Black Basta suspects’ homes raided; gang leader added to most-wanted list
Jordanian national pleads guilty to access broker charges, Acting head of CISA was blocked by colleagues from removing CIO, Iranian campaign sought to steal Gmail and other account credentials, Man pleads guilty to hacking US S.Ct., DPRK hackers pose as human rights orgs, much more

"Darkness cannot drive out darkness; only light can do that. Hate cannot drive out hate; only love can do that." Dr. Martin Luther King.
Support independent media - upgrade your Metacurity subscription today.
Metacurity is one of the few independent media outlets delivering a daily round-up of the critical infosec developments you should know. For years, we have worked to scan thousands of sources to deliver you summarized and aggregated news to help you keep your organizations secure.
We value all of our readers, but the paid subscribers help us keep plugging away at our mission of ending infosec news overload. Please, please help keep Metacurity alive with a paid subscription. Thank you!
If you can't afford a paid subscription right now, please consider donating whatever you can. Thanks.
Ukrainian and German law enforcement authorities identified two Ukrainians suspected of working for the Russia-linked ransomware group Black Basta and have placed the group’s alleged leader, a Russian national, on an international wanted list.
The two Black Basta suspects, who were operating from western Ukraine, allegedly specialized in breaching protected systems and preparing ransomware attacks by extracting login credentials from compromised networks. Police described them as so-called “hash crackers,” responsible for recovering passwords from stolen data using specialized software.
The stolen credentials were later used to gain unauthorized access to internal corporate systems, escalate privileges within networks, steal sensitive data, and deploy ransomware designed to encrypt systems and extort cryptocurrency payments from victims.
Digital storage devices and cryptocurrency assets were seized during searches at the suspects’ homes in Ukraine’s Ivano-Frankivsk and Lviv regions. Ukrainian prosecutors said analysis of the seized material is ongoing.
Germany’s Federal Criminal Police Office (BKA) identified the suspected leader of the group as Oleg Nefedov, a 36-year-old Russian national, who is wanted on suspicion of forming a criminal organization abroad, large-scale extortion, and related cyber offenses.
As the group’s alleged ringleader, Nefedov is suspected of selecting targets, recruiting members, assigning tasks, negotiating ransom payments, and distributing proceeds obtained through extortion. Ransoms were typically demanded in cryptocurrency.
Authorities said he operated under multiple online aliases — including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi — and may also have had ties to another notorious ransomware group, Conti.
German police said Nefedov is believed to be in Russia, although his exact whereabouts are unknown. He has been placed on an international wanted list through Interpol. (Daryna Antoniuk / The Record)
Related: EU Most Wanted, Interpol, BKA, Bleeping Computer, Cyberpolice.gov.ua, The Cyber Express, Security Affairs, Cyber Daily, The Register
Feras Khalil Ahmad Albashiti, a Jordanian national, pleaded guilty to operating as an access broker, selling access to at least 50 victim company networks he broke into by exploiting two commercial firewall products in 2023.
He lived in the Republic of Georgia at the time, sold an undercover FBI agent unauthorized access to the victim networks on a cybercrime forum under the moniker “r1z” in May 2023, authorities said in court records.
The undercover FBI agent continued communicating with Albashiti for the next five months, uncovering evidence of additional alleged crimes. He’s accused of selling malware that could turn off endpoint detection and response products from three different companies.
Albashiti proved the malware worked when, unbeknownst to him, the FBI observed him use the EDR-killing malware on an FBI server the agency granted him access to as part of its investigation.
The undercover agent purchased additional malware from Albashiti capable of elevating internal user privileges without authorization and a modified version of a commercially available pentesting tool, according to an affidavit filed in the US District Court of New Jersey.
Investigators discovered the IP address Albashiti used to access the FBI server was previously used to intrude on government systems belonging to a US territory and a ransomware attack against a US manufacturing company in June 2023 that resulted in at least $50 million in losses. (Matt Kapko / CyberScoop)
Related: Justice Department
According to sources, the acting head of CISA, Madhu Gottumukkala, took steps last Thursday to remove the agency’s chief information officer, Robert Costello, but was blocked after other political appointees at the department objected.
The personnel spat began late last Thursday afternoon after Costello was given a so-called management-directed reassignment, meaning he had roughly one week to decide whether to move to another part of the Department of Homeland Security — which houses CISA — or resign, said the people. All three were granted anonymity for fear of retribution.
Other senior political appointees at the department, including Nick Anderson, CISA’s executive assistant director for cybersecurity, were not given a heads-up about the decision and were not happy with it, said the people.
They immediately “raised hell” and questioned the justification for Costello’s surprise ejection from the agency, said the first of the three officials.
DHS headquarters decided to pause and then fully stop Costello’s reassignment before the end of the day Friday, added the three officials. (John Sakellariadis / Politico)
Iranian activist Nariman Gharib seemingly discovered a campaign by Iran that aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings.
According to Gharib, the WhatsApp message he received contained a suspicious link, which loaded a phishing site in the victim’s browser.
Gharib shared the full phishing link with TechCrunch soon after his post, allowing the outlet to capture a copy of the source code of the phishing web page used in the attack.
TechCrunch identified a way to view a real-time copy of all the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked.
The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people in the United States or with US phone numbers. (Zack Whittaker / TechCrunch)
Related: GitHub

Nicholas Moore of Tennessee pleaded guilty to hacking the US Supreme Court’s filing system more than two dozen times.
He also admitted that he illegally accessed records from AmeriCorps’ computer servers and a Department of Veterans Affairs electronic platform.
District Judge Beryl Howell in Washington, DC, is scheduled to sentence Moore on April 17.
Moore pleaded guilty to one misdemeanor count of computer fraud, which carries a maximum prison sentence of one year. US Attorney Jeanine Pirro’s office charged him last week.
In 2023, Moore used stolen credentials to hack into the Supreme Court’s filing system on 25 different days, a court filing says. He accessed personal records belonging to the person whose credentials he used, then posted information about the person on an Instagram account using the handle “@ihackedthegovernment,” according to the filing. (Michael Kunzelman / Associated Press)
Related: Statement of the Offense, Justice Department, Security Affairs
South Korean cybersecurity firm Genians reports that North Korea-linked hackers are using emails that impersonate human rights organizations and financial institutions to lure targets into opening malicious files.
The campaign, dubbed "Operation Poseidon," has been attributed to the Konni hacking cluster, a group linked by security researchers to Pyongyang-backed cyber operations and known for conducting long-running advanced persistent threat, or APT, campaigns.
"The threat actor was identified as repeatedly employing social engineering tactics by impersonating North Korean human rights organizations and financial institutions in South Korea," Genians said.
The spearphishing emails relied on links that appeared trustworthy because they passed through legitimate online advertising and click-tracking systems commonly used to track user engagement. By embedding malicious destinations behind trusted tracking URLs, the attackers were able to bypass email security filters and reduce suspicion among recipients. (Thomas Maresca / UPI)
Related: Genians, Korea JoongAng Daily, The Korea Times, Yonhap News
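The Konni lures described above work because the visible link points at a legitimate click-tracking host and only the redirect parameter carries the real destination. The following is an added example, not code from Genians, UPI or this newsletter: a small static unwrapper that a mail gateway or analyst could run to peel such links apart without touching the network and flag ones whose final destination falls outside an allowlist. The redirect parameter names, the `.test` hostnames and the sample links are all constructed for illustration.

```python
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

# Query-parameter names that redirect and click-tracking endpoints commonly use
# to carry the real destination (constructed list; real trackers vary).
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_url", "redirect_uri",
                   "target", "dest", "destination", "link", "goto", "r"}


def embedded_destination(url: str) -> Optional[str]:
    """Return an absolute http(s) URL carried in a redirect-style query
    parameter of `url`, or None if there is none."""
    query = urlparse(url).query
    # parse_qs percent-decodes each value once, so an encoded destination
    # such as https%3A%2F%2F... comes back as a plain URL.
    for name, values in parse_qs(query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme in ("http", "https") and parsed.hostname:
                return value
    return None


def unwrap_tracking_url(url: str, max_hops: int = 5) -> List[str]:
    """Statically follow redirect-style parameters (no network access) and
    return the chain of URLs, starting with the one that appeared in the email.
    Nested, double-encoded redirects unwrap one layer per hop."""
    chain = [url]
    for _ in range(max_hops):
        nxt = embedded_destination(chain[-1])
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


def final_host(url: str) -> Optional[str]:
    """Hostname the link ultimately lands on after unwrapping."""
    host = urlparse(unwrap_tracking_url(url)[-1]).hostname
    return host.lower() if host else None


def lands_outside_allowlist(url: str, allowed_hosts) -> bool:
    """True when the visible link is a redirect/tracking URL whose ultimate
    destination is not one of the hosts the organisation expects to see.
    Plain links (no redirect parameter) are not flagged by this check."""
    chain = unwrap_tracking_url(url)
    if len(chain) < 2:
        return False
    host = final_host(url)
    allowed = {h.lower() for h in allowed_hosts}
    return host is None or host not in allowed


# Constructed sample links, as they might appear in a message body.
SAMPLE_LINKS = [
    "https://ads.example-tracker.test/click?cid=42&url=https%3A%2F%2Faccount-verify.example.test%2Flogin",
    "https://ads.example-tracker.test/click?url=https%3A%2F%2Fr.example-cdn.test%2Fr%3Fgoto%3Dhttps%253A%252F%252Fdrop.example.test%252Fdoc",
    "https://ads.example-tracker.test/click?cid=7&url=https%3A%2F%2Fwww.example-bank.test%2Fpromo",
    "https://www.example-bank.test/news?id=5",
]
# Constructed allowlist: destinations this organisation's mail is expected to link to.
ALLOWED_HOSTS = {"www.example-bank.test"}


def scan_links(links, allowed_hosts) -> List[str]:
    """Return the links whose unwrapped destination falls outside the allowlist."""
    return [link for link in links if lands_outside_allowlist(link, allowed_hosts)]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        chain = unwrap_tracking_url(link)
        verdict = "FLAG" if lands_outside_allowlist(link, ALLOWED_HOSTS) else "ok"
        print(f"{verdict:4} {' -> '.join(chain)}")
```

The unwrapping is purely static, so it is safe to run on untrusted input inside a gateway; it complements, rather than replaces, a sandboxed fetch, because a tracker can also decide the destination server-side from an opaque identifier, in which case no destination is visible in the URL and the check returns nothing to flag.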

Iranian state television satellite transmissions were reportedly disrupted by hackers, who broadcast footage supporting exiled Crown Prince Reza Pahlavi and urged security forces not to "point your weapons at the people."
The hacked broadcast, aired across multiple channels of the Islamic Republic of Iran Broadcasting, included two clips of Pahlavi and graphics encouraging the military to join the nation for freedom. (Jon Gambrell / Associated Press)
Related: Sky News, Ynet News, New York Sun, Security Affairs, Israel Hayom
Brussels is to propose phasing out Chinese-made equipment from critical infrastructure in the EU, barring companies such as Huawei and ZTE from telecommunications networks, solar energy systems, and security scanners, according to officials.
The move comes as the EU revamps its security and tech policy by rethinking its dependence on big US tech companies as well as Chinese “high-risk” suppliers, which some officials fear could be used to collect sensitive data. The US has long banned Huawei from government networks.
The EU’s cyber security proposal, which will be presented on Tuesday, is expected to make an existing voluntary regime to restrict or exclude high-risk vendors from their networks mandatory for EU countries, the people said.
Previous recommendations have been unevenly implemented, with several European countries continuing to rely on such “high-risk” suppliers. Spain last summer signed a €12mn contract with Huawei for it to provide the hardware to store wiretaps authorised by judges for law enforcement and the intelligence services. (Barbara Moens / Financial Times)
Related: Euractiv, r/EU_Economics
Nearly four out of five crypto projects that suffer a major hack never fully regain their footing, according to Mitchell Amador, CEO of Web3 security platform Immunefi.
Amador said that most protocols enter a state of paralysis the moment an exploit is discovered. “Most protocols are fundamentally unaware of the extent to which they are exposed to hacks, and are not operationally prepared for a major security incident,” he said.
According to Amador, the first hours after a breach are often the most damaging. Without a predefined incident plan, teams hesitate, debate next steps, and underestimate how deep the compromise may go. “Decision-making slows as teams scramble to understand what happened, leading to improvisation and delayed action,” he said, adding that this is frequently when additional losses occur. (Amin Haqshanas / Cointelegraph)
Related: CryptoRank, Yellow
Monero's native token XMR hit an all-time high of $797.73 on Jan. 14, coinciding with a series of multi-million dollar swaps to Monero following a social engineering attack.
“The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges, causing the XMR price to sharply increase,” crypto sleuth ZachXBT said.
While details of the theft are still largely unknown, ZachXBT pointed to several suspected wallets associated with the alleged robbery.
One wallet (0b4fc3e) appears to be a consolidation address for about $43.7 million worth of bitcoin. This address received the majority of its funds through about 10 high-value transactions of between 39 and 47 BTC each, plus smaller transfers. Those funds were ultimately sent to an address beginning c3b4ccc, after an intermediate stop at bc1qlux. There’s no clear on-chain evidence that these particular funds have been swapped to Monero, a popular privacy chain.
Another suspected address (bc1qpsmh) received over 1108 BTC, worth about $105 million, which was then split three ways: two 35 BTC sends and a 928 BTC send. The three recipient addresses have continued to break down the funds, further complicating the web of transactions. An additional 2.05 million LTC also appear to have been moved following a similar modus operandi.
None of the flagged addresses have been publicly labeled on common explorers, and these may be just simple wallet-to-wallet transfers for common address rotation. (Daniel Kuhn / The Block)
Related: Web3 is Going Just Great, Cointelegraph, Bitcoin Insider, BeInCrypto, CoinDesk, CryptoPotato, The Crypto Times, NullTX, Coinpedia Fintech News, Crypto Briefing, The Defiant
Best Thing of the Day: Relying on Three Decades of Experience
Chrisma Jackson, the top cybersecurity boss for Sandia National Laboratories, explains why she is well-positioned to protect the nation's nuclear secrets.
Bonus Best Thing of the Day: I Trust the MI5 on This One
Despite the political uproar of China consolidating its diplomatic venues into one "mega-embassy" in London, MI5 thinks the move will make it easier to track China's espionage efforts in the country.
Worst Thing of the Day: No Rest From Hacking for the Dead
Despite managing sensitive data of millions, funeral companies in South Korea remain exempt from information security regulations, raising concerns over data protection and ransomware risks.
Closing Thought
