< ciso brief />

All news in category “Incidents and Data Breaches”

2740 articles · page 18 of 137

Vercel Breach Linked to Compromised Context.ai Systems

🔒 Vercel disclosed a security breach tied to a compromised Context.ai account used by an employee, which enabled an attacker to take over the employee's Vercel Google Workspace account. The actor accessed some Vercel environments and environment variables that were not marked sensitive, while encrypted sensitive variables show no evidence of exposure. Vercel is working with Mandiant, law enforcement and Context.ai, and has contacted affected customers to rotate credentials and investigate further.

Vercel Confirms Breach; Hackers Claim to Sell Data

🔒 Vercel has disclosed an unauthorized access incident that affected a limited subset of customers and certain internal systems. The company says its public services remain operational while it investigates the incident with external incident response experts and law enforcement. Vercel is notifying impacted customers and urging them to review environment variables, enable the sensitive environment variable feature where available, and rotate secrets or tokens if there is any suspicion of exposure.

Sanctioned Grinex Exchange Halts After $13.74M Hack

🚨 Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S., said it is suspending operations after reporting a $13.74 million theft it attributes to Western intelligence agencies. The company alleges the attack, which it says demonstrates unprecedented technical sophistication, stole over 1 billion rubles from user accounts on April 15, 2026. Blockchain investigators at Elliptic, TRM Labs, and Chainalysis report the funds were rapidly routed to TRON and Ethereum addresses and swapped into non‑freezable tokens, complicating asset recovery.

Mirai Variant 'Nexcorium' Exploits TBK DVR, TP‑Link Flaws

🔒 Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report that threat actors are exploiting a command injection flaw, CVE-2024-3721, in TBK DVR devices to deliver a Mirai-family loader tracked as Nexcorium. The loader installs architecture-specific binaries, establishes persistence via crontab and systemd, and uses hard-coded credential lists plus an exploit for CVE-2017-17215 to spread to Huawei HG532 devices. Unit 42 also observed automated scans targeting EoL TP-Link routers via CVE-2023-33538, though initial attempts were flawed and did not achieve compromise. Researchers warn that unpatched, unsupported IoT devices and default credentials continue to enable large-scale DDoS botnets and recommend replacing EoL hardware and removing default passwords.

Payouts King Abuses QEMU VMs to Evade Endpoint Security

🛡️ Researchers report the Payouts King ransomware is leveraging QEMU as a covert reverse SSH backdoor, running hidden Alpine Linux VMs to execute tools and bypass host security. Operators create a scheduled task named TPMProfiler to launch the VM as SYSTEM, use virtual disks disguised as benign files, and forward ports for remote access. The campaign—linked to STAC4713 and observed alongside a separate STAC3725 activity exploiting CitrixBleed 2—employs credential theft, robust obfuscation, and AES-256/RSA-4096 encryption. Sophos recommends hunting for unauthorized QEMU installs, suspicious SYSTEM tasks, and unusual SSH tunnels.

Grinex Exchange Suspends Operations After $13.7M Hack

🚨 Kyrgyzstan-based cryptocurrency exchange Grinex has suspended operations after reporting a $13.7 million theft from wallets used by Russian customers. The platform, believed to be a rebrand of Garantex, facilitates ruble-to-crypto flows and uses the ruble-backed stablecoin A7A5. Grinex alleges the attack shows signs of involvement by 'foreign intelligence agencies', while blockchain analysts traced the funds to TRON and Ethereum addresses and to conversion via SunSwap; independent reports have not publicly confirmed the exchange's attribution.

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.

Nexcorium Mirai Variant Exploits TBK DVR Vulnerability

🛡️ FortiGuard Labs analyzed exploitation of CVE-2024-3721 against TBK DVR devices that delivered a Mirai-style, multi-architecture botnet named Nexcorium. The campaign used a downloader called "dvr" (nexuscorp-prefixed binaries) and a custom "X-Hacked-By" HTTP header linked to a suspected "Nexus Team" actor. Nexcorium includes scanning, brute-force credential lists, multiple persistence methods, integrity checks, and a broad DDoS toolkit controlled by a central C2.

Singer Loses Life Savings to Fake Ledger Live App Download

🚨 Garrett Dutton (G. Love) says he downloaded a counterfeit Ledger Live app from Apple's App Store while setting up a new computer and was tricked into entering his seed phrase. Thieves used it to steal 5.9 BTC (about $440,000). Apple removed the fraudulent app on April 12 after investigators linked it to roughly $9.5 million stolen from more than 50 victims. Legitimate wallets never ask for your seed phrase; verify developer names and ratings and be especially cautious when installing apps on new devices.

International Operation Takedown of DDoS-for-Hire Services

🔒 A multinational law enforcement operation disrupted DDoS-for-hire infrastructure, seizing servers and databases and resulting in 53 domains being taken down and four arrests. Operation PowerOff, coordinated across 21 countries and outlined by Europol on April 16, removed backend components and more than 100 URLs advertising these services. Authorities recovered data on over three million criminal user accounts, sent roughly 75,000 warning notices to identified users, and posted additional warnings to cryptocurrency platforms to limit further abuse.

Man jailed for selling hacked DraftKings accounts in bulk

🔒 Kamerin Stokes, 23, was sentenced to 30 months in prison after selling access to tens of thousands of hacked accounts tied to DraftKings. Prosecutors say a November 2022 credential‑stuffing attack led by Nathan Austad (aka Snoopy) with accomplice Joseph Garrison compromised nearly 68,000 accounts; the group stole about $635,000 from roughly 1,600 accounts and generated over $2.1 million selling hacked accounts. Stokes, who operated as TheMFNPlug, briefly reopened his shop after pleading guilty, using the tagline "fraud is fun"; he was remanded for violating pretrial conditions and was ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture, plus three years of supervised release.

Leaked Windows zero-days exploited to gain SYSTEM privileges

🔓 Threat actors are actively using proof-of-concept exploit code for three recently disclosed Windows vulnerabilities to elevate privileges or disrupt Microsoft Defender. Researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse") published PoCs for BlueHammer, RedSun, and UnDefend in protest over Microsoft’s handling of disclosure. Huntress Labs has observed exploitation in the wild, with BlueHammer seen since April 10, and Microsoft has patched only BlueHammer (CVE-2026-33825) so far while RedSun and UnDefend remain unaddressed.

Operation PowerOFF Seizes 53 DDoS Domains, Four Arrested

🔒 Operation PowerOFF disrupted 53 domains tied to commercial DDoS-for-hire services and resulted in four arrests. Authorities seized servers and supporting infrastructure and obtained access to databases containing over 3 million criminal user accounts linked to more than 75,000 alleged attackers, issuing 25 search warrants. Law enforcement partners across 21 countries coordinated domain seizures, infrastructure disruption, and notification efforts to hinder further attacks and support follow-up investigations.

Operation PowerOFF IDs 75K DDoS Users, Shuts Domains

🔎 Operation PowerOFF has notified more than 75,000 suspected users of DDoS-for-hire platforms and taken 53 domains offline as part of a coordinated international law enforcement effort. Supported by Europol and authorities across 21 countries, the action included four arrests, 25 search warrants, and the dismantling of critical booter infrastructure. The operation is now shifting into a prevention phase featuring awareness campaigns, search-engine ad interventions, URL removals, and on-chain payment warnings to deter future abuse.

ZionSiphon OT Malware Targets Water Treatment Systems

💧 Researchers at Darktrace identified ZionSiphon, a new operational technology malware engineered to sabotage water treatment and desalination environments. The sample includes routines to increase chlorine dosing, force valves open, and raise reverse-osmosis (RO) pressure by appending fixed configuration entries, and it propagates via USB as a hidden svchost.exe. A faulty IP verification routine currently prevents activation, but attackers could correct the logic to enable dangerous OT manipulation.

PowMix botnet targets Czech workers with randomized C2

🔒 Cisco Talos researchers disclosed a previously undocumented botnet named PowMix that has been active against workers in the Czech Republic since at least December 2025. The campaign uses malicious ZIP attachments containing a Windows LNK that launches a PowerShell loader to extract and run the malware in memory while opening decoy compliance-themed documents. PowMix establishes persistence via a scheduled task, verifies process trees to avoid duplicate instances, and uses randomized beaconing intervals and REST-like C2 URL paths that embed encrypted heartbeat data and unique victim identifiers to evade network detections. The bot supports remote code execution, dynamic C2 migration, and self-deletion commands.

Hackers Use Marimo Flaw to Deploy NKAbuse via Hugging Face

⚠️ Researchers observed attackers exploiting a critical Marimo remote code execution flaw (CVE-2026-39987) to deploy a new NKAbuse variant hosted on Hugging Face Spaces. Attack activity began within hours of public disclosure, with a Space named "vsccode-modetx" serving a dropper script and a malicious binary labeled kagent. The dropper retrieves and runs the payload via curl, then installs persistence via systemd, cron, or a macOS LaunchAgent, while Spaces' legitimate HTTPS hosting helps the traffic evade detection. Operators are urged to upgrade to version 0.23.0 or, if upgrading is not possible, to block the '/terminal/ws' endpoint.

US Nationals Jailed for Facilitating North Korean IT Scam

🔒 Two US nationals were sentenced after admitting they helped operate a scheme that placed North Korean remote IT workers into roles at more than 100 US organisations, including several Fortune 500 firms. Court filings say Kejia Wang (42) and Zhenxing Wang (39) used the stolen identities of at least 80 Americans, received laptops at their US addresses, provided remote access to DPRK-based operators and set up shell companies to launder payments to DPRK. They received prison terms of 108 and 92 months respectively after pleading guilty to conspiracy charges including wire fraud and money laundering; Zhenxing Wang also pleaded guilty to conspiracy to commit identity theft.

Cookeville Medical Center: 337,917 Patients Exposed

🔒 Cookeville Regional Medical Center has notified 337,917 patients that personal and medical data were accessed during a July 11–14, 2025 intrusion tied to the ransomware group Rhysida. The hospital began mailing breach letters in April 2026, roughly nine months after detection, and said files may include Social Security numbers, driver’s license data, treatment and insurance information. Rhysida claimed the attack in August 2025 and posted sample files; it demanded 10 Bitcoin. CRMC is offering 12 months of identity protection through Experian and reports additional security measures are in place.

Sapphire Sleet macOS Intrusion via Social Engineering

⚠️ Microsoft Threat Intelligence describes a macOS campaign by the North Korea‑linked actor Sapphire Sleet that relies on social engineering instead of software exploits. The actor impersonated a legitimate update and lured victims to open a compiled AppleScript (.scpt) in Script Editor, then used cascading curl | osascript stages to deploy Mach‑O backdoors, harvest credentials, and exfiltrate cryptocurrency and personal data. Apple and Microsoft deployed protections and detections; defenders should block unsigned .scpt files and monitor curl/osascript chains.