
All news in category “Incidents and Data Breaches”

2732 articles · page 29 of 137

Russia Arrests Suspected Owner of LeakBase Forum in Rostov

🔒 Russian police in the Rostov region arrested a Taganrog resident accused of owning and administering the cybercrime forum LeakBase. The forum, launched in 2021 and linked to the ARES threat group, grew to over 142,000 members and was used to trade stolen databases, exploits, and illicit services. In March 2026 authorities from the FBI and 14 other countries dismantled the site during Operation Leak, seizing the domain and preserving the forum database and logs as evidence.
read more →

Suspected RedLine Infostealer Administrator Extradited

🔒 Hambardzum Minasyan, an Armenian national, was extradited to the United States and charged with helping administer the RedLine infostealer operation. U.S. prosecutors allege he registered virtual private servers, domains, a cryptocurrency account used for affiliate payments, and file-sharing repositories that distributed the malware. He is accused of managing command-and-control infrastructure, assisting affiliates, and conspiring to launder proceeds, and faces multiple federal counts with a potential prison term if convicted.
read more →

GitHub Phishing Uses Fake OpenClaw Tokens to Drain Wallets

🔒 Threat actors are exploiting interest in OpenClaw with a GitHub phishing campaign that lures developers with fake 'CLAW' token airdrops promising thousands of dollars. Attackers open issues, tag developers, and redirect victims to cloned sites that prompt users to connect their crypto wallets. Researchers at OX Security found obfuscated wallet‑stealing code and a C2 server used to collect addresses and drain funds. Recommended actions include blocking the phishing domain and revoking suspicious wallet approvals.
read more →

Smashing Security Podcast 460: Extortion and Trespass

🔒 In episode 460 of the Smashing Security podcast, Graham Cluley and guest Jenny Radcliffe examine a string of notable security stories, including an alleged insider who stole a company payroll database and demanded $2.5 million in Bitcoin while signing extortion messages as 'Loot'. They also cover an incident in which two people were charged after attempting to approach the gates of the UK's Faslane nuclear submarine base. The show mixes incident analysis with cultural items — a spotlight on the Muslim punk group LadyParts and a recommendation of Lee McIntyre's On Disinformation — drawing practical lessons for security professionals and the public.
read more →

Coruna iOS Exploit Kit Reuses 2023 Triangulation Code

⚠️ Coruna, an iPhone exploit kit, repurposes an updated kernel exploit originally used in the 2023 Operation Triangulation campaign, according to Kaspersky. The kit targets iOS 13.0–17.2.1 devices with five full exploit chains and 23 exploits, fingerprinting Safari visitors and selecting tailored Mach-O loaders and payloads. Kaspersky warns the actively maintained, modular codebase now enables mass exploitation and broader criminal reuse, increasing risk to unpatched users.
read more →

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the Active Directory Users and Computers console (dsa.msc) to blend in with routine administration, deployed a self-extracting (SFX) payload (abc.exe) that encrypted systems within three hours, and then removed the 'No Defender' toolkit (a utility for disabling Microsoft Defender) to hide their tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.
read more →

WebRTC-based Payment Skimmer Bypasses CSP Protections

🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, sidestepping Content Security Policy: the connect-src directive governs fetch, XHR and WebSocket requests, but not RTCPeerConnection traffic. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft; a checkout page that has no legitimate reason to call RTCPeerConnection or open a data channel should be treated as suspect, and outbound UDP from store visitors to unexpected hosts on STUN/TURN-style ports is the network-side signal to hunt for.
read more →

Torg Grabber infostealer targets 728 crypto wallets

🔒 Gen Digital researchers describe a rapidly evolving info‑stealer named Torg Grabber that exfiltrates data from 850 browser extensions, including 728 cryptocurrency wallets. Initial access commonly uses a clipboard hijack and a ClickFix PowerShell trick; the payload runs in memory via reflective loading, direct syscalls and heavy obfuscation. Operators migrated exfiltration to HTTPS through Cloudflare and added an App‑Bound Encryption bypass to harvest Chromium cookie data.
read more →

LeakBase Forum Admin Arrested in Russia Over Data Trade

🔒 Russian authorities have arrested the alleged administrator of LeakBase, a major cybercrime forum accused of trading stolen personal databases since 2021. The suspect, reported to be a resident of Taganrog, was detained and technical equipment seized during a search. Officials say the platform hosted hundreds of millions of accounts, bank details and corporate documents and had over 147,000 registered users. The site was dismantled earlier this month and its content preserved for evidentiary purposes.
read more →

Supply-chain attack via Trivy, Checkmarx and LiteLLM

🔒 Millions of CI/CD pipelines were exposed after the threat actor TeamPCP injected malicious code into widely used tools — Trivy, Checkmarx workflows, and LiteLLM packages — enabling credential theft and persistent backdoors. The compromised artifacts were live only briefly but likely executed broadly, exfiltrating cloud keys, SSH credentials and cryptocurrency wallets. Immediate steps include pinning dependencies to exact SHAs, rotating secrets, hunting for traffic to typosquatted domains, and restoring affected systems from verified backups.
read more →

GlassWorm Campaign Uses Solana Dead-Drops for RAT Operations

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.
read more →

Trivy supply-chain breach escalates into Lapsus$ extortion

🔐 A supply-chain compromise of Trivy has escalated into an extortion campaign linked to Lapsus$, with Mandiant reporting over 1,000 impacted enterprise SaaS environments and the potential for many more. Initial access by cloud-native actor TeamPCP led to stolen credentials that were used to backdoor packages and extend control to projects such as LiteLLM. Security firms Wiz and Socket describe malicious Docker and npm artifacts, a self-replicating worm, and manipulated CI/CD tags, while Aqua Security and partners work to rotate credentials and contain the incident.
read more →

TeamPCP Expands Supply-Chain Attacks via PyPI LiteLLM

📦 The widely used Python package LiteLLM on PyPI was found to contain credential-stealing malware in versions 1.82.7 and 1.82.8, uploaded on 24 March 2026. Security researchers report the malicious code harvested SSH keys, cloud credentials, Kubernetes secrets, database credentials, TLS keys and cryptocurrency wallets, then encrypted and exfiltrated the data to attacker infrastructure and installed persistent backdoors. Endor Labs and JFrog analysis showed the later variant executed whenever any Python process started, enabling silent background operation; version 1.82.6 is the last known clean release and organizations are urged to rotate secrets and audit systems for compromise.
read more →

Russian Operator Gets 2-Year Term for TA551 Botnet Role

⚖️ The U.S. Department of Justice sentenced Russian national Ilya Angelov to two years in prison and fined him $100,000 for operating a botnet that enabled ransomware attacks against American companies. Angelov, 40, of Tolyatti, used aliases "milan" and "okart" and co‑managed the Russia‑based cybercriminal group TA551, which distributed malware-laden spam and sold access to compromised machines. Prosecutors say TA551 sold bot access to groups behind BitPaymer and IcedID, contributing to millions in extortion payments.
read more →

Device Code Phishing Targets 340 Microsoft Orgs Globally

🔐 Huntress is tracking an active device code phishing campaign targeting Microsoft 365 identities at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com-hosted infrastructure to harvest OAuth access and refresh tokens; because the victim authenticates a device code on a legitimate Microsoft login page, no password is captured, and Huntress reports the tokens remain valid after password resets until the user's refresh tokens are explicitly revoked. Sectors hit include construction, non-profits, real estate, manufacturing, finance, healthcare, legal and government.
read more →
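The following is an added example, not Huntress's tooling or anything from the report above. It hunts for the technique in Entra ID sign-in logs: a successful sign-in whose authenticationProtocol is deviceCode coming from an IP address the user has never used for an ordinary interactive sign-in. The field names follow the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol, status.errorCode); the six log lines are constructed for illustration using documentation IP ranges, the 30-day baseline window is an assumed tuning value, and the helper names are the example's own.

```python
"""Hunt for suspicious OAuth device-code sign-ins in Entra ID sign-in logs.

Added example, not Huntress's code. Assumes one JSON object per line in the
shape of the Microsoft Graph `signIn` resource. Sample data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_SIGNINS = r"""
{"createdDateTime":"2026-03-24T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-03-25T09:15:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-03-26T13:41:03Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-03-24T10:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-03-26T10:05:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-03-26T14:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.9","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records and attach a UTC timestamp to each."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(
            rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def succeeded(rec):
    # A non-zero errorCode means the sign-in did not complete.
    return rec.get("status", {}).get("errorCode", 0) == 0


def baseline_ips(records, user, before, lookback):
    """IPs the user signed in from via non-device-code flows in the lookback window.

    Device-code sign-ins are excluded from the baseline so an attacker's own
    earlier sign-ins cannot whitelist their address.
    """
    since = before - lookback
    return {
        r["ipAddress"]
        for r in records
        if r["userPrincipalName"] == user
        and r["authenticationProtocol"] != "deviceCode"
        and succeeded(r)
        and since <= r["_ts"] < before
    }


def find_suspicious_device_code(records, lookback=timedelta(days=30)):
    """Return successful device-code sign-ins from IPs outside the user's baseline."""
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or not succeeded(r):
            continue
        known = baseline_ips(records, r["userPrincipalName"], r["_ts"], lookback)
        if r["ipAddress"] in known:
            continue  # e.g. Azure CLI device-code use from the user's usual address
        findings.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName", ""),
            "time": r["createdDateTime"],
            "reason": ("device-code sign-in from an IP absent from this user's baseline"
                       if known else "device-code sign-in with no interactive baseline"),
        })
    return findings


def users_to_revoke(findings):
    """Users whose refresh tokens should be revoked, not merely password-reset."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = find_suspicious_device_code(parse_signins(SAMPLE_SIGNINS))
    for h in hits:
        print(f"{h['time']} {h['user']} from {h['ip']} via {h['app']}: {h['reason']}")
    print("revoke refresh tokens for:", users_to_revoke(hits))
```

On the constructed data only alice is flagged: bob's device-code sign-in comes from the address he normally uses, and carol's attempt failed. Because the stolen tokens outlive a password reset, the response for every user returned by users_to_revoke() has to include revoking refresh tokens (the Graph user revokeSignInSessions action), and tenants whose users have no need for device code flow can block it outright with a Conditional Access policy on the device code flow authentication flow.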

PyPI Warns After LiteLLM Packages Steal Cloud Secrets

⚠️ PyPI warned developers after two malicious releases of the Python LLM middleware LiteLLM were briefly posted, potentially exposing any credentials accessible to the package environment. Sonatype and Wiz analyses describe a three-stage, obfuscated payload that harvested environment variables, cloud and CI/CD credentials, SSH keys, and other sensitive artifacts, encrypting stolen data before exfiltration. PyPI linked the uploads to an exploited Trivy dependency in the ongoing TeamPCP supply-chain campaign and urged users to revoke or rotate secrets that may have been exposed.
read more →

54-Year-Old Pleads Guilty After $8M Streaming Fraud

🎵 Michael Smith pleaded guilty to conspiracy to commit wire fraud after using AI to generate hundreds of thousands of songs and deploying up to 10,000 bots that streamed them billions of times, fraudulently earning more than US $8 million in royalties. He has agreed to forfeit US $8,091,843.64 and will be sentenced on July 29, 2026. The case highlights how AI and automation can be abused on streaming platforms, undermining legitimate artists' income.
read more →

UK Police Arrest Over 500 in Major Fraud Crackdown

🔎 Operation Henhouse V saw UK police and partners carry out a large-scale fraud crackdown, resulting in 557 arrests, 172 voluntary interviews and 249 cease-and-desist notices. Law enforcement secured account-freezing orders of £9m and seized £18.1m in cash and assets. The operation, led by the NCA and City of London Police, targeted online and offline scams and identified overseas call centres, demonstrating strengthened coordination amid rising digital fraud.
read more →

Russian Man Sentenced for Running Ransomware Botnet

🔒 Ilya Angelov, a 40-year-old Russian national who used the handles milan and okart, was sentenced to two years in prison after admitting he managed the Mario Kart phishing botnet that helped deliver ransomware. The botnet distributed malware via massive spam campaigns—up to 700,000 emails per day—and at its peak infected about 3,000 machines daily. Authorities linked the botnet to BitPaymer attacks on 72 U.S. companies, resulting in over $14 million in extortion payments.
read more →

Detecting and Defending Trivy Supply Chain Compromise

🔒 Microsoft provides operational guidance to detect, investigate, and mitigate the March 19, 2026 supply-chain compromise that weaponized the Trivy vulnerability scanner and related GitHub Actions. The campaign, attributed to TeamPCP, used prior access to force-push tag changes and publish a trojanized Trivy binary (v0.69.4), enabling credential theft while preserving legitimate scan output. The guidance describes observable telemetry, hunting queries, and immediate remediation steps including safe versions, action pinning, and secrets protections.
read more →
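Both the TeamPCP item above ("pinning dependencies to exact SHAs") and the Microsoft guidance item ("action pinning") come down to the same control, so one added example serves both. It is not Microsoft's or Aqua Security's tooling: a small audit of GitHub Actions workflow files that flags every uses: reference not pinned to a 40-character commit SHA. The point it demonstrates is the one the Trivy compromise turned on: a tag such as v0.69.4 or a branch such as master can be force-pushed to a trojanized commit, whereas a commit SHA cannot be silently repointed. The workflow text is constructed, the SHA in it is a placeholder rather than a real pin, and the function names are the example's own.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not Microsoft's guidance tooling or Aqua Security's). The
workflow below and its SHA are constructed placeholders, not real pins.
"""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: ref` and `uses: ref` (optionally quoted) anywhere in a step.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
"""


@dataclass
class Finding:
    line: int
    ref: str
    kind: str      # sha | tag | branch | local | docker | unpinned
    mutable: bool  # True if the upstream can change what this ref resolves to


def classify(ref):
    """Return (kind, mutable) for a single `uses:` reference."""
    if ref.startswith("./"):
        return "local", False            # in-repo action, reviewed with the code
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return "docker", "@sha256:" not in image   # image tags are mutable too
    if "@" not in ref:
        return "unpinned", True          # resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if SHA40.fullmatch(version):
        return "sha", False
    if re.fullmatch(r"v?\d+(\.\d+)*", version):
        return "tag", True               # force-pushable, as in the Trivy case
    return "branch", True


def audit_workflow(text):
    """Classify every `uses:` reference in a workflow file, in order of appearance."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            kind, mutable = classify(m.group(1))
            findings.append(Finding(n, m.group(1), kind, mutable))
    return findings


def mutable_refs(findings):
    return [f for f in findings if f.mutable]


def pinned_form(ref, sha):
    """Render `owner/action@<sha> # <version>` so the version stays readable."""
    if not SHA40.fullmatch(sha):
        raise ValueError("expected a 40-hex commit SHA")
    action, _, version = ref.partition("@")
    return f"{action}@{sha}" + (f" # {version}" if version else "")


if __name__ == "__main__":
    for f in mutable_refs(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line}: {f.ref} ({f.kind}) is mutable; pin it to a commit SHA")
```

Run against the sample it reports the checkout tag, the trivy-action branch and the alpine image tag as mutable and accepts the SHA-pinned and in-repo actions. Pinning only fixes the ref being repointed; the commit you pin still has to be one you have reviewed, and the trailing version comment that pinned_form() emits is what tools such as Dependabot read to keep the pin current.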