Hackers ramp up attacks on employee credentials

Recent research highlights a surge in identity‑focused cyberattacks aimed at stealing employee credentials.

Corporate login information is harvested using sophisticated tools like infostealer malware, phishing campaigns, and automated credential stuffing.

Security experts warn that compromised credentials allow attackers to masquerade as staff, access internal systems, and move laterally across organisations.

While some major firms rely solely on passwords, rigorous measures such as strong multifactor authentication, proactive monitoring, and cyber awareness training are more effective defences.

Despite awareness of these threats, many companies do not thoroughly scan for leaked credentials or flag suspicious login activity promptly.

This hesitancy often stems from budget limitations, competing priorities or bureaucratic inertia.

Security specialists stress the need for coordinated investment in layered security measures to protect against evolving identity‑based attacks.
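The "suspicious login activity" that the article says many companies fail to flag has a concrete, detectable shape: credential stuffing shows up as one source address failing logins against many distinct accounts in a short interval, and the event that needs the fastest response is a successful login from such an address. The following is an added defender-side example, not code from the article or any vendor mentioned in it; the log format, the hypothetical IP addresses and usernames, and the window and threshold values are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log: "<timestamp> <source ip> <username> <FAIL|OK>".
# 198.51.100.77 fails slowly (one account every 15 minutes), 203.0.113.7 sprays six
# accounts in seconds and then gets into "frank", 192.0.2.9 is an ordinary typo-then-success.
SAMPLE_LOG = """\
2025-06-18T08:00:00Z 198.51.100.77 alice FAIL
2025-06-18T08:15:00Z 198.51.100.77 bob FAIL
2025-06-18T08:30:00Z 198.51.100.77 carol FAIL
2025-06-18T08:45:00Z 198.51.100.77 dave FAIL
2025-06-18T09:00:00Z 198.51.100.77 erin FAIL
2025-06-18T09:00:01Z 203.0.113.7 alice FAIL
2025-06-18T09:00:03Z 203.0.113.7 bob FAIL
2025-06-18T09:00:05Z 203.0.113.7 carol FAIL
2025-06-18T09:00:08Z 203.0.113.7 dave FAIL
2025-06-18T09:00:10Z 203.0.113.7 erin FAIL
2025-06-18T09:00:12Z 203.0.113.7 frank FAIL
2025-06-18T09:00:15Z 203.0.113.7 frank OK
2025-06-18T09:01:00Z 198.51.100.4 alice OK
2025-06-18T09:02:00Z 192.0.2.9 bob FAIL
2025-06-18T09:02:20Z 192.0.2.9 bob OK
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, TS_FORMAT), ip, user, result


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames} for every source IP whose failed logins cover at
    least `min_users` distinct accounts within some interval of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until every event in view is within `window`.
            while events[start][0] < ts - window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def detect_success_after_spray(lines, **kwargs):
    """Successful logins from an IP already flagged by detect_stuffing, returned as
    (timestamp, user, ip): these accounts should be treated as compromised."""
    lines = [ln for ln in lines if ln.strip()]
    flagged = detect_stuffing(lines, **kwargs)
    hits = []
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "OK" and ip in flagged:
            hits.append((ts.strftime(TS_FORMAT), user, ip))
    return hits


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"credential stuffing from {ip}: {len(users)} accounts tried")
    for ts, user, ip in detect_success_after_spray(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user} logged in from flagged IP {ip}: reset password and revoke sessions")
```

The window matters: the slow attacker (198.51.100.77) stays under the five-minute threshold, which is exactly why real deployments pair this rule with longer-window counts and with checks of leaked-credential feeds rather than relying on one threshold.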

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ryuk ransomware hacker extradited to US after arrest in Ukraine

A key member of the infamous Ryuk ransomware gang has been extradited to the US after his arrest in Kyiv, Ukraine.

The 33-year-old man was detained in April 2025 at the request of the FBI and arrived in the US on 18 June to face multiple charges.

The suspect played a critical role within Ryuk by gaining initial access to corporate networks, which he then passed on to accomplices who stole data and launched ransomware attacks.

Ukrainian authorities identified him during a larger investigation into ransomware groups like LockerGoga, Dharma, Hive, and MegaCortex that targeted companies across Europe and North America.

According to Ukraine’s National Police, forensic analysis revealed the man’s responsibility for locating security flaws in enterprise networks.

Information gathered by the hacker allowed others in the gang to infiltrate systems, steal data, and deploy ransomware payloads that disrupted various industries, including healthcare, during the COVID pandemic.

Ryuk operated from 2018 until mid-2020 before rebranding as the notorious Conti gang, which later fractured into several smaller but still active groups. Researchers estimate that Ryuk alone collected over $150 million in ransom payments before shutting down.

Hackers target recruiters with fake CVs and malware

A financially driven hacking group known as FIN6 has reversed the usual job scam model by targeting recruiters instead of job seekers. Using realistic LinkedIn and Indeed profiles, the attackers pose as candidates and send malware-laced CVs hosted on reputable cloud platforms.

to type in resume URLs manually, bypassing email security tools. These URLs lead to fake portfolio sites hosted on Amazon Web Services that selectively deliver malware to visitors who pass as humans.

Victims receive a zip file containing a disguised shortcut that installs the more_eggs malware, which is capable of credential theft and remote access.

The JavaScript-based tool, linked to another group known as Venom Spider, uses legitimate Windows utilities to evade detection.

The campaign includes stealthy techniques such as traffic filtering, living-off-the-land binaries, and persistent registry modifications. Domains used include those mimicking real names, allowing attackers to gain trust while launching a powerful phishing operation.
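The delivery step described above, a zip archive holding a shortcut disguised as a document, is something a recruiter's mail gateway or endpoint can check for before anyone opens the file. Below is an added example of such a check, written for this digest and not taken from any research on FIN6 or more_eggs; the archive and its entry names are constructed in memory for the demonstration, and the only external fact it relies on is the fixed header every Windows shortcut file starts with (the 0x4C header size followed by the shell link CLSID).

```python
import io
import os
import zipfile

# Every Windows .lnk file begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_HEADER = bytes.fromhex("4c000000 01140200 0000 0000 c000 000000000046")

# Extensions Windows will execute directly, and the decoy extensions attackers
# put in front of them (Explorer always hides ".lnk", so "Resume.pdf.lnk" shows as "Resume.pdf").
RISKY_EXT = {".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe", ".bat", ".cmd"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".rtf"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the sorted list of reasons an archive entry looks like a disguised shortcut."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    if ext in RISKY_EXT:
        reasons.append("risky-extension")
    if ext in RISKY_EXT and os.path.splitext(root)[1] in DECOY_EXT:
        reasons.append("double-extension")
    # Content check catches shortcuts renamed to an innocent extension.
    if head.startswith(LNK_HEADER):
        reasons.append("lnk-header")
    return sorted(reasons)


def inspect_zip(data: bytes) -> list:
    """Inspect every file in a zip (bytes) and report the entries worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one double-extension shortcut, one benign text file,
    and one shortcut hiding behind a .jpg name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Jane_Doe_Resume.pdf.lnk", LNK_HEADER + b"\x00" * 64)
        zf.writestr("Jane_Doe_Cover_Letter.txt", b"Dear hiring manager, ...")
        zf.writestr("portfolio/headshot.jpg", LNK_HEADER + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"block {finding['name']}: {', '.join(finding['reasons'])}")
```

Checking the first bytes of each entry, not just its name, is the part that matters: a name filter alone is defeated by renaming, while a shortcut that has been renamed to `.jpg` still carries the fixed header.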

Iranian hacker admits role in Baltimore ransomware attack

An Iranian man has pleaded guilty to charges stemming from a ransomware campaign that disrupted public services across several US cities, including a major 2019 attack in Baltimore.

The US Department of Justice announced that 37-year-old Sina Gholinejad admitted to computer fraud and conspiracy to commit wire fraud, offences that carry a maximum combined sentence of 30 years.

Rather than targeting private firms, Gholinejad and his accomplices deployed Robbinhood ransomware against local governments, hospitals and non-profit organisations from early 2019 to March 2024.

The attack on Baltimore alone resulted in over $19 million in damage and halted critical city functions such as water billing, property tax collection and parking enforcement.

Instead of simply locking data, the group demanded Bitcoin ransoms and occasionally threatened to release sensitive files. Cities including Greenville, Gresham and Yonkers were also affected.

Although no state affiliation has been confirmed, US officials have previously warned of cyber activity tied to Iran, allegations Tehran continues to deny.

Gholinejad was arrested at Raleigh-Durham International Airport in January 2025. The FBI led the investigation, with support from Bulgarian authorities. Sentencing is scheduled for August.

WooCommerce responds to alleged data breach claim

A hacker going by the alias ‘Satanic’ recently claimed responsibility for a significant data breach affecting websites that use WooCommerce, a leading eCommerce platform. The attacker alleged that over 4.4 million customer records were compromised, including personal and corporate data such as email addresses, phone numbers, physical addresses, and social media profiles, as well as company revenues, staff sizes, and tech stacks.

The original announcement was made on Breach Forums, a known cybercrime forum, where the hacker stated that the data was available for sale via private messages or Telegram. While initial reports—including one by HackRead—linked the breach to WooCommerce-based stores, WooCommerce has since issued an official statement denying that its systems were involved in the incident.

‘We can confirm that no WooCommerce data has been involved in the breach described in these articles. Our team quickly investigated the data samples and compared them against our own records. We determined that the data was not obtained through a breach of WooCommerce.com or any other Automattic services.’ — Jay Walsh, Director of Communications, WooCommerce.

The company believes that the leaked data originated from a third-party service that aggregates publicly available information about e-commerce sites. It is unclear whether the data was accessed legally or obtained through other means.

The attacker claimed the breach was achieved by exploiting vulnerabilities in third-party systems integrated with WooCommerce-powered websites—such as CRMs or marketing platforms—rather than through WooCommerce itself. However, no technical evidence has been shared to substantiate this claim.

The incident follows previous breach claims by the same hacker involving platforms like Magento and Twilio’s SendGrid, the latter of which was also denied by the company.

WooCommerce, owned by Automattic, powers a large share of global online shops. While the platform remains secure according to its developers, the case highlights ongoing concerns about the security of third-party tools and integrations.

North Korean hacker group cashes in on crypto trade

A wallet linked to North Korea’s notorious Lazarus Group has reportedly sold 40.78 Wrapped Bitcoin (WBTC) for $3.51 million, exchanging it for 1,847 Ethereum (ETH), according to data from SpotOnChain.

Instead of holding onto the ETH, the wallet redistributed 2,507 ETH across three separate addresses, with the largest portion of 1,865 ETH sent to another wallet allegedly tied to the hacker group.

The wallet originally purchased the 40.78 WBTC in February 2023 for around $999,900, when the price of WBTC averaged $24,521. Instead of selling earlier, the group waited until WBTC surged to $83,459, securing a realised profit of $2.51 million, representing a 251% gain over two years.

Lazarus Group has been using complex laundering techniques to move stolen funds, particularly after its attack on the crypto exchange Bybit.

In March, the group allegedly laundered nearly 500,000 ETH—worth $1.39 billion—through various transactions in just ten days rather than leaving the stolen assets in a single location. At least $605 million was processed via the THORChain platform in a single day.

According to Arkham Intelligence, a wallet linked to the group still holds approximately $1.1 billion in crypto, with substantial reserves in Bitcoin, Ethereum, and Tether.

Meanwhile, Google’s Threat Intelligence Group has reported increased efforts by North Korean IT workers to infiltrate European tech and crypto firms, posing as legitimate employees while acting as insider operatives for state-sponsored cybercrime networks such as Lazarus Group.

For more information on these topics, visit diplomacy.edu.

New hacking group mimics Russia-linked group to target Russian entities, Chinese cybersecurity experts say

A hacking group named GamaCopy has been imitating the tactics of the Russia-linked threat actor Gamaredon to target Russian-speaking victims, according to research by the Chinese cybersecurity firm Knownsec.

GamaCopy’s latest campaign employed phishing documents disguised as reports on Russian armed forces’ locations in Ukraine, along with the open-source software UltraVNC for remote access.

While GamaCopy mirrors many techniques used by Gamaredon, researchers identified notable differences. For example, GamaCopy primarily targets Russian-speaking victims, whereas Gamaredon typically targets Ukrainian speakers. Additionally, GamaCopy’s use of UltraVNC is a unique element in its attack chain.

Since June 2023, GamaCopy has targeted Russia’s defense and critical infrastructure sectors. However, the group is believed to have been active even earlier, i.e. since August 2021. Knownsec’s analysis suggests that GamaCopy’s operations are part of a deliberate false-flag campaign and links the group to another state-sponsored actor known as Core Werewolf, which has similarly targeted Russian defense systems since 2021.

This discovery follows recent reports of other hacker groups conducting cyber-espionage campaigns against Russian entities, highlighting the increasing complexity and state-backed nature of these threats.

Hacker claims breach at Gravy Analytics data firm

A hacker claims to have breached US location tracking company Gravy Analytics, leaking around 1.4 gigabytes of data. The allegation, shared on a Russian-language cybercriminal forum, included screenshots suggesting a data theft. Verification attempts were complicated as Gravy’s website remained offline and the company did not respond to messages.

Cybersecurity experts reviewing the leaked data found the breach credible. Marley Smith from RedSense and John Hammond from Huntress both confirmed the data appeared legitimate, though the hacker’s identity remains unclear.

Gravy was previously involved in a crackdown by President Biden’s administration targeting data brokers collecting sensitive location data without proper consent. The Federal Trade Commission (FTC) settled with Gravy and Mobilewalla in December over allegations of deceptive data practices.

The FTC expressed concerns that such data could be misused for stalking, blackmail, and espionage but declined to comment on the breach. FTC Chair Lina Khan recently warned that targeted advertising practices leave sensitive data highly vulnerable.

Hacker demands ransom from India’s largest health insurer after data leak

Star Health, India’s largest health insurer, has revealed it received a $68,000 ransom demand following a data breach that exposed customer details, including medical records. The hacker used Telegram chatbots and a website to leak sensitive information, leading to significant reputational damage and a drop in the company’s stock value.

The hacker, who made the ransom demand in August, sent the request to Star Health’s managing director and CEO. While the company has launched an internal investigation, it also faces allegations that its chief security officer was involved in the data leak, although no evidence of wrongdoing has been found so far.

Star Health has taken legal action against both the hacker and Telegram, which has not permanently banned the accounts linked to the hacker. The company has sought help from Indian cybersecurity authorities to identify the individual behind the attack.

Telegram has not responded to requests for comment but previously removed the chatbots linked to the hack after Reuters brought them to its attention. The investigation continues as Star Health works to contain the damage from the breach.

Hacker steals AI design details from OpenAI

A hacker infiltrated OpenAI’s internal messaging systems last year, stealing details about the design of its AI technologies, according to Reuters’ sources familiar with the matter. The breach involved discussions on an online forum where employees exchanged information about the latest AI developments. Crucially, the hacker needed access to the systems where OpenAI builds and houses its AI.

OpenAI, backed by Microsoft, did not publicly disclose the breach, as no customer or partner information was compromised. Executives briefed employees and the board but did not involve federal law enforcement, believing the hacker had no ties to foreign governments.

In a separate incident, OpenAI reported disrupting five covert operations that aimed to misuse its AI models for deceptive activities online. The issue raised safety concerns and prompted discussions about safeguarding advanced AI technology. The Biden administration plans to implement measures to protect US AI advancements from foreign adversaries. At the same time, 16 AI companies have pledged to develop the technology responsibly amid rapid innovation and emerging risks.