Cyberveille curated by Decio
Alleged cybercrime kingpin arrested and extradited from Cambodia to China https://edition.cnn.com/2026/01/07/asia/chen-zhi-arrest-extradition-cambodia-china-intl-hnk
17/01/2026 18:05:25

CNN (cnn.com)
By Helen Regan

A prominent tycoon wanted by United States federal prosecutors for allegedly running one of Asia’s largest transnational criminal networks has been arrested and extradited to China, Cambodian authorities and Chinese state media said.

Chen Zhi, 38, a national of China and Cambodia, was extradited on Tuesday after a months-long investigation by the two countries, Cambodia’s Interior Ministry said in a statement a day later. Chen’s Cambodian citizenship had been revoked, the ministry added.

The operation was conducted at the request of the Chinese government, the ministry said, though it is unclear what charges Chen faces in China. He was arrested alongside two other Chinese nationals.

Chen is the founder and chairman of Prince Group, which bills itself as one of Cambodia’s biggest conglomerates, with investments in luxury real estate, banking services, hotels, and major construction developments.

But US federal prosecutors say his business empire was fueled by forced labor and cryptocurrency scams that conned victims the world over and at one point were allegedly earning Chen and his associates $30 million every day.

In October, the US Treasury Department and UK Foreign Office sanctioned Prince Group and dozens of its affiliates, designating them transnational criminal organizations. Chen was charged in absentia in New York with money laundering conspiracy and wire fraud conspiracy, along with several associates.

Prosecutors also seized $15 billion in cryptocurrency from Chen following a years-long investigation, in what the Justice Department said was the largest forfeiture action in its history.

Since the indictment was announced, several other jurisdictions including Singapore, Thailand, Hong Kong and Taiwan announced seizures or freezes of hundreds of millions of dollars in assets linked to Chen.

CNN has reached out to lawyers representing Prince Group for comment on Chen’s arrest. Prince Group has previously denied engaging in unlawful activity, calling the allegations “baseless” and “aimed at justifying the unlawful seizure of assets,” according to a statement published on its website.

Chinese state media CCTV released footage Thursday of a handcuffed and hooded Chen being escorted from an airplane by Chinese security forces following his extradition.
“At present, Chen Zhi has been placed under compulsory criminal measures in accordance with the law, and the related cases are under further investigation,” the Ministry of Public Security said in a statement. It described Chen as “the ringleader of a major cross-border online gambling and fraud criminal syndicate.”

Chinese authorities will also issue wanted notices “for the first group of key members of the Chen Zhi criminal syndicate and will resolutely apprehend all fugitives and bring them to justice,” a ministry official said.

Cambodia has recently come under more pressure to act against the scam networks operating within its borders. In its statement, the interior ministry said Chen’s arrest was “within the scope of cooperation in combating transnational crime.”

The United Nations Office of Drugs and Crime has said the criminal networks that run the scam hubs are evolving at an unprecedented scale, despite highly publicized crackdowns last year.

“This arrest reflects sustained international pressure finally reaching a point where continued inaction became untenable for Phnom Penh,” said Jacob Sims, visiting fellow at Harvard University’s Asia Center and a transnational crime expert.

“It defused escalating Western scrutiny while aligning with Beijing’s likely preference to keep a politically sensitive case out of US and UK courts.”

What does arrest mean for US charges?
Analysts say Chen’s extradition to China will mean it is “highly unlikely” he will face justice in the US, at least in the short term. China does not have an extradition treaty with the US and the two countries are embroiled in a deepening geopolitical and economic rivalry.

“This outcome effectively shields Chen from US jurisdiction,” said Sims.

The global scam industry, much of it centered in Southeast Asia, is estimated to be worth between $50 billion and $70 billion. In 2023 it conned victims in the United States alone out of at least $10 billion.

The massive industry relies on hundreds of thousands of people who have been trafficked or lured to work in heavily guarded scam compounds, where they are forced to carry out investment or romance scams known as “pig butchering,” to con ordinary people out of their life savings.

US prosecutors allege Chen and others operated at least 10 forced labor camps across Cambodia since 2015 to engage in cryptocurrency investment schemes under the threat of violence.

Authorities allege they laundered criminal proceeds through the business and bribed government officials to stay ahead of criminal investigations and raids on the compounds.

Prince Group, American and British authorities allege, was the umbrella for more than 100 shell companies and entities allegedly used to funnel laundered cash across 12 countries and territories from Singapore to St Kitts and Nevis.

Chen and others used the stolen money to buy Picasso artwork, private jets and properties in upscale neighborhoods of London, as well as supplying bribes to public officials, according to prosecutors in New York.

Analysts say Chen faces a number of outstanding legal issues in China, though the charges remain opaque and have not compelled his extradition until now.

“What is clear, however, is that Beijing has strong incentives to handle this quietly and internally, given the political sensitivities surrounding his business empire, its regional ties, and in particular, a number of reported ties to various Chinese government officials,” Sims said.

cnn.com EN 2026 China tycoon kingpin arrested busted
ICE Agent Doxxing Platform was Crippled After Coordinated DDoS Attack – Hackread – Cybersecurity News, Data Breaches, AI, and More https://hackread.com/ice-agent-doxxing-platform-ddos-attack/
17/01/2026 17:57:53

The activist website called “ICE List” was offline after a massive DDoS attack. The crash followed a leak of 4,500 federal agent names linked to the Renee Nicole Good shooting.
The website ICE List, also known as the ICE List Wiki, was crippled by a major cyber attack after it prepared to publish the identities of thousands of federal agents in the United States, particularly those associated with Immigration and Customs Enforcement (ICE).

The site’s founder, Netherlands-based activist Dominick Skinner, confirmed that a massive DDoS attack began flooding their servers on Tuesday evening last week.

For your information, a DDoS attack works by flooding a website with so much fake traffic that it eventually crashes. Skinner told reporters that the length and intensity of this attack suggest a deliberate, organised effort to keep the leaked information from reaching the public.

The Shooting That Sparked the Leak
According to The Daily Beast, the data at the centre of this battle was provided by a whistleblower from the Department of Homeland Security (DHS). The leak reportedly includes the names, personal phone numbers, and work histories of roughly 4,500 employees from ICE and Border Patrol.

Further probing revealed that the whistleblower was moved to act following the death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026.

Within hours of the shooting, activists managed to identify the agent involved as Jonathan E. Ross. Skinner noted that for the whistleblower, this tragic incident was the “last straw,” leading them to hand over a dataset full of work emails, job titles, and résumé-style background info.

Identifying the Attackers
While the site is back online, Skinner observed that much of the malicious traffic appeared to originate from a bot farm in Russia. However, it is nearly impossible to track the true source, as in the world of hacking, proxies are often used to bounce signals through different countries to hide a person’s tracks. Skinner described the attack as “sophisticated,” suggesting that the attackers are highly determined to keep the names hidden.

Skinner’s team continues to operate out of the Netherlands to stay beyond the immediate reach of US authorities. Despite the crash, they remain committed to the project with plans to move to more secure servers. They plan to publish most of the names, though they intend to omit certain staff members, such as nurses or childcare workers.

hackread.com EN 2026 doxxing US Platform ICE-List
Commission opens call for evidence on Open-Source Digital Ecosystems | Shaping Europe’s digital future https://digital-strategy.ec.europa.eu/en/news/commission-opens-call-evidence-open-source-digital-ecosystems?pk_source=ec_newsroom&pk_medium=email&pk_campaign=Shaping%20Europe%27s%20Digital%20Future%20website%20updates/en
17/01/2026 17:47:07

digital-strategy.ec.europa.eu
DIGIBYTE
Publication 12 January 2026

The European Commission has launched a call for evidence on the upcoming European Open Digital Ecosystem Strategy - an initiative that will support EU ambitions to secure technological sovereignty.


Boosting European technological sovereignty is a key priority for the Commission with the open source sector considered particularly important to European ambitions. The Commission plans to set out a strategic approach to the open source sector in the EU and present a review of the 2020-2023 open source software strategy.

While across the EU there are thriving communities of open source developers whose work is aligned with EU digital rights and principles, European governments and companies are heavily dependent on non-EU digital technologies, hampering choice and competitiveness and creating challenges for cybersecurity. Open source software underpins 70-90% of all code in the digital economy, yet of the value generated by European open-source communities flows outside the EU, often benefiting tech giants elsewhere. With the importance of open source only growing, including in key sectors such as high-performance computing and edge computing, a strategic approach is critical.

However, EU stakeholders face significant barriers, including limited access to growth capital and essential infrastructure. Supporting communities through research programmes alone has proven insufficient for successful scaling of open source solutions.

The forthcoming strategy will complement the forthcoming Cloud and AI Development Act and builds on successful EU initiatives such as the Next Generation Internet programme and the recently launched Digital Commons European Digital Infrastructure Consortium (EDIC).

The Commission invites input from open source communities, developers, companies, public administrations, industry, and research institutions. Stakeholders are specifically asked to identify barriers to open source adoption, demonstrate the added value of open source and share suggestions for concrete EU level measures to strengthen the ecosystem.

The final strategy, expected in Q1 2026, will establish a comprehensive framework supporting the entire open source lifecycle from development to market integration.

The consultation will close on 3 February 2026. Feedback can be submitted on the Commission Have Your Say platform.

digital-strategy.ec.europa.eu EN 2026 open-source EU Commission
Supreme Court hacker posted stolen government data on Instagram https://techcrunch.com/2026/01/16/supreme-court-hacker-posted-stolen-government-data-on-instagram/
17/01/2026 17:22:38

TechCrunch (techcrunch.com)

Lorenzo Franceschi-Bicchierai
12:01 PM PST · January 16, 2026

Nicholas Moore pleaded guilty to stealing victims’ information from the Supreme Court and other federal government agencies, and then posting it on his Instagram @ihackthegovernment.

A hacker posted the personal data of several of his hacking victims on his Instagram account, @ihackthegovernment, according to a court document.

Last week, Nicholas Moore, 24, a resident of Springfield, Tennessee, pleaded guilty to repeatedly hacking into the U.S. Supreme Court’s electronic document filing system. At the time, there were no details about the specifics of the hacking crimes Moore was admitting to.

On Friday, a newly filed document — first spotted by Court Watch’s Seamus Hughes — revealed more details about Moore’s hacks. Per the filing, Moore hacked not only into the Supreme Court systems, but also the network of AmeriCorps, a government agency that runs stipend volunteer programs, and the systems of the Department of Veterans Affairs, which provides healthcare and welfare to military veterans.

Moore accessed those systems using stolen credentials of users who were authorized to access them. Once he gained access to those victims’ accounts, Moore accessed and stole their personal data and posted some online to his Instagram account: @ihackthegovernment.

In the case of the Supreme Court victim, identified as GS, Moore posted their name and “current and past electronic filing records.”

In the case of the AmeriCorps victim, identified as SM, Moore boasted that he had access to the organization’s servers and published the victim’s “name, date of birth, email address, home address, phone number, citizenship status, veteran status, service history, and the last four digits of his social security number.”

And, in the case of the victim at the Department of Veterans Affairs, identified as HW, Moore posted the victim’s identifiable health information “when he sent an associate a screenshot from HW’s MyHealtheVet account that identified HW and showed the medications he had been prescribed.”

According to the court document, Moore faces a maximum sentence of one year in prison and a maximum fine of $100,000.

techcrunch.com EN 2026 Moore @ihackthegovernment MyHealtheVet AmeriCorps US data-leak
After Goldman, JPMorgan Discloses Law Firm Data Breach https://www.securityweek.com/after-goldman-jpmorgan-discloses-law-firm-data-breach/
17/01/2026 17:19:00

securityweek.com
By Eduard Kovacs | January 13, 2026 (12:09 PM ET)

The law firm Fried Frank seems to be informing high-profile clients about a recent data security incident.
JPMorgan Chase is informing some investors about a data breach stemming from a recent cybersecurity incident at an outside law firm. The same incident triggered a similar data breach notice from Goldman Sachs in December 2025.

The Maine Attorney General’s Office requires companies that have suffered a data breach impacting the state’s residents to submit a report and a copy of the notification letter sent to affected individuals.

JPMorgan Chase submitted such a notification to the Maine AGO on Tuesday, revealing that investors in a private equity fund have been impacted by a data breach linked to an incident at the law firm Fried, Frank, Harris, Shriver & Jacobson LLP.

The notification letters reveal that an “unauthorized third party” copied files from a Fried Frank shared network drive. Some of the files contained the personal information of individuals who invested in the JPMorgan fund.

The compromised information includes names, contact information, account numbers, SSNs, and passport or other government ID numbers.

JPMorgan told the Maine AGO that a total of 659 individuals are affected by the data breach.

The banking giant’s disclosure mirrors a similar warning issued by Goldman Sachs in late 2025.

According to Goldman’s notification to impacted investors, Fried Frank told the company that “based on the steps it has taken to date, it believes that any data exposed in the incident is unlikely to be distributed or used improperly”.

Both Wall Street titans highlighted that their own systems were not compromised.

Fried Frank is facing lawsuits over the data breach.

It’s unclear who is behind the intrusion. SecurityWeek has not seen any ransomware group taking credit for an attack on Fried Frank. If it was indeed a ransomware attack, the law firm may have paid a ransom, which would be consistent with its statement about the unlikely abuse of the data.

SecurityWeek has reached out to Fried Frank for additional information and will update this article if the company responds.

securityweek.com EN 2026 JPMorgan Fried-Frank intrusion
Hospital in Antwerp hit by cyberattack https://www.brusselstimes.com/belgium/1916403/hospital-in-antwerp-hit-by-cyberattack
17/01/2026 17:12:45

The Brussels Times
Tuesday, 13 January 2026
By The Brussels Times with Belga

The AZ Monica hospital in Antwerp was targeted by a cyberattack on Tuesday, with a full-scale investigation now launched.

The hospital detected a serious IT system disruption around 6:30 am and, as a precaution, shut down its servers at both the Deurne and Antwerp campuses. It is not yet clear whether patient data has been compromised.

All scheduled procedures were postponed on Tuesday, impacting a minimum of 70 surgeries across both campuses. Seven patients were proactively transferred to another hospital.

The motives behind the cyberattack remain unknown. Unconfirmed reports within the hospital suggest the hackers may be demanding ransom, but neither the public prosecutor nor the hospital’s CEO has confirmed these claims.

Access to AZ Monica remains possible, and its emergency department is operational, albeit in a limited capacity.

However, MUG and PIT emergency services are temporarily unavailable. The hospital emphasised that its primary focus continues to be patient safety and care continuity.

brusselstimes.com EN 2026 ransomware Belgium Antwerp AZMonica hospital
Free Speech Union website down after funders exposed by hack https://www.thepinknews.com/2026/01/06/free-speech-union-trans-hack/
13/01/2026 11:50:50

thepinknews.com
Jan 06
Written by Sophie Perry

The website belonging to the Free Speech Union (FSU) is down after a trans activism group BASH BACK hacked it and exposed its list of donors.

The Free Speech Union's website is currently unavailable (PinkNews)

The website belonging to the Free Speech Union (FSU) is down after trans activism group BASH BACK hacked it and exposed its list of alleged donors.

The group, which vandalised offices belonging to the Equality and Human Rights Commission (EHRC) in London in October, published a list of names of people who have allegedly donated to the FSU’s various campaigns.

Shortly after publication of PinkNews’ article, the BASH BACK website also went down, with a 404 error page visible instead.

The freedom of speech organisation, founded by Conservative peer and journalist Toby Young, was said – according to GB News – to be undertaking an “independent security briefing” into BASH BACK, inspired by an article in the Daily Mail which detailed future BASH BACK targets, including the offices of health secretary Wes Streeting and prime minister Keir Starmer.

At the time of that article’s publication, BASH BACK stated the information about its targets was publicly available information.

“The Free Speech Union commissioned a ‘security’ report on us,” BASH BACK wrote on BlueSky on Monday (5 January), “so we tested their security. Turns out – it sucks.”

By Monday evening the FSU’s website was unavailable and stated “maintenance mode is on” but by Tuesday morning a 404 error code appears when attempting to access it.

PinkNews will not publish any of the names listed in the hacked list, and is also unable to verify its content.

A spokesperson for BASH BACK described the FSU in a statement as an “organisation for defending bigots”.

“Instead of fighting for the free speech of pro-Palestine activists, such as the prisoners currently on hunger strike, they move heaven and earth to defend every sexist, racist, and transphobe that crosses their path,” they wrote.

“The FSU has said nothing about the police banning the use of common Arabic phrases, the abuse of activists in prison, or the censorship imposed on the public around Britain’s involvement in genocide.

“Instead, their focus is on defending those who preach hatred. The public deserves to know who is funding the FSU’s activities, and we are glad to be able to reveal it.”

They went on to state the FSU “purports to be an advocacy group for freedom of expression” but instead “represent a security fund for attention-seeking reactionaries backed by the ultra-wealthy”.

“They use their funders’ deep pockets to repress ordinary people and impose a two-tier justice system where wealthy transphobes and racists can preach hate whilst those who oppose genocide are imprisoned and abused, or otherwise subject to police violence,” the spokesperson continued.

“In a time where free speech is under attack, not by ‘wokism’ or minorities, but by an increasingly authoritarian state, the so-called ‘Free Speech Union’ sets its sights instead on protecting powerful bigots from the consequences of their public tantrums.”

thepinknews.com EN 2026 Free-Speech-Union hacked FSU BASH-BACK
Mosyle identifies one of the first known AI-assisted Mac malware threats - 9to5Mac https://9to5mac.com/2026/01/09/mosyle-identifies-one-of-the-first-known-ai-assisted-mac-malware-threats/
13/01/2026 11:48:06

9to5mac.com
Arin Waichulis | Jan 9 2026 - 7:19 am PT

Mosyle, a popular Apple device management and security firm, has exclusively shared details with 9to5Mac on a previously unknown macOS malware campaign. While crypto miners on macOS aren’t anything new, the discovery appears to be the first Mac malware sample uncovered in the wild that contains code from generative AI models—officially confirming what was inevitable.

At the time of discovery, Mosyle’s security research team says the threat was undetected by all major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums indicating how large language models were being used to write malware targeting macOS.

The campaign, which Mosyle is calling SimpleStealth, is spreading through a convincing fake website impersonating the popular AI app, Grok. The threat actors are using a look-alike domain to trick users into downloading a malicious macOS installer. When launched, victims are presented with what appears to be a fully functioning Grok app that looks and behaves like the real thing. This is a common technique used to keep the application front and center while malicious activity quietly runs in the background, allowing the malware to operate longer without being noticed.

According to Mosyle, SimpleStealth is designed to bypass macOS security safeguards during its first execution. The app prompts the user for their system password under the guise of completing a simple setup task. This allows the malware to remove Apple’s quarantine protections and prepare its true payload. From the user’s perspective, everything appears normal as the app continues to display familiar AI-related content that the real Grok app would.

Behind the scenes, however, the malware deploys the stealthy Monero (XMR) crypto miner that boasts having “quicker payouts” and being “confidential and untraceable” on its website. To stay hidden, the mining activity only starts when the Mac has been idle for at least a minute and stops immediately when the user moves the mouse or types. The miner further disguises itself by mimicking common system processes like kernel_task and launchd, making it far harder for users to spot abnormal behavior.

In evidence seen by 9to5Mac, the use of AI is found throughout the malware’s code, which features unusually long-winded comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns that are characteristic of AI-generated scripts.

Overall, this situation is alarming for several reasons. Primarily because AI is lowering the barrier to entry for attackers faster than concerns around ‘malware-as-a-service’ could ever. Virtually anyone with internet access can now craft samples like SimpleStealth, significantly accelerating the pace at which new threats can be created and deployed.

The best way to stay safe is to avoid downloading anything from third-party sites. Always source your apps directly from the Mac App Store or directly from developer websites you trust.

Indicators of Compromise
Below you can find the Indicators of Compromise (IoCs) of the SimpleStealth sample for your own research or to improve detection at your organization. Exercise caution around visiting any observed domains.

Malware family: SimpleStealth
Distribution name: Grok.dmg
Target platform: macOS
Observed domain: xaillc[.]com

9to5mac.com EN 2026 macOS SimpleStealth Grok.dmg Mosyle
Instagram says it fixed the issue that sent password reset emails https://www.theverge.com/news/860337/instagram-fixed-password-reset-emails
12/01/2026 06:36:44

The Verge
by Terrence O'Brien
Jan 11, 2026, 6:26 PM GMT+1

The company claims there was no breach of its systems.

Instagram says it fixed the issue that sent password reset emails and that there was no breach of its systems.

If you’re one of the many, many people who received a password reset email from Instagram the other day, the company says it fixed the issue. What was the issue? Unclear. We reached out to Meta for clarification and have yet to receive a response. All we know is that an “external party” triggered the emails, and Instagram says you can safely ignore them.

The company posted on X that the issue had been fixed and also claimed there was no breach of its systems. This seemingly contradicts reports from Malwarebytes, which said that information on 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, and email addresses, was available on the dark web.

theverge.com EN 2025 Instagram password reset emails
Final Fantasy 14 sees severe server outages on savage raid release due to DDOS attacks | Eurogamer.net https://www.eurogamer.net/final-fantasy-14-sees-severe-server-outages-on-savage-raid-release-due-to-ddos-attacks
09/01/2026 15:03:50

eurogamer.net
News by Connor Makar Staff Writer
Published on Jan. 6, 202

Final Fantasy 14 is suffering DDOS attacks on its American servers during the release of the latest Savage raid.

Final Fantasy 14 has released its latest Savage-tier raid today, pushing the game's best and brightest to race through this new challenge group content to earn powerful loot and see which region can take it down first. However, for Americans, this is proving difficult due to ongoing DDOS attacks and server outages.

With the release of patch 7.4 last month, players were welcomed back to the game with a bunch of new content to pore over. The Savage difficulty for the Heavyweight raid, which was delayed until after the holiday season, has just come out, resulting in the usual rush to see which team can take it down first.

The problem comes from DDOS attacks. American players, obviously present on different servers than like-minded raiders in other regions, are facing a spree of connection issues as the servers are bombarded with digital assaults from nefarious parties. Checking the FF14 server status page, you can see a sizable portion of American servers under strain.

This has resulted in chaos for the race for world first Heavyweight Savage clears, as American teams are scrambling to contend with these extra hurdles. Players looking to temporarily hop to different servers, such as Oceania's Materia server cluster, aren't safe from these attacks either. The only way to dodge such attacks at this time appears to be a full-on server transfer to another region, which would add additional latency to play which top-end players tackling difficult content wouldn't want anyway. A messy situation.

Funnily enough, it appears as though Japanese servers are largely doing just fine during the initial release of Savage Heavyweights so far! This is both good and bad. It's good because these server outages are annoying and the less people experience them the better. It's bad because, from the perspective of competitive raiders looking to race each other to a world first clear, it adds a degree of unfairness to the mix. It takes what should be a joyful moment and sours it.

Unfortunately, this Savage raid release isn't the first time problems like these have hit Final Fantasy 14. In fact, it was only around two weeks ago when the American servers suffered several DDOS attacks. For Western FF14 players, this is a problem in desperate need of addressing, especially now that it's impacted one of the more climactic moments in the Dawntrail expansion's life cycle.

A short post on the Final Fantasy 14 website has acknowledged the problem, and states that it's being looked into. However, given the time sensitive nature of these Savage raid races, it's possible for the most dedicated FF14 players, the damage has been done.

eurogamer.net EN 2025 DDOS attacks FinalFantasy14
Sedgwick confirms cyber incident affecting its major federal contractor subsidiary | The Record from Recorded Future News https://therecord.media/sedgwick-cyber-incident-ransomware
09/01/2026 14:56:19

therecord.media
Jonathan Greig
January 2nd, 2026

The claims administration company Sedgwick confirmed that a subsidiary that contracts with a handful of sensitive federal agencies is dealing with a cybersecurity incident.

Claims administration company Sedgwick confirmed that its government-focused subsidiary is dealing with a cybersecurity incident.

On New Year’s Eve, the TridentLocker ransomware gang claimed it attacked Sedgwick Government Solutions and stole 3.4 gigabytes of data.

A Sedgwick spokesperson confirmed the company is currently addressing a security incident at the subsidiary, which provides claims and risk management services to federal agencies like the Department of Homeland Security (DHS), Immigration and Customs Enforcement, Customs and Border Protection, Citizenship and Immigration Services, the Department of Labor, and the Cybersecurity and Infrastructure Security Agency (CISA).

“Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation of the affected isolated file transfer system,” the spokesperson said.

“Importantly, Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected. Further, there is no evidence of access to claims management servers nor any impact on Sedgwick Government Solutions ability to continue serving its clients.”

The company has notified law enforcement and is in contact with its customers about the incident.

CISA and DHS did not respond to requests for comment. The company also provides services to municipal agencies in all 50 states as well as the Smithsonian Institution and the Port Authority of New York and New Jersey.

TridentLocker is a new ransomware gang that emerged in November, cybersecurity experts said. The group previously took credit for an attack on the Belgian postal and package delivery service bpost, which confirmed that it recently suffered from a data breach.

The group has listed a total of 12 victims on its leak site since its emergence.

Ransomware gangs have repeatedly targeted federal government contractors like Sedgwick. More than 10 million people had information leaked after the prominent government contractor Conduent was attacked one year ago.

therecord.media EN 2026 Sedgwick incident
Swiss defence minister condemns Russian disinformation https://www.swissinfo.ch/eng/foreign-affairs/federal-councillor-martin-pfister-condemns-russian-disinformation/90743036
08/01/2026 14:31:23

SWI swissinfo.ch
Keystone-SDA
January 8, 2026 - 12:18

Swiss defence minister denounces increasing stream of disinformation from Russia.

Pfister interprets this as an attempt to influence Swiss politics and to unsettle the population.

The fact that Russia wants to influence the West with hybrid conflict management is nothing new – nor is the fact that Switzerland is increasingly affected by this. But rarely has a government minister condemned Russian “conspiracy narratives”, as Pfister called them, so clearly.

“Russia in particular has been increasingly attacking Switzerland with influence operations since 2022,” he said during a speech at a Swiss media industry event.

Russia primarily spreads disinformation and propaganda in Switzerland, claiming, among other things, that Switzerland is no longer neutral, no longer democratic and no longer safe.

Pfister gave a concrete example at the publishers’ meeting. In an influence activity last May, pro-Russian accounts circulated an out-of-context video from Geneva in a coordinated manner on seven social media platforms and in all official Swiss languages.

“This supposedly showed that Switzerland was sinking into chaos,” said Pfister. The posts were viewed over two million times within a short space of time.

The two well-known Russian disinformation platforms Russia Today and Pravda alone disseminate between 800 and 900 articles per month in Switzerland, Pfister added. If such narratives continue unchecked, a society becomes vulnerable.

Swiss media publishers could play a decisive role in such an environment, Pfister said. “A healthy media system is also part of the Swiss security architecture.”

Especially in times of technological change and geopolitical uncertainty, the media need to fulfil their responsibilities more than ever.

swissinfo.ch EN 2025 Russia Switzerland disinformation
NordVPN denies breach claims, says attackers have "dummy data" https://www.bleepingcomputer.com/news/security/nordvpn-denies-breach-claims-says-attackers-have-dummy-data/
06/01/2026 09:57:03

bleepingcomputer.com
By Sergiu Gatlan
January 5, 2026

NordVPN denied allegations that its internal Salesforce development servers were breached, saying that cybercriminals obtained "dummy data" from a trial account on a third-party automated testing platform.

The company's statement comes after a threat actor (using the 1011 handle) claimed on a hacking forum over the weekend that they stole more than 10 databases containing sensitive information like Salesforce API keys and Jira tokens, following a brute-force attack against a NordVPN development server.

"Today i am leaking +10 DB's source codes from a nordvpn development server. This information was acquired by bruteforcing a misconfigured server of Nordvpn, which has salesforce and jira information stored. Compromised information: SalesForce api keys, jira tokens and more," the threat actor said.

However, as NordVPN revealed today, this is actually test data stolen from a temporary test environment deployed months earlier during a trial of a potential vendor for automated testing.

The Lithuanian VPN service added that the test environment had no connection with its own infrastructure and that the stolen data doesn't include sensitive customer or business information.

"The leaked elements, such as the specific API tables and database schemas can only be artifacts of an isolated third-party test environment, containing only dummy data used for functionality checks. While no data in the dump points to NordVPN, we have contacted the vendor for additional information," NordVPN explained.

"Because this was a preliminary test and no contract was ever signed, no real customer data, production source code, or active sensitive credentials were ever uploaded to this environment.

"We ultimately chose a different vendor and did not proceed with the one we tested. The environment in question was never connected to our production systems."

While this was only a false alarm, in 2019, hackers breached the servers of NordVPN and TorGuard, gaining full root access and stealing private keys used to secure their web servers and VPN configurations.

In response to the 2019 incident, NordVPN introduced a bug bounty program and hired outside cybersecurity experts for a "full-scale" third-party security audit.

The company also announced plans to switch to dedicated servers that they own exclusively and to upgrade their entire 5,100-server infrastructure to RAM servers.

bleepingcomputer.com EN 2025 Breach Data-Breach Data-Leak NordVPN Salesforce
“Tinder for Nazis” hit by 100GB data leak, thousands of users exposed https://cybernews.com/security/investigator-exposes-white-supremacist-sites-users/
03/01/2026 01:14:08

cybernews.com
Ernestas Naprys
Senior Journalist
Published: 2 January 2026

An investigative journalist has infiltrated the white supremacist dating website WhiteDate and exfiltrated over 8,000 profiles and 100GB of data. Photos and other sensitive details have been made public, and the full “WhiteLeaks” data is available to journalists and researchers on DDoSecrets.

An “old-school anarchist researcher,” who goes by the online pseudonym Martha Root, claims to have breached a racist dating site and two similar platforms.

The leak affects WhiteDate, a white supremacist dating site for “Europids seeking tribal love,” WhiteChild, a white supremacist site focused on family and ancestry, and WhiteDeal, a networking and professional development site for people with a racist worldview.
All three platforms were operated by a right-wing extremist from Germany.

“I infiltrated a racist dating site and made nazis fall in love with robots,” Root claims.

The journalist found that the websites’ cybersecurity hygiene was so poor that it “would make even your grandma’s AOL account blush.”

“Imagine calling yourselves the ‘master race’ but forgetting to secure your own website – maybe try mastering to host WordPress before world domination.”

What data was exposed?
The researcher created a website okstupid.lol, where 8,000 leaked profiles are placed on the map, exposing users from very different regions of the world.

The data includes highly sensitive and detailed self-reported information, such as usernames, gender, age, location, activity history, lifestyle, height, eye color, hair color, and other physical appearance traits, income range, education, marital status, religion, and even self-assessed IQ, among many other fields.

Notably, the dataset also contains numerous profile photos, along with embedded EXIF metadata that reveals precise GPS coordinates, device information, timestamps, and other identifying details.

The researcher claims that image metadata “practically hands out home addresses.”

“Would like to find a woman who understands the value of nation and race, seeks the truth,” one of the exposed profiles reads.

Root claims that the platform’s gender ratio “makes the Smurf village look like a feminist utopia” – the site is overwhelmingly male.

“For now,” the emails and private messages haven’t been publicly exposed. However, the dataset, dubbed “WhiteLeaks,” has been made available to researchers and journalists on Distributed Denial of Secrets (DDoSecrets), a nonprofit whistleblower site.

The researcher also disclosed that the entire operation was run by a Paris-based company called Horn & Partners, and they identified the woman behind the company.
Investigative journalists and Root presented the data and findings at the 39th Chaos Communication Congress in Germany.

“Martha is whatever the antifascist movement needs at the moment: a ghost in their servers, a thorn in their mythologies, and an intelligence that refuses obedience,” the researcher’s bio on the site reads.

cybernews.com EN 2025 WhiteDate Data-breach Martha-Root
PyPI in 2025: A Year in Review - The Python Package Index Blog https://blog.pypi.org/posts/2025-12-31-pypi-2025-in-review/
02/01/2026 14:36:07

blog.pypi.org
Dustin Ingram, on behalf of the PyPI team.

A look back at the major changes to PyPI in 2025 and related statistics.

As 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. This year, we've focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency.

But first, let's look at some numbers that illustrate the sheer scale of PyPI in 2025:

  • More than 3.9 million new files published
  • More than 130,000 new projects created
  • 1.92 exabytes of total data transferred
  • 2.56 trillion total requests served
  • 81,000 requests per second on average

These numbers are a testament to the continued growth and vibrancy of the Python community.

Let's dive into some of the key improvements we've made to PyPI this year.

Security First, Security Always
Security is our top priority, and in 2025 we've shipped a number of features to make PyPI more secure than ever.

Enhanced Two-Factor Authentication (2FA) for Phishing Resistance
We've made significant improvements to our 2FA implementation, starting with email verification for TOTP-based logins. This adds an extra layer of security to your account by requiring you to confirm your login from a trusted device, when using a phishable 2FA method like TOTP.

Since rolling out these changes, we've seen:

  • more than 52% of active users with non-phishable 2FA enabled
  • more than 45,000 total unique verified logins

Trusted Publishing and Attestations
Trusted publishing continues to be a cornerstone of our security strategy. This year, we've expanded support to include GitLab Self-Managed instances, allowing maintainers to automate their release process without needing to manage long-lived API tokens. We've also introduced support for custom OIDC issuers for organizations, giving companies more control over their publishing pipelines.

Adoption of trusted publishing has been fantastic:

  • more than 50,000 projects are now using trusted publishing
  • more than 20% of all file uploads to PyPI in the last year were done via trusted publishers

We've also been hard at work on attestations, a security feature that allows publishers to make verifiable claims about their software. We've added support for attestations from all Trusted Publishing providers, and we're excited to see how the community uses this feature to improve the security of the software supply chain.

  • 17% of all uploads to PyPI in the last year included an attestation.

Proactive Security Measures
Beyond user-facing features, we've also implemented a number of proactive security measures to protect the registry from attack. These include:

  • Phishing Protection: To combat the ongoing threat of phishing attacks, PyPI now detects and warns users about untrusted domains.
  • Improved ZIP file security: We've hardened our upload pipeline to prevent a class of attacks involving malicious ZIP files.
  • Typosquatting detection: PyPI now automatically detects and flags potential typosquatting attempts during project creation.
  • Domain Resurrection Prevention: We now periodically check for expired domains to prevent domain resurrection attacks.
  • Spam Prevention: We've taken action against spam campaigns, including prohibiting registrations from specific domains that were a source of abuse.

Transparency and Incident Response
This year, we've also focused on providing transparent and timely information about security incidents affecting PyPI. We've published detailed incident reports on a number of events, including:

  • An issue with privileges persisting in organization teams.
  • A widespread phishing attack targeting PyPI users.
  • A token exfiltration campaign via GitHub Actions workflows.
  • The potential implications of the "Shai-Hulud" attack on the npm ecosystem.

We believe that transparency is key to building and maintaining trust with our community, and we'll continue to provide these reports as needed.

Safety and Support Requests
This year, our safety & support team and administrators have been working diligently to address user requests and combat malware to maintain a healthy ecosystem. We're proud to report significant progress in handling various types of support inquiries and improving our malware response.

Malware Response
We've continued to improve our malware detection and response capabilities. This year, we've processed more than 2000 malware reports. This is a testament to the vigilance of our community and the dedication of our administrators.

Our goal is to reduce the time it takes to remove malware from PyPI, and we're happy to report that we're making significant progress: in the last year, 66% of all reports were handled within 4 hours, climbing to 92% within 24 hours, with only a few more complex issues reaching the maximum of 4 days to remediate.

Support Requests
Our support team has also been hard at work making sure our users can continue to be effective on PyPI. This year, we've successfully resolved 2221 individual account recovery requests.

We've also handled more than 500 project name retention requests (PEP 541). This includes an average first triage time of less than 1 week. This is a significant improvement compared to the previous 9-month backlog, and we're happy to report that the backlog is current for the month of December.

Organizations Growth
One of our biggest announcements in previous years was the general availability of organizations on PyPI. Organizations provide a way for companies and community projects to manage their packages, teams, and billing in a centralized location.

We have continued to see growing usage of organizations:

  • 7,742 organizations have been created on PyPI
  • 9,059 projects are now managed by organizations

We've been hard at work adding new features to organizations, including team management, project transfers, and a comprehensive admin interface. We're excited to see organizations use these features to use PyPI more effectively.

A Better PyPI for Everyone
Finally, we've made a number of improvements to the overall maintainer experience on PyPI. These include:

  • Project Lifecycle Management: You can now archive your projects to signal that they are no longer actively maintained. This is part of a larger effort to standardize project status markers as proposed in PEP 792.
  • New Terms of Service: We've introduced a new Terms of Service to formalize our policies and enable new features like organizations.

Looking Ahead to 2026
We're proud of the progress we've made in 2025, but we know there's always more to do. In 2026, we'll continue to focus on improving the security, stability, and usability of PyPI for the entire Python community.

Acknowledgements
As always, a huge thanks to our sponsors who make the scale and reliability of PyPI possible, and a special shout-out to Fastly for being a critical infrastructure donor.

We'd also like to extend a special thank you to a few individuals who made significant contributions to PyPI this year. Thank you to William Woodruff, Facundo Tuesca, and Seth Michael Larson for your work on trusted publishing, attestations, project archival, zipfile mitigation, and other security features.

Finally, PyPI wouldn't be what it is today without the countless hours of work from our community. A huge thank you to everyone who contributed code, opened an issue, or provided feedback this year. As always, we're grateful for the contributions of our community, whether it's through code, documentation, or feedback. PyPI wouldn't be what it is today without you.

Here's to a great 2026!

blog.pypi.org EN 2025 Retrospective PyPI MFA
Meta created ‘playbook’ to fend off pressure to crack down on scammers, documents show https://www.reuters.com/investigations/meta-created-playbook-fend-off-pressure-crack-down-scammers-documents-show-2025-12-31/
02/01/2026 14:34:36

Reuters | reuters.com
By Jeff Horwitz
December 31, 2025 2:00 PM GMT+1

As regulators press Meta to crack down on rogue advertisers on Facebook and Instagram, the social media giant has drafted a “playbook” to stall them. Internal documents seen by Reuters reveal its tactics, including efforts to make scam ads “not findable” when authorities search for them.

SAN FRANCISCO - Japanese regulators last year were upset by a flood of ads for obvious scams on Facebook and Instagram. The scams ranged from fraudulent investment schemes to fake celebrity product endorsements created by artificial intelligence.
Meta, owner of the two social media platforms, feared Japan would soon force it to verify the identity of all its advertisers, internal documents reviewed by Reuters show. The step would likely reduce fraud but also cost the company revenue.
To head off that threat, Meta launched an enforcement blitz to reduce the volume of offending ads. But it also sought to make problematic ads less “discoverable” for Japanese regulators, the documents show.
The documents are part of an internal cache of materials from the past four years in which Meta employees assessed the fast-growing level of fraudulent advertising across its platforms worldwide. Drawn from multiple sources and authored by employees in departments including finance, legal, public policy and safety, the documents also reveal ways that Meta, to protect billions of dollars in ad revenue, has resisted efforts by governments to crack down.

In this case, Meta’s remedy hinged on its “Ad Library,” a publicly searchable database where users can look up Facebook and Instagram ads using keywords. Meta built the library as a transparency tool, and the company realized Japanese regulators were searching it as a “simple test” of “Meta’s effectiveness at tackling scams,” one document noted.
To perform better on that test, Meta staffers found a way to manage what they called the “prevalence perception” of scam ads returned by Ad Library searches, the documents show. First, they identified the top keywords and celebrity names that Japanese Ad Library users employed to find the fraud ads. Then they ran identical searches repeatedly, deleting ads that appeared fraudulent from the library and Meta’s platforms.

The tactic successfully removed some fraudulent advertising of the sort that regulators would want to weed out. But it also served to make the search results that Meta believed regulators were viewing appear cleaner than they otherwise would have. The scrubbing, Meta teams explained in documents regarding their efforts to reduce scam discoverability, sought to make problematic content “not findable” for “regulators, investigators and journalists.”

Within a few months, they said in one memo after the effort, “we discovered less than 100 ads in the last week, hitting 0 for the last 4 days of the sprint.” The Japanese government also took note, the document added, citing an interview in which a prominent legislator lauded the improvement.
Meta has studied searches of its Ad Library and worked to reduce the "discoverability" of problematic advertising. Documents reviewed by Reuters, and highlighted here by the news agency, show internal discussions about the effort. REUTERS
“Fraudulent ads are already decreasing,” Takayuki Kobayashi, of the ruling Liberal Democratic Party, told a local media outlet. Kobayashi didn’t respond to a Reuters request for comment about the interview.
Japan didn’t mandate the verification and transparency rules Meta feared. The country’s Ministry of Internal Affairs and Communications declined to comment.
So successful was the search-result cleanup that Meta, the documents show, added the tactic to a “general global playbook” it has deployed against regulatory scrutiny in other markets, including the United States, Europe, India, Australia, Brazil and Thailand. The playbook, as it’s referred to in some of the documents, lays out Meta’s strategy to stall regulators and put off advertiser verification unless new laws leave them no choice.
The search scrubbing, said Sandeep Abraham, a former Meta fraud investigator who now co-runs a cybersecurity consultancy called Risky Business Solutions, amounts to “regulatory theater,” distorting the very transparency the Ad Library purports to provide. “Instead of telling me an accurate story about ads on Meta’s platforms, it now just tells me a story about Meta trying to give itself a good grade for regulators,” said Abraham, who left the company in 2023.

Meta spokesperson Andy Stone in a statement told Reuters there is nothing misleading about removing scam ads from the library. “To suggest otherwise is disingenuous,” Stone said.
By cleaning those ads from search results, the company is also removing them from its systems overall. “Meta teams regularly check the Ad Library to identify scam ads because when fewer scam ads show up there that means there are fewer scam ads on the platform,” Stone wrote.
Advertiser verification, he said, is only one among many measures the company uses to prevent scams. Verification is “not a silver bullet,” Stone wrote, adding that it “works best in concert with other, higher-impact tools.” He disputed that Meta has sought to stall or weaken regulations, and said that the company’s work with regulators is just part of its broader efforts to reduce scams.
Those efforts, Stone continued, have been successful, particularly considering the continuous maneuvers by scammers to get around measures to block them. “The job of chasing them down never ends,” he wrote. The company has set global scam reduction targets, Stone said, and in the past year has seen a 50% decline in user reports of scams. “We set a global baseline and aggressive targets to drive down scam activity in countries where it was greatest, all of which has led to an overall reduction in scams on platform.”
Meta’s internal documents cast new light on the central role played by fraudulent advertising in the social media giant’s business model – and the steps the company takes to safeguard that revenue. Reuters reported in November that scam ads Meta considers “high risk” generate as much as $7 billion in revenue for the company each year. This month, the news agency found that Meta tolerates rampant fraud from advertisers in China.
In response to Reuters’ coverage, two U.S. senators urged regulators at the Securities and Exchange Commission and the Federal Trade Commission to investigate and “pursue vigorous enforcement action where appropriate.” Citing Reuters reporting, the attorney general of the U.S. Virgin Islands also sued Meta this month for allegedly “knowingly and intentionally” exposing users of its platforms to “fraud and harm” and “profiting from scams.” Stone said Meta strongly disagrees with the lawsuit’s allegations.
In Brussels, where European authorities have also been focused on scams, a spokesperson for the European Commission told Reuters its regulators had recently asked Meta for details about its handling of fraudulent advertising. “The Commission has sent a formal request for information to Meta relating to scam ads and risks related to scam ads and how Meta manages these risks,” spokesperson Thomas Regnier wrote. “There are doubts about compliance.” He didn’t elaborate.
The documents reviewed by Reuters show that Meta assigned its handling of scams the top possible score in an internal ranking of regulatory, legal, reputational and financial risks in 2025. One internal analysis calculated that possible regulation in Europe and Britain that would make Meta liable for its users’ scam losses could cost the company as much as $9.3 billion.
EMPLOY A “REACTIVE ONLY” STANCE
One big push among regulators is to get Meta and other social media companies to adopt what is known as universal advertiser verification. The step requires all advertisers to pass an identity check by social media platforms before the platforms will accept their ads. Often, regulators request that some of an advertiser’s identity information also be viewable, allowing users to see whether an ad was posted locally or from the other side of the world.
Google in 2020 announced that it would gradually adopt universal verification, and said earlier this year it has now verified more than 90% of advertisers. Along with requiring verification in jurisdictions where it’s legally mandated, Meta offers to voluntarily verify some large advertisers and sells “Meta Verified” badges to others, combining identity checks with access to customer support staff.
Documents reviewed by Reuters say that 55% of Meta’s advertising revenue came from verified sources last year. Stone, the spokesperson, added that 70% of the company’s revenue now comes from advertisers it considers verified.
The internal company documents show that unverified advertisers are disproportionately responsible for harm on Meta’s platforms. One analysis from 2022 found that 70% of its newly active advertisers were promoting scams, illicit goods or “low quality” products. Stone said that Meta routinely disables such new accounts, “some on the very day that they’re created.”
Meta’s documents also show the company recognizes that universal verification would reduce scam activity. They indicate that Meta could implement the measure in any of the countries where it operates in less than six weeks, should it choose to do so.
But Meta has balked at the cost.
Despite reaping revenue of $164.5 billion last year, almost all of which came from advertising, Meta has decided not to spend the roughly $2 billion it estimates universal verification would cost, the documents show. In addition to that cost of implementation, staffers noted, Meta could ultimately lose up to 4.8% of its total revenue by blocking unverified advertisers.

Instead of adopting verification, Meta has decided to employ a “reactive only” stance, according to the documents. That means resisting efforts at regulation – through lobbying but also through measures like the scrubbing of Ad Library searches in Japan last year. The reactive stance also means accepting universal verification only if lawmakers mandate it.
So far, just a few markets, including Taiwan and Singapore, have done so.
Even then, the documents show, the financial costs to Meta have remained small. Meta’s own tests showed verification immediately reduced scam ads in those countries by as much as 29%. But much of the lost revenue was recouped because the same blocked ads continued to run in other markets.
If an unverified advertiser is blocked from showing ads in Taiwan, for example, Meta will show those ads more frequently to users elsewhere, creating a whack-a-mole dynamic in which scam ads prohibited in one jurisdiction pop up in another. In the case of blocked ads in Taiwan, “revenue was redistributed/rerouted to the remaining target countries,” one March 2025 document said, adding that consumer injury gets displaced, too. “This would go for harm as well,” the document noted.
Meta analyses found that even when verification blocked ads in one market, those same ads would still generate revenues for the company in other markets. Highlighting of internal document reviewed by Reuters. REUTERS
Meta’s documents show the company believes its efforts to defeat regulation are succeeding. In mid-2024, one strategy document called the prospect of being “required to verify all advertisers” worldwide a “black swan,” a term used to describe an improbable but catastrophic event. In the months afterwards, policy staffers boasted about stalling regulations in Europe, Singapore, Britain and elsewhere.
In July, one Meta lobbyist wrote colleagues after they thwarted stricter measures considered by financial regulators in Hong Kong against financial scams. To get ahead of the effort, staffers helped regulators draft a voluntary “anti-scam charter.” They coordinated with Google, which also signed the charter, to present a “united front,” the document says. “Through skillful negotiations with regulators,” the Meta lobbyist wrote, Hong Kong relaxed rules that would have forced verification of financial advertisers. “The finalised language does not introduce new commitments or require additional product development.”
Hong Kong regulators, the lobbyist added, “have shown huge appreciation for Meta’s leading participation.”
Meta staffers boasted about success slowing the push by authorities for advertiser verification. In one document, highlighted here by Reuters, Meta employees say their lobbying in Hong Kong thwarted "new commitments" in local regulations. REUTERS
A Google spokesperson said the company signed onto the charter because it believed it would benefit customers. Google participated, he said, of its own accord and as the result of direct engagement with Hong Kong regulators.
In a statement, Hong Kong financial regulators said that “advertiser verification is one of many ways social media platforms can protect the investment public.” They declined to respond to Reuters’ questions about Meta and noted that the regulators involved with the charter don't themselves have the authority to impose advertiser verification requirements.
“All social media platforms should strengthen their efforts to detect and remove fraudulent and unlawful materials,” they added.
“INDUSTRY AND REGULATORY EXPECTATIONS”
Fraud across social media platforms has surged in recent years, fueled by the rise of untraceable cryptocurrency payments, AI ad-generation tools and organized crime syndicates. Mob rings have found the business so lucrative that they employ forced labor to staff well-documented “scam compounds” that generate waves of fraudulent content from southeast Asia. Internally, Meta has cited estimates that such compounds are responsible for $63 billion in annual damage to consumers worldwide.
In some countries, regulators have determined that Meta platforms host more fraudulent content than its online competitors. In February 2024, Singapore police reported that more than 90% of social media fraud victims in the city state had been scammed through Facebook or Instagram. In a statement to Reuters, a spokesperson for Singapore’s Ministry of Home Affairs wrote that “Meta products have persistently been the most common platforms used by scammers.”
“We have repeatedly highlighted our deep concern over the continued prevalence of scams on Meta’s platforms,” the statement continued. After Reuters’ inquiries for this report, it added, Singapore authorities have asked Meta for more information and will broaden existing verification measures, including some mandating the use of facial recognition technology to prevent the impersonation of public figures. “We have reiterated that more needs to be done to secure Meta’s products and protect users from scams, instead of prioritising its profits. We have requested for a formal explanation from Meta and will take enforcement action if Meta is found to be in violation of legal requirements.”
A known weakness in Meta’s defenses is the ease of advertising on its platforms.
To purchase most advertisements, all a client needs is a user account – easily created with an email or phone number and a user-supplied name and birthdate. If Meta doesn’t verify those details, it can’t know who it’s doing business with. Even if an advertiser gets banned, there is nothing to stop it from returning with a new account. A fraudster can merely sign up again.
Meta has known about the problem for years, documents and interviews with former staffers show.
In the 2016 U.S. presidential election, fake political ads flooded Facebook with disinformation. In response, the company took steps to reduce chances that could happen again. Back then, foreign actors seeking to influence the election easily placed ads masquerading as Americans. Some Russian advertisers pretending to be American political activists even paid for such ads in rubles, Meta has said.
Starting in 2018, the company began requiring a valid identity document and a confirmed U.S. address before clients could place political ads. In addition to providing verification for the company itself, the general details, including the name and location of the advertiser, could be viewed by users, too.
Rob Leathern, a former senior director of product management at Facebook who oversaw the effort to verify political advertisers, said the added transparency and accountability led some staffers to believe that Meta would broaden it to all advertisers. “I expected that the company would have continued to do more verification, and personally felt that was something that all major platforms should be doing,” said Leathern, who left the company at the end of 2020.
Meta in 2018 also introduced its Ad Library, an easily searchable database of all ads that run on its platforms. The company, the documents show, expected to generate goodwill with the library, particularly with regards to political advertisements. Competitors, including Google, soon launched ad libraries of their own.

In the years that followed, Meta continued to acknowledge the effectiveness of both transparency and verification. So-called “know your customer policies,” Meta staffers wrote in a November 2024 document, are “commonly understood to be effective at reducing scam-risks.” They noted a competitive component, too, citing Google’s move at the start of the decade to adopt universal verification: “Google’s approach to verify all advertisers is recalibrating industry and regulatory expectations.”
Meta, however, has been reluctant to pay for it.
The internal documents show that last year Meta consulted with a company that works with Google to verify advertisers. Meta officials, according to the documents, wanted to know how much it would cost to follow suit. But the answer – at least $20 per advertiser – proved too costly for their liking, one document said.
The Meta spokesperson said that the company, regardless of cost, didn’t work with the vendor because its verification process took too long.
The potential for lost revenue has also given the company pause.
In addition to lost income from advertisers culled by verification, stricter measures could also cannibalize a paid program through which Meta already charges advertisers for similar status. The program, known as “Verified for Business,” costs clients as much as $349.99 per month and allows businesses to display a badge assuring users that Meta has authenticated their profile. Meta describes the program as more than just basic verification, offering advertisers better customer support and protections against impersonation.
Still, the documents show, Meta managers fear those revenues could shrivel if the company adopts verification for all advertisers.
“WE HAVE AN OPPORTUNITY”
In 2023, because of a sharp rise in ads for investment scams, Taiwan passed legislation ordering social media platforms to begin verifying advertisers of financial products. The self-governing island, population 23 million, is small compared to Meta’s major markets, but the company’s response there helps illustrate how resistant Meta has been to growing regulatory scrutiny worldwide.
In private conversations, the documents show, Taiwanese regulators told Meta it needed to demonstrate it was taking concrete steps to help reduce financial scam ads. When it came to financial fraud, the regulators said, Meta needed to verify the identity of those advertising financial services and respond to reports of fraud within 24 hours.
Meta, according to the documents, told Taiwan it needed more time to comply. Regulators agreed. But Meta, the documents show, in the months that followed didn’t address the problem to the government’s satisfaction.
Frustrated, the Taiwanese regulators last year issued new demands. Now, the new regulations stated, Meta and the owners of other major platforms would have to verify all advertisers. Regulators told Meta it would be fined $180,000 for every unverified scam ad it ran, Meta staffers wrote.
If it didn’t comply, the staffers calculated, the resulting fines would exceed Meta’s total profits in Taiwan. It would be cheaper to abandon the market than to disobey, they concluded.
Meta complied, rushing to verify advertisers ahead of regulators’ deadlines.
In a statement to Reuters, Taiwan’s Ministry of Digital Affairs said stricter regulations over the past year brought down rates of scam ads involving investments by 96% and identity impersonation by 94%. In addition to requiring major social media platforms to verify advertisers, Taiwan has developed its own AI system to scan ads on Meta’s platform, set up a portal for citizens to report fraudulent ads, and established public-private partnerships to detect scams, the ministry added.
Over the course of 2025, the statement said, Taiwan has fined Meta about $590,000 for four violations of the law. The ministry said it “will maintain a close watch on shifting fraud risks.”
The new rules gave Meta the opportunity to study the impact that full verification would have on its business. Before the new regulation, according to internal calculations, about 18% of all Meta advertising in Taiwan, or about $342 million of its annual ad business there, broke at least one of the company’s rules against false advertising or the sale of banned products. Unverified advertisers, one analysis found, produced twice as much problematic advertising as those who submitted verification details.
Their analyses also revealed the whack-a-mole dynamic.
Because scamming is a global business – and Meta’s algorithms allow clients to choose multiple markets in which to advertise – many advertisers seeking to place fraudulent posts do so in more than one geography. Meta experiments showed that while fraudulent ads decreased in Taiwan after the rule change, its algorithms simply rerouted them to users in other markets.
“The implication here is that violating actors that only require verification in one country, will shift their harm to other countries,” one analysis spelled out. Unless advertiser verification was “enforced globally,” staffers wrote, Meta wouldn’t so much be fighting scams as relocating them.
The documents included briefing notes prepared for Chief Executive Mark Zuckerberg about the dynamic. Reuters couldn’t determine whether the Meta boss ever saw the notes or was briefed on their contents. But the message delivered a similar conclusion. It also warned of a complication: If enforcement in one jurisdiction worsened the problem of fraud in others, regulators in the newly impacted markets were likely to crack down, too.
Meta spokesperson Stone said he couldn’t determine whether Zuckerberg received the briefing described in the document reviewed by Reuters.
Faced with the prospect of ever-expanding scrutiny, Meta considered embracing full verification voluntarily, the documents show. The goal, staffers wrote, could enable the company to appear proactive but also set terms and a timeline on its own. “We have an opportunity to set a goal of verifying all advertisers (and communicate our intention to do so externally, in order to better negotiate with lawmakers),” a November 2024 strategy document noted. Meta could “stage the rollout over time and set our own definitions of verification.”
Policy staff even planned to announce the decision during the first half of 2025, the documents show. But for reasons not specified in the documents, they postponed an announcement until the second half of the year and then cancelled it altogether. Leadership had changed its mind, a document noted, without saying why.
“MIMIC WHAT REGULATORS MAY SEARCH FOR”
Instead, Meta began to apply some of the lessons it learned in Japan.
That experience helped the company realize that Tokyo wasn’t the only government using Ad Library searches as a means of tracking online fraud. “Regulators will open up the ads library and show us multiple similar scam ads,” public policy staffers lamented in one 2024 document. Staffers also noted authorities were employing one feature that was proving especially useful: a keyword search. Unlike Google’s version, the Meta library made it easy to find scam ads through searches with terms like “free gift” or “guaranteed profit.”
Managers overseeing a revamp of the Ad Library proposed eventually killing the keyword feature entirely, the documents show. Wary of blowback from regulators, however, Meta decided not to. The Meta spokesperson said Meta is not considering it.
The company did, however, change the library so that searches returned fewer objectionable ads.
One adjustment made searches default to active ads, reducing the number of search results by eliminating content that Meta had already blocked through prior screening. The change made fraudulent ads from the past absent from new search results.
Staffers also made Meta’s systems rerun enforcement measures on all ads that appeared during new Ad Library searches, the documents show. That adjustment gave Meta a second chance to scrap violators that had previously evaded fraud filters.
One of the most useful tactics it learned in Japan was Meta’s mimicry of searches performed by regulators. After repeating the same queries, and deleting problematic results, staffers could eventually go days without finding scam ads, one document shows.
As a result, Meta decided to take the tactic global, performing similar analyses to assess “scam discoverability” in other countries. “We have built a vast keyword list by country that is meant to mimic what regulators may search for,” one document states. Another described the work as changing the “prevalence perception” of scams on Facebook and Instagram.
Meta’s perception-management tools are now part of what the company has referred to as its “general global playbook” for dealing with regulators. The documents reviewed by Reuters repeatedly reference the “playbook” as steps the company should follow in order to slow the push toward verification in any given jurisdiction.
Beginning one year ahead of expected regulation, the playbook advises, Meta should tell the local regulators it will create a voluntary verification process. When doing so, the documents add, Meta should ask those authorities for time to let the voluntary measures play out. To buy yet more time, and further gauge reactions from regulators, Meta after six months should force verification upon “new and risky” advertisers, the playbook continues.
Meta has devised a “global playbook,” summarized in the document here, to delay and weaken the push by regulators to mandate advertiser verification. Internal documents reviewed by Reuters show that verification reduces scam ads, but also costs Meta revenue. REUTERS
If ultimately regulators force mandatory verification for all, the playbook states, Meta should once again stall. “Keep engaging with regulator on extension,” one document advises.
The documents show Meta staffers celebrating the success of their efforts to change some perceptions.
In March, industry officials and regulators met for a conference in London organized by the Global Anti-Scam Alliance, a group that organizes regular gatherings to address online fraud. Meta staffers in one document celebrated the lack of scorn heaped on the company compared with previous events.
“There was a drastic shift in tone,” a project manager noted. “Meta was rarely called out whereas previously we were explicitly and repeatedly shamed for lack of action in countering fraud.”

reuters.com EN 2025 Meta regulation scammers
Notepad++ v8.9 release: security enhancements https://notepad-plus-plus.org/news/v89-released/
02/01/2026 14:31:27

| Notepad++ notepad-plus-plus.org
2025-12-27

Though the version number is major, this release itself is not a major update; it contains a regression fix and enhancements.

The self-signed certificate is no longer used as of this release. Only the legitimate certificate issued by GlobalSign is now used to sign Notepad++ release binaries. We strongly recommend that users who previously installed the self-signed root certificate remove it.

A log of security errors encountered during Notepad++ updates is now generated automatically. If the auto-update process stops due to a signature or certificate verification failure, users can check the file located at "%LOCALAPPDATA%\Notepad++\log\securityError.log" to identify the issue and report it to the Notepad++ issue tracker.

The jarring color regression in dark mode introduced in v8.8.9 has also been fixed in this release.

In addition to the security enhancements & the regression-fix mentioned above, this release includes various bug-fixes & several additional enhancements. You can view the full list of improvements for version 8.9 and download it here:

Notepad++ EN 2025 GlobalSign certificate
Condé Nast gets hacked, and DataBreaches gets “played” — Christmas lump of coal edition (1) – DataBreaches.Net https://databreaches.net/2025/12/25/conde-nast-gets-hacked-and-databreaches-gets-played-christmas-lump-of-coal-edition/
02/01/2026 14:24:50

databreaches.net
Posted on December 25, 2025 by Dissent

Over the years, DataBreaches has been contacted by many people with requests for help notifying entities of data leaks or breaches. Some of the people who contact this site are cybercriminals, hoping to put pressure on their victims. Others are researchers who are frustrated by their attempts at responsible disclosure.

When it’s a “blackhat” contacting this site, DataBreaches often responds by seeking more information from them, and may even contact their target to ask for confirmation or a statement about claims that are being made. Usually, DataBreaches does not report on the attack or claims at that time, so as not to add to the pressure the entity might be under to pay some extortion. Occasionally, though, depending on the circumstances and the length of time since the alleged breach, this site may report on an attack that an entity has not yet disclosed, especially if personal information is already being leaked.

Some people have questioned whether I have been too friendly with cybercriminals or a mouthpiece for them. Occasionally, I have even been accused of aiding criminals. I’ve certainly knowingly aided some criminals who have contacted me over the years if they are trying to do the right thing or turn their lives around. And I’ve also helped some cybercriminals in ways I cannot reveal here because it involves off-the-record situations. One person recently referred to me as the “threat actor whisperer.”

The reality is that I talk to most cybercriminals as people and chatting with them gives me greater insights into their motivations and thinking. And, of course, it occasionally gives me tips and exclusives relevant to my reporting.

Do some threat actors lie to me? Undoubtedly. I resent being “played” and I get mad at myself if I have been duped.

The remainder of this post is about a data leak on a few forums involving data from WIRED and Condé Nast and how DataBreaches was “played.”

A Message on Signal
On November 22, a message request appeared on Signal from someone called “Lovely.” The avatar was a cute kitten, and the only message was “Hello.”

DataBreaches’ first thought was that this was a likely scammer, but curiosity prevailed, so I accepted the request. What they wrote next surprised me:

Can you try to get me a security contact at Condé Nast? I emailed them about a serious vulnerability on one of their websites a few days ago but I haven’t received a response yet

“Lovely,” who assured me they were not seeking a bug bounty or any payment, said they were simply trying to inform Condé Nast of a vulnerability that could expose account profiles and enable an attacker to change accounts’ passwords. On inquiry, they claimed they had only downloaded a few profiles as proof of the vulnerability.

“Lovely” showed me screenshots of attempts to inform WIRED and Condé Nast via direct contact with one of their security reporters and someone who claimed to be from their security team.

They also showed me my own registration data from WIRED.com, which was accurate, and the information from a WIRED reporter who also seemingly confirmed his data was also correct.

WIRED account information for DataBreaches that Lovely showed her on November 27. It shows email address and date registered and last updated among the fields.
It all seemed consistent with what they had claimed.

Despite its vast wealth, Condé Nast lacks a security.txt file that explains how to report a vulnerability to them. Nowhere on its site did it plainly explain how to report a vulnerability to them.

Trying to help Condé Nast avoid compromise of what was described to me as a serious vulnerability risking more than 33 million users’ accounts, I reached out to people I know at WIRED. I also reached out to Condé Nast but received no replies from them.

When the “Researcher” Really Is Dishonorable
Weeks of failed attempts to get a response from Condé Nast followed and Lovely started stating that they were getting angry and thinking about leaking a database just to get the firm’s attention. Leaking a database? They had assured me they had only downloaded a few profiles as proof. But now they stated they had downloaded more than 33 million accounts. They wrote:

We downloaded all 33 million users’ information. The data includes email address, name, phone number, physical address, gender, usernames, and more.

The vulnerabilities allow us to
– view the account information of every Condé Nast account
– change any account’s email address and password

They also provided DataBreaches with a list of the json files showing the number of user accounts for each publication. Not all publications had all of the types of information.

DataBreaches reached out to Condé Nast again with that information, but again received no reply. A contact at WIRED was able to get the firm’s security team to engage and Lovely eventually told DataBreaches that they had made contact and given the security team information on six vulnerabilities they had found.

Six? How many lies had Lovely told me? Lovely asked me to hold off on reporting until the firm had time to remediate all the vulnerabilities. DataBreaches agreed, for the firm’s sake, but by now, had no doubts that Lovely had been dishonest and she had been “played.”

Eventually, Lovely sent a message that everything had now been remediated. DataBreaches asked, “Did they pay you anything?” And that’s when Lovely answered, “Not yet.” DataBreaches subsequently discovered that they have been leaking data from WIRED on at least two forums, with a list of all the json files they intend to leak. Or perhaps they intend to sell some of the data. Either way, they lied to this blogger to get her help in reaching Condé Nast.

“Regrets, I’ve Had a Few”
At one point when I reached out on LinkedIn seeking a contact at Condé Nast, someone suggested that Lovely wasn’t a researcher but was a cybercriminal and that I was aiding them.

With the clarity of hindsight, he was right in one respect, although I certainly had no indication of that at the outset or even weeks later. But as I replied to him at the time, “I hope I wasn’t helping a cybercriminal, but if Condé Nast found out about a vulnerability that allowed access to 33M accounts, did I harm Condé Nast by reaching out to them, or did I help them?”

I don’t know if Condé Nast verified Lovely’s claims or not about the alleged vulnerabilities. That said, based on what I had been told, I don’t regret my repeated attempts to get their security team to contact Lovely to get information about the alleged vulnerability.

As for “Lovely,” they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted.

Update of December 27, 2025: By now, the data leak has started to be picked up on LinkedIn by Alon Gal and on Have I Been Pwned by Troy Hunt. Condé Nast has yet to issue any public statement or respond to this site’s inquiries. As HIBP reports:

In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number, date of birth, gender, and geographic location or full physical address. The WIRED data allegedly represents a subset of Condé Nast brands the hacker also claims to have obtained.

databreaches.net EN 2025 Wired Condé-Nast data-breach
US cybersecurity experts plead guilty to BlackCat ransomware attacks https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-plead-guilty-to-blackcat-alphv-ransomware-attacks/
31/12/2025 00:52:29

bleepingcomputer.com
By Sergiu Gatlan
December 30, 2025

Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.

33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.

Together with a third accomplice, the two BlackCat ransomware affiliates breached the networks of multiple victims across the United States between May 2023 and November 2023, paying a 20% share of ransoms in exchange for access to BlackCat's ransomware and extortion platform.

Goldberg is a former Sygnia incident response manager, and Martin worked at DigitalMint as a ransomware threat negotiator (as did the unnamed co-conspirator).

"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva. "Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets."

According to court documents, their alleged victims include a Maryland pharmaceutical company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, and a California doctor's office.

While they have demanded ransoms ranging from $300,000 to $10 million, prosecutors said they were only paid $1.27 million by the Tampa medical device company after encrypting its servers and demanding $10 million in May 2023. While other victims also received ransom demands, the indictment does not indicate whether additional payments were made.

As BleepingComputer previously reported, the Justice Department was also investigating a former DigitalMint negotiator in July for allegedly working with ransomware groups. However, the DOJ and FBI did not comment on the investigation, and it is unclear if this case is related to it.

In December 2023, the FBI created a decryption tool after breaching BlackCat's servers to monitor their activities and obtain decryption keys. The FBI also found that the BlackCat operation collected at least $300 million in ransom payments from more than 1,000 victims until September 2023.

In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) also warned that Blackcat affiliates were primarily targeting organizations in the U.S. healthcare sector.

bleepingcomputer.com EN 2025 Affiliates ALPHV BlackCat DigitalMint Ransomware Sygnia USA
Everest Ransomware Group Claims Theft of Over 1TB of Chrysler https://hackread.com/everest-ransomware-group-chrysler-data-breach/
28/12/2025 13:32:13

Hackread – Cybersecurity News, Data Breaches, AI, and More
by Waqas
December 26, 2025

On December 25, while much of the world was observing Christmas, the Everest ransomware group published a new post on its dark web leak site claiming it had breached the systems of Chrysler, an American automaker. The group says it exfiltrated 1088 GB (over 1 TB) of data, describing it as a full database linked to Chrysler operations.

According to the threat actors, the stolen data spans from 2021 through 2025 and includes more than 105 GB of Salesforce related information. Everest claims the data contains extensive personal and operational records tied to customers, dealers, and internal agents.

Screenshot from the Everest ransomware group’s dark web leak site (Credit: Hackread.com)
Leaked Screenshots and Sample Data Details
Screenshots shared by the group and reviewed for this report appear to show structured databases, internal spreadsheets, directory trees, and CRM exports. Several images display Salesforce records containing customer interaction logs with names, phone numbers, email addresses, physical addresses, vehicle details, recall case notes, and call outcomes such as voicemail, disconnected, wrong number, or callback scheduled.

Related screenshots (Credit: Hackread.com)
The same material also includes agent work logs documenting call attempts, recall coordination steps, appointment handling, and vehicle status updates, such as sold, repaired, or owner not found.

Additional screenshots appear to reference internal file servers and directories labelled with dealer networks, automotive brands, recall programs, FTP paths, and internal tooling. One set of images also suggests the presence of HR or identity-related records, listing employee names, employment status fields such as active or permanently separated, timestamps, and corporate email domains associated with Stellantis.

For your information, Stellantis is a global automaker behind brands such as Jeep, Chrysler, Dodge, and FIAT. The automaker was also a victim of a cyber attack in September 2025.

Samples published by the attackers also include recall case narratives documenting customer conversations, interpreter use, dealership coordination, appointment scheduling, and follow-up actions. These records align with standard automotive recall support and customer service processes and are consistent with the CRM data shown in other samples.

The group has threatened to publish the full dataset once its countdown timer expires, stating that the company still has time to make contact. Everest also announced plans to release audio recordings linked to customer service interactions, further escalating the pressure.

Unconfirmed Pending Chrysler Response
Ransomware groups increasingly time disclosures around holidays, when incident response capacity is often reduced. At the time of writing, Chrysler has not publicly confirmed the breach or commented on the claims, and independent verification remains limited.

If validated, the alleged exposure would raise significant concerns regarding customer privacy, internal operational security, and third-party platform governance, given the reported scale and sensitivity of the CRM and recall management data involved.

This story is developing.

hackread.com EN 2025 Stellantis Chrysler data-breach Everest Ransomware