Cybercrime

TxTag users targeted in sophisticated phishing scheme

A new phishing campaign targets employees with fake TxTag toll payment alerts, using legitimate-looking government domains to trick recipients into handing over sensitive information. The emails warn users of an impending account suspension unless they urgently pay a small fee, creating a false alarm to prompt quick action.

While the messages appear to come from official sources, researchers found they actually originate from an Indiana-based GovDelivery system—not Texas toll authorities—highlighting a subtle but crucial red flag. Once victims click the link, they are taken to a convincing replica of the TxTag payment site hosted at a fraudulent domain.

The page displays a believable debt of $6.69 to make the request seem routine and non-threatening. However, instead of simply logging in, users are asked to provide full personal details and, later, complete credit card information—including CVV codes.

The phishing site even validates card data to ensure the theft yields high-quality credentials. After submitting the data, victims see a fake processing message, which may be followed by an error claiming the card is unsupported.

That trick often leads users to input additional card details, giving attackers access to multiple financial accounts. The scam exemplifies the growing sophistication of phishing attacks in the US that combine technical misdirection with emotional manipulation, preying on trust in government branding and the fear of financial penalties.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

INTERPOL cracks down on global cybercrime networks

Over 20,000 malicious IP addresses and domains linked to data-stealing malware have been taken down during Operation Secure, a coordinated cybercrime crackdown led by INTERPOL between January and April 2025.

Law enforcement agencies from 26 countries worked together to locate rogue servers and dismantle criminal networks instead of tackling threats in isolation.

The operation, supported by cybersecurity firms including Group-IB, Kaspersky and Trend Micro, led to the removal of nearly 80 per cent of the identified malicious infrastructure. Authorities seized 41 servers, confiscated over 100GB of stolen data and arrested 32 suspects.

More than 216,000 individuals and organisations were alerted, helping them act quickly by changing passwords, freezing accounts or blocking unauthorised access.

Vietnamese police arrested 18 people, including a group leader found with cash, SIM cards and business records linked to fraudulent schemes. Sri Lankan and Nauruan authorities carried out home raids, arresting 14 suspects and identifying 40 victims.

In Hong Kong, police traced 117 command-and-control servers across 89 internet providers. INTERPOL hailed the effort as proof of the impact of cross-border cooperation in dismantling cybercriminal infrastructure instead of allowing it to flourish undisturbed.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Hackers are selling 94 billion stolen cookies on Telegram

Cybercriminals are trading nearly 94 billion stolen browser cookies on Telegram, with over 20% still active and capable of granting direct access to user accounts.

These cookies, essential for keeping users logged in and websites functioning smoothly, are being repurposed as tools for account hijacking, bypassing login credentials and putting personal data at risk. Security experts warn that hundreds of millions of users globally could be exposed.

The data, revealed by cybersecurity firm NordVPN, shows that the theft spans 253 countries, with Brazil, India, Indonesia, Vietnam, and the US among the most affected.

Google services were the prime target, with over 4.5 billion stolen cookies linked to Google accounts, followed by YouTube, Microsoft, and Bing. Many of these cookies contain session IDs and user identifiers, which allow hackers to impersonate users and access their online accounts without detection.

The surge in cookie theft marks a 74% increase over the previous year, driven largely by the spread of malware. Redline, Vidar, and LummaC2 are among the most prolific infostealers, collectively responsible for over 60 billion stolen cookies.

These malware strains extract saved data from browsers and often act as gateways for more advanced cyberattacks.

New strains like RisePro, Stealc, Nexus, and Rhadamanthys are also emerging, designed to steal browser credentials and banking data more efficiently.

Many of these stolen cookies are being exchanged on Telegram channels, raising alarm about the app’s misuse. In response, Telegram stated:

The sale of private data is expressly forbidden by Telegram’s terms of service and is removed whenever discovered. Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports to remove millions of pieces of harmful content each year.’

With cookie theft becoming an increasingly common tactic, experts urge users to regularly clear cookies, use secure browsers, and consider additional protective measures to guard their digital identity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Agentic AI could accelerate and automate future cyberattacks, Malwarebytes warns

A new report by Malwarebytes warns that the rise of agentic AI will significantly increase the frequency, sophistication, and scale of cyberattacks.

Since the launch of ChatGPT in late 2022, threat actors have used generative AI to write malware, craft phishing emails, and execute realistic social engineering schemes.

One notable case from January 2024 involved a finance employee who was deceived into transferring $25 million during a video call with AI-generated deepfakes of company executives.

Criminals have also found ways to bypass safety features in AI models using techniques such as prompt chaining, injection, and jailbreaking to generate malicious outputs.

While generative AI has already lowered the barrier to entry for cybercrime, the report highlights that agentic AI—capable of autonomously executing complex tasks—poses a far greater risk by automating time-consuming attacks like ransomware at scale.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

NatWest hit by 100 million cyber attacks every month

NatWest is defending itself against an average of 100 million cyber attacks each month, according to the bank’s head of cybersecurity.

Speaking to Holyrood’s Criminal Justice Committee, Chris Ulliott outlined the ‘staggering’ scale of digital threats targeting the bank’s systems. Around a third of all incoming emails are blocked before reaching staff, as they are suspected to be the start of an attack.

Instead of relying on basic filters, NatWest analyses every email for malicious content and has a cybersecurity team of hundreds, supported by a multi-million-pound budget.

Mr Ulliott also warned of the growing use of AI by cyber criminals to make scams more convincing—such as altering their appearance during video calls to build trust with victims.

Police Scotland reported that cybercrime has more than doubled since 2020, with incidents rising from 7,710 to 18,280 in 2024. Officials highlighted the threat posed by groups like Scattered Spider, believed to consist of young hackers sharing techniques online.

MSP Rona Mackay called the figures ‘absolutely staggering,’ while Ben Macpherson said he had even been impersonated by fraudsters.

Law enforcement agencies, including the FBI, are now working together to tackle online crime. Meanwhile, Age Scotland warned that many older people lack confidence online, making them especially vulnerable to scams that can lead to financial ruin and emotional distress.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Masked cybercrime groups rise as attacks escalate worldwide

Cybercrime is thriving like never before, with hackers launching attacks ranging from absurd ransomware demands of $1 trillion to large-scale theft of personal data. Despite efforts from Microsoft, Google and even the FBI, these threat actors continue to outpace defences.

A new report by Group-IB has analysed over 1,500 cybercrime investigations to uncover the most active and dangerous hacker groups operating today.

Rather than fading away after arrests or infighting, many cybercriminal gangs are re-emerging stronger than before.

Group-IB’s May 2025 report highlights a troubling increase in key attack types across 2024 — phishing rose by 22%, ransomware leak sites by 10%, and APT (advanced persistent threat) attacks by 58%. The United States was the most affected country by ransomware activity.

At the top of the cybercriminal hierarchy now sits RansomHub, a ransomware-as-a-service group that emerged from the collapsed ALPHV group and has already overtaken long-established players in attack numbers.

Behind it is GoldFactory, which developed the first iOS banking trojan and exploited facial recognition data. Lazarus, a well-known North Korean state-linked group, also remains highly active under multiple aliases.

Meanwhile, politically driven hacktivist group NoName057(16) has been targeting European institutions using denial-of-service attacks.

With jurisdictional gaps allowing cybercriminals to flourish, these masked hackers remain a growing concern for global cybersecurity, especially as new threat actors emerge from the shadows instead of disappearing for good.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

G7 to address North Korea’s role in major crypto hacks

Leaders of the Group of Seven (G7) nations are set to tackle North Korea’s ongoing cyber threats, particularly its involvement in large-scale cryptocurrency hacks.

The agenda will reportedly focus on the regime’s use of stolen crypto funds to finance weapons programmes. The issue has raised international concern over global security risks.

The summit, hosted by Canadian Prime Minister Mark Carney from 15 to 17 June in Alberta, is expected to address geopolitical challenges, including North Korea’s tightening alliance with Russia. Such ties have further complicated attribution of attacks and enforcement of sanctions, experts warn.

Investigations have linked North Korean hackers, notably the Lazarus Group, to major crypto heists. These include the $622 million Axie Infinity breach and February’s $1.4 billion Bybit attack. Analysts believe other cyber units are also active, making digital asset protection a growing priority.

The G7, comprising France, Germany, Italy, Japan, the UK, the US and Canada, aims to strengthen coordination against cybercrime. It also seeks to limit the regime’s ability to exploit the crypto ecosystem for hostile purposes.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Cyber incident disrupts services at Marks & Spencer

Marks & Spencer has confirmed that a cyberattack has disrupted food availability in some stores and forced the temporary shutdown of online services. The company has not officially confirmed the nature of the breach, but cybersecurity experts suspect a ransomware attack.

The retailer paused clothing and home orders on its website and app after issues arose over the Easter weekend, affecting contactless payments and click-and-collect systems. M&S said it took some systems offline as a precautionary measure.

Reports have linked the incident to the hacking group Scattered Spider, although M&S has declined to comment further or provide a timeline for the resumption of online orders. The disruption has already led to minor product shortages and analysts anticipate a short-term hit to profits.

Still, M&S’s food division had been performing strongly, with grocery spending rising 14.4% year-on-year, according to Kantar. The retailer, which operates around 1,000 UK stores, earns about one-third of its non-food sales online. Shares dropped earlier in the week but closed Tuesday slightly up.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

France accuses Russia of cyberattacks on Olympic and election targets

France has publicly accused Russia’s military intelligence agency of launching cyberattacks against key French institutions, including the 2017 presidential campaign of Emmanuel Macron and organisations tied to the Paris 2024 Olympics.

The allegations were presented by Foreign Minister Jean-Noël Barrot at the UN Security Council, where he condemned the attacks as violations of international norms. French authorities linked the operations to APT28, a well-known Russian hacking group connected to the GRU.

The group also allegedly orchestrated the 2015 cyberattack on TV5 Monde and attempted to manipulate voters during the 2017 French election by leaking thousands of campaign documents. A rise in attacks has been noted ahead of major events like the Olympics and future elections.

France’s national cybersecurity agency recorded a 15% increase in Russia-linked attacks in 2024, targeting ministries, defence firms, and cultural venues. French officials warn the hacks aim to destabilise society and erode public trust.

France plans closer cooperation with Poland and pledged to counter Russia’s cyber operations with all available means.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware decline masks growing threat

A recent drop in reported ransomware attacks might seem encouraging, yet experts warn this is likely misleading. Figures from the NCC Group show a 32% decline in March 2025 compared to the previous month, totalling 600 incidents.

However, this dip is attributed to unusually large-scale attacks in earlier months, rather than an actual reduction in cybercrime. In fact, incidents were up 46% compared with March last year, highlighting the continued escalation in threat activity.

Rather than fading, ransomware groups are becoming more sophisticated. Babuk 2.0 emerged as the most active group in March, though doubts surround its legitimacy. Security researchers believe it may be recycling leaked data from previous breaches, aiming to trick victims instead of launching new attacks.

A tactic like this mirrors behaviours seen after law enforcement disrupted other major ransomware networks, such as LockBit in 2024.

Industrials were the hardest hit, followed by consumer-focused sectors, while North America bore the brunt of geographic targeting.

With nearly half of all recorded attacks occurring in the region, analysts expect North America, especially Canada, to remain a prime target amid rising political tensions and cyber vulnerability.

Meanwhile, cybercriminals are turning to malvertising, malicious code hidden in online advertisements, as a stealthier route of attack. This tactic has gained traction through the misuse of trusted platforms like GitHub and Dropbox, and is increasingly being enhanced with generative AI tools.

Instead of relying solely on technical expertise, attackers now use AI to craft more convincing and complex threats. As these strategies grow more advanced, experts urge organisations to stay alert and prioritise threat intelligence and collaboration to navigate this volatile cyber landscape.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!