
Inside the Hidden Market Where Your ChatGPT and Gemini Chats Are Sold for Profit


Millions of users may have unknowingly exposed their most private conversations with AI tools after cybersecurity researchers uncovered a network of browser extensions quietly harvesting and selling chat data. Here’s a reminder many people forget: an AI assistant is not your friend, not a financial expert, and definitely not a doctor or therapist. It’s simply someone else’s computer, running in a data center and consuming energy and water. What you share with it matters.

That warning has taken on new urgency after cybersecurity firm Koi uncovered a group of Google Chrome extensions that were quietly collecting user conversations with AI tools and selling that data to third parties. According to Koi, “Medical questions, financial details, proprietary code, personal dilemmas,” were being captured — “all of it, sold for ‘marketing analytics purposes.’”

This issue goes far beyond just ChatGPT or Google Gemini. Koi says the extensions indiscriminately target multiple AI platforms, including “Claude, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI) and Meta AI.” In other words, using any browser-based AI assistant could expose sensitive conversations if these extensions are installed.

The mechanism is built directly into the extensions. Koi explains that “for each platform, the extension includes a dedicated ‘executor’ script designed to intercept and capture conversations.” This data harvesting is enabled by default through hardcoded settings, with no option for users to turn it off. As Koi warns, “There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.”

Once installed, the extensions monitor browser activity. When a user visits a supported AI platform, the extension injects a specific script — such as chatgpt.js, claude.js, or gemini.js — into the page. The result is total visibility into AI usage. As Koi puts it, this includes “Every prompt you send to the AI. Every response you receive. Conversation identifiers and timestamps. Session metadata. The specific AI platform and model used.”
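As an added example (not Koi's tooling, and not code from any extension named here), the following Python audit walks an unpacked browser extensions directory and flags manifests whose content scripts are declared to run on AI chat hosts, listing the script files, the per-platform "executor" pattern described above; it also reports broad host permissions, since an extension can inject scripts at run time without declaring them. The hostname mapping and the sample manifest are assumptions constructed for the example.

```python
"""Flag browser extensions whose manifest declares scripts on AI chat hosts.
Added example; not Koi's tooling nor code from any extension named in the
article. Hostnames below and the sample manifest are assumptions."""
import json
import os
import tempfile

# AI platforms the article lists, mapped to the hostnames a practitioner would
# check today (the mapping is an assumption, not taken from the article).
AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "www.perplexity.ai": "Perplexity",
    "chat.deepseek.com": "DeepSeek",
    "grok.com": "Grok",
    "www.meta.ai": "Meta AI",
}


def platforms_for_pattern(pattern):
    """Return the AI platforms a Chrome match pattern covers.

    Handles "<all_urls>", a wildcard host ("*://*/*") and "*.example.com"
    subdomain wildcards; anything else must match a listed host exactly."""
    if pattern == "<all_urls>":
        return set(AI_HOSTS.values())
    if "://" not in pattern:
        return set()
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    hits = set()
    for known, name in AI_HOSTS.items():
        if host == "*" or host == known:
            hits.add(name)
        elif host.startswith("*."):
            suffix = host[2:]
            if known == suffix or known.endswith("." + suffix):
                hits.add(name)
    return hits


def audit_manifest(manifest):
    """Return one finding per content script that runs on an AI platform,
    plus any host permission broad enough to allow run-time injection."""
    findings = []
    for script in manifest.get("content_scripts", []):
        platforms = set()
        for pattern in script.get("matches", []):
            platforms |= platforms_for_pattern(pattern)
        if platforms:
            findings.append({"platforms": sorted(platforms),
                             "js": list(script.get("js", []))})
    declared = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    broad = [p for p in declared if platforms_for_pattern(p) == set(AI_HOSTS.values())]
    return {"content_scripts": findings, "broad_host_permissions": broad}


def audit_extension_dir(root):
    """Walk an unpacked extensions directory (e.g. a Chrome profile's
    'Extensions' folder) and report every manifest with a finding."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        result = audit_manifest(manifest)
        if result["content_scripts"] or result["broad_host_permissions"]:
            report[path] = result
    return report


# Constructed sample manifest in the shape the article describes (one dedicated
# script per AI platform). Not any real extension's manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "sample-proxy-extension",
    "permissions": ["storage", "proxy"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["*://chatgpt.com/*", "*://chat.openai.com/*"],
         "js": ["executors/chatgpt.js"]},
        {"matches": ["*://*.google.com/*"], "js": ["executors/gemini.js"]},
        {"matches": ["*://example.com/*"], "js": ["ui/badge.js"]},
    ],
}


def demo_scan():
    """Write the sample manifest into a temporary profile layout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, "placeholder-extension-id", "1.0.0_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_MANIFEST, fh)
        return audit_extension_dir(root)


if __name__ == "__main__":
    for path, result in demo_scan().items():
        print(path)
        for finding in result["content_scripts"]:
            print("  runs on", ", ".join(finding["platforms"]), "->", ", ".join(finding["js"]))
        if result["broad_host_permissions"]:
            print("  broad host permissions:", result["broad_host_permissions"])
```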

Alarmingly, this behavior was not part of the extension’s original design. It was introduced later through updates, while the privacy policy remained vague and misleading. Although the tool is marketed as a privacy-focused product, Koi says it does the opposite. The policy admits: “We share the Web Browsing Data with our affiliated company,” described as a data broker “that creates insights which are commercially used and shared.”

The main extension involved is Urban VPN Proxy, which alone has around six million users. After identifying its behavior, Koi searched for similar code and found it reused across multiple products from the same publisher, spanning both Chrome and Microsoft Edge.

Affected Chrome Web Store extensions include:
  • Urban VPN Proxy – 6,000,000 users
  • 1ClickVPN Proxy – 600,000 users
  • Urban Browser Guard – 40,000 users
  • Urban Ad Blocker – 10,000 users
On Microsoft Edge Add-ons, the list includes:
  • Urban VPN Proxy – 1,323,622 users
  • 1ClickVPN Proxy – 36,459 users
  • Urban Browser Guard – 12,624 users
  • Urban Ad Blocker – 6,476 users
Despite this activity, most of these extensions carry “Featured” badges from Google and Microsoft. These labels suggest that the tools have been reviewed and meet quality standards — a signal many users trust when deciding what to install.

Koi and other experts argue that this highlights a deeper problem with extension privacy disclosures. While Urban VPN does technically mention some of this data collection, it’s easy to miss. During setup, users are told the extension processes “ChatAI communication” along with “pages you visit” and “security signals,” supposedly “to provide these protections.”

Digging deeper, the privacy policy spells it out more clearly: “AI Inputs and Outputs. As part of the Browsing Data, we will collect the prompts and outputs queried by the End-User or generated by the AI chat provider, as applicable.” It also states plainly: “We also disclose the AI prompts for marketing analytics purposes.”

The extensions, Koi warns, “remained live for months while harvesting some of the most personal data users generate online.” The advice is blunt: “if you have any of these extensions installed, uninstall them now. Assume any AI conversations you've had since July 2025 have been captured and shared with third parties.”

Askul Confirms RansomHouse Ransomware Breach Exposed 740,000 Records


Japanese e-commerce giant Askul Corporation has confirmed that a ransomware attack by the RansomHouse group led to the theft of about 740,000 customer records in October 2025. Askul, a major supplier of office supplies and logistics services owned by Yahoo! Japan, suffered a critical failure within its IT systems as a result of the breach, forcing it to halt shipments to customers, including the popular retail chain Muji.

Compromised data includes approximately 590,000 business customer service records, 132,000 individual customer records, 15,000 records of business partners (outsourcers, agents, suppliers), and about 2,700 records of executives and employees across group companies. 

Detailed information about the breach is not being disclosed by Askul to avoid further exploitation. The company is trying to individually contact affected customers and partners. It has reported the incident to Japan's Personal Information Protection Commission and put in place long-term monitoring to mitigate the risk of misuse. 

The RansomHouse group is known to conduct both data exfiltration and encryption operations, and it announced the breach on October 30, followed by two data leaks on November 10 and December 2. An Askul investigation found that the breach occurred due to compromised authentication credentials related to an outsourced partner administrator account that did not have multi-factor authentication (MFA). After accessing the systems, the attackers performed reconnaissance, gathered authentication information, disabled EDR software, and moved laterally between servers to gain privileged access. 

Several types of ransomware were deployed; some were even capable of bypassing the EDR signatures of the time. This resulted in widespread data encryption and systemic outages. Another step the attackers took was to clear the backup files to further impede recovery. Askul severed connectivity to infected networks, isolated affected systems, updated EDR signatures, and implemented MFA for all critical systems. 
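Added example (not from Askul's disclosure or any vendor tool): a small correlation rule over a constructed JSON-lines event feed that flags an account whose activity hits three or more of the stages listed above (non-MFA admin logon, EDR disabled, lateral movement, backup deletion) within a 48-hour window. The field names and the sample events are assumptions.

```python
"""Correlate the intrusion stages described in the Askul write-up over a
JSON-lines event feed. Added example, not from Askul's disclosure or any
vendor product; field names and the sample events are assumptions."""
import json
from datetime import datetime, timedelta

# One predicate per stage, in the order the article reports them. The field
# names (account, event, mfa, role, service, logon_type, ...) are assumed.
STAGES = [
    ("nonmfa_admin_logon",
     lambda e: e["event"] == "logon" and e.get("mfa") is False and e.get("role") == "admin"),
    ("edr_disabled",
     lambda e: e["event"] == "service_stop" and "edr" in e.get("service", "").lower()),
    ("lateral_movement",
     lambda e: e["event"] == "logon" and e.get("logon_type") == "remote"
     and e.get("src_host") != e.get("host")),
    ("backup_deleted",
     lambda e: e["event"] == "backup_delete"),
]


def parse_event(line):
    """Parse one JSON log line; timestamps are ISO 8601 without a zone."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines, window_hours=48, min_stages=3):
    """Return {account: [stage names]} for every account whose events hit at
    least min_stages distinct stages inside a sliding window of window_hours.

    Stages may occur in any order; counting distinct stages keeps a single
    noisy stage (many logons) from raising an alert on its own."""
    by_account = {}
    for line in lines:
        event = parse_event(line)
        by_account.setdefault(event["account"], []).append(event)

    alerts = {}
    for account, events in by_account.items():
        # (timestamp, stage index) for every event/stage match, time-ordered
        hits = sorted((e["ts"], i)
                      for e in events
                      for i, (_, pred) in enumerate(STAGES) if pred(e))
        best = set()
        for k, (start, _) in enumerate(hits):
            in_window = {i for t, i in hits[k:]
                         if t - start <= timedelta(hours=window_hours)}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_stages:
            alerts[account] = [STAGES[i][0] for i in sorted(best)]
    return alerts


# Constructed sample log (dates and hosts invented): one outsourced admin
# account walks the chain the article describes; a regular user produces
# benign look-alike events that must not alert.
SAMPLE_LOG = [
    '{"ts": "2025-01-10T22:03:11", "account": "partner-admin01", "event": "logon", "mfa": false, "role": "admin", "host": "vpn-gw1", "src_host": "external"}',
    '{"ts": "2025-01-10T23:40:02", "account": "partner-admin01", "event": "service_stop", "service": "EDR Agent", "host": "srv-app02"}',
    '{"ts": "2025-01-11T01:12:45", "account": "partner-admin01", "event": "logon", "logon_type": "remote", "mfa": false, "role": "admin", "host": "srv-db01", "src_host": "srv-app02"}',
    '{"ts": "2025-01-11T02:05:00", "account": "partner-admin01", "event": "backup_delete", "host": "srv-bak01"}',
    '{"ts": "2025-01-11T09:00:00", "account": "jdoe", "event": "logon", "mfa": true, "role": "user", "host": "ws-114", "src_host": "ws-114"}',
    '{"ts": "2025-01-11T09:30:00", "account": "jdoe", "event": "service_stop", "service": "Print Spooler", "host": "ws-114"}',
]


if __name__ == "__main__":
    for account, stages in correlate(SAMPLE_LOG).items():
        print(f"ALERT {account}: {' -> '.join(stages)}")
```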

As of mid-December, Askul continues to face disruptions in order shipping and is working to fully restore its systems. The financial impact of the attack has not yet been estimated, and the company has postponed its scheduled earnings report to allow for a thorough assessment.

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

Cybersecurity researchers have revealed an ongoing, highly targeted campaign that seizes control of WhatsApp accounts by abusing WhatsApp's own multi-device architecture, an attack that illustrates the growing complexity of digital identity threats.

Known as GhostPairing, the attack exploits the trust built into WhatsApp's device-pairing system, the feature that lets users send end-to-end encrypted messages from laptops, phones, and browsers through the WhatsApp Web client.

By covertly guiding victims through a legitimate pairing flow, the attackers link an attacker-controlled browser to the target account as a hidden companion device, without alerting the user or triggering any device notification.

WhatsApp's end-to-end encryption and frictionless cross-platform synchronization remain among the strongest in the industry, but investigators warn that these very strengths have been turned against the service's security model, giving adversaries persistent access to messages, media, and account controls.

Technically the encryption remains intact, but it is strategically nullified once the authentication layer is compromised: attackers can read and reply to conversations from a session of their own. A feature designed to protect privacy becomes an entry point for silent account takeover.

Analysts describe GhostPairing as a methodical account-takeover strategy that relies on WhatsApp's legitimate device-linking infrastructure rather than on defeating its conventional authentication. Users are socially manipulated into linking an external device under the false impression that they are completing a verification process.

The attack typically begins with messages that appear to come from trusted contacts, often themselves compromised accounts, containing links disguised as photos, documents, or videos. The links lead to fake websites meticulously modeled on popular platforms such as Facebook and WhatsApp, where the victim is asked to enter a phone number as part of a supposed authentication process.

The pages then generate QR codes, framed as steps to verify customer support, comply with KYC regulations, process job applications, update KYC records, register for promotional events, or recover account information. Because the QR codes use the same format as WhatsApp Web's, users who scan them unknowingly link their accounts to the attackers' browser.

Once paired, the connection runs quietly in the background; the account owner receives no explicit login approval request or security alert. WhatsApp's encryption is never broken, but the compromise at the device-pairing layer lets threat actors read private communications from an authenticated session of their own, sidestepping the encryption rather than defeating it.

The attackers can then retrieve historical chat data, track incoming messages in real time, view and send shared media — including images, videos, documents, and voice notes — and send messages while impersonating the legitimate account holder. Compromised accounts are also repurposed as propagation channels for further targets, enlarging the campaign's reach and scale.

The intrusion does not change normal app behavior or cause instability, so victims are frequently unaware of the unauthorized access for prolonged periods, allowing attackers to maintain persistent surveillance undetected.

The campaign was initially traced to users in the Czech Republic, but subsequent analysis showed its reach extends well beyond one country. Researchers found that the threat actors use reusable phishing kits that can be replicated quickly, letting operations scale across countries, languages, and communication patterns.

The attack chain begins with outreach from accounts already in the victim's contact list that have been compromised or impersonated, which lends the message misplaced trust. In many cases the sender claims to have found a photograph and invites the recipient to view it through a link designed to look like a Facebook media preview or viewer.

When the link is opened, users land on a fake, Facebook-branded verification page that requires them to authenticate before viewing the supposed content. According to security analysts, this deliberate mimicry of familiar interfaces is central to lowering suspicion and encouraging victims to complete the verification steps with little hesitation.

A study published by Gen Digital's threat intelligence division indicates that the campaign relies on neither malware deployment nor credential interception; instead it manipulates WhatsApp's legitimate device-pairing system.

WhatsApp legitimately lets users link browsers and desktop applications to synchronize messaging. Attackers bind an unauthorized browser to an account simply by convincing the user to approve the connection. Rather than breaking encryption, they walk through an authentication door that the victim unknowingly opens.

GhostPairing shows that threat actors are moving away from breaking encryption toward undermining the mechanisms that govern access to it. The attack leans on WhatsApp's distinctive feature: frictionless onboarding and the ability to link devices to an account with just a phone number, extending the account to as many devices as the user likes.

WhatsApp's simplicity, often cited as a cornerstone of its global success, means users never enter usernames or passwords. That reinforces convenience but inadvertently widens the surface for malicious use. Its end-to-end encryption architecture, which gives every user a private key, further complicates matters.

The private keys used to encrypt message content are stored only on the user's device, which in theory prevents eavesdropping unless an attacker can physically acquire the device or compromise it remotely with malware.

GhostPairing demonstrates that social engineering can circumvent encryption without decrypting anything: the attacker's device is embedded in a session in which encrypted content is already rendered readable.

Researchers note that the technique is comparatively less scalable on platforms such as Signal, which supports only QR-based approval for pairing devices, a limitation that offers some protection against thematically similar device-linking techniques.

From a defensive standpoint, analysts emphasize that WhatsApp lets users review their linked devices in the account settings section titled Linked Devices, where unauthorized connections can in principle be identified. Attackers who fraudulently link a device can establish silent persistence, but they cannot remove or revoke device access themselves: the primary registered device remains in charge of revocation.

Enabling two-step PIN verification adds a further hurdle, as it prevents attackers from changing an account's primary email address. It does not, however, hinder access to messages once pairing has been completed. The consequences are especially acute for organizations.

Employees commonly communicate over WhatsApp, which often leads to informal group discussions among multiple members, many conducted outside formal documentation and oversight. Security teams are advised to assume these shadow communication clusters exist and treat them as a default risk category rather than as exceptions.

Industry guidelines, including those that have prevailed for the past five years, emphasize continued user awareness: in particular, users should be trained to recognize phishing attempts, unsolicited spam, and plausible-looking verification requests, even when they appear to come from well-known contacts.

Viewed more broadly, the timing of the attack is hard to pin down, but there is no sign of relief. A report published by Meta in April of this year said millions of WhatsApp users had their mobile numbers exposed, and Meta confirmed earlier this year that the Windows desktop application had security vulnerabilities.

In parallel investigations, Signal-based messaging tools used by political figures and senior officials have also been found compromised, confirming that cross-platform messaging ecosystems, whatever their encryption strength, now face identity-layer vulnerabilities that must be addressed with the same urgency traditionally given to network or malware attacks.

The GhostPairing campaign signals a nuanced but significant change in account-access techniques, reflecting a longer-term trend in which attackers reach identities through behavioral influence rather than technical subversion.

Rather than decrypting secure communications or overriding authentication safeguards, threat actors exploit WhatsApp's device linking exactly as it was intended to work, which appears to be more effective.

They engineer moments of cooperation with persuasive, familiar-looking interfaces. By embedding fraudulent prompts in convincingly branded verification flows, attackers secure enduring access to victim accounts with very little technical skill, relying on legitimacy by design instead of compromising the systems.

Security researchers warn that the approach is not bound by region: scalable phishing kits and interface mimicry let it be deployed across multiple countries and languages.

A similar attack can be attempted against any digital service that allows set-up via QR codes or numeric confirmation steps, whether or not it is built on a dedicated platform; such services are inherently exposed to this class of attack, especially when human trust is the primary vulnerability.

Analysts emphasize that the attack's effectiveness stems from combining precise social engineering with permissive multi-device frameworks, letting adversaries enter encrypted environments without breaking the encryption at all, by reaching a session in which every message has already been decrypted for the authenticated user.

Encouragingly, the defensive measures are still relatively straightforward. Regular device hygiene audits, greater user awareness, and modest platform refinements such as clearer pairing alerts and tighter device-verification constraints could significantly reduce the success rate of such deception-driven compromises.

For organizations exposed to undocumented employee group chats that operate outside formal oversight, user education and internal reporting mechanisms are crucial to reducing risk.

Amid the rapid growth of digital interactions, defenders are urged to treat vigilance not as an add-on practice but as a foundational layer of account security. GhostPairing is a reminder that the security of modern communication platforms is no longer defined solely by encryption standards but by the resilience of the systems that govern access to them, which must be maintained at all times.

As messaging ecosystems continue to grow and integrate into everyday interactions — such as sharing personal media or coordinating workplace activities — the balance between convenience and control demands renewed scrutiny.

Users are strongly advised to follow routine digital safety practices: verify unexpected links even when sent by familiar contacts, regularly audit linked devices, and activate two-factor safeguards such as two-step PIN verification.

As organizations grow more aware of threats beyond their perimeter, they should cultivate a culture of internal threat reporting so that unofficial communication groups are acknowledged in risk models rather than ignored.

Security teams are advised to run phishing awareness drills, push for clearer device-pairing alerts at the platform level, and conduct periodic access hygiene reviews of widely used communication channels such as encrypted messengers.

With identity-layer attacks on the rise, researchers stress that informed users remain the best countermeasure against silent account compromise, making awareness not just a reactive habit but a long-term strategic advantage.

NIST and MITRE Launch $20 Million AI Research Centers to Protect U.S. Manufacturing and Critical Infrastructure


The National Institute of Standards and Technology (NIST) has announced a new partnership with The MITRE Corporation to establish two artificial intelligence–focused research centers under a $20 million initiative. The effort will explore advanced AI applications, with a strong emphasis on how emerging technologies could reshape cybersecurity for U.S. critical infrastructure.

According to NIST, one of the new centers will concentrate on advanced manufacturing, while the other — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will directly address the protection of essential services such as water, power, internet and other foundational systems against AI-driven cyber risks. The centers are expected to accelerate the creation and deployment of AI-enabled tools, including agentic AI technologies.

“The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.

These initiatives are part of a broader federal strategy to establish AI research hubs at NIST, some of which were launched prior to the Trump administration. Earlier this year, the White House revamped the AI Safety Institute, renaming it the Center for AI Standards and Innovation, reflecting a wider policy shift toward global competitiveness — particularly with China — rather than a narrow focus on AI safety. Looking ahead, NIST plans to fund another major effort: a five-year, $70 million AI for Resilient Manufacturing Institute designed to strengthen manufacturing and supply chain resilience through AI integration.

Federal officials and industry leaders believe increased government backing for AI research will help drive innovation across U.S. industries. Huergo noted that NIST “expects the AI centers to enable breakthroughs in applied science and advanced technology.”

Acting NIST Director Craig Burkhardt added that the centers will jointly “focus on enhancing the ability of U.S. companies to make high-value products more efficiently, meet market demands domestically and internationally, and catalyze discovery and commercialization of new technologies and devices.”

When asked about MITRE’s role, Brian Abe, managing director of MITRE’s national cybersecurity division, said the organization is committing its full resources to the initiative, with the aim of delivering measurable improvements to U.S. manufacturing and critical infrastructure cybersecurity within three years.

“We will also leverage the full range of MITRE’s lab capabilities such as our Federal AI Sandbox,” said Abe. “More importantly, we will not be doing this alone. These centers will be a true collaboration between NIST and MITRE as well as our industry partners.”

Support for the initiative has been widespread among experts, many of whom emphasize the importance of collaboration between government and private industry in securing AI systems tied to national infrastructure. Over the past decade, sectors such as energy and manufacturing have faced growing threats from ransomware, foreign cyber operations and other digital attacks. The rapid advancement of large language models could further strain already under-resourced IT and security teams.

Randy Dougherty, CIO of Trellix, said the initiative targets some of the most critical risks facing AI adoption today. By prioritizing infrastructure security, he noted, “NIST is tackling the ‘high-stakes’ end of the AI spectrum where accuracy and reliability are non-negotiable.”

Industry voices also stressed that the success of the centers will depend on active participation from the sectors they aim to protect. Gary Barlet, public sector chief technology officer at Illumio, highlighted water and power systems as top priorities, emphasizing the need to secure their IT, operational technology and supply chains.

Barlet cautioned that meaningful progress will require direct involvement from infrastructure operators themselves. Without their engagement, he said, translating research into practical, deployable solutions will be difficult — and accountability will ultimately fall on those managing essential services.

“Too often, these centers are built by technologists for technologists, while the people who actually run our power grids, water systems, and other critical infrastructure are left out of the conversation,” Barlet said.

Google and Apple Deploy Rapid Security Fixes Following Zero-Day Attacks


It has been revealed that a set of advanced zero-day vulnerabilities, utilizing which a highly targeted hacking campaign was targeting private individuals, has been leveraged by Apple as an emergency security patch. Several weeks ago, in an official security advisory, the company said it believed the flaws had been weaponized, and were being used to attack a selective group of specific individuals using iOS versions prior to iOS 26 through an exceptionally sophisticated attack. 

In the list of vulnerabilities, CVE-2025-43529 stands out as a critical vulnerability that can be exploited remotely by WebKit, the open-source browser engine that forms the basis for Safari and supports a variety of core applications like Mail and the App Store, as well as supporting remote code execution. According to cybersecurity platform BleepingComputer, the vulnerability can be triggered whenever a device processes malicious web content, potentially giving attackers access to arbitrary code. 

Upon confirmation that the vulnerability was discovered by a collaborative security review and that the vulnerability was attributed to Google Threat Analysis Group, the vulnerability was deemed to be extremely serious, as WebKit is widely integrated throughout both macOS and iOS ecosystems and is also used as a basis for third-party applications such as Chrome on iOS, underscoring its severity. 

The company has urged all users to update their devices immediately, stating that the patches were created to neutralize active threats that had already circulated in the wild. According to the security advisory, the incident goes beyond the disclosure of a standard vulnerability, as it appears that it was the result of a highly precise and technically advanced exploitation effort directed at a number of individuals prior to the release of patches in this case. 

In an acknowledgement that Apple acknowledged awareness that at least one of these critical vulnerabilities may have already been exploited in an "extremely sophisticated attack" against carefully selected targets, Apple confirmed that two critical flaws affecting iPhones and iPads running iOS versions older than iOS 26 had already been fixed. 

The term zero-day exploit is used in cybersecurity terminology to refer to previously undisclosed software flaws which are actively exploited before the developers have had the opportunity to formulate defenses. It is often the case that the tactics employed by these operations are correlated with those of well-resourced threat actors, such as government-linked groups and commercial surveillance companies. 

Historically, malware frameworks developed by companies like NSO Group and Paragon Solutions have been linked to intrusions involving journalists, political dissenters, and human rights advocates, as well as many other types of malware. In response to both Apple and Google's announcements of emergency updates across their respective ecosystems, the scope of the alert grew dramatically. As a result, millions of iPhone, iPad, Mac, and Google Chrome users, particularly in New Delhi, are being urged to be on the lookout for cyber attacks as the threat grows. 

Google has also confirmed an active exploit of a Chrome vulnerability and has issued a priority patch that users should upgrade immediately, citing the browser's vast global footprint as a significant risk. Apple’s Security Engineering division and Google’s Threat Analysis Group have independently identified the flaw, a group that has been identified for its involvement in state-aligned intrusion campaigns and commercial spyware activity, and this has contributed to further strengthening the conclusion that the attack was carried out by elite surveillance operators, rather than opportunistic cybercriminals. 

It has been suggested by industry experts that even a single unpatched vulnerability in a platform like Chrome could expose millions of devices if it is not fixed immediately, so it's imperative to update as soon as possible, and it's a good reminder that the failure to update could have serious privacy and security implications. There has been an acknowledgement from Apple of the fact that recently patched security flaws could have been used to exploit highly targeted intrusion attempts affecting legacy iOS versions. 

The fixes have also been extended to a number of older iPad models and the iPhone 11, in keeping with Apple's long-standing policy that it doesn't release granular technical information, reiterating that it does not comment on ongoing security investigations in public. These patches were released in conjunction with broader ecosystem updates that covered WebKit as well as Screen Time and several other system-level components, reinforcing the fact that the vulnerabilities are cross-functional in nature. 

Google's and Apple's updates are most closely aligned in terms of technical issues. In fact, both companies have now corrected the CVE-2025-14174 flaw. It was originally addressed in Chrome Stable releases earlier in the month, and has been categorized as a serious memory access problem in ANGLE, a graphics abstraction layer which is also used by WebKit, which gives a better picture of the parallel impact on Apple platforms. 

The flaw was subsequently classified as an out-of-bounds memory access in ANGLE. Google's release notes and the National Vulnerability Database both record that an exploit for it had already been detected in the wild.

Apple's own advisory describes the same CVE as a memory corruption condition in WebKit that can be triggered by maliciously crafted web content. Combined with Apple's statement that the flaw may have been used in highly targeted attacks, this points to precise targeting rather than indiscriminate exploitation.

Security researchers noted that the near-simultaneous disclosures illustrate a growing risk created by shared open-source dependencies across major consumer platforms, and that both companies responded with emergency updates within days of each other. Threat-intelligence firm SoCRadar highlighted the strategic significance of the flaw: because the vulnerable code is present in both Chrome and WebKit environments, a single bug becomes a clear case of indirect cross-vendor exposure.

Security analysts and enterprise security teams have recommended remediating the issue quickly: until the patch is deployed, devices remain exposed to memory corruption in the browser's graphics path, which can manifest as browser instability or, in a successful attack, covert code execution.

In light of the advisory, organizations were advised to prioritize updates for devices used by high-risk individuals, enforce update compliance through their endpoint management tooling, monitor for abnormal browser crashes or process anomalies, and limit access to unverified web content, reflecting the seriousness of a vulnerability already known to be under active exploitation.
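One way to act on the "monitor abnormal browser crashes" advice above, as an added example that is not part of the original article or of any vendor's tooling: the script below runs a sliding-window detector over a few constructed telemetry lines (the key=value line format, host names and crash codes are assumptions made for this example, not a real product's schema) and flags hosts whose GPU, renderer or WebContent subprocesses crash repeatedly within a short period, since those are the processes in which a memory bug in ANGLE or WebKit would first surface.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical key=value endpoint-agent
# format (an assumption for this example, not any real product's schema).
SAMPLE_LOG = """\
2025-12-11T09:00:05Z host=ws-017 event=process_start process=chrome.exe
2025-12-11T09:02:10Z host=ws-017 event=process_crash process=chrome.exe subprocess=gpu-process code=0xC0000005
2025-12-11T09:03:44Z host=ws-017 event=process_crash process=chrome.exe subprocess=renderer code=0xC0000005
2025-12-11T09:05:01Z host=ws-017 event=process_crash process=chrome.exe subprocess=gpu-process code=0xC0000005
2025-12-11T09:30:00Z host=ws-042 event=process_crash process=chrome.exe subprocess=renderer code=0xC0000409
2025-12-11T11:30:00Z host=ws-042 event=process_crash process=chrome.exe subprocess=renderer code=0xC0000005
2025-12-11T10:01:00Z host=mbp-007 event=process_crash process=Safari subprocess=WebContent code=SIGSEGV
2025-12-11T10:00:00Z host=mbp-007 event=process_crash process=Safari subprocess=WebContent code=SIGSEGV
2025-12-11T10:00:30Z host=mbp-007 event=process_crash process=Safari subprocess=WebContent code=SIGSEGV
2025-12-11T10:02:00Z host=mbp-007 event=process_crash process=Finder subprocess=- code=SIGSEGV
"""

# Subprocesses that render untrusted web content or drive the GPU: a burst of
# crashes here is where a memory bug in ANGLE or WebKit would first show up.
CONTENT_SUBPROCESSES = {"gpu-process", "renderer", "WebContent"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    rec.update(re.findall(r"(\w+)=(\S+)", m["fields"]))
    return rec


def crash_bursts(log_text, threshold=3, window_minutes=10):
    """Return {host: (first_ts, last_ts, count)} for every host whose
    content/GPU subprocesses crashed at least `threshold` times within any
    sliding window of `window_minutes`; the largest burst per host is kept."""
    window = timedelta(minutes=window_minutes)
    crashes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("event") == "process_crash" \
                and rec.get("subprocess") in CONTENT_SUBPROCESSES:
            crashes[rec["host"]].append(rec["ts"])

    bursts = {}
    for host, stamps in crashes.items():
        recent = deque()
        for ts in sorted(stamps):            # agent output is not guaranteed ordered
            recent.append(ts)
            while ts - recent[0] > window:   # drop events older than the window
                recent.popleft()
            if len(recent) >= threshold and \
                    len(recent) > bursts.get(host, (None, None, 0))[2]:
                bursts[host] = (recent[0], ts, len(recent))
    return bursts


if __name__ == "__main__":
    for host, (start, end, n) in crash_bursts(SAMPLE_LOG).items():
        print(f"{host}: {n} content-process crashes between "
              f"{start:%H:%M:%S} and {end:%H:%M:%S}")
```

A crash burst is a weak indicator: graphics driver bugs and misbehaving extensions produce the same pattern, and a reliable exploit may not crash the process at all. Treat an alert as a prompt to confirm that the host's browser build is patched and to pull the crash dumps for triage, not as proof of exploitation.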

Google released the Chrome security update on Wednesday with minimal public commentary, noting only that investigation and remediation were "under coordination." That phrase signals that work with other affected parties was still underway, but it conveys little else to the public.

Several days after releasing its own security advisory, Apple quietly revised its patch documentation, hinting at a technical intersection between the two companies' parallel assessments. Discovery of the vulnerability, officially tracked as CVE-2025-14174, is credited jointly to Apple's security engineering team and Google's Threat Analysis Group (TAG).

TAG is a highly specialized unit whose remit is identifying state-aligned cyber operations and commercial spyware networks rather than run-of-the-mill malware campaigns. Although neither company has published a detailed technical breakdown, that attribution has reinforced the industry consensus that this exploit is closer to spyware-grade surveillance activity than to broad, untargeted cybercrime.

The dual disclosure also adds to a year of mounting zero-day activity at both firms, reflecting sustained adversarial interest in browsers and mobile operating systems as strategic attack surfaces.

So far in 2025 Apple has mitigated nine vulnerabilities with confirmed active exploitation, while Google has resolved eight Chrome zero-days in the same period, an unusually concentrated cadence that security researchers read as the mark of an exceptionally well-resourced and persistent threat ecosystem that continues to treat consumer platforms as valuable infrastructure for precision intrusions and intelligence collection.

The episode highlights a fundamental feature of modern cybersecurity: software ecosystems are increasingly interconnected, and a vulnerability in one widely used component can surface across competing platforms before users realize the problem exists. Emergency patches have curtailed the active exploitation, but the incident is a reminder that zero-day attacks tend to unfold silently and leave very little room for delay in responding.

Security experts have pointed out that timely updates are among the most effective defenses against complex exploit chains, which even advanced monitoring tools struggle to detect in their early stages.

Consumers can significantly reduce their risk by enabling automatic updates, limiting exposure to untrusted web links, and watching for unusual browser behavior. Enterprises should enforce update compliance through centralized device management, strengthen endpoint visibility, and correlate cross-vendor vulnerability disclosures so that indirect exposure through shared dependencies is anticipated rather than discovered after the fact.

Experts also recommend periodic device audits, additional protection for high-risk users, browser isolation, and threat intelligence feeds that can surface anomalies early. Severe as it was, the episode has also prompted closer collaboration among security research teams, demonstrating that coordinated defenses, deployed quickly and strategically, can outpace even elaborate intrusion attempts.
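As an added example of the patch-compliance and cross-vendor correlation advice in the paragraphs above (not code from the article or from either vendor): the script below takes an advisory record, a constructed endpoint inventory, and a map of which products embed the affected component, and reports every endpoint that is unpatched, has no readable version, or embeds the component without any fix version on record. CVE-2025-14174 and ANGLE are taken from the article; the fixed-version strings, host names, the "edge" entry and the component-consumer map are placeholders and assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed advisory record. The CVE and affected component are the ones named
# in the article; the per-branch fixed versions are PLACEHOLDERS (an assumption
# for this example) -- take the real build numbers from the Chrome Releases blog
# and Apple's security updates page before relying on this check.
ADVISORIES = {
    "CVE-2025-14174": {
        "component": "ANGLE",
        # product -> minimum fixed versions, one per release branch, because
        # vendors backport fixes to older branches that are still supported
        "fixed": {
            "chrome": ["143.0.0.0"],
            "safari": ["26.2"],
            "ios": ["26.2", "18.7.3"],
        },
    },
}

# Products that embed a component even when an advisory does not name them
# (assumption for illustration: Chromium-based browsers ship ANGLE, and Safari
# and iOS reach it through WebKit, as the article notes).
COMPONENT_CONSUMERS = {"ANGLE": {"chrome", "edge", "safari", "ios"}}

# Constructed endpoint inventory, shaped like an MDM/EDR export.
INVENTORY = [
    {"host": "ws-017",  "products": {"chrome": "143.0.0.0"}},
    {"host": "ws-042",  "products": {"chrome": "142.0.1.1", "edge": "142.0.1.1"}},
    {"host": "mbp-007", "products": {"safari": "26.1"}},
    {"host": "iph-011", "products": {"ios": "18.7.3"}},
    {"host": "ipd-003", "products": {"ios": "17.7.2"}},
    {"host": "iph-020", "products": {"ios": None}},   # agent could not read the version
]


def parse_version(v):
    """'143.0.7499.192' -> (143, 0, 7499, 192); tolerates prefixes like 'iOS 18.7.3'."""
    nums = tuple(int(n) for n in re.findall(r"\d+", v))
    if not nums:
        raise ValueError(f"unparseable version string: {v!r}")
    return nums


def compare_versions(a, b):
    """Compare two version tuples, padding the shorter with zeros ('26.2' == '26.2.0')."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_patched(installed, floors):
    """Branch-aware check: patched if the installed build is at or above the
    fixed version for its own major branch. With no floor on that branch, a
    newer major is assumed to carry the fix and an older one is treated as
    unpatched (most likely a branch that no longer receives updates)."""
    inst = parse_version(installed)
    floor_versions = [parse_version(f) for f in floors]
    same_branch = [f for f in floor_versions if f[0] == inst[0]]
    if same_branch:
        return any(compare_versions(inst, f) >= 0 for f in same_branch)
    return inst[0] > max(f[0] for f in floor_versions)


def assess(inventory, advisories=ADVISORIES, consumers=COMPONENT_CONSUMERS):
    """Return {host: [(cve, product, status), ...]} with status one of
    'unpatched', 'unknown-version' or 'indirect-no-fix-on-record'."""
    findings = defaultdict(list)
    for cve, adv in advisories.items():
        exposed = set(adv["fixed"]) | consumers.get(adv["component"], set())
        for endpoint in inventory:
            for product, version in endpoint["products"].items():
                if product not in exposed:
                    continue
                floors = adv["fixed"].get(product)
                if floors is None:
                    # embeds the vulnerable component, but no fix version is tracked
                    status = "indirect-no-fix-on-record"
                elif version is None:
                    status = "unknown-version"
                elif not is_patched(version, floors):
                    status = "unpatched"
                else:
                    continue
                findings[endpoint["host"]].append((cve, product, status))
    return dict(findings)


if __name__ == "__main__":
    for host, items in assess(INVENTORY).items():
        for cve, product, status in items:
            print(f"{host:8} {product:7} {status} ({cve})")
```

The branch-aware comparison matters for Apple platforms in particular: the article notes that fixes were extended to older iPad models and the iPhone 11, so a naive "installed is at least the newest release" check would misreport a backported build as vulnerable, while a device stuck on a branch that receives no backport is still unpatched and should be flagged.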

Telegram-Based Crypto Scam Networks Are Now Larger Than Any Dark Web Market in History

For years, illegal online marketplaces were closely linked to the dark web. These platforms relied on privacy-focused browsers and early cryptocurrencies to sell drugs, weapons, stolen data, and hacking tools while remaining hidden from authorities. At the time, their technical complexity made them difficult to track and dismantle.

That model has now changed drastically. In 2025, some of the largest illegal crypto markets in history are operating openly on Telegram, a mainstream messaging application. According to blockchain intelligence researchers, these platforms no longer depend on sophisticated anonymity tools. Instead, they rely on encrypted chats, repeated channel relaunches after bans, and communication primarily in Chinese.

Analysis shows that Chinese-language scam-focused marketplaces on Telegram have reached an unprecedented scale. While enforcement actions earlier this year temporarily disrupted a few major platforms, activity quickly recovered through successor markets. Two of the largest currently active groups are collectively processing close to two billion dollars in cryptocurrency transactions every month.

These marketplaces function as service hubs for organized scam networks. They provide money-laundering services, sell stolen personal and financial data, host fake investment websites, and offer digital tools designed to assist fraud, including automated impersonation technologies. Researchers have also flagged listings that suggest serious human exploitation, adding to concerns about the broader harm linked to these platforms.

Their rapid growth is closely connected to large-scale crypto investment and romance scams. In these schemes, victims are gradually manipulated into transferring increasing amounts of money to fraudulent platforms. Law enforcement estimates indicate that such scams generate billions of dollars annually, making them the most financially damaging form of cybercrime. Many of these operations are reportedly run from facilities in parts of Southeast Asia where trafficked individuals are forced to carry out fraud under coercive conditions.

Compared with earlier dark web marketplaces, the difference in scale is striking. Previous platforms processed a few billion dollars over several years. By contrast, one major Telegram-based marketplace alone handled tens of billions of dollars in transactions between 2021 and 2025, making it the largest illicit online market ever documented.

Telegram has taken limited enforcement action, removing some large channels following regulatory scrutiny. However, replacement markets have repeatedly emerged, often absorbing users and transaction volumes from banned groups. Public statements from the platform indicate resistance to broad bans, citing privacy concerns and financial freedom for users.

Cryptocurrency infrastructure also plays a critical role in sustaining these markets. Most transactions rely on stablecoins, which allow fast transfers without exposure to price volatility. Analysts note that Tether is the primary stablecoin used across these platforms. Unlike decentralized cryptocurrencies, Tether is issued by a centralized company with the technical ability to freeze funds linked to criminal activity. Despite this capability, researchers observe that large volumes of illicit transactions continue to flow through these markets with limited disruption. Requests for comment sent to Tether regarding its role in these transactions did not receive a response at the time of publication.

Cybercrime experts warn that weak enforcement, fragmented regulation, and inconsistent platform accountability have created conditions where large-scale fraud operates openly. Without coordinated intervention, these markets are expected to continue expanding, increasing risks to users and the global digital economy.


