-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Cybercrime | Breaking Cybersecurity News | The Hacker News

Category — Cybercrime
SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

Jul 08, 2026 Cybercrime / AI Security
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045 , involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER . Some components of the malware date back to October 2025. "Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard," security researchers Jia Yu Chan and Salim Bitam said . "For a full takeover, they can also deploy a commercial remote-access tool." SCMBANKER is specifically designed to go after Mexico's financial ecosystem, with evidence pointing to the use of a large...
The Verification Step Is the New ATO Battleground in 2026

The Verification Step Is the New ATO Battleground in 2026

Jul 08, 2026 Identity Security / Compliance
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in. Passkeys are now mainstream. According to the FIDO Alliance's 2026 research, 75% of global consumers have enabled a passkey on at least one account. At the same time, passkeys are becoming more common in the workplace, with 68% of companies now using, testing, or introducing them for employee sign-ins.  Phishing-resistant, passwordless authentication is no longer aspirational, it's becoming the default. When the password disappears, so does the value of a stolen password. So where does the attack go next? It moves downstream, to the moments where systems still trust a human to prove who they are. The attac...
RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

Jul 07, 2026 Malware / Mobile Security
A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs , which found the operation, says it looks like a new variant of Oblivion , a $300-a-month rent-a-malware tool documented earlier this year. RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand. Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools. Infection starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

Jul 07, 2026 Identity Security / Threat Intelligence
A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens," the email security company said in a report shared with The Hacker News. The activity is assessed to share "strong" overlaps with a campaign documented by Microsoft in February 2025 under the moniker Storm-2372 , including the use of messaging or Teams-style lures to trick unsuspecting victims into entering an attacker-provided device code, along with their credentials, effectively allowing the threat actor to recover the token and hijack their account. Despite these simi...
Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker

Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker

Jul 07, 2026 Cybercrime / Law Enforcement
U.S. prosecutors linked an alleged Scattered Spider hacker to a break-in at a luxury jewelry retailer using a persistent Windows device ID, according to a newly unsealed federal complaint . Microsoft records tied that ID first to the account the attackers used to keep access during the May 2025 intrusion, then to online accounts prosecutors say belong to 19-year-old Peter Stokes. Stokes is charged with conspiracy, computer intrusion, and fraud. A dual U.S.-Estonian citizen known online as "Bouquet," he was extradited from Finland and made his first court appearance in Chicago on June 30, as THN reported . He is presumed innocent pending trial. How the break-in worked Between May 12 and 15, 2025, attackers phoned the retailer's IT help desk from Google Voice numbers, posed as locked-out employees, and got staff to reset employees' passwords and the mobile devices tied to their multifactor authentication. Within a few hours, they controlled three accounts, t...
Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

Jul 06, 2026 Cyber Espionage / Cybercrime
A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country. "It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem," security researchers Dixit Panchal and Soumen Burma said . The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data the...
New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Jul 06, 2026 Malware / Endpoint Security
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months. "Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure," the cybersecurity company said in an analysis of the malware. The malware author also advertises a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS, indicating an attempt to help prospective customers package the client tailored for different enviro...
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Jul 02, 2026 Cybercrime / Botnet
Google has significantly degraded NetNut , one of the biggest networks that turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and others, Google's Threat Intelligence Group (GTIG)  said this week  it had reduced the network's pool of usable devices by millions. Google identifies NetNut, also tracked as Popa , as a network spread across home devices worldwide, including smart TVs and streaming boxes , and GTIG estimates the network holds at least 2 million devices. If one of those devices is in your home, strangers can route their own traffic through your internet connection, and your address gets the blame for whatever they do with it. How It Works A residential proxy network sells access to real home internet addresses. Attackers pay to route their traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools tend to block. To build that pool, operators nee...
ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

Jul 02, 2026 Hacking News / Cybersecurity News
This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break. It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs through the stories below.
19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges

19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges

Jul 01, 2026 Cybercrime / Ransomware
A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice  announced  on July 1. Peter Stokes , 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police arrested him in April on an Interpol Red Notice, an international arrest request, before his extradition in late June. His case is the latest in a run of arrests targeting a crew tied to breaches at casinos, retailers, and airlines. Court records identify Stokes by the online handle "Bouquet" and describe at least four intrusions, the first when he was 16. In one case, in May 2025, prosecutors say he and others broke into a luxury jewelry retailer, copied its data, and demanded about $8 million in cryptocurrency. The retailer refused to pay, evicted the intruders, and spent at least $2 milli...
236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers

236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers

Jun 29, 2026 Cybercrime / Cryptocurrency
New findings unearthed by Infoblox show that more than 236,000 websites are using investment scam templates built using a legitimate Chinese open-source, cross-platform application development framework called DCloud Uni-App . The templates power bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. A total of 236,493 distinct second-level domains have been identified by the DNS threat intelligence company. "For the last two years, there's been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims," Infoblox said in an exhaustive report published last week. It's being assessed that unknown threat actors are selling DCloud investment scam templates, although there are indications of centralized ownership across a significant chunk o...
ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories

ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories

Jun 25, 2026 Hacking News / Cybersecurity News
It’s dumb out there again. This week has the usual smell of prod on fire and nobody wanting to admit who left the door open — old creds still working, trusted apps doing sketchy crap, browser tricks jumping the fence, and “normal” workflows turning into phishing pipes because apparently email was not enough hell already. The worst part is how cheap some of it feels. Not elite. Not cinematic. Just stale secrets, fake updates, lazy trust, and random boxes quietly becoming someone else’s infrastructure. Same internet, fresh headache. Let’s get into it.
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Jun 24, 2026 Cybercrime / Law Enforcement
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure," Europol said in a statement. The development comes days after authorities from the Netherlands, Canada, Germany, and the U.S. disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. As part of the two-week-long action, cryptocurrency assets of criminal origin valued at more than $47 million have been identified, flagged, and restricted from use. In addition, as many as 27 million stolen login credentials have been recovered, and the malware distribution network has been hindered by dismantling 326 servers and 142 domains...
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering

DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering

Jun 24, 2026 Money Laundering / Cybercrime
The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group . "These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected," the DoJ said. The seized account, the Justice Department added, hosted backend infrastructure for the subsidiaries, including HuiOne Guarantee (aka Haowang Guarantee), which operated an illicit Telegram-based marketplace that engaged in transactions with billions of dollars between 2021 and 2025 by peddling a wide range of crimeware tools. These included personal an...
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Jun 23, 2026 Initial Access Broker / Firewall Security
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign , active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances. Appearing in both Window...
INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

Jun 22, 2026 Cybercrime / Artificial Intelligence
A new report from INTERPOL has revealed a "dramatic increase" in cybercrime in Asia and the South Pacific, fueled by rapid digitalization, internet penetration, new technologies, organized criminal networks, and a disparity in cybersecurity maturity. According to INTERPOL's 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing has emerged as the most widespread and financially damaging form of cybercrime, with a third of countries in the region reporting more than 10,000 cases between January 2024 and March 2025. In all, over half of INTERPOL member countries have reported that cybercrime accounted for no less than 30% of all crimes recorded nationally. "The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale," Neal Jett...
ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories

ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories

Jun 18, 2026 Hacking News / Cybersecurity News
The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash courier scams, stealers, loaders, and phishing that barely bothers pretending anymore. Here’s the full mess.
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

Jun 18, 2026 Vulnerability / Enterprise Security
Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said . "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors." INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryp...
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing

Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing

Jun 12, 2026 Cybercrime / Artificial Intelligence
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phishing-as-a-service (PhaaS) software kit called Outsider, per the tech giant. "The operation weaponized Gemini to help generate fraudulent phishing pages and deploy massive SMS phishing ('smishing') attacks, often through text messages impersonating legitimate brands, alerting recipients of 'brokerage account issues' or insisting they are eligible for 'rewards through their mobile phone carrier,'" Google said . "The texts prompt users to click a link leading to a fraudulent website that mimics trusted institutions to steal personal and financial information." Google said it's filing the lawsuit to dismantle the network's infrastructure, and that it...
INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator

INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator

Jun 12, 2026 Cybercrime / Phishing
An INTERPOL-led operation last month resulted in the disruption of Sniper Dz , a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz , took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that's said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts. "Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructu...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources