Cybercrime | Breaking Cybersecurity News | The Hacker News

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. "The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information," the DoJ said . "BidenCash administrators charged a fee for every transaction conducted on the website." BidenCash launched in March 2022 to fill the void left by the shutdown of Joker's Stash a year earlier and several other carding forums like UniCC . Since the time it went operational, the illegal bazaar ("bidencash[.]asia," "bidencash[.]bd," and "bidencash[.]ws") is estimated to have supported more than 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated no less than $17 mi...

The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in virtual currency investment scams that caused Americans to lose billions of dollars annually. "Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses," the agency said in a press release. The average loss is estimated to be over $150,000 per individual. Funnull, also called Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), first attracted the attention of the cybersecurity community in June 2024 after it was implicated in the supply chain attack of the widely-used Polyfill[.]io J...

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan Raghuprasad said in a report published today. "Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary." Numero, on the other hand, is a destructive malware that impacts victims by manipulating the graphical user interface (GUI) components of their Windows operating system, thereby rendering the machines unusable. The cybersecurity company said the legitimate versions of the AI tools are popular in the business-to-business (B2B) sal...

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the U.S. Department of Justice (DoJ) said in a statement. The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information, such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. Th...

A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee . According to a report published by blockchain analytics firm Elliptic, merchants on the marketplace have been found to peddle technology, personal data, and money laundering services. "The USDT stablecoin is the primary payment method, with the market having received $8.4 billion in transactions to date," the company said . "Some transactions can be linked to funds stolen by North Korea." Xinbi, like HuiOne, has offered its services to scammers in Southeast Asia, including those responsible for so-called romance baiting schemes (formerly referred to as "pig butchering"), which has become one of the most lucrative forms of cybercrime in recent years. What's notable about these criminal bazaars is that they are entirely run on Tele...

Moldovan law enforcement authorities have arrested a 45-year-old foreign man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021. "He is wanted internationally for committing several cybercrimes (ransomware attacks, blackmail, and money laundering) against companies based in the Netherlands," officials said in a statement Monday. In conjunction with the arrest, police seized over €84,000 ($93,000) in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect's name was not disclosed. But he is said to have been detained after a search of his residence in Moldova. In at least one instance, the individual conducted a ransomware attack on the Netherlands Organization for Scientific Research (NWO), causing material damage worth approximately €4.5 million. The attack took place in February 2021, resulting in the leak of internal documents after th...

Germany's Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has seized the online infrastructure and shutdown linked to the eXch cryptocurrency exchange over allegations of money laundering and operating a criminal trading platform. The operation was carried out on April 30, 2025, authorities said, adding they also confiscated 8 terabytes worth of data and cryptocurrency assets worth €34 million ($38.25 million) in Bitcoin, Ether, Litecoin, and Dash. According to the BKA, eXch[.]cx, existed since 2014 and offered cryptocurrency swapping services, allowing its users to exchange digital assets. It was available both on the clearnet and the dark web. eXch "specifically advertised on platforms of the criminal underground economy (UE) that it did not implement any anti-money laundering measures," the BKA said in a statement. "Users were neither required to identify themselves to the service, nor was user data stored there. Crypto swapping via eXch was...

Cybersecurity researchers have exposed what they say is an "industrial-scale, global cryptocurrency phishing operation" engineered to steal digital assets from cryptocurrency wallets for several years. The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin . "FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets," security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel said in a technical report shared with The Hacker News. "Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases." The scale of the campaign is reflected in the fact that over 38,000 distinct FreeDrain sub-domains hosting lure pages have been identified. These pages are hosted on cloud infrastructure lik...

Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world. In connection with the operation, Polish authorities have arrested four individuals aged between 19 and 22 and the United States has seized nine domains that are associated with the now-defunct platforms. "The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10," Europol said in a statement. The services, named cfxapi, cfxsecurity, neostress, jetstress, quickdown and zapcut, are said to have been instrumental in launching widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.  Europol said the platforms offered "slick user interfaces," enabling malicious actors with little to no technical expertis...

The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States. Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen. "From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," the DoJ said in a statement. Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon. The ransomware worked by either encrypting data from ...

Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X. The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a network of "politically-aligned accounts" that engaged with "10s of thousands" of authentic accounts. The now-disrupted operation, Anthropic researchers said, prioritized persistence and longevity over vitality and sought to amplify moderate political perspectives that supported or undermined European, Iranian, the United Arab Emirates (U.A.E.), and Kenyan interests. These included promoting the U.A.E. as a superior business environment while being critical of European regulatory frameworks, focusing on energy security narratives for European audiences, and cultural...

Cybersecurity researchers have revealed that RansomHub 's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among affiliates of the ransomware-as-a-service (RaaS) operation. Singaporean cybersecurity company Group-IB said that this may have caused affiliates to migrate to Qilin, given that "disclosures on its DLS [data leak site] have doubled since February."  RansomHub, which first emerged in February 2024, is estimated to have stolen data from over 200 victims. It replaced two high-profile RaaS groups, LockBit and BlackCat, to become a frontrunner, courting their affiliates, including Scattered Spider and Evil Corp , with lucrative payment splits. "Following a possible acquisition of the web application and ransomware source code of Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene, thanks to the dynamic features of its multi-platform encryptor and an aggressive, affiliate-friendly ...