Airlines, transportation sector are Scattered Spider's latest targets

Sinaloa cartel used hacked phone records and surveillance cameras to help kill FBI informants, Germany orders Apple and Google to remove DeepSeek from app stores, Fake US bank accounts fuel romance scam industry, Trump builds giant US citizen database, Canada orders Hikvision to shut down, more

[Image: white airliner on runway. Photo by Ivan Shimko / Unsplash]


The FBI and cybersecurity firms are warning that the prolific hacking group known as Scattered Spider is now targeting airlines and the transportation sector.

The FBI said it had “recently observed” cyberattacks resembling Scattered Spider's tactics expanding to include the airline sector.

Executives from Google’s cybersecurity unit, Mandiant, and Palo Alto Networks’ security research division, Unit 42, also said they have witnessed Scattered Spider cyberattacks targeting the aviation industry.

Scattered Spider is a collective of predominantly English-speaking hackers, typically teenagers and young adults, who are financially motivated to steal and extort sensitive data from company networks. The hackers are also known for their deception tactics, which often rely on social engineering, phishing, and sometimes threats of violence toward company help desks and call centers to gain access to their networks, and sometimes deploy ransomware.

The FBI’s statement added that the hackers may target large corporations and their third-party IT providers, meaning “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.” (Zack Whittaker / TechCrunch)

Related: CNN, Cyberscoop, Bleeping Computer, Reuters, Computer Weekly, DataBreachToday, The Record, PCMag, The Register, Airways Magazine, Travel Weekly, Aviation Week, Travel Age West, Business Insider, Security Affairs, PYMNTS, Men's Journal, NewsBytes, Charles Carmakal on LinkedIn, Sam Rubin on LinkedIn

The US Justice Department said in an Inspector General's audit that a hacker working for the Sinaloa drug cartel was able to obtain an FBI official's phone records and use Mexico City's surveillance cameras to help track and kill the agency's informants in 2018.

The audit focused on the FBI's efforts to mitigate the effects of "ubiquitous technical surveillance," a term used to describe the global proliferation of cameras and the thriving trade in vast stores of communications, travel, and location data.

The IG said that the hacker worked for a cartel run by "El Chapo," a reference to the Sinaloa drug cartel run by Joaquín "El Chapo" Guzmán, who was extradited to the United States in 2017.

The IG said the hacker identified an FBI assistant legal attaché at the US Embassy in Mexico City and was able to use the attaché's phone number "to obtain calls made and received, as well as geolocation data."

It further said the hacker also "used Mexico City's camera system to follow the (FBI official) through the city and identify people the (official) met with." The report said, "The cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses."

The report did not identify the alleged hacker, attaché, or victims. (Raphael Satter / Reuters)

Related: OIG.Justice.gov, CNN, The Guardian, ABC7, CyberScoop, The Sun

Germany's data protection Commissioner, Meike Kamp, asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere, saying that DeepSeek illegally transfers users' personal data to China.

The two US tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe.

The commissioner said she decided after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app.

DeepSeek did not comply with this request, she added.

DeepSeek shook the technology world in January with claims that it had developed an AI model to rival those from US firms such as ChatGPT creator OpenAI at much lower cost.

However, it has come under scrutiny in the United States and Europe for its data security policies. (Hakan Ersen and Miranda Murray / Reuters)

Related: PYMNTS.com, CNBC, PCMag, WinBuzzer, Asia Financial, Silicon Republic, Neowin, Moneycontrol, New York Post, Techstrong.ai, UPI, Silicon UK, MarketWatch, TechCrunch, The Decoder, Reuters, Yahoo Finance, Reclaim The Net, AppleInsider, Cryptopolitan, TipRanks Financial, Mobile World Live, MacDailyNews, MacTech.com, r/technology, r/privacy, r/europe, r/apple

A global problem is plaguing the banking industry in which cybercriminals use fake bank accounts to launder cash from US scam victims to crime syndicate bosses in Asia who run pig butchering or romance scam operations from prison-like compounds in Cambodia, Laos, and Myanmar.

US bank accounts are so crucial to the laundering process that a thriving international black market has developed to rent accounts for fraud. 

The massive demand for accounts used for misbehavior gives banks a crucial, and not always welcome, role as gatekeepers, a responsibility required by US law, to prevent criminals from opening accounts or engaging in money laundering.

Yet from the US to Singapore, Australia, and Hong Kong, banks have consistently failed at that responsibility, according to experts who have investigated money laundering, as well as reviews of fraudulent account details shared by victims and court cases.

The American Bankers Association, which represents the industry, acknowledged that “with more than 140 million bank accounts opened every year, bad actors can sometimes get through despite determined and ongoing efforts to stop them.” But the group said other industries like telecommunications providers and social media platforms need to do more to fight fraud because there’s only so much that financial institutions can do. (Cezary Podkul / ProPublica)

Related: Daily Hodl

An ad on Telegram, since taken down, offered bank accounts for “precision chat” — slang for pig-butchering — at Bank of America, Chase, Citibank and PNC. Under “advantages,” the ad listed “firsthand [control], people can go to the bank to transfer money … not a virtual account.”

The Trump administration has, for the first time ever, built a searchable national citizenship data system.

The tool, which is being rolled out in phases, is designed to be used by state and local election officials to give them an easier way to ensure only citizens are voting. But it was developed rapidly without a public process, and some of those officials are already worrying about what else it could be used for.

DHS, in partnership with the White House's Department of Government Efficiency (DOGE) team, has recently rolled out a series of upgrades to a network of federal databases to allow state and county election officials to quickly check the citizenship status of their entire voter lists, both US-born and naturalized citizens, using data from the Social Security Administration as well as immigration databases.

Such integration has never existed before, and experts call it a sea change that inches the US closer to having a roster of citizens. A centralized national database of Americans' personal information has long been considered a third rail, especially to privacy advocates as well as political conservatives, who have traditionally opposed mass data consolidation by the federal government.

The system is an upgrade to DHS's Systematic Alien Verification for Entitlements, or SAVE database, which is under contract to the controversial and secretive Silicon Valley company Palantir. (Jude Joffe-Block, Miles Parks / NPR)

Related: Common Dreams

Canada's Industry Minister Melanie Joly announced that the Canadian government has ordered Chinese surveillance camera manufacturer Hikvision to cease operations in Canada over national security concerns.

Hikvision, also known as Hangzhou Hikvision Digital Technology Co, has faced numerous sanctions and restrictions by Canada's neighbor, the United States, over the past five and a half years for the firm's dealings and the use of its equipment in China's Xinjiang region, where rights groups have documented abuses against the Uyghur population and other Muslim communities.

"The government has determined that Hikvision Canada Inc's continued operations in Canada would be injurious to Canada's national security," Joly said on X, adding that the decision was taken after a multi-step review of information provided by Canada's security and intelligence community.

Joly said Canada was also banning the purchase of Hikvision's products in government departments and agencies, and reviewing existing properties to ensure that legacy Hikvision products were not used in the future.

She said the order does not extend to the company's affiliate operations outside Canada but "strongly" encouraged Canadians "to take note of this decision and make their own decisions accordingly." (Ismail Shakil and Kanishka Singh / Reuters)

Related: Bloomberg, Global News, The Bureau, Global Times, The Economic Times, The Globe and Mail, CTV News

German Interior Minister Alexander Dobrindt said Germany is aiming to establish a joint German-Israeli cyber research centre and deepen collaboration between the two countries' intelligence and security agencies.

"Military defence alone is not sufficient for this turning point in security. A significant upgrade in civil defence is also essential to strengthen our overall defensive capabilities," Dobrindt said during a visit to Israel, as reported by Germany's Bild newspaper.

According to the Bild report, Dobrindt outlined a five-point plan aimed at establishing what he called a "Cyber Dome" for Germany, as part of its cyberdefence strategy. (Riham Alkousaa / Reuters)

Related: Bild.de, NDTV, Asharq Al-Awsat, Firstpost, NewsBytes, Tehran Times, Arab News

Wildlife activists who exposed horrific conditions at Scottish salmon farms were subjected to “Big Brother” surveillance by spies for hire working for an elite British army veteran.

Corin Smith, a former fly-fishing guide from the Highlands who has spent years confronting the multinationals that own the farms, believes he was with his young daughter on at least one of the occasions when he was followed and photographed by the former paratrooper Damian Ozenbrook’s operatives.

While a public inquiry is scrutinising spying by police after they infiltrated environmental groups and other campaigns, a Guardian investigation shines a rare light on the private spies-for-hire industry. That industry, which one lawyer calls “a wild west”, ranges from bumbling gumshoes to alumni of the special forces and MI6.

The surveillance of Smith and another wildlife activist, Don Staniford, began after they paddled out to some of the floating cages where millions of salmon are farmed every year, yielding Scotland’s biggest food export, and filmed what was happening inside.

The footage, posted online and broadcast by the BBC in 2018, showed fish crawling with sea lice. Some had chunks of their flesh torn away; others’ spines were twisted.

Three years later, in 2021, Smith discovered an “intelligence report” that the Scottish Salmon Company had commissioned. It was contained in a 653-page response from the company to Smith’s request under data protection law for information it held on him.

Ozenbrook’s private intelligence firm, Blue Square Global, produced the report, which contained images of Smith and fellow activist Don Staniford.

Covert surveillance by state agencies is subject to legislation that includes independent oversight. But once highly trained operatives leave the police, military, or intelligence services, the private firms that deploy them are barely regulated. (Tom Burgis / The Guardian)

Following a major Israeli airstrike on Iran, on 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent.

Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”

Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.

What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation. What emerges is a picture of a state actor, Tehran, deliberately using the Scottish independence issue to weaken its adversary by amplifying internal division.

Iran’s involvement in Scottish political discourse began quietly in 2014.

However, between 2022 and 2024, Iranian-linked online activity escalated significantly through a network of fake X accounts that promoted Scottish independence. Researchers at Clemson University’s Media Forensics Hub identified more than 80 accounts posing as socially conscious British users. Many carried biographies such as “Ex NHS Nurse.” (George Allison / UK Defence Journal)

Related: The Telegraph, r/ukpolitics

French newspaper Le Parisien reports that a business student who was interning at Société Générale, a leading multinational bank headquartered in France, is believed to have fed information to SIM swappers who stole from 50 customers of the bank.

The intern’s arrest prompted officers from France’s fraud police (La Brigade des Fraudes aux Moyens de Paiement, BFMP) to identify a series of alleged accomplices, including one person who specialized in taking control of the phone service of victims.

Using information provided by the intern, the SIM swapper would call the comms providers that provided service to customers of Société Générale. He would pretend to be the legitimate phone user, and that his phone had been lost, so that a replacement SIM would be issued to him. Having taken control of the victim’s phone service, the SIM swapper would then receive the one-time passwords sent to those numbers by Société Générale.

With these codes, the gang was able to withdraw money from the bank accounts of victims. In total, it is believed that more than EUR1mn (USD1.15mn) was stolen this way.

Police identified two other alleged accomplices for laundering the stolen money. Raids on their Parisian homes resulted in the discovery of an unspecified amount of cash and 15 luxury designer handbags from top brands including Dior, Louis Vuitton, Chanel, Hermès, Balenciaga, and Givenchy. One of these suspected accomplices is a 26-year-old male national of Chad with a history of violence. He is said to have conducted the money laundering in conjunction with a woman who was not previously known to police. (Eric Priezkalns / CommsRisk)

Related: Le Parisien
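The fraud described above works because the bank treats an SMS one-time password as proof that the customer holds the phone, even when the carrier has just re-issued the SIM for that number. A common control on the bank side is to correlate OTP-approved transfers with carrier SIM-change signals and require step-up verification when the two are close in time. The following is an added example (not code from CommsRisk, Le Parisien, Société Générale or any carrier); it assumes the bank receives per-number SIM-change timestamps from carriers and logs each OTP-approved transfer, and every event below is constructed sample data.

```python
"""Flag OTP-approved transfers that follow a recent SIM change.

Assumption (not from the article): the bank gets SIM-change timestamps per
phone number from the carriers. All events here are constructed samples.
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_WINDOW = timedelta(hours=72)  # number is untrusted for this long after a SIM change
HIGH_VALUE_EUR = 1_000.0                 # transfers at or above this get "high" severity


@dataclass(frozen=True)
class SimChange:
    msisdn: str        # phone number in E.164 form (constructed)
    at: datetime       # when the carrier activated a new SIM for it


@dataclass(frozen=True)
class OtpTransfer:
    customer: str
    msisdn: str        # number the one-time password was sent to
    amount_eur: float
    at: datetime


def index_sim_changes(changes):
    """Map msisdn -> sorted list of SIM-change timestamps."""
    index = defaultdict(list)
    for change in changes:
        index[change.msisdn].append(change.at)
    for times in index.values():
        times.sort()
    return index


def last_sim_change_before(index, msisdn, at):
    """Most recent SIM change for msisdn at or before `at`, or None.

    A change recorded after the transfer cannot explain it, so it is ignored.
    """
    times = index.get(msisdn, [])
    pos = bisect_right(times, at)
    return times[pos - 1] if pos else None


def assess(transfer, index):
    """Return a verdict dict: 'allow', or 'step_up' with a severity and reason."""
    changed = last_sim_change_before(index, transfer.msisdn, transfer.at)
    if changed is None or transfer.at - changed > SIM_CHANGE_WINDOW:
        return {"verdict": "allow", "severity": None,
                "reason": "no SIM change on the OTP number inside the window"}
    age_h = (transfer.at - changed).total_seconds() / 3600
    severity = "high" if transfer.amount_eur >= HIGH_VALUE_EUR else "medium"
    return {"verdict": "step_up", "severity": severity,
            "reason": f"OTP number had a SIM change {age_h:.1f}h before the transfer"}


def run_detection(transfers, changes):
    """Assess every transfer; returns [(customer, verdict_dict), ...] in input order."""
    index = index_sim_changes(changes)
    return [(t.customer, assess(t, index)) for t in transfers]


# Constructed sample data: one SIM change shortly before two transfers, one
# stale SIM change, one SIM change that happens only after the transfer.
SAMPLE_SIM_CHANGES = [
    SimChange("+33600000001", datetime(2025, 6, 20, 9, 0)),
    SimChange("+33600000003", datetime(2025, 6, 10, 8, 0)),
    SimChange("+33600000004", datetime(2025, 6, 20, 10, 0)),
]
SAMPLE_TRANSFERS = [
    OtpTransfer("cust-A", "+33600000001", 4500.0, datetime(2025, 6, 20, 11, 30)),  # 2.5h after change
    OtpTransfer("cust-B", "+33600000002", 4500.0, datetime(2025, 6, 20, 11, 30)),  # no SIM change
    OtpTransfer("cust-C", "+33600000003", 250.0, datetime(2025, 6, 20, 12, 0)),    # change 10 days old
    OtpTransfer("cust-A", "+33600000001", 50.0, datetime(2025, 6, 20, 12, 0)),     # small, still flagged
    OtpTransfer("cust-D", "+33600000004", 9000.0, datetime(2025, 6, 20, 8, 0)),    # change came later
]

if __name__ == "__main__":
    for customer, result in run_detection(SAMPLE_TRANSFERS, SAMPLE_SIM_CHANGES):
        print(customer, result)
```

The window length and value threshold are policy knobs; the point is that a fresh SIM change turns the SMS channel into a weak factor, so the verdict is to demand a second, non-SMS factor (app confirmation, callback to a known number, branch visit) rather than to decline outright, which keeps legitimate customers who really did replace a phone from being locked out.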

Decentralized finance (DeFi) protocol Resupply confirmed a security breach in its wstUSR market, which led to about $9.6 million in crypto losses.

Blockchain security firm Cyvers said the exploit was triggered by a price manipulation attack involving the protocol’s integration with a synthetic stablecoin called cvcrvUSD.

Meir Dolev, Cyvers’ co-founder and chief technology officer, said that the attacker exploited a price manipulation bug in the ResupplyPair contract. “By inflating the share price, they borrowed $10 million reUSD using minimal collateral,” Dolev said.

Cyvers said in the post that the attacker was funded through Tornado Cash, and the stolen funds were swapped to Ether and split across two addresses.

Resupply acknowledged the incident and said, “A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted." (Ezra Reguerra / Cointelegraph)

Related: Resupply, DL News, Coinstats, Unchained, The Block, Coinspeaker

At the TROOPERS security conference in Germany, researchers at cybersecurity company ERNW disclosed three vulnerabilities affecting a Bluetooth chipset present in more than two dozen audio devices from ten vendors that can be exploited for eavesdropping or stealing sensitive information.

The vulnerabilities reside in Airoha systems-on-chip (SoCs), which are widely used in True Wireless Stereo (TWS) earbuds. The issues are not critical, and besides close physical proximity (Bluetooth range), their exploitation also requires “a high technical skill set.”

ERNW researchers say they created a proof-of-concept exploit code that allowed them to read the currently playing media from the targeted headphones.

While such an attack may not present a significant risk, other scenarios leveraging the three bugs could let a threat actor hijack the connection between the mobile phone and an audio Bluetooth device and use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone. (Ionut Ilascu / Bleeping Computer)

Related: ERNW, Techzine, GBHackers, Heise Online, MakeUseOf

[Image: reading the currently playing song from a vulnerable Airoha device. Source: ERNW]

Mohammed Umar Taj of Hyrst Garth, Batley, UK has been sentenced to several months behind bars after launching a cyber-attack against his former employer that resulted in losses of £200,000 ($274,000).

He had already admitted one charge of committing unauthorized acts with intent to impair the operation of or hindering access to a computer. He was sentenced at Leeds Crown Court to seven months and 14 days in custody.

Taj took out his anger on the company just hours after being suspended in July 2022, according to West Yorkshire Police.

He physically accessed the premises and corporate computer systems in order to change logins and multi-factor authentication (MFA). This enabled him to disrupt business operations and those of customers in the UK, Germany, and Bahrain, the police force said. (Phil Muncaster / Infosecurity Magazine)

Related: West Yorkshire Police, DataBreaches.net, The Stack

Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its US systems.

The retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company's internal U.S. business systems on November 6, 2024.

While it didn't confirm whether customers' information was also affected, Ahold Delhaize stated that the stolen files may have included internal employment records with personal information obtained while working with current and former Ahold Delhaize USA companies. (Sergiu Gatlan / Bleeping Computer)

Related: Office of the Maine Attorney General, The Register, WABI, Security Week, HackRead

The brand value of SK Telecom, the largest mobile carrier in Korea, dipped sharply in the second quarter of this year in the wake of a massive hacking attack that was made public in April.

The local brand value assessment firm Brandstock on Monday revealed the top 100 brands in the country, in which SK Telecom relinquished its top spot in the telecommunications sector to rival KT Corp. KT's score on the index jumped from 852.6 to 872.9 compared to the previous quarter, moving it up to the 27th overall spot from 41st in the first quarter.

SK Telecom's score plummeted from 890.1 in the first quarter to 850.1, placing it second among mobile carriers and 40th overall. It ranked a few spots above LG UPlus, which came third among the telecom companies. (Yoon Min-sik / The Korea Herald)

Related: KoreaJoongAng Daily

The new Android 16 update has a feature that might be able to warn users when someone is snooping on them using an IMSI-catcher, also known as a stingray or cell-site simulator.

An attacker sets up this device near a target they want to surveil, and it mimics a legitimate cell tower. The stingray tricks nearby mobile devices into connecting to it, allowing the attacker to collect unique identifiers (like the IMEI) and even force them onto an older, more insecure communication protocol. These identifiers allow attackers to target specific devices for analysis, while switching protocols can let them intercept unencrypted text messages and phone calls.

Law enforcement agencies notoriously use these “stingray” devices, but malicious actors can also acquire their technology. 

When the “Network notifications” feature is enabled, Android will post a message in the notification panel and the Safety Center whenever your device switches from an encrypted to an unencrypted network, or vice versa. It will also post an alert in both places when the network accesses your phone’s unique identifiers, detailing the time and number of times they were requested.

Android’s “network notifications” don’t serve as true indicators that the device is actually connected to a fake cell tower, but rather as warnings to the user that this could be happening. (Mishaal Rahman / Android Authority)

Related: Ars Technica, Mobile Syrup, TechRadar, Android Police, TechSpot, WebProNews, TechRadar

[Image: the message as shown in the notification pane and the Safety Center. Source: Android]

New York Governor Kathy Hochul signed into law S.7672A/A.6769A that requires local governments in the state to begin reporting cyberattacks on their networks.

Under the new law, municipalities and public authorities are required to report cybersecurity incidents within 72 hours to the Division of Homeland Security and Emergency Services (DHSES) and provide notice of payment of a ransom within 24 hours. The legislation also mandates annual cybersecurity awareness training for government employees across New York and sets data protection standards for State-maintained information systems. (James Rundle / Wall Street Journal)

Related: Governor Kathy Hochul

Researchers at the Atlantic Council report that the US market for zero-day flaws is broken, bloated, and falling behind rivals like China.

Chinese hackers famously used multiple zero-day exploits to hack into Google and several defense contractors in 2009 to access and potentially modify source code. Alleged US hackers reportedly used their own collection of multiple zero days around the same time to hack and disrupt the Iranian nuclear program. Zero days can sell for north of $1 million each.

Governments, including both the US and China, source many of their zero-day exploits from a murky, global market of researchers, companies, and entrenched middlemen, according to the paper.

But the supply chain that gets this critical technology to US government customers is bloated, inflating prices and making talent hard to come by, says the Atlantic Council. Big defense contractors, the behemoths of the military-industrial complex, act as entrenched middlemen who extract value but contribute little between researchers and government customers. (Patrick Howell O'Neill / Bloomberg)

Related: The Atlantic Council

Israeli cybersecurity company Cato Networks announced it had raised $359 million in a Series G venture funding round.

Vitruvian Partners and ION Crossover Partners led the round with the participation of existing investors, including Lightspeed Venture Partners, Acrew Capital, and Adams Street Partners. (James Rundle / Wall Street Journal)

Related: PR Newswire, Techzine, CTech, Ynet News, Economic Times

Voice risk assessment startup Clearspeed announced it had raised $60 million in a Series D venture funding round.

Align Private Capital led the round with participation from IronGate Capital Advisors, Bravo Victor Venture Capital, and KBW Ventures. (Duncan Riley / Silicon Angle)

Related: Business Wire, Clearspeed, Axios, Venture Capital Journal, InfoRiskToday.com, FinSMEs

Best Thing of the Day: There Never Was a 16-Billion Record Breach, Part II

Exposed data investigator Jaye L. Tee produced a detailed and irrefutable exposé of Cybernews' false story of a 16 billion record breach, which is still wrongly grabbing headlines in publications and likely juicing the publication's ad dollar metrics.

Worst Thing of the Day: I Wouldn't Do That If I Were You, Dave

Some AI models are lying, scheming, and threatening their creators, with Anthropic even blackmailing an engineer, threatening to reveal an extramarital affair.

Bonus Worst Thing of the Day: Aren't You Supposed to Be Defending Us?

In an interview with Fox's Maria Bartiromo, Donald Trump diminished the threat of Chinese hacking by saying the US hacks China too, adding, “That's the way the world works. It's a nasty world."
