Security News This Week: Spyware Users Exposed in Major Data Breach

Plus: The Heritage Foundation gets hacked over Project 2025, a car dealership software provider seems to have paid $25 million to a ransomware gang, and authorities disrupt a Russian bot farm.
Illustration: rob dobi/Getty Images

In one of the largest-ever breaches of a US telecom giant, AT&T revealed this week that “nearly all” its customer phone and text records were stolen after hackers accessed its account on a third-party cloud service. That cloud service, Snowflake, has been linked to several recent breaches, including those of Ticketmaster, banking firm Santander, and a subsidiary of LendingTree. Approximately 165 companies may have been targeted in the attacks against Snowflake accounts, potentially making it one of the largest collective breaches in history.

Researchers at crypto-tracing firm Elliptic revealed this week that an online marketplace, Huione Guarantee, is facilitating billions of dollars in financial scams frequently known as “pig butchering.” The offerings discovered on Huione Guarantee—a company reportedly linked to Cambodia’s ruling family—range from lists of potential targets to electric shock collars used to imprison human trafficking victims who are forced to work in scam labor camps in Southeast Asia.

Elsewhere in the crypto-tracing world, a US lawmaker this week introduced a resolution calling on the White House to classify former IRS investigator Tigran Gambaryan as a hostage due to his current imprisonment in Nigeria. Now employed as a crypto crime investigator at cryptocurrency exchange Binance after pioneering the practice for the IRS, Gambaryan was detained alongside a colleague in mid-March on the grounds that Binance had devalued the country’s fiat currency and enabled the “illicit” transfer of funds. While his colleague was able to escape, Gambaryan remains imprisoned on financial crimes charges—even as a growing number of US lawmakers pressure the Biden administration to facilitate his release.

One of the FBI’s most-wanted cybercriminals is finally headed to prison. Vyacheslav Igorevich Penchukov—who went by “Tank” online—received two nine-year sentences in US prison on Thursday and is ordered to fork over around $75 million. For years, Penchukov served as the lead hacker in cybercriminal group Jabber Zeus, which operated the Zeus malware. The group used its malware to access people’s bank accounts and siphon off tens of millions of dollars. Several of Penchukov’s alleged hacker colleagues remain at large, with multimillion-dollar bounties on their heads.

Google this week rolled out passkeys to users of its Advanced Protection Program. While passkeys—the cryptographic tech that promises to kill passwords once and for all—have been widely available to users of Google’s products for more than a year, APP users require greater security because they are at higher risk of targeted attacks, and it took the company more time to find a solution that would securely replace physical authentication keys as an added protection for logging in.

Finally, we got into the nitty gritty of the Pentagon’s long-running mission to equip special operations forces with AI superpowers. The “Hyper Enabled Operator” program started with the goal of creating a kind of Iron Man suit but has evolved in recent years to focus on instant situational awareness that would give soldiers the ability to assess risks faster than any mere human mind.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Spyware Users Exposed in Major Data Breach

For the third time since 2010, spyware vendor mSpy has suffered a substantial data breach, this time exposing millions of customers and prospective users around the globe, many of whom appear to have used the software to snoop on others. The leaked trove, published by transparency group Distributed Denial of Secrets, contains potentially terabytes of data apparently stolen from mSpy’s customer support system, Zendesk. It reveals names, email addresses, customer support tickets and documentation, and more.

Unlike military-grade spyware, like NSO Group’s infamous Pegasus, mSpy is a consumer product that’s often marketed as a way for parents to keep tabs on their children’s phone usage. But its customer base isn’t necessarily limited to nosey parents. Among the data is evidence that US government entities at least inquired about using the software, including the Social Security Administration, Immigration and Customs Enforcement personnel, and a US federal judge. Given the amount of data exposed by the leak, expect more revelations to trickle out.

“Gay Furry Hackers” Annoy the Heritage Foundation

The Heritage Foundation—a right-wing think tank whose “Project 2025” plan for molding the US into what critics describe as an autocratic Christian nationalist state ruled by an Über President Donald Trump—suffered a minor cyberattack this week at the gloved hands of self-described “gay furry hackers.” The breach itself appears to have been fairly minor—2 gigabytes of data taken from a blog called the Daily Signal. Much of it was “useless,” according to “vio,” one of the hackers with the group SiegedSec, which said it targeted the Heritage Foundation because “Project 2025 threatens the rights of abortion health care and LGBTQ+ communities in particular.” Still, the intrusion apparently irked Heritage columnist Mike Howell, whose alleged chat with “vio” was leaked and later shared by Howell. SiegedSec, which previously targeted a US nuclear lab and NATO, now says it is disbanding.

Car Dealership Software Firm Appears to Have Paid $25M to Ransomware Gang

Victims of ransomware attacks only have two choices, and both of them are bad: Refuse to pay the attackers and try to claw your way back without access to your systems and data, or pay up and hope they give you the decryption keys—and don’t leak your data anyway. CDK Global, which provides software to US car dealerships, seems to have picked the latter option. According to researchers at crypto-tracing firm TRM Labs, CDK sent 387 bitcoin, worth around $25 million, to an account believed to be controlled by the BlackSuit ransomware gang. CDK has not confirmed the payment, but if accurate it would be at least the second major payment to ransomware gangs this year. In March, Change Healthcare paid a $22 million ransom to help end the disruption to medical facilities across the US. The problem with paying—besides costing a literal fortune—is that it can encourage more ransomware attacks. In fact, following Change Healthcare’s payment, researchers at security firm Recorded Future saw the largest spike in ransomware attacks targeting the health care industry in the four years that it has tracked the criminal activity. The catch, of course, is that paying can work: CDK indicated last week that nearly all of the 15,000 dealerships it works with are back online.

DOJ Disrupts “AI-Enhanced” RT Bot Farm

The US Department of Justice announced on Tuesday that US, Canadian, and Dutch authorities seized two domains used to operate a “bot farm” allegedly created by RT, the Russian state media organization, and operated by Russia’s Federal Security Service (FSB). The DOJ says it identified 968 social media accounts linked to the bot farm that were used to amplify RT content online. The RT bot farm was created in 2022, according to the DOJ, and commandeered by an FSB agent in 2023. It is unclear what impact the bot farm had, and the DOJ says its investigation is ongoing.