African cops bust 651 suspected cyber scammers across 16 countries
WVA AG sues Apple over alleged CSAM stored in iCloud, Ukrainian man sentenced to five years for role in DPRK remote IT worker scheme, Systems at Mississippi's only medical center struck down by cyber incident, Predator spyware can shut down recording indicators, much more

Metacurity has been following cybersecurity, surveillance, and power as they unfold day by day—tracking patterns, context, and connections that most other sources miss. We go beyond the usual infosec news echo chamber, highlighting what’s real, overlooked, and often missed by traditional outlets. Please consider supporting our work by upgrading your subscription. Thank you!
Interpol announced that African law enforcement agencies arrested 651 suspects and recovered over $4.3 million in a joint operation targeting investment fraud, mobile money scams, and fake loan applications.
Operation Red Card 2.0 identified 1,247 victims between December 8 and January 30 while targeting cybercrime operations linked to over $45 million in financial losses.
Authorities across 16 countries also seized 2,341 devices and took down 1,442 malicious websites, domains, and servers during this joint action coordinated by the African Joint Operation against Cybercrime (AFJOC).
In Nigeria, police officers dismantled an investment fraud ring that was recruiting young people to run phishing, identity theft, and fake investment schemes, taking down over 1,000 fraudulent social media accounts in the process. They also arrested six members of a Nigerian cybercrime gang that used stolen employee credentials to breach a major telecom provider.
Kenyan investigators also apprehended 27 suspects while investigating fraud networks that used social media and messaging platforms to lure victims into fake investment schemes.
In Côte d'Ivoire, 58 suspects were arrested as part of a crackdown on predatory mobile loan apps that targeted victims with hidden fees and abusive debt-collection practices.
"These organized cybercriminal syndicates inflict devastating financial and psychological harm on individuals, businesses and entire communities with their false promises," said Neal Jetton, the head of INTERPOL's Cybercrime Directorate. (Sergiu Gatlan / Bleeping Computer)
Related: Interpol, Security Affairs, IT Wire, BBC News Pidgin, Business Wire, Help Net Security

West Virginia Attorney General JB McCuskey accused Apple in a lawsuit of allowing its iCloud platform to be used to store and distribute child sexual abuse material.
It’s the latest claim against Apple that alleges the company knowingly failed to stop the spread of sexual content featuring children — and according to McCuskey, the first to be brought by a governmental agency (last year, a federal judge threw out a similar class action case against the company). And it comes as the tech industry faces mounting global pressure to address how its platforms harm children.
In a statement, McCuskey said Apple knew the spread of illicit content on its platform was a problem but took “no meaningful action to stop it.” He said he filed the lawsuit “to demand Apple follow the law, report these images, and stop re-victimizing children by allowing these images to be stored and shared.”
In addition to damages, the lawsuit filed in the Circuit Court of Mason County seeks to force Apple to implement new measures to detect child abuse materials and make its products safer in the future. (Brendan Bordelon / Politico)
Related: Office of the West Virginia Attorney General, West Virginia E-Filing Notice, New York Times, AndroidHeadlines.com, The Mac Observer, MacRumors, Engadget
The US Justice Department announced that Oleksandr Didenko, a Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to hire remote IT workers at US companies, was sentenced to five years in prison.
Didenko stole US citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.
Didenko ran a site, upworksell.com, to sell the stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee, and California, according to court records. He managed up to 871 identities through the laptop farms and helped North Korean technical workers gain employment at 40 US companies.
Didenko funneled money from Americans and US businesses into the coffers of North Korea’s hostile regime, Jeanine Pirro, US attorney for the District of Columbia, said. (Matt Kapko / CyberScoop)
Related: Justice Department, Help Net Security, NK News, Bleeping Computer
The University of Mississippi Medical Center closed all its statewide clinics and canceled many appointments Thursday and Friday after a cybersecurity attack shut down all its computer systems, an incident officials expect to last multiple days.
The state’s only academic medical center said that many of its IT systems are down after the attack. That includes the electronic medical record system, which stores patient medical history, billing, test results, appointment booking, and chart documentation.
Dr. LouAnn Woodward, vice chancellor of the medical center, said at a press conference Thursday morning that all UMMC’s locations were impacted. She said the hospital was continuing to provide urgent, time-sensitive services using protocols that can function without electronic medical records, like paper charts. Emergency services will also continue to be available.
She said UMMC was trying to determine what would happen to patients’ personal information stored in the hospital’s computer systems, but the hospital had taken down the systems to prevent potential privacy breaches.
“We are working to mitigate all the risks that we know of,” she said.
In addition to suspending its clinic operations Thursday and Friday, the hospital system canceled all elective procedures, except for those at the Jackson Medical Mall’s dialysis clinic.
When asked about what impact the attack would have on the UMMC emergency service communication system, Dr. Alan Jones, vice chancellor for health affairs at UMMC, said that the system could operate independently of the regular hospital operations and should be capable of functioning during the attack.
He said the university was working to set up a phone line for patients to get more information about rescheduled or upcoming appointments, in addition to creating an operational plan for providing other medical services. (Allen Siegler / Mississippi Today)
Related: UMMC on Facebook, Healthcare Executive, WAPT, WLBT, Mississippi Free Press, Bank Info Security, WJTV, The Daily Mississippian
Security researchers at Jamf found that Predator spyware can prevent iOS video and microphone recording indicators from appearing.
It's not a standalone attack, though — the technique is post-compromise behavior, and the analysis doesn't describe a new iOS vulnerability or a flaw that needs patching.
Predator does this by injecting code into SpringBoard, which manages the status bar and home screen. By intercepting sensor activity updates before they reach the UI, Predator allows the camera or microphone to operate without triggering the familiar green or orange dot.
Otherwise, the iPhone continues to function normally, giving users no obvious reason to suspect surveillance. Apps still launch, notifications arrive, and the interface behaves as expected, but the visual indicator never appears. (Andrew Orr / Apple Insider)
Related: Gizchina, IT Home, Jamf
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of a critical vulnerability in multiple Honeywell CCTV products that allows unauthorized access to feeds or account hijacking.
Discovered by researcher Souvik Kanda and tracked as CVE-2026-1670, the security issue is classified as “missing authentication for critical function,” and received a critical severity score of 9.8.
The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling account takeover and unauthorized access to camera feeds.
“The affected product is vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the 'forgot password' recovery email address,” CISA says.
Honeywell has not published an advisory on CVE-2026-1670, but users are advised to contact the company’s support team for patch guidance. (Bill Toulas / Bleeping Computer)
Related: CISA, Security Affairs, Cyber Press, Tech Radar
A hacker tricked popular AI coding tool Cline into installing OpenClaw absolutely everywhere.
The hacker took advantage of a vulnerability in Cline that security researcher Adnan Khan had surfaced just days earlier as a proof of concept.
Cline’s workflow used Anthropic’s Claude, which could be fed sneaky instructions and made to do things it shouldn’t, a technique known as prompt injection.
The hacker used their access to slip through instructions to install software on users’ computers automatically.
They could have installed anything, but they opted for OpenClaw. Fortunately, the agents were not activated upon installation. (Robert Hart / The Verge)
Related: StepSecurity, Dark Reading
Microsoft has put forward a blueprint, shared with MIT Technology Review, for how to prove what’s real online.
An AI safety research team at the company recently evaluated how methods for documenting digital manipulation are faring against today’s most worrying AI developments, like interactive deepfakes and widely accessible hyperrealistic models. It then recommended technical standards that can be adopted by AI companies and social media platforms.
Microsoft evaluated 60 different combinations of methods for vetting content online, modeling how each setup would hold up under different failure scenarios—from metadata being stripped to content being slightly altered or deliberately manipulated. The team then mapped which combinations produce sound results that platforms can confidently show to people online, and which ones are so unreliable that they may cause more confusion than clarification. (James O'Donnell / MIT Tech Review)
Related: Microsoft Research, Microsoft, Microsoft Research, r/technews
Car shopping site CarGurus purportedly suffered a data breach with 1.7 million corporate records stolen, according to a notorious cybercrime crew that posted the online vehicle marketplace on its leak site.
"This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way," ShinyHunters wrote in its announcement. The digital crooks claimed the compromised files included personally identifiable information and "other internal corporate data."
According to ShinyHunters, the breach occurred on February 13, and it was part of the gang’s code-stealing spree in which they used voice phishing to obtain single-sign-on codes from users of Okta, Microsoft, and Google services. (Jessica Lyons / The Register)
Related: Tech Radar, SC Media
Japanese semiconductor testing equipment maker Advantest Corp. said that part of its internal systems has been accessed illegally from outside in what may be a ransomware attack.
The company said that unusual activity was detected in its information technology environment on Sunday. It isolated the affected systems and began an investigation in coordination with external cybersecurity specialists.
The incident may involve ransomware, which encrypts data and demands payment for its release. Advantest said it is assessing the scope of the impact, including whether any customer or employee information was compromised. (JiJi Press)
Related: The Record, Cyber Press, Security Week
The Washington Hotel brand in Japan announced that its servers were compromised in a ransomware attack, exposing various business data.
The hospitality group has established an internal task force and engaged external cybersecurity experts to assess the impact of the intrusion, determine whether customer data was compromised, and coordinate recovery efforts.
According to the company’s disclosure, hackers breached its network on Friday, February 13, 2026, at 22:00 (local time). The IT staff immediately disconnected servers from the internet to prevent the attack from spreading on the network. (Bill Toulas / Bleeping Computer)
Related: Frontier Enterprise, Tech Radar, SC Media, Cyber Press
According to a new security bulletin issued by the FBI, hackers have rapidly ramped up their attacks on ATMs in recent years, with more than 700 attacks on cash dispensers during 2025 alone, netting them at least $20 million in stolen cash.
The FBI says hackers are using a mix of physical access to ATMs, such as generic keys for unlocking front panels and accessing hard drives, and digital tools, like planting malware that can force ATMs to dispense cash in a flash.
The FBI warned that one particular malware, known as Ploutus, affects a variety of ATM manufacturers and cash dispensers by targeting the underlying Windows operating system that powers many ATMs. Ploutus grants the hackers full control over a compromised ATM, allowing them to issue instructions capable of tricking the dispenser into disbursing notes without drawing funds from customer accounts.
Ploutus takes advantage of extensions for financial services, or XFS software, which ATMs rely on to communicate with their various other hardware components, such as the PIN keypad, the card reader, and the all-important cash dispensing unit.
“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn,” per the FBI bulletin. (Zack Whittaker / TechCrunch)
Related: IC3, Recorded Future, Security Affairs, The Register, Bleeping Computer, Hoodline
In its latest Android app ecosystem safety report, Google said it prevented 1.75 million policy-violating apps from being published on Google Play in 2025, down from 2.36 million in 2024 and 2.28 million in 2023.
Google says it banned more than 80,000 developer accounts in 2025 that had tried to publish these types of bad apps. That figure is also down year-over-year from 158,000 in 2024 and 333,000 in 2023.
Google noted it now runs over 10,000 safety checks on every app it publishes and continues to recheck apps after publication. The company has also integrated its latest generative AI models into the app review process, which has helped human reviewers find more complex malicious patterns faster. Google said it plans to increase its AI investments in 2026 to stay ahead of emerging threats.
In addition, Google said it prevented more than 255,000 apps from gaining excessive access to sensitive user data, a figure that’s down from 1.3 million in 2024. The company also blocked 160 million spam ratings and reviews last year, and prevented an average 0.5-star rating drop for apps targeted by review bombing.
Meanwhile, Android’s defense system, known as Google Play Protect, identified more than 27 million new malicious apps and either warned users or blocked the apps from running. That’s an increase from the 13 million non-Play Store apps identified in 2024 and five million seen in 2023. These increases suggest that bad actors are now more often avoiding the Play Store when targeting users with their malicious apps. (Sarah Perez / TechCrunch)
Related: Google Online Security Blog, The Keyword, Moneycontrol, BleepingComputer, Android Central, iPhone in Canada, Droid Life, PhoneArena, Android Authority

In an email, sex toy maker Tenga notified customers of a data breach.
In the message, the Japanese company said that “an unauthorized party gained access to the professional email account of one of our employees,” which gave the hacker access to the contents of the employee’s inbox. This access potentially allowed the hacker to see and steal customer names, email addresses, and historical email correspondence, “which may include order details or customer service inquiries.”
The hacker also sent spam emails to the hacked employee’s contacts, including customers, according to the email sent to customers.
A Tenga spokesperson said that the breach affected “approximately 600 people” in the United States, based on a forensic review. “We have already proactively contacted those who may have been impacted to ensure their safety and provide guidance,” said the spokesperson. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: SC Media, Security Affairs, Tech Radar
Researchers at ESET discovered PromptSpy, the first known Android malware to use generative AI in its execution flow; it uses Google’s Gemini model to adapt its persistence technique to different devices.
While machine learning models have previously been used by Android malware to analyze screenshots for ad fraud, ESET says that PromptSpy is the first known case of Android malware integrating generative AI directly into its execution.
On some Android devices, users can "lock" or "pin" an app in the Recent Apps list by long-pressing it and selecting a lock option. When an app is locked this way, Android is less likely to terminate it during memory cleanup or when the user taps "Clear all."
For legitimate apps, this prevents background processes from being killed. For malware like PromptSpy, it can serve as a persistence mechanism.
However, the method used to lock or pin an app varies between manufacturers, making it hard for malware to script the right way to do so on every device. That is where AI comes into play.
PromptSpy sends Google's Gemini model a chat prompt along with an XML dump of the current screen, including the visible UI elements, text labels, class types, and screen coordinates.
While the distribution of this malware appears very limited, it demonstrates how threat actors are using generative AI to not only create attacks and phishing sites, but also to modify malware behavior in real time. (Lawrence Abrams / Bleeping Computer)
Related: We Live Security, Security Week, Security Affairs, Computer Weekly, Help Net Security, Cyber Insider
The Fulu Foundation, which pays out bounties to people who can remove user-hostile features on connected devices, is now offering a potential payout of $10,000 to encourage hackers and tinkerers to disable software features that require Ring devices to send data to Amazon.
To get a Fulu bounty, winners don’t actually need to release their findings to the public, as doing so could expose them to legal action for violating Section 1201 of the Digital Millennium Copyright Act, which prohibits circumventing digital locks.
Like all Fulu bounty winners, the recipient will be able to choose if they want to release their work and thereby open themselves up to legal rebuke. (Boone Ashworth / Wired)
Related: Fulu Foundation, The Verge
Alexandra Seymour, principal deputy assistant cyber director for policy in the White House's Office of the National Cyber Director, said the Trump administration wants to boost the use of artificial intelligence for security in a way that doesn’t increase the number of targets for adversaries to attack.
The administration will “promote the rapid implementation of AI-enabled cyber defensive tools to detect, divert, and deceive threat actors who continue targeting our vital systems and sectors,” Seymour said at CyberTalks, presented by CyberScoop. “We want to ensure that as Americans, companies and agencies deploy AI to defend themselves, they are not inadvertently making themselves more vulnerable by widening the attack surface.”
Overall, “We’re working with our interagency and White House colleagues to promote AI-driven success while addressing concerns about AI security and countering AI abuse by adversaries,” she said.
The focus on AI is expected to get further attention from a forthcoming national cyber strategy and the implementation of that strategy due to follow. (Tim Starks / CyberScoop)
Related: NextGov
Best Thing of the Day: We're All Connected
Gharun Lacy, Deputy Assistant Secretary for the Cyber and Technology Security Directorate at the Department of State, issued a challenge for cybersecurity defenders to view their own individual “post-quantum” encryption plans as a small part in a greater collective project to make the entire digital ecosystem more resilient against longer-term threats like quantum-enabled cyberattacks.
Worst Thing of the Day: A Double Whammy From Threat Actors
A website is actively approaching victims of the Odido data breach in the Netherlands, claiming they can file a claim for damages against the telecom company by making a one-time payment of up to €50.
Closing Thought
