
All news with #insider threat tag

120 articles · page 2 of 6

Kraken Faces Extortion After Insider Access to Support Data

🔒 Kraken says a criminal group is attempting to extort the exchange by threatening to release videos that show internal support systems containing client data. The company says the incident resulted from an insider threat, with two instances of improper access by support employees and exposure limited to client support data. About 2,000 accounts (0.02% of users) were affected; Kraken says funds were never at risk. The exchange will not pay or negotiate and is working with federal law enforcement.

Mailbox Rule Abuse in Microsoft 365: A Rising Threat

🔒 Security researchers report a rise in attackers abusing mailbox rules inside Microsoft 365 accounts to maintain post-compromise access, exfiltrate data and manipulate communications. The Proofpoint analysis found that roughly 10% of breached accounts in Q4 2025 had malicious rules created within seconds of takeover. Rules are often given minimal or nonsensical names and configured to delete messages or move them to low-visibility folders to evade detection. Defensive steps include disabling external auto-forwarding, enforcing MFA, monitoring OAuth and promptly removing malicious rules and revoking sessions.

Drift $280M Crypto Heist Tied to Six-Month In-Person Plot

🔒 Drift Protocol says a coordinated, six-month operation led to a $280M+ theft after attackers built "a functioning operational presence" inside the platform and engaged contributors in person and via Telegram. The attackers reportedly hijacked Security Council administrative powers and drained assets in about 12 minutes. Drift suspects two contributors were compromised via a malicious code repository (possible VSCode/Cursor exploit) and a fake TestFlight wallet app. Blockchain firms attribute the campaign to UNC4736, linked to North Korea.

Core infrastructure engineer pleads guilty in insider attack

🔒 A core infrastructure engineer, Daniel Rhyne, pleaded guilty on April 1 after launching an insider extortion attack that used routine admin tools and techniques to disable systems and accounts. He initiated unauthorized RDP sessions, deleted administrator accounts, changed passwords, and scheduled tasks on the domain controller, then claimed to have erased backups while demanding roughly $750,000 in bitcoin. Security experts say the methods were alarmingly predictable and could have been prevented by immutable backups, strict least privilege controls, and behavioral alerts for high‑risk tools.

Engineer Pleads Guilty to Extortion, Locks Windows Servers

🔒 A former core infrastructure engineer pleaded guilty after remotely accessing his employer's network and scheduling tasks that deleted domain administrator accounts and changed hundreds of passwords. Prosecutors say Daniel Rhyne targeted an industrial company in Somerset County, New Jersey, altering passwords to TheFr0zenCrew! and scheduling shutdowns that affected 254 servers and 3,284 workstations. He emailed coworkers demanding 20 BTC (roughly $750,000) and threatened to shut down 40 servers daily; investigators found web searches and a hidden VM used to plan the extortion. Rhyne was arrested in August and faces charges carrying up to 15 years in prison.

Adversaries Exploit Vacant Homes to Intercept Mail

📬 Flare analysts examined a step‑by‑step fraud tutorial showing how attackers identify and abuse vacant residential properties to intercept mail for identity theft and financial fraud. The guide recommends using real‑estate sites (Zillow, Rightmove, Zoopla) to find “drop” addresses, enrolling in services such as Informed Delivery, and filing change‑of‑address or forwarding requests with forged or purchased identities. By combining digital discovery with physical mail forwarding, actors gain persistent access to verification letters, credit cards, and financial correspondence.

Smashing Security #461: Lost $400M Bitcoin, Ajax Breach

🎣 In episode 461 of Smashing Security, host Graham Cluley and guest Danny Palmer discuss a remarkable Bitcoin mystery: an Irishman who converted drug proceeds into BTC in 2011 now allegedly controls $400 million, but the access codes were hidden in a fishing-rod case that disappeared — until one frozen wallet unexpectedly moved $35 million. The episode also covers a major data breach at Ajax Football Club that may have exposed the personal details of around 300,000 supporters, enabling ticket theft and manipulation of stadium ban lists. Additional topics include an Iran-linked compromise of the FBI director’s personal email, reliability differences between Windows and macOS, and a UK court case in which CCTV footage was used in a crypto theft claim.

Smashing Security Podcast 460: Extortion and Trespass

🔒 In episode 460 of the Smashing Security podcast, Graham Cluley and guest Jenny Radcliffe examine a string of notable security stories, including an alleged insider who stole a company payroll database and demanded $2.5 million in Bitcoin while signing extortion messages as 'Loot'. They also cover an incident in which two people were charged after attempting to approach the gates of the UK's Faslane nuclear submarine base. The show mixes incident analysis with cultural items — a spotlight on the Muslim punk group LadyParts and a recommendation of Lee McIntyre's On Disinformation — drawing practical lessons for security professionals and the public.

Crunchyroll Investigates Breach Affecting 6.8M Users

🔒 Crunchyroll is investigating claims that attackers stole personal data for roughly 6.8 million users after compromising a support agent's Okta SSO credentials. The actor says they accessed multiple applications — including Zendesk, Slack and Google Workspace — and downloaded about 8 million support tickets containing names, emails, IPs, locations and ticket contents. Payment details were reportedly present only when customers had shared them in tickets. The attacker demanded $5 million in extortion but, according to the actor, received no response.

Behavioral XDR, Threat Intel Nab North Korean Fake Hire

🔎 Behavioral analytics and threat intelligence combined to identify a suspected North Korea-linked fake IT worker within 10 days of hire. LevelBlue SpiderLabs and Cybereason XDR flagged geolocation anomalies, unmanaged device access, and use of Astrill VPN, triggering a high-severity alert and timely account revocation. Organizations should enforce Entra ID Conditional Access, manage endpoints, and maintain software baselines to detect such insider threats.

Insider Threats Surge as AI and Remote Work Expand Risk

🚨 Insider threats are rising again: the Mimecast State of Human Risk Report found 42% of organizations saw increases in both malicious and negligent insider incidents, with an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident. Two-thirds of surveyed IT leaders expect insider-related data loss to grow over the next 12 months. Experts warn the insider perimeter now includes contractors, fraudulent hires, and AI agents, and they recommend adaptive, behavior-driven controls, coordinated legal/HR response plans, and extending protections to nonhuman identities to reduce risk.

Data Analyst Guilty of $2.5M Extortion Against Brightly

🔒 A North Carolina contractor, 27-year-old Cameron Curry (aka "Loot"), was convicted for extorting his employer, Brightly Software, after stealing payroll and corporate data during a six-month contract that ran through December 2023. Curry sent more than 60 threatening emails from lootsoftware@outlook.com demanding $2.5 million and attached screenshots of employee PII. Brightly paid $7,540 in Bitcoin, the FBI seized devices following a January 24, 2024 search, and Curry now faces up to 12 years in prison.

CISA Urges Firms to Harden Microsoft Intune Controls

🔒 CISA urged U.S. organizations to strengthen Microsoft Intune administrative controls after a cyberattack exploited Intune to wipe devices at medical technology firm Stryker. Attackers allegedly created a new Global Administrator account, exfiltrated data, then used Intune’s built‑in wipe to erase nearly 80,000 devices. CISA recommended least‑privilege RBAC, enforced MFA via Microsoft Entra, privileged‑access hygiene, and multi‑admin approval for sensitive actions to reduce similar risks.

OFAC Sanctions DPRK IT Worker Network Funding WMDs

🚨 The U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned six individuals and two entities tied to a DPRK-run IT worker scheme that secured remote jobs, stole data, and funneled salaries back to North Korea to finance weapons programs. The operation—tracked as Coral Sleet/Jasper Sleet (also called PurpleDelta/Wagemole)—used stolen identities, fabricated personas, VPN services, and AI-enabled tools to conceal origins, launder funds, and deploy malware or extort victims. OFAC named Amnokgang Technology Development Company and several facilitators, currency converters, and account enablers; security firms and Microsoft warn the campaign leverages Astrill VPN, AI faceswaps, agentic LLM misuse, and offshore operations to maintain persistent, low-cost access.

AI Assistants Shift Organizational Security Priorities

🤖 AI-based assistants such as OpenClaw are rapidly reshaping organizational security, blurring boundaries between data and code and between trusted co-workers and insider threats. Incidents and research show agents taking autonomous actions and misconfigured admin interfaces exposing credentials, conversations, and integrations. Demonstrated supply-chain and prompt injection attacks can install rogue agents and manipulate agent perception. Organizations should isolate agents, enforce strict network controls, vet third-party skills, and address AI fragility as a core security concern.

Smashing Security Podcast #457: Insider Leak and AI Risks

🕵️ In episode 457 of the Smashing Security podcast, Graham Cluley and guest Carl Miller unpack a startling insider-abuse case where a defence contractor's leak of zero-day exploits apparently led to an internal investigation run by the leaker, who then framed an innocent colleague. The episode cites reporting and US government actions — including a DOJ sentencing and Treasury sanctions — that trace a network selling stolen government cyber tools to a Russia-linked broker. It also examines emerging concerns that nation states may attempt to manipulate AI by poisoning training data and influencing large language models, with broad implications for trust and national security.

2025 Security Awareness Report: Training Works, Gaps Remain

🔒 AI-driven threats have increased employee awareness, but readiness remains uneven: only about 40% of leaders say staff are prepared to identify, avoid, and report AI-based threats. The 2025 report, based on responses from 1,850 senior IT and security leaders, shows training reduces incidents—67% of organizations report moderate or significant reductions—and measurement is shifting toward behavior-focused programs. However, low completion rates, rising insider risk, and outdated content limit impact; practical fixes include microlearning, role-based content, and clearer accountability backed by leadership.

Alabama man pleads guilty to hacking, extorting women

🚨 A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to federal extortion, cyberstalking, and computer fraud charges after hijacking social media accounts belonging to hundreds of young women, including minors. Between April 2022 and May 2025 Mosley impersonated friends and used social engineering to obtain account recovery codes and passwords, then threatened to publish private nude images unless victims paid, sent more explicit content, or surrendered access to other accounts. Sentencing is scheduled for May 27.

ManoMano data breach affects 38 million customers globally

🛠️ ManoMano has notified customers that a security incident tied to a third‑party customer service subcontractor resulted in the unauthorized extraction of personal data for approximately 38 million individuals. Exposed information reportedly varies by interaction and may include full name, email address, phone number, and customer service communications; no account passwords were accessed. Identified in January 2026, ManoMano says it revoked the subcontractor’s access, strengthened controls, informed regulators, and is advising customers to remain vigilant against phishing and social engineering.

Ex-L3Harris Executive Sentenced for Selling Zero-Day Exploits

🔒 A former senior executive at L3Harris cyber-division Trenchant, Australian national Peter Williams, has been sentenced to 87 months in prison after pleading guilty to stealing and selling zero-day exploits to a Russian broker. He admitted taking eight cyber-exploit components over three years, accepting cryptocurrency payments and providing paid follow-on support. Authorities say the theft cost Trenchant/L3Harris about $35m and posed significant national security risks. Williams was ordered to forfeit $1.3m, cryptocurrency, property and luxury items, and to serve three years of supervised release with special conditions.