Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO.
"AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September

AkiraBot Targets 420,000 Sites with OpenAI-Generated Spam, Bypassing CAPTCHA Protections

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on…

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on over 4.4 million users/clients, including records tied to major organizations like NVIDIA, Texas.gov, and the National Institute of Standards and Technology (NIST).

Just hours after claiming responsibility for a **breach involving Magento**, a hacker known as “Satanic” has surfaced again, this time alleging a data breach connected to WooCommerce, one of the most widely used eCommerce platforms on the web.

According to a post made on **Breach Forums** earlier today, the threat actor claims the incident occurred on April 6, 2025, and involves the extraction of more than 4.4 million records containing detailed personal and business information.

The announcement suggests the data wasn’t pulled from **WooCommerce**‘s core infrastructure directly but rather from systems closely tied to websites using the platform, likely CRM or marketing automation tools connected through third-party integrations.

Satanic on Breach Forums (Screenshot credit: Hackread.com)

The data breach appears to include both customer and company-level information, including emails, phone numbers, physical addresses, and social media links to business data such as sales revenue, employee count, domain authority rankings, and platform usage.

In total, the hacker claims the database holds:

*   **998,000 phone numbers**

*   **4,432,120 individual records**

*   **1.3 million unique email addresses**

*   **Metadata on corporate websites, including technology stacks and payment solutions**.

****Top Organisations Listed in the Sample Data****

A 1,000-line sample shared by the hacker includes data from several notable websites, such as “nist.gov,” the official site of the National Institute of Standards and Technology (NIST), a U.S. Department of Commerce agency. Also listed is “texas.gov,” the official portal for the State of Texas.

In addition to government entities, the sample contains records linked to major organizations, including NVIDIA Corporation, the New York City Department of Education, the University of Oklahoma, and Oxford University Press, alongside data from other well-known institutions and private companies worldwide.

Each record includes detailed information typically found in well-arranged marketing databases, such as estimated revenue, number of SKUs (Stock Keeping units), marketing platforms in use (e.g., ActiveCampaign, HubSpot), hosting providers, and links to company social media.

Interestingly, several entries show references to WordPress CMS, with WooCommerce listed as the eCommerce plugin. Others highlight integrations with Salesforce, Pardot, and various payment platforms like PayPal and Stripe. This points to a data source larger than WooCommerce itself, possibly compiled through APIs or scraped from exposed CRM panels.

Sample data analysed by Hackread.com (Screenshot credit: Hackread.com)

****Data for Sale****

The hacker is currently offering the database for sale via direct messages or Telegram without listing a fixed price. According to their post, they are “taking offers only.”

This claim follows a growing pattern from the same actor, who recently alleged a breach involving **Magento** via a third party and previously took credit for the **Tracelo breach** affecting 1.4 million users. Just last week, Satanic also claimed to have **breached Twilio’s SendGrid**, though that incident was publicly denied by the company.

If the WooCommerce-related breach proves authentic, it would represent one of the largest known exposures involving WordPress-based commerce platforms this year. The combination of personal contact information, business intelligence, and technology stack profiling makes the dataset valuable for threat actors engaged in phishing, social engineering, or competitive intelligence scraping.

At the time of publishing, WooCommerce has not issued any public statement regarding the claim. While Hackread.com has reached out to the company, businesses relying on WooCommerce and connected CRM or marketing tools should consider reviewing their third-party integrations and checking for unusual data access patterns.

This story is developing.

Hacker Claims WooCommerce Data Breach, Selling 4m User Records

The Israeli spyware maker, still on the US Commerce Department’s “blacklist,” has hired a new lobbying firm with direct ties to the Trump administration, a WIRED investigation has found.

Shortly after Donald Trump declared victory in November, NSO Group cofounder and majority owner Omri Lavie rushed to X to congratulate him, speaking of a “new chapter where the world goes back to common sense,” while accusing the outgoing Biden administration of being “weak.” In another tweet, he gushed in Hebrew that Republicans “won in every category: the presidency, Congress, Senate, and the popular vote.”

Lavie’s enthusiasm is understandable. His company—frequently associated with alleged human rights abuses, most recently in February when journalists in Serbia were targeted with its Pegasus spyware—had a significant stake in a Trump victory, with the hopes of regaining the ability to freely do business with US entities. In a comment to Amnesty International, NSO stated, in part, that its “commitment to maintain the highest standard of ethical conduct as well as confidentiality towards our customers is paramount and is consistent with industry norms and our legal obligations.”

The Israeli spyware vendor has been on the US Commerce Department’s “blacklist” for more than three years, meaning it cannot do business with US companies without specific government approval. NSO Group poured at least $1.8 million into an aggressive pre-election lobbying effort, focusing primarily on Republican senators and representatives, with some meetings occurring as often as eight times. Yet the company remains on the Entity List.

Now, with a new occupant in the White House, NSO Group appears to be shifting its political strategy.

The company seems to have either terminated or altered its engagement with several of its previous lobbying consultancies in Washington—some of which were closely aligned with the Democrats—and has started working with a key new lobbying partner: the Vogel Group.

Founded by Alex Vogel, who served as chief counsel to former Senate majority leader Bill Frist, the Vogel Group is providing NSO Group with “strategic advisory on cybersecurity policy matters,” according to lobbying disclosure documents filed on March 10.

The Vogel Group’s connection to the Trump administration includes areas of key interest to NSO Group. One of the Israeli spyware vendor’s new lobbyists, Jonathan Fahey, joined Vogel’s Washington, DC, office as a principal on January 29 and served in various roles during Trump's first term, including acting director and acting principal legal adviser at Immigration and Customs Enforcement, deputy assistant secretary at the Department of Homeland Security, and general counsel to the White House Office of National Drug Control Policy—all three relevant departments for a company selling surveillance technology.

Another Vogel Group staffer, Hayden Jewett, is listed in disclosure records as assigned to lobby on behalf of NSO group. Jewett served as a congressional staff liaison to President Trump’s 2016 inauguration, facilitating coordination between congressional offices and the inaugural committee.

Law firm Holtzman Vogel—of which Alex Vogel is a partner—was founded by his wife, Jill Holtzman Vogel, a former Virginia state senator, a former chief counsel of the Republican National Committee (RNC), and a current principal at the Vogel Group. The firm has reportedly worked for the National Republican Senatorial Committee and the National Republican Congressional Committee and received in 2024 over $9.3 million in reported payments, with significant political funding from Republican organizations.

Holtzman Vogel also represented former Metropolitan Police Department lieutenant Andrew Zabavsky, who was pardoned by Trump in January 2025 for his conviction for obstruction of justice related to the investigation into the death of 20-year-old Karon Hylton-Brown, a case that sparked protests ahead of the 2020 US election.

Bill McGinley, a principal at the Vogel Group and former assistant to the president and cabinet secretary during Trump’s first term, left the lobbying firm after Trump appointed him to White House counsel on November 12. He was then reassigned as counsel to the so-called Department of Government Efficiency (DOGE) on December 4, only to leave on January 23.

“Lobbyists and advisers who have passed through the revolving door, having worked in the previous Trump White House or for the campaign, as well as those who are big campaign donors have a unique ability to bend the ear of the new administration,” says Dan Auble, a senior researcher at the nonprofit OpenSecrets, which tracks US political spending. “That access is very valuable.”

NSO Group spokesperson Gil Lainer declined to comment on the scope of the contract with the Vogel Group when asked by WIRED. The Vogel Group did not respond to WIRED’s request for comment.

**Closing the Circle**

NSO Group’s recent lobbying efforts appear to have mainly focused on Republican lawmakers, more than executive branch power players, particularly as the Biden administration had been engaged in a crackdown on commercial spyware. The company previously worked with several lobbying contractors, with whom it appears to have either terminated or altered its registrations.

These include its registrations under Foreign Agents Registration Act (FARA) with Pillsbury Winthrop Shaw Pittman LLP and Chartwell Strategy Group, as well as registrations under the Lobbying Disclosure Act (LDA) with law firms Paul Hastings LLP and Steptoe LLP. Pillsbury previously engaged Chartwell Strategy Group to provide NSO Group with “strategic communications counsel.” Chartwell Strategy Group has now, for the first time, registered under the LDA as a lobbyist for NSO Group, while the only current active registration of NSO Group under FARA is with Paul Hastings LLP.

Lobbyists representing foreign commercial interests—if their work is not intended to benefit a foreign government or political party—can be exempt from FARA and instead register under the LDA, which has no requirement to report specific meetings and is, overall, far less transparent than FARA.

Much of the public knowledge about NSO Group’s lobbying efforts came from FARA filings. Since both the Vogel Group and Chartwell Strategy Group are now registered under the LDA, it will now be more difficult to monitor their lobbying efforts.

Examining NSO Group's past and present consultants reveals numerous individuals who, one way or another, have been associated with the Trump administration. These people are not all lobbyists, but they do have direct connections to Trump world. They include David Tamasi, managing director at Chartwell Strategy and DC chairman of Trump’s 2016 joint fundraising committee, who bundled more than $500,000 for Trump’s campaign and the RNC in 2020, and at least $15,000 in 2024. His firm, a key player in NSO Group’s lobbying, had been actively preparing clients for Trump’s return.

Other NSO-connected figures also have close Trump ties: Bryan Lanza, a partner at Mercury Public Affairs, which consulted for the company from 2020 to 2021, is a veteran Trump ally; Michael Flynn, Trump’s former national security adviser, was paid nearly $100,000 by NSO Group’s parent firms, according to the The Washington Post, and was recently appointed by Trump to a West Point advisory board; Jeff Miller, who raised millions for Trump, received $170,000 from an NSO-linked company and was spotted at Trump’s 2024 election night event at Mar-a-Lago; and Rod Rosenstein, Trump’s former deputy attorney general, represented NSO Group in a lawsuit and previously helped justify Trump’s firing of FBI director James Comey.

Pillsbury Winthrop Shaw Pittman LLP, Chartwell Strategy Group, Paul Hastings LLP, and Steptoe LLP did not reply to WIRED’s request for comment. Nor did Flynn, Miller, or Rosenstein. Tamasi did not respond in time for publication.

**What Counts as a Win**

As of early March—before Vogel Group’s registration as a lobbyist for NSO Group—there had been no indication that the Trump administration intended to remove the company from the Entity List, according to a source familiar with the administration’s moves regarding spyware, who asked not to be named in order to discuss confidential matters. However, recent comments by NSO Group’s Lavie soft-peddled the impact of the Entity List on the company’s ability to operate in the US.

“\[The Americans\], when they say ‘blacklist,’ it sounds much more dramatic to me than it actually is,” Lavie claimed during an interview in Hebrew on an Israeli podcast following Trump’s election. He added: “You can still do business in the United States; it is definitely not a barrier for us to sell in the US.”

“In practice, we are on the list of Commerce, and what this does for us from a regulatory perspective, it simply forces American companies—if we want to buy technology from them—to ask for permission to sell us the technology. That's all,” Lavie said.

​​Lobbying efforts can target different parts of the US government. By lobbying the executive branch (the president and agencies), lobbyists can influence how laws are enforced rather than what the laws say. In contrast, when lobbying Congress, the focus is on passing, blocking, or amending laws by influencing legislators.

For example, for a company to be removed from the Entity List, it must go through a lengthy administrative process that includes a review by an interagency committee composed of representatives from the departments of Commerce, State, and Defense, among others. Although Congress could theoretically influence this process, it is not directly involved.

During the presidential transition period, NSO Group mainly focused on Congress and reached out to at least 10 Republican senators, representatives, and their staff, before beginning its outreach with the incoming administration. On February 2, the company shared its annual transparency report with Trump’s new deputy national security adviser, Alex Wong.

The Vogel Group could play a key role in supporting NSO Group if it attempts to engage with the new executive branch, including the president’s executive office, the National Security Council, and the State, Justice, and Commerce Departments, among other relevant agencies. Such engagement might aim not only at addressing NSO Group’s placement on the Entity List, but also at challenging the spyware-related visa restrictions imposed by the previous administration. In addition, the firm could potentially assist in efforts to roll back Executive Order 14093, signed by President Joe Biden, which continues to restrict the US government’s use of commercial spyware.

Asked whether the Trump administration intends to uphold the EO, White House press secretary Karoline Leavitt declined to comment.

“Much is at stake if the US revokes Executive Order 14093, an order that sets standards on US acquisition of spyware, as access to the US market, and US purchasing power, are great tools in shaping the global scope and scale of the market for spyware,” says Jen Roberts, the Atlantic Council’s associate director of the Cyber Statecraft Initiative and coauthor of a recent major report on the commercial spyware industry. Roberts also highlighted the need to better regulate US outbound investment into such technologies.

**Watching for Signs**

During Trump's first term, the FBI secretly acquired the Pegasus spyware for limited testing in 2019 and seriously contemplated its operational deployment; while during the final months of the administration in 2020, the US initiated a deal that financed the purchase of the Israeli spyware for Colombian security forces, according to the Colombian ambassador to the US and reported by Drop Site News. (The deal was finalized in 2021, after Trump left office.) In an official statement, NSO Group confirmed its dealings with Colombia but denied claims that the software was purchased irregularly. The New York Times also reported that in 2018 the CIA had purchased Pegasus for the government of Djibouti to conduct counterterrorism operations, while the Secret Service held discussions with NSO Group the same year.

The access and influence NSO Group could attain through lobbying efforts by companies like the Vogel Group and Chartwell Strategy Group could lead to a more favorable political environment and, in turn, potentially increase business opportunities under a second Trump administration—something very hard for outsiders to measure, given the opaque nature of government procurement of surveillance technologies.

In the coming weeks and months, NSO Group’s interactions with US government officials, facilitated by its lobbying, will be critical in achieving such a favorable political environment. Caroline Glick, an adviser to Israeli prime minister Benjamin Netanyahu, has also been recently lobbying the Trump White House—among others—on the matter of “request\[ing\] to check for options for lifting sanctions on Israeli technology companies,” according to reports in the Israeli media.

Experts closely monitoring the commercial spyware industry are raising the alarm about the prospect of NSO Group regaining business under Trump—further exacerbated by new reports that the company has been simultaneously pushing its interests on the international stage through the so-called Pall Mall Process, a UK- and France-led initiative to regulate such technologies.

“NSO has become a toxic brand that is widely associated not just with human rights abuses but also with national security threats to US, UK, France, and other countries,” says Natalia Krapiva, senior tech-legal counsel at civil-liberties-focused nonprofit Access Now.

Lainer, the NSO Group spokesperson, tells WIRED that the company “complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies, which use these technologies daily to prevent crime and terror attacks.” Lainer adds that NSO “has initiated and implemented the industry’s leading compliance and human rights program, which protects against misuse by government entities and investigates all credible claims of misuse”

Ultimately, the current administration will have the final say on how the US regulates NSO Group.

Senator Ron Wyden of Oregon, who has actively worked to address concerns related to surveillance and spyware, tells WIRED that “the Biden Administration blacklisted NSO” because its tool was used to “maliciously targeting journalists, human rights workers, and even US government officials around the world on behalf of foreign dictators and making all Americans less safe.”

“If Donald Trump puts the NSO Group back in business,” Wyden adds, “he'll be directly responsible for opening up new threats to our national security and enabling atrocities by foreign dictators.”

Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America

Another day, another data breach claim involving a high-profile company!

A hacker using the alias “Satanic” claims Magento breach via third-party, leaks CRM data of more than 700,000 users, including emails, phone numbers, and company info from major firms.

A threat actor known as “Satanic” has claimed responsibility for a new data breach involving **Magento**, the open-source e-commerce platform used by thousands of businesses globally. According to the hacker, the alleged data breach occurred on April 9, 2025, via a third-party integration, leading to the theft of a large dataset containing detailed business and personal contact information.

The breach, which remains unverified by Adobe (Magento’s parent company), includes what the hacker describes as 745,000 unique entries, with 430,000 unique email addresses and 261,000 phone numbers. The entire dataset has been leaked on **Breach Forums**, a notorious cybercrime and data breach platform.

Satanic’s post on Breach Forums claiming Megento data breach (Screenshot credit: Hackread.com)

****From BBC to Chicago Tribune****

As analysed by Hackread.com, the data appears to be pulled from a CRM system linked to Magento deployments and includes names, job titles, corporate emails, company domains, phone numbers, and social media links, including organizations from BBC to Chicago Tribune and many more.

A file titled “MagentoCRM”, shared as part of the leak, contains structured entries showing in-depth details for each record. In one example, a record tied to the BBC lists a director’s full contact data, along with links to the organization’s social profiles and metadata about business verticals, technology usage, and online storefronts.

The sample files also show CRM-style data rather than raw credentials or payment information, but the nature of the leak still poses a serious risk. The information could be used in phishing or B2B impersonation scams or for profiling high-value targets. Additionally, several records appear to contain verified LinkedIn accounts, corporate email aliases, and customer service contact details.

The database also includes technical metadata that could assist attackers in understanding each company’s tech stack, marketing platforms, and even their payment processors. One entry references Magento alongside Salesforce, Adobe Experience Manager, and Stripe, suggesting the breached data may have been extracted from a tech intelligence platform or CRM enrichment tool integrated into Magento workflows.

While the data itself appears real and not AI-generated, this breach claim follows Satanic’s appearance in headlines last week, after offering what they described as the **entire database of Twilio’s SendGrid** email platform. That breach was denied by Twilio, but the hacker has maintained their claim in cybercrime forums.

In September 2024, the same actor was behind the **Tracelo breach**, where data from 1.4 million users of a geolocation tracking service was leaked online. In addition to these incidents, Satanic is known for sharing infostealer logs via Telegram channels, which are often used by cybercriminals to distribute compromised credentials and digital fingerprints.

While Hackread.com has reached out to Adobe, businesses using Magento, particularly those with connected CRM tools, are urged to audit their integrations, monitor for suspicious activity, and review data access policies across connected services.

This incident adds to a growing list of **third-party supply chain risks** affecting digital commerce platforms, where the weakness lies not in the platform itself but in the data pipes feeding into it.

Hackers Claim Magento Breach via Third-Party, Leak CRM Data of 700K Users

Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages.
"As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly

Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages

Luxembourg, Luxembourg, 9th April 2025, CyberNewsWire

**Luxembourg, Luxembourg, April 9th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, has launched Super Transit, a cutting-edge DDoS protection and acceleration feature, designed to safeguard enterprise infrastructure while delivering lightning-fast connectivity. 

This comes as organizations face a 56% year-on-year increase in high-volume, complex DDoS attacks that disrupt operations, increase latency, and compromise network security. Traditional solutions often require expensive, complex integrations, but Super Transit is delivered as part of the Gcore DDoS Protection Suite. Using the Gcore global network of 180+ points of presence (PoP), traffic is automatically routed through the Gcore Anycast backbone, and any malicious traffic is intelligently split from legitimate traffic in real-time. This proactive detection, filtering, and mitigation of DDoS attacks means an uninterrupted user experience, so even during an attack, users remain unaffected and continue to experience stable, secure, high-speed connectivity. 

Gcore Super Transit, which is available to all customers now, optimizes performance and security through the following key differentiators: 

**1\. Real-time DDoS threat mitigation:** Detects and blocks malicious traffic in real-time at the nearest Gcore PoP, before it can reach user networks – minimizing impact on performance. 

**2\. Global-scale protection:** Comprehensive defense against DDoS attacks of any size, backed by a total filtering network capacity exceeding 200 Tbps. 

**3\. Consistent performance:** Traffic is filtered at the edge with legitimate traffic routed via the optimal path within Gcore’s high-performance backbone, eliminating unnecessary rerouting to external scrubbing centers and reducing latency. 

**4\. Cost-effective protection:** Optimizes security spending with flexible, integrated deployment options that balance performance and affordability. 

> Andrey Slastenov, Head of Security at Gcore, commented: “This is a hugely important launch for many reasons. Primarily, Super Transit allows for fast, worldwide access to our DDoS protection services, with real-time intelligent data analysis and filtering ensuring legitimate data is routed to servers efficiently. These are crucial capabilities as advanced DDoS protection for real-time services mitigates latency and outages that significantly impact user experience and enterprises’ business success.” 

**About Gcore** 

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 180 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Users can learn more at gcore.com or follow them on LinkedIn, Twitter, and Facebook.

**Contact**

**Gcore PR team**  
**gcore.com**  
**\[email protected\]**

Gcore Super Transit Brings Advanced DDoS Protection and Acceleration for Superior Enterprise Security and Speed

Security Operations Centers (SOCs) today face unprecedented alert volumes and increasingly sophisticated threats. Triaging and investigating these alerts are costly, cumbersome, and increases analyst fatigue, burnout, and attrition. While artificial intelligence has emerged as a go-to solution, the term “AI” often blurs crucial distinctions. Not all AI is built equal, especially in the SOC. Many

Agentic AI in the SOC - Dawn of Autonomous Alert Triage

Austin, TX, USA, 7th April 2025, CyberNewsWire

**Austin, TX, USA, April 7th, 2025, CyberNewsWire**

Deep visibility into malware-siphoned data can help close gaps in traditional defenses before they evolve into major cyber threats like ransomware and account takeover

SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections occur on devices with endpoint security solutions installed. SpyCloud offers integrations with leading endpoint detection and response (EDR) products, such as Crowdstrike Falcon and Microsoft Defender, that close this detection gap.

EDRs play a vital role in detecting, protecting against, and responding to threats on enterprise devices. Despite advanced AI detection and telemetry analysis offered in today’s EDR solutions, modern infostealer malware is designed to evade even the most sophisticated defenses, using tactics like polymorphic malware, memory-only execution, and exploitation of zero-day vulnerabilities or outdated software. The data speaks for itself: nearly one in two corporate users were already the victim of a malware infection in 2024, and in the year prior, malware was the cause of 61% of all breaches. 

SpyCloud’s findings underscore that while EDR and antivirus (AV) tools are essential and block a wide range of security threats, no security solution can block 100% of attacks. Organizations need to take a layered approach to close the gaps before attacks progress deeper into their environments, resulting in events like ransomware and account takeover.  

> “When a malware infection goes undetected, the consequences can be catastrophic,” said Damon Fleury, Chief Product Officer at SpyCloud. “We are in an arms race at the endpoint, where attackers are constantly evolving their tactics to skirt detection. SpyCloud provides a critical line of defense – uncovering infostealer infections that evade EDRs and AVs, detecting when stolen data begins circulating in the criminal underground, and automatically feeding that intelligence back to the EDR to quarantine the device and begin the post-infection remediation process.”

By closing this visibility gap, SpyCloud EDR integrations provide a new and powerful protection mechanism. Once malware exfiltrates credentials, personally identifiable information (PII), or session cookies, that stolen data becomes a launchpad for further entrenchment and compromise. SpyCloud helps stop cybercrime before it happens by identifying these identity risks early, mapping them back to impacted users, devices, and applications, and sending actionable intelligence to an organization’s EDR for response and remediation.  

> “As identity becomes the security perimeter, organizations need more than device-level protection; they need insight into what their endpoint solutions are missing,” added Fleury. “SpyCloud’s expertise in accessing malware logs before they’re broadly circulated among criminals enables faster, more targeted responses needed to address infections, prevent lateral movement, and block disruptive follow-on activities like admin lockout and ransomware deployment.”

To learn more about how SpyCloud can augment endpoint security strategy and remediate malware infections that EDRs and AVs may miss, users can **register to join SpyCloud’s upcoming virtual event on April 10**, where experts will walk through the data, explain the attack chain in detail, and demo how SpyCloud’s EDR integrations work in real-world scenarios. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

New Xanthorox AI hacking platform spotted on dark web with modular tools, offline mode, and advanced voice, image, and code-based cyberattack features.

A sophisticated new artificial intelligence (AI) platform tailored for offensive cyber operations, named Xanthorox AI, has been identified by cybersecurity firm SlashNext. First appearing in late Q1 2025, Xanthorox AI is reportedly circulating within cybercrime communities on darknet forums and encrypted channels.

According to SlashNext’s investigation, shared with Hackread.com ahead of its publishing on Monday, Xanthorox stands out from previous malicious AI tools like WormGPT, FraudGPT and EvilGPT due to its independent, multi-model framework. The system is based on five distinct AI models optimized for specific cyber operations.

These models are hosted on private servers under the seller’s control rather than public cloud infrastructure or openly accessible APIs. This unique setup sets Xanthorox AI apart from previous malicious tools that often relied on existing large language models (LLMs).

Xanthorox AI is a fully custom-built platform that uses “fully custom-built language models” instead of established models like LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling automated and interactive attacks.

Its modular design allows for future updates or the replacement of specific functionalities. Xanthorox AI also has built-in voice and image handling modules. It can perform live internet search scraping using over 50 engines, offering up-to-date information. It also offers offline functionality, allowing users to use it without a constant network connection. The platform also emphasizes data containment to eliminate third-party AI data collection risks.

The toolkit includes the Xanthorox Coder, which automates tasks such as code creation and script development, while Xanthorox Vision adds visual intelligence by allowing users to upload images or screenshots for analysis. Reasoner Advanced aims to replicate human-like decision-making, supporting tasks requiring logical consistency and persuasive communication.

The platform also facilitates voice-based interaction through real-time voice calls and asynchronous voice messaging, allowing hands-free command and control. Overall, Xanthorox AI offers a versatile hacking assistant representing a significant advancement in cyberattack capabilities, enabling more precise and scalable phishing campaigns and malware creation.

Screenshot: SlashNext

“Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations. From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant,” researchers wrote in their blog post.

Its emergence highlights the importance of adopting advanced AI-powered detection technologies, including AI-powered threat detection platforms capable of behavioural anomaly analysis and signature-less malware identification, email security solutions employing AI-based content and intent analysis, and network security measures incorporating AI-driven intrusion detection and prevention systems.

Casey Ellis, Founder at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, called it “a fascinating development,” noting that the cybercriminal ecosystem works like any service industry, with specialized groups and “startups” creating competitive advantages. He highlighted the thought and R&D behind the toolkit, the local model tuning that avoids reliance on major vendors, and praised the expert mix as the most effective way to build a flexible AI-powered attack platform.

Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the Federal Bureau of Investigation (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert's testimony may have been pivotal.

A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the **Federal Bureau of Investigation** (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert’s testimony may have been pivotal.

One might conclude from reading Mr. Lanterman’s LinkedIn profile that has a degree from Harvard University.

**Mark Lanterman** is a former investigator for the U.S. Secret Service Electronics Crimes Task Force who founded the Minneapolis consulting firm **Computer Forensic Services** (CFS). The CFS website says Lanterman’s 30-year career has seen him testify as an expert in more than 2,000 cases, with experience in cases involving sexual harassment and workplace claims, theft of intellectual property and trade secrets, white-collar crime, and class action lawsuits.

Or at least it did until last month, when Lanterman’s profile and work history were quietly removed from the CFS website. The removal came after **Hennepin County Attorney’s Office** said it was notifying parties to ten pending cases that they were unable to verify Lanterman’s educational and employment background. The county attorney also said the FBI is now investigating the allegations.

Those allegations were raised by **Sean Harrington**, an attorney and forensics examiner based in Prescott, Wisconsin. Harrington alleged that Lanterman lied under oath in court on multiple occasions when he testified that he has a Bachelor of Science and a Master’s degree in computer science from the now-defunct **Upsala College**, and that he completed his postgraduate work in cybersecurity at **Harvard University**.

Harrington’s claims gained steam thanks to digging by the law firm **Perkins Coie LLP**, which is defending a case wherein a client’s laptop was forensically reviewed by Lanterman. On March 14, Perkins Coie attorneys asked the judge (PDF) to strike Lanterman’s testimony because neither he nor they could substantiate claims about his educational background.

Upsala College, located in East Orange, N.J., operated for 102 years until it closed in 1995 after a period of declining enrollment and financial difficulties. Perkins Coie told the court that they’d visited **Felician University**, which holds the transcripts for Upsala College during the years Lanterman claimed to have earned undergraduate and graduate degrees. The law firm said Felician had no record of transcripts for Lanterman (PDF), and that his name was absent from all of the Upsala College student yearbooks and commencement programs during that period.

Reached for comment, Lanterman acknowledged he had no way to prove he attended Upsala College, and that his “postgraduate work” at Harvard was in fact an eight-week online cybersecurity class called **HarvardX**, which cautions that its certificates should not be considered equivalent to a Harvard degree or a certificate earned through traditional, in-person programs at Harvard University.

Lanterman has testified that his first job after college was serving as a police officer in Springfield Township, Pennsylvania, although the Perkins Coie attorneys noted that this role was omitted from his resume. The attorneys said when they tried to verify Lanterman’s work history, “the police department responded with a story that would be almost impossible to believe if it was not corroborated by Lanterman’s own email communications.”

As recounted in the March 14 filing, Lanterman was deposed on Feb. 11, and the following day he emailed the Springfield Township Police Department to see if he could have a peek at his old personnel file. On Feb. 14, Lanterman visited the Springfield Township PD and asked to borrow his employment record. He told the officer he spoke with on the phone that he’d recently been instructed to “get his affairs in order” after being diagnosed with a grave heart condition, and that he wanted his old file to show his family about his early career.

According to Perkins Coie, Lanterman left the Springfield Township PD with his personnel file, and has not returned it as promised.

“It is shocking that an expert from Minnesota would travel to suburban Philadelphia and abscond with his decades-old personnel file to obscure his background,” the law firm wrote. “That appears to be the worst and most egregious form of spoliation, and the deception alone is reason enough to exclude Lanterman and consider sanctions.”

Harrington initially contacted KrebsOnSecurity about his concerns in late 2023, fuming after sitting through a conference speech in which Lanterman shared documents from a ransomware victim and told attendees it was because they’d refused to hire his company to perform a forensic investigation on a recent breach.

“He claims he was involved in the Martha Stewart investigation, the Bernie Madoff trial, Paul McCartney’s divorce, the Tom Petters investigation, the Denny Hecker investigation, and many others,” Harrington said. “He claims to have been invited to speak to the Supreme Court, claims to train the ‘entire federal judiciary’ on cybersecurity annually, and is a faculty member of the United States Judicial Conference and the Judicial College — positions which he obtained, in part, on a house of fraudulent cards.”

In an interview this week, Harrington said court documents reveal that at least two of Lanterman’s previous clients complained CFS had held their data for ransom over billing disputes. In a declaration (PDF) dated August 2022, the co-founder of the law firm **MoreLaw Minneapolis LLC** said she hired Lanterman in 2014 to examine several electronic devices after learning that one of their paralegals had a criminal fraud history.

But the law firm said when it pushed back on a consulting bill that was far higher than expected, Lanterman told them CFS would “escalate” its collection efforts if they didn’t pay, including “a claim and lien against the data which will result in a public auction of your data.”

“All of us were flabbergasted by Mr. Lanterman’s email,” wrote MoreLaw co-founder **Kimberly Hanlon**. “I had never heard of any legitimate forensic company threatening to ‘auction’ off an attorney’s data, particularly knowing that the data is comprised of confidential client data, much of which is sensitive in nature.”

In 2009, a Wisconsin-based manufacturing company that had hired Lanterman for computer forensics balked at paying an $86,000 invoice from CFS, calling it “excessive and unsubstantiated.” The company told a Hennepin County court that on April 15, 2009, CFS conducted an auction of its trade secret information in violation of their confidentiality agreement.

“CFS noticed and conducted a Public Sale of electronic information that was entrusted to them pursuant to the terms of the engagement agreement,” the company wrote. “CFS submitted the highest bid at the Public Sale in the amount of $10,000.”

Lanterman briefly responded to a list of questions about his background (and recent heart diagnosis) on March 24, saying he would send detailed replies the following day. Those replies never materialized. Instead, Lanterman forwarded a recent memo he wrote to the court that attacked Harrington and said his accuser was only trying to take out a competitor. He has not responded to further requests for comment.

“When I attended Upsala, I was a commuter student who lived with my grandparents in Morristown, New Jersey approximately 30 minutes away from Upsala College,” Lanterman explained to the judge (PDF) overseeing a separate ongoing case (PDF) in which he has testified. “With limited resources, I did not participate in campus social events, nor did I attend graduation ceremonies. In 2023, I confirmed with Felician University — which maintains Upsala College’s records — that they could not locate my transcripts or diploma, a situation that they indicated was possibly due to unresolved money-related issues.”

Lanterman was ordered to appear in court on April 3 in the case defended by Perkins Coie, but he did not show up. Instead, he sent a message to the judge withdrawing from the case.

“I am 60 years old,” Lanterman told the judge. “I created my business from nothing. I am done dealing with the likes of individuals like Sean Harrington. And quite frankly, I have been planning at turning over my business to my children for years. That time has arrived.”

Lanterman’s letter leaves the impression that it was his decision to retire. But according to an affidavit (PDF) filed in a Florida case on March 28, Mark Lanterman’s son Sean said he’d made the difficult decision to ask his dad to step down given all the negative media attention.

**Mark Rasch**, a former federal cybercrime prosecutor who now serves as counsel to the New York cybersecurity intelligence firm Unit 221B, said that if an expert witness is discredited, any defendants who lost cases that were strongly influenced by that expert’s conclusions at trial could have grounds for appeal.

Rasch said law firms who propose an expert witness have a duty in good faith to vet that expert’s qualifications, knowing that those credentials will be subject to cross-examination.

“Federal rules of civil procedure and evidence both require experts to list every case they have testified in as an expert for the past few years,” Rasch said. “Part of that due diligence is pulling up the results of those cases and seeing what the nature of their testimony has been.”

Perhaps the most well-publicized case involving significant forensic findings from Lanterman was the 2018 conviction of **Stephen Allwine**, who was found guilty of killing his wife two years earlier after attempts at hiring a hitman on the dark net fell through. Allwine is serving a sentence of life in prison, and continues to maintain that he was framed, casting doubt on computer forensic evidence found on 64 electronic devices taken from his home.

On March 24, Allwine petitioned a Minnesota court (PDF) to revisit his case, citing the accusations against Lanterman and his role as a key witness for the prosecution.

Tag

#intel