Tag: organized-crime
All items tagged organized-crime.
- Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion
- ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure
- The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named
- Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft
- Law-enforcement momentum — Operation Endgame expands, Silver Fox mass-arrest, Conti loader plea
- Research: ClickFix matured into a productised malware-as-a-service supply chain
- Threat actor: INC ransomware's Rust rewrite and BYOVD evolution
- Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named
- SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational
- Amazon's One Medical confirms a legacy-storage breach; ShinyHunters' 8.8TB claim is unverified and its deadline expires today `[SINGLE-SOURCE]`
- Krebs and Qurium tie the "Popa" Android-TV residential-proxy botnet to a NASDAQ-listed proxy vendor
- UPDATE: Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed
- Nintendo employee data stolen from third-party HR-survey SaaS (TinyPulse), not Nintendo's own systems
- Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication
- UPDATE: The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national
- Operation Endgame expands to SocGholish/TA569 — 106 C2 servers down, FakeUpdates loader stripped from 14,971 WordPress sites
- Icarus extortion group turns a dormant Klue credential into bulk Salesforce CRM theft across customers
- ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework
- Sophos X-Ops: underground AI adoption is cautious but concrete — LLM-assisted packers, LLM C2 orchestration, NLP-triaged leak markets [SINGLE-SOURCE]
- China arrests 67 members of the Silver Fox (Winos/ValleyRAT) cybercrime network
- Crypto clipboard-hijacker campaign weaponises VirusTotal community reputation to suppress detection
- Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover
- UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale
- iRhythm discloses data theft via social engineering of a third-party-hosted application (SEC 8-K) [SINGLE-SOURCE]
- UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
- Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland
- "Atomic Arch" supply-chain attack hijacks 400+ AUR packages to drop a credential stealer and eBPF rootkit
- Google sues China-based "Outsider" PhaaS network for weaponising Gemini to mass-produce phishing pages
- AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries
- The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery
- Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries
- UPDATE: TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative
- Healthcare — HIPAA breach + healthcare supply-chain exposure
- Finance / payments — Stripe-abusing Magecart and OFAC Iran sanctions
- Luna Moth / UNC3753: vishing-to-physical-USB data-theft extortion reaches ~$20 M suppression payment and DNS fast-flux C2
- ShinyHunters — DentaQuest: 234 GB HIPAA claims data published after ransom refusal, 2.6 M Medicaid and dental-benefit records
- Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation [SINGLE-SOURCE]
- TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT
- Magecart family runs its skimmer out of Stripe — payload in customer metadata, stolen cards exfiltrated back through api.stripe.com
- Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT
- Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature
- UPDATE: ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed
- Sophos finds an attacker-built, AI-orchestrated EDR-evasion testing lab during incident response
- ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]
- GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver
- UPDATE: ShinyHunters publishes the Charter Communications dataset after ransom refusal
- SmartApeSG ClickFix stages an unnamed RAT that pivots to a weaponised NetSupport Manager [SINGLE-SOURCE]
- Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff
- Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
- Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized)
- Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
- WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS
- UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
- CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025
- FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]
- UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected
- Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]
- UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign
- ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure
- Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS
- Asocks residential-proxy botnet — Dutch Police + NCSC dismantle ~17M-device infrastructure hosted in the Netherlands
- Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot
- The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle
- ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized
- UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable
- Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled
- Kimwolf / "Dort" DDoS-for-hire operator arrested — 30+ Tbps IoT botnet, U.S. DoD-range targeting, AISURU variant
- Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens
- FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture
- Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident
- ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]
- Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed
- B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks
- UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause
- Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations
- Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered
- UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site
- 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
- INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown
- UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services
- UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected
- THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol
- TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims
- TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week
- 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records
- Grafana Labs / CoinbaseCartel — source-code-only theft confirmed; ransom rejected; detected by canary token
- Rhysida claims Stuttgart municipal data — city denies a confirmed incident [SINGLE-SOURCE / unconfirmed]
- THORChain — ~$11M cross-chain vault drain on a Switzerland-based protocol
- Check Point Research March–April 2026 AI Threat Landscape Digest — operator-run AI platforms breach government agencies [SINGLE-SOURCE]
- Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira
- The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues [SINGLE-SOURCE]
- Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz
- Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited
- Manufacturing
- Foxconn — Nitrogen ransomware confirmed against North-American manufacturing sites
- BKA Dream Market arrest — "Speedstepper" detained in Germany after seven years at large
- Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims
- TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence
- "The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed
- Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims
- Canvas / Instructure — ShinyHunters / WorldLeaks ransom-paid, US House investigation
- BKA — Dream Market lead administrator "Speedstepper" arrested in Germany
- GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]
- BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large
- UPDATE: TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps
- GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push
- UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub
- TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot
- BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant
- UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner
- Hardening / detection summary
- Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months
- ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas
- Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects
- Healthcare (CH, NL)
- Education (NL, UK, DE)
- Media and political (HU, DE)
- Europol IOCTA 2026
- Google Threat Intelligence Group — Europe data-leak landscape 2025
- ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)
- TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts
- Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged
- The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
- Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims
- [SINGLE-SOURCE-OTHER] SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering
- Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months
- PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline
- UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
- Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare
- Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise
- UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active