CyberSecurity news

FlagThis - #cybercrime

Cynthia B@Metacurity //
The U.S. Treasury Department has sanctioned Funnull Technology Inc., a Philippines-based company, for providing infrastructure that facilitated "pig butchering" scams, a type of cryptocurrency investment fraud that has cost Americans over $200 million. The Treasury’s Office of Foreign Assets Control (OFAC) took action on May 29, 2025, targeting Funnull and its administrator, Liu Lizhi. The FBI has also issued an advisory warning against Funnull, highlighting its role as a major distributor of online scams. Funnull is accused of enabling cybercriminals by purchasing IP addresses in bulk from major cloud service providers and then selling them to operators of fraudulent investment platforms.

The sanctions follow an FBI investigation that linked Funnull to the majority of virtual currency investment scam websites reported to them. The agency stated that Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses for U.S. victims, with average individual losses exceeding $150,000. These scams typically involve perpetrators posing as romantic partners or friends online to gain victims’ trust, then convincing them to invest in virtual currency on platforms that ultimately prove to be fraudulent. Scammers often demand additional "taxes" on purported crypto earnings before allowing victims to withdraw their funds, which never happens.

Security firm Silent Push had previously identified Funnull as a criminal content delivery network (CDN) routing traffic through U.S.-based cloud providers before redirecting users to malicious websites. Their October 2024 research exposed a sprawling cluster of domains, dubbed "Triad Nexus," routed through Funnull's CDNs, revealing how cybercriminals leverage credible cloud providers for malicious activities through what they termed "infrastructure laundering." The FBI observed patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses, further complicating efforts to track and combat the scams.

Recommended read:
References :
  • krebsonsecurity.com: U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Threats | CyberScoop: Treasury sanctions crypto scam facilitator that allegedly stole $200M from US victims
  • Metacurity: US sanctions Filipino firm for pig butchering scams that cost Americans $200 million
  • DataBreaches.Net: U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • www.chainalysis.com: Chainalysis: OFAC Sanctions Funnull Technology Inc. for Supporting Pig Butchering Scams
  • www.silentpush.com: U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator

@cyberscoop.com //
Operation Endgame, a coordinated effort by Europol, Eurojust, and international law enforcement agencies, has successfully disrupted the DanaBot malware network. This operation has led to the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025. The U.S. Department of Justice (DoJ) has unsealed charges against 16 individuals allegedly involved in the development and deployment of the DanaBot malware, which was controlled by a Russia-based cybercrime organization.

The DanaBot malware, initially identified in May 2018, operated as a malware-as-a-service (MaaS), renting its capabilities to other criminals. It infected over 300,000 computers globally, causing an estimated $50 million in damages through fraud and ransomware. The malware was versatile, stealing banking credentials, browsing history, and cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often occurred through spam emails containing malicious attachments or hyperlinks, turning infected computers into part of a botnet.

Among those charged by the US Department of Justice are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large. The unsealed criminal complaint revealed that some of the defendants exposed their real-life identities by accidentally infecting their own systems with the malware. Operation Endgame also led to the issuance of international arrest warrants for 20 targets and the seizure of over EUR 21.2 million in cryptocurrency, including EUR 3.5 million during this latest action week.

Recommended read:
References :
  • Threats | CyberScoop: DanaBot malware operation seized in global takedown
  • DataBreaches.Net: 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • hackread.com: Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers
  • The Hacker News: U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation
  • Help Net Security: DanaBot botnet disrupted, QakBot leader indicted
  • Risky Business Media: Risky Bulletin: DanaBot and Lumma Stealer taken down

@www.bleepingcomputer.com //
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.

According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging.

Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community," said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas.

Recommended read:
References :
  • bsky.app: Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
  • DataBreaches.Net: Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
  • www.bleepingcomputer.com: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
  • The DefendOps Diaries: The Indictment of Rustam Rafailevich Gallyamov: A Turning Point in Cybercrime Battle
  • thecyberexpress.com: The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of running a cybercrime group responsible for one of the most notorious malware threats in recent years.
  • BleepingComputer: US indicts leader of Qakbot botnet linked to ransomware attacks
  • The Register - Security: Feds finger Russian 'behind Qakbot malware' that hit 700K computers Agents thought they shut this all down in 2023, but the duck quacked again Uncle Sam on Thursday unsealed criminal charges and a civil forfeiture case against a Russian national accused of leading the cybercrime ring behind Qakbot, the notorious malware that infected hundreds of thousands of computers worldwide and helped fuel ransomware attacks costing victims tens of millions of dollars.
  • Tech Monitor: The U.S. Justice Department has indicted Rustam Rafailevich Gallyamov, the alleged leader of the Qakbot botnet malware operation.
  • www.justice.gov: Justice Department Announces Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
  • Security Affairs: Leader of Qakbot cybercrime network indicted in U.S. crackdown
  • BleepingComputer: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
  • securityaffairs.com: Leader of Qakbot cybercrime network indicted in U.S. crackdown
  • Daily CyberSecurity: Europol and Eurojust have dismantled the digital backbone of several major malware strains used in ransomware operations.
  • www.helpnetsecurity.com: DanaBot botnet disrupted, QakBot leader indicted
  • ComputerWeekly.com: US makes fresh indictments over DanaBot, Qakbot malwares

@cyberscoop.com //
A federal grand jury indictment unsealed today has charged 16 defendants who allegedly developed and deployed the DanaBot malware, a scheme that infected over 300,000 computers globally. The malware, controlled and deployed by a Russia-based cybercrime organization, facilitated fraud and ransomware attacks, causing at least $50 million in damage. Aleksandr Stepanov, 39, also known as “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, also known as “Onix,” both of Novosibirsk, Russia, are among those charged.

The DanaBot malware was distributed through spam email messages containing malicious attachments or hyperlinks. Once a computer was infected, it became part of a botnet, allowing operators to remotely control the compromised machines. The malware operated on a malware-as-a-service model, offering access to the botnet and support tools to clients for a fee. DanaBot had extensive capabilities, including stealing data, hijacking banking sessions, recording keystrokes, and providing full remote access to victim computers.

In addition to the criminal charges related to DanaBot, the U.S. Department of Justice announced the seizure of internet domains tied to the LummaC2 information-stealing malware operation, which has been actively targeting U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of these campaigns, which involve the deployment of the LummaC2 infostealer to breach networks and siphon off sensitive data. Microsoft independently took down 2,300 internet domains also used by the LummaC2 actors.

Recommended read:
References :
  • DataBreaches.Net: 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • The Register - Security: Suspected creeps behind DanaBot malware that hit 300K+ computers revealed
  • WIRED: Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying
  • Threats | CyberScoop: DanaBot malware operation seized in global takedown
  • krebsonsecurity.com: Oops: DanaBot Malware Devs Infected Their Own PCs
  • Risky Business Media: Risky Bulletin: DanaBot and Lumma Stealer taken down
  • borncity.com: Operations Endgame, DanaBot-Net and Raptor disrupt infrastructure for ransomware attacks and more
  • hackread.com: Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers
  • The Hacker News: U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

@cyberscoop.com //
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.

The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details like Social Security numbers and academic records.

Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data.

Recommended read:
References :
  • cyberscoop.com: Massachusetts man will plead guilty in PowerSchool hack case
  • DataBreaches.Net: Massachusetts hacker to plead guilty to PowerSchool data breach
  • BleepingComputer: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers.
  • The DefendOps Diaries: Explore the PowerSchool data breach, its impact on education tech, and lessons for cybersecurity.
  • BleepingComputer: PowerSchool hacker pleads guilty to student data extortion scheme
  • www.bleepingcomputer.com: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. [...]
  • cyberinsider.com: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • Threats | CyberScoop: Massachusetts man will plead guilty in PowerSchool hack case
  • techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students
  • The Register - Security: US teen to plead guilty to extortion attack against PowerSchool
  • CyberInsider: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • hackread.com: 19-Year-Old Admits to PowerSchool Data Breach Extortion

Pierluigi Paganini@Security Affairs //
Moldovan law enforcement, in collaboration with Dutch authorities, has apprehended a 45-year-old foreign man suspected of orchestrating a series of ransomware attacks targeting Dutch companies in 2021. The suspect is wanted internationally for a range of cybercrimes, including ransomware attacks, blackmail, and money laundering. This arrest marks a significant step in the fight against cybercrime, particularly concerning the persistent threat posed by DoppelPaymer ransomware. The operation involved a coordinated effort between Moldovan prosecutors, the country's Center for Combating Cybercrimes, and law enforcement from the Netherlands, highlighting the importance of international cooperation in tackling sophisticated cyber threats.

The suspect's alleged involvement includes a ransomware attack on the Netherlands Organization for Scientific Research (NWO), resulting in estimated damages of €4.5 million. During the arrest on May 6, Moldovan police searched the suspect's residence and car, seizing substantial evidence, including over €84,000 in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect is currently in custody, and extradition procedures to the Netherlands are underway, where he will face charges related to his alleged cybercrimes.

The DoppelPaymer ransomware group emerged in 2019, known for its sophisticated tactics, including data exfiltration before encryption, to pressure victims into paying ransoms. The group has targeted various sectors globally and evolved into other ransomware variants, showcasing the challenges in combating this type of cyber threat. The arrest in Moldova underscores the ongoing efforts by law enforcement to pursue and bring cybercriminals to justice, reinforcing the message that cybercrime will not go unpunished.

Recommended read:
References :
  • DataBreaches.Net: Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency
  • securityaffairs.com: Moldovan Police arrested a 45-year-old foreign man participating in ransomware attacks on Dutch companies
  • The DefendOps Diaries: DoppelPaymer Ransomware: A Persistent Cyber Threat and Recent Arrests
  • BleepingComputer: Moldova arrests suspect linked to DoppelPaymer ransomware attacks
  • www.techradar.com: Suspect arrested with links to €4.5M DoppelPaymer ransomware attacks
  • The Hacker News: Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency

Ashish Khaitan@The Cyber Express //
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.

The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.

To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help clear malware that does not persist across a restart. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.

Recommended read:
References :
  • Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
  • BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
  • Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
  • www.scworld.com: Attacks surge against antiquated routers, FBI warns
  • bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
  • BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
  • www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life” (EOL).
  • thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
  • The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
  • securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
  • www.techradar.com: FBI warns outdated routers are being hacked
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
  • BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
  • thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
  • techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
  • www.csoonline.com: The FBI is warning that cybercriminals are exploiting routers that are no longer being patched by manufacturers. Specifically, the “5Socks” and “Anyproxy” criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys and Cradlepoint.
  • The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
  • iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
  • Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
  • The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
  • securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
  • Anonymous: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
  • www.itpro.com: FBI takes down botnet exploiting aging routers
  • Threats | CyberScoop: US seizes Anyproxy, 5socks botnets and indicts alleged administrators

@cyble.com //
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.

Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April.

The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy: its features include a 20% revenue share, white-label ransomware kits, and pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is under way: a total of 2,289 publicly named ransomware victims were reported in Q1 alone, a 126% year-over-year increase and an all-time high. Seventy-four distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.

Recommended read:
References :
  • cyble.com: Ransomware Attacks April 2025: Qilin Emerges from Chaos
  • cyble.com: Global ransomware attacks in April 2025 declined to 450 from 564 in – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups.
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: www[.]hcsheriff[.]gov

Shivani Tiwari@cysecurity.news //
Cybersecurity firm Bitdefender has issued a warning about a significant increase in subscription scams that are cleverly disguised as legitimate online stores and enticing mystery boxes. This new wave of scams is characterized by its unprecedented sophistication, employing high-quality website design, targeted advertising, and social media exploitation to deceive unsuspecting users. Over 200 fake retail sites have been identified as part of this operation, all designed to harvest credit card data and personal information from victims globally. These sites offer a wide range of products, including clothing, electronics, and beauty items, making it harder for users to distinguish them from genuine e-commerce platforms.

This scam network leverages social media platforms, particularly Facebook, where cybercriminals deploy sponsored ads and impersonate content creators to lure victims. A key component of this fraud is the evolution of the "mystery box" scam, which promises surprise items for a nominal fee but conceals hidden subscription models in the fine print. Victims are often unknowingly enrolled in recurring payment plans, with charges ranging up to 44 EUR every 14 days, disguised as loyalty benefits or exclusive shopping privileges. The scammers exploit the human fascination with the unknown, offering boxes supposedly left at post offices or bags found at airports, requiring a small payment to claim ownership, with the primary objective being collecting financial information.

Bitdefender's investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges. To evade detection, scammers employ techniques such as multiple ad versions, Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent. Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States. The connection between these scams and a Cyprus-registered address raises suspicions of a coordinated operation involving offshore entities.

Recommended read:
References :
  • cyberpress.org: Subscription-Based Scams Exploit Users to Harvest Credit Card Data
  • securityonline.info: Bitdefender exposes a sprawling web of subscription-based scams that blend professional-looking websites, social media manipulation, and
  • cybersecuritynews.com: A significant wave of subscription-based scams is sweeping across the internet, specifically designed to steal credit card information from unsuspecting users.
  • hackread.com: Bitdefender uncovers a massive surge in sophisticated subscription scams disguised as online shops and evolving mystery boxes. Learn…
  • www.cysecurity.news: Cybersecurity researchers at Bitdefender have uncovered a sharp increase in deceptive online subscription scams, with fraudsters disguising themselves as legitimate e-commerce platforms and mystery box vendors.
  • gbhackers.com: Subscription-Based Scams Targeting Users to Steal Credit Card Information

@cyberalerts.io //
The United States has indicted a 36-year-old Yemeni national, Rami Khaled Ahmed of Sana'a, believed to be the developer and primary operator of the 'Black Kingdom' ransomware. The charges stem from approximately 1,500 attacks conducted against Microsoft Exchange servers globally. Ahmed is accused of deploying the Black Kingdom malware on these systems between March 2021 and June 2023, targeting businesses, schools, and hospitals within the U.S. and elsewhere. He faces one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.

The attacks involved exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon, identified as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. This allowed Ahmed and his co-conspirators to gain access to vulnerable networks, encrypt data, or claim to have stolen information. Victims were then instructed to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator as ransom for decryption. They were also allegedly asked to send proof of payment to a Black Kingdom email address.

Cybersecurity experts described Black Kingdom ransomware as somewhat rudimentary, characterizing the attacker as a "motivated script-kiddie" leveraging ProxyLogon to deploy web shells and PowerShell commands. The indictment underscores the ongoing cybersecurity challenges posed by ransomware and highlights the importance of patching vulnerabilities promptly to prevent exploitation. If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The FBI, with assistance from the New Zealand Police, is conducting the investigation.

References:
  • bsky.app: Bsky.app post on the Black Kingdom ransomware indictment
  • The DefendOps Diaries: The Indictment of a Black Kingdom Ransomware Administrator: A Turning Point in Cybersecurity
  • The Hacker News: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
  • BleepingComputer: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • BleepingComputer: A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers.
  • DataBreaches.Net: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • Talkback Resources: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
  • Secure Bulletin: US indicts Black Kingdom ransomware operator: technical analysis of ProxyLogon exploitation and law enforcement response
  • www.scworld.com: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • securityaffairs.com: US authorities have indicted Black Kingdom ransomware admin
  • bsky.app: Risky Biz podcast/newsletter covering the charges against the Black Kingdom ransomware operator
  • securityonline.info: SecurityOnline article about the indictment
  • Daily CyberSecurity: Yemeni National Indicted for Black Kingdom Ransomware Attacks
  • Threats | CyberScoop: Federal prosecutors indict alleged head of Black Kingdom ransomware
  • www.scworld.com: Alleged Black Kingdom hacker indicted over massive Exchange Server breach

Lawrence Abrams@BleepingComputer //
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges related to a significant data breach at Disney. Kramer, operating under the alias "NullBulge," admitted to illegally accessing Disney's internal Slack workspace and stealing over 1.1 terabytes of confidential data from more than 10,000 channels, including internal communications, images, source code, and credentials. Disney moved from Slack to Microsoft Teams after the incident.

He distributed a malicious program, disguised as an AI-powered image generation tool, on GitHub and other platforms. The program carried a backdoor that gave him access to any computer on which it was downloaded and executed. According to prosecutors, a Disney employee ran the trojanized project between April and May 2024, exposing their computer and online credentials to Kramer. With those credentials he moved laterally into Disney's systems, compromising various platforms and confidential data stores.

Armed with the stolen data, Kramer, falsely claiming to be part of a Russian hacktivist group called NullBulge, attempted to extort the employee. When the employee did not respond, Kramer published their personal information, including bank, medical, and other sensitive details, across multiple platforms. Kramer awaits sentencing and faces a maximum of five years in federal prison for each felony count: accessing a computer to obtain information, and threatening to damage a protected computer. The FBI is also investigating how much data may have been compromised from at least two other victims who downloaded Kramer's malicious GitHub project.

References:
  • bsky.app: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • cyberinsider.com: A 25-year-old Santa Clarita man has agreed to plead guilty to hacking a Disney employee's personal computer, stealing login credentials, and exfiltrating 1.1 terabytes of confidential data from internal Slack channels used by the entertainment giant.
  • The DefendOps Diaries: Explore lessons from Disney's Slack breach, highlighting corporate cybersecurity vulnerabilities and strategies for protection.
  • BleepingComputer: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • www.scworld.com: A 25-year-old California man, Ryan Kramer, has pleaded guilty to infiltrating Disney's internal communications and stealing over 1.1 terabytes of confidential data by deploying malware disguised as an AI image generation tool, BleepingComputer reports.
  • The Register - Security: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • www.scworld.com: Hacker pleads guilty to orchestrating Disney data heist
  • www.techradar.com: Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data
  • The Register: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware. A 25-year-old California man pleaded guilty to stealing and dumping 1.1TB of data from the House of Mouse. When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old Calif…
  • gbhackers.com: Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data
  • Talkback Resources: Disney Slack hacker was Californian, not Russian: DoJ
  • DataBreaches.Net: Disney Hacker Who Accessed 1.1 Terabytes of Data Pleads Guilty
  • CyberInsider: Disney Hacker Admits Using Malware-Laced AI Art App to Achieve Breach
  • securityonline.info: California Man to Plead Guilty in Hack of Disney Employee, Theft of 1.1TB of Confidential Slack Data

@cyberscoop.com //
A Ukrainian national, Artem Stryzhak, has been extradited to the United States to face charges related to his alleged involvement in Nefilim ransomware attacks. Stryzhak, aged 35, was arrested in Spain in June 2024 and arrived in the U.S. on April 30, 2025. Federal authorities accuse him of participating in a conspiracy to commit fraud and related activity, including extortion, through the use of Nefilim ransomware between 2018 and 2021. He is scheduled to appear for arraignment in the U.S. District Court for the Eastern District of New York.

Stryzhak and his co-conspirators are accused of targeting high-revenue companies in the U.S., Canada, and several other countries, including France, Germany, Australia, the Netherlands, Norway, and Switzerland. The attacks followed the usual double-extortion pattern: encrypting computer networks, stealing data, and demanding ransom payments in exchange for decryption keys. According to the indictment, Stryzhak had an agreement with the Nefilim administrators to use the ransomware in exchange for 20% of the extorted proceeds. The victims spanned industries including engineering consulting, aviation, chemicals, insurance, construction, pet care, eyewear, and oil and gas transportation.

U.S. Attorney John Durham emphasized the international nature of the case, stating that Stryzhak was part of an international ransomware scheme targeting high-revenue companies. Officials said the series of ransomware attacks caused millions of dollars in losses, including extortion payments and damage to victim computer systems. The extradition highlights ongoing international law enforcement efforts to combat ransomware and hold cybercriminals accountable, regardless of their location. Durham added that criminals who carry out such malicious cyberattacks often believe that American justice cannot reach them abroad.

References: