Alleged key leaders in 764 online exploitation group arrested, face life in prison
Polish cops dismantle online fraud group, FBI shares 42K LabHost phishing domains, RSAC news round-up, RansomHub affiliates might have migrated to Qilin, MSFT won't change RDP protocol that permits revoked passwords, Japanese logistics provider hit by ransomware, Persona lands $200m, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
The US Justice Department announced that two men, Leonidas Varagiannis and Prasan Nepal, alleged to have played key roles in the virulent online child exploitation network known as 764, have been arrested and charged and face potential life in prison.
The pair allegedly led a core subgroup of 764 known as “764 Inferno,” which targeted vulnerable people, including children, with tactics designed to induce self-harm.
They were also involved in making and distributing child sexual abuse material, which was combined with other "gore and violent material to create digital 'Lorebooks,'" according to the DOJ, which were then traded among group members and treated as currency to recruit new members or maintain status within the network.
Nepal, known as “Trippy,” was arrested on April 22 in North Carolina. Varagiannis, known as “War,” is a US citizen living in Greece. He was arrested there on Monday. The US Attorney's Office in Washington, D.C., did not immediately respond to a request for comment about Varagiannis' extradition.
Related: Justice.gov, Justice.gov, USA Today, CBS News, WXII, HackRead, Texas Border Business

Polish police dismantled an international cybercrime group accused of defrauding dozens of victims out of nearly $665,000.
Nine people were detained in connection with the case. Investigators said the suspects, who ranged in age from 19 to 51 years old, posed as bank employees and law enforcement officers to trick victims into transferring funds to fraudulent accounts. In total, at least 55 people were targeted.
According to police, the group used spoofing software to impersonate phone numbers belonging to banks, prosecutors' offices, and police departments. The stolen funds were later converted into cryptocurrencies.
The alleged scheme began in April 2023, and the police said the group operated across several countries. Most of the suspects are Ukrainian nationals, while others come from Georgia, Moldova, and Azerbaijan. Polish authorities previously charged 46 other individuals in connection with the operation.
A court has ordered pre-trial detention for some of the suspects, and three Ukrainian nationals have been banned from entering Poland and some other European countries. The detainees face charges including participation in an organized criminal group, money laundering, and illegally accessing online banking data — offenses that carry penalties of up to 15 years in prison. (Daryna Antoniuk / The Record)
Related: Policja.pl

The FBI shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024.
The published domains were registered between November 2021 and April 2024, the time of their seizure, and are being shared to increase awareness and provide indicators of compromise.
LabHost was a major PhaaS platform that sold access to an extensive set of phishing kits targeting U.S. and Canadian banks for between $179 and $300 per month.
It featured extensive customization options, advanced 2FA-bypassing mechanisms, automatic SMS-based interactions with victims, and a real-time campaign management panel.
In April 2024, a global law enforcement operation backed by investigations in 19 countries led to the dismantling of the platform, which at the time had 10,000 customers worldwide.
The list is shared with a note of caution that it hasn't been validated, so errors may exist.
"FBI has not validated every domain name, and the list may contain typographical or similar errors from LabHost user input," explains the FBI. (Bill Toulas / Bleeping Computer)
Related: IC3, Infosecurity Magazine, GBHackers

This year's RSA conference, attended by over 40,000 cybersecurity professionals, generated massive press coverage from a host of industry and general press news sources.
Here is a round-up of just some of the most critical reports flowing from the event:
--Former head of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly slammed President Donald Trump for mandating loyalty to a single person over the US Constitution, saying that the losses of personnel at CISA are occurring "because there is a mandate for loyalty to a person over loyalty to the Constitution of the United States of America," which, she said, is a loss for the American people. (Alexander Culafi / Dark Reading)
Related: The Register
--Policymakers were clear that Salt Typhoon, a China-backed APT, is a terrifying adversary, having demonstrated uncanny skill in breaching sensitive networks. The current lack of action against the group is "bullshit," according to Mark Montgomery, Senior Director of the Center on Cyber and Technology Innovation. (Becky Bracken / Dark Reading)
Related: The Register, Cyberscoop
--Brett Leatherman, FBI deputy assistant director of cyber operations, said that the number of Salt Typhoon victims identified remains at nine but added, "We continue to work with a lot more telcos and companies where there may be suspected breaches. Attribution can be a tough thing; we are working with the companies to better understand the attribution." (Martin Matishak / The Record)
--Mandiant Consulting CTO Charles Carmakal said that there are hundreds of Fortune 500 organizations that have unwittingly hired North Korean IT workers and that Google has been caught up in this trend with North Korean job applicants appearing in its hiring pipeline, although the company has hired none. (Matt Kapko / Cyberscoop)
Related: The Register, PCMag, Security Week
--AI is shaping the future of cybersecurity defenses and was the talk of vendors and panelists at the conference, with defenders currently holding the competitive advantage over threat actors in using AI technology. (David Gee / CSO Online)
Related: Dark Reading, IT Pro
A new report from Group-IB offers an in-depth look at RansomHub's affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies since the operation became inactive on April 1.
Among Group-IB's observations is that cybercriminals associated with the operation may have migrated to the Russian-speaking Qilin RaaS operation and are continuing their attacks under that banner.
GuidePoint Security earlier this month noted that a "series of internal disagreements" between RansomHub administrators and some affiliates had caused disruptions within the RaaS operation. The disagreements stirred unease among other RansomHub affiliates, who began diverting their communications with victims to rival platforms. (Jai Vijayan / Dark Reading)
Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.
Password changes are among the first steps people should take in the event that a password has been leaked or an account has been compromised. People expect that once they've taken this step, none of the devices that relied on the password can be accessed.
The Remote Desktop Protocol (RDP) will, in many cases, continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.
Independent security researcher Daniel Wade reported the behavior earlier this month to the Microsoft Security Response Center. In the report, he provided step-by-step instructions for reproducing the behavior. He went on to warn that the design defies nearly universal expectations that once a password has been changed, it can no longer give access to any devices or accounts associated with it.
In response, Microsoft said the behavior is a “design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it. (Dan Goodin / Ars Technica)
Related: GovTech, Hacker News, r/technology, Lobsters, Ars OpenForum
A major Japanese logistics provider, Tokyo-based Kintetsu World Express (KWE), confirmed this week that it had fallen victim to a ransomware attack, disrupting some of its systems.
The attack was first discovered on April 23, when KWE reported service disruptions affecting certain customers. However, no additional details were provided at that time.
The company has not said if a ransom was demanded, and if so, whether it would pay. The investigation into the incident is ongoing. (Daryna Antoniuk / The Record)
Related: KWE, The Loadstar
Researchers at ESET report that a China-aligned APT threat actor named "TheWizards" abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
The group has been active since at least 2022, targeting entities in the Philippines, Cambodia, the United Arab Emirates, China, and Hong Kong. Victims include individuals, gambling companies, and other organizations.
The attacks utilize a custom tool dubbed "Spellbinder" by ESET that abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to conduct SLAAC attacks.
SLAAC is a feature of the IPv6 networking protocol that allows devices to automatically configure their own IP addresses and default gateway without needing a DHCP server. Instead, it relies on Router Advertisement (RA) messages from IPv6 routers to obtain addressing information.
The group's Spellbinder tool abuses this feature by sending spoofed RA messages over the network, causing nearby systems to automatically receive a new IPv6 address, new DNS servers, and a new, preferred IPv6 gateway.
This default gateway, though, is the IP address of the Spellbinder tool, which allows it to intercept communications and reroute traffic through attacker-controlled servers.
ESET says the malware monitors for domains belonging to the following companies: Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Qihoo 360, and Baofeng.
The tool then redirects those requests to download and install malicious updates that deploy a backdoor named "WizardNet."
To protect against these types of attacks, organizations can monitor IPv6 traffic or turn off the protocol if it is not required in their environment. (Lawrence Abrams / Bleeping Computer)
Related: We Live Security, Techzine, GBHackers
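The monitoring advice above can be made concrete. The following Python script is an added example, not code from the article or from ESET's research: it parses raw ICMPv6 Router Advertisement payloads according to RFC 4861 (RA header, Prefix Information option) and RFC 8106 (RDNSS option) and reports any advertisement that comes from a link-local source not on an allowlist of known routers, or that pushes DNS servers outside the expected set. The sample packets, the router allowlist and the trusted DNS set are constructed for the demo; on a real segment the observations would come from a packet capture.

```python
"""Flag rogue IPv6 Router Advertisements (RAs) seen on a segment.

Added example (not part of the original article or ESET's research).
Parses ICMPv6 RA payloads per RFC 4861 / RFC 8106 and audits them against
an allowlist of legitimate routers and DNS servers. All inputs are constructed.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861 section 4.6.2
OPT_RDNSS = 25               # RFC 8106 section 5.1


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 RA payload (16-byte header plus TLV options)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    _, _, _, hop_limit, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": router_lifetime, "prefixes": [], "dns_servers": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(payload):
            raise ValueError("malformed RA option")              # length 0 is invalid per RFC 4861
        body = payload[off + 2:off + opt_len]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            # body: prefix len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            # body: reserved(2) lifetime(4) then one or more 16-byte DNS server addresses
            for i in range(6, len(body) - 15, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len
    return ra


def audit_ra(source: str, payload: bytes, trusted_routers: set, trusted_dns: set) -> list:
    """Return findings for one observed RA; an empty list means it looks legitimate."""
    ra = parse_router_advertisement(payload)
    findings = []
    if source not in trusted_routers:
        findings.append(f"RA from unexpected router {source} advertising {ra['prefixes']}")
    rogue_dns = [d for d in ra["dns_servers"] if d not in trusted_dns]
    if rogue_dns:
        findings.append(f"RA from {source} pushes unknown DNS servers {rogue_dns}")
    return findings


def sample_ra(prefix: str, dns: list, lifetime: int = 1800) -> bytes:
    """Build a constructed RA payload as a test fixture (checksum left zero, never sent)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    pio += net.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime)
    rdnss += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return hdr + pio + rdnss


# Constructed allowlists: the one legitimate router on the segment and its resolver.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_DNS = {"2001:db8::53"}

# Constructed observations: (link-local source of the RA, raw ICMPv6 payload).
OBSERVED = [
    ("fe80::1", sample_ra("2001:db8:1::/64", ["2001:db8::53"])),      # expected router
    ("fe80::5", sample_ra("2001:db8:1::/64", ["2001:db8:ffff::1"])),  # unexpected source and resolver
]


def run_audit(observations=OBSERVED) -> dict:
    """Map each RA source to its findings."""
    return {src: audit_ra(src, pkt, TRUSTED_ROUTERS, TRUSTED_DNS) for src, pkt in observations}


if __name__ == "__main__":
    for src, findings in run_audit().items():
        print(src, "OK" if not findings else "; ".join(findings))
```

The allowlist approach is deliberate: the tell of a SLAAC attack is not any single field of the RA but that a host other than the real router is sending them, so the source address and the advertised resolvers are the two things worth comparing against what the segment is supposed to have.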

Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack, which affected a former business partner.
The health network operates 142 hospitals nationwide, has over 142,000 employees, and has reported a total revenue of $28.3 billion in 2023.
"On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred," Ascension says in data breach notifications sent to affected individuals.
"Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner."
Depending on the impacted patient, the attackers gained access to a combination of personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).
They could also access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. (Sergiu Gatlan / Bleeping Computer)
Related: Ascension Data Breach Notification, Security Week, Mlive, WoodTV
Researchers at WordFence say a new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
The malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection. (Bill Toulas / Bleeping Computer)
Related: Wordfence, Infosecurity Magazine, Techzine, HackRead
The Oregon Department of Environmental Quality (DEQ) sent an email to members of the public, media organizations, and other state agencies containing a press release related to Food Waste Prevention Week, which contained a link that led to its website being hacked, presumably by the Rhysida ransomware gang.
The link was intended to take people to a website where they could register for a community event about how to prevent food waste. But that site had been hijacked.
On April 8, DEQ warned its staff not to click a link in a press release it had sent in the email, and then shut down its networks as it faced a massive cyberattack.
The agency's employees are frustrated by the agency's response because it’s not clear if other state agencies that received DEQ’s press release have become vulnerable to the attack. (April Ehrlich / Oregon Public Broadcasting)
Related: Oregon.gov, Oregon Public Broadcasting, The Observer
Texas Health and Human Services Commission began notifying another 33,529 recipients of state benefits that their private information had been improperly accessed.
The latest announcement comes as the state agency continues to investigate a series of breaches by its own employees of its database for Medicaid, food stamp and other assistance programs.
Three months ago, the state notified 61,104 Texans that state employees may have improperly accessed their personal information. At that time, seven state employees tied to the breach had been fired, including two who stole from recipients' food stamp cards.
In February, the agency notified lawmakers that another two state employees had been fired, bringing the total to nine state employees who had accessed individuals' accounts without a stated business reason. (Terry Langford / The Texas Tribune)
Related: Texas Health and Human Services, KVUE, KXAN
According to academic researchers at the University of Texas at San Antonio, the University of Oklahoma and Virginia Tech, AI-generated computer code is rife with references to non-existent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions.
The study, which used 16 of the most widely used large language models to generate 576,000 code samples, found that 440,000 of the package dependencies they contained were “hallucinated,” meaning they were non-existent.
Open source models hallucinated the most, with 21 percent of the dependencies linking to non-existent libraries. A dependency is an essential code component that a separate piece of code requires to work correctly. Dependencies save developers the hassle of rewriting code and are an integral part of the modern software supply chain. (Dan Goodin / Ars Technica)
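A pre-install gate is the practical defense against hallucinated dependencies. The following Python script is an added example, not code from the article or from the cited study: it parses dependency lines as an LLM might propose them in a requirements file, normalizes each name the way Python package indexes do (PEP 503), and sorts them into names already vetted by the organization, near-misses of a vetted name (a typo or a squatted lookalike), and names that match nothing, which is the hallucination case. The requirement lines and the vetted set are constructed for the demo.

```python
"""Triage LLM-suggested Python dependencies before they are installed.

Added example (not from the article or the study it reports). Names are
normalized per PEP 503 and compared with a vetted set; anything unmatched is
treated as a possible hallucination, and anything within a small edit distance
of a vetted name is flagged separately. All inputs below are constructed.
"""
import re

# Constructed: packages already reviewed and mirrored internally.
VETTED_PACKAGES = {"requests", "pyyaml", "cryptography", "python-dateutil", "numpy"}

# Name, optional [extras], optional version specifier (comments and pip options are skipped).
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~].*)?$")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Extract the raw project names from requirements-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank line or pip option such as -r / -e
            continue
        m = _REQ_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-misses of vetted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(requirements: str, vetted: set = VETTED_PACKAGES, max_dist: int = 2) -> dict:
    """Bucket proposed dependencies into vetted / near_miss / unknown."""
    vetted_norm = {normalize(v) for v in vetted}
    result = {"vetted": [], "near_miss": {}, "unknown": []}
    for raw in parse_requirements(requirements):
        name = normalize(raw)
        if name in vetted_norm:
            result["vetted"].append(name)
            continue
        close = [v for v in sorted(vetted_norm) if edit_distance(name, v) <= max_dist]
        if close:
            result["near_miss"][name] = close      # typo or lookalike of a known package
        else:
            result["unknown"].append(name)         # matches nothing: possible hallucination
    return result


# Constructed sample of dependency lines as a code assistant might emit them.
SAMPLE_REQUIREMENTS = """
requests>=2.31
PyYAML==6.0.1
cryptograhpy        # transposed letters, near-miss of cryptography
python_dateutil
numpy-fastmath      # plausible-sounding, not in the vetted set
awesome-json-utils  # plausible-sounding, not in the vetted set
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REQUIREMENTS).items():
        print(f"{bucket}: {items}")
```

The vetted set stands in for whatever the organization already trusts (an internal mirror, a lockfile, or an allowlist); the point of the gate is that a name the model produced has to match something that was verified to exist before a package manager ever resolves it against a public index.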
In a notice sent to Ray Ban Meta owners, Meta said it updated the privacy policy for its AI glasses, giving the tech giant more power over what data it can store and use to train its AI models.
The company outlined two key changes. First, "Meta AI with camera use is always enabled on your glasses unless you turn off 'Hey Meta,'" the email said; the latter refers to the hands-free voice command functionality.
Meta is taking after Amazon by no longer allowing Ray-Ban Meta owners to opt out of having their voice recordings stored in the cloud. “The option to disable voice recordings storage is no longer available, but you can delete recordings anytime in settings,” the company wrote.
In its voice privacy notice, Meta states that “voice transcripts and stored audio recordings are otherwise stored for up to one year to help improve Meta’s products.” If the company detects that a voice interaction was accidental, those recordings are deleted after a shorter 90-day window.
Meta wants to continue providing its AI models with heaps of data on which to train and improve subsequent results. Some users began noticing these policy changes in March, but at least in the United States, Meta says they went into effect as of April 29th. (Chris Welch / The Verge)
Related: Meta, Meta, PetaPixel, The Decoder, Laptop Mag, TechCrunch
Bridget Bean, acting director of the Cybersecurity and Infrastructure Security Agency, told employees that it is unclear when a plan to reduce and restructure the agency’s workforce will be finalized.
The plan has been drafted, but it needs to be reviewed by the Department of Homeland Security, the White House, and the Office of Personnel Management, Bean said.
Around 1,300 people are expected to be cut from CISA’s ranks. Much remains unknown, but the National Risk Management Center (NRMC), which analyzes risks to cyber and critical infrastructure, is expected to face significant reductions.
The plan’s release will also be slowed down by the need to allow feedback from Sean Plankey, who has been nominated as CISA director, she said. (Suzanne Smalley / The Record)
Fintech verified identity platform Persona announced it had raised $200 million in a Series E venture funding round.
Founders Fund and Ribbit Capital led the round with participation from existing investors, including BOND, Coatue, First Round Capital, Index Ventures, and Chemistry. (Maria Deutscher / Silicon Angle)
Related: Persona, PR Newswire, AIThority, Finextra, PYMNTS, Financial IT, Pitchbook, The Paypers, Forbes
In Memoriam
Julia Parsons, a US Navy code breaker during World War II who was among the last survivors of a top-secret team of code-breaking women that unscrambled messages to and from German U-boats, died at 104.
Best Thing of the Day: Hegseth Had to Break His Pick to Use Signal
In his cryptology blog Electrospaces.net, Dutch security researcher Peter Koop offers an encyclopedic explanation, replete with photos, of all the secure communications options available to US Secretary of Defense Pete Hegseth, illustrating just what great lengths Hegseth had to go to to use the Signal app.
Worst Thing of the Day: Using Mug Shots to Barter a Bad Deal
The Milwaukee Police Department is proposing trading 2.5 million mug shots for facial recognition technology access with the company Biometrica.
Bonus Worst Thing of the Day: Now This Is Beyond the Pale
Shoppers have reported a shortage of one of Marks and Spencer's (M&S) most iconic candy treats, Percy Pig, as a consequence of the retailer's ransomware attack.
Closing Thought
