Google sues AI-powered scam ring behind fake carrier rewards texts
Oracle warns of critical PeopleSoft flaw, Israeli firm suspected of election interference in France, Scotland and New York, Authorities dismantle crypto laundering service tied to ransomware gangs, Novo Nordisk discloses breach involving clinical trial patient data, much more
Researchers at Google report that the scammers who have been bombarding American smartphones with fake messages about packages and toll-road fines have pivoted to impersonating the phone companies, using artificial intelligence to create realistic-looking fake websites.
That's why the tech giant today sued a group of scammers it describes as one of the most prolific bad actors in the spamosphere. The company said it is the first case against a defendant employing Google’s Gemini AI model.
Google and law enforcement call the group “Outsider Enterprise” and say it is sending messages telling people they have mobile-phone-company rewards points to use up. To pressure victims into giving up their account information, they tell them they need to log in immediately before their points expire to claim such things as free headphones or Apple Watches.
A link in the message goes to a website modeled after the phone carrier. To make it easier to create such websites, the group developed a guide for using Gemini to generate computer code, one of the most popular uses of AI models. The ultimate goal of many of these scams is to steal credit card numbers that can then be resold or used to buy gift cards or luxury items.
The addition of AI allowed the group to circulate hundreds of website templates. It used the same tactics by telling consumers there was a problem with their brokerage accounts. Using more than 8,000 phishing websites, Outsider has stolen an estimated 3.87 million credit card numbers from victims in dozens of countries, leading to $1.9 billion in losses since July 2023, the Federal Bureau of Investigation said. The FBI and telecom companies are working with Google on its case.
Google says it received some 55,000 reports of suspicious messages on Google Messages, the default text platform for Android users, in the two-week period that ended June 1, including many allegedly from Outsider. Because of AI, the total number of websites that could be created in a scheme like Outsider’s is effectively unlimited, Google said. (Robert McMillan and Amrith Ramkumar / Wall Street Journal)
Related: Google, New York Times, Bloomberg Law, Washington Examiner, Bloomberg, Cyber Daily, Anadolu Ajansı, The Keyword
Oracle warned its corporate customers that there is a critical-rated vulnerability in its PeopleSoft software, which large companies use to manage payroll and human resources, a day after a cybercrime group took credit for abusing the flaw as part of a mass-hacking campaign.
Oracle issued its warning after the hacking group ShinyHunters claimed to have breached more than 100 organizations that use PeopleSoft servers.
Mandiant, the Google-owned security unit that investigates cyberattacks, warned that the new Oracle flaw is the same bug that the ShinyHunters group is abusing in its hacking campaign targeting PeopleSoft customers.
Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the bug can be exploited over the internet without needing any authentication, such as a password.
The tech giant recommended that customers who use PeopleSoft software apply its mitigations to prevent exploitation. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Google Cloud, Oracle, BleepingComputer, Silicon Canals, SecurityWeek, Reuters, The Next Web, Cyber Security News, The Register, PYMNTS, Help Net Security
Israeli firm BlackCore, suspected of interfering in France's local elections in March, is also suspected of meddling in elections in New York City and Scotland, and operating in Angola and Togo, France's disinformation detection service, Viginum, said.
Last month, Reuters revealed that French authorities suspected BlackCore was behind an online smear campaign targeting three mayoral candidates from the hard-left, pro-Palestine France Unbowed party (LFI) in the local elections.
At a press conference on Thursday alongside French Prime Minister Sebastien Lecornu, Viginum chief Marc-Antoine Brillant said technical work had led them to BlackCore. Viginum subsequently presented a detailed report on BlackCore's alleged actions around the world.
"This modus operandi was not limited to municipal elections in France," he said. "It also appears to have been used to carry out foreign digital interference operations in other countries or regions, such as Angola, Togo, the elections in Scotland, and the 2025 municipal election in New York."
However, Brillant said it was still unclear who had commissioned BlackCore to meddle in France. (Gabriel Stargardter / Reuters)
Related: sgdsn.gouv.fr, Middle East Eye, Haaretz, The Jerusalem Post, UNN, Silicon UK, RBC-Ukraine, The Herald, The National
Europol announced that law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million.
Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks.
It is believed that the platform acted as a central money laundering hub between 2022 and 2025.
The service was marketed as a “professional cryptocurrency mixing service,” but all it did was accept cybercrime proceeds, move the money around through complex transaction routes that obscured its origin, and return it “cleaned” to the holders in about an hour, minus a 3-10% service commission.
Past reports from Intel471 and blockchain investigator ZachXBT exposed AudiA6 for facilitating illegal activity.
The investigation involved authorities from 11 countries across Europe, America, and Asia, supported by Europol and Eurojust.
Europol states that the action was possible due to the arrest in Poland in September 2025 of a Ukrainian national linked to AudiA6.
The forensic examination of the suspect’s devices helped investigators identify key individuals behind the operation and eventually locate and arrest them in Georgia. (Bill Toulas / Bleeping Computer)
Related: Help Net Security, Europol, US Department of Justice, The Block, Decrypt, The Philadelphia Inquirer, Bitcoin Magazine, Protos, crypto.news

Drug manufacturer Novo Nordisk, maker of the blockbuster weight-loss drug Wegovy, said it has identified a security incident in which certain information, including patient data from some clinical trials, was copied externally without authorization from its internal IT systems.
The company said it has launched a probe with the assistance of external cybersecurity experts and is in contact with the relevant authorities.
"The incident affected a limited amount of information related to patients participating in some of our clinical trials," Novo said in its statement, without disclosing what type of trials.
The potential categories of personal data affected may include patient ID, year of birth, sex, and health or immunogenicity data, among others, it added.
In its statement, Novo said the information is not directly linked to any patients by name or other direct identifiers, and it does not consider the incident to enable any third party to identify participants in its clinical trials. (Sriparna Roy / Reuters)
Related: Globe Newswire, Bleeping Computer, MedWatch, PharmaLive, ET Pharma, Fierce Pharma, CNA
In an unusual misinformation campaign, fraudulent data breach disclosures were submitted to Maine’s official breach portal and publicly posted before their legitimacy could be verified, prompting companies to deny the claims.
A notice allegedly filed by multiplayer social virtual reality platform VRChat is the most recent entry in the state Attorney General's breach disclosure database.
However, a company representative said the breach notification is fake and has been filed using the name of a fictitious employee.
VRChat is a multiplayer social virtual reality platform built on Unity and originally released for Windows and Oculus Rift in 2014, where users interact as customizable avatars in user-created virtual worlds.
The fake VRChat data breach entry notes that personal data of more than 2.4 million users was exposed to hackers after they gained access to the company's cloud environment.
Whoever submitted the false information made the effort to draft a notification letter for affected individuals, which claimed that the hacking incident occurred between May 10 and 12.
The false letter appears legitimate, filled with details about unauthorized access, results of a forensic investigation, actions taken after detecting the hack, claims that steps have been taken to increase security, and what users should do to increase protection for their accounts.
Charles Tupper, Head of Community at VRChat, said that the data breach notification in the database of the Maine Office of the Attorney General is fraudulent: "VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised."
The Maine Office of the Attorney General said that "the notice will be coming down" and that they were "not aware of another example of intentional misrepresentation of the notice filings." (Bill Toulas / Bleeping Computer)
Related: Bleeping Computer, Upload, Cybersecurity Insiders, Malwarebytes, The Register
Vietnamese police busted a group suspected of trying to establish a large-scale online scam center in the country, authorities said on Friday, as criminal networks spread their operations across Southeast Asia.
Police in Phu Tho province uncovered and disrupted a transnational group linked to online fraud syndicates operating in Cambodia, preventing it from setting up what they described as a major scam hub in Vietnam, the Ministry of Public Security said in a statement.
Four people were arrested, including a Chinese national and three Vietnamese, according to the statement.
Investigators said the group had rented multiple resorts, farmstays and villas in Hanoi, Lao Cai and Phu Tho to house dozens of people as part of their preparations, adding that many of them had previously worked at scam centers in Cambodia.
Police also seized dozens of computers, hundreds of mobile phones and internet devices allegedly used for online fraud, saying the site was close to becoming operational.
The raid "prevented the formation of a large-scale transnational high-tech fraud center within Vietnam," and also helped safeguard national security and protect people's assets, the ministry said. (Khanh Vu / Reuters)
Related: Tuoi Tre News, The Business Times, dantri.com.vn, Saigon News

Kyushu Electric Power Co. in Japan has disclosed a physical security incident that affects private data of more than 10 million customers.
In an official announcement, the company explains that the IT staff regularly performs backups to manage server storage. Due to capacity constraints, on April 27, an external storage device was used for the task.
The drive was then stored in a server room cabinet protected by multiple physical security layers. On May 26, when IT staff went to retrieve it, they found the cabinet had been left unlocked, and the drive was missing.
Kyushu Electric Power Company is one of Japan's major regional electric utilities, supplying electricity across the Kyushu region, which includes the prefectures of Fukuoka, Saga, Nagasaki, Kumamoto, Oita, Miyazaki, and Kagoshima.
The overall population of the Kyushu region is 12.6 million, and the company stated that the incident impacts up to 10.9 million accounts. (Bill Toulas / Bleeping Computer)
Related: MustShareNews, NHK, Kyuden.co.jp, Asahi, Cyber Insider
An Iran-linked hacker group claims to have breached FBI drones and has threatened to target the World Cup that kicked off this week, a monitoring group says.
The SITE Intelligence Group, an organization that monitors jihadist groups, publishes a statement from Handala, saying they have had access “for months” to “every image and every suspect” captured by first-person view (FPV) drones used by the FBI.
The hackers say the drones featured facial recognition and license plate screening deployed for counterterrorism.
“Better tighten your World Cup security, we don’t like some of those teams at all. Don’t forget: FPVs are everywhere; you never know when one might end up right in your team’s bus,” Handala says in the statement quoted by SITE.
The FBI is deploying drones around World Cup stadiums to protect against unauthorized aircraft.
Drone flights will be banned over US stadiums hosting matches, as well as over fan events related to the tournament that kicked off yesterday. (AFP)
Humanity Protocol’s native token H collapsed more than 80% on Tuesday after attackers compromised private keys tied to the project, seized bridge admin controls, and stole more than $36 million across Ethereum and BNB Chain.
In a detailed thread, Humanity Protocol said the Monday attack was coordinated across Ethereum and BSC and traced to a breach that occurred "after an employee's laptop was compromised."
The project's H token plunged from highs of $0.73132 on Monday to a Tuesday morning low of $0.079606, per CoinGecko data, a drop of 89%. H is currently trading near $0.20, down 73% on the day, erasing much of a rally that had pushed the token close to its all-time high of $0.80 just a week earlier.
Founder Terence Kwok confirmed the breach and told users to stay clear of the project's infrastructure. (Vismaya V / Decrypt)
Related: Biometric Update, CCN, CryptoRank, Yellow
A group of cryptographers has built what they describe as the foundation for a new generation of end-to-end encrypted apps, with a new metaphor: Instead of a mere pipe, they want to create “spaces” where users can hold group conversations, host information on a server, collectively make changes to it, invite in new collaborators or kick them out, all while maintaining the same strong encryption protections that prevent the server or network eavesdroppers from accessing their data.
That cryptographer team, including contributors from Harvard, Microsoft Research, and former developers of the end-to-end encrypted messenger Signal, today released a “preview” of Encrypted Spaces, an early version of a set of open-source code libraries, which is part of an architecture they've designed to allow anyone to easily build a rigorously end-to-end encrypted app that nonetheless enables all of the complex collaboration features that users demand from software today.
The group says it saw an opportunity in the migration from single-user apps and one-to-one messengers to multiuser collaboration tools. The transition comes at the same time as the advent of new cryptographic tricks—namely, “zero-knowledge proofs”—that enable computers to manipulate and verify the integrity of encrypted data without seeing its contents. “These pieces kind of fall into place to leave us with a moment of technological shift where we can inject encryption and privacy,” says Nora Trapp, an engineer at Harvard’s Applied Social Media Lab who has also worked as a technical lead for Signal. “We want to provide the technological surface area for developers to build all these apps in a privacy-preserving way."
Among the cryptographers working on the project is Trevor Perrin, the co-creator of the Signal protocol, the open-source encrypted messaging system used not only in the hundred-million-plus phones with Signal installed but also in the billions of devices that use WhatsApp and Facebook Messenger. (Andy Greenberg / Wired)
Related: Encrypted Spaces, Berkman Klein Center, Microsoft, r/crypto
Coinbase's quantum advisory council is urging blockchain developers to begin preparing for a post-quantum future now, arguing that the technical work of upgrading Bitcoin, Ethereum, and other networks shouldn't wait for consensus on what to do with vulnerable or abandoned coins.
In a new report released Thursday, the council identified one of the most contentious questions facing the industry: what happens to the cryptocurrency whose owners never migrate to quantum-safe addresses.
“No quantum computer can break blockchain cryptography right now,” the council wrote. “But timelines are uncertain, and the crypto community needs to start preparing now rather than debating exactly when the threat will arrive.”
Launched in January, Coinbase's Independent Advisory Board on Quantum Computing and Blockchain brings together researchers from academia and industry, including representatives from Stanford University, the University of Texas at Austin, the Ethereum Foundation, Eigen Labs, Bar-Ilan University, and UC Santa Barbara, to study quantum risks to blockchain networks. (Jason Nelson / Decrypt)
Related: Coinbase, CryptoRank, Bitcoin World
The European Data Protection Board (EDPB) has adopted a common template for data breach notifications as part of efforts to simplify GDPR compliance and improve consistency across the EU.
The template is intended to help organizations and Data Protection Authorities structure, harmonize, and unify breach notification processes. The template is designed to ensure that data breach notifications contain the information required under Article 33 of the GDPR, which governs the notification of personal data breaches to supervisory authorities.
The EDPB said the common format should make it easier for organizations to submit timely data breach notifications and help responsible authorities assess cases. The template includes predefined fields, response options, and guidance to help organizations complete notifications more efficiently.
The EDPB said the approach could reduce administrative costs and save time, particularly for smaller organizations that lack dedicated data protection or legal expertise.
The template will be subject to public consultation until 5 August 2026. Following the consultation, the EDPB will determine the timeline for implementation by national Data Protection Authorities. (Digwatch)
Related: European Data Protection Board, CNIL
Best Thing of the Day: Let's Make This Mandatory Now
The European Commission published the final version of its voluntary Code of Practice on marking and labeling of AI-generated content that requires deepfakes and AI-generated or AI-manipulated text to be clearly labeled.
Worst Thing of the Day: This Is How a Scourge on Humanity Acts
Elon Musk’s Grok chatbot is still being used to produce and host nonconsensual explicit images and videos of women, months after Musk’s artificial intelligence firm xAI said it would introduce restrictions to stop the creation of potentially harmful sexualized deepfakes.
