We observed threat actors’ continued abuse of artificial intelligence, phishing, and identity impersonation using stolen credentials. Targets primarily included government systems and vulnerable individuals online.
Law enforcement also tracked romance scams and fraud schemes targeting the elderly, which led to millions in financial losses. Questions around privacy resurfaced as connected devices and AI-enabled technologies raised concerns about how personal data and everyday moments may be collected and reviewed.
Yet the week brought decisive action, as international law enforcement seized infrastructure, dismantled criminal platforms, and disrupted networks responsible for phishing, ransomware, and cyber fraud, reinforcing confidence in defensive action and global coordination.
South Korea’s National Tax Service inadvertently exposed a cryptocurrency wallet seed phrase in press materials following a February 26 raid on tax delinquents. The agency had announced the seizure of ₩8.1 billion, or $5.6 million, in assets and released images documenting the enforcement action. Unredacted photographs revealed recovery credentials for a wallet containing Pre-Retogeum tokens. Threat actors identified the exposed seed phrase and transferred approximately $4.8 million in tokens to external addresses within hours.
A widely used Iranian prayer app, BadeSaba Calendar, was compromised to send surrender messages during reported U.S.-Israeli airstrikes on Iran. The app, which has over 5 million downloads, broadcast notifications urging military personnel to lay down arms and promising amnesty. The timing of the messages alongside kinetic military action suggests a coordinated psychological operation. Separately, authorities in the United Arab Emirates warned of scam calls impersonating official bodies to collect Emirates ID and UAE Pass credentials.
A threat actor used AI chatbots to support a month-long intrusion into multiple Mexican government systems that began in late December 2025. Reports linked the campaign to Mexico’s tax authority first, with additional public-sector entities and at least one financial institution also affected. The attacker allegedly used the AI tools to speed up reconnaissance, generate exploit and automation scripts, and streamline data collection and exfiltration. Researchers estimate more than 150GB of sensitive data was taken, including tax-related and voter-linked records.
A German court in Bamberg sentenced the key operator of the Milton Group investment fraud network to seven years and six months in prison for organized commercial fraud. The court found he directed a large call center scheme that deceived investors into fake trading platforms, causing about €8M in direct losses. He also developed and licensed the PumaTS software used to scale similar scams. Prosecutors attributed an additional €42M in damages to operations built on that infrastructure. The court ordered the confiscation of €2.4M in illicit assets following his extradition from Armenia and trial in Bavaria.
US Cyber Command helped disrupt key Iranian communication and sensor systems in a coordinated operation. Researchers warn that retaliatory cyber activity from Iranian state-aligned actors and affiliated hacktivist groups is likely. Threat vectors may include ransomware, distributed denial-of-service attacks, spearphishing, and influence operations targeting allied infrastructure. Security firms have observed activity from groups linked to the IRGC, including Cotton Sandstorm and clusters overlapping with APT35 and APT42.
The Denmark School District in Wisconsin experienced an internet outage for about five days that disrupted operations across facilities serving about 1,500 students. The district reverted to paper-based instruction after network connectivity was lost in late January due to what its provider described as an internal issue. While officials have not confirmed a ransomware attack, the INC Ransom group later listed the district on its leak site. The group claimed to have exfiltrated more than 70GB of data. School authorities have not confirmed data theft.
An escalating campaign is abusing OAuth redirects to compromise government and public sector organizations, according to Microsoft. Attackers manipulate legitimate authorization flows to redirect authenticated users to attacker-controlled domains without triggering standard defenses. The activity distributes embedded ZIP malware and leverages EvilProxy, an adversary-in-the-middle framework designed to steal credentials and session tokens. Phishing lures include document sharing requests, Teams meeting notifications, password resets, and employee-related themes. Administrators are urged to audit registered OAuth applications.
An iPhone exploit toolkit called Coruna is circulating among multiple threat actors. The toolkit includes five complete iOS exploit chains and 23 vulnerabilities targeting devices running iOS 13 through iOS 17.2.1. It can compromise an iPhone when a victim visits a malicious website, allowing attackers to bypass security protections and install malware. Researchers say the framework may have originated from surveillance tooling developed for government use before spreading to criminal operations.
A RedAlert Trojan campaign is distributing fake emergency alerts to users in Israel. The operation uses SMS spoofing to impersonate the Israeli Home Front Command and convince victims to sideload a malicious APK posing as an urgent update. Once installed, the application requests extensive permissions and harvests SMS messages, contact lists, and precise GPS location data. The spyware mimics the interface of the legitimate Red Alert rocket warning application widely used by civilians during regional conflicts. Researchers warn the campaign exploits wartime urgency to deploy surveillance malware capable of tracking victims and intercepting communications.
Suspected Iranian threat actors compromised internet-connected surveillance cameras across multiple Middle Eastern countries. The operation exploits known vulnerabilities in Hikvision and Dahua devices to gain unauthorized access to live camera feeds. Compromised cameras were observed in Israel, the UAE, Qatar, Bahrain, Kuwait, Cyprus, and parts of Lebanon. Analysts believe attackers may use the footage to monitor military activity and assess missile strike impacts in real time.
International law enforcement dismantled LeakBase, a cybercriminal forum used to trade stolen credentials and breached databases. Authorities seized the platform’s domains and its central database containing records from 142,000 registered users. Investigators executed around 100 enforcement actions worldwide, including arrests, searches, and engagements with 37 highly active participants. The forum operated since 2021 and facilitated exchanges of credit card data, banking details, and infostealer logs stolen from organizations and individuals.
Between February 28 and March 3, 149 DDoS attacks were launched by 12 hacktivist groups against 110 organizations in 16 countries. The activity largely targeted entities in the Middle East, with 107 attacks focused on government bodies, telecommunications, and critical infrastructure. The groups included Keymous+, DieNet, and NoName057(16), which together accounted for the majority of the reported disruptions. The operations aimed to cause service outages and gain visibility through politically motivated disruptions.
Russian national Evgenii Ptitsyn pleaded guilty in U.S. federal court to wire fraud conspiracy tied to the Phobos ransomware operation. Authorities say the ransomware network targeted more than 1,000 public and private entities worldwide. Investigators traced cryptocurrency payments from victim decryption fees to wallets controlled by Ptitsyn. Extradited from South Korea in 2024, he now faces a possible prison sentence of up to 20 years.
U.S. authorities arrested a government contractor accused of stealing approximately $46 million in cryptocurrency connected to assets seized by the U.S. Marshals Service. The suspect, John Daghita, was apprehended on the island of Saint Martin in an operation involving the FBI and the French Gendarmerie. He diverted digital assets while working with a contractor responsible for managing government-seized cryptocurrency holdings. The funds are reported to be linked to cryptocurrency originally confiscated during the 2016 Bitfinex exchange hack.
A Florida woman received a prison sentence for operating a years-long scheme selling Microsoft product keys extracted from stolen Certificate of Authenticity labels. Heidi Richards, who ran Trinity Software Distribution, purchased tens of thousands of genuine Windows and Office COA stickers between 2018 and 2023. Instead of distributing them with licensed software, employees manually extracted activation codes and stored them in spreadsheets. The group then sold the license keys in bulk to customers worldwide, wiring over $5.14M to their supplier. Federal prosecutors said COA labels cannot legally be sold separately from the software they authenticate.
Law enforcement agencies from six European countries and private cybersecurity partners dismantled the infrastructure behind the Tycoon 2FA phishing-as-a-service platform used to bypass MFA. The coordinated operation removed 330 domains hosting phishing pages and control panels. Active since August 2023, the platform enabled cybercriminals to intercept authentication sessions and access protected accounts. The service facilitated attacks against nearly 100,000 organizations, including schools, hospitals, and government institutions. The infrastructure generated millions of phishing emails each month.
A phishing campaign is targeting LastPass users with fake alerts about unauthorized account access. The emails impersonate support representatives and mimic forwarded conversations discussing requests to change the account’s primary email address. Recipients are urged to respond quickly and click links such as “report suspicious activity,” “disconnect and lock vault,” or “revoke device.” These links redirect victims to a fake login page hosted on the domain verify-lastpass[.]com. The phishing site steals user credentials when victims attempt to sign in. Attackers use multiple sender addresses and modified URLs to increase credibility and evade detection.
Meta is facing a class action lawsuit in the United States over privacy practices tied to its AI-powered smart glasses. The complaint follows a media investigation reporting that contractors in Kenya reviewed footage captured by the devices. Some reviewed content reportedly included sensitive scenes such as nudity and private activities. Plaintiffs allege Meta misled consumers by marketing the glasses with statements such as “designed for privacy” and “built for your privacy.” The lawsuit also names Luxottica of America, the glasses manufacturing partner, for alleged violations of consumer protection laws. Over seven million pairs of the smart glasses were reportedly sold in 2025. Meta said human review may occur when users share content with Meta AI and stated the practice is described in its policies.
A Ghanaian national pleaded guilty to participating in an international fraud network that conducted romance scams and business email compromise schemes. Derrick Van Yeboah admitted to conspiring to commit wire fraud before a federal judge in New York. Prosecutors said the group deceived victims, often elderly individuals, into sending money after forming fake online romantic relationships. The organization also used business email compromise tactics to trick companies into transferring funds. Authorities said the broader conspiracy stole and laundered more than $100 million from victims across the United States. Van Yeboah personally obtained more than $10 million through romance scams.
Cybercrime intersected with geopolitics, fraud, and technology. Nation-state conflicts and hacktivist activity escalated cyber operations, which often accompanied military and political disputes. Insider abuse and the misuse of legitimate systems were detected, and those responsible were brought to justice.
The coordinated takedowns of phishing platforms, cybercrime forums, and fraud networks demonstrate the growing impact of international law enforcement collaboration and partnerships with private firms. As human lives, finances, and personal data become inseparable from connected systems, cybersecurity is swiftly moving from a technical issue to a societal concern.