Cybercrime

FC Barcelona documents leaked in ransomware breach

A recent cyberattack on French insurer SMABTP’s Spanish subsidiary, Asefa, has led to the leak of over 200GB of sensitive data, including documents related to FC Barcelona.

The ransomware group Qilin has claimed responsibility for the breach, highlighting the growing threat posed by such actors. With high-profile victims now in the spotlight, the reputational damage could be substantial for Asefa and its clients.

The incident comes amid growing concern among UK small and medium-sized enterprises (SMEs) about cyber threats. According to GlobalData’s UK SME Insurance Survey 2025, more than a quarter of SMEs have been influenced by media reports of cyberattacks when purchasing cyber insurance.

Meanwhile, nearly one in five cited a competitor’s victimisation as a motivating factor.

Over 300 organisations have fallen victim to Qilin in the past year alone, reflecting a broader trend in the rise of AI-enabled cybercrime.

AI allows cybercriminals to refine their methods, making attacks more effective and challenging to detect. As a result, companies are increasingly recognising the importance of robust cybersecurity measures.

With threats escalating, there is an urgent call for insurers to offer more tailored cyber coverage and proactive services. The breach involving FC Barcelona is a stark reminder that no organisation is immune and that better risk assessment and resilience planning are now business essentials.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Lazarus Group linked to Taiwan exchange hack

Taiwanese cryptocurrency exchange BitoPro has confirmed that North Korea’s state-sponsored Lazarus Group carried out a cyberattack on 9 May, resulting in the theft of approximately $11.5 million.

The company announced an internal investigation supported by an external cybersecurity firm. BitoPro detected suspicious outflows from its platform in early May, prompting immediate security measures and a comprehensive forensic review.

According to the exchange, the attackers employed tactics, techniques, and procedures (TTPs) consistent with previous operations attributed to Lazarus—an elite cybercrime unit from North Korea linked to numerous high-profile financial and cryptocurrency heists worldwide.

‘The methodology observed during the breach strongly resembles known Lazarus Group activity,’ BitoPro stated. ‘We are working closely with law enforcement and blockchain security experts to recover stolen assets and prevent further incidents.’

The breach adds to a growing list of Lazarus-linked attacks targeting decentralised finance (DeFi) platforms, exchanges, and cross-chain bridges—sectors often lacking the robust security infrastructure of traditional banking systems.

BitoPro’s disclosure highlights the escalating threat that state-affiliated hacking groups pose to the digital asset industry. Experts warn that these attacks are becoming more frequent and sophisticated as bad actors continue to exploit vulnerabilities in emerging financial technologies.

Currently, BitoPro has not confirmed whether any of the stolen funds have been recovered. The company has assured users that affected systems have been secured and that additional security measures are being implemented to protect its infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

TCS clears its name in M&S data breach

Tata Consultancy Services (TCS) has publicly denied any involvement in the cyberattack that disrupted Marks & Spencer earlier this year. The attack, described as highly sophisticated, led to significant data theft and weeks-long disruption of online operations.

During the company’s annual shareholder meeting, TCS independent director Keki Mistry confirmed that none of the company’s systems or users were compromised. He said TCS is not under investigation by M&S and assured shareholders no other clients were affected.

TCS has worked with M&S for more than a decade and was awarded a $1bn contract in 2023 to overhaul the retailer’s supply chain systems. Although TCS reviewed its systems, Mistry’s comments suggest the breach did not stem from its infrastructure.

The retailer has not responded to TCS’s latest remarks but earlier stated it hopes to fully restore its online services by July.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

TxTag users targeted in sophisticated phishing scheme

A new phishing campaign targets employees with fake TxTag toll payment alerts, using legitimate-looking government domains to trick recipients into handing over sensitive information. The emails warn users of an impending account suspension unless they urgently pay a small fee, creating a false alarm to prompt quick action.

While the messages appear to come from official sources, researchers found they actually originate from an Indiana-based GovDelivery system—not Texas toll authorities—highlighting a subtle but crucial red flag. Once victims click the link, they are taken to a convincing replica of the TxTag payment site hosted at a fraudulent domain.

The page displays a believable debt of $6.69 to make the request seem routine and non-threatening. However, instead of simply logging in, users are asked to provide full personal details and, later, complete credit card information—including CVV codes.

The phishing site even validates card data to ensure the theft yields high-quality credentials. After submitting the data, victims see a fake processing message, which may be followed by an error claiming the card is unsupported.

That trick often leads users to input additional card details, giving attackers access to multiple financial accounts. The scam exemplifies the growing sophistication of phishing attacks in the US that combine technical misdirection with emotional manipulation, preying on trust in government branding and the fear of financial penalties.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

North Korea’s BlueNoroff uses deepfakes in Zoom calls to hack crypto workers

The North Korea-linked threat group BlueNoroff has been caught deploying deepfake Zoom meetings to target an employee at a cryptocurrency foundation, aiming to install malware on macOS systems.

According to cybersecurity firm Huntress, the attack began through a Telegram message that redirected the victim to a fake Zoom site. Over several weeks, the employee was lured into a group video call featuring AI-generated replicas of company executives.

When the employee encountered microphone issues during the meeting, the fake participants instructed them to download a Zoom extension, which instead executed a malicious AppleScript.

The script covertly fetched multiple payloads, installed Rosetta 2, and prompted for the system password while wiping command histories to hide forensic traces. Eight malicious binaries were uncovered on the compromised machine, including keyloggers, information stealers, and remote access tools.

BlueNoroff, also known as APT38 and part of the Lazarus Group, has a track record of targeting financial and blockchain organisations for monetary gain. The group’s past operations include the Bybit and Axie Infinity breaches.

Their campaigns often combine deep social engineering with sophisticated multi-stage malware tailored for macOS, with new tactics now mimicking audio and camera malfunctions to trick remote workers.

Cybersecurity analysts have noted that BlueNoroff has fractured into subgroups like TraderTraitor and CryptoCore, specialising in cryptocurrency theft.

Recent offshoot campaigns involve fake job interview portals and dual-platform malware, such as the Python-based PylangGhost and GolangGhost trojans, which harvest sensitive data from victims across operating systems.

The attackers have impersonated firms like Coinbase and Uniswap, mainly targeting users in India.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Massive data leak exposes 16 billion login credentials from Google, Facebook, and more

One of the largest-ever leaks of stolen login data has come to light, exposing more than 16 billion records across widely used services, including Facebook, Google, Telegram, and GitHub. The breach, uncovered by researchers at Cybernews, highlights a growing threat to individuals and organisations.

The exposed data reportedly originated from info stealer malware, previous leaks, and credential-stuffing tools. A total of 30 separate datasets were identified, some containing over 3.5 billion entries.

These were briefly available online due to unsecured cloud storage before being removed. Despite the swift takedown, the data had already been collected and analysed.

Experts have warned that the breach could lead to identity theft, phishing, and account takeovers. Smaller websites and users with poor cybersecurity practices are especially vulnerable. Many users continue to reuse passwords or minor variations of them, increasing the risk of exploitation.

While the leak is severe, users employing two-factor authentication (2FA), password managers, or passkeys are less likely to be affected.

Passkeys, increasingly adopted by companies like Google and Apple, offer a phishing-resistant login method that bypasses the need for passwords altogether.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Iran enforces crypto exchange curfew after Nobitex breach

Iran’s central bank has imposed strict operating hours on domestic crypto exchanges following a massive $100 million hack on Nobitex, the country’s largest digital asset platform. The move comes amid accusations that the incident was politically motivated.

According to blockchain analytics firm Chainalysis, exchanges in Iran are now required to operate between 10 am and 8 pm only. Analysts believe the curfew is aimed at improving monitoring capabilities and limiting capital flight during heightened Iran-Israel hostilities.

Andrew Fierman, head of national security intelligence at Chainalysis, suggested the decision was both a technical response to the hack and a strategic move to maintain tighter control over outflows.

The cyberattack, allegedly orchestrated by pro-Israel group Predatory Sparrow, targeted Nobitex’s internal systems, draining hot wallets of Bitcoin, Ether, Dogecoin, XRP, and Solana.

Cybersecurity experts say the stolen assets were transferred to burner wallets without access keys, effectively destroying them in a rare politically charged crypto burn. Nobitex stated it has isolated its systems and will compensate users using its reserve fund.

Nobitex plays a crucial role in Iran’s crypto economy, having processed over $11 billion in inflows, far outpacing all other domestic exchanges. Chainalysis notes the platform also has ties to sanctioned entities and terrorist-linked groups.

The incident is one in a series of recent cyberattacks on Iranian infrastructure, suggesting a growing digital front in the long-standing Iran-Israel conflict.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Episource data breach impacts patients at Sharp Healthcare

Episource, a UnitedHealth Group-owned health analytics firm, has confirmed that patient data was compromised during a ransomware attack earlier this year.

The breach affected customers, including Sharp Healthcare and Sharp Community Medical Group, who have started notifying impacted patients. Although electronic health records and patient portals remained untouched, sensitive data such as health plan details, diagnoses and test results were exposed.

The cyberattack, which occurred between 27 January and 6 February, involved unauthorised access to Episource’s internal systems.

A forensic investigation verified that cybercriminals viewed and copied files containing personal information, including insurance plan data, treatment plans, and medical imaging. Financial details and payment card data, however, were mostly unaffected.

Sharp Healthcare confirmed that it was informed of the breach on 24 April and has since worked closely with Episource to identify which patients were impacted.

Compromised information may include names, addresses, insurance ID numbers, doctors’ names, prescribed medications, and other protected health data.

The breach follows a troubling trend of ransomware attacks targeting healthcare-related businesses, including Change Healthcare in 2024, which disrupted services for months. Comparitech reports at least three confirmed ransomware attacks on healthcare firms already in 2025, with 24 more suspected.

Given the scale of patient data involved, experts warn of growing risks tied to third-party healthcare service providers.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UBS employee data leaked after Chain IQ ransomware attack

UBS Group AG has confirmed a serious data breach affecting around 130,000 of its employees, following a cyberattack on its third-party supplier, Chain IQ Group AG.

The exposed information included employee names, emails, phone numbers, roles, office locations, and preferred languages. No client data has been impacted, according to UBS.

Chain IQ, a procurement services firm spun off from UBS in 2013, was reportedly targeted by the cybercrime group World Leaks, previously known as Hunters International.

Unlike traditional ransomware operators, World Leaks avoids encryption and instead steals data, threatening public release if ransoms are not paid.

While Chain IQ has acknowledged the breach, it has not disclosed the extent of the stolen data or named all affected clients. Notably, companies such as Swiss Life, AXA, FedEx, IBM, KPMG, Swisscom, and Pictet are among its clients—only Pictet has confirmed it was impacted.

Cybersecurity experts warn that the breach may have long-term implications for the Swiss banking sector. Leaked employee data could be exploited for impersonation, fraud, phishing scams, or even blackmail.

The increasing availability of generative AI may further amplify the risks through voice and video impersonation, potentially aiding in money laundering and social engineering attacks.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ryuk ransomware hacker extradited to US after arrest in Ukraine

A key member of the infamous Ryuk ransomware gang has been extradited to the US after his arrest in Kyiv, Ukraine.

The 33-year-old man was detained in April 2025 at the request of the FBI and arrived in the US on 18 June to face multiple charges.

The suspect played a critical role within Ryuk by gaining initial access to corporate networks, which he then passed on to accomplices who stole data and launched ransomware attacks.

Ukrainian authorities identified him during a larger investigation into ransomware groups like LockerGoga, Dharma, Hive, and MegaCortex that targeted companies across Europe and North America.

According to Ukraine’s National Police, forensic analysis revealed the man’s responsibility for locating security flaws in enterprise networks.

Information gathered by the hacker allowed others in the gang to infiltrate systems, steal data, and deploy ransomware payloads that disrupted various industries, including healthcare, during the COVID pandemic.

Ryuk operated from 2018 until mid-2020 before rebranding as the notorious Conti gang, which later fractured into several smaller but still active groups. Researchers estimate that Ryuk alone collected over $150 million in ransom payments before shutting down.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!