Union Home Minister Amit Shah on Tuesday announced that the Central government has cancelled 12 lakh SIM cards and ensured that IMEI numbers blocked exceeded 3 lakh mobile devices as part of a sweeping nationwide crackdown on cybercrime. He added that 20,853 accused individuals have been arrested in connection with cyber offences up to December 2025.  Shah shared these figures while addressing the National Conference on “Tackling Cyber-Enabled Frauds and Dismantling the Ecosystem,” organized by the Central Bureau of Investigation (CBI) and the Indian Cyber Crime Coordination Centre (I4C). The conference focused on strategies to dismantle the growing organized ecosystem of cybercrime.  The large-scale action involving SIM cards being cancelled and IMEI numbers being blocked is aimed at cutting off the communication channels frequently used by fraud networks. According to Shah, these measures are part of a coordinated national effort to prevent and respond effectively to cybercrime. 

Multi-Agency Coordination Strengthened to Combat Organized Cybercrime 

The Home Minister underlined that tackling cybercrime requires close cooperation among multiple institutions. Agencies, including I4C, State Police forces, the CBI, the National Investigation Agency (NIA), the Enforcement Directorate (ED), the Department of Telecommunications, the banking sector, the Ministry of Electronics and Information Technology (MeitY), the Reserve Bank of India (RBI), and the judiciary, are collectively engaged in sustained enforcement efforts.  Emphasising the importance of inter-agency coordination, Shah said each institution has a clearly defined role and responsibility. Seamless cooperation among stakeholders, he noted, is essential to deliver effective outcomes, especially when cybercrime operations span across states and international jurisdictions.  He described the initiative taken by the CBI and I4C as “extremely significant,” stating that it brings various departments together and strengthens the implementation of anti-cybercrime measures. Through this integrated framework, authorities aim not only to make arrests but also to dismantle the broader infrastructure supporting cybercrime activities.  Shah also stressed the crucial role of the CBI and NIA, particularly in addressing cybercrimes originating outside India. He pointed out that lapses in maintaining the chain of custody of digital evidence often hinder convictions and remain a key challenge in prosecuting cyber offenders. 

Digital Growth, 181 Billion UPI Transactions and Rising Cybercrime Risks 

Highlighting India’s digital transformation over the past 11 years under the Digital India initiative, Shah said the country’s digital expansion has been remarkable. The number of internet users has risen from 250 million to over 1 billion, while broadband connections have grown nearly sixteenfold, also crossing the 1-billion mark.  He further noted that the cost of one gigabyte of data has dropped by 97 per cent, expanding internet access and usage. Connectivity through the BharatNet project has also seen dramatic growth. Eleven years ago, only 546 village panchayats were connected, whereas more than 2 lakh village panchayats are now covered, ensuring connectivity from Parliament to Panchayats.  Shah also pointed to the surge in digital financial transactions. In 2024 alone, India recorded more than 181 billion Unified Payments Interface (UPI) transactions with a total value exceeding Rs 233 trillion. The rapid expansion of digital payments, he indicated, has made the fight against cybercrime even more critical.  He warned that cybercrime, which was once largely individual-driven, has now become institutionalised. Criminal groups are using advanced technologies and continuously adapting their methods. In this environment, actions such as SIM cards cancelled and IMEI numbers blocked are intended to disrupt the operational backbone of fraudulent networks.  Calling for collective responsibility, Shah urged all agencies to identify vulnerabilities and minimise risks at every level. He said the Centre has adopted a comprehensive, multi-dimensional strategy to combat cybercrime. The key pillars include real-time cybercrime reporting, strengthening forensic networks, capacity building, research and development, promoting cyber awareness, and encouraging cyber hygiene.  He cautioned that without timely intervention, cyber fraud could have escalated into a national crisis. Shah called on stakeholders to act simultaneously, whether by identifying fraudulent call centres, enhancing awareness campaigns, improving the 1930 cybercrime helpline, reducing response times, or strengthening coordination between banks and I4C. 

In a major step against online piracy and illegal copyright distribution, U.S. law enforcement has partnered with Bulgarian authorities to dismantle three of the largest piracy websites operating in the European Union. The coordinated operation targeted platforms that allegedly provided unauthorized access to thousands of copyrighted movies, television shows, video games, software, and other digital content. The U.S. government executed seizure warrants against three U.S.-registered internet domains that were reportedly operated from Bulgaria. These domains — zamunda.net, arenabg.com, and zelka.org — were among the most heavily visited piracy services in the region. This action highlights growing international cooperation in tackling copyright infringement and protecting intellectual property rights worldwide.

Crackdown Targets Large-Scale Online Piracy Networks

According to U.S. authorities, the seized websites were allegedly engaged in the illegal distribution of copyrighted works on a massive scale. These platforms offered users access to unauthorized copies of content, including many works owned by U.S. companies and creators. The operation focused on online services that allowed millions of downloads of copyrighted material, contributing to significant financial losses for the entertainment, software, and publishing industries. Law enforcement officials emphasized that willful copyright infringement is a crime, and such piracy networks often operate as commercial enterprises rather than casual file-sharing platforms.

Tens of Millions of Visits and Millions in Losses

Court affidavits supporting the seizure warrants reveal the enormous scale of the piracy activity linked to these domains. The three websites reportedly:

• Received tens of millions of visits annually
• Offered thousands of infringed works without authorization
• Generated millions of illegal downloads
• Caused retail losses totaling millions of dollars

One of the domains was frequently ranked among the top 10 most visited websites in Bulgaria, highlighting how deeply embedded these piracy platforms were in the country’s online ecosystem. Authorities also noted that the websites appeared to generate substantial revenue through online advertisements, making piracy not only a copyright issue but also a profitable criminal business model.

Seized Domains Now Under U.S. Government Custody

The domains are now in the custody of the United States government. Visitors attempting to access the sites will instead see an official seizure banner. The notice informs users that:

• Federal authorities have seized the domain names
• Copyright infringement is a serious criminal offense
• The websites are no longer operational

The seizure of these domains represents a significant disruption of piracy infrastructure and sends a clear warning to operators running similar illegal platforms.

Strong Cooperation Between U.S., Bulgaria, and Europol

The Justice Department credited Bulgarian law enforcement agencies for their critical support in the takedown. Key Bulgarian partners included:

• The National Investigative Service
• The Ministry of the Interior’s General Directorate Combating Organized Crime
• The State Agency for National Security
• The Prosecutor’s Office

On the U.S. side, the operation involved:

• The U.S. Attorney’s Office for the Southern District of Mississippi
• Homeland Security Investigations (HSI) New Orleans Field Office
• The National Intellectual Property Rights Coordination Center (IPR Center)

The Justice Department also acknowledged the important coordination role played by Europol, along with technical support from the HSI Athens office and U.S. Customs and Border Protection (CBP) in Sofia. This case demonstrates how international partnerships are becoming essential in fighting cross-border cybercrime and piracy.

Role of ICHIP Program in Global Cybercrime Support

The Justice Department noted that it continues to provide intellectual property and cybercrime assistance to foreign partners through the International Computer Hacking and Intellectual Property (ICHIP) program. This program helps strengthen global law enforcement capabilities in areas such as:

• Cybercrime investigations
• Digital piracy enforcement
• Intellectual property protection
• Prosecutorial and judicial cooperation

The ICHIP initiative is jointly administered through OPDAT and the Computer Crime and Intellectual Property Section, in partnership with the U.S. Department of State.

IPR Center Remains Key Weapon Against Digital Piracy

The National Intellectual Property Rights Coordination Center (IPR Center) plays a central role in combating criminal piracy and counterfeiting. By bringing together expertise from multiple agencies, the IPR Center works to:

• Share intelligence on IP theft
• Coordinate enforcement actions
• Protect the U.S. economy and consumers
• Support investigations into digital piracy networks

Authorities encourage individuals and businesses to report suspected IP theft through the official IPR Center website.

Investigation Ongoing

The announcement was made by Assistant Attorney General A. Tysen Duva, U.S. Attorney Baxter Kruger, and Acting Special Agent in Charge Matt Wright of HSI New Orleans. Homeland Security Investigations has confirmed that the matter remains under active investigation. With the takedown of these major piracy sites, U.S. and Bulgarian authorities have delivered one of the strongest blows yet against online copyright infringement in the European Union.

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, with the group publishing data allegedly stolen from three victims, with two apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first victims since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but the threat group has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks. One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.” Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.” The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said. Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says. Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access. The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress. Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more. The data doesn’t include password or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of "holiday hunting," where cybercriminals exploit reduced IT staffing over holidays, Murata said. “Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what if any communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today.

Crimson Collective Details Brightspeed Claims

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including:

• Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status
• Network type, consent flags, billing system, service instance, network assignment, and site IDs
• Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags
• User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons”
• Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status
• Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps
• Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types.

Potential Risk for Brightspeed Users

In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include password or credit card data that could put users at imminent risk of breach or theft, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:

• A medical device company based in Tampa, Florida
• A pharmaceutical company based in Maryland
• A doctor’s office based in California
• An engineering company based in California
• A drone manufacturer based in Virginia

The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of priori law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident. The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said. Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said. Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about USD $35 (50,000 won) per customer.

Coupang Breach Smaller than Feared

Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared. While initial reports said the breach – which led to the CEO’s resignation – might have compromised the data of more than 33 million, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.” The user data included 2,609 building entrance codes, but no payment, log-in data or individual customs numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said. Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.

Perpetrator ‘Confessed Everything’

Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said. The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes. The Coupang statement notes repeatedly that the alleged perpetrator’s story is supported by the available forensic evidence, likely to reassure customers that the breach wasn’t as bad as initially feared. The statement frequently uses phrases such as “exactly as the perpetrator described” to underscore that the forensic evidence supports the former employee’s claims. “The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section. “The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.” The perpetrator also turned over the PC system and four hard drives from the system, “on which analysts found the script used to carry out the attack,” the company said.

French authorities have arrested a 22-year-old man in connection with a French Interior Ministry cyberattack, marking an important development in an investigation into the breach of the ministry’s internal email systems. The arrest was carried out on December 17, 2025, following an inquiry led by the cybercrime unit of the Paris prosecutor’s office. According to a notice issued by France’s Ministry of the Interior, the suspect was taken into custody on charges including unauthorized access to a state-run automated personal data processing system. The offense carries a maximum sentence of up to 10 years in prison. "A person was arrested on December 17, 2025, as part of an investigation opened by the cybercrime unit of the Paris prosecutor's office, on charges including unauthorized access to a state-run automated personal data processing system, following the cyberattack against the Ministry of the Interior," the press release, translated into English, said. The ministry confirmed that the individual, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offenses. Authorities have not disclosed the suspect’s identity. "The suspect, born in 2003, is already known to the justice system, having been convicted of similar offenses in 2025," release added further. [caption id="attachment_107868" align="aligncenter" width="923"] Source: French Interior Ministry[/caption]

Investigation Into Cyberattack on France’s Ministry of the Interior 

The French Interior Ministry cyberattack was first publicly acknowledged last week, after officials revealed that the ministry’s internal email servers had been compromised. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. French Interior Minister Laurent Nuñez described the incident as more serious than initially believed. Speaking to Franceinfo radio, he said, "It's serious. A few days ago, I said that we didn't know whether there had been any compromises or not. Now we know that there have been compromises, but we don't know the extent of them." Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information. However, Nuñez urged caution when assessing the scale of the breach. I can tell you that there have not been millions of pieces of data extracted as of this morning (...), but I remain very cautious about the level of compromise," he added.

Legal Action Aganist French Interior Ministry cyberattack

In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspect of French Interior Ministry cyberattack was arrested as part of an investigation into unauthorized access to an automated data processing system, allegedly carried out as part of an organized group. Prosecutors reiterated that this offense is punishable by up to 10 years’ imprisonment. The investigation is being conducted by OFAC, France’s Office for Combating Cybercrime. Authorities noted that a further statement will be released once the police custody period ends, which can last up to 48 hours. French prosecutors also confirmed that while the suspect has prior convictions for similar crimes in 2025, they are not disclosing further details about those cases.

Government Response and Security Measures

Following the French Interior Ministry cyberattack, the Ministry of the Interior implemented standard security protocols and strengthened access controls across its systems. Speaking on RTL Radio, Minister Nuñez confirmed the attack and the immediate response, "There was indeed a cyberattack. An attacker was able to access a number of files. So we implemented the usual protection procedures." He further stated that investigations into French Interior Ministry cyberattack are ongoing at both judicial and administrative levels, and that France’s data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), has been notified. On RTL Matin, Nuñez emphasized that the origin of the French Interior Ministry cyberattack remains unclear, "It could be foreign interference, it could be people wanting to challenge the authorities and demonstrate their ability to access systems, and it could also be cybercrime. Right now, we don't know what it is."

Claims of Responsibility Surface Online

Following public disclosure of the French Interior Ministry cyberattack incident, a post appeared on an underground forum claiming responsibility for the breach. The post stated, "We hereby announce that, in revenge for our arrested friends, we have successfully compromised 'MININT' — the French Ministry of the Interior." The message appeared to reference the 2025 arrests of five BreachForums moderators and administrators, known online as “ShinyHunters,” “Hollow,” “Noct,” “Depressed,” and “IntelBroker.” However, authorities have not confirmed any direct link between the arrested suspect and these claims. As the investigation into the French Interior Ministry cyberattack continues, French officials have stressed that all possibilities remain under consideration and that further updates will follow once the custody period concludes.

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

Recent data released by the National Crime Records Bureau (NCRB) paints a troubling picture of the rapid rise in cybercrime in India, particularly cases executed through mobile phones and computers.   The NCRB report notes that India recorded over 52,000 cybercrime incidents in 2021, a number that escalated to more than 86,000 by 2023. The Minister of State for Home Affairs, Bandi Sanjay Kumar, shared these figures in a written reply in the Rajya Sabha. 

Regional Trends Show Sharp Contrasts Across Northern India 

Haryana recorded 751 cybercrime cases in 2023, making it the highest among northern states, followed by Himachal Pradesh with 127 cases, a major jump from just 77 the previous year. Punjab, however, reported a decline, registering 511 cases in 2023 compared to 697 in 2022.  Among northern Union Territories, Delhi led with 407 cases, followed by Jammu & Kashmir with 185 and Chandigarh with 23. To strengthen cyber forensic capabilities, the Ministry of Home Affairs provided support to 20 states and UTs under the Nirbhaya-funded scheme. Punjab received ₹7.98 crore from 2018–19, while Himachal Pradesh received ₹7.29 crore. 

Ransomware Surge Places India and Asia-Pacific in a High-Risk Zone 

Beyond NCRB’s findings, rising digital threats in the Asia-Pacific region further illustrate the scale of cybercrime in India and neighboring countries. Cyble’s Monthly Threat Landscape Report: July 2025 reveals that India remains a priority target for ransomware groups. The Warlock ransomware group breached an India-based manufacturing firm, exfiltrating HR files, financial records, design archives, and internal repositories.   Additional leaks on dark web forums exposed stolen data from two Indian companies, a technology consulting firm and a subscription-based SaaS platform.  Unauthorized access to an Indian telecom network was also put up for sale for US$35,000, including credentials, CLI access, and operational network details. Regionally, Thailand, Japan, and Singapore each recorded six ransomware victims, with India and the Philippines close behind. The manufacturing, government, and critical infrastructure sectors faced the brunt of attacks. Meanwhile, South Asia witnessed hacktivist activity, with the pro-India Team Pelican Hackers claiming breaches of major Pakistani research and academic institutions.  Globally, July 2025 saw 423 ransomware victims, with the U.S. accounting for 223. Qilin ransomware topped global activity with 73 victims, followed by INC Ransom with 59. Cyble’s sensors also detected more than 1,000 daily attacks on U.S. industrial control systems, while the UK, Vietnam, China, Singapore, and Hong Kong recorded high targeting levels. A booming market for zero-day exploits added to the risk landscape, with vulnerabilities in WinRAR and leading VPN platforms being sold for USD $80,000 to 1 BTC. 

Insights from 2024 Call for Urgency of Cyber Preparedness 

Insights from the India Threat Landscape Report 2024 add critical context to the rising threat levels highlighted by the National Crime Records Bureau (NCRB). In the first half of 2024 alone, India recorded 593 cyberattacks, 388 data breaches, 107 data leaks, and 39 ransomware incidents, highlighting the need for stronger threat intelligence across tactical, operational, strategic, and technical layers.  Combined with Cyble’s observations on escalating ransomware activity, dark web exposure, and exploit markets, cybercrime in India is becoming the next big thing and demands a coordinated, intelligence-driven response.  Organizations seeking to stay protected from these threats can benefit from Cyble’s AI-powered threat intelligence ecosystem and autonomous security capabilities. Explore Cyble’s platform, experience Blaze AI, or schedule a free demo to strengthen your organization’s preparedness against modern-day cyber risks. 

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

European law enforcement agencies have taken down an illegal cryptocurrency mixing service that they say has been used to facilitate cybercrime and money laundering. The operation to take down the cryptocurrency mixing service ‘Cryptomixer’ was conducted between November 24 and 28 and was announced today by Europol, which assisted Swiss and German law enforcement agencies in the action. The operation resulted in the seizure of three servers in Switzerland, 12 terabytes of data, €25 million in Bitcoin, and the cryptomixer[.]io domain. Law enforcement placed a seizure banner on the website after the takeover. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges,” Europol said. “This allows ‘cleaned’ cryptocurrency to be exchanged for other cryptocurrencies or for FIAT currency through cash machines or bank accounts.”

Cryptocurrency Mixing ‘A Service to Obfuscate the Origin of Criminal Funds’

Europol called Cryptomixer “A service to obfuscate the origin of criminal funds.” “Cryptomixer was a hybrid mixing service accessible via both the clear web and the dark web,” the European law enforcement agency stated. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Since its launch in 2016, Europol says that more than €1.3 billion in Bitcoin were mixed through the service. Deposited funds from users were pooled “for a long and randomised period” before they were redistributed to their destination addresses. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency,” the agency said.

Action Follows ChipMixer Takedown in 2023

Europol was also involved in the multi-national takedown of the crypto mixing service “ChipMixer” in 2023, an operation that involved four European countries and the U.S. ChipMixer was considered the largest mixing service of its time, and was suspected to have facilitated the laundering of 152,000 Bitcoins, worth an estimated €2.73 billion at the time. The joint law enforcement operations in both cases was part of EMPACT, the European Multidisciplinary Platform Against Criminal Threats, which aims to address the most important threats posed by organized and international crime affecting the EU.

An Australian man has been sentenced to more than seven years in jail on charges that he created ‘evil twin’ WiFi networks to hack into women’s online accounts to steal intimate photos and videos. The Australian Federal Police (AFP) didn’t name the man in announcing the sentencing, but several Australian news outlets identified him as Michael Clapsis, 44, of Perth, an IT professional who allegedly used his skills to carry out the attacks. He was sentenced to seven years and four months in Perth District Court on November 28, and will be eligible for parole after serving half that time, according to the Sydney Morning Herald. The AFP said Clapsis pled guilty to 15 charges, ranging from unauthorised access or modification of restricted data to unauthorised impairment of electronic communication, failure to comply with an order, and attempted destruction of evidence, among other charges.

‘Evil Twin’ WiFi Network Detected on Australian Domestic Flight

The AFP investigation began in April 2024, when an airline reported that its employees had identified a suspicious WiFi network mimicking a legitimate access point – known as an “evil twin” – during a domestic flight. On April 19, 2024, AFP investigators searched the man’s luggage when he arrived at Perth Airport , where they seized a portable wireless access device, a laptop and a mobile phone. They later executed a search warrant “at a Palmyra home.” Forensic analysis of data and seized devices “identified thousands of intimate images and videos, personal credentials belonging to other people, and records of fraudulent WiFi pages,” the AFP said. The day after the search warrant, the man deleted more than 1,700 items from his account on a data storage application and “unsuccessfully tried to remotely wipe his mobile phone,” the AFP said. Between April 22 and 23, 2024, the AFP said the man “used a computer software tool to gain access to his employer’s laptop to access confidential online meetings between his employer and the AFP regarding the investigation.” The man allegedly used a portable wireless access device, called a “WiFi Pineapple,” to detect device probe requests and instantly create a network with the same name. A device would then connect to the evil twin network automatically. The network took people to a webpage and prompted them to log in using an email or social media account, where their credentials were then captured. AFP said its cybercrime investigators identified data related to use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, as well as on domestic flights, “while the man also used his IT privileges to access restricted and personal data from his previous employment.” “The man unlawfully accessed social media and other online accounts linked to multiple unsuspecting women to monitor their communications and steal private and intimate images and videos,” the AFP said.

Victims of Evil Twin WiFi Attack Enter Statements

At the sentencing, a prosecutor read from emotional impact statements from the man’s victims, detailing the distress they suffered and the enduring feelings of shame and loss of privacy. One said, “I feel like I have eyes on me 24/7,” according to the Morning Herald. Another said, “Thoughts of hatred, disgust and shame have impacted me severely. Even though they were only pictures, they were mine not yours.” The paper said Clapsis’ attorney told the court that “He’s sought to seek help, to seek insight, to seek understanding and address his way of thinking.” The case highlights the importance of avoiding free public WiFi when possible – and not accessing sensitive websites or applications if one must be used. Any network that requests personal details should be avoided. “If you do want to use public WiFi, ensure your devices are equipped with a reputable virtual private network (VPN) to encrypt and secure your data,” the AFP said. “Disable file sharing, don’t use things like online banking while connected to public WiFi and, once you disconnect, change your device settings to ‘forget network’.”

Two alleged members of the Scattered Spider threat group pled not guilty today to charges related to a cyberattack on Transport for London in August 2024. Thalha Jubair, 19, of east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested in the UK in September. They appeared before Southwark Crown Court today and entered not guilty pleas to charges of conspiring to commit unauthorized acts against computer systems belonging to Transport for London (TfL), according to news reports. Sky News reported that the two “stood in the dock together and spoke only to confirm their names and enter not guilty pleas.” The charge states in part that the two are accused of "causing, or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused. Flowers is also accused of unauthorized acts against computer systems belonging to SSM Health, and attempting to commit unauthorized acts against computer systems belonging to Sutter Health. Jubair is also accused of failing to disclose the pin or passwords for devices seized from him in March 2025, and Jubair also faces substantial charges in the U.S. Both men continue to be held on remand, the BBC reported.

Scattered Spider Trial Date Set

A provisional trial date has been set for June 8, 2026, at Southwark Crown Court, with a pre-trial hearing scheduled for February 13. The cyberattack allegedly caused £39m of damage and disrupted TfL services for three months. While transport itself was unaffected, many TfL online services and information boards were knocked offline as part of the attack. Traffic cameras and "dial a ride" bookings were some of the affected services, and some payment systems were also affected. Personal data including names, emails and home addresses were accessed, and TfL was forced to inform thousands of customers that there may have been unauthorized access to personal information that may have included bank account numbers and sort codes.

Jubair Faces U.S. Charges Too

Jubair has also been charged by the U.S. Department of Justice (DoJ) for conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities. The unsealed U.S. complaint alleged that Jubair’s victims paid at least $115 million in ransom payments. The U.S. claims Jubair could face up to 95 years in prison on the charges. Scattered Spider recently joined with ShinyHunters and LAPSUS$ to form the Scattered LAPSUS$ Hunters threat collective, which remains active, that Recent attacks by the group have targeted Salesforce data, including one involving the Gainsight customer success platform this week. Scattered LAPSUS$ Hunters also claims to have been behind an insider attack at security vendor CrowdStrike, according to Bleeping Computer, although CrowdStrike says its systems and customer data were not affected by the incident.

Google has filed a complaint in court that details the scam:

In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit card numbers, or banking information, often by impersonating well-known brands, government agencies, or even people the victim knows.”

These branded “Lighthouse” kits offer two versions of software, depending on whether bad actors want to launch SMS and e-commerce scams. “Members may subscribe to weekly, monthly, seasonal, annual, or permanent licenses,” Google alleged. Kits include “hundreds of templates for fake websites, domain set-up tools for those fake websites, and other features designed to dupe victims into believing they are entering sensitive information on a legitimate website.”

Google’s filing said the scams often begin with a text claiming that a toll fee is overdue or a small fee must be paid to redeliver a package. Other times they appear as ads—­sometimes even Google ads, until Google detected and suspended accounts—­luring victims by mimicking popular brands. Anyone who clicks will be redirected to a website to input sensitive information; the sites often claim to accept payments from trusted wallets like Google Pay.

This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to.

The email is direct and to the point. Not a lot of social engineering happening here.

“Dear ,

Pls kindly find the attached PO please send us PI once its available.”

The sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.

The attached .shtml file is a tidy fake login screen that doesn’t really specify which credentials they want:

The pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.

We assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites.

Under the hood, the functionality of this attachment lies in this piece of JavaScript.

It starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.

Using Telegram bots provides the phishers with several advantages:

• Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.
• Telegram is a legitimate, globally distributed messaging service, making it difficult to block.
• There’s no exposed web server or obvious phishing “drop site” that can be blocklisted or shut down.

The last line contains a credibility trick:

setTimeout(() => {window.location.assign("file:///C:/Users/USER/Downloads/Invoice_FAC_0031.pdf")}, 2000);

This tries to open a file on the user’s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user’s mind off the fact that they just sent their credentials who knows where.

That’s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.

I suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.

This attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.

Don’t fall for phishing attempts

Even though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.

In phishing attempts like these, two simple rules can save you from lots of trouble.

• Don’t open unsolicited attachments
• Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).

Other important tips to stay safe from phishing in general:

• Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
• Check through an independent channel if the sender actually sent you an attachment or a link.
• Use up-to-date security software, preferably with a web protection component.
• Keep your device and all its software updated.
• Use multi-factor authentication for every account you can.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

Pro tip: You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens.

According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even diverting real cargo shipments to unapproved locations so that the stolen goods can be sold or shipped elsewhere.

The impact, the researchers said, extends far beyond the logistics industry:

“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics. The most targeted commodities are food and beverage products.”

Although the cyberattacks were mostly seen in North America, cargo theft is a problem across the world, impacting consumers and businesses that rely on the often-overlooked network of trucks, trains, ships, planes, and people.

In these attacks, cybercriminals compromise the accounts of carrier companies that transport goods from one location to the next. By posing as legitimate carriers, they can place real bids on shipments and then redirect them to unauthorized destinations, where they or their partners will receive and steal the cargo.

Researchers found that attackers take control of these accounts in at least one of three ways.

1. Fake load boards

Attackers may post a fake order on what’s called a “load board,” a digital marketplace that connects shippers with carriers so that cargo can be assigned and accepted. But when legitimate carriers inquire about the fake load board posting, the criminals reply with an email that includes a malicious link that, when clicked, installs Remote Monitoring and Management (RMM) software. (To make the scam more convincing, the cybercriminals also compromise a “broker” account so their load board posting looks legitimate.)

Despite the sneaky install method, RMM software itself is entirely legitimate. It’s used by IT support teams to remotely fix issues for employees. But that legitimacy makes RMM software perfect for any cybercriminal campaign because it may raise fewer red flags from older antivirus tools.

Once the attackers gain access to a carrier’s account, they can also deploy malware to steal account credentials, giving them greater access to a company’s network.

2. Compromised email accounts

A second observed attack method involved hijacking an active email address and then impersonating the owner when responding to emails about cargo orders and shipments. Here, too, cybercriminals inserted malicious links into emails that eventually install RMM tools.

3. Social engineering

Finally, researchers also observed the attackers sending direct phishing emails to carriers, using classic social engineering tricks—like sending a bogus bill to lure victims into clicking malicious links.

While many of the well-tested security best practices still apply—like not clicking on links inside emails—one of the strongest defenses is to use a security product that notifies users about RMM tools (also sometimes referred to as Remote Desktop Programs) installed on their device. RMM tools are legitimate, but because of their abuses in cybercriminal campaigns, it is important that every installation is verified and tracked.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Around 70 countries have signed the new United Nations (UN) Convention against Cybercrime—the first global treaty designed to combat cybercrime through unified international rules and cooperation.

The treaty needs at least 40 UN member states to ratify it before it becomes international law. Once the 40th country does so, it will take another 90 days for the convention to become legally binding for all those who have joined.

Notably, the United States declined to sign. In a brief statement, a State Department spokesperson said:

“The United States continues to review the treaty.”

And there is a lot to review. The convention has sparked significant debate about privacy, sovereignty, and how far law enforcement powers should reach. It was created in response to the rising frequency, sophistication, and cost of cybercrime worldwide—and the growing difficulty of countering it. As cyberattacks increasingly cross borders, international cooperation has become critical.

Supporters say the treaty closes legal loopholes that allow criminals to hide in countries that turn a blind eye. It also aims to solve miscommunication by establishing common definitions of cybercrimes, especially for threats like ransomware, online fraud, and child exploitation.​

But civil rights and digital privacy advocates argue that the treaty expands surveillance and monitoring powers, in turn eroding personal freedoms, and undermines safeguards for privacy and free expression.

Cybersecurity experts fear it could even criminalize legitimate research.

Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation (EFF) stated:

“The latest UN cybercrime treaty draft not only disregards but also worsens our concerns. It perilously broadens its scope beyond the cybercrimes specifically defined in the Convention, encompassing a long list of non-cybercrimes.”

The Foundation for Defense of Democracies (FDD) goes even further, arguing that the treaty could become a platform for authoritarian states to advance ideas of state control over the internet, draw democratic governments into complicity with repression, and weaken key cybersecurity tools on which Americans depend.

“Russia and China are exporting oppression around the world and using the United Nations as legal cover.”

Even Microsoft warned that significant changes would need to be made to the original draft before it could be considered safe:

“We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected. Key criminalization provisions are too vague and do not include a reference to criminal intent, which would ensure activities like penetration testing remain lawful.”

Those changes never came to life. Many observers now say the treaty creates a legal framework that allows monitoring, data storage, and cross-border information sharing without clear data protection. Critics argue it lacks strong, explicit safeguards for due process and human rights, particularly when it comes to cross-border data exchange and extradition.

When you think about it, the idea of having a global system to counter cybercriminals makes sense—criminals don’t care about borders, and the current patchwork of national laws only helps them hide. But to many, the real problem lies in how the treaty defines cybercrime and what governments could do in its name.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.