Cybercrime | Breaking Cybersecurity News | The Hacker News

A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure," Europol said in a statement. The development comes days after authorities from the Netherlands, Canada, Germany, and the U.S. disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. As part of the two-week-long action, cryptocurrency assets of criminal origin valued at more than $47 million have been identified, flagged, and restricted from use. In addition, as many as 27 million stolen login credentials have been recovered, and the malware distribution network has been hindered by dismantling 326 servers and 142 domains...

The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group . "These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected," the DoJ said. The seized account, the Justice Department added, hosted backend infrastructure for the subsidiaries, including HuiOne Guarantee (aka Haowang Guarantee), which operated an illicit Telegram-based marketplace that engaged in transactions with billions of dollars between 2021 and 2025 by peddling a wide range of crimeware tools. These included personal an...

A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign , active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances. Appearing in both Window...

A new report from INTERPOL has revealed a "dramatic increase" in cybercrime in Asia and the South Pacific, fueled by rapid digitalization, internet penetration, new technologies, organized criminal networks, and a disparity in cybersecurity maturity. According to INTERPOL's 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing has emerged as the most widespread and financially damaging form of cybercrime, with a third of countries in the region reporting more than 10,000 cases between January 2024 and March 2025. In all, over half of INTERPOL member countries have reported that cybercrime accounted for no less than 30% of all crimes recorded nationally. "The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale," Neal Jett...

The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash courier scams, stealers, loaders, and phishing that barely bothers pretending anymore. Here’s the full mess.

Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said . "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors." INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryp...

Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phishing-as-a-service (PhaaS) software kit called Outsider, per the tech giant. "The operation weaponized Gemini to help generate fraudulent phishing pages and deploy massive SMS phishing ('smishing') attacks, often through text messages impersonating legitimate brands, alerting recipients of 'brokerage account issues' or insisting they are eligible for 'rewards through their mobile phone carrier,'" Google said . "The texts prompt users to click a link leading to a fraudulent website that mimics trusted institutions to steal personal and financial information." Google said it's filing the lawsuit to dismantle the network's infrastructure, and that it...

An INTERPOL-led operation last month resulted in the disruption of Sniper Dz , a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz , took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that's said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts. "Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructu...

Authorities in Europe have disrupted AudiA6 , a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks. Europol, in a statement issued Thursday, said the dismantling of AudiA6 cut off a "key financial pipeline used to wash hundreds of millions in illicit profits." The service is estimated to have been used to launder more than €336 million (~$389 million) since the service was launched in 2021. "The platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities," the agency added . The operators of AudiA6 are suspected to have also administered a dark web cybercrime forum known as Dark2Web, where cybercriminals advertised illicit services and connected with other threat actors across the world. As part of the operation that took place on June 10, 2026, a number of coordinated actions were carried out, including - The arrest of ...

A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live. "In July 2025, Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups," the Swiss cybersecurity company said. "Additionally, LARVA-368 relies heavily on artificia...

It's been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this all looks now. Mule networks run like SaaS. Deepfake KYC bypass is sold as a feature. Endpoint tools can be quietly weakened using built-in OS settings, with no exploit needed. Here's the full list of threats, tools, flaws, and updates worth knowing.

It got stupid again. The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems. Great. Read the whole thing before it ruins your week anyway.

A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader , according to Proofpoint. The enterprise security company is keeping tabs on the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor largely targeting East Asia. TA4922 is assessed to share some level of overlap with Silver Fox , with the threat actor's tradecraft more focused on cybercriminal objectives than espionage. "The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale...

Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the platform's backend infrastructure. According to a statement issued by the NCSC, police officials seized a subset of these servers from a hosting provider that provided the infrastructure. The provider is said to have subsequently taken the botnet offline following its use for criminal purposes. Although the name of the botnet was not explicitly mentioned, local news outlet NL Times reported that the service in question was Asocks, a company that offers residential proxies . In April 2024, HUMAN's Satori Threat Intelligence team identified a campaign dubbed PROXYLIB that involved inf...

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account compromise because apparently six digits and blind trust were all that stood between your vault and getting absolutely pwned. Cool. Great. Love that for us. Then there's the supply chain mess... signed binaries, poisoned updates, legit tooling getting hijacked like it's still 2017, plus a few reports this week that feel less like advanced tradecraft and more like watching skiddies discover low-hanging fruit with enterprise branding slapped on top. The weird part isn't that it works. The weird part is how damn easy it still is. Anyway. Grab caffeine. Let's get into it. ...

Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. Codenamed Operation Saffron, the disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. First VPN, per Europol , offered services designed specifically for criminal use, allowing anonymous payments and a hidden infrastructure that enabled paying customers to hide their identities when carrying out ransomware attacks, large-scale fraud, and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool to evade law enforcement. The inte...

The U.S. Department of Justice (DoJ) on Thursday announced the arrest of a Canadian man in connection with allegedly operating a distributed denial-of-service (DDoS) botnet known as Kimwolf . In tandem, Jacob Butler (aka Dort), 23, Ottawa, Canada, has been charged with offenses related to the development and operation of the botnet. Kimwolf is assessed to be a variant of AISURU that specifically infected Android devices with an exposed Android Debug Bridge (ADB) service. "Kimwolf targeted infected devices which were traditionally 'firewalled' from the rest of the internet, such as digital photo frames and web cameras," the DoJ said . "The infected devices were enslaved by the botnet operators." "The operators then used a 'cybercrime-as-a-service' model to sell access to the infected devices to other cybercriminals. The operators and their customers forced the victim devices to participate in DDoS attacks, targeting computers and servers l...

This week starts small. A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the usual mess. Then you see the pattern: attackers are not always breaking in. They are using the parts we already trust. That is what makes it worrying. The danger is in normal things now - updates, apps, cloud buttons, support chats, trusted accounts. AI does not make the attacks magic. It just helps people try more things, faster. Here's what showed up this week. 47 zero-days exposed 47 0-Days Discovered in Pwn2Own Berlin 2026 The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws in various products from Windows, Linux, VMware, and NVIDIA. DEVCORE won the event with 50.5 Master of Pwn points and $505,000 in rewards throughout the three-day contest after hacking Microsoft SharePoint, Microsoft E...

Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world. The tech giant attributed the activity to a threat actor it calls Fox Tempest , which it said offered the MSaaS scheme to allow cybercriminals to disguise malware as legitimate software. The threat actor has been active since May 2025. The seizure effort has been codenamed OpFauxSign . "To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said . Microsoft noted that the operation enabled the deployment of Rhysida ransomware by threat actors such as Vanilla Tempe...

INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses. It took place between October 2025 and February 2026. "The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region," INTERPOL said in a statement. "In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized." The operation, codenamed Ramz , led to the disruption of a phishing-as-a-service (PhaaS) by Algerian authorities after its server was confiscated, along with a computer, a mobile phone, and hard drives containing phishing software and scripts. One suspect was ...