EU cops bust money launderers who set up crypto fraud network
OFAC sanctions DPRK firms for supporting criminal activity, Probe reveals how easy it is to intercept EU and NATO sensitive movement data, KC PD hack exposes misconduct details, Nikkei Slack hack exposes data on 17K employees and partners, Curly COMrades abuses Microsoft Hyper-V in Windows, more

European law enforcement authorities arrested nine suspected money launderers who set up a cryptocurrency fraud network that stole over €600 million ($689 million) from victims across multiple countries.
The fraudsters allegedly created fake cryptocurrency investment platforms that looked legitimate and promised high returns, and recruited victims through various means, including social media and cold calling.
Once the victims transferred their cryptocurrency, they were unable to recover their funds, while the criminals successfully laundered more than €600 million in stolen assets using blockchain tools.
The coordinated operation took place on October 27 and 29 in Cyprus, Spain, and Germany, and was coordinated by Eurojust, the European Union's judicial cooperation agency, from its headquarters in The Hague.
"Nine suspects were arrested at their homes in Cyprus, Spain, and Germany on suspicion of their involvement in money laundering from fraudulent activities. At the same time, searches took place that resulted in the seizure of EUR 800 000 in bank accounts, EUR 415 000 in cryptocurrencies, and EUR 300 000 in cash," Eurojust said. (Sergiu Gatlan / Bleeping Computer)
Related: Eurojust, The Record, Bitcoin Magazine, Help Net Security, Infosecurity Magazine
The US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned IT company Korea Mangyongdae Computer Technology Company (KMCTC) and financial institution Ryujong Credit Bank, accusing the North Korean businesses of being key cogs in Pyongyang’s effort to evade sanctions and bring home earnings from criminal activity.
KMCTC runs the IT worker operation in the Chinese cities of Shenyang and Dandong, the Treasury said. The company helps the IT workers use Chinese nationals as proxies to obtain their earnings and launder them back to North Korea. U Yong Su, one of the men sanctioned, is currently president of KMCTC.
Ryujong Credit Bank helps launder the money earned by IT workers and other North Koreans working overseas, the Treasury said.
“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, the Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten US and global security.”
Seven other men — Jang Kuk Chol, Ho Jong Son, Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom, and Ri Jin Hyok — were also sanctioned for their roles as employees of sanctioned companies or as facilitators in the broader money laundering scheme.
According to the Treasury Department, Jang Kuk Chol and Ho Jong Son are bankers tied to the previously sanctioned First Credit Bank. The North Koreans helped manage about $5.3 million in cryptocurrency, a portion of which was linked back to a ransomware attack on a US organization.
The department said some of the money also came from IT worker schemes, in which North Koreans use fake or stolen identities to obtain employment in high-paying roles at US companies illicitly.
The five other men serve as North Korean representatives in Russia and China who help facilitate the laundering of millions of dollars in earnings from a variety of schemes, the Treasury said. (Jonathan Greig / The Record)
Related: Bitcoin Magazine, Eurojust, CyberScoop, Decrypt, DL News, Politico, German Federal Foreign Office, The Crypto Times, Associated Press, CoinGape, Cryptonews, Blockonomi, CoinDesk, crypto.news
Research by BR, Netzpolitik.org, and international partners such as Le Monde and L'Echo from the "Databroker Files" series reveals the ease with which sensitive movement data, including that of EU and NATO personnel, can be intercepted.
The reporting team has received free sample material from data brokers, which includes location data from millions of mobile phones from Germany and the EU, with a focus on Belgium—the most recent dataset dates from July 2025.
The analysis of the information, which serves only as a lure for paid subscriptions with more comprehensive holdings, enabled the unambiguous identification of several high-ranking individuals from the Brussels political scene. These include employees of the EU Parliament and the European External Action Service, as well as a diplomat from an EU member state.
The location data reveals users' homes, workplaces, behavior, and preferences. It can document visits to highly sensitive places such as clinics, religious buildings, party and trade union headquarters, or even brothels and swingers' clubs, thereby disclosing special categories of personal data. (Stefan Krempl / Heise Online)
Related: Netzpolitik, Netzpolitik, TechCrunch, The Record
Documents exposed in a major hack of the Kansas City, Kansas, Police Department reveal, for the first time, the department's Giglio List, a highly secret "Veracity Disclosure List," along with dramatic details of the misconduct that put officers on it, from incompetence to domestic violence.
Published by the transparency nonprofit Distributed Denial of Secrets, more than one terabyte of hacked documents paint a disturbing picture: Officers with egregious credibility issues—those the department itself investigated and found untrustworthy—were not only allowed to stay on the force but often rose through the ranks or moved on to other departments, without the public knowing.
KCUR and WIRED corroborated the Giglio List found in the hack with testimony from the then-Wyandotte County district attorney in a 2011 case. The whole context of what landed a particular officer on the list was not always evident.
The files are a further indication of what has been an open secret for decades—residents’ accusations that many KCKPD officers were corrupt or racist—and which became very public with the 2022 arrest of Roger Golubski, a retired KCKPD detective accused in two federal cases of sexually assaulting at least seven women while on duty and of protecting a drug dealer’s sex trafficking ring. Golubski told his roommate at the time that he’d rather “eat my gun” than go to jail. He died of an apparent suicide on December 2, 2024, the first day of his federal court trial.
Golubski’s file also highlights a broader flaw in the Giglio List and the department’s internal misconduct investigations: whether these records accurately reflect an officer’s complete history of misconduct. (Dhruv Mehrotra and Peggy Lowe / Wired)
Related: KCUR
Japanese publishing giant Nikkei announced that its Slack messaging platform had been compromised, exposing the personal information of over 17,000 employees and business partners.
The media giant, which acquired the Financial Times in 2015, currently has 37 foreign editorial bureaus and over 1,500 journalists worldwide.
Nikkei stated that attackers gained access to employee Slack accounts by using authentication credentials stolen after an employee's computer was infected with malware.
Nikkei discovered the security breach in September, which prompted immediate security measures, including mandatory password changes.
"Potentially leaked information includes the names, email addresses, and chat histories for 17,368 individuals registered on Slack," the company said.
Despite the scale of the incident, Nikkei said the stolen information doesn't fall under Japan's Personal Information Protection Law, which mandates reporting for certain data breaches. However, it voluntarily notified the country's Personal Information Protection Commission, citing its commitment to transparency and the incident's "significance."
The publisher added that no information related to confidential sources or reporting activities was compromised during the incident, adding that personal data collected for journalistic purposes remains secure. (Sergiu Gatlan / Bleeping Computer)
Related: CyberInsider, Digital Journal
Researchers at Bitdefender report that the Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.
Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.
Curly COMrades is a cyber-espionage threat group believed to be active since mid-2024. Its activities are closely aligned with Russian geopolitical interests.
Bitdefender previously exposed Curly COMrades' activities against government and judicial bodies in Georgia, as well as energy firms in Moldova.
With the help of the Georgian CERT, the Romanian cybersecurity firm uncovered more about the threat actor's latest operation.
The researchers found that in early July, after gaining remote access to two machines, Curly COMrades executed commands to enable Hyper-V and turn off its management interface.
Hyper-V is Microsoft's native hypervisor, included in Windows (Pro and Enterprise) and Windows Server, that provides hardware virtualization so users can run virtual machines (VMs).
"The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender explains. (Bill Toulas / Bleeping Computer)
Related: The Register, Bitdefender
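A defender-side audit for the pattern described above (Hyper-V platform switched on, management tooling switched off, a tiny guest VM), as an added example that is not from Bitdefender or the article. Assumptions: it runs elevated on a Windows 10/11 Pro or Enterprise workstation that is not supposed to host VMs; "management interface" is taken to mean the Microsoft-Hyper-V-Management-* optional features; the 512MB memory threshold is illustrative.

```powershell
# Added audit script (not from Bitdefender or the article): flag endpoints where the
# Hyper-V platform is enabled but its management tooling is absent, and enumerate
# any VMs with an unusually small footprint. Assumptions: run elevated on Windows
# 10/11 Pro/Enterprise; the "management interface" in the report is taken to mean
# the Microsoft-Hyper-V-Management-* optional features. Thresholds are illustrative.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Optional-feature state: platform on, tools off is the pattern described.
$features = @{}
foreach ($name in 'Microsoft-Hyper-V-Hypervisor',
                  'Microsoft-Hyper-V-Services',
                  'Microsoft-Hyper-V-Management-PowerShell',
                  'Microsoft-Hyper-V-Management-Clients') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $features[$name] = if ($f) { [string]$f.State } else { 'NotPresent' }
}
$platformOn = $features['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled' -or
              $features['Microsoft-Hyper-V-Services']   -eq 'Enabled'
$toolsOff   = $features['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled' -and
              $features['Microsoft-Hyper-V-Management-Clients']    -ne 'Enabled'
if ($platformOn) {
    $findings.Add("Hyper-V platform enabled on $env:COMPUTERNAME (review against asset inventory)")
}
if ($platformOn -and $toolsOff) {
    $findings.Add('Hyper-V enabled but management tools disabled: matches hidden-VM tradecraft')
}

# 2. The VMMS service running on a workstation that should not host VMs.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $findings.Add('Hyper-V Virtual Machine Management service (vmms) is running')
}

# 3. Enumerate VMs if the Hyper-V module is available; small guests stand out.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $memMB = [int]($vm.MemoryStartup / 1MB)
        $disks = Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue
        $line  = "VM '$($vm.Name)' state=$($vm.State) memory=${memMB}MB created=$($vm.CreationTime)"
        if ($memMB -le 512) { $line += ' [small footprint]' }
        foreach ($d in $disks) { $line += " disk=$($d.Path)" }
        $findings.Add($line)
    }
} else {
    # 4. No module (tools removed): fall back to VM configuration and disk files
    #    in the default Hyper-V locations.
    $paths = "$env:ProgramData\Microsoft\Windows\Hyper-V",
             "$env:PUBLIC\Documents\Hyper-V\Virtual Hard Disks"
    foreach ($p in $paths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p -Recurse -Include *.vmcx,*.vhd,*.vhdx -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sizeMB = [int]($_.Length / 1MB)
                    $findings.Add("VM artifact on disk: $($_.FullName) (${sizeMB}MB, modified $($_.LastWriteTime))")
                }
        }
    }
}

if ($findings.Count -eq 0) { 'No Hyper-V activity found.' } else { $findings }
```

Run it from endpoint management tooling across the workstation fleet and treat any output on a machine outside the approved virtualization inventory as a triage item.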

The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people.
Miljödata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company disclosed the incident on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin not to leak it.
The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås.
Because of the significant impact, the state monitored the situation from the time of disclosure, with CERT-SE and the police starting to investigate immediately.
According to IMY, the attacker exposed on the dark web data that corresponds to 1.5 million people in the country, creating the basis for investigating potential General Data Protection Regulation (GDPR) violations. (Bill Toulas / Bleeping Computer)
Related: IMY
The Louvre Museum in Paris, victim of an audacious burglary involving a furniture lift last month, has been struggling for over a decade to upgrade outdated software, including that controlling its video surveillance systems, according to a French newspaper report.
Thieves used a furniture lift to break in through a second-floor window on October 19, stealing eight items of jewelry. Alarm systems on the window and on the display case holding the jewelry functioned as expected, according to the French Ministry of Culture, and police were on the scene within three minutes. The raid prompted a top-to-bottom review of security at the museum.
The Inspectorate General of Cultural Affairs (IGAC) submitted its first conclusions last week, prompting the Minister of Culture to recommend new governance rules and security policies, the installation of additional security cameras around the building perimeter, and an urgent update of all security protocols and procedures by year-end. The details of the report remain confidential. (Peter Sayer / CSO Online)
Related: French Ministry of Culture, French Ministry of Culture, Liberation
The National Security Agency is confronting a wave of internal strain — including leadership gaps, program cuts, and deferred resignation offers — on top of the ongoing government shutdown that’s left parts of its workforce furloughed.
Renowned for tracking targets across the world’s internet backbone, the Defense Department’s intelligence giant now faces conditions that risk eroding morale among analysts and weakening the agency’s long-term cyber capabilities, sources say.
A significant leadership gap has been in place for seven months. The White House recently backed down on its plans to nominate Lt. Gen. William Hartman to lead the NSA and US Cyber Command, a person with knowledge of the matter said. A search to find candidates for various leadership positions at the agency continues. (David DiMolfetta / NextGov/FCW)
Related: Breaking Defense
Researchers at Zscaler say hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025.
During the same period, the company observed a 67% year-over-year growth in malware targeting mobile devices, with spyware and banking trojans being a prevalent risk.
Telemetry data shows that threat actors are shifting from traditional card fraud to exploiting mobile payments using phishing, smishing, SIM-swapping, and payment scams.
The shift toward social-engineering-based attacks is attributed to improved card security standards, such as chip-and-PIN technology, and the wide adoption of mobile payments.
"To carry out these attacks, cybercriminals deploy phishing trojans and malicious apps designed to steal financial information and login credentials," Zscaler says. (Bill Toulas / Bleeping Computer)
Related: Zscaler

As voters across the US cast their ballots yesterday, US election officials were operating with sharply reduced support from a federal government agency that had previously helped states and localities counter bomb threats and cyberattacks.
The Cybersecurity and Infrastructure Security Agency abandoned an Election Day situation room it had operated for years to share vital intelligence on physical and cyber threats with state and local authorities, said Paul Lux, chair of the Elections Infrastructure Information Sharing and Analysis Center, a national coalition of election officials.
CISA’s decision to end the information-sharing arrangement follows the dismantling of the agency’s election security team earlier this year. Remaining election personnel with CISA, a unit of the Department of Homeland Security, have since been prohibited from working with or contacting state election officials, according to a person familiar with the matter.
The cuts have sent state and local officials responsible for running elections searching for ways to shore up potential gaps in cybersecurity, threat monitoring, and physical protection of polling places. Changes at Homeland Security are sinking in as the nation confronts a bitterly divided political climate marked by violent outbursts, including the assassination of conservative commentator Charlie Kirk. (Patrick Howell O'Neill / Bloomberg)
Related: Axios
In threat group Qilin's October 12 cyberattack on waste processing company Omrin, the gang stole the citizen service numbers (BSNs), names, and addresses of all residents of Schiermonnikoog.
Schiermonnikoog is the only municipality from which such sensitive data has been stolen. Omrin admitted that it didn't need these BSNs to perform its duties. Data from vacation home owners and company information were also stolen.
The municipality is sending all residents a letter about the hack, but it won't arrive until Tuesday. Therefore, the information is already on the municipality website. The risk of the stolen data is that hackers can more easily commit identity fraud or launch targeted phishing attacks. Phishing involves criminals trying to trick people into sharing personal information. (Tweakers / Nu.nl)
Related: Mezha
Korean police are investigating a suspected malware attack linked to a North Korean hacking group after a human rights activist reported their computer had been used to send an infected file to multiple contacts.
The Gyeonggi Nambu Provincial Police Agency said that its cybersecurity division is leading the investigation after receiving the report from the Seongnam Sujeong Police Precinct on Sept. 22.
The victim, identified as an activist involved in North Korean human rights issues, reported on Sept. 15 that a suspicious KakaoTalk message had been sent to about 30 acquaintances from their account. The message, which the activist said they never wrote, contained a file and a message claiming it offered “ways to relieve stress.”
Police found that the malware used in the attack closely resembles programs typically employed by North Korean state-sponsored hacking groups. Investigators believe the hackers targeted the activist's personal computer to steal information about individuals involved in North Korea-related activities. (Jung Si-nae / KoreaJoongAng Daily)
Related: Chosun
CrowdStrike's 2025 European Threat Landscape Report reveals that physical attacks and kidnappings have increased dramatically, particularly in Europe.
“In January 2025, threat actors kidnapped and attempted to extort the co-founder of Ledger, a prolific cryptocurrency wallet vendor, in France,” the CrowdStrike report said. “Although the threat actors in this case and numerous others have been arrested, the threat persists. Between January 2025 and September 2025, 17 similar incidents occurred in Europe, 13 of which occurred in France.”
Cybersecurity consultants said that they have been hearing similar reports of increased violence to gain system access for quite some time.
The report also detailed some of the global patterns for attack prevalence.
“Entities in Europe are more than twice as likely to be targeted than entities in the Asia Pacific and Japan region,” the report said, adding that the European Union’s GDPR is one of the reasons. “Threat actors have leveraged GDPR data breach penalties to pressure victims into paying ransoms. Several threat actors have threatened to report entities for regulatory noncompliance via their data leak sites, in ransom notes, or during negotiations.”
The report highlighted various statistical attack patterns, including the most targeted verticals (manufacturing, professional services, technology, industrials and engineering, and retail) and the most popular attack methods, including, it said, “Dumping credentials from backup and restore configuration databases, which often store credentials used to access hypervisor infrastructure; remotely encrypting files, executing ransomware, often from an unmanaged system, and running the file encryption process outside of the targeted system; leveraging access to unmanaged systems to steal data and deploy ransomware; and deploying Linux ransomware on VMware ESXi infrastructure.” (Evan Schuman / CSO Online)
Related: CrowdStrike, Industrial Cyber, Technology Magazine, BetaNews, Computer Weekly, Digit, Dark Reading, The Register
At its annual OneCon event in Las Vegas, SentinelOne unveiled a series of new AI-powered solutions for defenders, given that the rise of AI models, prompts, agents, and data pipelines has become the latest attack surface.
Among the cybersecurity giant's new solutions are products premised on the company's recent acquisition of Prompt Security. These solutions include Prompt Security for Employees, which aims to deliver real-time visibility and control over employee GenAI usage; Prompt Security for AI Code Assistants, which seeks to secure the use of GenAI coding tools by instantly redacting secrets, PII, and IP from code to prevent data leaks; Prompt Security for AI Applications; and Prompt Security for Agentic AI (Beta).
SentinelOne is also unveiling products based on its recent acquisition of Observo AI, including what it calls Observo AI Integration with Singularity™ AI SIEM, which the company says "efficiently ingests and normalizes petabytes of data from any source, then prioritizes and routes what matters most into Singularity AI SIEM."
Finally, SentinelOne unveiled its new Wayfinder Threat Detection & Response suite of managed services, "designed to give customers the ultimate Human + AI defense against modern cyber risks." (Kyle Alspach / CRN)
British retailer Marks & Spencer said it will have fully recovered from April's cyberattack by March next year, forecasting second-half profit "at least" in line with last year after it slumped 55.4% in the first half.
The cyberattack meant the 141-year-old M&S, one of the biggest names on the UK high street, was forced to suspend online clothing orders for seven weeks and click-and-collect services for nearly four. Clothing and food availability in stores were also hit, while additional waste and logistics costs were incurred.
But CEO Stuart Machin told reporters a second-half recovery "should give us a solid base to springboard into a new financial year starting April and set M&S up for further growth." (James Davey / Reuters)
Related: Financial Times, BusinessCloud, The Times, City A.M., Wall Street Journal, The Irish Times, Telegraph, The Grocer, RTÉ, The Standard, TheIndustry.fashion, The Independent, UKTN, Bloomberg
Israeli cybersecurity startup Daylight announced it had raised $33 million in a Series A venture funding round.
Craft Ventures led the round with participation from Bain Capital Ventures and Maple VC, alongside a lineup of cybersecurity champions and angel investors, including Assaf Rappaport of Wiz, Ofer Smadari and Leonid Belkind of Torq, Tamar Bar-Ilan of Cyera, Yevgeny Dibrov of Armis, and Ofir Ehrlich of EON. (Meir Orbach / Calcalist)
Related: The Times of Israel, Tech Funding News, Business Insider
Bug bounty and vulnerability disclosure company Bugcrowd announced the acquisition of Mayhem Security, an AI-driven offensive security firm.
Mayhem Security, previously known as ForAllSecure, was founded by David Brumley and Thanassis Avgerinos, both PhDs from Carnegie Mellon University. Mayhem previously gained recognition after winning the 2016 DARPA Cyber Grand Challenge by deploying an autonomous system able to discover, diagnose, and repair software vulnerabilities in real time, earning the first DEF CON Black Badge for a non-human competitor.
By buying Mayhem Security, Bugcrowd plans to bring its bug-hunting tools together in one platform so security testing can happen throughout the entire software process. (Greg Otto / CyberScoop)
Related: PR Newswire, Computer Weekly, BankInfoSecurity, FinTech Global, The Stack, ChannelE2E, Silicon Angle, CRN, Pulse 2.0, Security Week
Best Thing of the Day: Keep Your Travel Plans to Yourself
Airline passengers can opt out of allowing airlines to share their travel information with data broker Airlines Reporting Corporation (ARC).
Worst Thing of the Day: The Feds Make It Easy for the Locals to Scan Your Face
Customs and Border Protection (CBP) publicly released an app that sheriff offices, police departments, and other local or regional law enforcement can use to scan someone’s face as part of immigration enforcement.
Bonus Worst Thing of the Day: Democracy and Breach Gag Orders Don't Mix Well
Journalists told MPs on the House of Commons defence committee that the gag order barring them from reporting on the massive Afghan data breach scandal put the democratic process in the UK into the deep freeze.