TechNaduUK sanctions target cybercrime infrastructure
• Fraud compound (20K capacity)
• Crypto platform tied to ~$19.9B flows
• Assets seized globally
Cybercrime + human trafficking + crypto = evolving threat model
NERDS.xyz – Real Tech News for Real NerdsSavannah Guthrie family nightmare sparks an uncomfortable debate about banning bitcoin and crypto
https://fed.brid.gy/r/https://nerds.xyz/2026/02/savannah-guthrie-bitcoin-ransom/
Incognito Market operator sentenced to 30 years after running a $105M+ dark web narcotics operation using crypto-based internal banking.
Dark web anonymity continues to erode under sustained investigations.
BGDon 🇨🇦 🇺🇸 👨💻This has gotta be some kinda record. Here is a list of the Crypto investigations that have been paused/dismissed/canceled/terminated in the current U.S. administration.
That list: Aave, Binance, Coinbase, ConsenSys, Crypto.com, Cumberland DRW, Dragonchain, 31 Gemini, Gemini Earn, Hex , Immutable, Kraken, Ondo Finance, OpenSea, PayPal, Ripple, Robinhood, Tron, Uniswap, Yuga Labs, and the ZCash Foundation
Source: www.citationneeded.news
https://www.citationneeded.news/issue-100/ #Crypto #SEC #CFTC #Investigations #USGov #CryptoRegulation #CryptoCrime #CryptoCurrencies
Zeljka ZorzCryptocurrency thieves have found a new way to turn trusted Linux software packages on the Snap Store into crypto-stealing malware
https://www.helpnetsecurity.com/2026/01/21/linux-malware-snap-store/
This is old news - but worth repeating, as evidence of the crypto wild wild west!
Binance failed to police customer accounts executing suspicious transactions after it's s Nov 2023, settlement with the US Government for violations of sanctions and Bank Secrecy Laws.
Some accounts moved eight or nine figure sums, with a total of $144M in suspicious transfers. The operator of four cryptocurrency wallets involved has a history of transferring illicit funds for Hezbollah, the Houthis in Yemen, and the Assad regime in Syria. https://www.comsuregroup.com/news/13-suspicious-accounts-totalling-17-billion-since-2021/#:~:text=22/12/2025.%20According%20to%20a%20report%20in%20the,of%20a%202023%20settlement%20with%20the%20U.S.. #Crypto #CryptoCurrencies #Regulations #BankingLaw #Binance #USGov #CryptoCrime #MoneyLaundering #KYC #OFAC #Zhao
International arrest tied to crypto malware.
A KMSAuto-based clipper malware campaign infected 2.8M systems and stole ~$1.2M by hijacking crypto wallet addresses.
SOC GoulashAlright team, it's been a packed 24 hours in the cyber world! We've got a flurry of actively exploited zero-days and critical vulnerabilities to cover, alongside some significant breaches, new threat actor insights, and a few noteworthy law enforcement actions. Let's dive in:
Actively Exploited Zero-Days and Critical Vulnerabilities ⚠️
- Cisco is battling a maximum-severity zero-day (CVE-2025-20393) in its AsyncOS software for Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Suspected Chinese-government-linked threat actors (UAT-9686) have been exploiting this flaw since late November, deploying persistent Python-based backdoors like AquaShell, along with tunneling tools. There's no patch yet, so Cisco advises customers to assess exposure, limit internet access to the Spam Quarantine feature, and rebuild compromised appliances.
- The React2Shell vulnerability (CVE-2025-55182) in React Server Components continues to spread, with Microsoft confirming hundreds of compromised machines across diverse organisations. Attackers are leveraging this RCE flaw for reverse shells, lateral movement, data theft, and even ransomware deployment (Weaxor ransomware). This critical bug now holds the highest verified public exploit count of any CVE, with new related defects (CVE-2025-55183, CVE-2025-67779, CVE-2025-55184) also emerging. Patching is crucial, but won't evict existing attackers.
- HPE has patched a maximum-severity RCE flaw (CVE-2025-37164) in its OneView infrastructure management software, affecting all versions prior to v11.00. This vulnerability allows unauthenticated attackers to execute arbitrary code with low complexity. Admins should update immediately as no workarounds exist.
- SonicWall is warning customers about an actively exploited zero-day (CVE-2025-40602) in its SMA 1000 remote-access appliance. This bug, stemming from insufficient authorisation checks, can be chained with a previously patched flaw (CVE-2025-23006) to achieve unauthenticated root-level RCE. Immediate updates and restricting console access to trusted networks are advised.
- CISA has added CVE-2025-59374, a critical supply chain compromise impacting ASUS Live Update, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, linked to 2019's Operation ShadowHammer, allowed attackers to distribute trojanised software to specific targets. ASUS Live Update has reached end-of-support, so federal agencies are urged to discontinue its use.
- The Zeroday Cloud hacking competition in London saw researchers demonstrate 11 zero-day vulnerabilities in critical cloud infrastructure components like Redis, PostgreSQL, Grafana, MariaDB, and the Linux kernel. This highlights significant security gaps in widely used cloud systems, including a container escape flaw in the Linux kernel that could break isolation between cloud tenants.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/
📰 The Hacker News | https://thehackernews.com/2025/12/cisco-warns-of-active-attacks-exploiting-unpatched-0-day-in-asyncos-email-security-appliances.html
🗞️ The Record | https://therecord.media/chinese-attackers-zero-day
🤫 CyberScoop | https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/
📰 The Hacker News | https://thehackernews.com/2025/12/threatsday-bulletin-whatsapp-hijacks.html (React2Shell Exploited in Ransomware Attacks)
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/18/react2shell_exploitation_spreads_as_microsoft/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hpe-warns-of-maximum-severity-rce-flaw-in-oneview-software/
📰 The Hacker News | https://thehackernews.com/2025/12/hpe-oneview-flaw-rated-cvss-100-allows-unauthenticated-remote-code-execution.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/18/sonicwall_sma_1000_0day/
📰 The Hacker News | https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update-flaw-after-evidence-of-active-exploitation.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-event-awards-320-0000-for-11-zero-days/
Recent Cyber Attacks and Breaches 🔒
- Amazon's AWS GuardDuty team has warned of an ongoing cryptomining campaign leveraging compromised IAM credentials to exploit Elastic Compute Cloud (EC2) and Elastic Container Service (ECS) instances. Attackers establish persistence by disabling API termination, hindering incident response.
- France's Ministry of the Interior confirmed a cyberattack on its internal email servers, compromising document files. A 22-year-old suspect, previously convicted for similar offences, has been arrested. The notorious BreachForums claimed responsibility, citing revenge for prior arrests, and alleged the theft of 16 million police records, though French authorities have not confirmed this.
- PornHub and SoundCloud have both disclosed data breaches stemming from a compromise at their data analytics service provider, Mixpanel. PornHub stated limited analytics events were extracted, while SoundCloud reported email addresses and public profile information for approximately 20% of its 200 million users were accessed. The ShinyHunters group has allegedly taken credit for the Mixpanel attacks.
- DXS International, a tech supplier for the NHS, is investigating a cyberattack on its internal office servers. While the company claims minimal impact on frontline clinical services, the incident highlights the ongoing risk to critical infrastructure via third-party suppliers.
- The University of Sydney suffered a data breach after hackers accessed an online coding repository, stealing personal information of over 27,000 current and former staff, affiliates, students, and alumni. The stolen data includes names, dates of birth, phone numbers, home addresses, and job details, though no evidence of online publication or misuse has been found yet.
- French authorities arrested a Latvian crew member of an Italian passenger ferry, suspected of installing malware that could allow remote control of the vessel. The incident is being investigated as suspected foreign interference.
- The Clop ransomware gang is actively targeting internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. It's currently unclear if Clop is exploiting a new zero-day or an unpatched N-day vulnerability, but over 200 CentreStack servers are potentially vulnerable.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/amazon-ongoing-cryptomining-campaign-uses-hacked-aws-accounts/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/18/crypto_crooks_use_stolen_aws/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/france-arrests-suspect-tied-to-cyberattack-on-interior-ministry/
🗞️ The Record | https://therecord.media/france-interior-ministry-hack-arrest
🗞️ The Record | https://therecord.media/millions-impacted-pornhub-soundcloud-breaches
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/18/nhs_tech_supplier_cyberattack/
🗞️ The Record | https://therecord.media/uk-nhs-tech-provider-dxs-discloses-hack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/university-of-sydney-suffers-data-breach-exposing-student-and-staff-info/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/france-arrests-latvian-for-installing-malware-on-italian-ferry/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
New Threat Research on Threat Actors, Malware, and Techniques 🛡️
- North Korea's state-backed cybercriminals plundered over $2 billion in cryptocurrency in 2025, a 51% increase year-on-year, accounting for 76% of all crypto service compromises. This surge is largely attributed to a $1.5 billion theft from Bybit and an increased focus on personal wallets, often facilitated by social engineering tactics like posing as IT workers or recruiters.
- The Kimsuky threat actor is distributing a new DocSwap Android malware variant via QR codes on phishing sites mimicking CJ Logistics. The malware uses social engineering to bypass security warnings and provides extensive RAT capabilities, including keystroke logging, audio capture, and file operations.
- GreyNoise observed an automated password spraying campaign targeting Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways. Originating from over 10,000 unique IPs, the attacks use common username/password combinations, indicating scripted credential probing rather than vulnerability exploitation.
- A new modular information stealer, SantaStealer, is being advertised on underground forums, designed to operate in-memory and exfiltrate sensitive documents, credentials, and wallets from a wide range of applications.
- Threat actors are using a new "GhostPairing" social engineering technique to hijack WhatsApp accounts by luring victims to scan QR codes or enter phone numbers on fake Facebook viewer pages, abusing the legitimate device-linking feature.
- Bad actors are observed hosting videos on RuTube, advertising Roblox cheats that lead to Trojan and stealer malware like Salat Stealer, mirroring tactics seen on YouTube.
- An analysis of DDoSia's multi-layered command-and-control (C2) infrastructure reveals an average of 6 control servers active at any given time, with short lifespans, used by pro-Russian hacktivist group NoName057(16) to target Ukraine, European allies, and NATO states.
- A phishing campaign, attributed to Russian APT actors, is targeting entities in the Baltics and Balkans, spoofing government bodies with credential phishing emails that use blurred decoy documents and pop-ups to harvest credentials.
- New "ClickFix" attacks are leveraging fake CAPTCHA checks to trick users into running the `finger.exe` tool to retrieve malicious PowerShell code, attributed to clusters KongTuke and SmartApeSG.
- Threat actors are abusing Google's Application Integration service to send highly convincing phishing emails from authentic @google.com addresses, bypassing SPF, DKIM, and DMARC checks to steal Microsoft 365 credentials.
- Cato Networks observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including those controlling solar panel output. The rise of agentic AI tools is accelerating these attacks, reducing execution time from days to minutes.
- Bitsight research found approximately 1,000 Model Context Protocol (MCP) servers exposed on the internet without authorisation, leaking sensitive data and potentially allowing RCE or Kubernetes cluster management.
- A phishing campaign impersonating India's Income Tax Department is deploying legitimate remote access tools like LogMeIn Resolve, using tax irregularity themes to create urgency and bypass traditional Secure Email Gateway defenses.
- A previously unknown, China-aligned hacker group, LongNosedGoblin, is targeting government institutions across Southeast Asia and Japan. The group abuses Windows Group Policy to deploy malware like NosyHistorian (browser history collector) and NosyDoor (backdoor), with NosyDoor potentially offered as a commercial service.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/
🗞️ The Record | https://therecord.media/over-3-billion-crypto-stolen-2025-north-korea
📰 The Hacker News | https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware-via-qr-phishing-posing-as-delivery-app.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-password-spraying-attacks-target-cisco-pan-vpn-gateways/
📰 The Hacker News | https://thehackernews.com/2025/12/threatsday-bulletin-whatsapp-hijacks.html (SantaStealer, GhostPairing, RuTube, DDoSia, APT phishing, ClickFix, Google service abused, AI-driven ICS scans, Exposed MCP servers, Fake tax scam)
🗞️ The Record | https://therecord.media/new-china-linked-hacker-group-spies-on-governments-in-southeast-asia-japan
#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #Ransomware #APT #CyberAttack #DataBreach #InfoSec #IncidentResponse #CloudSecurity #SupplyChainSecurity #CryptoCrime
OSINT points to possible arrest of crypto actor ‘Danny’ after seizure-style wallet flows
• $18.58M consolidated into one wallet
• Flows match known LE seizure patterns
• Links to Genesis ($243M) & Kroll SIM-swap ($300M+)
• Reported Dubai villa raid + arrests
#OSINT #ThreatIntel #CryptoCrime #SIMSwap #GenesisBreach #KrollBreach
maniabelInternationale Strafverfolgende schalten CryptoGeldwäschedienst ab
Europol als auch BKA berichten über das Abschalten des CryptoGeldwäschedienstes cryptomixer[dot]io, der seit 2016 aktiv war.
Mehr: https://maniabel.work/archiv/606
#geldwäsche #cryptocrime #BKA #EuroPol #infosec #infosecnews