Cybercrime

Police investigate rising crypto-related crimes in Russia

Police in St. Petersburg have dismantled an illegal crypto mining farm operating near Mitrofanievsky Highway. The facility caused around 10 million rubles ($127,873) in damage to the city’s power grid.

Dozens of mining rigs and tampered meters were seized from the unmanned warehouse.

Authorities believe the farm spanned several hundred square metres and was powered through a nearby substation. A manhunt is under way for those responsible.

Meanwhile, the Ministry of Internal Affairs has warned of a new scam using foreign call centres. Fraudsters pose as trading experts and convince victims to invest in crypto after fake training sessions.

Once trust is gained, scammers take control of victims’ accounts and transfer funds to their own wallets. The warning follows the sentencing of influencer Valeria Fedyakina, known as Bitmama, for a $21 million crypto fraud.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Billing software firm hit by ransomware attack

Healthcare billing platform Horizon Healthcare RCM has confirmed it suffered a ransomware attack, where threat actors stole sensitive data before encrypting its systems. The cybercriminal group, suspected to be affiliated with LockBit, reportedly demanded a ransom, which the company is believed to have paid to prevent public exposure of the stolen data.

The breach occurred in June 2024 and affected Horizon’s cloud-based revenue-cycle management platform. Although the company has not disclosed how many clients were impacted, it has notified healthcare providers using its services and is working with cybersecurity experts to assess the full scope of the incident.

Security analysts believe the attackers exfiltrated significant data, including protected health information, before deploying ransomware. While systems were eventually restored, concerns remain over long-term privacy risks and potential regulatory consequences for affected healthcare organisations.

Ransomware attacks on third-party vendors pose significant risks to the healthcare sector. Experts stress the importance of vendor risk assessments, data encryption, and secure system configurations to limit exposure.

As ransomware actors increasingly target supply-chain providers, proactive monitoring and resilience strategies are becoming essential for safeguarding critical data infrastructure.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

FBI warns cybercriminals are targeting airline security systems

The FBI has warned that a notorious cybercrime group known as Scattered Spider has broadened its attacks to target the airline sector. The gang, previously linked to breaches at Caesars, MGM, Aflac, and UK retailers, employs sophisticated social‑engineering methods.

These criminals impersonate employees or contractors and persuade IT help‑desk staff to register unauthorised devices, bypassing multi‑factor authentication. FBI and cybersecurity experts stress that airlines and third‑party suppliers are at serious risk.

While their flight operations remained unaffected, recent incidents at WestJet and Hawaiian Airlines are consistent with Scattered Spider’s modus operandi. Help‑desk teams are urged to reinforce identity verification protocols to prevent such incursions.

The FBI is collaborating with aviation partners to share intelligence and assist victims. Warnings emphasise prompt reporting of suspicious requests and reviews of help‑desk procedures. In particular, staff should resist pressure to add MFA devices or reset credentials without rigorous authentication, no matter how credible or urgent the request may appear.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Qantas cyber attack sparks customer alert

Qantas is investigating a major data breach that may have exposed the personal details of up to six million customers.

The breach affected a third-party platform used by the airline’s contact centre to store sensitive data, including names, phone numbers, email addresses, dates of birth and frequent flyer numbers.

The airline discovered unusual activity on 30 June and responded by immediately isolating the affected system. While the full scope of the breach is still being assessed, Qantas expects the volume of stolen data to be significant.

However, it confirmed that no passwords, PINs, credit card details or passport numbers were stored on the compromised platform.

Qantas has informed the Australian Federal Police, the Cyber Security Centre and the Office of the Information Commissioner. CEO Vanessa Hudson apologised to customers and urged anyone concerned to call a dedicated support line. She added that airline operations and safety remain unaffected.

The incident follows recent cyber attacks on Hawaiian Airlines, WestJet and major UK retailers, reportedly linked to a group known as Scattered Spider. The breach adds to a growing list of Australian organisations targeted in 2025, in what privacy authorities describe as a worsening trend.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Researchers track financial cyberattacks in Africa and spot new ransomware group

Cybersecurity researchers have identified a series of cyberattacks targeting African financial institutions since at least July 2023. The campaign, attributed to a threat cluster named CL-CRI-1014 by Palo Alto Networks Unit 42, involves using open-source and publicly available tools to maintain unauthorised access to compromised systems.

According to Unit 42, ‘CL’ stands for ‘cluster’ and ‘CRI’ refers to ‘criminal motivation.’ The threat actor is believed to be operating as an initial access broker (IAB), seeking to obtain entry into networks and sell access to other cybercriminals on underground forums.

Researchers noted that the group employs methods to evade detection by spoofing legitimate software, including copying digital signatures and using application icons from Microsoft Teams, Palo Alto Networks Cortex, and VMware Tools to disguise malicious payloads. Tools deployed include PoshC2 for command-and-control, Chisel for network tunnelling, and Classroom Spy for remote access.

While the initial intrusion vector remains unclear, once access is achieved, the attackers reportedly use MeshCentral Agent and Classroom Spy to control machines, with Chisel deployed to bypass firewalls. PoshC2 is propagated across Windows hosts and persisted through various techniques, including services, scheduled tasks, and startup shortcuts. In some cases, stolen user credentials were used to set up proxies via PoshC2.

Trustwave SpiderLabs has reported the emergence of a new ransomware group named Dire Wolf, which has claimed 16 victims across multiple countries, including the United States, India, and Italy, with primary targets in the technology, manufacturing, and financial sectors.

Dire Wolf ransomware was developed in Golang. It includes disabling system logging, terminating a predefined list of services and applications, and deleting shadow copies to hinder recovery. Although details about the group’s initial access or lateral movement techniques are unknown, Trustwave advises organisations to maintain standard cybersecurity practices and monitor for the techniques observed during the analysis.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Nobitex restores wallet access after major hack

Iran’s biggest crypto exchange, Nobitex, has begun restoring wallet access after a cyberattack that stole over $90 million this month. Wallet reactivation is being carried out in phases, starting with verified users and spot wallets, while other wallets will reopen once identity checks are completed.

Users were urged to update their details promptly, as deposits sent to old wallet addresses now risk permanent loss due to a complete system migration.

Nobitex warned that withdrawal, deposit, and trading services for verified users would resume as soon as security checks allow. Timelines may change depending on technical conditions.

Following the breach, Iran’s central bank mandated domestic exchanges to restrict operating hours from 10 am to 8 pm to improve security.

The pro-Israel hacking group Predatory Sparrow claimed responsibility, highlighting rising regional cyber tensions. Nobitex remains central to Iran’s growing crypto market, but the attack has shaken user trust and raised concerns over the country’s financial cybersecurity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Europol backs Spain in dismantling crypto crime ring

Spanish law enforcement, supported by Europol and agencies from Estonia, France, and the United States, arrested five individuals on 25 June 2025 linked to a global cryptocurrency investment scam. The operation uncovered a vast fraud network responsible for laundering around €460 million taken from over 5,000 victims worldwide.

The suspects were detained following coordinated raids in Madrid and the Canary Islands. Authorities conducted five property searches in total.

Europol has been assisting with the case since 2023, providing technical expertise, financial crime analysis, and on-site support during the final phase of the investigation.

The group allegedly operated through a vast web of international sales agents facilitating fund collection via cash, wire transfers, and cryptocurrencies.

The criminal operation reportedly maintained a corporate and banking structure based in Hong Kong, using shell companies and various digital accounts under false identities to move illicit funds.

Online fraud remains a critical threat to EU security, and Europol warns that it is rapidly growing in scale and complexity. According to Europol’s latest threat report, the rise of AI-powered deception tools is expected to fuel the spread of cyber-enabled fraud further.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ahold Delhaize breach hits 2 million with data theft

A ransomware attack on Dutch retailer Ahold Delhaize resulted in a significant data breach affecting more than 2.2 million individuals across US businesses.

The breach occurred in November 2024 following network disruptions at supermarket chains, including Giant Food, Food Lion, and Stop & Shop.

The Inc Ransom group claimed responsibility in April 2025, stating it exfiltrated around 6 TB of data. The company confirmed that stolen files included employment records containing sensitive personal and financial information, with some data already posted on the dark web.

Affected individuals are now notified and offered two years of free identity protection services. The compromised data includes names, Social Security numbers, contact details, and medical and employment information.

Supermarkets have become a growing target in recent cyber campaigns. In April, UK retailers such as M&S and Harrods were also attacked, while distributor UNFI faced major disruptions earlier this month.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware victims still paying, Sophos finds

Nearly half of ransomware victims paid the attackers last year, according to Sophos. In its 2025 survey of 3,400 IT pros, 49% admitted to making payments—just below last year’s record.

Ransom amounts dropped significantly, with median payments falling 50% and demand amounts down a third. Yet backup usage also hit a six-year low, used by just 54% of firms for recovery.

Attackers often exploited known vulnerabilities (32%) or unknown security gaps (40%), highlighting persistent weaknesses. Sophos noted many companies now accept ransomware as a business risk.

CISA warned that CVE-2024-54085 in AMI MegaRAC firmware is under active exploitation elsewhere. The bug allows attackers to bypass authenticating remotely.

Varonis flagged abuse of Microsoft’s Direct Send email feature in a phishing campaign affecting over 70 organisations. Disabling it is advised if not essential.

Rapid7 also found critical vulnerabilities in Brother printers. One flaw rated CVSS 9.8, allows password theft and cannot be patched—users must change defaults.

Finally, Google will roll out new Gemini AI features to Android users starting on July 7, even for those with app activity disabled.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cybercrime surge hits airlines across North America

According to the FBI and cybersecurity experts, a well-known cybercrime group has launched fresh attacks on the airline industry, successfully breaching the networks of several airlines in the US and Canada.

The hackers, identified as ‘Scattered Spider’, are known for aggressive extortion tactics and are now shifting their focus to aviation instead of insurance or retail, their previous targets.

Airline security teams remain on high alert despite no flights or operations being disrupted. Hawaiian Airlines and Canada’s WestJet have acknowledged recent cyber incidents, while sources suggest more affected companies may step forward soon.

Both airlines reported no impact on day-to-day services, likely due to solid internal defences and continuity planning.

The attackers often exploit help desks by impersonating employees or customers to access corporate systems. Experts warn that airline call centres are especially vulnerable, given their importance to customer support.

Cybersecurity firms, including Mandiant, are now supporting the response and advising firms to reinforce these high-risk entry points.

Scattered Spider has previously breached major casinos, insurance, and retail companies. The FBI confirmed it is working with aviation partners to contain the threat and assist victims.

Industry leaders remain alert, noting that airlines, IT contractors, and vendors across the aviation sector are at risk from the escalating threat.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!