404Media is reporting that the FBI could not access a reporter’s iPhone because it had Lockdown Mode enabled:
The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.
“Because the iPhone was in Lockdown mode, CART could not extract that device,” the court record reads, referring to the FBI’s Computer Analysis Response Team, a unit focused on performing forensic analyses of seized devices. The document is written by the government, and is opposing the return of Natanson’s devices.
The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information. The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information. While executing a search warrant for his mobile phone, investigators reviewed Signal messages between Pere-Lugones and the reporter, the Department of Justice previously said.
Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year.
It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that means someone can access their data if they forget their password, or if repeated failed attempts to login lock the device, it also makes them vulnerable to law enforcement subpoenas and warrants.
RAMP—the predominantly Russian-language online bazaar that billed itself as the “only place ransomware allowed”—had its dark web and clear web sites seized by the FBI as the agency tries to combat the growing scourge threatening critical infrastructure and organizations around the world.
Visits to both sites on Wednesday returned pages that said the FBI had taken control of the RAMP domains, which mirrored each other. RAMP has been among the dwindling number of online crime forums to operate with impunity, following the takedown of other forums such as XSS, which saw its leader arrested last year by Europol. The vacuum left RAMP as one of the leading places for people pushing ransomware and other online threats to buy, sell, or trade products and services.
I regret to inform you
“The Federal Bureau of Investigation has seized RAMP,” a banner carrying the seals of the FBI and the Justice Department said. “This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.” The banner included a graphic that appeared on the RAMP site, before it was seized, that billed itself as the “only place ransomware allowed.”
Read Alan's sharp critique of federal cyber agencies withdrawing from RSAC over leadership politics—and why sidelining collaboration hurts the entire cybersecurity community.
The FBI is warning that that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.”
The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.”
Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.
FBI Details Kimsuky QR Spearphishing Incidents
The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns.
In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire.
Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive.
Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.”
In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page that included a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.”
It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 of a spearphishing campaign that targeted think tanks, academic institutions and news organizations.
FBI Defines Quishing Tactics and Procedures
The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.”
QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said. Victims are typically re-routed by the attacks to collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.”
Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.
Protecting Against QR and Quishing Attacks
The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:
Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.”
Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
All credential entry and network activity following QR code scans should be logged and monitored for possible compromises.
Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.
The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.
The U.S. Department of Justice has announced a major disruption of a bank account takeover fraud operation that led to more than $28 million in unauthorized bank transfers from victims across the United States. Federal authorities seized a web domain and its supporting database that played a central role in helping criminals steal bank login details and drain victim accounts.
The seized domain, web3adspanels.org, was used as a backend control panel to store and manage stolen login credentials. According to investigators, the domain supported an organized scheme that targeted Americans through advanced impersonation scams and phishing advertisements designed to look like legitimate bank services.
How the Bank Account Takeover Fraud Worked
Court documents reveal that the criminal group relied heavily on fraudulent search engine advertisements. These phishing advertisements appeared on popular platforms such as Google and Bing and closely mimicked sponsored ads from real financial institutions.
[caption id="attachment_108029" align="aligncenter" width="1000"] Image Source: https://www.justice.gov/[/caption]
When users clicked on these fraudulent search ads, they believed they were visiting their bank’s official website. In reality, they were redirected to fake bank websites controlled by the attackers. Once victims entered their usernames and passwords, malicious software embedded in the fake pages captured those details in real time.
The stolen login credentials were then used to access legitimate bank accounts. From there, the criminals initiated unauthorized bank transfers, effectively draining funds before victims realized their accounts had been compromised.
Investigators confirmed that the seized domain continued hosting stolen credentials and backend infrastructure as recently as November 2025.
Financial Impact and Victims Identified
So far, the FBI has identified at least 19 confirmed victims across multiple U.S. states. This includes two businesses located in the Northern District of Georgia. The scheme resulted in attempted losses of approximately $28 million, with actual confirmed losses reaching around $14.6 million.
The server linked to the seized domain contained thousands of stolen login credentials, suggesting that the total number of affected individuals and organizations could be significantly higher. Authorities believe the web domain seizure has cut off the criminals’ ability to access and exploit this sensitive data.
Rising Threat Highlighted by FBI IC3 Data
Since January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to bank account takeover fraud. Reported losses from these incidents now exceed $262 million nationwide.
In response, the FBI has issued public warnings urging individuals and businesses to remain vigilant. Recommended steps include closely monitoring financial accounts, using saved bookmarks instead of search engine links to access banking websites, and staying alert for impersonation scams and phishing attempts.
International Cooperation and Ongoing Investigation
The investigation is being led by the FBI Atlanta Field Office, with prosecutors from the U.S. Attorney’s Office for the Northern District of Georgia and the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS). International partners played a critical role, including law enforcement agencies from Estonia and Georgia.
Estonian authorities preserved and collected key evidence from servers hosting the phishing pages and stolen login credentials. The Department of Justice’s Office of International Affairs also provided substantial assistance, highlighting the importance of cross-border cooperation in tackling cybercrime.
Since 2020, CCIPS has secured convictions against more than 180 cybercriminals and obtained court orders returning over $350 million to victims. Officials say the seizure of web3adspanels.org represents another important step in disrupting global cyber fraud networks and protecting victims from future financial harm.
The FBI Anchorage Field Office has issued a public warning after seeing a sharp increase in fraud cases targeting residents across Alaska. According to federal authorities, scammers are posing as law enforcement officers and government officials in an effort to extort money or steal sensitive personal information from unsuspecting victims.
The warning comes as reports continue to rise involving unsolicited phone calls where criminals falsely claim to represent agencies such as the FBI or other local, state, and federal law enforcement bodies operating in Alaska. These scams fall under a broader category of law enforcement impersonation scams, which rely heavily on fear, urgency, and deception.
How the Phone Scam Works
Scammers typically contact victims using spoofed phone numbers that appear legitimate. In many cases, callers accuse individuals of failing to report for jury duty or missing a court appearance. Victims are then told that an arrest warrant has been issued in their name.
To avoid immediate arrest or legal consequences, the caller demands payment of a supposed fine. Victims are pressured to act quickly, often being told they must resolve the issue immediately. According to the FBI, these criminals may also provide fake court documents or reference personal details about the victim to make the scam appear more convincing.
In more advanced cases, scammers may use artificial intelligence tools to enhance their impersonation tactics. This includes generating realistic voices or presenting professionally formatted documents that appear to come from official government sources. These methods have contributed to the growing sophistication of government impersonation scams nationwide.
Common Tactics Used by Scammers
Authorities note that these scams most often occur through phone calls and emails. Criminals commonly use aggressive language and insist on speaking only with the targeted individual. Victims are often told not to discuss the call with family members, friends, banks, or law enforcement agencies.
Payment requests are another key red flag. Scammers typically demand money through methods that are difficult to trace or reverse. These include cash deposits at cryptocurrency ATMs, prepaid gift cards, wire transfers, or direct cryptocurrency payments. The FBI has emphasized that legitimate government agencies never request payment through these channels.
FBI Clarifies What Law Enforcement Will Not Do
The FBI has reiterated that it does not call members of the public to demand payment or threaten arrest over the phone. Any call claiming otherwise should be treated as fraudulent. This clarification is a central part of the FBI’s broader FBI scam warning Alaska residents are being urged to take seriously.
Impact of Government Impersonation Scams
Data from the FBI’s Internet Crime Complaint Center (IC3) highlights the scale of the problem. In 2024 alone, IC3 received more than 17,000 complaints related to government impersonation scams across the United States. Reported losses from these incidents exceeded $405 million nationwide.
Alaska has not been immune. Reported victim losses in the state surpassed $1.3 million, underscoring the financial and emotional impact these scams can have on individuals and families.
How Alaskans Can Protect Themselves
To reduce the risk of falling victim, the FBI urges residents to “take a beat” before responding to any unsolicited communication. Individuals should resist pressure tactics and take time to verify claims independently.
The FBI strongly advises against sharing or confirming personally identifiable information with anyone contacted unexpectedly. Alaskans are also cautioned never to send money, gift cards, cryptocurrency, or other assets in response to unsolicited demands.
What to Do If You Are Targeted
Anyone who believes they may have been targeted or victimized should immediately stop communicating with the scammer. Victims should notify their financial institutions, secure their accounts, contact local law enforcement, and file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov. Prompt reporting can help limit losses and prevent others from being targeted.
The FBI is warning of AI-assisted fake kidnapping scams:
Criminal actors typically will contact their victims through text message claiming they have kidnapped their loved one and demand a ransom be paid for their release. Oftentimes, the criminal actor will express significant claims of violence towards the loved one if the ransom is not paid immediately. The criminal actor will then send what appears to be a genuine photo or video of the victim’s loved one, which upon close inspection often reveals inaccuracies when compared to confirmed photos of the loved one. Examples of these inaccuracies include missing tattoos or scars and inaccurate body proportions. Criminal actors will sometimes purposefully send these photos using timed message features to limit the amount of time victims have to analyze the images.
Images, videos, audio: It can all be faked with AI. My guess is that this scam has a low probability of success, so criminals will be figuring out how to automate it.
The FBI has issued a public service announcement warning about a surge in account takeover (ATO) fraud, and the timing lines up with a major alert Amazon has just sent to its 300 million customers about brand impersonation scams.
How ATO fraud works
Account takeover fraud is just what it says: Scammers figure out a way to hijack your account and use it for their own gain. It affects everything from email and social media to retailer, travel, and banking accounts. Criminals use plenty of tactics, including malware on your computer or phone, or “credential stuffing,” where they try compromised passwords across lots of sites.
The FBI’s new alert focuses on attackers who impersonate customer support or tech support from your bank. Amazon’s warning describes almost identical techniques, but aimed at Amazon shoppers instead of banking customers.
Attackers send texts, emails and make phone calls designed to fool you into giving away your username and password, and even your multi-factor authentication (MFA) codes. Once they’re in the account, scammers quickly reset passwords or other access controls, locking you out of your own account.
Fake websites, fake alerts, and fake customer support
The FBI highlights another technique used for similar purposes: website-based phishing. The scammer will direct you to a fake site that looks just like your bank’s login page. The moment you enter your details, the criminals steal them and use them on the real banking site.
Amazon says the same thing is happening to its customers. In a warning email sent November 24, it listed the attacks it is seeing most often:
Fake delivery notices or account-issue messages
Third-party ads offering unbelievable deals
Messages via unofficial channels requesting login or payment information
Links to look-alike websites
Unsolicited “Amazon support” phone calls
One of the FBI’s examples mirrors this almost exactly: Attackers claim there has been fraudulent activity on your account and urge you to click a link to “fix” it, but it sends you straight to a phishing site.
How do the scammers get you to these sites?
Search engine optimization (SEO) poisoning is one common technique, the FBI says. Scammers buy ads with search engines that direct users to their malicious sites. Many mimic household names with tiny variations that are easy to miss when you’re in a hurry.
Amazon’s warning is backed up by research from FortiGuard Labs, which found that 19,000+ new domains set up to imitate major retail brands. 2,900 of those were proven to be malicious.
This wave of impersonation attacks isn’t limited to search ads and look-alike domains. Researchers have also uncovered a system called Matrix Push C2 that abuses browser push notifications to deliver fake alerts designed to look like they’re from trusted brands such as Netflix, PayPal, and Cloudflare. Once clicked, those alerts lead victims to phishing pages or malware, giving attackers yet another path to steal login details or take over accounts.
A growing epidemic
This type of fraud is on the rise. According to TransUnion, digital account takeover climbed 21% from H1 2024 to H1 2025, and 141% since H1 2021. It’s big business; the FBI has received over 5,100 complaints since January, and says that losses have hit $262 million.
This is a popular time for scammers to ramp up ATO fraud. Amazon’s alert comes at one of the busiest online shopping periods of the year—Black Friday and the run-up to the holidays.
And while MFA is important, it doesn’t always save you. Proofpoint found that 65% of compromised accounts had MFA enabled. But if you give up your secrets to a scammer, they have the keys to the kingdom.
Passwordless options such as passkeys promise better security because then there’s no MFA code to give up (you just use biometric access or click on a browser prompt to log in). However, those are still relatively uncommon compared to passwords, and when they do exist, people don’t often use them.
How to protect yourself
Cybercriminals prey on the vulnerable and the distracted. Brand impersonation works because attackers lean hard on urgency. They claim your account has been breached, or a large transaction has gone through, or a delivery can’t be completed.
Scammers are experts at using fear to get past your emotional defenses. In one inventive twist highlighted by the FBI, scammers told victims their details were used for firearms purchases, then transferred them to a fake “law enforcement” accomplice. Once fear kicks in, people act fast.
Whether the scammer is posing as Amazon, your bank, or a courier service, the same rules apply:
Bookmark your bank and retailer login pages. Don’t search for them, as results can be spoofed.
Use official apps. Download your bank or Amazon app directly from an official link, not through a search engine.
Be stingy with personal info. Pet names, schools, and birthdays can help criminals with “security questions.”
Be skeptical of caller ID. It can be spoofed. Hang up, then call back using a verified number.
Use passkeys if offered. They cut out SMS codes entirely and help prevent phishing.
Never share one-time codes. No legitimate company will ask.
Amazon also reminds users:
It will never ask for payment information over the phone.
It will never send emails asking customers to verify login details.
All account changes, tracking, and refunds should go through the Amazon app or website only.
If you do think you’ve been hit by an ATO scam, contact your bank immediately to try and recall or reverse any fraudulent transactions. It might still not be too late, but every second counts. Also, file a complaint with the FBI’s IC3 online crime unit.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
The Account Takeover fraud threat is accelerating across the United States, prompting the Federal Bureau of Investigation (FBI) to issue a new alert warning individuals, businesses, and organizations of all sizes to stay vigilant. According to the FBI Internet Crime Complaint Center (IC3), more than 5,100 complaints related to ATO fraud have been filed since January 2025, with reported losses exceeding $262 million.
The bureau warns that cyber criminals are increasingly impersonating financial institutions to steal money or sensitive information.
As the annual Black Friday sale draws millions of shoppers online, the FBI notes that the surge in digital purchases creates an ideal environment for Account Takeover fraud. With consumers frequently visiting unfamiliar retail websites and acting quickly to secure limited-time deals, cyber criminals deploy fake customer support calls, phishing pages, and fraudulent ads disguised as payment or discount portals.
The increased online activity during Black Friday makes it easier for attackers to blend in and harder for victims to notice red flags, making the shopping season a lucrative window for ATO scams.
How Account Takeover Fraud Works
In an ATO scheme, cyber criminals gain unauthorized access to online financial, payroll, or health savings accounts. Their goal is simple: steal funds or gather personal data that can be reused for additional fraudulent activities. The FBI notes that these attacks often start with impersonation, either of a financial institution’s staff, customer support teams, or even the institution’s official website.
To carry out their schemes, criminals rely heavily on social engineering and phishing websites designed to look identical to legitimate portals. These tactics create a false sense of trust, encouraging account owners to unknowingly hand over their login credentials.
Social Engineering Tactics Increase in Frequency
The FBI highlights that most ATO cases begin with social engineering, where cyber criminals manipulate victims into sharing sensitive information such as passwords, multi-factor authentication (MFA) codes, or one-time passcodes (OTP).
Common techniques include:
Fraudulent text messages, emails, or calls claiming unusual activity or unauthorized charges. Victims are often directed to click on phishing links or speak to fake customer support representatives.
Attackers posing as bank employees or technical support agents who convince victims to share login details under the guise of preventing fraudulent transactions.
Scenarios where cyber criminals claim the victim’s identity was used to make unlawful purchases—sometimes involving firearms, and escalate the scam by introducing another impersonator posing as law enforcement.
Once armed with stolen credentials, criminals reset account passwords and gain full control, locking legitimate users out of their own accounts.
Phishing Websites and SEO Poisoning Drive More Losses
Another growing trend is the use of sophisticated phishing domains and websites that perfectly mimic authentic financial institution portals. Victims believe they are logging into their bank or payroll system, but instead, they are handing their details directly to attackers.
The FBI also warns about SEO poisoning, a method in which cyber criminals purchase search engine ads or manipulate search rankings to make fraudulent sites appear legitimate. When victims search for their bank online, these deceptive ads redirect them to phishing sites that capture their login information.
Once attackers secure access, they rapidly transfer funds to criminal-controlled accounts—many linked to cryptocurrency wallets—making transactions difficult to trace or recover.
How to Stay Protected Against ATO Fraud
The FBI urges customers and businesses to take proactive measures to defend against ATO fraud attempts:
Limit personal information shared publicly, especially on social media.
Monitor financial accounts regularly for missing deposits, unauthorized withdrawals, or suspicious wire transfers.
Use unique, complex passwords and enable MFA on all accounts.
Bookmark financial websites and avoid clicking on search engine ads or unsolicited links.
Treat unexpected calls, emails, or texts claiming to be from a bank with skepticism.
What To Do If You Experience an Account Takeover
Victims of ATO fraud are advised to act quickly:
Contact your financial institution immediately to request recalls or reversals, and report the incident to IC3.gov.
Reset all compromised credentials, including any accounts using the same passwords.
File a detailed complaint at IC3.gov with all relevant information, such as impersonated institutions, phishing links, emails, or phone numbers used.
Notify the impersonated company so it can warn others and request fraudulent sites be taken down.
Stay informed through updated alerts and advisories published on IC3.gov.
The FBI has issued a fresh alert warning the public about a growing wave of IC3 impersonation scams, where fraudsters pose as officials from the Internet Crime Complaint Center (IC3) to deceive individuals into sharing sensitive information or paying fraudulent fees.
According to the Bureau, more than 100 such cases were reported between December 2023 and February 2025, signaling a concerning rise in criminal attempts disguised as official outreach.
IC3 Impersonation Scams Are Increasing Nationwide
In its latest public communication, the FBI emphasized that the IC3 does not directly contact victims for money, personal data, or case updates. Yet, scammers continue to exploit the trust associated with the organization, using emails, phone calls, social media, and messaging apps to trick victims, often by claiming they have recovered previously lost funds.
A particularly troubling variant of IC3 impersonation scams involves scammers posing as financial fraud victims online. They create fake female profiles, join support groups, and recommend contacting a supposed “Chief Director” of IC3 named Jaime Quin on Telegram.
Once victims reach out, the scammer claims to have recovered their stolen money but uses this pretext to gather financial information and re-target victims who have already suffered losses.
How the Scam Works
Reports show that initial contact methods vary, but the tactic generally follows a predictable pattern:
Scammers falsely claim to work with IC3 or the FBI.
They offer assistance in recovering lost funds or say money has already been recovered.
Once trust is gained, they request personal or financial details.
Victims are then pressured into sending additional payments or revealing sensitive data.
Authorities reiterate that the Internet Crime Complaint Center does not charge fees, does not work with third-party recovery companies, and never reaches out to individuals via social platforms or messaging apps.
[caption id="attachment_107108" align="aligncenter" width="975"] Source: FBI[/caption]
How to Protect Yourself
The FBI advises the public to stay vigilant and follow these safety guidelines:
IC3 will never contact individuals directly via phone, social media, or email.
Do not share personal or financial information with people you meet online or through unsolicited communication.
Avoid sending money, cryptocurrency, or gift cards to unknown individuals.
Be cautious of anyone claiming to be an IC3 representative, especially if they ask for payment.
Report Suspicious Activity Immediately
Victims are urged to report suspected fraud to ic3.gov, providing details such as communication methods, financial transaction records, and information about the individual or company involved.
Individuals aged 60 and above who need help filing a complaint can contact the Department of Justice’s Elder Justice Hotline at 1-833-FRAUD-11.
Indian authorities recovered Rs. 14 lakh (approximately $16,500) along with 52 laptops containing incriminating digital evidence when they arrested Vikas Kumar Nimar, a key cybercrime kingpin and fugitive who had evaded capture for two months while continuing to operate an illegal call center defrauding American citizens.
The arrest by India's Central Bureau of Investigation (CBI) marks the latest disruption in Operation Chakra, a coordinated international crackdown targeting transnational tech support scam networks that have stolen more than $40 million from victims in the United States, United Kingdom, Australia, and European Union countries.
The CBI registered the case against Nimar on September 24, 2024, conducting extensive searches at multiple locations in September that dismantled four illegal call centers operated by the accused in Pune, Hyderabad, and Visakhapatnam. Nimar, who was instrumental in establishing and operating the illegal call center VC Informetrix Pvt. Ltd at Pune and Visakhapatnam, went into hiding following the initial raids.
The CBI obtained an arrest warrant from the Chief Judicial Magistrate Court in Pune and tracked Nimar to his residential premises in Lucknow. Searches conducted during the November 20, 2025, arrest led to recovery of cash, mobile phones, and incriminating documents pertaining to the crimes.
During search operations, investigators discovered Nimar had established another illegal call center in Lucknow continuing to target US nationals despite being a fugitive. The CBI immediately dismantled this fifth operation, seizing 52 laptops containing digital evidence used in the cybercrime network's operations.
The agency said investigations continue with efforts to identify additional accomplices and trace stolen funds through cryptocurrency channels.
[caption id="attachment_107086" align="aligncenter" width="350"]Source: CBI on X platform[/caption]
Pattern of Tech Support Scams
The cybercrime networks dismantled through Operation Chakra employ social engineering tactics to defraud victims. Criminals contact targets claiming their bank accounts have been compromised, exploiting fear of financial loss to manipulate victims into taking immediate action.
Under the guise of providing technical assistance, fraudsters gain remote access to victims' computers and convince them to transfer money into cryptocurrency wallets they control. The operations targeted US nationals from 2023 to 2025, with one network alone defrauding American citizens of more than $40 million through these tactics.
The illegal call centers operate under legitimate-sounding company names to establish credibility. Previous raids uncovered operations running as "M/s Digipaks The Future of Digital" in Amritsar, "FirstIdea" in Delhi's Special Economic Zone, and VC Informetrix Pvt. Ltd in Pune and Visakhapatnam.
Operation Chakra represents extensive collaboration between Indian authorities and international law enforcement agencies. The CBI works closely with INTERPOL, the US Federal Bureau of Investigation, the UK's National Crime Agency, Homeland Security Investigations, and private sector partners including Microsoft Corporation.
Intelligence sharing from US authorities triggered the earlier investigation that led to raids uncovering the large-scale illegal call center in Amritsar. That operation intercepted 34 individuals engaged in active fraud, seizing 85 hard drives, 16 laptops, and 44 mobile phones loaded with incriminating digital evidence.
Operation Chakra-III's September raids last year across Mumbai, Kolkata, Pune, Hyderabad, Ahmedabad, and Visakhapatnam resulted in 26 arrests and seizure of 57 gold bars, Rs. 60 lakh in cash, 951 electronic devices, and three luxury vehicles. The coordinated strikes targeted call centers where over 170 individuals engaged in various forms of online fraud primarily targeting US citizens.
Cryptocurrency Laundering Networks
The networks rely heavily on cryptocurrency to launder stolen funds, presenting challenges for traditional financial crime investigations. Virtual asset transactions allow criminals to quickly move funds across borders with perceived anonymity, complicating recovery efforts.
One investigation revealed that key suspect Vishnu Rathi's group had scammed a US citizen into transferring nearly half a million dollars into cryptocurrency wallets under the guise of tech support services. The victim, led to believe her bank account was compromised, unknowingly handed control to criminals who manipulated her into making the large transfer.
The CBI coordinates with INTERPOL and foreign law enforcement bodies to follow money trails through virtual asset transactions, working to dismantle associated laundering networks alongside the operational infrastructure.
The CBI reiterated its commitment to rapidly identifying and taking action against organized technology-enabled crime networks. Authorities arrested individuals face charges under India's Information Technology Act of 2000 and the BNSS Act of 2023.
Previous Operation Chakra actions included the August arrest of a fugitive kingpin at Delhi's international airport while attempting to flee to Kathmandu, Nepal. Immigration officers intercepted the suspect based on CBI intelligence, preventing escape through a route previously exploited by wanted fugitives.
The multi-phase operation demonstrates India's strengthening cybersecurity posture through real-time intelligence sharing with global counterparts, moving beyond domestic law enforcement to tackle cybercriminals exploiting technological vulnerabilities across borders.
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
Image: Shutterstock, WhataWin.
This so-called ‘ramp and dump‘ scheme borrows its name from age-old “pump and dump” scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.
With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media. Rather, they will preposition themselves in the stock that they wish to inflate, using compromised accounts to purchase large volumes of it and then dumping the shares after the stock price reaches a certain value. In February 2025, the FBI said it was seeking information from victims of this scheme.
“In this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam,” reads an advisory from the Financial Industry Regulatory Authority (FINRA), a private, non-profit organization that regulates member brokerage firms. “Ultimately, the outcome for unsuspecting investors is the same—a catastrophic collapse in share price that leaves investors with unrecoverable losses.”
“They will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO [initial public offering] stock or penny stock,” said Merrill, who has been chronicling the rapid maturation and growth of the China-based phishing community over the past three years.
“They’ll use all these victim brokerage accounts, and if needed they’ll liquidate the account’s current positions, and will preposition themselves in that instrument in some account they control, and then sell everything when the price goes up,” he said. “The victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either.”
Merrill said the early days of these phishing groups — between 2022 and 2024 — were typified by phishing kits that used text messages to spoof the U.S. Postal Service or some local toll road operator, warning about a delinquent shipping or toll fee that needed paying. Recipients who clicked the link and provided their payment information at a fake USPS or toll operator site were then asked to verify the transaction by sharing a one-time code sent via text message.
In reality, the victim’s bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet. If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers.
An image from the Telegram channel for a popular Chinese mobile phishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different financial institutions.
This China-based phishing collective exposed a major weakness common to many U.S.-based financial institutions that already require multi-factor authentication: The reliance on a single, phishable one-time token for provisioning mobile wallets. Happily, Merrill said many financial institutions that were caught flat-footed on this scam two years ago have since strengthened authentication requirements for onboarding new mobile wallets (such as requiring the card to be enrolled via the bank’s mobile app).
But just as squeezing one part of a balloon merely forces the air trapped inside to bulge into another area, fraudsters don’t go away when you make their current enterprise less profitable: They just shift their focus to a less-guarded area. And lately, that gaze has settled squarely on customers of the major brokerage platforms, Merrill said.
THE OUTSIDER
Merrill pointed to several Telegram channels operated by some of the more accomplished phishing kit sellers, which are full of videos demonstrating how every feature in their kits can be tailored to the attacker’s target. The video snippet below comes from the Telegram channel of “Outsider,” a popular Mandarin-speaking phishing kit vendor whose latest offering includes a number of ready-made templates for using text messages to phish brokerage account credentials and one-time codes.
According to Merrill, Outsider is a woman who previously went by the handle “Chenlun.” KrebsOnSecurity profiled Chenlun’s phishing empire in an October 2023 story about a China-based group that was phishing mobile customers of more than a dozen postal services around the globe. In that case, the phishing sites were using a Telegram bot that sent stolen credentials to the “@chenlun” Telegram account.
Chenlun’s phishing lures are sent via Apple’s iMessage and Google’s RCS service and spoof one of the major brokerage platforms, warning that the account has been suspended for suspicious activity and that recipients should log in and verify some information. The missives include a link to a phishing page that collects the customer’s username and password, and then asks the user to enter a one-time code that will arrive via SMS.
The new phish kit videos on Outsider’s Telegram channel only feature templates for Schwab customers, but Merrill said the kit can easily be adapted to target other brokerage platforms. One reason the fraudsters are picking on brokerage firms, he said, has to do with the way they handle multi-factor authentication.
Schwab clients are presented with two options for second factor authentication when they open an account. Users who select the option to only prompt for a code on untrusted devices can choose to receive it via text message, an automated inbound phone call, or an outbound call to Schwab. With the “always at login” option selected, users can choose to receive the code through the Schwab app, a text message, or a Symantec VIP mobile app.
In response to questions, Schwab said it regularly updates clients on emerging fraud trends, including this specific type, which the company addressed in communications sent to clients earlier this year.
The 2FA text message from Schwab warns recipients against giving away their one-time code.
“That message focused on trading-related fraud, highlighting both account intrusions and scams conducted through social media or messaging apps that deceive individuals into executing trades themselves,” Schwab said in a written statement. “We are aware and tracking this trend across several channels, as well as others like it, which attempt to exploit SMS-based verification with stolen credentials. We actively monitor for suspicious patterns and take steps to disrupt them. This activity is part of a broader, industry-wide threat, and we take a multi-layered approach to address and mitigate it.”
Other popular brokerage platforms allow similar methods for multi-factor authentication. Fidelity requires a username and password on initial login, and offers the ability to receive a one-time token via SMS, an automated phone call, or by approving a push notification sent through the Fidelity mobile app. However, all three of these methods for sending one-time tokens are phishable; even with the brokerage firm’s app, the phishers could prompt the user to approve a login request that they initiated in the app with the phished credentials.
Vanguard offers customers a range of multi-factor authentication choices, including the option to require a physical security key in addition to one’s credentials on each login. A security key implements a robust form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by connecting an enrolled USB or Bluetooth device and pressing a button. The key works without the need for any special software drivers, and the nice thing about it is your second factor cannot be phished.
THE PERFECT CRIME?
Merrill said that in many ways the ramp-and-dump scheme is the perfect crime because it leaves precious few connections between the victim brokerage accounts and the fraudsters.
“It’s really genius because it decouples so many things,” he said. “They can buy shares [in the stock to be pumped] in their personal account on the Chinese exchanges, and the price happens to go up. The Chinese or Hong Kong brokerages aren’t going to see anything funky.”
Merrill said it’s unclear exactly how those perpetrating these ramp-and-dump schemes coordinate their activities, such as whether the accounts are phished well in advance or shortly before being used to inflate the stock price of Chinese companies. The latter possibility would fit nicely with the existing human infrastructure these criminal groups already have in place.
For example, KrebsOnSecurity recently wrote about research from Merrill and other researchers showing the phishers behind these slick mobile phishing kits employed people to sit for hours at a time in front of large banks of mobile phones being used to send the text message lures. These technicians were needed to respond in real time to victims who were supplying the one-time code sent from their financial institution.
The ashtray says: You’ve been phishing all night.
“You can get access to a victim’s brokerage with a one-time passcode, but then you sort of have to use it right away if you can’t set new security settings so you can come back to that account later,” Merrill said.
The rapid pace of innovations produced by these China-based phishing vendors is due in part to their use of artificial intelligence and large language models to help develop the mobile phishing kits, he added.
“These guys are vibe coding stuff together and using LLMs to translate things or help put the user interface together,” Merrill said. “It’s only a matter of time before they start to integrate the LLMs into their development cycle to make it more rapid. The technologies they are building definitely have helped lower the barrier of entry for everyone.”
Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.
The U.K.’s National Crime Agency (NCA) declined verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and 20-year-old female.
Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.
KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.
Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.
The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”
In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.
Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.
Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.
As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.
In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.
That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
The roster of the now-defunct “Infinity Recursion” hacking team, from which some member of LAPSUS$ hail.
Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.
In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.
“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”
Login
Image Source: https://www.justice.gov/[/caption]
When users clicked on these fraudulent search ads, they believed they were visiting their bank’s official website. In reality, they were redirected to fake bank websites controlled by the attackers. Once victims entered their usernames and passwords, malicious software embedded in the fake pages captured those details in real time.
The stolen login credentials were then used to access legitimate bank accounts. From there, the criminals initiated unauthorized bank transfers, effectively draining funds before victims realized their accounts had been compromised.
Source: FBI[/caption]
Source: CBI on X platform[/caption]
