
All news in category “Incidents and Data Breaches”


Brightspeed Probes Alleged Data Theft by Crimson Collective

🔒 Brightspeed is investigating claims that the extortion group Crimson Collective stole sensitive information belonging to more than one million customers. The U.S. broadband provider said it is rigorous in securing networks and is looking into a reported cybersecurity event, promising to keep customers, employees, and authorities informed. Crimson Collective posted on Telegram that the haul includes PII, account and payment details, and appointment/order records, and threatened to publish a sample to force a response.

Russia-Aligned Hackers Abuse Viber to Deploy Malware

📲 Russian-aligned threat actor UAC-0184 used the Viber messaging app to deliver malicious ZIP archives to Ukrainian military and government recipients, according to 360 Threat Intelligence Center. The archives contained LNK decoys that silently executed Hijack Loader, which retrieves a second ZIP (smoothieks.zip) via PowerShell and reconstructs the loader in memory. The loader uses DLL side-loading, module stomping, CRC32 checks for installed security products, and scheduled tasks for persistence before injecting Remcos RAT into chime.exe to enable remote control and data theft.

Taiwan Faces 2.6M Daily Chinese Cyberattacks in 2025

⚠️ Taiwan's National Security Agency reported that Chinese cyberattacks targeting the island's critical infrastructure rose 6% in 2025, averaging 2.6 million attacks per day. The assaults mainly focused on the energy sector, hospitals, banks and emergency services, and extended to the semiconductor industry, including TSMC. Attackers employed large-scale denial-of-service and man-in-the-middle techniques to disrupt operations and exfiltrate data. Many incidents reportedly coincided with Chinese military exercises and high-profile political events, while Beijing denies involvement.

Bitfinex Hacker Ilya Lichtenstein Granted Early Release

🔓 Ilya Lichtenstein, convicted in the 2016 Bitfinex exchange breach, has been released from prison early and transferred to home confinement under the First Step Act. Sentenced to five years in November 2024 for money laundering tied to the attack, he served about 14 months before the transfer. Authorities previously recovered roughly 94,000 of the 119,754 stolen bitcoin, making the case one of the largest seizures in US history.

Kimwolf Android Botnet Infects Over 2 Million Devices

🛡️ Synthient reports the Kimwolf Android botnet has compromised more than two million devices by tunneling through residential proxy networks and embedded SDKs. The campaign, active since August 2025 and linked to AISURU by QiAnXin XLab, exploits exposed Android Debug Bridge (ADB) services—67% of infected devices had unauthenticated ADB enabled. Operators monetize infections via app installs, selling residential proxy bandwidth and DDoS services; the main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for commands.

New Zealand Orders Review of Manage My Health Breach

🔒 The New Zealand government has launched a review after Manage My Health, a national online patient portal, detected a cyber-attack on 30 December 2025 that may have exposed personal data for roughly 100,000–120,000 users. The vendor says the incident has been contained and the application is secure, but an alleged attacker using the alias 'Kazu' claims to have stolen over 428,000 files and demanded a $60,000 ransom. Health New Zealand, the New Zealand Police and independent forensic teams are involved while the Ministry examines data protections and third-party access across the health system.

Ledger Customers Affected by Global-e Third-Party Breach

🔒 Ledger says some customers had personal data exposed after a breach at third‑party payment processor Global‑e. The company confirmed its own network, hardware, and software were not compromised and that the leaked fields were limited to shopper names and contact information — no payment data, seed phrases, or blockchain secrets were taken. Ledger warned customers to watch for phishing attempts, never disclose their 24‑word recovery phrase, and follow any direct notifications from Global‑e for details.

NordVPN Denies Breach, Says Stolen Files Were Dummy Data

🔒 NordVPN says files circulating on a hacking forum were dummy data taken from a temporary third-party automated testing environment, not from its production systems. The company says the environment was used during a trial of a potential vendor months earlier, contained only test accounts and artifacts, and was never connected to NordVPN infrastructure. NordVPN has contacted the vendor and characterized the report as a false alarm.

Resecurity Lures Alleged ShinyHunters into Decoy Data Trap

🔒 Resecurity says it intentionally diverted attackers into a honeypot after individuals claiming ties to the Scattered Lapsus$ Hunters (SLH) alliance posted screenshots alleging a breach. The company reports it detected reconnaissance of exposed services and steered the activity to an emulated environment populated with synthetic consumer and payment records. According to Resecurity, the adversaries interacted with the decoy, generating telemetry that revealed tooling and methods, while independent researchers have found no evidence that production systems or client data were compromised.

European Space Agency Confirms External Server Breach

🔒 The European Space Agency (ESA) has acknowledged a December server compromise affecting a small number of external, non-corporate servers that support unclassified collaborative engineering activities. The agency says it has informed relevant stakeholders, implemented measures to secure potentially affected devices and launched a forensic analysis. Reports on underground forums claim over 200GB of data was stolen, including source code, CI/CD pipelines and credentials, raising supply chain and operational concerns.

Bitfinex Hacker Ilya Lichtenstein Granted Early Release

🔓 Ilya Lichtenstein, convicted in connection with the 2016 Bitfinex breach, announced on X that he has been released early and credited the First Step Act for his early disposition. Federal records list his formal release date as February 9, 2026, while a Trump administration official said he is currently on home confinement. Lichtenstein said he intends to work in cybersecurity and thanked supporters, while prosecutors continue efforts to return seized assets to Bitfinex.

Analysts Trace $35M Crypto Theft to LastPass 2022 Breach

🔎 TRM Labs investigators say a 2022 data breach at LastPass enabled sustained thefts that drained millions in cryptocurrency from user wallets over several years. The firm traced approximately $28m stolen from 2024 to early 2025 and a further $7m in September 2025, with funds routed to Russian exchanges and money‑laundering services. Using proprietary demixing techniques, analysts were able to correlate CoinJoin‑mixed transactions to withdrawal clusters tied to Russia‑based infrastructure. The report underscores the long‑tail risk from exposed password vault backups and reiterates the need for MFA and prompt password changes.

Hackers Claim Resecurity Breach; Company Calls It Honeypot

🛡️ Threat actors claiming to be the "Scattered Lapsus$ Hunters" published screenshots saying they accessed Resecurity systems and stole employee data, internal communications, threat reports, and client lists. Resecurity disputes the claim, saying the exposed account was a monitored honeypot populated with synthetic datasets to observe attacker behavior. The firm says it collected telemetry, observed OPSEC failures, and shared intelligence with law enforcement.

ShinyHunters Claims Resecurity Breach; Firm Calls Honeypot

🔒 ShinyHunters claims it gained full access to cybersecurity firm Resecurity, publishing Telegram screenshots that allegedly show employee records, internal chats, threat intelligence reports, and client data. Resecurity disputes the account, saying the accessed environment was an isolated honeypot populated with synthetic datasets after researchers detected probes in November 2025. The firm reports the actor generated automated exfiltration activity between December 12–24, collected telemetry on proxy infrastructure and tactics, and shared intelligence with law enforcement while the attacker promises to release more evidence.

Covenant Health: May data breach impacts 478,188 patients

🚨 Covenant Health disclosed that a May intrusion exposed sensitive patient data for 478,188 individuals after a broader analysis revised the initial July estimate of 7,864. The organization says the breach occurred on May 18 and was discovered on May 26; the ransomware group Qilin later claimed responsibility and said 852 GB of data was taken. Exposed elements may include names, addresses, dates of birth, Social Security numbers, medical record and insurance details, and treatment information. Covenant Health engaged third‑party forensics, reports ongoing review, has strengthened security, and is offering affected patients 12 months of free identity protection.

Cryptocurrency Thefts Linked to 2022 LastPass Breach

🔒 Blockchain investigator TRM Labs says a series of cryptocurrency thefts were traced back to the 2022 LastPass breach, where encrypted vault backups containing private keys and seed phrases were stolen. Attackers appear to have slowly decrypted vaults for users with weak or reused master passwords, draining wallets in waves months or years later. TRM also reported that stolen funds were converted to Bitcoin and laundered through Wasabi Wallet CoinJoin mixes before cash‑out via Russian-linked exchanges.

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐 Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.

Transparent Tribe Deploys New RAT Targeting Indian Sectors

🛡️ Transparent Tribe (APT36) has launched a spear-phishing campaign delivering a memory‑resident RAT that grants persistent remote control of compromised hosts. The attack chain leverages weaponized .LNK shortcuts that execute obfuscated HTA scripts via mshta.exe, decrypt payloads into memory, and present decoy PDFs to evade detection. The malware adapts persistence to detected antiviruses and drops a DLL, iinneldc.dll, which supports remote command execution, file exfiltration, screenshot capture, clipboard manipulation, and process control.

Two Plead Guilty to Running BlackCat Ransomware Operation

🔒 Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to conspiring to obstruct, delay, or affect commerce through extortion for their roles in deploying the BlackCat (ALPHV) ransomware against multiple U.S. companies between April and December 2023. They admitted identifying and targeting victims while leveraging ransomware-as-a-service rather than developing the malware themselves, and reached plea agreements in December 2025 that were accepted by the Southern District of Florida. The attacks were tied to more than $9.5 million in losses, though authorities traced roughly $324,123.26 in proceeds to the defendants; both face up to 20 years in prison.