ReportWire

Tag: Hacking

  • North Korea has stolen billions in cryptocurrency and tech firm salaries, report says

    WASHINGTON — WASHINGTON (AP) — North Korean hackers have pilfered billions of dollars by breaking into cryptocurrency exchanges and creating fake identities to get remote tech jobs at foreign companies, according to an international report on North Korea’s cyber capabilities.

    Officials in Pyongyang orchestrated the clandestine work to finance research and development of nuclear arms, the authors of the 138-page report found. The review was published by the Multilateral Sanctions Monitoring Team, a group that includes the U.S. and 10 allies and was set up last year to observe North Korea’s compliance with U.N. sanctions.

    North Korea also has used cryptocurrency to launder money and make military purchases to evade international sanctions tied to its nuclear program, the report said. It detailed how hackers working for North Korea have targeted foreign businesses and organizations with malware designed to disrupt networks and steal sensitive data.

    Despite its small size and isolation, North Korea has heavily invested in offensive cyber capabilities and now rivals China and Russia when it comes to the sophistication and capabilities of its hackers, posing a significant threat to foreign governments, businesses and individuals, the investigators concluded.

    Unlike China, Russia and Iran, North Korea has focused much of its cyber capabilities to fund its government, using cyberattacks and fake workers to steal and defraud companies and organizations elsewhere in the world.

    Aided in part by allies in Russia and China, North Korea’s cyber actions have “been directly linked to the destruction of physical computer equipment, endangerment of human lives, private citizens’ loss of assets and property, and funding for the DPRK’s unlawful weapons of mass destruction and ballistic missile programs,” the report said, using the acronym for North Korea’s official name, the Democratic People’s Republic of Korea.

    The monitoring group is made up of the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea and the United Kingdom. It was created last year after Russia vetoed a resolution directing a U.N. Security Council panel of experts to monitor Pyongyang’s activities. The team’s first report, issued in May, looked at North Korea’s military support for Russia.

    Earlier this year, hackers linked to North Korea carried out one of the largest crypto heists ever, stealing $1.5 billion worth of ethereum from Bybit. The FBI later linked the theft to a group of hackers working for the North Korean intelligence service.

    Federal authorities also have alleged that thousands of IT workers employed by U.S. companies were actually North Koreans using assumed identities to land remote work. The workers gained access to internal systems and funneled their salaries back to North Korea’s government. In some cases, the workers held several remote jobs at the same time.

    A message left with North Korea’s mission to the U.N. was not immediately returned on Wednesday.

    Source link

  • Hackers Dox ICE, DHS, DOJ, and FBI Officials

    In a stunning new study, researchers at UC San Diego and the University of Maryland revealed this week that satellites are leaking a wealth of sensitive data completely unencrypted, from calls and text messages on T-Mobile to in-flight Wi-Fi browsing sessions, to military and police communications. And they did this with just $800 in off-the-shelf equipment.

    Face recognition systems are seemingly everywhere. But what happens when this surveillance and identification technology doesn’t recognize your face as a face? WIRED spoke with six people with facial differences who say flaws in these systems are preventing them from accessing essential services.

    Authorities in the United States and United Kingdom announced this week the seizure of nearly 130,000 bitcoins from an alleged Cambodian scam empire. At the time of the seizure, the cryptocurrency fortune was worth $15 billion—the most money of any type ever confiscated in the US.

    Control over a significant portion of US election infrastructure is now in the hands of a single former Republican operative, Scott Leiendecker, who just purchased voting machine company Dominion Voting Systems and owns Knowink, an electronic poll book firm. Election security experts are currently more baffled about the implications than worried about any possibility of foul play.

    While a new type of attack could let hackers steal two-factor authentication codes from Android phones, the biggest cybersecurity development of the week was the breach of security firm F5. The attack, which was carried out by a “sophisticated” threat actor reportedly linked to China, poses an “imminent threat” of breaches against government agencies and Fortune 500 companies. Finally, we sifted through the mess that is VPNs for iPhones and found the only three worth using.

    But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    In recent years, perhaps no single group of hackers has caused more mayhem than “the Com,” a loose collective of mostly cybercriminal gangs whose subgroups like Lapus$ and Scattered Spider have carried out cyberattacks and ransomware extortion operations targeting victims from MGM Casinos to Marks & Spencer grocery stores. Now they’ve turned their sites to US federal law enforcement.

    On Thursday, one member of the Com’s loose collective began posting to Telegram an array of federal officials’ identifying documents. One spreadsheet, according to 404 Media, contained what appeared to be personal information of 680 Department of Homeland Security officials, while another included personal info on 170 FBI officials, and yet another doxed 190 Department of Justice officials. The data in some cases included names, email addresses and phone numbers, and addresses—in some cases of officials’ homes rather than the location of their work. The user who released the data noted in their messages a statement from the DHS that Mexican cartels have offered thousands of dollars for identifying information on agents, apparently mocking this unverified claim.

    “Mexican Cartels hmu we dropping all the doxes wheres my 1m,” the user who released the files wrote, using the abbreviation for “hit me up” and seemingly demanding a million dollars. “I want my MONEY MEXICO.”

    Over the last year—at least—the FBI has operated a “secret” task force that may have worked to disrupt Russian ransomware gangs, according to reports published this week in France’s Le Monde and Germany’s Die Zeit. The publications allege that at the end of last year, the mysterious Group 78 presented its strategy to two different meetings of European officials, including law enforcement officials and those working in judicial services. Little is known about the group; however, its potentially controversial tactics appeared to spur typically tight-lipped European officials to speak out about Group 78’s existence and tactics.

    At the end of last year, according to the reports, Group 78 was focusing on the Russian-speaking Black Basta ransomware gang and outlined two approaches: running operations inside Russia to disrupt the gang’s members and try to get them to leave the country; and also to “manipulate” Russian authorities into prosecuting Black Basta members. Over the last few years, Western law enforcement officials have taken increasingly disruptive measures against Russian ransomware gangs—including infiltrating their technical infrastructure, trying to ruin their reputations, and issuing a wave of sanctions and arrest warrants—but taking covert action inside Russia against ransomware gangs would be unprecedented (at least in public knowledge). The Black Basta group has in recent months gone dormant after 200,000 of its internal messages were leaked and its alleged leader identified.

    Over the last few years, AI-powered license plate recognition cameras—which are placed at the side of the road or in cop cars—have gathered billions of images of people’s vehicles and their specific locations. The technology is a powerful surveillance tool that, unsurprisingly, has been adopted by law enforcement officials across the United States—raising questions about how access to the cameras and data can be abused by officials.

    This week, a letter by Senator Ron Wyden revealed that one division of ICE, the Secret Service, and criminal investigators at the Navy all had access to data from the cameras of Flock Safety. “I now believe that abuses of your product are not only likely but inevitable, and that Flock is unable and uninterested in preventing them,” Wyden’s letter addressed to Flock says. Wyden’s letter follows increasing reports that government agencies, including the CBP, had access to Flock’s 80,000 cameras. “In my view,” Wyden wrote, “local elected officials can best protect their constituents from the inevitable abuses of Flock cameras by removing Flock from their communities.”

    Andy Greenberg, Matt Burgess

    Source link

  • Why the F5 Hack Created an ‘Imminent Threat’ for Thousands of Networks

    Thousands of networks—many of them operated by the US government and Fortune 500 companies—face an “imminent threat” of being breached by a nation-state hacking group following the breach of a major maker of software, the federal government warned on Wednesday.

    F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years.

    Unprecedented

    During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG IP, a line of server appliances that F5 says is used by 48 of the world’s top 50 corporations. Wednesday’s disclosure went on to say the threat group downloaded proprietary BIG-IP source code information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks.

    Control of the build system and access to the source code, customer configurations, and documentation of unpatched vulnerabilities has the potential to give the hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply-chain attacks on thousands of networks, many of which are sensitive. The theft of customer configurations and other data further raises the risk that sensitive credentials can be abused, F5 and outside security experts said.

    Customers position BIG-IP at the very edge of their networks for use as load balancers and firewalls, and for inspection and encryption of data passing into and out of networks. Given BIG-IP’s network position and its role in managing traffic for web servers, previous compromises have allowed adversaries to expand their access to other parts of an infected network.

    F5 said that investigations by two outside intrusion-response firms have yet to find any evidence of supply-chain attacks. The company attached letters from firms IOActive and NCC Group attesting that analyses of source code and build pipeline uncovered no signs that a “threat actor modified or introduced any vulnerabilities into the in-scope items.” The firms also said they didn’t identify any evidence of critical vulnerabilities in the system. Investigators, which also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management, or health systems was accessed.

    The company released updates for its BIG-IP, F5OS, BIG-IQ, and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP signing certificates, though there was no immediate confirmation that the move is in response to the breach.

    Dan Goodin, Ars Technica

    Source link

  • Russia, China increasingly using AI to escalate cyberattacks on US, Microsoft finds

    WASHINGTON (AP) — Russia, China, Iran and North Korea have sharply increased their use of artificial intelligence to deceive people online and mount cyberattacks against the United States, according to new research from Microsoft.

    This July, the company identified more than 200 instances of foreign adversaries using AI to create fake content online, more than double the number from July 2024 and more than ten times the number seen in 2023.

    The findings, published Thursday in Microsoft’s annual digital threats report, show how foreign adversaries are adopting new and innovative tactics in their efforts to weaponize the internet as a tool for espionage and deception.

    America’s adversaries, as well as criminal gangs and hacking companies, have exploited AI’s potential, using it to automate and improve cyberattacks, to spread inflammatory disinformation and to penetrate sensitive systems. AI can translate poorly worded phishing emails into fluent English, for example, as well as generate digital clones of senior government officials.

    Government cyber operations often aim to obtain classified information, undermine supply chains, disrupt critical public services or spread disinformation. Cyber criminals on the other hand work for profit by stealing corporate secrets or using ransomware to extort payments from their victims. These gangs are responsible for the wide majority of cyberattacks in the world and in some cases have built partnerships with countries like Russia.

    Increasingly, these attackers are using AI to target governments, businesses and critical systems like hospitals and transportation networks, according to Amy Hogan-Burney, Microsoft’s vice president for customer security and trust, who oversaw the report. Many U.S. companies and organizations, meanwhile, are getting by with outdated cyber defenses, even as Americans expand their networks with new digital connections.

    Companies, governments, organizations and individuals must take the threat seriously if they are to protect themselves amid escalating digital threats, she said.

    “We see this as a pivotal moment where innovation is going so fast,” Hogan-Burney said. “This is the year when you absolutely must invest in your cybersecurity basics,”

    The U.S. is the top target for cyberattacks, with criminals and foreign adversaries targeting companies, governments and organizations in the U.S. more than any other country. Israel and Ukraine were the second and third most popular targets, showing how military conflicts involving those two nations have spilled over into the digital realm.

    Russia, China and Iran have denied that they use cyber operations for espionage, disruption and disinformation. China, for instance, says the U.S. is trying to “ smear ” Beijing while conducting its own cyberattacks.

    North Korea has pioneered a scheme in which it uses AI personas to create American identities allowing them to apply for remote tech jobs. North Korea’s authoritarian government pockets the salaries, while the hackers use their access to steal secrets or install malware.

    It’s the kind of digital threat that will face more American organizations in the years to come as sophisticated AI programs make it easier for bad actors to deceive, according to Nicole Jiang, CEO of Fable, a San Francisco-based security company that uses AI to sniff out fake employees. AI is not only a tool for hackers, but also a critical defense against digital attackers, Jiang said.

    “Cyber is a cat-and-mouse game,” she said. “Access, data, information, money: That’s what they’re after.”

    Source link

  • A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones

    Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

    The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

    Like Taking a Screenshot

    Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

    “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

    The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

    Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

    Dan Goodin, Ars Technica

    Source link

  • ‘Happy Gilmore’ Producer Buys Spyware Maker NSO Group

    Research published this week indicates that North Korean scammers are trying to trick US companies into hiring them for architectural design work, using fake profiles, résumés, and Social Security numbers to pose as legitimate workers. The hustle fits into longstanding campaigns by the hermit kingdom to steal billions of dollars from organizations around the world using careful planning and coordination to pose as professionals in all different fields.

    Under pressure from the Department of Justice, Apple removed a series of apps from its iOS App Store this month related to monitoring US Immigration and Customs Enforcement activity and archiving content related to ICE’s actions. As more apps are removed, multiple developers told WIRED this week that they aren’t giving up on fighting Apple over the decisions—and many are still distributing their apps on other platforms in the meantime.

    WIRED examined increasing warnings from software supply chain security researchers that the proliferation of AI-generated software in codebases will create an even more extreme version of the code transparency and accountability issues that have come up with widespread integration of open source software components. And Apple announced expansions of its bug bounty program this week, including a maximum $2 million payout for certain exploit chains that could be abused to distribute spyware, and additional bonuses for exploits found in Apple’s Lockdown Mode or in beta versions of new software.

    But wait, there’s more! Each week, we round up the security and privacy news we didn’t report in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    The notorious spyware vendor NSO Group, known for developing the Pegasus malware, has faced financial issues since losing a long legal battle against the secure messaging platform WhatsApp as well as a lawsuit filed by Apple. Now, the company, which has long had Israeli ownership, has been purchased by a group of US-based investors led by movie producer Robert Simonds, who helped finance Happy Gilmore, Billy Madison, The Pink Panther, Hustlers, and Ferrari, among many other films. The deal is reportedly worth “several tens of millions of dollars” and is close to completion. Israel’s Defense Export Control Agency (DECA) within the Ministry of Defense will need to approve the sale. Use of mercenary spyware has increased within some US federal government agencies since the beginning of the Trump administration.

    Hundreds of national security and cybersecurity specialists who work in the US Department of Homeland Security have faced mandatory reassignment in recent weeks to roles related to President Donald Trump’s mass deportation agenda. Bloomberg reports that affected workers are largely senior staffers who are not union eligible. Workers who refuse to move roles will reportedly be dismissed. Members of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) who have faced reassignment reportedly worked on “issuing alerts about threats against US agencies and critical infrastructure.” For example, CISA’s Capacity Building team has faced a number of reassignments, which could hinder access to emergency recommendations and directives for high-value federal government assets. Workers have been moved to agencies including Immigration and Customs Enforcement, Customs and Border Protection, and the Federal Protective Service.

    A recent breach of a third-party customer service provider used by the communication platform Discord included a trove of data from more than 70,000 Discord users that contained identification documents as well as selfies, email addresses, phone numbers, some home location information, and more. The data was collected as part of age verification checks, a mechanism that has long been criticized for centralizing users’ sensitive information. 404 Media reports that the breach was perpetrated by attackers who are attempting to extort Discord. “This is about to get really ugly,” the hackers wrote in a Telegram channel on Wednesday while posting the stolen data.

    US Immigration and Customs Enforcement inked a $825,000 contract in May with TechOps Specialty Vehicles (TOSV), a Maryland-based company that manufactures equipment and vehicles for law enforcement. The company provides products including rogue cellphone towers that are used for phone surveillance and sometimes called “stingrays” or “cell-site simulators.” Public records reviewed by TechCrunch show that the agreement describes how the company “provides Cell Site Simulator (CSS) Vehicles to support the Homeland Security Technical Operations program” and is a modification for “additional CSS Vehicles.” TOSV also began a similar $818,000 contract with ICE in September 2024, prior to the start of the Trump administration. In an email to TechCrunch, TOSV president Jon Brianas declined to share details about the contracts but confirmed that the company does provide cell-site simulators. The company does not manufacture them itself, he said.

    Lily Hay Newman

    Source link

  • Vibe Coding Is the New Open Source—in the Worst Way Possible

    Just like you probably don’t grow and grind wheat to make flour for your bread, most software developers don’t write every line of code in a new project from scratch. Doing so would be extremely slow and could create more security issues than it solves. So developers draw on existing libraries—often open source projects—to get various basic software components in place.

    While this approach is efficient, it can create exposure and lack of visibility into software. Increasingly, however, the rise of vibe coding is being used in a similar way, allowing developers to quickly spin up code that they can simply adapt rather than writing from scratch. Security researchers warn, though, that this new genre of plug-and-play code is making software-supply-chain security even more complicated—and dangerous.

    “We’re hitting the point right now where AI is about to lose its grace period on security,” says Alex Zenla, chief technology officer of the cloud security firm Edera. “And AI is its own worst enemy in terms of generating code that’s insecure. If AI is being trained in part on old, vulnerable, or low-quality software that’s available out there, then all the vulnerabilities that have existed can reoccur and be introduced again, not to mention new issues.”

    In addition to sucking up potentially insecure training data, the reality of vibe coding is that it produces a rough draft of code that may not fully take into account all of the specific context and considerations around a given product or service. In other words, even if a company trains a local model on a project’s source code and a natural language description of goals, the production process is still relying on human reviewers’ ability to spot any and every possible flaw or incongruity in code originally generated by AI.

    “Engineering groups need to think about the development lifecycle in the era of vibe coding,” says Eran Kinsbruner, a researcher at the application security firm Checkmarx. “If you ask the exact same LLM model to write for your specific source code, every single time it will have a slightly different output. One developer within the team will generate one output and the other developer is going to get a different output. So that introduces an additional complication beyond open source.”

    In a Checkmarx survey of chief information security officers, application security managers, and heads of development, a third of respondents said that more than 60 percent of their organization’s code was generated by AI in 2024. But only 18 percent of respondents said that their organization has a list of approved tools for vibe coding. Checkmarx polled thousands of professionals and published the findings in August—emphasizing, too, that AI development is making it harder to trace “ownership” of code.

    Lily Hay Newman

    Source link

  • A breach every month raises doubts about South Korea’s digital defenses | TechCrunch

    South Korea is world-famous for its blazing-fast internet, near-universal broadband coverage, and as a leader in digital innovation, hosting global tech brands like Hyundai, LG, and Samsung. But this very success has made the country a prime target for hackers and exposed how fragile its cybersecurity defenses remain.  

    The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies, impacting vast swathes of the South Korean population. In each case, ministries and regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison. 

    Critics argue that South Korea’s cyber defenses are hindered by a fragmented system of government ministries and agencies, often resulting in slow and uncoordinated responses, per local media reports

    With no clear government agency acting as “first responder” following a cyberattack, the country’s cyber defenses are struggling to keep pace with its digital ambitions. 

    “The government’s approach to cybersecurity remains largely reactive, treating it as a crisis management issue rather than as critical national infrastructure,” Brian Pak, the chief executive of Seoul-based cybersecurity firm Theori, told TechCrunch.  

    Pak, who also serves as an advisor to SK Telecom’s parent company’s special committee on cybersecurity innovations, told TechCrunch that because government agencies tasked with cybersecurity work in silos, developing digital defenses and training skilled workers often get overlooked. 

    The country is also facing a severe shortage of skilled cybersecurity experts.  

    “[That’s] mainly because the current approach has held back workforce development. This lack of talent creates a vicious cycle. Without enough expertise, it’s impossible to build and maintain the proactive defenses needed to stay ahead of threats,” Pak continued.  

    Political deadlock has fostered a habit of seeking quick, obvious “quick fixes” after each crisis, said Pak, all the while the more challenging, long-term work of building digital resilience continues to be sidelined. 

    This year alone, there has been a major cybersecurity incident in South Korea almost every month, further mounting concerns over the resilience of South Korea’s digital infrastructure.  

    January 2025 

    • GS Retail, the operator of convenience stores and grocery markets across South Korea, confirmed a data breach that exposed the personal details of about 90,000 customers after its website was attacked between December 27 and January 4. The stolen information included names, birth dates, contact details, addresses, and email addresses. 

    February 2025 

    April and May 2025 

    • South Korea’s part-time job platform Albamon was hit by a hacking attack on April 30. The breach exposed the resumes of more than 20,000 users, including names, phone numbers, and email addresses.
    • In April, South Korea’s telecom giant SK Telecom was hit by a major cyberattack. Hackers stole the personal data of about 23 million customers — nearly half the country’s population. Much of the aftermath of the cyberattack lasted through May, in which millions of customers were offered a new SIM card following the breach. 

    June 2025  

    • Yes24, South Korea’s online ticketing and retail platform, was hit by a ransomware attack on June 9, which knocked its services offline. The disruption lasted for about four days, with the company back online by mid-June. 

    July 2025 

    August 2025

    • Yes24 faced a second ransomware attack in August 2025, which took its website and services offline for a few hours. 
    • Hackers broke into South Korean financial services company Lotte Card, which issues credit and debit cards, between July 22 and August. The breach exposed around 200GB of data and is believed to have affected roughly 3 million customers. The breach remained unnoticed for approximately 17 days, until the company discovered it on August 31. 
    • Welcome Financial: In August 2025, Welrix F&I, a lending arm of Welcome Financial Group, was hit by a ransomware attack. A Russian-linked hacking group claimed it stole over a terabyte of internal files, including sensitive customer data, and even leaked samples on the dark web.
    • North Korea-linked hackers, believed to be the Kimsuky group, have been spying on foreign embassies in South Korea for months by disguising their attacks as routine diplomatic emails. According to Trellix, the campaign has been active since March and has targeted at least 19 embassies and foreign ministries in South Korea. 

    September 2025  

    • KT, one of South Korea’s biggest telecom operators, has reported a cyber breach that exposed subscriber data from more than 5,500 customers. The attack was linked to illegal “fake base stations” that tapped into KT’s network, enabling hackers to intercept mobile traffic, steal information like IMSI, IMEI, and phone numbers, and even make unauthorized micro-payments. 

    In light of the recent surge in hacking incidents, the South Korean Presidential Office’s National Security is stepping in to tighten defenses, pushing for a cross-ministerial effort that brings multiple agencies together in a coordinated, whole-of-government response.  

    In September 2025, the National Security Office announced that it would implement “comprehensive” cyber measures through an interagency plan, led by the South Korean president’s office. Regulators also signaled a legal change giving the government power to launch probes at the first sign of hacking — even if companies haven’t filed a report. Both steps aim to address the lack of a first responder that has long hindered South Korea’s cyber defenses. 

    But South Korea’s fragmented system leaves accountability weak, placing all authority in a presidential “control tower” could risk “politicization” and overreach, according to Pak.  

    A better path may be balance: a central body to set strategy and coordinate crises, paired with independent oversight to keep power in check. In a hybrid model, expert agencies like KISA would still handle the technical work — just with more straightforward rules and accountability, Pak told TechCrunch.  

    When reached for comment, a spokesperson for the South Korea’s Ministry of Science in ICT said the ministry, with KISA and other relevant agencies, is “committed to addressing increasingly sophisticated and advanced cyber threats.”  

    “We continue to work diligently to minimize potential harm to Korean businesses and the general public,” the spokesperson added.

    This article was originally published on September 30.

    Kate Park

    Source link

  • Private Key Leakage Remains the Leading Cause of Crypto Theft in Q3 2025

    Based on a report by SlowMist, private key leakage remains the leading cause of crypto theft, accounting for 317 stolen fund reports in Q3 2025.

    Slowmist’s MistTrack’s Stolen Funds Analysis shows that private key leaks remain the most common cause of crypto theft.

    The findings indicate that 317 stolen fund reports were filed between July and September, with assets worth more than $3.73 million successfully frozen or recovered in ten of those cases.

    Private Keys Remain the Core Vulnerability

    The report highlights that most crypto thefts rely on compromised credentials rather than sophisticated attacks. It notes that unauthorized dealers continue to sell fake hardware wallets, which remain a common scam. These devices often contain pre-written seed phrases or have been tampered with to secretly capture recovery information, allowing attackers to access funds once victims deposit assets.

    SlowMist advised users to only  purchase hardware wallets through authorized vendors, create seed phrases on their device, and try tiny transfers before transferring large sums of money. Simple checks, such as verifying packaging integrity and avoiding pre-set recovery cards, can help prevent losses.

    Attackers are also developing new methods using phishing and social engineering. The report examined some occurrences of EIP-7702 delegate phishing, where compromised accounts were linked to contracts that automatically drained assets once a transfer was initiated. In such cases, victims believed they were engaging in regular activity, but hidden authorizations allowed hackers to gain control.

    The analysis shows that social engineering remains a persistent threat, with phishers posing as recruiters on LinkedIn and building trust with job candidates over several weeks before convincing them to install “camera drivers” or other malicious code. In one case, attackers paired the program with a manipulated Chrome extension during a Zoom call, leading to losses of more than $13 million.

    Old Phishing Scams Remain Effective

    Traditional methods also continued to prove effective. Fraudulent Google ads cloned legitimate services such as MistTrack, while spoofed dashboards for decentralized finance platforms like Aave generated over $1.2 million in losses through hidden authorization requests. The exploiters also hijacked unused Discord vanity links left in project folders to trick communities.

    You may also like:

    Another attack vector disguises malicious commands as CAPTCHA verifications, tricking victims into copying code that steals wallet data, browser cookies, and private keys.

    SlowMist explained that Web3 exploits are not about complex tricks but involve hackers taking advantage of everyday actions. That being said, simple actions like slowing down, double-checking sources, and avoiding shortcuts are the best ways to stay safe in a space where threats keep changing.

    SPECIAL OFFER (Sponsored)

    Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).

    LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!

    Wayne Jones

    Source link

  • An App Used to Dox Charlie Kirk Critics Doxed Its Own Users Instead

    New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

    The US Secret Service said on Tuesday that it had discovered facilities across the “New York tristate area” running so-called SIM servers—devices that manage and coordinate 100,000 SIM cards at a time for illicit operations. The Secret Service warned, though, that in addition to being used by cybercriminals for scamming, the apparatuses could also be used to launch critical infrastructure attacks that could disrupt mobile networks.

    A cyberattack on the UK-based automaker Jaguar Land Rover has been causing a supply chain meltdown, halting vehicle production, costing JLR tens of millions of dollars, and forcing its parts suppliers to lay off workers. The beleaguered company will have to shoulder the full cost of the attack because of inadequate insurance coverage, prompting talks of possible UK government assistance.

    If you’re worried about phone searches while traveling or doing specific activities, the password manager known as 1Password has a Travel Mode feature that can help you manage sensitive data and temporarily remove it from your device. We’ve got advice on how to use the tool most effectively.

    And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    An app used to out those who spoke ill of the murdered right-wing activist Charlie Kirk was found to be leaking its users’ personal information, doxing the very people it had invited to dox its targets.

    The app Cancel the Hate, founded in the wake of Kirk’s September 10 assassination, suspended its services this week after it was revealed that security flaws in the website where the app was hosted exposed users’ email addresses and phone numbers. That site had asked its users to collect and share employment and other personal information of critics of Kirk and others “supporting political violence.” But a security researcher who identified themselves only as BobDaHacker demonstrated to news outlet Straight Arrow News that privacy settings on the site didn’t work as advertised, publicly leaking users’ information even when it was set to private. The hacker also reportedly had the ability to delete users’ accounts at will.

    Cancel the Hate, which displayed a photo of Kirk on its homepage and was founded by a Kirk supporter who cited his death as the motivation for creating the site, has since taken down its reporting features. It now displays a message on its homepage that it’s moving to a “new service provider.” The page that allows visitors to buy a $23 T-shirt remains online.

    Ransomware groups continued to plumb the depths of abject immorality this week with a new tactic: extorting preschools by stealing toddlers’ personal information and threatening their parents. The BBC reports that a hacker group says it has stolen the names, addresses, and photos of around 8,000 children from the preschool chain Kido, which has sites largely around London but also in the US and India. The hackers are threatening to leak the data if a ransom isn’t paid, going so far as to contact some of the children’s parents to reinforce their threat. The group has also posted sample information and photos of 10 children on their dark-web site.

    In August, The Guardian, Israeli-Palestinian publication +972 Magazine, and Hebrew-language publication Local Call revealed how Israeli signals intelligence agency Unit 8200 had built a comprehensive surveillance system to intercept and store Palestinian phone calls. More than “a million calls an hour” could be collected by the system, which reportedly amassed around 8,000 terabytes of call data and stored it in Microsoft’s Azure cloud service in the Netherlands, the publications reported.

    This week, following an external investigation commissioned by Microsoft, the company pulled some of the Israeli military’s access to its technology. In a statement, Microsoft president Brad Smith said the firm has taken the decision to “cease and disable” some “specific cloud storage and AI services and technologies” that it was providing to Israeli forces. Microsoft’s action—its investigation is still ongoing—follows a wave of staff protests at its ties to Israel and its ongoing war in Gaza. “We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades,” Smith wrote in a statement.

    Andy Greenberg, Matt Burgess, Lily Hay Newman

    Source link

  • A Dangerous Worm Is Eating Its Way Through Software Packages

    New findings this week showed that a misconfigured platform used by the Department of Homeland Security left sensitive national security information—including data related to the surveillance of Americans—exposed and accessible to thousands of people. Meanwhile, 15 New York officials were arrested by Immigration and Customs Enforcement and the New York Police Department this week in or around 26 Federal Plaza—where ICE detains people in what courts have ruled are unsanitary conditions.

    Russia conducted conspicuous military exercises testing hypersonic missiles near NATO borders, stoking tensions in the region after the Kremlin had already recently flown drones into Polish and Romanian airspace. Scammers have a new tool for sending spam texts, known as “SMS blasters,” that can send up to 100,000 texts per hour while evading telecom company anti-spam measures. Scammers deploy rogue cell towers that trick people’s phones into connecting to the malicious devices so they can send the texts directly and bypass filters. And a pair of flaws in Microsoft’s Entra ID identity and access management system, which have been patched, could have been exploited to access virtually all Azure customer accounts—a potentially catastrophic disaster.

    WIRED published a detailed guide this week to acquiring and using a burner phone, as well as alternatives that are more private than a regular phone but not as labor-intensive as a true burner. And we updated our guide to the best VPNs

    But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    The cybersecurity world has seen, to its growing dismay, plenty of software supply-chain attacks, in which hackers hide their code in a legitimate piece of software so that it’s silently seeded out to every system that uses that code around the world. In recent years, hackers have even tried linking one software supply-chain attack to another, finding a second software developer target among their victims to compromise yet another piece of software and launch a new round of infections. This week saw a new and troubling evolution of those tactics: a full-blown self-replicating supply-chain attack worm.

    The malware, which has been dubbed Shai-Hulud after the Fremen name for the monstrous Sandworms in the sci-fi novel Dune (and the name of the Github page where the malware published stolen credentials of its victims), has compromised hundreds of open source software packages on the code repository Node Packet Management, or NPM, used by developers of Javascript. The Shai-Hulud worm is designed to infect a system that uses one of those software packages, then hunt for more NPM credentials on that system so that it can corrupt another software package and continue its spread.

    By one count, the worm has spread to more than 180 software packages, including 25 used by the cybersecurity firm CrowdStrike, though CrowdStrike has since had them removed from the NPM repository. Another count from cybersecurity firm ReversingLabs put the count far higher, at more than 700 affected code packages. That makes Shai-Hulud one of the biggest supply-chain attacks in history, though the intent of its mass credential-stealing remains far from clear.

    Western privacy advocates have long pointed to China’s surveillance systems as the potential dystopia awaiting countries like the United States if tech industry and government data collection goes unchecked. But a sprawling Associated Press investigation highlights how China’s surveillance systems have reportedly been largely built on US technologies. The AP’s reporters found evidence that China’s surveillance network—from the “Golden Shield” policing system that Beijing officials have used to censor the internet and crack down on alleged terrorists to the tools used to target, track, and often detain Uyghurs and the country’s Xinjiang region—appear to have been built with the help of American companies, including IBM, Dell, Cisco, Intel, Nvidia, Oracle, Microsoft, Thermo Fisher, Motorola, Amazon Web Services, Western Digital, and HP. In many cases, the AP found Chinese-language marketing materials in which the Western companies specifically offer surveillance applications and tools to Chinese police and domestic intelligence services.

    Scattered Spider, a rare hacking and extortion cybercriminal gang based largely in Western countries, has for years unleashed a trail of chaos across the internet, hitting targets from MGM Resorts and Caesar’s Palace to the Marks & Spencer grocery chain in the United Kingdom. Now two alleged members of that notorious group have been arrested in the UK: 19-year-old Thalha Jubair and 18-year-old Owen Flowers, both charged with hacking the Transport for London transit system—reportedly inflicting more than $50 million in damage—among many other targets. Jubair alone is accused of intrusions targeting 47 organizations. The arrests are just the latest in a string of busts targeting Scattered Spider, which has nonetheless continued a nearly uninterrupted string of breaches. Noah Urban, who was convicted on charges related to Scattered Spider activity, spoke from jail to Bloomberg Businessweek for a long profile of his cybercriminal career. Urban, 21, has been sentenced to a decade in prison.

    Lily Hay Newman, Andy Greenberg

    Source link

  • This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

    As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

    Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

    “I was just staring at my screen. I was like, ‘No, this shouldn’’t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

    “From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people’s configuration, create new and admin users in that tenant, and do anything you would like.”

    Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

    “We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

    Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

    Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

    Matt Burgess, Lily Hay Newman

    Source link

  • Apple’s latest iPhone security feature just made life more difficult for spyware makers | TechCrunch

    Buried in an ocean of flashy novelties announced by Apple this week, the tech giant also revealed new security technology for its latest iPhone 17 and iPhone Air devices. This new security technology was made specifically to fight against surveillance vendors and the types of vulnerabilities they rely on the most, according to Apple.

    The feature is called Memory Integrity Enforcement (MIE) and is designed to help stop memory corruption bugs, which are some of the most common vulnerabilities exploited by spyware developers and makers of phone forensic devices used by law enforcement. 

    “Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry,” Apple wrote in its blog post

    Cybersecurity experts, including people who make hacking tools and exploits for iPhones, tell TechCrunch that this new security technology could make Apple’s newest iPhones some of the most secure devices on the planet. The result is likely to make life harder for the companies that make spyware and zero-day exploits for planting spyware on a target’s phone or extracting data from them. 

    “The iPhone 17 is probably now the most secure computing environment on the planet that is still connected to the internet,” a security researcher, who has worked on developing and selling zero-days and other cyber capabilities to the U.S. government for years, told TechCrunch.

    The researcher told TechCrunch that MIE will raise the cost and time to develop their exploits for the latest iPhones, and consequently up their prices for paying customers.

    “This is a huge deal,” said the researcher, who asked to remain anonymous to discuss sensitive matters. “It’s not hack proof. But it’s the closest thing we have to hack proof. None of this will ever be 100% perfect. But it raises the stakes the most.”

    Contact Us

    Do you develop spyware or zero-day exploits and are studying studying the potential effects of Apple’s MIE? We would love to learn how this affects you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

    Jiska Classen, a professor and researcher who studies iOS at the Hasso Plattner Institute in Germany, agreed that MIE will raise the cost of developing surveillance technologies.

    Classen said this is because some of the bugs and exploits that spyware companies and researchers have that currently work will stop working once the new iPhones are out and MIE is implemented. 

    “I could also imagine that for a certain time window some mercenary spyware vendors don’t have working exploits for the iPhone 17,” said Classen. 

    “This will make their life arguably infinitely more difficult,” said Patrick Wardle, a researcher who runs a startup that makes cybersecurity products specifically for Apple devices. “Of course that is said with the caveat that it’s always a cat-and-mouse game.”

    Wardle said people who are worried about getting hacked with spyware should upgrade to the new iPhones. 

    The experts TechCrunch spoke to said MIE will reduce the efficacy of both remote hacks, such as those launched with spyware like NSO Group’s Pegasus and Paragon’s Graphite. It will also help to protect against physical device hacks, such as those performed with phone unlocking hardware like Cellebrite or Graykey. 

    Taking on the “majority of exploits”

    Most modern devices, including the majority of iPhones today, run software written in programming languages that are prone to memory-related bugs, often called memory overflow or corruption bugs. When triggered, a memory bug can cause the contents of memory from one app to spill into other areas of a user’s device where it shouldn’t go.

    Memory-related bugs can allow malicious hackers to access and control parts of a device’s memory that they shouldn’t be permitted to. The access can be used to plant malicious code that’s capable of gaining broader access to a person’s data stored in the phone’s memory, and exfiltrating it over the phone’s internet connection.

    MIE aims to defend against these kinds of broad memory attacks by vastly reducing the attack surface in which memory vulnerabilities can be exploited.

    According to Halvar Flake, an expert in offensive cybersecurity, memory corruptions “are the vast majority of exploits.” 

    MIE is built on a technology called Memory Tagging Extension (MTE), originally developed by chipmaker Arm. In its blog post, Apple said over the past five years it worked with Arm to expand and improve the memory safety features into a product called Enhanced Memory Tagging Extension (EMTE).  

    MIE is Apple’s implementation of this new security technology, which takes advantage of Apple having complete control of its technology stack, from software to hardware, unlike many of its phone-making competitors.

    Google offers MTE for some Android devices; the security-focused GrapheneOS, a custom version of Android, also offers MTE

    But other experts say Apple’s MIE goes a step further. Flake said the Pixel 8 and GrapheneOS are “almost comparable,” but the new iPhones will be “the most secure mainstream” devices.

    MIE works by allocating each piece of a newer iPhone’s memory with a secret tag, effectively its own unique password. This means only apps with that secret tag can access the physical memory in the future. If the secret doesn’t match, the security protections kick in and block the request, the app will crash, and the event is logged.

    That crash and log is particularly significant since it’s more likely for spyware and zero-days to trigger a crash, making it easier for Apple and security researchers investigating attacks to spot them. 

    “A wrong step would lead to a crash and a potentially recoverable artifact for a defender,” said Matthias Frielingsdorf, the vice president of research at iVerify, a company that makes an app to protect smartphones from spyware. “Attackers already had an incentive to avoid memory corruption.”

    Apple did not respond to a request for comment.

    MIE will be on by default system wide, which means it will protect apps like Safari and iMessage, which can be entry points for spyware. But third-party apps will have to implement MIE on their own to improve protections for their users. Apple released a version of EMTE for developers to do that. 

    In other words, MIE is a huge step in the right direction, but it will take some time to see its impact, depending on how many developers implement it and how many people buy new iPhones. 

    Some attackers will inevitably still find a way.

    “MIE is a good thing and it might even be a big deal. It could significantly raise the cost for attackers and even force some of them out of the market,” said Frielingsdorf. “But there are going to be plenty of bad actors that can still find success and sustain their business.”

    “As long as there are buyers there will be sellers,” said Frielingsdorf.

    Lorenzo Franceschi-Bicchierai, Zack Whittaker

    Source link

  • iPhone 17’s New MIE Feature Strengthens Crypto Wallet Security

    Cobo founder DiscusFish has said that the new iPhone 17 introduces a new Memory Integrity Enforcement (MIE) feature that boosts crypto wallet security.

    The system is designed to block advanced memory attacks during crypto wallet signing by combining hardware and software protections.

    Why It Matters for Crypto Users

    Apple shared in a September 9 blog post that MIE is powered by the A19 chip and uses Enhanced Memory Tagging Extension (EMTE), which checks memory in real-time. This setup instantly blocks common exploits such as buffer overflows and use-after-free attempts.

    For the crypto industry, this is important because memory flaws account for nearly 70% of all software vulnerabilities and are a common entry point for malware during wallet operations. Signing processes have always been a top target for hackers, as a single weak spot can lead to the theft of funds.

    Apple’s new MIE steps in by stopping these attacks at the hardware level before they can cause damage. Shutting down these threats early makes wallet signing much safer and harder for spyware to steal assets. Another benefit is that protections are always on, meaning users do not need to set up anything themselves. DiscusFish called the feature “a major win for high-net-worth crypto users and frequent signers.”

    Apple has also addressed side-channel risks with a function called Tag Confidentiality Enforcement (TCE), which prevents attackers from exposing memory tag values through speculative execution or other ways. This closes another pathway often used by hackers to get wallet data.

    The company’s security team confirmed that MIE was tested against real-world exploit chains, with most attacks stopped in their earliest stages. This reduces the opportunities for bad actors to compromise software.

    Additionally, the protections go beyond Apple’s native tools. Developers can also enable these features through Enhanced Security settings in Xcode, allowing crypto apps outside Apple’s ecosystem to benefit from the same defense model.

    iPhone 17 Sets New Standard for Wallet Safety

    Overall, the new iPhone 17 reduces the risk of spyware targeting private keys by combining typed memory allocators, tag checks, and confidentiality safeguards. This means that digital asset owners can reduce reliance on external hardware wallets or specialized devices for everyday signing.

    Elsewhere, a recent report from Web3 security firm CertiK revealed that more than $2.1 billion has already been lost to crypto-related attacks in 2025. Wallet breaches account for the bulk of these losses, with compromised apps alone responsible for $1.6 billion. The company added that this makes them the most damaging attack vector by a wide margin.

    SPECIAL OFFER (Sponsored)

    Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).

    LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!

    Wayne Jones

    Source link

  • Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions

    The NPM (node packet manager) account of developer ‘qix’ was compromised, allowing hackers to publish malicious versions of his packages.

    The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads.

    This attack on the software supply chain specifically targets the JavaScript/Node.js ecosystem.

    Crypto Clipper Malware

    The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.

    The crypto-stealing malware has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions with extensive lists of attacker-owned wallet addresses.

    Using sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said cybersecurity researchers.

    If a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker addresses.

    The attack targeted packages such as ‘chalk,’ ‘strip-ansi,’ ‘color-convert,’ and ‘color-name,’ which are core building blocks buried deep in the dependency trees of countless projects.

    The attack was discovered accidentally when a build pipeline failed with a “fetch is not defined” error as the malware attempted to exfiltrate data using the fetch function.

    “If you use a hardware wallet, pay attention to every transaction before signing, and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles Guillemet.

    Broad Attack Vector

    While the malware’s payload specifically targets cryptocurrency, the attack vector is much broader. It affects any environment running JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications, and mobile apps using JavaScript frameworks.

    So a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that site.

    Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.

    SPECIAL OFFER (Sponsored)

    Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).

    LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!

    Martin Young

    Source link

  • ICE Has Spyware Now

    The Biden administration considered spyware used to hack phones controversial enough that it was tightly restricted for US government use in an executive order signed in March 2024. In Trump’s no-holds-barred effort to empower his deportation force—already by far the most well-funded law enforcement agency in the US government—that’s about to change, and the result could be a powerful new form of domestic surveillance.

    Multiple tech and security companies—including Cloudflare, Palo Alto Networks, Spycloud, and Zscaler—have confirmed customer information was stolen in a hack that originally targeted a chatbot system belonging to sales and revenue generation company Salesloft. The sprawling data theft started in August, but in recent days more companies have revealed they had customer information stolen.

    Toward the end of August, Salesloft first confirmed it had discovered a “security issue” in its Drift application, an AI chatbot system that allows companies to track potential customers who engage with the chatbot. The company said the security issue is linked to Drift’s integration with Salesforce. Between August 8 and August 18, hackers used compromised OAuth tokens associated with Drift to steal data from accounts.

    Google’s security researchers revealed the breach at the end of August. “The actor systematically exported large volumes of data from numerous corporate Salesforce instances,” Google wrote in a blog post, pointing out that the hackers were looking for passwords and other credentials contained in the data. More than 700 companies may have been impacted, with Google later saying it had seen Drift’s email integration being abused.

    On August 28, Salesloft paused its Salesforce-Salesloft integration as it investigated the security issues; then on September 2 it said, “Drift will be temporarily taken offline in the very near future” so it can “build additional resiliency and security in the system.” It’s likely more companies impacted by the attack will notify customers in the coming days.

    Obtaining intelligence on the internal workings of the Kim regime that has ruled North Korea for three generations has long presented a serious challenge for US intelligence agencies. This week, The New York Times revealed in a bombshell account of a highly classified incident how far the US military went in one effort to spy on the regime. In 2019, SEAL Team 6 was sent to carry out an amphibious mission to plant an electronic surveillance device on North Korean soil—only to fail and kill a boatful of North Koreans in the process. According to the Times’ account, the Navy SEALs got as far as swimming onto the shores of the country in mini-subs deployed from a nuclear submarine. But due to a lack of reconnaissance and the difficulty of surveilling the area, the special forces operators were confused by the appearance of a boat in the water, shot everyone aboard, and aborted their mission. The North Koreans in the boat, it turned out, were likely unwitting civilians diving for shellfish. The Trump administration, the Times reports, never informed leaders of congressional committees that oversee military and intelligence activities.

    Phishing remains one of the oldest and most reliable ways for hackers to gain initial access to a target network. One study suggests a reason why: Training employees to detect and resist phishing attempts is surprisingly tough. In a study of 20,000 employees at the health care provider UC San Diego Health, simulated phishing attempts designed to train staff resulted in only a 1.7 percent decrease in the staff’s failure rate compared to staff who received no training at all. That’s likely because staff simply ignored or barely registered the training, the study found: In 75 percent of cases, the staff member who opened the training link spent less than a minute on the page. Staff who completed a training Q&A, by contrast, were 19 percent less likely to fail on subsequent phishing tests—still hardly a very reassuring level of protection. The lesson? Find ways to detect phishing that don’t require the victim to spot the fraud. As is often noted in the cybersecurity industry, humans are the weakest link in most organizations’ security—and they appear stubbornly determined to stay that way.

    Online piracy is still big business—last year, people made more than 216 billion visits to piracy sites streaming movies, TV, and sports. This week, however, the largest illegal sports streaming platform, Streameast, was shut down following an investigation by anti-piracy industry group the Alliance for Creativity and Entertainment and authorities in Egypt. Before the takedown, Streameast operated a network of 80 domains that saw more than 1.6 billion visits per year. The piracy network streamed soccer games from England’s Premier League and other matches across Europe, plus NFL, NBA, NHL, and MLB matches. According to the The Athletic, two men in Egypt were allegedly arrested over copyright infringement charges, and authorities found links to a shell company allegedly used to launder around $6.2 million in advertising revenue over the past 15 years.

    Matt Burgess, Andy Greenberg, Lily Hay Newman

    Source link

  • Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

    Sextortion-based hacking, which hijacks a victim’s webcam or blackmails them with nudes they’re tricked or coerced into sharing, has long represented one of the most disturbing forms of cybercrime. Now one specimen of widely available spyware has turned that relatively manual crime into an automated feature, detecting when the user is browsing pornography on their PC, screenshotting it, and taking a candid photo of the victim through their webcam.

    On Wednesday, researchers at security firm Proofpoint published their analysis of an open-source variant of “infostealer” malware known as Stealerium that the company has seen used in multiple cybercriminal campaigns since May of this year. The malware, like all infostealers, is designed to infect a target’s computer and automatically send a hacker a wide variety of stolen sensitive data, including banking information, usernames and passwords, and keys to victims’ crypto wallets. Stealerium, however, adds another, more humiliating form of espionage: It also monitors the victim’s browser for web addresses that include certain NSFW keywords, screenshots browser tabs that include those words, photographs the victim via their webcam while they’re watching those porn pages, and sends all the images to a hacker—who can then blackmail the victim with the threat of releasing them.

    “When it comes to infostealers, they typically are looking for whatever they can grab,” says Selena Larson, one of the Proofpoint researchers who worked on the company’s analysis. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn’t want in the hands of a particular hacker.”

    “It’s gross,” Larson adds. “I hate it.”

    Proofpoint dug into the features of Stealerium after finding the malware in tens of thousands of emails sent by two different hacker groups it tracks (both relatively small-scale cybercriminal operations), as well as a number of other email-based hacking campaigns. Stealerium, strangely, is distributed as a free, open source tool available on Github. The malware’s developer, who goes by the named witchfindertr and describes themselves as a “malware analyst” based in London, notes on the page that the program is for “educational purposes only.”

    “How you use this program is your responsibility,” the page reads. “I will not be held accountable for any illegal activities. Nor do i give a shit how u use it.”

    In the hacking campaigns Proofpoint analyzed, cybercriminals attempted to trick users into downloading and installing Stealerium as an attachment or a web link, luring victims with typical bait like a fake payment or invoice. The emails targeted victims inside companies in the hospitality industry, as well as in education and finance, though Proofpoint notes that users outside of companies were also likely targeted but wouldn’t be seen by its monitoring tools.

    Once it’s installed, Stealerium is designed to steal a wide variety of data and send it to the hacker via services like Telegram, Discord, or the SMTP protocol in some variants of the spyware, all of which is relatively standard in infostealers. The researchers were more surprised to see the automated sextortion feature, which monitors browser URLs a list of pornography-related terms such as “sex” and “porn,” which can be customized by the hacker and trigger simultaneous image captures from the user’s webcam and browser. Proofpoint notes that it hasn’t identified any specific victims of that sextortion function, but the existence of the feature suggests it was likely used.

    Andy Greenberg

    Source link

  • WhatsApp patches exploit allowing hackers to target Apple users

    NEW YORK — WhatsApp has patched a security vulnerability that allowed sophisticated attacks against the Apple devices of “specific targeted users.”

    The messaging app, owned by Meta Platforms, said in a blog post that its vulnerability, chained with a bug found in iOS and iPadOS, allowed hackers to exploit and steal information from Apple devices.

    In a post on X, Amnesty’s Security Lab researcher Donncha Ó Cearbhaill said the malicious campaign lasted about 90 days. He said other apps beyond WhatsApp may also have been affected.

    WhatsApp said in a statement that less than 200 users were targeted and that the company had notified those affected. All users have been encouraged to update their app to the latest version to fix the issue.

    It’s not immediately clear who, or which spyware vendor, is behind the attacks.

    Apple also acknowledged the vulnerability in its systems and issued patches to fix the flaws.

    Source link

  • DOGE Put Everyone’s Social Security Data at Risk, Whistleblower Claims

    As students returned to school this week, WIRED spoke to a self-proclaimed leader of a violent online group known as “Purgatory” about a rash of swattings at universities across the US in recent days. The group claims to have ties to the loose cybercriminal network known as The Com, and the alleged Purgatory leader claimed responsibility for calling in hoax active-shooter alerts.

    Researchers from multiple organizations warned this week that cybercriminals are increasingly using generative AI tools to fuel ransomware attacks, including real situations where cybercriminals without technical expertise are using AI to develop the malware. And a popular, yet enigmatic, shortwave Russian radio station known as UVB-76 seems to have turned into a tool for Kremlin propaganda after decades of mystery and intrigue.

    But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Since it was first created, critics have warned that the young and inexperienced engineers in Elon Musk’s so-called Department of Government Efficiency (DOGE) were trampling over security and privacy rules in their seemingly reckless handling of US government data. Now a whistleblower claims that DOGE staff put one massive dataset at risk of hacking or leaking: a database containing troves of personal data about US residents, including virtually every American’s Social Security number.

    The complaint from Social Security Administration chief data officer Charles Borges, filed with the Office of the Special Counsel and reviewed by The New York Times, states that DOGE affiliates explicitly overruled security and privacy concerns to upload the SSA database to a cloud server that lacked sufficient security monitoring, “potentially violating multiple federal statutes” in its allegedly reckless handling of the data. Internal DOGE and SSA communications reviewed by the Times shows officials waving off concerns about the data’s lack of sanitization or anonymization before it was uploaded to the server, despite concerns from SSA officials about the lack of security of that data transfer.

    Borges didn’t allege that the data was actually breached or leaked, but Borges emphasized the vulnerability of the data and the immense cost if it were compromised. “Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital health care and food benefits, and the government may be responsible for reissuing every American a new Social Security number at great cost,” Borges wrote.

    Nearly 10 months have passed since the revelation that China’s cyberespionage group known as Salt Typhoon had penetrated US telecoms, spying on Americans’ calls and texts. Now the FBI is warning that the net cast by those hackers may have been far broader than even previously thought, encompassing potential victims in 80 countries. The bureau’s top cyber official, Brett Leatherman, told The Wall Street Journal and The Washington Post that the hackers had shown interest in at least 600 companies, which the FBI notified, though it’s not clear how many of those possible targets the hackers breached or what level of access they achieved. “That global indiscriminate targeting really is something that is outside the norms of cyberspace operations,” Leatherman told the Journal. The FBI says that Salt Typhoon’s telecom hacking alone resulted in the spies gaining access to at least a million call records and targeted the calls and texts of more than a hundred Americans.

    Days after Donald Trump’s Alaska summit with Vladimir Putin, the White House moved to gut its own intelligence ranks. A senior CIA Russia analyst—29 years in service and slated for a coveted overseas post—was abruptly stripped of her clearance, The Washington Post reported. She was one of 37 officials forced out under an August 19 memo from Director of National Intelligence Tulsi Gabbard. The order listed no infractions. To colleagues, it looked like a loyalty purge. The firings have reportedly unsettled the CIA’s rank and file, sending a message that survival depends on hewing intelligence to fit the president’s views.

    On Monday, Gabbard unveiled what she calls “ODNI 2.0,” a restructuring that cuts more than 500 positions and shutters or folds whole offices she deems redundant. The Foreign Malign Influence Center and the Cyber Threat Intelligence Integration Center are being pared back, while the National Intelligence University will be absorbed into the Pentagon’s defense school. Gabbard says the plan will save $700 million a year and depoliticize intelligence. Critics noted, however, a fact sheet published by Gabbard on Monday itemized only a fraction of those savings, and tjeu warned that the overhaul could hollow out the very coordination ODNI was created post-9/11 to provide—discarding expertise and leaving the intelligence fragmented at a time of escalating threats.

    Andy Greenberg, Lily Hay Newman, Dell Cameron

    Source link

  • Exclusive: Crowdstrike CEO George Kurtz on $290 million acquisition of startup Onum and security in the AI age

    Cybersecurity is more than just software, says George Kurtz, CEO and cofounder of CrowdStrike. 

    “What we do at CrowdStrike is as old as time,” he told Fortune. “It’s good versus evil. It’s a human nature story embodied in technology.”

    It’s a battle that’s more urgent and complex than ever, as the rise of AI has ballooned the number of cyber threats and cyber criminals. This makes M&A—a longstanding feature of the cybersecurity sector—more high-stakes than ever. To be sure, some of the biggest deals of 2025 have been in cyber, from Palo Alto Networks’ $25 billion acquisition of CyberArk to Google’s proposed $32 billion acquisition of Wiz

    CrowdStrike, which went public in 2019, is also a longtime acquirer, and today announced its acquisition of data observability startup Onum for about $290 million. CrowdStrike today also announced its Q2 2025 earnings, beating expectations but offering a softer-than-expected revenue outlook sending its shares down roughly 4% in after hours trading. 

    Kurtz exclusively spoke to Fortune about the Onum deal and CrowdStrike’s M&A strategy going forward.

    “We like to get things at the right stage,” he said. “When you look at some of these other acquisitions, like CyberArk, you’re talking about a 20-year-old technology company with a lot of integration risk. These are big companies, and I’ve seen the movie before. When I was at McAfee, we acquired 21 companies, and never quite got them integrated… So, when it comes down to it, we’re maniacally focused on the customer experience, on making sure we’re disciplined enough to get this stuff integrated. We have a great track record of doing that.”

    Onum marks one of CrowdStrike’s early deals since last year’s much-publicized IT outage, which Kurtz says didn’t derail its M&A efforts, but offered a pause. In the aftermath, CrowdStrike set a high bar and refrained from closing any deals, while continuing to talk to companies, entrepreneurs, and VCs, keeping the M&A pipeline active, said Kurtz. The Onum deal ultimately came together in three months. The Madrid-based startup, which counts Dawn Capital and Insight Partners among its VC backers, was especially compelling to CrowdStrike for its real-time pipeline detection—the ability to analyze and detect threats or anomalies in data as it is being ingested into a company’s systems. 

    “If you think about the data we have, we started becoming the Reddit of security data for all these AI models,” said Kurtz. “The more data we get in, the larger the moat we actually have, and the greater the opportunity we have to solve bigger and broader problems from an AI perspective. That’s really driving our vision for AI-native SOC [security operations center]. It’s a natural extension.”

    In part, this is looking towards a future filled with AI agents. 

    “Our goal is to secure every AI agent,” said Kurtz. “Okay, what’s an AI agent? An AI agent is basically superhuman. It has access to data. It has an identity, though it might be a non-human identity. It has access to a workflow, and it has access to systems that are outside of your own boundaries… So, it has all of the exposure that we’re protecting against. 

    In a lot of ways, Onum is a classic CrowdStrike deal. Since 2017, CrowdStrike has acquired eight companies, including Humio in 2021 for $400 million and Flow Security in 2024 for a reported $200 million. 

    “There are some companies that are obviously richly-valued,” Kurtz said. “I think some of these companies don’t realize that they are starting to move into zombieland: You look at their last round valuation, and it might be great for them, but it’s expensive and it’s necessarily actionable for a lot of companies, even ours… So, you start to hit these big, multi-billion dollar valuations with not a lot of ARR, relatively speaking, and your pool of buyers dramatically shrinks. That’s why we like to catch them in the sweet spot of where we can add value, and that value accrues to CrowdStrike’s shareholders.”

    The goal, in the end, remains the same—security, and fighting the bad guys (who now have more weapons to play with). 

    “With gen AI, we’re democratizing destruction,” said Kurtz. “We’re taking a very sophisticated topic known by a relatively few number of people … and now you’re making all that expertise available to many more people. … The biggest thing is that you’re really compressing the timeframe that the good guys have to be able to deal with these problems, because the bad actors are moving so much faster now.” 

    What’s one thing Kurtz is sure of, looking to the future? 

    “We know there’s going to be a greater need for security tomorrow than there is today,” he said.  

    Introducing the 2025 Fortune Global 500, the definitive ranking of the biggest companies in the world. Explore this year’s list.

    Allie Garfinkle

    Source link