Quotidien Shaarli

The cyberattackers claimed 2.1m pieces of customer data had been stolen from the Legal Aid Agency

Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack.

The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ).

The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached.

An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years.

“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.

Plusieurs comptes SwissPass ont été piratés depuis le début de l’année en Suisse romande. En Valais, la police recense 16 cas pour un préjudice total de 15’400 francs. Ce type de fraude s'étend au-delà du canton.

La police cantonale valaisanne a lancé une alerte après avoir enregistré une série de piratages de comptes SwissPass. Dans un communiqué publié le 20 mai, elle indique avoir reçu plusieurs signalements de connexions frauduleuses à ces comptes. Selon l’autorité, 16 cas ont été recensés depuis le début de l’année 2025 dans le canton, pour un préjudice total de 15’400 francs.

Les fraudeurs accèdent aux comptes grâce à des identifiants compromis, sans qu’un vol physique de la carte ne soit nécessaire. Une fois dans le compte, ils utilisent les moyens de paiement enregistrés comme Twint, la carte de crédit ou le paiement sur facture, pour acheter des billets de train, souvent à destination de la France, de l’Italie ou sur des liaisons transfrontalières. Cette méthode leur permet de détourner des montants importants sans jamais accéder au compte bancaire de la victime.

In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets.

In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:

• Cookie replenishment mechanism
• Randomize the UA and header of http requests
• Real browser calling
• Randomize URL path
• Dynamic rate control
• Status code retry mechanism
  In recent years, most emerging Botnet families have primarily focused on developing communication methods and network control. This includes creating specialized communication tools, separating vulnerabilities from Trojans to protect key information, and enhancing communication anonymity through techniques like DGA (Domain Generation Algorithm), DOH (DNS over HTTPS), and OpenNIC. These Botnets typically emphasize traffic-based attacks aimed at bandwidth consumption. However, HTTPBot has taken a different approach by developing a range of HTTP-based attack methods to conduct transactional (business) DDoS attacks. Attackers can use these methods to precisely target high-value business interfaces and launch targeted saturation attacks on critical interfaces, such as game login and payment systems. This attack with “scalpel-like” precision poses a systemic threat to industries that rely on real-time interaction. HTTPBot marks a paradigm shift in DDoS attacks, moving from “indiscriminate traffic suppression” to “high-precision business strangulation.” This evolution forces defense systems to upgrade from simple “rule-based interception” to a more dynamic approach combining “behavioral analysis and resource elasticity.”