Coupang CEO resigns as cops raid the company's HQ for a second time

Man pleads guilty amid DOJ take-down of Social Engineering Enterprise gang, DOJ files more charges against Cyber Army of Russia Reborn member, Spanish cops bust teen hacker for stealing 64m records, Ukraine cyber corps claims attack on Russian logistics company Eltrans+, much more


Don't miss my latest CSO piece, which delivers a run-down of some of the key cyber provisions in the 2026 NDAA compromise bill released earlier this week.



Coupang Chief Executive Officer Park Dae-jun resigned over his failure to prevent South Korea’s largest-ever data breach, which set off a regulatory and political backlash against the country’s dominant online retailer.

The company said in a statement that Park had stepped down over his role in the breach. It appointed Harold Rogers, chief administrative officer for the retailer’s US-based parent company Coupang Inc., as interim head.

Park becomes the highest-profile casualty of a crisis that’s prompted a government investigation and disrupted the lives of millions across Korea. Nearly two-thirds of people in the country were affected by the breach, which granted unauthorized access to their shipping addresses and phone numbers.

Police raided Coupang’s headquarters this week in search of evidence that could help them determine how the breach took place, as well as the identity of the hacker.

Moreover, police raided Coupang's headquarters for a second day today, continuing their investigation into a massive personal data leak that has affected more than 30 million customers.

The cyber unit of the Seoul Metropolitan Police Agency sent its investigators to the Coupang headquarters in Songpa, eastern Seoul, with a search warrant to seize evidence related to the data breach, a day after they raided the compound for about 10 hours. (Yoolim Lee / Bloomberg and Kim Seung-yeon / Yonhap News)

Related: Financial Times, The Korea Times, CNBC, Reuters, New York Times, Blockchain.News, The Cyber Express, Tech in Asia, Benzinga, KED Global, Fortune, Yonhap News, UPI

California resident Evan Tangeman pleaded guilty to RICO conspiracy charges this week after being accused by the DOJ of buying homes and laundering money on behalf of a criminal gang that stole cryptocurrency through social engineering schemes.

Tangeman became the ninth person to plead guilty as part of a wider Justice Department takedown of a criminal group known as the Social Engineering Enterprise. 

The group gained access to databases of people with large amounts of cryptocurrency and either scammed them into providing access to their funds or broke into their homes to physically steal devices. Members of the group were previously charged with stealing more than $263 million worth of cryptocurrency from a victim in Washington, D.C.

Tangeman helped the group launder millions of dollars worth of stolen cryptocurrency and assisted them in renting lavish mansions across California and Florida, where they lived and conducted the crimes. He will be sentenced on April 24, 2026.

On Monday, a superseding indictment was also unsealed, charging three more members of the Social Engineering Enterprise with crimes related to the conspiracy. 

Several members have been recently arrested in Miami and Dubai. (Jonathan Greig / The Record)

Related: Justice Department, Hoodline, The Block, Decrypt, Bitdefender, The Street, CryptoRank, Cryptopolitan

The US Department of Justice unveiled additional charges against a Ukrainian woman, Victoria Eduardovna Dubranova, accused of supporting Russian state-backed cyberattacks against critical infrastructure.

She was indicted over her alleged links to a Moscow-sponsored group, the DOJ said. Dubranova was extradited to the US earlier this year over her alleged support for another Russian group. She has pleaded not guilty in both cases.

“…malicious Russian cyber activity — whether conducted directly by state actors or their criminal proxies — aimed at furthering Russia’s geopolitical interests,” US Assistant Attorney General for National Security John Eisenberg said in the statement.

Both groups Dubranova is accused of working with, CyberArmyofRussia_Reborn (CARR) and NoName057(16), have strong links to the Russian government, according to the DOJ.

CARR was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, known as GRU, the statement said. The group claimed credit for hundreds of cyberattacks worldwide, including attacks against critical infrastructure in the United States.

If convicted, Dubranova faces a sentence of up to 27 years in federal prison. The US Department of State is offering rewards of up to $10 million for information on individuals associated with CARR and NoName. (Jane Lanhee Lee / Bloomberg)

Related: Justice Department, EPA, Reuters, CISA

The National Police in Spain arrested a suspected 19-year-old hacker in Barcelona for allegedly stealing and attempting to sell 64 million records obtained from breaches at nine companies.

The teen now faces charges related to involvement in cybercrime, unauthorized access and disclosure of private data, and privacy violations.

"The cybercriminal accessed nine different companies where he obtained millions of private personal records that he later sold online," the police said.

The police launched an investigation into the cybercriminal in June, after the authorities became aware of breaches at the unnamed firms.

Eventually, the suspect was located in Igualada, Barcelona, and it was confirmed that he held 64,000,000 private records. These records include full names, home addresses, email addresses, phone numbers, DNI numbers, and IBAN codes. (Bill Toulas / Bleeping Computer)

Related: Policia Nacional, Ara, CyberInsider, Fire Emergency New Zealand

The Ukrainian GUR Cyber Corps attacked Russia's leading logistics company Eltrans+ on Dec. 6, deactivating more than 700 computers and servers and encrypting 165 terabytes of critical data.

Eltrans+ is among the top 10 largest customs representatives and freight forwarders in Russia. More than 5,000 Russian small, medium, and large businesses use the services of "Eltrans+".

The company carries out international and domestic transportation (road, sea, air, multimodal), warehouse storage, transportation of consolidated cargo, as well as full customs clearance of goods.

"Eltrans+" is engaged in the delivery of sanctioned goods, as well as various electronic components from China, which are used by the Russian military-industrial complex.

Moreover, the access control system and the video surveillance data storage and backup system were affected; the network equipment, along with the core of the data center, was deactivated and disabled; declarations for all cargo were destroyed; and all company websites were "defaced" and now greet Russian users with the Day of the Armed Forces of Ukraine. (UNN)

Related: Ukrainian News, EMPR Media, Online.UA, Mezha, The New Voice of Ukraine, RBC-Ukraine, Kyiv Post, The Kyiv Independent, TVP World, SC Media

Cyberpolice of Chernivtsi region in Ukraine, together with the SBU, exposed a resident of Bukovyna who hacked social media accounts and sold them on a hacker forum.

The man faces up to 15 years in prison.

Law enforcement officers established that the man independently created malicious software for automatically hacking user accounts on social networks and other platforms. The victims were primarily citizens of the USA and Europe.

In addition, the man administered a bot farm with more than 5,000 accounts.

Authorities conducted searches in the suspect's apartment and car and seized computer equipment and mobile devices with evidence of illegal activity. (UNN)

Related: National Police of Ukraine, Mezha

For the final Patch Tuesday of 2025, Microsoft issued fixes for at least 56 security flaws in its Windows operating systems and supported software, including one zero-day flaw.

The zero-day flaw is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions. The weakness resides in a component called the “Windows Cloud Files Mini Filter Driver” — a system driver that enables cloud applications to access file system functionalities.

Only three of the flaws earned Microsoft’s most dire “critical” rating: Both CVE-2025-62554 and CVE-2025-62557 involve Microsoft Office, and both can be exploited merely by viewing a booby-trapped email message in the Preview Pane. Another critical bug — CVE-2025-62562 — involves Microsoft Outlook, although Redmond says the Preview Pane is not an attack vector with this one.

One of the more interesting vulnerabilities patched this month is CVE-2025-64671, a remote code execution flaw in the GitHub Copilot plugin for JetBrains, the AI-based coding assistant that is used by Microsoft and GitHub.

The other publicly disclosed vulnerability patched today is CVE-2025-54100, a remote code execution bug in Windows PowerShell on Windows Server 2008 and later that allows an unauthenticated attacker to run code in the security context of the user. (Brian Krebs / Krebs on Security)

Related: Security Week, Forbes, Zero Day Initiative, Petri, Bleeping Computer, Dark Reading, The Register, Help Net Security, Neowin, CyberScoop, Infosecurity Magazine, Tom's Guide, SANS Institute, Ask Woody, Rapid7, CSO Online

The GCSB’s National Cyber Security Centre (NCSC) is emailing thousands of New Zealanders to notify them that their devices may be impacted by malicious software.

The NCSC email directs recipients to the NCSC’s Own Your Online website for advice on how to remove the malware and provides general cybersecurity advice to help address potential risk to their online accounts.

Emails are going out to around 26,000 email addresses.

The NCSC’s Chief Operating Officer, Michael Jagusch, says the email relates to malware known as Lumma Stealer, which typically impacts devices using Microsoft Windows operating systems.

The malicious software is designed to steal sensitive information, like email addresses and passwords, from devices typically for the purposes of fraud or identity theft. (NCSC)

Related: Newstalk ZB, Stuff, The Post

American IT software company Ivanti warned customers to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.

Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.

Tracked as CVE-2025-10573, this critical security flaw can be exploited by remote, unauthenticated threat actors to execute arbitrary JavaScript code through low-complexity cross-site scripting attacks that require user interaction.

"An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server to poison the administrator web dashboard with malicious JavaScript," explained Rapid7 staff security researcher Ryan Emmons, who reported the vulnerability in August.

"When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session."

Ivanti also released security updates to address three high-severity vulnerabilities, two of which (CVE-2025-13659 and CVE-2025-13662) could allow unauthenticated attackers to execute arbitrary code on unpatched systems. (Sergiu Gatlan / Bleeping Computer)

Related: Rapid7, Security Affairs, Computing

Ivanti EPMM instances exposed online. Source: Shadowserver.

New research from Cydome’s cybersecurity team identified an active campaign by a new variant of the Mirai botnet, designated Broadside, targeting the maritime logistics sector. The campaign exploits a vulnerability (CVE-2024-3721) in TBK DVR (digital video recorder) devices used by shipping companies, including on vessels.

“Unlike previous Mirai variants, Broadside employs a custom C2 protocol, a unique ‘Magic Header’ signature, and an advanced ‘Judge, Jury, and Executioner’ module for exclusivity,” the Cydome Research Team said.

“Technically, it diverges from standard Mirai by utilizing Netlink kernel sockets for stealthy, event-driven process monitoring (replacing noisy filesystem polling), and employing payload polymorphism to evade static defenses.”

Crucially, Cydome mentioned that the threat extends beyond denial-of-service attacks; analysis confirms that Broadside actively attempts to harvest system credential files. This indicates a secondary objective of privilege escalation and lateral movement, transforming the compromised device from a simple bot into a strategic foothold. (Anna Ribeiro / Industrial Cyber)

Related: Cydome, r/InfoSecNews, eSecurityPlanet, Security Affairs

Overview of the Broadside campaign. Source: Cydome.

Binance founder Changpeng Zhao said the WeChat account of newly appointed co-CEO Yi He was hacked late Tuesday and used to promote a little-known memecoin, turning the breach into a pump-and-dump scheme that briefly sent the asset surging on some decentralized exchanges.

Zhao said the attackers used the compromised account to circulate memecoin endorsements and urged users to ignore the messages.

“Web2 social media security is not that strong. Stay safu!” he wrote on X. “Do not buy meme coins from the hackers’ posts.”

On-chain data shows the hack quickly shifted from a social-engineering breach to a trading exploit.

Analytics account Lookonchain identified two newly created wallets that accumulated roughly 21.16 million MUBARA tokens — a little-known memecoin on decentralized exchanges — by spending 19,479 USDT across PancakeSwap and related routes.

As the fake endorsement spread through WeChat channels, trading volume and price spiked sharply on Dexscreener charts.

The wallets then began offloading the position as fresh liquidity arrived. (Shaurya Malwa, AI Boost / CoinDesk)

Related: crypto.news, Cryptopolitan, BeInCrypto, CoinCentral, Cryptonews, CryptoRank

The official account for Paramount Pictures on X, the social network formerly known as Twitter, was seemingly compromised Tuesday — with someone rewriting the description in the account’s bio to read: “Proud arm of the fascist regime.”

The hack of Paramount Pictures’ X account, which has nearly 3.5 million followers, came a day after David Ellison’s Paramount Skydance launched a direct-to-shareholders hostile takeover effort for Warner Bros. Discovery. That was three days after Netflix and WBD announced an agreement under which the streamer would buy WB’s studios, HBO, HBO Max, and games divisions.

The official description for the Paramount Pictures account on the social network had changed back to: “The official X account for Paramount Pictures.” (Todd Spangler / Variety)

Related: r/technology, International Business Times, Times of India

Cybersecurity insurance provider Coalition announced its cybersecurity insurance policies will now cover certain deepfake incidents, including ones that lead to reputational harm.

The coverage will also include response services such as forensic analysis, legal support for takedown and removal for deepfakes online and crisis communications assistance.

Michael Phillips, head of Coalition’s cyber portfolio underwriting, said Coalition has covered deepfake-enabled fraud leading to fraudulent transfers since last year.

Now, coverage is being expanded to “any video, image, or audio content that is created or manipulated through the use of AI by a third party, and that falsely purports to be authentic content depicting any past or present executive or employee, or falsely frames the organization’s products or services.” (Derek B. Johnson / CyberScoop)

Related: Coalition, Silicon Angle

Best Thing of the Day: Cut Off One Head, Two More Take Its Place

Alternative social media platforms surged in popularity in Australia on Wednesday after the nation’s landmark ban on under-16s drove children to non-restricted apps.

Worst Thing of the Day: And Please Send All This To Us in Plain Text

A US Customs and Border Protection proposal posted to the Federal Register suggests the United States could begin requiring visitors from countries on the visa waiver program to provide up to five years of their social media history.
