SUMMARY A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year,…

****SUMMARY****

*   **Network Access**: Chinese hackers maintained access to a major U.S. company’s network for at least four months, likely stealing sensitive information, including emails.

*   **Techniques Used**: Hackers employed DLL sideloading, exploited Google and Apple software, and used tools like Impacket and FileZilla to move within the network.

*   **Targeted Data**: The attackers focused on Exchange Servers and email data, indicating a strategic intelligence-gathering operation.

*   **Attribution to Daggerfly**: Symantec linked the attack to Chinese state-sponsored groups Daggerfly and Crimson Palace, known for sophisticated cyber-espionage.
*   **Expert Insight**: Cybersecurity expert Stephen Kowski highlights the sophistication and dangers of long-term network breaches and emphasises the need for stronger email security and monitoring.

A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year, according to cybersecurity firm Symantec. The attack believed to be the work of **Chinese hackers**, allowed the attackers to maintain access to the company’s network for at least four months, likely gathering sensitive information.

This follows **October 2024’s report** in which it was revealed that China’s Salt Typhoon hacking group targeted and successfully compromised AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations.

Symantec’s findings indicates the hackers were active from April 11, 2024, until August, though the initial breach may have happened even earlier. During this time, hackers moved through the company’s network, gaining access to multiple computers, including **Exchange Servers**.

This suggests a primary goal of stealing email data for intelligence-gathering purposes. According to Symantec’s **blog post**, hackers employed a mix of legitimate applications and open-source tools to carry out their attacks.

From DLL-sideloading, a technique where malicious code is loaded with legitimate applications, to the exploitation of Google and Apple software were carried out for this purpose. Additionally, threat actors utilized **Impacket**, a Python-based toolkit for network protocol manipulation, and FileZilla, an FTP client, among others.

****Links to Chinese APT Groups****

Although the organization’s name is still unknown, Symantec believes that the group behind the attack is closely linked to the Chinese state-sponsored group **Daggerfly** (Daggerfly (also known as BRONZE HIGHLAND StormCloud, and Evasive Panda) and Crimson Palace.

This claim is based on the group’s repeated use of DLL sideloading in past attacks. Daggerfly is well-known for using this technique. Moreover, one of the malicious files found on a compromised system was textinputhost.dat, which has also been associated with another Chinese group, Crimson Palace. This group recently **made news** for targeting South Asian governments and stealing sensitive military secrets.

**Stephen Kowski**, a cybersecurity expert at SlashNext, told _Hackread.com_ that this attack is part of a worrying trend. Hackers are using increasingly sophisticated methods to gain long-term access to company networks, he said.

“The focus on Exchange servers and email harvesting suggests a strategic intelligence-gathering operation,” Kowski added. He emphasized the need for strong email security and continuous monitoring to detect these kinds of attacks.

1.  **GLASSBRIDGE: Google Blocks Pro-China Fake News Sites**
2.  **China’s insidious surveillance against Uyghurs with Android malware**
3.  **Muddling Meerkat Suspected of Espionage via Great Firewall of China**
4.  **Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage**
5.  **Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff**

Chinese Hackers Breach US Firm, Maintain Network Access for Months

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

Source: Classic Image via Alamy Stock Photo

NEWS BRIEF

BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.

Cloudflare Tunnels is, as its name suggests, a secure tunneling software. It can be used to connect resources to Cloudflare's network without using a publicly routable IP address, with the goal of protecting Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks, by hiding their origins.

Unfortunately, this obfuscation mechanism, like other legitimate cloud tools, can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future's Insikt Group.

"Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool," according to an analysis published this week from Insikt. "The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host."

The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted — and in the end, deliver the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.

BlueAlpha, which shares DNA with other Russian threat groups like Trident Ursa, Gamaredon, Shuckworm, and Hive0051, first emerged in 2014, and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.

To protect against such attacks, Insikt Group recommended several mitigations, including:

*   Beef up email security to block HTML smuggling techniques
    
*   Flag attachments with suspicious HTML events
    
*   Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
    
*   Set up network rules to flag requests to trycloudflare.com subdomains
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Two new vulnerabilities in Mitel's MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application on mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That's what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) for how it allowed attackers to access important business data, and execute database and management operations at will. It came with a catch, though: A specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that "No sensible admin would do this" — referring to the undisclosed configuration — so the risk to reliable organizations was low. However, the researchers went on to discover a path traversal vulnerability in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

**The New MiCollab Exploit Chain**

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle path normalization. Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn't be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working with an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input "..;/" to bypass all roadblocks on the way to the vulnerable endpoint — "/npm-admin" from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713, and given a "high" CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn't been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 lubricating initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a proof-of-concept (PoC) exploit to GitHub that combines the first two.

"Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices," notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. "Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the \[file-read\] zero-day to access arbitrary files on affected devices."

Which is exactly what the proof-of-concept code does, he adds. "It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance."

**Hacking Enterprise Communications**

An email arrives in an employee's inbox from their boss. "Hi, please wire a payment to our contractor at \[bank account number\] immediately." The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

"The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems," says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization's central lines of communication, snooping on employees, or simply causing a general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. "Similar issues have been exploited in the past, such as the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499), which ransomware groups used to deploy Web shells and move laterally through networks," she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug, but hasn't yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Bypass Bug Revives Critical N-Day in Mitel MiCollab

In PyO3 0.23.0 the `PYO3_CONFIG_FILE` environment variable used to configure builds regressed such that changing the environment variable would no longer trigger PyO3 to reconfigure and recompile. In combination with workflows using tools such as `maturin` to build for multiple versions in a single build, this leads to Python wheels being compiled against the wrong Python API version.

All users who distribute artefacts for multiple Python versions are encouraged to update and rebuild with PyO3 0.23.3. Affected wheels produced from PyO3 0.23.0 through 0.23.2 are highly unstable and will crash the Python interpreter in unpredictable ways.


Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-vxcf-c7mx-pg53

**Build corruption when using \`PYO3\_CONFIG\_FILE\` environment variable**

Moderate severity GitHub Reviewed Published Dec 5, 2024 to the GitHub Advisory Database • Updated Dec 5, 2024

**Package**

cargo pyo3 (Rust)

**Affected versions**

\>= 0.23.0, < 0.23.3

**Description**

In PyO3 0.23.0 the PYO3_CONFIG_FILE environment variable used to configure builds regressed such that changing the environment variable would no longer trigger PyO3 to reconfigure and recompile. In combination with workflows using tools such as maturin to build for multiple versions in a single build, this leads to Python wheels being compiled against the wrong Python API version.

All users who distribute artefacts for multiple Python versions are encouraged to update and rebuild with PyO3 0.23.3. Affected wheels produced from PyO3 0.23.0 through 0.23.2 are highly unstable and will crash the Python interpreter in unpredictable ways.

**References**

*   PyO3/pyo3#4757
*   https://rustsec.org/advisories/RUSTSEC-2024-0409.html

Published to the GitHub Advisory Database

Dec 5, 2024

GHSA-vxcf-c7mx-pg53: Build corruption when using `PYO3_CONFIG_FILE` environment variable

SUMMARY A day after taking down the cybercrime platform MATRIX, Europol and international law enforcement agencies have successfully…

****SUMMARY****

*   **Manson Market Takedown**: Europol and international law enforcement dismantled the notorious Manson Market cybercrime platform, disrupting phishing networks and seizing stolen data.

*   **Sophisticated Marketplace**: Manson Market allowed cybercriminals to buy and sell stolen data with advanced filtering options, facilitating targeted fraud and financial crimes.

*   **Phishing Scams Uncovered**: Investigators linked the marketplace to fake online shops designed to steal payment information, fueling a steady flow of stolen credentials.

*   **Massive Operation**: Over 50 servers were seized across multiple countries, yielding 200 terabytes of evidence, and two suspects were arrested in Germany and Austria.

*   **Global Collaboration**: The operation highlights Europol’s role and international cooperation in dismantling complex cybercrime networks and protecting citizens.

A day after **taking down** the cybercrime platform MATRIX, Europol and international law enforcement agencies have successfully taken down Manson Market, a notorious cybercrime marketplace. This significant operation disrupted a network of phishing websites and seized a massive amount of stolen data.

Europol, along with authorities in Germany and other European countries, successfully dismantled a notorious cybercrime marketplace called Manson Market, serving a huge blow to the cybercrime fraternity.

Users trying to access the website (manson-market.pw) are informed that law enforcement authorities now possess all transactions, communications, and user information.

Screenshot credit: Hackread.com

The investigation began in late 2022 following reports of a surge in fraudulent phone calls. Scammers, impersonating bank employees, were deceiving victims into revealing sensitive personal information such as addresses and security answers. These tactics were used to gain access to online accounts and facilitate further fraudulent activities.

Investigators quickly traced these malicious activities to a Dark Web platform, Mason Market, which served as a _central hub_ for cybercriminals, enabling them to buy and sell stolen data with alarming ease, Europol’s press release **revealed**.

The marketplace even allowed for sophisticated filtering, allowing criminals to purchase data specifically tailored to their needs, such as information from victims in a particular region or with high account balances. This level of customization significantly increased the efficiency and impact of subsequent fraudulent activities. Europol reported that thousands of users took advantage of this illicit marketplace, putting countless individuals at financial risk.

Furthermore, the investigation uncovered a network of fake online shops designed to lure unsuspecting consumers into exposing payment information. These phishing scams, generally a common tactic employed by cybercriminals, were used to generate a steady stream of stolen credentials, which were then sold through the illicit marketplace, enriching the network’s operators.

Europol played a crucial role in dismantling this sophisticated criminal network. The agency’s European Cybercrime Centre (EC3) leveraged its extensive resources and expertise, coordinating efforts between law enforcement agencies across the continent. Europol’s forensic capabilities were instrumental in analyzing the complex digital evidence, uncovering crucial connections and advancing the investigation. 

On December 4th, authorities conducted searches in Germany and Austria, while the marketplace’s infrastructure and fake online shops were dismantled in Germany, Finland, the Netherlands, Norway, and other countries. Over 50 servers were seized, yielding a massive trove of digital evidence exceeding 200 terabytes. Two key suspects, a 27-year-old and a 37-year-old, were arrested from Austria and Germany, and placed in pretrial detention.

This takedown follows another significant victory against illegal platforms. Recently, German authorities **shut down** Crimenetwork, the largest online criminal marketplace in Germany, which has been operating since 2012 with over 100,000 buyers and 100 sellers. Europol also **dismantled** the encrypted messaging app Ghost used by drug traffickers and arrested 51 suspects.

The operation’s success underscores the significance of international cooperation in combating cybercrime, enabling law enforcement agencies to dismantle sophisticated criminal networks and safeguard citizens.

1.  **Europe’s largest known illegal IPTV op dismantled by police**
2.  **Europol takes down VPNLab used by ransomware operators**
3.  **Europol nabs 106 criminals involved in SIM swapping scams**
4.  **Telegram Founder Pavel Durov Reportedly Arrested in France**
5.  **Europol Busts Major Online CSAM Racket in Western Balkans**

Police Dismantle Manson Market, Seize 50 Servers and 200TB Evidence

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-11942

**Drupal core vulnerable to improper error handling**

Moderate severity GitHub Reviewed Published Dec 5, 2024 to the GitHub Advisory Database • Updated Dec 5, 2024

**Package**

**Affected versions**

\>= 10.0.0, < 10.2.10

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-11942
*   https://www.drupal.org/sa-core-2024-002

Published to the GitHub Advisory Database

Dec 5, 2024

GHSA-52jr-x6h6-xj6g: Drupal core vulnerable to improper error handling

Europol on Thursday announced the shutdown of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale.
The operation, led by German authorities, has resulted in the seizure of more than 50 servers associated with the service and the arrest of two suspects. More than 200 terabytes of digital evidence have been collected.
Manson Market ("manson-market[.]pw") is

Europol Shuts Down Manson Market Fraud Marketplace, Seizes 50 Servers

SUMMARY The machine learning-based threat-hunting system of leading threat intelligence and cybersecurity firm ReversingLabs (RL) recently detected malicious…

****SUMMARY****

*   **Malicious Package Found**: ReversingLabs uncovered _aiocpa_, a Python package targeting crypto wallets via malicious updates.

*   **Unique Attack**: Hackers built trust by publishing a legitimate-looking crypto tool before injecting harmful code.

*   **AI Detection**: ReversingLabs’ _Spectra Assure_ flagged the package using machine learning to detect hidden malicious behaviour.

*   **Action Taken**: PyPI reported, quarantined, and removed the package to stop further harm.

*   **Key Takeaways**: Regular security checks, machine learning tools, and cautious dependency management are vital to combat open-source threats.

The machine learning-based threat-hunting system of leading threat intelligence and cybersecurity firm ReversingLabs (RL) recently detected malicious code in a legitimate-looking package, _“_aiocpa._“_ According to RL’s investigation, shared with Hackread.com, this package was designed to compromise cryptocurrency wallets. 

Through differential analysis of two package versions, RL was able to determine how these attackers carried out their distinctive campaign. The package, a synchronous and asynchronous Crypto Pay API client, has been downloaded 12,100 times.

While probing, researchers identified what makes this campaign unique. Unlike most attacks targeting open-source repositories like npm and PyPI, in this campaign, the threat actors published their own crypto client tool to gradually build trust with a growing user base. Then, they struck. An apparently harmless update to the aiocpa package (version 0.1.13 and later) injected malicious code.

“The malicious actor was observed trying to take over an existing PyPI project named pay, probably to gain access to an established user base, or the attacker estimated that such a package name would attract more victims,” researchers observed.

****How Machine Learning Spotted the Trouble****

RL uses a machine learning-based threat hunting system called Spectra Assure. This system continuously scans open-source packages for suspicious behaviour. In the case of aiocpa, on November 21, 2024, Spectra Assure flagged the updated package due to its resemblance to previously encountered malware.

Further revealed obfuscated code within the aiocpa package with numerous versions published until September 2024. This code was hidden behind layers of encryption and was designed to steal sensitive information like crypto trading tokens. If stolen, this data could be used to drain victims’ cryptocurrency wallets.

Researchers noted in the blog post that application security testing (AST) tools wouldn’t have caught this attack. The malicious code wasn’t present in the referenced GitHub repository, which would typically be reviewed for legitimacy. This is why advanced tools like Spectra Assure are crucial. They analyse code behaviour, allowing for a deeper inspection than traditional methods.

PyPI home page pf the malicious package and the GitHub account behind it (Screenshot credit: RL)

RL reported this malicious package to the Python Package Index (PYPI) for removal, which was later published on their blog on November 25. Researchers at Phylum reported on RL’s discovery, highlighting the uniqueness of the malicious campaign

The incident highlights the evolving nature of open-source software threats making it essential to perform regular security assessments, and consider machine learning-based threat hunting tools for powerful protection. Regular evaluation of third-party code, tools, packages, and extensions is also crucial.

Furthermore, PyPI users should be aware of package name takeover, a serious supply chain infection vector. If a project pay dependency is taken over by a threat actor, a new malicious version could be published to PyPI. The PyPI security team advises users to pin dependencies and versions, using hashes to prevent unwanted updates. 

1.  **ChatGPT Sandbox Flaws Enabling Python Execution**
2.  **PyPI Exploited to Infiltrate Systems Through Python Packages**
3.  **PythonAnywhere** **Cloud Platform Abused to Host Ransomware**
4.  **Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking**
5.  **VMCONNECT: Malicious PyPI Package Mimicking Python Tools**
6.  **New version of Jupyter infostealer delivered through MSI installer**

“aiocpa” Python Package Exposed as Cryptocurrency Infostealer

Inspired by her own experience of abuse, Nighat Dad fights for women’s social and digital rights in Pakistan and beyond.

Nighat Dad grew up in a conservative family in Jhang, in Pakistan’s Punjab province. The threat of early marriage hung over her childhood like a cloud. But despite their traditional values, Dad’s parents were determined that all their children get an education, and they moved the family to Karachi so she could complete her bachelor’s degree. “I never really thought I would work, because I was never taught that we could work and be independent,” she says. “We always needed permission to do anything.”

Dad thought a master’s in law might delay the inevitable betrothal, but soon after she completed the course, she found out her parents had arranged a marriage for her. She didn’t mind her new life of domestic chores in a household she describes as “lower-middle class”—that is, until the abuse started. “That’s when my legal education reminded me that this was wrong,” she says. “Our laws, our constitution, everything protects me, so why was I facing this? Why was I tolerating it?”

With her family’s backing, Dad left her husband and filed for divorce. But after years of domestic violence and abuse and with no experience of working, she struggled with a lack of confidence. “I had no idea that women who are divorced and have a child face such difficulties in a society like ours,” she says. When her ex-husband filed a custody case for their 2-month-old baby, Dad wasn’t sure how she would pay for a lawyer. That’s when her father reminded her that she was a lawyer too.

Dad used her degree to win custody of her only child. In the process, she realized how many women in Pakistan were facing years of violence and systemic injustice. But the thing that bothered her most was the digital divide.

Before her marriage, Dad’s family never allowed her access to her own cell phone, and when she finally did get one, her husband would use it as a surveillance tool—keeping track of who she called and who was texting her. She had an escape tool in her hand, but she couldn’t use it. “Going through that by myself made me realize how quickly technology is evolving, and how it’s creating virtual spaces for marginalized communities that might not have access to physical ones,” she says. “Facing those restrictions made me understand just how crucial it is to challenge societal norms and structures around women's access to technology and the internet, so they can use it as freely as men.”

In 2012, Dad established the Digital Rights Foundation, an NGO that aims to address the digital divide and fight online abuse of women and other gender minorities in Pakistan. She began by helping women who reached out to the organization, providing advice on digital safety and emotional and mental support. In 2016—the same year Pakistan finally passed legislation against online crimes—Dad and her team launched a cyber-harassment helpline. Since 2016, it has addressed more than 16,000 complaints from across the country. “Sometimes, the police would give our phone numbers to victims seeking reliable help,” she says.

The DRF’s in-house legal team offers pro bono advice and helps women file and follow-up complaints against their abusers. “In many cases, we were successful in actually getting the perpetrator arrested and taken to trial,” Dad says. In October 2021, the DRF’s legal team helped journalist Asma Shirazi win a landmark case in the Islamabad High Court against broadcaster ARY News, after she became the target of a coordinated troll campaign which was exacerbated by a false story aired on the channel.

“If an organization like the DRF had existed when I was facing my own issues, I would have felt so much more supported—knowing there was someone to guide me legally and help me navigate the complexities,” she says. “My abuse started with surveillance, and if I had someone to talk to back then, I might have avoided the deep depression that followed. I might not have ended up in such a miserable situation.”

Today, Dad and the DRF are helping to steer global conversations about tech policy reform. She recently joined the United Nations’ AI Advisory Board, and was a founder member of Meta’s Oversight Board, which acts as an independent platform for people to appeal decisions made by the social media giant. “The emerging tech space is mostly driven by big Western companies and governments, leaving out civil society NGOs from the Global South,” she says. “This puts us far behind in global AI governance, always playing catch-up in a fast-moving world. If we’re not part of the conversation, the gap just keeps widening. It’s about reminding the powerful that they can’t win this race alone—they have a responsibility to include the rest of the world, especially those without the same resources.”

_This article first appeared in the January/February 2025 edition of WIRED UK._

She Escaped an Abusive Marriage—Now She Helps Women Battle Cyber Harassment

Authorities across 19 African countries also dismantled their infrastructure and networks, thanks to cooperation between global law enforcement and private firms.

Source: Golden Dayz via Shutterstock

A combined effort among Interpol, Afripol, cybersecurity firms, and authorities in 19 different African nations resulted in the arrest of more than 1,000 suspects who allegedly took part in ransomware schemes, business email compromise (BEC), and other cybercrimes and digital fraud.

The collection of law enforcement investigations, dubbed Operation Serengeti, resulted in the arrest of 1,006 suspects linked to more than $192 million in financial losses and affecting at least 35,000 victims.

The African nations that took part in the joint law enforcement collaboration include Algeria, Angola, Benin, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Mauritius, Mozambique, Nigeria, Rwanda, Senegal, South Africa, Tanzania, Tunisia, Zambia, and Zimbabwe.

The investigators worked with private-sector companies, including cybersecurity firms and Internet service providers, to share intelligence and take action to disrupt cybercriminals' infrastructure, Interpol's Secretary General Valdecy Urquiza said in a statement.

"Operation Serengeti shows what we can achieve by working together, and these arrests alone will save countless potential future victims from real personal and financial pain," Urquiza said. "We know that this is just the tip of the iceberg, which is why we will continue targeting these criminal groups worldwide."

Cybercriminal organizations have expanded in Africa, attracted by the growing economy and relative lack of cybersecurity maturity. While Russia, Ukraine, China, and the US top the lists of cybercrime producers, Nigeria took the No. 5 spot in the World Cybercrime Index, an academic effort to identify the most significant exporters of cybercrime. The African nation has struggled against the stereotype of rampant fraud caused by the once-common Nigerian Prince email scam. Other nations — such as Egypt, Kenya, and South Africa — have also struggled with rising cybercrime.

Along with seven private-sector partners, Interpol and Afripol arrested more than 1,000 suspected cybercriminals in October and September. Source: Interpol

Yet global organizations are increasingly taking part in cross-border investigations, leading to arrests and increased pressure on cybercriminals, according to the World Economic Forum's Cybercrime Atlas, which collaborated with Interpol and Afripol on Operation Serengeti.

"As long as profits are high and risks are perceived to be low, organized criminals will continue to focus on cybercrime," the Cybercrime Atlas group stated in a November analysis. "But 2024 has shown that better collaboration between law enforcement, industry, and cybercrime experts gets results. It is supporting arrests, the disruption of criminals' online infrastructure and the seizure of criminal profits."

**Card Fraud in Kenya, Cyber Trafficking in Cameroon**

Two schemes described by Interpol in its release underscore the varied nature of cybercrime across the African continent.

A criminal group in Cameroon, for example, ran a multi-level marketing scam with a trafficking twist. By promising employment opportunities and training, the group attracted victims, who then paid a fee, but rather than meeting with instructors, were held captive until they brought other victims into the group. The scheme made the group at least $150,000, according to authorities.

In another scam, cybercriminals ran funds-stealing scripts on bank websites, which piggybacked on account holders' sessions to withdraw and redistribute funds to companies in China, Nigeria, and the United Arab Emirates, Interpol stated. Losses from the scheme exceeded $8.6 million. So far, nearly two dozen people suspected of taking part in the scheme have been arrested.

Other cybercriminal schemes include an investment scam run out of Nigeria, a $6 million Ponzi scheme in Senegal, and a virtual casino operated from Angola. Business email compromise continues to be among the most prominent threats affecting African organizations, says Derek Manky, global vice president of threat intelligence for Fortinet, a network-security firm that aided Interpol with technical and intelligence support.

"Users should be aware of this type of attack and always verify the identity of any source giving instructions, especially for payment and even within your organization," he says, adding, "Threat sharing is important to enable quick mobilization of protections for customers across many vendors and to help break down technical barriers to enabling protections."

**A Hard-Won, but Short, Respite**

Despite the large number of arrests, the operation will likely result only in a brief reduction in cybercriminal activity, as disrupted groups will quickly pivot and recreate their infrastructure, says Stephen Hilt, a senior threat researcher with cybersecurity firm Trend Micro, which also collaborated with authorities on the global intelligence support.

"While impactful, these efforts need to be part of a broader strategy," he says. "For long-term reductions in cybercrime, developing nations must strengthen their legal frameworks to increase the cost of cybercriminal activities. ... Without these measures, the underlying socioeconomic factors that drive cybercrime will persist."

African nations — and organizations worldwide — need to invest in cybersecurity education to bolster awareness of the current threats and safe behavior online, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#git