Microsoft Corp. has announced a major update to its bug bounty program, extending coverage to include any vulnerability affecting its online services. This new framework, referred to as “In Scope By Default,” is an important shift in how the tech giant approaches coordinated vulnerability disclosure.Under this updated model, every Microsoft online service is automatically eligible for bounty awards from the moment it launches. Previously, the company relied on product-specific scope definitions, which often caused confusion for security researchers and limited the range of vulnerabilities eligible for rewards. By making all services In Scope By Default, Microsoft aims to make participation in the bug bounty program more predictable while ensuring critical vulnerabilities are addressed and incentivized regardless of their origin.A key feature of the expanded scope is its coverage of third-party and open-source components integrated into Microsoft services. This means that vulnerabilities in external libraries, dependencies, or open-source packages that power Microsoft’s cloud infrastructure are now eligible for bug bounty rewards, not just flaws in Microsoft’s own software.
A Strategic Shift in Bug Bounty Security Incentives
Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), highlighted the significance of the change in a December 11, 2025, blog post. He described it as more than an administrative adjustment, calling it a structural realignment designed to reflect real-world risk. Gallagher explained that by defaulting all services into scope, Microsoft hopes to reduce reporting delays, minimize confusion, and allow researchers to focus on vulnerabilities with meaningful impact on customers.“If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher stated. “If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”The new policy also allows Microsoft to collaborate more effectively with researchers on upstream or third-party vulnerabilities. The company can now assist with developing fixes or support maintainers when issues in external codebases directly affect Microsoft services.
Industry Reaction and Expected Impact
All new Microsoft online services now fall under bug bounty coverage from day one, while millions of existing endpoints no longer require manual approval to qualify. The update is designed to make it easier for security professionals to identify and report vulnerabilities across Microsoft’s expansive ecosystem.The new approach aligns with Microsoft’s broader security philosophy in an AI- and cloud-first environment, where attackers exploit any weak link, regardless of ownership. According to Gallagher, “Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.”Last year, Microsoft’s bug bounty program and its Zero Day Quest live-hacking event awarded over $17 million to researchers for high-impact discoveries. With the In Scope By Default initiative, the company expects to expand eligibility even further, particularly in areas involving Microsoft-owned domains, cloud services, and third-party or open-source code.Researchers participating in the program are expected to follow Microsoft’s Rules of Engagement for Responsible Security Research, ensuring customer privacy and data protection while enabling coordinated vulnerability disclosure. By widening its bug bounty scope, Microsoft aims to raise the overall security bar.
American officials joined Russia, Saudi Arabia and Iran in objecting to language on fossils fuels, biodiversity and plastics in a report that was three years in the making.
The Housemaid actor received backlash in September when she left a comment on Instagram after the rightwing activist was killed
The Housemaid star Amanda Seyfried has said she is “not fucking apologising” for describing Charlie Kirk as “hateful” after the latter was shot dead in September.
Seyfried was speaking to Who What Wear when she was asked about her social media activity, including the backlash around her Kirk comment. “I’m not fucking apologising for that. I mean, for fuck’s sake, I commented on one thing. I said something that was based on actual reality and actual footage and actual quotes. What I said was pretty damn factual, and I’m free to have an opinion, of course.”
Australia’s world-first social media ban for children under age 16 takes effect on December 10, leaving kids scrambling for alternatives and the Australian government with the daunting task of enforcing the ambitious ban.
What is the Australian social media ban, who and what services does it cover, and what steps can affected children take? We’ll cover all that, plus the compliance and enforcement challenges facing both social media companies and the Australian government – and the move toward similar bans in other parts of the world.
Australian Social Media Ban Supported by Most – But Not All
In September 2024, Prime Minister Anthony Albanese announced that his government would introduce legislation to set a minimum age requirement for social media because of concerns about the effect of social media on the mental health of children.
The amendment to the Online Safety Act 2021 passed in November 2024 with the overwhelming support of the Australian Parliament. The measure has met with overwhelming support – even as most parents say they don’t plan to fully enforce the ban with their children.
The law already faces a legal challenge from The Digital Freedom Project, and the Australian Financial Review reported that Reddit may file a challenge too.
Services affected by the ban – which proponents call a social media “delay” – include the following 10 services:
Facebook
Instagram
Kick
Reddit
Snapchat
Threads
TikTok
Twitch
X
YouTube
Those services must take steps by Wednesday to remove accounts held by users under 16 in Australia and prevent children from registering new accounts. Many services began to comply before the Dec. 10 implementation date, although X had not yet communicated its policy to the government as of Dec. 9, according to The Guardian.
Companies that fail to comply with the ban face fines of up to AUD $49.5 million, while there are no penalties for parents or children who fail to comply.
Opposition From a Wide Range of Groups - And Efforts Elsewhere
Opposition to the law has come from a range of groups, including those concerned about the privacy issues resulting from age verification processes such as facial recognition and assessment technology or use of government IDs. Others have said the ban could force children toward darker, less regulated platforms, and one group noted that children often reach out for mental health help on social media.
Amnesty International also opposed the ban. The international human rights group called the ban “an ineffective quick fix that’s out of step with the realities of a generation that lives both on and offline.”
Amnesty said strong regulation and safeguards would be a better solution.
“The most effective way to protect children and young people online is by protecting all social media users through better regulation, stronger data protection laws and better platform design,” Amnesty said. “Robust safeguards are needed to ensure social media platforms stop exposing users to harms through their relentless pursuit of user engagement and exploitation of people’s personal data.
“Many young people will no doubt find ways to avoid the restrictions,” the group added. “A ban simply means they will continue to be exposed to the same harms but in secret, leaving them at even greater risk.”
Even the prestigious medical journal The Lancet suggested that a ban may be too blunt an instrument and that 16-year-olds will still face the same harmful content and risks. Jasmine Fardouly of the University of Sydney School of Psychology noted in a Lancetcommentary that “Further government regulations and support for parents and children are needed to help make social media safe for all users while preserving its benefits.”
Still, despite the chorus of concerns, the idea of a social media ban for children is catching on in other places, including the EU and Malaysia.
Australian Children Seek Alternatives as Compliance Challenges Loom
The Australian social media ban leaves open a range of options for under-16 users, among them Yope, Lemon8, Pinterest, Discord, WhatsApp, Messenger, iMessage, Signal, and communities that have been sources of controversy such as Telegram and 4chan.
Users have exchanged phone numbers with friends and other users, and many have downloaded their personal data from apps where they’ll be losing access, including photos, videos, posts, comments, interactions and platform profile data.
Many have investigated VPNs as a possible way around the ban, but a VPN is unlikely to work with an existing account that has already been identified as an underage Australian account.
In the meantime, social media services face the daunting task of trying to confirm the age of account holders, a process that even Albanese has acknowledged “won’t be 100 per cent perfect.” There have already been reports of visual age checks failing, and a government-funded report released in August admitted the process will be imperfect.
The government has published substantial guidance for helping social media companies comply with the law, but it will no doubt take time to determine what “reasonable steps” to comply look like.
In the meantime, social media companies will have to navigate compliance guidance like the following passage:
“Providers may choose to offer the option to end-users to provide government-issued identification or use the services of an accredited provider. However, if a provider wants to employ an age assurance method that requires the collection of government-issued identification, then the provider must always offer a reasonable alternative that doesn’t require the collection of government-issued identification. A provider can never require an end-user to give government-issued identification as the sole method of age assurance and must always give end-users an alternative choice if one of the age assurance options is to use government-issued identification. A provider also cannot implement an age assurance system which requires end-users to use the services of an accredited provider without providing the end-user with other choices.”
During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections.
Instead of sending stolen data to a traditional command-and-control server, the kit forwards every submission to a Telegram bot. That gives the attackers a live feed of fresh logins they can use right away. It also sidesteps many domain-based blocking strategies and makes swapping infrastructure very easy.
Phishing groups increasingly use services like Cloudflare Pages (*.pages.dev) to host their fake portals, sometimes copying a real login screen almost pixel for pixel. In this case, the actors spun up subdomains impersonating financial and healthcare providers. The first one we found was impersonating Heartland bank Arvest.
Fake Arvest login page
On closer look, the phishing site shows visitors two “failed login” screens, prompts for security questions, and then sends all credentials and answers to a Telegram bot.
Comparing their infrastructure with other sites, we found one impersonating a much more widely known brand: United Healthcare.
HealthSafe ID overpayment refund
In this case, the phishers abused a compromised website as a redirector. Attackers took over a legitimate-looking domain like biancalentinidesigns[.]com and saddle it with long, obscure paths for phishing or redirection. Emails link to the real domain first, which then forwards the victim to the active Cloudflare pages phishing site. Messages containing a familiar or benign-looking domain are more likely to slip past spam filters than links that go straight to an obviously new cloud-hosted subdomain.
Cloud-based hosting also makes takedowns harder. If one *.pages.dev hostname gets reported and removed, attackers can quickly deploy the same kit under another random subdomain and resume operations.
The phishing kit at the heart of this campaign follows a multi-step pattern designed to look like a normal sign-in flow while extracting as much sensitive data as possible.
Instead of using a regular form submission to a visible backend, JavaScript harvests the fields and bundles them into a message sent straight to the Telegram API.. That message can include the victim’s IP address, user agent, and all captured fields, giving criminals a tidy snapshot they can use to bypass defenses or sign in from a similar environment.
The exfiltration mechanism is one of the most worrying parts. Rather than pushing credentials to a single hosted panel, the kit posts them into one or more Telegram chats using bot tokens and chat IDs hardcoded in the JavaScript. As soon as a victim submits a form, the operator receives a message in their Telegram client with the details, ready for immediate use or resale.
This approach offers several advantages for the attackers: they can change bots and chat IDs frequently, they do not need to maintain their own server, and many security controls pay less attention to traffic that looks like a normal connection to a well-known messaging platform. Cycling multiple bots and chats gives them redundancy if one token is reported and revoked.
What an attack might look like
Putting all the pieces together, a victim’s experience in this kind of campaign often looks like this:
They receive a phishing email about banking or health benefits: “Your online banking access is restricted,” or “Urgent: United Health benefits update.”
The link points to a legitimate but compromised site, using a long or strange path that does not raise instant suspicion.
That hacked site redirects, silently or after a brief delay, to a *.pages.dev phishing site that looks almost identical to the impersonated brand.
After entering their username and password, the victim sees an error or extra verification step and is asked to provide answers to secret questions or more personal and financial information.
Behind the scenes, each submitted field is captured in JavaScript and sent to a Telegram bot, where the attacker can use or sell it immediately.
From the victim’s point of view, nothing seems unusual beyond an odd-looking link and a failed sign-in. For the attackers, the mix of free hosting, compromised redirectors, and Telegram-based exfiltration gives them speed, scale, and resilience.
The bigger trend behind this campaign is clear: by leaning on free web hosting and mainstream messaging platforms, phishing actors avoid many of the choke points defenders used to rely on, like single malicious IPs or obviously shady domains. Spinning up new infrastructure is cheap, fast, and largely invisible to victims.
How to stay safe
Education and a healthy dose of skepticism are key components to staying safe. A few habits can help you avoid these portals:
Always check the full domain name, not just the logo or page design. Banks and health insurers don’t host sign-in pages on generic developer domains like *.pages.dev, *.netlify.app, or on strange paths on unrelated sites.
Don’t click sign-in or benefits links in unsolicited emails or texts. Instead, go to the institution’s site via a bookmark or by typing the address yourself.
Treat surprise “extra security” prompts after a failed login with caution, especially if they ask for answers to security questions, card numbers, or email passwords.
If anything about the link, timing, or requested information feels wrong, stop and contact the provider using trusted contact information from their official site.
ChatGPT allegedly validated the worst impulses of a wannabe influencer accused of stalking more than 10 women at boutique gyms, where the chatbot supposedly claimed he’d meet the “wife type.”
In a press release on Tuesday, the Department of Justice confirmed that 31-year-old Brett Michael Dadig currently remains in custody after being charged with cyberstalking, interstate stalking, and making interstate threats. He now faces a maximum sentence of up to 70 years in prison that could be coupled with “a fine of up to $3.5 million,” the DOJ said.
The podcaster—who primarily posted about “his desire to find a wife and his interactions with women”—allegedly harassed and sometimes even doxxed his victims through his videos on platforms including Instagram, Spotify, and TikTok. Over time, his videos and podcasts documented his intense desire to start a family, which was frustrated by his “anger towards women,” whom he claimed were “all the same from fucking 18 to fucking 40 to fucking 90” and “trash.”
On Wednesday, Micron Technology announced it will exit the consumer RAM business in 2026, ending 29 years of selling RAM and SSDs to PC builders and enthusiasts under the Crucial brand. The company cited heavy demand from AI data centers as the reason for abandoning its consumer brand, a move that will remove one of the most recognizable names in the do-it-yourself PC upgrade market.
“The AI-driven growth in the data center has led to a surge in demand for memory and storage,” Sumit Sadana, EVP and chief business officer at Micron Technology, said in a statement. “Micron has made the difficult decision to exit the Crucial consumer business in order to improve supply and support for our larger, strategic customers in faster-growing segments.”
Micron said it will continue shipping Crucial consumer products through the end of its fiscal second quarter in February 2026 and will honor warranties on existing products. The company will continue selling Micron-branded enterprise products to commercial customers and plans to redeploy affected employees to other positions within the company.
It’s not a bad time to upgrade your gaming PC. Graphics card prices in the 2020s have undulated continuously as the industry has dealt with pandemic and AI-related shortages, but it’s actually possible to get respectable mainstream- to high-end GPUs like AMD’s Radeon RX 9060 XT and 9070 series or Nvidia’s RTX 5060, 5070, and 5080 series for at or slightly under their suggested retail prices right now. This was close to impossible through the spring and summer.
But it’s not a good time to build a new PC or swap your older motherboard out for a new one that needs DDR5 RAM. And the culprit is a shortage of RAM and flash memory chips that has suddenly sent SSD and (especially) memory prices into the stratosphere, caused primarily by the ongoing AI boom and exacerbated by panic-fueled buying by end users and device manufacturers.
To illustrate just how high things have jumped in a short amount of time, let’s compare some of the RAM and storage prices listed in our system guide from three months ago to the pricing for the exact same components today. Note that several of these are based on the last available price and are currently sold out; we also haven’t looked into things like microSD or microSD Express cards, which could also be affected.
The ARC Data Sale to U.S. government agencies has come under intense scrutiny following reports of warrantless access to Americans’ travel records.
After growing pressure from lawmakers, the Airlines Reporting Corporation (ARC), a data broker collectively owned by major U.S. airlines, has announced it will shut down its Travel Intelligence Program (TIP), a system that allowed federal agencies to search through hundreds of millions of passenger travel records without judicial oversight.
Lawmakers Question ARC Data Sale and Warrantless Access
Concerns over the ARC Data Sale intensified this week after a bipartisan group of lawmakers sent letters to nine airline CEOs urging them to stop the practice immediately. The letter cited reports that government agencies, including the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), and the FBI had been accessing ARC’s travel database without obtaining warrants or court orders.
According to the lawmakers, ARC sold access to a system containing approximately 722 million ticket transactions covering 39 months of past and future travel data. This includes bookings made through more than 10,000 U.S.-based travel agencies, popular online travel portals like Expedia, Kayak, and Priceline, and even credit-card reward program bookings. Travel details in this database include a passenger’s name, itinerary, flight numbers, fare details, ticket numbers, and sometimes credit card digits used during the purchase.
Documents released through public records requests show that the FBI received travel records from ARC based solely on written requests, bypassing the need for subpoenas. DHS described the database as “an unparalleled intelligence resource.”
IRS Admits Policy Violations in Handling Travel Data
A central point of concern is the revelation that the IRS accessed ARC’s travel database without conducting a legal review or completing a required Privacy Impact Assessment. Under the E-Government Act of 2002, federal agencies must complete such assessments before procuring systems that collect personal data.
In a disclosure to Senator Ron Wyden, the IRS admitted it had purchased ARC’s airline data without meeting these requirements. The agency only completed the privacy assessment after receiving an oversight inquiry in 2025.
It also confirmed that it had not initially reviewed whether accessing the travel data constituted a search that required a warrant, despite previous commitments to do so after a 2021 investigation into cell-phone location data purchases.
Prospective Surveillance Raises New Privacy Concerns
Beyond historical travel data, lawmakers highlighted that ARC’s tools enabled what they termed “prospective surveillance.” Through automated, recurring searches, government agencies could receive alerts the moment a ticket matching specific criteria was booked. This type of forward-looking monitoring typically requires a higher legal threshold and is allowed only in limited circumstances authorized by Congress.
Lawmakers argued that buying such capabilities from a data broker like ARC allowed agencies to circumvent the Fourth Amendment, undermining Americans’ constitutional protection against unreasonable searches. Because ARC only captures bookings made through travel agencies, individuals booking directly with airlines do not have their travel data in the system, effectively creating inconsistent privacy protections based solely on how a ticket is purchased.
ARC Confirms End of Travel Intelligence Program
In a letter sent on Tuesday, ARC CEO Lauri Reishus informed lawmakers that the company would end the Travel Intelligence Program in the coming weeks. The decision follows public and political pressure since September, when media reports first revealed the extent of ARC’s data-sharing arrangements with government agencies.
Lawmakers noted that airlines benefit financially when passengers book tickets directly, raising concerns that the surveillance program not only threatened privacy rights but also created potential antitrust implications.
As lawmakers push for stronger privacy protections and clearer limits on government surveillance, the ARC data sale case has become a high-profile example of how easily personal travel data can be accessed and shared without passengers’ knowledge.
A disturbing case of hacking CCTV systems in India has exposed a widespread cybercrime racket through which intimate videos from a maternity ward were stolen and sold online. Police in Gujarat state say the discovery has raised concern for surveillance practices in a country where cameras are routinely placed across public and private spaces.The case came to light earlier this year when Gujarati media outlets detected several videos on YouTube. These clips, taken inside a maternity hospital, showed pregnant women undergoing medical examinations and receiving injections in their buttocks. Each video carried a link directing viewers to Telegram channels where longer versions of the footage could be purchased. To protect the privacy of those filmed, the city and the maternity hospital’s name have not been disclosed.
From a Single Hospital Breach to a Nationwide Cybercrime Operation
The hospital director told the BBC that the cameras had been installed “for the safety of doctors” and to guard against false allegations. None of the women seen in the videos has filed police complaints.Once alerted, investigators uncovered what they described as a massive nationwide cybercrime racket. Police say hackers had infiltrated at least 50,000 CCTV systems throughout India and were selling footage taken from hospitals, schools, residential complexes, offices, malls, and even private homes. Many of the stolen clips were marketed for prices ranging from 800 to 2,000 rupees, while some Telegram operators reportedly offered live feeds through subscription-based access. According to officers, the case demonstrates how a single CCTV hack can compromise thousands of devices due to weak digital protection.
Arrests, Charges, and the Spread of the Network
Arrests connected to the network have been made since February, spanning Maharashtra, Uttar Pradesh, Gujarat, Delhi, and Uttarakhand. The suspects face charges under laws addressing privacy violations, cyberterrorism, voyeurism, and the publication of obscene material. Police noted that no patient or hospital lodged an official complaint, largely due to fear of exposure and social stigma. Instead, a police officer formally initiated the case to prevent the matter from being dropped.The breach reflects the widespread vulnerabilities built into India’s surveillance ecosystem. Many CCTV units operate with default passwords such as “Admin123,” practice investigators say aided the hackers. Officers reported that the group used brute-force tools to access networks, enabling them to capture feed from thousands of locations. Specialists advise users to periodically change IP addresses and passwords, conduct routine audits of their systems, and adopt stronger security measures for both home and professional networks.
Growing Concerns About Surveillance and Privacy
The proliferation of CCTV across India, from hospital wards to private apartments, has created a fertile ground for hacking CCTV incidents, exposing sensitive footage, and disproportionately affecting women, who often hesitate to report breaches due to stigma. Despite government efforts to tighten digital security, gaps remain, and this latest breach highlights how quickly insecure systems can be exploited and sensitive data spread online.Platforms like Cyble offer a proactive solution, leveraging AI-native intelligence to monitor dark web activity, detect vulnerabilities, and prevent cybercrime before it impacts victims. Organizations looking to protect their networks and gain real-time threat visibility can schedule a free demo with Cyble to experience how its agentic AI hunts, predicts, and neutralizes threats autonomously, keeping security teams ahead of hackers.
The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.
The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.
By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: The traffic flood lasted less only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.
A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.
Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.
For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.
Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.
“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.
Traces from the recent spate of crippling Aisuru attacks on gaming servers can be still seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.
An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.
Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.
Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.
BOTNETS R US
Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.
AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.
“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”
Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.
“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to a recent blog post on protecting its network, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.
“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”
A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”
The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.
A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.
Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.
“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”
The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was heavily targeted in 2016 by the original Mirai botmasters.
Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.
“The Aisuru attacks on the gaming networks these past seven day have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.
Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.
“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.
RAPID SPREAD
Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the first to profile Aisuru’s rise in 2024, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.
“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab wrote on September 15. “The node count is currently reported to be around 300,000.”
A malicious script implanted into a Totolink update server in April 2025. Image: XLab.
Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department Justicecharged the alleged proprietor of Rapper Bot, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.
Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.
“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
A screenshot shared by XLabs showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.
BOTMASTERS AT LARGE
XLab’s September blog post cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.
KrebsOnSecurity interviewed Forky in our May 2025 story about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.
Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.
In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.
Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).
But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.
At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.
“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”
It adds a small extra step when logging in, but that extra effort pays off. Instagram’s 2FA requires an additional code whenever you try to log in from an unrecognized device or browser—stopping attackers even if they have your password.
Instagram offers multiple 2FA options: text message (SMS), an authentication app (recommended), or a security key.
Here’s how to enable 2FA on Instagram for Android, iPhone/iPad, and the web.
How to set up 2FA for Instagram on Android
Open the Instagram app and log in.
Tap your profile picture at the bottom right.
Tap the menu icon (three horizontal lines) in the top right.
Select Accounts Center at the bottom.
Tap Password and security > Two-factor authentication.
Choose your Instagram account.
Select a verification method: Text message (SMS), Authentication app (recommended), or WhatsApp.
SMS: Enter your phone number if you haven’t already. Instagram will send you a six-digit code. Enter it to confirm.
Authentication app: Choose an app like Google Authenticator or Duo Mobile. Scan the QR code or copy the setup key, then enter the generated code on Instagram.
WhatsApp: Enable text message security first, then link your WhatsApp number.
Follow the on-screen instructions to finish setup.
How to set up 2FA for Instagram on iPhone or iPad
Open the Instagram app and log in.
Tap your profile picture at the bottom right.
Tap the menu icon > Settings > Security > Two-factor authentication.
Tap Get Started.
Choose Authentication app (recommended), Text message, or WhatsApp.
Authentication app: Copy the setup key or scan the QR code with your chosen app. Enter the generated code and tap Next.
Text message: Turn it on, then enter the six-digit SMS code Instagram sends you.
WhatsApp: Enable text message first, then add WhatsApp.
Follow on-screen instructions to complete the setup.
Click Two-factor authentication, then choose your account.
Note: If your accounts are linked, you can enable 2FA for both Instagram and your overall Meta account here.
Choose your preferred 2FA method and follow the online prompts.
Enable it today
Even the strongest password isn’t enough on its own. 2FA means a thief must have access to your an additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. That makes it far harder for criminals to break in.
Turn on 2FA for all your important accounts, especially social media and messaging apps. It only takes a few minutes, but it could save you hours—or even days—of recovery later.It’s currently the best password advice we have.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
Blue Origin, owned by Jeff Bezos, and Lockheed Martin are among the contractors that may compete with Elon Musk’s company in the race back to the lunar surface.
Last month, KrebsOnSecurity tracked the sudden emergence of hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. We’ve since learned that these scam gambling sites have proliferated thanks to a new Russian affiliate program called “Gambler Panel” that bills itself as a “soulless project that is made for profit.”
A machine-translated version of Gambler Panel’s affiliate website.
The scam begins with deceptive ads posted on social media that claim the wagering sites are working in partnership with popular athletes or social media personalities. The ads invariably state that by using a supplied “promo code,” interested players can claim a $2,500 credit on the advertised gaming website.
The gaming sites ask visitors to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action. However, when users try to cash out any “winnings” the gaming site will reject the request and prompt the user to make a “verification deposit” of cryptocurrency — typically around $100 — before any money can be distributed.
Those who deposit cryptocurrency funds are soon pressed into more wagering and making additional deposits. And — shocker alert — all players eventually lose everything they’ve invested in the platform.
The number of scam gambling or “scambling” sites has skyrocketed in the past month, and now we know why: The sites all pull their gaming content and detailed strategies for fleecing players straight from the playbook created by Gambler Panel, a Russian-language affiliate program that promises affiliates up to 70 percent of the profits.
Gambler Panel’s website gambler-panel[.]com links to a helpful wiki that explains the scam from cradle to grave, offering affiliates advice on how best to entice visitors, keep them gambling, and extract maximum profits from each victim.
“We have a completely self-written from scratch FAKE CASINO engine that has no competitors,” Gambler Panel’s wiki enthuses. “Carefully thought-out casino design in every pixel, a lot of audits, surveys of real people and test traffic floods were conducted, which allowed us to create something that has no doubts about the legitimacy and trustworthiness even for an inveterate gambling addict with many years of experience.”
Gambler Panel explains that the one and only goal of affiliates is to drive traffic to these scambling sites by any and all means possible.
A machine-translated portion of Gambler Panel’s singular instruction for affiliates: Drive traffic to these scambling sites by any means available.
“Unlike white gambling affiliates, we accept absolutely any type of traffic, regardless of origin, the only limitation is the CIS countries,” the wiki continued, referring to a common prohibition against scamming people in Russia and former Soviet republics in the Commonwealth of Independent States.
The program’s website claims it has more than 20,000 affiliates, who earn a minimum of $10 for each verification deposit. Interested new affiliates must first get approval from the group’s Telegram channel, which currently has around 2,500 active users.
The Gambler Panel channel is replete with images of affiliate panels showing the daily revenue of top affiliates, scantily-clad young women promoting the Gambler logo, and fast cars that top affiliates claimed they bought with their earnings.
A machine-translated version of the wiki for the affiliate program Gambler Panel.
The apparent popularity of this scambling niche is a consequence of the program’s ease of use and detailed instructions for successfully reproducing virtually every facet of the scam. Indeed, much of the tutorial focuses on advice and ready-made templates to help even novice affiliates drive traffic via social media websites, particularly on Instagram and TikTok.
Gambler Panel also walks affiliates through a range of possible responses to questions from users who are trying to withdraw funds from the platform. This section, titled “Rules for working in Live chat,” urges scammers to respond quickly to user requests (1-7 minutes), and includes numerous strategies for keeping the conversation professional and the user on the platform as long as possible.
A machine-translated version of the Gambler Panel’s instructions on managing chat support conversations with users.
The connection between Gambler Panel and the explosion in the number of scambling websites was made by a 17-year-old developer who operates multiple Discord servers that have been flooded lately with misleading ads for these sites.
The researcher, who asked to be identified only by the nickname “Thereallo,” said Gambler Panel has built a scalable business product for other criminals.
“The wiki is kinda like a ‘how to scam 101’ for criminals written with the clarity you would expect from a legitimate company,” Thereallo said. “It’s clean, has step by step guides, and treats their scam platform like a real product. You could swap out the content, and it could be any documentation for startups.”
“They’ve minimized their own risk — spreading the links on Discord / Facebook / YT Shorts, etc. — and outsourced it to a hungry affiliate network, just like a franchise,” Thereallo wrote in response to questions.
“A centralized platform that can serve over 1,200 domains with a shared user base, IP tracking, and a custom API is not at all a trivial thing to build,” Thereallo said. “It’s a scalable system designed to be a resilient foundation for thousands of disposable scam sites.”
The security firm Silent Push has compiled a list of the latest domains associated with the Gambler Panel, available here (.csv).
Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.
Some of the core developers and sellers of Heartsender posing at a work outing in 2021. WeCodeSolutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.
A report from the Pakistani media outlet Dawn states that authorities there arrested 21 people alleged to have operated Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me. Pakistan’s National Cyber Crime Investigation Agency (NCCIA) reportedly conducted raids in Lahore’s Bahria Town and Multan on May 15 and 16.
The NCCIA told reporters the group’s tools were connected to more than $50m in losses in the United States alone, with European authorities investigating 63 additional cases.
“This wasn’t just a scam operation – it was essentially a cybercrime university that empowered fraudsters globally,” NCCIA Director Abdul Ghaffar said at a press briefing.
In January 2025, the FBI and the Dutch Police seized the technical infrastructure for the cybercrime service, which was marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
The FBI says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.
Dawn reported that those arrested included Rameez Shahzad, the alleged ringleader of the Heartsender cybercrime business, which most recently operated under the Pakistani front company WeCodeSolutions. Mr. Shahzad was named and pictured in a 2021 KrebsOnSecurity story about a series of remarkable operational security mistakes that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.
Prior to folding their operations behind WeCodeSolutions, Shahzad and others arrested this month operated as a web hosting group calling itself The Manipulaters. KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.
Sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners.
In 2024, DomainTools.comfound the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees. DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”
Shahzad allegedly used the alias “Saim Raza,” an identity which has contacted KrebsOnSecurity multiple times over the past decade with demands to remove stories published about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had quit the cybercrime industry and turned over a new leaf after a brush with the Pakistani police.
The arrested suspects include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.
Login
