Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military, economic, and South China Sea data. Discover how Southeast Asia can defend against future cyberattacks.

Cybersecurity firm Sophos has shared details of a large-scale espionage campaign dubbed “Crimson Palace.” This Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years, through tactics like DLL sideloading and VMware exploitation.

As per Sophos MDR’s human-led threat-hunting service, multiple Chinese state-sponsored actors have been active since early 2022, and despite a few weeks of dormancy, intrusion activity continues targeting the organization, which Sophos categorizes as “mixed estate.”

Sophos initially discovered activity in March 2022 with the detection of NUPAKAGE malware, attributed to Earth Preta and again in December 2022, intrusion activity was discovered using DLL-stitching to deploy malicious backdoors on domain controllers.

During the investigation, Sophos researchers found three distinct clusters of activity named Cluster Alpha, Cluster Bravo, and Cluster Charlie, targeting the same organization. These clusters overlap with multiple Chinese nation-state groups, including Worok, the APT41 subgroup Earth Longzhi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze that was reported in May 2024 to be carrying out extensive cyberattacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and aimed to exfiltrate sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to gather sensitive political, economic, and military information. These include CCoreDoor, PocoProxy, an updated variant of Cobalt Strike, PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, Merlin C2 Agent, PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

> _“Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”_
> 
> Sophos

Sophos believes the campaign’s primary aim is to maintain cyberespionage access for safeguarding Chinese state interests, including accessing critical IT systems, performing reconnaissance, collecting sensitive information, and deploying malware implants for command-and-control communications.

The campaign as per Sophos’ blog post, also included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.

****Threat Actors Collaborating Worldwide****

This marks the first instance where Chinese threat groups are actively collaborating to target an entity, each with its own working hours and scheduling activities, directed by a central authority.

Last month, cybersecurity researchers at Check Point reported that several Iranian state-sponsored hacker groups are teaming up for large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics. They are now partnering up and increasingly relying on malicious paid tools instead of the custom-made tools they previously used.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

Eliot Higgins and his 28,000 forensic foot soldiers at Bellingcat have kept a miraculous nose for truth—and a sharp sense of its limits—in Gaza, Ukraine, and everywhere else atrocities hide online.

How to Lead an Army of Digital Sleuths in the Age of AI

Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

“Hey there!” messaged Savannah, someone 16-year-old Charlie had never met before, but looked cute in her profile picture. She had long blonde hair, blue eyes, and an adorable smile, so he decided to DM with her on Instagram. Soon their flirty exchanges grew heated, and Savannah was sending Charlie explicit photos. When she asked him for some in return, he thought nothing of taking a quick snap of himself naked and sending it her way.

Within seconds, “Savannah” morphed from vixen to vice, threatening Charlie with posting his nude picture all over social media—unless he sent $500. Then she gave Charlie three days to get her the money, otherwise she’d share the compromising photos with his friends and family.

While the above scene is fictional, it’s indicative of what the FBI and Department of Homeland Security agree is the fastest-growing cybercrime of the last three years. It’s called financially motivated sextortion, or financial sextortion, and its victims are mainly teenage boys between the ages of 14 and 17.

Financial sextortion happens when adult criminals create fake accounts posing as young women on social media, gaming platforms, or messaging apps, and coerce victims into sending explicit photos. Scammers then threaten victims into sending payment, usually in the form of cryptocurrency, wire transfer, or gift cards, otherwise they’ll post the images online for all to see.

In an emerging trend, some sextortion scammers are now using artificial intelligence to manipulate photos from victims’ social media accounts into sexually graphic content. The predators then threaten to share the content on public forums and pornographic websites, as well as report victims to the police, claiming they’re in possession of child pornography. Demands for money immediately follow.

In 2023 alone, the National Center for Missing and Exploited Children (NCMEC) received 26,718 reports of financial sextortion of minors, more than double the 10,731 incidents reported in 2022. Sadly, these figures are likely far understated, since they rely on kids or their parents calling in the crime. A January 2024 threat intelligence report from Network Contagion Research Institute (NCRI) found children in the United States, Canada, and Australia are being targeted at an alarming rate, with a massive 1,000 percent surge in financial sextortion incidents in the last 18 months.

To illustrate how quickly the digital landscape has changed, a 2018 national survey found just 5 percent of US teens reported being victims of sextortion. Fast forward to June 2023, and 51 percent of Generation Z respondents said they or their friends were catfished in sextortion scams—47 percent in the last three months.

**The Yahoo Boys**

Financial sextortion has been linked to scammers in West Africa, particularly Nigeria and the Ivory Coast, as well as the Philippines. However, NCRI notes virtually all sextortion scams targeting minors can be directly linked to a distributed West African gang known as the Yahoo Boys. The Yahoo Boys mainly go after English-speaking minors and young adults on Instagram, Snapchat, and Wizz, an online dating platform for teens. They’re the original Nigerian Princes, but have changed tactics in recent years to elder fraud, romance scams, fake job scams—and now the sexual extortion of children for profit.

NCRI credits the tenfold increase in financial sextortion cases directly to the Yahoo Boys’ distribution of instructional videos and scripts on TikTok, YouTube, and Scribd, which are encouraging and enabling other threat actors to engage in financial sextortion as well. The videos have been viewed more than half a million times, and comments are filled with cybercriminals eager to download the scripts and get started.

The sextortion guides provide step-by-step instructions on how to create convincing fake social media profiles and “bomb” high schools, universities, and youth sports teams. The Yahoo Boys use this term to describe friending/following as many kids in a school or other location as possible to convince victims they could be an unknown classmate or peer from a nearby town.

While the payment amounts requested by the Yahoo Boys vary, they can range from as little as a couple hundred dollars to a few thousand. But predators employ ruthless tactics to intimidate their victims into paying, which can inflict lasting trauma and immense distress on children. Offenders often continue demanding more money after receiving the initial sum and may release victims’ sexually explicit images regardless of whether or not they were paid.

Indeed, the financial fallout may not be as daunting as the millions demanded by ransomware actors, but the emotional cost to teenage boys can be devastating. Anxiety. Humiliation. Shame. Despair. Feeling completely alone and afraid to ask for help. According to the FBI, financial sextortion has even been linked to fatalities. To their knowledge, at least 20 teens between January 2021 and July 2023 committed suicide when faced with the threat of nude photos that could ruin their lives.

****What to do if you or your child is financially sextorted****

Parents of teenage boys—or all teens for that matter—should have a conversation with their child about the pitfalls of financial sextortion. Remind them to be selective about what they share online and who they connect with, and if a stranger reaches out to them demanding payment or sexually explicit images, they should speak to a trusted adult before sending anything, be it money, photos, or more messages. In fact, open lines of communication can be the difference between life or death, so if your child doesn’t feel comfortable going to you, ask that they bookmark this article or one of the references listed below.

If you or your child are a victim of financially motivated sextortion, the most important advice to remember is this: You are not alone. You are not in trouble. Your child should not be in trouble. There is a way forward after this.

There are several resources you or your child can access to report the crime to law enforcement, speak to a caring counselor or peer, and request that harmful images be taken down. Here’s what we suggest:

*   Block the scammer from contacting you again, but save all chats and profile information because that will help law enforcement identify them.
*   Report the scammer’s account on the platform where the crime took place. Facebook and Instagram parent company Meta unveiled new tools last month to combat financial sextortion, and Snapchat has a reporting feature for nudity or sexual content, which now includes the option: “They leaked/are threatening to leak my nudes.”
*   Report the crime to NCMEC at Cybertipline.org or directly to the FBI at tips.fbi.gov or the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. FBI Victim Services also has a Child Exploitation Notification Program. Canadian victims can access the Canadian Centre for Child Protection for resources, and report crimes to Cybertip.ca.
*   Seek emotional support, whether from a trusted adult, friend, or through professional services. NCMEC offers assistance for sextortion victims and their families, such as crisis intervention and referrals to local counseling professionals, and their Team Hope volunteer program connects victims to other who’ve experienced financial sextortion.
*   If you prefer a more anonymous support experience, the moderated Reddit forum r/Sextortion is a safe haven for victims to share their experiences and get advice from those who’ve already been through it.
*   Victims looking to remove sexually explicit images from the internet can go to Take It Down for help or Project Arachnid, which uses automated detection methods along with a team of analysts to quickly send removal notices to electronic service providers.
*   Ask for help. Problems from financial sextortion can be complex and require assistance from adults and professionals. If you don’t feel you have adults who can help, reach out to NCMEC at gethelp@ncmec.org or call 1-800-THE-LOST.

For more information and resources, visit the FBI’s page on financially motivated sextortion.

 Financial sextortion scams on the rise 

This post was authored by Kalpesh Mantri. 

Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
These campaigns, active since the second week of

Wednesday, June 5, 2024 08:00

_This post was authored by Kalpesh Mantri._ 

*   Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
*   These campaigns, active since the second week of March, leverage tactics, techniques, and procedures (TTPs) that we have not previously observed in DarkGate attacks. 
*   These campaigns rely on a technique called “Remote Template Injection” to bypass email security controls and to deceive the user into downloading and executing malicious code when the Excel document is opened.  
*   DarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these campaigns, AutoHotKey scripting was used instead of AutoIT.  
*   The final DarkGate payload is designed to execute in-memory, without ever being written to disk, running directly from within the AutoHotKey.exe process. 

The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been observed distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the latest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of DarkGate actors in altering the infection chain to evade detection. 

**Email campaigns **

This research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention. 

Talos’ intent analysis of these emails revealed that the primary purpose of the emails primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document. 

This peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.  

The table below includes some of the observed changes in attachment naming convention patterns over time.  

End Date 

Format 

Examples 

March 12, 2024 

March 19, 2024 

march-D%-2024.xlsx 

march-D5676-2024.xlsx 

march-D3230-2024.xlsx 

march-D2091-2024.xlsx 

March 15, 2024 

March 20, 2024 

ACH-%March.xlsx 

ACH-5101-15March.xlsx 

ACH-5392-15March.xlsx 

ACH-4619-15March.xlsx 

March 18, 2024 

March 19, 2024 

attach#%-2024.xlsx 

attach#4919-18-03-2024.xlsx 

attach#8517-18-03-2024.xlsx 

attach#4339-18-03-2024.xlsx 

March 19, 2024 

March 20, 2024 

march19-D%-2024.xlsx 

march19-D3175-2024.xlsx 

march19-D5648-2024.xlsx 

march19-D8858-2024.xlsx 

March 26, 2024 

March 26, 2024 

re-march-26-2024-%.xls? 

re-march-26-2024-4187.xlsx 

re-march-26-2024-7964.xlsx 

re-march-26-2024-4187.xls 

April 3, 2024 

April 5, 2024 

april2024-%.xlsx 

april2024-2032.xlsx 

april2024-3378.xlsx 

april2024-4268.xlsx 

April 9, 2024 

April 9, 2024 

statapril2024-%.xlsx 

statapril2024-9505.xlsx 

statapril2024-9518.xlsx 

statapril2024-9524.xlsx 

April 10, 2024 

April 10, 2024 

4\_10\_AC-%.xlsx\* 

4\_10\_AC-1177.xlsx 

4\_10\_AC-1288.xlsx 

4\_10\_AC-1301.xlsx 

_\*Variant redirecting to JavaScript file instead of VBS._ 

**Victimology **

Based on Cisco Talos telemetry, this campaign targets the U.S. the most often compared to other geographic regions.

Healthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries. 

**Technical analysis **

Our telemetry indicates that malspam emails were the primary source of delivery for this campaign. It is an active campaign using attached Excel documents attempting to lure users to download and execute remote payloads.  

As shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share. 

The overall infection process associated with this campaign is shown below. 

The infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique, called “Remote Template Injection,” to trigger the automatic download and execution of malicious contents hosted on a remote server. 

Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features. By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.  

When the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server. 

The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server. 

This PowerShell script retrieves the next stage’s components and executes them, as shown below. 

**Payload analysis **

On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts. 

AutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, their differences lie in their syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains. 

As shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file, there is base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 

As shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across infection chains that were analyzed. 

In this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk). 

The executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below. 

**Persistence mechanisms **

Components used during the final stage of the infection process are stored at the following directory location: 

*   C:\\ProgramData\\cccddcb\\AutoHotKey.exe 
*   C:\\ProgramData\\cccddcb\\hafbccc.ahk 
*   C:\\ProgramData\\cccddcb\\test.txt 

Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system. 

C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk 

C:\\ProgramData\\cccddcb\\AutoHotkey.exe  C:\\ProgramData\\cccddcb"C:\\ProgramData\\cccddcb\\hafbccc.ahk 

Talos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. However, because of the evolving nature of recent DarkGate campaigns — as demonstrated by the shift from AutoIT to AutoHotKey scripts and use of remote template injection — serves as a stark reminder of the continuous arms race in cybersecurity. 

**Coverage **

 Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The following Snort SIDs apply to this threat:  

*   **Snort 2 SIDs:** 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524 
*   **Snort 3 SIDs:** 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524 

The following ClamAV detections are also available for this threat:  

*   Doc.Malware.DarkGateDoc 
*   Ps1.Malware.DarkGate-10030456-0 
*   Vbs.Malware.DarkGate-10030520-0 

**Indicators of Compromise (IOCs) **

Indicators of Compromise (IOCs) associated with this threat can be found here.  

Below is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.  

hxxp://badbutperfect\[.\]com 

hxxp://withupdate\[.\]com 

hxxp://irreceiver\[.\]com 

hxxp://backupitfirst\[.\]com 

hxxp://goingupdate\[.\]com 

hxxp://buassinnndm\[.\]net 

anti\_analysis = true 

anti\_debug = false 

anti\_vm = true 

c2\_port = 80 

internal\_mutex (Provides the XOR key/maker used for DarkGate payload decryption) = WZqqpfdY 

ping\_interval = 60 

startup\_persistence = true 

username = admin

DarkGate switches up its tactics with new payload, email templates

HyperCycle enhances AI safety and efficiency with cryptographic proofs and peer-to-peer nodes. HyperShare supports decentralized governance and income…

HyperCycle enhances AI safety and efficiency with cryptographic proofs and peer-to-peer nodes. HyperShare supports decentralized governance and income distribution, promoting sophisticated AI capabilities and industry-wide collaboration.

HyperCycle is a platform that attempts to make AI systems safer and more efficient. The system’s main component, each HyperCycle node, employs cryptographic proofs and a peer-to-peer architecture. It consists of a virtual machine (VM), a transaction machine, and an AI machine that processes data and performs tasks.

A HyperCycle node requires a Sato server proof (via the $HYPC token), data to process, and instructions from a smart contract. The VM controls these components, the transaction machine checks the Sato server, and the AI machine begins to operate on the data.

Once the AI system has completed its mission, it returns the findings for verification and initiates payment for the service performed. The node gathers the results and payment proofs before delivering the final output to whoever requests it. This configuration improves AI agent collaboration, resulting in more sophisticated AI capabilities.

HyperShare enhances how nodes are handled within the HyperCycle platform. It also provides decentralized governance, income sharing, and shareholding, using S-Tokens for ownership and R-Tokens for revenue distribution. This allows users to interact, manage income, and administer nodes safely and autonomously from HyperCycle.

****What is HyperShare?****

HyperShare manages how value and money are distributed to everyone maintaining a node. It’s a smart contract that ensures fair income and ownership allocation without requiring trust between members.

HyperShare uses two kinds of tokens: S-Tokens and R-Tokens. S-Tokens are ownership tokens with voting rights, enabling holders to participate in governance decisions. This promotes participatory and democratic node management. R-Tokens are Revenue Tokens that distribute node profits, rewarding contributors depending on node performance.

HyperShare makes it easier to manage computing nodes, increases transparency, and assures that value and income are distributed evenly. This approach simplifies node maintenance and encourages cooperation and company development inside the HyperCycle network.

****HyperShare and its Components****

HyperShare is based on a complex design that contains two critical components: cHYpC and the License.

The cHYpC, which stands for “cycle HyperCycle,” serves as a value wrapper for the HyperShare network. It handles and represents many value types, including cryptocurrencies such as Bitcoin (BTC) and USD Coin.

The cHYpC can encapsulate these assets, making them simple to integrate and utilize throughout the HyperCycle network. It functions as a means of trade and a store of intrinsic value, offering a flexible and secure mechanism to manage many digital assets.

The License, another important part of the HyperShare platform, permits users to use the Virtual Machine, which runs smart contracts and processes data, and the Transaction Machine, which verifies and records transactions. It works alongside cHYpC to ensure that HyperShare can handle the financial and operational aspects of the HyperCycle Computation nodes efficiently.

The cHYpC helps in managing different types of value by adding financial assets into the HyperCycle platform, making transactions easier. Meanwhile, the License powers the nodes, enabling them to perform complex tasks.

Essentially, the cHYpC helps HyperCycle to manage value efficiently, whilst the License ensures that everything on the software side is working properly.

HyperShare has become a strong tool for controlling HyperCycle Computation Nodes by fusing operational capacity and value management, offering a whole solution for decentralized and effective node operation.

****Potential Benefits of Hypershare****

HyperShare offers various advantages for firms wishing to build atop HyperCycle Computation Nodes. It is intended to assist manage operations, revenue, and cooperation more efficiently inside the AI computing network.

The key advantage of HyperShare is its encouragement of multiparty cooperation. The decentralized platform allows several parties to collaborate easily by exchanging resources and expertise. Automated operations within the smart contract that manage connections and transactions free users to concentrate on their primary duties and remove middlemen.

HyperShare also provides decentralized governance. Using governance concepts built-in smart contracts reduces the need for a centralized authority. This ensures that decisions are made democratically and transparently, hence improving security and giving stakeholders control over node operations.

The HyperShare platform also places an emphasis on trust in the smart contract rather than in individuals. Predefined rules and algorithms ensure that all activities and transactions are completed fairly and precisely, reducing the potential for human error or misconduct.

****Practical Applications of HyperShare****

HyperShare is useful in various domains, particularly those involving artificial intelligence. It enables academics and institutions to pool resources and processing capacity, making working together on large AI projects simpler. HyperShare’s decentralized governance and automatic income distribution ensure that everyone’s efforts are adequately acknowledged and appreciated.

HyperShare benefits enterprises focusing on AI, such as machine learning or data processing, by spreading computing jobs, optimizing resources, and assuring transparent income sharing. This results in cheaper costs and aligned interests for everyone involved.

HyperShare may also aid startups and initiatives in developing decentralized apps (DApps) or blockchain solutions. For example, a decentralized finance (DeFi) network could use it to safely and effectively handle backend calculations. Stakeholders may own S-Tokens and R-Tokens, providing them with a voice in governance and a part of income, making the system more equitable and democratic.

Important problems in the AI computation industry with governance, cost control, and resource allocation are addressed with HyperShare. With the platform, AI networks ought to get more cooperative and scalable, benefiting all equally.

Its automatic income sharing simplifies the finance administration of AI operations. Developers and researchers can concentrate on creativity knowing that the smart contract will handle money well. This quickens the study and use of AI technology in several sectors, such as entertainment, healthcare, education, and finance.

****In Closing****

HyperShare maintains HyperCycle Computation Nodes active via the use of cooperative technology, open income sharing, and decentralized governance. Through the optimization of node operations and communication, business activities become safer and more effective.

This solution creates a trustworthy environment and optimizes procedures by using blockchain and AI technology. HyperShare allows stakeholders to collaborate successfully and freely.

1.  Could Bitcoin Be The Future Of DeFi?
2.  What is Blockchain Gaming and its Play-to-Earn Model?
3.  5 Ways Smart Contracts Are Making A Real-World Difference
4.  Enhancing Blockchain Randomness To Eliminate Trust Issues
5.  Blockchain in Identity Management: Securing Identities and Data

Understanding HyperCycle’s HyperShare Smart Contract Feature

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about…

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about the hack attributed to IntelBroker and the ongoing response to secure user data.

A database owned by Tech in Asia, a prominent technology news outlet focusing on startups and technological innovations across Asia, has been compromised. The breach was announced by a hacker known by the pseudonym “Sanggiero,” linked to the infamous hacking collective, IntelBroker.

Screenshot from the hacker’s post on Breach Forums (Credit: Hackread.com)

Tech in Asia, which has received backing from Eduardo Saverin, the co-founder of Facebook, operates from bases in Singapore and Jakarta. The platform is a critical resource for news on technological advancements and entrepreneurial ventures in the region.

Details of the breach were disclosed late last night on several dark web forums, including the infamous cybercrime and data leak forum Breach Forums. Sanggiero claimed responsibility for the hack, stating that it occurred in June 2024 and impacted over 221,470 individuals.

As seen by Hackread.com, the leaked information includes user data such as the following:

*   **Roles**
*   **Full names**
*   **Display names**
*   **Email addresses**
*   **Date of registration.**

Hackread.com analysed the leaked data

As confirmed by Tech in Asia to Hackread.com in an exclusive statement, these records belong to its users. However, the good news is that no passwords were leaked. According to Sanggiero, the data was accessed by exploiting several critical vulnerabilities in Tech in Asia’s API and other bugs that allowed access to the internal services of the website.

> _“We confirm that the Tech in Asia Indonesia site was compromised, but the main Tech in Asia site remains secure. The situation has been contained. We apologise to users affected by this incident and will contact them with safety measures. Only email addresses and names were leaked; account passwords remain secure. We are taking further measures to ensure that our users’ data remains safe.”_
> 
> Tech in Asia

The motives behind the breach are obvious. Additionally, IntelBrokers has been known for targeting high-profile companies and top security agencies. Some of the group’s previous hacks include Europol, Home Depot, ICE, USCIS, HSBC and Barclays Bank.

This incident leaves a critical lesson for all companies: Cybersecurity isn’t a one-time setup but a continual process. As cyber threats become more complex and frequent, it’s vital that businesses consistently enhance security. Doing so not only protects sensitive data but also builds and maintains the trust of its users.

_Follow our dedicated cybersecurity news coverage for updates on this story and more._

1.  AT&T Confirms Data Breach Affecting 73 Million Users
2.  Massive Data Breach Exposes Info of 43 Million French Workers
3.  API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names
4.  American Express Cardholders Impacted by 3ed-Party Data Breach
5.  Dell Discloses Data Breach As Hacker Sells 49 Million Customer Data
6.  Ticketmaster Suffers Data Breach: 560M Users’ Info for Sale at $500K

Hackers Leak 221,470 Users’ Data in “Tech in Asia” News Outlet Breach

A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the US—and why your city could be next.

The Age of the Drone Police Is Here

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

YouTube remains the only major US-based social media platform available in Russia. It’s become "indispensable" to everyday people, making a ban tricky. Journalists and dissidents are taking advantage.

In December 2020, Vladimir Putin held his end-of-the-year press conference as normal. Despite the Covid-19 pandemic still raging in Russia and worldwide, the president insisted that things would be OK. He had set aside 350 billion rubles ($4.8 billion) “to give social benefits to people, families, both children, doctors, and students.”

Two weeks later and nearly 1,000 miles away, the opposition Anti-Corruption Foundation uploaded a video to its YouTube channel. In it, Alexei Navalny introduces the world to “Putin’s palace,” which he dubbed “the world’s largest bribe.”

Over nearly two hours, Navalny walks viewers through the trappings of the palatial datcha, on the Black Sea coast. A 2-million-ruble sofa, a 2-million-ruble vanity, a dining table worth nearly 4 million rubles. The ubiquitous gold leafing on the walls, a private theater, a velvet-lined hookah bar, a casino, even a _Dance Dance Revolution_ room. The construction of such a lavish abode would have cost Putin and his oligarchic backers over 100 billion rubles ($1 billion) of money pilfered from the Russian state, Navalny tells the viewer. Money that could have gone to people, families, children, doctors, and students.

The Russian-language video exploded, far surpassing anything Navalany and the Foundation had ever produced. Within weeks, it blew past 100 million views, and it has added another 32 million views since then—nearing the population of Russia itself.

The Foundation’s popularity on the world’s largest video-sharing platform had been growing massively over the preceding year—particularly as Russians were stuck indoors, and as the Kremlin intensified its crackdown on the independent press.

“Twenty years of total government control have turned television into an incessant marathon of disgraceful propaganda, lies, and censorship,” as Navalny told his viewers in a 2020 video. Behind him, a stack of TVs broadcast different clips of Russian TV presenter Vladimir Solovyov, a ubiquitous face on the Russia1 channel.

In December of that year, Navalny began his regular video dispatches with a startling introduction: “Hi, it’s Navalny. I know who wanted to kill me. I know where they live. I know where they work. I know their real names.”

Working with investigative journalism outfit Bellingcat, Navalny had posed as a Kremlin official in order to coax a confession out of one of his would-be assassins. The alleged agent recounted how the team of Russian operatives applied the nerve agent Novichok to Navalny’s underwear. Navalny recorded the whole thing and posted it directly to his YouTube channel.

In a follow-up video, Navalny continues to break down the failed murder plot in front of a wall featuring each of the men’s photos, maps of the operation, and red twine connecting everything.

In the West, Navalny’s appeal was often shortened to that of simply an opposition figure—a divisive one, for some, who became the de facto alternative to Putin after the other alternatives were killed or jailed.

But in the years leading up to his 2021 imprisonment and death in February 2024, Navalny became much more than just a politician—and the media apparatus he became the face of became bigger than him.

While Russia has grown considerably more autocratic in recent years, with its elections even more tightly scripted and its media ever more controlled by the Kremlin, YouTube remains one of the few US-based social media sites still available in the country and a reliable and effective conduit to the Russian public. It could be key to determining what happens next in Moscow—if YouTubers can stay ahead of Kremlin censorship.

“With minimal resources, we were essentially able to establish a direct competitor of Putin’s propaganda television,” says Vladimir Milov. “We are still behind them, but we are breathing down their back.”

Milov is a former deputy minister with the Russian government, a longtime Navalny associate, and a YouTube creator in his own right. I caught up with him in Vilnius, where he’s been exiled since Moscow began criminal proceedings against him. Last year, Milov was convicted by the Russian courts of disseminating “war fakes” and sentenced to eight years in prison in absentia.

Milov’s regular updates, which tend to focus on economics and finance, go out to his 500,000-plus subscribers, and often rack up around a million views. Leonid Volkov, another Navalny associate who helps run the Anti-Corruption Foundation, boasts another 165,000 followers. Dasha Navalnaya, Alexei Navalny’s daughter, has her own channel where she interviews GenZ Russians about the state of their country.

Above that, independent media have found a second home on YouTube as well. Meduza, an independent media organization that had to decamp to Latvia after being declared a “foreign agent” under Russian law, has nearly 800,000 subscribers. The BBC’s Russian service, which left the country amid a 2022 media crackdown, broadcasts regularly to its 2.5 million subscribers.

Cobbling together the analytics across these various channels, Milov says these opposition YouTubers have about 10 million to 15 million dedicated viewers inside Russia—while another 20 million viewers may stumble across their content from time to time.

​”Our message gets through to the Russian people,” Milov says. “We are serving as a very effective alternative broadcasting tool that really competes with Putin's propaganda.”

VCIOM, a pollster loyal to the Kremlin, has found that a plurality of Russians still prefer to get their news from heavily censored Russian television, but their trust in the format has plummeted, from nearly 50 percent in 2016 to just 25 percent today. Meanwhile, trust in online news has jumped by roughly the same degree.

Meanwhile, as Western programming becomes rarer and rarer, many Russians are turning to YouTube for their primary source of entertainment—especially for kids’ programming. Eight of the 10 most-subscribed Russian YouTube channels, according to rankings compiled by analytics firm Socialblade, are targeted at young children.

So Russians are losing faith in the state-approved TV news, increasingly trusting of online media, and are looking to YouTube for entertainment. It has delivered tens of millions of people right at the opposition’s doorstep.

Even if most Russian YouTube users are looking for content to pacify their children, bringing them on the platform has enormous benefits, Milov says. “There's this magical black box which is called YouTube recommendations.” He says plenty of his followers don’t even watch his videos—they listen. If Russians are letting the algorithm choose their next video while they cook dinner or fold laundry, it increases the chances his voice will reach a Russian who has never heard him before.

Milov stresses that YouTube isn’t just a one-way service: Because it allows users to comment and chat anonymously, it provides an extraordinary chance for regular Russians to express themselves without fear of censorship.

“The amount of our feedback is enormous,” he says. “Just myself, alone, I literally get messages, every day, from at least hundreds of people from across the country. When something serious happens? Thousands.” Sometimes, Milov says, his first indication that something terrible has happened in Russia is seeing just how many unread messages he has in his YouTube inbox.

Milov says this feedback reinforces the idea, supported even by Kremlin-approved pollsters, that opposition to the war in Ukraine is growing. But it also provides some important details and nuance. “So this is like, I would say, an enormous focus group, with which you can also communicate. You can ask them questions back.” He chuckles, thinking of the notorious Russian security and intelligence agency: “You know, the FSB would kill for this kind of information.”

“Obviously, the question is, why didn’t Putin shut down YouTube?” Milov says. “It’s easier said than done.”

In recent years, Moscow has deployed an array of strategies to cow and kill independent media and the open internet in Russia. Platforms like Facebook, Twitter, and TikTok have been blocked altogether. Independent media like Meduza, TV Rain, and The Insider have been declared “undesirable” or labeled “foreign agents.”

Through it all, YouTube has survived.

Milov says the Kremlin was too slow to move on YouTube. By the time Moscow was banning other popular Western platforms, the Google-owned video platform had become indispensable to everyday Russians. “They kind of let the genie out of the bottle,” Milov says.

“YouTube is mommies showing cartoons to kids, teenagers are watching music videos, people are watching comedians, elderly folks watching old Soviet movies, which are widely available there, and so on,” he says. “And you shut it all down? So you have these empty evenings now, from this point on.”

Unable to disrupt YouTube, the Kremlin tried desperately to compete with it.

Moscow had high hopes for Rutube, a long-suffering YouTube clone which was relaunched in 2020 after a merger with the media arm of state-controlled energy giant Gazprom. If the site’s “top videos” section is to be believed, it hasn’t worked—some had racked up view counts in the mid-thousands.

VK, Russia’s answer to Facebook, has fared slightly better with its video-sharing platform, and it is rife with pro-Kremlin broadcasters. But even its most popular channels have just a tiny fraction of the biggest Russian-language YouTube accounts.

“It's like a big room, but it's empty,” Milov says of these Kremlin-backed alternatives.

Having failed to compete with his online critics, Milov believes Putin opted for a more direct strategy. Just days before I arrived in Vilnius, thugs appeared outside the home of Leonid Volkov, former chair of the Anti-Corruption Foundation and Nalvany chief of staff. Armed with hammers, they savagely beat him. Lithuanian intelligence believe the men arrested were operating on orders from Russia. A week after the attack, Volkov was back on YouTube, his arm in a sling, “I am not going to stop—although I will gesticulate less in the coming weeks,” he said.

Milov emailed me the day I arrived to apologize that, due to his new security protocols, he wouldn’t be able to show me around his home broadcast studio.

Last November, the YouTube channel Volgograd Watch uploaded a new video trying to answer a difficult question: “When will the mobilized be returned?”

Subscribers of the channel were asking when Russia’s conscripts on the front line might return home. Evgeny Kochegin, host of the channel, responded by providing a litany of links recommending anti-war groups and resources on how to dodge the draft. Kochegin himself fled conscription and was convicted in absentia for disseminating “fake news.”

In exile, Kochegin has tried to help others avoid being pressed into military service, and took to YouTube to do it, racking up a modest 30,000 subscribers. In May, however, Kochegin found YouTube to be an unreliable partner. His video was blocked for Russian viewers.

Agents Media, an independent Russian news outlet, reviewed four different removal notices targeting human rights and anti-war YouTube channels. The news outlet obtained emails from YouTube’s legal team, threatening to take offline an entire channel. In the email to the OVD-Info channel, YouTube wrote that the channel had violated Russian Law #149-FZ and that “if you do not remove the content, Google may be required to block it.”

According to a company transparency report, Google has received hundreds of thousands of removal requests from the Russian government since 2022, including nearly 67,000 on the grounds of “national security,” over 200 for “government criticism,” and one for violating the electoral law.

More than 1,000 applications from Moscow specifically cited Law #149-FZ, asking for the removal of nearly 1 million pieces of content—which could include channels, videos, or comments. Google reports that it approved more than 80 percent of those removal requests.

An open letter published in May, signed by major Russian NGOs and Reporters Without Borders, called on Google to stop adhering to these requests from Moscow. “We are very concerned that the company appears to be helping the Russian censor to silence human rights and anti-war voices,” they wrote.

In a statement, a spokesperson for YouTube insisted that if the company has concerns that legal requests are being used to silence dissidents, “we will push back”—noting that Russian courts have fined Google in the past for refusing to comply with its orders.

YouTube says it has removed more than 12,000 channels and over 140,000 videos relating to the war in Ukraine for violating the platform’s policies—including pro-Putin propagandists, Kremlin-controlled media outlets, and content from the Russian Ministry of Foreign Affairs.

The YouTube spokesperson, however, ignored questions as to why it has been so willing to respond to requests under Law #149-FX.

Whether their channels are at risk from legal requests from Moscow, or whether Moscow blocks their channels entirely—the Russian dissidents are always making contingency plans. “They will not kill us by just shutting down one thing and making the other cooperate with the regime,” Milov says. “We'll navigate through.”

One such plan is to wind up right where the problem began: on TV.

Not long after Russia invaded Ukraine in February 2022, a group calling itself the Denis Diderot Committee began calling on major satellite television providers to stop beaming Kremlin propaganda into Russia and Europe — and replace it with real news.

“That's the ultimate goal of our effort—to actually provide alternative media channels into the Russian television space that are not controlled by the Russian government,” Jim Phillipoff, one half of the committee, told WIRED at the time.

Two years on, the committee scored a huge win. Satellite provider Eutelsat took up the committee’s challenge and inked a deal with Reporters Without Borders to broadcast 11 channels of independent Russian news and content into the region, with the option to add 14 more. They call it the Svoboda Satellite Package—using the Russian word for “freedom.”

Phillipoff told WIRED this week that they have begun broadcasting into 4.5 million households in Russia, and another 61 million households in the broader region—and they hope to grow that number by securing space on other regional satellites.

While the satellite is simply rebroadcasting some existing channels, Philipoff says they’ve also created some channels from scratch—in some cases made up of dissident Russians’ YouTube content. They’ve been in talks with Volkov to help rebroadcast some of the work from the Anti-Corruption Foundation and other opposition groups. (They have also explored how to cooperate with eQsat, a like-minded effort to broadcast digital news files using satellites, which WIRED revealed last September.)

While Russian television remains under the thumb of the Kremlin, and Google remains willing to block content at its behest, Svoboda exists to reject the censorship altogether, Phillipoff says.

“The goal of our project is to circumvent this control.”

Russians Love YouTube. That’s a Problem for the Kremlin

This week on the Lock and Code podcast, we speak with Joseph Cox about the FBI's successful backdoor into the phone startup Anom.

_This week on the Lock and Code podcast…_

This is a story about how the FBI got everything it wanted.

For decades, law enforcement and intelligence agencies across the world have lamented the availability of modern technology that allows suspected criminals to hide their communications from legal scrutiny. This long-standing debate has sometimes spilled into the public view, as it did in 2016, when the FBI demanded that Apple unlock an iPhone used during a terrorist attack in the California city of San Bernardino. Apple pushed back on the FBI’s request, arguing that the company could only retrieve data from the iPhone in question by writing new software with global consequences for security and privacy.

“The only way to get information—at least currently, the only way we know,” said Apple CEO Tim Cook, “would be to write a piece of software that we view as sort of the equivalent of cancer.”

The standoff held the public’s attention for months, until the FBI relied on a third party to crack into the device.

But just a couple of years later, the FBI had obtained an even bigger backdoor into the communication channels of underground crime networks around the world, and they did it almost entirely off the radar.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevvy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.
> 
> Joseph Cox, author, Dark Wire, and 404 Media cofounder

Tune in today to listen to the full conversation.

Cox’s investigation into Anom, presented in his book titled Dark Wire, publishes June 4.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Tag

#intel