
Financial Crime | Breaking Cybersecurity News | The Hacker News

Category — Financial Crime
LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

Dec 25, 2025 Data Breach / Financial Crime
The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. This assessment is "based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps," it added. LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases. ...
SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips

Dec 24, 2025 Artificial Intelligence / Cryptocurrency
The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation. The SEC said the scam unfolded as a multi-step fraud that enticed unsuspecting users with ads on social media and built trust with them through group chats in which the scammers posed as financial professionals and promised returns from artificial intelligence (AI)-generated investment tips. The fraudsters then convinced the victims to invest their funds into fake cryptocurrency asset trading platforms, only to defraud them later. According to the SEC, AI Weal...
U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme

Dec 23, 2025 Financial Crime / Law Enforcement
The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of a bank account takeover scheme. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Visitors to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia. "The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing," the DoJ said. "These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities." The ads served as a conduit to redirect unsuspecting users to fake bank websites operated by the threat actors, who harvested ...
U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware

Dec 20, 2025 Cybercrime / ATM Security
The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for "the train of Aragua"), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department. In July 2025, the U.S. government announced sanctions against the group's head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the "illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities." The Justice Department said an indictment returned on December 9, 2025, has charged a group of...
North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

Dec 18, 2025 Cryptocurrency / Cyber Espionage
Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis' Crypto Crime Report shared with The Hacker News. "This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises," the blockchain intelligence company said. "Overall, 2025's numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion." The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North ...
FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams

Nov 26, 2025 Online Security / Artificial Intelligence
The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 million in losses since the start of the year. The FBI said it has received over 5,100 complaints. ATO fraud typically refers to attacks that enable threat actors to obtain unauthorized access to an online financial institution, payroll system, or health savings account to siphon data and funds for personal gain. The access is often obtained by approaching targets through social engineering techniques, such as texts, calls, and emails that prey on users' fears, or via bogus websites. These methods make it possible for attackers to deceive users into providing their login credentials on a...
European Authorities Dismantle €600 Million Crypto Fraud Network in Global Sweep

Nov 04, 2025 Cybercrime / Money Laundering
Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million). According to a statement released by Eurojust today, the action took place between October 27 and 29 across Cyprus, Spain, and Germany, with the suspects arrested on charges of involvement in money laundering from fraudulent activities. In addition to the arrests of the individuals from their homes, authorities conducted searches that led to the seizure of €800,000 ($918,000) in bank accounts, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash. Participating nations in the "synchronized" effort alongside Eurojust were agencies from France, Belgium, Cyprus, Germany, and Spain. "The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns," Eurojust said. ...
'Jingle Thief' Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards

Oct 23, 2025 Financial Crime / Cloud Security
Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. "Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards," Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said in a Wednesday analysis. "Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards." The end goal of these efforts is to leverage the issued gift cards for monetary gain by likely reselling them on gray markets. Gift cards make for a lucrative choice as they can be easily redeemed with minimal personal information and are difficult to trace, making it harder for defenders to investigate the fraud. The name Jingle Thief is a nod to the threat actor's pattern of conduc...
Eurojust Arrests 5 in €100M Cryptocurrency Investment Fraud Spanning 23 Countries

Sep 23, 2025 Financial Crime / Cryptocurrency
Law enforcement authorities in Europe have arrested five suspects in connection with an "elaborate" online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain. According to Eurojust, the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts and other financial assets associated with the cybercrime ring were frozen. The main perpetrator behind the operation has been accused of large-scale fraud and money laundering by running an online investment platform for several years, tricking unsuspecting individuals into parting with their funds by promising them high returns on investments in various cryptocurrencies. Once the deposits were made, the funds were transferred to bank accounts in Lithuania to launder them. Victims who attempted to withdraw their assets from the platform were asked to pay additional fees, after wh...
INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown

Aug 22, 2025 Online Fraud / Financial Crime
INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. "The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation," the agency said. The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams, and business email compromise (BEC). The first wave of arrests occurred late last year. Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme. "The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support...
U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions

Aug 15, 2025 Cryptocurrency / Financial Crime
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019. The Treasury said it's also imposing sanctions on Garantex's successor, Grinex, as well as three executives of Garantex and six associated companies in Russia and the Kyrgyz Republic that have enabled these activities: Sergey Mendeleev (Co-founder), Aleksandr Mira Serda (Co-founder), Pavel Karavatsky (Co-founder), Independent Decentralized Finance Smartbank and Ecosystem (InDeFi Bank), Exved, Old Vector, A7 LLC, A71 LLC, and A7 Agent LLC. "Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion," said Under Secretar...
Google Requires Crypto App Licenses in 15 Regions as FBI Warns of $9.9M Scam Losses

Aug 14, 2025 Cryptocurrency / Financial Crime
Google said it's implementing a new policy requiring developers of cryptocurrency exchanges and wallets to obtain government licenses before publishing apps in 15 jurisdictions in order to "ensure a safe and compliant ecosystem for users." The policy applies to markets like Bahrain, Canada, Hong Kong, Indonesia, Israel, Japan, the Philippines, South Africa, South Korea, Switzerland, Thailand, the United Arab Emirates, the United Kingdom, the United States, and the European Union. The changes do not apply to non-custodial wallets. This means developers publishing cryptocurrency exchange and wallet apps have to hold appropriate licences or be registered with relevant authorities like the Financial Conduct Authority (FCA) or Financial Crimes Enforcement Network (FinCEN), or authorized as a crypto-asset service provider (CASP) under the Markets in Crypto-Assets (MiCA) regulation before distribution. "If your targeted location is not on the list, you may continue to p...
U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems

May 03, 2025 Cybercrime / Malware
The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States. Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen. "From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," the DoJ said in a statement. Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon. The ransomware worked by either encrypting data from ...
U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website

Mar 07, 2025 Cryptocurrency / Ransomware
A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's Office for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981 and 982," reads a seizure banner on the website. The operation was carried out in coordination with the U.S. Department of Justice's Criminal Division, the Federal Bureau of Investigation, Europol, the Dutch National Police, the German Federal Criminal Police Office (Bundeskriminalamt aka BKA), the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. Founded in 2019, Garantex was previously subject to U....
Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers

Feb 27, 2025 Cybercrime / Cryptocurrency
The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also referred to as Jade Sleet, Slow Pisces, and UNC4899. "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said. "It is expected these assets will be further laundered and eventually converted to fiat currency." It's worth noting that the TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of cryptocurrency worth $308 mil...