Cynthia B@Metacurity
//
The U.S. Treasury Department has sanctioned Funnull Technology Inc., a Philippines-based company, for providing infrastructure that facilitated "pig butchering" scams, a type of cryptocurrency investment fraud that has cost Americans over $200 million. The Treasury’s Office of Foreign Assets Control (OFAC) took action on May 29, 2025, targeting Funnull and its administrator, Liu Lizhi. The FBI has also issued an advisory warning against Funnull, highlighting its role as a major distributor of online scams. Funnull is accused of enabling cybercriminals by purchasing IP addresses in bulk from major cloud service providers and then selling them to operators of fraudulent investment platforms.
The sanctions follow an FBI investigation that linked Funnull to the majority of virtual currency investment scam websites reported to the agency. The FBI stated that Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses for U.S. victims, with average individual losses exceeding $150,000. These scams typically involve perpetrators posing as romantic partners or friends online to gain victims’ trust, then convincing them to invest in virtual currency on platforms that ultimately prove to be fraudulent. Scammers often demand additional "taxes" on purported crypto earnings before allowing victims to withdraw their funds, a withdrawal that never comes. Security firm Silent Push had previously identified Funnull as a criminal content delivery network (CDN) routing traffic through U.S.-based cloud providers before redirecting users to malicious websites. Their October 2024 research exposed a sprawling cluster of domains, dubbed "Triad Nexus," routed through Funnull's CDNs, revealing how cybercriminals leverage credible cloud providers for malicious activities through what they termed "infrastructure laundering." The FBI observed patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses, further complicating efforts to track and combat the scams.
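The "simultaneous migration of hundreds of domains to other IP addresses" that the FBI describes is a pattern a defender can look for in passive-DNS or resolver logs: many unrelated domains changing their resolved address to the same destination within a short window. The following is an added example, not code from the FBI, Silent Push or any cited article; the observation records are constructed sample data, and the window size and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style observations: (domain, ISO timestamp, resolved IP).
# These are made-up sample records using documentation address ranges.
OBSERVATIONS = [
    ("trade-a.example", "2025-01-10T00:00:00", "203.0.113.10"),
    ("trade-b.example", "2025-01-10T00:00:00", "203.0.113.10"),
    ("trade-c.example", "2025-01-10T00:00:00", "203.0.113.10"),
    ("trade-d.example", "2025-01-10T00:00:00", "203.0.113.10"),
    ("shop.example",    "2025-01-10T00:00:00", "192.0.2.1"),
    # a cluster of domains moving to a new IP within a few minutes of each other
    ("trade-a.example", "2025-02-01T03:00:00", "198.51.100.7"),
    ("trade-b.example", "2025-02-01T03:02:00", "198.51.100.7"),
    ("trade-c.example", "2025-02-01T03:04:00", "198.51.100.7"),
    ("trade-d.example", "2025-02-01T03:05:00", "198.51.100.7"),
    # an unrelated single domain changing hosting at the same time (benign noise)
    ("shop.example",    "2025-02-01T03:03:00", "192.0.2.2"),
]


def migrations(observations):
    """Return (time, domain, old_ip, new_ip) for every change in a domain's resolved IP."""
    by_domain = defaultdict(list)
    for domain, ts, ip in observations:
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    events = []
    for domain, history in by_domain.items():
        history.sort()
        for (_, prev_ip), (t, ip) in zip(history, history[1:]):
            if ip != prev_ip:
                events.append((t, domain, prev_ip, ip))
    return sorted(events)


def mass_migrations(observations, window=timedelta(hours=1), min_domains=3):
    """Flag destination IPs that receive at least `min_domains` distinct domains
    within any `window`-long interval. Returns (ip, window_start, domains) tuples."""
    by_dest = defaultdict(list)
    for t, domain, _, new_ip in migrations(observations):
        by_dest[new_ip].append((t, domain))

    alerts = []
    for ip, moves in by_dest.items():
        moves.sort()
        best, best_start, start = set(), None, 0
        # sliding window over the moves into this IP, keeping the densest one
        for end in range(len(moves)):
            while moves[end][0] - moves[start][0] > window:
                start += 1
            seen = {d for _, d in moves[start:end + 1]}
            if len(seen) > len(best):
                best, best_start = seen, moves[start][0]
        if len(best) >= min_domains:
            alerts.append((ip, best_start, sorted(best)))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, when, domains in mass_migrations(OBSERVATIONS):
        print(f"{when.isoformat()}  {len(domains)} domains moved to {ip}: {', '.join(domains)}")
```

The threshold of three domains fits the tiny sample; against real resolver data it would be raised, and the destination IPs can be enriched with hosting-provider ownership so that moves onto a bulk-rented CDN range stand out from ordinary hosting changes.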
References: @cyberscoop.com
//
Operation Endgame, a coordinated effort by Europol, Eurojust, and law enforcement agencies internationally, has successfully disrupted the DanaBot malware network. This operation has led to the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025. The U.S. Department of Justice (DoJ) has unsealed charges against 16 individuals allegedly involved in the development and deployment of the DanaBot malware, which was controlled by a Russia-based cybercrime organization.
The DanaBot malware, initially identified in May 2018, operated as a malware-as-a-service (MaaS), renting its capabilities to other criminals. It infected over 300,000 computers globally, causing an estimated $50 million in damages through fraud and ransomware. The malware was versatile, stealing banking credentials, browsing history, and cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often occurred through spam emails containing malicious attachments or hyperlinks, turning infected computers into part of a botnet. Among those charged by the U.S. Department of Justice are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large. The unsealed criminal complaint revealed that some of the defendants exposed their real-life identities by accidentally infecting their own systems with the malware. Operation Endgame also led to the issuance of international arrest warrants for 20 targets and the seizure of over EUR 21.2 million in cryptocurrency, including EUR 3.5 million during this latest action week.
References: @www.bleepingcomputer.com
//
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.
According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging. Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community," said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas.
References: @cyberscoop.com
//
A federal grand jury indictment unsealed today has charged 16 defendants who allegedly developed and deployed the DanaBot malware, a scheme that infected over 300,000 computers globally. The malware, controlled and deployed by a Russia-based cybercrime organization, facilitated fraud and ransomware attacks, causing at least $50 million in damage. Aleksandr Stepanov, 39, also known as "JimmBee," and Artem Aleksandrovich Kalinkin, 34, also known as "Onix," both of Novosibirsk, Russia, are among those charged.
The DanaBot malware was distributed through spam email messages containing malicious attachments or hyperlinks. Once a computer was infected, it became part of a botnet, allowing operators to remotely control the compromised machines. The malware operated on a malware-as-a-service model, offering access to the botnet and support tools to clients for a fee. DanaBot had extensive capabilities, including stealing data, hijacking banking sessions, recording keystrokes, and providing full remote access to victim computers. In addition to the criminal charges related to DanaBot, the U.S. Department of Justice announced the seizure of internet domains tied to the LummaC2 information-stealing malware operation, which has been actively targeting U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of these campaigns, which involve the deployment of the LummaC2 infostealer to breach networks and siphon off sensitive data. Microsoft independently took down 2,300 internet domains also used by the LummaC2 actors.
References: @cyberscoop.com
//
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.
The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details such as Social Security numbers and academic records. Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data.
References: Pierluigi Paganini@Security Affairs
//
Moldovan law enforcement, in collaboration with Dutch authorities, has apprehended a 45-year-old foreign man suspected of orchestrating a series of ransomware attacks targeting Dutch companies in 2021. The suspect is wanted internationally for a range of cybercrimes, including ransomware attacks, blackmail, and money laundering. This arrest marks a significant step in the fight against cybercrime, particularly concerning the persistent threat posed by DoppelPaymer ransomware. The operation involved a coordinated effort between Moldovan prosecutors, the country's Center for Combating Cybercrimes, and law enforcement from the Netherlands, highlighting the importance of international cooperation in tackling sophisticated cyber threats.
The suspect's alleged involvement includes a ransomware attack on the Netherlands Organization for Scientific Research (NWO), resulting in estimated damages of €4.5 million. During the arrest on May 6, Moldovan police searched the suspect's residence and car, seizing substantial evidence, including over €84,000 in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect is currently in custody, and extradition procedures to the Netherlands are underway, where he will face charges related to his alleged cybercrimes. The DoppelPaymer ransomware group emerged in 2019, known for its sophisticated tactics, including data exfiltration before encryption, to pressure victims into paying ransoms. The group has targeted various sectors globally and evolved into other ransomware variants, showcasing the challenges in combating this type of cyber threat. The arrest in Moldova underscores the ongoing efforts by law enforcement to pursue and bring cybercriminals to justice, reinforcing the message that cybercrime will not go unpunished.
References: Ashish Khaitan@The Cyber Express
//
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network. To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help clear malware that runs only in memory and does not survive a restart. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.
References: @cyble.com
//
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.
Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April. The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy: its features include a 20% revenue share, white-label ransomware kits, and pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is occurring. A total of 2,289 publicly named ransomware victims were reported in Q1 alone, a 126% year-over-year increase and an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.
References: Shivani Tiwari@cysecurity.news
//
Cybersecurity firm Bitdefender has issued a warning about a significant increase in subscription scams that are cleverly disguised as legitimate online stores and enticing mystery boxes. This new wave of scams is characterized by its unprecedented sophistication, employing high-quality website design, targeted advertising, and social media exploitation to deceive unsuspecting users. Over 200 fake retail sites have been identified as part of this operation, all designed to harvest credit card data and personal information from victims globally. These sites offer a wide range of products, including clothing, electronics, and beauty items, making it harder for users to distinguish them from genuine e-commerce platforms.
This scam network leverages social media platforms, particularly Facebook, where cybercriminals deploy sponsored ads and impersonate content creators to lure victims. A key component of this fraud is the evolution of the "mystery box" scam, which promises surprise items for a nominal fee but conceals hidden subscription models in the fine print. Victims are often unknowingly enrolled in recurring payment plans, with charges ranging up to 44 EUR every 14 days, disguised as loyalty benefits or exclusive shopping privileges. The scammers exploit the human fascination with the unknown, offering boxes supposedly left at post offices or bags found at airports, requiring a small payment to claim ownership, with the primary objective being collecting financial information. Bitdefender's investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges. To evade detection, scammers employ techniques such as multiple ad versions, Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent. Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States. The connection between these scams and a Cyprus-registered address raises suspicions of a coordinated operation involving offshore entities.
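The "homoglyph tactics" mentioned above rely on characters that look like the letters of a trusted brand (a Cyrillic "а" for a Latin "a", a "0" for an "o") so that a fake storefront's hostname passes a glance. The standard defensive counter is to reduce each hostname label to the ASCII string it visually resembles and compare that against a list of protected brands. The following is an added example, not code from Bitdefender or the cited report; the confusable table is a small hand-picked subset of the Unicode confusables (an assumption, not the full list), the brand list and hostnames are constructed, and the example assumes the brand-bearing label sits directly under the top-level domain.

```python
import unicodedata

# Constructed, deliberately small table of look-alike characters -> the ASCII letter
# they imitate. A production scanner would use the full Unicode confusables data.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "α": "a", "ο": "o", "ν": "v",                                           # Greek
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",                        # digits
    "ı": "i", "ɡ": "g",                                                      # Latin variants
}

# Constructed list of brands a defender wants to protect.
BRANDS = ["apple", "paypal", "microsoft"]


def skeleton(label):
    """Collapse a hostname label to the ASCII string a reader would see it as."""
    chars = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # drop accents left behind by decomposition (e.g. é -> e)
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def decode_host(host):
    """Turn the on-the-wire form (punycode 'xn--' labels) back into the Unicode a user sees."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def lookalike(host, brands=BRANDS):
    """Return the brand `host` imitates, or None.

    A label is suspicious only if its skeleton differs from the label itself
    (so something was substituted) and the skeleton contains a protected brand.
    """
    labels = decode_host(host).split(".")
    # assumption: the brand-bearing label is the one directly under the TLD
    label = labels[-2] if len(labels) >= 2 else labels[0]
    skel = skeleton(label)
    if skel == label.lower():
        return None  # plain ASCII label with no substitutions
    for brand in brands:
        if brand in skel:
            return brand
    return None


def scan(hosts, brands=BRANDS):
    """Map each host to the brand it imitates, keeping only the flagged ones."""
    return {h: b for h in hosts if (b := lookalike(h, brands)) is not None}


if __name__ == "__main__":
    # constructed sample hostnames, including one in its punycode wire form
    SAMPLE_HOSTS = ["xn--pple-43d.com", "micros0ft-billing.example",
                    "paypal.com", "shop.example", "pаypal-rewards.example"]
    for host, brand in scan(SAMPLE_HOSTS).items():
        print(f"{host} -> looks like {brand}")
```

Because the skeleton comparison runs on the decoded label, the same check catches both a raw Unicode hostname pulled from an advertisement and its `xn--` form seen in DNS or certificate-transparency logs. The check is one-sided by design: an exact ASCII brand match is treated as legitimate, so the list of protected brands should contain the defender's own registered names.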
References: @cyberalerts.io
//
The United States has indicted a 36-year-old Yemeni national, Rami Khaled Ahmed of Sana'a, believed to be the developer and primary operator of the 'Black Kingdom' ransomware. The charges stem from approximately 1,500 attacks conducted against Microsoft Exchange servers globally. Ahmed is accused of deploying the Black Kingdom malware on these systems between March 2021 and June 2023, targeting businesses, schools, and hospitals within the U.S. and elsewhere. He faces one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.
The attacks involved exploiting a vulnerability chain in Microsoft Exchange Server known as ProxyLogon, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. This allowed Ahmed and his co-conspirators to gain access to vulnerable networks, encrypt data, or claim to have stolen information. Victims were then instructed to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator as ransom for decryption. They were also allegedly asked to send proof of payment to a Black Kingdom email address. Cybersecurity experts described Black Kingdom ransomware as somewhat rudimentary, characterizing the attacker as a "motivated script-kiddie" leveraging ProxyLogon to deploy web shells and PowerShell commands. The indictment underscores the ongoing cybersecurity challenges posed by ransomware and highlights the importance of patching vulnerabilities promptly to prevent exploitation. If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The FBI, with assistance from the New Zealand Police, is conducting the investigation.
References: Lawrence Abrams@BleepingComputer
//
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges related to a significant data breach at Disney. Kramer, operating under the alias "NullBulge," admitted to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of confidential data. The stolen data included internal communications, sensitive information, images, source code, and credentials. The breach led Disney to switch from Slack to Microsoft Teams following the incident, which impacted over 10,000 Slack channels.
Kramer distributed a malicious program, disguised as an AI-powered image generation tool, on platforms like GitHub. This program contained a backdoor that allowed him to access the computers of those who downloaded and executed it. According to prosecutors, a Disney employee fell victim to this poisoned project between April and May of 2024, inadvertently granting Kramer access to their network and online credentials. This initial breach then allowed Kramer to move laterally within Disney's systems, compromising various platforms and confidential data storage areas. Armed with the stolen data, Kramer, falsely claiming affiliation with the Russian hacking group NullBulge, attempted to extort the victim. When the victim did not respond, Kramer proceeded to release their personal information, including bank, medical, and other sensitive details, across multiple platforms. While Kramer awaits sentencing, he faces a maximum of five years in federal prison for each felony count of accessing a computer to obtain information and threatening to damage a protected computer. The FBI is also investigating the extent to which data from at least two other victims who downloaded Kramer's malicious GitHub project may have been compromised.
References: @cyberscoop.com
//
A Ukrainian national, Artem Stryzhak, has been extradited to the United States to face charges related to his alleged involvement in Nefilim ransomware attacks. Stryzhak, aged 35, was arrested in Spain in June 2024 and arrived in the U.S. on April 30, 2025. Federal authorities accuse him of participating in a conspiracy to commit fraud and related activity, including extortion, through the use of Nefilim ransomware between 2018 and 2021. He is scheduled to appear for arraignment in the U.S. District Court for the Eastern District of New York.
Stryzhak and his co-conspirators are accused of targeting high-revenue companies in the U.S., Canada, and multiple European countries, including France, Germany, Australia, the Netherlands, Norway, and Switzerland. The ransomware attacks involved encrypting computer networks, stealing data, and demanding ransom payments in exchange for decryption keys. According to the indictment, Stryzhak had an agreement with Nefilim administrators to use the ransomware in exchange for 20% of the extorted proceeds. The victims included companies spanning various industries, such as engineering consulting, aviation, chemicals, insurance, construction, pet care, eyewear, and oil and gas transportation. U.S. Attorney John Durham emphasized the international nature of the case, stating that Stryzhak was part of an international ransomware scheme targeting high-revenue companies. Officials said the series of ransomware attacks caused millions of dollars in losses, including extortion payments and damage to victim computer systems. The extradition highlights ongoing international law enforcement efforts to combat ransomware and hold cybercriminals accountable, regardless of their location. Durham added that criminals who carry out such malicious cyberattacks often believe that American justice cannot reach them abroad.
References: