arstechnica.com - Ars Technica
Dan Goodin – Jan 29, 2026 19:30
Settlement comes more than 6 years after Gary DeMercurio and Justin Wynn's ordeal began.
Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.
The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.
The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
A chilling message
The event galvanized security and law enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail ($50,000 for each). The charges were later reduced to misdemeanor trespassing charges, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was located, continued to allege publicly that the men had acted illegally and should be prosecuted.
Reputational hits from these sorts of events can be fatal to a security professional’s career. And of course, the prospect of being jailed for performing an authorized security assessment is enough to get the attention of any penetration tester, not to mention the customers that hire them.
“This incident didn’t make anyone safer,” Wynn said in a statement. “It sent a chilling message to security professionals nationwide that helping [a] government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”
DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.
Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called “war stories” to deputies who had asked about the type of work they do.
When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed “they were crouched down like turkeys peeking over the balcony” when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.
DeMercurio and Wynn sued Dallas County and Leonard for false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case dragged on for years. Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case.
It’s hard to overstate the financial, emotional, and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work that’s clearly in the public interest. DeMercurio has now started his own firm, Kaiju Security.
“The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest,” DeMercurio said. “What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building.”
bleepingcomputer.com
By Lawrence Abrams
January 28, 2026
The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.
Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."
"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.
The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan, "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian kids' cartoon "Masha and the Bear."
While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:
Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.
For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.
In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.
"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.
"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take."
BleepingComputer contacted the FBI with questions regarding the seizure, but they declined to comment.
The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.
This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.
RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.
Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.
Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.
Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.
Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.
The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.
In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.
Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.
In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.
He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.
politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark
Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.
BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.
“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”
Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.
The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.
Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.
The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.
But Lepassaar lamented that wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.
“We just don't need an upgrade. We need a rethink,” he said. “Doubling the capacity is the absolute minimum.”
The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.
Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment,” he said.
In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but now it took only one day on average, he said, citing industry and government data.
The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.
Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.
In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”
MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.
ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.
“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.
cnn.com
By Sean Lyngaas
Published Jan 28, 2026, 6:00 AM ET
Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.
From their perch at Cyber Command at Fort Meade, Maryland, the military hackers took aim at the computer servers and key personnel of at least two Russian companies that were covertly pumping out the propaganda, according to multiple sources briefed on the operation.
The trolls were trying to influence election results in six swing states by publishing fictitious news stories that attacked American politicians who supported Ukraine. One of the companies had held “strategy meetings” with Kremlin officials on how to covertly influence US voters, according to an FBI affidavit.
In one case, the Cyber Command operatives planned to knock offline computer servers based in a European country that one of the Russian companies used, the sources said. Though the Russian trolls continued to create content through Election Day, when President Donald Trump defeated then-Vice President Kamala Harris, one source briefed on the hacking effort said it successfully slowed down the Russians’ operations.
The hacking campaign, which hasn’t been previously reported, was one of multiple US cyber operations against Russian and Iranian groups aimed at blunting foreign influence on the 2024 election. It was part of a broader US government effort involving the FBI, the Department of Homeland Security, and other intelligence and security agencies that exposed and disrupted foreign meddling.
But a year into a second Trump administration, many of the government centers previously tasked with repelling foreign influence operations have been disbanded or downsized — and local election officials are preparing to face a continued onslaught of foreign influence operations largely on their own.
The administration has shut down foreign-influence-focused centers at the Office of the Director of National Intelligence, the FBI and the State Department that helped warn the public that China, Russia and Iran’s spy services were targeting Americans with election-related disinformation. The Department of Homeland Security has also slashed its election security teams, which pass intelligence to local election offices and help them defend against cyber threats.
The Trump administration has accused those federal programs of censoring Americans and conducting domestic interference in US elections.
While military cyber operations are still an option, there is widespread concern among current and former officials that the US government’s willingness to combat foreign efforts to shape elections has waned. The cuts to election security programs risk causing an exodus of expertise at US intelligence and security agencies that was built up over nearly a decade.
The cuts come even as the US intelligence community found, in a threat assessment released by the Office of the Director of National Intelligence Tulsi Gabbard, that foreign powers will continue to try to influence US elections.
“I find it devastating and deeply alarming for our national security,” said Mike Moser, a former election security specialist at DHS’ Cybersecurity and Infrastructure Security Agency, who resigned after the agency froze its election work last year. “To see those partnerships unilaterally dismantled is a tragedy. We are losing the human and technological infrastructure that protects our democracy.”
Foreign influence and propaganda tend to increase in years when general elections or midterms are held. But even in the off-year of 2025, groups tied to authoritarian regimes were weighing in on races like the New York City mayoral election.
Chinese state-owned media accounts repeatedly amplified Trump’s attacks on Zohran Mamdani, the Democrat who ended up winning New York’s mayoral election, according to disinformation-tracking firm Alethea Group. Some pro-Iranian influencer accounts, meanwhile, pivoted to attacking Mamdani as a “Zionist apologist” in October after Mamdani made overtures to Jewish voters in New York, Alethea said.
But by the time that election was held in November of last year, the cuts to election protection efforts had already taken hold.
The 2026 midterms could be a litmus test for how foreign adversaries respond to a US government that is less forceful in publicly combating influence operations.
“We’ve not had a disaster take place because, in many ways, the procedures and policies and tools set up during the first Trump administration helped keep us safe,” Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, told CNN. “We’re going into a (2026) election cycle with our guard down.”
Multiple government agencies and processes for countering foreign influence that are now being cut were set up during Trump’s first term, including a dedicated team at the FBI that tracked counterintelligence threats to elections.
In April, Trump fired Gen. Tim Haugh, the head of Cyber Command and the National Security Agency, who had led numerous operations countering Russian meddling.
“The foundation that we built to protect our electoral process was driven by the first Trump administration’s direct guidance to NSA and Cyber Command — the focus that they put at CISA and FBI to counter foreign influence and then any potential hacking activity targeting our electoral process,” Haugh told CNN in his first interview on the subject since being fired. He declined to comment on any Cyber Command operations during the 2024 election.
Far-right activist and Trump confidant Laura Loomer had pushed for Haugh’s removal, publicly calling him “disloyal” to Trump due to the fact that he had served alongside former Chairman of the Joint Chiefs of Staff Gen. Mark Milley. Haugh has denied the allegation.
Nearly 10 years after Russian agents tried to influence the 2016 election through hacking and disinformation, Americans are arguably more susceptible to covert propaganda than ever, according to experts.
“This is just an enormous set of vulnerability for our nation,” Haugh said. “We have shown a decreasing ability to discern truth from fiction as a society.”
Cyber Command declined to comment for this story. The NSA referred questions to ODNI.
Cuts to federal funding for cybersecurity services for election offices have forced those offices to scramble for alternative funds, said Paul Lux, a Republican who is the top election official for Okaloosa County, Florida.
Election officials are also unsure whether the FBI and CISA will continue to hold classified briefings for them on threats to elections, something those agencies have done for years.
The briefings were “illuminating,” Lux said. “They allowed me to personally connect some dots” by making the threats more tangible, he added.
The FBI had no comment when asked by CNN whether the briefings would continue.
A CISA spokesperson did not directly answer a question about the briefings but provided a statement that read, in part, “since January 2025, CISA has issued 38 joint cybersecurity advisories with law enforcement and international partners and provided threat intelligence guidance to combat evolving threats and protect critical infrastructure, and we will continue to ensure election officials remain informed of any emerging issues going forward.”
With or without federal security and intelligence support, election officials will be ready to do their job, Lux said. “Our mission doesn’t change. (It is to) provide safe, free and fair elections with as much transparency as possible.”
Dismantling offices
The same type of Russian trolls that Cyber Command took aim at in the 2024 election continue to churn out content. A Russian covert influence network focused on undermining Western support for Ukraine has set up at least 200 fake websites since last March to target audiences in the US, France and elsewhere, according to the cyber intelligence firm Recorded Future.
The concern among more than a dozen current and former officials who spoke to CNN is that the Trump administration took a hatchet, rather than a scalpel, to federal programs aimed at countering the type of influence operation that Recorded Future uncovered. The programs could have been downsized, rather than abruptly canceled, in a way that met the Trump administration’s goal of cutting bureaucratic red tape, the sources said.
The State Department’s Global Engagement Center, which focused on combating foreign propaganda, posted a massive US intelligence dump on Russian meddling prior to the 2024 election. (The Trump administration formally shut down the State Department center last April after Congress let its funding expire.)
ODNI’s Foreign Malign Influence Center, which was set up under then-President Joe Biden, turned intelligence on Russian AI-generated videos posted on X purporting to show voter fraud into public statements in the days before Election Day in 2024.
Without that center, it’s unclear which government agency would warn the public of such efforts.
In announcing the Foreign Malign Influence Center’s closure in August, ODNI said the center was “redundant” and that other elements of the intelligence community perform some of the same work. Some Republican lawmakers agree.
“I am confident ODNI and the (intelligence community) will remain poised to assess and warn policymakers of covert and overt foreign influence operations targeting (US government) policies and manipulating public opinion,” said Rick Crawford, an Arkansas Republican who chairs the House intelligence committee, in a statement to CNN.
But Haugh, who spent more than three decades in the Air Force, said the cuts at various federal agencies mean that the US government has fewer levers to pull to punish or expose foreign influence operations.
ODNI did not answer a detailed list of questions on how the agency plans to counter foreign influence, including whether ODNI has a top intelligence specialist dedicated to the issue, as it has had in years past. An ODNI spokesperson referred CNN to a previous agency statement saying the Foreign Malign Influence Center’s core functions would be moved to other parts of ODNI.
Gabbard said in August that ODNI would cut its workforce by over 40% and save taxpayers hundreds of millions of dollars in the process.
Trump’s new pick to replace Haugh and lead the NSA and Cyber Command, Lt. Gen. Joshua Rudd, pledged to protect the electoral process from foreign interference during his Senate confirmation hearing.
“Any foreign attempt to undermine the American process of democracy, and at the center of that is our electoral process, as you all know far better than I do, has got to be safeguarded,” Rudd told senators on January 15.
A sensitive subject
The FBI’s election security posture today has been shaped by Trump’s grievances over the bureau’s investigation into his 2016 campaign’s contacts with Russia and his false claims of a stolen 2020 election.
As president-elect in 2017, Trump was incensed when then-FBI Director James Comey briefed him on the existence of a salacious, and later debunked, dossier about Trump gathered by a former British intelligence agent. Many see a through line between that day and the FBI’s current counterintelligence posture for elections.
“You could argue that where we are today happened because Comey briefed Trump, Trump got embarrassed and the rest is one big revenge tour,” said a former senior FBI counterintelligence official who served during the first Trump term and Biden’s term. They spoke on the condition of anonymity out of fear of retaliation from the Trump administration.
If and when US officials speak publicly on foreign efforts to shape US democracy is an intensely delicate subject in the second Trump administration. Trump has bristled at US intelligence findings that Russia tried to influence the 2016 election in his favor, while Democrats have often exaggerated those findings to attack Trump.
A year after FBI agents were caught off-guard in 2016 by the scale of Russian hacking and propaganda aimed at voters, the bureau set up a Foreign Influence Task Force (FITF), a team of about 30 people to focus on the threat of foreign meddling. The task force passed intelligence about what foreign spies were doing on Facebook and Twitter to those social media platforms.
In February 2025, Attorney General Pam Bondi dissolved FITF, citing the need to “free resources to address more pressing priorities, and end risks of further weaponization and abuses of prosecutorial discretion.”
The impact of Bondi’s memo goes beyond FITF, according to current and former FBI officials. It’s a disincentive for any FBI agent to take up a case involving Russian election influence.
“Say the Russians influence the election again — I’m worried that we won’t know it until after the fact,” the ex-FBI official said.
In a statement to CNN, the FBI said it continues to pursue cases related to “foreign influence efforts by adversarial nations.”
“The Counterintelligence Division and our field offices work together to defend the homeland against all foreign influence efforts, including any attempts at election interference,” the FBI said.
The Cyber Command operation against Russian trolls in 2024 followed the Justice Department’s public disclosure that it had seized internet domains used by the trolls. US officials saw the hacking as an added, clandestine counter-punch to complement the law enforcement seizure. Under the second Trump administration, the public may not know if the Justice Department takes such an action leading up to an election.
After Trump won the 2024 election, a planning document used by his transition team and reviewed by CNN lamented a “surge in politicization and meddling in US politics by US intelligence agencies,” and said the Justice Department and the FBI should revisit how they communicate threats to the public, “e.g. in announcing indictments of foreign hackers or getting involved in threats to election security in partisan ways.”
Working with local election offices
Cyber Command, the NSA and other parts of the US intelligence community began playing a more prominent role in the cyber defense of US elections after the Russian intervention in 2016. The federal Cybersecurity and Infrastructure Security Agency emerged as a conduit between those powerful military and spy agencies and local election offices, building trust with those offices and passing on intelligence on foreign threats. Trump signed a law establishing CISA as a part of the Department of Homeland Security during his first term.
But Trump and his top advisers never forgave CISA’s leadership for saying the 2020 election was secure. They accused CISA of “censoring” conservative voices when in the first Trump term, at the urging of Republican and Democratic election officials, the agency flagged to social media platforms posts that spread false information about voting. The second Trump administration last year paused all of CISA’s election security work and reassigned the agency’s election specialists or put them on administrative leave.
CISA spokespeople say the agency still offers some cybersecurity services to election offices, as it does other sectors. But election officials say the impact from the cuts to so many offices, including CISA, is clear.
A day after the US bombed Iranian nuclear facilities in June, pro-Iranian hackers breached an Arizona state election website and replaced candidates’ photos with an image of Iran’s Supreme Leader Ayatollah Ali Khamenei. It had echoes of 2020, when, according to the FBI, Iranian hackers set up a website with violent threats to election officials.
But while CISA was central to the federal response to the 2020 incident — and communicated proactively with election officials then — Arizona election officials now say they are not getting the same level of collaboration with the agency. In a statement to CNN, a CISA official said the agency “worked with Arizona and provided direct assistance to support their response efforts.”
The cuts to CISA have “drastically reduced national visibility into foreign threats and increased the potential for security failures,” Moser, the former CISA election security official, told CNN. “While state and local officials take great care to secure elections, now they are effectively being siloed and expected to combat sophisticated nation-state adversaries with severely limited federal support.”
A CISA spokesperson said: “Every day, DHS and CISA are providing our partners the most capable and timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks.”
Foreign powers, with the help of artificial intelligence, will continue to target American voters with disinformation, the ODNI said in its annual worldwide threat assessment published in March.
“Reinforcing doubt in the integrity of the U.S. electoral system achieves one of (Russia’s) core objectives,” the intelligence report says.
China, in particular, is making alarming leaps in AI-powered influence activity, according to researchers at Vanderbilt University’s Institute of National Security. In August, the institute published documents leaked from a Chinese firm that appear to show it targeting the 2024 Taiwan election with a wave of social media posts. The Chinese firm has also put together profiles on at least 117 members of Congress and more than 2,000 American political figures and “thought leaders,” according to the research.
“This election cycle, foreign governments will be able to use AI tools to essentially whisper in the ear of anyone they target,” said Emerson Brooking, a former Pentagon cyber policy adviser who now studies influence operations at the Atlantic Council’s Digital Forensic Research Lab. “And the Trump team isn’t just unprepared; they’ve deliberately knocked down a lot of the defenses built over the past eight years.”
Last year, Gabbard and Iowa GOP Sen. Chuck Grassley released declassified intelligence documents related to the FBI and intelligence community’s probes of Russian influence on the 2016 election. Contrary to Gabbard’s public claims, the documents do not show the probes were a hoax. But they do show the lengths to which Russia’s SVR foreign intelligence service was willing to go either to impress their Kremlin bosses or to play mind games with US officials analyzing the hack, according to Michael van Landingham, a former CIA analyst, and Alex Orleans, a counterintelligence researcher.
That Americans are still arguing about Russia’s 2016 influence operations 10 years later is exactly what Russian intelligence hoped for, they said.
“SVR officers are definitely dining out on the fact that our national discourse still can’t fully escape the riptides of 2016,” Orleans told CNN.
CNN’s Katie Bo Lillis and Evan Perez contributed to this report.
politico.com
By John Sakellariadis
01/27/2026 03:30 PM EST
The interim director of the Cybersecurity and Infrastructure Security Agency triggered an internal cybersecurity warning with the uploads — and a DHS-level damage assessment.
The interim head of the country’s cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings that are meant to stop the theft or unintentional disclosure of government material from federal networks, according to four Department of Homeland Security officials with knowledge of the incident.
The apparent misstep from Madhu Gottumukkala was especially noteworthy because the acting director of the Cybersecurity and Infrastructure Security Agency had requested special permission from CISA’s Office of the Chief Information Officer to use the popular AI tool soon after arriving at the agency this May, three of the officials said. The app was blocked for other DHS employees at the time.
None of the files Gottumukkala plugged into ChatGPT were classified, according to the four officials, each of whom was granted anonymity for fear of retribution. But the material included CISA contracting documents marked “for official use only,” a government designation for information that is considered sensitive and not for public release.
Cybersecurity sensors at CISA flagged the uploads this past August, said the four officials. One official specified there were multiple such warnings in the first week of August alone. Senior officials at DHS subsequently led an internal review to assess if there had been any harm to government security from the exposures, according to two of the four officials.
It is not clear what the review concluded.
In an emailed statement, CISA’s Director of Public Affairs Marci McCarthy said Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” and that “this use was short-term and limited.” McCarthy added that the agency was committed to “harnessing AI and other cutting-edge technologies to drive government modernization and deliver on” Trump’s executive order removing barriers to America’s leadership in AI.
The email also appeared to dispute the timeline of POLITICO’s reporting: “Acting Director Dr. Madhu Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees. CISA’s security posture remains to block access to ChatGPT by default unless granted an exception.”
Gottumukkala is currently the senior-most political official at CISA, an agency tasked with securing federal networks against sophisticated, state-backed hackers from adversarial nations, including Russia and China.
Any material uploaded into the public version of ChatGPT that Gottumukkala was using is shared with ChatGPT-owner OpenAI, meaning it can be used to help answer prompts from other users of the app. OpenAI has said the app has more than 700 million total active users.
Other AI tools now approved for use by DHS employees — such as DHS’s self-built AI-powered chatbot, DHSChat — are configured to prevent queries or documents input into them from leaving federal networks.
Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it,” said the first official.
All federal officials are trained on the proper handling of sensitive documents. According to DHS policy, security officials are also supposed to investigate the “cause and affect” of any exposure of official use documents, and determine the “appropriateness” of any administrative or disciplinary action. Depending on the circumstances, those could range from things like mandatory retraining or a formal warning, to more serious measures, like the suspension or revocation of a security clearance, said one of the four officials.
After DHS detected the activity, Gottumukkala spoke with senior officials at DHS to review what he uploaded into ChatGPT, said two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, was involved in the effort to assess any potential harm to the department, according to the first official. Antoine McCord, DHS’s chief information officer, was also involved, according to a second official.
Gottumukkala also had meetings this August with CISA’s chief information officer, Robert Costello, and its chief counsel, Spencer Fisher, about the incident and the proper handling of for official use only material, the four people said.
Mazzara and Costello did not respond to requests for comment. McCord and Fisher could not be reached for comment.
Gottumukkala has helmed the agency in an acting capacity since May, when he was appointed by DHS Secretary Kristi Noem as its deputy director. Donald Trump’s nominee to head CISA, DHS special adviser Sean Plankey, was blocked last year by Sen. Rick Scott (R-Fla.) over a Coast Guard shipbuilding contract. A date for his new confirmation hearing has not been set.
Gottumukkala’s tenure atop the agency has not been smooth — and this would not be his first security-related incident.
At least six career staff were placed on leave this summer after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, as POLITICO first reported. DHS has called the polygraph “unsanctioned.” Asked during Congressional testimony last week if he was “aware” of the failed test, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization.”
And last week, Gottumukkala tried to oust Costello, CISA’s CIO, before other political appointees at the agency intervened to block the move.
ctrlaltnod.com
Emanuel DE ALMEIDA
January 29, 2026
SonicWall cloud breach led to ransomware attack affecting 74+ US banks and 400,000+ individuals via Marquis Software Solutions compromise.
TL;DR
Marquis Software Solutions suffered a ransomware attack on August 14, 2025, affecting over 74 U.S. banks and credit unions and compromising data of 400,000+ individuals
Investigation revealed attackers exploited configuration data stolen from SonicWall's cloud backup service breach in September 2025
State-sponsored hackers accessed SonicWall's MySonicWall cloud service via API calls, initially affecting "less than 5%" but later confirmed to impact all cloud backup customers
The attack bypassed Marquis's firewall defenses using stolen configuration files rather than exploiting CVE-2024-40766 as initially suspected
Marquis is pursuing legal recourse against SonicWall and evaluating options to recover expenses from the incident
Verified Timeline
August 14, 2025 — Marquis Software Solutions detected suspicious network activity and confirmed ransomware attack, initiated investigation with cybersecurity experts
September 17, 2025 — SonicWall disclosed security incident involving unauthorized access to MySonicWall cloud backup files, initially reporting less than 5% of firewall customers affected
October 9, 2025 — SonicWall updated disclosure, confirming all customers using cloud backup service were impacted
November 5, 2025 — SonicWall attributed breach to state-sponsored hackers who accessed cloud backup files via API call
December 3, 2025 — Marquis began notifying affected banks and credit unions about data breach from August ransomware attack
January 29, 2026 — Marquis publicly attributed ransomware attack to exploitation of configuration data from SonicWall's cloud backup breach
What We Know vs. What's Unclear
Confirmed
State-sponsored hackers breached SonicWall's MySonicWall cloud service in September 2025
All SonicWall customers using cloud backup service were affected, not just 5% as initially reported
Attackers accessed firewall configuration backup files via API calls
Marquis ransomware attack on August 14, 2025 affected 74+ U.S. financial institutions
Over 400,000 individuals had personal information compromised
Attackers used stolen SonicWall configuration data to circumvent Marquis firewall defenses
CVE-2024-40766 was not the primary attack vector as initially suspected
Unclear or Unconfirmed
Identity of the state-sponsored threat group behind SonicWall breach
Specific ransomware family used in Marquis attack
Exact method by which attackers used configuration data to bypass security controls
Whether the same threat actors were responsible for both SonicWall breach and Marquis attack
Full scope of additional organizations potentially compromised using stolen SonicWall data
Timeline between SonicWall data theft and Marquis attack initiation
Who Is Affected
This interconnected breach affected multiple stakeholder groups across the financial services sector:
Primary Victims: Marquis Software Solutions, a Texas-based financial services provider, serves as the central victim of the ransomware attack that leveraged stolen SonicWall configuration data.
Financial Institutions: Over 74 U.S. banks and credit unions that utilize Marquis services experienced data exposure. These institutions face potential regulatory scrutiny, customer trust erosion, and compliance obligations under financial data protection regulations.
Individual Consumers: More than 400,000 individuals associated with affected financial institutions had sensitive personal information compromised, including Social Security numbers, Taxpayer Identification Numbers, financial account details, and personal identifiers.
SonicWall Customers: All customers using SonicWall's MySonicWall cloud backup service experienced configuration file exposure, potentially enabling similar attacks against other organizations using compromised firewall settings.
Broader Impact: The incident demonstrates supply chain vulnerability risks, where third-party service breaches can enable downstream attacks against customers who may have maintained otherwise secure configurations.
Technical Details
SonicWall Breach Vector: State-sponsored hackers accessed SonicWall's MySonicWall cloud service through API calls, successfully extracting firewall configuration backup files stored in the cloud environment. The breach occurred in September 2025, with SonicWall initially underestimating the scope before confirming all cloud backup customers were affected.
CVE-2024-40766 Context: Initially suspected as the attack vector, CVE-2024-40766 represents an improper access control vulnerability in SonicWall's SSLVPN feature that allows authentication bypass. This critical vulnerability was patched by SonicWall in August 2024, but investigators determined it was not the primary attack method used against Marquis.
Attack Methodology: Rather than exploiting unpatched vulnerabilities, attackers leveraged configuration data stolen from SonicWall's cloud service to understand and circumvent Marquis's firewall defenses. The specific technical methods used to weaponize configuration files have not been disclosed.
Ransomware Details: The specific ransomware family deployed against Marquis has not been publicly disclosed. The incident reflects broader trends where ransomware groups adopt new tactics to maximize impact and evade traditional security measures. Technical indicators of compromise and malware signatures remain unavailable in public reporting.
CVSS Scoring: CVE-2024-40766 maintains critical severity ratings, though specific CVSS scores were not confirmed in available sources. The vulnerability's critical classification reflects its potential for authentication bypass in SSLVPN implementations.
Detection & Validation
Organizations can implement several detection strategies to identify potential exploitation of stolen configuration data:
Firewall Configuration Monitoring: Implement continuous monitoring of firewall rule changes, VPN configuration modifications, and access control list updates. Establish alerts for unauthorized configuration changes or suspicious administrative access patterns.
Network Traffic Analysis: Monitor for unusual network traffic patterns that might indicate attackers leveraging knowledge of internal network configurations. Focus on connections to previously unknown external IP addresses or unexpected internal network traversal.
Authentication Log Review: Examine VPN and administrative access logs for successful authentication attempts using compromised credentials or from unexpected geographic locations. Look for authentication events occurring outside normal business hours.
API Activity Monitoring: For organizations using cloud-based firewall management services, monitor API call patterns and authenticate all management interface access. Implement alerting for bulk configuration downloads or unusual API usage patterns.
Endpoint Detection: Deploy endpoint detection and response tools to identify lateral movement techniques that attackers might employ after gaining initial access through compromised firewall configurations.
Specific IOCs: Specific indicators of compromise related to this incident have not been publicly disclosed by affected organizations or security vendors.
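As an added example, not code from the post or from any firewall vendor, the following Python implements two of the detection signals described above over constructed log lines: bulk configuration-backup downloads through a cloud-management API by one principal inside a short window, and successful VPN logins from an unexpected country or outside business hours. The log field layout, principal names, thresholds and country allowlist are all assumptions.

```python
"""Two detectors for the signals described above, run over constructed
log lines (the field layout is an assumption, not any vendor's format):
  1. bulk firewall configuration-backup downloads through a cloud
     management API by one principal inside a short window;
  2. successful VPN logins from an unexpected country or outside
     business hours."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cloud-management API audit events:
# timestamp  principal  action  object
API_AUDIT_LOG = """\
2025-08-01T02:14:05Z svc-backup  config.backup.download fw-branch-01
2025-08-01T02:14:09Z svc-backup  config.backup.download fw-branch-02
2025-08-01T02:14:12Z svc-backup  config.backup.download fw-branch-03
2025-08-01T02:14:15Z svc-backup  config.backup.download fw-hq-core
2025-08-01T02:14:19Z svc-backup  config.backup.download fw-dmz
2025-08-01T02:14:22Z svc-backup  config.backup.download fw-dr-site
2025-08-01T09:30:00Z alice.admin config.backup.download fw-hq-core
2025-08-01T09:41:10Z alice.admin firewall.rule.update   fw-hq-core
"""

# Constructed VPN authentication events:
# timestamp  user  result  source_ip  country
VPN_AUTH_LOG = """\
2025-08-13T14:02:11Z alice.admin SUCCESS 203.0.113.7   US
2025-08-13T23:47:30Z svc-monitor SUCCESS 198.51.100.22 NL
2025-08-14T03:15:02Z svc-monitor SUCCESS 198.51.100.22 NL
2025-08-14T10:05:44Z bob.ops     FAILURE 192.0.2.55    US
2025-08-14T10:06:01Z bob.ops     SUCCESS 192.0.2.55    US
"""

BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 UTC, assumed
EXPECTED_COUNTRIES = {"US"}      # assumed allowlist for this tenant
BULK_THRESHOLD = 5               # backup downloads per principal per window
BULK_WINDOW = timedelta(minutes=10)


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def bulk_config_downloads(log, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return {principal: max downloads seen in any sliding window} for
    principals that pulled at least `threshold` backups within `window`."""
    per_principal = defaultdict(list)
    for line in log.splitlines():
        stamp, principal, action, _obj = line.split()
        if action == "config.backup.download":
            per_principal[principal].append(parse_ts(stamp))
    flagged = {}
    for principal, times in per_principal.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            # shrink the window from the left until it spans at most `window`
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[principal] = max(flagged.get(principal, 0), count)
    return flagged


def anomalous_vpn_logins(log, countries=EXPECTED_COUNTRIES, hours=BUSINESS_HOURS):
    """Return [(user, timestamp, reasons)] for successful logins from a
    country outside the allowlist or outside business hours; failed
    attempts are ignored here (they belong to a separate brute-force rule)."""
    findings = []
    for line in log.splitlines():
        stamp, user, result, _ip, country = line.split()
        if result != "SUCCESS":
            continue
        reasons = []
        if country not in countries:
            reasons.append(f"unexpected country {country}")
        if parse_ts(stamp).hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((user, stamp, reasons))
    return findings


if __name__ == "__main__":
    for principal, count in bulk_config_downloads(API_AUDIT_LOG).items():
        print(f"bulk backup download: {principal} pulled {count} configs")
    for user, stamp, reasons in anomalous_vpn_logins(VPN_AUTH_LOG):
        print(f"vpn anomaly: {user} at {stamp}: {', '.join(reasons)}")
```

On the constructed data the first detector flags the service account that pulled six device backups in under a minute, and the second flags the two off-hours logins from outside the allowlist while ignoring the failed attempt.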
Mitigation & Hardening
Immediate Credential Reset: Reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and administrative services. This includes service accounts and automated system credentials that may have been exposed in configuration files.
Firewall Configuration Audit: Conduct comprehensive review of current firewall rules, VPN configurations, and access control policies. Compare current settings against known-good baselines to identify unauthorized modifications.
Multi-Factor Authentication Implementation: Deploy MFA across all administrative interfaces, VPN connections, and cloud management portals. Prioritize hardware-based tokens or certificate-based authentication for high-privilege accounts.
Network Segmentation Review: Reassess network segmentation strategies to limit potential lateral movement if perimeter defenses are compromised. Implement zero-trust principles for internal network communications.
Cloud Service Security Assessment: Evaluate security posture of all third-party cloud services, particularly those handling configuration data or backup files. Implement additional encryption and access controls where possible.
Patch Management Acceleration: Ensure all network security devices receive priority patching, particularly SonicWall devices that should be updated to address CVE-2024-40766 and other known vulnerabilities.
Monitoring Enhancement: Deploy enhanced network monitoring tools to detect configuration-based attacks and unusual administrative activity. Establish baselines for normal network behavior patterns.
Incident Response Planning: Update incident response procedures to address supply chain compromise scenarios where third-party service breaches enable downstream attacks.
FAQ
How did attackers use SonicWall configuration data to compromise Marquis?
According to Marquis's statement, attackers leveraged configuration data extracted from SonicWall's cloud backup breach to circumvent their firewall defenses. The stolen configuration files likely contained network topology information, firewall rules, and security policies that attackers used to identify weaknesses and craft targeted bypass techniques. Specific technical details of how configuration data was weaponized have not been publicly disclosed.
Were SonicWall customers who don't use cloud backup affected?
No, the SonicWall breach specifically affected customers using the MySonicWall cloud backup service. Organizations that maintain local-only firewall configurations and don't utilize SonicWall's cloud backup features were not directly impacted by the configuration file theft. However, all SonicWall customers should ensure they have applied patches for CVE-2024-40766 and other known vulnerabilities.
What legal action is Marquis taking against SonicWall?
Marquis has indicated they are evaluating options with respect to SonicWall, including seeking recoupment of expenses incurred due to the incident. The company has not specified whether formal legal proceedings have been initiated, but they are exploring potential avenues for recovering costs related to the breach investigation, customer notification, and remediation efforts.
How can organizations protect against similar supply chain attacks?
Organizations should implement multiple defensive layers including vendor risk assessments, contractual security requirements for third-party services, monitoring of cloud service provider security bulletins, and incident response procedures that account for supply chain compromises. Recent incidents like Ingram Micro's ransomware attack and ransomware attacks on major firms demonstrate the importance of maintaining defense-in-depth strategies that ensure single points of failure in vendor services don't compromise entire security postures. Organizations should also stay informed about emerging threats, such as new ransomware techniques being adopted by threat actors.
cyberscoop.com
By Matt Kapko
January 22, 2026
Ianis Antropenko, a Russian national living in California, admitted to committing ransomware attacks against at least 50 victims. He faces up to 25 years in jail.
A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.
Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.
Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.
While most cybercriminals, especially those involved in ransomware, are held in jail pending trial because of a flight risk, Antropenko was granted bail the day of his arrest.
This rare flash of deferment in a case involving a prolific cybercriminal is even more shocking considering his multiple run-ins with police since then. Antropenko violated conditions for his pretrial release at least three times in a four-month period last year, including two arrests in Southern California involving dangerous behavior while under the influence of drugs and alcohol.
As part of his plea agreement, Antropenko recognized that pleading guilty could impact his immigration status since the crimes he committed are removable offenses.
Court records don’t indicate if Antropenko has been detained pending sentencing, and his sentencing hasn’t been scheduled. His attorney and federal prosecutors working on his case did not respond to requests for comment.
Antropenko admitted to leading the ransomware conspiracy with the aid of multiple co-conspirators, including some who lived outside the U.S.
His ex-wife, Valeriia Bednarchik, was previously implicated by the FBI and prosecutors as one of his alleged co-conspirators involved in the laundering of ransomware proceeds.
FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.
Bednarchik, who also lives in Southern California, has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities previously indicated they plan to bring charges against her, no cases are currently pending.
Antropenko, who previously pleaded not guilty to the charges in October 2025, used multiple ransomware variants to commit attacks, including Zeppelin and GlobeImposter. The ransomware operation he led caused losses of at least $1.5 million to victims, according to court records.
Yet, the spoils of his crimes appear to be much greater. The Justice Department seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. Authorities seized an additional $595,000 in cryptocurrency from a wallet Antropenko owned in July 2025.
pcmag.com
Michael Kan
Senior Reporter
UPDATE 1/24: The hacking group World Leaks claims to have stolen 1.4TB of data from Nike, according to a post on the gang's website.
The stolen data covers 188,000 files. But a cursory look suggests that World Leaks looted internal files about Nike's clothing manufacturing business, rather than any customer or employee information. For example, a few of the folders are titled "Garment making process," "Nike Apparel tools" and "Women's Lifestyle." Another set of folders has Chinese-language titles.
We've reached out to Nike for comment and we'll update the story if we hear back.
Original story:
Nike is investigating a possible data breach after a hacking group listed the fashion brand as one of its latest victims.
On Thursday, cybersecurity researchers spotted World Leaks posting on the dark web about breaching Nike. It's unclear what they stole; for now, the group’s post shows only a countdown clock, indicating that World Leaks plans to reveal more on Saturday morning.
In response, Nike told PCMag: “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.”
According to cybersecurity firms, World Leaks operates as an extortion group that loots data from companies to force them to pay up, or else it’ll leak the stolen information. The group previously operated as “Hunters International,” and focused on delivering ransomware to encrypt victim computers. But last year, following increased scrutiny from law enforcement, the gang rebranded as World Leaks and pivoted to extortion-only tactics.
“They typically gain initial access through phishing campaigns, compromised credentials, or exploitation of exposed services,” according to cybersecurity vendor Blackpoint Cyber. “Once inside, they perform data discovery and exfiltration, prioritizing confidential corporate or personal information.”
Still, it’s possible that World Leaks stole inconsequential data from Nike. The group has already listed 114 other victims; it claims to have stolen 1.3TB of data from Dell. But the PC maker says World Leaks merely infiltrated a platform the company uses to demo products to prospective clients. As a result, the hackers were only able to access and steal an outdated contact list.
databreaches.net/
Posted on January 24, 2026 by Dissent
Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.
According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:
Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount
Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.
Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.
Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).
When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.
A check of Call-On-Doc’s website reveals the following statement in its FAQ:
Q: Is my payment and medical information safe with Call-On-Doc?
A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.
According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?
Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.
Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.
DataBreaches emailed its support@ email address on Friday. There was no reply.
If these are real data, there are several questions regulators may investigate.
According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.
Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.
DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. For a small random sample from the 1,000-record file that DataBreaches checked via Google searches, most patients are still at the addresses listed. Others could be verified as having lived at the listed addresses in the recent past.
One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.
This post may be updated when Call-On-Doc responds or more information becomes available.
If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.
therecord.media
Daryna Antoniuk
January 23rd, 2026
Germany’s Dresden State Art Collections, one of Europe’s oldest museum networks, has been hit by a targeted cyberattack that disrupted large parts of its digital infrastructure, the state of Saxony’s culture ministry said this week.
The attack, discovered on Wednesday, has left the museum group with limited digital and phone services. Online ticket sales, visitor services, and the museum shop are currently unavailable, and payments at museum sites can only be made in cash. Tickets purchased online before the incident remain valid and can still be scanned on site.
Despite the disruption, the museums remain open to visitors. The culture ministry said security systems protecting the collections were not affected and that both physical and technical security remain fully intact.
The Dresden State Art Collections, known as SKD, said it is unclear when all affected systems will be fully restored. As of Friday, the institution was still operating under restrictions, with no new updates on the incident, local media reported, citing an SKD spokesperson.
Officials have not said who carried out the attack or what their motives may have been. It is also unclear whether the incident involved a ransom demand or whether any negotiations with the attackers are underway.
The Dresden State Art Collections oversee about 15 museums, housing works by artists such as Raphael and Rembrandt, as well as the famed Green Vault, one of Europe’s richest treasure chambers, known for its royal jewels and goldwork.
Cultural institutions have increasingly become targets for cybercriminals in recent years. In 2023, Canada’s national art museum spent weeks restoring systems after a ransomware attack, while in 2022 the Metropolitan Opera in New York suffered a cyberattack that disrupted ticketing and box office operations during the busy holiday season.
Major libraries have also drawn the attention of hackers, prompting U.S. officials to launch a program to help such institutions protect themselves from cyberattacks. In 2023, ransomware crippled the systems of the British Library, one of the world’s largest and the national library of the United Kingdom. In Canada, the Toronto Public Library spent months recovering from a ransomware attack, describing the incident as a “crime scene.”
Clothing retailer Under Armour is investigating a recent data breach that purloined customers’ email addresses and other personal information, but so far there are no signs the hackers stole any passwords or financial information.
The breach is believed to have happened late last year, and affected 72 million email addresses, according to information cited by the cybersecurity website Have I Been Pwned. Some of the records taken also included personal information that included names, genders, birthdates and ZIP codes.
In an Under Armour statement acknowledging its investigation into the claims of a data breach, the Baltimore-based company said: “We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords. Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”
Have I Been Pwned CEO Troy Hunt said that he agrees with Under Armour’s assertion, based on the information that has emerged so far. But he also said he was surprised by the lack of an official disclosure statement from the company.
seclists.org
From: Simon Josefsson <simon () josefsson org>
Date: Tue, 20 Jan 2026 15:00:07 +0100
If you are tired of modern age vulnerabilities, and remember the good
old times on bugtraq, I hope you will appreciate this one. If someone
can allocate a CVE, we will add it in future release notes.
/Simon
The telnetd server invokes /usr/bin/login (normally running as root),
passing the value of the USER environment variable received from the
client as the last parameter.
If the client supplies a carefully crafted USER environment value, the
string "-f root", and passes the telnet(1) -a or --login parameter to
send this USER environment variable to the server, the client is
automatically logged in as root, bypassing the normal authentication
process.
This happens because the telnetd server does not sanitize the USER
environment variable before passing it on to login(1), and login(1)
uses the -f parameter to bypass normal authentication.
Severity: High
Vulnerable versions: GNU InetUtils since version 1.9.3 up to and
including version 2.7.
On a Trisquel GNU/Linux 11 aramo laptop:
root@kaka:~ sudo apt-get install inetutils-telnetd telnet
root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf
root@kaka:~ sudo /etc/init.d/inetutils-inetd start
root@kaka:~ USER='-f root' telnet -a localhost
...
root@kaka:~#
The bug was introduced in the following commit made on 2015 March 19:
https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87
Based on mailing list discussions:
https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00012.html
https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html
It was included in the v1.9.3 release made on 2015 May 12.
Do not run a telnetd server at all. Restrict network access to the
telnet port to trusted clients.
Apply the patch or upgrade to a newer release that incorporates the
patch.
Disable the telnetd server, or make the InetUtils telnetd use a custom
login(1) tool that does not permit use of the '-f' parameter.
The template for invoking login(1) is in telnetd/telnetd.c:
/* Template command line for invoking login program. */
char *login_invocation =
#ifdef SOLARIS10
  /* TODO: `-s telnet' or `-s ktelnet'.
   * `-u' takes the Kerberos principal name
   *      of the authenticating, remote user.
   */
  PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}"
#elif defined SOLARIS
  /* At least for SunOS 5.8. */
  PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}"
#else /* !SOLARIS */
  PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"
#endif
  ;
The variable expansion happens in telnetd/utility.c:
/* Expand a variable referenced by its short one-symbol name.
   Input: exp->cp points to the variable name.
   FIXME: not implemented */
char *
_var_short_name (struct line_expander *exp)
{
  char *q;
  char timebuf[64];
  time_t t;

  switch (*exp->cp++)
    {
    case 'a':
#ifdef AUTHENTICATION
      if (auth_level >= 0 && autologin == AUTH_VALID)
        return xstrdup ("ok");
#endif
      return NULL;

    case 'd':
      time (&t);
      strftime (timebuf, sizeof (timebuf),
                "%l:%M%p on %A, %d %B %Y", localtime (&t));
      return xstrdup (timebuf);

    case 'h':
      return xstrdup (remote_hostname);

    case 'l':
      return xstrdup (local_hostname);

    case 'L':
      return xstrdup (line);

    case 't':
      q = strchr (line + 1, '/');
      if (q)
        q++;
      else
        q = line;
      return xstrdup (q);

    case 'T':
      return terminaltype ? xstrdup (terminaltype) : NULL;

    case 'u':
      return user_name ? xstrdup (user_name) : NULL;

    case 'U':
      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");

    default:
      exp->state = EXP_STATE_ERROR;
      return NULL;
    }
}
Thus there is potential for similar vulnerabilities for other
variables.
On non-GNU/Linux systems, only the remote hostname field is of
interest. The remote_hostname variable is populated in the function
telnetd_setup from telnetd/telnetd.c by calling getnameinfo() or
gethostbyaddr() depending on platform. This API is generally not
considered to return trusted data, thus relying on it to not return a
value such as 'foo -f root' is not advisable.
We chose to sanitize all variables for expansion. The following two
patches are what we suggest:
https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
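The template expansion and argv splitting described above, as an added example written for this page in Python rather than the project's C. It is not InetUtils code and not the upstream patch: it assumes PATH_LOGIN is /usr/bin/login, models the expansion of %h, %u, %U and the %?u{...}{...} conditional followed by whitespace splitting in a simplified way, and the sanitizer is a hypothetical check that follows the same policy as the fix (refuse any expansion value that could be read as an option or split into several words, for every variable, used or not) without reproducing the actual commits.

```python
"""Added example, not GNU InetUtils code: a model of how telnetd expands
its login(1) command template and why a client-supplied USER of
"-f root" turns into two extra argv words, next to a sanitizer that
refuses such values for every expansion variable."""
import re

# Non-Solaris template from telnetd/telnetd.c; PATH_LOGIN is assumed to be
# /usr/bin/login as in the advisory.
LOGIN_TEMPLATE = "/usr/bin/login -p -h %h %?u{-f %u}{%U}"


class UnsafeLoginArgument(ValueError):
    """Raised when an expansion value must not reach login(1)."""


def login_arg_is_safe(value):
    """Hypothetical check (not the upstream patch): accept only values that
    cannot be read as an option and cannot be split into several words.
    None and "" are fine because the template substitutes an empty string."""
    if not value:
        return True
    if value.startswith("-"):
        return False  # "-f root", "--help", ...
    # Printable ASCII only, which excludes spaces, tabs, newlines, controls.
    return all(0x21 <= ord(ch) <= 0x7E for ch in value)


def expand_template(template, remote_host, user_name, env_user, sanitize=False):
    """Expand %h, %u, %U and the %?x{yes}{no} conditional, then split on
    whitespace as an argv builder would. user_name comes from a successful
    telnet AUTHENTICATION exchange (None when there was none); env_user is
    the USER environment variable the client sent."""
    values = {"h": remote_host, "u": user_name, "U": env_user or ""}
    if sanitize:
        # Check every variable, used or not, as the upstream fix chose to do.
        for name, val in values.items():
            if not login_arg_is_safe(val):
                raise UnsafeLoginArgument(f"%{name} expands to {val!r}")
    # %?u{...}{...}: take the first branch when %u is set, else the second.
    line = re.sub(r"%\?(\w)\{([^}]*)\}\{([^}]*)\}",
                  lambda m: m.group(2) if values.get(m.group(1)) else m.group(3),
                  template)
    # Plain %x substitutions; unset variables become "".
    line = re.sub(r"%(\w)", lambda m: values.get(m.group(1)) or "", line)
    return line.split()


def rejected(remote_host, user_name, env_user):
    """True when sanitizing expansion refuses to build the command line."""
    try:
        expand_template(LOGIN_TEMPLATE, remote_host, user_name, env_user, sanitize=True)
    except UnsafeLoginArgument:
        return True
    return False


if __name__ == "__main__":
    # Pre-fix: USER="-f root" becomes "-f" "root" and login(1) skips authentication.
    print(expand_template(LOGIN_TEMPLATE, "localhost", None, "-f root"))
    # Fixed: the same value is refused before login(1) is ever invoked.
    print(rejected("localhost", None, "-f root"))
    # An untrusted reverse-DNS name gets the same treatment as %U.
    print(rejected("foo -f root", None, "alice"))
```

The model deliberately checks %h as well: a resolver answer such as 'foo -f root' would otherwise be split into the same option and operand, which is why the advisory treats remote_hostname as untrusted.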
This vulnerability was found and reported by Kyu Neushwaistein aka
Carlos Cortes Alvarez on 2026-01-19.
Initial patch by Paul Eggert on 2026-01-20. Simon Josefsson improved
the patch to also cover similar concerns with other expansions.
This advisory was drafted by Simon Josefsson on 2026-01-20.
bleepingcomputer.com
By Sergiu Gatlan
January 21, 2026 12:49 PM
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.
"We just had a malicious SSO login on one of our FortiGate's running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.
The customer shared logs showing that the admin user was created from an SSO login of cloud-init@mail.io from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.
"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.
BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.
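The indicator the affected admins describe (an administrator object added from an SSO-originated session) is simple to hunt for in exported FortiOS event logs. The following is an added example written for this page, not Fortinet's, Arctic Wolf's or BleepingComputer's code. The sample lines are constructed for the example; they imitate the general key=value layout of FortiOS system event logs, but the field names relied on (cfgpath, cfgobj, action, ui, user, devname) are assumptions about that layout, so compare them against your own device's output before deploying the rule. The account name and IP address are the ones quoted above.

```python
"""Added example, not Fortinet code: flag system.admin accounts added from
an SSO-originated session in FortiOS-style key=value event logs."""
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r"^(?P<channel>\w+)\((?P<addr>[^)]*)\)$")

# Constructed sample lines (not real device logs); field names are assumed.
SAMPLE_LOGS = [
    'date=2026-01-19 time=02:14:07 devname="FGT60F" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.114)" '
    'method="sso" action="login" status="success" msg="Administrator logged in successfully"',
    'date=2026-01-19 time=02:14:09 devname="FGT60F" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(104.28.244.114)" '
    'action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"',
    'date=2026-01-19 time=08:30:12 devname="FGT60F" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="17" msg="Edit firewall.policy 17"',
    'date=2026-01-19 time=09:02:55 devname="FGT60F" type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" '
    'action="Add" cfgpath="system.admin" cfgobj="backup-admin" msg="Add system.admin backup-admin"',
]


def parse_kv(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}


def parse_ui(ui):
    """Split a ui field such as sso(104.28.244.114) into (channel, address)."""
    m = UI_RE.match(ui or "")
    return (m.group("channel"), m.group("addr")) if m else (ui or "", "")


def find_sso_admin_additions(lines):
    """One finding per system.admin object added by a session whose UI
    channel is sso. Admin additions over https or the console are left to
    normal change review; only the SSO-originated ones are surfaced."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("cfgpath") != "system.admin" or rec.get("action") != "Add":
            continue
        channel, addr = parse_ui(rec.get("ui"))
        if channel.lower() != "sso":
            continue
        findings.append({
            "time": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
            "device": rec.get("devname", ""),
            "actor": rec.get("user", ""),
            "source_ip": addr,
            "new_admin": rec.get("cfgobj", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_sso_admin_additions(SAMPLE_LOGS):
        print(f"{f['time']} {f['device']}: admin '{f['new_admin']}' added by "
              f"{f['actor']} via SSO from {f['source_ip']}")
```

If FortiCloud SSO is disabled as the article advises, any later hit from this rule is by definition unexpected and worth treating as a compromise rather than an admin mistake.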
Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To disable FortiCloud login, you have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. However, you can also run the following commands from the command-line interface:
config system global
set admin-forticloud-sso-login disable
end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.
Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.
cybernews.com
Vilius Petkauskas
Deputy Editor
Luxshare, one of Apple’s key partners in assembling iPhones, AirPods, Apple Watches, and Vision Pro, allegedly suffered a data breach, orchestrated by a ransomware cartel. The attackers are threatening to leak data from Apple, Nvidia, and LG unless the company pays a ransom.
Key takeaways:
Luxshare, Apple's key iPhone assembler, allegedly suffered a ransomware attack threatening confidential product data leaks from multiple tech giants.
RansomHub attackers claim access to 3D CAD models, circuit board designs, and engineering documentation from Apple and Nvidia products.
Cybernews researchers claim leaked data includes confidential Apple-Luxshare repair projects, employee PII, and product design files from 2019-2025.
The breach could enable competitors to reverse-engineer products, manufacture counterfeits, and exploit hardware vulnerabilities in Apple devices.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Luxshare data breach allegedly occurred last month: the attackers claim Luxshare’s data was encrypted on December 15th, 2025. The alleged attackers, RansomHub, announced the Luxshare data breach on their dark web forum.
Luxshare is an essential partner to the American giant. Many Apple products, including the iPhone, AirPods and Apple Watch, are assembled at Luxshare, which means the company holds very intimate information about Apple’s products.
“We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company. We strongly recommend that you contact us to prevent your confidential data and project documents from being leaked,” the attackers claim.
We have reached out to the company and will update the article once we receive a reply. We have also reached out to Apple and will add its response as soon as we receive it.
Luxshare data breach claims on the dark web
Attackers' post announcing Luxshare data breach. Image by Cybernews.
What data did the Luxshare data breach expose?
The Cybernews research team investigated the data sample that the attackers attached to the post.
According to our team, the leaked data includes details on what appear to be confidential projects regarding device repair and shipping between Apple and Luxshare, including timelines, detailed processes, and information about other Luxshare clients.
Moreover, the leaked information appears to include personally identifiable information (PII) of individuals working on specific projects, with their full names, job positions and work emails exposed.
Luxshare data breach projects
Alleged information on Apple and Luxshare projects. Image by Cybernews.
“Dates of these projects range from 2019 to 2025 and the information appears to expose sensitive business operations. Additionally, .dwg and Gerber files, which are often used to create product model designs, are also included,” the team explained.
While Apple’s assembler data breach is still unconfirmed, the team believes that the information included in the post appears to be legitimate.
Luxshare data breach team info
Alleged information about Luxshare staff working on Apple projects. Image by Cybernews.
What do the Luxshare attackers say?
The RansomHub attackers claim to have wide access to confidential Luxshare client data. The stolen data supposedly ranges from 3D product models to circuit board design data, information that’s highly coveted by corporate spies.
According to the attackers, they have accessed archives that contain:
Confidential 3D CAD product models, 3D engineering design data, 3D engineering documentation
Access to high-precision geometric data for Parasolid products
2D component drawings for manufacturing
Mechanical component drawings
Confidential engineering drawings in PDF format
Electronic design documentation
Electrical and layout architecture data
Printed circuit board manufacturing data
“The archives contain data from Apple, Nvidia, as well as LG, Geely, Tesla, and other large companies whose production and R&D information is publicly available. Protected by a non-disclosure agreement,” the attackers claim.
If confirmed, the attack could be disastrous for Luxshare and its partners. For one, attackers could sell the data to competitors who could utilize the stolen details to reverse-engineer products, bypass years of R&D, and manufacture counterfeits.
The cybersecurity implications are also extreme as attackers could clearly uncover hardware vulnerabilities, chip locations, and power systems, which would be beneficial to target firmware or carry out supply chain attacks.
China-based Luxshare is a behemoth in the electronics manufacturing industry. Based in the country’s tech heart, Shenzhen, the company employs over 230,000 people and reports revenues of over $37 billion.
According to reporting by the Wall Street Journal, Luxshare’s importance to Apple’s supply chain ballooned after its main assembler, Foxconn, went through a series of production halting protests.
Who are the Luxshare attackers?
First spotted in 2024, RansomHub is a well-established actor in the ransomware scene and has been one of the most active ransomware gangs of the past couple of years.
According to security experts, RansomHub is among the most prolific ransomware-as-a-service (RaaS) operations, having emerged after ALPHV (BlackCat) disappeared. It primarily targets industrial manufacturing and healthcare.
RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.
According to a CISA advisory, the cybercrooks breached nearly 500 victims in 2024, more than one victim per day on average. The cyber watchdog also provides a full list of the gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.
Updated on January 19th [01:30 p.m. GMT] with insights from the Cybernews research team.
ynetnews.com
Lior Ben Ari, News Agencies|01.19.26 | 02:22
Messages against the regime, documentary footage of protests, and speeches by Crown Prince Reza Pahlavi are seen on the screens of Iranian channels received via satellite; 'Message to the Iranian army and security forces: Do not turn your weapons on the people'
Iran’s opposition television channel Iran International reported Sunday evening that satellite broadcasts of several Iranian state TV channels were hijacked, with anti–ayatollah regime protest messages and statements by Crown Prince Reza Pahlavi aired for several minutes. Pahlavi, the exiled son of the shah ousted in the 1979 Islamic Revolution, has in recent weeks sought to position himself as a leader of the protests aimed at toppling the regime.
According to Iran International, the messages were seen by viewers watching Iranian state channels via the Badr satellite. During the brief takeover, videos and images documenting protests against the regime appeared on screen, alongside a call by Prince Reza Pahlavi urging the Iranian people to join the demonstrations and appealing to the armed forces to side with the protesters. The opposition outlet noted that Iran’s state broadcasting authority relies on the Badr satellite to transmit a number of regional channels nationwide.
Videos circulating on social media showed on-screen messages such as: “People of Iran, continue your struggle. Freedom is closer than ever,” as well as “Europe is with you!” and “Prince Reza Pahlavi is our voice, he is mobilizing global support for us.” For several seconds, another message flashed repeatedly: “This is a message to the Iranian army and security forces: Do not turn your weapons on the people. Join the nation for Iran’s freedom!” A photograph of Iranian President Masoud Pezeshkian later appeared, alongside a written appeal addressed to him: “Mr. Pezeshkian, the moment of truth has arrived. Do you stand with those spreading lies about ‘mercenaries,’ ‘Mossad agents’ and similar nonsense?”
The satellite broadcast hack came as the Islamic Republic remains largely cut off from the outside world, a week and a half after authorities shut down internet access. NetBlocks, an organization that monitors internet traffic and cybersecurity, reported that Iran briefly saw an uptick in connectivity earlier Sunday after usage had hovered at about 1% of normal levels over the past week, before dropping again later in the day. According to NetBlocks, there was a sudden spike in access to Google and certain messaging services from inside Iran, allowing a small number of Iranians to relay detailed information about the severity of conditions on the ground. That window was short-lived, however, as internet traffic soon plunged again.
Iran’s authorities cut internet access on January 8, the day protests against the regime escalated into mass demonstrations and, according to reports, the deadliest day of clashes with security forces. Earlier Sunday, Pezeshkian said that, given the need to ease online business activity and reduce communications restrictions, he had recommended that the secretary of the Supreme National Security Council remove internet limitations as soon as possible, though he did not specify when this would happen.
Journalists with Agence France-Presse in Tehran reported Sunday that they were briefly able to connect to the global internet in the morning, even as major internet service providers remained blocked. Some Iranians were able to send and receive WhatsApp messages for the first time in days. International phone calls to and from Iran, which were blocked last week, were restored on Tuesday, and SMS services resumed on Saturday.
Despite the severe restrictions on internet access and Iran’s longstanding bans on certain apps—including Instagram and Facebook, which require VPNs to access—reports of atrocities committed by security forces against protesters have nonetheless leaked out in recent days, mainly via users connected to Elon Musk’s Starlink satellite internet service.
Earlier Sunday, Iran’s semi-official Fars news agency reported that the CEO of Irancell, the country’s second-largest mobile operator, had been dismissed after failing to comply with a government order to shut down the internet. Iranian state television reported that schools and universities reopened Sunday after being closed for a week, saying authorities had regained control of the situation.
Iran admits 5,000 killed, toll may be far higher
Earlier in the evening, Pezeshkian warned that any attack on Iran’s supreme leader, Ali Khamenei, would be considered a declaration of all-out war against the Iranian nation, and that the Islamic Republic’s response to any military aggression would be severe and regrettable. His remarks followed comments a day earlier by former U.S. ambassador to Israel Dan Shapiro, who said he believed President Donald Trump would attempt to kill Khamenei as early as this week.
In a post on the X platform on Sunday evening, Pezeshkian wrote: “If there are difficulties and hardships in the lives of the dear people of Iran, one of the main causes is the long-standing hostility and inhumane sanctions imposed by the U.S. government and its allies. Any harm to the supreme leadership of our country would amount to a declaration of all-out war against the Iranian nation.”
Trump has signaled in recent days that he has decided, for now, to pause any strike on Iran—falling short of the promise he made to the Iranian people at the height of the unrest a week and a half ago that “help is on the way,” urging them to continue fighting the regime. Still, over the past 24 hours, threats and insults have again been exchanged between Trump and Iran’s leadership. In the background, the United States continues to move an aircraft carrier and forces suited for a large-scale strike closer to the Middle East, leading many to believe the likelihood of a U.S. attack remains high.
In a series of posts on X, Khamenei on Saturday harshly attacked Trump, claiming the United States was responsible for the wave of protests sparked by Iran’s dire economic situation. “Responsibility must be placed on the United States,” he wrote, adding: “We find the U.S. president guilty of all the losses, damages and slander.” Trump responded in an interview with Politico, calling Khamenei a sick man and saying, “It’s time to look for new leadership in Iran.”
On Sunday morning, an Iranian official told Reuters that at least 5,000 people have been killed in the crackdown on protests since the beginning of the month. He said the dead included about 500 members of the security forces and, in line with the regime’s official narrative, blamed the deaths of “innocent civilians” on “terrorists and armed rioters,” whom he claimed were armed by Israel and other foreign actors. A day earlier, Khamenei himself acknowledged that “thousands” had been killed in the suppression of the protests, also pointing the finger at the United States, Trump and “the Zionists,” as he put it.
According to the Iranian official who spoke to Reuters, the final death toll is not expected to rise significantly. However, unverified reports suggest the number of fatalities is far higher. Britain’s Sunday Times reported Sunday morning that, according to doctors in Iran, the death toll may exceed 16,000. Citing a medical report compiled inside Iran and leaked by doctors using Starlink, the paper said between 16,500 and 18,000 protesters had been killed and about 330,000 wounded, including children and pregnant women.
On Saturday night, the U.S.-based Human Rights Activists News Agency (HRANA), which reports on Iran through a network of activists, said it had verified 3,308 protest-related deaths, but was still investigating another 4,382 cases, meaning the toll could rise sharply. HRANA said more than 24,000 protesters had been arrested, and despite Trump’s claim that Iran halted 800 planned executions of detainees, it is highly possible that many will eventually be tried and executed, as Iran has done after previous protest waves, including the 2022 “hijab protests.”
bleepingcomputer.com
By Lawrence Abrams
January 15, 2026
Exclusive: Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.
"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer.
"We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."
Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.
However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.
Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.
Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.
It is unclear if the two incidents are connected.
Extorted by hackers
While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.
BleepingComputer attempted to verify these claims with the threat actors, but they refused to comment.
According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.
Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.
While it is unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.
In August, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.
According to a report by Google's Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.
"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.
ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables for 760 companies.
As threat actors continue to abuse previously stolen Salesforce data to carry out follow-on attacks, organizations impacted by the Salesloft Drift breaches must rotate all affected access tokens and secrets as soon as possible if they have not already done so.
Commsrisk
By Eric Priezkalns
19 Jan 2026
The scourge of smishing messages sent by rogue base stations is spreading across Europe but national leaders ignore the underlying security threat.
Police have announced the first ever arrests of smishing SMS blaster scammers in Greece. Regular readers of Commsrisk will anticipate all the essential facts of the case: a false base station was carried in the back of a car; the car was driven through densely populated suburbs of Athens, a major metropolitan area; the phones of victims were downgraded to 2G to bypass the security protocols of subsequent generations; victims received SMS messages that impersonated banks and contained links to phishing websites. But perhaps the most important common factor was that the two driver-operators of the SMS blaster were Chinese.
The arrests in Greece relied upon dumb luck rather than technologies that identify and pinpoint fake base stations. An employee of a shopping mall in Spata, an eastern district of Athens, warned police that two Chinese customers had behaved suspiciously. The police stopped and questioned the Chinese, who presented forged identity documents. The police then proceeded to search their car, where they found an SMS blaster and associated equipment. Three actual cases of fraud have since been tied to messages sent by the SMS blaster. The victims in these cases respectively reside in Spata, in downtown Athens, and in Maroussi, a northern suburb of Athens.
Greek police released an image of the equipment they found; this has been reproduced at the bottom of the article. Regular readers will also recognize another element commonly seen in photographs of devices seized during SMS blaster busts worldwide: a DC-to-AC electricity converter in the distinctive orange case of Chinese manufacturer NFA. We have also collated images of NFA converters that powered SMS blasters in Hong Kong, Japan, Malaysia, the Philippines, Qatar, Serbia, Thailand, Türkiye and the United Kingdom. There is nothing illegal about making and selling devices that convert DC electricity to AC, but the use of the same Chinese manufacturer’s equipment by Chinese criminals arrested in such a wide spread of countries would suggest common supply chains are enabling the intercontinental spread of SMS blaster crime.
A lot is said about the need for collaboration to reduce fraud but the extent of voluntary collaboration can be gauged by:
the widespread, but often unacknowledged dependence on this website to monitor and analyze information about SMS blaster crime from around the world; and
the information provided here for free is not even quoted correctly by the authorities.
The Greek authorities advised their local press that Greece is the fifth European country to be attacked using an SMS blaster. Commsrisk’s open source intelligence is evidently having an impact because press reports of earlier busts usually featured ineptly random lists of a few places where SMS blasters had been found before. The SMS blaster map on our Global Fraud Dashboard shows that Greece is at least the sixth country in Europe to discover smishing messages from SMS blasters carried by car. The other five European countries are, in chronological order of when their cases were reported: France, Norway, the United Kingdom, Switzerland and Serbia. Fake base stations that transmitted SMS messages have also been identified in Türkiye although the Turkish authorities insist those devices were used for espionage instead of smishing fraud. Note also that a Chinese national based in Istanbul was involved in the supply of those fake base stations and that an NFA power converter was used in conjunction with one of them.
The new case from Athens has been added to our SMS blaster map. If you believe a useful purpose is served by the open source intelligence that is automatically harvested by our Global Fraud Dashboard then please consider donating to the crowdfunding campaign we will launch soon. The goal is to finance the development work for a massive expansion of the number of charts on the dashboard and the range of data sources that it monitors.
I draw one overriding conclusion from the general ignorance surrounding the spread of SMS blaster crime: national authorities are not gathering and exchanging intelligence that would help them anticipate the spread of international crimes involving communications tech. They do not formulate plans to protect the public until they have identified crimes occurring within their jurisdictions. If detection depends on dumb luck, as it has in many of the European cases, then a lot of crime can occur before the authorities will react. This is a dangerous approach when dealing with crimes involving electronic communications as they are easily spread to new countries. Insufficient importance is attached to systematically detecting these crimes even though a few countries have researched and implemented technologies to proactively identify SMS blasters. Nor are we thinking strategically about safety. A rogue base station can be used for smishing fraud, or for espionage, or to spread panic.
If I were Vladimir Putin, a former spook with a penchant for destabilizing other countries through black ops and disinformation, then I would be laughing at European governments that talk a lot about preparing for conflict but have not modified mobile networks to reveal how many fake base stations are being transported around the continent. The invasion of Ukraine has prompted a rapid evolution in the ways electronic communications are exploited for warfare. Manufacturers of military drones commonly advertise versions that carry IMSI-catchers, a kind of surveillance device that mimics base stations in much the same way that SMS blasters do. Meanwhile, Europe remains so blasé about SMS blasters that a Chinese national could rent a car in, say, Estonia or Bulgaria, then drive it the whole way to Portugal or Italy, blasting SMS messages along the entire route, without anyone trying to stop him. The method is currently being used for fraud but it could just as easily spread disinformation with the intention to cause mayhem ahead of an invasion.
My guess (and hope) is that 2026 will be the year when most European police and governments will finally stop pretending that SMS blasters are a ‘new’ problem that will simply go away if they ignore it. To put the current European situation into context, consider that the mushrooming of SMS blaster crime was witnessed a decade ago across a similarly-sized geographic region. Chinese legal reports show there had already been over 1,600 separate prosecutions involving fake base stations by 2016. The Chinese authorities responded by taking radical action to punish the manufacture and sale of SMS blasters as well as their use by criminals. It seems they care less about the export of SMS blasters now that the domestic threat has been quelled.
Instead of learning from China’s example, European authorities behave as if there is no need to proactively tackle the supply of SMS blasters. I doubt Europe has the same determination to fight crime as the authorities in China, even if it was capable of marshaling and coordinating resources in the way the Chinese Communist Party can. Fearing they might be overwhelmed by exports from China, various East Asian countries have banned the importation of SMS blasters and run sting operations to disrupt supply lines.
Meanwhile, false base stations can openly be bought through websites — on condition they are never used within China — and Western internet firms including Google do nothing about adverts that promote their sale. Those involved in European legislation and regulation dither over how to write a definition of SMS blasters that can be used to make them illegal without prohibiting legitimate radio telecoms equipment. Presumably these dunderheads will later do what they always do: wait for a crisis to occur then seek praise for reacting to it while pretending there was no way to anticipate it.
Look immediately below for the Greek police photograph of the equipment they seized, and keep scrolling for comparative photos of NFA converters used to power SMS blasters found in (clockwise from top left): Hong Kong; Malaysia; Thailand; Türkiye; the United Kingdom; Manila in the Philippines; Bulacan in the Philippines; Serbia; Qatar; and Japan.
therecord.media
Suzanne Smalley
January 12th, 2026
Hungary has granted political asylum to Poland's former justice minister, Zbigniew Ziobro, who is being prosecuted for his role in a spyware scandal that has rocked the country.
Ziobro is facing dozens of charges for allegedly embezzling money meant for crime victims to pay for spyware used to snoop on the devices of political opponents.
One of the highest profile people implicated in Poland’s sprawling spyware scandal, Ziobro said on X that he intends to accept Hungary’s asylum offer “due to the political persecution in Poland.”
“I have decided to remain abroad until genuine guarantees of the rule of law are restored in Poland,” Ziobro posted. “I believe that instead of acquiescing to being silenced and subjected to a torrent of lies—which I would have no opportunity to refute—I can do more by fighting the mounting lawlessness in Poland.”
Ziobro served as justice minister from 2015 until 2023 and stands accused of helping facilitate a massive spyware operation that current Polish Prime Minister Donald Tusk has alleged involved snooping on nearly 600 people.
In September 2024, a Senate commission investigating the scandal said it had found “gross violations of constitutional standards.”
It is unusual for a country within the European Union to offer asylum to a criminal defendant facing prosecution elsewhere in the bloc. However, Hungarian Prime Minister Viktor Orban is politically aligned with Ziobro, a member of the right-wing Law and Justice (PiS) party, and has his own history with spyware.
In December 2024, another former Justice Ministry official, Marcin Romanowski, claimed asylum in Hungary after facing charges for his alleged role in the spyware operation.
techcrunch.com
Lorenzo Franceschi-Bicchierai
11:15 AM PST · January 8, 2026
The infamous spyware maker released a new transparency report claiming to be a responsible spyware maker, without providing insight into how the company dealt with problematic customers in the past.
NSO Group, one of the most well-known and controversial makers of government spyware, released a new transparency report on Wednesday, as the company enters what it described as “a new phase of accountability.”
But the report, unlike NSO’s previous annual disclosures, lacks details about how many customers the company rejected, investigated, suspended, or terminated due to human rights abuses involving its surveillance tools. While the report contains promises to respect human rights and have controls to demand its customers do the same, the report provides no concrete evidence supporting either.
Experts and critics who have followed NSO and the spyware market for years believe the report is part of a campaign by the company to get the U.S. government to remove it from a blocklist — technically called the Entity List — as it hopes to enter the U.S. market with new financial backers and executives at the helm.
Last year, a group of U.S. investors acquired the company, and since then, NSO has been undergoing a transition that included high-profile personnel changes: former Trump official David Friedman was appointed the new executive chairman; CEO Yaron Shohat stepped down; and Omri Lavie, the last remaining founder who was still involved in the company, also left, as Israeli newspaper Haaretz reported.
“When NSO’s products are in the right hands within the right countries, the world is a far safer place. That will always be our overriding mission,” Friedman wrote in the report, which does not mention any country where NSO operates.
Natalia Krapiva, the senior tech-legal counsel at Access Now, a digital rights organization that investigates spyware abuses, told TechCrunch: “NSO is clearly on a campaign to get removed from the U.S. Entity List and one of the key things they need to show is that they have dramatically changed as a company since they were listed.”
“Changing the leadership is one part and this transparency report is another,” said Krapiva.
“However, we have seen this before with NSO and other spyware companies over the years where they change names and leadership and publish empty transparency or ethics reports but the abuses continue.”
“This is nothing but another attempt at window dressing and the U.S. government should not be taken for a fool,” said Krapiva.
Ever since the Biden administration added NSO to the Entity List, the company has lobbied to have its restrictions lifted. After President Donald Trump took office again last year, NSO intensified these efforts. But, as of May last year, NSO had failed to sway the new administration.
In late December, the Trump administration lifted sanctions against three executives tied to the Intellexa spyware consortium, in what some saw as a sign of a shift in the administration’s attitude toward spyware makers.
A lack of details
This year’s transparency report, which covers 2025, has fewer details than reports from previous years.
In an earlier transparency report covering 2024, for example, NSO said it opened three investigations of potential misuse. Without naming the customers, the company said it cut ties with one, and imposed on another customer “alternative remediation measures,” including mandating human rights training, monitoring the customer activities, and requesting more information about how the customer uses the system. NSO did not provide any information about the third investigation.
NSO also said that during 2024, the company rejected more than $20 million “in new business opportunities due to human rights concerns.”
In the transparency report published the prior year, covering 2022 and 2023, NSO said it suspended or terminated six government customers, without naming them, claiming these actions resulted in a revenue loss of $57 million.
In 2021, NSO said it had “disconnected” the systems of five customers since 2016 following an investigation of misuse, resulting in more than $100 million in “estimated loss of revenue,” and it also said that it “discontinued engagements” with five customers due to “concerns regarding human rights.”
NSO’s newest transparency report does not include the total number of customers NSO has, a statistic that has been consistently present in previous reports.
TechCrunch asked NSO spokesperson Gil Lanier to provide similar statistics and figures, but did not receive answers by press time.
John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses for more than a decade, criticized NSO.
“I was expecting information, numbers,” Scott-Railton told TechCrunch. “Nothing in this document allows outsiders to verify NSO’s claims, which is business as usual from a company that has a decade-long history of making claims that later turned out to be misrepresentation.”
cnn.com
Helen Regan
A prominent tycoon wanted by United States federal prosecutors for allegedly running one of Asia’s largest transnational criminal networks has been arrested and extradited to China, Cambodian authorities and Chinese state media said.
Chen Zhi, 38, a national of China and Cambodia, was extradited on Tuesday after a months-long investigation by the two countries, Cambodia’s Interior Ministry said in a statement a day later. Chen’s Cambodian citizenship had been revoked, the ministry added.
The operation was conducted at the request of the Chinese government, the ministry said, though it is unclear what charges Chen faces in China. He was arrested alongside two other Chinese nationals.
Chen is the founder and chairman of Prince Group, which bills itself as one of Cambodia’s biggest conglomerates, with investments in luxury real estate, banking services, hotels, and major construction developments.
But US federal prosecutors say his business empire was fueled by forced labor and cryptocurrency scams that conned victims the world over and at one point were allegedly earning Chen and his associates $30 million every day.
In October, the US Treasury Department and UK Foreign Office sanctioned Prince Group and dozens of its affiliates, designating them transnational criminal organizations. Chen was charged in absentia in New York with money laundering conspiracy and wire fraud conspiracy, along with several associates.
Prosecutors also seized $15 billion in cryptocurrency from Chen following a years-long investigation, in what the Justice Department said was the largest forfeiture action in its history.
Since the indictment was announced, several other jurisdictions including Singapore, Thailand, Hong Kong and Taiwan announced seizures or freezes of hundreds of millions of dollars in assets linked to Chen.
CNN has reached out to lawyers representing Prince Group for comment on Chen’s arrest. Prince Group has previously denied engaging in unlawful activity, calling the allegations “baseless” and “aimed at justifying the unlawful seizure of assets,” according to a statement published on its website.
Chinese state media CCTV released footage Thursday of a handcuffed and hooded Chen being escorted from an airplane by Chinese security forces following his extradition.
“At present, Chen Zhi has been placed under compulsory criminal measures in accordance with the law, and the related cases are under further investigation,” the Ministry of Public Security said in a statement. It described Chen as “the ringleader of a major cross-border online gambling and fraud criminal syndicate.”
Chinese authorities will also issue wanted notices “for the first group of key members of the Chen Zhi criminal syndicate and will resolutely apprehend all fugitives and bring them to justice,” a ministry official said.
Cambodia has recently come under more pressure to act against the scam networks operating within its borders. In its statement, the interior ministry said Chen’s arrest was “within the scope of cooperation in combating transnational crime.”
The United Nations Office of Drugs and Crime has said the criminal networks that run the scam hubs are evolving at an unprecedented scale, despite highly publicized crackdowns last year.
“This arrest reflects sustained international pressure finally reaching a point where continued inaction became untenable for Phnom Penh,” said Jacob Sims, visiting fellow at Harvard University’s Asia Center and a transnational crime expert.
“It defused escalating Western scrutiny while aligning with Beijing’s likely preference to keep a politically sensitive case out of US and UK courts.”
What does arrest mean for US charges?
Analysts say Chen’s extradition to China will mean it is “highly unlikely” he will face justice in the US, at least in the short term. China does not have an extradition treaty with the US and the two countries are embroiled in a deepening geopolitical and economic rivalry.
“This outcome effectively shields Chen from US jurisdiction,” said Sims.
The global scam industry, much of it centered in Southeast Asia, is estimated to be worth between $50 billion and $70 billion. In 2023 it conned victims in the United States alone out of at least $10 billion.
The massive industry relies on hundreds of thousands of people who have been trafficked or lured to work in heavily guarded scam compounds, where they are forced to carry out investment or romance scams known as “pig butchering,” to con ordinary people out of their life savings.
US prosecutors allege Chen and others operated at least 10 forced labor camps across Cambodia since 2015 to engage in cryptocurrency investment schemes under the threat of violence.
Authorities allege they laundered criminal proceeds through the business and bribed government officials to stay ahead of criminal investigations and raids on the compounds.
Prince Group, American and British authorities allege, was the umbrella for more than 100 shell companies and entities allegedly used to funnel laundered cash across 12 countries and territories from Singapore to St Kitts and Nevis.
Chen and others used the stolen money to buy Picasso artwork, private jets and properties in upscale neighborhoods of London, as well as supplying bribes to public officials, according to prosecutors in New York.
Analysts say Chen faces a number of outstanding legal issues in China, though the charges remain opaque and have not compelled his extradition until now.
“What is clear, however, is that Beijing has strong incentives to handle this quietly and internally, given the political sensitivities surrounding his business empire, its regional ties, and in particular, a number of reported ties to various Chinese government officials,” Sims said.