Cybercrime

MTN confirms cybersecurity breach and data exposure

MTN Group has confirmed a cybersecurity breach that exposed personal data of some customers in certain markets. The telecom giant assured the public, however, that its core infrastructure remains secure and fully operational.

The breach involved an unknown third party gaining unauthorised access to parts of MTN’s systems, though the company emphasised that critical services, including mobile money and digital wallets, were unaffected.

In a statement released on Thursday, MTN clarified that investigations are ongoing, but no evidence suggests any compromise of its central infrastructure, such as its network, billing, or financial service platforms.

MTN has alerted the law enforcement of South Africa and is collaborating with regulatory bodies in the affected regions.

The company urged customers to take steps to safeguard their data, such as monitoring financial statements, using strong passwords, and being cautious with suspicious communications.

MTN also recommended enabling multi-factor authentication and avoiding sharing sensitive information like PINs or passwords through unsecured channels.

While investigations continue, MTN has committed to providing updates as more details emerge, reiterating its dedication to transparency and customer protection.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

North Korean hackers create fake US firms to target crypto developers

North Korea’s Lazarus Group has launched a sophisticated campaign to infiltrate the cryptocurrency industry by registering fake companies in the US and using them to lure developers into downloading malware.

According to a Reuters investigation, these US-registered shell companies, including Blocknovas LLC and Softglide LLC, were set up using false identities and addresses, giving the operation a veneer of legitimacy instead of drawing suspicion.

Once established, the fake firms posted job listings through legitimate platforms like LinkedIn and Upwork to attract developers. Applicants were guided through fake interview processes and instructed to download so-called test assignments.

Instead of harmless software, the files installed malware that enabled the hackers to steal passwords, crypto wallet keys, and other sensitive information.

The FBI has since seized Blocknovas’ domain and confirmed its connection to Lazarus, labelling the campaign a significant evolution in North Korea’s cyber operations.

These attacks were supported by Russian infrastructure, allowing Lazarus operatives to bypass North Korea’s limited internet access.

Tools such as VPNs and remote desktop software enabled them to manage operations, communicate over platforms like GitHub and Telegram, and even record training videos on how to exfiltrate data.

Silent Push researchers confirmed that the campaign has impacted hundreds of developers and likely fed some stolen access to state-aligned espionage units instead of limiting the effort to theft.

Officials from the US, South Korea, and the UN say the revenue from such cyberattacks is funneled into North Korea’s nuclear missile programme. The FBI continues to investigate and has warned that not only the hackers but also those assisting their operations could face serious consequences.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

FBI reports $9.3 billion lost to cryptocurrency fraud in 2024

The Federal Bureau of Investigation (FBI) has revealed that Americans lost approximately $9.3 billion to cryptocurrency fraud in 2024. The figure marks a 66% increase compared to the previous year.

The data was published in the FBI’s annual Internet Crime Complaint Center (IC3) report.

Individuals aged 60 and older were the most heavily impacted, accounting for $2.8 billion in losses across 33,000 complaints. Investment scams made up the largest share of monetary losses. ‘Sextortion’ scams, where fraudsters used manipulated explicit media, were the most frequently reported.

Despite efforts like the FBI’s ‘Operation Level Up’, which helped prevent $285 million in potential fraud, experts warn that scams may continue to rise in 2025.

Chainalysis pointed to generative AI as a major enabler for cybercriminals, estimating $41 billion in global illicit crypto volume in 2024 alone.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

New research highlights escalating cyberthreats to global energy sector

Resecurity has published new research examining recent cyber threat activity targeting energy infrastructure across North America, Asia, and the European Union. The report, a continuation of Resecurity’s earlier analysis, focuses on incidents involving energy firms, including nuclear facilities and associated research entities.

According to the findings, these organisations are being targeted by various threat actors, including hacktivist groups, ransomware operators, and nation state entities. The report observes that geopolitical tensions remain a significant factor behind many of these activities, with actors associated with China, Iran, North Korea, and Russia among those identified.

The primary focus of these campaigns has been cyber-espionage, although incidents involving ransomware operations against operational technology (OT) systems have also been reported. The convergence of IT and OT systems, the growing use of cloud technologies, and the increased deployment of Industrial Internet of Things (IIoT) devices are noted as factors contributing to the expanded attack surface within the sector.

Resecurity’s HUNTER unit documented various threat actors engaged in targeting critical infrastructure. The report emphasises the need for energy firms to monitor potential exposure of credentials across dark web platforms, particularly due to vulnerabilities within IT and software supply chains.

Technological developments such as AI adoption within the energy sector are also discussed as contributing to the evolving threat landscape. AI is reported to lower entry barriers for certain types of cyber operations, while its integration into critical infrastructure networks introduces additional risks.

The Resecurity analysis also underscores the role of cyber supply chain risks, citing the MOVEit managed file transfer breach as an example of downstream impacts affecting multiple layers of vendors and service providers.

In response to these developments, the US Department of Energy (DOE), alongside the National Association of Regulatory Utility Commissioners (NARUC), issued updated cybersecurity guidelines in 2024 aimed at strengthening the resilience of electric distribution systems and distributed energy resources.

Overall, the research identifies an increase in cyberattacks targeting energy infrastructure globally, suggesting that some of these activities may be linked to broader geopolitical strategies. The report highlights the involvement of both state-sponsored and criminal actors in shaping this threat environment.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Researchers report espionage campaign targeting government and critical sectors in Southeast Asia

Symantec has reported that the China-linked espionage group known as Billbug—also referred to as Lotus Blossom, Lotus Panda, Bronze Elgin, and Thrip—conducted a sustained intrusion campaign against multiple organizations in a Southeast Asian country between August 2024 and February 2025. The campaign involved the use of several custom tools, including loaders, credential stealers, and a reverse SSH utility.

According to Symantec, this activity appears to continue a series of operations previously observed in late 2023, which targeted various government and critical infrastructure organisations across Southeast Asia. While Chinese attribution has been suggested, specific attribution to an individual actor remains inconclusive. Identified targets include a government ministry, an air traffic control organisation, a telecommunications provider, and a construction company.

Additional intrusions were reported against a news agency and an air freight company in neighbouring countries. The campaign leveraged DLL sideloading techniques, utilising legitimate executables from Trend Micro and Bitdefender to load malicious code.

Symantec’s analysis detailed how these binaries were used to sideload malicious DLLs, which decrypted and executed payloads designed to maintain persistence and enable further compromise of targeted systems. Billbug has been active since at least 2009, with a documented history of targeting government, defence, telecommunications, and critical infrastructure sectors in Southeast Asia and beyond.

Symantec and other cybersecurity researchers have tracked the group across multiple campaigns, including previous operations involving backdoors like Hannotog and Sagerunex. The recent report also references related findings from Cisco Talos, which provided indicators of compromise connected to the same campaign.

Symantec noted that Billbug continues to adapt its techniques, including the use of compromised legitimate software and custom malware, to conduct espionage operations across the region.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft expands rewards for reporting AI vulnerabilities

Microsoft has announced an expanded bug bounty initiative, offering up to $30,000 for researchers who uncover critical vulnerabilities in AI features within Dynamics 365 and the Power Platform.

The programme aims to strengthen security in enterprise software by encouraging ethical hackers to identify and report risks before cybercriminals can exploit them.

Rather than relying on general severity scales, Microsoft has introduced an AI-specific vulnerability classification system. It highlights prompt injection attacks, data poisoning during training, and techniques like model stealing and training data reconstruction that could expose sensitive information.

Highest payouts are reserved for flaws that allow attackers to access other users’ data or perform privileged actions without their consent.

The company urges researchers to use free trials of its services, such as PowerApps and AI Builder, to identify weaknesses. Detailed product documentation is provided to help participants understand the systems they are testing.

Even reports that don’t qualify for a financial reward can still lead to recognition if they result in improved defences.

The AI bounty initiative is part of Microsoft’s wider commitment to collaborative cybersecurity. With AI becoming more deeply integrated into enterprise software, the company says it is more important than ever to identify vulnerabilities early instead of waiting for security breaches to occur.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware decline masks growing threat

A recent drop in reported ransomware attacks might seem encouraging, yet experts warn this is likely misleading. Figures from the NCC Group show a 32% decline in March 2025 compared to the previous month, totalling 600 incidents.

However, this dip is attributed to unusually large-scale attacks in earlier months, rather than an actual reduction in cybercrime. In fact, incidents were up 46% compared with March last year, highlighting the continued escalation in threat activity.

Rather than fading, ransomware groups are becoming more sophisticated. Babuk 2.0 emerged as the most active group in March, though doubts surround its legitimacy. Security researchers believe it may be recycling leaked data from previous breaches, aiming to trick victims instead of launching new attacks.

A tactic like this mirrors behaviours seen after law enforcement disrupted other major ransomware networks, such as LockBit in 2024.

Industrials were the hardest hit, followed by consumer-focused sectors, while North America bore the brunt of geographic targeting.

With nearly half of all recorded attacks occurring in the region, analysts expect North America, especially Canada, to remain a prime target amid rising political tensions and cyber vulnerability.

Meanwhile, cybercriminals are turning to malvertising, malicious code hidden in online advertisements, as a stealthier route of attack. This tactic has gained traction through the misuse of trusted platforms like GitHub and Dropbox, and is increasingly being enhanced with generative AI tools.

Instead of relying solely on technical expertise, attackers now use AI to craft more convincing and complex threats. As these strategies grow more advanced, experts urge organisations to stay alert and prioritise threat intelligence and collaboration to navigate this volatile cyber landscape.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SK Telecom investigates data breach after cyberattack

South Korean telecom leader SK Telecom has confirmed a cyberattack that compromised customer data following a malware infection.

The breach was detected on 19 April, prompting an immediate internal investigation and response. Authorities, including the Korea Internet Security Agency, have been alerted.

Personal information of South Korean customers was accessed during the attack, although the extent of the breach remains under review. In response, SK Telecom is offering a complimentary SIM protection service, hinting at potential SIM swapping risks linked to the leaked data.

The infected systems were quickly isolated and the malware removed. While no group has claimed responsibility, concerns remain over possible state-sponsored involvement, as telecom providers are frequent targets for cyberespionage.

It is currently unknown whether ransomware played a role in the incident. Investigations are ongoing as officials continue to assess the scope and origin of the breach.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

JusticeLink breach leads to arrest in Sydney

A man has been charged following a serious cyberattack on JusticeLink, New South Wales’ largest online court-filing system.

Authorities say more than 9,000 files were illegally downloaded over a two-month period, although no personal data appears to have been compromised. The breach was first detected in March, prompting an immediate shutdown of the suspect’s account.

JusticeLink handles sensitive legal documents for over 400,000 cases annually. The 38-year-old suspect, arrested in Maroubra, Sydney, now faces charges of unauthorised access and misuse of a carriage service to cause harm. Two laptops were seized during the arrest.

Officials have reassured the public that the system is now secure, with no indication that personal information was leaked or found online.

Acting Attorney-General Ron Hoenig confirmed that people under court protection orders were not exposed to heightened risk. The man is expected to appear in Waverley Court on Thursday.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SEC targets crypto executive in $198 million Ponzi case

Ramil Palafox, CEO of PGI Global, has been charged by the US Securities and Exchange Commission. He is accused of orchestrating a $198 million crypto-based Ponzi scheme.

According to the SEC, Palafox marketed unregistered ‘membership packages’ between 2020 and 2021. He promised returns of up to 200% through a fake AI-driven trading platform.

Investor funds were reportedly diverted to finance an extravagant lifestyle, including a $1.7 million Las Vegas home, luxury cars, and high-end jewellery.

SEC alleges PGI Global manipulated user dashboards and faked trading activity to deceive investors. The company, also known as PGI Global UK Ltd, was shut down by the UK High Court in 2022.

The case marks the first crypto enforcement action under new SEC Chair Paul Atkins. Prosecutors filed a related criminal case and seek a permanent ban on Palafox’s crypto involvement. Several family members are named to receive assets linked to the scheme.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot