Weekly Cybersecurity Roundup: Deepfake Discussions Rose 600 Percent on Crime Forums as Skill Gaps Hampered Defenders

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

From student records and retail data to healthcare-related information and enterprise platforms, ShinyHunters appeared behind several extortion attempts, data leak threats, and ransom demands.

Stolen credentials were heavily misused to target exposed firewalls and VPN appliances. Incidents at Infinite Campus, Nintendo's TinyPulse provider, Nantes, and Tchap put employee data in focus, suggesting growing interest in staff and trusted identities.

With organizations tightening access controls, employee accounts offer an easier route into business systems than bypassing layered security defenses. 

ShinyHunters Leak Exposes Infinite Campus Records After Salesforce Compromise

Infinite Campus disclosed that an unauthorized actor accessed an employee's Salesforce account during a March 2026 intrusion later linked to the ShinyHunters extortion group. The attackers subsequently published data they claimed was taken from the student information system provider, with Have I Been Pwned adding the breach on June 15, 2026. According to HIBP, the leaked dataset contains 137,123 unique email addresses. Infinite Campus stated that much of the exposed information consisted of school staff directory details that are commonly available through public school websites.

EvilTokens PhaaS Kit Hijacks Microsoft 365 Accounts Through OAuth Device Code

Researchers have detailed EvilTokens, a phishing-as-a-service kit that targets Microsoft 365 accounts by abusing Microsoft's legitimate OAuth 2.0 device authorization flow. Victims receive phishing lures disguised as invoices, calendar invitations, or SharePoint requests. They are prompted to enter a device code on a genuine Microsoft authentication page while the code is tied to the attacker's session, causing Microsoft to issue access and refresh tokens directly to the attacker after the user completes authentication and any required multi-factor verification. The access can expose corporate email, files, Teams, SharePoint, OneDrive, and other Microsoft 365 resources.
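Because the device code flow hands the tokens to whichever client polled for them, the sign-in itself looks legitimate and passes MFA; what defenders can still see is that a device-code authentication succeeded from an IP address and country the user has never signed in from before. The following detection logic is an added example, not code from the article or from the researchers who analysed EvilTokens. It runs over constructed sign-in records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol` field with value `deviceCode` is a real Graph field; the users, IPs and app names are made up), and it assumes that the `ipAddress` recorded for a device-code sign-in is the address that polled for the token, which in a phishing scenario is the attacker's.

```python
"""Flag device-code sign-ins that succeeded from outside a user's normal locations.

Added example for defenders; not from the article. Records are constructed to
resemble Microsoft Graph `signIn` objects. Assumption: for a device-code
sign-in, `ipAddress` is the client that polled for the token.
"""
from collections import defaultdict

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    # Ordinary interactive sign-ins: these establish where alice usually comes from.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    # bob legitimately uses the device code flow for a headless CLI on his usual IP.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    # alice completes a device code she was lured into entering; the token is
    # issued to a client polling from an IP and country she has never used.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.77", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # A failed device-code attempt: no token was issued, so it is not a finding here.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.78", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def build_baseline(records):
    """Map each user to the IPs and countries seen on successful, non-device-code sign-ins."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for rec in records:
        if rec["authenticationProtocol"] == "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        entry = baseline[rec["userPrincipalName"]]
        entry["ips"].add(rec["ipAddress"])
        entry["countries"].add(rec["location"]["countryOrRegion"])
    return baseline


def flag_device_code_signins(records):
    """Return successful device-code sign-ins whose origin is not in the user's baseline."""
    baseline = build_baseline(records)
    findings = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"]
        known = baseline.get(user, {"ips": set(), "countries": set()})
        reasons = []
        if not known["ips"]:
            reasons.append("no_baseline_for_user")
        if rec["ipAddress"] not in known["ips"]:
            reasons.append("ip_not_in_baseline")
        if rec["location"]["countryOrRegion"] not in known["countries"]:
            reasons.append("country_not_in_baseline")
        if reasons:
            findings.append({"user": user, "ip": rec["ipAddress"],
                             "app": rec["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Only alice's device-code sign-in is reported: bob's matches his baseline IP and country, and carol's attempt never produced a token. In a real tenant the baseline would be built from a longer history window, and the same signal is the basis for a policy that restricts or blocks the device code flow for users who have no business need for it.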

Novo Nordisk Refuses $25 Million Ransom as FulcrumSec Claims 1 TB Data Theft

Novo Nordisk disclosed a June 11, 2026, IT security incident involving unauthorized access to a limited number of internal IT systems and external copying of certain non-public data. FulcrumSec claims it stole more than 1 TB of data from the Wegovy and Ozempic maker and demanded $25 million. According to the threat group, Novo Nordisk declined to pay the ransom. The company confirmed that the affected information included pseudonymized clinical trial data, such as patient IDs, trial participation details, sex, year of birth, biomarkers, immunogenicity data, and lifestyle factors.

Malicious JetBrains Plugins Found Stealing AI API Keys From Developers

Researchers have identified 15 malicious plugins on the JetBrains Marketplace that masqueraded as AI coding assistants while secretly stealing API keys linked to OpenAI, DeepSeek, and SiliconFlow services. According to Aikido Security, the plugins offered legitimate-looking features such as AI chat, code reviews, bug detection, commit message generation, and unit-test creation, but transmitted user-supplied API keys to attacker-controlled servers. The campaign appears to have attracted tens of thousands of downloads. Researchers also uncovered separate malicious Chrome extensions designed to collect conversations from AI chatbots.

FortiBleed Campaign Targets Thousands of Fortinet Firewalls Using Stolen Credentials

Researchers at Hudson Rock and SOCRadar have identified a large-scale campaign targeting Fortinet firewalls and VPN appliances through previously stolen credentials. Attackers use automated scanning tools to locate internet-exposed devices and attempt logins with passwords harvested by infostealer malware. Hudson Rock reported evidence of more than 73,000 compromised firewall URLs spanning 194 countries, while SOCRadar estimated at least 30,000 affected devices. Domains associated with major organizations appeared in the exposed data, although individual compromises have not been confirmed. 
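Credentials harvested by infostealers are user-and-password pairs, so a campaign like this one shows up on the appliance as a single source address trying many distinct usernames a few times each, rather than one account being hammered with guesses. The detection below is an added example written for this roundup, not code from Hudson Rock or SOCRadar, and the log lines are constructed in the key=value style of FortiGate SSL VPN event logs (the `action`, `user` and `remip` fields follow that convention, but the addresses and names are invented and the exact field set on a real device may differ).

```python
"""Detect credential stuffing against a VPN appliance from key=value event logs.

Added example, not from the article or the cited researchers. The log lines
are constructed in a FortiGate-like key=value format; field names are
modelled on that format but the data is invented.
"""
import re
from collections import defaultdict

# Matches key=value pairs where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    # One source address works through a list of stolen user/password pairs...
    'date=2026-06-12 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=192.0.2.5 reason="sslvpn_login_permission_denied"',
    'date=2026-06-12 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=192.0.2.5 reason="sslvpn_login_permission_denied"',
    'date=2026-06-12 time=09:00:07 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=192.0.2.5 reason="sslvpn_login_unknown_user"',
    'date=2026-06-12 time=09:00:10 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=192.0.2.5 reason="sslvpn_login_permission_denied"',
    # ...until one pair still works.
    'date=2026-06-12 time=09:00:13 type="event" subtype="vpn" action="tunnel-up" user="erin" remip=192.0.2.5 tunneltype="ssl-web"',
    # A legitimate user who mistyped a password twice and then got in.
    'date=2026-06-12 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip=203.0.113.8 reason="sslvpn_login_permission_denied"',
    'date=2026-06-12 time=09:05:20 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip=203.0.113.8 reason="sslvpn_login_permission_denied"',
    'date=2026-06-12 time=09:05:40 type="event" subtype="vpn" action="tunnel-up" user="frank" remip=203.0.113.8 tunneltype="ssl-web"',
    # Unrelated event type that the detector must ignore.
    'date=2026-06-12 time=09:06:00 type="event" subtype="system" action="login" user="admin" srcip=10.0.0.2',
]


def parse_kv_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    record = {}
    for match in KV_RE.finditer(line):
        key, _, quoted, bare = match.groups()
        record[key] = quoted if quoted is not None else bare
    return record


def detect_credential_stuffing(lines, min_distinct_users=3):
    """Flag source IPs that failed logins for many distinct users; note any that then succeeded."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "succeeded_users": set()})
    for line in lines:
        rec = parse_kv_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue
        stats = per_ip[rec["remip"]]
        if rec.get("action") == "ssl-login-fail":
            stats["failed_users"].add(rec.get("user", ""))
            stats["failures"] += 1
        elif rec.get("action") == "tunnel-up":
            stats["succeeded_users"].add(rec.get("user", ""))

    findings = []
    for ip, stats in sorted(per_ip.items()):
        if len(stats["failed_users"]) < min_distinct_users:
            continue  # a single user retrying a password is not stuffing
        findings.append({
            "remip": ip,
            "distinct_users_failed": len(stats["failed_users"]),
            "failures": stats["failures"],
            "succeeded_users": sorted(stats["succeeded_users"]),
            # A success from an address that was cycling through accounts is the signal to act on.
            "severity": "high" if stats["succeeded_users"] else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOGS):
        print(finding)
```

The address 192.0.2.5 is reported at high severity because it failed for four different accounts and then brought up a tunnel for a fifth, which is the account whose stolen password should be reset first; frank's two failures from one address stay below the distinct-user threshold. Keying on distinct usernames per source rather than raw failure counts is what separates this pattern from ordinary lockout noise.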

Dutch Police Arrest Six Suspects in Amsterdam Bank Helpdesk Fraud Raid

Dutch police arrested six suspects, aged 15 to 30, during a June 10 raid on a suspected bank helpdesk fraud operation in Amsterdam. Officers found the group in conversation with a potential victim at the time of the raid. Police said the suspects allegedly posed as bank employees, encouraged victims to raise account limits, and in some cases visited homes while claiming to help secure accounts. Several victims reportedly lost money. The police seized laptops, phones, and bank cards from the residence that was raided. Further arrests have not been ruled out.

Nintendo Confirms TinyPulse Data Breach After Shadowbyt3$ Claims Employee Data Theft

Nintendo of America confirmed that employee survey data was exposed through TinyPulse, a third-party employee engagement platform owned by WebMD Health Services. The company said its own systems were not compromised and the incident was limited to internal survey content of a small subset of employees, much of it several years old. The disclosure follows claims by the Shadowbyt3$ extortion group, which alleges it stole employee-related information from TinyPulse systems and demanded a $2 million ransom. Nintendo said no customer information, financial data, or broader company systems were affected. 

New York Man Accused of Using AI-Generated Nudes in Cyberstalking Case

A federal grand jury has indicted 21-year-old Anthony Belford of New York on a cyberstalking charge tied to online harassment of a Georgia college student. Prosecutors allege that between January and March 2025, he created fake social media and email accounts, posted more than a dozen AI-generated nude images of the victim, and operated profiles designed to appear as if they belonged to the student. Authorities also allege he impersonated the victim to distribute racist and derogatory messages to student groups and used spoofed forum accounts to draw attention to the fabricated content. Belford appeared in federal court on June 10.

Prinz Eugen Ransomware Hits Recently Modified Files First and Leaves Almost No Forensic Trail

Researchers have analyzed Prinz Eugen, a recently identified Go-based ransomware strain that encrypts files recursively, moving through folders and nested subfolders, while deliberately targeting recently modified files before older data. That approach increases pressure on victims by focusing on active business information that is often more valuable and may not yet be included in backup cycles. ThreatDown found the malware uses ChaCha20-Poly1305 encryption, verifies encrypted files before deleting originals, and avoids dropping a ransom note on infected systems. The operators also appear to have relied on compromised RDP access, RemotePC abuse, and a backdoor administrator account to maintain access. 

French Government Messaging Platform Breached via Stolen Account Access

French authorities are investigating a breach of Tchap, a messaging platform used by government employees, after a hacker known as "misere" claimed to have stolen 13.5 GB of data from the service. The attacker alleged access to 73,467 user accounts, more than 643,000 messages, media files, and government chat rooms in multiple ministries. The intrusion reportedly began with a stolen legitimate account. ANSSI confirmed a security incident and said private conversations are encrypted. The breach comes as Western governments face growing warnings that officials and civil servants are being targeted through messaging platforms and account takeover campaigns.

Conti Affiliate Admits Role in Laundering Ransomware Proceeds

A Ukrainian national, Oleksii Lytvynenko, has pleaded guilty to participating in a wire fraud conspiracy tied to the Conti ransomware operation. The defendant helped launder cryptocurrency payments collected from victims after ransomware attacks. He joined the conspiracy by September 2021, possessed data stolen from 12 victims, and helped develop a malware loader used to deploy malicious software. Prosecutors tied him to the technical development of ransomware tooling used by the group. Conti targeted organizations across 47 U.S. states and 31 countries. Following his extradition from Ireland, Lytvynenko is scheduled for sentencing in September.

French City of Nantes Reports Employee Data Breach After Cyberattack on Municipal Systems

Nantes, a major city in western France, and the surrounding Nantes Métropole administrative authority disclosed a cyberattack after employees were notified of a breach involving their personal information. The incident was detected on June 9 and appears to have been contained before affecting citizen-facing services, with officials stating that residents were not impacted. The notable detail is the targeted scope: attackers reportedly focused on employee data rather than public services or municipal operations. City officials activated a crisis response team, implemented technical countermeasures, and said the situation is now under control. Nantes has notified France's data protection authority, CNIL, and plans to file a formal complaint as the investigation continues.

Cybercrime Accounts for Over 30% of Reported Crime in Parts of Asia-Pacific

INTERPOL's latest cyberthreat assessment found that cybercrime now represents more than 30% of all recorded crime in over half of the Asia-Pacific countries surveyed, underscoring how digital offenses have become a law-enforcement challenge rather than a niche threat. Phishing emerged as the region's most prevalent and financially damaging cybercrime, with some countries reporting more than 10,000 cases and users clicking phishing links at roughly twice the global average. The report also said that DDoS attacks rose 92% year over year. One of the most striking findings was a 600% increase in discussions about deepfakes on cybercriminal forums and Telegram channels used by Southeast Asian threat actors. Based on input from 18 member countries, the assessment also found that many law-enforcement agencies continue to face shortages of cybercrime training, forensic tools, and technical resources as threats grow more sophisticated.

Keeping Pace With a Fast-Changing Threat Landscape

Developers remained a target for their accounts, API keys, and access to systems. Law enforcement gained momentum, from the Dutch arrests in the bank helpdesk fraud case to the Conti guilty plea after extradition. Prosecutors also pursued individuals responsible for concealing the proceeds of crime, extending legal pressure across the criminal ecosystem.

A pressing concern remains how quickly technological advances are absorbed into cybercrime. INTERPOL's assessment found that DDoS attacks rose 92%, while discussions about deepfakes on cybercriminal forums increased 600%, leaving little doubt about what to expect from AI-enabled fraud.

All this lands against shortages in cybercrime training, forensic tools, and technical resources, making the capability gap part of the story.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: