Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Crime. Show all posts
Ransomware
AI Anthropic Cyber Crime Extortion Ransomware

Cybercriminals Weaponize AI for Large-Scale Extortion and Ransomware Attacks

 

AI company Anthropic has uncovered alarming evidence that cybercriminals are weaponizing artificial intelligence tools for sophisticated criminal operations. The company's recent investigation revealed three particularly concerning applications of its Claude AI: large-scale extortion campaigns, fraudulent recruitment schemes linked to North Korea, and AI-generated ransomware development. 

Criminal AI applications emerge 

In what Anthropic describes as an "unprecedented" case, hackers utilized Claude to conduct comprehensive reconnaissance across 17 different organizations, systematically gathering usernames and passwords to infiltrate targeted networks.

The AI tool autonomously executed multiple malicious functions, including determining valuable data for exfiltration, calculating ransom demands based on victims' financial capabilities, and crafting threatening language to coerce compliance from targeted companies. 

The investigation also uncovered North Korean operatives employing Claude to create convincing fake personas capable of passing technical coding evaluations during job interviews with major U.S. technology firms. Once successfully hired, these operatives leveraged the AI to fulfill various technical responsibilities on their behalf, potentially gaining access to sensitive corporate systems and information. 

Additionally, Anthropic discovered that individuals with limited technical expertise were using Claude to develop complete ransomware packages, which were subsequently marketed online to other cybercriminals for prices reaching $1,200 per package. 

Defensive AI measures 

Recognizing AI's potential for both offense and defense, ethical security researchers and companies are racing to develop protective applications. XBOW, a prominent player in AI-driven vulnerability discovery, has demonstrated significant success using artificial intelligence to identify software flaws. The company's integration of OpenAI's GPT-5 model resulted in substantial performance improvements, enabling the discovery of "vastly more exploits" than previous methods.

Earlier this year, XBOW's AI-powered systems topped HackerOne's leaderboard for vulnerability identification, highlighting the technology's potential for legitimate security applications. Multiple organizations focused on offensive and defensive strategies are now exploring AI agents to infiltrate corporate networks for defense and intelligence purposes, assisting IT departments in identifying vulnerabilities before malicious actors can exploit them. 

Emerging cybersecurity arms race 

The simultaneous adoption of AI technologies by both cybersecurity defenders and criminal actors has initiated what experts characterize as a new arms race in digital security. This development represents a fundamental shift where AI systems are pitted against each other in an escalating battle between protection and exploitation. 

The race's outcome remains uncertain, but security experts emphasize the critical importance of equipping legitimate defenders with advanced AI tools before they fall into criminal hands. Success in this endeavor could prove instrumental in thwarting the emerging wave of AI-fueled cyberattacks that are becoming increasingly sophisticated and autonomous. 

This evolution marks a significant milestone in cybersecurity, as artificial intelligence transitions from merely advising on attack strategies to actively executing complex criminal operations independently.
Read more »
Ransomwares
AI Chatbots AI Models AI Techniques Cyber Crime Cyber Extortion Cyber Hackers Data Extortion international cybercrime operation Ransomwares

Hacker Exploits AI Chatbot Claude in Unprecedented Cybercrime Operation

 

A hacker has carried out one of the most advanced AI-driven cybercrime operations ever documented, using Anthropic’s Claude chatbot to identify targets, steal sensitive data, and even draft extortion emails, according to a new report from the company. 

It Anthropic disclosed that the attacker leveraged Claude Code — a version of its AI model designed for generating computer code — to assist in nearly every stage of the operation. The campaign targeted at least 17 organizations across industries including defense, finance, and healthcare, making it the most comprehensive example yet of artificial intelligence being exploited for cyber extortion. 

Cyber extortion typically involves hackers stealing confidential data and demanding payment to prevent its release. AI has already played a role in such crimes, with chatbots being used to write phishing emails. However, Anthropic’s findings mark the first publicly confirmed case in which a mainstream AI model automated nearly the entire lifecycle of a cyberattack. 

The hacker reportedly prompted Claude to scan for vulnerable companies, generate malicious code to infiltrate systems, and extract confidential files. The AI system then organized the stolen data, analyzed which documents carried the highest value, and suggested ransom amounts based on victims’ financial information. It also drafted extortion notes demanding bitcoin payments, which ranged from $75,000 to more than $500,000. 

Jacob Klein, Anthropic’s head of threat intelligence, said the operation was likely conducted by a single actor outside the United States and unfolded over three months. “We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein explained. 

The report revealed that stolen material included Social Security numbers, bank records, medical data, and files tied to sensitive defense projects regulated by the U.S. State Department. Anthropic did not disclose which companies were affected, nor did it confirm whether any ransom payments were made. 

While the company declined to detail exactly how the hacker bypassed safeguards, it emphasized that additional protections have since been introduced. “We expect this model of cybercrime to become more common as AI lowers the barrier to entry for sophisticated operations,” Anthropic warned. 

The case underscores growing concerns about the intersection of AI and cybersecurity. With the AI sector largely self-regulated in the U.S., experts fear similar incidents could accelerate unless stronger oversight and security standards are enforced.
Read more »
Piracy
Cyber Crime Infostealer Pakistani Scammer Piracy

Pakistani Cybercriminals Turn Piracy Against Pirates in $4M Malware Scheme

 

A massive cybercrime operation based in Pakistan has been exposed after running a sophisticated infostealer malware campaign for five years, generating over $4 million by targeting software pirates. 

Operation details

The criminal network, primarily operating from Bahawalpur and Faisalabad, functioned like a multi-level marketing scheme but distributed malicious code instead of legitimate products. According to research, the group used search engine optimisation poisoning and forum posts to advertise pirated software such as Adobe After Effects and Internet Download Manager. 

Victims were redirected to malicious WordPress sites where infostealer malware, including Lumma Stealer, Meta Stealer, and AMOS was hidden within password-protected archives. The operation utilised disposable domains to mask the true source of infections, making detection more difficult. 

Financial infrastructure

The scheme's backbone consisted of two Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia (later rebranded as Installstera). Over 5,200 affiliates operated at least 3,500 sites, earning payments for each successful malware installation or download. Payments were processed primarily through Payoneer and Bitcoin. 

The scale was enormous, with records showing 449 million clicks and more than 1.88 million installations during the documented period. Long-running domains proved most profitable, with a small fraction generating the majority of revenue. 

Downfall and exposure

The operation was accidentally exposed when the attackers themselves became infected by infostealer malware, revealing credentials, communications, and backend access to their own systems. This breach uncovered evidence of family involvement, with recurring surnames and shared accounts throughout the infrastructure. The group evolved their tactics over time, shifting from install-based tracking in 2020 to download-focused metrics in later years, possibly to evade detection or adapt monetisation methods. 

How to stay safe 

  • Avoid cracked or pirated software; rely on official developer sites and reputable distributors to prevent infostealer exposure at the source. 
  • Keep security suites updated and configure firewalls to block outbound C2 communication, reducing post-compromise impact if malware executes. 
  • Enable multi-factor authentication so stolen credentials are insufficient for account takeovers, and monitor accounts for identity-theft signals.
  • Maintain offline or secure cloud backups for recovery, stay alert to suspicious domain activity, and distrust “free” offers for expensive software that often hide hidden risks.
Read more »
Samourai Wallet
Blockchain cryptocurrency Cyber Crime DOJ Money Laundering Samourai Wallet

‘Samourai’ Cryptomixer Founders Admit to Money Laundering Charges

 


Two executives behind a cryptocurrency service called Samourai Wallet have admitted in court that they helped criminals hide more than $200 million.

Keonne Rodriguez, the company’s CEO, and William Lonergan Hill, its chief technology officer, pleaded guilty to conspiracy charges in the United States. Both men admitted they had knowingly operated an unlicensed money-transmitting business that was used to clean illegal funds.

Under the law, Rodriguez and Hill face a maximum prison sentence of five years each, along with financial penalties. They will also have to give up more than $200 million as part of their plea deal.

The U.S. Department of Justice (DOJ) had first arrested the pair in April last year. Prosecutors accused them of two main crimes: running a business without the required license and laundering money, a serious charge that can carry up to 20 years in prison.

Authorities say the two executives built Samourai in 2015 with tools designed to make it harder to track money on the blockchain, which is the public digital record of cryptocurrency transactions.

Samourai’s services worked in two main ways:

• Whirlpool: A mixing feature that bundled together Bitcoin transactions from multiple users. This made it harder to trace where the money originally came from.

• Ricochet: A tool that added extra steps called “hops” between the sending and receiving addresses. This technique was meant to confuse investigators and disguise the money trail.

Prosecutors explained that these tools were heavily used by cybercriminals. They were linked to proceeds from online thefts, drug trafficking, and fraud schemes. According to the DOJ, the scale of activity was massive: between 2017 and 2019, over 80,000 Bitcoin flowed through Samourai’s services. At the time of those transactions, the total value was estimated at more than $2 billion.

While the company portrayed itself as offering privacy, federal investigators say it profited directly from crime. Samourai’s mixing services alone generated more than $6 million in fees for Rodriguez and Hill.

Speaking about the case, U.S. Attorney Nicolas Roos emphasized that when cryptocurrency platforms are abused for crime, it damages public trust and puts pressure on legitimate companies trying to operate within the law.

The case underlines how regulators are cracking down on cryptocurrency “mixers,” services that blend together digital transactions to hide their origins. While privacy is one of cryptocurrency’s appeals, officials warn that these tools often provide cover for large-scale money laundering.

Read more »
Ransomware
BYOVD Attack Cyber Crime Data Stolen EDR Ransomware

New Hacking Tool Lets Ransomware Groups Disable Security Systems

 



Cybersecurity experts have discovered a new malicious tool designed to shut down computer security programs, allowing hackers to attack systems without being detected. The tool, which appears to be an updated version of an older program called EDRKillShifter, is being used by at least eight separate ransomware gangs.

According to researchers at Sophos, the groups using it include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. These criminal gangs use such programs to disable antivirus and Endpoint Detection and Response (EDR) systems software meant to detect and stop cyberattacks. Once these protections are switched off, hackers can install ransomware, steal data, move through the network, and lock down devices.


How the Tool Works

The new tool is heavily disguised to make it difficult for security software to spot. It starts by running a scrambled code that “unlocks” itself while running, then hides inside legitimate applications to avoid suspicion.

Next, it looks for a specific type of computer file called a driver. This driver is usually digitally signed, meaning it appears to be safe software from a trusted company but in this case, the signature is stolen or outdated. If the driver matches a name hidden in the tool’s code, the hackers load it into the computer’s operating system.

This technique is called a “Bring Your Own Vulnerable Driver” (BYOVD) attack. By using a driver with security weaknesses, the hackers gain deep control of the system, including the ability to shut down security tools.

The driver pretends to be a legitimate file, sometimes even mimicking trusted products like the CrowdStrike Falcon Sensor Driver. Once active, it terminates the processes and services of security products from well-known vendors such as Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee, F-Secure, and others.


Shared Development, Not Leaks

Sophos notes that while the tool appears in attacks by many different groups, it is not a case of one stolen copy being passed around. Instead, it seems to be part of a shared development project, with each group using a slightly different version — changing driver names, targeted software, or technical details. All versions use the same “HeartCrypt” method to hide their code, suggesting close cooperation among the groups.


A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware world. In the past, programs like AuKill and AvNeutralizer have been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks.

The discovery of this new tool is a reminder that ransomware operators are constantly improving their methods and working together to overcome defenses. Security experts stress the need for updated protections and awareness to defend against such coordinated threats.

Read more »
Everest Group
Cyber Crime cybersecurity news Data Theft Everest Group

Cybercrime Group Claims Theft of MailChimp Client Data

 

The Russian-speaking cybercrime group Everest says it has stolen a large trove of data from email marketing giant Mailchimp, but the company has denied any evidence of a security incident. Everest announced the alleged breach on its dark web leak site, claiming to possess a 767 MB database with 943,536 rows of information. 

The group said the stolen material includes internal company documents alongside a “wide variety” of customer data. However, cybersecurity analysts examining a sample of the leaked files found the contents less alarming than Everest’s claims suggest. According to reports, the dataset appears to be structured business information rather than highly sensitive internal records. 

The entries include domain names, corporate email addresses, phone numbers, locations, GDPR region tags, social media profiles, and hosting provider details. Many records also list the technology stacks used by the companies such as Shopify, WordPress, Amazon, Google Cloud, and PayPal, hinting that the information may have originated from a marketing or CRM export instead of Mailchimp’s core systems. 

In a statement to media, Mailchimp’s parent company Intuit said: “The security of our products and our customers’ data are among our highest priorities. We are aware of the claims regarding Intuit Mailchimp’s systems. Based on our investigation at this time, we have no evidence to suggest any security incidents or exfiltration of data from our systems.” 

What's about the Everest Group?

Active since late 2020, Everest has historically used a double-extortion model, encrypting victims’ data while threatening to leak it unless a ransom is paid. Past targets have included the Brazilian government and NASA. From late 2022 onward, the group has increasingly operated as an Initial Access Broker (IAB), selling access to compromised networks instead of deploying ransomware directly. 

Recently, it has acted more as a data broker, publishing stolen material from companies such as Coca-Cola, the Saudi Arabian Rezayat Group, and other high-profile organizations. While the true origin and sensitivity of the Mailchimp-linked dataset remain unconfirmed, security experts warn that even non-sensitive business data could be leveraged in phishing or social engineering campaigns.
Read more »
job seekers
apprenticeships Bank Bengaluru Cyber Crime Government Hackers job seekers

Hackers Tamper Govt Portal, Pocket ₹1.4 Lakh in Apprentice Stipends

 



Bengaluru — A government portal designed to support apprenticeships in India has become the latest target of cybercriminals. Hackers reportedly accessed the site and changed the bank details of several registered candidates, redirecting their stipend payments into unauthorized accounts.

The breach took place on the apprenticeshipindia.gov.in website, which is managed by the Ministry of Skill Development and Entrepreneurship. The platform is used by students and job seekers to apply for apprenticeship programs and receive government-backed financial support. Employers also use the site to onboard trainees and apply for partial stipend reimbursements under the National Apprenticeship Promotion Scheme (NAPS).

The issue came to light after a Bengaluru-based training institute, Cadmaxx Solution Education Trust, filed a complaint with the cybercrime police. According to Arun Kumar D, the organization’s CEO and director, the hacking activity spanned several months between January 3 and July 4, during which the attackers managed to manipulate banking information for six enrolled candidates.

Once the fraudulent bank account numbers were entered into the portal, the stipend funds were transferred to accounts held with HDFC Bank, State Bank of India, Axis Bank, and NSDL Payments Bank. The total amount diverted was ₹1,46,073, according to the complaint.

The cybercrime division in West Bengaluru registered an official case on July 26. Police have charged the unidentified perpetrators under multiple sections of the Information Technology Act, including those related to data tampering, unauthorized system access, and identity theft.

A senior officer involved in the case said investigators are working to trace the flow of funds by gathering account details from the banks involved. They are also reviewing server logs and IP addresses to understand how the portal was accessed whether it was through an external cyberattack or due to internal misuse.

Authorities mentioned that, if necessary, the matter will be escalated to CERT-In (Indian Computer Emergency Response Team), which handles major cybersecurity incidents at the national level.

This incident raises serious concerns about the protection of financial and personal data on public service websites, especially those used by students and job seekers. It also highlights the growing trend of hackers targeting official government platforms to exploit funding systems.

Read more »
Neblio Technologies
Bengaluru Firm Business Security Crypto Fraud Cyber Crime Neblio Technologies

Hackers Stole 384 Crore From Bengaluru Cryptocurrency Firm

 

In what is arguably the biggest cyberattack on an Indian cryptocurrency company, Neblio Technologies Private Limited, located in Bengaluru, was allegedly robbed off Rs. 384 crore. The company owns CoinDCX, a cryptocurrency exchange platform.

The company claims that someone hacked Neblio's wallet and transferred $44 million (roughly Rs. 384 crore). An employee named Rahul Agarwal is at the focus of this inquiry since his laptop was hijacked to facilitate the alleged transfer. 

Authorities investigating cybercrime are currently looking into the occurrence. When Hardeep Singh, Vice-President, Public Policy and Government Affairs, Neblio Technologies, learnt that the company's wallet had been compromised, the theft became apparent. Around 2.37 a.m. on July 19, cryptocurrency valued at Rs. 384 crore ($44 billion) was transferred to six separate accounts. 

The company's internal investigation found that Rahul Agarwal's laptop had been compromised. Investigators discovered that Agarwal's personal account had received a transfer of Rs. 15 lakh. Agarwal stated he was working a part-time job when questioned.

In his complaint, Singh said that Agarwal had been expressly told not to use the laptop for any other reason and that it was only to be used for official business. Singh believes Agarwal may have conspired with unidentified individuals to execute the hack, according to police sources.

“As the matter is currently under active investigation by the relevant authorities, we are unable to share further details at this point to ensure the integrity of the process is not compromised. We urge the media and the public to avoid speculation or the circulation of unverified information, as it may impede the ongoing investigation,” a Nebilo spokesperson stated. 

Police are still investigating the cyber robbery, which is among the largest crypto thefts reported in India. This incident illustrates crypto companies' increased vulnerability to high-stakes cyberattacks as use grows.
Read more »
United States
Cyber Crime Extradition Federal Agency Ransomware attack United States

Armenian Man Extradited to US After Targeting Oregon Tech Firm

 

The Justice Department said Wednesday last week that an Armenian national is in federal custody on charges related to their alleged involvement in a wave of Ryuk ransomware attacks in 2019 and 2020. On June 18, Karen Serobovich Vardanyan, 33, was extradited to the United States from Ukraine. 

On June 20, he appeared in federal court and pleaded not guilty to the allegations. The seven-day jury trial Vardanyan is awaiting is set to start on August 26. The prosecution charged Vardanyan with conspiracy, computer-related fraud, and computer-related extortion Each charge carries a maximum penalty of five years in federal prison and a $250,000 fine. 

Vardanyan and his accomplices, who include 45-year-old Levon Georgiyovych Avetisyan of Armenia and two 53-year-old Ukrainians, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, are charged with gaining unauthorised access to computer networks in order to install Ryuk ransomware on hundreds of compromised workstations and servers between March 2019 and September 2020. 

Lyulyava and Prykhodchenko are still at large, while Avetisyan is in France awaiting a request for extradition from the United States. According to authorities, the Ryuk ransomware was widespread in 2019 and 2020, infecting thousands of people worldwide in the private sector, state and local governments, local school districts, and critical infrastructure. 

Among these are a series of assaults on American hospitals and a technology company in Oregon, where Vardanyan is the subject of a trial by federal authorities. Ryuk ransomware attacks have affected Hollywood Presbyterian Medical Centre, Universal Health Services, Electronic Warfare Associates, a North Carolina water company, and several U.S. newspapers. 

Ryuk ransomware operators extorted victim firms by demanding Bitcoin ransom payments in exchange for decryption keys. According to Justice Department officials, Vardanyan and his co-conspirators received approximately 1,160 bitcoins in ransom payments from victim companies, totalling more than $15 million at the time.
Read more »
User Privacy
Cyber Crime Data Leak Fraud Campaign Southeast Asia User Privacy

Asia is a Major Hub For Cybercrime, And AI is Poised to Exacerbate The Problem

 

Southeast Asia has emerged as a global hotspot for cybercrimes, where human trafficking and high-tech fraud collide. Criminal syndicates operate large-scale "pig butchering" operations in nations like Cambodia and Myanmar, which are scam centres manned by trafficked individuals compelled to defraud victims in affluent markets like Singapore and Hong Kong. 

The scale is staggering: one UN estimate puts the global losses from these scams at $37 billion. And things may soon get worse. The spike in cybercrime in the region has already had an impact on politics and policy. Thailand has reported a reduction in Chinese visitors this year, after a Chinese actor was kidnapped and forced to work in a Myanmar-based scam camp; Bangkok is now having to convince tourists that it is safe to visit. Singapore recently enacted an anti-fraud law that authorises law enforcement to freeze the bank accounts of scam victims. 

But why has Asia become associated with cybercrime? Ben Goodman, Okta's general manager for Asia-Pacific, observes that the region has several distinct characteristics that make cybercrime schemes simpler to carry out. For example, the region is a "mobile-first market": popular mobile messaging apps including WhatsApp, Line, and WeChat promote direct communication between the fraudster and the victim. 

AI is also helping scammers navigate Asia's linguistic variety. Goodman observes that machine translations, although a "phenomenal use case for AI," can make it "easier for people to be baited into clicking the wrong links or approving something.” Nation-states are also becoming involved. Goodman also mentions suspicions that North Korea is hiring fake employees at major tech companies to acquire intelligence and bring much-needed funds into the isolated country. 

A new threat: Shadow AI 

Goodman is concerned about a new AI risk in the workplace: "shadow" AI, which involves individuals utilising private accounts to access AI models without firm monitoring. That could be someone preparing a presentation for a company review, going into ChatGPT on their own personal account, and generating an image.

This can result in employees unintentionally submitting private information to a public AI platform, creating "potentially a lot of risk in terms of information leakage. The lines separating your personal and professional identities may likewise be blurred by agentic AI; for instance, something associated with your personal email rather than your business one. 

And this is when it gets tricky for Goodman. Because AI agents have the ability to make decisions on behalf of users, it's critical to distinguish between users acting in their personal and professional capacities. “If your human identity is ever stolen, the blast radius in terms of what can be done quickly to steal money from you or damage your reputation is much greater,” Goodman warned.
Read more »
Russia
Bitcoin Crypto Mining Cyber Crime electricity Russia

Hidden Crypto Mining Operation Found in Truck Tied to Village Power Supply

 


In a surprising discovery, officials in Russia uncovered a secret cryptocurrency mining setup hidden inside a Kamaz truck parked near a village in the Buryatia region. The vehicle wasn’t just a regular truck, it was loaded with 95 mining machines and its own transformer, all connected to a nearby power line powerful enough to supply an entire community.


What Is Crypto Mining, and Why Is It Controversial?

Cryptocurrency mining is the process of creating digital coins and verifying transactions through a network called a blockchain — a digital ledger that can’t be altered. Computers solve complex calculations to keep this system running smoothly. However, this process demands huge amounts of electricity. For example, mining the popular coin Bitcoin consumes more power in a year than some entire countries.


Why Was This Setup a Problem?

While mining can help boost local economies and create tech jobs, it also brings risks, especially when done illegally. In this case, the truck was using electricity intended for homes without permission. The unauthorized connection reportedly caused power issues like low voltage, grid overload, and blackouts for local residents.

The illegal setup was discovered during a routine check by power inspectors in the Pribaikalsky District. Before law enforcement could step in, two people suspected of operating the mining rig escaped in a vehicle.


Not the First Incident

This wasn’t an isolated case. Authorities report that this is the sixth time this year such theft has occurred in Buryatia. Due to frequent power shortages, crypto mining is banned in most parts of the region from November through March. Even when allowed, only approved companies can operate in designated areas.


Wider Energy and Security Impacts

Crypto mining operations run 24/7 and demand a steady flow of electricity. This constant use strains power networks, increases local energy costs, and can cause outages when grids can’t handle the load. Because of this, similar mining restrictions have been put in place in other regions, including Irkutsk and Dagestan.

Beyond electricity theft, crypto mining also has ties to cybercrime. Security researchers have reported that some hacking groups secretly install mining software on infected computers. These programs run quietly, often at night, using stolen power and system resources without the owner’s knowledge. They can also steal passwords and disable antivirus tools to remain undetected.


The Environmental Cost

Mining doesn’t just hurt power grids — it also affects the environment. Many mining operations use electricity from fossil fuels, which contributes to pollution and climate change. Although a study from the University of Cambridge found that over half of Bitcoin mining now uses cleaner sources like wind, nuclear, or hydro power, a significant portion still relies on coal and gas.

Some companies are working to make mining cleaner. For example, projects in Texas and Bhutan are using renewable energy to reduce the environmental impact. But the challenge remains, crypto mining’s hunger for energy has far-reaching consequences.

Read more »
North Korea
AI Artificial Intelligence Cloud Cyber Crime Data Deepfakes Extortion Internet lazarus North Korea

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

North Korean hackers are infiltrating high-profile US-based tech firms through scams. Recently, they have even advanced their tactics, according to the experts. In a recent investigation by Microsoft, the company has requested its peers to enforce stronger pre-employment verification measures and make policies to stop unauthorized IT management tools. 

Further investigation by the US government revealed that these actors were working to steal money for the North Korean government and use the funds to run its government operations and its weapons program.  

US imposes sanctions against North Korea

The US has imposed strict sanctions on North Korea, which restrict US companies from hiring North Korean nationals. It has led to threat actors making fake identities and using all kinds of tricks (such as VPNs) to obscure their real identities and locations. This is being done to avoid getting caught and get easily hired. 

Recently, the threat actors have started using spoof tactics such as voice-changing tools and AI-generated documents to appear credible. In one incident, the scammers somehow used an individual residing in New Jersey, who set up shell companies to fool victims into believing they were paying a legitimate local business. The same individual also helped overseas partners to get recruited. 

DoJ arrests accused

The clever campaign has now come to an end, as the US Department of Justice (DoJ) arrested and charged a US national called Zhenxing “Danny” Wanf with operating a “year-long” scam. The scheme earned over $5 million. The agency also arrested eight more people - six Chinese and two Taiwanese nationals. The arrested individuals are charged with money laundering, identity theft, hacking, sanctions violations, and conspiring to commit wire fraud.

In addition to getting paid in these jobs, which Microsoft says is a hefty payment, these individuals also get access to private organization data. They exploit this access by stealing sensitive information and blackmailing the company.

Lazarus group behind such scams

One of the largest and most infamous hacking gangs worldwide is the North Korean state-sponsored group, Lazarus. According to experts, the gang extorted billions of dollars from the Korean government through similar scams. The entire campaign is popular as “Operation DreamJob”. 

"To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers," said Microsoft.

Read more »
Russia
Cyber Crime ICC Israel Justice Russia

International Criminal Court Hit by Advanced Cyber Attack, No Major Damage

International Criminal Court Hit by Advanced Cyber Attack, No Major Damage

Swift discovery helped the ICC

Last week, the International Criminal Court (ICC) announced that it had discovered a new advanced and targeted cybersecurity incident. Its response mechanism and prompt discovery helped to contain the attack. 

The ICC did not provide details about the attackers’ intentions, any data leaks, or other compromises. According to the statement, the ICC, which is headquartered in The Hague, the Netherlands, is conducting a threat evaluation after the attack and taking measures to address any injuries. Details about the impact were not provided. 

Collective effort against threat actors

The constant support of nations that have ratified the Rome Statute helps the ICC in ensuring its capacity to enforce its mandate and commitment, a responsibility shared by all States Parties. “The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges,” ICC said. 

The ICC was founded in 2002 through the Rome Statute, an international treaty, by a coalition of sovereign states, aimed to create an international court that would prosecute individuals for international crimes– war crimes, genocide, terrorism, and crimes against humanity. The ICC works as a separate body from the U.N. International Court of Justice, the latter brings cases against countries but not individuals.

Similar attack in 2023

In 2023, the ICC reported another cybersecurity incident. The attack was said to be an act of espionage and aimed at undermining the Court’s mandate. The incident had caused it to disconnect its system from the internet. 

In the past, the ICC has said that it had experienced increased security concerns as threats against its various elected officials rose. “The evidence available thus far indicates a targeted and sophisticated attack with the objective of espionage. The attack can therefore be interpreted as a serious attempt to undermine the Court's mandate," ICC said. 

The recent notable arrests issued by the ICC include Russian President Vladimir Putin and Israeli Prime Minister Benjamin Netanyahu.

Read more »
Software
Cyber Crime Hacking. Ransomware Software

Cybercriminals Shift Focus to U.S. Insurance Industry, Experts Warn

 


Cybersecurity researchers are sounding the alarm over a fresh wave of cyberattacks now targeting insurance companies in the United States. This marks a concerning shift in focus by an active hacking group previously known for hitting retail firms in both the United Kingdom and the U.S.

The group, tracked by multiple cybersecurity teams, has been observed using sophisticated social engineering techniques to manipulate employees into giving up access. These tactics have been linked to earlier breaches at major companies and are now being detected in recent attacks on U.S.-based insurers.

According to threat analysts, the attackers tend to work one industry at a time, and all signs now suggest that insurance companies are their latest target. Industry experts stress that this sector must now be especially alert, particularly at points of contact like help desks and customer support centers, where attackers often try to deceive staff into resetting credentials or granting system access.

In just the past week, two U.S. insurance providers have reported cyber incidents. One of them identified unusual activity on its systems and disconnected parts of its network to contain the damage. Another confirmed experiencing disruptions traced back to suspicious network behavior, prompting swift action to protect data and systems. In both cases, full recovery efforts are still ongoing.

The hacking group behind these attacks is known for using clever psychological tricks rather than just technical methods. They often impersonate employees or use aggressive language to pressure staff into making security mistakes. After gaining entry, they may deploy harmful software like ransomware to lock up company data and demand payment.

Experts say that defending against such threats starts with stronger identity controls. This includes limiting access to critical systems, separating user accounts with different levels of privileges, and requiring strict verification before resetting passwords or registering new devices for multi-factor authentication (MFA).

Training staff to spot impersonation attempts is just as important. These attackers may use fake phone calls, messages, or emails that appear urgent or threatening to trick people into reacting without thinking. Awareness and skepticism are key defenses.

Authorities in other countries where similar attacks have taken place have also advised companies to double-check their security setups. Recommendations include enabling MFA wherever possible, keeping a close eye on login attempts—especially from unexpected locations—and reviewing how help desks confirm a caller’s identity before making account changes.

As cybercriminals continue to evolve their methods, experts emphasize that staying informed, alert, and proactive is essential. In industries like insurance, where sensitive personal and financial data is involved, even a single breach can lead to serious consequences for companies and their customers.

Read more »
Web Services
AI integration Artificial Intelligence Cyber Crime CyberCrime CyberThreat Cyersecurity AI Data Data Protectoin Technology Google LLM. Okta Web Services

AI Integration Raises Alarms Over Enterprise Data Safety

 


Today's digital landscape has become increasingly interconnected, and cyber threats have risen in sophistication, which has significantly weakened the effectiveness of traditional security protocols. Cybercriminals have evolved their tactics to exploit emerging vulnerabilities, launch highly targeted attacks, and utilise advanced techniques to breach security perimeters to gain access to and store large amounts of sensitive and mission-critical data, as enterprises continue to generate and store significant volumes of sensitive data.

In light of this rapidly evolving threat environment, organisations are increasingly forced to adopt more adaptive and intelligent security solutions in addition to conventional defences. In the field of cybersecurity, artificial intelligence (AI) has emerged as a significant force, particularly in the area of data protection. 

AI-powered data security frameworks are revolutionising the way threats are detected, analysed, and mitigated in real time, making it a transformative force. This solution enhances visibility across complex IT ecosystems, automates threat detection processes, and supports rapid response capabilities by identifying patterns and anomalies that might go unnoticed by human analysts.

Additionally, artificial intelligence-driven systems allow organisations to develop risk mitigation strategies that are scalable as well as aligned with their business objectives while implementing risk-based mitigation strategies. The integration of artificial intelligence plays a crucial role in maintaining regulatory compliance in an era where data protection laws are becoming increasingly stringent, in addition to threat prevention. 

By continuously monitoring and assessing cybersecurity postures, artificial intelligence is able to assist businesses in upholding industry standards, minimising operations interruptions, and strengthening stakeholder confidence. Modern enterprises need to recognise that AI-enabled data security is no longer a strategic advantage, but rather a fundamental requirement for safeguarding digital assets in a modern enterprise, as the cyber threat landscape continues to evolve. 

Varonis has recently revealed that 99% of organisations have their sensitive data exposed to artificial intelligence systems, a shocking finding that illustrates the importance of data-centric security. There has been a significant increase in the use of artificial intelligence tools in business operations over the past decade. The State of Data Security: Quantifying Artificial Intelligence's Impact on Data Risk presents an in-depth analysis of how misconfigured settings, excessive access rights and neglected security gaps are leaving critical enterprise data vulnerable to AI-driven exploitation. 

An important characteristic of this report is that it relies on extensive empirical analysis rather than opinion surveys. In order to evaluate the risk associated with data across 1,000 organisations, Varonis conducted a comprehensive analysis of data across a variety of cloud computing environments, including the use of over 10 billion cloud assets and over 20 petabytes of sensitive data. 

Among them were platforms such as Amazon Web Services, Google Cloud Services, Microsoft Azure Services, Microsoft 365 Services, Salesforce, Snowflake, Okta, Databricks, Slack, Zoom, and Box, which provided a broad and realistic picture of enterprise data exposure in the age of Artificial Intelligence. The CEO, President, and Co-Founder of Varonis, Yaaki Faitelson, stressed the importance of balancing innovation with risk, noting that, even though AI is undeniable in increasing productivity, it also poses serious security issues. 

Due to the growing pressure on CIOs and CISOs to adopt artificial intelligence technologies at a rapid rate, advanced data security platforms are in increasing demand. It is important to take a proactive, data-oriented approach to cybersecurity to prevent AI from becoming a gateway to large-scale data breaches, says Faitelson. It is important to note that researchers are also exploring two critical dimensions of risk as they relate to large language models (LLMs) as well as AI copilots: human-to-machine interaction and machine-to-machine integrity, which are both critical aspects of risk pertaining to AI-driven data exposure. 

A key focus of the study was on how sensitive data, such as employee compensation details, intellectual property rights, proprietary software, and confidential research and development insights able to be unintentionally accessed, leaked, or misused by using just a single prompt into an artificial intelligence interface if it is not protected. As AI assistants are being increasingly used throughout departments, the risk of inadvertently disclosing critical business information has increased considerably. 

Additionally, two categories of risk should be addressed: the integrity and trustworthiness of the data used to train or enhance artificial intelligence systems. It is common for machine-to-machine vulnerabilities to arise when flawed, biased, or deliberately manipulated datasets are introduced into the learning cycle of machine learning algorithms. 

As a consequence of such corrupted data, it can result in far-reaching and potentially dangerous consequences. For example, inaccurate or falsified clinical information could lead to life-saving medical treatments being developed, while malicious actors may embed harmful code within AI training pipelines, introducing backdoors or vulnerabilities to applications that aren't immediately detected at first. 

The dual-risk framework emphasises the importance of tackling artificial intelligence security holistically, one that takes into account the entire lifecycle of data, from acquisition and input to training and deployment, not just the user-level controls. Considering both human-induced and systemic risks associated with generative AI tools, organisations can implement more resilient safeguards to ensure that their most valuable data assets are protected as much as possible. 

Organisations should reconsider and go beyond conventional governance models to secure sensitive data in the age of AI. In an environment where AI systems require dynamic, expansive access to vast datasets, traditional approaches to data protection -often rooted in static policies and role-based access -are no longer sufficient. 

Towards the future of AI-ready security, a critical balance must be struck between ensuring robust protection against misuse, leakage, and regulatory non-compliance, while simultaneously enabling data access for innovation. Organisations need to adopt a multilayered, forward-thinking security strategy customised for AI ecosystems to meet these challenges. 

It is important to note that some key components of a data-tagging and classification strategy are the identification and categorisation of sensitive information to determine how it should be handled depending on the criticality of the information. As a replacement for role-based access control (RBAC), attribute-based access control (ABAC) should allow for more granular access policies based on the identity of the user, context, and the sensitivity of the data. 

Aside from that, organisations need to design data pipelines that are AI-aware and incorporate proactive security checkpoints into them so as to monitor how their data is used by artificial intelligence tools. Additionally, output validation becomes crucial—it involves implementing mechanisms that ensure outputs generated by artificial intelligence are compliant, accurate, and potentially risky before they are circulated internally or externally. 

The complexity of this landscape has only been compounded by the rise of global regulations and regional regulations that govern data protection and artificial intelligence. In addition to the general data privacy frameworks of GDPR and CCPA, businesses will now need to prepare themselves for emerging AI-specific regulations that will put a stronger emphasis on how AI systems access and process sensitive data. As a result of this regulatory evolution, organisations need to maintain a security posture that is both agile and anticipatable.

Matillion Data Productivity Cloud, for instance, is a solution that embodies this principle of "secure by design". As a hybrid cloud SaaS platform tailored to enterprise environments, Matillion has created a platform that is well-suited to secure enterprise environments. 

With its standardised encryption and authentiyoucation protocols, the platform is easily integrated into enterprise networks through the use of a secure cloud infrastructure. This platform is built around a pushdown architecture that prevents customer data from leaving the organisation's own cloud environment while allowing advanced orchestration of complex data workflows in order to minimise the risk of data exposure.

Rather than focusing on data movement, Matillion's focus is on metadata management and workflow automation, providing organisations with a secure, efficient data operation, allowing them to gain insights faster with a higher level of data integrity and compliance. Organisations must move towards a paradigm shift—where security is woven into the fabric of the data lifecycle—as AI poses a dual pressure on organisations. 

A shift from traditional governance systems to more adaptive, intelligent frameworks will help secure data in the AI era. Because AI systems require broad access to enterprise data, organisations must strike a balance between openness and security. To achieve this, data can be tagged and classified and attributes can be used to manage access precisely, attribute-based access controls should be implemented for precise control of access, and AI-aware data pipelines must be built with security checks, and output validation must be performed to prevent the distribution of risky or non-compliant AI-generated results. 

With the rise of global and AI-specific regulations, companies need to develop compliance strategies that will ensure future success. Matillion Data Productivity Cloud is an example of a platform which offers a secure-by-design solution, as it combines a hybrid SaaS architecture with enterprise-grade security and security controls. 

Through its pushdown processing, the customer's data will stay within the organisation's cloud environment while the workflows are orchestrated safely and efficiently. In this way, organisations can make use of AI confidently without sacrificing data security or compliance with the laws and regulations. As artificial intelligence and enterprise data security rapidly evolve, organisations need to adopt a future-oriented mindset that emphasises agility, responsibility, and innovation. 

It is no longer possible to rely on reactive cybersecurity; instead, businesses must embrace AI-literate governance models, advance threat intelligence capabilities, and secure infrastructures designed with security in mind. Data security must be embedded into all phases of the data lifecycle, from creation and classification to accessing, analysing, and transforming it with AI. Developing a culture of continuous risk evaluation is a must for leadership teams, and IT and data teams must be empowered to collaborate with compliance, legal, and business units proactively. 

In order to maintain trust and accountability, it will be imperative to implement clear policies regarding AI usage, ensure traceability in data workflows, and establish real-time auditability. Further, with the maturation of AI regulations and the increasing demands for compliance across a variety of sectors, forward-looking organisations should begin aligning their operational standards with global best practices rather than waiting for mandatory regulations to be passed. 

A key component of artificial intelligence is data, and the protection of that foundation is a strategic imperative as well as a technical obligation. By putting the emphasis on resilient, ethical, and intelligent data security, today's companies will not only mitigate risk but will also be able to reap the full potential of AI tomorrow.
Read more »
Smart Devices
Badbox Cyber Crime FBI Smart Devices

FBI Warns: Millions of Everyday Smart Devices Secretly Hijacked by Cybercriminals

 



The FBI recently raised concerns about a large-scale cybercrime network that has quietly taken control of millions of smart gadgets used in homes across the United States. This cyber threat, known as BADBOX 2.0, targets everyday devices such as TV streaming boxes, digital projectors, tablets, and even entertainment systems in cars.


What is BADBOX 2.0?

Unlike common malware that slows down or damages devices, BADBOX 2.0 silently turns these gadgets into part of a hidden network called a residential proxy network. This setup allows cybercriminals to use the victim's internet connection to carry out illegal activities, including online advertising fraud and data theft, without the device owner realizing anything is wrong.


Which Devices Are at Risk?

According to the FBI, the types of devices most affected include:

1. TV streaming boxes

2. Digital projectors

3. Aftermarket car infotainment systems

4. Digital photo frames

Many of these products are imported, often sold under unfamiliar or generic brand names. Some specific models involved in these infections belong to device families known as TV98 and X96, which are still available for purchase on popular online shopping platforms.


How Does the Infection Spread?

There are two main ways these devices become part of the BADBOX 2.0 network:

Pre-installed Malware: Some gadgets are already infected before they are even sold. This happens when malicious software is added during the manufacturing or shipping process.

Dangerous App Downloads: When setting up these devices, users are sometimes directed to install apps from unofficial sources. These apps can secretly install harmful software that gives hackers remote access.

This method shows how BADBOX 2.0 has advanced from its earlier version, which focused mainly on malware hidden deep within the device's firmware.


Signs Your Device May Be Infected

Users should watch for warning signs such as:

• The device asks to disable security protections like Google Play Protect.

• The brand is unfamiliar or seems generic.

• The device promises free access to paid content.

• You are prompted to download apps from unknown stores.

• Unusual or unexplained internet activity appears on your home network.


How to Stay Safe

The FBI recommends several steps to protect your home network:

1. Only use trusted app stores, like Google Play or Apple’s App Store.

2. Be cautious with low-cost, no-name devices. Extremely cheap gadgets are often risky.

3. Monitor your network regularly for unfamiliar devices or strange internet traffic.

4. Keep devices updated by installing the latest security patches and software updates.

5. If you believe one of your devices may be compromised, it is best to disconnect it immediately from your network and report the issue to the FBI through their official site at www.ic3.gov.

6. Be Careful with Cheap Deals


As experts warn, extremely low prices can sometimes hide dangerous risks. If something seems unusually cheap, it could come with hidden cyber threats.

Read more »
North Korea
Black Mail Businesses Crypto Cyber Crime Extortion NFTs North Korea

US Seizes $7.7 Million From Crypto Linked to North Korea's IT Worker Scam


The US Department of Justice has filed a civil forfeiture complaint against North Korean IT workers for illegally gaining employment with US businesses, and earning millions for the Korean government, which amounts to violations of sanctions.

The government seized $7.7m in funds in 2023 that involved Sim Hyon Sop- a worker at the North Korean Foreign Trade Bank (FTB) who joined hands with IT workers to launder the money for Pyongyang.

According to the complaint, the North Korean IT workers escaped security via fraud IDs and tactics that hid their real location. The salaries were credited in stablecoins like USDT and USDC.

To launder the money, employees created accounts using fake IDs, transferred funds in small amounts to other blockchains (chain hopping), and/or converted them into other digital currencies (token swapping).

Scammers also bought non-fungible tokens (NFTs) and used US accounts to make their operations look real. Sim worked with Kim Sang Man, the CEO of the “Jinyong IT Cooperation Company,” who served as a middleman between the FTB and the IT workers. 

According to the Justice Department’s National Security Division, North Korea, for years has “exploited global remote IT contracting and cryptocurrency ecosystems to evade US sanctions and bankroll its weapons programs.” 

Department head Sue Bai said, “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

North Korean IT workers have been slithering their way into employment in US firms for many years.  However, the advancement of these operations was exposed in 2024 when security expert KnowBe4 disclosed that even their organization was tricked into hiring an IT specialist from North Korea.

After that, Google has cautioned that US businesses remain a primary target and also warned that the threat actors have nor started focusing their operations at Europan firms.  While few do normal work to get paid, there is also a concern that their organization access allows them to extract important data and use it for extortion.

Read more »
TrickBot
Conti Cyber Crime Dark Web FBI ID Leak Internet Ransomware TrickBot

Mysterious Entity ExposedGang Exposes Cyber Criminals


An anonymous leaker is exposing the identities of the world’s most wanted cybercriminals. 

Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times. 

Recently, The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide”. GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. "I simply enjoy solving the most complex cases,” he said. 

Stern doxxed

One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich, CySecurity reported about this case recently.

After the doxxing of Stern, GangExposed went after another important criminal, AKA professor, who is a 39-year-old Russian called Vladimir Viktorovich Kvitko. He is living in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs. 

About GangExposed

The leaker said it was not an “IT guy,” it just observed patterns that other people missed. 

"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said. 

"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."

Leaked bought info to expose IDs

To expose the IDs of infamous threat actors, GangExposed used information received via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000. 

GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money.  This suggests the leakers may be resentful of former members looking for revenge, while some experts think taking the bounty would make them criminal as well. 

CySecurity had earlier reported on this incident, you can read the full story about the international crackdown on cybercrime gangs here

Read more »
Stolen Credentials
Cyber Crime Data Theft Infostealer Russian Market Stolen Credentials

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed as one of the most popular places for purchasing and selling credentials stolen by info stealer malware. Although the marketplace has been functioning for almost six years and has grown in popularity by 2022, ReliaQuest believes that the Russian market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on the Russian market to chart the growth and decrease in popularity of specific info theft malware. Until recently, Lumma stole the majority of logs, accounting for 92% of all credentials sold on the Russian market. 

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuests reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's elimination. Acreed's rapid rise in the Russian market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz. 

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.
Read more »
Wizard Spider
BlackCat Conti Ransomware Cyber Crime Ryuk Ranomware System BC TrickBot Wizard Spider

Germany Police Have ID'd the Leader of Trickbot Criminal Gang

Cops in Germany have found cybercrime gang leader

The Federal Criminal Police of Journey “BKA” has claimed that Stern, the leader of TrickBot and Conti cybercrime gangs, is Vitaly Nikolaevich Kovalev, a 36-year-old Russian. 

According to BKA, he is suspected of founding the ‘TrickBot’ group, aka ‘Wizard Spider. ' This was part of Operation Endgame, a collaborative global crackdown against malware infrastructure and hackers behind it. The gang used TrickBot and other malware, such as SystemBC, Bazarloader, Ryuk, Diavol, Conti, and IcedID. 

Most wanted in Germany

According to Interpol, Kovalev is wanted in Germany. He is charged with being the mastermind of an unnamed criminal gang.

This is not the first time Kovalev has been charged with participating in a cybercrime organization. In 2023, he was one of seven Russians charged in the US for their connections to the Conti and TrickBot cybercrime gangs. 

At that time, he was only charged as a senior member of the TrickBot gang using the aliases “Bergen,” “Ben,” “Bentley,” and “Alex Konor.”

Leaks led to the identification

The sanctions were announced after massive information leaks from Conti and TrickBot members called ContiLeaks and TrickLeaks.

Contileaks gave access to the gang’s inside conversations and source code, and TrickLeaks even leaked the identities, and personal information of TrickBot members, and online accounts on X (former Twitter).

These chats revealed that Kovalev aka “Stern” was heading the TriickBot operation and Conti and Ryuk ransomware groups. The chats revealed members asking Stern permission before launching attacks or getting lawyers for TrickBot members captured in the U.S. 

The leaks led to a speedy crackdown on Conti, the gang members switching to other operations or forming new criminal groups such as BlackCat, LockBit, Royal, Black Basta, AvosLocker, Zeon, and DagonLocker. 

BKA’s investigation revealed that the “TrickBot group consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit-oriented.” 

BKA said that the “group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its illegal activities, it has obtained funds in the three-digit million range. Its victims include hospitals, public facilities, companies, public authorities, and private individuals."

Kovalev is in hiding and German police believe that he may be in Russia. The police have asked for any info that could lead to his arrest. 

Read more »
Subscribe to: Posts (Atom)