Cybersecurity News Roundup: Disruptions, Arrests, and an Expanding Attack Surface

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Cyber intrusions increasingly reveal how modern attacks depend less on brute force and more on access already embedded in systems. Compromised credentials and exposed cloud permissions continue to provide pathways that scale quietly. Sophisticated tooling once reserved for intelligence or surveillance is now circulating within criminal ecosystems.

In a surprising case, a ransomware negotiator was found effectively speaking for both sides of the same attack. At the same time, incidents attributed to geopolitical conflicts drew attention to increasing hacktivist and nation-state cyber operations.

EU Court Says Banks Must Immediately Refund Phishing Victims

An Advocate General at the Court of Justice of the European Union has issued a legal opinion stating that banks should immediately refund victims of unauthorized transactions resulting from phishing. The opinion interprets the EU Payment Services Directive (PSD2) as requiring payment providers to reimburse the stolen amount. It arose from a case referred by a Polish court involving a customer who lost funds after entering credentials on a fake banking page. Banks may seek recovery of the funds if they prove the customer deliberately, or through gross negligence, failed to protect their security credentials.

Florida Arrest Tied to Government Impersonation and Vishing Ring

Authorities in Florida arrested 28-year-old Atlanta resident D'Zyre Youngblood in connection with a vishing ring accused of impersonating law enforcement officials to extort victims. Investigators said callers posing as a police captain threatened victims with arrest unless they sent money through Bitcoin transfers. The investigation began after a Volusia County woman reported losing about $79,000 to the scheme. Cryptocurrency transaction tracing helped link the payments to the suspect’s accounts. Officials believe the operation was connected to a broader fraud network run by inmates inside Georgia prisons with outside accomplices.

Coruna iPhone Exploit Toolkit Spreads From Spy Operations to Cybercrime Campaigns

Coruna, a powerful iOS exploit toolkit containing 23 vulnerabilities organized into five exploit chains, has been targeting iPhones running iOS 13 through 17.2.1. The framework was detected in 2025 and later appeared in attacks attributed to the espionage group UNC6353. The toolkit chains multiple exploits to compromise devices when users visit malicious websites, enabling access to data. Researchers warn that the case illustrates how advanced surveillance-grade cyber capabilities can circulate across the espionage and cybercriminal ecosystem.

ShinyHunters Claims Data Theft from Salesforce Ecosystem Targeting 100 Companies

ShinyHunters claimed to have extracted CRM data from nearly 100 organizations by abusing misconfigured Salesforce Experience Cloud guest user permissions. The attackers said the campaign targeted internet-facing Salesforce deployments, and the affected companies reportedly include Snowflake, Okta, Sony, AMD, LastPass, and Salesforce itself. Researchers report the actors modified AuraInspector, an open-source Mandiant security assessment tool, to automate vulnerability discovery and bypass Salesforce’s 2,000-record extraction limit.

KadNap Hijacks Asus Routers to Build 14,000-Device Proxy Botnet

Cybersecurity researchers identified KadNap malware compromising Asus routers and enrolling them into a botnet exceeding 14,000 devices worldwide. The botnet uses a custom implementation of the Kademlia distributed hash table protocol to conceal command and control infrastructure and make disruption more difficult. Infected routers proxy network traffic for a service called Doppelganger, which sells anonymized connections for criminal use. Threat actors could conduct credential stuffing and brute force attacks using hijacked residential IP addresses.

Stryker Devices Wiped as Handala Claims Network Breach

Medical device manufacturer Stryker confirmed a network disruption affecting its Microsoft environment and internal operations worldwide. Thousands of employees reportedly lost access to corporate systems after company devices were wiped and authentication services were disrupted. The pro-Iran Handala hacking group claimed responsibility, alleging it erased more than 200,000 internal systems and exfiltrated 50 terabytes of proprietary data. Around 5,500 employees across the United States, Ireland, Australia, and India were reportedly locked out.

Unauthorized Access Incident Affected FBI New York Server in 2023

A cyber incident in February 2023 affected a server at the FBI’s New York Field Office used in investigations involving child exploitation cases. Reports citing Justice Department documents said the system also contained files related to the Jeffrey Epstein investigation. The FBI described the event as an isolated cyber incident and said access by the malicious actor was restricted before the network was secured. The intrusion reportedly occurred at a forensic lab environment used for processing digital evidence. Authorities have not publicly disclosed which files were accessed or confirmed whether any data was exfiltrated, and the investigation remains ongoing.

Bell Ambulance Data Breach Exposes Information of Nearly 240,000 Patients

Bell Ambulance, the largest ambulance service provider in Wisconsin, confirmed a cyberattack affecting 237,830 individuals. The incident was discovered in February 2025 and involved unauthorized access to patient and personal data, including Social Security numbers, driver’s license numbers, financial account details, medical records, and health insurance data. The Medusa ransomware group later claimed responsibility, listed the organization on its leak site, and demanded a $400,000 ransom. The company disclosed the breach in notification letters and in a filing with the Maine Attorney General.

Ransomware Insider Acts as Both Negotiator and Attacker

U.S. prosecutors have charged Angelo Martino, a former employee of a cyber incident response firm, in connection with ransomware attacks linked to the ALPHV/BlackCat group. He allegedly helped conduct ransomware attacks while, in his professional role, participating in negotiations with the victims. In several cases, organizations reportedly hired the firm to manage ransom discussions after their systems were compromised. Martino was allegedly assigned to negotiate those incidents, so the same individual was connected to both the attack and the response process. Two other former cybersecurity professionals have already pleaded guilty to related charges.

Global Operation Dismantles SocksEscort Proxy Network Used in Online Fraud

International law enforcement agencies dismantled the SocksEscort residential proxy network during Operation Lightning. They seized 34 domains and 23 servers from seven countries and froze about $3.5M in cryptocurrency. The network relied on the AVRecon botnet to hijack small-office and home-office (SOHO) routers. Compromised devices routed malicious traffic through legitimate residential IP addresses. The service reportedly provided access to roughly 369,000 IP addresses. Officials say the infrastructure enabled bank and cryptocurrency account takeovers, fraud, and ransomware activity.

Telus Digital Confirms Cyber Attack, Denies Ransom as ShinyHunters Claims 1-Month-Long Breach

Telus Digital confirmed a cybersecurity incident, while the ShinyHunters group claimed to have stolen nearly 1 petabyte of data during a months-long breach. The company said additional security controls were deployed while the investigation continues, and confirmed it rejected a $65 million ransom demand. ShinyHunters allegedly gained access using Google Cloud credentials obtained from the Salesloft Drift breach, then used the TruffleHog tool to locate additional credentials across systems. The attackers claim the stolen data includes FBI background checks and campaign information tied to Telus Digital’s BPO and telecom clients.

Hanover County Schools Investigates Data Incident

Hanover County Public Schools in Virginia is investigating a data incident that disrupted internet access and internal systems across the district. The disruption prompted a transition to offline instruction for at least one week. The school system suspended the use of student Chromebooks despite indications that the devices were not directly affected. Staff and faculty are currently relying on phone lines to communicate with families. The school district serves about 17,000 students across 24 facilities, though the nature of the intrusion and responsible actors remain unknown.

XWorm RAT Becomes Third Most Detected Global Threat

Security researchers report that the XWorm remote access trojan has become the third most detected global malware threat. Enterprise detections reportedly increased by about 174 percent last year, according to security analyses referencing ANY.RUN data. The malware is sold under a malware-as-a-service model. Recent campaigns have exploited path traversal vulnerabilities in archive files, including a WinRAR flaw, with the archives typically delivered through phishing messages. Once executed, the malware uses living-off-the-land techniques to abuse legitimate Microsoft utilities. The payload runs in memory through reflective DLL injection, which lets it evade traditional signature-based defenses.
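The archive path traversal pattern described above is easy to check for before an attachment is ever extracted. The following added example (not code from the page or from any vendor named here) audits a ZIP file in memory and flags entries whose names would land outside the extraction root; the sample archive and its entry names are constructed for the demonstration. It generalizes beyond the WinRAR case to any archive format whose entry names are attacker-controlled.

```python
import io
import posixpath
import zipfile


def is_traversal_name(name: str) -> bool:
    """Return True if an archive entry name would escape the extraction root."""
    # Normalise Windows separators so "..\\" is caught as well as "../".
    norm = name.replace("\\", "/")
    # Absolute paths and Windows drive letters ("C:/...") escape by definition.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # Collapse "a/../b" style components; anything still starting with ".." escapes.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def audit_archive(data: bytes) -> dict:
    """Classify every entry of a ZIP held in memory as safe or escaping."""
    safe, unsafe = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (unsafe if is_traversal_name(info.filename) else safe).append(info.filename)
    return {"safe": safe, "unsafe": unsafe}


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical): a benign decoy document alongside
    entries whose names try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"benign decoy")
        zf.writestr("../../outside.exe", b"x")          # classic dot-dot escape
        zf.writestr("docs/../../escape.exe", b"x")      # escape hidden behind a subdir
        zf.writestr("docs/nested/../fine.txt", b"ok")   # dot-dot that stays inside
        zf.writestr("C:\\Windows\\Temp\\drop.dll", b"x")  # absolute Windows path
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_archive(build_sample_archive())
    for name in report["unsafe"]:
        print("BLOCK", name)
    for name in report["safe"]:
        print("allow", name)
```

A mail gateway or sandbox can apply the same check to every entry and quarantine the whole archive when any entry is flagged, rather than relying on the extractor to refuse the path.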

INTERPOL Operation Synergia III Concludes With 45,000 Malicious IPs Disrupted and 94 Arrests

INTERPOL has announced the results of Operation Synergia III, which dismantled over 45,000 malicious IP addresses and arrested 94 individuals, with another 110 under investigation. The operation ran from July 2025 to January 2026 and involved law enforcement agencies across 72 countries. Authorities targeted infrastructure supporting phishing, malware distribution, and ransomware. They seized 212 electronic devices and servers linked to identity theft, romance scams, social engineering, and credit card fraud.

France and Germany Arrest Suspects in Fraud Investigation

French and German authorities have arrested three suspects linked to an online fraud scheme following judicial cooperation coordinated by Eurojust. The investigation targeted a group suspected of using phishing emails to obtain victims’ online banking credentials and phone access. The suspects allegedly bypassed verification measures to transfer money from accounts. Investigators estimate the scheme defrauded victims of around €1 million. During coordinated searches conducted in both countries, authorities seized assets including cryptocurrency and jewellery. The alleged group leader, located in France, has been placed in custody pending a court decision on extradition to Germany. Authorities said evidence collected during the action day will continue to be analyzed as the investigation proceeds.

Disruption Rises, But the Attack Surface Keeps Expanding

The broader signal emerging from recent developments is that cybercrime operates as an ecosystem rather than as a series of isolated incidents. However, the sustained momentum of multinational investigations and arrests builds hope that coordinated enforcement can fracture these networks when intelligence and legal cooperation align.

The trajectory ahead will likely depend on whether defensive coordination across governments, industry, and security researchers can keep pace with the speed at which attackers adapt and reuse the same digital infrastructure.
