@techcrunch.com - 18d
A global police operation involving agencies from Europe, Japan, the U.S., and the U.K. has successfully seized the dark web leak site of the 8Base ransomware gang. The takedown message displayed on the site was confirmed as legitimate by Lucy Sneddon, a spokesperson for the U.K.’s National Crime Agency. While the U.K. played a supportive role, other involved agencies have not yet commented. Security researchers first noticed the seizure notice earlier this week.
This operation is part of a larger effort targeting ransomware gangs. In a related development, authorities have arrested four suspected Phobos ransomware hackers in Phuket, Thailand. These individuals are accused of conducting cyberattacks on over 1,000 victims worldwide and extorting $16,000,000 worth of Bitcoin. The operation, codenamed "Phobos Aetor," involved raids across multiple locations.
References:
- CyberInsider: Phobos Ransomware Gang Dismantled in International Sting
- BleepingComputer: Police arrests 4 Phobos ransomware suspects, seizes 8Base sites
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- bsky.app: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- Carly Page: Mastodon post confirming the takedown of 8Base's leak site.
- techcrunch.com: TechCrunch reports on the global police operation seizing the 8base ransomware gang leak site.
- www.bleepingcomputer.com: BleepingComputer's report on the takedown of 8Base's dark web sites.
- DataBreaches.Net: Reports on police arresting 4 Phobos ransomware suspects and seizing 8Base sites.
- Threats | CyberScoop: CyberScoop article on 8Base
- cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
- Anonymous: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base’s dark web sites.
- The Register - Security: All your 8Base are belong to us: Ransomware crew busted in global sting
- securityaffairs.com: Report on the 8Base ransomware takedown highlighting the international collaboration.
- The Hacker News: 8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation
- www.helpnetsecurity.com: Thai police have arrested four individuals suspected of being the leaders of the 8Base ransomware group and of stealing approximately $16 million from 1,000+ victims they targeted with the Phobos ransomware.
- BleepingComputer: Police arrests 2 Phobos ransomware suspects, seizes 8Base sites - BleepingComputer
- socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs In a coordinated global effort, law enforcement agencies have successfully dismantled the dark web infrastructure of the 8Base ransomware gang and arrested four individuals linked to the Phobos ransomware.
- Help Net Security: 8Base ransomware group leaders arrested, leak site seized
- PCMag UK security: An international operation has dealt a major blow to a cybergang known as 8Base, which used the Phobos to infect hundreds of companies and organizations.
- techcrunch.com: Authorities arrest four suspected 8base ransomware operators in global takedown
- www.europol.europa.eu: Report on the global law enforcement operation that led to the arrests.
- Security Boulevard: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
- securityboulevard.com: With "Operation Phobos Aetor," international law enforcement, including the US DOJ and Europol, arrest four Russian nationals and seize infrastructure connected to the 8Base ransomware group, the largest affiliate of the prolific Phobos RaaS operation.
- securityaffairs.com: Global law enforcement operation targeting the 8Base ransomware gang and related criminal activity.
- Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally
- www.csoonline.com: Law enforcement agencies from 14 countries collaborated in an investigation against the related Phobos and 8Base ransomware operations, arresting four suspects and seizing 27 servers, including the data leak and ransom negotiation websites.
@www.bleepingcomputer.com - 28d
Operation Talent, a large-scale international law enforcement effort, has successfully dismantled two major cybercrime forums, Cracked and Nulled. These platforms, with a combined user base exceeding 9 million, were hubs for the distribution of illegal goods, including stolen data, malware, and hacking tools. The operation, led by German authorities with the cooperation of eight countries, involved the seizure of 12 domains, 17 servers, over 50 electronic devices, and approximately €300,000 in cash and cryptocurrencies. Two individuals were arrested in Spain and are believed to be the main operators of both forums and related services.
The takedown of Cracked and Nulled, executed between January 28th and 30th, also targeted associated services like Sellix, a payment processor used by Cracked, and StarkRDP, a hosting service promoted on both platforms. Investigators estimate that the suspects generated around €1 million in criminal proceeds through these illegal activities. Europol played a key role, providing forensic and analytical support to the authorities. The collaborative effort highlights the growing threat of “cybercrime-as-a-service”, where readily available tools and infrastructure are used to launch attacks by those with varying levels of technical knowledge.
References:
- ciso2ciso.com: International Operation Dismantles Cracked and Nulled Cybercrime Hubs – Source: www.infosecurity-magazine.com
- www.bleepingcomputer.com: Police seizes Cracked and Nulled hacking forum servers, arrests suspects
- www.helpnetsecurity.com: Cybercrime forums Cracked and Nulled seized, operators arrested
- www.the420.in: Global Cybercrime Forums Cracked and Nulled Shut Down in International Sting Operation
- Pyrzout :vm:: International Operation Dismantles Cracked and Nulled Cybercrime Hubs – Source: www.infosecurity-magazine.com
- Techmeme: Europol and German law enforcement arrest two suspects and seize 17 servers to take down Cracked and Nulled, two of the largest hacking forums with 10M+ users
- securityonline.info: Europol Smashing Cybercrime Hubs: Cracked & Nulled Taken Down
- www.techmeme.com: Techmeme summarizes the news about the Europol takedown of Cracked and Nulled hacking forums, citing BleepingComputer as a source.
- securityonline.info: Security Online summarizes the Europol operation that led to the takedown of Cracked and Nulled cybercrime forums.
- The Hacker News: The Hacker News reports on the authorities seizing the domains of popular hacking forums as part of a major cybercrime crackdown.
- Help Net Security: Cybercrime forums Cracked and Nulled seized, operators arrested
- hackread.com: Operation Talent: Two Arrested as Authorities Dismantle Cracked and Nulled
- cyberinsider.com: This article discusses Europol and the FBI's coordinated takedown of the large cybercrime forums, Cracked and Nulled.
- CyberInsider: In a coordinated international effort, Europol and the FBI have dismantled Cracked.io and Nulled.to, two of the world's largest cybercrime forums, seizing their domains and shutting down associated services.
- securityaffairs.com: Operation Talent: An international law enforcement operation seized Cracked, Nulled and other cybercrime websites
- socradar.io: Operation Talent: FBI Takes Down Cracked.io and Nulled.to in Global Cybercrime Crackdown
- techcrunch.com: International police coalition takes down two prolific cybercrime and hacking forums
- www.justice.gov: This website contains the latest news about cybersecurity incidents and attacks.
- BleepingComputer: Europol and German law enforcement confirmed the arrest of two suspects and the seizure of 17 servers in Operation Talent, which took down Cracked and Nulled, two of the largest hacking forums with over 10 million users.
- infosec.exchange: NEW: An international coalition of law enforcement agencies announced it has seized and taken down two prominent hacking forums with more than 10 million users. German police called Cracked and Nulled “the world’s two largest trading platforms for cybercrime.” The operation has also led to several arrests, searches of properties, as well as seizure of servers, electronic devices, cash, and cryptocurrency.
- U.S. Department of Justice: See parent toot above for the EUROPOL announcement. The U.S. DOJ finally has their own press release for the takedown of cybercrime forums Cracked and Nulled. It has substantially more information about each case, definitely worth a read.
- The420.in: Global authorities have dismantled Cracked.io and Nulled.to, two major cybercrime forums with 10M+ users.
- DataBreaches.Net: Law enforcement has been busy. As reported yesterday, Cracked and Nulled forums were seized along with services associated with them financially.
- thecyberexpress.com: This website provides cybersecurity news and updates on various attacks.
Eduard Kovacs@SecurityWeek - 22d
Spanish authorities have arrested a hacker in Alicante for allegedly conducting over 40 cyberattacks targeting critical public and private organizations, including NATO, the US Army, and various Spanish entities such as the Guardia Civil and the Ministry of Defense. The investigation began in early 2024 after a data leak was reported from a Madrid business association, revealing that the hacker was boasting about stolen information on an underground criminal forum, even defacing the victim's website.
The suspect, known online as "Natohub" among other pseudonyms, is accused of illegally accessing computer systems, disclosing secrets, damaging computers, and money laundering. Police seized multiple computers, electronic devices, and over 50 cryptocurrency accounts containing various digital assets. Although the suspect's name hasn't been released by police, local news reports identify him as an 18-year-old man.
References:
- BleepingComputer: The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.
- securityaffairs.com: Spanish Police arrested an unnamed hacker who allegedly breached tens of government institutions in Spain and the US.
- Help Net Security: Suspected NATO, UN, US Army hacker arrested in Spain
- SecurityWeek: Spanish authorities have arrested an individual who allegedly hacked several high-profile organizations, including NATO and the US army.
- The Spanish National Police and the Civil Guard announced the arrest (and release) of a hacker responsible for the cyberattacks against various Spanish government organizations, NATO and U.S. Army databases, and other international companies and entities.
- www.scworld.com: Suspected hacker arrested for attacks on NATO, US Army
- CyberInsider: Police Arrest Hacker Behind Attacks on U.S. and NATO Systems
- cyberinsider.com: Police Arrest Hacker Behind Attacks on U.S. and NATO Systems
- www.bleepingcomputer.com: Spanish National Police (Spanish language): The Spanish National Police and the Civil Guard announced the arrest (and release) of a hacker responsible for the cyberattacks against various Spanish government organizations, NATO and U.S. Army databases, and other international companies and entities. Police seized multiple computers, electronic devices, and 50 cryptocurrency accounts containing various digital assets. Although no identity was released, police linked the victim organizations to high-profile attacks by the hacker using the alias "natohub".
- www.helpnetsecurity.com: Suspected NATO, UN, US Army hacker arrested in Spain
- www.securityweek.com: SecurityWeek provides details on the hacker's arrest and the organizations targeted.
- bsky.app: The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities. https://www.bleepingcomputer.com/news/legal/spain-arrests-suspected-hacker-of-us-and-spanish-military-agencies/
- Cybernews: An undisclosed hacker has been accused of over 40 cyberattacks on strategic organizations, including government, universities, NATO, and the US Army.
- www.policia.es: Spanish National Police (Spanish language): The Spanish National Police and the Civil Guard announced the arrest (and release) of a hacker responsible for the cyberattacks against various Spanish government organizations, NATO and U.S. Army databases, and other international companies and entities.
- Techmeme: Spanish police arrest a hacker for allegedly conducting 40 cyberattacks on critical public and private organizations, seizing 50 crypto accounts, PCs, and more
- www.techmeme.com: Spanish police arrest a hacker for allegedly conducting 40 cyberattacks on critical public and private organizations, seizing 50 crypto accounts, PCs, and more
- ciso2ciso.com: Police arrest teenager suspected of hacking NATO and numerous Spanish institutions
- gbhackers.com: Authorities Arrested Hacker Who Compromised 40+ Organizations
- www.helpnetsecurity.com: The Spanish National Police has arrested a hacker suspected of having breached national and international agencies (including the United Nation’s International Civil Aviation Organization and NATO), Spanish universities and companies, and released stolen data on the dark web.
@www.chainalysis.com - 22d
Ransomware payments experienced a significant decline in 2024, dropping by 35% to approximately $813.55 million, according to a report by Chainalysis. This marks a notable decrease from the record $1.25 billion paid in 2023. The decline reflects a growing trend of victims refusing to pay extortion demands, despite ransomware gangs posting more victims on leak sites. The shift suggests that organizations are becoming more resilient to ransomware attacks, possibly due to enhanced data recovery strategies and the impact of increased law enforcement interventions.
The surprising decrease in payments, particularly in the second half of 2024, signals a potential change in the ransomware landscape. Crypto forensics firm Chainalysis noted that sums demanded by cyber gangs in the second half of 2024 were 53% higher than actual payouts. Law enforcement actions, including disruptions to prolific ransomware gangs like LockBit and improved international collaboration, are also contributing to this downturn. This indicates a shift in the financial dynamics of ransomware operations.
References:
- Carly Page: Ransomware payments fell by more than one-third in 2024 as an increasing number of victims refused to negotiate with hackers
- techcrunch.com: Ransomware payments fell by more than one-third in 2024 as an increasing number of victims refused to negotiate with hackers.
- Help Net Security: Ransomware payments plummet as more victims refuse to pay
- techcrunch.com: TechCrunch covers Chainalysis' report on the decline in ransomware payments.
- www.chainalysis.com: Chainalysis' blog post presents their full analysis of the cryptocurrency crime trends in 2024.
- www.cybersecurity-insiders.com: Good news as ransomware pay fell by 35 percent in 2024
- www.helpnetsecurity.com: Ransomware payments plummet as more victims refuse to pay
- Ars OpenForum: Amount paid by victims to hackers declined by hundreds of millions of dollars.
- Techmeme: In 2024, ransomware attackers received ~$813.55M in payments from victims, down 35% on 2023's record $1.25B, as more victims refused to pay (Chainalysis)
- arstechnica.com: Amount paid by victims to hackers declined by hundreds of millions of dollars.
- Moonshot News: Ransomware payments have changed dramatically
- moonshot.news: Ransomware payments fell 35% in 2024 from 2023 record-breaking $1.25 billion down to $813.55 million, marking the first revenue decline since 2022, US blockchain data platform Chainalysis reports.
- www.techmeme.com: In 2024, ransomware attackers received ~$813.55M in payments from victims, down 35% on 2023's record $1.25B, as more victims refused to pay
- cyberscoop.com: CyberScoop reports that ransomware payments dropped 35% in 2024.
- Blog: Field Effect reports on the decline in ransomware payments and increase in attack frequency.
- securityboulevard.com: Law enforcement actions, better defenses, and a refusal by victims to pay helped to reduce the amount of ransoms paid in 2024 by 35%, a sharp decline from the record $1.25 billion shelled out in 2023, according to researchers with Chainalysis.
- www.heise.de: Various measures against cybercriminals have once again shown success in 2024: Ransom payments following ransomware attacks have fallen again.
- Security Boulevard: Security Boulevard article on ransomware payments falling 35% in 2024.
- cyberpress.org: Cyberpress reports on ransomware payments plummeting in 2024.
- TechInformed: TechInformed reports on ransomware payments plummeting in 2024.
@hackread.com - 25d
The U.S. Department of Justice has charged Andean Medjedovic, a 22-year-old Canadian national, with stealing approximately $65 million in cryptocurrency. Medjedovic allegedly exploited vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols. He reportedly withdrew millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless.
Medjedovic is also accused of laundering the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, including through swap transactions, bridging transactions, and the use of a digital assets mixer. The indictment also alleges that he attempted to extort the victims of the KyberSwap exploit. Medjedovic faces charges including wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering conspiracy, and money laundering. If convicted, he faces a maximum of 10 years in prison on the unauthorized damage charge and 20 years on each of the other counts.
References:
- BleepingComputer: The U.S. Justice Department has charged a Canadian man with stealing roughly $65 million after exploiting two decentralized finance (DeFI) protocols.
- securityonline.info: Canadian Hacker Indicted for $65 Million DeFi Exploit
- Cyber Security News: Cybersecurity News article about the Canadian national charged with stealing $65 million in crypto.
- securityonline.info: Details about the criminal indictment.
- www.justice.gov: U.S. Department of Justice : 22 year old Canadian national Andean Medjedovic was charged with exploiting vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols to withdraw approximately $65 million from investor funds. Medjedovic also allegedly laundered the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, using bridging transactions and crypto mixers. The indictment cites: Wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering conspiracy, and money laundering.
- DataBreaches.Net: Canadian man charged in $65 million cryptocurrency hacking schemes
- www.bleepingcomputer.com: Report on the exploit of KyberSwap and Indexed Finance.
- www.justice.gov: Original DOJ report about the incident.
- CryptoSlate: KyberSwap exploiter gets five-count criminal indictment after stealing $65M
- cryptoslate.com: KyberSwap exploiter gets five-count criminal indictment after stealing $65M
- Help Net Security: Man charged with stealing $65 million by exploiting DeFi protocol vulnerabilities
- www.helpnetsecurity.com: Man charged with stealing $65 million by exploiting DeFi protocol vulnerabilities
- hackread.com: News report on the alleged DeFi hack.
@www.justice.gov - 27d
U.S. and Dutch law enforcement agencies have jointly dismantled a network of 39 domains and associated servers used in Business Email Compromise (BEC) fraud operations. The operation, codenamed "Operation Heart Blocker," took place on January 29th and targeted the infrastructure of a group known as "The Manipulaters," which also went by the name Saim Raza. This group operated online marketplaces originating from Pakistan, selling phishing toolkits, scam pages, email extractors, and fraud-enabling tools. The services marketed were utilized by transnational organized crime groups in the US who used these tools to target various victims with BEC schemes. These attacks tricked victim companies into making fraudulent payments which are estimated to have caused over $3 million in losses.
The seized domains and servers contained millions of records, including at least 100,000 pertaining to Dutch citizens. "The Manipulaters" marketed their services under various brands, including Heartsender, Fudpage, and Fudtools, which specialized in spam and malware dissemination. The U.S. Department of Justice stated that Saim Raza-run websites not only sold the tools but also provided training to end users through instructional videos on how to execute schemes using the malicious programs, making them accessible to those without technical expertise. The service was estimated to have thousands of customers. The tools were used to acquire victim user credentials, which were then utilized to further the fraudulent schemes. Users can check whether they were impacted by credential theft via a Dutch Police website.
References:
- ciso2ciso.com: U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network
- krebsonsecurity.com: FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang
- The Hacker News: U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan.
- ciso2ciso.com: The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan.
- Pyrzout :vm:: U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network
- krebsonsecurity.com: FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang – Source: krebsonsecurity.com
- www.trendingtech.news: International cooperation dismantles phishing network 'the manipulaters'
- Pyrzout :vm:: FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang
- hackread.com: Joint US-Dutch operation dismantled the HeartSender cybercrime network.
- www.justice.gov: Cybercrime websites selling hacking tools to transnational organized crime groups were seized.
- thecyberexpress.com: The Cyber Express article about the Justice Department disrupting a cybercrime network selling hacking tools.
- www.justice.gov: This website contains the latest news about cybersecurity incidents and attacks.
- Information Security Buzz: DoJ, Dutch Authorities Seize 39 Domains Selling Malicious Tools
- ciso2ciso.com: Law enforcement seized the domains of HeartSender cybercrime marketplaces – Source: securityaffairs.com
- ciso2ciso.com: Law enforcement seized the domains of HeartSender cybercrime marketplaces
- SecureWorld News: Secure World article about Operation Heart Blocker and the disruption of a phishing network.
@techcrunch.com - 18d
A global law enforcement operation has successfully disrupted the 8Base ransomware group, leading to the arrest of four individuals accused of being key figures in the operation. The suspects were apprehended in Phuket, Thailand, and are alleged to have amassed $16 million through ransomware attacks targeting over 1,000 organizations worldwide. Authorities have also seized the dark web infrastructure utilized by the group.
This coordinated effort resulted in the dismantling of 8Base's dark web data leak and negotiation sites, effectively crippling their ability to further extort victims. The operation, codenamed "Phobos Aetor", involved coordinated raids across multiple locations, resulting in the seizure of laptops, smartphones, and cryptocurrency wallets.
References:
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally
- securityaffairs.com: Operation Phobos Aetor: Police dismantled 8Base ransomware gang
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide. [...]
- cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
- The Register - Security: All your 8Base are belong to us: Ransomware crew busted in global sting
- socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs
- securityboulevard.com: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
- techcrunch.com: Authorities arrest four suspects in global 8base ransomware takedown
@www.bleepingcomputer.com - 7d
The Darcula phishing-as-a-service (PhaaS) platform is set to launch its third major version, Darcula 3.0, offering cybercriminals unprecedented capabilities. A key feature is the ability for even tech-illiterate individuals to create and deploy do-it-yourself phishing kits targeting any brand globally. This is made possible through browser automation tools like Puppeteer and Headless Chrome, allowing users to clone legitimate websites and inject malicious content with minimal effort. The platform also simplifies the creation of phishing kits by extracting assets and HTML structure from targeted brand websites, enabling fraudsters to customize templates and generate multi-step pages for data collection, such as payment details and two-factor authentication codes.
The updated Darcula platform includes a user-friendly interface that automates the creation of phishing kits. The final product is exported as a “.cat-page” bundle, deployable via Darcula’s admin panel. The admin panel, resembling legitimate Software-as-a-Service (SaaS) platforms, provides dashboards to manage stolen data, monitor campaigns, and configure advanced deception techniques. Built using technologies like Docker, React, and SQLite, it offers IP filtering, web crawler blocking, and device-specific access restrictions to evade detection. The platform also facilitates monetization of stolen data by enabling fraudsters to generate virtual cards from compromised payment details.
References:
- cyberpress.org: Darcula 3.0 – A Tool that Offer Phishing kit for Any Brands
- The Hacker News: Cybercriminals Can Now Clone Any Brand’s Site in Minutes Using Darcula PhaaS v3
- www.bleepingcomputer.com: The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features, the ability to create do-it-yourself phishing kits to target any brand.
- www.helpnetsecurity.com: Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand
- gbhackers.com: New Darcula 3.0 Tool Generates Phishing Kits to Mimic Global Brands
- Talkback Resources: 'Darcula' Phishing Kit Can Now Impersonate Any Brand
- BleepingComputer: The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features, the ability to create do-it-yourself phishing kits to target any brand.
- gbhackers.com: New Darcula 3.0 Tool Generates Phishing Kits to Mimic Global Brands
- Help Net Security: Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand
- Cyber Security News: Darcula 3.0 – A Tool that Offer Phishing kit for Any Brands
- The420.in: Cybercriminals behind the notorious Darcula phishing-as-a-service (PhaaS) platform are preparing to roll out a new and more sophisticated version that enables scammers to clone any brand’s legitimate website effortlessly.
- www.the420.in: Darcula Phishing Platform Set to Launch Advanced Version
- Cybernews: Infosec exchange discussing new phishing tool for cybercriminals
@cyberinsider.com - 13d
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers. The takedown follows a year-long investigation into the network, which has been used by cybercriminals to facilitate illegal activities. This includes the spread of malware, botnets, and various cyberattacks.
Earlier this week, authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. ZServers was accused of facilitating LockBit ransomware attacks and supporting the cybercriminals' efforts to launder illegally obtained money, according to The Record. The Cybercrime Team Amsterdam will conduct an additional probe of the servers, as the company advertised that customers could commit criminal acts from its servers while remaining anonymous to law enforcement.
References:
- cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
- www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- www.scworld.com: Zservers/XHost servers dismantled by Dutch police
- Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
- DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
- www.politie.nl: Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
- Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
- securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers
@www.reliaquest.com - 10d
ReliaQuest researchers warn that the BlackLock ransomware group is positioned to become the most prolific ransomware-as-a-service (RaaS) operation of 2025. BlackLock, also known as El Dorado, first appeared in early 2024 and rose quickly through the ranks: by the fourth quarter of 2024 it was already the seventh most active group by leak-site postings, a 1,425% increase over the previous quarter.
ReliaQuest attributes that growth to the group's active presence and strong reputation on RAMP, a Russian-language cybercrime forum, and to its aggressive recruitment of traffers (operators who funnel victims to malicious content), initial access brokers, and affiliates. The operation uses double extortion, encrypting data and exfiltrating sensitive files with the threat of publishing them if the ransom is not paid. Its custom-built ransomware targets Windows, VMware ESXi, and Linux environments.
Recommended read:
References :
- AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
- www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
- www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
- Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
- cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
Daniel Kelley@SlashNext - 15d
A new phishing kit named Astaroth targets Microsoft, Gmail, Yahoo, AOL, Office 365, and other third-party login services. It uses an evilginx-style reverse proxy to mount an adversary-in-the-middle attack that bypasses two-factor authentication (2FA): rather than just collecting typed credentials, the kit relays the victim's traffic to the real login service and captures the credentials, 2FA codes, and the resulting session cookies and authorization tokens in real time. It was first advertised on cybercrime marketplaces in late January 2025.
Astaroth lures victims to attacker-controlled servers that proxy the legitimate login pages, served over HTTPS with valid TLS certificates so the browser raises no warning. The kit intercepts the exchange live, capturing the password and 2FA code before forwarding them to the legitimate server, then harvests the session cookie the server issues, which lets the attacker sign in without repeating 2FA. Because the second factor is simply relayed, SMS codes, authenticator-app OTPs, and push approvals do not stop this; only origin-bound, phishing-resistant methods such as FIDO2/WebAuthn passkeys do, since the browser binds the signed assertion to the domain the page was actually loaded from. Astaroth is sold for $2,000 as an easy-to-use "2-in-1" package that includes bulletproof hosting, six months of updates, and pre-purchase testing to demonstrate its effectiveness in real-world attacks.
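The mechanism described above, as an added simulation that is not part of the SlashNext report or the Astaroth kit: a relayed password plus TOTP yields a replayable session cookie, while a WebAuthn assertion made on the proxy's domain is rejected because the browser stamps the real page origin into the signed client data. The hosts, the user, the TOTP seed and the credential key are assumptions, and an HMAC key stands in for the credential's key pair so the example runs offline.

```python
"""Constructed simulation of an evilginx-style adversary-in-the-middle (AitM)
phishing proxy. Hosts, the user, the TOTP seed and the credential key are
all made up, and nothing touches the network."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed real login service
PHISH_ORIGIN = "https://login.examp1e.com"   # assumed phishing proxy host


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code is just a short string the
    proxy can relay to the real service within the same 30 s window."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class IdentityProvider:
    """The legitimate service. An HMAC key stands in for the WebAuthn
    credential's key pair so the example runs without a crypto library."""

    def __init__(self):
        self.users = {"alice": {"pw": "correct horse", "totp": b"totp-seed",
                                "cred": b"credential-key"}}
        self.sessions = {}    # session cookie -> user
        self.challenges = {}  # user -> outstanding WebAuthn challenge

    def login_totp(self, user, pw, code, now):
        u = self.users.get(user)
        if not u or u["pw"] != pw or not hmac.compare_digest(code, totp(u["totp"], now)):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie                    # the Set-Cookie value a proxy captures

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def webauthn_challenge(self, user):
        ch = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self.challenges[user] = ch
        return ch

    def login_webauthn(self, user, client_data: bytes, signature: bytes):
        u = self.users[user]
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.challenges.get(user):
            return None, "bad challenge"
        if cd.get("origin") != LEGIT_ORIGIN:          # the origin-binding check
            return None, "origin mismatch: " + str(cd.get("origin"))
        expected = hmac.new(u["cred"], hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None, "bad signature"
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie, "ok"


def browser_webauthn(page_origin: str, challenge: str, cred_key: bytes):
    """The browser, not the page's script, fills clientDataJSON.origin with the
    origin the page was loaded from; the authenticator signs SHA-256 of that
    JSON, so the origin field cannot be edited afterwards."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def aitm_password_totp(now: int = 1_700_000_000) -> str:
    """Victim types password and current TOTP into the proxied page; the proxy
    forwards both and keeps the session cookie the real service returns."""
    idp = IdentityProvider()
    code = totp(idp.users["alice"]["totp"], now)       # what the victim's app shows
    cookie = idp.login_totp("alice", "correct horse", code, now)
    return idp.whoami(cookie)                           # attacker replays cookie -> "alice"


def aitm_webauthn():
    """Same proxy, but the victim signs in with a WebAuthn credential."""
    idp = IdentityProvider()
    cred_key = idp.users["alice"]["cred"]
    challenge = idp.webauthn_challenge("alice")        # proxy relays the challenge
    client_data, sig = browser_webauthn(PHISH_ORIGIN, challenge, cred_key)
    _, why = idp.login_webauthn("alice", client_data, sig)
    # The proxy patches the origin before forwarding; the signature no longer verifies.
    patched = client_data.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    _, why_patched = idp.login_webauthn("alice", patched, sig)
    return why, why_patched


def legit_webauthn():
    idp = IdentityProvider()
    challenge = idp.webauthn_challenge("alice")
    client_data, sig = browser_webauthn(LEGIT_ORIGIN, challenge, idp.users["alice"]["cred"])
    return idp.login_webauthn("alice", client_data, sig)[1]


if __name__ == "__main__":
    print("password+TOTP through proxy ->", aitm_password_totp())
    print("WebAuthn through proxy ->", aitm_webauthn())
    print("WebAuthn direct ->", legit_webauthn())
```

The relayed TOTP path ends with the attacker holding a cookie the service accepts, which is the outcome the kit sells; the WebAuthn path fails on the origin check and, if the proxy tampers with the client data, on the signature. A real deployment also checks the relying-party ID hash and signature counter in the authenticator data, omitted here for brevity.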
Recommended read:
References :
- Cyber Security News: Report on Astaroth 2FA phishing kit targeting multiple platforms.
- gbhackers.com: GBHackers article on the Astaroth kit.
- SlashNext: Phishing attacks continue to evolve, pushing even the most secure authentication methods to their limits. First advertised on cybercrime networks in late January 2025, Astaroth is a brand new phishing kit that bypasses two-factor authentication (2FA) through session hijacking and real-time credential interception.
- cyberpress.org: Astaroth 2FA Phishing Kit Exploits Gmail, Yahoo, Office 365, and Third-Party Accounts
- slashnext.com: Astaroth: A New 2FA Phishing Kit Targeting Gmail, Yahoo, AOL, O365, and 3rd-Party Logins
- www.cysecurity.news: Details about Astaroth, including its features and marketing.
- MSSP feed for Latest: MSSPalert brief on the Astaroth phishing kit.
- hackread.com: Astaroth Phishing Kit Bypasses 2FA to Hijack Gmail and Microsoft Accounts
Dissent@DataBreaches.Net - 1d
A cybercriminal responsible for over 90 data leaks has been apprehended in Bangkok following a joint operation between the Royal Thai Police and the Singapore Police Force. The individual, known under aliases such as ALTDOS, DESORDEN, GHOSTR, and 0mid16B, targeted 65 organizations in the Asia-Pacific region and an additional 25 global targets. Between 2020 and February 2025, the hacker exfiltrated a staggering 13 terabytes of sensitive data from various sectors, including healthcare and finance.
The arrest marks a significant win in the fight against cybercrime, with authorities seizing laptops and other electronic devices during the raid in Thailand. Investigations revealed the suspect's involvement in attacks affecting multinational corporations, small businesses, and government databases across several countries, including Thailand, India, Indonesia, the UK, and the United States. The hacker allegedly worked alone, selling stolen data. The cybercriminal initially focused on Thai entities, later expanding operations across the Asia-Pacific region.
Recommended read:
References :
- gbhackers.com: Authorities Arrested Hacker Behind 90 Major Data Breaches Worldwide
- DataBreaches.Net: Criminal hacker known as ALTDOS, DESORDEN, GHOSTR and 0mid16B arrested
- CyberInsider: Cybercriminal Behind 90+ Data Leaks Arrested in Bangkok
@cyberinsider.com - 7d
B1ack's Stash, an illicit carding marketplace, released a dataset of more than 1 million stolen credit and debit card records on a dark web forum on February 19, 2025. Researchers assess that giving away over 1 million unique cards is a marketing move to attract new customers and build notoriety in the cybercrime ecosystem, where other marketplaces such as Joker Stash and BidenCash also trade in payment card data.
The leaked records reportedly include the PAN, expiration date, CVV2, cardholder personal details, email address, IP address, and User-Agent string, a combination consistent with e-skimming of online checkout pages, since the IP and User-Agent are captured from the victim's browser rather than from a point-of-sale terminal. Issuers are advised to monitor dark web marketplaces for cards in their BIN ranges so exposed cards can be blocked or reissued before fraudulent transactions occur.
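An added example of the issuer-side triage the advisory implies, not code from CyberInsider or any bank: parse a dump in the record layout described above, drop lines that fail a Luhn check, keep only cards in the issuer's own BIN ranges, and emit a keyed blind index so the matching table never stores clear PANs. The dump lines (built from published test card numbers), the BIN prefixes and the index key are all constructed.

```python
"""Constructed example of matching a leaked card dump against an issuer's own
BIN ranges. The dump lines, BIN prefixes and keyed-hash secret are made up;
the record layout follows the fields the article lists."""
import hashlib
import hmac
import re

# Constructed sample dump: PAN|MM/YY|CVV2|cardholder|email|IP|User-Agent.
# The PANs are published test numbers, not real cards.
DUMP = """\
4111111111111111|12/27|123|A. Holder|a@example.net|203.0.113.5|Mozilla/5.0
5555555555554444|03/26|456|B. Holder|b@example.net|198.51.100.7|Mozilla/5.0
4111111111111112|12/27|789|C. Holder|c@example.net|203.0.113.9|curl/8.0
371449635398431|09/28|1234|D. Holder|d@example.net|192.0.2.4|Mozilla/5.0
"""
OUR_BINS = ("411111", "555555")        # assumed issuer BIN prefixes
INDEX_KEY = b"issuer-blind-index-key"  # assumed secret, held by the card-base side


def luhn_ok(pan: str) -> bool:
    """Luhn check to discard typos and filler before anything else runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def blind_index(pan: str) -> str:
    """Keyed hash of the PAN: the card base can be compared on this value
    without the matching table ever holding clear PANs."""
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask(pan: str) -> str:
    """First six (BIN) and last four, which is all an analyst needs to see."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(dump: str, our_bins=OUR_BINS):
    """Return (records in our BIN ranges, count of unusable lines)."""
    hits, malformed = [], 0
    for line in dump.splitlines():
        fields = line.split("|")
        pan = re.sub(r"\D", "", fields[0]) if fields else ""
        if len(fields) < 7 or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            malformed += 1
            continue
        if not pan.startswith(our_bins):
            continue                      # another issuer's card, not ours to act on
        hits.append({"masked": mask(pan), "index": blind_index(pan),
                     "expiry": fields[1], "victim_ip": fields[5],
                     "user_agent": fields[6]})
    return hits, malformed


if __name__ == "__main__":
    matches, bad = triage(DUMP)
    for h in matches:
        print(h["masked"], h["expiry"], h["victim_ip"], h["index"][:16])
    print(f"{len(matches)} of our cards exposed, {bad} unusable lines")
```

The blind index is what gets joined against the issuer's card base; the clear PAN only exists transiently on the parsing host. The victim IP and User-Agent are kept because, in an e-skimming case, clustering them across records points at the compromised merchant checkout rather than at the cardholders.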
Recommended read:
References :
- cyberinsider.com: On February 19, 2025, the illicit carding marketplace B1ack's Stash released a dataset containing over 1 million stolen credit and debit cards on a dark web forum.
- securityaffairs.com: Experts warn that the carding website B1ack’s Stash released a collection of over 1 million unique credit and debit cards.
- Talkback Resources: Carding website B1acks Stash released over 1 million credit and debit cards to attract customers, while underground marketplaces like Joker Stash and BidenCash facilitate the sale of payment card data, prompting banks to monitor the dark web for fraudulent activities.
- ciso2ciso.com: B1ack’s Stash released 1 Million credit cards