FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks. The agency is also urges victims to share ransom evidence.

The FBI has issued a warning to US law firms about a rising cyber threat targeting the legal sector. A group known as Silent Ransom Group (SRG), also called Luna Moth or Chatty Spider, has been focusing its attacks on law firms since early 2023, using a combination of phishing emails and **social engineering calls** to gain access to sensitive legal data.

This group is no newcomer. Operating since 2022, SRG has a track record of targeting industries such as healthcare and insurance. But in recent months, law firms have become their top target, likely because of the sensitive client information these firms handle.

Back in November 2023, the **FBI issued an alert** highlighting SRG’s use of callback phishing to breach networks. In these attacks, the group sends phishing messages designed as unclickable images, often creating a false sense of urgency and providing a phone number for the recipient to call. This tactic bypasses traditional email security filters and lures victims into making contact, where the attackers then guide them into compromising their own systems.

****Their Tactics****

Aligning with their tickets, SRG’s new phishing campaigns are also deceptively simple. They send emails pretending to come from companies offering subscription services, warning the recipient about a small, questionable charge. To cancel, victims are instructed to call a number provided in the email. On that call, attackers convince the victim to download remote access software, giving SRG an entry point into the company’s systems.

However, what’s new about this campaign is that SRG has started calling employees directly, pretending to be from the company’s own IT department. They instruct the employee to join a remote session or visit a specific web page, again installing tools that give the attackers control. Once inside, they use tools like **WinSCP** or disguised versions of Rclone to quietly exfiltrate sensitive data.

After stealing the data, SRG sends ransom notes demanding payment to prevent the release or sale of the stolen information. Sometimes, they even follow up with phone calls to pressure companies into negotiations.

> _“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”_
> 
> The FBI

It is worth noting that the FBI’s alert came on the same day Cofense Intelligence’s May 2025 **report** revealed widespread abuse of Remote Access Tools (RATs) by cybercriminal groups. The report identified ConnectWise ScreenConnect as the most frequently abused RAT in 2025 attacks so far.

****Why Law Firms?****

Law firms make attractive targets because of the nature of their work such as confidential client details, corporate negotiations, and sensitive legal documents. A breach here doesn’t just threaten financial loss; it risks severe reputational harm.

However, it is not only recently that cybercriminals have been targeting law firms and the valuable information they hold. In April 2022, **researchers observed** scammers using AI-generated images to create fake law firm identities.

****Hard to Detect, Harder to Stop****

One reason SRG’s campaigns are effective is that they use legitimate system management and remote access tools, which are less likely to alert antivirus. Their attacks leave few traces, making post-attack investigations and protection more difficult.

This is why the FBI is urging everyone, including researchers and even victims, to share any ransom notes used by SRG during the attacks. If you have the phone number the group used to call, the wallet address they provided, or even voice call recordings, the FBI is seeking that information.

The FBI’s alert advised Network administrators to watch for unusual downloads of tools like Zoho Assist, **AnyDesk**, Splashtop, Syncro, or Atera, and to pay attention to unexplained external file transfers using WinSCP or Rclone.

Other red flags include unexpected emails about subscription renewals, strange calls or voicemails claiming data theft, and unsolicited contact from people claiming to be part of the company’s IT team.

> The Silent Ransom Group (SRG), aka Luna Moth or Chatty Spider, is targeting law firms. Tactics include IT social engineering calls and callback phishing emails to remotely access devices and steal data for extortion. Learn more about SRG’s IOCs and TTPs: https://t.co/ro96zjD1hA pic.twitter.com/pBAd89WaBJ
> 
> — FBI (@FBI) May 23, 2025

The FBI recommends paying strong attention to basic cybersecurity practices. This includes **training staff** to spot phishing attempts and social engineering tactics, and setting clear internal guidelines for how the IT team communicates with employees.

Additionally, using strong passwords along with two-factor authentication (2FA) across the organization and maintaining regular data backups can also help reduce the damage in case of a breach.

FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the…

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial.

A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts.

****How the Flaw Works****

The problem lies specifically within the CalendarInvite feature of Zimbra’s Classic Web Client interface. It happens because the system doesn’t properly check incoming information in the Calendar header of emails.

This oversight creates an opening for a stored XSS attack. This means an attacker can embed harmful code into a specially designed email. When a user opens this email using the classic Zimbra interface, the malicious code runs automatically within their web browser, giving the attacker access to their session. The severity of this vulnerability is rated as medium, with a CVSS score of 6.1. It affects ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).

****Widespread Exposure and Active Exploitation****

According to Censys, a cybersecurity insights firm, as of Thursday, May 22, 2025, when the original report was published, a significant number of Zimbra Collaboration Suite instances were exposed online that could be vulnerable.

Censys observed a total of 129,131 potentially vulnerable ZCS instances globally, with most found in North America, Europe, and Asia. A large majority of these are hosted within cloud services. Additionally, 33,614 on-premises Zimbra hosts were identified, often linked to shared infrastructure.

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on May 19, 2025, confirming it is actively being used by attackers.

****Possible Perpetrator?****

Security researchers from ESET have suggested that a well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), might be involved in exploiting it. ESET’s researchers suspect that the Sednit group could be exploiting this flaw as part of a larger scheme called Operation RoundPress, which aims to steal login details and maintain access to webmail platforms. While there is currently no public proof-of-concept (PoC) exploit, the active exploitation highlights the urgency for users to take action.

****Patching and Mitigation****

The good news is that patches are available for this vulnerability. Zimbra has addressed the issue in ZCS version 10.0.7 and 9.0.0 Patch 39. Users are strongly advised to update their Zimbra Collaboration Suite to these patched versions immediately to protect against potential attacks.

Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data. Discover the telco’s security upgrades & future plans after the massive breach.

A recent data breach at South Korean telecommunications giant SK Telecom was, reportedly, much more deeply rooted than initially thought, with the intrusion remaining hidden for nearly two years. The company announced on Monday that the malware has gone undetected since at least June 2022.

The attack, disclosed in April, affected a significant portion of SK Telecom’s 23 million customers, compromising personal and financial details. The Ministry of Science and ICT, along with a joint team of public and private investigators, revealed that the attack compromised a significant portion of SK Telecom’s user data.

Specifically, approximately 26.69 million International Mobile Subscriber Identity (IMSI) units were leaked. IMSI is a unique 15-digit or shorter number that identifies and authenticates each mobile subscriber. Moreover, investigators identified 25 types of malware and quarantined 23 affected servers, claiming that 9.82 gigabytes of USIM information were compromised.

****Responding to the Breach****

In response to the security lapse, SK Telecom has implemented a series of preventative measures. The company has temporarily stopped new subscriber sign-ups and initiated a nationwide program to replace SIM cards as a safeguard.

Furthermore, they have rolled out an upgraded fraud detection system, FDS 2.0, which uses a “triple-factor authentication” process to prevent unauthorized SIM and device cloning. This enhanced security is now automatically applied across their network.

SK Telecom has also emphasized that no actual customer damages or instances of “terminal cloning” have been reported so far and all attempts at phone or SIM card piracy are now blocked at the network level, with three layers of verification to confirm the legitimacy of the subscriber, SIM card, and device. The company has pledged to “take full responsibility for any damages” that may arise from the breach, offering to replace the USIM of all 25 million subscribers, including 2 million budget phone users, for free.

****National Security Concerns and Future Steps****

SK Group chairman Chey Tae-won issued an apology to customers earlier in May, highlighting the severity of the incident by stating it “needs to be looked at as a matter of national defence.”

The malware used in the attack is believed to be BPFdoor, which can bypass authentication. It is typically used by hacking groups linked to China. Although no specific group has claimed responsibility, the chairman’s concerns and the identified malware align with similar tactics observed in recent attacks on US telecom companies.

Beyond technical upgrades, SK Telecom is also enhancing customer support. Starting May 19, the company plans to offer “mobile service” visits to remote areas, explaining SIM protection services and providing on-site SIM replacements and resets. These efforts highlight the company’s commitment to rebuilding customer trust and strengthening cybersecurity to counter cybersecurity threats.

SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Learn about the BadSuccessor attack and mitigation steps.

A significant security flaw has been uncovered in Windows Server 2025, posing a serious threat to organizations utilizing Active Directory (AD). Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.

****The BadSuccessor Attack Explained****

According to Akamai’s research, shared exclusively with Hackread.com, the vulnerability exploits a new feature introduced in Windows Server 2025 called delegated Managed Service Accounts (dMSAs). For your information, dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to _inherit_ permissions from an older account it replaces.

However, Gordon’s research revealed a critical oversight in this process. Attackers can simulate this migration by simply modifying two attributes on a dMSA object: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. By setting the first attribute to reference a target user and the second to “2” (indicating migration completion), an attacker can trick the system into believing a legitimate migration occurred.

This deceptive act, dubbed _BadSuccessor_ by the researchers, allows the attacker’s dMSA to automatically gain all the permissions of the targeted user, including highly privileged accounts like Domain Admins. Crucially, this attack doesn’t require any direct permissions on the targeted user’s account itself, only the ability to create or control a dMSA.

****Widespread Impact and No Immediate Patch****

The implications of this discovery are far-reaching. Akamai’s analysis revealed that in 91% of tested environments, users outside the domain admins group already possessed the necessary permissions to execute this attack. This highlights the widespread potential for compromise across organizations that rely on Active Directory.

Even more concerning, Microsoft has acknowledged the issue after a report on April 1, 2025, but currently has no patch available. While Microsoft has assessed the vulnerability as Moderate severity, citing that initial exploitation requires existing permissions on a dMSA object, Akamai researchers strongly disagree.

They emphasize that the ability to create a new dMSA, a benign permission often granted to users, can lead to full domain compromise. They compare its impact to highly critical attacks like DCSync.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” researchers wrote in the blog post.

****Proactive Measures and Ongoing Risks****

With no immediate fix from Microsoft, organizations are urged to take proactive steps to reduce their exposure. Key recommendations include monitoring for new dMSA objects, modifying the msDS-ManagedAccountPrecededByLink attribute, tracking dMSA authentication events, and reviewing permissions on Organizational Units (OUs).

As Windows Server 2025 becomes more widely adopted, organizations must prioritize understanding and mitigating the risks associated with its new features.

BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.

****The Deception of Legitimate RATs****

Threat actors are leveraging the inherent trust in these tools to gain access to victim machines, researchers noted in the blog post shared with Hackread.com. Once installed, these legitimate RATs become a gateway for delivering further harmful programs, spying on user activities, or stealing sensitive information like passwords and confidential business records. The versatility of these tools, combined with their appearance of being trustworthy software, makes them a potent weapon in the hands of cybercriminals.

Cofense Intelligence highlighted several frequently abused legitimate RATs. ConnectWise ScreenConnect, previously known as ConnectWise Control and ScreenConnect, emerged as the most popular choice for attackers in 2024, appearing in 56% of active threat reports involving legitimate RATs.

“ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports (ATRs) with legitimate remote access tools in 2024,” wrote Kahng An from Cofense’s Intelligence Team in their report.

Its popularity is surging further in 2025, with current attack volumes already matching those seen throughout last year. Another tool, FleetDeck, saw a surge in use during the summer of 2024, particularly targeting German and French speakers with finance-themed lures.

****Common Attack Methods and Global Impact****

Attackers employ various methods to trick victims into installing these tools. For ConnectWise ScreenConnect, notable campaigns include spoofing the US Social Security Administration with emails falsely claiming to offer updated benefit statements.

Source: Cofense  

These emails often contain links to fake PDF files or directly to the RAT installer. Another tactic observed since February 5, 2025, involves emails pretending to be notifications about shared files on “filesfm,” leading victims to download a seemingly legitimate OneDrive client that is, in fact, the ConnectWise RAT installer.

According to Cofense, other legitimate RATs are also being exploited. Atera, a comprehensive remote monitoring and management suite that integrates with tools like Splashtop, has been used in campaigns targeting Portuguese speakers in Brazil with fake legal notices and invoices since October 2024.

Source: Cofense

Smaller, less common RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Connect, Mesh Agent, N-Able, and Teramind have also been observed in various, often localized, campaigns.

The ease and low cost of acquiring these tools allow attackers to quickly switch between different ones, posing a continuous challenge for cybersecurity protection, Cofense researchers concluded, adding that such campaigns are typically one-off events that are hard to sustain.

“These campaigns are generally one-off events and do not appear to be sustained over time. It is possible that the threat actors quickly pivot between different RATs because of the overall large number of different options that are available on the market.”

ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers

A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.

A newly disclosed vulnerability in Google Chrome and Chromium-based browsers is putting users at risk of data leaks. Tracked as CVE-2025-4664, the flaw allows attackers to extract sensitive information like login tokens and session IDs from previously visited websites.

The security issue was detailed today by Wazuh, a cybersecurity company specializing in open-source threat detection. It affects users on both Windows and Linux, including Debian and Gentoo systems.

****How It Works****

The issue resides in the Chrome’s handling of the Link HTTP header when loading sub-resources like images and scripts. While most browsers ignore referrer policies in these headers, Chrome accepts them, even on cross-origin requests. That means an attacker can intentionally set a relaxed policy, such as unsafe-url, to access full referrer URLs.

These URLs can include sensitive data from other sites a user recently visited. If an attacker controls the destination server, they can quietly collect that data without the user knowing.

****Who’s Affected****

Users on the following systems are vulnerable if their browsers have not been updated:

*   **Windows**: Google Chrome versions before 136.0.7103.113

*   **Debian 11 Linux**: Chromium up to version 120.0.6099.224

*   **Gentoo Linux**: Chrome or Chromium versions before 136.0.7103.113

****What to Do****

Google has issued an emergency update to fix the vulnerability in Chrome on Windows and Chromium on Gentoo Linux. Debian users should uninstall affected versions of Chromium until a patched version becomes available.

****How to Manually Update Chrome (If auto-update is turned off)****

If Chrome isn’t updating automatically, follow these steps to make sure you’re running the latest version and protected against CVE-2025-4664:

1.  **Open Chrome** – Launch Google Chrome on your device.
2.  **Go to the Menu** – Click the three vertical dots in the top-right corner of the browser window.
3.  **Select “Help” → “About Google Chrome”** – This will open a new tab that shows your current version and automatically checks for updates.
4.  **Wait for Chrome to Check for Updates** – If a newer version is available, Chrome will start downloading it right away.
5.  **Click “Relaunch”** – Once the update is downloaded, click “Relaunch” to restart the browser and complete the installation.

****Check Update Status After Relaunch****

To confirm the update, go back to **Help > About Google Chrome**. The browser should now show the latest version number and the message “Google Chrome is up to date.”

If you’re on Windows, make sure the Chrome Update service is enabled in your system settings or through the Group Policy Editor. On Linux systems, especially those using Chromium, updates may require package manager commands or manual downloads depending on the distribution.

Wazuh’s blog post explains the importance of proactive vulnerability detection. Their tools provide real-time tracking and insights that help administrators stay on top of security threats, especially when zero-day flaws like this one come into play.

Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity

Coca-Cola and its bottling partner CCEP targeted in separate cyber incidents, with the Everest ransomware gang and the Gehenna hacking group claiming data breaches involving sensitive employee and CRM data.

Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are facing separate cyberattack claims from two distinct threat groups. The Everest ransomware gang says it has breached Coca-Cola’s systems, while another group named Gehenna (aka GHNA) is offering what it claims is a massive database stolen from CCEP’s Salesforce environment.

****Everest Ransomware Targets Coca-Cola****

The Everest ransomware group has listed Coca-Cola as a victim on its dark web leak site, sharing screenshots that suggest access to internal documents and personal information of 959 Employees. These include visa and passport scans, salary data, and other HR-related records.

According to samples reviewed by Hackread, the breach appears to affect Coca-Cola’s operations in the Middle East, with several files indicating that the Dubai office at the Dubai Airport Free Zone (DAFZ) may have been the specific target.

Everest has released samples that contain employee identification details and documents that typically circulate within HR departments. The nature of the leaked files indicates that personally identifiable information (PII) is involved.

Screenshot from the dark web leak site of the Everest ransomware gang (Image credit: Hackread.com)

Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, commented on the tactics: “Initial research points to tactics like harvesting credentials and targeting Active Directory, though those claims aren’t always reliable. If this attack is genuine, it suggests Coca-Cola’s cybersecurity investments may not have been enough to stop it.”

****Gehenna Claims Major Breach at Coca-Cola Europacific Partners****

In a separate incident, the Gehenna hacking group claims to have breached CCEP’s Salesforce dashboard earlier this month. The group says it exfiltrated more than 23 million records, dating back to 2016, containing sensitive customer relationship management (CRM) data.

The data allegedly includes 7.5 million Salesforce account records (6GB), 9.5 million customer service cases (52GB), 6 million contact entries (5GB), and over 400,000 product records (300MB).

Gehenna shared samples on a public data breach forum, which included case logs referencing Coca-Cola Enterprises Norway, complete with customer support history and contact details.

The group also posted a message aimed at CCEP employees, stating that they are “open to offers” and warning that they “have more where that came from.” Gehenna also claimed responsibility for previous incidents affecting Samsung Germany and Royal Mail, adding weight to the seriousness of their statement.

The group has also provided contact information via Telegram and appears to be actively soliciting a response from Coca-Cola Europacific Partners.

The screenshot shows Gehenna’s post about CCEP’s alleged breach (Image credit: Hackread.com)

Both incidents come amid an uptick in cyberattacks targeting large multinational corporations, particularly those holding customer and employee data at scale. The tactics used by Everest and Gehenna reflect different approaches, ransomware extortion and data leak-based pressure, but the goal is similar to making money out of stolen information.

Coca-Cola and CCEP have not publicly confirmed the breach at the time of writing.

John Bambenek, President at Bambenek Consulting, noted the broader risk with cloud platforms: “As companies adopt more SaaS solutions, it opens new doors for threat actors. SaaS platforms often lack the logging and security visibility that traditional infrastructure provides.”

He advised that “Organizations need to prioritize integrating SaaS logs into their SIEM and building detections for suspicious behaviour like large-scale data lookups from a single user account to avoid being caught off guard.”

Nevertheless, both groups appear to be active and well-resourced. Whether through law enforcement action or internal response, a public statement may help clarify the real impact behind the claims.

Coca-Cola, Bottling Partner Named in Separate Ransomware and Data Breach Claims

Global crackdown: Operation RapTor leads to 270 arrests, millions seized as law enforcement targets dark web drug, weapon, and crypto vendors.

In one of the largest global law enforcement actions against dark web crime to date, authorities from ten countries have arrested 270 individuals involved in drug trafficking, weapons sales, and the distribution of counterfeit goods online. The operation has been dubbed Operation RapTor.

Coordinated by Europol and the U.S. Department of Justice’s JCODE task force, the operation followed months of intelligence gathering after the takedowns of several dark web marketplaces: Nemesis, Incognito, Tor2Door, Bohemia, and Kingdom Market. These takedowns gave investigators access to key infrastructure and transaction data, which they used to identify vendors and buyers across the globe.

****A Multi-Continent Crackdown****

The arrests span the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19) and several other nations. Authorities also confiscated over €184 million ($200 million) in cash and cryptocurrency, more than 2 metric tons of drugs, 144 kilograms of fentanyl, over 180 firearms, and thousands of counterfeit and illicit products.

Machines used by drug traffickers to produce fake prescription pills (Seized now) Via US DOJ

According to Europol and the DOJ, the scope of the operation reflects the evolving nature of cybercrime, where illegal activity often mirrors legitimate e-commerce in form but thrives in secrecy and deception. Many of those arrested had conducted thousands of sales, using crypto and encryption tools to evade detection.

****Dark Web Isn’t Invisible Anymore****

“This historic international seizure of firearms, deadly drugs, and illegal funds will save lives,” said Attorney General Pam Bondi. “Criminals cannot hide behind computer screens or seek refuge on the dark web.”

The operation also marks a major step forward in dismantling supply chains responsible for fentanyl-laced pills, a growing threat in the opioid crisis. Several US-based vendors convicted as part of related investigations were directly linked to fatal overdoses, including a trafficking ring that distributed over 120,000 fentanyl-laced pills nationwide.

****Targeting Infrastructure and Crypto****

A notable element of Operation RapTor is its focus not just on sellers but also on the marketplace infrastructure itself. The seizure of Nemesis Market, in particular, played a pivotal role. The market’s alleged operator, Behrouz Parsarad, an Iranian national, was sanctioned and indicted on drug trafficking charges.

The IRS Criminal Investigation Division noted that crypto forensics played a central role in tracing illicit transactions. “No digital wallet can hide you from facing justice,” said DEA Acting Administrator Robert Murphy.

****Changing Tactics of Dark Web Operators****

Law enforcement agencies are observing a shift in how dark web vendors operate. As major marketplaces go offline, criminals are increasingly turning to single-vendor shops, smaller, standalone sites that reduce exposure.

While this decentralization makes investigations more fragmented, the Operation RapTor results show that targeted surveillance and intelligence sharing can still yield high-impact outcomes.

The international partnerships powering the operation included not only Europol but also agencies from Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, and the United Kingdom, along with U.S. federal agencies like the FBI, DEA, FDA OCI, HSI, and IRS-CI.

Europol’s Head of Cybercrime Edvardas Šileris stressed that this operation is not the finish line but the launchpad for deeper investigations. “Operation RapTor shows that the dark web is not beyond the reach of law enforcement and Europol will continue working with our partners to make the internet safer for everyone,” he said in a press release.

Operation RapTor: 270 Arrested in Global Crackdown on Dark Web Vendors

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected…

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected using infostealer malware.

Cybersecurity researcher Jeremiah Fowler has discovered a misconfigured and unprotected database, containing over 184 million unique login names and passwords. According to Fowler’s research, shared with Hackread.com, this exposed collection amounted to approx. 47.42 gigabytes of data.

****A Massive Data Leak****

The database, which was not secured by a password or encryption, stored credentials for numerous online services. These included popular email providers, major tech platforms like Microsoft, and social media sites such as Facebook, Instagram, Snapchat, and Roblox.

Worse, the leak also contained access information for bank accounts, health platforms, and even government portals from various nations, putting unsuspecting individuals at high risk. Fowler confirmed the authenticity of some records by contacting individuals whose emails were found in the database. Several people verified that the listed passwords were indeed accurate and valid ones.

Upon discovery, Fowler quickly notified the hosting provider, and the database was removed from public access. The database’s IP address pointed to two domain names, one of which appeared to be unregistered. Due to private registration details, the true owner of this data cache remains unknown.

It’s also unclear how long this sensitive information was exposed or if other malicious actors had accessed it before its discovery. Since the hosting provider did not reveal customer details, the purpose of the data collection whether for criminal activity or legitimate research with an oversight.

****The Infostealer Connection****

From the looks of it, the database belonged to cybercriminals who were collecting data using infostealers and ended up exposing their own database in the process. Infostealers are widely used and effective tools among criminals. In fact, reports have shown that even the US military and FBI have had their systems compromised by infostealers costing as little as $10.

Infostealer malware is specifically designed to secretly collect sensitive information from infected computers, typically targeting login credentials stored in web browsers, email programs, and messaging apps.

Hackread.com’s reporting of the recent coordinated action by Microsoft and Europol to disrupt Lumma Stealer’s infrastructure, which infected over 394,000 Windows computers worldwide, offers a critical insight into the kind of threat highlighted by Fowler’s discovery.

As analysed by Fowler, the data, often raw credentials and URLs for login pages, aligns perfectly with what infostealers like Lumma are designed to steal. Although Fowler could not definitively name the specific malware responsible for the exposed database, the characteristics of the data strongly suggest such a method.

Cybercriminals exposing their own servers is nothing new. Just a few months ago, reports revealed that the well-known ShinyHunters and Nemesis hacking groups collaborated to target and extract data from exposed AWS buckets, only to accidentally leak their own in the process.

****Protection Against InfoStealers****

The availability of millions of login details presents a major advantage for cybercriminals who can exploit them through methods like “credential stuffing attacks” and “account takeovers.” These attacks allow criminals to access personal data, enabling identity theft or financial fraud.

The exposed data can also include business credentials, posing risks of corporate espionage, and even sensitive state networks. Knowing an email and an old password can make phishing and social engineering attacks more convincing.

Fowler urges users to stop using their emails as cold storage, regularly perform password updates, especially in cases of unknown breaches, never reuse unique passwords across accounts, use Two-Factor Authentication (2FA), and enable login notifications or suspicious activity alerts.

Source

HackRead