CySecurity News - Latest Information Security and Hacking Incidents: Cyber Crime

Cyber Crime Met Police Ransomware Splinter Groups

Ransomware Gangs Splinter as Cyber Threat Becomes More Volatile

Cybercrime is moving through a major reset as the ransomware world shifts away from big, organized cartels and toward smaller, more volatile splinter groups. Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, said the underground market has become a highly accessible ecosystem where criminals can buy tools, services, and stolen data with ease. He described it as a place where threat actors can get almost everything they need, except a good drink.

The biggest driver behind this change is convenience. Cryptocurrencies have removed one of the oldest bottlenecks in cybercrime by making it much easier to cash out illegal profits, while underground marketplaces now provide ransomware kits, phishing services, infrastructure, and support on demand. That lower barrier to entry has blurred the old lines between hacktivists, criminal gangs, and state-linked actors, creating a blended threat environment that is far more crowded and harder to police.

Lyne warned that law enforcement crackdowns are also reshaping the market. When large, centralized groups such as LockBit are disrupted, their affiliates do not disappear; they scatter into smaller factions, each trying to rebuild revenue streams in a less visible way. The result is a more fragmented and “post-trust” criminal scene, where weaker internal controls and looser coordination can make attackers more aggressive, reckless, and unpredictable.

The threat is also becoming more global. Lyne said the ransomware ecosystem is no longer dominated by traditional Russian-speaking hubs, with actors now emerging from Brazil, Türkiye, and English-speaking groups such as Scattered Spider. At the same time, criminals are increasingly using AI to search through hoarded corporate data, turning old thefts into fresh extortion opportunities and new monetization schemes.

For police and security teams, the response must go beyond arrests alone. Lyne said the Met Police cannot “arrest its way out” of the problem and instead needs to focus on disrupting infrastructure, weakening trust inside criminal networks, and working more closely with private-sector defenders. In practical terms, that means security teams should expect a ransomware landscape that is smaller in structure but sharper in impact, where fragmented gangs may strike faster and with fewer rules than the cartels they replaced.

Crypto Exploit Losses Plummet 90% in May to $68.3 Million as Thieves Hit Security Wall



 

Cyber Crime

Blockchain Security CertiK Report Crypto Thieves Cyber Crime

Crypto Exploit Losses Plummet 90% in May to $68.3 Million as Thieves Hit Security Wall

Crypto thieves are hitting a major wall, with exploit losses plunging nearly 90% in May 2026. Blockchain security firm CertiK reported that crypto platform losses fell to $68.3 million last month, a dramatic drop from the staggering $650 million stolen in April. This sharp decline signals improved security measures across the industry and represents the third month in 2026 where losses stayed below $100 million.

Code vulnerabilities were responsible for the bulk of May's damage, accounting for roughly 66% of total losses at approximately $45 million. Cross-chain bridges took the heaviest hit by category, absorbing 42% of total losses or $28.6 million. Despite the marked decrease, the sector wasn't entirely free from high-profile incidents, though the overall attack success rate has significantly diminished compared to previous months.

The positive trend reflects multiple factors working together to protect crypto assets. Improved security measures and rapid response capabilities are driving this improvement, even as vulnerabilities persist across the ecosystem. CertiK's data shows that attackers are facing stronger defenses, with platforms implementing more robust protection systems and responding faster to emerging threats. This defensive upgrade is forcing crypto thieves to "hit a wall" as their traditional exploit methods become less effective.

May 2026's performance stands in stark contrast to the previous quarter's chaos. The nearly 90% drop demonstrates that the industry is learning from past mistakes and adapting quickly to attack vectors. While $68.3 million in losses remains concerning, the trajectory is clearly positive, with monthly losses trending downward consistently through early 2026. Investors and platform operators are seeing tangible benefits from increased security investments.

This security improvement offers hope for the cryptocurrency industry's long-term viability. As platforms strengthen their defenses and response times, the success rate for exploits continues declining. The trend suggests that crypto thieves are struggling to adapt to newer security protocols, marking a turning point in the ongoing battle between attackers and defenders. While attacks will continue, the dramatic reduction in losses indicates the industry is finally building effective walls against digital theft.

Ransomware Revenues Climb as Criminal Networks Expand and Adapt like unwanted vines



 

rapid7

Cyber Crime Digital Fraud Extortion FBI FTSE IABs ransomware rapid7

Ransomware Revenues Climb as Criminal Networks Expand and Adapt like unwanted vines

Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.

According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.

Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.

Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.

A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.

Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.

The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.

Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.

The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.

To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.

The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.

According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.

Stablecoins Replace Bitcoin as the Primary Cryptocurrency in Illicit Transactions, Industry Data Shows



 

Stablecoins

Bitcoins Blockchain Integration crypto transactions cryptocurrency Cyber Crime data compliance Financial Regulators Money Laundering river Stablecoins

Stablecoins Replace Bitcoin as the Primary Cryptocurrency in Illicit Transactions, Industry Data Shows

For years, Bitcoin was widely associated with cryptocurrency-related crime. New industry data suggests that picture has changed astronomically, with stablecoins now accounting for the vast majority of identified illicit cryptocurrency activity.

The change of terms was accentuated by Bitcoin-focused financial services company River, which cited blockchain intelligence findings showing that Bitcoin's role in unlawful crypto transactions has declined sharply over the past several years. According to data attributed to Chainalysis, Bitcoin represented roughly 70% of illicit cryptocurrency transaction volume in 2020. By 2025, that figure had fallen to approximately 7%, while stablecoins had grown to account for around 84% of identified illicit transaction volume.

The numbers point to a drastic transformation in how cybercriminals, fraud operators, sanctioned entities, and money-laundering networks move digital funds across borders.

Why Stablecoins Are Becoming More Attractive to Criminal Networks

Unlike Bitcoin and many other cryptocurrencies, stablecoins are designed to maintain a relatively fixed value, typically by being linked to a traditional currency such as the U.S. dollar.

This stability removes one of the major risks associated with cryptocurrency transactions. A criminal group holding $1 million in Bitcoin today could see the value fluctuate significantly within days. Stablecoins largely eliminate that uncertainty, allowing illicit actors to move, store, and transfer funds without being exposed to major price swings.

Researchers say this makes stablecoins particularly useful in fraud schemes, investment scams, money-laundering operations, and cross-border transfers where predictable value is important.

The spike in acceptance of stablecoins across exchanges, payment services, and over-the-counter trading networks has also contributed to their increased use. Many stablecoins can be transferred globally within minutes while maintaining a value closely tied to fiat currency, making them practical for both legitimate and illegitimate financial activity.

Bitcoin Still Appears in Certain Criminal Operations

Despite its declining share, Bitcoin has not disappeared from the cybercrime infrastructure. It is still part of the overall pipeline in digital currency exchange.

Blockchain investigators continue to observe Bitcoin being used in ransomware attacks, darknet marketplaces, and extortion schemes. In these environments, long-established infrastructure, existing payment workflows, and familiarity among threat actors continue to support Bitcoin's use.

However, analysts note that criminal organizations are increasingly treating Bitcoin as only one option within a much larger digital financial ecosystem rather than the default cryptocurrency for illicit transactions.

Illicit Crypto Activity Continues to Soar

The change in asset preference comes as blockchain intelligence firms report increases in the overall value of illicit cryptocurrency activity.

TRM Labs recently estimated that illicit cryptocurrency flows reached approximately $158 billion in 2025, representing the highest level recorded by the company. The firm reported a sharp increase from the previous year, attributing much of the growth to sanctions-related activity, sophisticated money-laundering operations, underground financial networks, and expanded use of cryptocurrency by state-linked actors.

A large portion of these transactions involved stablecoins in the grand scheme of carrying out cyber criminal activities.

Researchers also observed that sanctions-evasion networks increasingly rely on stablecoins because of their liquidity, accessibility, and ability to move large sums through multiple jurisdictions with relative speed.

Compliance and Regulatory Pressure Expected to become more stringent

The developing concentration of illicit activity within stablecoin ecosystems is likely to intensify scrutiny from regulators and law-enforcement agencies.

Unlike decentralized cryptocurrencies, many major stablecoins are issued by identifiable companies that maintain reserve assets and have the technical ability to freeze certain wallets when required by legal authorities.

As a result, policymakers are increasingly examining how stablecoin issuers monitor suspicious transactions, respond to sanctions violations, and cooperate with criminal investigations.

Several stablecoin providers have already expanded collaboration with law enforcement agencies. Tether, the issuer of USDT, has publicly reported freezing wallets connected to suspected criminal activity, while blockchain analytics companies continue to develop tracking tools designed to identify suspicious transaction patterns across networks.

Criminal Use Remains a Small Portion of Overall Activity

Although illicit cryptocurrency volumes have risen in absolute terms, researchers caution against interpreting the data as evidence that most cryptocurrency activity is criminal.

Industry reports consistently show that unlawful transactions represent only a small fraction of total blockchain activity. Stablecoins process trillions of dollars in annual transaction volume, meaning the overwhelming majority of transactions are associated with legitimate uses such as payments, trading, remittances, and settlement activities.

Nevertheless, the latest findings draw a clearer picture into how criminal groups adapt quickly to changing financial technologies. While Bitcoin once dominated illicit cryptocurrency transactions, blockchain intelligence data now suggests that stablecoins have become the preferred vehicle for many forms of crypto-enabled financial crime due to their price stability, global accessibility, and ease of transfer.

The trend is expected to remain a driving focus for regulators, compliance teams, cryptocurrency exchanges, and law-enforcement agencies as governments continue developing rules for the rapidly expanding stablecoin sector.

AI Vigilante Sting Catches Alleged Paedophile Ex-Teacher in France



 

User Privacy

Cyber Crime French Teacher Minor Safety Sexual Exploitation User Privacy

AI Vigilante Sting Catches Alleged Paedophile Ex-Teacher in France

A retired French physical education teacher has been placed in custody after an online sting operation exposed what investigators say was a serious attempt to solicit a minor. The case has drawn wide attention because the “girl” he was speaking to was not real, but a digitally created identity controlled by an influencer known for targeting alleged predators. The meeting was streamed live, turning a criminal investigation into a public spectacle.

According to the BBC report, the 66-year-old man, identified as Dominique B, surrendered to authorities in eastern France one day after the exchange was broadcast. During the 40-minute interaction, he believed he was speaking with a 14-year-old girl, but the image and voice were being operated by a male influencer. Even though the visual disguise was imperfect, the setup was convincing enough to lead the retired teacher into inappropriate conversation.

The exchange reportedly attracted more than 40,000 live viewers and later approached a million views online. In the footage, the man is seen relaxing in a chair while the fake persona appears on screen, with the influencer adjusting his appearance to help maintain the illusion. The stunt’s reach shows how online platforms can amplify both exposure and controversy when criminal behavior is broadcast in real time.

French prosecutors in Vesoul say the man now faces charges for making sexual propositions to a person under 15 and for soliciting pornographic images from a minor. Those allegations carry serious legal and social consequences, especially given his former role as an educator. The case is likely to fuel further debate over the line between citizen-led vigilance and public shaming in digital spaces.

The influencer involved said his aim was to raise awareness, but the incident also highlights the growing use of deceptive online identities in anti-predator campaigns. While such tactics can expose dangerous behavior, they also raise questions about evidence, ethics, and the influence of livestream culture. For now, the French case stands as a stark reminder that online anonymity can be abused, and that public exposure is no substitute for lawful accountability.

Africa’s Digital Boom Makes It a Prime Target for Hackers



 

User Privacy

Africa Cyber Crime data security Digital Fraud User Privacy

Africa’s Digital Boom Makes It a Prime Target for Hackers

Africa’s digital boom is reshaping how people bank, work, study, and access public services, but that same progress is creating fresh openings for cybercriminals. As more governments and businesses move services online, attackers are finding more valuable systems to exploit, from mobile payments and health platforms to tax portals and identity databases.

The speed of digital adoption has often outpaced security investment, leaving weak points that can be difficult to fix later. In practical terms, the more connected Africa becomes, the larger the attack surface becomes for criminals looking for easy gains. One of the biggest risks is that many organizations still rely on limited budgets, outdated infrastructure, and a shortage of trained cybersecurity professionals.

Reports note that cybercrime losses in Africa now exceed $4 billion a year, while mobile-first threats such as SIM-swap fraud, phishing, and mobile money scams continue to rise. In some markets, cyberattacks are becoming more sophisticated, with criminals using automation and AI to make scams harder to detect. This is especially dangerous in countries where essential digital services are expanding quickly but security systems have not kept pace.

The problem is not only technical; it is also structural. Africa’s cybersecurity rules remain uneven across countries, making it harder to coordinate responses to cross-border attacks. Criminal groups can move between jurisdictions, exploit weak enforcement, and target victims at scale while leaving limited traces behind. At the same time, critical infrastructure such as power, telecoms, and hospitals is increasingly exposed because it depends on connected systems that are often not built with strong protection in mind. That combination of weak regulation, limited staffing, and rising digital dependence makes the continent an attractive hunting ground for hackers.

Cybersecurity experts argue that the solution must go beyond software and firewalls. Governments need stronger laws, better information-sharing, and more investment in training so that local teams can respond quickly to attacks. Businesses need to treat security as a core cost of digital growth, not an afterthought. Public awareness is also crucial, because many successful attacks still begin with simple tricks such as fake emails, urgent payment requests, or fraudulent links. If users understand the risks, the most common scams become much harder to carry out.

Africa’s digital future remains full of promise, but that promise depends on trust. If people cannot safely use online services, digital progress slows and confidence erodes. The continent now faces a clear choice: keep expanding online systems faster than they can be protected, or build security into digital growth from the start. The countries that succeed will be the ones that match innovation with resilience, and speed with discipline.

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams



 

Application Apps Crypto Crypto scams Cyber Crime Scam Telegram

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams

Cybersecurity experts found a large-scale fraud campaign that used Telegram’s Mini App feature to launch crypto attacks, mimic famous brands and spread Android malware.

FEMITBOT malware

Research by CTM360 has dubbed the platform as FEMITBOT, it is based on a string present in API responses and uses Telegram bots and integrated Mini Apps to make believable, app-like experiences directly inside the messaging platform.

These Mini Apps are lightweight web apps that run within Telegram’s built-in browser, allowing services like payments, interactive tools, and account access without needing users to leave the application. Exploiting Telegram Mini apps

The FEMITBOT platform is used for various scams such as financial frauds, AI tools, streaming sites, and fake cryptocurrency platforms.

In a few campaigns, hackers imitated famous brands to boost engagement and credibility, while having the same backend infrastructure with multiple Telegram bots and different domains.

Brands impersonated

Brands copied in this campaign are Disny, eBay, YouKu, NVIDIA, Moon Pay, Apple, and Coco-Cola. The campaign used a common backend, different phishing domains used the same API response: “Welcome to join the FEMITBOT platform," indicating they are all using the same infrastructure.

Telegram bots compromised

Campaign used Telegram bots to show phishing websites directly inside the social media site. Once a user interacts with a Telegram bot and opens “Start,” the bot starts a Mini App that shows a phishing page inside Telegram’s default WebView. The user is tricked into thinking it's part of the application itself.

Tricking users via phishing tactics

After entering the system, targets are displayed dashboards with fake balances with fake countdown timers or limited-time offers to bait users.

When a user tries to take money, they are asked to make a deposit or do referral work. This is a general tactic in advanced-fee scams and investments.

The infrastructure is built to be used across multiple campaigns so that hackers can easily switch among brands, themes, and languages. The campaigns also use tracking scripts like TikTok and Meta tracking pixels, to trace users’ activity, optimize performance, and measure interactions.

Malware distribution via mini apps

Additionally, some Mini Apps tried to spread malware by posing as companies like the BBC, NVIDIA, CineTV, Coreweave, and Claro in Android APKs.

“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.

North Korean Hackers Hack US Crytpo Executives in Just Five Minutes



 

North Korean Hackers

Crypto Cyber Crime Hacked Hacking North Korean Hackers

North Korean Hackers Hack US Crytpo Executives in Just Five Minutes

About Arctic Wolf

Cybersecurity experts at Arctic Wolf have disclosed information about an advanced campaign attacking North American Web3 and cryptocurrency organizations. State-sponsored group BlueNoroff launched the attack campaign, it is a financially motivated gang associated with the infamous North Korean Lazarus Group. The aim is to make persistent access on the victim device.

The gang does this by fooling the victim into deploying malware on the systems; however, their tactic is quite advanced.

The discovery

Arctic Wolf found an active malicious intrusion in which the threat actor used spear-phishing to send an altered Calendly calendar invite with a typo-squatted Zoom link while posing as a respectable person in the Fintech legal industry. When the victim clicked the link, they were shown a phony Zoom meeting interface that simultaneously launched a ClickFix-style clipboard injection attack and secretly exfiltrated their live camera feed to use as a lure in subsequent attacks.

After that, information was stolen from the victim's device and browsers via a multi-stage credential extraction pipeline that concentrated on cryptocurrency wallet extensions.v Now enters ClickFix

While launching the attack campaign, the hackers use real, high-profile people from the Web3 world, create fake headshots (that look real) via ChatGPT, and generate animated videos via Adobe Premiere Pro.

After this, the hackers would make a fake Zoom video call website similar to the actual Zoom call page, and would show the video to make it all look real.

Attack tactic

After this, BlueNoroff gang would invite the actual victim via Calendly, six months prior (to make it all look real and convincing) as prominent people are busy.

Once the victim opens the Zoom link, they see the usual: a video call webpage with the user on the other side moving and acting like they are real people (remember they are all fake sem-animated video)but, after eight seconds on call, a notification comes up, saying their “SDK is deprecated” and showing users “Update Now” option.

“The technical execution chain in this campaign is both efficient and operationally disciplined. From initial URL click to full system compromise, including C2 establishment, Telegram session theft, browser credential harvesting, and persistence, the attacker completed in under five minutes,” Arctic Wolf said.

Canada's First SMS Blaster Bust: 3 Arrested in Toronto Cybercrime Crackdown



 

Toronto Police

Canada Cyber Crime Cyber Scam SMS Blaster Toronto Police

Canada's First SMS Blaster Bust: 3 Arrested in Toronto Cybercrime Crackdown

Toronto police have exposed a first-of-its-kind SMS blaster cybercrime case in Canada, where investigators say three men used a rogue device to mimic a cell tower and push fake texts to nearby phones. The operation, known as Project Lighthouse, reportedly ran across the Greater Toronto Area for months before police arrested the suspects and seized multiple devices.

The core issue is the use of an SMS blaster, a tool that can trick smartphones into connecting to a fake cellular signal. Once connected, the device can send fraudulent messages that look like they come from banks, delivery services, or other trusted organizations, often leading victims to phishing sites that steal passwords or banking details. Police also said the tactic creates a wider network risk because it can interrupt legitimate mobile connections.

Investigators say the threat was not small in scale. Reports indicate tens of thousands of devices may have connected to the rogue equipment over several months, and police recorded more than 13 million network disruptions linked to the operation. That disruption is especially serious because it can interfere with emergency access, including the ability to reach 911.

The arrests show how quickly cybercrime is evolving from online-only scams into hybrid attacks that combine physical devices, mobility, and social engineering. Police charged the three suspects with a combined 44 offences, including fraud, mischief, personation, and unauthorized interception-related crimes. The case is being treated as Canada’s first confirmed investigation of this kind, which makes it a warning sign for other cities and countries.

The broader lesson is that mobile phones can be vulnerable even when users do not click anything suspicious. If a rogue tower is nearby, the attack can start at the network level and then move into fake texts, credential theft, and financial fraud. For readers, the main takeaway is to be cautious with urgent SMS links, verify messages through official apps or websites, and treat unexpected texts from banks or government services as potentially malicious.

French Prosecutors Escalate Elon Musk X Probe to Criminal Investigation



 

X Platform

Algorithm Bias Criminal Investigation Cyber Crime Elon Musk French Probe X Platform

French Prosecutors Escalate Elon Musk X Probe to Criminal Investigation

French prosecutors have escalated their inquiry into Elon Musk and X into a criminal investigation, widening a case that already included allegations of algorithmic manipulation, improper data extraction, and harmful content on the platform. The move deepens a legal fight that has followed Musk’s company across Europe and adds fresh pressure on X’s leadership as regulators scrutinize how the platform operates inside France.

Paris prosecutors say the investigation began after complaints in 2025 raised concerns that X’s recommendation systems may have influenced political discourse in France. The case later expanded to examine whether the platform’s chatbot Grok helped generate or spread content such as Holocaust denial, sexually explicit deepfakes, and material involving non-consensual or abusive imagery. French officials have also looked at whether X knowingly facilitated the creation and distribution of such content.

According to reporting on the case, Musk and former X chief executive Linda Yaccarino were summoned for questioning on April 20, but neither appeared or cooperated with the interview request. Musk has previously rejected the allegations, calling the probe politically motivated and describing earlier enforcement actions as an attack. The French side has continued moving forward despite his objections.

The investigation has broader implications because it touches on how social media platforms manage algorithms, user data, and AI-generated content. It also reflects a wider regulatory pattern in which governments are testing whether major tech companies can be held responsible for content moderation failures, platform design choices, and possible violations of local law. X has already faced similar scrutiny in other jurisdictions, adding to the company’s legal and reputational burden.

There is also an international dimension to the dispute. Reports say the U.S. Department of Justice declined to assist French authorities, arguing that France was improperly interfering in an American company’s affairs. That leaves the case positioned not only as a criminal probe of X, but also as a test of how far national regulators can go when platform decisions and AI tools have cross-border effects.

Hackers Attack School Login Pages After Another Instructure Breach



 

Data Stolen

AI Infrastructure Cyber Crime data steal Data Stolen

Hackers Attack School Login Pages After Another Instructure Breach

Instructure attacked

Last week, edtech giant Instructure reported a data breach where threat actors stole students’ personal data: names, email addresses, and conversations between students and teachers. Hackers compromised Instructure again, destroying various schools’ login sites to the platform Canvas. Canvas allows schools to handle coursework and assignments and talk with the students.

ShinyHunters claim responsibility Cybercrime gang ShinyHunters published a message on Canvas login pages of three distinct schools. An analysis of the compromised portals reveal that the hackers deployed an HTML file that compromised the login screens to show their message.

According to the message, the hackers have threatened to leak the stolen data on May 12, if the organization does not settle the negotiations.

Instructure’s website was partially online, and returned “too many requests” error. The organization’s portal showed a notice that said it was “currently undergoing scheduled maintenance.”

Instructure has not replied to TechCrunch’s request for a comment.

Attack tactic

Earlier, ShinyHunters claimed accountability for the real hack, publishing it on its leak site, a website that threat actors use to post stolen data and blackmail victims into paying heavy ransoms. The aim is to extort Instructure into paying by not leaking the information on the web publicly. How threat actors compromised the login pages is still not clear. In a conversation with TechCrunch, ShinyHunter said that they couldn’t give specific details but said that this is a second breach. Extortion and data theft After the original breach at Instructure, threat actors claimed to have extorted information from 9,000 schools globally. The stolen files allegedly comprised data of 231 million people. ShinyHunters gang has attacked scores of victims in the last two years, using the same attack tactic: hack, leak, and extort.

This took place in a unique hacking campaign, where an anonymous group of threat actors attacked systems already infected by an infamous hacking group called TeamPCP. Once the hackers gained access into these systems. After that, they removed TeamPCP hackers and turned off their tools, according to a report by cybersecurity firm SentinelOne.

The impact

Following this, the threat actors use their access to install code built to replicate across distinct cloud infrastructure such as a self-spreading worm, steal different credentials, and send the stolen data back to their infrastructure.

TeamPCP is a criminal gang that has made headlines in recent times. It is due to their high-profile hacks– a broadcast cyberattack against highly used bug scanner tool Trivvy, a breach of the European Commission’s cloud infrastructure, which impacted any organization that used it: LiteLLM and AI recruiting startup Mercor, besides others.

When Screens Turn Against You: The Dark Mechanics of Webcam Sextortion



 

malware

Cyber Crime CyberCriminal Human Psychology Malicious Activities malware

When Screens Turn Against You: The Dark Mechanics of Webcam Sextortion

In the dim privacy of a personal screen, where anonymity is often assumed and discretion rarely questioned, a silent threat has begun to take shape. What was once dismissed as a crude bluff has, in certain cases, evolved into something far more tangible. Cybercriminals are increasingly exploiting adult content viewers, using a blend of malware, deception, and psychological manipulation to turn private moments into instruments of blackmail.

Security researchers have identified malware capable of detecting when explicit content is being viewed and quietly activating a device’s camera to capture compromising footage. These recordings, paired with screenshots of on-screen activity, are then transmitted to attackers who weaponise them in what is now widely known as sextortion. However, what makes this threat particularly insidious is the emotional leverage it exploits, more than the technology behind it. Shame, fear, and urgency become tools more powerful than any line of malicious code.

Fear as a Weapon: The Psychology Behind the Scam

Even in cases where no actual recording exists, scammers have perfected the art of persuasion. Victims often receive emails claiming that their devices have been hacked and that their webcam has captured explicit footage. To make the threat believable, attackers sometimes include previously leaked passwords or personal details, creating an illusion of total access.

In reality, many such claims are entirely fabricated. Experts have repeatedly clarified that these messages rely on social engineering rather than real surveillance. The objective is simple. Induce panic, push the victim into silence, and extract payment before reason can intervene.

This strategy has proven alarmingly effective. Large-scale campaigns have generated substantial profits, not through technical sophistication alone, but through an acute understanding of human vulnerability.

Beyond Malware: A Wider Ecosystem of Exploitation

The threat landscape extends well beyond a single strain of malicious software. Adult content platforms, particularly those operating outside regulated ecosystems, have long been fertile ground for cybercrime. Malware disguised as media players or exclusive content continues to lure users into unknowingly compromising their own devices.

At the same time, new variations of these scams are emerging. In some instances, fraudsters pose as law enforcement officials, accusing individuals of viewing illegal material and demanding immediate payment under the threat of legal action. Taken together, these tactics reveal a broader pattern. The target is the individual behind the device, not just the device.

North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack



 

UNC1069

Axios Backdoor Cyber Crime Data North Korea UNC1069

North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack

Threat actors from North Korea hacked software used by organizations in the US to steal cryptocurrency to fund North Korea's nuclear and missile programs. Experts found 135 devices across 12 organizations hacked; however, the list of victims can increase. The investigation may take months to uncover full details of the campaign.

Axios attacked

Hackers targeted Axios, a famous open-source JavaScript library that developers use to oversee HTTP requests. The North Korean gang accessed organizations' systems via malware that opens backdoor access to OS. Hackers targeted two versions of Axios that were downloaded over 183 million times each week; organizations that downloaded it during the particular time period were exposed to the attack.

About the incident

Hackers with ties to Pyongyang gained access to the account of a software engineer who oversees the open-source program Axios on Tuesday for at least three hours. According to the report, the attackers used that access to send infected updates to any company that had downloaded the software at the time. This caused the software developer to rush to take back control of his account while cybersecurity executives nationwide attempted to determine the extent of the damage.

The impact

While the full damage may take months to fix, experts believe that hundreds of thousands of business secrets have already leaked, which can make it one of the worst data breaches.

About UNC1069

The North Korean group, suspicious of hacking Axios is called UNC1069. Since 2018, the gang has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,"

Why are attacks on the rise from North Korea

Hacking has become a staple of North Korea. The revenue generated from these cyberattacks funds the country’s nuclear and missile programs to the point that these plans are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms. This includes the infamous (and record-breaking) $1.5 billion crypto theft in 2025 in a single attack.

Most deadly cyberattack in history

The recent attack was the most advanced supply chain effort to date, cleaning its tracks after installing the payload on the target device. It made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore, they just disappears before detection.

FBI and Indonesian Police Dismantle W3LL Phishing Network in Major Cybercrime Bust



 

W3LL Phishing

Cyber Crime FBI Indonesian Police Joint Operation W3LL Phishing

FBI and Indonesian Police Dismantle W3LL Phishing Network in Major Cybercrime Bust

In a landmark international operation, the U.S. Federal Bureau of Investigation (FBI) collaborated with the Indonesian National Police to dismantle the W3LL phishing network, a sophisticated cybercrime platform responsible for over $20 million in attempted fraud.Authorities seized critical infrastructure, including key domains, and detained the alleged developer, identified as G.L., marking the first joint U.S.-Indonesia effort to shut down a hacking platform.

The FBI's Atlanta division led the charge, emphasizing that the takedown severs a vital tool cybercriminals used to steal account credentials from thousands of victims worldwide. The W3LL phishing kit, sold for around $500, empowered even low-skilled hackers by providing ready-made templates mimicking legitimate login pages for banks and services like Microsoft 365. This phishing-as-a-service (PhaaS) model allowed attackers to deploy fake sites that harvested credentials, hijacked session cookies, and bypassed multi-factor authentication (MFA) via adversary-in-the-middle (AitM) techniques.

First documented by Group-IB in 2023, W3LL operated through an underground "W3LL Store" serving about 500 threat actors with tools for phishing, business email compromise (BEC), and stolen data sales. Active since 2017, the network's developer previously created spam tools like PunnySender and evolved W3LL into a full-service ecosystem, reselling over 25,000 compromised accounts from 2019 to 2023. Even after the W3LL Store shuttered in 2023, operations persisted via encrypted messaging, rebranding the kit and targeting over 17,000 victims in 2023-2024 alone. French firm Sekoia noted code reuse in other kits like Sneaky 2FA, highlighting W3LL's enduring influence in the cyber underground.

FBI Atlanta Special Agent in Charge Marlo Graham hailed the bust as a strike against "full-service cybercrime," underscoring ongoing partnerships to protect the public. This operation disrupts a key resource for global fraud, but experts warn that cracked versions and similar kits continue circulating, perpetuating threats.For users in India and Asia, where phishing surges amid rising digital banking, the case spotlights the need for vigilance against PhaaS proliferation.

As cybersecurity evolves, such takedowns signal stronger global enforcement, yet the low barrier to entry for phishing tools demands proactive defenses like direct URL typing and advanced MFA. This victory reinforces international cooperation's role in combating cybercrime, potentially deterring similar networks while urging organizations to bolster detection.

Microsoft 365 Accounts Targeted in Large Iran-Linked Cyber Campaign



 

Ransomware

Cyber Crime Iran Microsoft 365 password spraying Ransomware

Microsoft 365 Accounts Targeted in Large Iran-Linked Cyber Campaign

A cyber operation believed to be linked to Iranian threat actors has been identified targeting Microsoft 365 environments, with a primary focus on organizations in Israel and the United Arab Emirates. The activity comes amid ongoing tensions in the Middle East and is still considered active.

According to research from Check Point, the campaign was carried out in three separate waves on March 3, March 13, and March 23, 2026. More than 300 organizations in Israel and over 25 in the U.A.E. were affected. Investigators also observed limited targeting in Europe, the United States, the United Kingdom, and Saudi Arabia.

The attackers focused on cloud-based systems used across a wide range of sectors, including government bodies, municipalities, transportation services, energy infrastructure, technology firms, and private companies. This broad targeting indicates an effort to access both public-sector systems and critical commercial operations.

The primary method used in the campaign is known as password spraying. In this technique, attackers attempt a small number of commonly used passwords across many accounts instead of repeatedly targeting a single account. This approach increases the chances of finding weak credentials while avoiding detection systems such as account lockouts or rate-limiting controls.

Security researchers noted that similar techniques have previously been associated with Iranian groups such as Peach Sandstorm and Gray Sandstorm. The current activity appears to follow a structured sequence. It begins with large-scale scanning and password attempts routed through Tor exit nodes to conceal the origin of the traffic. This is followed by login attempts, and in successful cases, the extraction of sensitive data, including email content from compromised accounts.

Analysis of Microsoft 365 logs revealed patterns consistent with earlier operations attributed to Gray Sandstorm. Investigators observed the use of red-team style tools and infrastructure, as well as commercial VPN services linked to hosting providers previously associated with Iran-linked cyber activity in the region.

To reduce risk, organizations are advised to monitor sign-in activity for unusual patterns, restrict authentication based on geographic conditions, enforce multi-factor authentication for all users, and enable detailed audit logs to support investigation in the event of a breach.

Renewed Activity from Pay2Key Ransomware Operation

In a related development, a U.S.-based healthcare organization was targeted in late February 2026 by Pay2Key, an Iran-linked ransomware group with connections to a broader threat cluster known by multiple aliases. The group operates under a ransomware-as-a-service model and was first identified in 2020.

The version used in this attack represents an upgrade from campaigns observed in July 2025, incorporating improved techniques for evasion, execution, and anti-forensic activity. Reports from Beazley Security and Halcyon indicate that no data was exfiltrated in this instance, marking a shift away from the group’s earlier double-extortion strategy.

The intrusion is believed to have begun through an unknown access point. Attackers then used legitimate remote access software such as TeamViewer to establish a foothold. From there, they harvested credentials to move laterally across the network, disabled Microsoft Defender Antivirus by falsely indicating that another antivirus solution was active, and interfered with system recovery processes. The attackers then deployed ransomware, issued a ransom note, and cleared logs to conceal their activity.

Notably, logs were deleted at the end of the attack rather than at the beginning, ensuring that even the ransomware’s own actions were removed, making forensic analysis more difficult.

The group has also adjusted its affiliate model, offering up to 80 percent of ransom payments, compared to 70 percent previously, particularly for attacks aligned with geopolitical objectives. In addition, a Linux variant of the ransomware has been identified in the wild. This version is configuration-driven, requires root-level access to execute, and is designed to navigate file systems, classify storage mounts, and encrypt data using the ChaCha20 encryption algorithm in either full or partial modes.

Before encryption begins, the malware weakens system defenses by stopping services, terminating processes, disabling security frameworks such as SELinux and AppArmor, and setting up a scheduled task to execute after system reboot. These steps allow the ransomware to run more efficiently and persist even after restarts.

Further developments point to coordination among pro-Iranian cyber actors. In March 2026, operators associated with another ransomware strain encouraged affiliates to adopt an alternative tool known as Baqiyat 313 Locker, also referred to as BQTLock, due to a surge in participation requests. This ransomware, which operates with pro-Palestinian motives, has been used in attacks targeting the U.A.E., the United States, and Israel since July 2025.

Cybersecurity experts note that Iran has a long history of using cyber operations as a response to political tensions. Increasingly, ransomware is being integrated into these efforts, blurring the line between financially motivated cybercrime and state-aligned cyber activity. Organizations need to adopt continuous monitoring, strong authentication measures, and proactive defense strategies to counter emerging threats.

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation



 

Malware Attack

Armenia Cyber Crime Cyberattacks cybersecurity attacks Data Theft Infrastructure Security Malware Attack

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation

A man from Armenia now faces trial in the U.S., accused of helping run a major cybercriminal network recently uncovered. On March 23, authorities took Hambardzum Minasyan into custody; later that week, he stood before judges in Austin. Officials there detailed how he supposedly aided the RedLine scheme behind the scenes.

Minasyan faces accusations tied to overseeing parts of a malicious software network, say U.S. justice officials. Hosting setups involving virtual servers - central to directing attacks - are part of what he allegedly handled. Domain registrations connected to RedLine operations were reportedly arranged by him. File-sharing platforms built under his direction may have helped spread the program to users. Control mechanisms behind these actions remain outlined in official claims.

After deployment, RedLine grabs private details like banking records and passwords from compromised devices. This stolen data often ends up traded or misused by online criminals. One key figure, Minasyan, allegedly helped manage core infrastructure alongside others involved. Control dashboards used by partners in the scheme were reportedly maintained through their efforts.

Besides handling infrastructure tasks, Minasyan faces claims he helped run money flows for the network. A digital currency wallet tied to him supposedly managed transactions among members and moved profits from compromised information. Officials report that the team continuously assisted people deploying the malicious software, guiding attack methods while boosting earnings.

Facing several accusations today, Minasyan is charged with using unauthorized access devices, breaking rules under the Computer Fraud and Abuse Act, along with plotting ways to launder money. A guilty verdict might lead to a maximum penalty of three decades behind bars.

A wave of global actions has tightened pressure on RedLine operations. Early in 2024, teams from several countries joined forces - among them officers from the Dutch National Police - to strike key systems powering the malware network. This push formed what officials later called Operation Magnus, a synchronized disruption targeting how the service operated.

Instead of selling outright, its creators let hackers lease access; investigators focused sharply on this rental setup during their work. A federal indictment names Maxim Alexandrovich Rudometov, a citizen of Russia, as central to creating the malicious software. Should he be found guilty, extended penalties may apply due to further allegations tied to his role.

A closer look reveals persistent attempts worldwide to weaken structured hacking groups while targeting central figures for responsibility. Despite challenges, momentum builds as actions cross borders to undermine digital criminal systems.

Cybercriminals Exploit Telnyx Package in Latest Supply Chain Attack



 

telnyx

AI vulnerabilities Cyber Crime Digital Service Act Snapchat telnyx

Cybercriminals Exploit Telnyx Package in Latest Supply Chain Attack

A cybercriminal group previously associated with a supply chain compromise involving the Trivy vulnerability scanner has launched another attack, this time targeting developers through manipulated Telnyx packages on the Python Package Index (PyPI).

According to findings from Ox Security, the group known as TeamPCP has re-emerged after its earlier involvement in distributing malicious versions of the LiteLLM package. That earlier campaign followed a breach affecting Trivy, an open-source vulnerability scanning tool, and resulted in compromised packages being made available to developers.

In the latest incident, the attackers appear to have interfered with the PyPI distribution of Telnyx’s Python software development kit. Telnyx, which provides voice-over-IP services and artificial intelligence-based voice solutions, had legitimate package versions replaced with altered releases containing a multi-stage information-stealing malware along with mechanisms designed to maintain long-term access on infected systems.

Researchers noted that while the malicious logic resembles what was previously observed in the LiteLLM case, the delivery technique differs. Instead of directly embedding harmful code into the package, the Telnyx versions retrieve a secondary payload disguised as a .wav audio file. This file is later decoded and executed on the victim’s machine, representing a more indirect and stealth-oriented infection method.

Telnyx acknowledged the issue and stated that it has since been resolved. The company clarified that the incident was limited strictly to its Python package and did not affect its infrastructure, network environment, APIs, or core services. However, it warned that any system where the affected package versions were installed should be considered compromised.

Users have been specifically advised to check whether they installed versions 4.87.1 or 4.87.2. If so, the recommendation is to treat the affected environment as breached and immediately rotate any credentials that may have been exposed.

The potential scale of exposure is notable. Ox Security reported that Telnyx packages receive more than 34,000 downloads per week on PyPI, suggesting that a considerable number of developers and services may have unknowingly installed the malicious versions before they were removed.

RedLine Infostealer Case Leads to Extradition

In a separate law enforcement development, a suspected individual connected to the RedLine infostealer operation has been extradited to the United States. Hambardzum Minasyan, an Armenian national, recently appeared in federal court in Austin, Texas.

He faces charges that include conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to engage in money laundering. According to court documents, his alleged role involved setting up virtual private servers and domains used to host RedLine infrastructure, maintaining repositories used to distribute the malware to affiliates, and registering cryptocurrency accounts used to collect payments.

If convicted on all counts, Minasyan could face a maximum sentence of 30 years in prison.

Authorities had previously identified another alleged key figure, Maxim Rudometov, in 2024, describing him as a central developer and operator of the RedLine malware. The U.S. government later announced a reward of $10 million for information related to Rudometov and his associates. It remains unclear whether any reward was issued in connection with Minasyan’s arrest.

EU Examines Snapchat and Adult Platforms Under Digital Services Act

Regulators in the European Union have also taken action against several online platforms over concerns related to child safety and compliance with the Digital Services Act.

Adult content platforms including Pornhub, Stripchat, XNXX, and XVideos have been provisionally found to be in violation of the law. The European Commission stated that these platforms rely on basic self-declaration systems requiring users to confirm they are over 18, without implementing robust age-verification mechanisms.

As these findings are preliminary, the companies have been given an opportunity to respond before any enforcement measures are finalized.

Snapchat is also under scrutiny, though at an earlier stage of investigation. The European Commission has indicated that the platform may face similar issues, particularly in relying on self-declared age verification. Regulators have raised concerns that such measures may not adequately protect minors from harmful interactions, including risks related to exploitation or recruitment into criminal activity.

A detailed investigation into Snapchat’s practices is now underway to determine whether further regulatory action is required.

LAPSUS$ Claims Data Leak from AstraZeneca

Meanwhile, the threat group LAPSUS$ has released a dataset totaling 2.66 GB, claiming it was stolen from pharmaceutical company AstraZeneca. If confirmed, the incident could become one of the more significant healthcare-related cybersecurity events of the year.

Analysis from SOCRadar suggests that the exposed data may include internal code repositories, authentication-related information, cloud infrastructure references, and employee records. Researchers indicated that the nature of the data points to a deeper operational compromise rather than a limited credential leak.

Such information could potentially be used to carry out further attacks, including targeted phishing campaigns or supply chain intrusions affecting AstraZeneca’s partners. The full dataset was reportedly released publicly over the weekend.

US Researchers Develop Large-Scale AI Vulnerability Detection System

In another development, researchers at Oak Ridge National Laboratory have introduced an advanced system designed to identify and exploit vulnerabilities in artificial intelligence models at scale.

The system, named Photon, operates at exascale computing levels and is capable of continuously probing AI systems for weaknesses. It begins by applying known attack techniques to a target model and then refines those methods based on observed responses. At the same time, it searches for previously unknown vulnerabilities and incorporates them into its testing cycle.

According to the research team, Photon was able to maintain approximately 95 percent computational efficiency while running across 1,920 GPUs on the Frontier supercomputer. It also reduced many of the operational bottlenecks typically associated with large-scale AI red-team testing.

Researchers describe Photon as a defining shift in AI security practices, enabling automated and continuous vulnerability discovery. However, they also noted that such capabilities are currently limited to highly resourced environments, meaning that widespread misuse by threat actors is unlikely in the near future.

International Crackdown Disrupts IoT Botnets Powering Large-Scale DDoS Attacks



 

Cybercrime Networks

Aisuru botnet AISURU Kimwolf botnet Botnet Cyber Attacks IoT Botnet Cyber Crime Cyber Security Cybercrime Networks

International Crackdown Disrupts IoT Botnets Powering Large-Scale DDoS Attacks

Early results came through cooperation among U.S., German, and Canadian agencies targeting major digital threats like Aisuru, KimWolf, JackSkid, and Mossad. Systems once used to manage attacks now stand inactive after teams disrupted central control points across borders. Instead of waiting, officials moved fast against links connecting malware operations - shutting down domains, servers, and coordination hubs.

What ran hidden for months became exposed overnight due to shared intelligence and precise actions. One after another, these botnets launched countless DDoS assaults across the globe - some aimed at critical systems like those tied to the Department of Defense Information Network. With each move, authorities hoped to break contact between hacked gadgets and cybercriminals. That separation would weaken control over the infected machines.

Over time, their capacity to act diminishes. Without signals from command servers, coordination crumbles. Even large-scale efforts lose momentum when links go silent. Behind the scenes, the goal remains clear: stop the flow before damage spreads further. One measure stands out when looking at recent cyber events - their sheer size. Not long ago, an assault tied to the Aisusu botnet hit speeds near 31.4 terabits each second, piling up 200 million queries in just one second.

That December incident wasn’t isolated; prior surges linked to the same system showed matching force. With time, such floods grow stronger, revealing how quickly disruption tools evolve. Figures released by the U.S. Department of Justice show botnet systems sent vast numbers of attack directives - hundreds of thousands in total. Among them, Aisuru was responsible for exceeding 200,000 such signals.

In contrast, KimWolf, along with JackSkid and Mossad, generated additional tens of thousands. Devices caught in these waves passed three million, largely made up of IoT hardware like cameras, routers, and recording units. Most of those compromised machines operated within American borders. From behind the scenes, access to hacked networks was turned into profit via a cybercrime rental setup, allowing third-party attackers to carry out intrusions, demand payments from targets, while knocking digital platforms offline.

Backing the operation's collapse, Akamai - a security company - pointed out how these sprawling botnets threaten core internet reliability, sometimes swamping defenses built to handle heavy assaults. Though this takedown deals a serious blow, specialists warn IoT-driven botnets remain an ongoing challenge in digital security. Still, new forms keep emerging despite progress made recently across enforcement efforts.

149 Hacktivist DDoS Claims Recorded Across 16 Countries Following Middle East Escalation



 

Middle East

Cyber Crime DDOS Attack Hackers IoT devices Middle East

149 Hacktivist DDoS Claims Recorded Across 16 Countries Following Middle East Escalation

A sharp rise in politically motivated cyber activity has emerged in the aftermath of the coordinated U.S.–Israel military operations against Iran, referred to as Epic Fury and Roaring Lion. Security analysts say online retaliation unfolded almost immediately, with hacktivist groups launching large-scale distributed denial-of-service, or DDoS, campaigns against institutions across multiple regions.

According to a report published by Radware, 149 separate DDoS attack claims were documented between February 28 and March 2, 2026. These incidents targeted 110 distinct organizations spanning 16 countries. Twelve different groups participated in the activity. Three of them, Keymous+, DieNet, and NoName057(16), were responsible for 74.6 percent of the total claims. Radware further noted that Keymous+ and DieNet alone accounted for nearly 70 percent of activity during that period.

The earliest attack in this wave was attributed to Hider Nex, also known as the Tunisian Maskers Cyber Force, on February 28. Information shared by Orange Cyberdefense describes Hider Nex as a Tunisian hacktivist collective aligned with pro-Palestinian causes. The group reportedly employs a dual strategy that combines service disruption with data theft and public leaks to amplify political messaging. Researchers trace its emergence to mid-2025.

Geographically, 107 of the 149 DDoS claims were directed at organizations in the Middle East, where government bodies and public infrastructure entities were disproportionately affected. Europe accounted for 22.8 percent of the global targeting during the same timeframe. By sector, government institutions represented 47.8 percent of all affected entities worldwide. Financial services followed at 11.9 percent, while telecommunications organizations accounted for 6.7 percent.

Within the Middle East, three countries experienced the highest concentration of reported activity. Kuwait accounted for 28 percent of regional attack claims, Israel represented 27.1 percent, and Jordan comprised 21.5 percent, according to Radware’s analysis.

Threat intelligence from Flashpoint, Palo Alto Networks Unit 42, and Radware identified additional groups engaged in disruptive campaigns, including Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro.

The cyber activity extended beyond DDoS operations. Pro-Russian hacktivist collectives Cardinal and Russian Legion publicly claimed breaches of Israeli military networks, including the Iron Dome missile defense system. These assertions have not been independently verified.

Separate threat reporting identified an active SMS-based phishing operation distributing a counterfeit version of Israel’s Home Front Command RedAlert mobile application. Victims were reportedly persuaded to install a malicious Android package disguised as a wartime update. Once installed, the application displayed a functional alert interface while covertly deploying surveillance and data-exfiltration capabilities.

Flashpoint also reported that Iran’s Islamic Revolutionary Guard Corps targeted energy and digital infrastructure sectors in the Middle East, including Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates. Analysts assessed that the intent was to impose broader economic pressure in response to military losses.

Researchers at Check Point observed that Cotton Sandstorm, also known as Haywire Kitten, revived a previous online identity called Altoufan Team and claimed responsibility for website compromises in Bahrain. The firm described the activity as reactive and warned of the likelihood of further involvement across the region.

Data from Nozomi Networks shows that the Iranian state-linked group UNC1549, also tracked as GalaxyGato, Nimbus Manticore, and Subtle Snail, ranked as the fourth most active threat actor in the second half of 2025. Its campaigns focused on defense, aerospace, telecommunications, and government entities in support of national strategic objectives.

Economic signals have also reflected the instability. Major Iranian cryptocurrency exchanges remain operational but have introduced adjustments such as batching or temporarily suspending withdrawals and issuing advisories about potential connectivity disruptions. Ari Redbord, Global Head of Policy at TRM Labs, stated that the situation does not yet indicate large-scale capital flight, but rather market volatility managed under connectivity constraints and regulatory intervention. He noted that Iran has long relied in part on cryptocurrency infrastructure to circumvent sanctions, and current conditions represent a real-time stress test of that system.

Despite heightened online activity, Sophos reported observing an increase in hacktivist operations without a corresponding escalation in confirmed impact. The firm cited DDoS attacks, website defacements, and unverified compromise claims attributed largely to pro-Iran personas, including Handala Hack and APT Iran.

The National Cyber Security Centre has warned organizations of elevated Iranian cyber risk and advised strengthening defenses against DDoS campaigns, phishing activity, and threats targeting industrial control systems.

Cynthia Kaiser of Halcyon, formerly Deputy Assistant Director of the Federal Bureau of Investigation’s Cyber Division, stated that Iran has historically used cyber operations to retaliate against perceived political provocations and has increasingly incorporated ransomware into its playbook. She added that Tehran’s tolerance of private cybercriminal actors provides strategic options when responding to geopolitical events.

SentinelOne assessed with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, particularly across government, critical infrastructure, defense, financial services, academic, and media sectors.

Nozomi Networks further emphasized that Iranian threat actors have a history of blending espionage, disruption, and psychological operations to achieve strategic objectives. During periods of instability, such campaigns often intensify and extend beyond immediate conflict zones.

To mitigate risk amid the ongoing conflict, security experts recommend continuous monitoring aligned with elevated threat conditions, updating threat intelligence signatures, minimizing external exposure, conducting comprehensive reviews of connected assets, enforcing strict segmentation between information technology and operational technology networks, and isolating Internet-of-Things devices.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, noted that Iranian cyber actors have historically synchronized digital campaigns with broader strategic goals. He added that these adversaries have evolved beyond traditional network intrusions, expanding into cloud and identity-focused operations capable of operating rapidly across hybrid enterprise environments with greater scale and impact.

As tensions persist, analysts caution that cyberspace is likely to remain an active parallel arena of confrontation, requiring sustained vigilance from organizations across affected and allied regions.

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations



 

Vishing

Advanced Social Engineering Cyber Crime IT Help Desk phishing Scattered Spider SIM swap Vishing

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.

The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.

SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.

A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.

To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.

Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.

Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.

Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.

Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing

In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”

Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.

ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneously, mobile-oriented phishing lures may reduce visibility within enterprise network monitoring systems. The firm also noted signs of outsourced criminal labor to scale phone, email, and SMS outreach.

While the impersonation style resembles earlier Scattered Spider techniques, ReliaQuest attributed the recent subdomain activity primarily to ShinyHunters based on victim targeting patterns and operational behavior. The company stated it has no independently verifiable evidence confirming that the broader SLH collective is responsible for the subdomain campaign, though partial collaboration among groups remains possible. It also observed Telegram discussions indicating that the actors sometimes “unite” for specific social engineering operations, though the structure and scope of such collaboration remain unclear.

Security experts increasingly warn that help desks represent a critical weak point in modern enterprise defense. As organizations strengthen technical controls such as MFA and endpoint detection, attackers are redirecting efforts toward human intermediaries capable of overriding safeguards. Industry reporting throughout 2024 and 2025 has shown a consistent rise in vishing-led intrusions tied to cloud identity compromise.

Defensive recommendations include implementing stricter identity verification workflows, eliminating SMS-based authentication where possible, enforcing conditional access policies, and conducting post-call audits for new administrative accounts or privilege changes. Continuous monitoring of cloud logs and abnormal single sign-on activity is also considered essential.

The recruitment-driven expansion of scripted vishing operations signals an ongoing professionalization of social engineering. Rather than relying solely on technical exploits, threat actors are scaling psychologically informed tactics to accelerate high-volume, low-cost account compromise across enterprise environments.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

FEMITBOT malware

Brands impersonated

Telegram bots compromised

Tricking users via phishing tactics

Malware distribution via mini apps

About Arctic Wolf

The discovery

Attack tactic

Instructure attacked

Attack tactic

The impact

Fear as a Weapon: The Psychology Behind the Scam

Beyond Malware: A Wider Ecosystem of Exploitation

Axios attacked

About the incident

The impact

About UNC1069

Why are attacks on the rise from North Korea

Most deadly cyberattack in history