North Korean Hackers Target Crypto Professionals With Info-Stealing Malware


North Korean hackers are tricking crypto experts into attending elaborate phoney job interviews in order to access their data and install sophisticated malware on their devices. 

Cisco Talos disclosed earlier this week that a new Python-based remote access trojan called "PylangGhost" has been linked to a North Korean hacking group dubbed "Famous Chollima," also known as "Wagemole." "Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the researchers explained. 

The effort uses fake employment sites that mimic reputable businesses like Coinbase, Robinhood, and Uniswap to recruit blockchain and crypto experts in India. The scam begins with bogus recruiters guiding job seekers to skill-testing websites, where they submit personal information and answer technical questions. 

Following completion of the assessments, candidates are directed to allow camera access for a video interview, and then urged to copy and execute malicious commands masked as video driver installations. 

Dileep Kumar H V, director of Digital South Trust, told Decrypt that to combat these scams, "India must mandate cybersecurity audits for blockchain firms and monitor fake job portals." "CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime," he stated, calling for "stronger legal provisions" under the IT Act and "digital awareness campaigns." 

The recently identified PylangGhost malware has the ability to harvest session cookies and passwords from more than 80 browser extensions, including well-known crypto wallets and password managers like Metamask, 1Password, NordPass, and Phantom. The Trojan runs remote commands from command-and-control servers and gains continuous access to compromised systems. 

This latest operation fits North Korea's broader pattern of crypto-focused cybercrime, which includes the infamous Lazarus Group, responsible for some of the biggest heists in the industry. Beyond stealing money directly from exchanges, the regime is now focusing on individual professionals to obtain intelligence and possibly infiltrate crypto organisations from within. 

With campaigns like "Contagious Interview" and "DeceptiveDevelopment," the gang has been launching hiring-based attacks since at least 2023. These attacks have targeted cryptocurrency developers on platforms like GitHub, Upwork, and CryptoJobsList.

BitoPro Blames North Korea’s Lazarus Group for $11 Million Crypto Theft During Hot Wallet Update


Taiwanese cryptocurrency exchange BitoPro has attributed a major cyberattack that resulted in the theft of approximately $11 million in digital assets to the infamous North Korean hacking group Lazarus. The breach occurred on May 8, 2025, when attackers exploited vulnerabilities during a hot wallet system upgrade.

According to BitoPro, its internal investigation uncovered evidence linking the incident to Lazarus, citing similarities in techniques and tactics observed in previous large-scale intrusions.

“The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges,” reads the company’s announcement.

BitoPro, which serves primarily Taiwanese customers and offers fiat currency transactions in TWD alongside various crypto assets, has over 800,000 registered users and processes nearly $30 million in trading volume each day.

During the attack, unauthorized withdrawals were conducted from an older hot wallet across multiple blockchains, including Ethereum, Tron, Solana, and Polygon. The stolen funds were subsequently funneled through decentralized exchanges and mixing services such as Tornado Cash, ThorChain, and Wasabi Wallet to obscure their origin.

Although the breach took place in early May, BitoPro publicly acknowledged the incident only on June 2, assuring users that platform operations remained unaffected and that impacted wallets were replenished using reserves.

The subsequent investigation concluded there was no evidence of insider involvement. Instead, attackers had carried out a sophisticated social engineering campaign that compromised an employee’s device responsible for managing cloud operations. Through this infection, they hijacked AWS session tokens, effectively bypassing multi-factor authentication protections to gain access to BitoPro’s cloud infrastructure.

The hackers’ command-and-control server then issued instructions to implant malicious scripts into the hot wallet host in preparation for the heist. By carefully simulating legitimate activity, they were able to transfer assets undetected when the wallet upgrade took place.

Once BitoPro became aware of the unauthorized activity, it deactivated the hot wallet system and rotated cryptographic keys, though by that point, roughly $11 million had already been drained.

The exchange has notified relevant authorities and collaborated with external cybersecurity specialists to conduct a thorough review, which concluded on June 11.

The Lazarus Group has developed a notorious reputation for targeting cryptocurrency platforms and decentralized finance ecosystems, with previous operations including a record-setting $1.5 billion theft from Bybit.

U.S. Senators Propose New Task Force to Tackle AI-Based Financial Scams

In response to the rising threat of artificial intelligence being used for financial fraud, U.S. lawmakers have introduced a new bipartisan Senate bill aimed at curbing deepfake-related scams.

The bill, called the Preventing Deep Fake Scams Act, has been brought forward by Senators from both political parties. If passed, it would lead to the formation of a new task force headed by the U.S. Department of the Treasury. This group would bring together leaders from major financial oversight bodies to study how AI is being misused in scams, identity theft, and data-related crimes and what can be done about it.

The proposed task force would include representatives from agencies such as the Federal Reserve, the Consumer Financial Protection Bureau, and the Federal Deposit Insurance Corporation, among others. Their goal will be to closely examine the growing use of AI in fraudulent activities and provide the U.S. Congress with a detailed report within a year.


This report is expected to outline:

• How financial institutions can better use AI to stop fraud before it happens,

• Ways to protect consumers from being misled by deepfake content, and

• Policy and regulatory recommendations for addressing this evolving threat.


One of the key concerns the bill addresses is the use of AI to create fake voices and videos that mimic real people. These deepfakes are often used to deceive victims—such as by pretending to be a friend or family member in distress—into sending money or sharing sensitive information.

According to official data from the Federal Trade Commission, over $12.5 billion was stolen through fraud in the past year—a 25% increase from the previous year. Many of these scams now involve AI-generated messages and voices designed to appear highly convincing.

While this particular legislation focuses on financial scams, it adds to a broader legislative effort to regulate the misuse of deepfake technology. Earlier this year, the U.S. House passed a bill targeting nonconsensual deepfake pornography. Meanwhile, law enforcement agencies have warned that fake messages impersonating high-ranking officials are being used in various schemes targeting both current and former government personnel.

Another Senate bill, introduced recently, seeks to launch a national awareness program led by the Commerce Department. This initiative aims to educate the public on how to recognize AI-generated deception and avoid becoming victims of such scams.

As digital fraud evolves, lawmakers are urging financial institutions, regulators, and the public to work together in identifying threats and developing solutions that can keep pace with rapidly advancing technologies.

Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange


Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attack exploited vulnerabilities during a system update, enabling the unauthorized withdrawal of funds from a legacy hot wallet spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain, making recovery and tracing more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

However, the attackers used social engineering tactics to infect a cloud administrator’s device with malware. This allowed them to steal AWS session tokens, bypass multi-factor authentication, and gain unauthorized access to BitoPro’s cloud infrastructure. From there, they were able to insert scripts directly into the hot wallet system and carry out the theft while mimicking legitimate activity to avoid early detection. 
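The MFA bypass described above works because the "MFA authenticated" claim is bound to an AWS session when the temporary credentials are issued, so anyone who replays those credentials inherits it; the token itself never re-prompts for a second factor. The detection therefore has to key on where and how a session is used, not on whether MFA was satisfied. The following is an added example, not BitoPro's tooling or any vendor's product: it runs over constructed CloudTrail-style records (the field names are CloudTrail's; the values are invented) and flags a temporary session key, recognisable by its `ASIA` prefix, that is later used from a different source IP or user agent than at first use. It also builds the standard IAM deny policy keyed on `aws:TokenIssueTime`, which is how operators invalidate every session issued before a chosen timestamp once a token theft is suspected.

```python
import json
from typing import Dict, List, Tuple

# Constructed CloudTrail-style records for illustration only; nothing here is
# real BitoPro data. The ASIA key is first used from 203.0.113.10 with the CLI,
# then from 198.51.100.77 with a different client, still "MFA authenticated".
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2025-05-08T01:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T01:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T02:30:00Z", "eventName": "SendCommand",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    # A long-term key (AKIA prefix) is out of scope for this particular check.
    {"eventTime": "2025-05-08T02:31:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]


def detect_session_reuse(events: List[Dict]) -> List[Dict]:
    """Flag temporary-credential use whose (source IP, user agent) differs from
    the first observed use of the same session key.

    The mfaAuthenticated attribute is carried along with the session, so a
    replayed token still reports "true"; it is recorded in the alert only so an
    analyst sees that MFA status alone would not have caught this."""
    first_seen: Dict[str, Tuple[str, str]] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        identity = ev.get("userIdentity", {})
        key = identity.get("accessKeyId", "")
        if not key.startswith("ASIA"):
            continue  # only temporary (STS-issued) credentials are of interest
        fingerprint = (ev.get("sourceIPAddress", ""), ev.get("userAgent", ""))
        if key not in first_seen:
            first_seen[key] = fingerprint
            continue
        if fingerprint != first_seen[key]:
            attrs = identity.get("sessionContext", {}).get("attributes", {})
            alerts.append({
                "accessKeyId": key,
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "sourceIPAddress": fingerprint[0],
                "userAgent": fingerprint[1],
                "firstSeenIP": first_seen[key][0],
                "mfaAuthenticated": attrs.get("mfaAuthenticated", "false"),
            })
    return alerts


def revoke_sessions_policy(issued_before: str) -> Dict:
    """Inline IAM policy that denies every action for credentials issued before
    the given timestamp. Attach it to the affected role or user; new sessions
    issued after that time (and after the keys are rotated) keep working."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}},
        }],
    }


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(f"{alert['eventTime']} {alert['eventName']} from {alert['sourceIPAddress']} "
              f"(session first seen from {alert['firstSeenIP']}, "
              f"mfaAuthenticated={alert['mfaAuthenticated']})")
    print(json.dumps(revoke_sessions_policy("2025-05-08T02:30:00Z"), indent=2))
```

In production the same logic runs over CloudTrail delivered to a log store rather than an in-memory list, and the fingerprint would usually be widened (ASN, region, VPC endpoint) to cut noise from legitimate NAT or roaming. The policy function is the programmatic form of the "revoke active sessions" action; the timestamp should be the moment of suspected compromise, and the administrator's own fresh session must be issued after attaching it.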

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.

Malicious Copycat Repositories Emerge in Large Numbers on GitHub

The researchers at the National Cyber Security Agency have identified a sophisticated campaign that involved malicious actors uploading more than 67 deceptive repositories to GitHub, masquerading as legitimate Python-based security and hacking tools. 

In truth, these repositories serve as a vehicle for delivering trojanized payloads that compromise unsuspecting developers and security professionals. According to ReversingLabs, this operation appears to be an extension of an earlier attack wave that the firm uncovered in 2023 under the codename Banana Squad. 

In that earlier campaign, counterfeit Python packages distributed via the Python Package Index (PyPI) were downloaded over 75,000 times and carried information-stealing capabilities that targeted Windows environments in particular. By pivoting to GitHub, the attackers are taking advantage of the platform's reputation as a trusted source of open-source software to make their malicious code more likely to be adopted, thereby expanding its reach. 

This evolving threat makes it increasingly obvious that the software supply chain faces persistent attack, and that verifying the authenticity of packages and repositories before they are integrated into development workflows is of utmost importance. In its most recent operation, Banana Squad deployed nearly 70 malicious repositories, all carefully crafted to resemble genuine Python-based hacking utilities. 

The counterfeit repositories were designed so that their names and file structures closely resembled those of reputable open-source projects already hosted on GitHub, making them appear trustworthy at first glance. To conceal their malicious intent further, the group cleverly exploited a relatively overlooked feature of GitHub's code display interface. 

GitHub does not wrap long code lines onto the next line when they exceed the width of the viewing window; instead, anything that extends past the right edge of the screen stays out of view until the reader scrolls horizontally. The attackers tapped into this subtle quirk by appending a substantial stretch of empty space to the end of seemingly benign code lines, effectively pushing the malicious payload beyond the visible area of the code. 

Even a diligent code review can miss the hidden threat unless the reviewer scrolls horizontally to the very end of each line, which creates a blind spot for the concealed payload. Obscuring code in this way and propagating malware under the guise of legitimate tools highlights how increasingly creative threat actors have become at evading detection. 
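The padding trick is easy to miss by eye but easy to detect mechanically, because legitimate code almost never contains dozens of consecutive spaces in the middle of a line followed by more code. The following is an added example, not code from Banana Squad, ReversingLabs or the repositories discussed above: a small scanner that walks a checked-out repository and reports every line where code follows a long run of whitespace, splitting the line into the part a reviewer would see and the part pushed off-screen. The sample source in the block is constructed to contain one such line; `MIN_GAP` is an assumed threshold, not a GitHub parameter.

```python
import os
import re
from typing import Dict, List

# Constructed sample (not taken from any real repository): line 3 carries a
# second statement after a 300-space gap, the padding trick described above.
SAMPLE_SOURCE = (
    "import os\n"
    "def banner():\n"
    "    print('tool ready')" + " " * 300 + "; os.system('echo hidden')\n"
    "banner()\n"
)

# A gap of this many consecutive spaces/tabs in the middle of a line, followed
# by more code, is treated as suspicious. Ordinary alignment needs far fewer.
MIN_GAP = 40


def find_padded_lines(source: str, min_gap: int = MIN_GAP) -> List[Dict]:
    """Return one finding per line where code follows a long run of whitespace.

    Leading indentation is ignored; only whitespace *between* visible code and
    trailing code counts, because that is what pushes a payload off-screen."""
    gap_re = re.compile(r"[ \t]{%d,}(?=\S)" % min_gap)
    findings: List[Dict] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()
        match = gap_re.search(stripped)
        if match is None:
            continue
        findings.append({
            "line": lineno,
            "gap": match.end() - match.start(),
            "visible": stripped[:match.start()].rstrip(),
            "hidden": stripped[match.end():],
        })
    return findings


def scan_tree(root: str, suffixes=(".py",)) -> Dict[str, List[Dict]]:
    """Walk a checked-out repository and report padded lines per source file."""
    report: Dict[str, List[Dict]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_padded_lines(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_padded_lines(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['gap']} spaces after {hit['visible']!r}, "
              f"then {hit['hidden']!r}")
```

Run `scan_tree(".")` inside a freshly cloned repository before anything in it is executed; a hit is worth reading in a plain editor with line wrapping turned on rather than in the web UI. Long string literals that legitimately contain runs of spaces will also trigger the check, so treat it as a review aid that surfaces lines to look at, not as a verdict.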

This Banana Squad activity is not an isolated incident. It is a clear example of a broader trend in which cybercriminal groups increasingly use GitHub to distribute malicious code. Over the past several months, it has become increasingly clear that threat actors are utilising the platform as a convenient delivery channel to reach a wide range of unaware developers and hobbyists. 

Trend Micro researchers, for example, recently attributed 76 malicious projects to the Water Curse group over the past few months. These repositories were carefully engineered to deliver staged payloads that harvest passwords, browser cookies, and other session data, as well as stealthy tools designed to maintain persistent access to compromised computers. 

Another investigation, by Check Point, shed light on how the Stargazer's Ghost Network operated: a complex fraud scheme that relied on creating numerous fraudulent GitHub accounts. Each ghost profile was built up with stars, forks, and frequent updates that mimicked the activity of legitimate developers, so that it appeared genuine to potential victims. The attackers used this sophisticated ruse to manipulate the popularity of their repositories and promote Java-based malware aimed at Minecraft players.

By doing so, they pushed the repositories to the top of GitHub's search rankings and made them more credible to potential users. Research by Check Point and Checkmarx suggests that the Stargazer's Ghost Network is a small part of a larger underground ecosystem built around distribution-as-a-service models that may underpin much larger underground economies. It is essentially the same as renting delivery infrastructure, much as mainstream organisations rent capacity in the cloud. 

Sophos analysts confirmed this perspective through their own research, revealing 133 compromised GitHub repositories that have been active since mid-2022. The malicious projects concealed harmful code in various forms, including Visual Studio build scripts, manipulated Python files, and JavaScript snippets used to manipulate screensavers. When executed, the implants can gather system information, capture screenshots, and launch notorious remote access trojans such as Lumma Stealer, Remcos, and AsyncRAT.

Sophos also reported that operators often use Discord channels and YouTube tutorials to spread links to their repositories, typically advertising quick game hacks or easy-to-use cyberattack tools. This has proven a highly effective way of attracting novice users, who inadvertently compile and run malware on their own machines, turning themselves into victims of the very schemes they hoped to use.

Since GitHub is the world's largest hosting and collaboration platform for open-source software, cybercriminals are naturally interested in infiltrating it. Historically, however, attackers seeking mass compromise have preferred package registries such as npm or PyPI over GitHub repositories, because adopting code from a repository is inherently more manual and requires several deliberate steps. 

To integrate a repository into a project, a developer must locate it, evaluate its credibility, clone it locally, and often perform at least a cursory code review along the way. These steps raise the barrier for attackers who wish to distribute malware at scale through source repositories. 

In spite of this, the recent switch by groups like Banana Squad from traditional package registries to GitHub repositories may indicate a changing threat landscape shaped by stronger defensive measures that are being implemented within those registries. In the last two years, the majority of open-source ecosystems have made substantial security improvements to prevent malicious packages from spreading throughout their ecosystems. 

It is worth mentioning that the Python Package Index (PyPI) recently implemented mandatory two-factor authentication (2FA) for all of its users. ReversingLabs researchers are already seeing measurable results from these measures, which raise the bar for attackers seeking to hijack or impersonate trusted maintainers. 

In the opinion of Simons, one of the firm's principal analysts, the open-source community has become progressively more vigilant about scrutinising suspicious packages and reporting them. Adversaries are increasingly aware of the risk that malicious campaigns will be rapidly detected and removed, and are finding it harder to keep such campaigns going. 

It is Simmons' contention that the combination of stricter platform policies and a more security-conscious user base has resulted in a dramatic reduction in successful attacks. This trend is supported by empirical evidence: according to ReversingLabs' report, malicious packages identified across npm, PyPI, and RubyGems declined by over 70% between 2023 and 2024. 

This decline highlights the progress that defensive initiatives within package registries have made; it is vital, however, to also note the adaptability of threat actors, who may now be shifting their focus to repositories, where security controls and community vigilance are less robust. 

Developers need to make sure that they exercise the same level of scrutiny when adopting code from repositories as they do when installing packages, since attackers continue to take advantage of any channel in their arsenal to spread their payloads across the Internet. In the future, the increased malicious activity against GitHub underscores an important point: as defenders strengthen security controls in one area of the software ecosystem, adversaries will invariably pivot to exploit the next weak spot in the software ecosystem. 

Success in this dynamic requires a renewed commitment to treating security as a shared responsibility rather than an afterthought across the open-source community. Developers should adopt a defence-in-depth approach that combines technical safeguards (such as cryptographic signatures, automated dependency scans, and sandboxed testing environments) with organisational practices that emphasise verifying sources and community trust signals. 

Platform providers must continue to invest in proactive threat hunting, better detection of automated and manipulated accounts, and clearer mechanisms for users to evaluate the provenance, reputation, and integrity of repositories. 

Educating contributors and maintainers about the signs of tampering remains vital, so that both novice contributors and experienced maintainers have the skills to recognise subtle indications of tampering and deception. The open-source ecosystem is clearly evolving.

Only a collaborative and adaptive approach, rooted in transparency, accountability, and constant vigilance, will be able to effectively blunt the effects of campaigns such as Banana Squad, thereby safeguarding the enormous value open-source innovation offers to individuals and organisations throughout the world.

Hackers Exploit Low-Paid Tech Support Workers to Breach Major Companies, Steal Customer Data


As more companies turn to outsourced tech support to save money, the risks tied to these operations are becoming increasingly evident. The dangers aren’t solely technical anymore; they also stem from the individuals operating behind the screens, who are often under financial strain and targeted by increasingly sophisticated cybercriminals.

Hackers are weaponizing outsourced tech support teams and call centers—the very services meant to assist customers—as tools for large-scale cybercrime. Recent breaches in the US and UK illustrate a worrying trend: attackers manipulating the human side of support operations to slip past advanced security protocols and seize sensitive data.

In one of the most impactful incidents so far, criminals infiltrated overseas call centers serving prominent American companies, including the cryptocurrency platform Coinbase. While attackers used different tactics, they shared a common strategy: exploiting the access held by low-level support staff, who frequently earn low wages despite handling confidential customer details.

According to Coinbase, hackers bribed customer support agents employed by TaskUs and other help desk providers, offering payments upwards of $2,500 to secure insider assistance. "You're working with a low-paid labor market," Isaac Schloss, chief product officer at Contact Center Compliance, told the Wall Street Journal. "These people are in a position of poverty more often than not. So if the right opportunity comes for the right person, people are willing to look the other way."

The fallout was severe. At Coinbase, the breach affected data from as many as 97,000 customers and could result in reimbursement costs nearing $400 million. Using the stolen details, attackers impersonated legitimate Coinbase representatives, contacting victims about their accounts and persuading them to transfer cryptocurrency into criminal-controlled wallets. "Every other day a new case would come in, and it would be, 'I got called by Coinbase, and I lost all my money because it wasn't Coinbase,'" Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, told the publication.

These tactics are not confined to the crypto industry. In the UK, hackers have also targeted major retailers such as Marks & Spencer and Harrods, pretending to be senior executives to pressure tech-support staff into granting access to internal systems—a method resembling the 2023 MGM Resorts breach.

Beyond bribery, call center vulnerabilities include malicious software planted to siphon off data in large volumes. In some cases, hackers persuaded insiders to describe the applications installed on their systems, ultimately identifying a browser extension with a flaw they could exploit. This allowed them to inject code and harvest extensive customer records.

The cross-border nature of outsourcing complicates accountability. In many regions, workers face minimal legal penalties for helping enable cyberattacks. "We've seen relatively limited consequences, in those regions, for perpetrators," Philip Martin, Coinbase's chief security officer, said. Even when employees are terminated, "It's a relatively straightforward thing for them to go get a new one," he noted.

Despite businesses investing billions in sophisticated cybersecurity tools, hackers persistently capitalize on the most fragile element: people. "Consistently, the human interaction has proven to be a weak link," Michael McPherson, a senior vice president at cybersecurity firm ReliaQuest, said.

The Rise in IT Helpdesk Scams: What Can Users Do?


Over 37,500 complaints concerning phoney tech-support scams were filed in the United States last year alone, resulting in losses of over $924 million, according to the FBI's latest Internet Crime Report. 

In this piece, we'll look at how these scams work, the risks they bring, and how you can prevent them. 

Modus operandi

In this scheme, scammers generally mimic technical or customer-service representatives from prominent corporations, most often in the tech industry. This allows fraudsters to utilise impressive-sounding phrases and technical information that the common user cannot understand.

The most typical pretext fraudulent tech-support scammers use to contact potential victims is claiming to have discovered a problem with the victim's computer. For example, if people claiming to be employees of a software developer or a well-known antivirus company call you and say they have discovered malware on your computer, you should be suspicious. 

Scammers thereby overwhelm their victims, creating panic and a sense of helplessness. The fraudsters then exploit these emotions to gain trust; their techniques are designed to make the victim feel compelled to trust them, and it is this trust that the scammers ultimately use to achieve their objectives. 

Prevention tips

If someone approaches you claiming to be from tech support, warns you of a danger, and insists that action be taken immediately, it is most certainly a fake tech-support fraudster. Try not to panic and avoid doing anything you'll regret later.

It is preferable to share what is going on with someone else, as this might help you discover inconsistencies and flaws in the scammer's story. To buy time, tell them you're busy, have another call, your phone's battery is running low, or simply pretend to be disconnected. Furthermore, to protect yourself from scammers, you can take the following steps: 

  • Install a reputable security solution on all of your devices and heed its warnings. 
  • Never enter your login information while someone else is viewing, such as while screen sharing or when someone has remote access to your computer. 
  • Avoid installing remote access software on your computer, and never provide access to outsiders. By the way, our protection can alert you to such threats.

It's also worth noting that the elderly are particularly prone to tech-support scams. They may not be very cyber-savvy, so they need reliable security more than anyone else.

Krispy Kreme Confirms Cyberattack Affected Over 160,000 People

Popular U.S.-based doughnut chain Krispy Kreme has confirmed that a cyberattack last year compromised the personal data of more than 160,000 individuals.

According to a notification filed with the Maine Attorney General's Office, the company stated that the breach took place in late November 2024. However, affected individuals were informed only in May 2025, after the company completed its internal investigation.

In letters sent to those impacted, Krispy Kreme explained that while they currently have no evidence of misuse, sensitive data may have been accessed during the breach. The company has not publicly confirmed all the types of information that were exposed, but a separate disclosure in Massachusetts revealed that documents containing Social Security numbers, banking details, and driver's license information were among those compromised.

Further updates posted on Krispy Kreme's official website in June added that other personal records may have also been involved. These include medical and health data, credit card numbers, passport details, digital signatures, and even login credentials for financial and email accounts. The extent of exposure varied depending on the individual.

The breach first came to light on November 29, 2024, when Krispy Kreme discovered unusual activity on its internal systems. The incident disrupted its online ordering services and was reported in a regulatory filing on December 11. To manage the situation, the company brought in independent cybersecurity specialists and took steps to secure its systems.

While the company has not commented on the source of the attack, a ransomware group known as “Play” claimed responsibility in late December. The group has a history of targeting organizations around the world and is known for stealing data and demanding ransom by threatening to publish stolen information online—a tactic known as double extortion. However, their claims about the stolen data have not been verified by Krispy Kreme.

The Play ransomware operation has been linked to hundreds of cyberattacks globally, including incidents involving governments, corporations, and local authorities. U.S. federal agencies, along with international partners, issued a security advisory in late 2023 warning organizations about the group’s growing threat.

Krispy Kreme, which operates in over 40 countries and runs thousands of sales points, including through a partnership with McDonald's, is continuing to investigate the full impact of the incident. The company is urging those affected to stay alert for signs of identity theft and take steps to protect their financial and personal accounts.

WhatsApp Ads Delayed in EU as Meta Faces Privacy Concerns


Meta recently introduced in-app advertisements within WhatsApp for users across the globe, marking the first time ads have appeared on the messaging platform. However, this change won’t affect users in the European Union just yet. According to the Irish Data Protection Commission (DPC), WhatsApp has informed them that ads will not be launched in the EU until sometime in 2026. 

Previously, Meta had stated that the feature would gradually roll out over several months but did not provide a specific timeline for European users. The newly introduced ads appear within the “Updates” tab on WhatsApp, specifically inside Status posts and the Channels section. Meta has stated that the ad system is designed with privacy in mind, using minimal personal data such as location, language settings, and engagement with content. If a user has linked their WhatsApp with the Meta Accounts Center, their ad preferences across Instagram and Facebook will also inform what ads they see. 

Despite these assurances, the integration of data across platforms has raised red flags among privacy advocates and European regulators. As a result, the DPC plans to review the advertising model thoroughly, working in coordination with other EU privacy authorities before approving a regional release. Des Hogan, Ireland’s Data Protection Commissioner, confirmed that Meta has officially postponed the EU launch and that discussions with the company will continue to assess the new ad approach. 

Dale Sunderland, another commissioner at the DPC, emphasized that the process remains in its early stages and it’s too soon to identify any potential regulatory violations. The commission intends to follow its usual review protocol, which applies to all new features introduced by Meta. This strategic move by Meta comes while the company is involved in a high-profile antitrust case in the United States. The lawsuit seeks to challenge Meta’s ownership of WhatsApp and Instagram and could potentially lead to a forced breakup of the company’s assets. 

Meta’s decision to push forward with deeper cross-platform ad integration may indicate confidence in its legal position. The tech giant continues to argue that its advertising tools are essential for small business growth and that any restrictions on its ad operations could negatively impact entrepreneurs who rely on Meta’s platforms for customer outreach. However, critics claim this level of integration is precisely why Meta should face stricter regulatory oversight—or even be broken up. 

As the U.S. court prepares to issue a ruling, the EU delay illustrates how Meta is navigating regulatory pressures differently across markets. After initial reporting, WhatsApp clarified that the 2025 rollout in the EU was never confirmed, and the current plan reflects ongoing conversations with European regulators.

DanaBot Malware Enables Data Breaches and Russian Espionage

 


The United States, working with international law enforcement bodies and several private cybersecurity companies, has moved to dismantle the infrastructure behind DanaBot, one of the most persistent cybercrime operations of the past decade and one whose origins have been linked to Russian state security interests.

During this multi-year campaign, hundreds of thousands of infected devices around the world were cut off from the botnet's command-and-control channels by the seizure of DanaBot servers hosted in the United States. According to CrowdStrike, the leading security company involved in the takedown, the Defense Criminal Investigative Service (DCIS) has neutralised the operators’ ability to issue malicious commands.

The operation has thus disrupted not only this criminal enterprise but also the wider network of Russian cyber proxies that increasingly depend on criminal syndicates to advance state-sponsored objectives. DanaBot, a banking Trojan tracked by security researchers as Scully Spider, evolved over the years into a sophisticated tool capable of stealing credentials, conducting espionage, and exfiltrating large quantities of data, an indication of how far the interests of financially motivated groups and geopolitical actors have converged.

The operation shows how much the stakes of cyber defence have risen: dismantling malware infrastructure protects critical systems and exposes the hidden alliances that sustain digital espionage on a global scale. Identified and named by Proofpoint researchers in May 2018, DanaBot emerged as a significant example of malware provided as a service at a time when banking trojans dominated the landscape of email-delivered threats.

DanaBot was initially adopted as a favourite payload by the prolific threat actor group TA547, and it soon became a popular choice for other prominent cybercriminal collectives that wanted to take advantage of its versatility. The malware’s architecture consisted of an ever-evolving set of modules that performed both loader operations and the core malicious functionality, alongside sophisticated anti-analysis mechanisms aimed at frustrating security researchers and evading detection.

Analysts from Proofpoint noted that, while DanaBot had its own distinct technical signatures, it bore resemblances to earlier strains of financially motivated malware such as Reveton ransomware and CryptXXX, suggesting incremental evolution rather than an entirely new approach.

The name itself has an interesting origin: it was coined internally, after one researcher suggested naming the threat in honour of a colleague, and the threat actors later adopted the name themselves to market the malware to other criminals on the black market.

Between 2018 and 2020, DanaBot established a significant footprint in the email threat ecosystem through extensive distribution by prominent cybercrime groups such as TA547, TA571, and TA564, before its presence waned towards the middle of 2020.

That decline coincided with a broader shift in the cybercriminal underground towards a new generation of loaders, botnets, and information stealers, such as IcedID and Qbot, which increasingly served as precursors to high-impact ransomware attacks. Recent security telemetry has confirmed a resurgence of DanaBot activity, suggesting that the malware has been revised to meet the evolving needs of both cybercrime and state-aligned espionage.

This resurgence underscores the persistence of threat actors in adapting to changing environments and continually recycling and retooling established attack frameworks to maintain their position. At the heart of DanaBot was SCULLY SPIDER, a Russia-based eCrime adversary that developed and commercialised the malware as a highly lucrative Malware-as-a-Service (MaaS) platform.

What set DanaBot apart from competing threats in May 2018 was its modular design, which enabled clients to carry out credit card theft, large-scale wire fraud, and the targeted exfiltration of cryptocurrency wallets and related data. Thanks to this adaptability and its robust monetisation features, its adoption across the criminal underground was swift.

What separated this operation from typical financially motivated campaigns, however, was that the Russian authorities appeared to give SCULLY SPIDER considerable latitude. Russian law enforcement is certainly capable of disrupting or prosecuting such activities, but to date it has no public record of doing so.

This pattern of tacit acceptance fits the Russian state's geopolitical strategy, which uses cybercriminals as de facto proxy forces to exert asymmetric pressure on Western institutions while maintaining plausible deniability. In its early phases, DanaBot primarily targeted financial institutions and individuals in Ukraine, Poland, Italy, Germany, Austria, and Australia.

A campaign in October 2018 signalled the operators' ambition to expand their targeting to banks and payment platforms in mature, higher-value financial markets. DanaBot's technical sophistication was evident from the outset: early modules included Zeus-derived web injections, credential harvesting, keystroke logging, screen capture, and covert remote access through HVNC components.

Russia's formidable cyber ecosystem is built on the capabilities and covert operations of its principal security and intelligence agencies, including the Federal Security Service (FSB), the Foreign Intelligence Service and the General Staff's military intelligence directorate (GRU). Although not all of these entities are directly involved in financially motivated cybercrime such as ransomware campaigns or the deployment of banking trojans, their connections with criminal hacking groups and their willingness to rely on cyber proxies have helped create an environment in which global threats persist.

Ransomware attacks have increased significantly over the past few years and are now among the most destructive forms of cyber intrusion in history. Ransomware uses malicious code to encrypt or lock down entire systems once executed on an unsuspecting victim's machine. The attackers then demand payment, often in hard-to-trace cryptocurrencies such as Bitcoin and Ethereum, in exchange for restoring access.

Being both profitable and disruptive, this strategy has played an important role in the proliferation of Russia-based cybercrime groups. Centre 18, the FSB's main cyber unit, has a long history of combining state-aligned espionage with criminal hacking. About a decade ago, the unit made headlines for hiring a former hacker as a deputy director, an act that presaged a series of subsequent scandals.

Centre 18 was implicated in high-profile intrusions targeting U.S. political organisations during the 2016 presidential election, while the GRU, Russia's military intelligence agency, carried out parallel operations to extract sensitive data and disrupt democratic processes. Centre 18's trajectory came to a dramatic end when its leadership was caught up in an internal corruption scandal that resulted in charges of state treason against the director, the hacker-turned-deputy director and several accomplices, all of whom were found guilty.

While this setback may have affected cooperation between Russian intelligence services and criminal hackers, the overall pattern has remained largely unchanged. One noteworthy example is the recruitment of the Russian hacker Aleksei Belan by the organisation. Belan is alleged to have played a significant role in the theft of billions of Yahoo email accounts, a breach widely regarded as the largest in history.

These state-tolerated actors have been joined by groups such as Evil Corp, which built a sprawling cybercrime operation. Evil Corp, led by Maksim Yakubets, is credited with developing Dridex (also called Bugat), the notorious banking trojan and ransomware toolkit.

Yakubets was indicted by the U.S. Department of Justice in 2019 for orchestrating attacks that resulted in an estimated $100 million in fraud, demonstrating how ransomware has become a preferred weapon for profit as well as for geopolitical manipulation. Beyond stealing banking credentials, DanaBot's operators and their criminal affiliates showed an extraordinary ability to devise creative fraud schemes against the broader online economy.

DanaBot's users were eager to exploit any digital avenue available for illicit profit, and often chose e-commerce platforms as targets because of their vulnerability to manipulation. In one notable case documented in the Kalinkin complaint, an affiliate used DanaBot to infiltrate an online storefront and orchestrate fictitious returns and fraudulent purchases.

Using stolen account credentials, the attackers secured refund payments that far exceeded the original transaction amounts, causing significant financial losses to a retailer that was unaware of the problem. Many of the victims were online merchants who sustained fraud across their sales channels, showing how far the malware's adaptability extends beyond conventional banking intrusions.

The infection pathways used in these campaigns were equally varied and technically sophisticated. DanaBot routinely entered victim environments through large-scale spam email distributions and malvertising campaigns that directed users to malicious sites hosting exploits. The malware has also been observed being delivered as a secondary payload onto systems already compromised by loaders such as SmokeLoader, which further entrenches its position on the machine.

One particularly audacious approach, observed by CrowdStrike in November 2021, involved embedding DanaBot in a compromised npm JavaScript package that was downloaded nearly 9 million times per week. This demonstrated the attackers' willingness to exploit trusted software supply chains.

Of all these distribution methods, ESET researchers identified Google AdWords as the most effective. Affiliates created malicious websites that appeared highly relevant to popular search queries and purchased paid ad placements to ensure their fraudulent links appeared prominently among legitimate results.

This combination of social engineering and manipulation of advertising platforms enticed unsuspecting users to download DanaBot under the guise of legitimate programs and services. DanaBot's operators also set up counterfeit IT support websites posing as helpful resources for resolving technical problems; these sites enticed users into copying and executing terminal commands that in reality initiated the malware installation.

Through this multifaceted strategy of email, ads, poisoned software packages, and fake support infrastructure, DanaBot's criminal network sustained a formidable presence. It illustrates how modern cybercrime has evolved into an agile enterprise that thrives on innovation, collaboration, and the exploitation of trust at every level of the digital ecosystem.

The critical lesson of DanaBot's longevity and reincarnation is that organisations must keep pace with a constantly evolving threat landscape: even well-known malware can remain highly effective when attackers continually adjust their delivery methods, infrastructure, and monetisation strategies.

Companies, especially those handling financial or personal data, must recognise that resilience does not simply mean protecting perimeters. Maintaining a proactive security posture, continuously monitoring supply chain dependencies, and educating employees about social engineering are crucial pillars of protection.

Moreover, the many instances of poisoned software repositories and malicious advertising underscore why trusted channels must be scrutinised as closely as untrusted ones. In a broader policy context, DanaBot's trajectory shows the strategic advantage that permissive or complicit nation-states confer on cybercriminal operations by providing havens in which malware authors can refine and scale their capabilities without fear of disruption.

In light of this dynamic, regulators and multinational corporations alike must rethink traditional risk models and adopt intelligence-driven approaches that track threat actors beyond their technical signatures, scrutinising their infrastructure, partnerships, and geopolitical ties.

Malware-as-a-service platforms such as DanaBot are likely to remain a persistent threat in the coming years, evolving along with changes in both underground economies and global political environments. Strengthening collective defences will require coordination between the public and private sectors, the timely sharing of indicators of compromise, and greater transparency from technology providers whose platforms are so often exploited as distribution channels by cybercriminals.

In an era in which cybercrime has increasingly blurred into state-sponsored campaigns, vigilance, adaptability, and shared responsibility are no longer optional. They are the foundations on which digital trust and critical systems can be safeguarded from a threat that shows no sign of receding.

Wyze Launches VerifiedView Metadata to Enhance Security After Past Data Breaches

 


Wyze’s security cameras and platform have earned praise from CNET reviewers in the past. However, over the last few years, recommendations for the company’s affordable cameras and related security products were tempered by a series of significant security breaches that raised concerns among experts and consumers alike.

More than a year has passed since those incidents, and Wyze has now introduced an advanced security feature called VerifiedView, designed to strengthen protections around user footage.

VerifiedView is a new metadata layer that applies to all content generated by Wyze cameras. Metadata refers to supplementary information attached to photos and videos, such as details about when and where they were captured, which helps systems search, organize, and identify files efficiently.

Wyze’s approach goes a step further. VerifiedView assigns every photo or video a unique identifier—an encrypted version of the user’s Wyze ID—that remains permanently tied to the account. Whenever someone tries to stream or view video through a Wyze account, their account identifier must match the one embedded in the metadata. If there is no match, access is denied. Live viewing functions the same way, ensuring that only the account that initially set up the camera can watch the footage.
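The access check described above, illustrated with added example code that is not Wyze's implementation (the HMAC construction, the ClipMetadata field names and the account and clip identifiers are all assumptions of this example): each clip carries a keyed tag binding it to the owning account, and playback is granted only when the requesting account recomputes that tag.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed key for this example; in a real deployment the key stays
# server-side (KMS/HSM) so a client holding a clip cannot mint tags itself.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class ClipMetadata:
    """Hypothetical metadata record for one recording (field names assumed)."""
    clip_id: str
    captured_at: str
    owner_tag: str  # keyed hash binding this clip to the owning account


def owner_tag(account_id: str, clip_id: str, key: bytes = SERVER_KEY) -> str:
    """Hex HMAC-SHA256 over (account_id, clip_id).

    A keyed hash reveals nothing about the account and cannot be forged
    without the key; including clip_id ties the tag to this recording, so
    metadata copied from one clip does not authorise access to another.
    """
    msg = account_id.encode() + b"\x00" + clip_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_clip(account_id: str, clip_id: str, captured_at: str,
             key: bytes = SERVER_KEY) -> ClipMetadata:
    """Attach the account-binding tag when the clip is produced."""
    return ClipMetadata(clip_id, captured_at, owner_tag(account_id, clip_id, key))


def may_view(requesting_account: str, meta: ClipMetadata,
             key: bytes = SERVER_KEY) -> bool:
    """Grant access only if the requester's account recomputes the stored tag.

    compare_digest keeps the comparison constant-time.
    """
    expected = owner_tag(requesting_account, meta.clip_id, key)
    return hmac.compare_digest(expected, meta.owner_tag)


def demo() -> dict:
    """Owner, a stranger, transplanted metadata, and a forged tag."""
    clip = tag_clip("acct-alice", "clip-0001", "2025-06-18T09:30:00Z")
    # Transplanted: alice's valid tag pasted onto a different clip's metadata.
    transplanted = ClipMetadata("clip-0002", clip.captured_at, clip.owner_tag)
    # Forged: a tag computed without the server key.
    forged = ClipMetadata("clip-0001", clip.captured_at,
                          owner_tag("acct-mallory", "clip-0001", b"guessed-key"))
    return {
        "owner": may_view("acct-alice", clip),
        "stranger": may_view("acct-bob", clip),
        "transplanted": may_view("acct-alice", transplanted),
        "forged": may_view("acct-mallory", forged),
    }


if __name__ == "__main__":
    print(demo())  # {'owner': True, 'stranger': False, 'transplanted': False, 'forged': False}
```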

While companies often embed metadata for various purposes, “this is the first time I've seen metadata used so clearly to manage video access and keep it from strange eyes.” This innovation is intended to directly address some of the most serious security issues, including past incidents in which unauthorized parties or employees were able to access private camera feeds.

Since the breaches and other security failures, Wyze has implemented several measures to bolster user safety and prevent similar problems. Key improvements include:

  • Automatic activation of two-factor authentication for all users, along with additional tools like OAuth, reCAPTCHA, and login abuse detection.
  • Investment in security resources provided by Amazon Web Services (AWS).
  • Expansion of Wyze’s security team to include more professionals dedicated to reviewing and strengthening code.
  • Regular penetration testing by firms such as Bitdefender, Google MASA, ioXT, and the NCC Group.
  • The introduction of a comprehensive cybersecurity training program for all employees.

“While I wish Wyze had started with security features like these, the changes are good to see.” For those evaluating options to protect their homes, these upgrades represent meaningful progress in Wyze’s approach to safeguarding customer data and privacy.