Login
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.
On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.
FINTRAC found that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.
In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The 122 services targeted in Sanders’s research all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:
-abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
-sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
-anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
-anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.
Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”
Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.
“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”
The $173 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.
In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
Amazon Web Services (AWS), one of the world’s largest cloud providers, recently experienced a major outage that disrupted popular websites and apps across the globe—including Snapchat, Reddit, Fortnite, Ring, and Coinbase, according to reports from CNN and CNBC.
The disruption began out of Northern Virginia, where many of the internet’s most-used applications are hosted.
AWS said the problem originated within its EC2 internal network, impacting more than 70 of its own services, and was tied to DNS issues, the system that tells browsers how to find the right servers online.
A few hours after the initial reports of outages, AWS said the problem had been “fully mitigated,” though it took several more hours for all users to see their systems stabilized, according to CNBC.
There is no indication the outage was caused by a cyberattack, and Amazon continues to investigate the root cause.
When Amazon Web Services falters, the ripple effects reach far beyond businesses. Millions of consumers suddenly lose access to everyday apps and tools, including everything from banking and airline systems to gaming platforms and smart home devices.
“In the past, companies ran their own servers—if one failed, only that company’s customers felt it,” said Steve Grobman, McAfee’s Chief Technology Officer. “Today, much of the internet runs on shared backends like Amazon Web Services or Google Cloud. That interconnectedness makes the web faster and more efficient, but it also means one glitch can impact dozens of services at once.”
Grobman noted the issue was related to a capability called DNS within AWS, he described DNS as providing the directions on how systems find each other and even if those systems are operational, it can be detrimental.. It’s analogous to “tearing up a map or turning off your GPS before driving to the store.” The store might still be open and stocked, he explained, but if you can’t find your way there, it doesn’t matter.
“Even with rigorous safeguards in place, events like this remind us just how complex and intertwined our digital world has become,” Grobman added. “It highlights why resilience and layered protection matter more than ever.”
Events like this sow uncertainty for consumers. When apps fail to load, people may wonder: Is my account hacked? Is my data at risk? Is it just me?
Cybercriminals exploit that confusion. After past outages, McAfee researchers have seen phishing campaigns, fake refund emails, and malicious links promising “fixes” or “status updates” appear within hours.
Scammers often mimic legitimate service alerts—complete with logos and urgent wording—to trick users into entering passwords or payment information. Others push fake customer-support numbers or send direct messages claiming to “restore access.”
Here’s how to stay secure when the :
Using advanced artificial intelligence, McAfee’s Scam Detector automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes, stopping harm before it happens.
McAfee’s identity protection tools also monitor for signs that your personal information may have been exposed and guide you through steps to recover quickly.
Sign in to your McAfee account to scan for recent breaches linked to your email. You can also sign up for a free trial of McAfee antivirus to protect your devices.
The post AWS Outage Disrupts Major Apps Like Reddit and Snapchat—What Happened and How to Stay Safe appeared first on McAfee Blog.
Cybercriminals tricked employees at major global companies into handing over Salesforce access and used that access to steal millions of customer records.
Here’s the McAfee breakdown on what happened, what information was leaked, and what you need to know to keep your data and identity safe:
Hackers claim they’ve stolen customer data from multiple major companies, including household names like Adidas, Cisco, Disney, Google, IKEA, Pandora, Toyota, and Vietnam Airlines. Security Week has reported throughout 2025 on a wave of social-engineering attacks exploiting human – rather than platform – vulnerabilities.
According to The Wall Street Journal, the hacking group has already released millions of Qantas Airlines customer records and is threatening to expose information from other companies next.
The data reportedly includes names, email addresses, phone numbers, dates of birth, and loyalty program details. While it doesn’t appear that financial data was included, this kind of personal information can still be exploited in phishing and scam campaigns.
Salesforce has issued multiple advisories stressing that these attacks stem from credential theft and malicious connected apps – not from a breach of its infrastructure.
Unfortunately, incidents like this aren’t rare, and they’re not limited to any one platform or industry. Even the most sophisticated companies can fall victim when hackers rely on social engineering and manipulation to breach secure systems.
Hackers reportedly called various companies’ employees pretending to be IT support staff—a tactic known as “vishing”—and convinced them to share login credentials or connect fake third-party tools, essentially handing the criminals the keys to their accounts. Once inside, they accessed customer databases and stole the information stored there.
Think of it less like a burglar breaking a lock, and more like someone being tricked into opening the door.
So far, leaked data appears to include:
There’s no indication of credit card or banking data in the confirmed leaks, but that doesn’t mean you’re in the clear.
Even if your financial information isn’t exposed in a data breach, personal details like name and address can still be used for targeted scams and phishing. When that information is stolen and sold online, scammers use it to:
Even if your data isn’t part of this specific leak, these attacks highlight how often your information moves through third-party systems you don’t control.
1) Change your passwords—today.
Use strong, unique passwords for every account. McAfee’s password manager can help. Try our random password generator here.
2) Turn on two-factor authentication (2FA).
Even if a hacker has your password, they can’t get in without your code.
3) Monitor your financial and loyalty accounts.
Watch for strange charges, redemptions, or password reset emails you didn’t request.
4) Freeze your credit.
It’s free and prevents new accounts from being opened in your name. You can unfreeze it anytime. McAfee users can employ a “security freeze” for extra protection.
5) Be extra cautious with “breach” emails or calls.
Scammers often pretend to be from affected companies to “help you secure your account.” Don’t click links or give information over the phone. Go directly to the company’s website or app or your own IT team if a breach happens at your workplace.
6) Consider identity protection.
McAfee’s built-in identity monitoring can monitor your personal info across the dark web, send alerts if your data appears in a breach, and include up to $1 million in coverage for identity recovery expenses.
Your data could already be out there, but you don’t have to leave it there.
McAfee helps you take back control. Using advanced artificial intelligence, McAfee’s Scam Detector automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes, stopping harm before it happens.
And McAfee’s Personal Data Cleanup can help you check which data brokers have your private details and request to have it removed on your behalf.
Stay ahead of scammers. Check your exposure, clean up your data, and protect your identity, all with McAfee.
Learn more about McAfee and McAfee Scam Detector.
What to do if you’re caught up in a data breach
How to delete yourself from the internet
How to spot phishing emails and scams
The post Hackers Trick Staff Into Exposing Major Companies’ Salesforce Data–Find Out if You’re Safe appeared first on McAfee Blog.
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.
Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.
The abusive missives sent via Zendesk’s platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults.
Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names — not from Zendesk. In the example below, replying to any of the junk customer support responses from The Washington Post’s Zendesk installation shows the reply-to address is help@washpost.com.
One of dozens of messages sent to me this week by The Washington Post.
Notified about the mass abuse of their platform, Zendesk said the emails were ticket creation notifications from customer accounts that configured their Zendesk instance to allow anyone to submit support requests — including anonymous users.
“These types of support tickets can be part of a customer’s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,” said Carolyn Camoens, communications director at Zendesk. “Although we recommend our customers to permit only verified users to submit tickets, some Zendesk customers prefer to use an anonymous environment to allow for tickets to be created due to various business reasons.”
Camoens said requests that can be submitted in an anonymous manner can also make use of an email address of the submitter’s choice.
“However, this method can also be used for spam requests to be created on behalf of third party email addresses,” Camoens said. “If an account has enabled the auto-responder trigger based on ticket creation, then this allows for the ticket notification email to be sent from our customer’s accounts to these third parties. The notification will also include the Subject added by the creator of these tickets.”
Zendesk claims it uses rate limits to prevent a high volume of requests from being created at once, but those limits did not stop Zendesk customers from flooding my inbox with thousands of messages in just a few hours.
“We recognize that our systems were leveraged against you in a distributed, many-against-one manner,” Camoens said. “We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow.”
In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne’er-do-wells to sully the sender’s brand in service of disruptive and malicious email floods.
by Harshil Patel and Prabudh Chakravorty
*EDITOR’S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.
Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.
McAfee’s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.
Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
But in the recent campaign, it seems to be largely focused on Brazil.
Figure 1: Geographical Prevalence
Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Figure 2 : Infection chain
The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file.
Figure 3: Phishing Email
Figure 4: Phishing Email
Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe.
This command simply fetches more javascript code from the following URL:
To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography.
The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server:
Figure 6: Downloaded Files
Here,
”Corsair.Yoga.06342.8476.366.log” is AutoIT compiled script, “Corsair.Yoga.06342.8476.366.exe” is AutoIT interpreter,
“stack.tmp” is an encrypted payload (Astaroth),
and “dump.log” is an encrypted malware configuration.
AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process.
Figure 7: AutoIt script building shellcode
The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory.
To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint.
Figure 8: Hooking LocalCompact API
Shellcode’s $LOADOFFSET starts by resolving a set of APIs that are used for loading a DLL in memory. The API addresses are stored in a jump table at the very beginning of the shellcode memory.
Figure 9: APIs resolved by shellcode
Here shellcode is made to load a DLL file(Delphi) and this DLL decrypts and injects the final payload into newly created RegSvc.exe process.
The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed.
It checks for the following tools in the system:
Figure 10: List of analysis tools
It also makes sure that system locale is not related to the United States or English.
Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes.
Figure 11: Hooking keyboard events
Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.
Many banking-related sites are targeted, some of which are mentioned below:
caixa.gov.br
safra.com.br
Itau.com.br
bancooriginal.com.br
santandernet.com.br
btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
etherscan.io
binance.com
bitcointrade.com.br
metamask.io
foxbit.com.br
localbitcoins.com
The stolen banking credentials and other information are sent to C2 server using a custom binary protocol.
Figure 12: C2 communication
Figure 13: C2 infrastructure
Malware config is stored in dump.log encrypted, following is the information stored in it:
Figure 14: Malware configuration
Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image.
hxxps://bit[.]ly/4gf4E7H —> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png
Image file keeps the configuration hidden by storing it in the following format:
We found more such GitHub repositories having image files with above pattern and reported them to GitHub, which they have taken down.
For persistence, Astaroth drops a LNK file in startup folder which runs the AutoIT script to launch the malware when the system starts.
McAfee has extensive coverage for Astaroth:
Trojan:Shortcut/SuspiciousLNK.OSRT
Trojan:Shortcut/Astaroth.OJS
Trojan:Script/Astaroth.DL
Trojan:Script/Astaroth.AI
Trojan:Script/AutoITLoader.LC!2
Trojan:Shortcut/Astaroth.STUP
| IOC | Hash / URL |
|
7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945 |
|
| ZIP URL | https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip |
| LNK | 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df |
| JS Downloader | 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c |
| Download server |
clafenval.medicarium[.]help sprudiz.medicinatramp[.]click frecil.medicinatramp[.]beauty stroal.medicoassocidos[.]beauty strosonvaz.medicoassocidos[.]help gluminal188.trovaodoceara[.]sbs scrivinlinfer.medicinatramp[.]icu trisinsil.medicesterium[.]help brusar.trovaodoceara[.]autos gramgunvel.medicoassocidos[.]beauty blojannindor0.trovaodoceara[.]motorcycles |
| AutoIT compiled script | a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b |
| Injector dll | db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34 |
| payload | 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195 |
| Startup LNK | 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43 |
| C2 server |
1.tcp.sa.ngrok[.]io:20262 1.tcp.us-cal-1.ngrok[.]io:24521 5.tcp.ngrok[.]io:22934 7.tcp.ngrok[.]io:22426 9.tcp.ngrok[.]io:23955 9.tcp.ngrok[.]io:24080 |
| Config update URL |
https://bit[.]ly/49mKne9 https://bit[.]ly/4gf4E7H https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png |
| GitHub Repositories hosting config images |
https://github[.]com/dridex2024/razeronline
https://github[.]com/Config2023/01atk-83567z https://github[.]com/S20x/m25 https://github[.]com/Tami1010/base https://github[.]com/balancinho1/balaco https://github[.]com/fernandolopes201/675878fvfsv2231im2 https://github[.]com/polarbearfish/fishbom https://github[.]com/polarbearultra/amendointorrado https://github[.]com/projetonovo52/master https://github[.]com/vaicurintha/gol |
The post Astaroth: Banking Trojan Abusing GitHub for Resilience appeared first on McAfee Blog.
A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.
The new extortion website tied to ShinyHunters (UNC6040), which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.
The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.
Last week, a new victim shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.
“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”
Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).
Image: Mandiant.
On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).
“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.
Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.
Red Hat disclosed on October 2 that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.
“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.
Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, emails, IP address, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.
The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole vast amounts of authentication tokens from Salesloft, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.
In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.
“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”
The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.
Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.
But before it died, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.
Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.
On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.
A screenshot of the phishing message linking to a malicious trojan disguised as a Windows screensaver file.
KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.
The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is here). Simply viewing the booby-trapped screensaver on a Windows PC is enough to cause the bundled trojan to launch in the background.
Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.
A scan of the malicious screensaver file at Virustotal.com shows it is detected as bad by nearly a dozen security and antivirus tools.
“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”
Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.
With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with extorting at least $115 million in ransom payments from companies victimized by data theft.
U.S. prosecutors heaped their own charges on the 19 year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.
A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teen hackers, refers derisively to Thalha Jubair as a part of an APT threat known as “Advanced Persistent Teenagers.”
In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay roughly $13 million in restitution to victims.
In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the U.S., where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.
Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.
Latest research from McAfee Labs just announced and the numbers are staggering. If you think you’re immune to scams because you’re “too smart” or “too careful,” you might want to think again. Scammers have stepped up their game in 2025, and they’re coming for everyone.
Let’s start with the most shocking stat: job-related scams exploded by over 1,000% from May through late July 2025. Yes, you read that right. One thousand percent.
Think about that for a moment. In a world where finding decent work feels harder than ever, scammers are weaponizing our most basic need for employment. They’re not just sending random “work from home” nonsense anymore. These criminals are getting sophisticated, using terms like “resume,” “recruit,” “maternity,” and “paternity” to exploit our hopes around benefits and career opportunities.
Here’s the brutal reality: Nearly 1 in 3 Americans have received a job offer scam by text message. That means if you’re in a group of three people, at least one of you has been targeted. Even more disturbing? 45% of Americans have either experienced a job search scam personally or know someone who has. This isn’t some distant threat anymore, it’s hitting close to home.
Amazon Prime Day was a goldmine for scammers. Text scams in the shopping category jumped 250% from May to late July, with much of that spike happening right around Prime Day. Coincidence? Absolutely not.
Scammers know exactly when we’re most vulnerable. They know we’re hunting for deals, expecting delivery notifications, and clicking faster than we’re thinking. Amazon and Apple are the top brand names being impersonated because, let’s face it, we all interact with these companies constantly.
Shopping email scams climbed 60% during this same period, with Amazon holding the top spot, Target moving into second place, and Apple rounding out the top three. The fact that Target surged into the number two spot tells us something important: scammers are diversifying their approach and studying our shopping habits more carefully than we might be studying theirs.
Personal finance scams aren’t just growing, they’re surging nearly 150% from May to late July. Email scams in this category literally doubled between June and July. The top bait words? “Loan” and “money.” Because nothing says desperation like targeting people who are already financially stressed.
Credit cards topped the list of email scam keywords, which makes perfect sense. In an economy where everyone’s feeling pinched, the promise of easy credit or debt relief hits different. URL-based finance scams rose 10% in July alone, proving that scammers are hitting us from every digital angle.
Here’s what’s really clever (in a completely evil way): technology scams grew 40% in text messages and saw a staggering 160% increase in email scams across June and July. Apple dominated the scam landscape, but here’s the kicker: Nvidia drove much of the late-July growth.
Think about why that matters. Nvidia isn’t just any tech company; it’s the company behind the AI revolution everyone’s talking about. Scammers are literally using our fascination with AI and cutting-edge tech against us. They’re banking on our FOMO around technology trends.
Let’s step back and think critically about what’s really happening here. These aren’t random increases. Scammers are becoming more sophisticated, more targeted, and more successful because they’re exploiting fundamental human psychology:
Economic anxiety: With inflation concerns and job market uncertainty, financial scams hit when people are most vulnerable.
Technology overwhelm: As tech evolves rapidly, scammers exploit our confusion and excitement about new developments.
Social proof manipulation: Using trusted brand names like Apple, Amazon, and Target because we’ve been conditioned to trust these companies.
Timing exploitation: Hitting during Prime Day, benefit enrollment periods, and job hunting seasons when our guard is down.
But there’s another layer we need to call out, the long-term impact of falling for a fake job. When you’re unemployed, every lead matters. Chasing a fraudulent one doesn’t just waste time; it effectively pauses your real job search. Many people say job hunting is a full-time job in itself, so losing that time can feel like being pushed back to square one. That setback compounds stress and deepens the economic anxiety you were already feeling. It’s not just about losing money, it’s about losing momentum, confidence, and critical opportunities in a competitive market.
Advice like “just be careful” doesn’t cut it anymore. Scammers have leveled up, and their tactics are sophisticated enough to fool even the smartest of people. That’s why having the right tools and awareness matters more than ever. Staying informed isn’t about fear, it’s about empowerment. The more you know, the harder it is for scammers to win.
For job seekers: If someone contacts you about a job you didn’t apply for, especially mentioning benefits or asking for personal information upfront, pump the brakes. Real recruiters don’t typically lead with benefit details or ask for sensitive data in initial communications.
For online shoppers: Those delivery notifications and deal alerts you’re getting? Slow down before clicking. Go directly to the retailer’s official website or app instead of clicking links in texts or emails.
For anyone with financial concerns: If an offer sounds too good to be true (instant loans, credit repair miracles, investment opportunities), it probably is. When you’re stressed about money, that’s exactly when scammers strike hardest.
For tech enthusiasts: Being excited about new technology is great, but scammers are counting on that excitement to make you click faster than you think. Always verify tech-related communications through official channels.
The data is crystal clear: scams aren’t just increasing, they’re exploding across every category that matters to everyday people. Job hunting, shopping, managing money, staying current with technology. These criminals are systematically targeting the most essential aspects of modern life.
But here’s what the scammers don’t want you to know: awareness is your best defense. They rely on speed, emotion, and distraction. The moment you slow down, verify independently, and think critically, their whole game falls apart.
The 2025 scam landscape isn’t just more dangerous, it’s more personal. These aren’t random attempts anymore. They’re calculated attacks designed to hit you exactly when and where you’re most likely to let your guard down. To help job hunters and others, McAfee has launched Scam Detector, an all-in-one protection solution to help keep you safer across text, email and video. McAfee’s Scam Detector runs continuously in the background across all your devices, analyzing incoming emails, texts, and videos to detect potential scams in real-time. When it detects something suspicious, you get an instant alert that explains what raised the red flag and walks you through the specific tactics scammers use, so you can spot similar attempts on your own. For job seekers, Scam Detector can be an invaluable tool to help prevent fraudulent scams.
Stay sharp out there. Your financial security, career prospects, and digital safety depend on it.
The post Scam Alert: The Alarming Reality Behind 2025’s Explosion in Digital Fraud appeared first on McAfee Blog.
U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.
At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.
A court artist sketch of Owen Flowers (left) and Thalha Jubair appearing at Westminster Magistrates’ Court last week. Credit: Elizabeth Cook, PA Wire.
On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group.
That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.
The story also noted that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair’s alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.
Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies beginning in late 2021, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
That is, according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity published internal chat records taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames Amtrak and Asyntax. In the middle of the gang’s cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.
The leader of LAPSUS$ responded by gleefully posting Asyntax’s real name, phone number, and other hacker handles into a public chat room on Telegram:
In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.
That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including “Everlynn,” who in April 2021 began offering a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers.
In these so-called “fake EDR” schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g. username, IP/email address), while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
The roster of the now-defunct “Infinity Recursion” hacking team, which sold fake EDRs between 2021 and 2022. The founder “Everlynn” has been tied to Jubair. The member listed as “Peter” became the leader of LAPSUS$ who would later post Jubair’s name, phone number and hacker handles into LAPSUS$’s chat channel.
Prosecutors in New Jersey last week alleged Jubair was part of a threat group variously known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.
Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called Star Chat, which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K.
Jubair allegedly used the handle “Earth2Star,” a core member of a prolific SIM-swapping group operating in 2022. This ad produced by the group lists various prices for SIM swaps.
The group would then use that access to sell a SIM-swapping service that could redirect a target’s phone number to a device the attackers controlled, allowing them to intercept the victim’s phone calls and text messages (including one-time codes). Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees.
In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with “Tmo up!” and “Tmo down!” notices indicating periods wherein the group claimed to have active access to T-Mobile’s network.
A redacted receipt from Star Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools.
The data showed that Star Chat — along with two other SIM-swapping groups operating at the same time — collectively broke into T-Mobile over a hundred times in the last seven months of 2022. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.
The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools. Star Chat was responsible for a majority of these incidents. Image: krebsonsecurity.com.
A review of EarthtoStar’s messages on Star Chat as indexed by the threat intelligence firm Flashpoint shows this person also sold “AT&T email resets” and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in post on Telegram:
“Ok people are confused, so you know when u login to chase and it says ‘2fa required’ or whatever the fuck, well it gives you two options, SMS or Call. If you press call, and I forward the line to you then who do you think will get said call?”
New Jersey prosecutors allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules.
The phishing websites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.
A visual depiction of the attacks by the SMS phishing group known as 0ktapus, ScatterSwine, and Scattered Spider. Image: Amitai Cohen twitter.com/amitaico.
EarthtoStar’s group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world’s largest telecommunications providers. In May 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:
“Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike, I have major experience in this field, [including] a massive call center which houses 200,000+ employees where I have dumped all user credentials and gained access to the [domain controller] + obtained global administrator I also have experience with REST API’s and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and lets work.”
At around the same time in the Summer of 2022, at least two different accounts tied to Star Chat — “RocketAce” and “Lopiu” — introduced the group’s services to denizens of the Russian-language cybercrime forum Exploit, including:
-SIM-swapping services targeting Verizon and T-Mobile customers;
-Dynamic phishing pages targeting customers of single sign-on providers like Okta;
-Malware development services;
-The sale of extended validation (EV) code signing certificates.
The user “Lopiu” on the Russian cybercrime forum Exploit advertised many of the same unique services offered by EarthtoStar and other Star Chat members. Image source: ke-la.com.
These two accounts on Exploit created multiple sales threads in which they claimed administrative access to U.S. telecommunications providers and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar’s many aliases, posted to Exploit:
Hello. I have access to a telecommunications company’s citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted we can discuss payment and things leave your telegram in the comments or private message me ! Looking for someone with knowledge in citrix/privilege escalation
On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders.
“Optional: Endorsed by advanced APT Groups (e.g. Conti, Ryuk),” the ad concluded, referencing two of Russia’s most rapacious and destructive ransomware affiliate operations. “Part of a nation-state / ex-3l (3 letter-agency).”
The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as the Com, an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.
Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.
These “violence-as-a-service” solicitations typically involve “brickings,” where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions. The people targeted by these services are typically other criminals within the community, but it’s not unusual to see Com members asking others for help in harassing or intimidating security researchers and even the very law enforcement officers who are investigating their alleged crimes.
It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting U.S. federal prosecutor from New York. That post included a photo of the prosecutor taken from the Justice Department’s website, along with the message:
“Need irl niggas, in home hostage shit no fucking pussies no skinny glock holding 100 pound niggas either”
Throughout late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.k.a. “Brad_banned”) frequently advertised Star Chat’s malware development services, including custom malicious software designed to hide the attacker’s presence on a victim machine:
We can develop KERNEL malware which will achieve persistence for a long time,
bypass firewalls and have reverse shell access.This shit is literally like STAGE 4 CANCER FOR COMPUTERS!!!
Kernel meaning the highest level of authority on a machine.
This can range to simple shells to Bootkits.Bypass all major EDR’s (SentinelOne, CrowdStrike, etc)
Patch EDR’s scanning functionality so it’s rendered useless!Once implanted, extremely difficult to remove (basically impossible to even find)
Development Experience of several years and in multiple APT Groups.Be one step ahead of the game. Prices start from $5,000+. Message @brad_banned to get a quote
In September 2023 , both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident.
Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they’d broken in by social engineering a third-party IT vendor. At a hearing in London last week, U.K. prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks.
The Star Chat channel was finally banned by Telegram on March 9, 2025. But U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025.
In April 2025, the Com was buzzing about the publication of “The Com Cast,” a lengthy screed detailing Jubair’s alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are both aliases used by Everlynn in connection with their fake EDR services).
Thalha Jubair (right), without his large-rimmed glasses, in an undated photo posted in The Com Cast.
More recently, the anonymous Com Cast author(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to “dox” or post deeply personal information on people.
“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing,” the Com Cast account stated. “The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come together to form a single collective.”
The New Jersey complaint (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025. The complaint alleges the group’s victims paid at least $115 million in ransom payments.
U.S. authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair. The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair’s name. U.S. prosecutors said that when they seized that server they also seized $36 million in cryptocurrency.
The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the U.S. courts system that targeted a U.S. magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as one of five alleged Scattered Spider members.
Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge gave him more time than prosecutors requested because he was mad that Scattered Spider hacked his email account.
Noah “Kingbob” Urban, posting to Twitter/X around the time of his sentencing on Aug. 20.
A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.
Allison Nixon is chief research officer at the New York based security firm Unit 221B, and easily one of the world’s leading experts on Com-based cybercrime activity. Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes.
In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing — and very often bragging about — serious cybercrime offenses.
“Here we have a special category of Com offenders that effectively enjoy legal immunity,” Nixon told KrebsOnSecurity. “Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity.”
Nixon said U.K. authorities face the same challenge when they briefly detain and search the homes of underage Com suspects: Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they’re released.
Indeed, the U.K. court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time.
“What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse,” Nixon said. “The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest.”
Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem.
“If law enforcement was allowed to keep them in jail, they would quit reoffending,” she said.
The Times of London reports that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime.
Jubair is reportedly facing two charges in the U.K.: One of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of failing to comply with a section 49 notice to disclose the key to protected information.
In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the U.S., tried and convicted on all charges, he faces a maximum penalty of 95 years in prison.
In July 2025, the United Kingdom barred victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. U.K. organizations that are considered part of critical infrastructure reportedly will face a complete ban, as will the entire public sector. U.K. victims of a hack are now required to notify officials to better inform policymakers on the scale of Britain’s ransomware problem.
For further reading (bless you), check out Bloomberg’s poignant story last week based on a year’s worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.
Article tags
When news of Taylor Swift and Travis Kelce’s engagement broke recently, fans around the world celebrated this real-life love story. Unfortunately, cybercriminals saw something else entirely: a golden opportunity to exploit millions of devoted Swifties and NFL fans through sophisticated scams that blend AI technology with classic fraud tactics.
The engagement of two mega-celebrities creates an ideal environment for scammers. With millions of fans eager for content, merchandise, and insider information about their favorite stars, fraudsters have crafted elaborate schemes that prey on this enthusiasm. What makes these recent scams particularly dangerous is their use of cutting-edge AI technology that makes fake content increasingly difficult to detect.
McAfee threat researchers have identified a deepfake video circulating across social media platforms, all capitalizing on the engagement buzz. These AI-generated videos, some featuring a likeness of Selena Gomez, are commenting on the engagement, overlayed on video clips of Taylor Swift, but they’re entirely fabricated.
Figure 1 – Examples of deepfakes on social media
The sophistication of these deepfakes is concerning. They feature realistic facial movements and convincing audio that can fool even discerning viewers. Fortunately, McAfee’s Scam Detector technology has been successfully identifying these fraudulent videos, alerting users with notifications that read “Deepfake detected” and advising viewers to “take a moment to double-check if the video is real and accurate.”
Deepfake videos can serve several malicious purposes:
Perhaps even more concerning than the deepfakes is the explosion of fraudulent merchandise capitalizing on the engagement. Scammers have quickly pivoted to creating fake commemorative items, with one of the most prominent examples being counterfeit “Taylor Swift Funko Style Collectible Engagement Edition Dolls.”
Figure 2 – AI-Generated Funko Style Doll with AI-Generated Text
McAfee threat researchers recently investigated a website selling unauthorized Taylor Swift and Travis Kelce Funko Pop-style dolls. At first glance, the site appears legitimate, complete with professional product photography and detailed descriptions. However, closer inspection reveals several red flags:
AI-Generated Product Image: The most telling sign of fraud lies in the product images themselves. Researchers discovered that the Funko doll boxes contained misspelled words and incorrect text placement – classic indicators that the images were generated by AI rather than photographed from real products. These imperfections are common in AI-generated content, where text rendering often fails to produce accurate spelling or realistic placement. However, AI image generation tools are rapidly improving and are getting better at generating text.
Fraudulent Security Badges: The website goes to extraordinary lengths to appear legitimate, even displaying a fake “McAfee Secure” badge. This is particularly brazen, as scammers are literally using McAfee’s trusted brand to legitimize their fraudulent operation. Consumers should always verify security badges by clicking on them to ensure they lead to official verification pages. The McAfee SECURE seal was replaced by TrustedSite in 2013.
Too-Good-To-Be-True Pricing: The dolls are priced at $26.98, marked down from $49.99 – a classic pricing strategy designed to create urgency and the perception of a great deal.
These scams represent more than just financial fraud; they’re part of a larger ecosystem of misinformation and exploitation that damages both fans and the celebrities themselves. When deepfakes spread false information or when unauthorized merchandise floods the market, it can:
As these scams continue to evolve, consumers need to stay vigilant. Here are key steps to protect yourself:
For Social Media Content:
For Merchandise Purchases:
The Taylor Swift and Travis Kelce engagement scams highlight a broader trend in cybercrime: the democratization of sophisticated fraud tools. AI technology that once required significant technical expertise is now accessible to everyday scammers, making it easier than ever to create convincing fake content.
However, the same technology enabling these scams is also being used to combat them. Detection tools like McAfee’s Scam Detector are becoming more sophisticated at identifying AI-generated content, providing crucial protection for consumers.
The Taylor Swift and Travis Kelce engagement should be a celebration of love and happiness. Instead, it’s become another reminder of how quickly scammers adapt to exploit major news events and celebrity culture. By staying informed about these tactics and maintaining healthy skepticism about online content, fans can protect themselves while still enjoying legitimate coverage of their favorite celebrities.
Remember: if something seems too good to be true – whether it’s exclusive celebrity content or amazing merchandise deals, it probably is. In the age of AI-generated scams, a moment of caution can save you from becoming the next victim in this digital love story gone wrong. The best way to show love for Taylor Swift and Travis Kelce isn’t by clicking on suspicious links or buying questionable merchandise – it’s by being smart, careful consumers who don’t give scammers the attention and money they’re seeking.
The post How Fraudsters Are Exploiting the Taylor Swift and Travis Kelce Engagement appeared first on McAfee Blog.
While Apple goes to great lengths to keep all its devices safe, this doesn’t mean your Mac is immune to all computer viruses. What does Apple provide in terms of antivirus protection? In this article, we will discuss some signs that your Mac may be infected with a virus or malware, the built-in protections that Apple provides, and how you can protect your computer and yourself from threats beyond viruses.
A computer virus is a piece of code that inserts itself into an application or operating system and spreads when that program is run. While viruses exist, most modern threats to macOS come in the form of other malicious software, also known as malware. While technically different from viruses, malware impacts your Mac computers similarly: it compromises your device, data, and privacy.
While Apple’s macOS has robust security features, it’s not impenetrable. Cybercriminals can compromise a Mac through several methods that bypass traditional virus signatures. Common attack vectors include software vulnerabilities, phishing attacks that steal passwords, drive-by downloads from compromised websites, malicious browser extensions that seem harmless, or remote access Trojans disguised as legitimate software.
Understanding the common types of viruses and malware that target macOS can help you better protect your device and data. Here’s a closer look at the most prevalent forms of malware that Mac users should watch out for.
Whether hackers physically sneak it onto your device or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, viruses and malware can create problems for you in a couple of ways:
Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? These are all signs that you could have a virus or malware running in the background, zapping your device’s resources.
Malware or mining apps running in the background can burn extra computing power and data, causing your computer to operate at a high temperature or overheat.
If you find unfamiliar apps you didn’t download, along with messages and emails that you didn’t send, that’s a red flag. A hacker may have hijacked your computer to send messages or to spread malware to your contacts. Similarly, if you see spikes in your data usage, that could be a sign of a hack as well.
Malware can also be behind spammy pop-ups, unauthorized changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your computer has been hacked.
Your browser’s homepage or default search engine changes without your permission, and searches are redirected to unfamiliar sites. Check your browser’s settings and extensions for anything you don’t recognize.
Your antivirus software or macOS firewall is disabled without your action. Some viruses or malware are capable of turning off your security software to allow them to perform their criminal activities.
Fortunately, there are easy-to-use tools and key steps to help you validate for viruses and malware so you can take action before any real damage is done.
Macs contain several built-in features that help protect them from viruses:
There are a couple of reasons why Mac users may want to consider additional protection on top of the built-in antivirus safeguards:
Macs are like any other connected device. They’re also susceptible to the wider world of threats and vulnerabilities on the internet. For this reason, Mac users should think about bolstering their defenses further with online protection software.
If you suspect your Mac has been infected with a virus or other malware, acting quickly is essential to protect your personal data and stop the threat from spreading. Fortunately, this can be effectively done with a combination of manual steps and trusted security software:
In the most extreme cases, erasing your hard drive and reinstalling a fresh copy of macOS is a very effective way to eliminate viruses and malware. This process wipes out all data, including the malicious software. This, however, is considered the last resort for deep-rooted infections that are difficult to remove manually.
As cyber threats grow more sophisticated, taking proactive steps now can protect your device, your data, and your identity in the long run. Here are simple but powerful ways to future-proof your Mac, and help ensure your device stays protected against tomorrow’s threats before they reach you:
Staying safe online isn’t just about having the right software—it’s about making smart choices every day. Adopting strong digital habits can drastically reduce your risk of falling victim to viruses, scams, or data breaches.
An important part of a McAfee’s Protection Score involves protecting your identity and privacy beyond the antivirus solution. While online threats have evolved, McAfee has elevated its online protection software to thwart hackers, scammers, and cyberthieves who aim to steal your personal info, online banking accounts, financial info, and even your social media accounts to commit identity theft and fraud in your name. As you go about your day online, online protection suites help you do it more privately and safely. Comprehensive security solutions like McAfee+ include:
Yes. While Safari has built-in security features, you can still get a Mac virus by visiting a compromised website that initiates a drive-by download or by being tricked into downloading and running a malicious file.
Not necessarily. Many websites use aggressive pop-up advertising. However, if you see persistent pop-ups that are difficult to close, or fake virus warnings, it’s a strong sign of an adware infection.
Yes. While some consider it less harmful than a trojan, adware is a form of malware. It compromises your browsing experience, tracks your activity, slows down your computer, and can serve as a gateway for more dangerous infections.
If you have a security suite with real-time protection, your Mac is continuously monitored. It is still good practice to run a full system scan at least once a week for peace of mind.
Direct infection via a cable is extremely unlikely due to the security architecture of both operating systems. The greater risk comes from shared accounts. A malicious link or file opened on one device and synced via iCloud, or a compromised Apple ID, could affect your other devices.
Current trends show a rise in sophisticated adware and PUPs that are often bundled with legitimate-looking software. Cybercriminals are also focusing on malicious browser extensions that steal data and credentials, injecting malicious code into legitimate software updates, or devising clever ways to bypass Apple’s notarization process. Given these developments, Macs can and do get viruses and are subject to threats just like any other computer. While Apple provides a strong security foundation, their operating systems may not offer the full breadth of protection you need, particularly against online identity theft and the latest malware threats. Combining an updated system, smart online habits, and a comprehensive protection solution helps you stay well ahead of emerging threats. Regularly reviewing your Mac’s security posture and following the tips outlined here will also enable you to use your device with confidence and peace of mind.
The post Can Apple Macs get Viruses? appeared first on McAfee Blog.
The value of Bitcoin has had its ups and downs since its inception in 2013, but its recent skyrocket in value has created renewed interest in this virtual currency. The rapid growth of this alternative currency has dominated headlines and ignited a cryptocurrency boom that has consumers everywhere wondering how to get a slice of the Bitcoin pie. For those who want to join the craze without trading traditional currencies like U.S. dollars (i.e., fiat currency), a process called Bitcoin mining is an entry point. However, Bitcoin mining poses a number of security risks that you need to know.
Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. Miners, as they are called, essentially maintain and secure Bitcoin’s decentralized accounting system. Bitcoin transactions are recorded in a digital ledger called a blockchain. Bitcoin miners update the ledger by downloading a special piece of software that allows them to verify and collect new transactions. Then, they must solve a mathematical puzzle to secure access to add a block of transactions to the chain. In return, they earn Bitcoins, as well as a transaction fee.
As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning, a Bitcoin user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power. This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices.
One example of this security breach happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors used this time delay to access the users’ laptops for mining. In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. When an attacker loads mining software onto devices without the owner’s permission, it’s called a cryptocurrency mining encounter or cryptojacking.
It’s estimated that 50 out of every 100,000 devices have encountered a cryptocurrency miner. Cryptojacking is a widespread problem and can slow down your device; though, that’s not the worst that can happen. Utility costs are also likely to go through the roof. A device that is cryptojacked could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.
Now that you know a little about mining and the Bitcoin security risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:
The post Bitcoin Security: Mining Threats You Need to Know appeared first on McAfee Blog.
FreshRSS