Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.
The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate

Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects

The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.
Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.

Cybercrime is often seen as a threat to privacy or money, but recent years show it can cost lives too. Ransomware, once just a way for criminals to **lock files for cash**, now disrupts hospitals and treatment, turning data extortion into a real danger for patients who need urgent care. When hospitals can’t access vital systems, people can and do die, a harsh reality now witnessed in Europe not once but twice.

****Death in the United Kingdom****

In June 2024, as **reported** by Hackread.com, the UK’s National Health Service suffered one of its most serious cyber incidents. The Russian-speaking Qilin ransomware group broke into Synnovis, a company that handles pathology services for major London hospitals like King’s College and Guy’s & St Thomas’.

This attack crippled blood test services across the capital, delaying vital operations and treatments. According to an **incident update** from the College issued last week, one patient, who needed urgent care, died unexpectedly during this crisis. Investigators confirmed the ransomware attack was a factor. The Qilin gang didn’t care that their demand for money put human lives on the line, they published stolen files online as proof of their crime, using patient safety as leverage.

****Death in Germany****

Four years earlier, a similar incident took place in Germany. **In September 2020**, hackers targeted Düsseldorf University Hospital with ransomware that shut down around 30 servers. Doctors had no choice but to shut the emergency department.

As a result, a critically ill woman who arrived needing urgent surgery had to be sent 32 kilometers (almost 20 miles) away. The delay cost her life. Local prosecutors considered **charging** the attackers with negligent homicide, a rare but deserved move against criminals who turned people’s medical emergencies into their payday.

****Ransomware and Windows Operating System****

These tragedies go on to show that hospitals remain lucrative and soft targets for cybercriminals. Many hospitals **still rely on Windows systems**, which attract ransomware because most malware is built to hit Windows environments.

Protecting these systems is possible but demands serious discipline, up-to-date backups stored safely offline, strong passwords and multi-factor logins, constant patching and smart network setups that keep infections from spreading unchecked. Staff also need training since many ransomware attacks start with a **human factor** and their single careless click on a fake email.

The use of legacy OS in healthcare is a whole new scandal as Kaspersky’s 2021 **report** found 73% of healthcare providers using medical equipment with a legacy OS. A legacy operating system is an old system that its developers no longer actively support or update. It’s usually been replaced by newer versions and doesn’t get the security fixes or patches needed to stay protected, which leaves it more open to attacks.

Some argue that Linux could help because fewer ransomware strains target it, and its security model makes it harder for malware to gain deep control. That’s true to a point, but moving an entire hospital to Linux is next to impossible because critical devices like lab equipment, MRI scanners, and medical record systems run on Windows-only software approved and supported by specific vendors. Hospitals can’t just replace them overnight.

Therefore, unfortunately, it all comes back to a better approach to increasing security on the systems they already use rather than imagining an easy switch that won’t happen anytime soon. Additionally, the Kaspersky report mentioned earlier found that hospitals use legacy operating systems from both Windows and Linux. So what’s the point of using Linux if it’s an outdated version?

****Fancy Alliance is Not Working****

In November 2023, a US-led alliance of 40 countries **announced** plans to target the ransomware ecosystem with new efforts to disrupt ransom payments, dismantle criminal infrastructure, and share intelligence across borders.

Yet by February 2025, ransomware attacks had surged by a **record 126%** as cyber criminals exploited file transfer vulnerabilities, infostealers, and AI-driven tactics to stay ahead.

Remember, these are 2 deaths but imagine an emergency in a city where dozens of people suddenly need urgent hospital care, maybe a major accident or an outbreak that floods the ER with critical patients. Now what if the same hospital is locked out of its own systems because ransomware has crippled lab reports, scans and patient records.

Doctors are forced to guess or work blind. Life-saving operations get delayed. Ambulances are turned away. What happens then? It’s obvious when hospitals get hacked, the damage doesn’t stop at data. It can leave an entire city helpless at the worst possible moment.

****Ransomware Gangs Targeting Healthcare and Hospitals Are Parasites****

What makes this all worse is the people behind these attacks. Ransomware gangs like **Qilin** are not brilliant hackers, they are parasites living off broken systems, careless setups and human mistakes. They hide in safe countries that turn a blind eye to their crimes.

These governments should stop pretending this is a normal petty crime and start treating it as the threat to human life it is. Any country giving shelter to ransomware criminals should hunt them down, seize their profits and put them behind bars for every life their greed destroys.

In the end, hospitals shouldn’t be forced to choose between saving lives and paying off criminals. These two deaths are proof that ransomware is no longer just about data, it’s about whether patients live or die when cyber criminals shut systems down. That should be enough to push every hospital, vendor and government to take this threat as seriously as it deserves.

How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

AT&T is set to pay $177 million to customers affected by two significant data breaches. Were you affected and how can you submit your claim?

AT&T is set to pay $177 million to customers affected by two significant data breaches. These breaches exposed sensitive personal information of millions of current and former AT&T customers.

For those that have missed the story so far:

*   Back in 2021, an entity named Shiny Hunters (a known hacking group) claimed to have breached AT&T. Later reports indicated this breach started in 2019. AT&T denied that the data came from its systems.
*   Then in March, 2024, the data of over 70 million people was posted for sale on an online cybercrime forum. The seller claimed the data came from the Shiny Hunters breach. AT&T again denied the data came from its systems.
*   On March 30, 2024, AT&T reset customer passcodes after a security researcher discovered the encrypted login passcodes found in the leaked data were easy to decipher.
*   Finally, on April 2, 2024, AT&T confirmed that 73 million current and former customers had been caught up in the data leak.
*   A later breach, revealed in July, 2024, involved a hack of AT&T’s cloud storage provider, Snowflake, compromising call and text records from 2022 for nearly 109 million US customers. Although no names were linked to this data, the breach was severe enough to lead to arrests.

Following these incidents, AT&T faced multiple class action lawsuits alleging inadequate protection of customer data. Now, a US District Judge has granted preliminary approval to a settlement resolving these lawsuits. This settlement offers an opportunity for affected customers to receive compensation for the harm caused by these breaches.

**Who qualifies for compensation?**

*   Any current or former AT&T customer whose data was accessed in either breach is eligible.
*   Priority and larger payments will go to those who can document damages directly caused by the breaches.
*   Maximum payouts are up to $5,000 for the 2019 breach and $2,500 for the 2024 breach.
*   Any remaining funds will be distributed to others affected, even without proof of damages.

The projected timeline for the claims process looks like this

*   Notices to eligible claimants will be sent by August 4, 2025.
*   The deadline to submit claims is November 18, 2025.
*   Payments are expected to begin in early 2026, pending final court approval scheduled for December 3, 2025.

**Check if your data was exposed**

To find out how to claim, watch for official notifications from AT&T or check the settlement website once it launches.

You can use Malwarebytes’ easy, free tool—the Malwarebytes Digital Footprint Portal—to check if your data was exposed in the AT&T breach. Simply click the button below, enter your email address, and follow the prompts on the screen.

When you get your results, you’ll see a pink bubble with the words “Exposed on AT&T” if your information was affected in the breach. If you see a green bubble then your data was not exposed.

We will keep you posted of any new developments in this case. Stay tuned!

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 AT&amp;T to pay compensation to data breach victims. Here&#8217;s how to check if you were affected 

Identity-based attacks are on the rise. Attacks in which malicious actors assume the identity of an entity to easily gain access to resources and sensitive data have been increasing in number and frequency over the last few years. Some recent reports estimate that 83% of attacks involve compromised secrets. According to reports such as the Verizon DBIR, attackers are more commonly using stolen

Leveraging Credentials As Unique Identifiers: A Pragmatic Approach To NHI Inventories 

Ever wonder what happens when attackers don’t break the rules—they just follow them better than we do? When systems work exactly as they’re built to, but that “by design” behavior quietly opens the door to risk?
This week brings stories that make you stop and rethink what’s truly under control. It’s not always about a broken firewall or missed patch—it’s about the small choices, default settings

⚡ Weekly Recap: Airline Hacks, Citrix 0-Day, Outlook Malware, Banking Trojans and more

We've seen several spikes in Android threats since the start of 2025. Here's how to protect yourself.

The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems .

Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline. 

Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

These numbers reflect a shift in strategy: Attackers are scaling operations, fine-tuning delivery, and exploiting both human psychology and systemic weak points. Take Spyloan, for example, a threat that lures targets with incredible loan conditions (low rates, no pre-check) but ends up stealing from desperate people. We saw a significant spike in May of this predatory app, which could well signal a resurgence for the summer. We’ll continue to monitor this uptick.

Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication. Threat actors are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.

Fake financial tools, predatory loan apps, and cleverly disguised “updates” aren’t just slipping through the cracks, they are being engineered with that objective in mind. Peaks in their activity often coincide with periods of personal stress, like tax season or holiday travel, suggesting a methodical approach to targeting.

As Sr. Director, Research and Development, Online Platforms at Malwarebytes, Shahak Shalev explains:

> Attackers know we trust our mobile devices implicitly—we bank on them, authenticate with them, store our entire digital lives on them. Now attackers are amping up the volume and sophistication of mobile threats. When spyware jumps 147% in five months, that tells us attackers are moving beyond simple scams to building sustainable criminal enterprises. They’re playing the long game now — developing monetization strategies for every type of data they can harvest; every user behavior they can exploit. The February spike shows this isn’t random, it’s methodical business development in the cybercrime space. 

Smishing (SMS phishing) has quickly become one of the most effective tools in the attacker’s playbook. Using AI-generated text and increasingly well-crafted lures, these campaigns are harder to spot than ever. And while smishing is rising fast, it’s not alone. We’re also seeing a growing number of PDF phishing attacks, where malicious documents act as entry points for broader compromise.

But perhaps the most systemic issue is lack of updates, with over 30% of Android devices remaining stuck on outdated operating systems. These devices are sitting ducks, because they are unable to receive critical security patches, yet are still being actively used. Combine this with counterfeit or gray-market devices that come preloaded with malware, and you’ve got a recipe for widespread exposure.

What we’re seeing isn’t a collection of one-off scams. It’s infrastructure. The Android threat landscape has matured into a network of monetization schemes that thrive on scale, persistence, and user trust. Attackers aren’t just after quick wins—they’re building operations that last.

The takeaway? Mobile security can’t be an afterthought. Individuals and organizations alike need to treat Android threats with the same seriousness as traditional desktop attacks. That means prioritizing device hygiene, avoiding sideloaded apps (where you download an app not from the Google Play store), staying current with patches where possible, and educating users about the social engineering tactics that increasingly underpin these attacks.

**How to protect your Android device**

Google Play Protect is a built in security feature from Android that automatically protects users against apps that engage in malicious behavior. That’s great, but we still see malware campaigns that are spread, partially or as a whole, through the Google Play Store.

To keep your devices free from Android malware:

*   Get your apps from the Google Play store whenever you can.
*   Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? Permissions like “Display over other apps” should particularly raise a red flag, because they can be used to intercept login credentials.
*   Don’t allow notifications as much as possible. Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
*   Use up-to-date and active security software on your Android.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android threats rise sharply, with mobile malware jumping by 151% since start of year 

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.

****Vulnerable Control Systems Highlighted****

The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

****Broader Threats to Essential Services****

This incident is not isolated as such intrusions into vital infrastructure have occurred in the past. For instance, Hackread.com reported in April 2023, that Israel faced a wave of cyberattacks, with authorities believing they were part of OpIsrael, a campaign by pro-Palestinian hackers.

Among the targets were Israel’s irrigation systems, which saw several water monitors malfunction. The targets included irrigation and wastewater treatment systems in areas like the Hula Valley, the Jordan Valley, and the Galil Sewage Corporation. These cases show how simple vulnerabilities, like easy-to-guess passwords, can be exploited by threat actors.

****Lessons for Critical Infrastructure Protection****

While this particular facility primarily serves a fish farm and is not connected to Norway’s power grid, the incident shows a critical security lesson for essential infrastructure worldwide. It demonstrates how easily basic security failures, especially weak credentials, can compromise vital systems.

It also highlights that remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices. The fact that the attack persisted for four hours undetected also indicates the importance of sufficient monitoring for critical infrastructure like dams. Effective cybersecurity practices, including strong passwords and multi-factor authentication (requiring more than one way to prove identity), are crucial for protecting these essential services.

Norwegian Dam Valve Forced Open for Hours in Cyberattack

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Latest News