EU lawmaker investigating Pegasus abuse was hacked with Pegasus spyware

FBI disrupts NetNut-linked proxy infrastructure, Russian hackers expose UK gov't credentials, India probes iPhone 18 Pro supply-chain leak, UK minister compares AI risks to Hiroshima, Sanctioned states increasingly rely on crypto, First fully AI-run ransomware attack spotted, much more

Share
EU lawmaker investigating Pegasus abuse was hacked with Pegasus spyware
Source: F70A7474

Metacurity is the cybersecurity industry's daily reality check—independent, agenda-free coverage that cuts through vendor hype, social media noise, and recycled talking points to explain what matters and why.

Trusted by thousands of cybersecurity professionals, including many of the industry's most influential security leaders, Metacurity delivers the context, analysis, and perspective that busy readers don't have time to assemble themselves.

If you find value in that work, please consider becoming a paid subscriber. Metacurity remains independent because its readers choose to support it.

According to a new forensic analysis from Citizen Lab, Greek politician Stelios Kouloglou’s iPhone was hacked with the very same Pegasus spyware at the center of investigations he was undertaking into how intrusive spyware had been used to hack business leaders, law enforcement officials, and politicians, part of the European Parliament’s PEGA Committee.

Citizen Lab's report, which could send shock waves through political circles in Europe, says it is the first time that a member of the PEGA Committee has been identified as having been a victim of the Pegasus spyware while they were working within the group.

The researchers say they do not have conclusive evidence of what government or entity was behind the attacks on Kouloglou’s device, but they note that whoever perpetrated the attacks would have potentially gotten access to internal information about the committee’s activities and findings, potentially violating EU parliamentary confidentiality requirements and people’s privacy.

John Scott-Railton, a Citizen Lab senior researcher, emphasizes that while the targeting occurred a few years ago, the irony of the episode underscores how endemic—and brazen—spyware targeting has become in the EU and beyond. “It’s open spyware season on Europe’s lawmakers,” he says. “The European Parliament, national parliaments, nobody is prepared.”

The European investigation into the use of Pegasus and other spyware in 2022 was prompted in large part by the Pegasus Project, consisting of research and reporting from more than a dozen media outlets and nongovernment organizations on a huge leak from the NSO Group. The data showed the scale and broad scope of Pegasus use around the world, with at least 180 journalists among those reportedly targeted by the spyware. (Lily Hay Newman and Matt Burgess / Wired)

Related:  Citizen Lab, The Guardian, Reuters, Amnesty International, TechCrunch, The420CyberNewsThe New ArabCyber Security News, Al Jazeera, Euractiv, The Times

The Federal Bureau of Investigation (FBI) said it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly traded Israeli company Alarum Technologies.

The action comes roughly two weeks after multiple security firms published findings connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims.

A seizure notice on affected websites thanked Google, Lumen, Shadowserver and other industry partners for their help in dismantling hundreds of domains tied to the Popa botnet, which experts say has long been synonymous with NetNut’s residential proxy infrastructure.

The Google Threat Intelligence Group (GTIG) said NetNut’s proxy network is widely resold and white-labeled by a number of third-party proxy providers, and that its services are heavily sought out by cybercriminals seeking to obfuscate the source of their malicious traffic. The GTIG said that in a single week during June 2026, they observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including cybercriminal and espionage groups.

Google said it disabled Google accounts and services used by NetNut for malware command and control, and that it shared technical intelligence on NetNut’s software development kits (SDKs) and backend infrastructure with platform providers, law enforcement and research firms. The company also disabled apps known to bundle NetNut’s various SDKs.

Omer Weiss, legal counsel for NetNut parent Alarum Technologies, said the company was aware of the FBI seizure and cooperating with investigators.

“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement. (Brian Krebs / Krebs on Security)

Related: Google Cloud, Bloomberg, The Register - SecurityReddit - Information Security NewsSecurity AffairsInfosecurity Magazine, Bleeping Computer, DataBreachToday, Infosecurity Magazine, Ynet News, Globes, CTech, Reuters

Seizure banner on the NetNut home page.

Russian hackers infiltrated the email accounts of UK government officials and overseas Foreign Office staff in a major national security breach.

In the sophisticated and ongoing attack – nicknamed FortiBleed by researchers – hackers stole login credentials belonging to government staff, granting unauthorized access to sensitive systems and threatening further infiltration across Whitehall departments.

The breach compromised more than 80,000 firewalls provided by Fortinet. Exploiting a vulnerability in the systems, the attackers used previously stolen data to bypass security perimeters designed to protect some of the UK’s most critical national infrastructure.

A list of breached accounts seen by The Telegraph reveals that credentials for overseas Foreign Office staff and local government officials across the UK have been exposed.

The breach included emails and coinciding passwords, allowing hackers – and anyone willing to pay them – the potential ability to infiltrate sensitive Whitehall systems. Dark web forums are trading access to the logins for as much as $60,000 (£44,000).

Breached accounts include those belonging to IT staff at British embassies in Thailand and Mauritius, as well as staff in Derbyshire and Waltham Forest, east London.

Among the credentials up for sale are login details for a range of institutions providing critical services and national infrastructure, including the NHS, energy providers and key suppliers of medicines across the country. (Richard Holmes / The Telegraph)

Related: Insurance Business, UNN, The Sun, Informat, Anadolu Agency, Crypto Briefing, DPA

India is investigating a data breach at Tata Electronics ​that exposed documents linked to Apple's unreleased iPhone ‌18 Pro, S. Krishnan, secretary at the Ministry of Electronics and Information Technology, said in the government's first public comments on the incident.

Sensitive lists of components ​and suppliers, as well as photos of iPhone ​18 Pro models, are among files that were ⁠posted on the dark web by a ransomware ​group called World Leaks that stole data from Tata Electronics, Apple's Indian supplier.

Apple is expected to release its iPhone 18 Pro and Pro Max in ​September. The leak ​contains at ⁠least six files that expose which companies are producing specific components for the iPhone ​18 Pro models, information that Apple does ​not ⁠disclose in its public database of suppliers. (Aditya Kalra ​and Arpan Chaturvedi / Reuters)

Related: The Hindu BusinessLine, Business TodayiThinkDifferentClash ReportMoneycontrol, Fortune India

Artificial intelligence poses a “Hiroshima”-style risk to humanity if governments do not agree to curb how it is developed, UK foreign secretary Yvette Cooper has warned.

Cooper urged countries, including the US and China, to agree international rules for AI, saying she believes the issue will dominate foreign policy over the next two years.

In an essay covering her thoughts on everything from emerging technology to Palestine published by Chatham House, Cooper said the world was at a dangerous moment, not least because of what she sees as the permanent withdrawal of the US from its role as a global arbiter. (Kiran Stacey / The Guardian)

Related: Chatham House, Bloomberg, The National, The Independent, Crypto Briefing

According to Chainalysis, Iran, Russia, North Korea and other targets of sanctions have dramatically increased their use of virtual currencies to duck US pressure, handling around $100 billion worth of crypto last year alone.

They are also becoming more sophisticated in how they navigate the market, creating their own digital tokens and crypto exchanges to help process transactionsthe firms and Western authorities say.

Iran and Russia have used virtual cash to buy drones and weapon parts, and Russia has used it to pay salaries for seafarers who smuggle their sanctioned crude around the world, according to Western officials and crypto analytics firms. North Korea, which has mastered the art of stealing crypto through hacks and other cybercrimes, has used it to buy fuel and military equipment, officials say.

Using crypto enables them to bypass traditional banks, which play a central role in policing sanctions imposed by the US and others. (Patricia Kowsmann / Wall Street Journal)

Related: Wu Blockchain, Seoul Economic Daily, PYMNTS, Crypto Briefing

Researchers at Sysdig identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent.

JadePuffer used an autonomous AI agent for reconnaissance on the target, to steal credentials, move laterally, establish persistence, escalate privileges, and encrypt data.

The researchers say that the AI agent adapted to failures during the intrusion, much like a human operator would handle obstacles.

JadePuffer gained initial access to the target by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps.

The vendor fixed the flaw on April 1, 2025, and in early May of the same year, CISA tagged it as exploited in attacks targeting internet-exposed endpoints, usually deployed with minimal hardening but containing cloud credentials and API keys. (Bill Toulas / Bleeping Computer)

Related: Sysdig, Security Affairs, The Register, Times of India, SC Media, HackRead, National Vulnerability Database, BankInfoSecurity.comThe Next WebSecurityWeekDigital TrendsThe IndependentCyber Security News, RuntimeWire, Digital Trends, Times of India

Rapid iteration steps. Source: Sysdig

A 15-year-old high school student has been arrested on suspicion of launching a cyberattack facilitated by ChatGPT against the operator of an anime streaming service in 2025 that caused the cancellation of more than 46,000 subscription accounts.

Arrested on July 4, the male high school student from Saitama Prefecture near Tokyo allegedly used ChatGPT to disrupt the Bandai Channel streaming service operated by Bandai Namco Filmworks.

The student allegedly sent false information to the company’s servers between around 5 pm and 8.45 pm on Nov 4, causing the unauthorized cancellation of 46,812 subscription accounts, according to the police.

The attack partially disrupted the company’s operations on Nov 6, until it resumed full service in December after completing repairs to its systems. The company consulted police about the incident. (The Straits Times)

Related: NHK, The Japan Times, The Mainichi, Nippon.com, TBS News Dig, r/anime

On June 29, Belgian Federal Police Special Units were able to arrest a suspected criminal central to a phishing organization in an Airbnb in Antwerp, and a second suspect was also found.

Following questioning by the FGP East Flanders, the 19-year-old main suspect was brought before the investigating judge, who decided to place him under an arrest warrant. The other suspect was not detained.

The investigation, led by the investigating judge, is continuing to tackle the entire gang and recover as much money as possible for the benefit of the victims. (Federal Politie)

Related: International Cyber Digest, Crypto Briefing

The personal details of around 70,000 people in Singapore, including NRIC, or National Registration Identity Card, numbers and addresses, have been compromised following a data breach involving the Singapore Land Authority’s (SLA) vendor, IBM.

On July 3, SLA said it was informed about the data security incident by IBM, which it had appointed to support and maintain the Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS).

IBM also managed the development and systems-integration testing environment for STARS and ELS.

SLA said that the vendor had informed the government agency of a security incident on June 12, and possible unauthorized access to personal information on June 15.

Preliminary investigations found that there was unauthorized access to a data set created for vendor development and testing, SLA said. (Lee Li Ying and Ann Chen / Straits Times)

Related: VN Express, Computer Weekly, Malay Mail, Channel News Asia, Asia One, The Independent Singapore News

The malware, which Jamf researchers have named PamStealer, is being distributed through websites designed to mimic the legitimate website of Maccy, a widely used free open-source clipboard history tracker. Users who land on these fraudulent sites and attempt to download what they believe is a legitimate copy of the application instead receive malicious files engineered to compromise their system silently and extract sensitive authentication credentials.

PamStealer's delivery mechanism relies on AppleScript files disguised as legitimate Maccy installer packages and distributed within disk images, a format Mac users commonly associate with trusted software installations. When a user opens and attempts to run the file, the script triggers a payload chain that begins tracking information on the targeted Mac and transmits collected data to an external threat actor controlling the attack. (George Anton / International Business Times)

Related: Jamf, Grafa, CyberPress, Apple Insider, Cyber Security News, Tech Times, HackRead, CryptoNews, Decrypt

Fake domain site on which the download dropper is hosted. Source: Jamf.

Vietnamese authorities have arrested and are prosecuting seven people believed to be behind HiAnime, the anime streaming platform that was until this year the largest piracy site of its kind in the world.

The Alliance for Creativity and Entertainment (ACE), the anti-piracy coalition backed by the Motion Picture Association, confirmed the action on July 2, 2026.

According to ACE, the operation was carried out by Vietnam's Ministry of Public Security, specifically C03, the Economic Crimes Investigation Department, and A05, the Department of Cybersecurity and High-Tech Crime Prevention. ACE credited US Homeland Security Investigations and the Department of Justice for their support in what it described as a multi-year investigation. (International Cyber Digest)

Related: CBR, WION, mshale

Researchers at Fortinet's FortiGuard Labs report that a banking trojan long used against victims in Brazil has been retooled to target banking customers in Spain and Portugal, using phishing PDFs, steganography and geofencing to stay hidden.

They said the malware, known as Ousaban, has been active against the two countries since May 2026.

A banking trojan from the same Latin American family as Casbaneiro, it now comes wrapped in extra layers of evasion designed to keep it in front of intended victims and away from researchers.

Once running, Ousaban watches for the victim to open one of dozens of targeted banking services, including Santander, BBVA, CaixaBank, Revolut and Caixa Geral de Depósitos.

When it spots one, its toolkit includes screenshots, keylogging, clipboard injection and remote control, and it displays fake bank screens to trick users into handing over their details. (Alessandro Mascellino / Infosecurty Magazine)

Related: Fortinet, Cyber Press, GBHackers, Cyber Security News


AI is not a cybersecurity strategy.

Organizations with strong security programs will use AI to move faster. Organizations with weak security programs will use AI to create bigger, faster failures.

That's why I wrote The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. The book moves beyond compliance checklists and theory to show how real organizations succeed—or fail—when security fundamentals break down.

If you're trying to build a resilient security program in the age of AI, this book provides a practical roadmap grounded in actual incidents and operational experience.

Order your copy today, and contact me about bulk orders or customized editions for your organization.


South Korea’s financial regulator has issued a consumer warning after discovering that hackers used sophisticated phishing pages embedded in some domestic online shopping sites to steal thousands of payment card credentials, raising concerns over fraudulent transactions and identity theft.

The Financial Supervisory Service (FSS) raised its consumer alert to the “caution” level after being notified by the Financial Security Institute that attackers had compromised payment processes on several local e-commerce platforms.

As of June 29, authorities had identified 5,707 cases in which organized cybercriminals allegedly obtained payment card information through the scheme.

According to the FSS, the attackers inserted fake payment pages that closely resembled legitimate checkout screens on vulnerable online shopping sites. The fraudulent pages prompted shoppers to enter excessive personal information—including resident registration numbers and card passwords—that would not normally be required during a standard payment process. (Korea Bizwire)

Related: SBS News, Chosun Biz, Bloomingbit, The Chosun Daily

The Spanish government has reportedly begun telling state-backed firms to avoid signing new contracts with US billionaire Peter Thiel’s company.

It comes amid fears that sensitive national security information could be leaked, according to Spanish publication El Confidencial.

Board members of several publicly listed companies told the newspaper they have been ordered to avoid signing any contracts with the data firm that could jeopardize national sovereignty or strategic information.

Moncloa, Spain’s official government website, has not issued any official announcement about banning Palantir outright.

But sources told El Confidencial that public and private companies controlled by SEPI, the country’s sovereign wealth fund and state-owned industrial holding company, have been told to blacklist the data firm. (Jacob Paul / LBC)

Related: El Confidencial, Anadolu Ajansi, Middle East Eye, Crypto Briefing, Olive Press

Flipper Devices says development of the Flipper Zero firmware will continue, albeit with a smaller internal team and greater reliance on community contributions.

The announcement comes as the gadget maker decided to focus on building new devices, like the Flipper One open Linux platform, for which the company turned to the community's help to complete development.

There is also the newly launched Busy Bar device, designed to help people with Attention Deficit Hyperactivity Disorder (ADHD) reduce distractions, slated for open sale on July 14 in the US, UK, Europe, and Canada. (Bill Toulas / Bleeping Computer)

Related: Flipper, Cyber Security News, Help Net Security

An announcement on the Mechanical Turk website says that on July 30, 2026, the crowdsourcing service will close to new customers.

Amazon Web Services says the decision was made after “careful consideration,” adding, “Existing customers can continue to use the service as normal. AWS continues to invest in security and availability improvements for Mechanical Turk, but we do not plan to introduce new features.”

First launched in 2005, Mechanical Turk was a marketplace where people were paid tiny amounts to perform simple tasks that resisted full automation — things like completing CAPTCHA challenges or identifying the basic sentiment in a sentence.

In its heyday, the service was at the center of debates around the ethics of crowdsourced labor, and it even played a small role in the early stages of the Facebook-Cambridge Analytica scandal.

Beginning in 2018, Amazon began billing it as a way for companies to annotate data to train neural networks as part of its SageMaker AI service. (Anthony Ha / TechCrunch)

Related: AWS, The Register, Silicon Angle

According to Mobile Index by data analytics firm IGAWorks, Coupang’s MAU (monthly active users) reached 35.0917 million people last month—the highest figure since November last year.

Following the hacking incident, Coupang’s user count declined for two consecutive months from January to February this year, as some users began canceling their accounts. In particular, February saw a record low of 33.6407 million people, the smallest number since June last year. However, the figure rebounded sharply to 35.034 million people in March, signaling a recovery from the aftermath of the security breach.

Payment volumes also rose. Mobile Index data shows that Coupang’s estimated credit/debit card transaction amount was 4.3373 trillion Korean won in December last year, immediately after the breach, but climbed to 4.8337 trillion Korean won last month. (Kim Kang-han / The Chosun Daily)

Related: Maeil Business, The Chosun Daily, KoreaJoongAng Daily, The Korea Economic Daily

Best Thing of the Day: Bringing Germany Into the 21st Century

Germany plans to give its spy agencies powers to hack, disrupt and deceive foreign attackers in a major overhaul of post-war intelligence limits, aiming to harden its response to growing cyber and hybrid ​threats.

Bonus Best Thing of the Day: You Can Stuff Your Court Injunction Down a Rat Hole

DataBreaches.net is pushing back against what it sees as an attempt to use court injunctions to suppress reporting on a major data breach and the public-interest issues surrounding it.

Worst Thing of the Day: Breaches Hit a High Point Down Under

Newly published statistics reveal that 2025 saw the highest number of data breach notifications being reported to the Office of the Australian Information Commissioner (OAIC) since the mandatory data breach reporting scheme commenced in 2018.

Bonus Worst Thing of the Day: Will No One Stop Pedophiles These Days?

Instagram has been running paid adverts promoting child sexual abuse material in India, a BBC Eye investigation has found.

Closing Thought

Read more