Cybercrime

Chinese state-linked hackers use Google Calendar to steal data

In a report published this week, analysts at Google have uncovered a campaign in which a China-linked group known as APT41 targeted government ministries and other organisations.

Victims received spearphishing emails directing them to a ZIP file hosted on a compromised official website. Inside, a PDF and some insect images were designed to tempt users into clicking.

Opening the PDF quietly installed a programme called ToughProgress, which runs entirely in a device’s memory to evade antivirus checks. Once active, the malware stole sensitive files and prepared them for exfiltration.

Google Calendar became the hackers’ secret communication channel. An event dated 30 May 2023 carried encrypted data stolen from victims in its description.

Further entries in July contained new instructions. ToughProgress regularly checked the attacker-controlled calendar, decrypted any commands and uploaded its results back as new calendar events.

APT41 is one of China’s most active state-linked cyber groups. US authorities charged five members in 2020 with over a hundred intrusions worldwide and issued arrest warrants for operatives including Zhang Haoran and Tan Dailin.

Earlier investigations tie the group to long-running breaches of Southeast Asian government agencies and a Taiwanese research institute working on strategic technology.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AT&T hit by alleged 31 million record breach

A hacker has allegedly leaked data from 31 million AT&T customers, raising fresh concerns over the security of one of America’s largest telecom providers. The data, posted on a major dark web forum in late May 2025, is said to contain 3.1GB of customer information in both JSON and CSV formats.

Instead of isolated details, the breach reportedly includes highly sensitive data: full names, dates of birth, tax IDs, physical and email addresses, device and cookie identifiers, phone numbers, and IP addresses.

Cybersecurity firm DarkEye flagged the leak, warning that the structured formats make the data easy for criminals to exploit.

If verified, the breach would mark yet another major incident for AT&T. In March 2024, the company confirmed that personal information from 73 million users had been leaked.

Just months later, a July breach exposed call records and location metadata for nearly 110 million customers, with blame directed at compromised Snowflake cloud accounts.

AT&T has yet to comment on the latest claims. Experts warn that the combination of tax numbers and device data could enable identity theft, financial scams, and advanced phishing attacks.

For a company already under scrutiny for past security lapses, the latest breach could further damage public trust.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Libra meme coin wallets frozen on Solana

Two wallets tied to the controversial Libra meme coin team have been frozen. Nearly $58 million in USDC stablecoins on the Solana blockchain are now locked.

The freeze on Solscan affects accounts holding $44.59 million and $13.06 million in USDC, a stablecoin issued by Circle. Major stablecoin issuers like Circle have the authority to blacklist addresses in cases of fraud or legal disputes.

The freeze follows a temporary restraining order from a US federal court, requested by Burwick Law amid ongoing litigation. Argentina’s justice department has also been linked to the legal action, connected to the Libra token promoted by Argentine President Javier Milei.

The token’s rapid rise and fall earlier this year sparked accusations of a pump-and-dump scheme.

Despite the legal troubles, Circle has recently filed for an initial public offering on the New York Stock Exchange, aiming for a $6.7 billion valuation. Meanwhile, Argentina’s task force investigating the scandal was disbanded last week.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Victoria’s Secret website hit by cyber attack

Victoria’s Secret’s website has remained offline for three days due to a security incident the company has yet to fully explain. A spokesperson confirmed steps are being taken to address the issue, saying external experts have been called in and some in-store systems were also taken down as a precaution.

Instead of revealing specific details, the retailer has left users with only a holding message on a pink background. It has declined to comment on whether ransomware is involved, when the disruption began, or if law enforcement has been contacted.

The firm’s physical stores continue operating as normal, and payment systems are unaffected, suggesting the breach has hit other digital infrastructure. Still, the shutdown has rattled investors—shares fell nearly seven percent on Wednesday.

With online sales accounting for a third of Victoria’s Secret’s $6 billion annual revenue, the pressure to resolve the situation is high.

The timing has raised eyebrows, as cybercriminals often strike during public holidays like Memorial Day, when IT teams are short-staffed. The attack follows a worrying trend among retailers.

UK giants such as Harrods, Marks & Spencer, and the Co-op have all suffered recent breaches. Experts warn that US chains are becoming the next major targets, with threat groups like Scattered Spider shifting their focus across the Atlantic.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UK and EU strengthen maritime and cyber security

The UK and the EU have agreed to step up cooperation on cybersecurity as part of a wider defence and security pact.

The new framework, signed on 19 May, marks a major shift towards joint efforts in countering digital threats and hybrid warfare.

Instead of managing these challenges separately, the UK and EU will hold structured dialogues to address cyberattacks, disinformation campaigns, and other forms of foreign interference.

The deal outlines regular exchanges between national security officials, supported by thematic discussions focused on crisis response, infrastructure protection, and online misinformation.

A key aim is to boost resilience against hostile cyber activity by working together on detection, defence, and prevention strategies. The agreement encourages joint efforts to safeguard communication networks, protect energy grids, and strengthen public awareness against information manipulation.

The cooperation is expected to extend into coordinated drills and real-time threat sharing.

While the UK remains outside the EU’s political structure, the agreement positions it as a close cyber security partner.

Future plans include exploring deeper collaboration through EU defence projects and potentially forming a formal link with the European Defence Agency, ensuring that both sides can respond more effectively to emerging digital threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EMSA given broader powers for digital maritime threats

The European Maritime Safety Agency (EMSA) is set to take on an expanded role in maritime security, following a provisional agreement between the European Parliament and the Council.

Instead of focusing solely on traditional safety tasks, EMSA will now help tackle modern challenges, including cyber attacks and hybrid threats that increasingly target critical maritime infrastructure across Europe.

The updated mandate enables EMSA to support EU member states and the European Commission with technical, operational and scientific assistance in areas such as cybersecurity, pollution response, maritime surveillance and decarbonisation.

Rather than remaining confined to its original scope, the agency may also adopt new responsibilities as risks evolve, provided such tasks are requested by the Commission or individual countries.

The move forms part of a broader EU legislative package aimed at reinforcing maritime safety rules, improving environmental protections and updating inspection procedures.

The reforms ensure EMSA is equipped with adequate human and financial resources to handle its wider remit and contribute to strategic resilience in an increasingly digital and geopolitically unstable world.

Created in 2002 and based in Lisbon, EMSA plays a central role in safeguarding maritime transport, which remains vital for Europe’s economy and trade.

With more than 2,000 marine incidents reported annually, the agency’s modernised mandate is expected to strengthen the EU’s ability to prevent disruptions at sea and support its broader green and security goals.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Customer data exposed in Adidas cyber attack

Adidas has confirmed a cyber attack that led to the compromise of customer data held by a third-party service partner.

According to the company, unauthorised access was gained to consumer contact details submitted during previous interactions with its customer service help desk. Payment credentials and passwords were not affected.

Affected individuals are now being notified directly, with the company expressing sincere regret for any concern caused. Contact information, such as names and email addresses, appears to be the primary type of data exposed.

Steps were taken immediately to contain the incident, with cybersecurity experts brought in to assist in a detailed investigation. Adidas stressed its commitment to safeguarding user data and is reviewing its systems to prevent similar breaches in future.

This incident adds to a growing list of cyber attacks targeting major UK retailers. Recent breaches involving Marks & Spencer, Co-op, and Harrods have caused operational disruption, prompting a wider investigation by the National Crime Agency into possible links among the attacks.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Taiwan rebuffs China’s hacking claims as disinformation

Taiwan has rejected accusations from Beijing that its ruling party orchestrated cyberattacks against Chinese infrastructure. Authorities in Taipei instead accused China of spreading false claims in an effort to manipulate public perception and escalate tensions.

On Tuesday, Chinese officials alleged that a Taiwan-backed hacker group linked to the Democratic Progressive Party (DPP) had targeted a technology firm in Guangzhou.

They claimed more than 1,000 networks, including systems tied to the military, energy, and government sectors, had been compromised across ten provinces in recent years.

Taiwan’s National Security Bureau responded on Wednesday, stating that the Chinese Communist Party is manipulating false information to mislead the international community.

Rather than acknowledging its own cyber activities, Beijing is attempting to shift blame while undermining Taiwan’s credibility, the agency said.

Taipei further accused China of long-running cyberattacks aimed at stealing funds and destabilising critical infrastructure. Officials described such campaigns as part of cognitive warfare designed to widen social divides and erode public trust within Taiwan.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Iranian hacker admits role in Baltimore ransomware attack

An Iranian man has pleaded guilty to charges stemming from a ransomware campaign that disrupted public services across several US cities, including a major 2019 attack in Baltimore.

The US Department of Justice announced that 37-year-old Sina Gholinejad admitted to computer fraud and conspiracy to commit wire fraud, offences that carry a maximum combined sentence of 30 years.

Rather than targeting private firms, Gholinejad and his accomplices deployed Robbinhood ransomware against local governments, hospitals and non-profit organisations from early 2019 to March 2024.

The attack on Baltimore alone resulted in over $19 million in damage and halted critical city functions such as water billing, property tax collection and parking enforcement.

Instead of simply locking data, the group demanded Bitcoin ransoms and occasionally threatened to release sensitive files. Cities including Greenville, Gresham and Yonkers were also affected.

Although no state affiliation has been confirmed, US officials have previously warned of cyber activity tied to Iran, allegations Tehran continues to deny.

Gholinejad was arrested at Raleigh-Durham International Airport in January 2025. The FBI led the investigation, with support from Bulgarian authorities. Sentencing is scheduled for August.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Hackers are selling 94 billion stolen cookies on Telegram

Cybercriminals are trading nearly 94 billion stolen browser cookies on Telegram, with over 20% still active and capable of granting direct access to user accounts.

These cookies, essential for keeping users logged in and websites functioning smoothly, are being repurposed as tools for account hijacking, bypassing login credentials and putting personal data at risk. Security experts warn that hundreds of millions of users globally could be exposed.

The data, revealed by cybersecurity firm NordVPN, shows that the theft spans 253 countries, with Brazil, India, Indonesia, Vietnam, and the US among the most affected.

Google services were the prime target, with over 4.5 billion stolen cookies linked to Google accounts, followed by YouTube, Microsoft, and Bing. Many of these cookies contain session IDs and user identifiers, which allow hackers to impersonate users and access their online accounts without detection.

The surge in cookie theft marks a 74% increase over the previous year, driven largely by the spread of malware. Redline, Vidar, and LummaC2 are among the most prolific infostealers, collectively responsible for over 60 billion stolen cookies.

These malware strains extract saved data from browsers and often act as gateways for more advanced cyberattacks.

New strains like RisePro, Stealc, Nexus, and Rhadamanthys are also emerging, designed to steal browser credentials and banking data more efficiently.

Many of these stolen cookies are being exchanged on Telegram channels, raising alarm about the app’s misuse. In response, Telegram stated:

The sale of private data is expressly forbidden by Telegram’s terms of service and is removed whenever discovered. Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports to remove millions of pieces of harmful content each year.’

With cookie theft becoming an increasingly common tactic, experts urge users to regularly clear cookies, use secure browsers, and consider additional protective measures to guard their digital identity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!