Israel-linked hackers destroyed data at Iran’s state-owned Bank Sepah
Israel-linked hackers stole $48m in crypto from Iran, Iran urges removal of WhatsApp from phones, Iran shuts down internet amid Israel strikes, US critical infrastructure girds for Iranian cyber threats, UK ICO fines 23andMe $3.1m over 2023 breach, Chinese spies invest heavily in AI, so much more


An anti-Iranian government hacking group known as Gonjeshke Darande, or “Predatory Sparrow,” with potential ties to Israel and a track record of destructive cyberattacks on Iran, claimed in social media posts that it had destroyed data at Iran’s state-owned Bank Sepah.
The incident comes amid increasing hostilities between Israel and Iran, after Israel attacked multiple military and nuclear targets in Iran last week.
The group said it hacked the bank because it “circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.”
“Disrupting the availability of this bank’s funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there,” Rob Joyce, the former top cybersecurity official at the NSA, said.
“Any cyber response to this whole episode is probably going to take time. There’s likely to be significant cyber activity, but it may take some time for these operations to spin up,” John Hultquist, chief analyst at Google Threat Intelligence Group, said.
The bank's website was offline on Tuesday, and its London-based subsidiary, Bank Sepah International plc, did not immediately respond to an emailed request for comment. Customers were having problems accessing their accounts, according to Israeli media. (AJ Vicens and James Pearson / Reuters and Matt Kapko / Cyberscoop)
Related: TechCrunch, Iran International, Haaretz, Jerusalem Post, Digital Watch Observatory, HealthcareInfoSecurity.com, Axios, The Record, Times of Israel, The Times, JNS, BankInfoSecurity, Iran International, Long War Journal, DigWatch, Middle East Forum, AL-Monitor, Bloomberg, Ynet News, The Register

The hacker group known as "Gonjeshke Darande," or "predatory sparrow," announced that it stole $48 million in cryptocurrency used by Iran to fund terror, and will release more crucial internal information.
The group said it would "release Nobitex's source code and internal information from their internal network" in 24 hours.
Nobitex deals in digital currencies and crypto. According to the group, the crypto company assists the regime in funding Iranian terrorism and uses virtual currencies to bypass sanctions.
The hacker group, which is reportedly affiliated with Israel, targeted Nobitex and stole $48 million in total.
The hackers warned Iranians: "Collaborating with a terrorist financing infrastructure puts your assets at risk! Act before it's too late." (Amichai Stein / Jerusalem Post)
Related: Crypto Briefing, CCN, Coindesk, TronWeekly, Israel National News, Türkiye, Coinfomania, Coinpedia
Iranian state television urged people to remove WhatsApp from their smartphones, alleging without specific evidence that the messaging app gathered user information to send to Israel.
In a statement, WhatsApp said it was “concerned these false reports will be an excuse for our services to be blocked at a time when people need them the most.” WhatsApp uses end-to-end encryption, meaning a service provider in the middle can’t read a message.
“We do not track your precise location, we don’t keep logs of who everyone is messaging, and we do not track the personal messages people are sending one another,” it added. “We do not provide bulk information to any government.”
However, Gregory Falco, an assistant professor of engineering at Cornell University and cybersecurity expert, said it’s been demonstrated that it’s possible to understand WhatsApp metadata that is not encrypted.
Iran has blocked access to various social media platforms over the years, but many people use proxies and virtual private networks, or VPNs, to access them. It banned WhatsApp and Google Play in 2022 during mass protests against the government over the death of a woman held by the country’s morality police. (Kelvin Chan and Barbara Ortutay / Associated Press)
Related: CBS News, Middle East Eye, Mint, Al Jazeera, EuroNews, The Conversation, Iraqi News
Iran plunged into a near-total internet blackout as Israel continued to bombard the country, according to two companies that track global internet connectivity, Kentik and Netblocks.
The drop appears to be a result of a decision by Iran’s government, rather than Israeli strikes on infrastructure. Fatemeh Mohajerani, a spokesperson for Iran’s government, said it had restricted internet access in response to Israeli cyberattacks.
Iran’s government has historically shut down or reduced its internet connectivity with the outside world in times of civil unrest. Most recently, in 2019, it implemented a six-day complete blackout as protesters took to the streets across the country and the government issued a crackdown on civilians, reportedly leading to the deaths of more than 100 people. (Kevin Collier / NBC News)
Related: DL News, The Verge, CBS News, Ukrainian National News, Cryptopolitan, r/worldnews, Slashdot
Virtually every critical infrastructure sector in the US is on high alert amid a deepening conflict between Iran and Israel, though no major new cyber threat activity has been publicly reported so far.
“Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions,” said John Hultquist, chief analyst for Google Threat Intelligence Group.
As the conflict evolves — and particularly if the US decides to strike Iran directly — “targets in the United States could be reprioritized for action by Iran’s cyber threat capability,” he said.
Beyond federal resources, thousands of the nation’s critical infrastructure operators turn to information sharing and analysis centers and organizations, or ISACs, for threat intelligence.
The Food and Ag-ISAC, whose members include the Hershey Company, Tyson, and Conagra, and the Information Technology ISAC, whose members include Intel, IBM, and AT&T, issued a joint alert late last week, strongly urging US companies to step up their security efforts to prepare for likely Iranian cyberattacks.
ISACs for the electricity, aviation, financial services, and state and local government sectors are also on alert.
Jabbour said his organization is working with the National Council of ISACs on scanning for these threats, and noted that the council had stood up a program following the first strikes by Israel on Iran late last week to monitor for specific threats to US infrastructure. (Maggie Miller / Politico)
The UK's Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have released the results of their year-long joint investigation into a massive 2023 data breach at DNA testing firm 23andMe, with the UK watchdog fining the company £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data.
In 2023, hackers stole private data on over 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law. (Zack Whittaker / TechCrunch and Global News)
Related: ICO, Business Matters, Tech Monitor, BBC News, TechRadar, Computing, Nasdaq, Globe and Mail, MakeUseOf, CNET, The Canadian Press
Researchers at Recorded Future’s Insikt Group report that Chinese spy services have invested heavily in artificial intelligence to create new tools to speed analysis, provide early warning of threats, and potentially help shape operational plans during a war.
Their report comes amid rising concern about how Chinese spy agencies will use AI to power covert actions, as Western intelligence services also embrace the technology.
The researchers reviewed the People’s Liberation Army's patent applications, publicly available contracts, and other material to better understand how China’s military and intelligence services have invested in artificial intelligence.
Recorded Future found that China is probably using a mix of large language models and technology to analyze vast amounts of data and communicate its results in human language. Models from Meta and OpenAI are thought to be among the American models China uses, along with Chinese models from DeepSeek, Zhipu AI, and others. (Julian E. Barnes / The New York Times)
Related: Recorded Future, Recorded Future

The US Federal Trade Commission (FTC) announced that UK-based payment processor Paddle.com and its US subsidiary will pay $5 million to settle the agency's allegations that the company facilitated deceptive tech-support schemes that harmed many US consumers, including older adults.
According to the FTC, Paddle failed to perform adequate screening and fraud prevention, enabling foreign operators like Restoro, Reimage, and PC Vark to exploit the US credit card system.
These schemes used fake virus alerts and pop-up warnings, often impersonating Microsoft or McAfee, to lure consumers into buying unneeded software or tech support services and charged them via unauthorized subscription renewals.
PC Vark sold scareware through deceptive alerts and routed victims to call centers. Paddle processed $12.5 million for PC Vark, despite numerous complaints and chargeback rates exceeding 7%. (Bill Toulas / Bleeping Computer)
Related: FTC, Fintech Futures, PYMNTS, Payments Journal, Finextra
Swiss banks UBS and Pictet said they had suffered a data leak due to a cyber attack on a provider in Switzerland that did not compromise client information, although a report said thousands of UBS workers' data was affected.
Swiss newspaper Le Temps (in French only, behind paywall) said that files containing details of tens of thousands of UBS employees were stolen from the Baar-based business service company Chain IQ, whose website lists KPMG and Mizuho among its clients.
"A cyber attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected," UBS said.
"As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations."
Le Temps reported that the leaked cache also included the number of a direct internal line to UBS CEO Sergio Ermotti.
Chain IQ said it and 19 other companies were targeted in the attack, resulting in leaked data being published online on the darknet. (Oliver Hirt, Dave Graham, Tomasz Janowski, and Bernadette Baum / Reuters)
Related: Wall Street Journal, Bloomberg, Swiss.info
Erie Insurance says it has control of its systems after a weeklong network outage that many have speculated was caused by the cybercrime gang Scattered Spider, but the company says there are no signs of a ransomware attack, according to a June 17 company statement.
“At this time, we have control of our systems,” the statement read. “We have seen no evidence of ransomware, and there is no indication of ongoing threat actor activity.”
On June 8, Erie Insurance confirmed that an outage had affected all its systems and locked customers out of their online accounts. On June 11, in a filing with the Securities and Exchange Commission, Erie Insurance described the event as an "information security event" and said it was working with law enforcement.
Despite the company indicating no ransomware involvement, two federal class-action lawsuits have been filed, claiming the outage was caused by such an attack. Neither suit provides evidence to support the claim. (A.J. Rao / GoErie)
Related: Erie Insurance, Cybernews, Insurance Journal, YourErie
Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.
Scania said the attackers emailed several Scania employees, threatening to leak the data online unless their demands were met.
Late last week, threat monitoring platform Hackmanac spotted a hacking forum post by a threat actor named 'hensi,' selling data they claimed to have stolen from 'insurance.scania.com,' offering it to a single exclusive buyer.
Scania said their systems were breached on May 28, 2025, using an external IT partner's credentials stolen by infostealer malware. (Bill Toulas / Bleeping Computer)
Related: Cyber Daily, Techzine, GBHackers, SC Media

UK retailer Co-op will offer its members £10 (around $13.5) off a minimum shop of £40 (around $54) following disruption caused by a recent cyber attack.
The grocery chain said it had not yet wholly recovered from being targeted by hackers last month, who stole a significant amount of customer data.
Although the offer appears generous, one analyst said most customers do not spend £40 or more per shop, so it would not appeal to many people.
The one-off deal, which runs from Wednesday for a week, is open to existing Co-op members and any shoppers wanting to sign up, but not to staff. (Tom Espiner / BBC News)
Related: Retail Gazette, The Independent, The Standard, Tech Digest, Daily Record, Manchester Evening News, Liverpool Echo
Fortinet security researcher Pei Han Liao reports that a threat actor is targeting organizations in Taiwan in a sophisticated and evolving campaign to steal data for likely use in future attacks.
The attackers are delivering malware through phishing emails impersonating Taiwan’s National Taxation Bureau and other government entities, using themes related to taxes, pensions, and public services.
Data that the adversary has been harvesting includes user information, IP address, computer name, and system-related information such as operating system and version, system architecture, CPU frequency, processor count, memory size, and registry values. (Jai Vijayan / Dark Reading)
Related: Fortinet

A hacker managed to steal only around $132,000 in an attack on the crypto protocol Meta Pool, despite minting $27 million worth of tokens that they could have stolen.
The attack was foiled by low liquidity and a pause on the exploited smart contract.
The attacker was able to mint 9,705 of the liquid staking protocol’s token mpETH worth nearly $27 million, but only managed to steal around 52.5 Ether (ETH), worth just over $132,000 from the liquidity swap pools, Meta Pool said.
It added that some of the affected pools had low liquidity and volumes, making it harder for the attack to be carried out. Its “early detection systems” helped its team quickly pause the affected contract, preventing “further unauthorized activity or additional losses.”
Meta Pool co-founder Claudio Cossio said the hacker exploited a “fast unstake functionality,” allowing them to mint thousands of mpETH tokens.
Generally, after unstaking crypto, there is a waiting period before it becomes transferable; however, with fast unstaking, also known as flash unstaking, the waiting period is voided, provided specific conditions are met.
Blockchain security firm PeckShield posted to X that the staking contract had a “critical bug,” which allowed the hacker to mint mpETH for free, but the “low liquidity of mpETH limited the profit.” (Stephen Katte / Cointelegraph)
Related: Meta Pool, Web3IsGoingJustGreat, CoinDesk, Crypto News
Alex Protocol, a Bitcoin decentralized finance (DeFi) platform on the Stacks blockchain, suffered an exploit on June 6, resulting in $8.3 million in digital asset losses.
Alex Protocol said the breach was caused by a vulnerability in its self-listing verification logic. The attacker used the flaw to drain liquidity from several asset pools.
In response to the incident, Alex Lab Foundation, the organization supporting the protocol, pledged to reimburse affected users using its full treasury reserves. (Ezra Reguerra / Cointelegraph)
Related: Web3IsGoingJustGreat, The Block, Crypto Briefing
Researchers at Radware say that the Cambodian activist group AnonsecKh, which goes by Bl4ckCyb3r on Telegram, has ramped up cyberattacks against Thai entities following a flare-up in a long-running dispute between the two countries over contested border areas.
The group claimed at least 73 attacks on Thai organizations in the two weeks following a May 28 incident in which a Cambodian soldier was killed in a skirmish with Thai forces.
The hacktivist group first claimed attacks on Thai government websites in March, and expanded their scope to Thai academic and private-sector entities that same month.
Their attacks typically involve defacement and distributed denial-of-service (DDoS) campaigns, which flood and often paralyze targeted servers with traffic. The group reportedly increased its activity after the Thai army stated on June 6 that it is “now ready for a high-level military operation.”
Almost half of the observed incidents involve Thai government or military websites, while manufacturing companies account for more than a quarter of claimed targets.
According to the cyber analysis site Hackmanac, between June 4 and June 10, the group claimed to target the Thai Ministry of Defense, the Ministry of Foreign Affairs, and the Bangkok Metropolitan Administration, among others. (James Reddick / The Record)
Related: Radware

Yes24, one of Korea’s largest online bookstores, will compensate millions of customers after a ransomware attack earlier this month paralyzed its platform and disrupted service for several days.
According to a statement posted on its website, the company announced that it would distribute 5,000 won ($3.60) vouchers to all users who made online purchases in the past year. These vouchers can be used to purchase books, albums, and tickets for performances and shows.
Yes24 will also provide a free shipping coupon to all users who purchased products online in the past 12 months, while those who bought e-books during the same period will receive a 5,000 won voucher exclusively for e-book purchases.
Details such as voucher expiration dates are available in the notice posted on the company's website. (Korea JoongAng Daily)
Related: Allkpop, Maeil Business Newspaper, Chosun Biz
Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa.
The data exposure was due to a logic flaw in the MCP system and not the result of a hack, but the risk that arises from the incident could still be significant in some cases.
A software bug in the MCP server exposed data from Asana instances to other MCP users, with the exposed data limited to each user's access scope.
The MCP server had been taken offline, but Asana's status page indicates that it has returned to normal operational status as planned on June 17, 17:00 UTC. (Bill Toulas / Bleeping Computer)
Related: Upguard
The DragonForce ransomware-as-a-service operation has listed Western Australia-based Pressure Dynamics as a victim on its darknet leak site, and the company has acknowledged that it experienced a cyber incident.
DragonForce listed the company in a 17 June update, in which it claimed to have stolen 106.84 gigabytes of data from it.
The data has already been published in full and appears to consist of two folders, labelled Engineering and Operations, respectively. The documents include historical site and customer reports and detailed technical drawings of equipment. One folder, however, contains pathology and medical reports relating to several of Pressure Dynamics’ employees.
Pressure Dynamics has said it is aware of the hackers’ claims. A company spokesperson told Cyber Daily that it has been in touch with staff and clients impacted by the event and that the relevant authorities have been informed. (David Hollingworth / Cyber Daily)
Related: HookPhish
Researchers at Cato Networks report that multiple variants of jailbroken and uncensored AI tools being sold on hacker forums were likely generated using popular commercial large language models from Mistral AI and X’s Grok.
Some commercial AI companies have sought to build guardrails into their models for safety and security, preventing them from explicitly coding malware or relaying detailed instructions for building bombs or other malicious behaviors. A parallel underground market has emerged offering to sell more uncensored versions of the technology.
These “WormGPTs,” named after one of the original AI tools first advertised on underground hacker forums in 2023, are usually cobbled together from open-source models and other toolsets. They can generate code and search for and analyze vulnerabilities, and are then marketed and sold online.
Cato discovered previously unreported WormGPT variants powered by xAI’s Grok and Mistral AI’s Mixtral.
The pricing structure for these tools ranges from subscription-based payment models (around €550 or $631 for a yearly license) to private setups, which can cost as high as €5,000 or $5,740. (Derek B. Johnson / Cyberscoop)
Related: Cato Networks

The Markup and CalMatters found that state-run health care websites nationwide, meant to provide a simple way to shop for insurance, have quietly sent visitors’ sensitive health information to Google and social media companies.
The data, including prescription drug names and dosages, was sent by web trackers on state exchanges set up under the Affordable Care Act to help Americans purchase health coverage.
The exchange websites ask users to answer questions about their health histories to find the most relevant information on plans. However, in some cases, when visitors respond to sensitive questions, the invisible trackers send that information to platforms like Google, LinkedIn, and Snapchat.
The Markup and CalMatters audited the websites of all 19 states that independently operate their own online health exchanges. While most of the sites contained advertising trackers of some kind, the Markup and CalMatters found that four states, Nevada, Maine, Rhode Island, and Massachusetts, exposed visitors’ sensitive health information.
After being contacted by The Markup and CalMatters, Nevada’s health exchange stopped sending visitors’ data to Snapchat, and Massachusetts stopped sending data to LinkedIn. The Markup and CalMatters also found that Nevada stopped sending data to LinkedIn in early May, as we were testing. (Colin Lecher and Tomas Apodaca / The Markup)
Related: GitHub
Ten Democratic lawmakers sent a letter to Palantir demanding that the technology company answer questions about its expanding federal contracts under the Trump administration.
The letter cited a May New York Times article reporting that the Trump administration had broadened Palantir’s work across the government, with the company receiving more than $113 million in federal government spending since President Trump took office.
Officials said the White House was laying the groundwork, partly by using Palantir technology, to consolidate data across the government and compile a master list of potential personal information on Americans.
Senator Ron Wyden of Oregon and Representative Alexandria Ocasio-Cortez of New York drafted the letter. Other members of Congress who signed included Senators Elizabeth Warren and Edward J. Markey of Massachusetts.
After The Times published the article about Palantir, the company said on X that the report “is blatantly untrue” and published a blog post denying it was a vendor on a project to unify databases across federal agencies.
The company said, “Palantir does not build surveillance technology, and we are not building a central database on Americans — nor will we.” (Sheera Frenkel / New York Times)
Related: Wyden-AOC Letter, FedScoop, The Hill, Nextgov/FCW
Spanish grid operator REE's failure to calculate the correct mix of energy was one of the factors hindering the grid's ability to cope with a surge in voltage that led to the massive blackout across Spain and Portugal on April 28, a government investigation concluded.
The report also blames power generators for the worst-ever blackout to hit Spain and Portugal. Some conventional power plants, such as nuclear and gas-fired plants, failed to help maintain an appropriate voltage level in the power system that day.
"The system did not have sufficient voltage control capabilities," Spanish Energy Minister Sara Aagesen said.
While several factors contributed to that day's events, Aagesen confirmed that the ultimate cause was a voltage surge that the grid could not absorb. This surge triggered a cascade of generation disconnections.
The government said it would propose measures to strengthen the grid and improve its ability to control voltage in the system. It would also push to integrate the peninsula with the European grid further, it said. (Inti Landauro, David Latona and Pietro Lombardi / Reuters)
Related: Sky News, Associated Press, The Guardian, Financial Times, Bloomberg, The European Conservative, France24
Donald Trump intends to extend again the deadline for when TikTok must be separated from its Chinese owner, ByteDance, or face a ban in the United States, its third reprieve this year.
Karoline Leavitt, the White House press secretary, said Trump would sign an executive order this week giving TikTok 90 more days, to mid-September, to find a new owner to comply with a federal law that requires the company to change its ownership structure to resolve national security concerns. TikTok’s current deadline is Thursday. (Sapna Maheshwari / New York Times)
Related: CNBC, CNN, NBC News, Silicon Republic, Thurrott, Axios, GSMArena.com, Politico, Financial Times, USA Today, Variety, Business Insider, SiliconANGLE, Ukrainian National News, SFist, Business Standard, Mashable, The Register, Agence France-Presse, Digital Music News, BBC, Engadget, MacRumors, Forbes, 9to5Mac, Raw Story, The Verge, Wall Street Journal, Forexlive, ZeroHedge News, Bloomberg, CBS News, The Hill, Above the Law, KEYE
Best Thing of the Day: A Productive Role for the US Government
The Foundation for the Defense of Democracies recommends that the US government should act as a reinsurer to accelerate the maturation of the cyber insurance market.
Worst Thing of the Day: No One Is Surprised But Egads
Researchers at EON report that half of organizations have difficulty locating backup data when they need it.
