A hacker stole content from the Telemessage system used by the US government
Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more


A hacker breached and stole customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages.
The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.
Waltz's own chats with Marco Rubio, Tulsi Gabbard, and JD Vance passed through the app. The tool contained serious vulnerabilities that allowed the hacker to trivially access the archived chats of some other people who used it.
According to screenshots of messages and backend systems, the hacked material includes data related to Customs and Border Protection (CBP), the cryptocurrency giant Coinbase, and other financial institutions.
The hacker did not access all messages stored or collected by TeleMessage, but could likely have accessed more data if they had chosen to. The incident underscores the extreme risk of taking an ordinarily secure end-to-end encrypted messaging app such as Signal and bolting an archiving feature onto it: the archive server necessarily holds decrypted copies of the messages, which puts them outside the protection end-to-end encryption is meant to provide.
“I would say the whole process took about 15-20 minutes,” the hacker said, describing how they broke into TeleMessage’s systems. “It wasn’t much effort at all.”
One screenshot mentions Scotiabank. Financial institutions might turn to a tool like TeleMessage to comply with regulations around keeping copies of business communications. Governments have legal requirements to preserve messages similarly.
Another screenshot indicates that the Intelligence Branch of the Washington D.C. Metropolitan Police may be using the tool. (Joseph Cox and Micah Lee / 404 Media and Micah Lee Blog)
Related: New York Times, Reuters, Silicon Angle, micahflee, NBC News, 404 Media, WinBuzzer, The Independent, Pixel Envy, Hacker News (ycombinator), r/Military, r/inthenews, r/signal, r/politics, r/neoliberal, r/technology, r/law, r/cybersecurity, r/republicans

Reporting by German publication BR24 and its international partners uncovered a criminal network in Asia that is fueling a global scam that uses fake text messages to steal credit card details from huge numbers of people, enabled by a mastermind who calls himself Darcula, a name reminiscent of Count Dracula.
The scammers send millions of messages to smartphones worldwide, such as: "Hello, a hold has been placed on your DHL Express parcel. Please review and update your shipment information below." That is how they lure their victims into the trap.
A database created by the criminal network and provided to the journalists by cybersecurity company Mnemonic lists hundreds of thousands of victims. It came with a copy of the software the network uses for the fraud and more than 40,000 messages from its internal chat groups on a messenger service.
The software used for the fraud is called "Magic Cat", and it allows the creation of almost perfect imitations of websites belonging to companies and organizations in more than 130 countries with just a few clicks. The scammers frequently create copies of postal and package delivery companies, but electricity utilities and official agencies are also in their portfolios.
When someone opens a fake website, the software plays a computer voice in Chinese: "A user has successfully opened the website." The scammers can then watch in real time as victims enter their data. Because input is captured as it is typed rather than when a form is submitted, data is recorded even if the user deletes it before sending.
The journalists' investigation revealed that Darcula is likely a 24-year-old Chinese man named Yucheng C., who is likely behind the Magic Cat software.
The database provided to BR does not indicate that the software developer is stealing credit card data himself. He leases the software using go-betweens to other perpetrators, who must pay several hundred dollars weekly. (Alexander Nabert, Sammy Khamis, Arne Meyer-Fünffinger, Maximilian Zierer, and Marco Lehner / BR24)
Related: Le Monde, NRK, Mnemonic

The UK supermarket chain Co-op said hackers were able to access and extract customer data from one of its systems during a recent cyberattack.
“The accessed data included information relating to a significant number of our current and past members,” the company said. “This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.”
This news comes as the cybercrime gang DragonForce took credit for a disruptive campaign of attacks over the last two weeks targeting Co-op and at least two other British retailers, Marks & Spencer (M&S) and Harrods.
Separately, an insider said it could be "months" before M&S fully recovers from an ongoing, severe cyber attack and that the company had no plan for such an incident.
In the meantime, M&S staff are being forced to work on personal devices in an ad-hoc manner, with internal advice constantly changing, according to the insider. (Ryan Gallagher / Bloomberg and Tom Cheshire / Sky News)
Related: Marketwatch, Daily Mail, NCSC, BleepingComputer, BBC, DoublePulsar, Engadget, Associated Press, Hackread, Al Jazeera, ComputerWeekly.com, Financial Times, Infosecurity Magazine
The pro-Russian hacker group NoName057(16) claimed responsibility for a cyberattack on the official websites of Romanian government institutions on May 4, the day of voting in the first round of the presidential election.
The hackers stated on their Telegram channel that they managed to "send DDoS surprises" to the Ministry of Internal Affairs and the Ministry of Justice of Romania's websites.
According to the Romanian National Cybersecurity Directorate, seven other websites of state institutions and presidential candidates, including the official website of the candidate from the government coalition, Crin Antonescu, were affected in addition to the ministries' websites. (Mariia Spaliek / Liga.net and TechRider)
Related: UNN, Euro Weekly News, Politico EU
US prosecutors announced they have indicted 36-year-old Rami Khaled Ahmed, a Yemeni national believed to be the developer and primary operator of 'Black Kingdom' ransomware.
Ahmed is accused of deploying the Black Kingdom malware on roughly 1,500 computers in the United States and abroad, demanding ransom payments of $10,000 in Bitcoin.
DOJ said, "According to the indictment, from March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin."
Black Kingdom operators gained initial access by exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server, a set of critical flaws (the entry point being the pre-authentication server-side request forgery tracked as CVE-2021-26855) that were disclosed and exploited in the wild in early 2021.
Researcher Marcus Hutchins first reported the connection in March 2021, after discovering web shells that Black Kingdom operators had dropped on Exchange servers vulnerable to ProxyLogon attacks.
The ransomware itself was deployed after that foothold had been established. (Bill Toulas / Bleeping Computer)
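The web shells Hutchins found were the follow-on to ProxyLogon exploitation, which leaves characteristic traces in the Exchange server's IIS request logs. The following Python script is an added example, not code from the indictment, the reporting, or Hutchins' research: it parses W3C-format IIS log lines and flags the unauthenticated POST patterns associated with ProxyLogon exploitation, plus any .aspx file requested from the web directories where operators dropped shells. The request paths, the allowlist of legitimate auth pages, and the sample log lines are constructed assumptions modeled on public post-incident guidance; tune them against a known-clean server of the same Exchange build before relying on them.

```python
"""Hunt IIS W3C logs for ProxyLogon exploitation and web-shell access (added example; patterns are assumptions)."""
import re

# Unauthenticated POSTs to these paths were the most visible exploitation artefact in public
# ProxyLogon guidance; the exact path list is an assumption for this example, not a complete IOC set.
EXPLOIT_PATTERNS = [
    (re.compile(r"^/owa/auth/Current/", re.I), "unauthenticated POST under /owa/auth/Current/"),
    (re.compile(r"^/ecp/default\.flt$", re.I), "unauthenticated POST to /ecp/default.flt"),
    (re.compile(r"^/ecp/main\.css$", re.I), "unauthenticated POST to /ecp/main.css"),
    (re.compile(r"^/ecp/[a-z0-9]\.js$", re.I), "unauthenticated POST to /ecp/<single character>.js"),
]

# Directories where dropped web shells were found, and the .aspx pages that legitimately live under
# /owa/auth/ (the allowlist is an assumption; extend it from a known-clean server of the same build).
WEBSHELL_DIRS = re.compile(r"^/(aspnet_client|owa/auth)/(?:[^/]+/)*([^/]+\.aspx)$", re.I)
KNOWN_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "expiredpassword.aspx"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields: header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record appears before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled record: skip rather than misalign the columns
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        yield rec


def scan_iis_log(text):
    """Return a list of findings; each names the log line, client IP, URI and why it was flagged."""
    findings = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        user = rec.get("cs-username", "-")  # "-" means the request carried no authenticated identity
        if method == "POST" and user == "-":
            for pattern, reason in EXPLOIT_PATTERNS:
                if pattern.search(stem):
                    findings.append({"line": rec["_line"], "client": rec.get("c-ip"), "uri": stem, "reason": reason})
        m = WEBSHELL_DIRS.match(stem)
        if m and m.group(2).lower() not in KNOWN_AUTH_PAGES:
            findings.append({"line": rec["_line"], "client": rec.get("c-ip"), "uri": stem,
                             "reason": f"unexpected .aspx under /{m.group(1)}/ (web shell candidate)"})
    return findings


# Constructed sample log: two ordinary OWA logon requests, three exploitation/web-shell hits from one
# client, and one authenticated request to a flagged path that must NOT be reported.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-04 02:11:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2021-03-04 02:11:10 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 45
2021-03-04 02:11:40 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 16
2021-03-04 02:11:41 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 12
2021-03-04 02:12:03 10.0.0.5 GET /aspnet_client/system_web/help.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 8
2021-03-04 02:12:05 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 CORP\\alice 10.0.0.9 Mozilla/5.0 - 200 0 0 20
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['uri']} -> {f['reason']}")
```

Run against real logs by reading the files under the Exchange server's `inetpub\logs\LogFiles` directory and passing their text to `scan_iis_log`. The authenticated POST on the last sample line is deliberately not reported: the ProxyLogon indicator is the combination of the path and an empty `cs-username`, and dropping that second condition floods the output with legitimate OWA theme requests.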
Related: Justice Department, The Record, The 420
According to a White House summary, Donald Trump’s fiscal 2026 budget proposal would slash $491 million from the budget of the Cybersecurity and Infrastructure Security Agency (CISA), amounting to a nearly 17% reduction to the agency’s approximately $3 billion budget.
“The Budget refocuses CISA on its core mission — Federal network defense and enhancing the security and resilience of critical infrastructure — while eliminating weaponization and waste,” a summary reads.
The budget would target reducing what it identified as “so-called” disinformation and misinformation programs and offices; “duplicative” programs of other programs at the state and federal level; “external engagement offices such as international affairs”; and consolidating “redundant security advisors and programs.”
CISA doesn’t have any offices explicitly dedicated to combating misinformation or disinformation. During Trump’s first administration, and continuing into a stretch of the Biden administration, CISA ran a “Rumor Control” website to dispel false information about the election process.
However, CISA, under the Biden administration, said it had halted communications with social media companies about election misinformation and disinformation. And the Trump administration has already placed some election security officials who worked on disinformation and misinformation on administrative leave. (Tim Starks / Cyberscoop)
Related: White House, Breaking Defense, The Hill, Raw Story, Roll Call, Jewish Telegraphic Agency, AlterNet.org, Government Executive, InsideDefense.com, Daily Kos, San Diego Union Tribune, Defense One, Government Technology State and Local Articles, Federal News Network, Washington Technology: News and Blogs, Fast Company, Ars Technica, Nextgov, SiliconANGLE, WinBuzzer
TikTok was fined 530 million euros ($600 million) by its lead EU privacy regulator, Ireland's Data Protection Commissioner (DPC), over concerns about how it protects user information and was ordered to suspend data transfers to China if its processing is not brought into compliance within six months.
The DPC said TikTok, owned by China's ByteDance, failed to show that EU users' personal data, some of which is remotely accessed by staff in China, was afforded the high level of protection provided for under EU law.
As a result, the DPC said that the short-video platform did not address potential access by Chinese authorities to the data under counter-espionage and other laws identified by TikTok as materially diverging from EU standards.
TikTok strongly contested the finding, saying it relied on the EU's legal framework, specifically the so-called standard contractual clauses, to grant tightly controlled and limited remote access, and that it plans to appeal the ruling. It also said the decision fails to fully consider data security measures first rolled out in 2023 that independently monitor remote access and ensure EU user data is stored in dedicated data centres in Europe and the United States. (Padraic Halpin / Reuters)
Related: Silicon UK, Silicon Republic, Sky News, NBC News Technology, OSnews, PhoneArena, City A.M. - Technology, Tech - Nikkei Asian Review, reddit TECH NEWS, AndroidHeadlines.com, CyberInsider, Digital Information World, The Guardian, Boing Boing, Washington Free Beacon, Techradar, Engadget, Mashable, The Register, Semafor, Technology | The Hill, Slashdot
The Qilin ransomware gang says it has stolen 150GB of sensitive information from the Cobb County government.
County services, including courthouse filing, jail databases, and public Wi-Fi, were taken offline after IT staff detected unauthorized users. The county says it did not pay any money to the hackers. (B.T. Clark / The Georgia Sun)
Related: Axios Cobb County, 11Alive, East Cobb News
A security lapse at the dating app Raw publicly exposed its users' personal data, including display names, dates of birth, dating and sexual preferences, and private location data.
Some location data included specific coordinates to locate Raw app users with street-level accuracy.
Raw claims on its website and in its privacy policy that its app and unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.
However, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, it found that the app was publicly spilling user data to anyone with a web browser.
Raw fixed the data exposure shortly after TechCrunch contacted the company with details of the bug. (Zack Whittaker / TechCrunch)
Related: Databreaches.net
Malicious actors infiltrated the New York Post’s X account to scam crypto users on the microblogging platform.
Some X users from the crypto community have recently reported receiving a private message from the New York Post’s X account inviting them to be featured in a podcast and to contact them via Telegram.
The messages were first discovered on May 3 by Kerberus founder and CEO Alex Katz, who shared a screenshot of a message, sent from the official nypost account, purporting to come from author and journalist Paul Sperry. He added that after sending the message, the scammer blocks the recipient from replying so that the actual New York Post team is not alerted to the compromise.
Donny Clutterbuck of Fomojis, a Bitcoin ordinals NFT platform, also reported being contacted by the hacker and suggested the lure could be set up for a Zoom exploit that triggers when the target enables audio.
Blockchain sleuth ZachXBT said this compromise was similar to one from a few weeks ago when direct messages were sent from The Defiant’s X account. (Martin Young / Cointelegraph)
Related: Cryptonews, Cryptorank, Binance, Cryptonowmics
On May 2, the official X account of TRON DAO was hijacked.
The attacker socially engineered a TRON DAO team member, gaining direct access to the organization's verified account. Once in, the attacker wasted no time: posting a scam contract address, sending direct messages to unsuspecting users, and following new accounts, all hallmarks of a phishing campaign in progress.
Even after TRON DAO logged the intruder out, they kept soliciting payments from users under the bogus pretense of selling promotional posts from the hijacked account. (Ammar Raza / TRON Weekly)
Related: Bitcoinist, Coinspeaker, Cointelegraph
Doppel, an AI-powered social engineering defense platform provider, announced it had raised $35 million in a Series B venture funding round.
Bessemer Venture Partners led the round with participation from 9Yards Capital and Sozo Ventures, a16z, South Park Commons, Strategic Cyber Ventures, Script Capital, and Sabrina Hahn. (Maria Deutscher / Silicon Angle)
Related: Doppel, MSSP Alert, FinSMEs, Forbes, VC News Daily
Application security startup Minimus Inc. announced it had raised $51 million in an unusually large seed venture funding round.
The funding came from YL Ventures LP and Mayfield Fund. (Duncan Riley / Silicon Angle)
Best Thing of the Day: Victory for Victims
Mr. Deepfakes, the go-to site for nonconsensual deepfake porn, says it’s shutting down and not coming back because it lost a service provider and data.
Worst Thing of the Day: Punching Us in the Stomach
According to the Food and Ag-ISAC, ransomware gangs are ramping up attacks on the food and agriculture industry in 2025.
Closing Thought
