Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
telecommunications
Data Breach Orange Group Security Systems Sensitive data telecommunications

Hacker Leaks Stolen Data After Cyberattack on Orange Group

 


A hacker has claimed responsibility for breaking into the systems of Orange Group, a well-known French telecommunications provider. The attacker alleges that they stole a large number of internal files, including confidential details about customers and employees. After failing to extort the company, the hacker released some of this data on an underground forum.  


Orange Verifies the Cyberattack  

Orange Group has acknowledged the breach, stating that the attack targeted a non-essential system. The company has started an internal investigation and is taking steps to limit the damage. However, reports suggest that significant amounts of data have already been exposed.  

The hacker, who goes by the online name Rey, is associated with a cybercriminal group called HellCat. Despite this, Rey insists that this was not a ransomware attack. The breach primarily impacted Orange Romania, a regional branch of the company.  


What Information Was Compromised?  

According to the hacker, the stolen files contain nearly 380,000 email addresses, as well as confidential company records. The leaked data includes:  

• Customer and employee details  

• Business contracts and invoices  

• Internal source code  

• Payment card information, though many of these details are outdated  

Some of the email addresses in the leaked files belonged to former employees and business partners who had been associated with Orange Romania over five years ago. Additionally, the breach affected records from Yoxo, Orange’s subscription-based mobile service.  


How Did the Breach Occur?  

Rey claims to have accessed Orange’s systems for over a month before stealing data. The hacker reportedly gained entry using stolen login credentials and weaknesses in Jira, a software tool the company uses for project management and issue tracking.  

On the day of the attack, the hacker extracted company files for about three hours without triggering any security alerts. They also left a ransom note, but Orange did not respond or engage in negotiations.  


Orange’s Official Statement  

When asked about the breach, an Orange spokesperson confirmed that their Romanian operations had been targeted by hackers. The company’s cybersecurity and IT teams are currently working to understand the full extent of the breach and are focused on reducing its impact.  


A Pattern of Attacks?  

This is not the first time attackers have used Jira security flaws to steal information from large corporations. In similar cases, cybercriminals have managed to extract huge amounts of data, including 40GB in one breach and 2.5GB in another.  

This incident shows us the reality of weakened security systems and stolen login details can allow hackers to infiltrate major organizations. Companies must regularly update their cybersecurity measures to prevent such attacks. Employees and customers affected by this breach should remain cautious of phishing scams or fraudulent activities that may arise from their leaked data.  

As the investigation progresses, more details about the Orange Group breach may emerge. For now, the company is working on securing its systems and preventing further exposure of sensitive information.

Read more »
Ransomware attack
cyber attack Cybersecurity Breach Data Breach data security Lee Enterprises newspaper hack Ransomware attack

Lee Enterprises Confirms Ransomware Attack Impacting 75+ Publications

 

Lee Enterprises, a major newspaper publisher and the parent company of The Press of Atlantic City, has confirmed a ransomware attack that disrupted operations across at least 75 publications. The cybersecurity breach caused widespread outages, impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack, first disclosed to the Securities and Exchange Commission (SEC) on February 3, led to significant technology failures, affecting essential business functions. In an official update to the SEC, Lee Enterprises reported that hackers gained access to its network, encrypted key applications, and extracted files—common tactics associated with ransomware incidents.

As a result of the attack, the company's ability to deliver newspapers, process billing and collections, and manage vendor payments was severely affected. “The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments,” Lee Enterprises stated in its SEC filing.

With a vast portfolio of 350 weekly and specialty publications spanning 25 states, Lee Enterprises is now conducting a forensic investigation to assess the extent of the data breach. The company aims to determine whether hackers accessed personal or sensitive information belonging to subscribers, employees, or business partners.

By February 12, the company had successfully restored distribution for its core publications. However, weekly and ancillary publications are still facing disruptions, accounting for approximately five percent of the company's total operating revenue. While recovery efforts are underway, full restoration of all affected services is expected to take several weeks.

Cybersecurity experts have warned that ransomware attacks targeting media organizations can have severe consequences, including financial losses, reputational damage, and compromised data security. The increasing frequency of such incidents highlights the urgent need for media companies to strengthen their cybersecurity defenses against evolving cyber threats.

Growing Cybersecurity Threats in the Media Industry


The publishing industry has become an attractive target for cybercriminals due to its reliance on digital infrastructure for content distribution, subscription management, and advertising revenue. Recent high-profile cyberattacks on media organizations have demonstrated the vulnerability of traditional and digital publishing operations.

While Lee Enterprises has not yet disclosed whether a ransom demand was made, ransomware attacks typically involve hackers encrypting critical data and demanding payment for its release. Cybersecurity experts caution against paying ransoms, as it does not guarantee full data recovery and may encourage further attacks.

As Lee Enterprises continues its recovery process, the company is expected to implement stronger cybersecurity measures to prevent future breaches. The incident serves as a reminder for organizations across the media sector to enhance their security protocols, conduct regular system audits, and invest in advanced threat detection technologies.
Read more »
Russian IT security
banking software hack Cybersecurity Data Breach LANIT breach LANIT cyberattack NKTsKI warning Russian IT security

LANIT Cyberattack: Russian IT Giant Faces Major Security Breach

 

Russia's National Coordination Center for Computer Incidents (NKTsKI) has issued a warning to organizations in the country's credit and financial sector regarding a security breach at LANIT, a leading Russian IT service and software provider.

The alert, also published on GosSOPKA’s (State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks) website, states that the attack occurred on February 21, 2025. The incident may have affected LLC LANTER and LLC LAN ATMservice, both subsidiaries of the LANIT Group of Companies.

LANIT Group is a key player in Russia’s IT sector and the nation’s largest system integrator, with a client portfolio that includes the Russian Ministry of Defense and entities within the military-industrial complex, such as Rostec. Due to these associations, the U.S. Department of the Treasury imposed sanctions on LANIT in May 2024.

LLC LANTER and LLC LAN ATMservice specialize in banking technology, developing software solutions for banking equipment, payment systems, and Automated Teller Machines (ATMs).

Following the breach, NKTsKI has advised all potentially impacted organizations to reset passwords, update access keys, and modify remote access credentials.

"NKTsKI recommends that all organizations immediately change passwords and access keys for their systems hosted in LANIT's data centers," the bulletin states. "If your infrastructure uses LANIT group developments and software products, and LANIT engineers have been granted remote access, it is also recommended to change connection credentials."

"Additionally, it is advised to enhance monitoring of threats and information security events in systems that were developed, deployed, or maintained by engineers from the LANIT Group of Companies."

A detailed PDF document has been provided with further security recommendations, outlining measures to mitigate threats from compromised external channels.

NKTsKI has not disclosed how the attackers infiltrated the LANIT network, the exact timeline of the breach, the extent of the compromised data, or the perpetrators behind the attack.

In recent months, Russian ATM operators and banks have faced repeated cyberattacks from Ukrainian hackers, who frequently use distributed denial-of-service (DDoS) techniques to disrupt operations.

However, the latest warning suggests a deeper infiltration into a major service provider’s systems, raising concerns about potential widespread supply chain vulnerabilities.
Read more »
Patient Data
Data Breach data security Data Sets Data Theft Healthcare Data healthcare data breach Patient Data

DM Clinical Research Database Exposed Online, Leaking 1.6M Patient Records

 

A clinical research database containing over 1.6 million patient records was discovered publicly accessible online without encryption or password protection. Security researcher Jeremiah Fowler found the dataset, linked to DM Clinical Research, exposing sensitive information such as names, medical histories, phone numbers, email addresses, medications, and health conditions. 

The unprotected database, totaling 2TB of data, put those affected at risk of identity theft, fraud, and social engineering scams. While the database name suggests it belongs to DM Clinical Research, it remains unclear whether the firm directly managed it or if a third party was responsible. Fowler immediately sent a disclosure notice, and the database was taken offline within hours. 

However, it is unknown how long it remained exposed or whether threat actors accessed the data before its removal. Only a thorough forensic audit can determine the extent of the breach. DM Clinical Research responded to the disclosure, stating that they are reviewing the findings to ensure a swift resolution. They emphasized their commitment to data security and compliance with legal regulations, highlighting the importance of protecting sensitive patient information. 

However, this incident underscores the growing risks facing the healthcare industry, which remains a prime target for cyberattacks, including ransomware and data breaches. Healthcare data is among the most valuable for cybercriminals, as it contains detailed personal and medical information that cannot be easily changed, unlike financial data. 

In recent years, hackers have aggressively targeted medical institutions. In 2024, a cyberattack compromised the records of 190 million Americans, and UnitedHealth suffered a ransomware attack that leaked customer information onto the dark web. The exposure of sensitive medical conditions—such as psychiatric disorders, HIV status, or cancer—could lead to discrimination, scams, or blackmail. Attackers often use exposed medical data to craft convincing social engineering scams, posing as doctors, insurance companies, or medical professionals to manipulate victims. 

Fowler warns that health records, unlike financial data, remain relevant for a lifetime, making breaches particularly dangerous. Organizations handling sensitive data must take proactive measures to protect their systems. Encryption is critical to safeguarding customer information, as unprotected datasets could lead to legal consequences and financial losses. Real-time threat detection, such as endpoint security software, helps identify intrusions and suspicious activity before damage is done. 

In the event of a breach, transparency is essential to maintaining consumer trust and mitigating reputational harm. For individuals affected by data breaches, vigilance is key. Regularly monitoring financial accounts and bank statements for suspicious transactions can help detect fraudulent activity early. Social engineering attacks are also a major risk, as scammers may exploit exposed medical data to impersonate trusted professionals. 

Be cautious of unexpected emails, phone calls, or messages requesting personal information, and avoid opening attachments from unfamiliar sources. Using strong, unique passwords—especially for financial and healthcare accounts—adds an extra layer of security. 

This breach is yet another reminder of the urgent need for stronger cybersecurity measures in the healthcare sector. As cybercriminals continue to exploit vulnerabilities, both organizations and individuals must remain proactive in safeguarding sensitive data.
Read more »
National Public Data
California Privacy Protection Agency Data Breach data breach fine data brokers regulation National Public Data

National Public Data Faces $46,000 Fine from California Regulator Over Data Breach

 

National Public Data, the Florida-based company responsible for exposing millions of Social Security numbers to hackers last year, is now facing a fine from a U.S. regulator—though the penalty amount may fall short of consumer expectations.

The California Privacy Protection Agency (CPPA) has imposed a $46,000 fine on National Public Data, the maximum penalty permitted under California’s data broker regulations. The agency announced the enforcement action on Thursday, citing the company’s failure to comply with the state's data deletion law.

According to the regulator, National Public Data did not register or pay the required annual fee under California’s Delete Act, which mandates data brokers to register by January 31, 2024, and contribute to the California Data Broker Registry. Companies that fail to comply face a daily fine of $200. In this case, the company registered on September 18—230 days past the deadline—resulting in the accumulated $46,000 penalty.

The company’s registration came only after CPPA reached out, following widespread media coverage of the Social Security number leak. It remains uncertain whether additional penalties will be levied, but the CPPA confirmed that the current fine will be presented to an administrative law judge. "The CPPA’s five-member board ultimately decides whether to adopt or modify the judge’s decision. At that point, the agency’s decision becomes reviewable by a California court," the CPPA stated to PCMag.

Funds collected from the penalty will be directed to the Data Brokers’ Registry Fund to support the implementation and enforcement of the Delete Act, including the development of California’s first-of-its-kind data deletion system, according to the agency.

While the fine may seem minimal to those affected by the data breach, National Public Data remains under scrutiny. Last year, the company acknowledged that attorneys general from all 50 states, along with the Federal Trade Commission (FTC), were investigating the incident. Additionally, California's Consumer Privacy Act grants residents the right to sue businesses for data breaches that expose nonencrypted personal information.

National Public Data’s parent company, Jerico Pictures, has also faced significant legal challenges. In an attempt to manage mounting lawsuits, the company sought bankruptcy protection in a Florida court. However, the filing was dismissed after U.S. Trustee for Florida, Mary Ida Townson, stated: "The Debtor [Jerico Pictures] lacks the income and resources to demonstrate a reasonable likelihood of rehabilitation." Financial records indicate that the company reported a net profit of $865,149 on $1.2 million in revenue for 2023 and $475,526 in 2022.

Although further regulatory actions remain uncertain, National Public Data has ceased operations. Jerico Pictures' owner, Salvatore Verini, has not provided any public comment on the situation.
Read more »
Ransomware attack
Amsterdam cybercrime investigation Black Basta Cyber Threats Cybersecurity Data Breach Hacking phishing Ransomware Ransomware attack

Internal Chat Logs of Black Basta Ransomware Gang Leaked Online

 

A previously unidentified source has leaked what is claimed to be an archive of internal Matrix chat logs linked to the Black Basta ransomware group. The individual behind the leak, known as ExploitWhispers, initially uploaded the stolen messages to the MEGA file-sharing platform, which has since taken them down. However, they have now made the archive available through a dedicated Telegram channel.

It remains uncertain whether ExploitWhispers is a cybersecurity researcher who infiltrated the group's internal chat server or a discontented member of the operation. While no specific reason was provided for the leak, cybersecurity intelligence firm PRODAFT suggested that it could be a direct consequence of the ransomware gang’s alleged attacks on Russian banks.

"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT stated.

"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

The leaked archive contains internal chat messages exchanged between September 18, 2023, and September 28, 2024. A review conducted by BleepingComputer reveals that the messages encompass a broad range of sensitive information, including phishing templates, email addresses for targeting, cryptocurrency wallets, data dumps, victims' login credentials, and confirmations of previously reported attack strategies.

Additionally, the leaked records contain 367 unique ZoomInfo links, potentially reflecting the number of organizations targeted during the specified timeframe. Ransomware groups frequently use ZoomInfo to gather intelligence on their targets, either internally or for negotiations with victims.

ExploitWhispers also disclosed information about key Black Basta members, identifying Lapa as an administrator, Cortes as a threat actor connected to the Qakbot malware group, and YY as the primary administrator. Another individual, referred to as Trump (also known as GG and AA), is believed to be Oleg Nefedov, who is suspected of leading the operation.

Black Basta operates as a Ransomware-as-a-Service (RaaS) group, first emerging in April 2022. The gang has targeted several high-profile organizations across various industries, including healthcare, government contractors, and major corporations.

Notable victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group (formerly British Telecom), U.S. healthcare provider Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

A joint report from CISA and the FBI, published in May 2024, revealed that Black Basta affiliates compromised more than 500 organizations between April 2022 and May 2024.

Research from Corvus Insurance and Elliptic estimates that the ransomware gang collected approximately $100 million in ransom payments from over 90 victims by November 2023.

This incident bears similarities to the February 2022 data breach involving the Russian-based Conti cybercrime syndicate. At that time, a Ukrainian security researcher leaked over 170,000 internal chat messages and the source code for the Conti ransomware encryptor, following the group's public support for Russia amid the Ukraine conflict.
Read more »
Medical Data
Australia Data Breach Fertility Clinic Genea IVF Firm Medical Data

Australian IVF Giant Genea Suffers Data Breach Following Cyber Incident

 

A leading Australian IVF clinic suspects personal patient information may have been compromised during a cyber attack earlier this month. 

On February 14, Genea suspended several services and launched an inquiry into suspicious activity discovered on its network. In an update, the health service provider stated, we now believe the attacker may have accessed and stolen personal information that we hold. 

“Our investigation has identified that Genea’s patient management systems, which contain information about you, was accessed by an unauthorised third party,” Genea told patients. “We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised.” 

The patient management system includes a goldmine of information, including names, emails, phone numbers, Medicare and private health insurance details, medical history, prescriptions, test results, and doctor's notes. 

“At this stage there is no evidence that any financial information such as credit card details or bank account numbers have been impacted by this incident,” Genea noted. “The investigation is however ongoing, and we will keep you updated of any relevant further findings should they come to light.” 

The IVF service claimed to have notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner (OAIC). It will also meet with both the latter and the National Office of Cyber Security to "discuss the incident". 

Given that the theft involves personal information that potentially causes harm to those it was stolen from, the OAIC will ensure Genea ticks all of the boxes under the notifiable data breaches program. 

After several patients reported that the company's phone lines were down and that there were issues with its app and emails, Genea said last week that it had been obliged to take some systems and services offline "out of an abundance of caution" as it investigated the incident. 

Patients should be on the lookout for unusual emails, texts, phone calls, and "any other attempts that might relate to possible identity theft or fraud using your personal information". Genea, established in 1986 by Professor Robert Jansen, is one of Australia's top three IVF providers, with thousands of patients and 21 facilities across the country.
Read more »
Security Incident
Data Breach Data Leak Financial Data Fintech Security Incident

Fintech Giant Finastra Breach Exposed Private Data, Company Notifies Victims

 

The financial technology behemoth Finastra is alerting victims of a data breach after unidentified hackers initially gained access to its networks in October 2024 and took their personal data. More than 8,100 financial institutions in 130 countries, including 45 of the top 50 banks in the world, rely on London-based Finastra to supply financial services software applications.

The security incident was discovered on November 7 after Finastra detected malicious activity on some of its systems, as the business warned in breach notification letters given to those impacted by the breach. 

"Our investigation revealed that an unauthorized third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorized third party obtained certain files from the SFTP," the fintech giant noted. 

"Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low.” 

At least 65 people in the state whose financial account information was stolen received breach notification letters from Finastra last week, although the company has not yet disclosed the number of victims or the type of data that was compromised (apart from the names of the victims), according to filings with the Massachusetts Attorney General's office. 

Additionally, the financial services organisation offers those whose information was compromised or stolen in the incident two years of free credit monitoring and identity restoration services through Experian.

The hack is believed to be connected to a (now-deleted) post on the BreachForums online cybercrime community by a threat actor called "abyss0" who claimed to sell 400GB of data allegedly stolen from Finastra's network, despite the fact that Finastra only revealed a very small amount of information in filings with Attorney General offices.

Last year in November, when a local media outlet enquired about the forum post, a Finastra spokesperson declined to confirm or deny ownership of the data, stating that the company experienced a limited-scope security incident and is assessing its impact.

"On November 7, 2024 Finastra's Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers," Finastra added. 

Finastra was also forced to shut down parts of its systems in March 2020 to combat what Tom Kilroy, the company's Chief Operating Officer at the time, described as a ransomware attack. While the company did not disclose how the attackers got access to its systems, cyber threat intelligence firm Bad Packets discovered that Finastra had many unpatched Pulse Secure VPN and Citrix ADC (NetScaler) servers prior to the attack.
Read more »
Hackers
CVE CVEs Cybersecurity Dark Web Data Breach Data Leak data security FortiGate devices Hackers

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.
Read more »
Private Data
Android Apps Android Spyware Data Breach data security Data Theft Lookout Malicious Apps Private Data

Italian Spyware Firm SIO Linked to Malicious Android Apps Targeting WhatsApp Users

 

SIO, an Italian spyware company known for selling surveillance tools to government agencies, has been linked to a series of malicious Android apps designed to mimic WhatsApp and other popular services while secretly stealing private data, TechCrunch has revealed. Late last year, a security researcher provided TechCrunch with three Android apps, alleging they were government spyware used in Italy. 

Upon investigation, Google and cybersecurity firm Lookout confirmed that these apps were indeed spyware. This discovery highlights the expanding landscape of government surveillance, with numerous companies employing varied methods to target individuals. Italy is already embroiled in a separate spyware scandal involving Israeli firm Paragon, whose sophisticated surveillance tool allegedly targeted journalists and NGO founders. 

In contrast, the SIO-linked spyware campaign relied on a more straightforward approach—disguising malicious Android apps as well-known communication and customer service applications. Lookout researchers identified the malware as Spyrtacus, a spyware capable of stealing text messages, chats from WhatsApp, Signal, and Facebook Messenger, recording calls, capturing ambient audio and camera images, and extracting contact information. 

Their analysis confirmed that SIO was responsible for creating and distributing Spyrtacus, with samples dating back to 2019. Some variants impersonated apps from Italian telecom providers TIM, Vodafone, and WINDTRE. Google stated that none of the infected apps were available on the Play Store, asserting that Android security measures have protected users from this malware since 2022. 

However, a 2024 Kaspersky report suggested that earlier versions of Spyrtacus were distributed via Google Play in 2018 before shifting to fake websites mimicking major Italian internet providers. Italy has a long history of government spyware development, with companies such as Hacking Team, Cy4Gate, and RCS Lab selling surveillance tools to international law enforcement agencies. Spyrtacus is the latest example of this trend, with Lookout identifying command-and-control servers registered to ASIGINT, an SIO subsidiary specializing in wiretapping software. 

The SIO, Italian government and the Ministry of Justice have reportedly declined to comment. Lookout has also discovered references to Naples in the malware’s source code, suggesting a possible connection to developers from the region. 
Read more »
PHP
Cyberattacks CyberCrime Cybersecurity CyberThreat Data Breach Google TAG GTM PHP

Cybercriminals Leverage Google Tag Manager for Credit Card Data Theft

 


It is common for cybersecurity criminals to exploit vulnerabilities in Magento to inject an obfuscated script, which has been delivered through Google Tag Manager (GTM), into Magento-based eCommerce platforms, which allows them to intercept and steal credit card information during the checkout process. Using a hidden PHP backdoor, unauthorized access can be enabled, and continuous data exfiltration can continue, allowing persistence to be maintained. 

A security researcher at Sucuri discovered that the credit card skimming malware was embedded in a database table called cms_block.content, which enables unauthorized access and continuous data exfiltration. Because the malware is designed to avoid detection, it appears legitimate, and as a result, security measures may have a difficult time identifying and containing the threat. As a result, experts advise website administrators to implement enhanced security protocols so that such threats can be identified and eliminated efficiently. 

An investigation conducted by Sucuri recently revealed the presence of sophisticated credit card skimming operations that targeted a Magento-based eCommerce platform. To carry out the attack successfully, Google Tag Manager (GTM) is being used to inject malicious JavaScript into the checkout process to facilitate the collection of payment information without the user's knowledge. Throughout the cms_block, the malware was embedded to accomplish its purpose. 

A database table containing content data, which allowed cybercriminals to intercept transactions discreetly, was analyzed further by Sucuri, which revealed that a hidden backdoor was hidden within the media directories, making it possible for the attacker to access the compromised system indefinitely. It is well known that there is a great deal of threats to retailers and hospitality organizations, particularly those that operate eCommerce platforms, which are being exploited by third parties to gather information about real-time credit cards and send it to a remote server controlled by criminals. 

Organizations in the retail and hospitality industries, particularly those utilizing eCommerce platforms, are at a much greater risk of being attacked with similar GTM-based attacks. This is because the use of stealthy, legitimate-looking scripts makes it difficult for store owners to detect and mitigate these threats. It has become clear that WordPress and Magento are now used very widely as platforms for online retail operations, and as such, this attack methodology is very effective, and it could potentially negatively impact a wide range of businesses across the industry as a whole. 

If these vulnerabilities are not addressed promptly, significant financial losses may occur, fraud chargebacks may be made, and the cardholder may not be in compliance with the Payment Card Industry Data Security Standard (PCI DSS) regulations, in addition to the potential financial losses. The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) has released a report containing intelligence that will help organizations enhance their threat detection and response capabilities by integrating the information from this report into their cybersecurity strategies.

In the attack, people see an unconventional Magecart operation utilizing Google Tag Manager (GTM), a legitimate and free tool from Google that allows website owners to easily manage and deploy marketing tags on their websites without having to modify the code directly. To facilitate this process, GTM eliminates the need for developer intervention whenever marketers wish to track and adjust their advertising or marketing campaigns, as well as to track the effectiveness of their advertisements. 

As a result of a customer reporting unauthorized access to their credit card payment data on their eCommerce platform, Sucuri's security researchers discovered Magecart's activity for the first time. It was discovered by researchers that malware was being loaded from the cms_block after investigations were carried out. The malware exploited a modified GTM tag that contained a JavaScript payload embedded in it, effectively acting as a credit card skimmer by encoding the payload. The attackers used a method of obfuscating index values by using the function _0x5cdc, which maps specific characters within an array to specific index values in an array to avoid detection. 

There is no doubt that this method results in a huge amount of complexity and makes it much more challenging to determine the script's true purpose and prevent such sophisticated attacks from happening in the future. Taking proactive measures in detecting and mitigating threats is an important aspect of ensuring our systems' security, say cybersecurity experts. An investigation by Sucuri found that the attackers used an obfuscated backdoor disguised as a Google Tag Manager (GTM) and Google Analytics script to gain unauthorised access to the data being collected for web analytics and advertising purposes.

It has been reported that Puja Srivastava, a Sucuri researcher, found a script that could be executed from a Magento database table, allowing credit card information to be exfiltrated when executed from that database table. Scripts are used to gather information from users during the checkout process, and they are then sent to remote servers controlled by attackers, as they were designed to gather sensitive information from users. Earlier this month, Sucuri reported a series of security concerns related to WordPress plugins, which were exploited in a campaign targeting victims to redirect them to malicious websites, which were in turn used to compromise administrator accounts. 

Additionally, almost seven years ago, Google Tag Manager was identified as one of the tools used in the development of a malvertising campaign. However, in another case, According to the Department of Justice, Andrei Fagaras and Tamas Kolozsvari have been indicted for their alleged involvement in a payment card skimming operation. During these incidents, it was highlighted that the threat of cyber-attacks targeted at eCommerce platforms has not been contained and that enhanced security measures are needed to protect sensitive financial information. 

A group known as Magecart refers to a decentralized organization of cybercriminal organizations that conduct online payment card skimming attacks. These attacks typically involve injecting malicious code into websites to steal payment card information from customers, which is then monetized as needed. Such attacks have caused major damage to several organizations, including Ticketmaster, British Airways, and even the Green Bay Packers football team. After identifying the source of the infection on the client's website, the Sucuri team took immediate action to get rid of the malicious code immediately, eliminating any malicious code found in all compromised areas of the client's website. 

Aside from removing the malware from the system, they also removed obfuscated scripts and backdoors to prevent the malware from being reintroduced. Sucuri recommends that eCommerce platforms protect themselves against similar threats by logging into Google Tag Manager (GTM) and carefully reviewing all active tags, deleting any that appear suspicious from their list. Moreover, organizations need to conduct a comprehensive website security scan to detect and remove any remaining malicious code, backdoor files, as well as other files that could compromise their website, ensuring the integrity of the digital infrastructure of their organization.
Read more »
Password
Cyber Crime Data Breach DDOS Attacks IoT Password

Huge Data Leak Puts 2.7 Billion Records at Risk – What You Should Know

 



A security issue has surfaced involving an unprotected database linked to Mars Hydro, a Chinese company known for making smart devices like LED grow lights and hydroponic equipment. Security researcher Jeremiah Fowler discovered this database was left open without a password, exposing nearly 2.7 billion records.


What Data Was Leaked?  

The database contained sensitive details, including WiFi network names, passwords, IP addresses, and device identifiers. Although no personal identity information (PII) was reportedly included, the exposure of network details still presents serious security risks. Users should be aware that cybercriminals could misuse this information to compromise their networks.


Why Is This Dangerous?  

Many smart devices rely on internet connectivity and are often controlled through mobile apps. This breach could allow hackers to infiltrate users’ home networks, monitor activity, or launch cyberattacks. Experts warn that leaked details could be exploited for man-in-the-middle (MITM) attacks, where hackers intercept communication between devices. 

Even though there’s no confirmation that cybercriminals accessed this database, IoT security remains a growing concern. Previous reports suggest that 57% of IoT devices have critical security weaknesses, and 98% of data shared by these devices is unencrypted, making them prime targets for hackers.


Rising IoT Security Threats  

Cybercriminals often target IoT devices, and botnet attacks have increased by 500% in recent years. Once a hacker gains access to a vulnerable device, they can spread malware, launch large-scale Distributed Denial-of-Service (DDoS) attacks, or infiltrate critical systems. If WiFi credentials from this breach fall into the wrong hands, attackers could take control of entire networks.


How Can Users Protect Themselves?  

To reduce risks from this security lapse, users should take the following steps:

1. Update Device Passwords: Many IoT gadgets use default passwords that are the same across multiple devices. Changing these to unique, strong passwords is essential.

2. Keep Software Up-to-Date: Manufacturers release software patches to fix security flaws. Installing these updates regularly reduces the risk of exploitation.

3. Monitor Network Activity: Watch for unusual activity on your network. Separating IoT devices from personal computers and smartphones can add an extra layer of security.

4. Enhance Security Measures: Using encryption tools, firewalls, and network segmentation can help defend against cyberattacks. Consider investing in comprehensive security solutions for added protection.


This massive data leak stresses the importance of IoT security. Smart devices provide convenience, but users must stay proactive in securing them. Understanding potential risks and taking preventive measures can help safeguard personal information and prevent cyber threats.



Read more »
Zacks Investment Research breach
cybersecurity news Data Breach Financial Data Breach Zacks data leak Zacks Investment Research breach

Zacks Investment Research Faces Another Data Breach Impacting 12 Million Accounts

 

Zacks Investment Research reportedly suffered a data breach in 2024, exposing sensitive information from approximately 12 million accounts.

The American investment research firm provides data-driven insights through its proprietary stock assessment tool, ‘Zacks Rank,’ assisting investors in making informed financial decisions.

In late January, a threat actor posted data samples on a hacker forum, claiming the breach occurred in June 2024. The exposed data, available for purchase using cryptocurrency, includes full names, usernames, email addresses, physical addresses, and phone numbers. Despite multiple inquiries from BleepingComputer, Zacks has not responded to confirm the authenticity of the leaked data.

The hacker further claimed to have accessed the company’s active directory as a domain administrator and stolen the source code for Zacks.com and 16 other websites, including internal portals. Samples of the stolen source code were shared as proof of the breach.

The leaked database has now been listed on Have I Been Pwned (HIBP), a platform that allows users to check if their personal information has been compromised. HIBP verified that the database contained 12 million unique email addresses, IP addresses, usernames, physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes.

However, approximately 93% of the email addresses found in the breach had already been exposed in previous leaks associated with Zacks or other platforms.

Zacks has not officially confirmed this latest breach. If verified, it would mark the company's third major data breach in four years.

  • January 2023: Zacks disclosed that hackers had infiltrated its networks between November 2021 and August 2022, compromising the personal data of 820,000 customers.
  • June 2023: HIBP verified another leaked database originating from Zacks. The breach affected 8.8 million users, exposing email addresses, usernames, unsalted SHA-256 passwords, physical addresses, phone numbers, and full names.
  • May 2020: Data from Zacks reportedly surfaced online, indicating an earlier security incident.

While no official confirmation has been issued, HIBP has verified the recent leak with a high degree of confidence, suggesting that the compromised data stems from a new security incident.
Read more »
Sensitive Information
Data Breach Data Leak data security DDoS Hackers Personal Data Police Sensitive Information

Hackers Leak 8,500 Files from Lexipol, Exposing U.S. Police Training Manuals

 

An anonymous hacker group called the “puppygirl hacker polycule” recently made headlines by leaking over 8,500 files from Lexipol, a private company that provides training materials and policy manuals for police departments across the United States. 

As first reported by The Daily Dot, the data breach exposed internal documents, including thousands of police policies, emails, phone numbers, addresses, and other sensitive information about Lexipol employees. The hackers published the stolen data on Distributed Denial of Secrets (DDoS), a nonprofit platform for leaked information. In a statement, the group said they targeted Lexipol because, in their view, there aren’t “enough hacks against the police,” so they took action themselves.  

Founded in 2003, Texas-based Lexipol LLC, also known for its online training platform PoliceOne, has become a significant force in police privatization. The company supplies policy manuals and training content to more than 20% of U.S. police departments, according to a 2022 Indiana Law Journal analysis. This widespread adoption has effectively shaped public policy, despite Lexipol being a private company. 

Critics have long raised concerns about Lexipol’s focus on minimizing legal liability for police departments rather than addressing issues like excessive force or racial profiling. The Intercept reported in 2020 that Lexipol’s training materials, used by the NYPD after the George Floyd protests, prioritized protecting departments from lawsuits rather than promoting accountability or reform. 

Additionally, Lexipol has actively opposed proposed changes to police use-of-force standards, favoring a more lenient “objectively reasonable” standard. The leaked documents revealed striking similarities in policy language across different police departments, with matching sections on use-of-force protocols and even identical “Code of Ethics” pages — some ending with a religious oath dedicating officers to their profession before God. 

Despite Lexipol’s intent to reduce legal risks for its clients, some police departments using its policies have faced legal consequences. In 2017, Culver City, CA, adopted a Lexipol manual that suggested detaining suspected undocumented immigrants based on “lack of English proficiency,” contradicting the city’s sanctuary status. Similarly, Spokane, WA, paid a $49,000 settlement in 2018 after police violated local immigration laws using Lexipol’s guidance. 

Although the puppygirl hacker polycule isn’t linked to previous major breaches, their tactics echo those of SiegedSec, a group known for hacking government sites and playfully demanding research into “IRL catgirls.” As political tensions rise, the hackers predict more “hacktivist” attacks, aiming to expose injustices and empower public awareness. The Lexipol breach serves as a stark reminder of the vulnerabilities in privatized law enforcement systems and the growing influence of cyberactivism.
Read more »
zkLend
Cyvers Alerts Data Breach DeFi Digital Assets zkLend

zkLend DeFi Platform Hacked, Loses $9.5 Million

 



A major hacking incident has hit zkLend, a decentralized lending platform that operates on the Starknet blockchain. The attacker managed to steal about $9.5 million worth of cryptocurrency by exploiting a vulnerability in the system.

According to blockchain security company Cyvers, the stolen digital assets were initially moved to the Ethereum network through a bridging mechanism. The hacker then tried to hide the transactions using Railgun, a privacy-focused tool that makes it difficult to trace funds. However, due to Railgun’s internal restrictions, the stolen funds were redirected back to the hacker’s original wallet.

In reaction to the security breach, zkLend temporarily disabled all withdrawals and advised its users to avoid making deposits or repaying loans until the issue was fully investigated. The company is working with law enforcement agencies and cybersecurity experts, including StarkWare, Starknet Foundation, and Binance Security, to track the stolen assets and identify the culprit.

The incident has raised fresh concerns about security vulnerabilities in the decentralized finance (DeFi) sector. Data from DeFiLlama reveals that cybercriminals have already stolen over $110 million from blockchain projects since the beginning of 2024. This attack on zkLend is now considered one of the most significant breaches to affect the Starknet ecosystem.

Efforts to Recover Stolen Funds

To retrieve the lost assets, zkLend has reached out to the hacker via an on-chain message. They have offered the attacker a 10% “white hat” reward, allowing them to keep a portion of the funds if they return the remaining amount. The total sum requested back is around 3,300 ETH, valued at approximately $8.78 million. zkLend has set a strict deadline of February 14, warning that legal action will follow if the assets are not returned.

Preetam Rao, CEO of security firm QuillAudits, pointed out that this is likely the most significant security breach on Starknet in recent years. He commended zkLend for maintaining transparency and offering a bounty to incentivize the hacker to return the funds.

Meir Dolev, Co-founder and CTO of Cyvers, highlighted that the breach exposes major risks in DeFi lending. He noted that the vulnerability lay in zkLend’s smart contract structure rather than in the core cryptographic system of Starknet’s zero-knowledge rollup technology.

Understanding Railgun’s Role in the Attack

Unlike other tools such as Tornado Cash, which mixes funds to hide their source, Railgun is built into DeFi applications, ensuring user privacy while they interact with blockchain networks. The hacker used Railgun to obscure the movement of stolen assets, but due to its built-in policies, the funds were eventually sent back to the original wallet.

What Happens Next?

zkLend has promised to provide a full report detailing how the breach occurred once their investigation is complete. The company is urging its users to remain patient as they work to strengthen security measures and prevent similar attacks in the future.

This hack serves as a reminder of the risks in DeFi platforms. It highlights the importance of continuous security upgrades to protect digital assets from increasingly sophisticated cyber threats.



Read more »
Youtube
2FA Data Breach Emails Google Youtube

Google Fixes YouTube Security Flaw That Exposed User Emails

 



A critical security vulnerability in YouTube allowed attackers to uncover the email addresses of any account on the platform. Cybersecurity researchers discovered the flaw and reported it to Google, which promptly fixed the issue. While no known attacks exploited the vulnerability, the potential consequences could have been severe, especially for users who rely on anonymity.


How the Vulnerability Worked

The flaw was identified by researchers Brutecat and Nathan, as reported by BleepingComputer. It involved an internal identifier used within Google’s ecosystem, known as the Gaia ID. Every YouTube account has a unique Gaia ID, which links it to Google’s services.

The exploit worked by blocking a YouTube account and then accessing its Gaia ID through the live chat function. Once attackers retrieved this identifier, they found a way to trace it back to the account’s registered email address. This loophole could have exposed the contact details of millions of users without their knowledge.


Google’s Reaction and Fix

Google confirmed that the issue was present from September 2024 to February 2025. Once informed, the company swiftly implemented a fix to prevent further risk. Google assured users that there were no reports of major misuse but acknowledged that the vulnerability had the potential for harm.


Why This Was a Serious Threat

The exposure of email addresses poses various risks, including phishing attempts, hacking threats, and identity theft. This is particularly concerning for individuals who depend on anonymity, such as whistleblowers, journalists, and activists. If their private details were leaked, it could have led to real-world dangers, not just online harassment.

Businesses also faced risks, as malicious actors could have used this flaw to target official YouTube accounts, leading to scams, fraud, or reputational damage.


Lessons and Preventive Measures

The importance of strong security measures and rapid responses to discovered flaws cannot be emphasized more. Users are encouraged to take precautions, such as enabling two-factor authentication (2FA), using secure passwords, and being cautious of suspicious emails or login attempts.

Tech companies, including Google, must consistently audit security systems and respond quickly to any potential weaknesses.

Although the security flaw was patched before any confirmed incidents occurred, this event serves as a reminder of the omnipresent risks in the digital world. By staying informed and following security best practices, both users and companies can work towards a safer online experience.



Read more »
Website Security
Cyber Security CyberCrime Cybersecurity Data Breach eCommerce Google Tag Manager Hacking Magento malware Payment security Website Security

Cybercriminals Exploit Google Tag Manager to Steal Payment Data from Magento Sites

 

Cybercriminals have been leveraging Google Tag Manager (GTM) to inject malware into Magento-powered eCommerce websites, compromising customer payment data, according to cybersecurity experts.

Security researchers at Sucuri recently detected a live attack where a Magento-based online store suffered a credit card data breach. The investigation led to a malicious script embedded within Google Tag Manager, which, while appearing to be a standard tracking tool, was designed to steal sensitive payment information.

Google Tag Manager is a widely used tag management system that enables website owners to deploy tracking codes without modifying site code directly. However, attackers obfuscate the injected script, making detection difficult. The malware captures payment details at checkout and transmits them to a remote server. Researchers also discovered a backdoor, allowing persistent access to compromised sites.

At least six websites were found infected with the same GTM ID, and one domain used in the attack, eurowebmonitortool[dot]com, has now been blacklisted by major security firms. Cybersecurity experts emphasize that this attack method is not new. Sucuri researchers had previously identified similar threats, reaffirming that this technique is "still being widely used."

Given its popularity among eCommerce businesses, Magento remains a primary target for cybercriminals. Stolen payment data can be exploited for fraudulent purchases, malvertising campaigns, and other illicit activities.

Security Measures for Protection
To mitigate risks, website administrators should:
  • Remove any suspicious GTM tags
  • Conduct a full security scan
  • Ensure Magento and all extensions are updated
  • Regularly monitor site traffic and GTM configurations for anomalies
Proactive cybersecurity measures and ongoing vulnerability monitoring are crucial to safeguarding eCommerce platforms from such sophisticated attacks.
Read more »
United States
Cyber Fraud Data Breach DOJ Phobos Ransomware United States

Two Russian Hackers Arrested for Large-Scale Ransomware Attacks

 



Authorities in the United States have charged two Russian nationals with carrying out widespread cyberattacks using Phobos ransomware. The suspects, Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), were arrested in Thailand for allegedly orchestrating more than a thousand attacks worldwide.  

Cybercriminals Behind the Phobos Ransomware Attacks 

According to the U.S. Department of Justice (DoJ), both men were actively involved in cybercrime from 2019 to 2024. They were linked to two hacking groups known as "8Base" and "Affiliate 2803," which were responsible for spreading Phobos ransomware.  

Their method of attack involved infiltrating computer networks, stealing important files, and encrypting them using ransomware. Victims were then left with no access to their own data unless they paid a ransom. If payments were not made, the attackers allegedly threatened to leak sensitive information to the public or to the organizations’ clients and partners.  

Legal Charges and Possible Consequences

The two men now face multiple serious charges, including:  

1. Fraud involving online transactions  

2. Hacking into protected systems  

3. Intentional damage to computer networks  

4. Extortion through cyber threats  

If found guilty, the penalties could be severe. Wire fraud charges alone could lead to a 20-year prison sentence, while hacking-related crimes carry additional penalties of up to 10 years.  

International Crackdown on Ransomware Operations

In a coordinated effort, Europol and other international agencies have shut down 27 servers used by the 8Base ransomware group. This action has significantly disrupted the cybercriminal network.  

Authorities also revealed that a previous arrest in Italy in 2023 helped law enforcement gather intelligence on Phobos ransomware operations. This intelligence allowed them to prevent over 400 potential cyberattacks and take down key infrastructure used by the hackers.  

What This Means for Cybersecurity

Phobos ransomware has been a major cyber threat since 2018, targeting businesses and organizations worldwide. While these arrests and crackdowns have weakened the group, it is uncertain whether this will fully eliminate their operations.  

This case highlights the growing efforts by global law enforcement agencies to combat cybercrime. Businesses and individuals are urged to remain cautious, implement strong security measures, and stay informed about evolving cyber threats.  


Read more »
User Privacy
Data Breach Health Sisters Medical Data US Hospital User Privacy

US Health System Notifies Nearly 900K Patients Regarding a 2023 Data Breach

 

Hospital Sisters Health System informed nearly 882,000 patients that a cyberattack in August 2023 resulted in a data breach that compromised their private and medical data. 

Established in 1875, HSHS works with about 2,200 physicians and employs over 12,000 employees. It also runs a network of physician practices and 15 community hospitals in Illinois and Wisconsin, including two children's hospitals. 

The non-profit healthcare institution stated in data breach notifications given to those affected that the incident was discovered on August 27, 2023, after determining that the hacker had gained access to the HSHS network.

Following the security incident, its systems were affected by a widespread outage that knocked out "virtually all operating systems" and phone systems in Illinois and Wisconsin hospitals. HSHS also hired external security specialists to investigate the incident, assess the impact, and assist the IT staff in restoring hacked systems.

"We are prioritizing patient safety as we establish a process for restoration. With the support of third-party experts, we are bringing our systems back online as quickly and as safely as possible," HSHS noted in a September 2024 statement. "A health system of our size operates hundreds of system applications across thousands of servers, and as such, our restoration and investigative work will take some time to complete.” 

While the incident and subsequent outage appear to be the result of a ransomware attack, no ransomware outfit has claimed responsibility for the breach. Following the forensic inspection, HSHS discovered that between August 16 and August 27, 2023, the perpetrators had accessed files on hacked systems.

The information accessed by attackers while inside HSHS' systems varies by individual, but it typically includes a combination of name, address, date of birth, medical record number, limited treatment data, health insurance information, Social Security number, and/or driver's license number. 

While HSHS stated that there is no evidence that the victims' information was utilised in fraud or identity theft activities, it recommended impacted individuals to keep an eye on their account statements and credit reports for suspicious behaviour. The health system also provides free Equifax credit monitoring for one year to anybody harmed by the breach.

New York Blood Centre (NYBC), one of the biggest independent blood collection and distribution organisations in the world, announced that it had to reschedule some appointments due to a ransomware attack, Connecticut healthcare provider Community Health Centre (CHC) informed more than a million patients regarding a data breach last week. 

UnitedHealth said earlier this month that the Change Healthcare ransomware assault last year had stolen the data of some 190 million Americans, nearly twice as many as the 100 million that were made public in October.
Read more »
ransomware payments
Cybercrime Trends cybersecurity news Data Breach law enforcement crackdown Cyber Attacks ransomware attacks ransomware payments

Ransomware Payments Drop 35% in 2024 Amid Increased Resistance and Law Enforcement Crackdowns

 

Ransomware payments saw a significant decline in 2024, dropping 35% year-over-year to $813.55 million from the $1.25 billion recorded in 2023. Additionally, only about 30% of victims engaged in ransom negotiations proceeded with payments.

These insights, reported by blockchain intelligence firm Chainalysis, highlight a downward trend despite 2024 being a record-breaking year for ransomware attacks. A notable incident involved a Fortune 50 company paying $75 million to the Dark Angels ransomware group—the largest known payout of the year. Meanwhile, cybersecurity firm NCC Group recorded 5,263 successful ransomware breaches in 2024, marking the highest-ever attack volume.

Despite the increase in attacks, ransomware actors are facing difficulties in extorting payments. Chainalysis noted a surge in disclosures on data leak sites, indicating that cybercriminals are resorting to increased exposure tactics to pressure victims. However, a growing number of organizations are resisting ransom demands.

This shift is driven by heightened cybersecurity awareness, improved protective measures, and a realization that attackers’ promises to delete stolen data are often unreliable. Legal scrutiny has also played a role, pushing companies to forgo negotiations, instead opting to restore systems from backups while mitigating reputational risks.

Another critical factor behind the payment decline is the impact of law enforcement operations. In 2024, global agencies targeted ransomware groups, with ‘Operation Cronos’ taking down LockBit, one of the most prolific gangs. Additionally, the collapse of ALPHV/BlackCat created instability, leaving smaller groups unable to dominate the space, despite RansomHub’s attempts.

Chainalysis data indicates that even when ransoms were paid, they were often significantly reduced through negotiations. Cybercriminals are also facing increasing difficulties laundering their illicit earnings. Crackdowns on cryptocurrency mixers and non-compliant exchanges have forced ransomware actors to shift to alternative methods, such as cross-chain bridges, to obscure transactions.

Centralized exchanges remained the primary cash-out method in 2024, handling 39% of all ransomware proceeds. However, an increasing number of affiliates are now opting to hold funds in personal wallets, wary of law enforcement tracking and potential arrests.

Despite the surge in ransomware activity, victims are becoming more resistant, and law enforcement is tightening its grip, signaling a potential long-term shift in the cybersecurity landscape.
Read more »
Subscribe to: Posts (Atom)