Cybersecurity Roundup: Defenders Score Major Wins Against Cybercrime Networks While Legacy Risks Deepen
A sweeping wave of international crackdowns sent shockwaves through the cybercriminal ecosystem this week, with authorities dismantling banking malware operations, VPN infrastructure, malware-signing services, DDoS botnets, and phishing networks across multiple regions.
Hundreds of suspects were arrested, servers and domains were seized, and long-running criminal platforms linked to ransomware, fraud, and credential theft were forced offline as part of the ongoing global effort.
Incidents involving poisoned developer tools, legacy Windows utilities, AI-driven exploitation, and third-party breaches served as a reminder that trust itself is becoming harder to measure inside interconnected environments.
Grafana Refuses Extortion Demand After GitHub Token Breach Exposes Developer Codebase
Grafana Labs confirmed that attackers used a compromised access token to infiltrate its GitHub environment and steal portions of the company’s source code in what appears to be a developer-focused intrusion. The incident escalated into an extortion attempt after the threat actors downloaded internal code repositories, reflecting a growing pattern of attackers targeting software development infrastructure instead of customer-facing systems directly. Despite pressure from the attackers, Grafana said it refused to pay the ransom and instead revoked the exposed credentials, investigated the breach source, and strengthened internal security controls. The intrusion surfaced shortly after the Coinbase Cartel group claimed responsibility for breaching Grafana.
Banking Malware Empire Comes Tumbling Down in Global Law Enforcement Crackdown
An international law enforcement operation has dismantled the cybercriminal network behind the GozNym banking malware campaign, which investigators say targeted more than 41,000 victims worldwide. Authorities believe the group attempted to steal nearly $100 million by infecting computers, harvesting online banking credentials, and draining financial accounts. The operation involved coordinated action across the United States and several European countries, including searches and arrests tied to suspects in Eastern Europe. Investigators said the network operated like a cybercrime business, with different members specializing in malware development, infrastructure, and money laundering services. Prosecutors charged multiple individuals accused of helping run or support the operation through underground criminal forums.
Law Enforcement Operation Disrupts 14,200 IRGC-Linked URLs
European and U.S. law enforcement agencies disrupted a large online ecosystem tied to Iran’s Islamic Revolutionary Guard Corps (IRGC), identifying 14,200 URLs allegedly used for propaganda, recruitment, fundraising, and extremist messaging. Europol said the operation tracked content spread across social media platforms, blogs, streaming services, and standalone websites in multiple languages between February and April. Authorities also restricted the IRGC’s main X account in the European Union and removed content linked to aligned groups.
INTERPOL’s Operation Ramz Deals Crushing Blow to MENA Cybercrime Networks
A massive multinational cybercrime sweep led by INTERPOL ended with 201 arrests and the takedown of phishing and malware infrastructure spread across the Middle East and North Africa. The operation, spanning 13 countries, dismantled fraud operations, seized 53 servers, and exposed thousands of victims caught in sprawling cyber scam ecosystems. Investigators also uncovered trafficking-linked scam compounds in Jordan, where workers from Asia were allegedly trapped and forced into online fraud after fake job offers. Algerian and Moroccan authorities shut down phishing operations holding stolen banking data, malicious scripts, and scam infrastructure used to target victims across borders. Backed by nearly 8,000 shared intelligence alerts, the operation marked one of the region’s most coordinated victories yet against organized cyber fraud networks.
Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows
Cybercriminals are increasingly using an old Windows component called MSHTA to spread malware and steal sensitive information from users, according to new research from Bitdefender. The tool was originally built by Microsoft to run web-based applications and scripts, but attackers are now repurposing it because it still exists on many Windows systems by default. Researchers observed a rise in campaigns where victims were tricked into clicking fake software downloads, phishing pages, or pop-up instructions that secretly launched malicious code through the utility. Since MSHTA is a legitimate Microsoft-signed program, suspicious activity tied to it can appear normal and become harder for security tools to detect.
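The detection side of the MSHTA item above, as an added example that is not Bitdefender's or Microsoft's code: a small scan over process-creation records that flags mshta.exe launches worth triaging. The sample events are constructed, and the indicator lists (remote URLs on the command line, inline script protocol handlers, and a set of parent processes that rarely need to spawn mshta) are assumptions drawn from common detection practice rather than from the article.

```python
"""Flag suspicious mshta.exe launches in process-creation telemetry.

Added example, not code from the article or from Bitdefender/Microsoft.
Events are constructed; indicator lists are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record (e.g. Sysmon Event ID 1)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# mshta pulling an .hta or script from a remote host is the classic abuse pattern.
REMOTE_CONTENT = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# mshta can also execute script handed to it inline via a protocol handler.
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript|about):", re.IGNORECASE)
# Parents that should rarely spawn mshta directly (assumption for this example).
SUSPICIOUS_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
}


def is_mshta(event: ProcessEvent) -> bool:
    """True when the launched image is mshta.exe, whatever directory it lives in."""
    return ntpath.basename(event.image).lower() == "mshta.exe"


def reasons_for(event: ProcessEvent) -> list[str]:
    """Return the indicators that make this launch worth triaging (empty = no flag)."""
    if not is_mshta(event):
        return []
    reasons = []
    if REMOTE_CONTENT.search(event.command_line):
        reasons.append("loads content from a remote URL")
    if INLINE_SCRIPT.search(event.command_line):
        reasons.append("runs inline script via protocol handler")
    parent = ntpath.basename(event.parent_image).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def scan(events):
    """Return (event, reasons) pairs for every flagged mshta execution."""
    return [(e, r) for e in events if (r := reasons_for(e))]


# Constructed sample telemetry; none of these are real observed events.
SAMPLE_EVENTS = [
    # A user-facing lure pointing mshta at a remote .hta: flagged.
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe https://updates.example.invalid/setup.hta",
                 r"C:\Windows\explorer.exe"),
    # A vendor installer running its own local wizard: not flagged.
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\Vendor\Setup\wizard.hta"',
                 r"C:\Program Files\Vendor\Setup\setup.exe"),
    # Inline script launched from Word: flagged on two indicators.
    ProcessEvent(r"C:\Windows\SysWOW64\mshta.exe",
                 r"mshta.exe javascript:close()",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Unrelated process: ignored.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"svchost.exe -k netsvcs -p",
                 r"C:\Windows\System32\services.exe"),
]


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event.command_line, "->", "; ".join(reasons))
```

Because mshta.exe is a signed Microsoft binary, the image itself is never the signal; the command line and the parent are. Where MSHTA has no business use in an environment, blocking it outright (for instance through application control) removes the need for this triage altogether.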
NYC Health System Hit by Biometric Data Heist Affecting 1.8 Million
Hackers stole highly sensitive medical and biometric records belonging to at least 1.8 million individuals after breaching a third-party vendor connected to NYC Health + Hospitals, the largest public healthcare network in the United States. Investigators found the attackers maintained unauthorized access from November 2025 until February 2026, giving them months to quietly extract files from internal systems. The stolen information included medical histories, diagnoses, insurance data, Social Security numbers, passport details, financial records, precise geolocation data, and permanent biometric identifiers such as fingerprints and palm prints. The incident has raised fresh concerns about healthcare providers storing biometric information without publicly explaining why such data is being retained. NYCHHC said it launched an investigation after discovering the intrusion on February 2 and brought in external cybersecurity and data analytics specialists to determine the scale of the compromise.
Reaper Malware Opens Floodgates for macOS Credential and Crypto Theft
A newly discovered macOS infostealer called Reaper is targeting Apple users through fake installer pages impersonating trusted brands including Apple, Microsoft, and Google. The malware bypasses Apple’s newer Tahoe 26.4 protections by abusing macOS Script Editor to execute malicious payloads without relying on Terminal, helping the attack evade security warnings. Researchers found the campaign used typo-squatted domains posing as software download sites for apps like WeChat and Miro, while secretly fingerprinting victims’ systems and collecting location, VPN, and virtual machine data before deploying the malware.
GitHub Probes TeamPCP Claims of Internal Repository Breach
GitHub is investigating claims from the TeamPCP hacking group that it breached roughly 4,000 internal repositories and obtained sensitive source code and organizational data. The company said it currently has no evidence that customer repositories, enterprise environments, or external user data were impacted outside its own internal repositories. TeamPCP has allegedly listed the stolen data for sale on underground forums, threatening to leak the information publicly if no buyer emerges. While the claims remain unverified, the incident adds to scrutiny around software ecosystem trust and attacks targeting developer infrastructure.
AI-Fueled Exploit Attacks Overtake Stolen Credentials in Verizon Breach Report
Cybercriminals are increasingly using artificial intelligence to identify and exploit software vulnerabilities within hours, dramatically shrinking the response window for defenders, according to Verizon’s latest Data Breach Investigations Report. The report, which analyzed over 31,000 security incidents, found that vulnerability exploitation accounted for 31% of breaches, overtaking stolen credentials as the leading initial access vector for the first time. Researchers also observed growing use of generative AI across multiple attack stages, including reconnaissance, malware development, and automated targeting. At the same time, organizations are facing rising internal risks from “shadow AI,” where employees upload sensitive source code and business data into unauthorized AI tools.
FTC Moves to Rein In Deepfake Abuse With New Warnings to Online Platforms
The US Federal Trade Commission has issued warnings to several online platforms and AI-powered “nudify” services as part of a wider effort to combat the spread of non-consensual intimate imagery and deepfake pornography. Regulators said the companies are expected to comply with the Take It Down Act, which requires covered platforms to remove reported explicit content within 48 hours of receiving a valid complaint. The move is aimed at giving victims faster ways to remove harmful material that can spread rapidly online and cause long-term personal damage. Federal officials also stressed that websites failing to meet the law’s requirements could face investigations and significant financial penalties. The warnings were sent to a mix of social media firms and services linked to AI-generated explicit imagery.
Microsoft and Partners Disrupt Fox Tempest Malware-Signing Service
Microsoft, working alongside the FBI, Europol EC3, and cybersecurity firm Resecurity, has disrupted Fox Tempest, a malware-signing-as-a-service operation accused of helping ransomware groups disguise malicious software as trusted applications. The operation allegedly abused Microsoft’s Artifact Signing platform and fraudulent developer accounts to obtain code-signing credentials capable of bypassing software trust protections on victim systems. Authorities seized the group’s primary domain, blocked access to infrastructure hosting malicious code, and took hundreds of virtual machines offline during the coordinated disruption effort. Investigators linked the service to ransomware and malware campaigns involving groups and payloads including Qilin, Akira, Rhysida, Lumma Stealer, Vidar, and INC Ransom.
GitHub Traces Claimed Repository Breach to Poisoned VS Code Extension
GitHub has shared new technical details tied to the ongoing investigation into TeamPCP’s claims that thousands of the company’s internal repositories were stolen earlier this month. The company said a compromised employee device was linked to a malicious update of the Nx Console VS Code extension, which briefly distributed credential-stealing malware capable of harvesting GitHub tokens, cloud credentials, Kubernetes secrets, SSH keys, and developer vault data from infected systems. The extension update, uploaded on May 18 before being removed minutes later, allegedly enabled attackers to access internal repositories and exfiltrate data through multiple channels including HTTPS, DNS, and GitHub APIs.
Ukraine Seizes Infrastructure in Infostealer Case Targeting U.S. Retail Customers
Ukrainian cyber police say they identified and raided the infrastructure of an 18-year-old Odesa resident suspected of helping operate an infostealer-driven fraud network that targeted customer accounts belonging to a California-based online retailer. Investigators allege the operation compromised nearly 30,000 accounts between 2024 and 2025, with at least 5,800 accounts later used to make unauthorized purchases worth roughly $721,000. Authorities estimate the attacks caused more than $250,000 in direct operational losses after fraud-related chargebacks and transaction abuse. During searches at two locations tied to the suspect, officials seized computers, mobile devices, banking cards, cryptocurrency-related evidence, server logs, and credentials.
Researchers Link ‘Showboat’ Linux Malware to Telecom Espionage Activity
Researchers at Black Lotus Labs have uncovered a previously undocumented Linux malware framework called “Showboat” that has allegedly been used in long-running cyber operations targeting telecommunications providers since at least 2022. The post-exploitation toolkit, which researchers linked to PRC-aligned threat activity clusters, was reportedly used in attacks involving a telecom provider in the Middle East while also impersonating Southeast Asian telecommunications firms to disguise malicious traffic and infrastructure. According to the analysis, Showboat enables remote shell access, file transfers, Socks5 proxying, persistence mechanisms, and rotating command-and-control infrastructure tailored for Linux-based systems commonly found in telecom environments.
Global KimWolf Botnet Crackdown Leads to Canadian Arrest in DDoS-for-Hire Case
A multinational law enforcement operation targeting the KimWolf DDoS-for-hire network has led to the arrest of a 23-year-old Canadian suspect accused of helping operate the large-scale IoT botnet. U.S. prosecutors allege Ottawa resident Jacob Butler, known online as “Dort,” was linked to the KimWolf infrastructure through IP records, financial transactions, messaging platform evidence, and online account data tied to the botnet’s operations. Authorities say the malware network infected more than one million internet-connected devices worldwide, including webcams and digital photo frames, enabling more than 25,000 distributed denial-of-service attacks that allegedly caused over $1 million in damages to enterprise victims. The arrest follows a broader March 2026 operation in which international partners seized command-and-control infrastructure connected to the KimWolf, Aisuru, JackSkid, and Mossad botnets, alongside disruptions targeting dozens of DDoS-for-hire platforms.
Deleted Google API Keys Can Reportedly Remain Active for Nearly 23 Minutes
Google API keys may continue functioning for up to 23 minutes after deletion because of propagation delays across Google Cloud infrastructure, potentially creating a temporary abuse window for attackers with stolen credentials. Researchers at Aikido said tests conducted over two days showed revoked API keys remained usable for an average of about 16 minutes, with some backend systems continuing to accept authenticated requests long after deletion requests were issued. Attackers exploiting the delay could potentially continue accessing cloud services, generate fraudulent compute costs, retrieve files uploaded to Gemini-enabled projects, or extract cached conversational context before revocation fully propagates.
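The practical caveat in the item above is that deleting a key is not the same as the key being rejected. The following is an added example, not Aikido's or Google's code, and it does not call any Google API: it models a control plane whose backends learn about a deletion at different lags, and shows a rotation procedure that issues the replacement first, deletes the old key, and then polls until every backend rejects it before treating the incident as closed. The replica names and lag values are constructed for illustration, not measured figures.

```python
"""Model revocation lag for an API key and confirm it is rejected everywhere.

Added example; not code from the article or from Aikido/Google.
Replica names and lag values are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Replica:
    """A backend that keeps honouring a deleted key until its view catches up."""
    name: str
    lag_seconds: int
    keys: set = field(default_factory=set)
    deleted_at: dict = field(default_factory=dict)

    def accepts(self, key: str, now: int) -> bool:
        """Accept the key if it exists and the deletion has not yet reached us."""
        if key not in self.keys:
            return False
        when = self.deleted_at.get(key)
        return when is None or now < when + self.lag_seconds


@dataclass
class ControlPlane:
    """Issues and deletes keys; a deletion reaches each replica at its own pace."""
    replicas: list

    def create_key(self, key: str) -> None:
        for replica in self.replicas:
            replica.keys.add(key)

    def delete_key(self, key: str, now: int) -> None:
        for replica in self.replicas:
            replica.deleted_at[key] = now


def still_accepted_by(cp: ControlPlane, key: str, now: int) -> list[str]:
    """Names of the replicas that would still serve a request with this key."""
    return [r.name for r in cp.replicas if r.accepts(key, now)]


def wait_for_revocation(cp, key, start, poll_interval=60, max_wait=1800):
    """Poll after deletion; return seconds until no replica accepts the key,
    or None if max_wait passes first (the caller should then escalate)."""
    now = start
    while now - start <= max_wait:
        if not still_accepted_by(cp, key, now):
            return now - start
        now += poll_interval
    return None


def rotate_key(cp, old, new, now):
    """Issue the replacement before deleting the old key, then confirm
    revocation has propagated. Returns the observed exposure window."""
    cp.create_key(new)
    cp.delete_key(old, now)
    return wait_for_revocation(cp, old, now)


def build_demo() -> ControlPlane:
    """Constructed topology: one replica revokes instantly, two lag behind
    (the 1380 s lag mirrors the 23-minute worst case quoted above)."""
    cp = ControlPlane([
        Replica("api-gateway", 0),
        Replica("storage-frontend", 960),
        Replica("cache-tier", 1380),
    ])
    cp.create_key("OLD-KEY-constructed")
    return cp


if __name__ == "__main__":
    cp = build_demo()
    window = rotate_key(cp, "OLD-KEY-constructed", "NEW-KEY-constructed", 0)
    print(f"old key rejected everywhere after {window} s")
```

The design point is the order of operations: a key that is believed stolen should be replaced and then deleted, and the deletion should be verified by an independent probe rather than trusted on the strength of the console confirmation. During the window the old key still works, so the access logs for that interval are the place to look for misuse.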
Cybercriminal VPN Cloak Dismantled in International Operation
International law enforcement agencies have dismantled “First VPN,” a service allegedly used by ransomware groups and cybercriminals to hide their identities and infrastructure during attacks. The operation, coordinated by Europol and Eurojust, led to the seizure of 33 servers spread across 27 countries along with the shutdown of multiple domains tied to the platform. Investigators said the VPN service had become deeply embedded in cybercrime operations, appearing in numerous ransomware, fraud, and data theft investigations over the past several years. Authorities also gained access to user data linked to the platform, allowing them to identify hundreds of individuals connected to ongoing investigations.
Third-Party Software Disruption Briefly Hits Cancer Care Provider Operations
A cybersecurity incident involving an external software provider briefly disrupted parts of The Oncology Institute’s financial operations this week. The issue affected fee-for-service collections, creating temporary delays in administrative workflows tied to payments and processing. Despite the disruption, the organization said it expects only limited business impact and does not anticipate long-term operational damage. No evidence currently suggests patient information or medical records were exposed during the incident. Healthcare providers increasingly face operational risks tied to outside technology partners, particularly as billing, scheduling, and clinical systems become interconnected.
Where Trust is the Weakest Link
Some of the most persistent security risks were discovered hiding inside systems and tools organizations trusted for years. Exposure now sits inside vendors, legacy systems, software dependencies, and digital relationships long assumed to be stable.
Supply chain weaknesses disrupted healthcare operations, while attackers remained inside networks for months extracting medical, biometric, and financial records. Aging Windows components and compromised developer tools showed where modern attack chains now begin.