Feds raid 29 North Korean laptop farms used to infiltrate US companies

US feds re-up Iranian hacking warning, Europol busts $540m fraud ring, Iranian-linked Robert threatens to release Trump emails, ICC hit by 'sophisticated' cyberattack, Treasury Dept. hit by three big hacks in past five years, Wyden says FBI fails to protect Capitol Hill mobiles, much more

Check out my latest CSO piece on how CISOs need to update their defense playbooks as cybercriminals move faster and smarter.


Important Publishing Notice: Metacurity is on a publishing break until Monday, July 7. Stay safe, sane, and cool out there, dear readers.


The US Justice Department announced coordinated actions against the Democratic People’s Republic of North Korea (DPRK) government’s schemes to fund its regime through remote information technology (IT) work for US companies that involved two indictments, an arrest, searches of 29 known or suspected “laptop farms” across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites.

From 2021 until 2024, the co-conspirators allegedly impersonated more than 80 US individuals to get remote jobs at more than 100 American companies, causing $3 million in damages due to legal fees, data breach remediation efforts, and more.

The group allegedly ran laptop farms inside the United States, which the North Korean IT workers could essentially use as proxies to hide their provenance, according to the DOJ. At times, they used hardware devices known as keyboard-video-mouse (KVM) switches, which allow one person to control multiple computers from a single keyboard and mouse.

The group allegedly also ran shell companies inside the US to make it seem like the North Korean IT workers were affiliated with legitimate local companies, and to receive money that would then be transferred abroad, the DOJ said.

The fraudulent scheme allegedly also involved the North Korean workers stealing sensitive data, such as source code, from the companies they were working for, such as from an unnamed California-based defense contractor “that develops artificial intelligence-powered equipment and technologies.”

The feds also said they seized at least 21 web domains, 29 financial accounts used to launder tens of thousands of dollars, and more than 70 laptops and remote access devices, including KVMs.

Separately, five North Korean nationals were indicted for wire fraud and money laundering for allegedly stealing more than $900,000 in cryptocurrency from two unnamed companies, using fake or stolen identities to get hired, the DOJ said. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: US Department of Justice, Criminal Indictment, Wired, Microsoft Security Blog, Associated Press, Bloomberg, The Register, Fox News, UPI, CyberScoop, CSO Online, The Record, Wall Street Journal, Defense Post, Security Week, Databreach Today, Business Insider, Politico EU, PaymentSecurity.io

The US FBI, National Security Agency, the Department of Defense Cyber Crime Center (DC3), and Cybersecurity and Infrastructure Security Agency (CISA) warned that Iranian-affiliated hackers may target US companies and critical infrastructure operators, particularly defense organizations with holdings or relationships with Israeli research and defense firms.

However, the authorities said there are no indications of a coordinated Iranian-linked malicious cyber campaign so far.

Cybersecurity researchers and defenders in Israel and the US have so far seen little Iranian-linked cyber activity of consequence in the wake of the war launched by Israel on June 13, followed by US strikes on Iranian nuclear facilities on June 22.

The agencies said Iranian state-sponsored hackers are known to exploit existing vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices that use default or weak passwords, and work with ransomware operators to encrypt, steal, and leak sensitive information. (A.J. Vicens / Reuters)

Related: CISA, The Record, Infosecurity Magazine, NextGov/FCW, The Hill, Bloomberg, Bleeping Computer, CNN, Homeland Security Today, Security Week

Europol announced that a cryptocurrency investment fraud ring that investigators said laundered 460 million euros ($540 million) using a worldwide network of accomplices has been dismantled in Spain.

Spanish police led the operation against the criminal network, and law enforcement agencies from France, Estonia, and the United States were also involved.

Five people were arrested as a result of the operation, with three arrested on the Canary Islands and two in Madrid.

Investigators suspect the organisation of establishing a corporate and banking network based in Hong Kong, using payment gateways and user accounts in the names of different people and in different exchanges to receive, store, and transfer criminal funds. (Sudip Kar-Gupta / Reuters)

Related: Europol, BleepingComputer, Decrypt, CoinDesk, Coinpedia Fintech News, crypto.news

Image of Europol and Spanish police in action against the ring. Source: Europol.

Iran-linked hackers have threatened to disclose more emails stolen from US President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 US election.

In online chats, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.

Robert raised the possibility of selling the material but otherwise did not provide details of their plans. The hackers did not describe the content of the emails.

Attorney General Pam Bondi described the intrusion as "an unconscionable cyber-attack."

The White House and the FBI responded with a statement from FBI Director Kash Patel, who said: "Anyone associated with any kind of breach of national security will be fully investigated and prosecuted to the fullest extent of the law."

"This so-called cyber 'attack' is nothing more than digital propaganda, and the targets are no coincidence. This is a calculated smear campaign meant to damage President Trump and discredit honorable public servants who serve our country with distinction," the Cybersecurity and Infrastructure Security Agency (CISA) said in a post on X.

Robert materialized in the final months of the 2024 presidential campaign, when they claimed to have breached the email accounts of several Trump allies, including Wiles. The hackers then distributed emails to journalists. (Raphael Satter / Reuters)

Related: Axios, Newsweek, WION, The Jerusalem Post, The Straits Times, The New Voice of Ukraine

The International Criminal Court announced it has been targeted by a “sophisticated” cyberattack and is taking measures to limit any damage.

The ICC, which was also hit by a cyberattack in 2023, said the latest incident had been contained but did not elaborate further on the impact or possible motive.

“A Court-wide impact analysis is being carried out, and steps are already being taken to mitigate any effects of the incident,” the court said in a statement.

The attack happened last week at the same time that The Hague hosted a summit of 32 NATO leaders at a conference center near the court amid tight security, including measures to guard against cyberattacks. (Molly Quell / Associated Press)

Related: ICC, IT News, Israel National News, AFP, Inquirer.net, Euronews, Techzine, Rappler, Cyber Daily

The US Treasury Department has experienced three major hacks in the past five years, including two that have come to light since December, followed by a decimation of its cybersecurity leadership instigated by Elon Musk’s Department of Government Efficiency.

An investigation reveals new details about the hacks that underscore concerns about the department's cybersecurity defense dating back years. In all three instances, the department failed to deploy security measures that might have prevented the breaches or flagged the intruders sooner.

For example, in April, the Treasury branch that regulates national banks, the Office of the Comptroller of the Currency, disclosed that hackers had infiltrated its emails starting in May 2023. To log in and review the data, the hackers used commercially available virtual private network software that should have triggered internal alarms, according to people familiar with the matter.

In a hack that Treasury disclosed last year, suspected Chinese spies broke into the computers of then-Secretary Janet Yellen and other senior leaders from late September to mid-November, according to a Treasury document. They got in by breaching the security software used by the department's help desk to access staff computers remotely. The hackers used that capability to rifle through laptops and desktops during regular daytime working hours in China, according to two of the people, but Treasury’s surveillance systems weren't calibrated to look for unusual login patterns coming from that security software outside of regular US work hours.

In the third cyberattack, which was discovered in December 2020 and began earlier that year, alleged Russian hackers, according to department documents, spied on the emails of a small group of Treasury employees.

The head of Treasury's cyber incident response team told investigators that the attack could have been stopped earlier. But in a simple oversight, his team had nobody reviewing the data collected from the department's computer systems for suspicious activity, according to documents. (Jordan Robertson, Hannah Levitt, Jake Bleiberg, and Jason Leopold / Bloomberg)
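The two monitoring gaps described above, commercial VPN logins that should have raised an alarm and help-desk remote-access sessions opened during Chinese rather than US working hours, are the kind of thing a small log rule catches. The following is an added example and is not code from the Bloomberg report or from Treasury's own tooling: the log format, the tool name, the business-hours window and the VPN egress ranges are all assumptions constructed for the demonstration. The detection runs over a few constructed log lines and reports why each session was flagged.

```python
"""Triage remote-support session logs for two weak signals:
  1. sessions opened outside US (Eastern) business hours, and
  2. sessions whose source IP sits inside a known commercial VPN range.
The log format, field names, tool names and VPN ranges below are
assumptions for this example, not a real product's schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import re

try:
    from zoneinfo import ZoneInfo
    US_EASTERN = ZoneInfo("America/New_York")
except Exception:  # no tzdata on this host: fall back to fixed EST (assumption)
    US_EASTERN = timezone(timedelta(hours=-5), "EST")

BUSINESS_START, BUSINESS_END = 7, 19  # 07:00-19:00 local, Monday-Friday (assumed policy)

# Constructed egress ranges standing in for a commercial VPN provider's exit nodes.
VPN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Assumed line format: "<ISO-8601 UTC> tool=<name> event=<type> user=<u> src=<ip> target=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tool=(?P<tool>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass
class Session:
    ts: datetime            # timezone-aware, UTC
    tool: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    target: str


def parse(line: str) -> Session | None:
    """Return a Session for a session_start record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] != "session_start":
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Session(ts, m["tool"], m["user"], ipaddress.ip_address(m["src"]), m["target"])


def off_hours(session: Session) -> bool:
    """True when the session opened on a weekend or outside the local business window."""
    local = session.ts.astimezone(US_EASTERN)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.hour < BUSINESS_END)


def from_vpn(session: Session) -> bool:
    """True when the source address falls inside a listed commercial VPN range."""
    return any(session.src in net for net in VPN_RANGES)


def triage(lines) -> list[tuple[str, str, str, list[str]]]:
    """Return (user, target, timestamp, reasons) for every session that trips a rule."""
    findings = []
    for line in lines:
        s = parse(line)
        if s is None:
            continue
        reasons = []
        if off_hours(s):
            reasons.append("off-hours")
        if from_vpn(s):
            reasons.append("commercial-vpn")
        if reasons:
            findings.append((s.user, s.target, s.ts.isoformat(), reasons))
    return findings


# Constructed sample log. 03:15 UTC is 23:15 in Washington but 11:15 in Beijing,
# exactly the pattern the paragraph above says went unwatched.
SAMPLE_LOG = """\
2024-10-15T14:02:11Z tool=helpdesk-remote event=session_start user=svc_helpdesk src=10.20.30.40 target=LAPTOP-0231
2024-10-15T14:02:12Z tool=helpdesk-remote event=keepalive user=svc_helpdesk src=10.20.30.40 target=LAPTOP-0231
2024-10-16T03:15:42Z tool=helpdesk-remote event=session_start user=svc_helpdesk src=10.20.30.40 target=SEC-OFFICE-01
2024-10-19T15:45:00Z tool=helpdesk-remote event=session_start user=svc_helpdesk src=10.20.30.40 target=LAPTOP-0777
2023-06-02T13:30:05Z tool=owa event=session_start user=examiner12 src=203.0.113.77 target=mailbox
"""

if __name__ == "__main__":
    for user, target, when, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{when} {user} -> {target}: {', '.join(reasons)}")
```

The rule is deliberately crude: a legitimate help-desk technician working late will trip it, and an attacker who schedules activity for US daytime will not. Its value is that it produces a short, reviewable list from a log nobody was reading, which is the gap the report describes; tuning (per-user baselines, pairing with new-device or new-ASN signals) comes after someone is actually looking at the output.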

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to US lawmakers.

But in a letter to FBI Director Kash Patel, Sen. Ron Wyden, Democrat of Oregon and one of the Senate’s most tech-savvy lawmakers, says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

According to Wyden, the FBI's advice to Senate staffers was primarily limited to remedial tips, such as not clicking on suspicious links or attachments, not using public WiFi networks, turning off Bluetooth, keeping phone software up to date, and rebooting regularly.

“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to FBI Director Kash Patel. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”

Wyden stressed that the FBI should encourage lawmakers and their staff to enable anti-spyware defenses built into Apple’s iOS and Google’s Android phone software to help counter sophisticated attacks.

These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode. (Brian Krebs / Krebs on Security)

Related: Senator Ron Wyden

The Swiss nonprofit health organization Radix has confirmed that its systems were breached earlier this month by a ransomware group calling itself Sarcoma.

The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised and that Radix has "no direct access" to government systems.

Sarcoma is a relatively new ransomware group, first detected in October 2024. In February, the group claimed responsibility for an attack on Unimicron, a printed circuit board manufacturer in Taiwan.

Radix has not specified what kind of data was affected, but said it would be able to restore it from backups. The exact method of the attack is still under investigation, the organization added. (Daryna Antoniuk / The Record)

Related: Radix, Swiss Federal Authorities, Bleeping Computer

The Federal Bureau of Investigation (FBI) has warned Americans of cybercriminals impersonating health fraud investigators to steal their sensitive information.

The FBI cautioned that scammers posing as "legitimate health insurers and their investigative team members" are emailing or messaging potential victims to pressure them into providing personal or health data that can later be used for fraudulent purposes.

"These criminals are sending emails and text messages to patients and health care providers, disguising them as legitimate communications from trusted health care authorities," the FBI said.

"The messages are designed to pressure victims into disclosing protected health information, medical records, personal financial details, or providing reimbursements for alleged service overpayments or non-covered services."

The FBI also shared several tips to help protect against fraudulent attempts, advising Americans to be cautious of unsolicited emails, texts, and calls that request personal information and never to click on links contained in such suspicious messages. (Sergiu Gatlan / Bleeping Computer)

Related: IC3, Becker's Hospital Review

Cloudflare says that starting June 9, 2025, Russian internet service providers (ISPs) began throttling access to websites and services protected by Cloudflare, making sites inaccessible from the country.

The throttling is so aggressive, reportedly only allowing users to download the first 16 KB of any web asset, that it effectively breaks most Cloudflare-backed sites for Russian netizens.

Cloudflare maintains that it has not received formal communication about this from the Russian state but considers this action part of the country’s broader strategy to oust Western tech firms from the domestic market.

The internet company states that it is in no position to remediate the situation, as the throttling is outside its control, and there are no effective workarounds or mitigations to address the access problems it causes.

"As the throttling is being applied by local ISPs, the action is outside of Cloudflare’s control, and we are unable, at this time, to restore reliable, high-performance access to Cloudflare products and protected websites for Russian users in a lawful manner," stated Cloudflare.

According to reports, the same type of throttling affects other Western hosting and cloud providers, including Hetzner (Germany), DigitalOcean (US), and OVH (France). (Bill Toulas / Bleeping Computer)

Related: Cloudflare, PPC, The Record, The Insider

Source: Cloudflare.

Company executives say the dating app Tinder now mandates that new users in California verify their profiles using facial recognition technology.

The move aims to reduce impersonation and is part of Tinder parent Match Group's broader effort to improve trust and safety amid ongoing user frustration.

The Face Check feature prompts users to take a short video selfie during onboarding. The biometric face scan, powered by FaceTec, then confirms the person is real and present and whether their face matches their profile photos. It also checks if the face is used across multiple accounts.

Tinder has already launched Face Check in Colombia and Canada. Tinder chose California as the next test market due to its size, demographics, and strong online safety and privacy laws. (Kerry Flynn / Axios)

Related: TechCrunch

Best Thing of the Day: Something's Going Right Down Under

The number of Australian entities paying a ransom in the wake of a ransomware attack has dropped significantly, down from 66 percent in 2024 to just 41 percent this year.

Worst Thing of the Day: Would You Trust These Guys With Prison Reform?

Google, Amazon, Microsoft, and Palantir have suggested implanting tracking devices under offenders’ skin in the UK to keep track of prisoners as a solution to prison crowding and overstretched resources.

Closing Thought