< ciso brief />

All news in category “Incidents and Data Breaches”

2719 articles · page 72 of 136

Coupang breach affects 33.7M users, raises data risks

🔒 Coupang disclosed a data breach impacting 33.7 million customer accounts, exposing names, phone numbers, email addresses, delivery address books and purchase histories. The company detected unusual activity on November 6, confirmed a breach on November 18 and publicly disclosed the incident on November 29; attackers had access from June 24 to November 8. A former employee who retained access keys after leaving is the prime suspect. The incident highlights a gap: data that regulation did not require to be encrypted was stored in the clear, underscoring the need for protections beyond the legal minimum, and for revoking keys as part of offboarding.

Phishing Uses Google Cloud Automation to Evade Detection

🛡️ Attackers abused Google Cloud Application Integration to send thousands of malicious emails that appeared to originate from the legitimate address noreply-application-integration@google.com. The messages impersonated routine enterprise notifications—voicemail alerts, file-access and permission requests—raising the chance recipients would click links or disclose credentials. Check Point observed 9,394 phishing emails targeting about 3,200 customers over 14 days.

DXS Confirms Cyber-Attack; NHS Services Unaffected

🔒 DXS International said it discovered a cyber-attack on 14 December that affected its office servers and disclosed the incident to the London Stock Exchange on 18 December. The company reported minimal impact, with front-line NHS clinical services remaining operational, and said it contained the breach and is investigating with NHS England and an external cybersecurity specialist. A threat actor calling itself Devman has claimed to have stolen 300GB and threatened to publish data on 20 December; that claim remains unconfirmed.

Ukrainian Affiliate Pleads Guilty in Nefilim Attacks

🔒 A Ukrainian national has pleaded guilty to participating as an affiliate in the Nefilim ransomware operation after being arrested in Barcelona in June 2024 and extradited from Spain. He joined the group in June 2021, was given an affiliate account in exchange for a 20% cut of ransom proceeds, and used databases such as ZoomInfo to identify large corporate victims in the US, Canada and Australia. Operators exfiltrated data, encrypted networks and threatened publication on a 'corporate leaks' site; the defendant faces up to 10 years and will be sentenced in May 2026. A known co-conspirator, Volodymyr Tymoshchuk, remains at large, with a reward of up to $11m offered for information leading to his arrest.

Ukrainian Affiliate Pleads Guilty in Nefilim Ransomware

🛡️ Ukrainian national Artem Aleksandrovych Stryzhak, 35, pleaded guilty to participating as an affiliate in the Nefilim ransomware operation, admitting he obtained access to the ransomware code in June 2021 in exchange for a 20% share of ransom proceeds. He targeted high-revenue corporations across the United States, Canada, Australia and several European countries using custom-tailored malware and coordinating data-exfiltration and leak threats to coerce payment. Arrested in Spain in June 2024 and extradited to the U.S. in April 2025, Stryzhak faces up to 10 years in prison; sentencing is scheduled for May 6, 2026.

Scripted Sparrow Sends Millions of Targeted BEC Emails

📧 Fortra researchers have identified a global business email compromise (BEC) collective dubbed Scripted Sparrow that is sending an estimated 4–6 million highly tailored messages each month. The group poses as executive coaching and leadership consultancies, registering numerous domains and webmail addresses while sending spoofed reply chains with fake invoices and W‑9 forms to Accounts Payable teams. Fortra urges organisations to enforce strict payment approval protocols, verify requests via official channels and never trust embedded reply chains.

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.

Infy APT Resurfaces with Updated Foudre and Tonnerre

🔍 SafeBreach has linked renewed operations to the Iranian APT known as Infy (Prince of Persia), revealing updated Foudre downloader and Tonnerre implants active across Iran, Iraq, Turkey, India, Canada and parts of Europe. The campaign, tracked through September 2025 samples, shifts from macro-laced Excel to embedded executables and employs a DGA plus RSA-signed C2 validation. SafeBreach identified C2 folders including a 'key' directory and a Telegram integration used selectively via a tga.adr file. Analysts warn Infy remains active and dangerous to high-value targets.

US DOJ Indicts 54 in Multi-Million ATM Jackpotting Scheme

💰 The U.S. Department of Justice has indicted 54 individuals tied to a large-scale ATM jackpotting conspiracy that used the Ploutus malware to force machines to dispense cash. Prosecutors allege members of the Venezuelan gang Tren de Aragua, designated a Foreign Terrorist Organization, recruited operatives who conducted surveillance, opened ATM hoods and installed malware by replacing drives or using removable media. Two related indictments returned in October and December 2025 charge bank fraud, burglary, computer fraud and money laundering, exposing an operation that siphoned millions and laundered proceeds to fund other criminal and terrorist activities.

Prince of Persia APT Returns with New Malware, C2 Ops

🛡️ Researchers have observed renewed activity from the Prince of Persia threat actor, long linked to Iran, after an apparent 2022 hiatus. SafeBreach found updated Foudre and Tonnerre variants, a new domain generation algorithm and altered delivery using Excel files with embedded SFX payloads alongside legacy malicious macros. Select victims can now be controlled via the Telegram API, and identified targets are predominantly in Iran with some victims across Europe, Iraq, Turkey, India and Canada.
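The two SafeBreach items above both note that the updated Foudre/Tonnerre chain pairs a domain generation algorithm with RSA-signed C2 validation. The mechanism matters to defenders because it defeats the usual response to a DGA: registering the next predicted domains and sinkholing them. The following is an added example written for this page, not Infy code and not SafeBreach tooling; the DGA, the record format and the key are invented here, and the RSA is textbook (no padding) over known Mersenne primes so the block runs stand-alone, which makes it fine for showing the control flow and useless as real cryptography.

```python
"""DGA plus signed C2 validation, as an implant would see it (added example)."""
import hashlib

# --- toy key material (illustrative only: trivially factorable by construction) ---
P, Q = 2**521 - 1, 2**127 - 1           # both Mersenne primes
N, E = P * Q, 65537                     # public key: embedded in the implant
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: held only by the operator


def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes) -> int:
    """Operator side: sign SHA-256(msg) with the private exponent (textbook RSA)."""
    return pow(_h(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Implant side: only N and E are embedded, so anyone can verify, nobody can forge."""
    return pow(sig, E, N) == _h(msg)


def dga(seed: str, day: str, count: int = 8):
    """Hypothetical DGA: sha256(seed|day|index) truncated, under a fixed TLD."""
    return [hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()[:12] + ".example"
            for i in range(count)]


def c2_record(domain: str, day: str) -> bytes:
    """The bytes the signature must cover. Binding the domain and the day into the
    message means a valid record captured on one domain cannot be replayed on another."""
    return f"{domain}|{day}".encode()


def select_c2(seed: str, day: str, dns: dict):
    """Walk the DGA list in order and accept the first domain whose published record
    verifies. `dns` maps domain -> signature, standing in for a TXT record or HTTP body."""
    for d in dga(seed, day):
        sig = dns.get(d)
        if sig is not None and verify(c2_record(d, day), sig):
            return d
    return None


def scenario():
    """A defender sinkholes the first candidate and replays a captured real record on it;
    the implant skips it and settles on the operator's domain further down the list."""
    seed, day = "campaign-7", "2025-09-15"            # constructed values
    domains = dga(seed, day)
    sinkhole, real = domains[0], domains[3]
    genuine = sign(c2_record(real, day))              # published by the operator
    dns = {
        sinkhole: genuine,                            # replayed: wrong domain in the message
        real: genuine,
    }
    return {"sinkhole": sinkhole, "real": real, "chosen": select_c2(seed, day, dns)}


if __name__ == "__main__":
    print(scenario())
```

The practical consequence is the one SafeBreach's write-up implies: takedown has to target the registered domains the operator actually controls, and detection has to key on the beaconing pattern (the implant walking the candidate list and checking signatures) rather than on sinkhole hits.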

Nigeria Arrests Developer of RaccoonO365 Microsoft Phishing

🔒 Nigerian police arrested three individuals linked to targeted Microsoft 365 phishing attacks delivered via the RaccoonO365 platform, citing intelligence shared by Microsoft and the FBI. Authorities say one suspect, Okitipi Samuel (aka RaccoonO365 or Moses Felix), developed and sold phishing kits on Telegram and hosted pages on Cloudflare using compromised accounts. The toolkit automated fake Microsoft login pages and has been tied to at least 5,000 account compromises across 94 countries; the two other detainees currently have no proven role in creating the service.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing

🔒 Proofpoint links a September 2025 phishing campaign to a suspected Russia-aligned cluster called UNK_AcademicFlare that abuses the OAuth device code flow to seize Microsoft 365 accounts. The group uses compromised government and military email addresses to build rapport and sends Cloudflare Worker links that mimic OneDrive, asking victims to copy and enter a short code. The attacker has already started a device code flow and holds the matching device code; when the victim enters the user code on Microsoft's legitimate device login page and completes sign-in, including MFA, the resulting tokens are issued to the attacker's client, which polls the token endpoint with the device code it kept. Nothing is captured from the victim's session and no login page is spoofed, which is why the lure survives user scrutiny.

Google Sues SerpApi for Malicious Web Scraping Abuse

🔒 Google has filed a lawsuit against the scraping company SerpApi for circumventing security measures and taking copyrighted content that appears in Search results. The complaint alleges SerpApi cloaks its bots, rotates identities, and bombards websites to harvest licensed images and real‑time Search data, which it then resells for a fee. Google says it resorted to legal action after technical protections were repeatedly bypassed in order to protect publishers and rightsholders.

Google Sues SerpApi for Circumventing Search Protections

⚖️ Google has filed a lawsuit against the scraping company SerpApi, alleging it circumvented security measures to copy and resell copyrighted content that appears in Google Search. The complaint says SerpApi cloaks its bots, rotates false crawler identities, and bombards sites with large bot networks, overriding websites' directives. Google states it follows industry-standard crawling protocols and uses legal action as a last resort to stop malicious scraping.

Microsoft 365 OAuth Device Code Phishing Wave Expands

🔒 Multiple threat actors are exploiting the OAuth device code flow to compromise Microsoft 365 accounts. Victims are tricked into entering a device code on Microsoft's legitimate device login page, which authorizes an attacker-controlled application and grants it persistent access without any credential theft or direct MFA bypass. Proofpoint reports a significant volume increase since September and attributes activity to financially motivated groups such as TA2723 and a suspected Russia-aligned actor tracked as UNK_AcademicFlare. The campaigns use phishing kits like SquarePhish and Graphish and employ lures such as salary bonuses and spoofed OneDrive links. Organizations should use Microsoft Entra Conditional Access policies that restrict or block the device code flow, implement sign-in origin policies, and hunt sign-in logs for device code authentications from unexpected locations.
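The two Proofpoint items above describe the same abuse of the device authorization grant, and the point that trips people up is who receives the token. The simulation below is an added example written for this page, not Proofpoint's research tooling and not Microsoft's implementation: AuthorizationServer is a hypothetical stand-in for an RFC 8628 device-code server such as Microsoft Entra, and the endpoint names, the block_device_code policy switch (standing in for a Conditional Access rule) and the sign-in log fields are assumptions made for the example.

```python
"""Device code phishing, played through end to end (added example)."""
import secrets


class AuthorizationServer:
    """Minimal device authorization grant: code issue, user approval, token poll."""

    def __init__(self, block_device_code=False):
        # Stand-in for a Conditional Access policy that blocks the device code flow.
        self.block_device_code = block_device_code
        self.by_device_code = {}
        self.by_user_code = {}
        self.sign_in_log = []  # stand-in for Entra sign-in logs (fields assumed)

    def device_authorization(self, client_id, scope):
        """Step 1: the *client* (here, the attacker) starts the flow and gets both codes."""
        if self.block_device_code:
            return {"error": "policy_denied"}
        rec = {"client_id": client_id, "scope": scope, "user": None,
               "device_code": secrets.token_hex(16),
               "user_code": "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ23456789")
                                    for _ in range(8))}
        self.by_device_code[rec["device_code"]] = rec
        self.by_user_code[rec["user_code"]] = rec
        return {"device_code": rec["device_code"], "user_code": rec["user_code"],
                "verification_uri": "https://login.example/device"}  # hypothetical URL

    def approve(self, user_code, username, password_ok, mfa_ok, client_ip):
        """Step 2: the *victim* types the user code on the legitimate page and signs in.
        Password and MFA both genuinely succeed: nothing is stolen or bypassed here."""
        rec = self.by_user_code.get(user_code)
        if rec is None or not (password_ok and mfa_ok):
            return False
        rec["user"] = username
        self.sign_in_log.append({"user": username, "ip": client_ip,
                                 "appId": rec["client_id"],
                                 "authenticationProtocol": "deviceCode"})
        return True

    def token(self, device_code):
        """Step 3: whoever holds the device_code collects the token. The victim never had it."""
        rec = self.by_device_code.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"at-{rec['user']}-{secrets.token_hex(4)}",
                "scope": rec["scope"], "subject": rec["user"]}


def run_phish(block_device_code=False):
    """Play the campaign through and report who ends up holding the token."""
    idp = AuthorizationServer(block_device_code=block_device_code)
    # Attacker starts the flow in the name of a client that is allowed to use the grant.
    start = idp.device_authorization(client_id="first-party-client",
                                     scope="Mail.Read Files.Read")
    if "error" in start:
        return {"flow_started": False, "victim_approved": False,
                "attacker_has_token": False, "token_subject": None,
                "signins": idp.sign_in_log}
    # The lure (a fake OneDrive page) hands start["user_code"] to the victim.
    approved = idp.approve(start["user_code"], "victim@corp.example",
                           password_ok=True, mfa_ok=True, client_ip="198.51.100.7")
    tok = idp.token(start["device_code"])  # attacker polls with the code it kept
    return {"flow_started": True, "victim_approved": approved,
            "attacker_has_token": "access_token" in tok,
            "token_subject": tok.get("subject"), "signins": idp.sign_in_log}


def device_code_signins(sign_in_log):
    """Hunting-query equivalent: every sign-in that used the device code protocol."""
    return [e for e in sign_in_log if e.get("authenticationProtocol") == "deviceCode"]


if __name__ == "__main__":
    print(run_phish())
    print(run_phish(block_device_code=True))
```

Two things are worth noticing in the output. With the flow allowed, the victim's sign-in is a fully successful, MFA-satisfied authentication, so password-spray and impossible-travel detections stay quiet; the only distinguishing signal is the protocol field, which is why the hunt filters on it. With the flow blocked by policy, the attacker's very first request fails before any lure is sent.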

Denmark Blames Russia for 2024–25 Cyber Attacks, DDoS

🛡️ The Danish Defence Intelligence Service (DDIS) said on December 18, 2025 that Russian-aligned actors were responsible for recent destructive and disruptive cyber activity against Denmark. The agency named pro‑Russian hacktivist groups Z‑Pentest for a destructive 2024 intrusion at a water utility and NoName057(16) for DDoS campaigns targeting websites ahead of the 2025 municipal and regional elections. DDIS assessed both groups have links to the Russian state and are being used as instruments of a hybrid campaign to create insecurity and penalise countries supporting Ukraine. The statement followed a global advisory, co-signed by 23 law enforcement and intelligence bodies, which catalogued related TTPs.

Denmark Blames Russia for Destructive Water Utility Attack

🔒 Danish intelligence (DDIS) attributed a destructive cyberattack on a water utility to Russian-linked actors, identifying Z-Pentest as responsible for the sabotage and NoName057(16) for election-period DDoS operations. The agency said these actions are part of Moscow's broader hybrid campaign to punish countries supporting Ukraine. Officials will summon the Russian ambassador and warned the attacks undermine public security.

Doublespeed Phone Farm Hacked, AI Ad Accounts Exposed

🔓 Doublespeed, a startup backed by Andreessen Horowitz (a16z), was breached, exposing its operation of hundreds of AI-generated social media accounts and a phone farm controlling more than 1,000 smartphones. The anonymous intruder said they reported a vulnerability to Doublespeed on October 31 and still have access to the company's backend, including the device fleet. The compromise reveals promoted products often lacked required advertising disclosures and raises concerns about platform abuse and regulatory compliance.

Credential-based attacks target Cisco and Palo Alto VPNs

🔒 Security researchers observed a coordinated credential-stuffing campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a two-day span in mid-December. GreyNoise reported millions of automated login sessions from more than 10,000 unique IPs, using a consistent TCP fingerprint and a Firefox-like user agent. The activity did not exploit software flaws but instead relied on large-scale username/password probes. Analysts urged enforcing strong passwords and MFA, auditing exposed edge devices, and leveraging threat-intel blocklists to filter malicious traffic.
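The GreyNoise description above (millions of attempts spread over more than 10,000 sources, a consistent user agent, no exploit involved) is the shape a distributed credential-stuffing campaign takes in VPN auth logs, and it is what a detection should key on rather than per-IP failure counts, which stay low by design. The block below is an added example written for this page, not GreyNoise's or any vendor's tooling; the log line format is constructed for the example, and the thresholds are assumptions a SOC would tune to its own baseline.

```python
"""Distributed credential-stuffing detection over VPN auth logs (added example)."""
import re
from collections import defaultdict

# Constructed log format for this example (not a Cisco or Palo Alto syslog format).
LINE = re.compile(r"^(?P<ts>\S+) vpn-auth src=(?P<src>[\d.]+) user=(?P<user>\S+) "
                  r"result=(?P<result>OK|FAIL) ua=\"(?P<ua>[^\"]*)\"$")

SPRAY_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"


def constructed_log():
    """Synthetic log: 40 sources, 3 failed guesses each against 120 distinct usernames,
    all sharing one user agent, plus a few genuine client logins for contrast."""
    lines = []
    for i in range(40):
        for j in range(3):
            lines.append(f"2025-12-14T10:{i:02d}:{j:02d}Z vpn-auth src=203.0.113.{i + 1} "
                         f"user=emp{(3 * i + j):03d} result=FAIL ua=\"{SPRAY_UA}\"")
    legit = [("198.51.100.10", "alice", "OK", "AnyConnect/4.10"),
             ("198.51.100.10", "alice", "FAIL", "AnyConnect/4.10"),
             ("198.51.100.11", "bob", "OK", "GlobalProtect/6.2"),
             ("198.51.100.12", "carol", "OK", "AnyConnect/4.10")]
    for k, (src, user, res, ua) in enumerate(legit):
        lines.append(f"2025-12-14T11:00:{k:02d}Z vpn-auth src={src} user={user} "
                     f"result={res} ua=\"{ua}\"")
    return lines


def parse(lines):
    """Parse the constructed format; lines that do not match are dropped, not guessed at."""
    events = []
    for ln in lines:
        m = LINE.match(ln)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, min_sources=20, min_users=50, max_per_source=10, min_fail_ratio=0.9):
    """Cluster by user agent. A stuffing campaign looks like many sources, many distinct
    usernames, few attempts per source (to stay under per-IP lockouts) and almost all
    failures. Returns one finding per offending cluster with a ready-made block list."""
    by_ua = defaultdict(list)
    for e in events:
        by_ua[e["ua"]].append(e)
    findings = []
    for ua, evs in by_ua.items():
        sources = {e["src"] for e in evs}
        users = {e["user"] for e in evs}
        fails = sum(e["result"] == "FAIL" for e in evs)
        per_source = len(evs) / len(sources)
        fail_ratio = fails / len(evs)
        if (len(sources) >= min_sources and len(users) >= min_users
                and per_source <= max_per_source and fail_ratio >= min_fail_ratio):
            findings.append({"ua": ua, "sources": len(sources), "users": len(users),
                             "attempts": len(evs), "fail_ratio": fail_ratio,
                             "block_candidates": sorted(sources)})
    return findings


if __name__ == "__main__":
    for f in detect(parse(constructed_log())):
        print(f["sources"], "sources,", f["users"], "users,", f["attempts"], "attempts")
```

The user-agent string is the cheap pivot here; in the real campaign GreyNoise also had a TCP fingerprint, which is the stronger key because it survives user-agent rotation. Either way, the output list of sources is what feeds the edge-device blocklist the analysts recommend, and the per-username coverage is the figure that tells you whether forced password resets are warranted.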

US Indicts 54 in ATM 'Jackpotting' Scheme Using Ploutus

💰 Federal prosecutors announced indictments against 54 individuals accused of using Ploutus malware to carry out ATM 'jackpotting' attacks across the United States. Two separate grand jury indictments in the District of Nebraska charge 22 and 32 defendants with installing malware, removing or replacing ATM hard drives, and forcing cash dispensals. Authorities allege total losses reached $40.73m and tie some activity to the Venezuelan syndicate Tren de Aragua.