European authorities dismantle the Cryptomixer service that laundered illicit Bitcoin
Indian government wants smartphone makers to preload state-owned security app, Indian government wants to bar comms apps from working on SIM-less devices, Korea launches probe into Coupang breach and threatens punitive damages, DPRK hackers target S. Koreans with fake tax invoices, much more

'Tis the season to be generous. Please support Metacurity in our mission to end infosec news overload.
Metacurity is a pure labor of love and is the only daily newsletter that delivers the critical infosec developments you need to know, scanned from thousands of sources and smartly summarized.
But to continue delivering our daily updates, we need your support. Please consider upgrading to an annual paid subscription today.
If you can't upgrade to a paid subscription today, please consider donating what you can.
Europol announced that as part of Operation Olympia, Cryptomixer, a cryptocurrency-mixing service allegedly used by cybercriminals to launder illicit bitcoin, was dismantled in a coordinated law-enforcement operation in Zurich.
The takedown, carried out Nov. 24–28 by Swiss and German police alongside Europol, resulted in the seizure of three servers, the cryptomixer.io domain, more than 25 million euros ($29 million) in bitcoin, and over 12 terabytes of data.
The authorities said Cryptomixer had facilitated more than 1.3 billion euros in bitcoin laundering since 2016. Its long settlement windows and randomized distribution patterns made it a preferred tool for obfuscating proceeds from drug trafficking, weapons sales, ransomware attacks, and payment-card fraud, they said. (Jamie Crawley, AI Boost / CoinDesk)
Related: Europol, Operation Olympia, Reuters, Bleeping Computer, CyberScoop, Dark Reading, The Record, Help Net Security, Cybersecurity Dive, Security Affairs, DigWatch, SC Media, SecurityWeek, HackRead, TechCrunch
India's telecoms ministry has privately asked smartphone makers to preload all new devices with a state-owned cyber security app that cannot be deleted, a government order showed, a move likely to antagonise Apple and privacy advocates.
Apple, which has previously locked horns with the telecoms regulator over the development of a government anti-spam mobile app, is among the companies, such as Samsung, Vivo, Oppo, and Xiaomi, bound by the new order.
The November 28 order gives major smartphone companies 90 days to ensure that the government's Sanchar Saathi app is pre-installed on new mobile phones, with a provision that users cannot disable it.
For devices already in the supply chain, manufacturers should push the app to phones via software updates, the ministry said in its order, which was not made public and was sent privately to select companies.
The government said the app was essential to combat "serious endangerment" of telecom cybersecurity from duplicate or spoofed IMEI numbers, which enable scams and network misuse. Apple's iOS powered an estimated 4.5% of 735 million smartphones in India by mid-2025, with the rest using Android, Counterpoint Research says.
While Apple pre-installs its own proprietary apps on phones, its internal policies prohibit the installation of any government or third-party app before the sale of a smartphone, a source with direct knowledge of the matter said. (Aditya Kalra and Munsif Vengattil / Reuters)
Related: Indian Ministry of Communications, BBC News, Reuters, The Hindu, Computerworld, MacRumors, Engadget, The Indian Express, The Verge, SammyGuru, iDrop News, Reuters, The Hindu BusinessLine, MediaNama, Moneycontrol, Business Today, Inc42 Media, COINOTAG, GSMArena.com, Digit, The Register, The Week, Livemint, 9to5Mac, AppleInsider, NDTV Profit, Tech in Asia, Al Jazeera, Entrackr, MacTech.com, MacDailyNews, Hacker News, r/privacy, r/kolkata, r/IndiaTech, r/mumbai, r/unitedstatesofindia, r/Kerala, r/news, r/technology, r/india, Slashdot
The Indian Department of Telecommunications (DoT) issued directions to app-based communication service providers to make it impossible for their users to use services without a SIM, a move that follows the Department declaring that the Telecommunication Cybersecurity Amendment Rules, 2025, bring in the category of telecommunication identifier user entity (TIUE) under the scope of telecom regulations.
The amendment introduced a new category of service provider called the Telecommunication Identifier User Entity (TIUE), which would fulfill a range of cybersecurity obligations, including using a Mobile Number Validation (MNV) Platform to verify the customers or users associated with a telecommunication identifier for services linked to such an identifier.
Besides validation, the government can also direct TIUEs to stop using a specific telecom identifier to identify customers or deliver services.
The new directions, which have been sent to WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, and Josh, effectively recognise these companies as TIUEs. They require platforms to ensure that SIM cards remain continuously linked to their services within the next 90 days.
For website or web-app-based access, TIUEs must ensure users are logged out periodically (not later than 6 hours) and must offer an option to relink accounts through a QR-code-based method. (Kamya Pandey / MediaNama)
Related: Business Today, Inc42 Media, The Economic Times, MediaBrief, The Hindu BusinessLine, Digit, WABetaInfo, Firstpost, Moneycontrol, The Cyber Express, SammyGuru, Times of India, Livemint, Forbes, NDTV Profit, India Today, The Indian Express, The Economic Times, Business Standard, NDTV Profit, News18, Onmanorama, The Indian Express, The Hindu, MediaBrief, Moneycontrol, The Hans India, Financial Times, Invezz, Cyber Kendra, Associated Press
Korean president Lee Jae Myung ordered a swift investigation into the massive data breach at e-commerce giant Coupang and signaled that his administration may seek punitive damages to prevent similar lapses, calling the incident “astonishing” in scale and negligence.
Lee criticized Coupang for failing to detect the breach for nearly five months following the initial intrusion in June, even as personal information belonging to an estimated 34 million users, including names, addresses, and phone numbers, was siphoned out.
“It is shocking that the company failed to recognize the leak for five months despite the magnitude of the damage,” Lee said. He urged regulators to overhaul what he described as Korea’s entrenched practice of downplaying personal data protection, which he called “a key asset in the AI and digital age.”
Lee told ministries to enforce penalties under existing law and to advance discussions on adopting punitive damages, citing international examples. Korea currently operates strictly under a compensatory damages principle, meaning courts cannot award penalties that exceed the amount directly proven as harm — a framework critics say lets major corporations escape meaningful accountability.
According to findings presented by the Ministry of Science and ICT at a parliamentary session, the breach lasted from June 24 to Nov. 8. A review of Coupang’s server logs from July through November confirmed that private data from at least 30 million accounts had been accessed. (Yoon Min-sik / Korea Herald)
Related: The Chosun Daily, Bloomberg, Modern Diplomacy, Yonhap, Reuters, Business Korea, The Chosun Daily, Donga, Korea Times News, KBS WORLD Radio, UPI.com, Korea Times News, South China Morning Post
Korean cybersecurity company ESTSecurity reports it has found fake tax invoice files, embedded with malicious code linked to North Korean hackers, circulating online in a security threat targeting South Koreans.
ESTSecurity said it has identified KimJongRAT-infected files circulating online, noting the remote access Trojan is believed to be linked to the Pyongyang-sponsored hacking group Kimsuky.
The file, disguised as a PDF document, actually contained a shortcut that directed users to a link leading to the download of malicious files. (Yonhap News)
Related: ESTSecurity, GBHackers, Korea JoongAng Daily

Researchers at Koi Security discovered that a long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser extensions that evolved into malware.
The operation unfolded in distinct phases that gradually introduced additional malicious functionality, turning the browser extension from a legitimate tool into spyware.
The ShadyPanda campaign has comprised 145 malicious extensions (20 Chrome and 125 Edge) over the years. While Google has removed them from the Chrome Web Store, Koi reports that the campaign remains active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.
A notable extension in this set is Clean Master on the Google Chrome Store, which had 200,000 installs at the time it was detected as malicious. In total, the extensions that carried the same payload had reached 300,000 installs. (Bill Toulas / Bleeping Computer)
Related: Koi Security, The Register

Researchers at ESET report that Iranian nation-state hackers known as MuddyWater took inspiration from a mobile phone time-killing mainstay, saying they spotted the group using malware masquerading as the Snake video game.
A callback to the game - it came preloaded onto Nokia phones by default starting in 1998, although its origins date to the 1970s - isn't nostalgia, the researchers say. Just as the game delays its response to player control commands, a dropper deployed by the group commonly tracked as MuddyWater introduces execution delays to avoid detection by antivirus tools that look for rapid malicious activity.
ESET said it spotted MuddyWater targeting telecoms, government agencies, and the oil and energy sectors in Israel and Egypt. ESET researchers said it's possible that MuddyWater is acting as an initial access broker for other Tehran hacking operations, based on the overlap they observed between the group and other known Iranian threat actors.
MuddyWater hackers in this campaign continued their usual practice of gaining access through phishing emails. The messages often contain PDF attachments with links to remote monitoring and management tools hosted on free file-sharing platforms. Although the tools deployed by MuddyWater have improved, the threat actor's "continued reliance on this familiar playbook" makes it relatively easy for cyberdefenders to detect and block its activity.
Variations of a loader already known to be in MuddyWater's arsenal, dubbed the "Fooder" loader, masqueraded as the Snake game. The loader reused the game's delay logic to introduce execution delays into the loader itself in a bid to go undetected. (David Perera / BankInfoSecurity)
Related: WeLiveSecurity, HelpNetSecurity, CyberInsider

Google disclosed two actively exploited zero-day vulnerabilities, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices.
The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively.
Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation. (Matt Kapko / CyberScoop)
Related: Android Security Bulletin, Infosecurity Magazine, Security Week, Security Affairs
Lausanne cybersecurity start-up Saporo, a graph-native identity security company that lets defenders see enterprise environments the way attackers do, announced it had raised €7 million (around $8.1 million) in a Series A venture funding round.
TIN Capital led the round with participation from G+D Ventures, CDP Venture Capital through its Corporate Partners I – ServiceTech fund, XAnge, Lightbird VC, and Session VC. (David Cendon Garcia / EU Startups)
Related: Tech.eu
Dublin-based cyber start-up Mirror Security announced it had raised $2.5 million in a pre-seed round to scale its encryption platform for AI security.
Sure Valley Ventures and Atlantic Bridge led the round, along with support from strategic angel investors. (Colin Ryan / Silicon Republic)
Related: University College Dublin, Business Post, Startups Magazine
Best Thing of the Day: Protecting Children the Right Way
The UK's Information Commissioner’s Office (ICO) said it would be scrutinizing ten popular mobile games after parents expressed concern that titles may be breaking privacy laws.
Worst Thing of the Day: When You've Leaked Data on an Entire Nation, Maybe You Should Keep Your Apology Up
South Korean retail giant Coupang faced criticism in the National Assembly after it was revealed that the company quietly removed an apology statement it had posted two days following a personal information leak affecting 33.7 million customers.
Closing Thought
