Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
Iranian broadcasters hacked to air protest video, Iran cyber command warns officials away from connected gear, Novel method targeted UK's Keir Giles, Viasat was a Salt Typhoon victim, Feds seized $225m+ in romance scam crypto, San Diego's PD license plate system left open for three weeks, much more


A special note from Metacurity: In the words of Martin Luther King, Jr., we must accept finite disappointment, but never lose infinite hope. Happy Juneteenth!
Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
Following initial reports that Israel-linked hackers Predatory Sparrow stole $48 million from Iran’s largest crypto exchange, Nobitex, it turns out the exchange was hacked for $90 million, with the hackers subsequently burning or destroying the stolen currency.
Blockchain analysis firm Elliptic said the hackers “burned” the stolen funds by sending the crypto to inaccessible wallets, effectively taking the money out of circulation. (Zack Whittaker / TechCrunch)
Related: Elliptic, Wired, CyberScoop, Benzinga, NewsBTC, Crypto Briefing, Cointelegraph, crypto.news, BusinessLIVE, NewsMax.com, NFTgators, The Block, The Hill, The Daily Hodl, Coinspeaker, NBC News, Fortune, Decrypt, CNBC, Bitcoin News, The Coin Republic, Blockchain News, Bitcoin Insider, DL News, Bleeping Computer, The Crypto Times, Kurdistan24, The Guardian, Coinpedia Fintech News, CoinGape, CoinDesk, CryptoSlate, CryptoPotato, Watcher Guru, BeInCrypto, Web3 is Going Just Great

Several Iranian television broadcasts were hacked with pictures and calls on the public to rise up and take to the streets in protest against the government.
The opposition-linked Iran International quotes officials as saying it only affected those receiving the broadcasts via satellite, suggesting interference with the satellite signal.
The hacked broadcasts aired footage of the 2022 “Woman, Life, Freedom” protests. The visuals showed women tearing off their hijab and cutting their hair in defiance, followed by a voice-over urging the public to rise and take to the streets against the regime. A logo linked to the IDF's Operation Rising Lion also appeared on the screen.
The footage was from the protest of 2022, against the regime over the death of Mahsa Amini in police custody. (Times of Israel and Kushal Deb / WION)
Related: WION, The Long War Journal, i24News, Ynet News, Daily Mail, Iran International
According to the Fars news agency, which is affiliated with the Iranian Revolutionary Guard Corps, Iran’s cyber command ordered top officials and their security teams to avoid IT equipment connected to telecom networks in a sign they fear digital disruption from Israel.
Lukasz Olejnik, a visiting senior research fellow of the Department of War Studies at King’s College London, said the Iranian decision to avoid connected kit signals “deep concern” that ordinary devices can be hacked and tampered with. “It suggests Tehran fears adversaries can use connected devices to track, intercept, or even target key officials,” he said.
Israel has used connected devices to kill individuals in the past. Last September, it used explosive pagers to hit Hezbollah targets, injuring nearly 3,000 people, a sophisticated and carefully orchestrated attack in which Israeli security services hit the Lebanon-based terrorist group by simultaneously triggering minute quantities of explosive hidden in thousands of modified hand-held devices distributed among Hezbollah operatives. (Antoaneta Roussi and Dana Nickel / Politico EU)
Related: Capacity Media, Washington Examiner, Hindustan Times
Researchers from the University of Toronto’s Citizen Lab report that Keir Giles, a senior consulting fellow for the Russia and Eurasia program at the British think tank Chatham House, was the target of a highly sophisticated and unusually patient attack that used a “novel method” to bypass one of the most well-regarded cyber defense tools, multi-factor authentication (MFA).
Google’s Threat Intelligence Group also released a related blog post on who is behind the compromise of Giles’ accounts, and how he’s not the only one they’ve targeted with that specific technical attack method.
Giles warned over the weekend about State Department impersonators who had compromised his account, promising “more on the how, what and when later.”
On the technical side, the final step was convincing Giles to create and share a screenshot of an app-specific password (ASP), a credential that lets third-party apps which don’t support multi-factor authentication sign in to a user’s account. The hackers used the ASPs to compromise Giles’ Google accounts.
Google discovered the compromise, sent Giles a security alert, and locked his accounts. Google said the hackers, called UNC6293, are potentially connected to a unit tied to Russia’s Foreign Intelligence Service, known by names such as APT29, Cozy Bear, or ICECAP.
The deception required a lot of effort and knowledge. For instance, the attackers were likely aware that the State Department’s email server is set up to accept all messages and doesn’t send a bounceback message for non-existent addresses, according to the Citizen Lab report. A large language model might have improved the email’s authentic-sounding English. (Tim Starks / Cyberscoop)
Related: Citizen Lab, Google, The Times, The Record, Reuters, Bloomberg, Security Week

Sources say that US satellite company Viasat is the latest publicly identified victim of China's Salt Typhoon hacking and espionage group.
The breach of the California-headquartered satellite and wireless networking company was discovered earlier this year, and Viasat has been working with the government in the aftermath. Verizon, AT&T, and Lumen Technologies were previously identified as being hit by the attack. (Ed. Note: more recently, sources told NextGov/FCW that the group also infiltrated data center giant and broadband company Comcast.)
“Viasat and its independent third-party cybersecurity partner investigated a report of unauthorized access through a compromised device,” the company said. “Upon completing a thorough investigation, no evidence was found to suggest any impact to customers.”
It did not address any impact on its networks, but a follow-up statement said additional information on the government’s investigation was too sensitive to share publicly.
Brett Leatherman, the new head of the FBI’s cyber division, declined to comment on the identity of the hack’s victims, including Viasat. But he said the operation enabled hackers to gain access to tools used by US law enforcement to monitor and surveil persons of interest, as well as to collect call records and compromise the communications of people in government and politics. (Jamie Tarabay / Bloomberg)
Related: PC Mag, Via Satellite, Tech Radar, Reuters, Cybernews, SC Media UK
The US Justice Department announced the largest-ever seizure of cryptocurrency linked to so-called “pig butchering” or romance scams that have cost victims billions globally.
Federal prosecutors filed a civil forfeiture action targeting over $225 million in cryptocurrency traced to a sprawling web of fraudulent investment platforms. Victims were tricked into believing they were investing in legitimate crypto ventures, only to be scammed by criminal networks often operating overseas.
“This seizure of $225.3 million in funds linked to cryptocurrency investment scams marks the largest cryptocurrency seizure in US Secret Service history,” said Shawn Bradstreet, special agent in charge of the US Secret Service’s San Francisco Field Office.
Authorities said the network was connected to at least 400 suspected victims worldwide, including dozens in the US.
The US Secret Service and FBI used blockchain analysis and other tools to trace the cryptocurrency back to stolen assets. The DOJ credited Tether, the world’s largest stablecoin issuer, for assisting in the operation. (MacKenzie Sigalos / CNBC)
Related: US Department of Justice, Tether, Decrypt, Cointelegraph, Coinpedia Fintech News, Mashable, Fortune, PYMNTS.com, Blockchain.News, The Block, crypto.news, Benzinga, The Crypto Times, NewsMax.com, Crypto Briefing, Databreaches.net

The San Diego Police Department’s Flock automated license plate recognition (ALPR) database was searched nearly 13,000 times during the early weeks of its implementation in 2023 and 2024, when outside agencies were able to conduct searches due to a database misconfiguration.
California law prohibits sharing ALPR data with out-of-state, federal, or private agencies. However, according to the San Diego Police Department’s 2024 annual surveillance report, information was shared with Homeland Security Investigations (HSI) and Customs and Border Protection (CBP) 10 times.
This almost three-week period was initially omitted from the San Diego Police Department’s 2024 annual surveillance report. Department officials said the omission was an oversight.
The department plans to improve its auditing procedures to prevent future omissions. According to Lyndsay Winkley, the department's community liaison manager, the department has also committed to formally resubmitting the surveillance report to reflect that period accurately. (Gabrielle Wallace / Times of San Diego)
Related: KUSI
Researchers at Huntress report that the North Korean BlueNoroff hacking group, also known as Sapphire Sleet or TA444, is deepfaking company executives during Zoom calls to trick employees into installing custom malware on their macOS devices.
Huntress uncovered a new BlueNoroff attack on June 11, 2025. The primary goal was most likely cryptocurrency theft.
The attackers, who posed as external professionals requesting a meeting, contacted the target, an employee at a tech firm, on Telegram. They sent a message containing a Calendly link for what appeared to be a Google Meet session, but the invite link was actually a fake Zoom domain controlled by the attackers.
When the employee attended the Zoom meeting, deepfake videos of recognizable senior leadership from the employee's company and various external participants were included to add credibility.
During the meeting, the victim encountered issues with their microphone, which didn't work, seemingly due to technical problems. The deepfakes advised the victim to download a supposed Zoom extension that would fix the problem. The link to the extension delivered a payload of eight malicious Mac binaries.
Huntress warns that many Mac users have been lulled into thinking they're less likely to be targeted by malware. (Bill Toulas / Bleeping Computer)
Related: Huntress

Researchers at Cisco Talos report that job applicants in the cryptocurrency and blockchain industry are being targeted by North Korean hackers seeking to infect the devices of potential new hires and steal their data.
They found a North Korean group dubbed “Famous Chollima” running a campaign since mid-2024 targeting a small number of people primarily based in India.
The group creates fake employers and gets real software engineers, marketing employees, designers, and others to visit skill-testing pages to move forward with their applications.
“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” Cisco Talos said.
“The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap, and others, which helps with the targeting.”
Victims are sent an invite code to a testing website where they are expected to enter their details and answer questions about their skills. Applicants are then asked to record a video for interviewers.
When the person approves camera access to the site, the site displays instructions asking the applicant to copy and paste code onto their computer to install something for the video.
Cisco Talos called the malware “PylangGhost” and said it was used exclusively by Famous Chollima. The tactic used in the campaign, known as “ClickFix,” involves hackers trying to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. (Jonathan Greig / The Record)
Related: Cisco Talos, GBHackers, Cyber Security News

American healthcare services company Episource warns of a data breach after hackers stole health information of over 5 million people in the United States in a January cyberattack.
Episource says it detected unusual activity on its systems on February 6, 2025. An investigation revealed that hackers accessed and exfiltrated sensitive data stored on these systems between January 27 and the time of the discovery.
"We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems," explains Episource.
"This happened between January 27, 2025 and February 6, 2025. To date, we are not aware of any misuse of the data." (Bill Toulas / Bleeping Computer)
Related: HHS, Security Affairs, Security Week, The HIPAA Journal, The Record
Researchers at Zimperium say the GodFather Android banking Trojan has evolved significantly, with an advanced on-device virtualization technique targeting financial institutions in Turkey to hijack legitimate mobile banking and cryptocurrency applications more deceptively than ever.
The method creates a complete, isolated virtual environment on the victim's mobile device by installing a malicious "host" application containing a virtualization framework.
This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox, giving attackers "several critical advantages over previously seen malware," according to a report published today.
The method represents a significant leap in mobile threat capabilities beyond the typical overlay tactic, in which an attacker tricks a user into inputting data into what looks like the application but is actually a different user interface.
GodFather has also evolved its evasive maneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools. The combination of new tactics "achieves perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance," zLabs' researchers noted. (Elizabeth Montalbano / Dark Reading)
Related: Zimperium, HackRead, Tom's Guide, SC Media, GovInfoSecurity
Ontario's Information and Privacy Commissioner (IPC) investigation into a cyberattack that disrupted care at five southwestern Ontario hospitals for months reveals that while there were missteps, the facilities and their IT provider responded appropriately.
The data breach compromised health information from hundreds of thousands of people and temporarily interrupted care for patients at Windsor Regional Hospital, Bluewater Health, Hôtel-Dieu Grace Healthcare, Erie Shores Healthcare, and the Chatham-Kent Health Alliance, as well as a clinic: Tilbury District Family Health Team.
All of these healthcare facilities share an IT provider, TransForm Shared Service Organization, which was the target of the attack.
"In light of the measures taken to contain, investigate and remediate the incident, the investigator finds that the [hospitals, clinic and IT provider] have responded adequately to the breach," reads part of the investigation. (CBC News)
Related: IPC, The Chatham Voice, CK News Today, Databreaches.net
Malaysia’s communications regulator filed a civil suit against two Telegram channels over content it deemed harmful.
The Malaysian Communications and Multimedia Commission found that the channels “Edisi Siasat” and “Edisi Khas” spread content that violated provisions under the Communications and Multimedia Act 1998 and had the potential to erode trust in the country’s institutions and jeopardize peace in society.
According to the regulator, this was the first action against a social media platform provider. It stemmed from Telegram’s failure to manage the content after repeated reports, despite the MCMC’s efforts to negotiate and cooperate.
The MCMC said it had obtained an interim injunction from the High Court to stop the spread of the harmful material and prevent its re-publication. The regulator added that Telegram will be given due space to present its defense. (Anisah Shukry / Bloomberg)
Related: Reuters, StratNews Global, Malay Mail, Business Today, The Vibes
The US Department of Homeland Security warned about the rise in Chinese-manufactured signal jammers in the United States, threatening public safety and civilian aviation.
Customs and Border Protection (CBP) has seen a roughly 830% increase in seizures since 2021, despite Chinese companies’ attempts to subvert inspection.
Signal jammers can disrupt a range of radio frequency channels and pose a threat to emergency response, law enforcement, and critical infrastructure.
US federal law already prohibits the private import, operation, marketing, or sale of any signal jamming equipment that interferes with law enforcement communications, GPS, or radar. (Eurasia Review)
Related: DHS
A recent investigation by Sysdig’s Threat Research Team (TRT) revealed several critical vulnerabilities in GitHub Actions workflows, which could pose serious risks to some major open source projects.
Sysdig exposed how misconfigurations, particularly involving the pull_request_target trigger, could let attackers seize control over active repositories or extract sensitive credentials.
The team demonstrated this by compromising projects from well-known organizations such as MITRE and Splunk. (Efosa Udinmwen / Tech Radar)
Related: Sysdig, devclass, GBHackers
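A constructed illustration of the pull_request_target misconfiguration described above, added here as an example; it is not taken from Sysdig's report or from any real project's workflow, and the Node.js test job, secret name and label step are assumptions. The weak workflow checks out and executes the contributor's code under the base repository's privileged token; the corrected split runs untrusted code only under pull_request, where fork PRs get a read-only token and no secrets.

```yaml
# .github/workflows/ci-weak.yml  (CONSTRUCTED weak example)
# pull_request_target runs in the context of the BASE repository, so the job
# gets a GITHUB_TOKEN that can carry write permissions plus access to repo
# secrets. Checking out the PR head and running code from it (npm install
# executes package.json lifecycle scripts) runs the contributor's code with
# those privileges.
name: ci-weak
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted PR code
      - run: npm install && npm test                       # executed with secrets in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # assumed secret name
---
# .github/workflows/ci-hardened.yml  (CONSTRUCTED corrected example)
# Untrusted code runs under pull_request: for a fork PR the token is read-only
# and secrets are not passed, so running the contributor's tests is safe.
name: ci-hardened
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # default ref: the PR merge commit, read-only token
      - run: npm install && npm test    # no secrets available to this job
---
# .github/workflows/pr-label.yml  (CONSTRUCTED corrected example, privileged half)
# Anything that genuinely needs write access stays on pull_request_target but
# never checks out or executes the PR's code; it only reads event metadata and
# the token is scoped to the single permission it needs.
name: pr-label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR" --add-label needs-review    # no checkout step at all
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

When auditing existing workflows, the pattern to look for is any pull_request_target job that passes `github.event.pull_request.head.*` to a checkout step or otherwise runs PR-supplied code.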
Facebook is adding support for passkeys on its mobile app that will allow users to log into the platform using their device’s authentication method, such as fingerprint, face scan, or PIN.
Meta doesn’t provide a specific timeline for when passkey support will arrive, only saying it will launch on Android and iOS “soon.” The company plans to bring passkey support to the Messenger app, too. (Emma Roth / The Verge)
Related: Meta Newsroom, MacRumors, NERDS.xyz, Lifehacker, Social Media Today, Neowin, Lifewire, Thurrott, Engadget, TechCrunch, Forbes, Slashdot
Researchers at Malwarebytes report that tech support scammers have devised a method to inject fake phone numbers into webpages when a target's web browser visits official sites for Apple, PayPal, Netflix, and other companies.
The ruse threatens to trick users into calling the malicious numbers even when they think they're taking measures to prevent falling for such scams. One of the more common pieces of security advice is to carefully scrutinize a browser's address bar to ensure it points to an organization’s official website.
The ongoing scam is able to bypass such checks. (Dan Goodin / Ars Technica)
Related: Malwarebytes

In collaboration with researchers from Columbia University and the University of Chicago, Barracuda researchers analyzed a dataset of spam emails from February 2022 to April 2025 and found that due to a steady rise, half are now generated using AI tools.
The researchers observed a much slower increase in the use of AI-generated content in business email compromise (BEC), comprising 14% of all attempts in April 2025. (James Coker / Infosecurity Magazine)
Related: Barracuda, Digit, Cybernews

After receiving a 90-day reprieve, the US Justice Department is asking for another month to decide whether to appeal a Mississippi federal judge’s sweeping ruling that determined so-called “tower dumps” are unconstitutional.
Tower dumps are a frequently used law enforcement technique for pulling large swaths of data from cellular towers, including location information about innocent individuals within the tower's area, to find alleged criminal activity.
FBI agents in Mississippi had initially submitted four sealed search warrants for a tower dump’s data as part of an investigation into a string of shootings and car thefts involving an unnamed violent gang. US Magistrate Judge Andrew Harris repeatedly declined to authorize the search warrants, even after the DOJ submitted a follow-up memorandum clarifying its position, and a conference call was held with Judge Harris to address his concerns.
The February order marked the first instance in which a judge ruled against law enforcement’s use of tower dumps, extending the scope of an August ruling in a federal appeals court that found the use of a geofence warrant, in which law enforcement sends a request to Google for the location data of phones at a specific location, was unconstitutional. (Seamus Hughes / CourtWatch)
Related: CourtListener
The US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog with a TP-Link command injection vulnerability.
While the flaw was discovered two years ago, the current addition means that cybercriminals have been actively exploiting it recently.
The command injection vulnerability is considered highly severe and has an assigned score of 8.8 out of 10. It allows attackers to execute commands on routers without proper authorization.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise,” CISA warns. “Users should discontinue product utilization,” it says. (Ernestas Naprys / Cybernews)
Related: CISA, SC Media, Tech Radar, Cybernews, Tom's Guide
Best Thing of the Day: Keeping the Kiwi Critical Infrastructure Safe
New Zealand is looking at developing minimum standards for protecting critical communications infrastructure.
Worst Thing of the Day: Only Trump Lovers Need Apply
The State Department will review the social media accounts of foreign student visa applicants, with applicants expected to have all social media profiles set to “public" so that government autocrats can look for any indications of "hostility" to the current administration.
