FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 12, column 93: Self reference doesn't match document location [help]

... rel="self" type="application/rss+xml" />
                                             ^

line 60, column 0: content:encoded should not contain aria-describedby attribute (24 occurrences) [help]
```
<div id="attachment_71644" style="width: 757px" class="wp-caption aligncente ...
```
line 60, column 0: content:encoded should not contain decoding attribute (32 occurrences) [help]
```
<div id="attachment_71644" style="width: 757px" class="wp-caption aligncente ...
```
line 60, column 0: content:encoded should not contain sizes attribute (24 occurrences) [help]
```
<div id="attachment_71644" style="width: 757px" class="wp-caption aligncente ...
```
line 64, column 0: content:encoded should not contain loading attribute (31 occurrences) [help]
```
<div id="attachment_59487" style="width: 759px" class="wp-caption aligncente ...
```

Source: http://feeds.feedburner.com/krebsonsecurity/TEjH

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Krebs on Security</title>
<atom:link href="https://krebsonsecurity.com/feed/" rel="self" type="application/rss+xml" />
<link>https://krebsonsecurity.com</link>
<description>In-depth security news and investigation</description>
<lastBuildDate>Thu, 10 Jul 2025 22:14:40 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.2.2</generator>
<item>
<title>UK Arrests Four in ‘Scattered Spider’ Ransom Group</title>
<link>https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/</link>
<comments>https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 10 Jul 2025 17:31:10 +0000</pubDate>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[Allison Nixon]]></category>
<category><![CDATA[Amtrak]]></category>
<category><![CDATA[Asyntax]]></category>
<category><![CDATA[bo764]]></category>
<category><![CDATA[Co-op Group]]></category>
<category><![CDATA[Doxbin]]></category>
<category><![CDATA[Earth2Star]]></category>
<category><![CDATA[Everlynn]]></category>
<category><![CDATA[fbi]]></category>
<category><![CDATA[Harrods]]></category>
<category><![CDATA[LAPSUS$]]></category>
<category><![CDATA[Marks & Spencer]]></category>
<category><![CDATA[MGM Casino]]></category>
<category><![CDATA[National Crime Agency]]></category>
<category><![CDATA[Operator]]></category>
<category><![CDATA[Owen David Flowers]]></category>
<category><![CDATA[Scattered Spider]]></category>
<category><![CDATA[Star Fraud Chat]]></category>
<category><![CDATA[Thalha Jubair]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=70968</guid>
<description><![CDATA[Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer.]]></description>
<content:encoded><![CDATA[Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.
The U.K.’s National Crime Agency (NCA) declined verify the names of those arrested, <a href="https://www.nationalcrimeagency.gov.uk/news/retail-cyber-attacks-nca-arrest-four-for-attacks-on-m-s-co-op-and-harrods" target="_blank" rel="noopener">saying</a> only that they included two males aged 19, another aged 17, and 20-year-old female.
Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.
KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include Owen David Flowers, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several MGM Casino properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.
Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from <a href="https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-the-com/" target="_blank" rel="noopener">a September 2024 story about the group</a> because he was not yet charged in that incident.
The bigger fish arrested this week is 19-year-old Thalha Jubair, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”
In 2023, KrebsOnSecurity <a href="https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/" target="_blank" rel="noopener">published an investigation</a> into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.
<div id="attachment_71644" style="width: 757px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71644" decoding="async" class=" wp-image-71644" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat.png" alt="" width="747" height="306" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat.png 1153w, https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat-768x314.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat-782x320.png 782w" sizes="(max-width: 747px) 100vw, 747px" />Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.</div>
Sources tell KrebsOnSecurity that Jubair also was a core member of the LAPSUS$ cybercrime group that <a href="https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/" target="_blank" rel="noopener">broke into dozens of technology companies in 2022</a>, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
In April 2022, KrebsOnSecurity <a href="https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/" target="_blank" rel="noopener">published internal chat records from LAPSUS$</a>, and those chats indicated Jubair was using the nicknames Amtrak and Asyntax. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.
As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.
<div id="attachment_59487" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-59487" decoding="async" loading="lazy" class=" wp-image-59487" src="https://krebsonsecurity.com/wp-content/uploads/2022/04/amtraxdox.png" alt="" width="749" height="207" />In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.</div>
That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “Everlynn,” the founder of a cybercriminal service that <a href="https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/" target="_blank" rel="noopener">sold fraudulent “emergency data requests”</a> targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
<div id="attachment_59127" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-59127" decoding="async" loading="lazy" class=" wp-image-59127" src="https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion.png" alt="" width="748" height="622" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion.png 864w, https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion-768x638.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion-782x650.png 782w" sizes="(max-width: 748px) 100vw, 748px" />The roster of the now-defunct “Infinity Recursion” hacking team, from which some member of LAPSUS$ hail.</div>
Sources say Jubair also used the nickname “Operator,” and that until recently he was the administrator of the Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.
In November 2024, U.S. authorities <a href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/" target="_blank" rel="noopener">charged five men aged 20 to 25</a> in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.
“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said Allison Nixon, chief research officer at the New York based security firm <a href="https://www.unit221b.com" target="_blank" rel="noopener">Unit 221B</a>. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
<item>
<title>Microsoft Patch Tuesday, July 2025 Edition</title>
<link>https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/</link>
<comments>https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 09 Jul 2025 00:53:33 +0000</pubDate>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Security Tools]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[Action1]]></category>
<category><![CDATA[Adam Barnett]]></category>
<category><![CDATA[adobe]]></category>
<category><![CDATA[Ben Hopkins]]></category>
<category><![CDATA[CVE-2025-47178]]></category>
<category><![CDATA[CVE-2025-47981]]></category>
<category><![CDATA[CVE-2025-49695]]></category>
<category><![CDATA[CVE-2025-49696]]></category>
<category><![CDATA[CVE-2025-49697]]></category>
<category><![CDATA[CVE-2025-49702]]></category>
<category><![CDATA[CVE-2025-49719]]></category>
<category><![CDATA[CVE-2025-49740]]></category>
<category><![CDATA[Microsoft Configuration Manager]]></category>
<category><![CDATA[Microsoft Defender SmartScreen]]></category>
<category><![CDATA[Microsoft Patch Tuesday July 2025 Edition]]></category>
<category><![CDATA[Mike Walters]]></category>
<category><![CDATA[Office]]></category>
<category><![CDATA[Rapid7]]></category>
<category><![CDATA[SQL Server 2012]]></category>
<category><![CDATA[SQL Server 2016]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71624</guid>
<description><![CDATA[Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.]]></description>
<content:encoded><![CDATA[Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
<img decoding="async" loading="lazy" class="aligncenter wp-image-60331" src="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png" alt="" width="749" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png 923w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-768x508.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-782x518.png 782w" sizes="(max-width: 749px) 100vw, 749px" />
While not listed as critical, <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49719" target="_blank" rel="noopener">CVE-2025-49719</a> is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.
Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.
“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”
Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.
Barnett also called attention to <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-47981" target="_blank" rel="noopener">CVE-2025-47981</a>, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.
Microsoft also patched at least four critical, remote code execution flaws in Office (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49695" target="_blank" rel="noopener">CVE-2025-49695</a>, <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49696" target="_blank" rel="noopener">CVE-2025-49696</a>, <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49697" target="_blank" rel="noopener">CVE-2025-49697</a>, <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49702" target="_blank" rel="noopener">CVE-2025-49702</a>). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.
Two more high severity bugs include <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-49740" target="_blank" rel="noopener">CVE-2025-49740</a> (CVSS 8.8) and <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-47178" target="_blank" rel="noopener">CVE-2025-47178</a> (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.
CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.
“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”
Separately, Adobe has <a href="https://helpx.adobe.com/security/security-bulletin.html" target="_blank" rel="noopener">released security updates</a> for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Internet Storm Center has <a href="https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%2C%20July%202025/32088" target="_blank" rel="noopener">a breakdown of each individual patch</a>, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on <a href="https://www.askwoody.com/" target="_blank" rel="noopener">AskWoody</a> for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).
If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/feed/</wfw:commentRss>
<slash:comments>6</slash:comments>
</item>
<item>
<title>Big Tech’s Mixed Response to U.S. Treasury Sanctions</title>
<link>https://krebsonsecurity.com/2025/07/big-techs-mixed-response-to-u-s-treasury-sanctions/</link>
<comments>https://krebsonsecurity.com/2025/07/big-techs-mixed-response-to-u-s-treasury-sanctions/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 03 Jul 2025 16:06:05 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[@nicelizhi]]></category>
<category><![CDATA[Facebook]]></category>
<category><![CDATA[Funnull Technology Inc.]]></category>
<category><![CDATA[GitHub]]></category>
<category><![CDATA[gmail]]></category>
<category><![CDATA[hotmail]]></category>
<category><![CDATA[LinkedIn]]></category>
<category><![CDATA[Liu "Steve" Lizhi]]></category>
<category><![CDATA[mark rasch]]></category>
<category><![CDATA[NexaMerchant]]></category>
<category><![CDATA[Nice Lizhi]]></category>
<category><![CDATA[Paypal]]></category>
<category><![CDATA[twitter]]></category>
<category><![CDATA[Unit 221B]]></category>
<category><![CDATA[XXL4]]></category>
<category><![CDATA[Youtube]]></category>
<category><![CDATA[Zach Edwards]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71564</guid>
<description><![CDATA[In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But more than a month later, the accused continues to openly operate accounts at a slew of American tech companies, including Facebook, Github, LinkedIn, PayPal and Twitter/X.]]></description>
<content:encoded><![CDATA[In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, Github, PayPal and Twitter/X.
On May 29, the U.S. Department of the Treasury <a href="https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams/" target="_blank" rel="noopener">announced economic sanctions</a> against Funnull Technology Inc., a Philippines-based company alleged to provide infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “<a href="https://krebsonsecurity.com/2022/07/massive-losses-define-epidemic-of-pig-butchering/" target="_blank" rel="noopener">pig butchering</a>.” In January 2025, KrebsOnSecurity detailed how Funnull was designed as a content delivery network that catered to <a href="https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-with-the-cloud/" target="_blank" rel="noopener">foreign cybercriminals seeking to route their traffic through U.S.-based cloud providers</a>.
<img decoding="async" loading="lazy" class="aligncenter size-full wp-image-71586" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/lizhisanctions.png" alt="" width="663" height="569" />
The Treasury also sanctioned Funnull’s alleged operator, a 40-year-old Chinese national named Liu “Steve” Lizhi. The government says Funnull directly facilitated financial schemes resulting in more than $200 million in financial losses by Americans, and that the company’s operations were linked to the majority of pig butchering scams reported to the FBI.
It is generally illegal for U.S. companies or individuals to transact with people sanctioned by the Treasury. However, as Mr. Lizhi’s case makes clear, just because someone is sanctioned doesn’t necessarily mean big tech companies are going to suspend their online accounts.
The government says Lizhi was born November 13, 1984, and used the nicknames “XXL4” and “Nice Lizhi.” Nevertheless, Steve Liu’s 17-year-old account on LinkedIn (in the name “Liulizhi”) had hundreds of followers (Lizhi’s LinkedIn profile helpfully confirms his birthday) until quite recently: The account was deleted this morning, just hours after KrebsOnSecurity sought comment from LinkedIn.
<div id="attachment_71584" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71584" decoding="async" loading="lazy" class="wp-image-71584" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/linkedin-liu.png" alt="" width="750" height="623" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/linkedin-liu.png 789w, https://krebsonsecurity.com/wp-content/uploads/2025/07/linkedin-liu-768x638.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/linkedin-liu-782x649.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Mr. Lizhi’s LinkedIn account was suspended sometime in the last 24 hours, after KrebsOnSecurity sought comment from LinkedIn.</div>
In an emailed response, a LinkedIn spokesperson said the company’s “<a href="https://www.linkedin.com/help/linkedin/answer/a1339324/prohibited-countries-policy?lang=en" target="_blank" rel="noopener">Prohibited countries policy</a>” states that LinkedIn “does not sell, license, support or otherwise make available its Premium accounts or other paid products and services to individuals and companies sanctioned by the U.S. government.” LinkedIn declined to say whether the profile in question was a premium or free account.
Mr. Lizhi also maintains <a href="https://paypal.com/paypalme/nicelizhi" target="_blank" rel="noopener">a working PayPal account</a> under the name Liu Lizhi and username “@nicelizhi,” another nickname listed in the Treasury sanctions. A 15-year-old <a href="https://x.com/phpedu/with_replies" target="_blank" rel="noopener">Twitter/X account named “Lizhi”</a> that links to Mr. Lizhi’s personal domain remains active, although it has few followers and hasn’t posted in years.
These accounts and many others were flagged by the security firm Silent Push, which has been tracking Funnull’s operations for the past year and calling out U.S. cloud providers like Amazon and Microsoft for failing to more quickly sever ties with the company.
<div id="attachment_71588" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71588" decoding="async" loading="lazy" class="wp-image-71588" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/pp-lizhi.png" alt="" width="749" height="471" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/pp-lizhi.png 816w, https://krebsonsecurity.com/wp-content/uploads/2025/07/pp-lizhi-768x483.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/pp-lizhi-782x492.png 782w" sizes="(max-width: 749px) 100vw, 749px" />Liu Lizhi’s PayPal account.</div>
In <a href="https://www.silentpush.com/blog/funnull-admin-sanctions/" target="_blank" rel="noopener">a report</a> released today, Silent Push found Lizhi still operates numerous Facebook accounts and groups, including a private Facebook account under the name Liu Lizhi. Another Facebook account clearly connected to Lizhi is a tourism page for Ganzhou, China called “EnjoyGanzhou” that was named in the Treasury Department sanctions.
“This guy is the technical administrator for the infrastructure that is hosting a majority of scams targeting people in the United States, and hundreds of millions have been lost based on the websites he’s been hosting,” said Zach Edwards, senior threat researcher at Silent Push. “It’s crazy that the vast majority of big tech companies haven’t done anything to cut ties with this guy.”
The FBI says it received nearly 150,000 complaints last year involving digital assets and $9.3 billion in losses — a 66 percent increase from the previous year. Investment scams were the top crypto-related crimes reported, with $5.8 billion in losses.
In a statement, a Meta spokesperson said the company continuously takes steps to meet its legal obligations, but that sanctions laws are complex and varied. They explained that sanctions are often targeted in nature and don’t always prohibit people from having a presence on its platform. Nevertheless, Meta confirmed it had removed the account, unpublished Pages, and removed Groups and events associated with the user for violating its policies.
Attempts to reach Mr. Lizhi via his primary email addresses at Hotmail and Gmail bounced as undeliverable. Likewise, his 14-year-old YouTube channel appears to have been taken down recently.
However, anyone interested in viewing or using Mr. Lizhi’s 146 computer code repositories will have no problem finding GitHub accounts for him, including one registered under the NiceLizhi and XXL4 nicknames mentioned in the Treasury sanctions.
<div id="attachment_71587" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71587" decoding="async" loading="lazy" class=" wp-image-71587" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/xxl4-github.png" alt="" width="750" height="515" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/xxl4-github.png 1131w, https://krebsonsecurity.com/wp-content/uploads/2025/07/xxl4-github-768x528.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/xxl4-github-782x538.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/07/xxl4-github-100x70.png 100w" sizes="(max-width: 750px) 100vw, 750px" />One of multiple GitHub profiles used by Liu “Steve” Lizhi, who uses the nickname XXL4 (a moniker listed in the Treasury sanctions for Mr. Lizhi).</div>
Mr. Lizhi also operates a GitHub page for an open source e-commerce platform called NexaMerchant, which advertises itself as a payment gateway working with numerous American financial institutions. Interestingly, this profile’s <a href="https://www.github.com/orgs/NexaMerchant/follower" target="_blank" rel="noopener">“followers” page</a> shows several other accounts that appear to be Mr. Lizhi’s. All of the account’s followers are tagged as “suspended,” even though that suspended message does not display when one visits those individual profiles.
In response to questions, GitHub said it has a process in place to identify when users and customers are Specially Designated Nationals or other denied or blocked parties, but that it locks those accounts instead of removing them. According to its policy, GitHub takes care that users and customers aren’t impacted beyond what is required by law.
<div id="attachment_71595" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71595" decoding="async" loading="lazy" class=" wp-image-71595" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/nexamerchant.png" alt="" width="748" height="493" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/nexamerchant.png 1225w, https://krebsonsecurity.com/wp-content/uploads/2025/07/nexamerchant-768x507.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/nexamerchant-782x516.png 782w" sizes="(max-width: 748px) 100vw, 748px" />All of the follower accounts for the XXL4 GitHub account appear to be Mr. Lizhi’s, and have been suspended by GitHub, but their code is still accessible.</div>
“This includes keeping public repositories, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions,” the policy states. “This also means GitHub will advocate for developers in sanctioned regions to enjoy greater access to the platform and full access to the global open source community.”
Edwards said it’s great that GitHub has a process for handling sanctioned accounts, but that the process doesn’t seem to communicate risk in a transparent way, noting that the only indicator on the locked accounts is the message, “This repository has been archived by the owner. It is not read-only.”
“It’s an odd message that doesn’t communicate, ‘This is a sanctioned entity, don’t fork this code or use it in a production environment’,” Edwards said.
Mark Rasch is a former federal cybercrime prosecutor who now serves as counsel for the New York City based security consulting firm Unit 221B. Rasch said when Treasury’s Office of Foreign Assets Control (OFAC) sanctions a person or entity, it then becomes illegal for businesses or organizations to transact with the sanctioned party.
Rasch said financial institutions have very mature systems for severing accounts tied to people who become subject to OFAC sanctions, but that tech companies may be far less proactive — particularly with free accounts.
“Banks have established ways of checking [U.S. government sanctions lists] for sanctioned entities, but tech companies don’t necessarily do a good job with that, especially for services that you can just click and sign up for,” Rasch said. “It’s potentially a risk and liability for the tech companies involved, but only to the extent OFAC is willing to enforce it.”
<div id="attachment_71589" style="width: 783px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71589" decoding="async" loading="lazy" class="size-full wp-image-71589" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/fb-ganzhou.png" alt="" width="773" height="651" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/fb-ganzhou.png 773w, https://krebsonsecurity.com/wp-content/uploads/2025/07/fb-ganzhou-768x647.png 768w" sizes="(max-width: 773px) 100vw, 773px" />Liu Lizhi operates numerous Facebook accounts and groups, including this one for an entity specified in the OFAC sanctions: The “Enjoy Ganzhou” tourism page for Ganzhou, China. Image: Silent Push.</div>
In July 2024, Funnull purchased the domain polyfill[.]io, the longtime home of a legitimate open source project that allowed websites to ensure that devices using legacy browsers could still render content in newer formats. After the Polyfill domain changed hands, at least 384,000 websites were <a href="https://arstechnica.com/security/2024/07/384000-sites-link-to-code-library-caught-performing-supply-chain-attack/" target="_blank" rel="noopener">caught in a supply-chain attack</a> that redirected visitors to malicious sites. According to the Treasury, Funnull used the code to redirect people to scam websites and online gambling sites, some of which were linked to Chinese criminal money laundering operations.
The U.S. government says Funnull provides domain names for websites on its purchased IP addresses, using domain generation algorithms (DGAs) — programs that generate large numbers of similar but unique names for websites — and that it sells web design templates to cybercriminals.
“These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down,” reads a Treasury statement.
Meanwhile, Funnull appears to be morphing nearly all aspects of its business in the wake of the sanctions, Edwards said.
“Whereas before they might have used 60 DGA domains to hide and bounce their traffic, we’re seeing far more now,” he said. “They’re trying to make their infrastructure harder to track and more complicated, so for now they’re not going away but more just changing what they’re doing. And a lot more organizations should be holding their feet to the fire.”
Update, 2:48 PM ET: Added response from Meta, which confirmed it has closed the accounts and groups connected to Mr. Lizhi.
Update, July 7, 6:56 p.m. ET: In a written statement, PayPal said it continually works to combat and prevent the illicit use of its services.
“We devote significant resources globally to financial crime compliance, and we proactively refer cases to and assist law enforcement officials around the world in their efforts to identify, investigate and stop illegal activity,” the statement reads.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/07/big-techs-mixed-response-to-u-s-treasury-sanctions/feed/</wfw:commentRss>
<slash:comments>6</slash:comments>
</item>
<item>
<title>Senator Chides FBI for Weak Advice on Mobile Security</title>
<link>https://krebsonsecurity.com/2025/06/senator-chides-fbi-for-weak-advice-on-mobile-security/</link>
<comments>https://krebsonsecurity.com/2025/06/senator-chides-fbi-for-weak-advice-on-mobile-security/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 30 Jun 2025 17:33:59 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Security Tools]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[apple]]></category>
<category><![CDATA[Bill Marczak]]></category>
<category><![CDATA[Citizen Lab]]></category>
<category><![CDATA[CVE-2025-43200]]></category>
<category><![CDATA[Emerita Melissa Hortman]]></category>
<category><![CDATA[Federal Bureau of Investigation]]></category>
<category><![CDATA[google]]></category>
<category><![CDATA[International Computer Science Institute]]></category>
<category><![CDATA[John Hoffman]]></category>
<category><![CDATA[Kash Patel]]></category>
<category><![CDATA[Lockdown Mode]]></category>
<category><![CDATA[Lorenzo Francheschi-Bicchierai]]></category>
<category><![CDATA[Nicholas Weaver]]></category>
<category><![CDATA[Sen. Ron Wyden]]></category>
<category><![CDATA[Susie Wiles]]></category>
<category><![CDATA[The Wall Street Journal]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71553</guid>
<description><![CDATA[Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate's most tech-savvy lawmakers says the feds aren't doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.]]></description>
<content:encoded><![CDATA[Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.
<div id="attachment_71570" style="width: 762px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71570" decoding="async" loading="lazy" class=" wp-image-71570" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/wyden-patel-letter.png" alt="" width="752" height="822" />A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.</div>
On May 29, The Wall Street Journal <a href="https://www.wsj.com/politics/policy/federal-authorities-probe-effort-to-impersonate-white-house-chief-of-staff-65da0d59" target="_blank" rel="noopener">reported</a> that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.
The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.
“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”
Sophisticated or not, the impersonation campaign was soon <a href="https://www.justice.gov/opa/pr/after-two-day-manhunt-suspect-charged-shooting-two-minnesota-lawmakers-and-their-spouses" target="_blank" rel="noopener">punctuated</a> by the murder of Minnesota House of Representatives Speaker Emerita Melissa Hortman and her husband, and the shooting of Minnesota State Senator John Hoffman and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).
But according to Sen. Ron Wyden (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.
“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in <a href="https://www.wyden.senate.gov/download/wyden-letter-to-fbi-defensive-cyber-advice" target="_blank" rel="noopener">a letter</a> sent today to FBI Director Kash Patel. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”
Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.
These include Apple’s <a href="https://support.apple.com/en-us/105120" target="_blank" rel="noopener">Lockdown Mode</a>, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called <a href="https://support.google.com/accounts/answer/9764949?hl=en" target="_blank" rel="noopener">Advanced Protection Mode</a>.
Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, <a href="https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/" target="_blank" rel="noopener">disabling ad tracking IDs in mobile devices</a>, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly <a href="https://krebsonsecurity.com/wp-content/uploads/2025/06/minnshooting-peoplesearch.png" target="_blank" rel="noopener">used multiple people-search services</a> to find the home addresses of his targets).
The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.
“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.
“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”
Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, Citizen Lab <a href="https://krebsonsecurity.com/2023/09/adobe-apple-google-microsoft-patch-0-day-bugs/" target="_blank" rel="noopener">documented</a> how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.
<img decoding="async" loading="lazy" class="aligncenter size-full wp-image-61232" src="https://krebsonsecurity.com/wp-content/uploads/2022/09/lockdownmode.png" alt="" width="314" height="629" />
Earlier this month, Citizen Lab researchers <a href="https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/" target="_blank" rel="noopener">documented a zero-click attack</a> used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.
Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity <a href="https://www.helpnetsecurity.com/2025/06/13/ios-zero-click-attacks-used-to-deliver-graphite-spyware-cve-2025-43200/" target="_blank" rel="noopener">observed</a> that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher Bill Marczak: <a href="https://support.apple.com/en-us/122174" target="_blank" rel="noopener">CVE-2025-24200</a>, which Apple said was used in an extremely sophisticated physical attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.
In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.
I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.
My main gripe with Lockdown Mode was captured in <a href="https://techcrunch.com/2025/03/13/apples-lockdown-mode-is-good-for-security-but-its-notifications-are-baffling/" target="_blank" rel="noopener">a March 2025 column</a> by TechCrunch’s Lorenzo Francheschi-Bicchierai, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.
Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/06/senator-chides-fbi-for-weak-advice-on-mobile-security/feed/</wfw:commentRss>
<slash:comments>27</slash:comments>
</item>
<item>
<title>Inside a Dark Adtech Empire Fed by Fake CAPTCHAs</title>
<link>https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/</link>
<comments>https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 12 Jun 2025 22:14:00 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[AdsPro]]></category>
<category><![CDATA[Aimed Global]]></category>
<category><![CDATA[BroPush]]></category>
<category><![CDATA[ByteCore AG]]></category>
<category><![CDATA[DollyWay]]></category>
<category><![CDATA[Doppelganger]]></category>
<category><![CDATA[GoDaddy]]></category>
<category><![CDATA[Help TDS]]></category>
<category><![CDATA[Holacode]]></category>
<category><![CDATA[Infoblox]]></category>
<category><![CDATA[LosPollos]]></category>
<category><![CDATA[Partners House]]></category>
<category><![CDATA[Qurium]]></category>
<category><![CDATA[Renee Burton]]></category>
<category><![CDATA[RexAds]]></category>
<category><![CDATA[RichAds]]></category>
<category><![CDATA[SkyForge Digital AG]]></category>
<category><![CDATA[smartlinks]]></category>
<category><![CDATA[Spamshield]]></category>
<category><![CDATA[TacoLoco]]></category>
<category><![CDATA[Teknology SA]]></category>
<category><![CDATA[VexTrio]]></category>
<category><![CDATA[wordpress]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=69927</guid>
<description><![CDATA[Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.]]></description>
<content:encoded><![CDATA[Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.
<div id="attachment_71492" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71492" decoding="async" loading="lazy" class=" wp-image-71492" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/maladtech.png" alt="" width="750" height="422" />Image: Infoblox.</div>
In November 2024, researchers at the security firm Qurium published an investigation into “<a href="https://www.cybercom.mil/Media/News/Article/3895345/russian-disinformation-campaign-doppelgnger-unmasked-a-web-of-deception/" target="_blank" rel="noopener">Doppelganger</a>,” a disinformation network that promotes pro-Russian narratives and infiltrates Europe’s media landscape by pushing fake news through a network of cloned websites.
Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served. Qurium <a href="https://www.qurium.org/forensics/when-kehr-meets-vextrio/" target="_blank" rel="noopener">found</a> Doppelganger relies on a sophisticated “domain cloaking” service, a technology that allows websites to present different content to search engines compared to what regular visitors see. The use of cloaking services helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.
Qurium discovered that Doppelganger’s cloaking service also promoted online dating sites, and shared much of the same infrastructure with VexTrio, which is thought to be the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
<h2>BREAKING BAD</h2>
Digging deeper, Qurium noticed Doppelganger’s cloaking service used an Internet provider in Switzerland as the first entry point in a chain of domain redirections. They also noticed the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to sketchy adult dating sites: LosPollos[.]com and TacoLoco[.]co.
The LosPollos ad network incorporates many elements and references from the hit series “Breaking Bad,” mirroring the fictional “Los Pollos Hermanos” restaurant chain that served as a money laundering operation for a violent methamphetamine cartel.
<div id="attachment_71484" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71484" decoding="async" loading="lazy" class=" wp-image-71484" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage.png" alt="" width="749" height="497" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage.png 2710w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage-768x510.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage-1536x1020.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage-2048x1360.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_mainpage-782x519.png 782w" sizes="(max-width: 749px) 100vw, 749px" />The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the fictional chicken restaurant chain owner in the show.</div>
Affiliates who sign up with LosPollos are given JavaScript-heavy “smartlinks” that drive traffic into the VexTrio TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.
LosPollos affiliates typically stitch these smart links into WordPress websites that have been hacked via known vulnerabilities, and those affiliates will earn a small commission each time an Internet user referred by any of their hacked sites falls for one of these lures.
<div id="attachment_71485" style="width: 755px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71485" decoding="async" loading="lazy" class="wp-image-71485" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_subdomain_linkedIn_announcement.png" alt="" width="745" height="321" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_subdomain_linkedIn_announcement.png 1146w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_subdomain_linkedIn_announcement-768x331.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lospollos_subdomain_linkedIn_announcement-782x337.png 782w" sizes="(max-width: 745px) 100vw, 745px" />The Los Pollos advertising network promoting itself on LinkedIn.</div>
According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,” a <a href="https://tools.ietf.org/html/rfc8030" target="_blank" rel="noopener">cross-platform browser standard</a> that allows websites to show pop-up messages which appear outside of the browser. For example, on Microsoft Windows systems these notifications typically show up in the bottom right corner of the screen — just above the system clock.
In the case of VexTrio and TacoLoco, the notification approval requests themselves are deceptive — disguised as “CAPTCHA” challenges designed to distinguish automated bot traffic from real visitors. For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim’s device with a variety of phony virus alerts and misleading pop-up messages.
<div id="attachment_71486" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71486" decoding="async" loading="lazy" class=" wp-image-71486" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/maliciouspushcaptcha.png" alt="" width="749" height="643" />Examples of VexTrio landing pages that lead users to accept push notifications on their device.</div>
According to <a href="https://www.godaddy.com/resources/news/godaddy-annual-cybersecurity-report" target="_blank" rel="noopener">a December 2024 annual report</a> from GoDaddy, nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks.
<h2>ADSPRO AND TEKNOLOGY</h2>
On November 14, 2024, Qurium <a href="https://www.qurium.org/forensics/when-kehr-meets-vextrio/" target="_blank" rel="noopener">published research</a> to support its findings that LosPollos and TacoLoco were services operated by Adspro Group, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers C41 and Teknology SA.
Qurium noted the LosPollos and TacoLoco sites state that their content is copyrighted by ByteCore AG and SkyForge Digital AG, both Swiss firms that are run by the owner of Teknology SA, Giulio Vitorrio Leonardo Cerutti. Further investigation revealed LosPollos and TacoLoco were apps developed by a company called Holacode, which lists Cerutti as its CEO.
The apps marketed by Holacode include numerous VPN services, as well as one called Spamshield that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found it hides the user’s notifications, and then after 24 hours stops hiding them and demands payment. Spamshield subsequently changed its developer name from Holacode to ApLabz, although Infoblox noted that the Terms of Service for several of the rebranded ApLabz apps still referenced Holacode in their terms of service.
Incredibly, Cerutti threatened to sue me for defamation before I’d even uttered his name or sent him a request for comment (Cerutti sent the unsolicited legal threat back in January after his company and my name were merely tagged in an Infoblox post on LinkedIn about VexTrio).
Asked to comment on the findings by Qurium and Infoblox, Cerutti vehemently denied being associated with VexTrio. Cerutti asserted that his companies all strictly adhere to the regulations of the countries in which they operate, and that they have been completely transparent about all of their operations.
“We are a group operating in the advertising and marketing space, with an affiliate network program,” Cerutti responded. “I am not [going] to say we are perfect, but I strongly declare we have no connection with VexTrio at all.”
“Unfortunately, as a big player in this space we also get to deal with plenty of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc, etc.,” Cerutti continued. “We bleed lots of money to such malpractices and conduct regular internal screenings and audits in a constant battle to remove bad traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against more established mainstream players like us.”
Working with Qurium, researchers at the security firm Infoblox released details about VexTrio’s infrastructure to their industry partners. Just four days after Qurium published its findings, LosPollos announced it was suspending its push monetization service. Less than a month later, Adspro had rebranded to Aimed Global.
<div id="attachment_71527" style="width: 760px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-71527" decoding="async" loading="lazy" class="wp-image-71527 " src="https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm.png" alt="" width="750" height="451" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm.png 1538w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm-768x462.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm-1536x924.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/06/lp-mm-782x470.png 782w" sizes="(max-width: 750px) 100vw, 750px" /></a>A mind map illustrating some of the key findings and connections in the Infoblox and Qurium investigations. Click to enlarge.</div>
<h2>A REVEALING PIVOT</h2>
In March 2025, researchers at GoDaddy <a href="https://www.godaddy.com/resources/news/dollyway-malware-c2-tds" target="_blank" rel="noopener">chronicled</a> how DollyWay — a malware strain that has consistently redirected victims to VexTrio throughout its eight years of activity — suddenly stopped doing that on November 20, 2024. Virtually overnight, DollyWay and several other malware families that had previously used VexTrio began pushing their traffic through another TDS called Help TDS.
Digging further into historical DNS records and the unique code scripts used by the Help TDS, Infoblox determined it has long enjoyed an exclusive relationship with VexTrio (at least until LosPollos ended its push monetization service in November).
In <a href="https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/" target="_blank" rel="noopener">a report released today</a>, Infoblox said an exhaustive analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators (not counting TacoLoco). Those four entities — Partners House, BroPush, RichAds and RexPush — are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.
“As Los Pollos push monetization ended, we’ve seen an increase in fake CAPTCHAs that drive user acceptance of push notifications, particularly from Partners House,” the Infoblox report reads. “The relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership.”
Renee Burton, vice president of threat intelligence at Infoblox, said the security industry generally treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legally grey area that is mostly associated with less dangerous security threats, such as adware and scareware.
But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that also pushes plenty of straight-up malware, noting that hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs.
“These TDSs are a nefarious threat, because they’re the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year,” Burton said. “From a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are just some of the many groups involved.”
<h2>WHAT CAN YOU DO?</h2>
As KrebsOnSecurity <a href="https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/" target="_blank" rel="noopener">warned way back in 2020</a>, it’s a good idea to be very sparing in approving notifications when browsing the Web. In many cases these notifications are benign, but as we’ve seen there are numerous dodgy firms that are paying site owners to install their notification scripts, and then reselling that communications pathway to scammers and online hucksters.
If you’d like to prevent sites from ever presenting notification requests, all of the major browser makers let you do this — either across the board or on a per-website basis. While it is true that blocking notifications entirely can break the functionality of some websites, doing this for any devices you manage on behalf of your less tech-savvy friends or family members might end up saving everyone a lot of headache down the road.
To modify site notification settings in Mozilla Firefox, navigate to Settings, Privacy & Security, Permissions, and click the “Settings” tab next to “Notifications.” That page will display any notifications already permitted and allow you to edit or delete any entries. Tick the box next to “Block new requests asking to allow notifications” to stop them altogether.
<img decoding="async" loading="lazy" class="aligncenter wp-image-71514" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/firefox-notifications.png" alt="" width="750" height="542" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/firefox-notifications.png 1185w, https://krebsonsecurity.com/wp-content/uploads/2025/06/firefox-notifications-768x555.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/firefox-notifications-782x566.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
In Google Chrome, click the icon with the three dots to the right of the address bar, scroll all the way down to Settings, Privacy and Security, Site Settings, and Notifications. Select the “Don’t allow sites to send notifications” button if you want to banish notification requests forever.
<img decoding="async" loading="lazy" class="aligncenter wp-image-71515" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/chromenotifications.png" alt="" width="750" height="500" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/chromenotifications.png 822w, https://krebsonsecurity.com/wp-content/uploads/2025/06/chromenotifications-768x512.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/chromenotifications-782x521.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
In Apple’s Safari browser, go to Settings, Websites, and click on Notifications in the sidebar. Uncheck the option to “allow websites to ask for permission to send notifications” if you wish to turn off notification requests entirely.
<img decoding="async" loading="lazy" class="aligncenter wp-image-71516" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/safarinotifications.png" alt="" width="749" height="499" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/safarinotifications.png 822w, https://krebsonsecurity.com/wp-content/uploads/2025/06/safarinotifications-768x512.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/safarinotifications-782x521.png 782w" sizes="(max-width: 749px) 100vw, 749px" />
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/feed/</wfw:commentRss>
<slash:comments>54</slash:comments>
</item>
<item>
<title>Patch Tuesday, June 2025 Edition</title>
<link>https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/</link>
<comments>https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 11 Jun 2025 00:10:53 +0000</pubDate>
<category><![CDATA[Security Tools]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[Acrobat Reader]]></category>
<category><![CDATA[Action1]]></category>
<category><![CDATA[Adam Barnett]]></category>
<category><![CDATA[Akamai]]></category>
<category><![CDATA[Alex Vovk]]></category>
<category><![CDATA[Automox]]></category>
<category><![CDATA[BadSuccessor]]></category>
<category><![CDATA[CVE-2025-33053]]></category>
<category><![CDATA[CVE-2025-33073]]></category>
<category><![CDATA[Experience Manager]]></category>
<category><![CDATA[Google Chrome]]></category>
<category><![CDATA[mozilla firefox]]></category>
<category><![CDATA[Patch Tuesday June 2025]]></category>
<category><![CDATA[Rapid7]]></category>
<category><![CDATA[sans internet storm center]]></category>
<category><![CDATA[Seth Hoyt]]></category>
<category><![CDATA[WebDAV]]></category>
<category><![CDATA[Windows Server Message Block]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71465</guid>
<description><![CDATA[Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public. ]]></description>
<content:encoded><![CDATA[Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
<img decoding="async" loading="lazy" class="aligncenter wp-image-56287" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png" alt="" width="749" height="527" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png 841w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-768x541.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-782x550.png 782w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-100x70.png 100w" sizes="(max-width: 749px) 100vw, 749px" />
The sole zero-day flaw this month is <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33053" target="_blank" rel="noopener">CVE-2025-33053</a>, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.
Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.
“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”
Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073" target="_blank" rel="noopener">CVE-2025-33073</a>) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining “SYSTEM” level control over a vulnerable PC.
“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”
Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.
Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was <a href="https://github.com/akamai/BadSuccessor" target="_blank" rel="noopener">publicly disclosed</a> by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.
Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).
For a detailed breakdown on the individual security updates released by Microsoft today, check out the <a href="https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032" target="_blank" rel="noopener">Patch Tuesday roundup</a> from the SANS Internet Storm Center. Action 1 has <a href="https://www.action1.com/patch-tuesday/patch-tuesday-june-2025/?vyj" target="_blank" rel="noopener">a breakdown of patches from Microsoft</a> and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/feed/</wfw:commentRss>
<slash:comments>4</slash:comments>
</item>
<item>
<title>Proxy Services Feast on Ukraine’s IP Address Exodus</title>
<link>https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/</link>
<comments>https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 05 Jun 2025 22:44:33 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Amazon]]></category>
<category><![CDATA[AT&T]]></category>
<category><![CDATA[Cogent]]></category>
<category><![CDATA[Doug Madory]]></category>
<category><![CDATA[Hurricane Electric]]></category>
<category><![CDATA[Internet Protocol Version 4]]></category>
<category><![CDATA[Kentik]]></category>
<category><![CDATA[LVS]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[Riley Kilmer]]></category>
<category><![CDATA[Spur]]></category>
<category><![CDATA[Stark Industries Solutions Inc]]></category>
<category><![CDATA[TVCOM]]></category>
<category><![CDATA[Ukrtelecom]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71386</guid>
<description><![CDATA[Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).]]></description>
<content:encoded><![CDATA[<div id="attachment_71441" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71441" decoding="async" loading="lazy" class=" wp-image-71441" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/ukraine-networks.png" alt="" width="749" height="611" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/ukraine-networks.png 823w, https://krebsonsecurity.com/wp-content/uploads/2025/06/ukraine-networks-768x626.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/ukraine-networks-782x638.png 782w" sizes="(max-width: 749px) 100vw, 749px" />Image: Mark Rademaker, via Shutterstock.</div>
Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).
The findings come in <a href="https://www.kentik.com/blog/exodus-of-ipv4-from-war-torn-ukraine/" target="_blank" rel="noopener">a report</a> examining how the Russian invasion has affected Ukraine’s domestic supply of Internet Protocol Version 4 (IPv4) addresses. Researchers at Kentik, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.
For example, Ukraine’s incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s Doug Madory they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”
“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.
Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — Amazon (AS16509), AT&T (AS7018), and Cogent (AS174).
Another Ukrainian Internet provider — LVS (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.
<div id="attachment_71448" style="width: 755px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71448" decoding="async" loading="lazy" class=" wp-image-71448" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/kentik-lvs.png" alt="" width="745" height="505" />IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.</div>
Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.
The Ukrainian ISP Trinity (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.
Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to spur.us, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.
<img decoding="async" loading="lazy" class="aligncenter wp-image-31323" src="https://krebsonsecurity.com/wp-content/uploads/2015/06/proxy.png" alt="" width="748" height="313" />
From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, <a href="https://www.linkedin.com/feed/update/urn:li:activity:7326663504701140992/?actorCompanyId=51677041" target="_blank" rel="noopener">web crawlers and content-scraping bots</a>. However, proxy services also are <a href="https://intel471.com/blog/a-look-at-the-residential-proxy-market" target="_blank" rel="noopener">massively abused for hiding cybercrime activity</a> because they can make it difficult to trace malicious traffic to its original source.
IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.
A cursory review of <a href="https://bgp.he.net/AS7018#_prefixes" target="_blank" rel="noopener">all Internet address blocks currently routed through AT&T</a> — as seen in public records maintained by the Internet backbone provider Hurricane Electric — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.
<div id="attachment_71435" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71435" decoding="async" loading="lazy" class=" wp-image-71435" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/att-bg-he-net.png" alt="" width="749" height="751" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/att-bg-he-net.png 924w, https://krebsonsecurity.com/wp-content/uploads/2025/06/att-bg-he-net-768x770.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/att-bg-he-net-782x785.png 782w" sizes="(max-width: 749px) 100vw, 749px" />AT&T’s IPv4 address space seems to be routing a great deal of proxy traffic, including a large number of IP address ranges that were until recently routed by ISPs in Ukraine.</div>
Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in <a href="http://serviceguidenew.att.com/sg_flashPlayerPage/MIS" target="_blank" rel="noopener">a February 2025 update to AT&T’s terms of service</a>, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).
“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”
Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned Stark Industries Solutions Inc., an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">most of it was connected to Russia-based proxy and anonymity services</a>.
<div id="attachment_71443" style="width: 855px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71443" decoding="async" loading="lazy" class="size-full wp-image-71443" src="https://krebsonsecurity.com/wp-content/uploads/2025/06/iproyal.png" alt="" width="845" height="462" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/06/iproyal.png 845w, https://krebsonsecurity.com/wp-content/uploads/2025/06/iproyal-768x420.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/06/iproyal-782x428.png 782w" sizes="(max-width: 845px) 100vw, 845px" />According to Spur, the proxy service IPRoyal is the current beneficiary of IP address blocks from several Ukrainian ISPs profiled in Kentik’s report. Customers can chose proxies by specifying the city and country they would to proxy their traffic through. Image: Trend Micro.</div>
Spur’s Chief Technology Officer Riley Kilmer said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.
“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”
Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by Cogent Communications (AS174), <a href="https://bgp.he.net/AS174#_prefixes" target="_blank" rel="noopener">a tier-one Internet backbone provider</a> based in Washington, D.C.
Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.
“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”
Cogent declined a request to comment on Kentik’s findings.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/feed/</wfw:commentRss>
<slash:comments>16</slash:comments>
</item>
<item>
<title>U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams</title>
<link>https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams/</link>
<comments>https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Fri, 30 May 2025 01:55:16 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Amazon]]></category>
<category><![CDATA[Funnull]]></category>
<category><![CDATA[infrastructure laundering]]></category>
<category><![CDATA[Ivan Neculiti]]></category>
<category><![CDATA[Lazarus Group]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[Silent Push]]></category>
<category><![CDATA[Stark Industrires Solutions Ltd]]></category>
<category><![CDATA[Suncity Group]]></category>
<category><![CDATA[Yuri Neculiti]]></category>
<category><![CDATA[Zach Edwards]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71387</guid>
<description><![CDATA[The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.]]></description>
<content:encoded><![CDATA[<div id="attachment_70230" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-70230" decoding="async" loading="lazy" class=" wp-image-70230" src="https://krebsonsecurity.com/wp-content/uploads/2025/01/funnell-ss.png" alt="" width="750" height="452" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/01/funnell-ss.png 1319w, https://krebsonsecurity.com/wp-content/uploads/2025/01/funnell-ss-768x463.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/01/funnell-ss-782x472.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Image: Shutterstock, ArtHead.</div>
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.
“Americans lose billions of dollars annually to these cyber scams, with revenues generated from these crimes rising to record levels in 2024,” reads <a href="https://home.treasury.gov/news/press-releases/sb0149" target="_blank" rel="noopener">a statement</a> from the U.S. Department of the Treasury, which sanctioned Funnull and its 40-year-old Chinese administrator Liu Lizhi. “Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses.”
The Treasury Department said Funnull’s operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans.
Pig butchering is a rampant form of fraud wherein people are lured by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms. Victims are coached to invest more and more money into what appears to be an extremely profitable trading platform, only to find their money is gone when they wish to cash out.
The scammers often insist that investors pay additional “taxes” on their crypto “earnings” before they can see their invested funds again (spoiler: they never do), and a shocking number of people <a href="https://krebsonsecurity.com/2022/07/massive-losses-define-epidemic-of-pig-butchering/" target="_blank" rel="noopener">have lost six figures or more through these pig butchering scams</a>.
KrebsOnSecurity’s <a href="https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-with-the-cloud/" target="_blank" rel="noopener">January story on Funnull</a> was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in <a href="https://www.unodc.org/roseap/uploads/documents/Publications/2024/Casino_Underground_Banking_Report_2024.pdf" target="_blank" rel="noopener">a 2024 UN report</a> (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group <a href="https://en.wikipedia.org/wiki/Lazarus_Group" target="_blank" rel="noopener">Lazarus</a>.
Silent Push found Funnull was a criminal content delivery network (CDN) that carried a great deal of traffic tied to scam websites, funneling the traffic through a dizzying chain of auto-generated domain names and U.S.-based cloud providers before redirecting to malicious or phishous websites. The FBI has released a <a href="https://www.ic3.gov/CSA/2025/250529.pdf" target="_blank" rel="noopener">technical writeup</a> (PDF) of the infrastructure used to manage the malicious Funnull domains between October 2023 and April 2025.
<div id="attachment_71392" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71392" decoding="async" loading="lazy" class=" wp-image-71392" src="https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network.png" alt="" width="749" height="464" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network.png 2556w, https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network-768x476.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network-1536x952.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network-2048x1269.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2025/05/funnull-network-782x485.png 782w" sizes="(max-width: 749px) 100vw, 749px" />A graphic from the FBI explaining how Funnull generated a slew of new domains on a regular basis and mapped them to Internet addresses on U.S. cloud providers.</div>
Silent Push <a href="https://www.silentpush.com/blog/infrastructure-laundering/" target="_blank" rel="noopener">revisited Funnull’s infrastructure</a> in January 2025 and found Funnull was still using many of the same Amazon and Microsoft cloud Internet addresses identified as malicious in its October report. Both Amazon and Microsoft pledged to rid their networks of Funnull’s presence following that story, but according to Silent Push’s Zach Edwards only one of those companies has followed through.
Edwards said Silent Push no longer sees Microsoft Internet addresses showing up in Funnull’s infrastructure, while Amazon continues to struggle with removing Funnull servers, including one that appears to have first materialized in 2023.
“Amazon is doing a terrible job — every day since they made those claims to you and us in our public blog they have had IPs still mapped to Funnull, including some that have stayed mapped for inexplicable periods of time,” Edwards said.
Amazon said its Amazon Web Services (AWS) hosting platform actively counters abuse attempts.
“We have stopped hundreds of attempts this year related to this group and we are looking into the information you shared earlier today,” reads a statement shared by Amazon. “If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety using the report abuse form <a href="https://support.aws.amazon.com/#/contacts/report-abuse" target="_blank" rel="noopener">here</a>.”

U.S. based cloud providers remain an attractive home base for cybercriminal organizations because many organizations will not be overly aggressive in blocking traffic from U.S.-based cloud networks, as doing so can result in blocking access to many legitimate web destinations that are also on that same shared network segment or host.
What’s more, funneling their bad traffic so that it appears to be coming out of U.S. cloud Internet providers allows cybercriminals to connect to websites from web addresses that are geographically close(r) to their targets and victims (to sidestep location-based security controls by your bank, for example).
Funnull is not the only cybercriminal infrastructure-as-a-service provider that was sanctioned this month: On May 20, 2025, the European Union <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500966" target="_blank" rel="noopener">imposed sanctions</a> on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
In May 2024, KrebsOnSecurity published <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">a deep dive on Stark Industries Solutions</a> that found much of the malicious traffic traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers. My reporting showed how deeply Stark had penetrated U.S. ISPs, and that its co-founder for many years sold “bulletproof” hosting services that told Russian cybercrime forum customers they would proudly ignore any abuse complaints or police inquiries.
<div id="attachment_67471" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67471" decoding="async" loading="lazy" class=" wp-image-67471" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/stark-industries-solutions.png" alt="" width="748" height="464" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/05/stark-industries-solutions.png 1197w, https://krebsonsecurity.com/wp-content/uploads/2024/05/stark-industries-solutions-768x477.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/05/stark-industries-solutions-782x485.png 782w" sizes="(max-width: 748px) 100vw, 748px" />The homepage of Stark Industries Solutions.</div>
That story examined the history of Stark’s co-founders, Moldovan brothers Ivan and Yuri Neculiti, who each denied past involvement in cybercrime or any current involvement in assisting Russian disinformation efforts or cyberattacks. Nevertheless, the EU sanctioned both brothers as well.
The EU said Stark and the Neculti brothers “enabled various Russian state-sponsored and state-affiliated actors to conduct destabilising activities including coordinated information manipulation and interference and cyber-attacks against the Union and third countries by providing services intended to hide these activities from European law enforcement and security agencies.”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams/feed/</wfw:commentRss>
<slash:comments>14</slash:comments>
</item>
<item>
<title>Pakistan Arrests 21 in ‘Heartsender’ Malware Service</title>
<link>https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/</link>
<comments>https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 28 May 2025 17:41:47 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Breadcrumbs]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Abdul Moiz]]></category>
<category><![CDATA[Adnan Munawar]]></category>
<category><![CDATA[Atif Hussain]]></category>
<category><![CDATA[Awais Rasool]]></category>
<category><![CDATA[Bilal Ahmad]]></category>
<category><![CDATA[Burhanul Haq]]></category>
<category><![CDATA[Dilbar Hussain]]></category>
<category><![CDATA[DomainTools.com]]></category>
<category><![CDATA[FudCo]]></category>
<category><![CDATA[Fudpage]]></category>
<category><![CDATA[Fudtools]]></category>
<category><![CDATA[Hamad Nawaz]]></category>
<category><![CDATA[HeartSender]]></category>
<category><![CDATA[Hussnain Haider]]></category>
<category><![CDATA[Muhammad Adeel Akram]]></category>
<category><![CDATA[Muhammad Aslam]]></category>
<category><![CDATA[Muhammad Nowsherwan]]></category>
<category><![CDATA[Muhammad Umar Irshad]]></category>
<category><![CDATA[National Cyber Crime Investigation Agency]]></category>
<category><![CDATA[NCCIA Director Abdul Ghaffar]]></category>
<category><![CDATA[Rameez Shahzad]]></category>
<category><![CDATA[Saim Raza]]></category>
<category><![CDATA[Scylla Intel]]></category>
<category><![CDATA[Syed Saim Ali Shah]]></category>
<category><![CDATA[Usama Farooq]]></category>
<category><![CDATA[Usama Mehmood]]></category>
<category><![CDATA[WeCodeSolutions]]></category>
<category><![CDATA[Yasir Ali]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71337</guid>
<description><![CDATA[Authorities in Pakistan have arrested 21 individuals accused of operating "Heartsender," a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.]]></description>
<content:encoded><![CDATA[Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.
<div id="attachment_56867" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-56867" decoding="async" loading="lazy" class=" wp-image-56867" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam.png" alt="" width="750" height="351" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam.png 1694w, https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam-768x359.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam-1536x718.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam-782x366.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Some of the core developers and sellers of Heartsender posing at a work outing in 2021. WeCodeSolutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.</div>
A <a href="https://www.dawn.com/news/1911691" target="_blank" rel="noopener">report</a> from the Pakistani media outlet Dawn states that authorities there arrested 21 people alleged to have operated Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me. Pakistan’s National Cyber Crime Investigation Agency (NCCIA) reportedly conducted raids in Lahore’s Bahria Town and Multan on May 15 and 16.
The NCCIA told reporters the group’s tools were connected to more than $50m in losses in the United States alone, with European authorities investigating 63 additional cases.
“This wasn’t just a scam operation – it was essentially a cybercrime university that empowered fraudsters globally,” NCCIA Director Abdul Ghaffar said at a press briefing.
In January 2025, the FBI and the Dutch Police <a href="https://krebsonsecurity.com/2025/01/fbi-dutch-police-disrupt-manipulaters-phishing-gang/" target="_blank" rel="noopener">seized the technical infrastructure</a> for the cybercrime service, which was marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
The FBI says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.
Dawn reported that those arrested included Rameez Shahzad, the alleged ringleader of the Heartsender cybercrime business, which most recently operated under the Pakistani front company WeCodeSolutions. Mr. Shahzad was named and pictured in a 2021 KrebsOnSecurity story about <a href="https://krebsonsecurity.com/2021/09/fudco-spam-empire-tied-to-pakistani-software-firm/" target="_blank" rel="noopener">a series of remarkable operational security mistakes</a> that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.
Prior to folding their operations behind WeCodeSolutions, Shahzad and others arrested this month operated as a web hosting group calling itself The Manipulaters. KrebsOnSecurity <a href="https://krebsonsecurity.com/2015/05/phishing-gang-is-audacious-manipulator/" target="_blank" rel="noopener">first wrote about The Manipulaters in May 2015</a>, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.
Sometime in 2019, The Manipulaters <a href="https://krebsonsecurity.com/2021/09/fudco-spam-empire-tied-to-pakistani-software-firm/" target="_blank" rel="noopener">failed to renew their core domain name</a> — manipulaters[.]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by <a href="https://www.scyllaintel.com/" target="_blank" rel="noopener">Scylla Intel</a>, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners.
In 2024, DomainTools.com <a href="https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec/" target="_blank" rel="noopener">found</a> the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees. DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”
Shahzad allegedly used the alias “Saim Raza,” an identity which has contacted KrebsOnSecurity multiple times over the past decade with demands to remove stories published about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had quit the cybercrime industry and turned over a new leaf after a brush with the Pakistani police.
The arrested suspects include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/feed/</wfw:commentRss>
<slash:comments>12</slash:comments>
</item>
<item>
<title>Oops: DanaBot Malware Devs Infected Their Own PCs</title>
<link>https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/</link>
<comments>https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 22 May 2025 21:53:21 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Aleksandr Stepanov]]></category>
<category><![CDATA[Artem Aleksandrovich Kalinkin]]></category>
<category><![CDATA[DanaBot]]></category>
<category><![CDATA[DCIS]]></category>
<category><![CDATA[Defense Criminal Investigative Service]]></category>
<category><![CDATA[ESET]]></category>
<category><![CDATA[fbi]]></category>
<category><![CDATA[Flashpoint]]></category>
<category><![CDATA[google]]></category>
<category><![CDATA[Intel 471]]></category>
<category><![CDATA[JimmBee]]></category>
<category><![CDATA[Lumen]]></category>
<category><![CDATA[Lumma Stealer]]></category>
<category><![CDATA[Maffiozi]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[Onix]]></category>
<category><![CDATA[Paypal]]></category>
<category><![CDATA[proofpoint]]></category>
<category><![CDATA[team cymru]]></category>
<category><![CDATA[U.S. Department of Justice]]></category>
<category><![CDATA[Zscaler]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=71351</guid>
<description><![CDATA[The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.]]></description>
<content:encoded><![CDATA[The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
<div id="attachment_71354" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71354" decoding="async" loading="lazy" class=" wp-image-71354" src="https://krebsonsecurity.com/wp-content/uploads/2025/05/danabot.png" alt="" width="749" height="650" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/05/danabot.png 817w, https://krebsonsecurity.com/wp-content/uploads/2025/05/danabot-768x666.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/05/danabot-782x679.png 782w" sizes="(max-width: 749px) 100vw, 749px" />DanaBot’s features, as promoted on its support site. Image: welivesecurity.com.</div>
Initially <a href="https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0" target="_blank" rel="noopener">spotted</a> in May 2018 by researchers at the email security firm Proofpoint, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.
Today, the U.S. Department of Justice unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.
The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as Aleksandr Stepanov, 39, a.k.a. “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant Gazprom. His Facebook profile name is “Maffiozi.”
According to the FBI, there were at least two major versions of DanaBot; the first was sold between 2018 and June 2020, when the malware stopped being offered on Russian cybercrime forums. The government alleges that the second version of DanaBot — emerging in January 2021 — was provided to co-conspirators for use in targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany, and Russia.
“Unindicted co-conspirators would use the Espionage Variant to compromise computers around the world and steal sensitive diplomatic communications, credentials, and other data from these targeted victims,” reads a grand jury indictment dated Sept. 20, 2022. “This stolen data included financial transactions by diplomatic staff, correspondence concerning day-to-day diplomatic activity, as well as summaries of a particular country’s interactions with the United States.”
The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.
“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”
<div id="attachment_71359" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71359" decoding="async" loading="lazy" class=" wp-image-71359" src="https://krebsonsecurity.com/wp-content/uploads/2025/05/eset-danabotmap.png" alt="" width="750" height="479" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/05/eset-danabotmap.png 846w, https://krebsonsecurity.com/wp-content/uploads/2025/05/eset-danabotmap-768x490.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/05/eset-danabotmap-782x499.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Image: welivesecurity.com</div>
A <a href="https://www.justice.gov/usao-cdca/pr/16-defendants-federally-charged-connection-danabot-malware-scheme-infected-computers" target="_blank" rel="noopener">statement</a> from the DOJ says that as part of today’s operation, agents with the Defense Criminal Investigative Service (DCIS) seized the DanaBot control servers, including dozens of virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms with providing assistance to the government, including ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team CYMRU, and ZScaler.
It’s not unheard of for financially-oriented malicious software to be repurposed for espionage. A variant of the ZeuS Trojan, which was used in countless online banking attacks against companies in the United States and Europe between 2007 and at least 2015, was for a time diverted to espionage tasks by its author.
As detailed <a href="https://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-gang/" target="_blank" rel="noopener">in this 2015 story,</a> the author of the ZeuS trojan created a custom version of the malware to serve purely as a spying machine, which scoured infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.
The public charging of the 16 DanaBot defendants comes a day after Microsoft <a href="https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/" target="_blank" rel="noopener">joined</a> a slew of tech companies in <a href="https://www.justice.gov/opa/pr/justice-department-seizes-domains-behind-major-information-stealing-malware-operation" target="_blank" rel="noopener">disrupting the IT infrastructure</a> for another malware-as-a-service offering — <a href="https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/" target="_blank" rel="noopener">Lumma Stealer</a>, which is likewise offered to affiliates under tiered subscription prices ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control over 2,300 domain names used by Lumma Stealer and its affiliates.
Further reading:
<a href="https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/" target="_blank" rel="noopener">Danabot: Analyzing a Fallen Empire</a>
<a href="https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense" target="_blank" rel="noopener">ZScaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense</a>
<a href="https://flashpoint.io/blog/operation-endgame-danabot-malware/" target="_blank" rel="noopener">Flashpoint: Operation Endgame DanaBot Malware</a>
<a href="https://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii" target="_blank" rel="noopener">Team CYMRU: Inside DanaBot’s Infrastructure: In Support of Operation Endgame II</a>
<a href="https://www.justice.gov/usao-cdca/media/1401361/dl?inline" target="_blank" rel="noopener">March 2022 criminal complaint v. Artem Aleksandrovich Kalinkin</a>
<a href="https://www.justice.gov/usao-cdca/media/1401356/dl?inline" target="_blank" rel="noopener">September 2022 grand jury indictment naming the 16 defendants</a>
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/feed/</wfw:commentRss>
<slash:comments>13</slash:comments>
</item>
</channel>
</rss>
<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/
Object Caching 310/310 objects using memcached
Page Caching using memcached (User agent is rejected)
Database Caching using memcached
Served from: krebsonsecurity.com @ 2025-07-10 19:30:12 by W3 Total Cache
-->

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH

Home · About · News · Docs · Terms