Cybercrime

LockBit ransomware platform breached again

LockBit, one of the most notorious ransomware groups of recent years, has suffered a significant breach of its dark web platform. Its admin and affiliate panels were defaced and replaced with a message linking to a leaked MySQL database, seemingly exposing sensitive operational details.

The message mocked the gang with the line ‘Don’t do crime CRIME IS BAD xoxo from Prague,’ raising suspicions of a rival hacker or vigilante group behind the attack.

The leaked database, first flagged by a threat actor known as Rey, contains 20 tables revealing details about LockBit’s affiliate network, tactics, and operations. Among them are nearly 60,000 Bitcoin addresses, payload information tied to specific targets, and thousands of extortion chat messages.

A ‘users’ table lists 75 affiliate and admin identities, many with passwords stored in plain text—some comically weak, like ‘Weekendlover69.’

While a LockBit spokesperson confirmed the breach via Tox chat, they insisted no private keys were exposed and that losses were minimal. However, the attack echoes a recent breach of the Everest ransomware site, suggesting the same actor may be responsible.

Combined with past law enforcement actions—such as Operation Cronos, which dismantled parts of LockBit’s infrastructure in 2024—the new leak could harm the group’s credibility with affiliates.

LockBit has long operated under a ransomware-as-a-service model, providing malware to affiliates in exchange for a cut of ransom profits. It has targeted both Linux and Windows systems, used double extortion tactics, and accounted for a large share of global ransomware attacks in 2022.

Despite ongoing pressure from authorities, the group has continued its operations—though this latest breach could prove harder to recover from.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Gemini Nano boosts scam detection on Chrome

Google has released a new report outlining how it is using AI to better protect users from online scams across its platforms.

The company says AI is now actively fighting scams in Chrome, Search and Android, with new tools able to detect and neutralise threats more effectively than before.

At the heart of these efforts is Gemini Nano, Google’s on-device AI model, which has been integrated into Chrome to help identify phishing and fraudulent websites.

The report claims the upgraded systems can now detect 20 times more harmful websites, many of which aim to deceive users by creating a false sense of urgency or offering fake promotions. These scams often involve phishing, cryptocurrency fraud, clone websites and misleading subscriptions.

Search has also seen major improvements. Google’s AI-powered classifiers are now better at spotting scam-related content before users encounter it. For example, the company says it has reduced scams involving fake airline customer service agents by over 80 per cent, thanks to its enhanced detection tools.

Meanwhile, Android users are beginning to see stronger safeguards as well. Chrome on Android now warns users about suspicious website notifications, offering the choice to unsubscribe or review them safely.

Google has confirmed plans to extend these protections even further in the coming months, aiming to cover a broader range of online threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Indian stock exchanges curb foreign access amid cybersecurity concerns

India’s two largest stock exchanges, the National Stock Exchange (NSE) and BSE Ltd, have temporarily restricted overseas access to their websites amid rising concerns over cyber threats. The move does not affect foreign investors’ ability to trade on Indian markets.

Sources familiar with the matter confirmed the decision followed a joint meeting between the exchanges, although no recent direct attack has been specified.

Despite the restrictions, market operations remain fully functional, with officials emphasising that the measures are purely preventive.

The precautionary step comes during heightened regional tensions between India and Pakistan, though no link to the geopolitical situation has been confirmed. The NSE has yet to comment publicly on the situation.

A BSE spokesperson noted that the exchanges are monitoring cyber risks both domestically and internationally and that website access is now granted selectively to protect users and infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

LockBit ransomware Bitcoin addresses exposed

Nearly 60,000 Bitcoin addresses linked to LockBit’s ransomware operations have been exposed following a major breach of the group’s dark web affiliate panel.

The leak, which included a MySQL database dump, was shared publicly online and could assist blockchain analysts in tracing LockBit’s financial activity instead of leaving such transactions untracked.

Despite the scale of the breach, no private keys were leaked. A LockBit representative reportedly confirmed the incident in a message, stating that no sensitive access data was compromised.

However, the exposed database included 20 tables, such as one labelled ‘builds’ that contained details about ransomware created by affiliates and their targeted companies.

Another table, ‘chats,’ revealed over 4,400 messages from negotiations between victims and LockBit operators, offering a rare glimpse into the inner workings of ransomware extortion tactics.

Analysts believe the hack may be connected to a separate breach of the Everest ransomware site, as both featured identical messages, hinting at a possible link.

The incident has again underscored the central role of cryptocurrency in the ransomware economy. Each victim is typically given a unique address for payments, making tracking difficult.

Instead of remaining hidden, these addresses now give law enforcement and blockchain experts a chance to trace payments and potentially link them to previously unidentified actors.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

G7 to address North Korea’s role in major crypto hacks

Leaders of the Group of Seven (G7) nations are set to tackle North Korea’s ongoing cyber threats, particularly its involvement in large-scale cryptocurrency hacks.

The agenda will reportedly focus on the regime’s use of stolen crypto funds to finance weapons programmes. The issue has raised international concern over global security risks.

The summit, hosted by Canadian Prime Minister Mark Carney from 15 to 17 June in Alberta, is expected to address geopolitical challenges, including North Korea’s tightening alliance with Russia. Such ties have further complicated attribution of attacks and enforcement of sanctions, experts warn.

Investigations have linked North Korean hackers, notably the Lazarus Group, to major crypto heists. These include the $622 million Axie Infinity breach and February’s $1.4 billion Bybit attack. Analysts believe other cyber units are also active, making digital asset protection a growing priority.

The G7, comprising France, Germany, Italy, Japan, the UK, the US and Canada, aims to strengthen coordination against cybercrime. It also seeks to limit the regime’s ability to exploit the crypto ecosystem for hostile purposes.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Hackers hijack NY Post X account to scam crypto users

Cybercriminals reportedly breached the New York Post’s X account. They targeted cryptocurrency enthusiasts by luring them into a Telegram-based scam, disguised as a podcast invitation.

The fraudulent message, impersonating journalist Paul Sperry, invited users to a supposed editorial feature, offering both in-person and virtual interview options.

Kerberus CEO Alex Katz flagged the issue, confirming the scam was being pushed from NYP’s verified X profile.

Cybersecurity expert ‘Drew’ noted the attackers blocked replies to prevent the real NYP team from spotting the breach. He warned users not to respond to Telegram messages, emphasising that the invite was fake.

Unlike typical crypto scams involving phishing links or wallet drainers, this attack focused on private messaging and trust manipulation.

Victims reported that the scammer used detailed, personal references and staged interviews. These interviews enabled audio-triggered suspicious pop-ups, including one labelled ‘WiFi.’

Security experts say such methods exploit user trust built through prior interactions. As social engineering tactics evolve, crypto users are urged to verify every identity, even those they communicate with regularly.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Cyberattacks against US soar in early 2025

Cyberattacks targeting the US surged dramatically in early 2025, according to a new report from cybersecurity firm Trellix. Between October 2024 and March 2025, advanced persistent threats (APTs) increased by 136% compared to the previous quarter.

China’s cyber operations showed significant sophistication, with groups such as APT40 and Mustang Panda leading the charge. APT41, another Chinese-affiliated group, intensified its activities by 113%, focusing on exploiting both new and known vulnerabilities rather than relying on phishing tactics.

Analysts noted that nearly half of these threats originated from China, while over a third were linked to Russia. Meanwhile, Russia’s APT29, also known as Midnight Blizzard, primarily targeted transportation, shipping, and telecommunications sectors.

The report highlighted that government institutions remained the primary focus of hostile cyber actors. However, the telecommunications industry experienced a sharp 92% increase in APT attacks, while the technology sector faced a staggering 119% rise.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Hackers target UK retailers with fake IT calls

British retailers are facing a new wave of cyberattacks as hackers impersonate IT help desk staff to infiltrate company systems. The National Cyber Security Centre (NCSC) has issued an urgent warning following breaches at major firms including Marks & Spencer, Co-op, and Harrods.

Attackers use sophisticated social engineering tactics—posing as locked-out employees or IT support staff—to trick individuals into giving up passwords and security details. The NCSC urges companies to strengthen how their IT help desks verify employee identities, particularly when handling password resets for senior staff.

Security experts in the UK recommend using multi-step verification methods and even code words to confirm identities over the phone. These additional layers are vital, as attackers increasingly exploit trust and human error rather than technical vulnerabilities.

While the NCSC hasn’t named any group officially, the style of attack closely resembles the methods of Scattered Spider, a loosely connected network of young, English-speaking hackers. Known for high-profile cyber incidents—including attacks on Las Vegas casinos and public transport systems—the group often coordinates via platforms like Discord and Telegram.

However, those claiming responsibility for the latest breaches deny links to Scattered Spider, calling themselves ‘DragonForce.’ Speaking to the BBC, the group claimed to have stolen significant customer and employee data from Co-op and hinted at more disruptions in the future.

The NCSC is investigating with law enforcement to determine whether DragonForce is a new player or simply a rebranded identity of the same well-known threat actors.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

How digital twins are being weaponised in crypto scams

Digital twins are virtual models of real-world objects, systems, or processes. They enable real-time simulations, monitoring, and predictions, helping industries like healthcare and manufacturing optimise resources. In the crypto world, cybercriminals have found a way to exploit this technology for fraudulent activities.

Scammers create synthetic identities by gathering personal data from various sources. These digital twins are used to impersonate influencers or executives, promoting fake investment schemes or stealing funds. The unregulated nature of crypto platforms makes it easier for criminals to exploit users.

Real-world scams are already happening. Deepfake CEO videos have tricked executives into transferring funds under false pretences. Counterfeit crypto platforms have also stolen sensitive information from users. These scams highlight the risks of AI-powered digital twins in the crypto space.

Blockchain offers solutions to combat these frauds. Decentralised identities (DID) and NFT identity markers can verify interactions. Blockchain’s immutable audit trails and smart contracts can help secure transactions and protect users from digital twin scams.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Trump signals new extension for TikTok divestment deadline

President Donald Trump indicated he would extend the deadline set for the Chinese-owned company ByteDance to sell TikTok’s US operations if negotiations remain unfinished by 19 June.

The popular short-video app, used by around 170 million Americans, played a significant role in Trump’s appeal to younger voters during his 2024 election campaign. Trump described TikTok positively, hinting at protective measures rather than outright prohibition.

Originally mandated by Congress, the TikTok ban was supposed to be enforced starting on 19 January. Trump, however, has twice extended this deadline amid ongoing negotiations.

A potential agreement to spin off TikTok’s US operations into a new, US-majority-owned firm was suspended after China objected, a reaction spurred by Trump’s substantial tariffs on Chinese goods.

Democratic senators have challenged Trump’s authority to postpone the deadline further, arguing that the proposed spin-off arrangement does not satisfy legal conditions outlined in the original legislation.

Insiders indicate negotiations continue behind the scenes, though a resolution remains dependent on settling broader trade conflicts between the US and China.

Trump remains firm about maintaining high tariffs on China, now at 145%, which he insists significantly impacts the Chinese economy.

Yet, he has left the door open to eventually lowering these tariffs within a more comprehensive trade agreement, acknowledging China’s strong desire to resume business with the U.S.

Despite multiple extensions, the fate of TikTok’s US operations remains uncertain, as political and economic factors continue shaping negotiations. Trump’s willingness to extend deadlines reflects broader geopolitical dynamics between Washington and Beijing, linking digital platform regulation closely with international trade policy.