techcrunch.com
1:06 PM PST · December 10, 2025
Zack Whittaker
CEO of South Korean retail giant Coupang resigns after massive data breach
Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.
In a statement, Park apologized for the breach, citing a “deep sense of responsibility for the outbreak and the subsequent recovery process.”
Coupang has replaced Park with Harold Rogers, the top lawyer at Coupang’s U.S.-based parent company, according to a machine translation of the company statement.
The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.
The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.
noyb.eu
Blog post by Max Schrems
As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing
Most EU-US data transfers are based on the “Transatlantic Data Privacy Framework” (TADPF) or so-called “Standard Contract Clauses” (SCCs). Both instruments rely on fragile US laws, non-binding regulations and case law that is under attack – and is likely to be blown up in the next months. As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing – and how long the legal “house of cards” that the EU has built is holding up.
Layers of US and EU law.
The “bridge” that the European Commission and previous Democratic US administrations built to allow EU personal data to be processed in the US does not rely on a simple, stable US privacy law. Instead, the EU and the US relied on a wild patchwork of tons of internal guidelines and regulations, Supreme Court case law, US factual “practices” or Executive Orders.
In an attempt to make ends meet, these layers are not supporting each other, but are lined up to generate the thinnest possible connection between EU and US law – meaning that the failure of just one of the many legal elements would likely make most EU-US data transfers instantly illegal. Just like a house of cards, the instability of any individual card will make the house collapse.
Given the enormously destructive approach of the Trump administration, many elements of EU-US transfers are under attack – often not because of any direct intentions. Instead, the current US administration just widely attacks the US legal system and constitutional fabric (with the help of a highly politicised Supreme Court) – with many potential consequences for EU-US data flows.
1st Likely Point of Failure: FTC independence.
This past Monday, the US Supreme Court heard a case about the independence of the Federal Trade Commission (FTC). Ever since a 1935 case (Humphrey's Executor), it has been US Supreme Court case law that the US legislator can create “independent” bodies within the executive branch, which are somewhat isolated from the US President.
A previously fringe theory that, under the US Constitution, all powers of the executive must rest with one person only (the President) has now gained traction among US conservative lawyers. This so-called “unitary executive theory” would make any independent authority, such as the FTC, typically unconstitutional. All powers would need to be concentrated in the President.
In Trump v. Slaughter, the US Supreme Court now heard arguments of an FTC commissioner who was removed by Trump despite all independence guarantees in 15 U.S.C. § 41. Based on the comments and questions of the Judges, it is widely believed (see e.g. The Guardian, CNN or SCOTUS Blog) that the conservative majority on the US Supreme Court will side with Trump and (to one extent or another) follow the “unitary executive theory”, overturning FTC independence.
In combination with the US Supreme Court rulings on absolute immunity of the President, the US would thereby move increasingly towards a system where the President is an absolute “King” – at least for four years.
From a European perspective, FTC independence is a crucial element, because Article 8(3) of the EU Charter of Fundamental Rights (CFR) requires that the processing of personal data is monitored and enforced by an “independent” body. In the TADPF (and previously in the “Safe Harbor” and “Privacy Shield” systems), the EU and the US have agreed to give these powers to the FTC in the US – as such an “independent” body. Section 2.3.4. of the TADPF decision of the European Commission highlights the enforcement role being with the FTC. Recital 61 and Footnote 92 explicitly refer to 15 U.S.C. § 41 as a basis to have the necessary independence guarantees in the US.
No other element in the TADPF has the necessary investigative powers and independence. There is private arbitration as well, but it lacks any investigative powers or relevant enforcement powers. Consequently, any TADPF participant must be either governed by the independent FTC or the DoT (for transport organizations).
Trump v. Slaughter is scheduled to be decided in June or July 2026 at the latest, but could be decided earlier. So, it’s time to “buckle up” on this one and get prepared.
One path could be to switch to SCCs or BCRs, as they do not require an independent US body for enforcement, but also allow the agreement to be made subject to an EU data protection authority. However, there are also massive questions as to how already transferred data can be brought “back” to any EU approved system or even brought “back” to the EU in general. Furthermore, SCCs and BCRs may also be affected by massive shifts in US law (see below).
2nd Likely Point of Failure: Data Protection Review Court.
Directly in connection to Trump v. Slaughter, which deals with oversight in the private sector, the parallel question arises on how the so-called “Data Protection Review Court” (DPRC) can still be relied upon as any form of realistic redress against US government surveillance.
The DPRC has many legal issues (you could easily fill a PhD thesis with these problems), but crucially the DPRC is not a real US court – also because it is not established by law. It is actually a group of people within the executive branch that is solely established by an Executive Order of Biden (EO 14.086, see details below). This group of people may at best be called a “tribunal” from the perspective of Article 6 ECHR, but even this claim is probably an overstatement.
The crux is that, in relation to Trump v. Slaughter, the “independence” of this so-called “Court” is not even established by law (as 15 USC § 41 is for the FTC), but by EO 14.086, i.e. a merely internal Presidential Order that can be changed at any time.
Logically, if the Supreme Court in Trump v. Slaughter holds that independent executive bodies are unconstitutional, it may well be that any independence claims in EO 14.086 itself are (logically) also unconstitutional. This very much depends on the line of arguments that the Supreme Court will use in Trump v. Slaughter, but we may very likely see this as a direct consequence of any broader ruling.
This problem would expand far beyond the TADPF, because other transfer systems (SCCs or BCRs) rely on so-called “Transfer Impact Assessments” (TIAs) that in turn usually point to EO 14.086 and the DPRC as a ground why any EU controller came to the conclusion that US law may not overrule SCCs or BCRs beyond what is permissible under Articles 7, 8 and 47 of the Charter.
If these elements are gone, we are down to Article 49 GDPR for “necessary” transfers (e.g. sending an email to the US, placing an order or booking a hotel or flight), but any “outsourcing” to US cloud providers or SaaS providers would typically not have any viable legal basis anymore.
3rd Likely Point of Failure: EO 14.086.
Beyond changes in US constitutional law, there is also Trump himself as a major risk factor. As explained above, basically all forms of EU-US data transfers rely on a Biden Executive Order (EO 14.086). Trump has repeatedly threatened to overturn this EO. Already on the day of his inauguration, media reports indicated he would blindly overturn all Biden EOs. In the end he signed EO 14.148, which only overturned 68 Biden EOs and 11 Biden Presidential Memoranda – but not EO 14.086.
EO 14.148 demands that all “national security” EOs should have been reviewed within 45 days by the National Security Advisor – this should have happened by 06.03.2025. There were no reports about any subsequent changes. This does not mean that EO 14.086 was not (partially) overturned in the meantime, as the US President can issue “secret” EOs that change the published EO 14.086. Given the erratic actions by Trump, this is not an unlikely scenario.
In a recent outburst on Biden’s use of the so-called Autopen, Trump has declared all Biden EOs signed with autopens void via a Truth Social posting. It is entirely unclear whether EO 14.086 is such an “autopen” EO and if Trump’s social media postings amount to the formal overturning of these EOs. At the same time, one has to wonder if any NSA official feels overly bound by them anymore. It is also not unlikely that the Truth Social posting may be followed up with a formal EO overturning these Biden EOs.
Another indication that EO 14.086 may be on the line is the “Project 2025” agenda for the conservative takeover of the US government. On page 225, the author lashes out against EO 14.086, the EU and the allegedly unfair treatment of the US - so EO 14.086 is clearly on the agenda. To make things even more absurd, the author (Dustin Carmack) is now the new “Republican” lobbyist of Meta – a company that relies on EO 14.086 to justify its EU-US data transfers that were challenged in Schrems I and Schrems II.
Overall, EO 14.086 could fall any moment – and with it the TADPF, and with it almost all TIAs and most SCCs and BCRs.
Many other options.
While this goes beyond this blog post, there are many additional questions as to the many other elements used in the TADPF.
There are obviously still the principal questions to the TADPF ever having achieved “essential equivalence”. For example:
The protections in EO 14.086 were largely a 1:1 copy of an Obama EO called PPD-28, which was rejected by the CJEU in Schrems II.
The extremely high burdens for redress or the lack of any real right to be heard before the DPRC are miles away from Article 47 of the Charter.
The commercial data protection principles of the TADPF do not even require a legal basis (as required in Article 8(2) of the Charter and Article 6(1) of the GDPR), but only require to allow for an opt-out.
Furthermore, there were questions about the independence of the PCLOB or the heavy reliance of the EU on (unwritten) “US practices” – when Trump has shown that he and his administration do not even respect laws, let alone previous “practices”.
What can we do?
In my view, EU governments and controllers must (more than ever) urgently prepare for very likely hits to EU-US data transfers in the next months. The US National Security Strategy has made it clear that the Trump Administration sees Europe more as an enemy than a partner and that European digital legislation is a core focus point of likely US aggression.
The only long-term solution is (unfortunately) to limit any data transfers to US providers, insofar as they have “possession, custody or control” of European personal data. There may be more offers where all factual access from the US is technically impossible – however, so far the only realistic protection that is available on the market is to switch to European providers.
United States Department of Justice
justice.gov
Updated December 10, 2025
Ukrainian National Indicted and Rewards Announced for Co-Conspirators Relating to Destructive Cyberattacks Worldwide
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.
As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.
“Today’s actions demonstrate the Department’s commitment to disrupting malicious Russian cyber activity — whether conducted directly by state actors or their criminal proxies — aimed at furthering Russia’s geopolitical interests,” said Assistant Attorney General for National Security John A. Eisenberg. “We remain steadfast in defending essential services, including food and water systems Americans rely on each day, and holding accountable those who seek to undermine them.”
“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California. “The charges announced today demonstrate our commitment to eradicating global threats to cybersecurity and pursuing malicious cyber actors working on behalf of adversarial foreign interests.”
“When pro-Russia hacktivist groups target our infrastructure, the FBI will use all available tools to expose their activity and hold them accountable,” said Assistant Director Brett Leatherman of the FBI Cyber Division. “Today’s announcement demonstrates the FBI’s commitment to disrupt Russian state-sponsored cyber threats, including reckless criminal groups supported by the GRU. The FBI doesn’t just track cyber adversaries – we work with global partners to bring them to justice.”
“The defendant’s illegal actions to tamper with the nation’s public water systems put communities and the nation’s drinking water resources at risk,” said EPA Acting Assistant Administrator Craig Pritzlaff. “These criminal charges serve as an unequivocal warning to malicious cyber actors in the U.S. and abroad: EPA’s Criminal Investigation Division and our law enforcement partners will not tolerate threats to our nation’s water infrastructure and will pursue justice against those who endanger the American public. EPA is unwavering in its commitment to clean, safe water for all Americans.”
Cyber Army of Russia Reborn
According to the indictment, CARR, also known as Z-Pentest, was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CARR claimed credit for hundreds of cyberattacks against victims worldwide, including attacks against critical infrastructure in the United States, in support of Russia’s geopolitical interests. CARR regularly posted on Telegram claiming credit for its attacks and published photos and videos depicting its attacks. CARR primarily hacked industrial control facilities and conducted DDoS attacks. CARR’s victims included public drinking water systems across several states in the U.S., resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water. CARR also attacked a meat processing facility in Los Angeles in November 2024, spoiling thousands of pounds of meat and triggering an ammonia leak in the facility. CARR has attacked U.S. election infrastructure during U.S. elections, and websites for U.S. nuclear regulatory entities, among other sensitive targets.
An individual operating as “Cyber_1ce_Killer,” a moniker associated with at least one GRU officer, instructed CARR leadership on what kinds of victims CARR should target, and his organization financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services. At times, CARR had more than 100 members, including juveniles, and more than 75,000 followers on Telegram.
The CARR indictment charges Dubranova with one count of conspiracy to damage protected computers and tamper with public water systems, one count of damaging protected computers, one count of access device fraud, and one count of aggravated identity theft. If convicted of these charges, Dubranova would face a statutory maximum penalty of 27 years in federal prison.
NoName057(16)
NoName was a covert project whose membership included multiple employees of The Center for the Study and Network Monitoring of the Youth Environment (CISM), among other cyber actors. CISM was an information technology organization established by order of the President of Russia in October 2018 that purported to, among other things, monitor the safety of the internet for Russian youth.
According to the indictment, NoName claimed credit for hundreds of cyberattacks against victims worldwide in support of Russia’s geopolitical interests. NoName regularly posted on Telegram claiming credit for its attacks and published proof of victim websites being taken offline. The group primarily conducted DDoS cyberattacks using their own proprietary DDoS tool, DDoSia, which relied on network infrastructure around the world created by employees of CISM.
NoName’s victims included government agencies, financial institutions, and critical infrastructure, such as public railways and ports. NoName recruited volunteers from around the world to download DDoSia and used their computers to launch DDoS attacks on the victims that NoName leaders selected. NoName also published a daily leaderboard of volunteers who launched the most DDoS attacks on its Telegram channel and paid top-ranking volunteers in cryptocurrency for their attacks.
The NoName indictment charges Dubranova with one count of conspiracy to damage protected computers. If convicted of this charge, Dubranova would face a statutory maximum penalty of five years in federal prison.
Concurrent with today’s actions, the U.S. Department of State has offered potential rewards for up to $2 million for information on individuals associated with CARR and up to $10 million for information on individuals associated with NoName. Additionally, today the FBI, CISA, NSA, DOE, EPA, and DC3 issued a Joint Cybersecurity Advisory assessing that pro-Russia hacktivist groups, like CARR and NoName, target minimally secured, internet-facing virtual network computing connections to infiltrate (or gain access to) operational technology control devices within critical infrastructure systems to execute attacks against critical infrastructure, resulting in varying degrees of impact, including physical damage.
On July 19, 2024, U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for their roles in cyber operations against U.S. critical infrastructure. These two individuals were the group’s leader and a primary hacker, respectively.
The FBI Los Angeles Field Office investigated the CARR and NoName cases as part of FBI’s Operation Red Circus, an ongoing operation to disrupt Russian state-sponsored cyberthreats to U.S. critical infrastructure and interests abroad.
Assistant U.S. Attorneys Angela Makabali and Alexander Gorin for the Central District of California and Trial Attorney Greg Nicosia of the National Security Division’s National Security Cyber Section are prosecuting these cases. Assistant U.S. Attorney James E. Dochterman for the Central District of California is handling the forfeiture cases. The Justice Department’s Office of International Affairs provided significant assistance for both investigations.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
space.com
By Tereza Pultarova published 2 days ago
An AI start-up has found a vulnerability in security software protecting NASA's ground control communications with satellites in space.
Communications between Earth and NASA spacecraft were critically vulnerable to hacking for years until an AI found the flaw and fixed it in just four days.
The vulnerability was sniffed out by an AI cybersecurity algorithm developed by California-based start-up AISLE and resides in the CryptoLib security software that protects spacecraft-to-ground communications. The vulnerability could have enabled hackers to seize control over countless space missions including NASA's Mars rovers, according to the cybersecurity researchers.
"For three years, the security system meant to protect spacecraft-to-ground communications contained a vulnerability that could undermine that protection," the AISLE cyber-security researchers wrote in a blog post on the company's website describing the vulnerability. "A vulnerability in this software poses a threat to billions of dollars in space infrastructure and the scientific missions they enable."
The researchers said the vulnerability was found in the authentication system and could have been exploited through compromised operator credentials. For example, the attackers could have gained access to user names and passwords of NASA employees through social engineering methods such as phishing, or by infecting computers with viruses uploaded to USB drives and left where personnel could find them.
"The vulnerability transforms what should be routine authentication configuration into a weapon," the researchers wrote. "An attacker … can inject arbitrary commands that execute with full system privileges."
In other words, an attacker could remotely hijack the spacecraft or just intercept the data it is exchanging with ground control.
Fortunately, to gain access to the spacecraft through the CryptoLib vulnerability would require the attackers to, at some point, have local access to the system, which "reduces the attack surface compared to a remotely exploitable flaw," the researchers said in the blog post.
by GPSPATRON and Gdynia Maritime University | GPSPATRON.com
Discover the latest findings on GNSS interference in the Baltic Sea from a joint study by GPSPATRON and Gdynia Maritime University.
Introduction
GNSS interference has become a growing challenge in the Baltic Sea, affecting maritime navigation, aviation, and critical infrastructure. While numerous datasets and services, such as gpsjam.org, spoofing.skai-data-services.com, and flightradar24, report high-altitude GNSS interference based on ADS-B data, there is a significant lack of studies focusing on ground-level interference. Since most critical infrastructure relies on GNSS at ground level, this gap in research leaves many questions unanswered about the real-world impact of interference on essential systems. To bridge this knowledge gap, GPSPATRON and Gdynia Maritime University have established a scientific and technical collaboration aimed at systematically studying GNSS interference at ground level. This partnership combines GPSPATRON’s expertise in real-time GNSS interference monitoring and classification with the Faculty of Navigation at Gdynia Maritime University’s extensive knowledge of how GNSS spoofing and jamming affect maritime navigation, port security, and vessel operations.
The study, conducted from June to November 2024, utilized GPSPATRON’s proprietary GNSS interference monitoring system, integrating the GP-Probe TGE2-CH3 sensor and the GP-Cloud platform. The GP-Probe TGE2-CH3 is a high-end GNSS signal monitoring device designed to capture full-spectrum GNSS signals and transmit them in real time to GP-Cloud for processing. The sensor collects raw signal data, enabling comprehensive analysis of jamming, spoofing, and other anomalies affecting GNSS performance.
GP-Cloud, GPSPATRON’s cloud-based analytics platform, processes and interprets incoming data, identifying interference patterns, classifying anomalies, and providing real-time visualization. By working in tandem, the GP-Probe continuously streams data, while GP-Cloud applies advanced algorithms to detect disruptions, measure their impact, and generate detailed reports.
The sensor was installed on the Faculty of Navigation building at Gdynia Maritime University, directly on the shoreline at approximately 15 meters above sea level. The accompanying screenshot shows the exact installation location on a map, where detection range circles indicate the estimated distances at which interference sources with different antenna heights could be detected.
The primary goal of this research was to characterize the occurrence, patterns, and potential sources of GNSS interference affecting ground-level infrastructure. Unlike previous studies that relied on ADS-B data from aircraft at high altitudes, this research provided a unique perspective by focusing on low-altitude and ground-based disruptions. Through continuous monitoring and spectral analysis, the study aimed to identify the nature of interference, assess its impact on GNSS accuracy, and explore potential mitigation strategies.
This collaborative effort represents a significant step toward understanding and mitigating GNSS interference threats in the Baltic region. The findings contribute valuable insights to maritime authorities, port operators, and regulatory bodies, highlighting the need for enhanced GNSS monitoring capabilities to protect critical navigation and communication systems.
Key Findings
A total of 84 hours of GNSS interference was detected, confirming persistent disruptions in the region, primarily caused by jamming rather than spoofing.
October recorded the highest interference activity, with six major jamming incidents totaling 29 hours, highlighting an intensified interference pattern.
Two primary interference types were identified:
Multi-constellation jamming, detected throughout June to September, indicating broad-spectrum interference affecting multiple GNSS systems.
Multi-tone interference, first observed in October, suggesting a change in jamming tactics, potentially signaling more sophisticated techniques.
Long-duration interference events exceeding 7 hours were recorded, significantly disrupting GNSS-dependent maritime navigation, port operations, and infrastructure reliability.
Severe degradation in GNSS positioning accuracy was observed during interference events, with errors increasing from the nominal 3–5 meters to over 35 meters, posing safety and operational risks.
No correlation was found between terrestrial GNSS interference and ADS-B-based detections, reinforcing the limitations of relying solely on airborne interference monitoring systems to assess threats to ground-level infrastructure.
Strong indications of mobile maritime jamming sources were identified, with interference signals exhibiting movement patterns consistent with vessels navigating in the Baltic Sea.
FinCEN.gov
December 04, 2025
WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.
“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” said FinCEN Director Andrea Gacki. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”
Previous FinCEN Financial Trend Analyses have focused on reported ransomware payments and incidents by the date the activity was filed with FinCEN. Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors.
Reported Ransomware Incidents and Payments Reach All-Time High in 2023
Ransomware incidents and payments reported to FinCEN reached their highest level in 2023 with 1,512 incidents, totaling $1.1 billion in payments—an increase of 77 percent in total payments year-over-year from 2022 to 2023.
Following law enforcement’s disruption of two high-profile ransomware groups, ransomware incidents reported to FinCEN decreased in 2024, with 1,476 incidents, reflecting $734 million in the aggregate value of reported payments in BSA reports.
The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between 2022 and 2024, the most common payment amount range was below $250,000.
FinCEN Data Shows Ransomware Payments Top $2.1B in Just Three Years
During the three-year review period (January 2022 – December 2024), FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments.
During the previous nine-year period (2013 through the end of 2021) FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.
Financial Services, Manufacturing, and Healthcare were the Most Impacted Industries
The manufacturing industry accounted for 456 incidents totaling approximately $284.6 million reported payments; the financial services industry accounted for 432 incidents totaling approximately $365.6 million reported payments; and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million reported payments.
The Onion Router (TOR) was the Most Common Communication Method Reported
Threat actors most often communicated with their intended ransomware targets via messages sent over The Onion Router protocol, accounting for 67 percent of reports that provided the communication method.
Other ransomware threat actors communicated with their intended targets via email or through other private encrypted messaging systems.
ALPHV/BlackCat was the Most Prevalent Ransomware Variant Between 2022 and 2024
FinCEN identified more than 200 ransomware variants reported in BSA data.
The most reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
The 10 variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices. More information on FinCEN’s efforts to combat ransomware, including guidance and other resources for financial institutions, is available at www.fincen.gov/resources/fincen-combats-ransomware.
FinCEN’s FTA is available online at Ransomware Trends in Bank Secrecy Act Data
Questions or comments regarding the contents of this release should be addressed to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.
FinCEN periodically publishes Financial Trend Analyses describing threat pattern and trend information derived from Bank Secrecy Act (BSA) filings to highlight priority illicit finance risks. These analyses provide information that is relevant to a wide range of consumers, businesses, and industries; communicate the value of BSA reporting; and enhance feedback loops between government users of BSA reports and their filers. Additionally, Financial Trend Analyses fulfill FinCEN’s obligations pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.
Freedom Mobile
December 3, 2025
At Freedom Mobile, we take the protection of personal information very seriously. We want to inform you about a recent privacy incident that requires your attention.
On October 23, we detected unauthorized activity on our customer account management platform. Our investigation revealed that a third party used the account of a subcontractor to gain access to the personal information of a limited number of our customers. We quickly identified the incident and implemented corrective measures and security enhancements, including blocking the suspicious accounts and corresponding IP addresses.
While our teams continue to closely monitor the situation to prevent any further unauthorized access, we wanted to inform you of the incident so that you can take precautionary measures.
What personal information was accessed?
First and last name
Home address
Date of birth
Phone number (home and/or cell)
Freedom Mobile account number
Rest assured that this incident did not affect your payment information or passwords.
Although we have no reason to believe that this information was misused, we encourage you to follow best practices to protect your data:
Protect your personal information: Be cautious of any unexpected messages asking for personal information or directing you to a website to enter it. Freedom Mobile will never ask you for personal information such as credit card numbers, banking information, passwords, or PIN codes by email or SMS.
Stay alert with messages: Avoid clicking on links or downloading attachments from emails or texts that seem suspicious.
Monitor your accounts: Regularly check your accounts for unusual or suspicious activity.
To learn more about different types of fraud and how to protect yourself, visit the Canadian Anti-Fraud Centre website at https://antifraudcentre-centreantifraude.ca.
We’re sorry this happened and understand it may cause concern. If you have any questions, please contact us at privacyofficer@freedommobile.ca
Thank you for your attention.
The cyber group "Banished Kitten," operating under the alias "Handala" and affiliated with the Ministry of Intelligence and Security of Iran (MOIS), has once again exposed its own clumsy operations. This time, the group inadvertently revealed confidential access to Suvarnabhumi Airport (BKK) in Bangkok, Thailand, while attempting to claim they had compromised Israeli airport security. As previously reported, "Handala" operates under MOIS's Counter-Terrorism (CT) division, led by Seyed Yahya Hosseini Panjaki (alias "Seyed Yahya Hamidi"), Deputy of Internal Security at MOIS. Hosseini's reckless actions continue to endanger Iran's national interests, further exposing the group's incompetence.
The Blunder
On November 15, 2025, "Handala" published a propaganda piece titled "Smile for the Camera – Handala Is Watching," boasting about access to "Shabak's airport security systems" (Israel's domestic security agency). The post threatened: "Our presence defies your imagination. Handala is not just a name; it's a shadow, a watchful gaze in places you never expect, even at the exit cameras of your airport gates."
There's just one problem: the images aren't from Israel. A simple comparison of the published airport surveillance images with publicly available references clearly identifies the location as Suvarnabhumi Airport (BKK) in Bangkok, Thailand, not Ben Gurion Airport. The evidence is clear: the distinctive exposed steel beam ceiling structure, the immigration hall layout with its recognizable queue barriers, and the terminal's characteristic architecture all unmistakably match Bangkok's main international hub. The images show travelers in the passport control area with Suvarnabhumi's signature industrial ceiling design and escalators visible in the background. Once again, the CT Division's amateur operatives have failed basic operational security. This marks the first time the group has publicly disclosed accessing critical infrastructure outside Israel.
Suvarnabhumi Airport is no small target. According to official statistics, BKK handled 62,234,693 passengers in 2024, making it the busiest airport in Thailand, the 9th busiest airport in Asia, and ranking among the top 25 busiest airports worldwide. The airport serves as a major transit hub connecting Asia, Europe, and the Middle East, with traffic increasing 20% compared to the previous year. Since the airport's third runway opened in November 2024, capacity has expanded to 94 flights per hour, and Suvarnabhumi is investing heavily in becoming a world-class hub.
What makes this breach particularly concerning is the sophistication of the systems potentially compromised. Suvarnabhumi Airport operates AI-powered facial recognition technology, license plate tracking, and integrated CCTV systems across the facility. The airport's Thailand Immigration System (TIS) maintains both "black lists" and "watch lists" with detection capabilities within 20 seconds of passport scanning. If MOIS has access to these systems, they could potentially monitor travelers, track movements, and identify targets passing through one of Asia's busiest transit points.
Warning to Iranians
Dear Iranians: even in Thailand, a popular destination and transit point for Iranian citizens traveling abroad, the oppressive regime is watching you. The Islamic Republic's intelligence apparatus has extended its surveillance to monitor Iranians traveling through Bangkok. Whether for business, tourism, or seeking freedom abroad, your movements may be tracked by Seyed Yahya's amateur operatives. With over 62 million passengers transiting through BKK annually, the potential for surveillance and targeting of Iranian dissidents, activists, and ordinary citizens is significant. It should be noted that Thailand is among the limited countries that Iranian citizens can travel to without needing a visa.
It's no surprise that "Handala" continues to make operational security mistakes. As recently exposed by Iran International, Ali Bermoudeh, a 27-year-old amateur hacker from Tabriz whose passwords for key accounts are simply his birthdate, works for this reckless group. His handler at MOIS is Morteza Aftabifar. When your cyber operators can't distinguish between Tel Aviv and Bangkok, and secure their accounts with passwords like "1377629", perhaps it's time for Seyed Yahya to reconsider his recruitment standards.
Thai authorities should be aware: the Islamic Republic's Ministry of Intelligence has compromised security systems at Suvarnabhumi Airport. This is not speculation. MOIS's own cyber group published the evidence themselves. A breach of this magnitude by a state-sponsored threat actor, one designated as a terrorist organization by the European Union, demands immediate investigation and response. But hey, at least they got the continent right this time. The real question is: what will Thailand do about it?
chosun.com
Coupang Executives Sell Shares After Data Breach
Coupang executives sold shares post-breach; President Lee Jae-myung seeks responsibility
Amid growing calls for accountability against Kim Bom-suk, 47, chairman of Coupang Inc., over the data breach affecting 33.7 million individuals, it has been confirmed that key Coupang executives sold billions of won worth of company stock. The timing of these sales—immediately after the incident—is expected to spark significant controversy.
According to a U.S. Securities and Exchange Commission (SEC) filing on the 2nd (local time), Gaurav Anand, Coupang’s chief financial officer (CFO), reported selling 75,350 Coupang Inc. shares at approximately $29 per share on the 10th of last month. The sale amounted to around $2.186 million (approximately 3.2 billion Korean won). Additionally, former Vice President Pranam Kolari sold 27,388 Coupang shares on the 17th of last month, with the transaction valued at $772,000 (approximately 1.13 billion Korean won). Kolari, who oversaw search and recommendation technologies, resigned on the 14th of last month. However, the SEC confirmed he had notified the company of his resignation on October 15th, prior to the incident.
According to a breach incident report submitted to the Korea Internet & Security Agency (KISA) and obtained by the office of Science, ICT, Broadcasting, and Communications Committee Chairman Representative Choi Min-hee, Coupang reported unauthorized access to its account information at 6:38 p.m. on the 6th of last month. This predates the executives’ stock sales. However, the company recorded the time of awareness as 10:52 p.m. on the 18th of last month. While the sales occurred before the company publicly acknowledged the breach, the transactions took place after the incident itself, making controversy inevitable.
Domestically, criticism has emerged holding Chairman Kim ultimately responsible for the incident. President Lee Jae-myung also stated during a Cabinet meeting on the 2nd, “Coupang has caused significant public concern. The cause of the accident must be identified swiftly, and responsibility must be held strictly,” while instructing measures such as strengthening penalties and implementing a punitive damages system.
cyble.com
December 8, 2025
React2Shell (CVE-2025-55182) was exploited within minutes by China-nexus groups, exposing critical weaknesses in React Server Components.
The vulnerability disclosure cycle has entered a new era, one where the gap between publication and weaponization is measured in minutes, not days. It has been confirmed that China-nexus threat actors began actively exploiting a critical React Server Components flaw, React2Shell, only hours after its public release.
The vulnerability, tracked as CVE-2025-55182, impacts React Server Components across React 19.x and Next.js 15.x/16.x deployments using the App Router and carries a CVSS 10.0 severity rating, enabling unauthenticated remote code execution (RCE).
CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, stating:
“CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.”
The Researcher’s PoCs and the Mechanism of Exploitation
Lachlan Davidson, who is credited with finding this flaw, published the original PoCs on GitHub, explaining:
“As public PoCs are circulating and Google’s Scanner uses a variation of my original submitted PoC, it’s finally a responsible time to share my original PoCs for React2Shell.”
Davidson released three PoCs, 00-very-first-rce-poc, 01-submitted-poc.js, and 02-meow-rce-poc, and summarized the attack chain:
“$@x gives you access to a Chunk”
“We plant its then on our own object”
“The JS runtime automatically unravels nested promises”
“We now re-enter the parser, but with control of a malicious fake Chunk object”
“Planting things on _response lets us access a lot of gadgets”
“RCE”
He also noted that “the publicly recreated PoC… did otherwise use the same _formData gadget that mine did”, though the chaining primitive in his then-based implementation was not universally adopted.
Rapid Weaponization by China-Nexus Groups
AWS detected exploitation beginning within hours of public disclosure on December 3, based on telemetry from its MadPot honeypot infrastructure. The actors included:
Earth Lamia, known for targeting financial, logistics, and government sectors across Latin America, MENA, and Southeast Asia.
Jackpot Panda, primarily focused on East and Southeast Asian organizations aligned with domestic security interests.
AWS stated, “China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.”
Attackers overwhelmingly prioritized speed over precision, firing flawed and incomplete public PoCs at large swaths of the internet in a high-volume scanning wave. Many PoCs made unrealistic assumptions, such as assuming exposed fs, vm, or child_process modules that never appear in real deployments.
Yet this volume-based strategy still identifies edge-case vulnerable configurations.
Technical Analysis: React2Shell in the RSC Flight Protocol
CRIL (Cyble Research and Intelligence Labs) found that at its core, CVE-2025-55182 (React2Shell) is an unsafe deserialization flaw in the React Server Components Flight protocol. It affects:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Across React versions 19.0.0–19.2.0, patched in 19.0.1, 19.1.2, and 19.2.1.
Next.js is additionally vulnerable under CVE-2025-66478, impacting all versions from 14.3.0-canary.77, all unpatched 15.x builds, and all 16.x releases before 16.0.7.
Attack telemetry showed:
Automated scanners with user-agent randomization
Parallel exploitation of CVE-2025-1338
Immediate PoC adoption regardless of accuracy
Manual exploitation attempts, including whoami, id, and /etc/passwd reads
File write attempts such as /tmp/pwned.txt
A concentrated cluster originating from 183[.]6.80.214 executed 116 requests over 52 minutes, demonstrating active operator involvement.
Cloudflare’s Emergency Downtime While Mitigating React2Shell
The severity of React2Shell (CVE-2025-55182) was spotlighted when Cloudflare intentionally took down part of its own network to apply emergency defenses. The outage affected 28% of Cloudflare-served HTTP traffic early Friday.
Cloudflare CTO Dane Knecht clarified that the disruption “was not caused, directly or indirectly, by a cyberattack… Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.”
This incident unfolded as researchers observed attackers hammering the vulnerability, alongside waves of legitimate and fraudulent proofs of concept circulating online.
Global Warnings Ring In
The Australian Cyber Security Centre (ACSC) issued a public notice, stating, “This alert is relevant to all Australian businesses and organizations… ASD’s ACSC is aware of a critical vulnerability in React Server Components… Organizations should review their networks for vulnerable instances of these packages and upgrade to fixed versions.”
Organizations must assume that scanning for React2Shell is continuous and widespread. ACSC outlined some immediate steps for mitigation.
Update all React/Next.js deployments: Verify versions against vulnerable ranges and upgrade to patched releases.
Enable AWS WAF interim protection rules: These block known exploit sequences during patching windows.
Review logs for exploitation indicators: Look for malformed RSC payloads, next-action or rsc-actionid headers, and repeated sequential failures.
Inspect backend systems for post-exploitation behavior: Unexpected execution, unauthorized file writes, or suspicious commands.
Conclusion
The exploitation of React2Shell (CVE-2025-55182) shows how quickly high-severity vulnerabilities in critical and widely adopted components can be weaponized. China-nexus groups and opportunistic actors began targeting the flaw within minutes of disclosure, using shared infrastructure and public PoCs, accurate or not, to launch high-volume attacks. Organizations using React or Next.js App Router must patch immediately and monitor for iterative, operator-driven activity.
Given this tempo, organizations need intelligence and automation that operate in real time. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies by Gartner Peer Insights, provides AI-native security capabilities through platforms such as Cyble Vision and Blaze AI. These systems identify threats early, correlate IOCs across environments, and automate response actions.
Indicators of Compromise
206[.]237.3.150
45[.]77.33.136
143[.]198.92.82
183[.]6.80.214
MITRE ATT&CK Techniques
Tactic Technique ID Technique Name
Initial Access T1190 Exploit Public-Facing Application
Privilege Escalation T1068 Exploitation for Privilege Escalation
bleepingcomputer.com
By Lawrence Abrams
December 6, 2025
Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.
React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.
Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.
On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.
Over 77,000 vulnerable IP addresses
The Shadowserver internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.
The researchers determined that IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, where an HTTP request was sent to servers to exploit the flaw, and a specific response was checked to confirm whether a device was vulnerable.
GreyNoise also recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The researchers say the scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.
Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.
These compromises include intrusions linked to known state-associated Chinese threat actors.
Widespread exploitation of React2Shell
Since its disclosure, researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw.
GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw.
These tests return predictable results while leaving minimal signs of exploitation:
powershell -c "4013841979"
powershell -c "4032043488"
Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory.
powershell -enc <base64>
One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.
According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network.
Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda.
In this exploitation, the threat actors perform reconnaissance on vulnerable servers by using commands such as whoami and id, attempting to write files, and reading /etc/passwd.
Palo Alto Networks also observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security.
"Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security," Justin Moore, Senior Manager at Palo Alto Networks Unit 42, told BleepingComputer via email.
"In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174)."
The deployed malware in these attacks is:
Snowlight: A malware dropper that allows remote attackers to drop additional payloads on breached devices.
Vshell: A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network.
The rush to patch
Due to the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations.
Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Web Application Firewall (WAF) due to its widespread exploitation and severity.
However, the update inadvertently caused an outage affecting numerous websites before the rules were corrected.
CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01.
Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.
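The log review recommended here, and in the ACSC steps in the Cyble piece above, can be scripted. The following is an added example, not code from Cyble, AWS, GreyNoise, BleepingComputer or the React/Next.js projects: it profiles sources sending POST requests with next-action or rsc-actionid headers for user-agent churn and runs of sequential failures, and flags app-server child processes whose command lines match the whoami/id, /etc/passwd, AWS credential and PowerShell probe patterns described in these reports. The JSON log layout, the header values and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
"""Hunt for React2Shell (CVE-2025-55182) exploitation indicators in logs.

Added example for this digest, not vendor or project code.  Assumptions
(constructed): access-log lines are JSON with ts, src, method, path, status,
ua and a headers map (header names compared case-insensitively); process-log
lines are JSON with ts, parent and cmdline; IPs are documentation ranges.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Request-side indicators: server-action headers on POSTs, user-agent churn
# from one source, and runs of failures while flawed public PoCs are retried.
ACTION_HEADERS = ("next-action", "rsc-actionid")
MIN_UA_VARIANTS = 3   # distinct user agents per source => randomization
MIN_FAILURE_RUN = 3   # consecutive 4xx/5xx action requests per source

# Host-side indicators: arithmetic-only PowerShell probes, encoded PowerShell,
# whoami/id recon, /etc/passwd reads and AWS credential reads.
CMD_PATTERNS = [
    ("ps-math-probe", re.compile(r'powershell\s+-c\s+"?\d{6,}"?', re.I)),
    ("ps-encoded", re.compile(r"powershell(\.exe)?\s+(-e|-enc|-encodedcommand)\b", re.I)),
    ("recon", re.compile(r"\b(whoami|id)\b")),
    ("passwd-read", re.compile(r"/etc/passwd")),
    ("aws-creds", re.compile(r"\.aws/(credentials|config)")),
]

@dataclass
class SourceProfile:
    action_posts: int = 0
    user_agents: set = field(default_factory=set)
    longest_failure_run: int = 0
    current_run: int = 0

def profile_access_log(lines):
    """Aggregate per-source statistics for POSTs carrying an RSC action header."""
    profiles = defaultdict(SourceProfile)
    for raw in lines:
        rec = json.loads(raw)
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if rec["method"] != "POST" or not any(h in headers for h in ACTION_HEADERS):
            continue
        p = profiles[rec["src"]]
        p.action_posts += 1
        p.user_agents.add(rec.get("ua", ""))
        if int(rec["status"]) >= 400:   # failed attempt: extend the current run
            p.current_run += 1
            p.longest_failure_run = max(p.longest_failure_run, p.current_run)
        else:                           # a success breaks the run
            p.current_run = 0
    return profiles

def flag_sources(profiles):
    """Return {src: [reasons]} for sources matching the scanning pattern."""
    findings = {}
    for src, p in profiles.items():
        reasons = []
        if len(p.user_agents) >= MIN_UA_VARIANTS:
            reasons.append(f"{len(p.user_agents)} user agents on action requests")
        if p.longest_failure_run >= MIN_FAILURE_RUN:
            reasons.append(f"{p.longest_failure_run} sequential failed action requests")
        if reasons:
            findings[src] = reasons
    return findings

def scan_process_log(lines, server_process="node"):
    """Flag commands spawned by the app server that match post-exploitation patterns."""
    hits = []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("parent") != server_process:
            continue  # only children of the RSC server process matter here
        for name, pattern in CMD_PATTERNS:
            if pattern.search(rec["cmdline"]):
                hits.append((rec["ts"], name, rec["cmdline"]))
                break
    return hits

ACCESS_LOG = [  # constructed sample lines
    '{"ts":"2025-12-04T01:00:01Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"ua":"curl/8.4.0","headers":{"Next-Action":"7f8a"}}',
    '{"ts":"2025-12-04T01:00:02Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"ua":"python-requests/2.31","headers":{"Next-Action":"7f8a"}}',
    '{"ts":"2025-12-04T01:00:03Z","src":"203.0.113.7","method":"POST","path":"/login","status":500,"ua":"Mozilla/5.0","headers":{"Next-Action":"7f8a"}}',
    '{"ts":"2025-12-04T01:00:04Z","src":"203.0.113.7","method":"POST","path":"/","status":200,"ua":"curl/8.4.0","headers":{"rsc-actionid":"7f8a"}}',
    '{"ts":"2025-12-04T01:05:00Z","src":"198.51.100.9","method":"POST","path":"/cart","status":200,"ua":"Mozilla/5.0 (X11)","headers":{"Next-Action":"c0de"}}',
    '{"ts":"2025-12-04T01:05:09Z","src":"198.51.100.9","method":"POST","path":"/cart","status":200,"ua":"Mozilla/5.0 (X11)","headers":{"Next-Action":"c0de"}}',
    '{"ts":"2025-12-04T01:06:00Z","src":"198.51.100.9","method":"GET","path":"/","status":200,"ua":"Mozilla/5.0 (X11)","headers":{}}',
]
PROCESS_LOG = [  # constructed sample lines
    '{"ts":"2025-12-04T01:00:03Z","parent":"node","cmdline":"sh -c whoami"}',
    '{"ts":"2025-12-04T01:00:04Z","parent":"node","cmdline":"powershell -c \\"4013841979\\""}',
    '{"ts":"2025-12-04T01:00:05Z","parent":"node","cmdline":"powershell -enc QUFBQQ=="}',
    '{"ts":"2025-12-04T01:00:06Z","parent":"node","cmdline":"cat /home/app/.aws/credentials"}',
    '{"ts":"2025-12-04T01:07:00Z","parent":"node","cmdline":"/usr/bin/convert upload.png thumb.jpg"}',
    '{"ts":"2025-12-04T01:08:00Z","parent":"cron","cmdline":"/usr/bin/id"}',
]

if __name__ == "__main__":
    for src, reasons in flag_sources(profile_access_log(ACCESS_LOG)).items():
        print(src, "->", "; ".join(reasons))
    for ts, name, cmd in scan_process_log(PROCESS_LOG):
        print(ts, name, cmd)
```

The thresholds are deliberately low for the sample; on production logs they should be tuned against the normal rate of server-action POSTs and failures for the application.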
The Guardian - theguardian.com
Tess McClure
Tue 2 Dec 2025 03.02 CET
For days before the explosions began, the business park had been emptying out. When the bombs went off, they took down empty office blocks and demolished echoing, multi-cuisine food halls. Dynamite toppled a four-storey hospital, silent karaoke complexes, deserted gyms and dorm rooms.
So came the end of KK Park, one of south-east Asia’s most infamous “scam centres”, press releases from Myanmar’s junta declared. The facility had held tens of thousands of people, forced to relentlessly defraud people around the world. Now, it was being levelled piece by piece.
But the park’s operators were long gone: apparently tipped off that a crackdown was coming, they were busily setting up shop elsewhere. More than 1,000 labourers had managed to flee across the border, and some 2,000 others had been detained. But up to 20,000 labourers, likely trafficked and brutalised, had disappeared. Away from the junta’s cameras, scam centres like KK Park have continued to thrive.
So monolithic has the multi-billion dollar global scam industry become that experts say we are entering the era of the “scam state”. Like the narco-state, the term refers to countries where an illicit industry has dug its tentacles deep into legitimate institutions, reshaping the economy, corrupting governments and establishing state reliance on an illegal network.
The raids on KK Park were the latest in a series of highly publicised crackdowns on scam centres across south-east Asia. But regional analysts say these are largely performative or target middling players, amounting to “political theatre” by officials who are under international pressure to crack down on them but have little interest in eliminating a wildly profitable sector.
“It’s a way of playing Whack-a-Mole, where you don’t want to hit a mole,” says Jacob Sims, visiting fellow at Harvard University’s Asia Centre and expert on transnational and cybercrime in the Mekong.
In the past five years scamming, says Sims, has mutated from “small online fraud rings into an industrial-scale political economy”.
“In terms of gross GDP, it’s the dominant economic engine for the entire Mekong sub-region,” he says, “And that means that it’s one of the dominant – if not the dominant – political engine.”
Government spokespeople in Myanmar, Cambodia and Laos did not respond to questions from the Guardian, but Myanmar’s military has previously said it is “working to completely eradicate scam activities from their roots”. The Cambodian government has also described allegations it is home to one of “the world’s largest cybercrime networks supported by the powerful” as “baseless” and “irresponsible”.
Morphing in less than a decade from a world of misspelled emails and implausible Nigerian princes, the industry has become a vast, sophisticated system, raking in tens of billions from victims around the world.
At its heart are “pig-butchering” scams – where a relationship is cultivated online before the scammer pushes their victim to part with their money, often via an “investment” in cryptocurrency. Scammers have harnessed increasingly sophisticated technology to fool targets: using generative AI to translate and drive conversations, deepfake technology to conduct video calls, and mirrored websites to mimic real investment exchanges. One survey found victims were conned for an average of $155,000 (£117,400) each. Most reported losing more than half their net worth.
Those huge potential profits have driven the industrialisation of the scam industry. Estimates of the industry’s global size now range from $70bn into the hundreds of billions – a scale that would put it on a par with the global illicit drug trade. The centres are typically run by transnational criminal networks, often originating from China, but their ground zero has been south-east Asia.
By late 2024, cyber scamming operations in Mekong countries were generating an estimated $44bn (£33.4bn) a year, equivalent to about 40% of the combined formal economy. That figure is considered conservative, and on the rise. “This is a massive growth area,” says Jason Tower, from the Global Initiative against Transnational Organised Crime. “This has become a global illicit market only since 2021 – and we’re now talking about a $70bn-plus-per-year illicit market. If you go back to 2020, it was nowhere near that size.”
In Cambodia, one company alleged by the US government to run scam compounds across the country had $15bn of cryptocurrency targeted in a Department of Justice (DOJ) seizure last month – funds equal to almost half of Cambodia’s economy.
With such huge potential profits, infrastructure has rapidly been built to facilitate it. The hubs thrive in conflict zones and along lawless and poorly regulated border areas. In Laos, officials have told local media around 400 are operating in the Golden Triangle special economic zone. Cyber Scam Monitor – a collective that monitors scamming Telegram channels, police reports, media and satellite data to identify scam compounds – has located 253 suspected sites across Cambodia. Many are enormous, and operating in public view.
The scale of the compounds is itself an indication of how much the states hosting them have been compromised, experts claim.
“These are massive pieces of infrastructure, set up very publicly. You can go to borders and observe them. You can even walk into some of them,” says Tower. “The fact this is happening in a very public way shows just the extreme level of impunity – and the extent to which states are not only tolerating this, but actually, these criminal actors are becoming state embedded.”
Thailand’s deputy finance minister resigned this October following allegations of links to scam operations in Cambodia, which he denies. Chen Zhi, who was recently hit by joint UK and US sanctions for allegedly masterminding the Prince Group scam network, was an adviser to Cambodia’s prime minister. The Prince Group said it “categorically rejects” claims the company or its chairman have engaged in any unlawful activity. In Myanmar, scam centres have become a key financial flow for armed groups. In the Philippines, ex-mayor Alice Guo, who ran a massive scam centre while in office, has just been sentenced to life in prison.
Across south-east Asia, scam masterminds are “operating at a very high level: they’re obtaining diplomatic credentials, they’re becoming advisers … It is massive in terms of the level of state involvement and co-optation,” Tower says.
“It’s quite unprecedented that you have an illicit market of this nature, that is causing global harm, where there’s blatant impunity, and it’s happening in this public way.”
wired.com
Andy Greenberg
The Big Story
Dec 4, 2025 12:00 PM
Privacy stalwart Nicholas Merrill spent a decade fighting an FBI surveillance order. Now he wants to sell you phone service—without knowing almost anything about you.
Nicholas Merrill has spent his career fighting government surveillance. But he would really rather you didn’t call what he’s selling now a “burner phone.”
Yes, he dreams of a future where anyone in the US can get a working smartphone—complete with cellular coverage and data—without revealing their identity, even to the phone company. But to call such anonymous phones “burners” suggests that they’re for something illegal, shady, or at least subversive. The term calls to mind drug dealers or deep-throat confidential sources in parking garages.
With his new startup, Merrill says he instead wants to offer cellular service for your existing phone that makes near-total mobile privacy the permanent, boring default of daily life in the US. “We're not looking to cater to people doing bad things,” says Merrill. “We're trying to help people feel more comfortable living their normal lives, where they're not doing anything wrong, and not feel watched and exploited by giant surveillance and data mining operations. I think it’s not controversial to say the vast majority of people want that.”
That’s the thinking behind Phreeli, the phone carrier startup Merrill launched today, designed to be the most privacy-focused cellular provider available to Americans. Phreeli, as in, “speak freely,” aims to give its user a different sort of privacy from the kind that can be had with end-to-end encrypted texting and calling tools like Signal or WhatsApp. Those apps hide the content of conversations, or even, in Signal’s case, metadata like the identities of who is talking to whom. Phreeli instead wants to offer actual anonymity. It can’t help government agencies or data brokers obtain users’ identifying information because it has almost none to share. The only piece of information the company records about its users when they sign up for a Phreeli phone number is, in fact, a mere ZIP code. That’s the minimum personal data Merrill has determined his company is legally required to keep about its customers for tax purposes.
By asking users for almost no identifiable information, Merrill wants to protect them from one of the most intractable privacy problems in modern technology: Despite whatever surveillance-resistant communications apps you might use, phone carriers will always know which of their customers’ phones are connecting to which cell towers and when. Carriers have frequently handed that information over to data brokers willing to pay for it—or to any FBI or ICE agent who demands it with a court order.
Merrill has some firsthand experience with those demands. Starting in 2004, he fought a landmark, decade-plus legal battle against the FBI and the Department of Justice. As the owner of an internet service provider in the post-9/11 era, Merrill had received a secret order from the bureau to hand over data on a particular user—and he refused. After that, he spent another 15 years building and managing the Calyx Institute, a nonprofit that offers privacy tools like a snooping-resistant version of Android and a free VPN that collects no logs of its users’ activities. “Nick is somebody who is extremely principled and willing to take a stand for his principles,” says Cindy Cohn, who as executive director of the Electronic Frontier Foundation has led the group’s own decades-long fight against government surveillance. “He's careful and thoughtful, but also, at a certain level, kind of fearless.”
More recently, Merrill began to realize he had a chance to achieve a win against surveillance at a more fundamental level: by becoming the phone company. “I started to realize that if I controlled the mobile provider, there would be even more opportunities to create privacy for people,” Merrill says. “If we were able to set up our own network of cell towers globally, we can set the privacy policies of what those towers see and collect.”
Building or buying cell towers across the US for billions of dollars, of course, was not within the budget of Merrill’s dozen-person startup. So he’s created the next best thing: a so-called mobile virtual network operator, or MVNO, a kind of virtual phone carrier that pays one of the big, established ones—in Phreeli’s case, T-Mobile—to use its infrastructure.
The result is something like a cellular prophylactic. The towers are T-Mobile’s, but the contracts with users—and the decisions about what private data to require from them—are Phreeli’s. “You can't control the towers. But what can you do?” he says. “You can separate the personally identifiable information of a person from their activities on the phone system.”
Signing up a customer for phone service without knowing their name is, surprisingly, legal in all 50 states, Merrill says. Anonymously accepting money from users—with payment options other than envelopes of cash—presents more technical challenges. To that end, Phreeli has implemented a new encryption system it calls Double-Blind Armadillo, based on cutting-edge cryptographic protocols known as zero-knowledge proofs. Through a kind of mathematical sleight of hand, those crypto functions are capable of tasks like confirming that a certain phone has had its monthly service paid for, but without keeping any record that links a specific credit card number to that phone. Phreeli users can also pay their bills (or rather, prepay them, since Phreeli has no way to track down anonymous users who owe them money) with tough-to-trace cryptocurrency like Zcash or Monero.
The Jerusalem Post
jpost.com
By JERUSALEM POST STAFF
NOVEMBER 26, 2025 21:02
A new directive would restrict IDF-issued devices to iPhones for lieutenant colonels, reducing the risk of intrusions for senior officers.
The Israel Defense Forces will tighten rules on mobile devices for senior officers and prohibit Android phones on IDF-issued lines, Army Radio reported on Wednesday.
Under the expected order, commanders from the rank of lieutenant colonel and above will be permitted to use only Apple iPhones for official communications. The step is aimed at reducing the risk of intrusions on senior officers’ handsets, according to the report.
Under the plan, the IDF would standardize operating systems at senior echelons to simplify security controls and updates. The IDF has not publicly detailed timelines or exceptions, and there was no immediate comment on whether the policy will cover personal devices used for work.
Why the IDF is acting now
Israeli security officials have long warned that hostile actors use social platforms and messaging apps to target soldiers’ phones and track troop movements. The IDF previously cautioned that Hamas used WhatsApp to solicit information from troops on the Gaza border, urging soldiers to report suspicious messages to commanders.
Military intelligence has also exposed repeated “honeypot” schemes in which operatives posed as women online to lure personnel into installing malware, most notably in Operation HeartBreaker. Analysts noted that such campaigns sought access to contacts, photos, and real-time location data on soldiers’ devices.
IDF staged scenarios mimicking Hezbollah-linked 'honeypots'
The new step follows earlier efforts to harden mobile use across the force, including training and internal drills designed to raise officers’ awareness of social-engineering tactics. In recent years, the IDF even staged scenarios mimicking Hezbollah-linked “honeypots” to stress-test units’ digital discipline.
Army Radio said the directive is expected to be issued in the coming days, with implementation applying to officers from lieutenant colonel up to the general staff. The reported move aligns with a broader push to curb inadvertent exposure from social media and ubiquitous messaging apps that can reveal patterns of life.
In 2019, the IDF warned troops that Hamas was using WhatsApp to gather data on IDF movement near Gaza and instructed soldiers to flag suspicious contacts to their chains of command.
blog.pypi.org
Mike Fiedler
PyPI Admin, Safety & Security Engineer (PSF)
Shai-Hulud is a great worm, not yet a snake. Attack on npm ecosystem may have implications for PyPI.
PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats
An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. This campaign, dubbed Shai-Hulud, has targeted large volumes of packages in the JavaScript ecosystem, exfiltrating credentials to further propagate itself.
PyPI has not been exploited; however, some PyPI credentials were found exposed in compromised repositories. We've revoked these tokens as a precaution; there's no evidence they have been used maliciously. This post raises awareness about the attack and encourages proactive steps to secure your accounts, especially if you're using build platforms to publish packages to PyPI.
How does this relate to PyPI?
This week, a security researcher disclosed long-lived PyPI credentials exposed as part of the Shai-Hulud campaign. The credentials were found in GitHub repositories (stored as repository secrets) and were still valid. We saw a similar attack, enabled by insecure workflow settings, against Ultralytics in 2024.
While the campaign primarily targets npm, some projects use monorepo setups, publishing both JavaScript packages to npmjs.com and Python packages to PyPI from the same repository. When attackers compromise these repositories, they can extract credentials for multiple platforms.
We investigated the reported credentials and found they were associated with accounts that hadn't published recently. We've revoked these credentials and reached out to affected users to advise them to rotate any remaining tokens.
What can I do to protect my PyPI account?
Here are security practices to protect your PyPI account:
Use Trusted Publishing: If you are using a build platform to publish packages to PyPI, consider using a Trusted Publisher. This eliminates the need to manage long-lived authentication tokens, reducing the risk of credential exposure. Trusted Publishing uses short-lived, scoped tokens for each build, minimizing the impact of any potential compromise. This approach has risen in popularity, with other registries like Crates.io, RubyGems, and npmjs.com adopting similar models.
When using GitHub Actions, consider layering in additional security measures, like requiring human approval via GitHub Environments before publishing. This blog post from pyOpenSci has detailed guidance on adding manual review steps to GitHub Actions workflows.
Audit your workflows for misconfiguration: Review your GitHub Actions workflows for any potential security issues. Tools like zizmor and CodeQL can help identify vulnerabilities in your CI/CD pipelines. Run these scanners as automated actions in the repository to catch future issues.
Review your account activity: Regularly check your PyPI account activity for any unauthorized actions. If you notice any suspicious activity, report it to the PyPI security team immediately.
Taking any of these steps helps mitigate the risk of compromise and keeps packages secure.
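As an added example (not PyPI's code, and not the zizmor or CodeQL checks named above): a small line-based audit that flags the weaknesses the practices above describe, a publish step fed a long-lived token from repository secrets with no `id-token: write` permission for Trusted Publishing, and a publish job not bound to a GitHub Environment that could require human approval. Both embedded workflows are constructed; an environment's required reviewers are configured in repository settings, not in the workflow file.

```python
"""Line-oriented audit of a GitHub Actions publish workflow.

Checks for the two things the post recommends: Trusted Publishing (OIDC)
instead of a long-lived PyPI token stored as a repository secret, and a
GitHub Environment gating the publish job so a human can approve it.
Constructed example; not PyPI's, zizmor's or CodeQL's code.
"""
import re

# Constructed "before" workflow: long-lived token passed from secrets,
# no environment gate.
WEAK_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# Constructed "after" workflow: a short-lived OIDC token is minted per run,
# and the job is bound to an environment whose required reviewers are set
# in the repository settings (not in this file).
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

PUBLISH_ACTION = re.compile(r"uses:\s*pypa/gh-action-pypi-publish")
STORED_SECRET = re.compile(r"\b(password|user)\s*:\s*\$\{\{\s*secrets\.")
OIDC_PERMISSION = re.compile(r"^\s*id-token\s*:\s*write\s*$", re.M)
ENVIRONMENT = re.compile(r"^\s*environment\s*:\s*\S", re.M)


def audit_publish_workflow(text: str) -> list:
    """Return a list of findings (empty means nothing was flagged).

    Simplified line-based checks, not a YAML parser: a step that 'uses'
    the PyPI publish action is examined together with the lines that
    follow it up to the next '- ' step marker.
    """
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not PUBLISH_ACTION.search(line):
            continue
        # Collect this step's `with:` block (until the next step begins).
        step = [line]
        for nxt in lines[i + 1:]:
            if nxt.lstrip().startswith("- "):
                break
            step.append(nxt)
        step_text = "\n".join(step)
        if STORED_SECRET.search(step_text):
            findings.append("long-lived PyPI credential passed from repository "
                            "secrets; use Trusted Publishing instead")
        if not OIDC_PERMISSION.search(text):
            findings.append("publish step present but no 'id-token: write' "
                            "permission, so Trusted Publishing cannot mint a token")
    if PUBLISH_ACTION.search(text) and not ENVIRONMENT.search(text):
        findings.append("publish job is not bound to a GitHub Environment; "
                        "no human-approval gate before upload")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_publish_workflow(wf) or ["no findings"])
```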
themoscowtimes.com
Dec. 2, 2025
Hundreds of Porsche vehicles across Russia have been rendered undriveable after a failure in their factory-installed satellite security system, according to reports from owners and dealerships.
Drivers in Moscow, Krasnodar and other cities began reporting sudden engine shutdowns and fuel-delivery blockages last week, effectively immobilizing their vehicles.
Rolf, Russia’s largest dealership group, said service requests spiked on Friday as cars lost connection to their onboard alarm modules, which are linked via satellite.
The outage affects all Porsche models and engine types, and any vehicle could potentially lock itself automatically, a Rolf representative told the RBC news website.
“It’s possible this was done deliberately,” the representative was quoted as saying, though no evidence has emerged to support that claim.
Owners’ groups say the problem appears tied to the Vehicle Tracking System, or VTS, which is an onboard security module.
The Russian Porsche Macan Club said some drivers had restored function by disabling or rebooting the VTS, while others reported success after disconnecting their car batteries for up to 10 hours, according to the Telegram channel Mash.
Rolf said specialists were still investigating the root cause of the problem. Porsche’s office in Russia and its global headquarters in Germany have not yet commented on the system failure.
Porsche halted deliveries and suspended its commercial operations in Russia after the full-scale invasion of Ukraine in February 2022. However, the company still retains ownership of three subsidiaries in the country, which it has so far been unable to sell.
The Guardian
Dan Milmo Global technology editor.
Wed 3 Dec 2025 07.00 CET
Researchers uncovered 354 AI-focused accounts that had accumulated 4.5bn views in a month
Hundreds of accounts on TikTok are garnering billions of views by pumping out AI-generated content, including anti-immigrant and sexualised material, according to a report.
Researchers said they had uncovered 354 AI-focused accounts pushing 43,000 posts made with generative AI tools and accumulating 4.5bn views over a month-long period.
According to AI Forensics, a Paris-based non-profit, some of these accounts attempt to game TikTok’s algorithm – which decides what content users see – by posting large amounts of content in the hope that it goes viral.
One posted up to 70 times a day or at the same time of day, an indication of an automated account, and most of the accounts were launched at the beginning of the year.
Last month TikTok revealed there were at least 1.3bn AI-generated posts on the platform. More than 100m pieces of content are uploaded to the platform every day, indicating that labelled AI material is a small part of TikTok’s catalogue. TikTok is also giving users the option of reducing the amount of AI content they see.
Of the accounts that posted content most frequently, half focused on content related to the female body. “These AI women are always stereotypically attractive, with sexualised attire or cleavage,” the report said.
AI Forensics found the accounts did not label half of the content they posted and less than 2% carried the TikTok label for AI content – which the nonprofit warned could increase the material’s deceptive potential. Researchers added that the accounts sometimes escape TikTok’s moderation for months, despite posting content barred by its terms of service.
Dozens of the accounts revealed in the study have subsequently been deleted, researchers said, indicating that some had been taken down by moderators.
Some of the content took the form of fake broadcast news segments with anti-immigrant narratives and material sexualising female bodies, including girls that appeared to be underage. The female body category accounted for half of the top 10 most active accounts, said AI Forensics, while some of the fake news pieces featured known broadcasting brands such as Sky News and ABC.
Some of the posts have been taken down by TikTok after they were referred to the platform by the Guardian.
TikTok said the report’s claims were “unsubstantiated” and the researchers had singled it out for an issue that was affecting multiple platforms. In August the Guardian revealed that nearly one in 10 of the fastest growing YouTube channels globally were showing only AI-generated content.
“On TikTok, we remove harmful AIGC [artificial intelligence-generated content], block hundreds of millions of bot accounts from being created, invest in industry-leading AI-labelling technologies and empower people with tools and education to control how they experience this content on our platform,” a TikTok spokesperson said.
The most popular accounts highlighted by AI Forensics in terms of views had posted “slop”, the term for AI-made content that is nonsensical, bizarre and designed to clutter up people’s social media feeds – such as animals competing in an Olympic diving contest or talking babies. The researchers acknowledged that some of the slop content was “entertaining” and “cute”.
TechCrunch
Zack Whittaker
10:55 AM PST · December 3, 2025
Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.
Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.
Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.
Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place. The company counts more than 700 banking and credit union customers on its website. As such, Marquis has access to and stores large amounts of data belonging to consumer banking customers across the United States.
At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.
Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.
Marquis said in its notice with Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.
The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.
Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.
According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before it was maliciously exploited by hackers.
Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time.
TechCrunch asked Marquis if it is aware of the total number of people affected by the breach, and if Marquis received any communication from the hackers or if the company paid a ransom, but we did not hear back by the time of publication.
sicuranext.com
Claudio Bono
01 Dec 2025
Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. The goal was simple: get better visibility into what attackers are actually doing, not what they were doing six months ago.
Last quarter's numbers hit harder than we expected: 42,000+ validated URLs and domains, all actively serving phishing kits, command-and-control infrastructure, or payload delivery.
This isn't your grandfather's phishing problem. We're not talking about misspelled PayPal domains and broken English. What we're seeing is organized, efficient, and frankly, impressive in all the wrong ways. This research breaks down the infrastructure, TTPs, and operational patterns behind modern phishing—and what it means for anyone trying to defend against it.
Finding #1: All Roads Lead to Cloudflare
Here's the headline: 68% of all phishing infrastructure we tracked lives on Cloudflare.
Provider     Domains   % of Total
Cloudflare   17,202    68.0%
GCP           3,414    13.5%
AWS           2,185     8.6%
Azure         1,355     5.4%
This isn't random. Cloudflare's free tier is a gift to threat actors—zero upfront cost, world-class DDoS protection (yes, really), and proxy services that completely mask origin servers. Good luck tracking down the actual host when everything's bouncing through Cloudflare's edge network.
We're seeing thousands of malicious domains clustered on AS13335 alone. That's Cloudflare's primary ASN, and it's become the de facto home base for phishing operations worldwide.
The CDN Divide: Two Strategies, One Ecosystem
When we looked at the 12,635 unique IPs hosting these IOCs, a clear pattern emerged. The threat landscape has forked:
51.54% direct hosting – Think disposable infrastructure. Spin it up fast, burn it down faster. Perfect for smishing blasts and hit-and-run campaigns.
48.46% CDN/proxy-protected – The long game. These setups are built to survive, leveraging CDNs (92% Cloudflare, naturally) for origin obfuscation and anti-takedown resilience.
Here's the problem: your IP-based blocking protection? It works on roughly half the threat landscape. The other half just laughs at you from behind Cloudflare's proxy. You need URL filtering, domain heuristics, and TLS fingerprinting now. IP blocks alone are a coin flip.
And before anyone says "these domains must be unstable", we saw a 96.16% mean DNS resolution rate. These operators run infrastructure like a Fortune 500 company. High availability, minimal downtime, proper DevOps hygiene. It's professional-grade crime.
Finding #2: Abusing Trust at Scale
Forget .xyz and .tk domains. Attackers have moved upmarket.
TLD    Count    Why They Use It
.com   11,324   Universal legitimacy
.dev    7,389   Targets developers
.app    2,992   Mobile/SaaS impersonation
.io     2,425   Tech sector credibility
.cc     1,745   Cheap, minimal oversight
The surge in .dev and .app domains tells you everything. Attackers aren't just going after your CFO anymore: they're targeting developers. Fake GitHub OAuth flows, spoofed Vercel deployment pages, bogus npm package sites. They're hunting credentials from the people who actually understand security, betting (correctly) that a something.dev domain gets less scrutiny than something-phishing.tk.
Free Hosting: The Perfect Cover
Now pair this with free hosting platforms, and you get a disaster: 72% of domains in our dataset used obfuscation via legitimate services.
Vercel: 1,942 domains
GitHub Pages: 1,540 domains
GoDaddy Sites: 734 domains
Webflow: 669 domains
Try explaining to your CISO why you need to block github.io or vercel.app. You can't. Your developers need those. Your business uses those. Attackers know this, and they're weaponizing it. Domain reputation systems collapse when every phishing page sits under a trusted parent domain.
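As an added example (not part of the original research or its pipeline): turning an IOC list into block decisions that reflect the two findings above, the CDN divide (an IP block only reaches directly hosted pages) and the free-hosting problem (a page under github.io or vercel.app must be blocked by full hostname, never by its parent domain). The IOC records, their addresses and all ASNs except AS13335 are constructed; the set of shared-platform parent domains is an assumption limited to the two named in the text.

```python
"""Turn a phishing IOC list into block decisions that respect two findings:
CDN-fronted hosts cannot be blocked by IP, and phishing pages on shared
hosting platforms must be blocked by full hostname, not by parent domain.
Constructed example, not sicuranext's pipeline.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# ASN the post names as Cloudflare's primary. Other CDN/proxy ASNs would
# be added here (assumption: the set is maintained by hand).
PROXY_ASNS = {13335}

# Parent domains of free hosting platforms whose subdomains are handed out
# to arbitrary users (the two named in the text). Blocking the parent would
# also block every legitimate project hosted there.
SHARED_PLATFORMS = {"github.io", "vercel.app"}


@dataclass(frozen=True)
class Ioc:
    hostname: str   # hostname of the phishing page
    ip: str         # address it currently resolves to
    asn: int        # ASN announcing that address


# Constructed sample: TEST-NET addresses, private-use ASNs for direct hosts.
SAMPLE_IOCS = [
    Ioc("login-meta-verify.com", "203.0.113.10", 64496),   # direct hosting
    Ioc("secure-payp4l.dev", "198.51.100.7", 13335),       # behind Cloudflare
    Ioc("acct-recovery.vercel.app", "198.51.100.8", 13335),  # CDN + shared platform
    Ioc("wallet-sync.github.io", "203.0.113.11", 64497),   # direct + shared platform
]


def registrable_domain(hostname: str) -> str:
    """Last two labels (a simplification: no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def plan_blocks(iocs):
    """Return (ip_blocks, hostname_blocks, domain_blocks, ip_coverage).

    ip_coverage is the fraction of IOCs that an IP block alone would stop,
    i.e. the share that is hosted directly rather than behind a proxy ASN.
    """
    ip_blocks, hostname_blocks, domain_blocks = set(), set(), set()
    direct = 0
    for ioc in iocs:
        ip_address(ioc.ip)  # raises ValueError on malformed input
        if ioc.asn not in PROXY_ASNS:
            direct += 1
            ip_blocks.add(ioc.ip)
        # else: the address is a CDN edge; blocking it hits the CDN, not
        # the origin, so only the name-based rules below apply.
        parent = registrable_domain(ioc.hostname)
        if parent in SHARED_PLATFORMS:
            hostname_blocks.add(ioc.hostname.lower())  # never block the parent
        else:
            domain_blocks.add(parent)
    coverage = direct / len(iocs) if iocs else 0.0
    return ip_blocks, hostname_blocks, domain_blocks, coverage


if __name__ == "__main__":
    ips, hosts, doms, cov = plan_blocks(SAMPLE_IOCS)
    print(f"IP blocks cover {cov:.0%} of IOCs:", sorted(ips))
    print("hostname-level blocks:", sorted(hosts))
    print("domain-level blocks:", sorted(doms))
```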
Finding #3: PhaaS and the Industrialization of Crime
We need to stop calling these "phishing kits." That undersells what we're dealing with.
What we're seeing is Phishing-as-a-Service (PhaaS): full-stack criminal SaaS platforms. Services like Caffeine (now offline) and W3LL offer subscription-based access to complete attack infrastructure: hosting, templates, exfiltration pipelines, even customer support. They've turned phishing into a commodity anyone can buy.
The real nightmare feature? MFA bypass. Kits like EvilProxy and Tycoon 2FA don't bother stealing passwords anymore. They operate as adversary-in-the-middle (AitM) proxies, sitting between the victim and the legitimate service. User authenticates, kit intercepts, passes creds through to the real site, then steals the resulting session cookie. No password needed. No MFA challenge. Just instant account access.
These platforms also ship with serious evasion tech:
Geofencing to block security researchers by IP range
User-Agent-based cloaking that serves different content depending on the browser's user agent: often the final landing page is only visible from mobile browsers
DevTools detection (open F12 and the page immediately stops working)
Cloudflare CAPTCHA to filter out automated scanners
Over the past four months, we identified 20 distinct phishing clusters based on shared infrastructure fingerprints: same rotated IPs, same registrars, identical evasion patterns and obfuscation methods. This isn't a bunch of script kiddies copying code. It's coordinated, engineered operations with centralized data management and exfiltration workflows.
Almost 60% of the observed IOCs are assessed to be linked to PhaaS. This points to a global tendency to separate those who build and run the actual infrastructure from those (often non-technical users) who rent it for a fee, hoping to profit by reselling stolen data.
Finding #4: Meta in the Crosshairs
If there's one target dominating the landscape, it's Meta. 10,267 mentions: 42% of all brand impersonation we tracked.
Brand     Mentions   Attack Type
Meta      10,267     Facebook/Instagram/WhatsApp creds
Amazon     2,617     Payment data, account takeover
Netflix    2,450     Subscription scams
PayPal     1,993     Financial fraud, redirects
Stripe     1,571     Merchant account compromise
Why Meta? Three billion users. Multiple attack surfaces. Credential reuse across platforms. It's target-rich and full of high-value accounts. The focus on Stripe and PayPal shows attackers aren't just after creds anymore: they're after money. Direct financial fraud, merchant compromise, payment interception.
What This Means for Defense
The era of "just block the domain" is over. We're up against industrialized, adaptive, professionally-run adversaries. Deterministic detection is dead. You can't regex your way out of this anymore; defenses need to evolve:
CDN-aware detection – IP blocking is 50% effective at best
Behavioral analysis – Focus on session anomalies, not just domains
TLS fingerprinting – Track certificate patterns and issuance velocity
Hunt for PhaaS indicators – Cluster campaigns by shared infrastructure
User education that doesn't suck – Stop teaching domain typosquatting or http vs https concepts: show people what a real scenario looks like in practice.
This isn't FUD. This is what 42,000 live phishing sites look like when you actually go hunting for them. The threat is real, it's organized, and it's not slowing down.
What Comes Next: Diving Deep into the Criminal Engine
In our next in-depth analysis, we will reveal the real infrastructure that powers this industrialization. We will guide you step by step through a modern and complex PhaaS platform, demonstrating exactly how the TTPs described in this article function in a real operational environment.
The Record from Recorded Future News
therecord.media
Jonathan Greig
December 1st, 2025
A recent cyberattack on South Korea’s largest cryptocurrency exchange was allegedly conducted by a North Korean government-backed hacking group.
Yonhap News Agency reported on Friday that South Korean government officials are involved in the investigation surrounding $30 million worth of cryptocurrency that was stolen from Upbit on Wednesday evening.
On Friday, South Korean officials told the news outlet that North Korea’s Lazarus hacking group was likely involved in the theft based on the tactics used to break into the cryptocurrency platform and the methods deployed to launder the stolen funds.
Investigators believe the hackers impersonated administrators at Upbit before transferring about $30 million.
In a statement, the company called the theft an “abnormal withdrawal” and said it is in the process of investigating the attack.
Oh Kyung-seok, CEO of parent company Dunamu, added that the platform has suspended deposits and withdrawals.
All losses will be covered by Upbit. The attack came one day after South Korean internet giant Naver purchased Dunamu for $10 billion.
“After detecting the abnormal withdrawal, Upbit immediately conducted an emergency security review of the relevant network and wallet systems,” the CEO said. “To prevent further abnormal transfers, all assets have been transferred to a secure cold wallet.”
Upbit tracked some of the stolen funds to another wallet on Thursday and is trying to freeze some of the assets so they cannot be moved further.
Investigators noted that the attack bears the hallmarks of a previous incident in 2019 when about $40 million was stolen from Upbit. That attack was also attributed to Lazarus — one of the most prolific state-backed hacking groups.
Lazarus is allegedly organized within the North Korean Reconnaissance General Bureau and has stolen billions of dollars' worth of cryptocurrency over the last nine years. Blockchain monitoring firm Chainalysis says hacking groups connected to North Korea’s government stole $1.3 billion worth of cryptocurrency across 47 incidents in 2024.
The group is accused of stealing $1.5 billion from Dubai-based crypto platform Bybit in February. The United Nations said last year that it is tracking dozens of incidents over a five-year period that have netted North Korea $3 billion.