
Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide its operations. The group also set up new C2 infrastructure during the wave of internet shutdowns imposed earlier this year. The gang stopped configuring its C2 servers on January 8 when experts started monitoring Infy.

In reaction to previous protests, Iranian authorities implemented a nationwide internet shutdown on that day, which probably indicates that even government-affiliated cyber units did not have internet access.

About the campaign 

The new activity was spotted on 26 January 2026 while the gang was setting up its new C2 servers, one day prior to the Iranian government’s internet restrictions. This suggests that the threat actor may be state-sponsored and supported by Iran. 

Infy is one of the many state-sponsored hacking gangs working out of Iran, infamous for sabotage, spying, and influence campaigns coordinated with Tehran’s strategic goals. However, it also has a reputation as one of the oldest and less famous gangs, staying under the radar and not getting caught, and working secretly since 2004 via “laser-focused” campaigns aimed at people for espionage.

The use of modified versions of Foudre and Tonnerre, the latter of which used a Telegram bot probably for data collection and command issuance, was among the new tradecraft linked to the threat actor that SafeBreach revealed in a report released in December 2025. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that threat actors replaced the C2 infrastructure for all variants of Tonnerre and Foudre and also released Tornado variant 51 that employs both Telegram and HTTP for C2.

It generates C2 domain names using two distinct techniques: a new DGA algorithm initially, followed by fixed names utilizing blockchain data de-obfuscation. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day security bug in WinRAR to extract the Tornado payload on an infected host to increase the effectiveness of its attacks. The RAR archives were submitted to the VirusTotal platform from India and Germany in December 2025. This means the two countries may have been victims.



Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based ransomware-as-a-service (RaaS) group has been placed on the EU’s Most Wanted list and is the subject of an Interpol Red Notice. German and Ukrainian officials have found two more suspects working from Ukraine.

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware, operating under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta.

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Why Emails Pretending to Be from NGOs and Banks Are Becoming More Dangerous



A new cyber threat campaign has been identified in South Korea in which attackers pretended to represent human rights groups and financial institutions to trick people into opening harmful files. The findings were published on January 19 by United Press International, citing research from South Korean cybersecurity firm Genians.

According to Genians, the attackers sent deceptive emails that appeared to come from legitimate North Korea-focused human rights organizations and South Korean financial entities. These messages were designed to persuade recipients to click links or open attachments that secretly installed malware on their devices. Malware refers to harmful software that can spy on users, steal information, or allow attackers to control infected systems.

The campaign has been named “Operation Poseidon” by researchers and has been linked to a hacking cluster known as Konni. Security analysts have associated Konni with long-running advanced persistent threat operations. Advanced persistent threats, often called APTs, are prolonged cyber operations that focus on maintaining covert access rather than causing immediate disruption. Genians reported that Konni shares technical infrastructure and target profiles with other North Korea-linked groups, including Kimsuky and APT37. These groups have previously been connected to cyber espionage, surveillance, and influence efforts directed at South Korean government bodies, researchers, and civil society organizations.

The emails used in this operation did not contain direct malicious links. Instead, the attackers hid harmful destinations behind legitimate online advertising and click-tracking services that are commonly used by businesses to measure user engagement. By routing victims through trusted services, the links were more likely to pass email security filters. Genians found that the redirections relied on Google Ads URLs and poorly secured WordPress websites. The final destinations hosted malware files that were often disguised as ordinary PDF documents or financial notices, increasing the likelihood that users would open them.

Security professionals note that campaigns of this nature are difficult to defend against because they combine technical methods with psychological manipulation. Genians assessed that the characteristics of Operation Poseidon reflect a high level of planning and sophistication, making it hard for any single security tool to stop such attacks on its own.

The findings come amid growing international concern over North Korea’s cyber operations. In October, the 11-country Multilateral Sanctions Monitoring Team described North Korea’s cyber program as a state-level effort with capabilities approaching those of China and Russia. The group reported that nearly all malicious cyber activity linked to the Democratic People’s Republic of Korea is conducted under the direction of entities sanctioned by the United Nations for involvement in weapons programs. In November, the United States Treasury Department estimated that more than 3 billion dollars had been stolen over the past three years through attacks on financial systems and cryptocurrency platforms.

Genians advised individuals and organizations to treat unsolicited emails with caution. The firm warned that attackers are likely to continue impersonating financial institutions and urged users not to trust documents based only on subject lines or file names.

European Authorities Identify Black Basta Operatives, Add Alleged Ringleader to EU Most Wanted List

 

Law enforcement agencies in Ukraine and Germany have identified two Ukrainian nationals suspected of collaborating with the Russia-linked ransomware-as-a-service (RaaS) group known as Black Basta.

Authorities also confirmed that the group’s alleged leader, 35-year-old Russian citizen Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice database.

"According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," Ukraine’s Cyber Police said in an official statement.

Investigators revealed that the two suspects allegedly operated as “hash crackers,” focusing on extracting passwords from secured systems using specialized tools. Once credentials were obtained, other members of the ransomware operation infiltrated corporate networks, deployed ransomware, and demanded payment in exchange for restoring access to encrypted data.

Search operations carried out at the suspects’ homes in Ivano-Frankivsk and Lviv resulted in the seizure of digital storage devices and cryptocurrency holdings, authorities said.

Active since April 2022, Black Basta has reportedly attacked more than 500 organizations across North America, Europe, and Australia. The ransomware group is believed to have generated hundreds of millions of dollars in cryptocurrency through extortion payments.

In early 2025, a cache of internal Black Basta chat logs spanning roughly a year surfaced online. The leaked material provided rare insight into the group’s hierarchy, internal communications, key participants, and the security flaws they exploited to gain initial access to victim networks.

Those leaks identified Nefedov as the central figure behind Black Basta, noting that he operated under multiple aliases including Tramp, Trump, GG, and AA. Additional documents alleged that he maintained links with senior Russian political figures and intelligence services, including the FSB and GRU.

Investigators believe Nefedov used these alleged connections to shield his activities and avoid prosecution. Analysis by Trellix later indicated that despite being arrested in Yerevan, Armenia, in June 2024, Nefedov managed to secure his release. Other aliases attributed to him include kurva, Washingt0n, and S.Jimmi. While he is believed to be residing in Russia, his precise location remains unknown.

Further intelligence has linked Nefedov to Conti, the now-defunct ransomware group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information leading to five individuals associated with Conti, including Target, Tramp, Dandis, Professor, and Reshaev.

Black Basta emerged as an independent operation following the Conti brand’s shutdown in 2022, alongside groups such as BlackByte and KaraKurt. Former Conti affiliates also dispersed to other ransomware operations including BlackCat, Hive, AvosLocker, and HelloKitty, many of which have since ceased activity.

A separate report released this week by Analyst1 highlighted Black Basta’s heavy reliance on Media Land, a bulletproof hosting provider sanctioned by the U.S., U.K., and Australia in November 2025, along with its general director Aleksandr Volosovik, also known as Yalishanda. Despite the sanctions, the group allegedly received preferential, VIP-level service.

"[Nefedov] served as the head of the group. As such, he decided who or which organisations would be the targets of attacks, recruited members, assigned them tasks, took part in ransom negotiations, managed the ransom obtained by extortion, and used it to pay the members of the group," Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) stated.

Following the leaks, Black Basta appears to have ceased operations. The group has remained inactive since February and dismantled its data leak site later that month. However, cybersecurity experts caution that ransomware groups often dissolve only to reappear under new identities.

Reports from ReliaQuest and Trend Micro suggest that several former Black Basta affiliates may have transitioned to the CACTUS ransomware operation. This theory is supported by a sharp increase in victims listed on CACTUS’ leak site in February 2025, coinciding with Black Basta’s disappearance.

Europol Cracks Down on Gang Responsible for Cyber Crime Worth Billions


Europol’s joint operation to crack down on international gang

Europol recently arrested 34 people in Spain who are alleged to have a role in a global criminal gang called Black Axe. The operation was conducted by the Spanish National Police, the Bavarian State Criminal Police Office, and Europol.

Twenty-eight individuals were arrested in Seville, three in Madrid, two in Malaga, and the last one in Barcelona. Among the 34 suspects, 10 individuals are from Nigeria.

“The action resulted in 34 arrests and significant disruptions to the group's activities. Black Axe is a highly structured, hierarchical group with its origins in Nigeria and a global presence in dozens of countries,” Europol said in a press release on its website. 

About Black Axe 

Black Axe is infamous for its role in various cyber crimes such as fraud, human trafficking, prostitution, drug trafficking, armed robbery, kidnapping, and malicious spiritual activities. The gang earns roughly billions of euros annually through these operations, which have a massive impact.

Officials suspect that Black Axe is responsible for fraud worth over 5.94 million euros. During the operation, the investigating agencies froze 119,352 euros in bank accounts and seized 66,403 euros in cash during home searches.

The crackdown 

Germany and Spain's cross-border cooperation includes the deployment of two German officers on the scene on the day of action, the exchange of intelligence, and the provision of analytical support to Spanish investigators. 

The core group of the organized crime network, which recruits money mules in underprivileged communities with high unemployment rates, was the objective of the operation. The majority of these susceptible people are of Spanish nationality and are used to support the illegal activities of the network.

Europol's key role

Europol provided a variety of services to help this operation, such as intelligence analysis, a data sprint in Madrid, and on-the-spot assistance. Mapping the organization's structure across nations, centralizing data, exchanging important intelligence packages, and assisting with coordinated national investigations have all been made possible by Europol. 

To address the problems caused by the group's many small, scattered cases, its cross-border activities, and the blurring of its crimes into "ordinary" local offenses, this strategy seeks to disrupt the group's operations and recover assets.



US Shuts Down Web3AdspAnels Platform Used in Large-Scale Bank Account Cyber Thefts

 

US authorities have taken down an online platform allegedly used by cybercriminals to gain unauthorized access to Americans’ bank accounts.

Visitors attempting to access web3adspanels.org are now met with a law enforcement seizure notice. Investigators say the site played a key role in SEO poisoning operations that targeted individuals by stealing their online banking credentials.

According to officials, criminals paid for premium placements on search engines, directing users to websites that appeared to belong to legitimate banks but were actually fraudulent. Unsuspecting users entered their login details, which were secretly captured and stored, while they were never actually given access to their real bank accounts.

The Justice Department explained that web3adspanels.org functioned as a centralized platform where stolen credentials could be stored, modified, and later used to attempt unauthorized access to bank accounts and initiate illegal money transfers. An FBI affidavit notes that at least 19 victims—including two businesses—across the US have been identified in connection with this specific scheme, though authorities believe it represents only a fraction of the broader account takeover issue.

Prosecutors linked approximately $28 million in attempted fraudulent transfers to the platform, with confirmed losses estimated at $14.6 million.

More broadly, the FBI’s Internet Crime Complaint Center (IC3) reported receiving over 5,100 similar complaints since the beginning of the year, with total reported losses exceeding $262 million.

While announcing the takedown, the Justice Department did not explain how attackers were able to bypass stronger security measures such as multi-factor authentication (MFA). The IC3 also did not clarify this point in an advisory issued last month. However, authorities noted that such campaigns frequently rely on social engineering rather than simple phishing, persuading victims to voluntarily share their credentials and, critically, their MFA codes or one-time passwords.

Once access is obtained, cybercriminals typically move funds into accounts they control and then convert the money into cryptocurrencies, a tactic that complicates tracking across blockchain networks. In many cases, attackers also change victims’ banking passwords, effectively locking them out of their own accounts, the FBI said.

IC3 data shows that losses tied to electronic crime have steadily increased since 2020, with cyber-enabled fraud accounting for 83 percent of the total $16.6 billion in reported losses in 2024.

Former Cybersecurity Employees Involved in Ransomware Extortion Incidents Worth Millions


It is very unfortunate and shameful for the cybersecurity industry, when cybersecurity professionals themselves betray trust to launch cyberattacks against their own country. In a shocking incident, two men have admitted to working normal jobs as cybersecurity professionals during the day, while moonlighting as cyber attackers.

About accused

An ex-employee of the Israeli cybersecurity company Sygnia has pleaded guilty to federal crimes in the US for having involvement in ransomware cyberattacks aimed to extort millions of dollars from firms in the US. 

The culprit, Ryan Clifford Goldberg, worked as a cyber incident response supervisor at Sygnia, and admitted that he was involved in a year-long plan of attacking businesses around the US.

Kevin Tyler Martin, an associate and former DigitalMint employee who worked as a negotiation intermediary with threat actors, a role meant to help ransomware targets, has also admitted involvement.

The situation is particularly disturbing because both men held positions of trust inside the sector established to fight against such threats.

Accused pled guilty to extortion charges 

Both of the accused have pleaded guilty to one count of conspiracy to manipulate commerce via extortion, according to federal court records. In the plea statement, they admitted that, along with a third actor (not charged and unknown), they launched business compromises and ransom extortions over many years.

Extortion worth millions 

In one incident, the actors successfully extorted over $1 million in crypto from a Florida-based medical equipment firm. According to the federal court, alongside their legitimate work, they deployed the ‘ALPHV BlackCat’ software to extract and encrypt targets’ data, and shared the extortion money with the software’s developers.

According to DigitalMint, two of the people who were charged were ex-employees. After the incident, both were fired and “acted wholly outside the scope of their employment and without any authorization, knowledge or involvement from the company,” DigitalMint said in an email shared with Bloomberg.

In a recent conversation with Bloomberg, Sygnia mentioned that it was not a target of the investigation and the accused Goldberg was relieved of his duties as soon as the news became known.

A representative for Sygnia declined to speak further, and Goldberg and Martin's lawyers also declined to comment on the report.

Taiwan Holds 210 BTC Seized from Criminals, Debates Bitcoin's Strategic Value

 

Taiwan’s government said it is holding more than 210.45 bitcoin, worth about $18 million, all of which were seized during criminal investigations related to fraud, money laundering, and other financial crime. This disclosure was in response to a legislator’s demand for information on the state’s digital asset balance, exposing Taiwan as the 10th largest government holder of bitcoin in the world. 

The value of the seized digital assets has amounted to nearly 1.3 billion NTD (about $41 million), including those in stablecoins and other cryptocurrencies. Taiwan’s stash of bitcoin is entirely the byproduct of law enforcement seizures, not strategic investing, and officials emphasise that these are funds gleaned from fighting cybercrime and financial misfeasance. 

In addition to bitcoin, the Taiwanese government also holds considerable amounts of stablecoins like USDT and USDC, as well as over 2,400 ethereum coins and smaller amounts of other digital tokens. Officials are seeking to standardize the storage, tracking and reporting of such assets systemwide so the media can be assured of transparency and security. 

The fate of the seized bitcoin remains undecided. Usually the practice is to auction the confiscated assets, and the proceeds are poured into the public coffers, but legislators have begun debating whether to categorize bitcoin as a strategic commodity. Some feel virtual assets are not just speculative commodities but could have a role in national security or financial sovereignty. 

Taiwan’s central bank has reportedly agreed to conduct a more detailed study of bitcoin, including potential regulatory schemes and experiments involving confiscated funds. It seems the acquisition of a long-term strategy would require legislative and regulatory guidance, an indication of the increasing relevance of digital assets as a matter of public policy and finance. 

Worldwide, over 640,000 BTC, which accounts for around 3% of all bitcoin supply, are held by governments, with the United States holding the largest amount, followed by China and the UK. Taiwan’s position highlights the expanding role of cryptocurrencies in law enforcement and national asset management.