CISO Brief

All news in category “Incidents and Data Breaches”

2719 articles · page 73 of 136

Nigeria Arrests RaccoonO365 Developer Behind PhaaS

🔒 Authorities in Nigeria arrested three alleged internet fraud suspects, including the principal developer of the RaccoonO365 phishing-as-a-service toolkit, following a joint investigation with Microsoft and the FBI. Investigators say the suspect operated a Telegram channel selling phishing links for cryptocurrency, hosted fraudulent Cloudflare portals, and used stolen or fraudulently obtained credentials to harvest Microsoft 365 logins. Laptops, mobile devices, and other evidence were seized during searches.

FBI Disrupts Russian Crypto Exchange Supporting Cybercrime

🔒 The FBI led an international operation that seized websites and infrastructure tied to E-Note, a Russian-controlled cryptocurrency exchange alleged to have facilitated laundering for cybercriminals. Authorities unsealed an indictment on Dec. 17 against Mykhalio Petrovich Chudnovets, accused of offering money laundering services since 2010. Law enforcement recovered servers, mobile apps, customer databases and records linking more than $70m in illicit proceeds to ransomware and account-takeover campaigns.

University of Sydney code repository breach exposes data

🔒 The University of Sydney reported unauthorized access to an online code repository that resulted in the theft of files containing personal information for more than 27,000 individuals. The breach affected current and former staff, students and alumni and included names, dates of birth, contact details and job information. The university says it detected the incident last week, blocked the access, notified regulators and launched support and notification processes for impacted people.

Clop Targets Internet-Exposed Gladinet CentreStack Servers

🔒 The Clop ransomware gang is actively targeting Internet-exposed Gladinet CentreStack file servers in a new extortion campaign, with incident responders reporting ransom notes on compromised systems. Gladinet has issued multiple security updates since April to address several flaws, some disclosed as zero-days. It remains unclear whether Clop is exploiting a fresh zero-day or targeting unpatched instances. Threat data shows 200+ IPs exposing CentreStack login pages and potentially at risk.

GhostPairing attack allows remote WhatsApp account linking

⚠️ Researchers at Gen Digital have identified a social-engineering technique dubbed GhostPairing that lets attackers add their own device to a victim’s WhatsApp account as a trusted linked device, without any credentials. The attacker starts WhatsApp’s link-a-device flow with the victim’s phone number, then sends the victim a message that presents the resulting pairing code as a routine request to verify their number; when the victim enters that code on their phone, they approve the attacker’s session themselves. Once linked, the attacker can read and send messages in real time and push the same lure to the victim’s contacts. Users should review Linked Devices and enable two-step verification.

China-Aligned Group Uses Group Policy for Espionage

🔍 A newly tracked China-aligned cluster, dubbed LongNosedGoblin, has been linked to cyber-espionage campaigns against government organizations in Southeast Asia and Japan, ESET reported. The actor has abused Windows Group Policy to deploy a suite of C#/.NET tools and uses cloud storage services like Microsoft OneDrive and Google Drive as command-and-control channels. Observed tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, enabling browser-data theft, keystroke capture, file exfiltration, and remote command execution. Activity dates back to at least September 2023 with targeted deployments and execution guardrails to limit operations to selected victims.

Large Password-Spraying Campaign Targets Cisco, PAN VPNs

🔐 An automated password-spraying campaign is targeting multiple VPN platforms, with credential-based attacks observed against Palo Alto Networks GlobalProtect portals and Cisco SSL VPN gateways. GreyNoise recorded login attempts peaking at 1.7 million over 16 hours from more than 10,000 unique IPs, largely originating from the 3xK GmbH hosting space. The actor reused common username/password combinations and used an unusual Firefox user agent, indicating scripted credential probing rather than exploitation. Administrators are advised to enforce strong passwords, enable MFA, audit appliances, and block known malicious IPs.
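The campaign above is a spray (few attempts per account, fanned out across many accounts and more than 10,000 source IPs), which is exactly the shape a per-IP lockout threshold misses. As an added example, not part of the GreyNoise report and not a vendor tool, here is a small Python detector that finds both the single-source spray (one IP, many users) and the distributed spray (one user, many IPs) in a batch of VPN authentication failures, and lists user agents that are not the expected VPN client. The log line layout, the `PAN GlobalProtect/` user-agent prefix and the sample lines are all constructed assumptions; adapt `LINE_RE` and `EXPECTED_UA` to your appliance’s real syslog format.

```python
"""Password-spray detection over VPN authentication-failure logs.

Added example, not part of the GreyNoise report. The log line layout is a
constructed, simplified syslog format (assumption), not the real
GlobalProtect or Cisco ASA/FTD format; adapt LINE_RE to your appliance.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) auth-fail user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)

# Assumed user-agent prefix of the legitimate VPN client; verify against your own logs.
EXPECTED_UA = re.compile(r"^PAN GlobalProtect/")
SPRAY_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'

# Constructed sample (RFC 5737 test addresses, fictional users):
#  - 203.0.113.10 tries twelve different usernames once each (single-source spray)
#  - "vpnuser" is tried once from eight different IPs (distributed spray, the
#    pattern a per-IP threshold misses when the actor has 10,000+ sources)
#  - "alice" fails twice from her own client: ordinary typo noise
SAMPLE_LOG = "\n".join(
    [f'2025-12-18T08:00:{i:02d}Z gp-portal auth-fail user=user{i} '
     f'src=203.0.113.10 ua="{SPRAY_UA}"' for i in range(12)]
    + [f'2025-12-18T08:05:{i:02d}Z gp-portal auth-fail user=vpnuser '
       f'src=198.51.100.{i} ua="{SPRAY_UA}"' for i in range(1, 9)]
    + ['2025-12-18T08:10:00Z gp-portal auth-fail user=alice src=192.0.2.7 ua="PAN GlobalProtect/6.2"',
       '2025-12-18T08:10:05Z gp-portal auth-fail user=alice src=192.0.2.7 ua="PAN GlobalProtect/6.2"']
)


def parse(log):
    """Return one dict per auth-failure line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def detect_sprays(events, min_users=8, min_ips=5, max_per_pair=2):
    """Find spraying in a batch of failures (pre-filter to your time window).

    A spray tries few passwords per account, so the signature is many
    (src, user) pairs with a *low* attempt count each, fanned out either
    from one source over many users or over many sources against one user.
    Returns (single_source, distributed) as {src: [users]} and {user: [srcs]}.
    """
    attempts = defaultdict(int)
    for e in events:
        attempts[(e["src"], e["user"])] += 1
    users_by_src, srcs_by_user = defaultdict(set), defaultdict(set)
    for (src, user), n in attempts.items():
        if n <= max_per_pair:          # brute force (many tries per pair) is a different alert
            users_by_src[src].add(user)
            srcs_by_user[user].add(src)
    single = {s: sorted(u) for s, u in users_by_src.items() if len(u) >= min_users}
    distributed = {u: sorted(s) for u, s in srcs_by_user.items() if len(s) >= min_ips}
    return single, distributed


def odd_user_agents(events):
    """User agents that are not the expected VPN client (GreyNoise noted an unusual Firefox UA)."""
    return sorted({e["ua"] for e in events if not EXPECTED_UA.match(e["ua"])})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    single, distributed = detect_sprays(evts)
    print("single-source sprays:", {s: len(u) for s, u in single.items()})
    print("distributed sprays:", {u: len(s) for u, s in distributed.items()})
    print("unexpected user agents:", odd_user_agents(evts))
```

The thresholds are deliberately parameters: tune `min_users` and `min_ips` to your portal’s normal failure volume, and feed the detector one time window at a time (an hour is a reasonable start) so slow sprays accumulate enough pairs to cross them. The user-agent check is a weak signal on its own, but combined with the fan-out counts it separates scripted probing from users mistyping passwords.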

Passenger Boards Heathrow Flight Without Ticket or ID

✈️ A man reportedly boarded a British Airways flight at London Heathrow with neither a ticket nor a passport. Sources say he tailgated into the security screening area and cleared screening, which found no prohibited items on him. At check-in he allegedly deceived a BA agent by presenting himself as a member of a family whose passports and boarding passes had already been inspected. Authorities are investigating potential procedural and access-control failures.

US Seizes E-Note Exchange Linked to Ransomware Laundering

🛑 Law enforcement seized servers and domains of the E-Note cryptocurrency exchange, accused of laundering more than $70 million originating from ransomware attacks and account takeovers. Authorities confiscated e-note.com, e-note.ws and jabb.mn, removed mobile apps, and obtained customer databases and transaction records. The DOJ has indicted Russian national Mykhalio Petrovich Chudnovets on one count of money laundering conspiracy; he faces up to 20 years in prison but has not been arrested. The seized records may help identify additional cybercriminals and the network of money mules used to move and convert illicit funds.

OAuth Device Code Phishing Surges, Targeting Microsoft 365

🔐 Proofpoint has observed a sharp increase in phishing campaigns that abuse Microsoft's OAuth device code authorization flow to gain access to Microsoft 365 accounts. The attacker starts the flow and receives a user code; social engineering (QR codes, embedded buttons and hyperlinks) then steers the victim to Microsoft's legitimate device-login page to enter that code, which completes the attacker's pending authorization and yields valid access tokens without the attacker ever handling the password. Readily available tools such as SquarePhish2 and Graphish have lowered the bar for both state-aligned and financially motivated actors.
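Because the victim signs in on Microsoft’s own page, the only durable evidence lands in the tenant’s sign-in logs, where the record’s authentication protocol is device code rather than the usual OAuth2 redirect flow. As an added example, not Proofpoint’s code, the Python below triages such records: it builds each user’s baseline of IPs seen in ordinary successful sign-ins and ranks device-code sign-ins by whether the token was minted from an IP in that baseline. The records are constructed and use the Microsoft Graph `signIn` field names as I understand them (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `status.errorCode`); the Conditional Access body at the end likewise assumes Graph’s `authenticationFlows` / `transferMethods` condition. Confirm both against the current Graph schema before relying on them.

```python
"""Triage OAuth device-code sign-ins in Microsoft Entra sign-in logs.

Added example, not Proofpoint's code. The records are constructed and use
the Microsoft Graph `signIn` field names as I understand them
(userPrincipalName, ipAddress, authenticationProtocol, status.errorCode);
confirm them against the current Graph schema. The Conditional Access body
at the end likewise assumes Graph's authenticationFlows/transferMethods
condition; verify before deploying.
"""
from collections import defaultdict

# Constructed sample: RFC 5737 addresses, fictional users.
SIGNINS = [
    {"createdDateTime": "2025-12-18T09:12:04Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # alice's device code was redeemed from an IP she has never signed in from
    {"createdDateTime": "2025-12-18T10:41:30Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T08:02:11Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    # bob used device code from his usual IP (a CLI or headless-device sign-in looks like this)
    {"createdDateTime": "2025-12-18T08:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # carol's attempt failed (nonzero errorCode; the value is illustrative), still an indicator
    {"createdDateTime": "2025-12-18T11:05:47Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50058}},
]


def flag_device_code_signins(records):
    """Return one finding per device-code sign-in, ranked against the user's own history.

    Baseline = IPs from which the user completed a non-device-code sign-in.
    A token minted through device code from an IP outside that baseline is the
    phishing shape: the victim entered the code on Microsoft's device-login
    page while the attacker's client, elsewhere, received the tokens.
    """
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if r["status"]["errorCode"] != 0:
            severity = "attempt"          # code entered but no token issued
        elif ip in known_ips[user]:
            severity = "medium"           # plausible admin/device use; confirm with the user
        else:
            severity = "high"             # tokens issued to a client at an unfamiliar IP
        findings.append({"time": r["createdDateTime"], "user": user, "ip": ip,
                         "app": r["appDisplayName"], "severity": severity})
    return findings


def block_device_code_policy():
    """Conditional Access policy body that blocks the device code flow tenant-wide.

    Schema assumption: POST /identity/conditionalAccess/policies with the
    authenticationFlows condition. Exclude break-glass accounts and any
    headless devices that genuinely need the flow before enforcing.
    """
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabledForReportingButNotEnforced",   # report-only first, then "enabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in flag_device_code_signins(SIGNINS):
        print(f"{f['severity']:<8} {f['user']:<20} {f['ip']:<15} {f['app']}")
```

A "high" finding is the one to act on immediately: revoke the user’s refresh tokens and review mailbox rules and OAuth consents, since the attacker holds tokens that will survive a password reset until they are revoked. Run the Conditional Access policy in report-only mode first; the "medium" findings show you which legitimate device-code users you would otherwise break.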

France Arrests Crew Member Over Malware on Italian Ferry

🚨 French authorities arrested a Latvian crew member after discovery of a remote access tool aboard the Italian passenger ferry Fantastic, owned by Grandi Navi Veloci. A Bulgarian crewmember was released without charge. The malware was detected and neutralized by GNV while the ship was docked in Sète, and France's DGSI seized items for forensic analysis. Investigators are treating the case as suspected foreign interference and continue cooperation with Italian authorities.

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.

Unsecured MongoDB Exposes 4.3 Billion Records Online

🔒 Cybernews reports that researchers found an unsecured 16 TB MongoDB instance exposing roughly 4.3 billion personal and professional records. The dataset included names, emails, phone numbers, LinkedIn profile details, employment history, education, social accounts and profile images, data consistent with large-scale LinkedIn scraping. The instance was discovered on 25 November 2025 and its operator secured it two days later, but who owns it and how long it had been exposed remain unknown.

North Korea Steals Over $2bn in Crypto During 2025

🚨 Chainalysis reports North Korea's crypto thefts surged in 2025, exceeding $2bn and pushing the regime's cumulative haul to over $6.7bn. The firm says DPRK actors accounted for 60% of funds stolen this year, with the Bybit breach alone yielding an unprecedented $1.5bn; attackers are increasingly embedding IT workers inside exchanges and custodians to gain privileged access. They favor Chinese-language services, cross-chain bridges and mixers for laundering. Thefts from personal wallets roughly tripled in number of incidents while falling in average value, totalling $713m.

Obfuscated BeaverTail Variant Linked to Lazarus Operations

🛡️ Darktrace links a newly observed, heavily obfuscated BeaverTail JavaScript variant to DPRK-associated Lazarus clusters, targeting cryptocurrency traders, developers and retail staff. The cross-platform loader and stealer harvests host details and retrieves follow-on payloads, with recent samples using layered Base64 and XOR encoding. Delivery has expanded via trojanized npm packages, fake interview platforms and command-injection lures.

German Greens Warn of Russian Election Cyber Influence

🛡️ The Greens say recent findings of Russian influence operations during the federal election confirm that existing protections for parliamentary democracy are inadequate. Although Germany's NIS-2 implementation law took effect on December 6, 2025, it covers the federal administration and the Bundestag administration but not the Bundestag as an institution or MPs' constituency offices. The federal government attributes an August 2024 cyberattack on air traffic control to the GRU-linked group Fancy Bear and says the campaign "Storm 1516" targeted the election with disinformation; the Russian ambassador was summoned.

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.

Raspberry Pi on Ferry Prompts CISO Wake-Up on Security

🔒 In mid-December, a Raspberry Pi paired with a cellular modem was found attached to a ferry owned by the Mediterranean Shipping Company, apparently intended to give remote access to the vessel’s internal network. Robust segmentation and disabled remote access to critical control systems prevented lateral movement and a potential sabotage scenario. Analysts warn many organizations remain vulnerable because physical security and port-level controls are often overlooked, and they recommend stronger NAC, 802.1X enforcement, port locks, and continuous external infrastructure monitoring.

DPRK Hackers Responsible for $2.02B Crypto Theft in 2025

💰 Threat actors linked to North Korea stole at least $2.02 billion in cryptocurrency during 2025, a 51% increase year‑over‑year that made DPRK actors the leading source of global crypto theft. Chainalysis attributes much of the total to a February compromise of Bybit, estimated at $1.5 billion and linked to the cluster TraderTraitor. The report details systematic laundering across DeFi, mixers, bridges and OTC services, and an expanded use of IT infiltration schemes such as Wagemole to gain privileged access and facilitate high‑impact thefts.

Ink Dragon exploits IIS to build stealthy relays worldwide

🔍 Check Point reports a Chinese-linked group known as Ink Dragon is exploiting misconfigured IIS servers to assemble a stealthy global relay network. Attackers compromise web-facing IIS instances, harvest local credentials, move laterally via RDP, and install a custom IIS module that forwards commands and data between victims to hide C2 origins. Targets include government networks in Southeast Asia, South America and Europe; communications are concealed inside ordinary mailbox drafts. Mitigations include auditing IIS modules against a known baseline, enabling advanced IIS logging, hardening view state settings, and deploying a web application firewall (WAF).
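The first mitigation listed above, auditing IIS modules against a known baseline, is cheap to do from `applicationHost.config`: native modules are registered under `<globalModules>` with an `image=` DLL path, managed modules under `<modules>` with a `type=` pointing at a .NET assembly, and a malicious module has to appear in one of those two places. As an added example, not Check Point’s tooling, the Python below parses that file and reports every module that is either absent from the baseline or loaded from outside Microsoft’s own directories and assemblies. The XML is a constructed, trimmed `applicationHost.config` and the baseline lists only the modules in that sample; a real baseline must be exported from a clean install of the same IIS version and .NET build.

```python
"""Audit IIS modules in applicationHost.config against a known-good baseline.

Added example, not Check Point's tooling. The XML is a constructed, trimmed
applicationHost.config and the baseline lists only the handful of modules in
that sample; build a real baseline from a clean install of the same IIS
version and .NET build, then run this against
%windir%\\System32\\inetsrv\\config\\applicationHost.config.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="HttpCacheHelper" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
      <add name="RequestTracker" type="Inetpub.Tracker.RequestModule, Tracker" />
    </modules>
  </system.webServer>
</configuration>
"""

# Native modules ship as DLLs under inetsrv or the .NET framework directories;
# managed modules are types in Microsoft assemblies. Anything else gets reported.
BASELINE_NATIVE = {"HttpLoggingModule", "StaticFileModule", "ManagedEngineV4.0_64bit"}
BASELINE_MANAGED = {"OutputCache"}
TRUSTED_IMAGE_PREFIXES = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")
TRUSTED_TYPE_PREFIXES = ("System.", "Microsoft.")


def audit_modules(config_xml):
    """Return [(kind, module_name, reason)] for every module that deviates from baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):            # native (unmanaged) modules
        for add in section.findall("add"):
            name, image = add.get("name"), add.get("image", "")
            if name not in BASELINE_NATIVE:
                findings.append(("native", name, "not in baseline"))
            if not image.lower().startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(("native", name, f"image outside trusted directories: {image}"))
    for section in root.iter("modules"):                  # managed modules carry a type=
        for add in section.findall("add"):
            name, typ = add.get("name"), add.get("type")
            if typ is None:
                continue                                  # reference to a native module, checked above
            if name not in BASELINE_MANAGED:
                findings.append(("managed", name, "not in baseline"))
            if not typ.startswith(TRUSTED_TYPE_PREFIXES):
                findings.append(("managed", name, f"type outside Microsoft assemblies: {typ}"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in audit_modules(SAMPLE_CONFIG):
        print(f"[{kind}] {name}: {reason}")
```

Name and path checks catch the lazy case; an attacker can also drop a DLL into `inetsrv` or overwrite a baseline module, so pair this with a hash or Authenticode check of every `image=` file and of the managed assemblies in the GAC and site `bin` folders. Treat any module that is not in the baseline as a forensic artifact rather than something to simply delete, since the relay described above lives in exactly such a module.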