
All news in category “Incidents and Data Breaches”

2727 articles · page 39 of 137

Police Dismantle Gambling Ring Exploiting Ukrainian Women

🚨 Spanish and Ukrainian authorities dismantled a criminal network that exploited war-displaced Ukrainian women to run an automated online gambling and money-laundering scheme. The group financed victims' travel to Spain, coerced them into opening bank accounts and credit cards, then seized control to feed bot-driven low-odds bets. Investigators say the operation used identities from over 5,000 people across 17 nationalities and laundered an estimated €4.75 million. Authorities arrested 12 suspects, executed searches in Spain and Ukraine, and seized devices, bots, SIMs, vehicles and frozen properties.

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.

Europol, Amsterdam Police Shut Down LeakBase Data Market

🔒 Amsterdam police, working with Europol and international partners, have shut down LeakBase, a major online marketplace for stolen data whose servers were located in Amsterdam. The platform had about 142,000 registered users and has been seized as part of a joint operation involving investigators from 14 countries and the FBI. Authorities conducted around 100 targeted operations aimed at 37 primary users. The site now displays a police notice warning that trading stolen data is a criminal offense.

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.

UAT-9244 Targets South American Telecommunication Providers

🚨 Cisco Talos discloses UAT-9244, a China‑nexus APT active since 2024 that has targeted South American telecommunications providers and deployed three implants: TernDoor, PeerTime, and BruteEntry. The actor compromises Windows and multi‑architecture Linux/embedded devices using DLL side‑loading, BitTorrent-based P2P C2, and large-scale brute‑forcing via converted edge devices. Talos provides IOCs, detection signatures, and mitigations to help defenders identify and disrupt this campaign.

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow

🐾 ClearSky reports a Russian-linked campaign targeting Ukrainian entities that deploys a .NET loader named BadPaw and a backdoor called MeowMeow. The attack begins with a phishing message that lures victims to download a ZIP archive containing an HTA decoy presenting a Ukrainian border-crossing appeal while executing hidden stages. The HTA extracts a VBScript and a PNG-embedded loader, establishes persistence via a scheduled task, and orchestrates retrieval of the MeowMeow backdoor from a remote C2 server. Researchers attribute the operation to APT28 with moderate confidence based on targeting, lures, and tradecraft overlaps.

Europol-led Operation Seizes LeakBase Data Breach Forum

🔒 Europol and international partners have taken down LeakBase, an English-language forum that trafficked stolen credentials and stealer logs, seizing two domains and the site's customer database. Coordinated actions on March 3 included arrests, house searches and interviews across the US, Australia, Belgium, Poland, Portugal, Romania, Spain and the UK. Europol said 37 of the forum’s most active users were targeted and vowed to continue tracing offenders as part of Operation Leak.

Phobos Ransomware Administrator Pleads Guilty in U.S. Case

🔐 A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy for administering the Phobos ransomware operation that victimized hundreds worldwide. Ptitsyn was extradited from South Korea in November 2024; prosecutors say the RaaS campaign — linked to the Crysis family — collected over $39 million from more than 1,000 victims and accounted for roughly 11% of ID Ransomware submissions in mid‑2024. Affiliates paid about $300 per deployment for decryption keys; Ptitsyn faces up to 20 years and is scheduled for sentencing on July 15. International law enforcement actions, including Operation Aether, have disrupted parts of the gang and warned over 400 companies.

Europol-Led Operation Disrupts Tycoon 2FA Phishing Service

🛡️ A Europol-led coalition of law enforcement and private cybersecurity firms dismantled Tycoon 2FA, a subscription-based phishing-as-a-service toolkit that enabled adversary-in-the-middle credential and session harvesting at scale. The platform provided a web console for crafting campaigns, harvesting passwords, MFA codes and session cookies, and forwarding stolen data to Telegram for near-real-time monitoring. Authorities seized 330 domains and disrupted infrastructure that generated tens of millions of phishing emails per month, affecting organizations worldwide.

FBI and Europol Seize LeakBase Forum for Stolen Credentials

🔒 A coordinated international operation by the FBI and Europol dismantled LeakBase, a major clearnet forum used to trade stolen credentials and financial data. Authorities seized the site (leakbase[.]la), preserving user accounts, posts, private messages, credit details and IP logs as evidence. The disruption, dubbed Operation Leak, targeted administrators and heavy users and follows reporting that the forum hosted stealer logs and large hacked databases used in account takeover and fraud.

Microsoft-led Takedown Disrupts Tycoon2FA Phishing Network

🔒 Microsoft led a court-authorized disruption of Tycoon2FA, a prominent phishing-as-a-service operation, seizing 330 active domains and coordinating infrastructure seizures with Europol and partner law enforcement. Private-sector partners including Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud and Trend Micro assisted in removing control panels and fraudulent login pages. Microsoft estimates that Tycoon2FA accounted for roughly 62% of the phishing attempts it blocked by mid-2025 and was linked to about 96,000 victims since 2023.

Smashing Security Podcast #457: Insider Leak and AI Risks

🕵️ In episode 457 of the Smashing Security podcast, Graham Cluley and guest Carl Miller unpack a startling insider-abuse case where a defence contractor's leak of zero-day exploits apparently led to an internal investigation run by the leaker, who then framed an innocent colleague. The episode cites reporting and US government actions — including a DOJ sentencing and Treasury sanctions — that trace a network selling stolen government cyber tools to a Russia-linked broker. It also examines emerging concerns that nation states may attempt to manipulate AI by poisoning training data and influencing large language models, with broad implications for trust and national security.

Phishing campaign uses fake LastPass support email threads

🔒 LastPass warns of a targeted phishing campaign that spoofs support email threads to trick users into revealing vault credentials. The messages impersonate a LastPass representative by abusing the display name and use subject lines that mimic forwarded internal conversations about changing an account's primary email. Recipients are urged to click links such as “report suspicious activity” that lead to a fake login page on the domain "verify-lastpass[.]com". LastPass says its systems were not compromised and reminds users never to disclose their master password and to report suspicious messages to abuse@lastpass.com.

Spyware-grade Coruna iOS exploit kit used in crypto theft

🔒 Google researchers disclosed a previously undocumented iOS exploit kit named Coruna, comprising 23 exploits and five full exploit chains that target iOS 13.0 through 17.2.1. Observed by the Google Threat Intelligence Group in 2025, the framework fingerprints devices, avoids targets in Lockdown Mode or private browsing, and delivers a stager loader called PlasmaLoader that injects into the iOS root daemon. Post-exploitation modules specifically target cryptocurrency wallets to extract BIP39 recovery phrases and other sensitive text, encrypting stolen data and using a DGA seeded with "lazarus" for resilience.

Extortion Emails Sent to HungerRush Restaurant Customers

🔔 Customers of restaurants using HungerRush, a provider of POS, online ordering, delivery, and payment services, reported receiving mass extortion emails claiming millions of customer records would be exposed if the company did not respond. The messages were delivered via Twilio SendGrid infrastructure and, according to headers, passed SPF, DKIM, and DMARC checks for the hungerrush.com domain. Security researchers also reported an earlier infostealer infection on an employee device that allegedly harvested corporate credentials, though a direct link to a confirmed breach has not been established. Customers should be vigilant for targeted phishing and SMS scams that may leverage any exposed data.

FBI Seizes LeakBase Cybercrime Forum and Member Data

🔒 The FBI has seized the LeakBase cybercrime forum and preserved data from more than 142,000 members as part of a multinational operation coordinated by Europol. On March 3–4 authorities seized two domains, switched nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov, and posted a seizure notice. Investigators secured the forum database — including accounts, posts, private messages, credit details, and IP logs — for evidentiary use and executed arrests, searches, and interviews across the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.

149 Hacktivist DDoS Claims Target 110 Organizations

🚨 Cybersecurity firms reported 149 hacktivist DDoS claims from Feb 28–Mar 2 that targeted 110 organizations across 16 countries, with 107 attacks concentrated in the Middle East. Two groups, Keymous+ and DieNet, drove nearly 70% of the activity, while NoName057(16) and others accounted for most of the remaining operations. Government, finance, and telecom sectors were disproportionately targeted, and vendors including Radware, Orange Cyberdefense, and Unit 42 provided attribution and telemetry. Analysts warn allied nations and critical infrastructure operators to increase monitoring and harden defenses.

Europol Disrupts Tycoon2FA Phishing-as-a-Service campaigns

🔒 Europol coordinated an international law enforcement operation that disrupted Tycoon2FA, a prolific phishing-as-a-service platform that intercepted credentials and session cookies via reverse proxies to bypass MFA and hijack authenticated sessions. Authorities seized 330 domains and removed control panels and phishing pages across multiple countries, with technical disruption led by Microsoft and support from private partners including Trend Micro and Cloudflare. The action aims to curb tens of millions of monthly phishing messages and protect nearly 100,000 targeted organizations while urging defenders to revoke active sessions and monitor for unauthorized access.

Global Takedown Disrupts Tycoon2FA Phishing Service

🛡️ Microsoft and Europol, supported by industry partners, seized infrastructure linked to the phishing-as-a-service operator Tycoon2FA, removing over 300 domains used in large-scale MFA-bypass campaigns. The PhaaS offering used adversary-in-the-middle techniques to intercept live authentication sessions and capture credentials, one‑time passcodes and session cookies in real time. Investigators say Tycoon2FA had roughly 2,000 users and leveraged more than 24,000 domains since launching in August 2023. Security firms recommend adopting phishing‑resistant authentication, strict conditional access and advanced email protections.

Mississippi Medical Center Reopens Clinics After Ransomware

🏥 The University of Mississippi Medical Center (UMMC) says it has resumed normal operations nine days after a ransomware attack that disrupted electronic medical records and multiple IT systems. Phone lines were restored and clinics reopened with extended hours to reschedule missed appointments. UMMC is investigating the intrusion with FBI and CISA, and confirmed attackers had communicated with staff; no group has claimed responsibility.