Weekly Cybersecurity Roundup of Falling Crime Networks and Rising AI Concerns

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Law enforcement agencies kept pressure on cybercrime networks, with Dutch authorities seizing botnet infrastructure and Bulgaria and Europol dismantling illegal streaming groups. 

Spain pulled off a double strike, arresting a suspect linked to a government employee doxing and dismantling an online fake-ID marketplace. 

Cybercriminals, meanwhile, chased victims through gaming platforms, social media, healthcare services, and fake job offers.

Netherlands Seizes 200 Servers Linked to 17-Million Device Botnet

A joint operation by Dutch Police and the National Cyber Security Center (NCSC) dismantled a botnet infrastructure that controlled an estimated 17 million compromised devices. Investigators found that roughly 200 servers hosted in the Netherlands were being used to manage infected computers, smartphones, and tablets involved in cybercriminal activity. Several servers were seized from a local hosting provider, which subsequently removed the remaining infrastructure from service. While authorities did not officially name the operation's target, reports indicate it may have been connected to the Asocks residential proxy network.

Instagram Fixes Flaw That Allowed Account Takeovers Through Meta AI Support Assistant

A security flaw in Instagram's support workflow allowed attackers to take over accounts by manipulating Meta's AI-powered support assistant. The exploit reportedly enabled threat actors to add their own email address to a target account and initiate a password reset without compromising the victim's original email account. Several high-profile accounts were reportedly affected, including profiles linked to the Obama-era White House, U.S. Space Force Chief Master Sergeant John Bentivegna, and security researcher Jane Wong. The attack relied on location spoofing and social engineering of the chatbot rather than malware or credential theft.

Spanish Police Arrest Suspect in Probe of Doxing Campaign Targeting State Personnel

Spanish authorities have arrested a suspect as part of an ongoing investigation into a doxing campaign that exposed personal information belonging to employees and officials from several government institutions, including the National Police, Civil Guard, National Security Council, and INCIBE. Investigators searched the suspect's residence and seized electronic devices to determine whether other individuals were involved in collecting and distributing the data. Authorities have not confirmed that government systems were breached, and INCIBE previously stated that its infrastructure was not compromised. Officials have indicated that some of the published information may have been assembled from older data leaks.

WeedHack Malware Hits Over 116,000 Minecraft Systems Through Fake Mods

A malware operation known as WeedHack has compromised more than 116,000 systems, with an estimated 2,000 to 3,000 new infections each day. The campaign spreads through fake Minecraft mods, cheat tools, clients, and utilities promoted via YouTube videos and search engine manipulation that direct users to malicious downloads. Once installed, the malware can steal browser passwords, cryptocurrency wallet data, Discord and Telegram credentials, and Minecraft session information, while also capturing screenshots. Operators run WeedHack as a malware-as-a-service platform, offering a free version for credential theft and a paid tier that adds remote access, webcam control, keylogging, and file management capabilities.

Ultrahuman Discloses Wellness Data Breach Linked to Malware-Infected Employee Device

Ultrahuman suffered unauthorized access stemming from a malware-infected employee laptop. The intrusion occurred on March 27 and affected about 0.1% of its user base. Data exposed in the incident varied by account and included contact information, order history, transaction records, and fitness-related data. Passwords, payment information, production systems, and Ring devices were not affected. The compromised analytics environment provided only read-only access. The company took the system offline after detecting the intrusion.

Online Fake ID Marketplace Linked to Migrant Smuggling Dismantled in Spain

French and Spanish authorities, supported by Europol, dismantled a counterfeit document production facility in Alicante that allegedly supplied forged identity and administrative documents to customers across Europe. The operation resulted in one arrest and the seizure of around 800 forged European documents, document-making equipment, digital devices, a vehicle, and cash. Investigators traced the suspect after identifying a website advertising counterfeit IDs, eventually linking the operation to an apartment rented under a false identity and used as a fully equipped document-production workshop.

ShinyHunters Publishes DentaQuest Data After Failed Extortion Attempt

More than 2.5 million DentaQuest records have been added to Have I Been Pwned after data attributed to the ShinyHunters extortion group was publicly released online. The threat actors allegedly published over 234GB of information after DentaQuest reportedly did not comply with their demands. The dataset included email addresses and healthcare enrollment records with Medicaid identifiers. DentaQuest acknowledged a cybersecurity incident involving unauthorized access to part of its network and said it had contained the activity while working with forensic specialists and law enforcement.

Attackers Spent Five Months Stealing Stock Exchange Executive Emails

Researchers have uncovered a five-month espionage operation that focused on stealing emails from a senior executive at a major global stock exchange. Rather than rapidly extracting data, the attackers repeatedly copied mailbox contents in small batches and transferred them through Dropbox and OneDrive Personal, helping the activity blend in with legitimate cloud traffic. The intrusion relied on malware disguised as trusted Adobe, Lenovo, and Microsoft-related services. The mailbox data was exported between November 2025 and February 2026. The operation could not be linked to a known threat group. 
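A detector for the batching pattern described above, added here as an illustration and not taken from the research or this article: it flags users whose individually small uploads to personal cloud storage accumulate past a threshold within a sliding 30-day window, which a per-transfer size alert alone would miss. The log format, domain list, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy log lines (not from the article): ts, user, destination, bytes_out
SAMPLE_LOG = """\
2025-11-03T09:12:00 exec1 api.dropboxapi.com 4800000
2025-11-10T10:04:00 exec1 api.dropboxapi.com 5100000
2025-11-18T08:55:00 exec1 onedrive.live.com 4700000
2025-11-25T11:20:00 exec1 api.dropboxapi.com 4900000
2025-12-02T09:01:00 exec1 onedrive.live.com 5000000
2025-11-05T14:00:00 analyst2 api.dropboxapi.com 1200000
2025-11-06T09:30:00 analyst2 sharepoint.corp.example 9000000
"""

PERSONAL_CLOUD = {"api.dropboxapi.com", "onedrive.live.com"}  # assumed personal-storage domains
PER_EVENT_MAX = 10_000_000      # single uploads below this would not trip a per-transfer alert
WINDOW = timedelta(days=30)
CUMULATIVE_MIN = 20_000_000     # but the 30-day sum to personal cloud storage exceeds this

def parse(log):
    """Yield (timestamp, user, destination, bytes) tuples from the space-separated log."""
    for line in log.splitlines():
        ts, user, dest, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, dest, int(nbytes)

def low_and_slow_uploaders(log):
    """Return {user: peak_window_bytes} for users whose small uploads to personal
    cloud storage add up past CUMULATIVE_MIN inside any sliding 30-day window."""
    events = defaultdict(list)
    for ts, user, dest, n in parse(log):
        if dest in PERSONAL_CLOUD and n <= PER_EVENT_MAX:
            events[user].append((ts, n))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start, running = 0, 0
        for ts, n in evs:
            running += n
            while ts - evs[start][0] > WINDOW:   # drop events that fell out of the window
                running -= evs[start][1]
                start += 1
            if running >= CUMULATIVE_MIN:
                flagged[user] = max(flagged.get(user, 0), running)
    return flagged

if __name__ == "__main__":
    for user, total in low_and_slow_uploaders(SAMPLE_LOG).items():
        print(f"ALERT {user}: {total} bytes to personal cloud storage within 30 days")
```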

AI-Powered Worm Can Adjust Attack Methods Based on Devices It Infects

A University of Toronto research team has demonstrated an AI-powered computer worm capable of moving through networks without human intervention while changing its attack methods based on the systems it encounters. Tested in an isolated environment, the prototype used a publicly available open-weight AI model to identify weaknesses, generate tailored attack strategies, and spread across Windows, Linux, cameras, printers, and other connected devices. The worm was also able to collect information such as passwords and system configurations from compromised machines, helping it discover new routes for further propagation. Unlike earlier worms, the prototype selected different attack approaches depending on the characteristics of each target. The work has not been observed in real-world attacks.

29 Arrested as International Crackdown Dismantles Nine Criminal Streaming Networks

A seven-month international law enforcement operation spanning 13 countries resulted in 29 arrests and the dismantling of nine organised crime groups accused of running illegal streaming services that distributed premium sports, film, and television content. Coordinated by Bulgaria and Europol, Operation KRATOS 2 targeted the criminal infrastructure behind illicit IPTV platforms, leading to 148 searches, the identification of 86 suspects, and the removal of more than 27,000 illegal streaming URLs. Investigators focused on the networks operating these services rather than just shutting down websites, helping uncover the individuals managing the platforms and the technical systems supporting them.

PCPJack Hijacks 230 Cloud Servers to Build Hidden Email Relay Network

The PCPJack threat actor has been linked to a campaign that allegedly compromised 230 servers across AWS, Google Cloud, and Microsoft Azure. The infrastructure was designed to route email traffic through trusted cloud environments, helping malicious messages blend in with legitimate activity. According to Hunt.io, the operation continuously refreshed its pool of verified proxies every five minutes, allowing the relay network to remain active. Investigators uncovered a toolkit that combined internet-scale scanning, credential-harvesting, and automated SMTP testing to manage the infrastructure. The operators invested heavily in maintaining a resilient cloud-based platform for email abuse.

Pink Extortion Group Uses Fake IT Calls and Teams Messages on Enterprise Victims

A newly identified extortion group known as Pink is using fake IT helpdesk calls and voice phishing attacks to gain access to corporate environments and steal sensitive data. According to Palo Alto Networks Unit 42, the operation impersonates internal support staff to harvest credentials, bypass MFA, and access platforms such as SharePoint and OneDrive. The attackers use compromised employee accounts and Microsoft Teams messages to pressure organizations into paying within 72 hours to prevent data release.

Trump Order Pushes AI Into Federal Cyber Defense and Vulnerability Hunting

The White House issued an executive order that places cybersecurity at the center of federal AI policy, directing agencies to accelerate protection of government networks and critical infrastructure. The order instructs CISA and other agencies to expand AI-enabled defensive tools, create an AI cybersecurity clearinghouse for vulnerability discovery and remediation, and increase hiring of cybersecurity specialists. Federal officials are also tasked with developing a classified process to assess the cyber capabilities of advanced AI models, including determining when certain frontier models warrant additional government scrutiny before release. The order also prioritizes enforcement against criminals who use AI to gain unauthorized access, steal data, or facilitate other cyber offenses.

Espionage, AI, and the Future of Cyber Defense

Espionage stayed under the radar, with attackers quietly harvesting executive emails for months. And just when defenders thought malware needed prompts and instructions, a worm was unveiled that wrote its own playbook as it moved.

With governments investing in AI-powered cyber defense and vulnerability hunting, the bigger question may be whether future cyber battles are fought by humans using AI, humans chasing AI, or AI systems racing against each other.
