Received today — 14 February 2026

Pension annuity sales hit record as average pot exceeds £80,000

14 February 2026 at 02:00

Rachel Reeves’s inheritance tax changes encourage more people to invest in previously unloved product

The government’s “inheritance tax raid” on pensions has helped drive sales of retirement annuities to new highs.

Industry data this week revealed they enjoyed a “record-breaking” 2025, with sales growing by 4% to £7.4bn and the average amount invested in an annuity surpassing £80,000 for the first time.

© Photograph: Alamy/PA

‘My husband burned down our house – then the bank threatened repossession’

14 February 2026 at 02:00

A family struggled to rebuild their lives after an abusive marriage ended in tragedy and financial ruin

Family life ended for Francesca Onody on a late summer evening in 2022 when her abusive husband doused their cottage with petrol as police arrived to arrest him. She and her children escaped seconds before the building exploded. Her husband Malcolm Baker died in the blaze.

That night, Onody lost her husband, her home, her pets and her possessions.

© Composite: Guardian Design/Getty Images

Received yesterday — 13 February 2026

Can we make a plea for 'thank yous' | Letters

13 February 2026 at 12:53

Readers respond to Sangeeta Pillai’s objection to Britons’ ‘pointless stream of politeness’

I do not agree with Sangeeta Pillai (The hill I will die on: Britons love saying thank you – I think we should ban the phrase, 7 February). I do not like sarcastic or passive aggressive “thank yous”, but what is wrong with thanking people in the service industry for the service they give? I do not believe that it is overworked or meaningless. I love to thank baristas, shop assistants, bus drivers or other people because they more often than not provide a very good service. They work hard and are not paid a lot of money. They are often people doing jobs that are difficult for one reason or another.

Why not be kind and appreciative? Isn’t there enough hardship and negativity in these febrile times?
Deirdre Breen
Dublin, Ireland

© Photograph: Maksym Belchenko/Getty Images/iStockphoto

Shares in trucking and logistics firms plunge after AI freight tool launch

13 February 2026 at 04:04

SemiCab platform by Algorhythm, previously considered a ‘penny stock’, sparks ‘category 5 paranoia’ across sector

Shares in trucking and logistics companies have plunged as the sector became the latest to be targeted by investors fearful that new artificial intelligence tools could slash demand.

A new tool launched by Algorhythm Holdings, a former maker of in-car karaoke systems turned AI company with a market capitalisation of just $6m (£4.4m), sparked a sell-off on Thursday that made the logistics industry the latest victim of AI jitters that have already rocked listed companies operating in the software and real estate sectors.

© Photograph: Thilo Schmülgen/Reuters

The Law of Cyberwar is Pretty Discombobulated

13 February 2026 at 05:24

This article explores the complexities of cyberwarfare, emphasizing the need to reconsider how we categorize cyber operations within the framework of the Law of Armed Conflict (LOAC). It discusses the challenges posed by AI in transforming traditional warfare notions and highlights the potential risks associated with the misuse of emerging technologies in conflicts.

The post The Law of Cyberwar is Pretty Discombobulated appeared first on Security Boulevard.

Received before yesterday

How to deal with the “Claude crash”: Relx should keep buying back shares, then buy more | Nils Pratley

12 February 2026 at 13:43

The firm remains confident even as the market flips from seeing it as an AI winner to fearing its profit margin will implode

As the FTSE 100 index bobs along close to all-time highs, it is easy to miss the quiet share price crash in one corner of the market. It’s got a name – the “Claude crash”, referencing the plug-in legal products added by the AI firm Anthropic to its Claude Cowork office assistant.

This launch, or so you would think from the panicked stock market reaction in the past few weeks, marks the moment when the AI revolution rips chunks out of some of the UK’s biggest public companies – those in the dull but successful “data” game, including Relx, the London Stock Exchange Group, Experian, Sage and Informa.

© Photograph: miss.cabul/Shutterstock

To revive manufacturing we must first change attitudes towards labour | Letter

12 February 2026 at 12:07

Government action is needed before it is too late, writes Jill Fitzgerald-O’Connor

Re Larry Elliott’s article (How can Britain regain its manufacturing power?, 5 February), the basis for the revival of our manufacturing industry requires first a shift in attitude that brainwork is superior to manual labour.

Changes to the curriculum are needed so that technically oriented students can pursue courses that are a first option rather than second best. Part of my training as a designer-pattern cutter involved a placement in a factory, an experience now rarely available to fashion students. In the 1980s, the government set up the Enterprise Allowance Scheme to encourage innovation, but there was no follow-on support to encourage production; successful entrepreneurs had to apply for personal loans from banks, limited to the value of their houses.

© Photograph: Alicia Canter/The Guardian

UK economy grows by only 0.1% amid falling business investment

12 February 2026 at 17:45

GDP in last three months of 2025 also hit by weak consumer spending, with little momentum going into this year

The UK economy expanded by only 0.1% in the final three months of last year, according to official data, as falling business investment and weak consumer spending led to little momentum going into 2026.

Figures from the Office for National Statistics (ONS) show that the economy grew at the same rate of 0.1% as the previous three months. This was less than a 0.2% rise that economists had been expecting.

© Photograph: Chris Furlong/PA

Kimwolf Botnet Swamps Anonymity Network I2P

11 February 2026 at 11:08

For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

Kimwolf is a botnet that surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices like TV streaming boxes, digital picture frames and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

“It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,” the I2P website explains. “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.”

On February 3, I2P users began complaining on the organization’s GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the mass influx of new systems had overwhelmed the network to the point where users could no longer connect.

I2P users complaining about service disruptions from a rapidly increasing number of routers suddenly swamping the network.

When one I2P user asked whether the network was under attack, another user replied, “Looks like it. My physical router freezes when the number of connections exceeds 60,000.”

A graph shared by I2P developers showing a marked drop in successful connections on the I2P network around the time the Kimwolf botnet started trying to use the network for fallback communications.

The same day that I2P users began noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network.

The Kimwolf botmaster openly discusses what they are doing with the botnet in a Discord channel with my name on it.

Although Kimwolf is known as a potent weapon for launching DDoS attacks, the outages caused this week by some portion of the botnet attempting to join I2P are what’s known as a “Sybil attack,” a threat in peer-to-peer networks where a single entity can disrupt the system by creating, controlling, and operating a large number of fake, pseudonymous identities.

Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network’s normal size. I2P’s Wikipedia page says the network consists of roughly 55,000 computers distributed throughout the world, with each participant acting as both a router (to relay traffic) and a client.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

An I2P user posted this graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network.

Benjamin Brundage is founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques. Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network operators that are working together to combat the spread of the botnet.

Brundage said the people in control of Kimwolf have been experimenting with using I2P and a similar anonymity network — Tor — as a backup command and control network, although there have been no reports of widespread disruptions in the Tor network recently.

“I don’t think their goal is to take I2P down,” he said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”

The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare’s domain name system (DNS) settings, causing control domains associated with Kimwolf to repeatedly usurp Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites.

James said the I2P network is still operating at about half of its normal capacity, and that a new release is rolling out which should bring some stability improvements over the next week for users.

Meanwhile, Brundage said the good news is Kimwolf’s overlords appear to have quite recently alienated some of their more competent developers and operators, leading to a rookie mistake this past week that caused the botnet’s overall numbers to drop by more than 600,000 infected systems.

“It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”

Spain Ministry of Science Cyberattack Triggers Partial IT Shutdown

6 February 2026 at 05:02

The Spain Ministry of Science cyberattack has caused a partial shutdown of government IT systems, disrupting services used daily by researchers, universities, students, and businesses across the country. While officials initially described the issue as a “technical incident,” mounting evidence and confirmations from Spanish media now point to a cyberattack involving potentially sensitive academic, personal, and financial data. The Ministry of Science, Innovation and Universities plays a central role in Spain’s research and higher education ecosystem. Any disruption to its digital infrastructure has wide-reaching consequences, making this incident far more serious than a routine systems outage.

Official Notice Confirms System Closure and Suspended Procedures

In a public notice published on its electronic headquarters, the ministry acknowledged the disruption and announced a temporary shutdown of key digital services. “As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.” The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.” The ministry added that deadline extensions would remain in place “until the complete resolution of the aforementioned incident occurs,” citing Article 32 of Law 39/2015. While procedural safeguards are welcome, the lack of early transparency around the nature of the incident raised concerns among affected users.

Spain Ministry of Science Cyberattack: Hacker Claims

Those concerns intensified when a threat actor using the alias “GordonFreeman” appeared on underground forums claiming responsibility for the Spain Ministry of Science cyberattack. The attacker alleged that they exploited a critical Insecure Direct Object Reference (IDOR) vulnerability, granting “full-admin-level access” to internal systems. Data samples shared online—though not independently verified—include screenshots of official documents, email addresses, enrollment applications, and internal records. Spanish media outlet OKDIARIO reported that a ministry spokesperson confirmed the IT disruption was linked to a cyberattack and that the electronic headquarters had been shut down to assess the scope of the data breach. Although the forum hosting the alleged leak is now offline and the data has not resurfaced elsewhere, the screenshots appear legitimate. If confirmed, this would represent a serious breakdown in access control protections.

Alleged Data Exposure Raises Serious Privacy Concerns

According to claims made by the attacker, the stolen data includes highly sensitive information related to students and researchers, such as:
  • Scanned ID documents, NIEs, and passports
  • Email addresses
  • Payment receipts showing IBAN numbers
  • Academic records, including transcripts and apostilled degrees
  • Curricula containing private personal data
If even a portion of this data is authentic, the Spain Ministry of Science cyberattack could expose thousands of individuals to identity theft, financial fraud, and long-term privacy risks. Academic data, in particular, is difficult to replace or invalidate once leaked.

Spain’s Growing Cybercrime Problem

The Spain Ministry of Science cyberattack does not exist in isolation. Cybercrime now accounts for more than one in six recorded criminal offenses in Spain. Attacks have increased by 35% this year, with more than 45,000 incidents reported daily. Between late February and early March, attacks surged by 750% compared to the same period last year. During the week of 5–11 March 2025, Spain was the most targeted country globally, accounting for 22.6% of all cyber incidents—surpassing even the United States.

Two factors continue to drive this trend. Rapid digital transformation, fueled by EU funding, has often outpaced cybersecurity investment. At the same time, ransomware attacks—up 120%—have increasingly targeted organizations with weak defenses, particularly public institutions and SMEs.

The Spain Ministry of Science cyberattack underlines a hard truth: digital services without strong security become liabilities, not efficiencies. As public administrations expand online access, cybersecurity can no longer be treated as a secondary concern or an afterthought. Until Spain addresses systemic gaps in public-sector cybersecurity, incidents like the Spain Ministry of Science cyberattack will continue, not as exceptions, but as warnings ignored for too long.

Foxit Releases Security Updates for PDF Editor Cloud XSS Vulnerabilities

Foxit Software has released security updates addressing multiple cross-site scripting (XSS) vulnerabilities affecting Foxit PDF Editor Cloud and Foxit eSign, closing gaps that could have allowed attackers to execute arbitrary JavaScript within a user’s browser. The patches were issued as part of Foxit’s ongoing security and stability improvements, with the most recent update for Foxit PDF Editor Cloud released on February 3, 2026.

The vulnerabilities stem from weaknesses in input validation and output encoding within specific features of Foxit PDF Editor Cloud. According to Foxit’s official advisory, attackers could exploit these flaws when users interacted with specially crafted file attachments or manipulated layer names inside PDF documents. In such cases, untrusted input could be embedded directly into the application’s HTML structure without proper sanitization, enabling malicious script execution.

The advisory states that the update includes security and stability improvements, and that no manual action is required beyond ensuring the software is up to date.

Details of Foxit PDF Editor Vulnerabilities CVE-2026-1591 and CVE-2026-1592

Two vulnerabilities were identified in Foxit PDF Editor Cloud: CVE-2026-1591 and CVE-2026-1592. Both issues fall under Cross-Site Scripting (CWE-79) and carry a Moderate severity rating, with a CVSS v3.0 score of 6.3. The vulnerabilities affect the File Attachments list and Layers panel, where attackers could inject crafted payloads into file names or layer names.

CVE-2026-1591, considered the primary issue, allows attackers to exploit insufficient input validation and improper output encoding to execute arbitrary JavaScript in a user’s browser. CVE-2026-1592 presents the same risk through similar attack vectors and conditions. Both vulnerabilities were discovered and reported by security researcher Novee.

Although exploitation requires user interaction, the impact can be significant. Attackers must convince authenticated users to access specially crafted attachments or layer configurations. Once triggered, the malicious JavaScript runs within the browser context, potentially enabling session hijacking, exposure of sensitive data from open PDF documents, or redirection to attacker-controlled websites.

Enterprise Risk and Attack Surface Considerations

The attack surface is particularly relevant in enterprise environments where Foxit PDF Editor is widely used for document collaboration and editing. Employees often handle PDFs originating from external partners, customers, or public sources, increasing the likelihood of exposure to crafted payloads.

In addition to Foxit PDF Editor Cloud, Foxit also addressed a related XSS vulnerability affecting Foxit eSign, tracked as CVE-2025-66523. This flaw carries a CVSS score of 6.1 and occurs due to improper handling of URL parameters in specially crafted links.

When authenticated users visit these links, untrusted input may be embedded into JavaScript code and HTML attributes without adequate encoding, creating opportunities for privilege escalation and cross-domain data theft. The patch for Foxit eSign was released on January 15, 2026.

Patches, Mitigation, and Security Guidance

Foxit confirmed that CVE-2026-1591, CVE-2026-1592, and CVE-2025-66523 have all been fully patched. The fixes include improved input validation and output encoding mechanisms designed to prevent malicious script injection. Updates for Foxit PDF Editor Cloud are deployed automatically or available through standard update mechanisms, requiring no additional configuration.

Organizations using Foxit PDF Editor Cloud and Foxit eSign should confirm that their systems are running the latest versions. Administrators are also advised to monitor for unusual JavaScript execution, unexpected PDF editor behavior, or anomalies in application logs.

For environments handling sensitive documents, additional controls may help reduce risk. These include limiting PDF editing to trusted networks, enforcing browser-based content security policies, and restricting access to untrusted attachments. End users should remain cautious when opening PDF files from unknown sources and avoid clicking suspicious links within eSign workflows.
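The class of bug described in the two Foxit items above (an attachment name or layer name spliced into the page’s HTML without output encoding) and the class of fix (encode every untrusted value for the context it lands in) are easy to see side by side in a few lines. The following is an added illustration written for this page; it is not Foxit’s code and says nothing about how Foxit’s panels are actually implemented. The render functions, the file and layer names, and the `hasUnexpectedMarkup` check are all constructed for the example; the check is a defender-side aid that flags output containing more tags than the template itself produces.

```javascript
// Added example, not Foxit's code: an XSS sink created by string-building
// HTML from untrusted names (attachment names, layer names), the encoded
// version that closes it, and a simple test-time check for injected markup.

// Encode a value for placement inside element text or a double-quoted
// attribute value. This covers the two contexts used by the templates below;
// values placed into URLs or inline script need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted name goes straight into the markup, both
// as attribute value and as element content. A name containing quotes or
// angle brackets breaks out of the template and becomes part of the page.
function renderListVulnerable(names) {
  return (
    "<ul>" +
    names.map((n) => `<li title="${n}">${n}</li>`).join("") +
    "</ul>"
  );
}

// Hardened pattern: every untrusted value is encoded for its HTML context,
// so the name is displayed verbatim but can never be parsed as markup.
function renderListSafe(names) {
  return (
    "<ul>" +
    names.map((n) => `<li title="${escapeHtml(n)}">${escapeHtml(n)}</li>`).join("") +
    "</ul>"
  );
}

// Defender-side check usable in unit tests or a review harness: the template
// emits exactly one tag pair for the list plus one pair per item, so any extra
// tag in the output came from the data, not the template.
function hasUnexpectedMarkup(html, itemCount) {
  const tags = html.match(/<[a-zA-Z/]/g) || [];
  const expected = 2 * itemCount + 2;
  return tags.length > expected;
}

// Constructed sample names: one ordinary, one with an ampersand (must survive
// encoding as a readable "&"), one carrying the breakout shape the advisory
// describes for crafted file or layer names.
const SAMPLE_NAMES = [
  "quarterly-report.pdf",
  "R&D notes.pdf",
  'layer"><script>alert(1)</script>',
];

function demo() {
  const vulnerable = renderListVulnerable(SAMPLE_NAMES);
  const safe = renderListSafe(SAMPLE_NAMES);
  return {
    vulnerableHasScript: vulnerable.includes("<script>"),
    safeHasScript: safe.includes("<script>"),
    vulnerableFlagged: hasUnexpectedMarkup(vulnerable, SAMPLE_NAMES.length),
    safeFlagged: hasUnexpectedMarkup(safe, SAMPLE_NAMES.length),
  };
}

console.log(demo());
// Expected: { vulnerableHasScript: true, safeHasScript: false,
//             vulnerableFlagged: true, safeFlagged: false }

module.exports = { escapeHtml, renderListVulnerable, renderListSafe, hasUnexpectedMarkup, SAMPLE_NAMES, demo };
```

In a browser the same principle is usually applied through the DOM rather than string building: create the `li` with `document.createElement`, set the name with `textContent` and the tooltip with `setAttribute`, and never pass untrusted strings to `innerHTML`. A Content Security Policy that disallows inline script, as the guidance above recommends, is a second layer that limits what an encoding slip can execute, but it does not replace the encoding.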

Simplifying K-12 Technology: How ManagedMethods Can Reduce Complexity To Do More With Less

29 January 2026 at 06:07

Simplifying K-12 Technology: How ManagedMethods Can Reduce Complexity To Do More With Less As K-12 districts plan for the 2026/27 school year, the pressure is mounting. Budgets are tight, staffing is stretched thin, and the number of digital tools schools rely on continues to grow. What started as efforts to solve specific problems—student safety, classroom ...

The post Simplifying K-12 Technology: How ManagedMethods Can Reduce Complexity To Do More With Less appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Simplifying K-12 Technology: How ManagedMethods Can Reduce Complexity To Do More With Less appeared first on Security Boulevard.

Acting CISA Chief Flagged for Uploading Sensitive Government Files Into ChatGPT

The acting head of the federal government’s top cyber defense agency triggered an internal cybersecurity warning last summer after uploading sensitive government documents into a public version of ChatGPT, according to four Department of Homeland Security officials familiar with the incident.

The uploads were traced to Madhu Gottumukkala, the interim director of the Cybersecurity and Infrastructure Security Agency (CISA), who has led the agency in an acting capacity since May. Cybersecurity monitoring systems detected the activity in August and automatically flagged it as a potential exposure to sensitive government material, prompting a broader DHS-level damage assessment, the officials said.

Sensitive CISA Contracting Documents Uploaded into Public AI Tool

None of the documents uploaded into ChatGPT was classified, according to the officials, all of whom were granted anonymity due to concerns about retaliation. However, the materials included CISA contracting documents marked “for official use only,” a designation reserved for sensitive information not intended for public release.

One official said there were multiple automated alerts generated by CISA’s cybersecurity sensors, including several internal cybersecurity warnings during the first week of August alone, as reported by Politico. Those alerts are designed to prevent either the theft or accidental disclosure of sensitive government data from federal networks. Following the alerts, senior officials at DHS launched an internal review to assess whether the uploads caused any harm to government systems or operations. Two of the four officials confirmed that the review took place, though its conclusions have not been disclosed.

Madhu Gottumukkala Received Special Permission to Use ChatGPT

The incident drew heightened scrutiny inside the DHS because Gottumukkala had requested and received special authorization to use ChatGPT shortly after arriving at CISA earlier this year, three officials said. At the time, the AI tool was blocked for most DHS employees due to concerns about data security and external data sharing.

Despite the limited approval, the uploads still triggered automated internal cybersecurity warnings. Any data entered into the public version of ChatGPT is shared with OpenAI, the platform’s owner, and may be used to help generate responses for other users. OpenAI has said ChatGPT has more than 700 million active users globally.

By contrast, AI tools approved for DHS use, such as the department’s internally developed chatbot, DHSChat, are configured to ensure that queries and documents remain within federal networks and are not shared externally.

“He forced CISA’s hand into making them give him ChatGPT, and then he abused it,” one DHS official said.

In an emailed statement, CISA Director of Public Affairs Marci McCarthy said Madhu Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” describing the usage as “short-term and limited.” She added that the agency remains committed to “harnessing AI and other cutting-edge technologies” in line with President Donald Trump’s executive order aimed at removing barriers to U.S. leadership in artificial intelligence.

The statement also appeared to dispute the timeline of events, saying Gottumukkala “last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees,” and emphasizing that CISA’s default policy remains to block ChatGPT access unless an exception is approved.

DHS Review Involved Senior Leadership and Legal Officials

After the activity was detected, Gottumukkala met with senior DHS officials to review the material he uploaded into ChatGPT, according to two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, participated in assessing potential harm to the department, one official said. Antoine McCord, DHS’s chief information officer, was also involved, according to another official.

In August, Gottumukkala also held meetings with CISA Chief Information Officer Robert Costello and Chief Counsel Spencer Fisher to discuss the incident and the proper handling of “for official use only” material, the officials said.

Federal employees are trained in the proper handling of sensitive documents. DHS policy requires investigations into both the “cause and effect” of any exposure involving official-use-only materials and mandates a determination of whether administrative or disciplinary action is appropriate. Possible actions can range from retraining or formal warnings to more serious steps, such as suspension or revocation of a security clearance, depending on the circumstances.

The Internal Cybersecurity Warning Adds to Turmoil at CISA

Gottumukkala’s tenure at CISA has been marked by repeated controversy. Earlier this summer, at least six career staff members were placed on leave after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, a test DHS later described as “unsanctioned.” During congressional testimony last week, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization” when asked about the failed test.

Gottumukkala was appointed deputy director of CISA in May by DHS Secretary Kristi Noem and has served as acting director since then. President Trump’s nominee to permanently lead CISA, DHS special adviser Sean Plankey, remains unconfirmed after his nomination was blocked last year by Sen. Rick Scott (R-Fla.) over concerns related to a Coast Guard shipbuilding contract. No new confirmation hearing date has been set.

As CISA continues to defend federal networks against cyber threats from adversarial nations such as Russia and China, the ChatGPT incident has renewed internal concerns about the use of public AI platforms and how internal cybersecurity warnings are handled when they involve the agency’s own leadership.

Keyfactor Allies with IBM Consulting to Spur PQC Adoption

27 January 2026 at 12:20

Keyfactor has partnered with IBM Consulting to enable organizations to accelerate adoption of post-quantum cryptography (PQC) before existing legacy encryption schemes might be cracked later this decade. Under the terms of the non-exclusive alliance, the cryptographic discovery, public key infrastructure (PKI), digital signing and certificate lifecycle automation tools and platforms provided by Keyfactor will be...

The post Keyfactor Allies with IBM Consulting to Spur PQC Adoption appeared first on Security Boulevard.

Telecommunications Sector Sees a Four-fold Jump in Ransomware Attacks in last 4 Years: Report

The telecommunications sector, a cornerstone of national infrastructure, remained squarely in the sights of both ransomware and nation-state actors in 2025, according to Cyble’s Telecommunications Sector Threat Landscape Report 2025. The convergence of high-value subscriber data, geopolitical relevance, and complex digital ecosystems made the industry a persistent focal point for a wide spectrum of threat actors, including ideologically driven hacktivist groups.

“Telecommunications networks sit at the intersection of digital trust, national security, and everyday life. As threat actors continue to become more coordinated and persistent, telecom providers are no longer just service operators—they need to become frontline defenders of critical infrastructure,” said Mandar Patil, Founding Member & SVP at Cyble.

Why the Telecommunication Sector Remains a Prime Target

Telecom organizations were consistently targeted for their extensive repositories of Personally Identifiable Information (PII), including call records, billing details, and customer credentials. This data carries high resale value in underground markets, where compromised network access and customer databases are traded as commodities. The strategic importance of telecommunication networks in geopolitical conflicts further increased their attractiveness, as disruptions can have far-reaching economic and societal consequences.

Exposure through internet-facing infrastructure and reliance on third-party service providers amplified risk across the sector. These factors allowed threat actors to exploit vulnerabilities at multiple points, enabling both immediate financial exploitation and long-term network persistence.

Ransomware Activity and Dominant Threat Groups

Cyble documented 444 security incidents affecting the global telecommunication sector in 2025, including 90 confirmed ransomware attacks. Ransomware activity has increased fourfold since 2021. A total of 34 ransomware groups were identified, though the majority of attacks were driven by a small number of highly active actors.

The most prolific groups, Qilin, Akira, and Play, accounted for nearly 39% of all observed incidents. Qilin led with 16 attacks, primarily targeting organizations in the United States while expanding its operations into Europe and Asia.

Supply Chain Impact and Regional Trends 

The impact of cyberattacks extended across the entire telecommunication ecosystem. While major carriers such as AT&T and Orange were among the most visible victims, threat actors also targeted internet infrastructure providers and manufacturers of communications equipment. This approach disrupted operations across interconnected systems, increasing the overall impact of ransomware campaigns.

[Figure: region-wise attacks in 2025]

Regionally, the Americas experienced the highest number of incidents, with the United States accounting for 47 attacks. Several telecom companies, including Verizon, AT&T, and Lumen Technologies, had reported breaches ahead of the U.S. elections in late 2024. In 2025, opportunistic actors continued to monetize data believed to have been exfiltrated during those earlier intrusions, particularly large volumes of customer PII.

Nation-State Espionage and Hacktivist Disruption 

Beyond financially motivated crime, nation-state actors played a critical role in shaping the threat landscape. The China-linked Salt Typhoon campaign demonstrated sustained espionage efforts against global telecommunication providers by exploiting vulnerabilities in network-edge devices from vendors such as Cisco and Fortinet. These intrusions focused on long-term surveillance and the theft of sensitive call records, compromising hundreds of organizations. Geopolitically motivated hacktivism further contributed to disruption across the sector. Pro-Russian groups claimed intrusions into Ukrainian telecommunication infrastructure, using Distributed Denial-of-Service (DDoS) attacks, website defacements, and data leaks as part of broader ideological campaigns. 

Persistent Pressure and Emerging Patterns 

A defining trend in 2025 was the sustained, year-long activity of dominant ransomware groups. Qilin, in particular, maintained a consistent attack tempo throughout the year. One notable incident involved a U.S.-based telecom company appearing on the leak sites of both INC Ransom and Qilin within the same month. Additionally, isolated late-year activity linked to LockBit suggested residual operations by affiliates despite earlier law enforcement disruptions. Overall, the telecommunication sector in 2025 faced a highly hostile environment marked by ransomware concentration, nation-state espionage, and an active underground economy trading stolen data and access. “What we are witnessing is not a series of isolated attacks, but a sustained campaign against the telecom ecosystem. Organizations that fail to prioritize visibility, resilience, and supply-chain security will continue to face compounded risk in an increasingly contested cyber landscape,” Patil concluded. For deeper insights into ransomware activity, nation-state threats, and telecom security risks, check out Cyble's Telecommunications Sector Threat Landscape Report 2025.

AWS Blames Russia’s GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure

16 December 2025 at 06:19

Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

Amazon Web Services (AWS) has attributed a persistent multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia’s Main Intelligence Directorate (GRU), known widely as Sandworm (or APT44).

In a report released Monday, the cloud giant’s threat intelligence teams revealed that the Russian-nexus actor has maintained a "sustained focus" on North American and European critical infrastructure, with operations spanning from 2021 through the present day.

Misconfigured Devices are the Attackers' Gateway

Crucially, the AWS investigation found that the initial successful compromises were not due to any weakness in the AWS platform itself, but rather to the exploitation of misconfigured customer devices. The threat actor is exploiting a fundamental failure in network defense: customers failing to properly secure their network edge devices and virtual appliances.

The operation focuses on stealing credentials and establishing long-term persistence, often by compromising third-party network appliance software running on platforms like Amazon Elastic Compute Cloud (EC2).

AWS CISO CJ Moses commented in the report, warning, "Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat."

Persistence and Credential Theft, Part of the Sandworm Playbook

AWS observed the GRU-linked group employing several key tactics, techniques, and procedures (TTPs) aligned with their historical playbook:

  1. Exploiting Misconfigurations: Leveraging customer-side mistakes, particularly in exposed network appliances, to gain initial access.

  2. Establishing Persistence: Analysis of network connections showed actor-controlled IP addresses maintaining persistent, long-term connections to the compromised EC2 instances.

  3. Credential Harvesting: The ultimate objective is credential theft, enabling the attackers to move laterally across networks and escalate privileges, often targeting the accounts of critical infrastructure operators.

AWS’s analysis of infrastructure overlaps with known Sandworm operations—a group infamous for disruptive attacks like the 2015 and 2016 power grid blackouts in Ukraine—provides high confidence in the attribution.

Recently, threat intelligence company Cyble detected an advanced backdoor targeting defense systems whose TTPs closely resembled Russia's Sandworm playbook.

Read: Cyble Detects Advanced Backdoor Targeting Defense Systems via Belarus Military Lure

Singular Focus on the Energy Supply Chain

The targeting profile analyzed by AWS' threat intelligence teams demonstrates a calculated and sustained focus on the global energy sector supply chain, including both direct operators and the technology providers that support them:

  • Energy Sector: Electric utility organizations, energy providers, and managed security service providers (MSSPs) specializing in energy clients.

  • Technology/Cloud Services: Collaboration platforms and source code repositories essential for critical infrastructure development.

  • Telecommunications: Telecom providers across multiple regions.

The geographic scope of the targeting is global, encompassing North America, Western and Eastern Europe, and the Middle East, illustrating a strategic objective to gain footholds in the operational technology (OT) and enterprise networks that govern power distribution and energy flow across NATO countries and allies.

From Cloud Edge to Credential Theft

AWS’ telemetry exposed a methodical, five-step campaign flow that leverages customer misconfiguration on cloud-hosted devices to gain initial access:

  1. Compromise Customer Network Edge Device hosted on AWS: The attack begins by exploiting customer-side vulnerabilities or misconfigurations in network edge devices (like firewalls or virtual appliances) running on platforms like Amazon EC2.

  2. Leverage Native Packet Capture Capability: Once inside, the actor exploits the device's own native functionality to eavesdrop on network traffic.

  3. Harvest Credentials from Intercepted Traffic: The crucial step involves stealing usernames and passwords from the intercepted traffic as they pass through the compromised device.

  4. Replay Credentials Against Victim Organizations’ Online Services and Infrastructure: The harvested credentials are then "replayed" (used) to access other services, allowing the attackers to pivot from the compromised appliance into the broader victim network.

  5. Establish Persistent Access for Lateral Movement: Finally, the actors establish a covert, long-term presence to facilitate lateral movement and further espionage.

Secure the Edge and Stop Credential Replay

AWS has stated that while its infrastructure remains secure, the onus is on customers to correct the foundational security flaws that enable this campaign. The report strongly advises organizations to take immediate action on two fronts:

  • Secure Network Edge: Conduct thorough audits and patching of all network appliances and virtual devices exposed to the public internet, ensuring they are configured securely.

  • Monitor for Credential Replay: Implement advanced monitoring for indicators of compromise (IOCs) associated with credential replay and theft attacks, which the threat actors are leveraging to move deeper into target environments.
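The "monitor for credential replay" recommendation above, as an added example that is not from the AWS report or its authors: a minimal detector that reads authentication events and raises an alert when one account logs in successfully from two different source addresses within a short window, which is what replayed credentials harvested on an edge device tend to look like from the identity provider's side. The log format, the sample lines, the trusted address range and the 30-minute window are all constructed assumptions; a real deployment would feed it from the organisation's own SSO or VPN logs and tune the window.

```python
"""Credential-replay detector over authentication logs.

Added example (not from the AWS report). The log line format, the sample
events and the trusted network range below are constructed for illustration.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Hypothetical log format: "<ISO8601 UTC> auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed: the organisation's own address space; logins from anywhere
# else are treated as external when an alert is raised.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log. ops.alice's session is re-used from a public address
# three minutes after her last internal login; the other accounts are benign.
SAMPLE_LOG = """\
2025-11-03T09:00:12Z auth user=ops.alice src=10.20.1.15 result=ok
2025-11-03T09:02:40Z auth user=ops.alice src=10.20.1.15 result=ok
2025-11-03T09:05:01Z auth user=ops.alice src=198.51.100.77 result=ok
2025-11-03T09:06:30Z auth user=ops.bob src=10.20.1.22 result=ok
2025-11-03T11:30:00Z auth user=ops.bob src=203.0.113.9 result=fail
2025-11-03T11:30:05Z auth user=ops.bob src=203.0.113.9 result=ok
2025-11-03T15:00:00Z auth user=ops.carol src=10.20.1.40 result=ok
2025-11-03T17:45:00Z auth user=ops.carol src=10.20.1.41 result=ok
"""


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "ok",
    }


def is_trusted(src):
    """True when the source address falls inside the constructed trusted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_replays(log_text, window_minutes=30):
    """Return one alert per successful login that follows another successful login
    of the same account from a different source address within the window.

    Only successful logins count: a replayed credential that works is the signal
    the report describes, and failed attempts are covered by ordinary brute-force
    alerting.
    """
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e and e["ok"]]
    events.sort(key=lambda e: e["ts"])

    last_seen = {}  # user -> (timestamp, source) of the most recent successful login
    alerts = []
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["src"] and e["ts"] - prev[0] <= window:
            alerts.append({
                "user": e["user"],
                "first_src": prev[1],
                "second_src": e["src"],
                "gap_seconds": int((e["ts"] - prev[0]).total_seconds()),
                # An untrusted second source is the higher-priority case.
                "external": not is_trusted(e["src"]),
            })
        last_seen[e["user"]] = (e["ts"], e["src"])
    return alerts


if __name__ == "__main__":
    for alert in find_replays(SAMPLE_LOG):
        print(alert)
```

With the default 30-minute window only ops.alice is flagged (two sources 141 seconds apart, the second outside the trusted range); widening the window to four hours also flags ops.bob and ops.carol, which shows why the window has to be tuned against normal session behaviour before the alert is routed to an on-call queue. Correlating the first source with the address of the organisation's own edge appliance would raise confidence further, since that is where the report says the credentials were captured.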

Three Ukrainian Nationals Detained in Warsaw with Hacking and Spy Equipment

9 December 2025 at 02:51


Polish police have detained three Ukrainian citizens after discovering a cache of sophisticated hacking and spy-detection equipment in their vehicle. The men, aged 39, 42, and 43, were stopped by officers from the Warsaw Śródmieście district during a routine traffic control on Senatorska Street. The investigation revealed tools capable of interfering with IT systems and committing serious cyber-related crimes. During the stop, the officers checked the men’s identification and noticed signs of nervousness. In interviews, the suspects admitted to "traveling around Europe," having just arrived in Poland and planning to head to Lithuania. The vehicle was subsequently searched thoroughly, uncovering a range of equipment including:
  • Advanced FLIPPER hacking tools
  • Spy device detectors
  • Antennas capable of disrupting IT systems
  • Laptops and portable hard drives
  • SIM cards and routers
  • Cameras and other electronic devices
The items were considered potentially dangerous to the country’s strategic IT and telecommunications infrastructure.

Evidence Analysis and Investigation by Polish police

All seized electronic devices were handed over to the Warsaw Central Bureau for Combating Cybercrime (CBZC) for examination. Although the data storage devices were encrypted, investigators were able to decode and gather evidence thanks to swift action from the CBZC. During further questioning, the suspects claimed to be IT specialists. However, their answers were inconsistent, and they struggled to explain the purpose of the equipment. At times, they pretended not to understand English when asked specific questions. Criminal investigators from Warsaw’s Property Crime Department are exploring the circumstances surrounding their entry into Poland, their travel intentions, and the potential use of the seized devices. The case remains under active investigation.

Charges and Court Action

The three men face multiple charges including:
  • Fraud
  • Computer fraud
  • Possession of devices and computer programs adapted for criminal activities
  • Attempted damage of computer data of particular importance to national defense
Following the investigation, the Warsaw Śródmieście-Północ District Prosecutor’s Office requested preventive measures, and the court granted three-month pretrial detention for all three suspects. The proceedings continue under the supervision of the District Prosecutor’s Office.

Police Statement and Context

Polish police emphasized their ongoing efforts to protect national security and public safety. Officers from the Intelligence and Patrol Department of the Warsaw I District Police Headquarters demonstrated rapid and professional response, highlighting the importance of vigilance in detecting potential threats posed by individuals carrying specialized IT and surveillance equipment. The authorities are exploring all possible scenarios regarding the suspects’ activities in Poland and across Europe, and the case underscores growing concerns about cross-border cybercrime and the misuse of advanced digital technologies for illegal purposes.

Leaks show Intellexa burning zero-days to keep Predator spyware running

5 December 2025 at 08:31

Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.

An investigation by several independent parties describes Intellexa as one of the most notorious mercenary spyware vendors, still operating its Predator platform and hitting new targets even after being placed on US sanctions lists and being under active investigation in Greece.

The investigation draws on highly sensitive documents and other materials leaked from the company, including internal records, sales and marketing material, and training videos. Amnesty International researchers reviewed the material to verify the evidence.

To me, the most interesting part is Intellexa’s continuous use of zero-days against mobile browsers. Google’s Threat Analysis Group (TAG) posted a blog about that, including a list of 15 unique zero-days.

Intellexa can afford to buy and burn zero-day vulnerabilities. They buy them from hackers and use them until the bugs are discovered and patched–at which point they are “burned” because they no longer work against updated systems.

The price for such vulnerabilities depends on the targeted device or application and the impact of exploitation. For example, you can expect to pay in the range of $100,000 to $300,000 for a robust, weaponized Remote Code Execution (RCE) exploit against Chrome with sandbox bypass suitable for reliable, at‑scale deployment in a mercenary spyware platform. And in 2019, zero-day exploit broker Zerodium offered millions for zero-click full chain exploits with persistence against Android and iPhones.

Which is why only governments and well-resourced organizations can afford to hire Intellexa to spy on the people they’re interested in.

The Google TAG blog states:

“Partnering with our colleagues at CitizenLab in 2023, we captured a full iOS zero-day exploit chain used in the wild against targets in Egypt. Developed by Intellexa, this exploit chain was used to install spyware publicly known as Predator surreptitiously onto a device.”

To slow down the “burn” rate of its exploits, Intellexa delivers one-time links directly to targets through end-to-end encrypted messaging apps. This is a common method: last year we reported how the NSO Group was ordered to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.

The fewer people who see an exploit link, the harder it is for researchers to capture and analyze it. Intellexa also uses malicious ads on third-party platforms to fingerprint visitors and redirect those who match its target profiles to its exploit delivery servers.

This zero-click infection mechanism, dubbed “Aladdin,” is believed to still be operational and actively developed. It leverages the commercial mobile advertising system to deliver malware. That means a malicious ad could appear on any website that serves ads, such as a trusted news website or mobile app, and look completely ordinary. If you’re not in the target group, nothing happens. If you are, simply viewing the ad is enough to trigger the infection on your device, no need to click.

[Figure: Zero-click infection chain. Image courtesy of Amnesty International]

How to stay safe

While most of us will probably never have to worry about being in the target group, there are still practical steps you can take:

  • Use an ad blocker. Malwarebytes Browser Guard is a good start. Did I mention it’s a free browser extension that works on Chrome, Firefox, Edge, and Safari? And it should work on most other Chromium based browsers (I even use it on Comet).
  • Keep your software updated. When it comes to zero-days, updating your software only helps after researchers discover the vulnerabilities. However, once the flaws become public, less sophisticated cybercriminals often start exploiting them, so patching remains essential to block these more common attacks.
  • Use a real-time anti-malware solution on your devices.
  • Don’t open unsolicited messages from unknown senders. Opening them could be enough to start a compromise of your device.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

UK Arrests Four in ‘Scattered Spider’ Ransom Group

10 July 2025 at 13:31

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.

The U.K.’s National Crime Agency (NCA) declined to verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and a 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.

Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”
