Cops bust up NoName057(16) by seizing servers, issuing warrants, and raiding homes
6.5m Co-op members' data were stolen, Cambodia busts 1k for cybercrime, Thai police raid Cambodian tycoon's homes in scam probe, DoJ busts one and charges three other alleged Ryuk actors, Aussie right-wing party hit by ransomware, China cyberspies on Taiwan's semiconductor industry, much more


A Word of Gratitude
Humble, heartfelt thanks to the Metacurity readers who have donated their precious funds or signed up for paid subscriptions over the past week. I'm blown away.
You are fantastic human beings, and please know that I've been mulling over the best way to thank you all.
For those of you who would like to support Metacurity's continued operations, you can sign up for a paid subscription below.
Or if you're not ready to commit to a subscription, consider donating what you can.
Europol and Eurojust announced that Operation Eastwood, an international law enforcement operation conducted this week, targeted the members of and infrastructure used by a pro-Russian hacktivist group, NoName057(16), which has launched DDoS attacks across Europe since early 2022.
The effort, which relied on the participation of twelve countries, disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. It broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.
NoName057(16) used Telegram channels, specialized forums, and messaging applications to distribute attack tools, tutorials, and plans. The group employed gamification techniques, including leaderboards, badges, and cryptocurrency rewards, to keep members active, particularly targeting younger individuals by claiming the group was defending or working on behalf of Russia.
Group members relied on the open-source “DDoSia” platform and a botnet comprising several hundred servers, which allowed the group to scale attack capacity. Participants downloaded malware that enabled them to contribute computing resources to coordinated attacks, with the most active contributors receiving financial incentives in cryptocurrency.
The group chose its targets based on political events. At first, they attacked websites in Ukraine. Later, they expanded their attacks to countries in NATO and organizations that support Ukraine. Some of their attacks took place during the European elections, affecting Swedish government agencies and bank websites.
They also timed attacks with major political events, including the Ukrainian president’s speech to the Swiss parliament and the NATO summit in the Netherlands. (Greg Otto / Cyberscoop)
Related: Europol, The Record, Al Jazeera, France24, Bloomberg, Bleeping Computer, Tech Xplore, Ukrinform, CyberInsider, Ukrainska Pravda, United24 Media, NL Times, Infosecurity Magazine, Security Affairs, Help Net Security, The Cyber Express, Associated Press, Reuters, TVP World, Eurojust, CyberInsider, The European Conservative, The Cyber Express, SwissInfo, Kyiv Independent

Shirine Khoury-Haq, CEO of UK grocery chain the Co-op, has apologised to its customers after admitting that all 6.5 million of the mutual’s members had their data stolen in a recent cyberattack.
She said she was “incredibly sorry” for the attack in which hackers obtained names, addresses, and contact information. She said no financial information, such as credit or debit card details, or transaction data, was stolen in the hack, which occurred in April.
“We know a lot of that information is out there anyway, but people will be worried and all members should be concerned,” she said.
The group, which owns more than 2,000 grocery stores, more than 800 funeral parlours, and also offers legal and financial services, was forced to shut down parts of its IT systems in late April after discovering an attempted hack, days after Marks & Spencer also faced a serious cyber-incident.
Last week, four people, including three teenagers, were arrested at addresses in the West Midlands, Staffordshire, and London as part of an investigation into the cyberattacks on the Co-op, M&S, and Harrods, which all occurred within days of one another.
Separately, the Co-op announced a new strategic partnership with The Hacking Games, a UK-based social impact business, to help prevent cybercrime by identifying young cyber talent and channelling their skills into positive, ethical careers.
The partnership, a long-term initiative that aims to grow into a large-scale national movement delivered through a wide-reaching, multi-channel approach, begins with an independent research study led by Professor Lusthaus of the University of Oxford, a leading expert on the social dimensions of cybercrime and hacking. (Sarah Butler / The Guardian and the Co-Op)
Related: Metro.co.uk, Digit, City A.M. - Technology, Oxford Mail, BBC News, Computer Weekly, Tech Radar, TechCrunch, The Independent, WebProNews, The Register, Sky News, City A.M. - Technology
Cambodia said that an order by Prime Minister Hun Manet for government bodies to crack down on cybercrime operations being run in the country had resulted in the arrest of more than 1,000 suspects so far this week.
Hun Manet issued the order authorizing state action for “maintaining and protecting security, public order, and social safety.”
“The government has observed that online scams are currently causing threats and insecurity in the world and the region. In Cambodia, foreign criminal groups have also infiltrated to engage in online scams,” a statement from Hun Manet said.
More than 1,000 suspects were arrested in raids in at least five provinces between Monday and Wednesday, according to statements from Information Minister Neth Pheaktra and police.
Those detained included more than 200 Vietnamese, 27 Chinese, 75 suspects from Taiwan, and 85 Cambodians in the capital, Phnom Penh, and the southern city of Sihanoukville. Police also seized equipment, including computers and hundreds of mobile phones.
At least 270 Indonesians, including 45 women, were arrested Wednesday in Poipet, a town on the border with Thailand notorious for cyber scams and gambling operations, the minister said. Elsewhere, police in the northeastern province of Kratie arrested 312 people, including nationals of Thailand, Bangladesh, Indonesia, Myanmar, and Vietnam, while 27 people from Vietnam, China, and Myanmar were detained in the western province of Pursat. (Grant Peck / Associated Press)
Related: Al Jazeera, AFP, The Standard, The Phnom Penh Post, Channel News Asia, Daily Tribune, Taiwan News, The Telegraph
Amid a deepening diplomatic row between Cambodia and Thailand that began over a border spat and has led to the suspension of Thai Prime Minister Paetongtarn Shinawatra, Thai police raided seven properties allegedly connected to a prominent Cambodian senator and tycoon, Kok An, accused of involvement in the online scamming industry.
Police raided two houses in Sa Kaeo province belonging to two women who authorities say help manage a high-rise scam compound in the Cambodian border city of Poipet. The compound is run by one of Kok’s daughters, Juree Khlongkijjakol, the authorities allege.
Police also raided two offices and a house in Bangkok allegedly connected to Juree, as well as an office and residence tied to her sister, Phu Chelin. On Monday, police issued arrest warrants for Kok’s daughters and his son, who they identified as Kittisak, for their alleged involvement in transnational crime.
They issued an arrest warrant earlier in July for Kok, the owner of a cluster of properties in Poipet, including Crown Casino Resort. They announced that they would ask Interpol to issue a Red Notice for his detention.
On July 8, Thai police raided 19 properties allegedly connected to Kok’s scam network and seized assets worth more than $33.8 million, the Bangkok Post reported. (James Reddick / The Record)
Related: Bangkok Post, Nation Thailand, Casino.org, khaosodenglish, Thai PBS World
The Justice Department announced that Karen Serobovich Vardanyan, an Armenian national, is in federal custody and faces charges stemming from his alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware.
He was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court on June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.
Prosecutors charged Vardanyan with conspiracy, fraud in connection with computers, and extortion in connection with computers. He faces a maximum of five years in federal prison and a fine of $250,000 for each charge.
Vardanyan and his co-conspirators, a pair of 53-year-old Ukrainian nationals, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, and 45-year-old Armenian national Levon Georgiyovych Avetisyan, are accused of illegally accessing computer networks to deploy Ryuk ransomware on hundreds of compromised servers and workstations between March 2019 and September 2020. (Matt Kapko / Cyberscoop)
Related: Justice Department, Oregon Live, KTVZ, KOIN, Databreaches.net
Clive Palmer’s United Australia Party and Trumpet of Patriots party suffered a ransomware attack that may have exposed all of the emails and documents held by the parties.
An email was sent by the United Australia Party to its mailing list saying it suffered a data breach last month. “On 23 June 2025, we identified unauthorised access to our servers resulting in access to, and the possible exfiltration of, certain data records. We were the subject of a ransomware cyberattack,” it says. A near-identical statement was posted on the Trumpet of Patriots website.
The messages say that the records accessed could include “all emails to and from the [party] (including their attachments) and documents and records created and or held electronically by the [party] at any time in the past,” which might encompass information provided to the party, such as email addresses, phone numbers, banking records, and other confidential documents.
The messages also say the party does “not know comprehensively what information of yours was on the server” and that it will not notify all affected individuals because doing so is “impractical”.
It also says it has reported the breach to the Office of the Information Commissioner and the Australian Signals Directorate. (Cam Wilson / Crikey)
Related: United Australia Party, Cyber Daily, The Guardian
Researchers at Proofpoint say Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns.
The previously unreported hacking campaigns were carried out by at least three distinct Chinese-linked groups primarily between March and June of this year, with some activity likely ongoing.
One of them, a China-aligned threat actor tracked as UNK_FistBump, targets semiconductor design, manufacturing, and supply chain organizations with employment-themed phishing campaigns that deliver Cobalt Strike or the custom Voldemort backdoor.
Another China-aligned threat actor, tracked as UNK_DropPitch, targets individuals in multiple major investment firms who specialize in investment analysis, specifically within the Taiwanese semiconductor industry.
Finally, Proofpoint also observed an actor tracked as UNK_SparkyCarp conducting credential phishing activity against a Taiwanese semiconductor company using a custom Adversary in the Middle (AiTM) phishing kit.
This development comes amid rising restrictions by Washington on exports to China of US-designed chips, which are often manufactured in Taiwan.
China's chip industry has been working to replace its dwindling supply of sophisticated US chips, especially those used in artificial intelligence.
Proofpoint says approximately 15 to 20 organizations faced attacks, ranging from small businesses to large global enterprises and including analysts employed by at least one US-headquartered international bank. (A.J. Vicens / Reuters and Proofpoint)
Related: Proofpoint, RBC-Ukraine, NewsBytes, Devdiscourse, TVBS

Analysts warn that Donald Trump's reported move to lift federal restrictions on selling some of Nvidia's advanced artificial intelligence semiconductor chips to China could undercut the United States' lead in the global AI race.
The unexpected announcement came not from the White House, but from an Nvidia blog post, after the semiconductor giant's CEO, Jensen Huang, met with Trump and senior officials from Beijing in recent days.
The company said it would soon file applications to sell its H20 GPU chip in China once again, and "the US government has assured Nvidia that licenses will be granted."
The company also said that it had created a "new, fully compliant" pro GPU designed to power complex AI systems in smart factories and logistics while aiming to advance its mission to "democratize AI." But industry specialists told Information Security Media Group the administration's move could erode the nation's long-range technological edge, undercut its strategic position in critical technologies, and ultimately enable China to build artificial intelligence models that compete with leading American platforms. (Chris Riotta / Data Breach Today)
Related: NVIDIA, New York Times, Investing.com, CnEVPost, South China Morning Post, Observer, Reuters, Associated Press, CNBC, Bloomberg, Proactive, The Daily Upside, Cryptopolitan, The Daily Star, The Information, Asia Times, Fortune, implicator.ai, New Electronics, Nikkei Asia, Moneycontrol, Marcus Schuler, Times of India, CNBC, Bloomberg, Financial Times, CNBC, Al Jazeera
Google's Threat Intelligence Group reports that unknown miscreants are exploiting fully patched, end-of-life SonicWall VPNs to deploy a previously unknown backdoor and rootkit, likely for data theft and extortion.
The intel analysts attribute the ongoing campaign to UNC6148 - UNC in Google's threat-actor naming taxonomy stands for "Uncategorized." They appear to be using a backdoor rootkit dubbed OVERSTEP.
Once the miscreants compromised the SonicWall appliances, they deployed a previously unknown backdoor written in C. The malware modified the appliance's boot process to maintain persistent access, enabling the criminals to steal sensitive credentials and conceal their own components.
The researchers assess "with high confidence" that the criminals are abusing previously stolen credentials and one-time password seeds, which allow them to maintain access to the compromised SonicWall Secure Mobile Access (SMA) 100 series appliances even after organizations have patched the buggy VPNs.
A Google spokesperson said the number of known victims is "limited," and urged businesses that use these SonicWall devices to analyze them for signs of compromise, especially if they are vulnerable to any of the earlier known CVEs, following the steps outlined in the "Hunting and Detection" section of its technical analysis. This lists several indicators of compromise and other artifacts to help defenders find — and boot off — OVERSTEP on their systems. (Jessica Lyons / The Register)
Related: Mandiant/Google Threat Intelligence Group, Dark Reading, Cyberscoop, The Record, BankInfoSecurity, Security Affairs, BleepingComputer, Cyber Security News, Ars Technica, Dark Reading, Help Net Security, DataBreachToday.com
Security researcher Jeremiah Fowler discovered a publicly accessible database owned by the largely Texas-based nonprofit Gladney Center for Adoption containing adoption-related data, including the identities of some children's biological parents, data on individuals' medical and mental health status, information about interactions with Child Protective Services, and even records referencing court orders.
Fowler says that the data appeared to be from a customer relationship management, or CRM, system that is used to organize client data in businesses and other organizations. The trove contained more than 1.1 million records and was 2.49 GB.
After multiple contact attempts, the Gladney Center closed the database from public view. (Lily Hay Newman / Wired)
Related: Website Planet
Researchers from Domain Tools discovered a malicious binary called Joke Screenmate, a strain of nuisance malware that interferes with the normal and safe functioning of a computer, stored inside domain name system (DNS) records, the records that map domain names to their corresponding numerical IP addresses, where it can go unmonitored by security tools.
The file was converted from binary format into hexadecimal, an encoding scheme that uses the digits 0 through 9 and the letters A through F to represent binary values in a compact combination of characters.
The hexadecimal representation was then broken up into hundreds of chunks. Each chunk was stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com.
Specifically, the chunks were placed inside the TXT record, a portion of a DNS record capable of storing any arbitrary text. TXT records are often used to prove ownership of a site when setting up services like Google Workspace.
An attacker who managed to get a toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassemble the chunks, and convert them back into binary format. The technique allows the malware to be retrieved through traffic that can be hard to monitor closely.
As encrypted forms of IP lookups—known as DOH (DNS over HTTPS) and DOT (DNS over TLS)—gain adoption, the difficulty will likely grow. (Dan Goodin / Ars Technica)
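The staging technique described above leaves a recognisable footprint in resolver or passive-DNS logs: many subdomains of one zone whose TXT answers consist of nothing but long, even-length hex strings. The following detector is an added example written for this digest, not code from DomainTools or the article; the log format, the staging zone `staging-zone.test`, and the chunk contents are all constructed, and `zone_of` uses a naive last-two-labels guess in place of a public suffix list.

```python
import re
from collections import defaultdict

# Constructed resolver log sample (not from the article); the staging zone and the
# hex chunks are made up. Fields: <epoch> <client> <qname> <qtype> <rdata>
SAMPLE_LOG = """\
1721200001 10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=reject"
1721200002 10.0.0.5 example.com TXT "google-site-verification=abc123"
1721200003 10.0.0.7 0.stage.staging-zone.test TXT "4d5a90000300000004000000ffff0000"
1721200004 10.0.0.7 1.stage.staging-zone.test TXT "b8000000000000004000000000000000"
1721200005 10.0.0.7 2.stage.staging-zone.test TXT "0e1fba0e00b409cd21b8014ccd215468"
1721200006 10.0.0.7 3.stage.staging-zone.test TXT "69732070726f6772616d2063616e6e6f"
1721200007 10.0.0.9 www.example.com A 93.184.216.34
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Executable magic bytes worth flagging when the first chunk decodes to them.
MAGIC = {b"MZ": "PE (MZ header)", b"\x7fELF": "ELF"}


def parse_log(text):
    """Parse the five-field log format above into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rdata = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "rdata": rdata.strip().strip('"')})
    return records


def is_hex_blob(rdata, min_len=32):
    """True for even-length, pure-hex TXT data of at least min_len chars. Legitimate
    SPF/DMARC/site-verification records contain '=', ';' or non-hex letters and fail this."""
    return len(rdata) >= min_len and len(rdata) % 2 == 0 and bool(HEX_RE.match(rdata))


def zone_of(qname):
    """Naive registrable-domain guess (last two labels); use a public suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def find_staged_payloads(records, min_chunks=3):
    """Group hex-only TXT answers by zone and report zones that look like chunked file storage."""
    by_zone = defaultdict(dict)  # zone -> {qname: hex chunk}
    for r in records:
        if r["qtype"] == "TXT" and is_hex_blob(r["rdata"]):
            by_zone[zone_of(r["qname"])][r["qname"]] = r["rdata"]
    findings = {}
    for zone, chunks in by_zone.items():
        if len(chunks) < min_chunks:
            continue
        # Leading numeric labels (0.stage..., 1.stage...) suggest an ordered chunk sequence.
        indexed = {}
        for qname, blob in chunks.items():
            first = qname.split(".")[0]
            if first.isdigit():
                indexed[int(first)] = blob
        ordered = len(indexed) == len(chunks) and sorted(indexed) == list(range(len(chunks)))
        # Decode only the lowest-indexed chunk and look for an executable header.
        first_blob = indexed[min(indexed)] if indexed else next(iter(chunks.values()))
        head = bytes.fromhex(first_blob)
        magic = next((name for sig, name in MAGIC.items() if head.startswith(sig)), None)
        findings[zone] = {"chunks": len(chunks),
                          "bytes": sum(len(b) // 2 for b in chunks.values()),
                          "ordered": ordered, "magic": magic}
    return findings


if __name__ == "__main__":
    for zone, info in find_staged_payloads(parse_log(SAMPLE_LOG)).items():
        print(f"{zone}: {info}")
```

Because the TXT answers are inspected rather than the transport, the same logic applies to logs from a DoH or DoT resolver the organisation controls, which is the one place the encrypted-lookup caveat above does not remove visibility.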
Related: Domain Tools, Techzine, Tom's Hardware, SecurityLab.ru
Crypto exchange BigONE confirmed a $27 million breach stemming from a hot wallet exploit on July 16 and states that all user funds will be fully reimbursed.
In an official statement, the exchange said it detected “abnormal movements” tied to a third-party attack and has since identified and contained the vector. All private keys remain secure, and no additional losses are expected.
BigONE said user balances are safe, and all losses will be covered in full using a combination of internal reserves (BTC, ETH, SOL, USDT, XIN) and external borrowing to restore liquidity for niche tokens.
Deposits and trading resumed within hours, but withdrawals will be delayed until further security reinforcements are complete. (Shaurya Malwa / CoinDesk)
Related: BigONE, Tom's Hardware, Blockchain.News, BeInCrypto, Protos, The Defiant, NullTX, Cryptopolitan, Cointelegraph, crypto.news, CryptoPotato, The Crypto Times, Coinspeaker, CoinGape, The Block, Web3IsGoingJustGreat
Researchers at Resecurity report that one of the main banks in the Indian Ocean island nation of the Seychelles, the Seychelles Commercial Bank (SCB), is being targeted in an apparent extortion attempt, with a hacker posting that they have stolen client data for sale on the dark web.
Resecurity is investigating the cyberattack against Seychelles Commercial Bank (SCB) and managed to obtain a sample of the data and shared it with OCCRP.
The dataset includes SCB client names, addresses, and dates of birth, as well as account types and balances, some exceeding several million. The accounts themselves do not appear to have been breached.
A statement by the bank reported to a local newspaper said that no funds of the account holders have been accessed. (Alena Koroleva / OCCRP)
Related: GovInfoSecurity
Luxury fashion giant Louis Vuitton confirmed that breaches impacting customers in the UK, South Korea, and Turkey stem from the same security incident, which is believed to be linked to the ShinyHunters extortion group.
Since last week, the retailer has been notifying customers that their info was exposed in a data breach, first in South Korea, then in Turkey, and on Friday in the United Kingdom.
"Despite all security measures in place, on July 2, 2025, we became aware of a personal data breach resulting from the exfiltration of certain personal data of some of our clients following an unauthorized access to our system," reads Louis Vuitton's data breach notifications sent to customers.
"We would like to assure you that our cybersecurity teams have taken care of the incident with the utmost diligence and attention. Technical measures were immediately taken to contain the incident after its occurrence, notably by blocking the unauthorized access.
"Louis Vuitton teams are mobilized to cooperate with the competent authorities which have been notified, including the Information Commissioner's Office (the ICO)."
Louis Vuitton confirmed that no payment information was compromised from the database accessed during the incident. (Lawrence Abrams / Bleeping Computer)
Related: HackRead, The Record, SC Media
Google said it used a security-specific AI agent that it calls Big Sleep to detect a second critical vulnerability that was on the radar of threat actors but had not yet been exploited.
Big Sleep detected a critical security flaw in the SQLite relational database management system, indexed as CVE-2025-6965, which could lead to memory corruption.
The bug was only known to threat actors, Google said, and was about to be exploited before it was patched.
However, the vulnerability was fixed by SQLite before impacting users of the RDBMS.
The company's Project Zero researchers built Big Sleep, announced in November last year, together with Google's DeepMind AI division. (Juha Saarinen / IT News)
Related: The Keyword, Beta News, PYMNTS, Tech Republic, Winbuzzer
United Natural Foods Inc (UNFI) flagged a roughly $350 million to $400 million hit to its fiscal 2025 net sales from a June 5 cyber incident.
The grocery distributor took certain systems offline after the activity was discovered on June 5. UNFI said it expects the anticipated insurance proceeds to be adequate for the incident. (Neil J Kanatt / Reuters)
Related: UNFI, Security Week, TipRanks, Progressive Grocer, Supermarket News
Researchers at the Shadowserver Foundation report that multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
The Foundation observed 85 infections on July 14 and 77 on the next day. They say these Fortinet FortiWeb instances are believed to be compromised through the CVE-2025-25257 flaw.
CVE-2025-25257 is a critical pre-authenticated RCE via SQL injection (SQLi) affecting FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, and 7.0.0 through 7.0.10.
Fortinet released patches on July 8, 2025, urging users to upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and later versions of each branch. (Bill Toulas / Bleeping Computer)
Related: ShadowServer

During the International Conference on Cyber Security at Fordham University in New York City, Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, said that the Chinese threat actor Volt Typhoon had failed to maintain its persistence in penetrating US networks.
“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign,” she said.
“We, with private sector, with FBI, found them, understood how they were using the operating systems, how they're using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and US government to hunt for them and detect them.”
Brett Leatherman, who was recently appointed assistant director for cyber at the FBI, echoed those remarks and noted that Volt Typhoon was specifically focused on critical infrastructure centered around the US Navy, particularly in island communities like Guam.
Leatherman said US efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their tactics, and burn previous methods they used to breach critical infrastructure systems. (Jonathan Greig / The Record)
Related: Homeland Security Today, WebProNews, SC Media
Private equity firm Limerston Capital acquired Doncaster, UK-based managed security service provider DigitalXRAID.
The acquired firm specialises in vulnerability management, threat intelligence, information security, penetration testing, security consultancy, and security operations center (SOC) services. (The Business Desk)
Related: Business Doncaster, Business Sale Report
Best Thing of the Day: Signs of Cybersecurity Life in the Trump Administration
Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, says that White House cybersecurity officials are working on an updated “zero trust 2.0” strategy.
Bonus Best Thing of the Day: Is Congress Getting Its Cyber Groove Back?
Congress is set to revisit Stuxnet, the malware that wreaked havoc on Iran’s nuclear program 15 years ago, during a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection on July 22 in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate.
Worst Thing of the Day: China Beefs Up Hacking Campaigns With Private Sector Contractors
A new private industry outsourcing model is allowing China to get more aggressive in its state-sponsored hacking campaigns.
Bonus Worst Thing of the Day: Move Over Marco Rubio, Make Way for Amber
Hackers used deepfake AI voice technology to take over a Charlotte, NC, woman's product reselling channel on TikTok.
Closing Thought
