. Investigators say the campaign reflects a continued focus on long-term intelligence collection rather than short-lived attacks.

The findings come from an investigation by Kaspersky, which identified malicious system drivers on compromised machines in countries including Myanmar and Thailand. Evidence suggests the campaign has been active since at least February 2025. In several cases, the affected systems had previously been infected with older espionage tools tied to the same threat ecosystem, indicating that access was maintained and expanded over time.

At the centre of the operation is a malicious kernel-mode driver disguised as a legitimate system component. The driver is digitally signed using an older certificate that appears to have been improperly reused, helping it avoid immediate suspicion during installation. Once active, it acts as a rootkit, injecting hidden code into normal processes and blocking attempts by security software to detect or remove it.

The driver protects itself aggressively. It prevents its files and registry entries from being altered, assigns itself a high execution priority, and interferes with Microsoft Defender by stopping key components from fully loading. While malicious code is running, it temporarily blocks access to infected processes, removing those restrictions afterwards to leave fewer traces behind.

The ToneShell backdoor delivered by this loader has also been updated. Earlier versions used a longer and more distinctive system identifier. The new variant switches to a shorter four-byte host marker, making individual infections harder to track. Its network traffic has been altered as well, with communications disguised to resemble legitimate encrypted web connections through the use of fake security headers.

Once installed, the backdoor gives attackers broad control over compromised systems. It can stage data in temporary files, upload and download information, cancel transfers when needed, open interactive remote command sessions, execute instructions in real time, and close connections cleanly to reduce forensic evidence. These features point to a tool designed for sustained, low-noise espionage rather than disruptive attacks.

Kaspersky warns that detecting this activity requires more than standard file scanning. Because much of the malicious behaviour occurs in memory and at the kernel level, advanced memory forensics are critical for uncovering infections. The researchers note that the campaign demonstrates a clear shift toward greater stealth and resilience, underscoring the growing sophistication of modern cyberespionage operations.

Two US Banks Disclose Customer Data Exposure Linked to Marquis Software Ransomware Attack


Two American banks have issued public warnings to customers after being affected by a ransomware incident that occurred in August at a widely used financial software provider.

Artisans' Bank and VeraBank notified regulators in Maine last week of recent data breaches that trace back to a cyberattack on Marquis Software. The vendor had earlier confirmed it suffered a ransomware attack around August 14, affecting dozens of corporate clients and thousands of individuals connected to those organizations.

In notification letters sent to affected customers, VeraBank clarified that Marquis Software serves as its “customer communication and data analysis vendor.”

“They had access to your data to communicate relevant and necessary updates with you and also to analyze what bank products and services may best fit your needs,” the Texas-based lender stated. “We only provided Marquis with access to your data after they had contractually agreed to secure and protect the same.”

According to VeraBank’s disclosures, 37,318 individuals had personal information compromised, though the bank did not specify exactly what data was taken.

Artisans' Bank, headquartered in Delaware, said it was alerted to the incident by Marquis Software in October. Its investigation revealed that the breach exposed the names and Social Security numbers of 32,344 people.

Both banks emphasized that their internal systems were not compromised and that the stolen information was “maintained by Marquis Software.”

The disclosures make VeraBank and Artisans' Bank the latest financial institutions identified as downstream victims of the Marquis Software attack. The company provides data analytics, compliance services, and digital marketing solutions to hundreds of banks and credit unions nationwide.

Marquis Software stated in its own breach notifications that it contacted federal law enforcement after discovering the cyberattack in August. The company said investigators traced the breach to a vulnerability in a SonicWall firewall device.

According to Marquis Software, the stolen data included names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, dates of birth, and financial account details that did not include security or access codes.

Between October 27 and November 25, Marquis Software notified at least 74 banks, credit unions, and financial institutions that their data was involved in the breach. The company filed reports with regulators in multiple states, including Maine, South Carolina, Washington, and Iowa, and also issued notices on behalf of several affected institutions.

The firm has not responded to inquiries about whether additional financial organizations have since been impacted or how many total individuals were affected.

Based on victim counts collected from various state breach registries, cybersecurity researchers and law firms estimate the total number of affected individuals could range from approximately 788,000 to 1.35 million.

Cybersecurity firm Comparitech reported obtaining a now-deleted breach notification letter from Iowa-based Community 1st Credit Union that alleged Marquis Software paid a ransom to the attackers. The company has not commented on whether a payment was made, and no ransomware group has publicly claimed responsibility for the attack.


Holiday Scams Surge: How to Protect Yourself This Season

 

Scammers intensify their efforts during the holiday season, exploiting the rush, stress, and increased spending that characterize this time of year. The Federal Bureau of Investigation warns that fraud schemes spike significantly as criminals deploy sophisticated tactics—including AI-generated offers and phony delivery notifications—to steal money and personal information from unsuspecting victims.

The holiday period creates perfect conditions for fraudsters. People are distracted by family obligations, travel plans, and shopping deadlines, making them less likely to scrutinize suspicious messages or verify deals that appear too good to be true. With money flowing through shopping, travel bookings, and gift exchanges, scammers have numerous opportunities to exploit vulnerable targets.

Common holiday scams

Fake online shopping sites represent one of the most prevalent threats. These professional-looking storefronts advertise steep holiday discounts but disappear after collecting payments without delivering products. Consumers should navigate directly to trusted retailer websites rather than clicking promotional links and use credit cards for easier fraud disputes.

Phishing and smishing attacks flood inboxes with messages impersonating delivery services, claiming shipping problems or requesting order confirmations. These messages aim to harvest login credentials and financial details. Recipients should avoid clicking links in unexpected messages and instead manually type company URLs into browsers to verify account status.

Gift card scams involve tampering with physical cards to drain balances after activation or pressuring victims to pay with gift cards instead of standard methods. Purchasing cards directly from secure locations and retaining receipts provides protection against these schemes.

Bogus charity operations emerge during the holidays, exploiting generosity through emotional donation requests. Donors should verify organizations using platforms like Charity Navigator before contributing funds.

Travel scams target holiday travelers with fake airline, hotel, or rental confirmations designed to collect money and personal information. Booking directly through official company channels and confirming reservations via verified apps prevents these frauds.

Imposter scams feature criminals posing as customer service representatives on social media to extract sensitive data. Users should only engage with verified business accounts and never share personal details through direct messages.

Non-delivery scams occur when buyers pay for goods they never receive or sellers ship items without receiving payment. Using platforms with buyer and seller protections minimizes these risks.

Protection strategies

Awareness and simple habits provide effective defense. Slowing down before clicking links, verifying sellers through reviews, and favoring credit cards over peer-to-peer payment apps significantly reduce risk. When a message pushes urgency, pausing to verify it can prevent costly mistakes and protect finances throughout the holiday season.

Airbus Signals Shift Toward European Sovereign Cloud to Reduce Reliance on US Tech Giants

 

Airbus, the European aerospace manufacturer, is preparing to reduce its dependence on large American technology providers such as Google and Microsoft, and is rethinking how and where its critical digital workloads run.

The company is expected to issue a request for proposals to move its most critical systems to a sovereign cloud controlled by European companies, a notable change in how Airbus runs its digital infrastructure and a bid to regain control over that work. Airbus today relies heavily on Google and Microsoft services: its estate includes large data centers alongside collaboration tools such as Google Workspace, and it uses Microsoft software for finance.

Classified and military documents are already excluded from public cloud environments, because Airbus wants to retain control over that data and avoid exposure to foreign rules and regulations. These concerns are not new.

What is now under consideration is moving on-premises applications to the cloud: enterprise resource planning, the manufacturing execution platforms that run the factories, customer relationship management tools, and the product lifecycle management software in which aircraft designs are stored.

These systems hold large volumes of sensitive information and run the business, so where they are hosted matters. Airbus leadership has described the information in them as a matter of European security, which means the systems must stay in Europe and the cloud infrastructure beneath them must be controlled by European companies. Keeping aircraft design data safe is the driver behind the search for a solution that meets European security standards.

European companies more broadly are increasingly concerned about control over their digital infrastructure, particularly given the differences between European and U.S. rules. Large American providers such as Microsoft, Google and Amazon Web Services have responded with offerings intended to address these worries, but many European organizations remain unconvinced that they can rely on them.

The main concern is the US CLOUD Act, which allows American authorities to compel U.S.-based providers to hand over data even when it is stored in other countries. European companies see this as giving U.S. authorities reach into their data and undermining their digital sovereignty.

For organizations handling sensitive industrial, defense or government information, that legal reach is a serious problem. Digital sovereignty means that a country or region controls its digital systems, how data is handled, and who can access it, so that its own laws govern how information is protected. Airbus's move reflects a wider European effort to bring cloud operations in line with the region's laws and priorities.

The CLOUD Act concern is not theoretical. Testifying under oath in France, Microsoft stated that it cannot guarantee that customer data stored in Europe will never be handed to the U.S. government. The company said it had not yet been required to turn over European customer data, but acknowledged that it must comply with U.S. law.

That admission illustrates the legal bind facing U.S.-headquartered cloud providers, of which the CLOUD Act is one part. Airbus' reported move toward a sovereign European cloud underscores a growing shift among major enterprises that view digital infrastructure not just as a technical choice, but as a matter of strategic autonomy.

As geopolitical tensions and regulatory scrutiny increase, decisions about where data lives and who ultimately controls access to it are becoming central to corporate risk management and long-term resilience.

FCC Rules Out Foreign Drone Components to Protect National Networks

 


The United States Federal Communications Commission has taken a decisive step in federal oversight of unmanned aerial technology: it has prohibited the sale of newly manufactured foreign drones and their essential hardware components in the United States, citing national security.

Under the regulatory action, revealed on Monday, DJI, Autel and other overseas drone manufacturers have been placed on the FCC's "Covered List," which means they cannot obtain the agency's mandatory equipment authorization to import, sell or market new drone models and critical parts to consumers.

The decision follows a directive issued by the U.S. Congress in December 2024, which required DJI and Autel to be added to the list within a year unless a government review validated the continued sale of their systems.

The ban signals that the perceived risks associated with foreign drone systems and components, especially those from Chinese manufacturers, are judged incompatible with the security thresholds established to protect U.S. technology infrastructure and communications networks, and with the standards that must be met to obtain equipment authorization.

Adding unmanned aerial technology to the Covered List, a list of technologies that cannot be imported or sold commercially in the United States on security grounds, means DJI and other foreign drone manufacturers will not be able to obtain the equipment authorization required to import and sell drones.

A statement issued by the agency on Monday emphasized the security rationale for the decision, saying the ban is meant to mitigate the risk of drone disruption, unauthorized surveillance, data extraction, and other airborne threats to the nation's infrastructure.

The rule does not significantly affect the drone ecosystem already in the country. During the Commission's meeting it was clarified that the restrictions apply only to future product approvals, not to drones or components currently sold in the United States; previously authorized drone models remain legal to operate.

The FCC has not responded to media inquiries about whether retroactive action is being contemplated, and has given no indication of immediate plans to revoke past approvals or impose retroactive prohibitions.

For now the rule is forward-looking, leaving thousands of foreign-made unmanned aircraft already deployed in the commercial, civilian and industrial sectors unaffected. Previously authorized foreign drones can still be owned and sold, but because the FCC has brought critical parts within the scope of the ban, there is new uncertainty about long-term maintenance, repair, and supply chain security.

Industry observers warn that replacement batteries, controllers, sensors, and other components crucial to drone fleet operations will become harder to source and more expensive, potentially threatening operational uptime.

Strong opposition has come from the U.S. commercial drone industry, whose almost 500,000 FAA-licensed pilots depend on imported aircraft for day-to-day work including mapping, surveying, infrastructure inspection, agricultural monitoring, and emergency response. According to the Wall Street Journal, in a Pilot Institute survey of 8,000 commercial pilots last year, 43 percent expected the ban to have an "extremely negative" impact on their companies or to end their businesses altogether.

Those figures underline the concern that the policy's economic impact could be as disruptive as its security motivation is preventive. In anticipation of the ruling, a number of operators had already begun stockpiling drones and spare parts, a sign that the market expected procurement bottlenecks.

The depth of foreign dependency is evident in DJI, the Shenzhen-based manufacturer, which alone accounts for 70 to 90 percent of the commercial, government, and consumer drone market in the United States.

The geospatial data industry is a typical example of this reliance: firms like Vancouver-headquartered Spexi deploy large freelance pilot networks to scan regions for maps and mapping intelligence.

Spexi CEO Bill Lakeland said its pilots primarily fly DJI aircraft such as the widely used DJI Mini series, acknowledging the company's dependence on imported hardware. He said operations have been mostly "reliant on the DJI Minis," but confirmed the company is exploring diversification strategies and developing proprietary hardware for the future.

Cost remains a significant barrier: domestically manufactured drones are considerably more expensive, which is pushing firms like Spexi to consider building their own alternatives despite the engineering and financial overhead involved.

A Chinese government spokesperson identified as Lin said, "The U.S. should correct its erroneous practices and protect Chinese businesses by providing them an environment that is fair, just, and non-discriminatory," reflecting Beijing's position that the move amounts to exclusion rather than risk-based regulation. The dispute mirrors earlier FCC actions that added several Chinese enterprises to the same Covered List on similar security grounds, effectively preventing those firms from obtaining federal equipment authorizations.

Unease about Chinese-manufactured drones long predates the current regulatory wave. The U.S. Army has banned the use of DJI drones since 2017 over cybersecurity vulnerabilities that it considered an operational risk.

That same year, the Department of Homeland Security circulated an internal advisory warning that Chinese-built unmanned aerial systems may transmit sensitive data such as flight logs and geolocation back to their manufacturers. Concern about cross-border data exposure was growing well before Congress and federal agencies began formalizing import controls.

The FCC set out the rationale for its sweeping restrictions in detail, pointing out that unmanned aerial systems and their components manufactured overseas are highly vulnerable to exploitation by foreign adversaries. The components in scope include data transmission modules, communication systems, flight controllers, ground control stations, navigation units, batteries, and smart power systems.

Such components could be manipulated to enable persistent surveillance, unauthorized extraction of sensitive data, and even destructive actions within the U.S. Nevertheless, the agency indicated that specific foreign-made drones or parts could be exempted from the ban if the Department of Homeland Security determined they do not pose such risks, underlining that the restrictions are based on assessed security vulnerabilities rather than blanket exclusion.

The rule also preserves continuity for current owners and the retail sector. Consumers can continue to use drones they have already purchased, and authorized retailers remain eligible to import, market, and sell previously approved models.

The regulatory development follows a larger national security policy move: President Donald Trump signed the National Defense Authorization Act for Fiscal Year 2026 last week, which included enhanced measures to protect the nation's airspace from unmanned aircraft that threaten public safety or critical infrastructure.

The FCC has tightened technology controls before. In 2022 the agency added Russian cybersecurity firm Kaspersky to its Covered List, effectively barring the company from offering its software directly or indirectly to Americans on similar data integrity and national security grounds.

The FCC's decision is one of the most significant regulatory interventions ever made in the U.S. drone industry, reinforcing a broader federal strategy that links supply-chain sovereignty, aviation security, and communications infrastructure.

Although the ban is limited to future approvals, it marks a significant shift in the policy environment: market access now depends heavily on geopolitical risk assessment, hardware traceability, and data governance transparency, among other factors.

Industry analysts point out that the ruling may accelerate domestic innovation by giving domestic manufacturers an incentive to expand production, improve cost efficiency, and strengthen component-level cybersecurity standards.

Commercial operators are advised to prepare for short-term constraints by reassessing vendor dependence, holding maintenance inventories where technically viable, and favoring modular platforms that allow interoperability between manufacturers.

At the same time, policymakers will have to balance national security against economic continuity, ensuring safeguards do not unintentionally obstruct critical services such as disaster response, infrastructure monitoring, and geospatial intelligence. The ruling could reshape the world's largest commercial UAS market, defining new terms for how drones are built, approved, deployed, and secured.

Korean Air Confirms Employee Data Leak Linked to Third-Party Breach

 



Korean Air has confirmed that personal information belonging to thousands of its employees was exposed following a cyber incident at Korean Air Catering and Duty-Free, commonly referred to as KC&D. The company disclosed the issue after receiving notification from KC&D that its internal systems had been compromised by an external cyberattack.

KC&D, which provides in-flight meals and duty-free sales services, was separated from Korean Air in 2020 and now operates as an independent entity. Despite this separation, KC&D continued to store certain employee records belonging to Korean Air, which were housed on its enterprise resource planning system. According to internal communications, the exposed data includes employee names and bank account numbers. Korean Air estimates that information related to approximately 30,000 employees may have been affected.

The airline clarified that the incident did not involve passenger or customer data. Korean Air stated that, based on current findings, the breach was limited strictly to employee information stored within KC&D’s systems.

In an internal notice circulated to staff, Korean Air acknowledged that while the breach occurred outside its direct operational control, it is treating the situation with seriousness due to the sensitivity of the information involved. The company noted that it only became aware of the incident after KC&D formally disclosed the breach.

Following the notification, Korean Air said it immediately initiated emergency security measures and reported the matter to relevant authorities. The airline is actively working to determine the full extent of the exposure and identify all affected individuals. Employees have been advised to remain cautious of unexpected messages or unusual financial activity, as exposed personal information can increase the risk of scams and identity misuse.

Korean Air leadership reassured staff that there is currently no evidence suggesting further leakage of employee data beyond what has already been identified. The company also stated that it plans to conduct a comprehensive review of its data protection and security arrangements with external partners to prevent similar incidents in the future.

Although Korean Air has not officially attributed the attack to any specific group, a ransomware operation has publicly claimed responsibility for breaching KC&D’s systems. This claim has not been independently verified by Korean Air. Cybersecurity analysts have noted that the same group has been linked to previous attacks exploiting vulnerabilities in widely used enterprise software, often targeting third-party vendors as an entry point.

Ransomware groups typically operate by stealing sensitive data and threatening public disclosure to pressure victims. Such attacks increasingly focus on supply-chain targets, where indirect access can yield large volumes of data with fewer security barriers.

Korean Air stated that investigations are ongoing and that it will continue cooperating with authorities. The airline added that further updates and support will be provided to employees as more information becomes available.

A Year of Unprecedented Cybersecurity Incidents Redefined Global Risk in 2025

 

The year 2025 marked a turning point in the global cybersecurity landscape, with the scale, frequency, and impact of attacks surpassing anything seen before. Across governments, enterprises, and critical infrastructure, breaches were no longer isolated technical failures but events with lasting economic, political, and social consequences. The year served as a stark reminder that digital systems underpinning modern life remain deeply vulnerable to both state-backed and financially motivated actors. 

Government systems emerged as some of the most heavily targeted environments. In the United States, multiple federal agencies suffered intrusions throughout the year, including departments responsible for financial oversight and national security. Exploited software vulnerabilities enabled attackers to gain access to sensitive systems, while foreign threat actors were reported to have siphoned sealed judicial records from court filing platforms. The most damaging episode involved widespread unauthorized access to federal databases, resulting in what experts described as the largest exposure of U.S. government data to date. Legal analysts warned that violations of established security protocols could carry long-term legal and national security ramifications. 

The private sector faced equally severe challenges, particularly from organized ransomware and extortion groups. One of the most disruptive campaigns involved attackers exploiting a previously unknown flaw in widely used enterprise business software. By silently accessing systems months before detection, the group extracted vast quantities of sensitive employee and executive data from organizations across education, healthcare, media, and corporate sectors. When victims were finally alerted, many were confronted with ransom demands accompanied by proof of stolen personal information, highlighting the growing sophistication of data-driven extortion tactics. 

Cloud ecosystems also proved to be a major point of exposure. A series of downstream breaches at technology service providers resulted in the theft of approximately one billion records stored within enterprise cloud platforms. By compromising vendors with privileged access, attackers were able to reach data belonging to some of the world’s largest technology companies. The stolen information was later advertised on leak sites, with new victims continuing to surface long after the initial disclosures, underscoring the cascading risks of interconnected software supply chains. 

In the United Kingdom, cyberattacks moved beyond data theft and into large-scale operational disruption. Retailers experienced outages and customer data losses that temporarily crippled supply chains. The most economically damaging incident struck a major automotive manufacturer, halting production for months and triggering financial distress across its supplier network. The economic fallout was so severe that government intervention was required to stabilize the workforce and prevent wider industrial collapse, signaling how cyber incidents can now pose systemic economic threats. 

Asia was not spared from escalating cyber risk. South Korea experienced near-monthly breaches affecting telecom providers, technology firms, and online retail platforms. Tens of millions of citizens had personal data exposed due to prolonged undetected intrusions and inadequate data protection practices. In one of the year’s most consequential incidents, a major retailer suffered months of unauthorized data extraction before discovery, ultimately leading to executive resignations and public scrutiny over corporate accountability. 

Collectively, the events of 2025 demonstrated that cybersecurity failures now carry consequences far beyond IT departments. Disruption, rather than data theft alone, has become a powerful weapon, forcing governments and organizations worldwide to reassess resilience, accountability, and the true cost of digital insecurity.

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree

 

Former incident responders Ryan Clifford Goldberg and Kevin Tyler Martin have pleaded guilty to participating in a series of ransomware attacks while working at cybersecurity firms tasked with helping organizations recover from such incidents. The case highlights a rare instance of trusted professionals abusing their positions to commit cybercrime, causing significant damage to multiple organizations in 2023.

Goldberg, formerly a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with an unnamed co-conspirator to carry out ransomware attacks using the ALPHV (BlackCat) ransomware variant. According to federal court records, the total losses caused by their actions exceeded $9.5 million. The attacks targeted a medical company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia. 

The indictment revealed that the trio received nearly $1.3 million in ransom payments from the Florida medical company in May 2023, but were unable to extort payments from the other victims. The ALPHV/BlackCat ransomware, first identified in late 2021, has been linked to numerous attacks on critical infrastructure providers, including the high-profile breach of UnitedHealth Group’s subsidiary Change Healthcare in 2024.

Goldberg and Martin each pleaded guilty to one count of conspiracy to interfere with interstate commerce by extortion, which reduces their maximum penalty from 50 years to 20 years in federal prison. As part of their plea agreements, both defendants are ordered to forfeit $342,000, representing the value of proceeds traced to their crimes. The court may also impose fines of up to $250,000 and additional restitution. 

A spokesperson for DigitalMint stated that the company cooperated fully with the Justice Department and supports the outcome as a step toward accountability. “His behavior is a clear violation of our values and ethical standards,” the spokesperson said, emphasizing that Martin’s actions were undertaken without the company’s knowledge or involvement. Sygnia did not immediately respond to requests for comment. 

Prosecutors noted that Goldberg and Martin abused their positions of trust and used their specialized skills to facilitate and conceal their crimes. Officials have indicated that they will recommend reduced sentences if both defendants make full, accurate, and complete disclosures of their offenses and refrain from committing further crimes.

Grubhub Branding Misused to Promote Exponential Crypto Returns

 


The holiday season is a time when consumer engagement is at its peak and digital transactions are in the ascendant. However, a wave of misleading communication has been plaguing Grubhub's user community in recent weeks. 

There has been an increase in the number of users of Grubhub's online food delivery platform that has been targeted by a coordinated email scam designed to mimic Grubhub's infrastructure in order to cultivate trust among its customers.

It was falsely framed as part of a holiday crypto promotion. It used the authentic-sounding subdomain b.grubhub.com. The emails were derived from addresses typically associated with the company’s merchant partner outreach, appearing to have originated from those addresses. 

The verified communications team at Grubhub uses a similar domain when communicating with restaurants and commercial partners, giving legitimacy to what has really been a malicious impersonation campaign in reality. A fraud email was sent to users that asked them to transfer Bitcoins to external wallets and promised a tenfold return within minutes.

One widely circulated message claimed that only 30 minutes remained in the promotion and that any Bitcoin sent would be multiplied tenfold, illustrating how heavily the scam relies on urgency and unrealistic financial incentives to persuade victims. 

Multiple reports indicate that the emails were dispatched from counterfeit addresses resembling merchant support channels, including Grubhubforrestaurants and other restaurant-specific sender tags. The scam, active since December 24, is highly personalized: recipient names are embedded directly in the email body and delivery metadata, which points to structured data harvesting or prior breach exposure.

Across the cryptocurrency fraud landscape, social engineering attacks have grown increasingly sophisticated, according to a study by the University of Surrey. These attacks are raising renewed concerns about the misuse of digital trust, brand-based impersonation, and the exploitation of corporate identity. 

Recipients reported receiving scam emails titled merry-christmas-promotion and crypto-promotion starting on December 24. The emails were deceptively attached to the b.grubhub.com subdomain and contained personal identifiers, including recipients' full names and e-mail addresses.

The scam is a textbook example of a high-yield cryptocurrency reward scam: it relies on psychological levers such as trust, financial aspiration, and manufactured urgency, and promises high returns for minimal investment. The attackers' narrative of exponential returns on Bitcoin transfers is consistent with cryptocurrency fraud models that use implausible incentives to overcome skepticism. 

Some users and independent researchers have suggested that the incident could have been caused by a DNS takeover, in which case the forged emails would have passed normal authentication checks. Grubhub has not officially confirmed these claims, nor has it provided any technical details about the breach. 

The company told BleepingComputer that the issue was identified within its merchant partner communications channels and promptly isolated, and that a full investigation is under way to prevent a recurrence. A spokesperson added that containment measures were implemented immediately, suggesting the platform views the incident not as routine spam but as a targeted attack on the integrity of its communications. 

The incident also revived discussion of Grubhub's disclosure earlier this year, when the company reported that a threat actor had gained access to its servers and obtained a large volume of contact information belonging to customers, merchants, and delivery drivers, though not payment credentials. 

Although the January breach is not structurally related, experts note that previously exposed identity datasets often resurface as raw material for impersonation campaigns, sometimes a decade or two later, giving attackers the level of personalization needed to appear credible and targeted. 

Law enforcement agencies report an escalation in digital fraud during high-traffic holiday periods, a trend highlighted in a recent public advisory from the Federal Bureau of Investigation cautioning consumers about the seasonal cycle of scams. According to the bureau, attackers deliberately step up activity when demand for discounts, limited-time offers, and fast money is high, deploying schemes built on expectation and urgency. 

The FBI lists non-payment and non-delivery scams among the most frequently reported tactics in 2024, with victims misled into paying for goods or services that never materialized. The financial impact of these frauds has been significant. 

The FBI estimates that in 2024 alone these frauds accounted for more than $785 million in losses, with credit card fraud contributing a further $199 million, underscoring the continued profitability of impersonation-driven financial crime. 

Investigators also highlighted that phishing has evolved beyond traditional credential theft and increasingly targets passwords for cryptocurrency exchanges and access to digital wallets, where a single compromised account can allow assets to be liquidated and transferred immediately. 

A recent FBI advisory urges users to be cautious with unsolicited links. Authorities warn that malicious landing pages are routinely used to collect crypto-platform authentication details, including multi-factor authentication codes, in order to divert funds that may never be recovered. 

Researchers have drawn parallels between the ongoing Grubhub campaign and the broader crypto-doubling scam, a social engineering pattern that combines recognizable branding, individualized targeting, and a countdown-style deadline to feign legitimacy and defuse suspicion. 

Industry experts and national agencies have repeatedly identified communications that combine verified-looking domain names, time-sensitive ultimatums, or requests for transfers to external wallets as among the most obvious behavioral indicators of fraud. 

Both Grubhub's guidance and federal authorities stress that independent verification through official channels is key to establishing authenticity, especially when messages are individually addressed. Personalization is no longer a reliable sign of legitimacy; it is often a sign that prior personal data exposure has been weaponized to enhance credibility. 
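The behavioral indicators listed above, together with the caveat that personalization proves nothing, turned into a small mail-triage check as an added example; this is not code from the article or from Grubhub. The two messages and their Authentication-Results headers are constructed, and only the grubhub.com brand domain and the b.grubhub.com subdomain are taken from the article.

```python
"""Heuristic triage of a suspected crypto-doubling phishing email. Added example;
the sample messages are constructed and the Authentication-Results header is
assumed to have been stamped by the receiving mail server."""
import re
from email import message_from_string

# Indicators named in the article: brand-aligned sender domain, countdown-style
# deadline, promised multiplication of funds, and a transfer to an external wallet.
DEADLINE_RE = re.compile(r"\b\d+\s*(minutes?|hours?)\s+(left|remaining)\b", re.I)
MULTIPLIER_RE = re.compile(r"\b(tenfold|10x|doubled?|multiplied)\b", re.I)
WALLET_RE = re.compile(r"\b(bitcoin|btc)\b.*\b(wallet|address)\b", re.I | re.S)
AUTH_PASS_RE = re.compile(r"\b(spf|dkim|dmarc)=pass\b", re.I)


def triage(raw: str, brand_domains: set[str]) -> dict:
    """Parse one RFC 822 message string and report which indicators fired."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    dom = m.group(1).lower() if m else ""  # sender domain from the From header
    auth = msg.get("Authentication-Results", "")
    hits = {
        # The brand's own domain, or any subdomain of it, borrows its credibility.
        "brand_domain": any(dom == b or dom.endswith("." + b) for b in brand_domains),
        # No SPF/DKIM/DMARC pass recorded: the sender was never authenticated.
        "auth_missing_or_failed": AUTH_PASS_RE.search(auth) is None,
        "deadline": DEADLINE_RE.search(body) is not None,
        "multiplier_promise": MULTIPLIER_RE.search(body) is not None,
        "external_wallet": WALLET_RE.search(body) is not None,
    }
    hits["score"] = sum(hits.values())  # how many of the five indicators fired
    return hits


# Constructed samples: the scam pattern the article describes, and a benign
# partner mailing sent from the same subdomain.
SCAM = """From: Grubhub for Restaurants <promo@b.grubhub.com>
Subject: crypto-promotion
Authentication-Results: mx.example.test; spf=fail; dkim=none; dmarc=fail

Dear Alex Example, only 30 minutes left! Send Bitcoin to the wallet
address below and receive it back tenfold within minutes.
"""
LEGIT = """From: Grubhub for Restaurants <partners@b.grubhub.com>
Subject: Your weekly order summary
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass

Hi Alex, here is your order summary for the week.
"""
```

Note that the recipient's name appears in both samples and is deliberately not scored, since the article's point is that personalization cuts both ways.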

The ramifications of the phishing campaign go far beyond the theft of isolated sums. They prompt a broader discussion of digital trust, corporate identity, and the fragility of brand credibility in an increasingly weaponized online environment. Affected users are at direct risk of losing cryptocurrency, while Grubhub itself faces an equally troubling threat: an erosion of public confidence driven not by an actual security breach but by the perception of one. 

As industry observers and researchers have noted for years, modern phishing operations no longer depend solely on technical intrusion; their success rests equally on psychological authenticity, where familiar email formats, harvested personal identifiers, and brand-aligned subdomains shape whether a message is believed. 

The incident has also drawn attention to how cybercriminals reuse previously disclosed identity datasets, routinely repurposing them to personalize fraudulent outreach at scale and give phishing mail the appearance of one-on-one legitimacy. Security commentators warn that such events can sow lasting doubt among consumers, who may be unable to distinguish a genuine system lapse from a forged communication. 

Even when corporate infrastructure remains intact, consumers may struggle to make that distinction, and the perception of a breach can be damaging in itself. The situation has also highlighted the growing gap between user preparedness and law enforcement agency preparedness, with cyber security experts emphasizing that phishing literacy is as crucial as good password hygiene. 

The recommended precautions are: verify unexpected financial or promotional claims through company channels rather than embedded links; strengthen account defenses with unique, high-entropy passwords; and enable multi-factor authentication as soon as possible, especially on cryptocurrency exchange accounts, where credential theft can result in a rapid, irreversible transfer of funds. 

The campaign is reportedly part of a larger pattern of crypto-doubling social engineering fraud, a scam archetype that has endured for years because it pairs technical deception with the lure of a big payday. 

In light of the incident, delivery platforms and digital marketplaces have been urged to step up customer education, combining technical monitoring with public awareness outreach, since the most effective defense against impersonation-driven fraud lies not in any single measure but in a combination of infrastructure resilience, informed skepticism, and a robust defensive strategy.