Bribing support agents, coercing insiders, or abusing outsourced staff is seen as a cheaper, quieter, and more scalable entry point than burning zero-days. Attackers are expanding their attack surface by targeting smart devices that often lack security maturity. Exploiting smart pet feeders that collect audio, behavioral data, credentials, and cloud tokens is not surprising.
These devices are cloud-connected, likely poorly authenticated and maintained under legacy support models. From a risk perspective, their compromise offers disproportionate access relative to their original use.
Coupang disclosed its compensation plan and internal investigation findings following a major cybersecurity incident. The company said affected users would receive remedies based on impact assessments. Investigators traced part of the incident to a corporate laptop that was improperly disposed of. The device was later recovered from a river.
Severe vulnerabilities in Petlibro smart pet feeders exposed user, employee, and device data. A critical authentication bypass allowed full account takeover via Google login abuse. Flaws enabled access to pet profiles, audio recordings, and remote device control. The most serious issue remained unpatched for over two months due to legacy support.
Indian authorities arrested a former Coinbase support agent for allegedly helping attackers access internal systems during a 2025 data breach. The incident exposed sensitive PII and KYC documents belonging to about 69,500 customers. Coinbase said bribed outsourcing staff enabled the access. The company refused to pay a $20 million ransom. One more arrest is expected as the investigation continues.
A Lithuanian national was arrested and extradited to South Korea for operating a large-scale KMSAuto clipper malware campaign. The malware infected about 2.8 million systems worldwide by masquerading as an illegal Windows activation tool. It hijacked cryptocurrency transactions, stealing roughly $1.2 million through 8,400 transfers. Police warned that pirated software remains a common and high-risk vector for malware distribution.
Two U.S.-based cybersecurity professionals pleaded guilty to extortion conspiracy for launching ALPHV (BlackCat) ransomware attacks in 2023. The pair abused incident-response roles and accessed the gang’s ransomware and extortion platform. Court records show one victim paid about $1.2 million in Bitcoin, with a portion sent to ALPHV administrators. Both defendants face up to 20 years in prison, with sentencing scheduled for March 2026.
The exploitation of Oracle E-Business Suite systems led to a data security incident at the University of Phoenix, potentially exposing the personal information of nearly 3.5 million individuals. Korean Air separately confirmed an employee data leak traced to an ERP server operated by a former catering subsidiary. Both incidents are linked to a broader campaign publicly claimed by the CL0P ransomware group.
An investigative journalist reported a series of alleged data exposures affecting multiple Mexican government institutions. The disclosures include the Sonora State Judiciary, Sonora Finance Secretariat, and Hermosillo municipal citizen services systems. Additional incidents reportedly involve Baja California’s private security registries and the Tabasco Education Secretariat databases. The data includes financial records, scanned identity documents, and credentials.
Soon after Sedgwick Government Solutions appeared on a ransomware leak site operated by TridentLocker, the company confirmed a cybersecurity incident at its federal contractor subsidiary. Sedgwick said the activity was limited to an isolated file transfer system and did not affect core platforms or company networks. The ransomware group claimed it exfiltrated 3.4 GB of data. Sedgwick said services to government clients continue uninterrupted.
After claims appeared on a hacking forum, the European Space Agency confirmed a cybersecurity incident involving a limited number of external servers used for unclassified collaborative engineering work. ESA said the affected systems did not host sensitive or mission-critical data.
The attack on ESA reflects probing of legacy infrastructure and externally exposed systems that sit adjacent to high-value organizations. Confirmation of the attack following public claims suggests that leak sites might push the incident response timeline.
Arrests in India, Lithuania, and South Korea show growing cross-border law enforcement collaboration to combat cyber threats. But the question remains: once all technical gaps are patched, how do organizations prevent cyber attacks by keeping staff from giving in to incentives?