Cybercrime

Ransomware decline masks growing threat

A recent drop in reported ransomware attacks might seem encouraging, yet experts warn this is likely misleading. Figures from the NCC Group show a 32% decline in March 2025 compared to the previous month, totalling 600 incidents.

However, this dip is attributed to unusually large-scale attacks in earlier months, rather than an actual reduction in cybercrime. In fact, incidents were up 46% compared with March last year, highlighting the continued escalation in threat activity.

Rather than fading, ransomware groups are becoming more sophisticated. Babuk 2.0 emerged as the most active group in March, though doubts surround its legitimacy. Security researchers believe it may be recycling leaked data from previous breaches, aiming to trick victims instead of launching new attacks.

A tactic like this mirrors behaviours seen after law enforcement disrupted other major ransomware networks, such as LockBit in 2024.

Industrials were the hardest hit, followed by consumer-focused sectors, while North America bore the brunt of geographic targeting.

With nearly half of all recorded attacks occurring in the region, analysts expect North America, especially Canada, to remain a prime target amid rising political tensions and cyber vulnerability.

Meanwhile, cybercriminals are turning to malvertising, malicious code hidden in online advertisements, as a stealthier route of attack. This tactic has gained traction through the misuse of trusted platforms like GitHub and Dropbox, and is increasingly being enhanced with generative AI tools.

Instead of relying solely on technical expertise, attackers now use AI to craft more convincing and complex threats. As these strategies grow more advanced, experts urge organisations to stay alert and prioritise threat intelligence and collaboration to navigate this volatile cyber landscape.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SK Telecom investigates data breach after cyberattack

South Korean telecom leader SK Telecom has confirmed a cyberattack that compromised customer data following a malware infection.

The breach was detected on 19 April, prompting an immediate internal investigation and response. Authorities, including the Korea Internet Security Agency, have been alerted.

Personal information of South Korean customers was accessed during the attack, although the extent of the breach remains under review. In response, SK Telecom is offering a complimentary SIM protection service, hinting at potential SIM swapping risks linked to the leaked data.

The infected systems were quickly isolated and the malware removed. While no group has claimed responsibility, concerns remain over possible state-sponsored involvement, as telecom providers are frequent targets for cyberespionage.

It is currently unknown whether ransomware played a role in the incident. Investigations are ongoing as officials continue to assess the scope and origin of the breach.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

JusticeLink breach leads to arrest in Sydney

A man has been charged following a serious cyberattack on JusticeLink, New South Wales’ largest online court-filing system.

Authorities say more than 9,000 files were illegally downloaded over a two-month period, although no personal data appears to have been compromised. The breach was first detected in March, prompting an immediate shutdown of the suspect’s account.

JusticeLink handles sensitive legal documents for over 400,000 cases annually. The 38-year-old suspect, arrested in Maroubra, Sydney, now faces charges of unauthorised access and misuse of a carriage service to cause harm. Two laptops were seized during the arrest.

Officials have reassured the public that the system is now secure, with no indication that personal information was leaked or found online.

Acting Attorney-General Ron Hoenig confirmed that people under court protection orders were not exposed to heightened risk. The man is expected to appear in Waverley Court on Thursday.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SEC targets crypto executive in $198 million Ponzi case

Ramil Palafox, CEO of PGI Global, has been charged by the US Securities and Exchange Commission. He is accused of orchestrating a $198 million crypto-based Ponzi scheme.

According to the SEC, Palafox marketed unregistered ‘membership packages’ between 2020 and 2021. He promised returns of up to 200% through a fake AI-driven trading platform.

Investor funds were reportedly diverted to finance an extravagant lifestyle, including a $1.7 million Las Vegas home, luxury cars, and high-end jewellery.

SEC alleges PGI Global manipulated user dashboards and faked trading activity to deceive investors. The company, also known as PGI Global UK Ltd, was shut down by the UK High Court in 2022.

The case marks the first crypto enforcement action under new SEC Chair Paul Atkins. Prosecutors filed a related criminal case and seek a permanent ban on Palafox’s crypto involvement. Several family members are named to receive assets linked to the scheme.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Russian hackers target NGOs with fake video calls

Hackers linked to Russia are refining their techniques to infiltrate Microsoft 365 accounts, according to cybersecurity firm Volexity.

Their latest strategy targets non-governmental organisations (NGOs) associated with Ukraine by exploiting OAuth, a protocol used for app authorisation without passwords.

Victims are lured into fake video calls through apps like Signal or WhatsApp and tricked into handing over OAuth codes, which attackers then use to access Microsoft 365 environments.

The campaign, first detected in March, involved messages claiming to come from European security officials proposing meetings with political representatives. Instead of legitimate video links, these messages directed recipients to OAuth code generators.

Once a code was shared, attackers could gain entry into accounts containing sensitive data. Staff at human rights organisations were especially targeted due to their work on Ukraine-related issues.

Volexity attributed the scheme to two threat actors, UTA0352 and UTA0355, though it did not directly connect them to any known Russian advanced persistent threat groups.

A previous attack from the same actors used Microsoft Device Code Authentication, usually reserved for connecting smart devices, instead of traditional login methods. Both campaigns show a growing sophistication in social engineering tactics.

Given the widespread use of Microsoft 365 tools like Outlook and Teams, experts urge organisations to heighten awareness among staff.

Rather than trusting unsolicited messages on encrypted apps, users should remain cautious when prompted to click links or enter authentication codes, as these could be cleverly disguised attempts to breach secure systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SK Telecom probes cyberattack after weekend breach

SK Telecom, South Korea’s largest mobile operator, has confirmed that hackers breached its internal systems, possibly exposing sensitive data linked to USIM cards.

The company discovered the intrusion late Saturday night and responded swiftly by removing malware and isolating affected equipment.

Investigations are underway, with the Korea Internet & Security Agency and the Ministry of Science and ICT examining the breach’s scope and root cause.

Officials have asked SK Telecom to preserve evidence and cooperate with technical experts sent to the site.

In response, SK Telecom is boosting defences against USIM-related fraud and offering a free protection service to concerned users.

Legal consequences could follow if the breach is found to have violated data protection laws, with potential fines reaching up to 3 percent of related revenue or 50 million won.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Scammers target Zhao with fake Grok tokens amid rising Musk-related fraud

Changpeng Zhao, former Binance CEO, was hit with 90 million fake Grok tokens. Scammers are ramping up their efforts to target crypto investors with Elon Musk-related fraud.

According to blockchain security firm PeckShield, the tokens are likely part of a phishing attack. These tokens are unrelated to Musk’s official AI chatbot, Grok, which has not issued any cryptocurrency.

Scammers have long exploited high-profile figures like Musk to gain trust from victims. Fake Grok-related tokens first appeared in 2023, leading to significant losses after scammers sold a portion of the supply.

Recent Elon Musk scams have resurfaced, featuring fake giveaways and memecoins on the BNB Smart Chain.

The rise in scams reflects a growing trend of phishing attacks, such as address poisoning, which trick victims into sending assets to fraudulent wallets.

In 2024, phishing incidents cost the crypto industry over $1 billion, highlighting the need for increased vigilance and security.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Google spoofed in sophisticated phishing attack

A sophisticated phishing attack recently targeted Google users, exploiting a well-known email authentication method to bypass security measures.

The attackers sent emails appearing to be from Google’s legitimate address, no-reply@accounts.google.com, and claimed the recipient needed to comply with a subpoena.

The emails contained a link to a Google Sites page, prompting users to log in and revealing a fake legal support page.

What made this phishing attempt particularly dangerous was that it successfully passed both DMARC and DKIM email authentication checks, making it appear entirely genuine to recipients.

In another cyber-related development, Microsoft issued a warning regarding the use of Node.js in distributing malware. Attackers have been using the JavaScript runtime environment to deploy malware through scripts and executables, particularly targeting cryptocurrency traders via malvertising campaigns.

The new technique involves executing JavaScript directly from the command line, making it harder to detect by traditional security tools.

Meanwhile, the US has witnessed a significant change in its disinformation-fighting efforts.

The State Department has closed its Counter Foreign Information Manipulation and Interference group, previously known as the Global Engagement Center, after accusations that it was overreaching in its censorship activities.

The closure, led by Secretary of State Marco Rubio, has sparked criticism, with some seeing it as a victory for foreign powers like Russia and China.

Finally, gig workers face new challenges as the Tech Transparency Project revealed that Facebook groups are being used to trade fake gig worker accounts for platforms like Uber and Lyft.

Sellers offer access to verified accounts, bypassing safety checks, and putting passengers and customers at risk. Despite reports to Meta, many of these groups remain active, with the social media giant’s automated systems failing to curb the activity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Fake banking apps leave sellers thousands out of pocket

Scammers are using fake mobile banking apps to trick people into handing over valuable items without receiving any payment.

These apps, which convincingly mimic legitimate platforms, display false ‘successful payment’ screens in person, allowing fraudsters to walk away with goods while the money never arrives.

Victims like Anthony Rudd and John Reddock have lost thousands after being targeted while selling items through social media marketplaces. Mr Rudd handed over £1,000 worth of tools from his Salisbury workshop, only to realise the payment notification was fake.

Mr Reddock, from the UK, lost a £2,000 gold bracelet he had hoped to sell to fund a holiday for his children.

BBC West Investigations found that some of these fake apps, previously removed from the Google Play store, are now being downloaded directly from the internet onto Android phones.

The Chartered Trading Standards Institute described this scam as an emerging threat, warning that in-person fraud is growing more complex instead of fading away.

With police often unable to track down suspects, small business owners like Sebastian Liberek have been left feeling helpless after being targeted repeatedly.

He has lost hundreds of pounds to fake transfers and believes scammers will continue striking, while enforcement remains limited and platforms fail to do enough to stop the spread of fraud.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

US and Canadian authorities launch operation to combat Ethereum scam

The US Secret Service, in collaboration with Canadian officials, launched ‘Operation Avalanche‘ to target compromised wallets on the Ethereum blockchain.

The operation focused on disrupting an ongoing approval phishing scam, which had already cost victims $4.3 million.

Approval phishing occurs when scammers trick victims into signing illicit blockchain transactions, allowing fraudsters to drain funds from their wallets.

The US Secret Service assisted Canadian officials, helping to disrupt the scam and prevent further losses.

Both US and Canadian authorities have committed to continuing their efforts to identify stolen assets and return them to the victims. The operation highlights the importance of global law enforcement collaboration in combating crypto-related crimes.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot