Facebook's pursuit of your personal data continues, and now it has a new target: photos on your phone that you haven't shared with it yet.

Facebook’s pursuit of your personal data continues apace, and now it has a new target: photos on your phone that you haven’t shared with it yet.

Techcrunch reports that the social media giant is now asking its users to peek at the photos on their phones’ camera rolls. In return it will give them new ideas to view their photos.

In a pop-up message seen by some of the site’s users, Facebook asks users to “allow cloud processing” of the photos in their camera roll. “To create ideas for you, we’ll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or theme,” the message says.

Image courtesy of Techcrunch

The site will then offer things like collages, recaps, AI restyling or themes like birthdays or graduations, it continues, adding that Facebook won’t use the photos to target you for ads.

But what else might Meta do with those photos? Its AI terms of service allow it to analyze the images you load using AI, “including facial features”.

Incidentally, you can’t share any images with Meta that contain images of people in Illinois or Texas unless you’re legally authorized to consent on their behalf, it warns. That’s likely because both those states have strict laws around the use of biometric data, including facial recognition, in photos. We’re not sure how that works, then, if you grant the company unfettered access to your camera roll which includes photos of your trip to Chicago or Austin to visit friends and family.

Another question is over whether the company will scan children’s images. If you have an aversion to sharing your kids’ photos on Facebook, this could be a real issue.

We can extend this into even more worrying areas. What if you have photos of your kids in the bath that you don’t want an AI to train on? Or if you have intimate photos of yourself or a partner on your phone?

Facebook reserves the right to subject any content to “automated or manual (i.e. human) review and through third-party vendors in some instances”. There’s nothing in Meta’s messaging that seems to stop it from subjecting your camera roll photos to this.

Facebook has made camera roll cloud processing an opt-in service, meaning that you must deliberately select it for the app to start scanning your camera roll. However, this wasn’t enough for at least one Reddit commenter, who warned that you can’t control your photos once you share them with others.

“So although I always uninstall Facebook and Instagram, if I share a photo of me with my family, Meta will still get to analyze it, because at least one of them will still have those apps installed,” they said. In general, reactions to the story seem negative.

Facebook isn’t the only company that allows you to automatically upload your photos to the cloud. Apple offers this as part of its tightly integrated photos service, and has been producing montages and other assets from its users’ photos for a long time.

Apple says that it only uses AI to analyze your photos on your local device, and while it stores them in the cloud it doesn’t access them there. However it also says that it has “a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing as well as to use the materials you submit for Apple internal purposes.” Those services include iCloud+. iCloud is the cloud service that stores your photos.

Google, which also allows you to automatically upload photos to its service, says that you own your photos but retains the right to modify and create derivative works on your content, and to share it with contractors.

Google’s past relationship with photo users has been problematic. It once deleted a dad’s account after he took an image of his son’s groin to send to a doctor and it was automatically uploaded to the cloud, where Google identified it as child sexual abuse material. Law enforcement considered him innocent. Google refused to reinstate his services.

Our advice? If you’re going to allow a service to automatically analyze the photos you take, be sure that you completely trust that service. Check to see if it has been accused of mishandling users’ data in the past, such as Meta was here, here, and of course here.

That’s not enough, though. Be careful who else you share your photos with, and under what circumstances. If you do share them, do so only with those you trust. Include a caveat to ensure that they know how you’re comfortable with them using those photos, and what you’re not OK with them doing.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Facebook wants to look at your entire camera roll for &#8220;AI restyling&#8221; suggestions, and more 

This week on the Lock and Code podcast, we speak with Becky Holmes about how she tricks, angers, and jabs at romance scammers online.

_This week on the Lock and Code podcast…_

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of apples—the produce—to scammers requesting Apple gift cards, and she’s even tricked a scammer impersonating Mark Wahlberg that she might be experimenting with cannibalism.

Though Holmes routinely gets a laugh online, she’s also coordinated with law enforcement to get several romance scammers shut down. And every effort counts, as romance scams are still a dangerous threat to everyday people.

Rather than tricking a person into donating to a bogus charity, or fooling someone into entering their username and password on a fake website, romance scammers ensnare their targets through prolonged campaigns of affection.

They reach out on social media platforms like Facebook, LinkedIn, X, or Instagram and they bear a simple message: They love you. They know you’re a stranger, but they sense a connection, and after all, they just want to talk.

A romance scammer’s advances can be appealing for two reasons. One, some romance scammers target divorcees and widows, making their romantic gestures welcome and comforting. Two, some romance scammers dress up their messages with the allure of celebrity by impersonating famous actors and musicians like Tom Cruise, Brad Pitt, and Keanu Reeves.

These scams are effective, too, to sometimes devastating consequences. According to recent research from Malwarebytes, 10% of the public have been the victims of romance scams, and a small portion of romance scam victims have lost $10,000 or more.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Holmes about her experiences online with romance scammers, whether AI is changing online fraud, and why the rules for protection and scam identification have changed in an increasingly advanced, technological world.

>  ”I’ve seen videos of scammers actually making these real life video manipulation calls where you’ve got some guy sitting one side of the world pretending to be somewhere else completely, and he’s talking into his phone and it’s coming out on the other person’s phone as a different image with a different voice.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Corpse-eating selfies, and other ways to trick scammers (Lock and Code S06E14) 

Apple and Google espouse strong values about data privacy, but they allow programs from a Big Brother state to thrive on their app stores, researchers allege.

Top Apple, Google VPN Apps May Help China Spy on Users

In a 6-3 decision, the Supreme Court held that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned it burdens adults and ignores First Amendment precedent.

If you try to access Pornhub, one of the world’s biggest websites, from any of 17 US states, you’ll be blocked. Pornhub’s parent company, Aylo Holdings, has restricted access in response to a slew of laws that says Pornhub itself should be responsible for checking that every visitor is over 18. Now, the United States Supreme Court has made a decision on a key age verification law, which could have ramifications for the entire country and the wider internet as a whole.

On Friday, in a 6–3 decision that could reshape the landscape of online privacy and free speech, the Supreme Court upheld in full the Texas age verification law—one of the first passed in the country—requiring many websites publishing pornographic content to check that all visitors are over 18. The law, TX HB1181, says sites that are “more than one-third sexual material” can face fines of up to $10,000 per day if they don’t put in place age verification systems, plus extra penalties of up to $250,000. It also states websites should display health warnings about the potential health risks of pornography.

Writing for the majority, Justice Clarence Thomas said that because the law "simply requires proof of age to access content that is obscene to minors, it does not directly regulate adults’ protected speech," adding, "adults have no First Amendment right to avoid age verification."

In her dissent, Justice Elena Kagan argued that the Texas law imposes a direct and unconstitutional burden on adults’ access to protected speech. “A State may not care much about safeguarding adults’ access to sexually explicit speech; a State may even prefer to curtail those materials for everyone,” she wrote, “but the First Amendment protects those sexually explicit materials, for every adult.”

The ruling marks a major victory for Texas attorney general Ken Paxton, who defended the law amid fierce opposition from digital rights groups and the adult entertainment industry.

Legislators in Texas passed HB1181 in early 2023, but it was struck down in the US District Court for the Western District of Texas for potentially being unconstitutional before the law went into effect. Adult industry group the Free Speech Coalition, among others, challenged the Texas law on the grounds that it violates the First Amendment by restricting adults’ access to constitutionally protected speech. In March last year, a Fifth Circuit appeals court upheld the Texas law before the Free Speech Coalition took the case to the Supreme Court in a January hearing.

In recent years, a wave of age verification laws have been proposed in states across the country. More than half of US states have passed or have tried to pass age verification laws, according to a tracker published by the Free Speech Coalition.

“Efforts to regulate online pornography are often the opening move in broader campaigns to censor the internet,” Jess Miers, a visiting assistant professor of law at the University of Akron School of Law, said before the decision. “While this case focuses on mandatory age verification for adult content, state lawmakers are hoping it provides a legal foundation to impose sweeping restrictions on a wide range of online material.”

Attempts to get pornographic websites to implement age checks—more than just clicking a button saying you are over 18—have been accelerating over the past decade, since government officials in the UK passed laws on age verification checks only to delay and abandon them in 2019. Since then, though, a wave of companies and technologies selling age-checking software has rapidly expanded and matured. Adult websites and pornographers aren’t against introducing robust age checks; they say they don’t want children to be exposed to illicit content.

Multiple methods of age verification, which is often called age assurance, have been proposed or developed in recent years, with regulators and governments around the world pushing for them to be used to stop children accessing content that may not be suitable for them. These age verification methods can include, but aren’t limited to, checking someone’s identity against government ID, providing banking details, or using face-checking systems that can predict someone’s age.

Typically, third-party companies are developing the age-checking methods, with adult websites paying to use their services. This can mean people do not directly share their ID documents or other details used to verify their age directly with pornography websites or the companies that own them. Some companies, including Pornhub owner Aylo Holdings and Meta, have argued that age checks should happen by Google and Apple on their respective app stores. Those companies don’t agree.

Repeatedly, privacy and civil liberties experts have stated that any data collection or understanding of how people consume pornography could have devastating consequences if there’s a data breach or information is leaked. (One ID verification company suffered a data breach last year.) Unscrupulous companies could also sell or share data, privacy advocates say.

Last week, the preliminary results of an age checking trial in Australia, which has passed laws to ban under-16s from social media apps, found such systems may not be effective. Plus, age checks can often be easily circumvented by using a VPN. Aylo has claimed that current age verification proposals aren’t effective and push people to smaller websites, which may have fewer safety tools in place to moderate images and videos.

Despite potential concerns, laws mandating companies use age verification systems are being introduced around the world, and multiple companies are adopting the systems. Since 2022, Instagram has been using facial age estimation software to check people’s ages. In April, chat app Discord announced it is testing face scans in the UK and Australia. Regulators in Germany have been pursuing age checks—going as far as to fine individuals posting on X (then Twitter) in 2023—for years. Last week, Pornhub returned to France—it pulled services relating to the country’s age checking at the start of June—after a court ruling limited the law. And by July this year, porn sites and social media platforms operating in the UK are required to introduce “robust” age checks. Pornhub owner Aylo announced on Thursday that it would adopt "government approved age assurance methods” to comply with the law.

With the Supreme Court’s Friday decision, the threat to pornography and sexual expression in the country may be more grave. The Heritage Foundation’s Project 2025 plan, which has been partially followed by the US government, has suggested criminalizing pornography and shutting down its producers. Earlier this year, Senator Mike Lee of Utah proposed the Interstate Obscenity Definition Act, which could redefine what’s considered “obscene” content and potentially ban pornography entirely.

“Once the state has the authority to restrict access to adult content, it will almost certainly broaden the definition of ‘material harmful to minors,’” Miers says. “This could include reproductive health information, LGBTQ+ resources, and educational content related to race, gender, or diversity.”

_Additional reporting by Dell Cameron._

US Supreme Court Upholds Texas Porn ID Law

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

A recent report by the Washington, D.C.-based Tech Transparency Project (TTP) reveals that numerous free Virtual Private Network (VPN) apps, despite earlier warnings, continue to be available on both Apple’s App Store and Google’s Play Store, posing major privacy and national security risks.

According to the organisation’s claims, these apps, many with hidden ties to Chinese companies, could be exposing sensitive user data to the Chinese government. For your information, VPNs are tools designed to create a secure, encrypted connection over the internet, masking a user’s identity and online activity.

However, some users express concern about VPN services owned by Chinese companies due to privacy and data security considerations. Under Chinese national security laws (PDF), companies can be compelled to hand over user data to the government. This is particularly concerning because VPNs have access to a user’s entire web activity, making the data highly sensitive.

TTP’s initial report from April 1, 2025, revealed that over 20 of the top 100 free VPNs on the US Apple App Store in 2024 were linked to Chinese ownership. Many of these apps intentionally concealed their origins through shell companies.

It is worth noting that several apps were connected to Qihoo 360, a Chinese cybersecurity firm that the US has sanctioned due to its alleged links with China’s People’s Liberation Army.

One notable instance involves Autumn Breeze Pte. Ltd., listed as Snap VPN developer on Google Play Store. It asserts “no affiliation with Qihoo 360,” emphasizing a strict “no-log policy.” However, TTP’s research reveals Qihoo 360 acquired Autumn Breeze Pte. Ltd in 2020, and sold it to undisclosed parties after US sanctions. Corporate records for Autumn Breeze continue to list a Chinese director, whose name matches a Chinese national who’d led Qihoo 360’s mobile security unit.

Despite some apps, like Thunder VPN and Snap VPN, being removed from Apple’s App Store after media inquiries, TTP’s follow-up check in early May 2025 confirmed that many Chinese-owned VPNs remain available.

For instance, Turbo VPN and VPN Proxy Master, both linked to Qihoo 360, continue to be offered on Apple’s platform. The Google Play Store also hosts several Qihoo 360-connected apps, including Snap VPN and Signal Secure VPN, alongside other Chinese-owned VPNs like X-VPN and VPNify.

The report further suggests that Apple and Google may be financially benefiting from these potentially risky applications. Many of these free VPNs offer in-app purchases or display advertisements, from which both tech giants take a percentage of revenue (Apple typically charges 30% or 15%, while Google charges 15% up to $1 million in sales and 30% thereafter).

This suggests a financial incentive for the platforms to continue hosting these apps, despite the privacy implications for American users, researchers noted in their blog post shared with Hackread.com.

Screenshot via TTP

Neither Apple nor Google have responded to TTP’s requests for comment on these findings or their policies regarding data sharing by VPNs. Users are advised to exercise caution and thoroughly research the ownership and privacy policies of any VPN service they intend to use.

_“_Let’s think about how TikTok’s story unfolded: massive reach, secret ownership, and extensive data collection, which may have left U.S. soil but these VPN apps are even more concerning as they don’t just track your preferences; they monitor everything you do online,_“_ said Chad Cragle, Chief Information Security Officer at Deepwatch.

_“_When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google? They often allow nearly any app on their store,_“_ claimed Chad.

_“_It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you’re letting other parties control the playbook. If they don’t properly scrutinize these apps, they’re not just passively allowing it, they’re helping to create the problem. And let’s be honest, this isn’t just about privacy; it’s about national security, too,_“_ he emphasised.

Researchers Warn Free VPNs Could Leak US Data to China

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Authorities in the United States have charged a British national, Kai Logan West, widely known online as “**IntelBroker**“, with a series of high-profile data breaches that collectively caused at least $25 million in damages to companies worldwide. The 23-year-old was arrested in France in February 2025 and now faces extradition to the United States to stand trial in the Southern District of New York.

As **reported** by Hackread.com, IntelBroker’s arrest was followed by several others, including four individuals linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were **involved** in administering and moderating the cybercrime and data breach forum BreachForums.

The **unsealed complaint** (PDF), dated February 2025, lays bare the FBI’s two-year investigation into West’s cybercrime operations, connecting him to dozens of data breaches, sales of stolen data, and the leadership of a hacking collective operating on clear and dark web forums.

****Who Is IntelBroker?****

Using aliases like “IntelBroker” and “Kyle Northern”, West built a reputation on a clear and dark web forum known in the indictment as “Forum‑1” ( BreachForums). Operating under the banner of a hacking crew called CyberN (formerly “The Boys”), IntelBroker offered hacked databases from government agencies, healthcare providers, telecommunications firms, and internet service providers.

Between 2023 and early 2025, West authored at least 158 threads offering stolen data on Forum‑1, with 41 of them involving US companies. The FBI notes that at least $2 million worth of **Monero cryptocurrency** was solicited for the stolen information.

In 2024, IntelBroker was listed as the “owner” of Forum‑1, and his fame skyrocketed as he gave away some data leaks for free to boost credibility, gather a following, and attract buyers.

****How the FBI Tracked Down IntelBroker****

What West didn’t know was that FBI agents were watching closely. The bureau deployed undercover officers posing as buyers on Forum‑1. On at least two occasions, agents purchased stolen data directly from IntelBroker.

In January 2023, one agent bought an API key and login credentials for a company dubbed “Victim‑7.” Although the credentials were limited in value, the transaction became a key element in tracking his identity when IntelBroker asked for payment in Bitcoin (instead of Monero) and provided a wallet address that could be traced on the blockchain.

FBI blockchain analysts followed the money and found that:

*   The Bitcoin wallet used for the transaction had been seeded from another wallet linked to an account on a financial platform called Ramp.
*   That Ramp account was registered using a UK provisional driving license issued to Kai Logan West.
*   The same identity, Kai West, also owned a Coinbase account under the alias Kyle Northern, but with KYC verification; confirming it was the same individual.

Provisional driving licence of Kai West (Image via US Justice Department complaint)

Further connecting the dots, both accounts were linked to a Gmail address used by West for personal matters, including:

*   Cloud-stored selfies
*   Receipts and ID documents
*   UK University Housing and Tuition communications
*   Videos showcasing networking tools like “GPRS Smash”

The email also included a student certificate showing West was enrolled in a Cyber Security program.

****Online Footprints and Forum Activity****

West didn’t just transact carelessly, he also exposed himself by linking his online activity to personal behaviour. His IntelBroker posts on Forum‑1 often referenced YouTube videos that he had just viewed from his personal email account, and he regularly updated his signature block to list members of his hacking group, which made it easier to trace his involvement across multiple threads.

When Forum‑1 was **seized and shut down in 2024** and relaunched, all old posts inherited the updated signature, creating a consistent trail of West’s activity and affiliations dating back to early 2023.

One of the YouTube videos posted by IntelBroker on BreachForums (Image via US Justice Department complaint)

****The Victim List: Telecoms, Healthcare, ISPs****

The indictment outlines at least six victims, referred to only as Victim‑1 through Victim‑6. Victim‑1, a telecom provider, had data exfiltrated and deleted from a hosting server in Manhattan, resulting in damage estimated in the hundreds of thousands.

Victim‑3, a municipal healthcare provider, had the personal and health data of over 56,000 individuals stolen, which West later sold to an undercover FBI agent for $1,000 in Monero. Victim‑6, an internet service provider, was compromised using information from previous leaks to breach an internal server.

In each case, West publicly offered proof samples, negotiated sales via private messages, and accepted only Monero to maintain anonymity, though the paper trail caught up.

However, since Hackread.com exclusively reported on IntelBroker’s data breaches, here is a comprehensive list of data breaches and leaks claimed by the hacker:

Here is the list sorted from shortest to longest by character count:

1.  **AMD**
2.  **Apple**
3.  **Cisco**
4.  **Nokia**
5.  **US DoD**
6.  **Europol**
7.  **T-Mobile**
8.  **Robert Half**
9.  **Space Eyes**
10.  **Home Depot**
11.  **Tech in Asia**
12.  **General Electric**
13.  **LA Intl. Airport**
14.  **HSBC & Barclays Bank**
15.  **Facebook Marketplace**
16.  **Weee! Grocery Service**
17.  **UAE’s Lulu Hypermarket**
18.  **US Federal Contractor Acuity**
19.  **Hewlett Packard Enterprise (HPE)**
20.  **MIT Technology Review Magazine**
21.  **An unnamed but “Top” Cybersecurity Firm**

****Criminal Charges****

West has been charged with four federal offences:

1.  Wire fraud
2.  Conspiracy to commit wire fraud
3.  Conspiracy to commit computer intrusions
4.  Accessing a protected computer to defraud and obtain value

Each carries the potential for several years in prison, particularly when involving health data or affecting critical infrastructure.

The FBI’s Special Agent Carson Hughes and US Attorney Jay Clayton emphasized the global reach and danger of IntelBroker’s operations. The FBI called the case “a warning” to cybercriminals who believe online anonymity shields them from consequences.

****Did IntelBroker Work for the UK’s National Crime Agency?****

Kai West presented himself professionally as a cybersecurity researcher and operated under two separate identities on LinkedIn, one as Kyle Northern and the other as K West. This was first flagged by **Nathaniel Fried**, Co-founder and CEO at 0xbowio, who shared details of West’s dual profiles with Hackread.com.

Notably, the Kyle Northern profile claimed he worked as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) from September to October 2019. If accurate, this role could have involved access to classified systems, as the NCA deals with serious organized crime and national security. While the NCA affiliation remains unverified, West’s claimed background in cybersecurity and his academic path suggest the possibility shouldn’t be dismissed outright.

Kai Logan West on LinkedIn (Screenshot credit: Hackread.com)

West remains in French custody, and US officials are actively **seeking** extradition. If convicted, he could face decades behind bars. Meanwhile, Forum‑1 has been offline since April 2025, **reportedly** due to a MyBB zero-day vulnerability. Many of its members have since migrated to other platforms, including DarkForums and the Russian-language cybercrime forum XSS.

The exposure of IntelBroker stands out as a major cybercrime takedown. What made it possible was a mix of undercover FBI work, cryptocurrency tracking, and even old-school email evidence, all of which helped track one of the most well-known figures on cybercrime forums.

How an Email, Crypto Wallet and YouTube Activity Led the FBI to IntelBroker

Four alleged ShinyHunters members arrested, IntelBroker exposed as British national Kai West in global crackdown linked to BreachForums and major data breaches.

In a major development against global cybercrime, French authorities have apprehended several key individuals believed to be instrumental in operating BreachForums, a notorious online marketplace where stolen data is bought and sold.

The arrests, executed by France’s Cybercrime Brigade (BL2C) earlier this week, target figures deeply entrenched in high-profile data breaches and persistent attempts to revive the illicit forum after previous takedowns.

A press release from the Paris Public Prosecutor’s Office confirms that four individuals, identified by their online handles ShinyHunters, Hollow, Noct, and Depressed, all in their twenties, were detained on Monday.

These apprehensions are a follow-up to an earlier operation in February 2025, which saw the arrest of another prominent suspect known as IntelBroker, a British national, and are particularly significant as the individuals are suspected of pulling off major data breaches against prominent French entities, including the retail giant Boulanger, telecom provider SFR, the employment agency France Travail, and the French Football Federation.

The breach targeting France Travail alone is estimated to have compromised the sensitive personal details of a staggering 43 million individuals.

The names ShinyHunters and IntelBroker have been linked to numerous major cybercrime incidents. ShinyHunters has been associated with large-scale data breaches, including those affecting Salesforce, PowerSchool, and the Snowflake attacks which impacted companies like Santander, Ticketmaster, and AT&T. This alias is believed to represent a group of threat actors rather than a single individual.

AT&T database on BreachForums (Screenshot: Hackread.com)

IntelBroker rose to prominence through highly publicized breaches targeting organizations such as Facebook Marketplace, Europol, General Electric, AMD, Apple HSBC & Barclays Bank, Space Eyes, Home Depot, UAE’s Lulu Hypermarket and US Contractor Acuity, and T-Mobile data breach among others.

****IntelBroker Unmasked: Kai West Faces US Charges****

IntelBroker alias has now been formally identified as Kai West. As per the US Department of Justice’s unsealed four-count criminal Indictment and Complaint against West, he is accused of orchestrating a years-long hacking scheme that involved infiltrating numerous computer networks, stealing sensitive data, and then selling it.

These activities are alleged to have caused over $25 million in damages to dozens of victims across the globe. Prosecutors allege that West conspired with an online group named “CyberN\*\*\*\*\*\*” to steal data from a wide array of entities, including a telecommunications company and a municipal healthcare provider, subsequently putting the data for sale for over $2 million.

****BreachForums: A Tumultuous History****

BreachForums, a central platform for trading/selling hacked data and tools for illicit digital activities faced disruption in 2023 following the arrest of its original founder, Conor Fitzpatrick, who operated under the alias “pompompurin,” in the United States. Fitzpatrick was subsequently convicted of multiple criminal offences and is awaiting resentencing on July 8 in a Virginia federal court.  

In May 2024, ShinyHunters regained control of BreachForums’ domains after an administrator’s arrest, removing an FBI seizure notice. More recently, in April 2025, the forum unexpectedly went offline, with administrators attributing the shutdown to a MyBB 0day vulnerability. These latest arrests highlight ongoing international efforts to combat organized cybercrime.

BreachForums: ShinyHunters Members Arrested, IntelBroker Identified as Kai West

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

Cybersecurity researchers at Kaspersky have reported a new spyware operation, dubbed SparkKitty, that has infected apps available on both the official Apple App Store and Google Play.

This spyware aims to steal all images from users’ mobile devices, with a suspected focus on finding cryptocurrency information. The campaign has been active since early 2024, mainly targeting users in Southeast Asia and China.

SparkKitty spyware infiltrates devices through applications that look harmless, often disguised as modified versions of popular apps like **TikTok**. In the case of the malicious TikTok versions, they even included a fake TikToki Mall online store within the app that accepted cryptocurrency for consumer goods, often requiring an invitation code for access.

Installation process on iPhone showing how the malicious TikTok app uses a configuration profile (Source: Kaspersky)

****Targeting iOS Devices****

According to Kaspersky’s **report**, for iOS devices, the attackers use a special Enterprise provisioning profile from Apple’s Developer Program. This allows them to install certificates on iPhones that make the malicious apps appear trustworthy, bypassing the usual App Store review process for direct distribution.

Furthermore, threat actors embedded their malicious code by modifying open-source networking libraries like AFNetworking.framework and Alamofire.framework, and also disguised it as libswiftDarwin.dylib.

****Targeting Android Devices****

On the Android side, Kaspersky found SparkKitty spyware hidden in various cryptocurrency and casino applications. One such app, a messaging tool with crypto features, was downloaded over 10,000 times from **Google Play** before being removed.

Another infected Android app spread outside official stores had a similar version that slipped into the App Store. Both directly included the malicious code within the app itself, not just as a separate component.

Once installed, SparkKitty spyware’s main goal is to access and steal all photos from a device’s gallery. While it broadly collects images, it appears linked to older spyware called SparkCat, which used Optical Character Recognition (**OCR**), a technology that _reads_ text from images – to specifically find and steal details like cryptocurrency wallet recovery phrases from screenshots.

Some versions of SparkKitty also use OCR for this purpose, leveraging the Google **ML Kit library** for this function, particularly in apps distributed via shady web pages resembling scams and **Ponzi schemes**.

SparkKitty spyware apps on Google Play (left) and App Store (right)

****Connected Campaigns and Targets****

Kaspersky believes SparkKitty spyware is directly connected to the earlier SparkCat campaign, **discovered** in January 2025, sharing similar distribution methods through both official and unofficial app marketplaces. Both threats also seem focused on cryptocurrency theft. The attackers behind SparkKitty spyware specifically targeted users in Southeast Asia and China, often through modified gambling and adult games, as well as the **fake TikTok apps**.

While downloading apps from third-party stores is always risky, this discovery shows that even trusted sources like official app stores can no longer be considered fully reliable. Users in the affected regions, and indeed globally, should remain cautious about app permissions and consider the legitimacy of any app asking for unusual access, especially to photo galleries.

SparkKitty Spyware on App Store and Play Store, Steals Photos for Crypto Data

Scammers used Inferno Drainer to steal $43,000 in crypto from 110 CoinMarketCap users through a fake wallet prompt embedded in the site’s front-end.

A coordinated crypto theft operation targeting CoinMarketCap users has been exposed after leaked images surfaced from a Telegram channel known as TheCommsLeaks. The attack used a convincing wallet connection prompt embedded in CoinMarketCap’s own interface, tricking users into handing over access to their wallets. The result? more than $43,000 worth of crypto funds drained in hours.

According to Tammy H, a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare.io, a Canada-based cybercrime intelligence firm, the attack was carried out using Inferno Drainer, a known wallet-draining toolkit that’s been linked to previous campaigns.

****A Pop-Up with a Price****

The method was simple but effective. Users visiting CoinMarketCap were presented with a prompt asking them to “Verify Your Wallet” to access features. It looked identical to legitimate pop-ups seen on the platform, giving users no reason to doubt it. However, once connected, wallets were quietly emptied of whatever assets they held.

Video credit: apoorv.eth on X (Twitter)

A source cited in the leak claimed the prompt appeared across nearly every page on the site. “Make it where it appears on every page,” read one message. “Most people have coins pinned… the second they render the site.”

The attacker seemed focused on increasing visibility and maximizing wallet connections. Some reports suggest that even the connect button began malfunctioning due to being rendered too many times.

****Inside the Leak****

As per Tommy H’s analysis, the Telegram channel TheCommsLeaks began sharing details around 7:30 PM local time on June 20. The messages included screenshots showing a live dashboard used by the attacker. These visuals displayed wallet connections, token transfers and total values drained in real time.

Early numbers showed 67 successful hits and over 1,300 wallet connections. The payout was already past $21,000 within the first wave. By the time the campaign ended, the final haul had climbed to $43,266, drained from 110 victims.

Tokens siphoned off included SOL, XRP, EVT, and smaller coins like PENGU and SHDW. One transaction involving $1,769 in XRP was linked to a wallet visible on BscScan, offering public confirmation of the theft.

However, the researcher noted that not every attempt succeeded. Logs from the attacker’s toolkit also showed multiple failed drains, typically due to wallets holding unsupported tokens or negligible balances.

Attackers on Telegram

****What Happened on CoinMarketCap?****

After growing speculation over whether the attack came from a spoofed domain, CoinMarketCap addressed the issue directly. In a statement published on X, the company said a doodle image displayed on their homepage had triggered malicious code through an embedded API call. This vulnerability caused the unauthorized wallet prompt to appear for some users.

The company confirmed that its security team responded immediately after detecting the issue. The malicious content was removed, and internal systems were patched to prevent further abuse.

“All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the company stated, adding that it continues to monitor the situation and provide support.

This incident goes on to show how small interface changes, even those involving something as harmless as a homepage doodle, can be leveraged for large-scale damage. While the use of a legitimate platform’s own environment to deploy malicious prompts is extremely concerning, it reflects how easily trust in familiar interfaces can be misused.

In a separate incident reported by Hackread just last week, scammers exploited search ads to trick users into calling fake support numbers shown on real websites like Apple and PayPal. Though technically unrelated, both cases show how attackers rely on user assumptions about what’s safe to interact with online.

For now, users are advised to avoid connecting wallets directly through pop-ups and verify any prompt against the platform’s official guidance. If something looks familiar, that doesn’t always mean it’s safe.

Scammers Use Inferno Drainer to Steal $43K from CoinMarketCap Users

### Summary
The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

### Details
The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

### PoC
Create a simple server which uses the RedirectSlashes middleware
```
package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}
```
Run the server `go run main.go`

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
`curl -iL -H "Host: example.com" http://localhost:8080/test/`

Observe that the request will be redirected to example.com

```
curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...
```
Without the host header, the response is returned from the test server
```
curl -L http://localhost:8080/test/

404 page not found
```

### Impact
An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

### Potential mitigation
It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts  based on their judgement.

**Summary**

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

**Details**

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

**PoC**

Create a simple server which uses the RedirectSlashes middleware

    package main
    
    import (
    	"fmt"
    	"net/http"
    
    	"github.com/go-chi/chi/v5"
    	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
    )
    
    func main() {
    	// Create a new Chi router
    	r := chi.NewRouter()
    
    	// Use the built-in RedirectSlashes middleware
    	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes
    
    	// Define a route handler
    	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
    		// A simple response
    		w.Write([]byte("Hello, World!"))
    	})
    
    	// Start the server
    	fmt.Println("Starting server on :8080")
    	http.ListenAndServe(":8080", r)
    }
    

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header  
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

    curl -L -H "Host: example.com" http://localhost:8080/test/
    
    <!doctype html>
    <html>
    <head>
        <title>Example Domain</title>
    
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <style type="text/css">
        body {
            background-color: #f0f0f2;
            margin: 0;
            padding: 0;
            font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
    ... snipped ...
    

Without the host header, the response is returned from the test server

    curl -L http://localhost:8080/test/
    
    404 page not found
    

**Impact**

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

**Potential mitigation**

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

**References**

*   GHSA-vrw8-fxc6-2r93
*   go-chi/chi@1be7ad9

Tag

#apple