| The Record from Recorded Future News Alexander Martin
September 18th, 2025

Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year.

The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, had been arrested at their homes at lunchtime on Tuesday.

The Crown Prosecution Service authorized charges against both men on Wednesday night under the Computer Misuse Act, alleging they conspired to commit unauthorized acts against TfL, which was hacked in August 2024. Flowers had initially been arrested over the the transit agency attack in September 2024, but released on bail.

The NCA said its officers also discovered additional potential evidence that Flowers had been involved in attacks against U.S. healthcare companies following his arrest. Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health.

Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The U.S. Department of Justice also unsealed a complaint against Jubair on Thursday, accusing him of computer crimes.

The men are set to appear at Westminster Magistrates’ Court at 2 p.m. on Thursday. In England and Wales, criminal cases begin with a first hearing in a magistrates’ court where it is decided whether the case will proceed to a Crown Court for a jury trial — required for all cases where the sentence could exceed 12 months.

The specific charges against both men are “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.

Magistrates’ courts also decide whether a defendant can be released on bail. Prosecutors are seeking to have both men remanded in custody until they can face trial.

Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.

“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.

Hannah Von Dadelszen, the CPS’ chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”

The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.

Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.

bleepingcomputer.com
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.

In early September 2025, in coordination with Cloudflare's Cloudforce One and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.

The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.

For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.

The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.

"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," said Steven Masada, Assistant General Counsel for Microsoft's Digital Crimes Unit.

"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."

RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
​Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.

During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.

Cloudflare also believes that RaccoonO365 also collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.

"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.

"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."

In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.

krebsonsecurity.com Brian Krebs September 16, 2025

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.

The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”

“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”

At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.

The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.

In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.

“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.

The security-focused code development platform socket.dev reports the Shai-Halud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.

In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”

A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.

StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.

“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.

Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.

“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”

For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.

Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”

oag.dc.gov September 8, 2025
Lawsuit Alleges That 93% of Deposits to Athena Bitcoin, Inc. Are From Scams That Target Vulnerable Residents & Seniors & That Athena Profits from Illegal, Hidden Fees

Attorney General Brian L. Schwalb today sued Athena Bitcoin, Inc. (Athena), one of the country’s largest operators of Bitcoin Automated Teller Machines (BTMs), for charging undisclosed fees on deposits that it knows are often the result of scams, and for failing to implement adequate anti-fraud measures. When users discover they have been scammed and seek refunds, Athena imposes a strict “no refunds” policy on their entire transactions—even failing to return the significant undisclosed fees it collects from scam victims.

An investigation by the Office of the Attorney General (OAG) showed that Athena BTMs appeal to criminals because Athena fails to provide effective oversight, creating an unchecked opportunity for illicit international fraud. Athena BTMs are most frequently used by scammers targeting elderly users who are less familiar with cryptocurrency and less likely to report fraud. According to the company’s own data from its first five months of operations in the District:

93% of all Athena BTM deposits were the direct result of scams;

Nearly half of all deposits were flagged to Athena as the product of fraud;

Victims’ median age was 71; and

The median amount lost per scam transaction was $8,000, with one victim losing a total of $98,000 in nineteen transactions over a period of several days.
“Athena’s bitcoin machines have become a tool for criminals intent on exploiting elderly and vulnerable District residents,” said Attorney General Schwalb. “Athena knows that its machines are being used primarily by scammers yet chooses to look the other way so that it can continue to pocket sizable hidden transaction fees. Today we’re suing to get District residents their hard-earned money back and put a stop to this illegal, predatory conduct before it harms anyone else.”

Athena is one of the country’s largest BTM operators and has maintained seven BTMs in the District. BTMs allow users to purchase cryptocurrencies such as Bitcoin with cash and then deposit the cryptocurrency into a digital “wallet.” The wallet should be owned by the consumer purchasing the cryptocurrency, but in the scams conducted with Athena’s machines, exploited users send large sums of money directly to swindlers.

OAG’s lawsuit alleges Athena violates the District’s Consumer Protection Procedures Act and Abuse, Neglect, and Financial Exploitation of Vulnerable Adults and the Elderly Act by:

Facilitating financial scams. Athena is well aware that the safeguards it has implemented are insufficient to protect customers from fraud. Athena’s own logs show that during its first five months of operation in the District, 48% of all funds deposited in the company’s BTMs resulted in consumers reporting directly to Athena that they had been the victim of a scam.

Illegally profiting from hidden fees. Athena BTMs charge District consumers fees of up to 26% per transaction without clearly disclosing them at any point in the process. Bitcoin purchased through other apps and exchanges typically have fees of 0.24% to 3%. In June 2024, Athena added a confusing and misleading reference to a “Transaction Service Margin” in its lengthy Terms of Service, but the magnitude of the margin is never disclosed, nor is the word “fee” ever mentioned.

Refusing to refund victims of fraud. Athena further deceives users through a refund policy that either outright denies scam victims refunds or arbitrarily caps them, even though Athena could easily return the hidden transaction fees it pockets. Athena also requires fraud victims to sign a release that frees the company of all future liability and blames victims for not sufficiently heeding onscreen BTM warnings.
With this lawsuit, OAG seeks to force Athena to bring Athena’s operations into compliance with District law, secure restitution for victims, and penalties for the District.

A copy of the lawsuit is available here.

This case is being handled by Assistant Attorneys General Anabel Butler and Jason Jones, Investigator Lu Lagravinese, and Civil Rights and Elder Justice Section Chief Alicia M. Lendon.

Resources for District Residents

Elder financial abuse is all too common and largely underreported. It happens to people across all socioeconomic backgrounds and can be perpetrated by anyone having a connection to the senior resident, whether through a family, personal, or business relationship. Elders or vulnerable adults may be hesitant to report abuse because of fear of retaliation or lack of physical or cognitive ability to report the abuse, or because they do not want to get the alleged abuser in trouble.

Resources to help residents learn how to detect, prevent, and report abuse of the elderly or vulnerable adults are available here.

Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.

"No requests were made with this fraudulent account, and no data was accessed."

The FBI declined to comment on the threat actor's claims.

This statement comes after a group of threat actors calling itself "Scattered Lapsus$ Hunters" claimed on Telegram to have gained access to both Google's LERS portal and the FBI's eCheck background check system.

The group posted screenshots of their alleged access shortly after announcing on Thursday that they were "going dark."

The hackers' claims raised concerns as both LERS and the FBI's eCheck system are used by police and intelligence agencies worldwide to submit subpoenas, court orders, and emergency disclosure requests.

Unauthorized access could allow attackers to impersonate law enforcement and gain access to sensitive user data that should normally be protected.

The "Scattered Lapsus$ Hunters" group, which claims to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, is behind widespread data theft attacks targeting Salesforce data this year.

The threat actors initially utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, which was then used to steal data and extort companies.

The threat actors later breached Salesloft's GitHub repository and used Trufflehog to scan for secrets exposed in the private source code. This allowed them to find authentication tokens for Salesloft Drift, which were used to conduct further Salesforce data theft attacks.

These attacks have impacted many companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, Palo Alto Networks, and many more.

Google Threat Intelligence (Mandiant) has been a thorn in the side of these threat actors, being the first to disclose the Salesforce and Salesloft attacks and warning companies to shore up their defenses.

Since then, the threat actors have been taunting the FBI, Google, Mandiant, and security researchers in posts to various Telegram channels.

Late Thursday night, the group posted a lengthy message to a BreachForums-linked domain causing some to believe the threat actors were retiring.

"This is why we have decided that silence will now be our strength," wrote the threat actors.

"You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active."

However, cybersecurity researchers who spoke with BleepingComputer believe the group will continue conducting attacks quietly despite their claims of going dark.

Update 9/15/25: Article title updated as some felt it indicated a breach.

bbc.com 12.09 Theo LeggettBusiness correspondent

The past two weeks have been dreadful for Jaguar Land Rover (JLR), and the crisis at the car maker shows no sign of coming to an end.

A cyber attack, which first came to light on 1 September, forced the manufacturer to shut down its computer systems and close production lines worldwide.

Its factories in Solihull, Halewood, and Wolverhampton are expected to remain idle until at least Wednesday, as the company continues to assess the damage.

JLR is thought to have lost at least £50m so far as a result of the stoppage. But experts say the most serious damage is being done to its network of suppliers, many of whom are small and medium sized businesses.

The government is now facing calls for a furlough scheme to be set up, to prevent widespread job losses.

David Bailey, professor of business economics at Birmingham Business School, told the BBC: "There's anywhere up to a quarter of a million people in the supply chain for Jaguar Land Rover.

"So if there's a knock-on effect from this closure, we could see companies going under and jobs being lost".

Under normal circumstances, JLR would expect to build more than 1,000 vehicles a day, many of them at its UK plants in Solihull and Halewood. Engines are assembled at its Wolverhampton site. The company also has large car factories in China and Slovakia, as well as a smaller facility in India.

JLR said it closed down its IT networks deliberately in order to protect them from damage. However, because its production and parts supply systems are heavily automated, this meant cars simply could not be built.

Sales were also heavily disrupted, though workarounds have since been put in place to allow dealerships to operate.

Initially, the carmaker seemed relatively confident the issue could be resolved quickly.

Nearly two weeks on, it has become abundantly clear that restarting its computer systems has been a far from simple process. It has already admitted that some data may have been seen or stolen, and it has been working with the National Cyber Security Centre to investigate the incident.

Experts say the cost to JLR itself is likely to be between £5m and £10m per day, meaning it has already lost between £50m and £100m. However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.

'Some suppliers will go bust'
JLR sits at the top of a pyramid of suppliers, many of whom are highly dependent on the carmaker because it is their main customer.

They include a large number of small and medium-sized firms, which do not have the resources to cope with an extended interruption to their business.

"Some of them will go bust. I would not be at all surprised to see bankruptcies," says Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin.

He believes suppliers will have begun cutting their headcount dramatically in order to keep costs down.

Mr Palmer says: "You hold back in the first week or so of a shutdown. You bear those losses.

"But then, you go into the second week, more information becomes available – then you cut hard. So layoffs are either already happening, or are being planned."

A boss at one smaller JLR supplier, who preferred not to be named, confirmed his firm had already laid off 40 people, nearly half of its workforce.

Meanwhile, other companies are continuing to tell their employees to remain at home with the hours they are not working to be "banked", to be offset against holidays or overtime at a later date.

There seems little expectation of a swift return to work.

One employee at a major supplier based in the West Midlands told the BBC they were not expecting to be back on the shop floor until 29 September. Hundreds of staff, they say, had been told to remain at home.

When automotive firms cut back, temporary workers brought in to cover busy periods are usually the first to go.

There is generally a reluctance to get rid of permanent staff, as they often have skills that are difficult to replace. But if cashflow dries up, they may have little choice.

Labour MP Liam Byrne, who chairs the Commons Business and Trade Committee, says this means government help is needed.

"What began in some online systems is now rippling through the supply chain, threatening a cashflow crunch that could turn a short-term shock into long-term harm", he says.

"We cannot afford to see a cornerstone of our advanced manufacturing base weakened by events beyond its control".

The trade union Unite has called for a furlough system to be set up to help automotive suppliers. This would involve the government subsidising workers' pay packets while they are unable to do their jobs, taking the burden off their employers.

"Thousands of these workers in JLR's supply chain now find their jobs are under an immediate threat because of the cyber attack," says Unite general secretary, Sharon Graham.

"Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on track."

Business and Trade Minister Chris Bryant said: "We recognise the significant impact this incident has had on JLR and their suppliers, and I know this is a worrying time for those affected.

"I met with the chief executive of JLR yesterday to discuss the impact of the incident. We are also in daily contact with the company and our cyber experts about resolving this issue."

https://www.international.gc.ca Date modified: 2025-09-12

Summary
Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journalists, including one from Canada. RRM Canada assesses that the operation began on July 8, 2025.

The hacked materials ranged from photos of government IDs to intimate content. They were first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. At the time of assessment, engagement with the hacked materials has varied from low to medium (between 0 to 2,200 interactions and 1 to 225,000 views), depending on the platform. The social media campaign appears to have stopped as of early August.

Following the aftermath of the initial “hack and leak” operation, RRM Canada also detected amplification of the leaked information through multiple AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. These platforms all outlined detailed information about the “hack and leak” operation, providing names of the affected individuals, the nature of the leaked information, and links to the released images. RRM Canada notes that some of these chatbots continue to surface the leaked images upon request.

Many sources, including the Atlantic Council, have associated the Handala Hack group with Iran’s intelligence services. Footnote1

Targets and content
Initial “hack and leak” operation
On July 8, 2025, alleged “hacktivist” group “Handala Hack Team” claimed to have accessed the internal communication and server infrastructure of Iran International—a Farsi satellite television channel and internationally-based English, Arabic, and Farsi online news operation.Footnote2 The group released several uncensored photos of government IDs (including passports, permanent resident cards, and driver’s licences) of five Iran International staffers. In some instances, released content included email address passwords, along with intimate photos and videos. (See Annex A)

RRM Canada detected the operation on July 9, 2025, following the release of the information on a Telegram channel associated with Handala. The group claimed to have acquired information of thousands of individuals linked to Iran International, including documents and intimate images of journalists who worked for the news agency.Footnote3

On July 11, 2025, RRM Canada detected further distribution of materials on X and Facebook. The information appears to focus on a Canadian resident employed by Iran International. The leak included several photos of the individual’s ID, including their provincial driver’s licence, permanent resident card, and Iranian passport, and other personal photos and videos. Three other internationally based staff of the news agency were targeted in a similar fashion, with the release of government-issued ID on Handala’s website and then distributed online.

It is believed that more journalists have been affected by the hack, and there are suggestions that the group is also using the hacked intimate images as a source of revenue by implementing pay-for-play access to some images.

Information amplified through AI chatbots
RRM Canada tested six popular AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek—to assess whether the platforms would retrieve and share the information leaked by Handala. While the required prompts varied, all tested chatbots outlined detailed information about the operation, providing the names of the individuals implicated in the lead in addition to the nature of information. (See Annex B)

In addition to providing information, links, and, in some cases, images related to the leak, the chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations against Iran International regarding its credibility from Handala.

Tactics, techniques and procedures
“Hack and leak” operations are a type of cyber-enabled influence campaign where malicious actors hack into a target’s systems or accounts to steal sensitive or private information and then leak the information publicly. Operations are often implemented with the intent to damage reputations, influence public opinion, disrupt political processes, and even put personal safety at risk.

These operations are often associated with state-sponsored actors, hacktivist groups, or cybercriminals.

Links to Iranian intelligence
Handala established their web presence in December 2023. The group has limited social media presence, likely resulting from frequent violations of the platforms’ terms of service.

Atlantic Council and several threat intelligence firms (including Recorded Future, Trellix, and others) report that Handala has connections or is affiliated with other Iranian intelligence-linked groups such as Storm-842 (also known as Red Sandstorm, Dune, Void Manticore, or Banished Kitten).Footnote4 Iran International asserts that Handala and Storm-842 are the same group operating as a cyber unit within Iran’s Ministry of Intelligence.Footnote5

Implications
The leak of personal information increases the risk to the personal safety of the affected Iran International staff. The ease of access to the information resulting from search engine algorithms and availability on AI chatbots further increases this risk. Such operations are used as a form of digital transnational repression (DTNR), which is leveraged to coerce, harass, silence, and intimidate those who speak against foreign actors or against their interests.

Annex A: Sample images of leaked information
Image 1
Image 1: Government-issued ID and personal photos of a Canadian resident working for Iran International.

Image 2
Image 2: post likely from Handala Hack Team associates amplifying leaked materials.

Annex B: Large language model outputs
Image 3
Image 3: Web version of ChatGPT producing leaked images.

Image 4
Image 4: Google’s Gemini reproducing images of the leak.

Image 5
Image 5: Grok showing X posts that include leaked information.

Image 6
Image 6: Claude generating responses with a citation linking directly to Handala's website.

Image 7
Image 7: DeepSeek generating responses with a citation linking directly to Handala’s website.

ZATAZ » Darknet: dismantling of the French DFAS platform
Posted On 12 Sep 2025By : Damien Bancal

The Paris prosecutor has announced the shutdown of DFAS, one of the last major French-speaking darknet platforms, after a joint investigation by Cyberdouanes and OFAC.
On September 12, 2025, the Paris prosecutor confirmed the dismantling of the darknet platform “Dark French Anti System” (DFAS), active since 2017. Considered the last major French-speaking darknet marketplace, it facilitated drug sales, personal data trading, and criminal tools. Two men were arrested on September 8: the alleged creator, born in 1997, and an active contributor, born in 1989. More than 6 bitcoins, worth about €600,000, were seized. The investigation, launched by Cyberdouanes in 2023, uncovered over 12,000 members and 110,000 published messages. This operation closes a series of successive dismantlings carried out by French authorities since 2018.

The origins and structure of DFAS
The DFAS platform, short for “Dark French Anti System,” had been operating on the darknet since 2017. It offered various services, including drug sales, tools for fraud and cyberattacks, weapons, and guidance on user anonymization. It stood out as a rare French-speaking hub in a landscape largely dominated by English-language platforms.
One of the two men arrested, born in May 1997, is suspected of having designed and managed the platform. The second, born in April 1989, acted as a tester of its criminal services. Both suspects were brought before a judge for possible indictment.

The investigation began in 2023, led by the French customs intelligence unit DNRED. Cyberdouanes noted a steady growth in activity, despite earlier takedowns of French-speaking marketplaces. DFAS had more than 12,000 active members and over 110,000 messages. The site also served as a refuge for former users of previously dismantled platforms.

On September 8, 2025, law enforcement arrested two individuals linked to DFAS. More than 6 bitcoins, worth around €600,000, were seized. Investigators also secured technical materials documenting the platform’s operations and exchanges. The U.S. Office of Foreign Assets Control (OFAC) subsequently pursued the financial flows tied to the platform.

The end of a French-speaking darknet cycle
DFAS was the last major French-speaking darknet marketplace still active in 2025. Its shutdown follows a series of high-profile operations: La Main Noire in 2018, French Deep Web in 2021, Le Monde Parallèle that same year, and Cosa Nostra in 2024. Each closure had temporarily displaced users, but DFAS succeeded in capturing a large share of these migrations.

The Paris prosecutor’s announcement thus marks a turning point: the French-speaking darknet is now without a central hub. Criminal exchanges are dispersing across foreign platforms or smaller, harder-to-trace channels, complicating both monitoring and enforcement. [ZATAZ News English version]

| The Record from Recorded Future News Jonathan Greig
September 15th, 2025

Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organizations for exorbitant ransoms after stealing data from Salesforce, the FBI warned.

The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively.

After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organizations — threatening to leak troves of customer data, business documents and more.

The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency but they noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration while others took place months later.

The FBI said the campaign began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees.

That scheme typically gave the cybercriminals access to employee credentials that were then leveraged to access Salesforce instances holding customer data. In other cases, the hackers used phishing emails or texts to take over employees’ phones or computers.

The hackers evolved their tactics throughout the summer, switching to exploiting third-party applications that organizations linked to their Salesforce instances.

“UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal,” the FBI said.

“This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”

By August, the hackers began targeting the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.

The tactic allowed them to bypass traditional defenses like multifactor authentication, login monitoring and password resets, the FBI explained. In some cases, the FBI has found that the hackers created malicious applications within Salesforce trial accounts that allowed them to register connected apps without using a legitimate corporate account.

On Monday, Reuters and the BBC confirmed that Kering — the French conglomerate that owns Gucci, Balenciaga and Alexander McQueen — was attacked by the same ShinyHunters cybercriminals.

ShinyHunters told the BBC that it stole information connected to 7.4 million unique email addresses. The hackers told another news outlet that they stole the information in late 2024 but only began negotiating a ransom in June 2025.

Last week, a critical government agency in Vietnam confirmed that millions of financial records were stolen in an attack claimed by ShinyHunters. The cybercriminals previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries.

The FBI provided indicators of compromise that potential victims can use to see whether they have been affected by the hacking campaigns and urged companies to train call center employees on the tactics used.

The agency also said companies should limit the privileges of almost every employee account, enforce IP-based access restrictions, monitor API usage and more.

Experts said the information provided by the FBI showed how sophisticated the actors are at abusing legitimate tools for nefarious purposes, like Azure cloud infrastructure, virtual servers, Tor exit nodes and proxy services to obfuscate their origin.

Scattered retirement?
The FBI notice came shortly after the group made several posts on Telegram claiming to be retiring. The group blamed a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation.

Cybersecurity experts were dubious about the disbanding claims, noting that cybercriminal operations often make similar claims before reconstituting under different names. Some theorized the hackers are likely going to enjoy the spoils of their recent extortion campaigns before returning to cybercriminal activity.

Sam Rubin, a senior official with Palo Alto Networks’ Unit 42, said recent arrests may have prompted the group to lay low, but history says such activity is often temporary.

“Groups like this splinter, rebrand, and resurface — much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” he said.

“Silence from a threat group does not equal safety.”

databreaches.net Posted on September 15, 2025 by Dissent

On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined.

Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga’s safety manager. Those negotiations appeared to go on for more than a month and a half between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through.

Kering Issues a Statement
Although they did not respond to DataBreaches’ questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian.

Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it’s a start. Kering states:

« En juin 2025, nous avons constaté qu’un tiers non autorisé avait temporairement accédé à nos systèmes et consulté des données clients limitées provenant de certaines de nos Maisons », explique le service de presse de Kering dans une déclaration adressée à la rédaction.

Celle-ci ajoute que « nos Maisons ont immédiatement signalé cette intrusion aux autorités compétentes et ont informé les clients conformément aux réglementations locales ».

Et de préciser qu’aucune « information financière, telle que des numéros de compte bancaire ou de carte de crédit, ni aucun numéro d’identification personnelle (numéro de sécurité sociale), n’ont été compromise lors de cet incident ».

Selon le service de presse de Kering « l’intrusion a été rapidement identifiée et des mesures appropriées ont été prises pour sécuriser les systèmes concernés et éviter que de tels incidents ne se reproduisent à l’avenir ».

A machine translation roughly yields:

In June 2025, we found that an unauthorized third party had temporarily accessed our systems and accessed limited customer data from some of our Houses. Our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations….. No financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident.

According to Kering’s statement, “the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future.”

They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuter’s question.

An Inconsistent Statement?
It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches.

DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering’s statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects.

As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn’t pay any ransom, consistent with long-standing law enforcement advice.

Their denial appears to be factually inaccurate, at least in part.

At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering’s denial that they engaged in any conversations or paid any ransom.

The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0,00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report.

On July 4, Balenciaga’s “user” told ShinyHunters that the test payment had been made:

[en attente] : 2025-07-04
[03:09:08] shinycorp: Bonjour, vous nous aviez promis un paiement hier, mais nous n’avons rien reçu. des nouvelles ?
[04:23:45] Utilisateur: Bonjour
[04:24:05] Utilisateur: nous avons eu du retard pour la création du compte
[04:24:09] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
[04:24:18] Utilisateur: ci joint la preuve du paiement test
[04:24:24] Utilisateur: je vous invite à vérifier
[04:52:42] shinycorp: Reçu pour la première fois
[06:17:52] shinycorp: Veuillez diffuser la transaction.
[07: 45: 06] Utilisateur: fichier: / / / C: / Utilisateurs / X / Bureau / flux de blocs.htm
[07:46:28] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b

DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment.

Btcpaid

Kering’s reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that.

Kering’s statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them:

Have you notified data protection regulators in all of the countries where your customers reside?
When did you send emails to customers to notify them?
Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses?
Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themself as Balenciaga’s negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else?
No reply has been received.

Furthermore, we still do not know how many unique customers, total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address.

Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.

| CyberScoop By
Tim Starks
September 10, 202

Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.

U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.

Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).

“We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

The hackers used to be “noisy,” with an emphasis on hitting a target quickly, stealing data and then escaping, Bilnoski said. But now for nation-backed attackers, “we’re watching exponential leaps” in tactics, techniques and procedures, he said.

Jermaine Roebuck, associate director for threat hunting at the Cybersecurity and Infrastructure Security Agency, said his agency is also seeing those kinds of changes in the level of stealth from sophisticated hackers, in addition to “a significant change” in their intentions and targeting.

“We saw a lot of espionage over the last several years, but here lately, there’s been a decided shift into computer network attack, prepositioning or disruption in terms of capabilities,” he said at the same conference.

The targeting has changed as organizations, including government agencies, have shifted to the cloud. “Well, guess what?” he asked. “The actors are going toward the cloud” in response.

They’ve also focused on “edge devices,” like devices that supply virtual private network connections or other services provided by managed service providers, Roebuck said. Organizations have less insight into the attacks those devices and providers are facing than more direct intrusions, he said.

wsj.com By
Robert McMillan
Sept. 15, 2025 7:00 am ET

Botnets, massive networks of hacked devices, are being used for dangerous attacks, one of which recently set a world record

The Federal Bureau of Investigation recently disrupted a network of hacked devices used by criminals in some of the largest online attacks yet seen. Now those devices have been hacked by someone new to build an even bigger weapon.
Law-enforcement agencies and technology companies are waging a war against increasingly powerful networks of hacked devices, called botnets, that can knock websites offline for a fee. They are used for extortion and by disreputable companies to knock rivals offline, federal prosecutors say.

But lately, a new age of dangerous botnets has arrived, and existing internet infrastructure isn’t prepared, some network operators say. These botnets are leveraging new types of internet-connected devices with faster processors and more network bandwidth, offering them immense power.

The criminals controlling the botnets now have the capabilities to move beyond website takedowns to target internet connectivity and disrupt very large swaths of the internet.

“Before the concern was websites; now the concern is countries,” said Craig Labovitz, head of technology with Nokia’s Deepfield division.

In August, federal prosecutors charged a 22-year-old Oregon man with operating a botnet that had shut down the X social-media site earlier this year.

But the FBI’s takedown last month appeared to have an unwanted consequence: freeing up as many as 95,000 devices to be taken over by new botnet overlords. That led to a free-for-all to take over the machines “as fast as possible,” said Damian Menscher, a Google engineer.

The operators of a rival botnet, called Aisuru, seized control of more than one-fourth of them and immediately started launching attacks that are “breaking records,” he said.

On Sept. 1, the network services company Cloudflare said it had measured an attack that clogged up computer networks with 11.5 trillion bits of junk information per second. That is enough to consume the download bandwidth of more than 50,000 consumer internet connections. In a post to X, Cloudflare declared this attack, known as a distributed denial of service, or DDoS, a “world record” in terms of intensity. Some analysts see it almost as an advertisement of the botnet’s capabilities.

It was one of several dozen attacks of a similar size that network operators have witnessed over the past weeks. The attacks were very short in duration—often lasting just seconds—and may be demonstrations of the Aisuru capabilities, likely representing just a fraction of their total available bandwidth, according to Nokia.

With the world’s increasing dependence on computer networks, denial-of-service attacks have become weapons of war. Russia’s intelligence service, the GRU, used DDoS attacks on Ukraine’s financial-services industry as a way to cause disruption ahead of its 2022 invasion, U.K. authorities have said.

Botnets such as Aisuru are made up of a range of internet-connected devices—routers or security cameras, for example—rather than PCs, and often these machines can only join one botnet at a time. Their attacks can typically be fended off by the largest cloud-computing providers.

One massive network that Google disrupted earlier this year had mushroomed from at least 74,000 Android devices in 2023 to more than 10 million devices in two years. That made it the “largest known botnet of internet-connected TV devices,” according to a July Google court filing.

This network was being used to click billions of Google advertisements in an ad fraud scheme, Google said, but the massive network “could be used to commit more dangerous cybercrimes, such as ransomware” or denial-of-service attacks, the Google filing said.

To date, denial-of-service attacks are spawned from networks like Aisuru that typically include tens of thousands of computers, not millions, making them easier to defend against.

In the past year, a very large botnet that has typically been used for fraud began launching online attacks. Called ResHydra, it is made up of tens of millions of devices, according to Nokia.

Res Hydra represents a whole new level of problem, said Chris Formosa, a researcher with the networking company Lumen’s Black Lotus Labs. Harnessing a botnet of that size would “do extreme damage to a country.”

bleepingcomputer.com By Bill Toulas
September 8, 2025

American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.

Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million.

They are best known for their modular couch systems called 'sactionals,' as well as their bean bags called 'sacs.'
According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company's internal systems and stole data hosted on those systems.

Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor's access to its network.

The data that has been stolen includes full names and other personal information that hasn't been disclosed in the notice sample shared with the Attorney General's offices.

The company has not clarified whether the incident impacts customers, employees, or contractors, and neither has it disclosed the exact number of individuals affected.

Enclosed in the notification letter, recipients will find instructions on enrolling in 24 24-month credit monitoring service through Experian, redeemable until November 28, 2025.

The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.

Ransomware gang claimed attack on Lovesac
Although Lovesac does not name the attackers and didn't mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025.

The threat actors added Lovesac onto their extortion portal, announcing the breach, indicating plans to leak the stolen data if a ransom payment isn't made. We were unable to determine if they followed up with this threat.

The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki's European division, the Christie's auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy's Bologna Football Club.

The ransomware operation quietly shut down in April 2025, with many of their affiliates moving to DragonForce.

BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers were impacted, and will update this post if we receive a response.

Salesloft Trust Portal September 13, 2025 at 1:19 AM

Important Update Regarding Drift Security
The following provides additional information to our trust site post on September 6, 2025, regarding our current Drift remediation and fortification efforts and those going forward. We are continuing our efforts on remediation and additional security controls.

We are focused on the ongoing hardening of the Drift Application environment. This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations.

Furthermore, we are implementing new multi-factor authentication processes and further refining limitations to the application environment. These measures are complemented by an ongoing analysis of available logs and configuration settings, as well as the remediation of secrets within the environment and GitHub hardening activities.

As a part of this process, we have systems that will be turned on over the weekend that may send you automated notifications originating from Drift. Please disregard these notifications as they are part of our security testing process. Until we provide you with a definitive update that the Drift application has been restored and re-enabled, it will remain inaccessible to customers and third party integrations.

All of this is focused on continuing to harden the Drift environment prior to and after re-enabling the Drift application — which we expect to be soon.

September 11, 2025 at 12:30 AM
Drift Status Update
Most Recent: We want to provide you with an update regarding the status of the Drift application while it is temporarily offline.

On Sept 6, we posted a trust site update detailing the initial results of our investigation and remediation efforts to date. While Drift is offline, Salesloft is working to confirm the root cause of the security incident and implement additional security measures to avoid similar incidents in the future and to restore the application as soon as possible. We hope to be able to provide an ETA soon for getting Drift back online.

At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.

The security of your data and operations remains our highest priority, and we are committed to providing a safe and secure platform for all users. Thank you for your patience during this time.

For ongoing updates, please subscribe to trust.salesloft.com.

September 07, 2025 at 9:20 PM
Salesforce/Salesloft Integration Is Restored
We are pleased to report that the integration between the Salesloft platform and Salesforce is now restored.

Salesforce users can once again leverage the full capabilities and integrations of the Salesloft platform with confidence. For more information, read our most recent trust site update.

While the connection between systems was disabled, both Salesloft and Salesforce continued to run independently. The Salesloft Customer Success team will be reaching out to you directly to help you with data reconciliation before we can re-enable your Salesforce sync. Once we connect with you, the restoration should be relatively quick.

The step-by-step process for re-syncing your data and activities between Salesloft and Salesforce can be found in this help article.

The security of your data and operations remains our highest priority, and we remain committed to providing a safe and secure platform for all users. Thank you for your patience during this time and for your continued partnership.

For assistance, please contact Customer Support at help.salesloft.com.
For ongoing updates, please subscribe to our trust site (trust.salesloft.com)

September 07, 2025 at 2:00 AM
Update on Mandiant Drift and Salesloft Application Investigations
On August 28, 2025, Salesloft retained Mandiant to investigate the compromise of the Drift platform and its technology integrations. The objectives of the investigation are to determine the root cause, scope of the incident, and assist Salesloft with containment and remediation. Mandiant was subsequently engaged to examine the Salesloft environment to determine if it was compromised and verify the segmentation between the Drift and Salesloft environments.

The following is an update as of September 6, 2025:

What Happened:

Mandiant’s investigation has determined the threat actor took the following actions:

In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.

The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.
The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.
The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.

The threat actor used the stolen OAuth tokens to access data via Drift integrations.
Response and Remediation Activities:

As part of a comprehensive response, Salesloft performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments, including but not limited to:

Drift Application Environment:
Isolated and contained the Drift infrastructure, application, and code.
The Drift Application has been taken offline.
Rotated impacted credentials
Salesloft Application Environment:
Rotated credentials in the Salesloft environment.
Performed proactive threat hunting of the environment and noted no additional Indicators of Compromise (“IOCs”) found.
Rapidly hardened Salesloft environment against the known methods used by the threat actor during the attack.
Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies:
IOC analysis.
Analysis of events associated with at-risk credentials based on threat actor activity.
Analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.
Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments.
Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review.

| The Record from Recorded Future News therecord.media Suzanne Smalley
September 11th, 2025

Switzerland-based providers of secure email, VPNs and other digital services say a pending government proposal would be catastrophic to their ability to protect the privacy of users.

The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.

The proposal, which is not subject to parliamentary approval, has alarmed privacy and digital-freedoms advocates worldwide because of how it will destroy anonymity online, including for people located outside of Switzerland.

A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country because it has historically had liberal digital privacy laws alongside its famously discreet banking ecosystem.

Proton, which offers secure and end-to-end encrypted email along with an ultra-private VPN and cloud storage, announced on July 23 that it is moving most of its physical infrastructure out of Switzerland due to the proposed law.

The company is investing more than €100 million in the European Union, the announcement said, and plans to help develop a “sovereign EuroStack for the future of our home continent.” Switzerland is not a member of the EU.

Proton said the decision was prompted by the Swiss government’s attempt to “introduce mass surveillance.”

Proton founder and CEO Andy Yen told Radio Télévision Suisse (RTS) that the suggested regulation would be illegal in the EU and United States.

"The only country in Europe with a roughly equivalent law is Russia," Yen said.

One of the Swiss officials spearheading the effort told a Swiss news outlet that strict safeguards will be used to protect against mass surveillance. The official, Jean-Louis Biberstein, described the effort as necessary to fight cyberattacks, organized crime and terrorism.

It is unclear when the proposed regulation will be implemented. The Swiss government must give the public the right to comment during a “consultation” process before imposing the rule, NymVPN chief operating officer Alexis Roussel told Recorded Future News.

“There is a great worrying paradox, when the need for privacy tech is becoming so important to protect citizens to have a state that actively destroys its own local privacy industry," Roussel said.

Nym is among a coalition of industry players, politicians and digital-freedoms organizations opposing the measure.

Roussel believes the government will tweak the proposal in response to the intense backlash, but said he doesn’t think the changes will be significant enough to address his concerns.

The metadata the regulation would allow law enforcement to seize is “where most value for surveillance resides, in who you speak to and when,” Roussel said.

Internet users would no longer be able to register for a service with just an email address or anonymously and would instead have to provide their passport, drivers license or another official ID to subscribe, said Chloé Berthélémy, senior policy adviser at European Digital Rights (eDRI), an association of civil and human rights organizations from across Europe.

The regulation also includes a mass data retention obligation requiring that service providers keep users’ email addresses, phone numbers and names along with IP addresses and device port numbers for six months, Berthélémy said. Port numbers are unique identifiers that send data to a specific application or service on a computer.

All authorities would need to do to obtain the data, Berthélémy said, is make a simple request that would circumvent existing legal control mechanisms such as court orders.

“The right to anonymity is supporting a very wide range of communities and individuals who are seeking safety online,” Berthélémy said.

“In a world where we have increasing attacks from governments on specific minority groups, on human rights defenders, journalists, any kind of watchdogs and anyone who holds those in power accountable, it's very crucial that we … preserve our privacy online in order to do those very crucial missions.”

krebsonsecurity.com Krebs on Security September 11, 2025

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns.…

Materializing just two weeks before Russia invaded Ukraine in 2022, Stark Industries Solutions became a frequent source of massive DDoS attacks, Russian-language proxy and VPN services, malware tied to Russia-backed hacking groups, and fake news. ISPs like Stark are called “bulletproof” providers when they cultivate a reputation for ignoring any abuse complaints or police inquiries about activity on their networks.

In May 2025, the European Union sanctioned one of Stark’s two main conduits to the larger Internet — Moldova-based PQ Hosting — as well as the company’s Moldovan owners Yuri and Ivan Neculiti. The EU Commission said the Neculiti brothers and PQ Hosting were linked to Russia’s hybrid warfare efforts.

But a new report from Recorded Future finds that just prior to the sanctions being announced, Stark rebranded to the[.]hosting, under control of the Dutch entity WorkTitans BV (AS209847) on June 24, 2025. The Neculiti brothers reportedly got a heads up roughly 12 days before the sanctions were announced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers in the sanctions package.

In response, the Neculiti brothers moved much of Stark’s considerable address space and other resources over to a new company in Moldova called PQ Hosting Plus S.R.L., an entity reportedly connected to the Neculiti brothers thanks to the re-use of a phone number from the original PQ Hosting.

“Although the majority of associated infrastructure remains attributable to Stark Industries, these changes likely reflect an attempt to obfuscate ownership and sustain hosting services under new legal and network entities,” Recorded Future observed.

Neither the Recorded Future report nor the May 2025 sanctions from the EU mentioned a second critical pillar of Stark’s network that KrebsOnSecurity identified in a May 2024 profile on the notorious bulletproof hoster: The Netherlands-based hosting provider MIRhosting.

MIRhosting is operated by 38-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age. DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
According to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Mr. Nesterenko did not respond to requests for comment. In May 2024, Mr. Nesterenko said he couldn’t verify whether StopGeorgia was ever a customer because they didn’t keep records going back that far. But he maintained that Stark Industries Solutions Inc. was merely one client of many, and claimed MIRhosting had not received any actionable complaints about abuse on Stark.

However, it appears that MIRhosting is once again the new home of Stark Industries, and that MIRhosting employees are managing both the[.]hosting and WorkTitans — the primary beneficiaries of Stark’s assets.

A copy of the incorporation documents for WorkTitans BV obtained from the Dutch Chamber of Commerce shows WorkTitans also does business under the names Misfits Media and and WT Hosting (considering Stark’s historical connection to Russian disinformation websites, “Misfits Media” is a bit on the nose).
The incorporation document says the company was formed in 2019 by a y.zinad@worktitans.nl. That email address corresponds to a LinkedIn account for a Youssef Zinad, who says their personal websites are worktitans[.]nl and custom-solution[.]nl. The profile also links to a website (etripleasims dot nl) that LinkedIn currently blocks as malicious. All of these websites are or were hosted at MIRhosting.

Although Mr. Zinad’s LinkedIn profile does not mention any employment at MIRhosting, virtually all of his LinkedIn posts over the past year have been reposts of advertisements for MIRhosting’s services.

san.com straightarrownews Sep 08, 2025 at 06:20 PM GMT+2
Mikael Thalen (Tech Reporter)

Summary
Sensitive data leaked
More than 2,000 files linked to former U.K. Prime Minister Boris Johnson were stolen by hackers and leaked online.

‘Devastating’ breach
Cybersecurity experts describe the leak as a serious exposure of data belonging to a world leader.

‘High-priority target’
A former U.K. official says the breach could be related to an influence campaign by a foreign adversary.

Full story
Leaked computer files tied to former U.K. Prime Minister Boris Johnson offer an unprecedented glimpse into a scandal over COVID-19 protocols, his response to the Ukraine war and his private views on world leaders, including Russian President Vladimir Putin. The hack also found documents pitching a reality television show.

Taken together, the files paint an intimate portrait of the former politician’s day-to-day activities, including during his time as prime minister from 2019 to 2022.

Straight Arrow News obtained the more than 2,000 files from the nonprofit leak archiver DDoSecrets. Unidentified hackers quietly posted the data online last year, according to DDoSecrets co-founder Emma Best, but it has not been previously reported.

SAN sent an inquiry to Johnson’s office, where the data appears to have originated, as well as to Johnson’s personal email address, but did not receive a reply.

Little is known about the details surrounding the breach and those responsible. But cybersecurity experts describe the data leak as a serious exposure of information in the hands of a world leader.

“It’s obviously a devastating compromise if personal emails, documents and the like have been collected and breached,” Shashank Joshi, visiting fellow at the Department of War Studies at King’s College London, told SAN.

World leaders are regularly targeted by both criminal and nation-state hackers. In 2020, according to researchers at Citizen Lab, the University of Toronto-based group that specializes in spyware detection, multiple phones at Johnson’s office and the foreign office were compromised.

That attack, which Citizen Lab linked to the United Arab Emirates, was carried out with the advanced Israeli-made spyware known as Pegasus. Both the UAE and NSO Group, the company behind the spyware, denied involvement.

Rob Pritchard, the former deputy head of the U.K.’s Cyber Security Operations Centre and founder of the consulting firm The Cyber Security Expert, told SAN that it is entirely possible that the hack of Johnson could be tied to an influence operation from a foreign adversary.

“I think this really highlights the importance of ensuring good practices when it comes to cybersecurity, especially for high-profile individuals,” Pritchard said. “Ex-prime ministers will undoubtedly still be very high-priority targets for a range of countries, and their private office will hold sensitive information, if not actually classified information in the strict sense.”

‘Security briefing: Nuclear’
A folder titled “Travel” underscores the hack’s intrusiveness.

It includes photos of Johnson’s passport and driver’s license, as well as his visa information for Australia, Canada, Kurdistan, Saudi Arabia and the U.S. Identifying documents for family and staff are also present.

Itineraries outlining visits to numerous countries offer insight into Johnson’s routine. One U.S. visit, which does not include a date but appears to have been during President Donald Trump’s first term, shows efforts by Johnson to meet prominent politicians, such as Sen. Ted Cruz, R-Texas, former National Security Adviser John Bolton, former United Nations Ambassador Nikki Haley and Florida Gov. Ron DeSantis.

Other itineraries, including one for a November 2023 visit to Israel, mention Johnson’s security measures. The document states that although Johnson did not bring a protection force of his own, “4 Israeli private security agents” would look after his group while “on the ground.”

Documents related to a November 2022 visit to Egypt show the names and phone numbers of two individuals tasked with protecting Johnson while in the city of Sharm El-Sheikh. The travel folder also contains documents related to VIP suite bookings at London Gatwick Airport and COVID-19 vaccination records for those traveling with Johnson.

Another folder called “Speeches” contains dozens of notes and transcripts for talks by Johnson both during and after his tenure. Invoices show how much Johnson charged for several speaking engagements in 2024 after leaving office, including $350,000 for a speech to Masdar, a clean energy company in the UAE. After deductions, however, Johnson appears to have pocketed $94,459.08.

The usernames, passwords, phone numbers and email addresses used for Johnson’s accounts on Facebook, Instagram, Twitter, LinkedIn, Snapchat and Threads are exposed as well in a file marked “confidential.”

Another folder, labeled “DIARY,” includes Johnson’s daily schedules, marked as both “sensitive” and “confidential,” during his time as prime minister. One schedule from July 2019 simply states, “Security briefing: Nuclear.” Another entry from that month: “Telephone call with the President of the United States of America, Donald Trump.”

‘Partygate’
A folder titled “Notebooks” includes scans of hundreds of pages of Johnson’s handwritten notes. Many sections have been redacted with “National Security” warnings.

SAN confirmed that the documents are related to the U.K.’s independent public inquiry into the COVID-19 pandemic, which required Johnson to hand over copies of his diaries and notebooks. Although many of the documents related to the inquiry were made public, those obtained by SAN were not.

The investigation found that Johnson attended numerous social gatherings during the pandemic in breach of COVID-19 lockdown regulations. The ensuing scandal, known as “Partygate,” ultimately led to Johnson’s resignation.

In one notebook entry dated March 19, 2020, Johnson writes that “some very difficult rationing decisions” would be required because of the pandemic’s strain on the U.K.’s medical system.

Another entry regarding the 2021 G7 summit in Cornwall, England, highlights the issues Johnson planned to discuss with numerous world leaders, including former President Joe Biden, French President Emmanuel Macron and former German Chancellor Angela Merkel.

‘It would only take one missile’
The data cache contains 160 emails from the first 22 months following Johnson’s tenure as prime minister. They appear to have come from the account of Johnson’s senior adviser.

These emails discuss Johnson’s private endeavors, including a document pitching a reality TV show to popular streaming platforms, complete with AI-generated photos of the former world leader.

One of the later emails contained in the breach, dated June 10, 2024, shows attempts by the U.K.’s National Security Secretariat to schedule a meeting with Johnson regarding “a sensitive security issue” almost two years after he left office.

The email, sent on behalf of Deputy National Security Adviser Matt Collins, noted a “strong preference” for an in-person meeting with the former prime minister. It’s unclear what spurred the meeting request and whether it was related to the breach.
The final folder from the leaked data involves the Russian invasion of Ukraine.

Notes on a widely reported phone call between Johnson and Russian President Vladimir Putin from February 2022 offer insight into the former prime minister’s thinking. The conversation is described by Johnson, who makes specific mention of Putin’s use of profanity, as “weirdly intimate in tone.”

Johnson also claims that Putin said, “I don’t want to hurt you boris but it would only take one missile.”

Johnson later revealed the threat in a 2023 documentary by the BBC. A Kremlin spokesperson responded by calling the claim a “lie.”

In another entry dated “25 October,” Johnson reminds himself to “call Putin” with an invite to a United Nations Climate Change Conference. Johnson notes that such events are “not really his bag since it is all about moving beyond hydrocarbons and he is paranoid about covid.”

The leak also contains a U.K. Defense Intelligence document dated December 2022 regarding the status of a nuclear power plant in Ukraine. The document includes numerous classification labels, such as sensitive, which denotes that it is not intended for public release. Other markings show that the document may only be shared with international partners in the European Union, NATO, Australia and New Zealand.

The U.K.’s Cabinet Office, which supports the prime minister, did not provide a statement when contacted by SAN.

Alan Judd (Content Editor) and Devin Pavlou (Digital Producer) contributed to this report.

databreaches.net Posted on September 8, 2025 by Dissent

Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans.

And now there’s Vietnam. ShinyHunters claims to have successfully attacked and exfiltrated more than 160 million records from the Credit Institute of Vietnam, which manages the country’s state-run National Credit Information Center. Vietnam National Credit Information Center is a public non-business organization directly under the State Bank of Vietnam, performing the function of national credit registration; collecting, processing, storing and analyzing credit information; preventing and limiting credit risks; scoring and rating the credit of legal entities and natural persons within the territory of Vietnam; and providing credit information products and services in accordance with the provisions of the State Bank and the law.

While those affiliated with ShinyHunters bragged on Telegram that Vietnam was “owned within 24 hours,” ShinyHunters listed the data for sale on a hacking forum, and provided a large sample of data from what they described as more than 160 million records with “very sensitive information including general PII, credit payment, risks analysis, Credit cards (require you’re own deciphering of the FDE algorithm), Military ID’s, Government ID’s Tax ID’s, Income Statements, debts owed, and more.”

DataBreaches asked ShinyHunters for additional details about the incident, including how many unique individuals were in the data, because the country’s entire population is slightly under 102 million. ShinyHunters responded that the data set included historical data. They stated that they did not know how many unique individuals were involved, but were pretty sure they got the entire population.
Because this incident did not seem to be consistent with ShinyHunters’ recent campaigns, DataBreaches asked how they picked the target and how they gained access. According to ShinyHunters, they picked the target because it held a massive amount of data. The total amount or records (line) across all tables was like 3 billion or more, they said, and they gained access by an n-day exploit. On follow-up, DataBreaches asked whether this was an exploit that CIC could have been able to patch. There was no actual patch available, Shiny stated, as the software was end-of-life.

In response to a question as to whether the CIC had responded to any extortion or ransom demands, ShinyHunters stated that there had been no ransom attempt at all because ShinyHunters assumed they would not get any response at all.

DataBreaches emailed the CIC to ask them about the claims, but has received no reply by publication. If CIC responds to DataBreaches’ inquiries, this post will be updated, but it is important to note that there is no confirmation of ShinyHunters’ claims at this point, however credible their claims may appear.

It is also important to note that this post has referred to this as an attack by ShinyHunters and has not attributed it to Scattered Spider or Lapsus$. When DataBreaches asked which group(s) to attribute this to, ShinyHunters had replied, “It wasn’t a Scattered Spider type of hack … so ShinyHunters.” ShinyHunters acknowledged that they need to deal with the name situation, but said, “I don’t know how to fix the name problem considering for years everyone thought both are completely different groups.”

oxfordmail.co.uk | Oxford Mail By Madeleine Evans
Digital reporter

The Clarkson's Farm presenter said The Farmer's Dog pub in Burford has been the latest victim of cyber criminals, the same ones who launched massive attacks on M&S and Co-op in recent months.

Writing in his Sun column, the TV presenter-turned-farmer explained that the popular country pub had been hit too.

The former journalist wrote: "So, Jaguar Land Rover had to shut down its production lines this week after systems were breached by computer hackers. And we are told similar attacks were launched in recent months on both M&S and the Co-op.

"But no one thought to mention that my pub, The Farmer’s Dog, has been hit too. It was though.

"Someone broke into our accounting system and helped themselves to £27,000."

The former Top Gear host purchased The Windmill pub in Asthall near Burford for around £1,000,000.

The pub reopened to the public one year ago on August 22, 2024, at midday after being renamed The Farmer’s Dog.

Since it's opening, the 65-year-old celebrity owner has described running it as "more stressful" than running the farm.

The cyber attack comes as the latest set back in a string of difficulties facing the Diddly Squat farmer, as he's come up against local councils, Oxfordshire residents and farming issues all documented in his hit Amazon Prime series Clarkson's Farm.

Series four of the documentary show was released across May and June this year, with eight new episodes dropping on Prime Video.

therecord.media The Record from Recorded Future News, Jonathan Greig
September 9th, 2025

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.

One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January.

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.

The organization left blank sections of the form in Maine that says how many total victims were affected by the attack but told regulators in Texas that 10,557 people from the state were impacted. In a letter on its website, New York Blood Center said the information stolen included some patient data as well as employee information.

The information stolen during the cyberattack includes names, health information and test results. For some current and former employees, Social Security numbers, driver’s licenses or government ID cards and financial account information were also leaked.

An investigation into the attack found that hackers accessed New York Blood Center’s network between January 20 and 26, making copies of some files before launching the ransomware.

Founded in 1964, New York Blood Center controls multiple blood-related entities that collect about 4,000 units of blood products each day and serve more than 400 hospitals across dozens of states.

The organization also provides clinical services, apheresis, cell therapy, and diagnostic blood testing — much of which requires receiving clinical information from healthcare providers. The organization said some of this information was accessed by the hackers during the cyber incident.

The investigation into the ransomware attack was completed on June 30 and a final list of victims that needed to be notified was compiled by August 12.

New York Blood Center began mailing notification letters on September 5 but also posted a notice on its website and created a call center for those with questions.

Multiple blood donation and testing companies were attacked by ransomware gangs over the last year including OneBlood, Synnovis and South Africa’s national lab service.