Korean cops raid Coupang HQ looking for security lapses, breach perpetrator clues

Compromise NDAA bill is chock full of cyber provisions, FTC rejects petition from spyware company founder, Commonwealth Bank of Australia fined A$702k for breaching data rules, FBI warns of fake proof of life photos, Oz teen social media limits go live tomorrow, much more


Despite worries by some experts that vendor reports on AI cyber threats are merely hype to sell new defensive tools, most senior defenders and threat intel experts say CISOs who dismiss AI in the attack chain do so at their own risk. Don't miss my most recent CSO piece on how ignoring AI threats could prove costly.




Korean police raided the headquarters of e-commerce giant Coupang over a massive breach of personal information that affected some 34 million of the nation's 52 million people, officials said.

The search and seizure took place after Coupang disclosed late last month that personal information of 33.7 million customers had been compromised, including their names, phone numbers, email addresses, and delivery details.

The Seoul Metropolitan Police Agency's cyber investigation team sent officials to the company's headquarters in southern Seoul to search for internal documents and records related to the breach.

Police reportedly seek to check for possible lapses in Coupang's security while tracking down the suspect behind the leak.

"Based on the secured digital evidence, (we) plan to comprehensively determine the overall facts of the case, such as the leaker of the personal information as well as the route and cause of the leak," a police official said.

The troubles for Coupang continue to mount as a punitive damages lawsuit is expected to be filed in a US court as early as this month against the company. A South Korean law firm, Daeryun, which is currently pursuing damages litigation against Coupang domestically, has announced plans to file a separate lawsuit targeting the legal responsibility of Coupang's US headquarters.

SJKP, the US branch of Daeryun Law Firm, held a press conference at its Manhattan office and revealed that it is preparing a class-action lawsuit against Coupang's US headquarters in the US District Court for the Southern District of New York. (Chae Yun-hwan / Yonhap News and Yoon Ju-heon / The Chosun Daily)

Related: Bloomberg, Nikkei Asia, Tech in Asia, AFP

The compromise agreement between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) contains numerous cybersecurity provisions, including one that requires the Defense Secretary to ensure that wireless mobile phones given to the department's senior leaders and others working on sensitive national security missions meet a list of cybersecurity requirements, such as data encryption.

The bill also directs the department to make sure that behavioral health specialists with proper security clearances are dispatched to the United States Cyber Command and the Cyber Mission Force. It follows in the tradition of past provisions of defense policy bills to address the mental health needs of personnel there.

The department is further told to revise mandatory training on cybersecurity for members of the Armed Forces and civilian employees “to include content related to the unique cybersecurity challenges posed by the use of artificial intelligence.”

Beyond the cyber provisions, the bill removed provisions for 2026 that would have ensured military members’ right to repair their own equipment.

The move is a blow to the broader right-to-repair movement, which advocates for policies that make it easier for device users, owners, or third parties to work on and repair devices without needing to get—or pay for—manufacturer approval. (Tim Starks / CyberScoop and Boone Ashworth / Wired)

Related: DefenseScoop, InsideDefense.com, InsideCyberSecurity.com, Defense One, Homeland Security Today, Engadget, PIRG, DefenseScoop, r/Military

The US Federal Trade Commission ruled that Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries, who was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will not be able to go back to selling the invasive software.

The FTC denied a petition to cancel the ban made by Zuckerman.

In 2021, the FTC banned Zuckerman from “offering, promoting, selling, or advertising any surveillance app, service, or business,” effectively preventing him from running another stalkerware business. The agency also ordered Zuckerman to delete all the data collected by SpyFone, as well as to undergo frequent audits and establish certain cybersecurity practices for his businesses. 

In his petition, Zuckerman claimed that the FTC order’s security requirements have made it harder for him to run his other businesses due to financial costs, even though Support King is no longer in operation and he now only runs a restaurant and plans other “tourism ventures” in Puerto Rico. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: FTC, Bloomberg Government

Commonwealth Bank of Australia paid a penalty of A$792,000 ($524,462.40) after the country's competition regulator accused the lender of breaching consumer data rules, both parties said.

The Australian Competition & Consumer Commission (ACCC) had issued CBA four infringement notices for allegedly breaching Consumer Data Right (CDR) Rules, saying the bank failed to enable data sharing for some business and partnership accounts.

Australia's CDR allows consumers to share their data with accredited third parties to get better deals on products and services.

"This is the highest total penalty to date for an alleged breach of the CDR Rules," ACCC Deputy Chair Catriona Lowe said, adding that this should serve as a reminder that failure to comply with the rules may result in enforcement action.

Consumers had complained that they faced difficulties accessing CDR-enabled products and services, according to the regulator.

CBA, however, said it identified and voluntarily reported the issue to the ACCC and has accepted the investigation's findings. (Sneha Kumar / Reuters)

Related: Financial IT, FX News Group, Asian Banking and Finance, InnovationAUS, Cyber Daily

In its latest public service announcement, the FBI warns of criminals altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams.

The FBI says criminals contact victims via text message, claiming to have kidnapped a family member and demanding ransom payments.

However, as the FBI explained, virtual kidnapping scams involve no actual abduction. Instead, criminals use manipulated images found on social networks and publicly available information to create convincing scenarios designed to pressure victims into paying ransoms before verifying that their loved ones are safe.

"Criminal actors typically will contact their victims through text message, claiming they have kidnapped their loved one and demand a ransom be paid for their release," the FBI said.

"Oftentimes, the criminal actor will express significant claims of violence towards the loved one if the ransom is not paid immediately. The criminal actor will then send what appears to be a genuine photo or video of the victim's loved one, which upon close inspection often reveals inaccuracies when compared to confirmed photos of the loved one."

The law enforcement agency advised the public to be cautious of scammers who often create a false sense of urgency and to assess the validity of the kidnappers' claims carefully. (Sergiu Gatlan / Bleeping Computer)

Related: IC3, The Register, WPSD, Android Headlines

A new Australian law that bars children under 16 from having social media accounts goes into effect on Wednesday, serving as a test case for what many parents say feels like this generation’s Sisyphean task — shielding children from the risks associated with social media until they are capable of navigating it responsibly.

But today's teenagers, born around the same time that Instagram and Snapchat were first released, are digital natives. Most know how to use VPNs, which may help them evade the ban. Many fudged their ages when they first signed up, to get around the minimum age of 13 for many social media services. Others have used their parents’ information to get accounts, or have older siblings whose identities they can co-opt.

Currently, 10 social media services are covered by the ban: Facebook, Instagram, Kick, Reddit, Snapchat, Threads, TikTok, Twitch, X, and YouTube. The companies have said that they do not believe a blanket ban is the best way to keep children safe, but that they will nevertheless deactivate accounts of children under 16.

Under Reddit’s new rules, Australian users will be asked to provide their birth dates when signing up, and all account holders will be subject to age-prediction models. 

Reddit, known for hosting online discussions on a wide range of topics, said it disagrees with some elements of the new requirements and that the law’s application to its platform is “arbitrary” and “legally erroneous,” adding that most of its users are adults.

Virtual private networks, or VPNs, which can disguise a user’s location and offer a potential workaround for accessing banned platforms, are also gaining in popularity. Demand for VPNs surged 103% on Sunday compared to the daily average for the previous 28 days, according to global VPN monitoring platform Top10VPN. (Victoria Kim / New York Times and Newley Purnell / Bloomberg)

Related: eSafety Commissioner, Bloomberg, BBC News, The Guardian, BBC News, Reuters, WION, The Washington Post, Bloomberg, Financial Times, Associated Press, Crikey, Daily Sabah, CNET, The Guardian, Windows Report, Mashable, Tech in Asia, Euro Weekly News, Reddit Help, RTÉ, Mumbrella, The Economic Times, r/RedditSafety

Researchers at Koi Security report that Bitcoin Black and Codo AI, two malicious extensions on Microsoft's Visual Studio Code Marketplace, infect developers' machines with information-stealing malware that can take screenshots, steal credentials and crypto wallets, and hijack browser sessions.

The extensions masquerade as a color theme and an AI assistant, respectively, and were published under the developer name 'BigBlack.' 

At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black's counter showed only one install.

According to Koi Security, the Bitcoin Black malicious extension features a "*" activation event that executes on every VS Code action. It can also run PowerShell code, something that a theme does not need and that should be a red flag.

Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that is loaded via the DLL hijacking technique to deploy the infostealer under the name runtime.exe.

The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal, the researchers note. (Bill Toulas / Bleeping Computer)

Related: Koi Security, The420
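
The manifest signals in this report, a "*" activation event and a theme that carries executable code, can be checked across an extensions folder. The Python below is an added example, not Koi Security's tooling or code from the report; the finding names, marker strings and sample manifests are constructed for illustration, and `~/.vscode/extensions` is assumed as VS Code's default desktop install location.

```python
import json
from pathlib import Path

# Contribution points VS Code applies declaratively, without running extension code.
DECLARATIVE = {"themes", "iconThemes", "productIconThemes", "snippets", "grammars", "languages"}
# Substrings in an entry script that suggest it launches external processes.
SPAWN_MARKERS = ("child_process", "powershell")

def audit_manifest(manifest):
    """Return finding codes for one parsed extension package.json."""
    findings = []
    if "*" in (manifest.get("activationEvents") or []):
        findings.append("wildcard-activation")  # activated unconditionally, not on a specific event
    contributes = set(manifest.get("contributes") or {})
    ships_code = bool(manifest.get("main") or manifest.get("browser"))
    if ships_code and contributes and contributes <= DECLARATIVE:
        findings.append("declarative-extension-ships-code")
    return findings

def audit_extension_dir(ext_dir):
    """Manifest checks plus a string scan of the extension's entry script."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    findings = audit_manifest(manifest)
    main = manifest.get("main")
    if main:
        entry = ext_dir / main
        if not entry.suffix:
            entry = entry.with_suffix(".js")  # "main" may omit the .js extension
        if entry.is_file():
            source = entry.read_text(encoding="utf-8", errors="replace").lower()
            findings += [f"entry-script-mentions:{m}" for m in SPAWN_MARKERS if m in source]
    return findings

def scan_extensions(root):
    """Map extension folder name -> findings for each flagged extension under root."""
    report = {}
    for manifest_path in sorted(Path(root).glob("*/package.json")):
        try:
            findings = audit_extension_dir(manifest_path.parent)
        except (OSError, ValueError, TypeError, AttributeError):
            findings = ["unreadable-manifest"]
        if findings:
            report[manifest_path.parent.name] = findings
    return report

# Constructed manifests (not the real extensions' files): a theme with code, and a plain theme.
SUSPICIOUS_THEME = {"name": "example-dark", "main": "./extension.js", "activationEvents": ["*"],
                    "contributes": {"themes": [{"label": "Example Dark"}]}}
PLAIN_THEME = {"name": "example-light", "contributes": {"themes": [{"label": "Example Light"}]}}

if __name__ == "__main__":
    print(audit_manifest(SUSPICIOUS_THEME), scan_extensions(Path.home() / ".vscode" / "extensions"))
```

A finding is a prompt for review rather than a verdict: many legitimate extensions spawn processes, while a theme that ships an entry script at all is unusual.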

Codo AI on VSCode Market. Source: BleepingComputer.com

Celebrity social media protection company Spikerz said that hackers impersonating celebrities like Taylor Swift and her team contributed to fleecing fans for $5.3 billion online in 2025, as AI has made online scams more successful.

In August, hackers simultaneously took over the Instagram accounts of artists including Adele, Future, the late Michael Jackson, Tyla, and Pink Floyd for a cryptocurrency scam that fleeced fans of at least $49,000. Hackers impersonating Johnny Depp, his team, and his voice online scammed one fan out of $350,000 and hundreds of others, ultimately getting away with millions.

While scammers target all public figures, they are increasingly focused on musicians and the music industry because of the trust and fandom they build online, with Taylor Swift, Sabrina Carpenter, and Billie Eilish being the most targeted artists in 2025, according to the report. Artist managers rely on social platforms like TikTok, Instagram, and X to market tours, albums, and engage fans, and those platforms “are being turned into high-risk entry points for fraud and brand damage.”

The report found that scammers target Swifties with convincing fake tickets, merch, and VIP experiences, while Carpenter’s young fanbase is targeted by clone accounts offering “fake meet-and-greet offers, pre-sale links, and counterfeit merch drops.” Billie Eilish hackers have run fake livestreams or giveaways that mimic her image.

Other artists frequently targeted by impersonation scams include BTS, Adele, Ed Sheeran, and BLACKPINK, according to the report. (Elizabeth Dilts Marshall / Billboard)

Related: Spikerz, Mandatory


Pet products and services giant Petco disclosed a data breach in a filing with California’s attorney general, which the company says involves the personal information of its customers.

The state published a sample of the notification letter that Petco is sending to customers affected by the breach. In the letter, Petco said that it identified “a setting within one of our software applications that inadvertently allowed certain files to be accessible online,” adding that the company discovered the issue on its own, and “immediately took steps to correct the issue and to remove the files from further online access.”

The letter, however, does not specify what type of customers’ personal information was exposed during the security lapse.

Petco spokesperson Ventura Olvera told TechCrunch that the company had “provided further information to individuals whose information was involved.” (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: California Attorney General, UPI, SC Media, Mashable, WebProNews

The NHS Barts Health hospital in London is seeking assistance from the UK High Court to stop anyone from sharing data stolen from it by the ransomware group Clop in August.

The hospital said the group accessed the data and posted it to its dark web portal.

The hackers did not compromise its "core IT infrastructure," but accessed invoice data that consisted of names and addresses of patients and staff liable for payments, said NHS Barts Health, which runs five hospitals and is one of the largest trusts in England. The database also contained information related to Barking, Havering, and Redbridge University Hospitals NHS Trusts.

The hospital warned that the attackers could use the data to trick breach victims into sharing sensitive information or making payments.

"We are working with Barts Health NHS Trust and NHS England to fully understand the impact of the incident," a National Cyber Security Centre spokesperson said. An NHS England spokesperson added that the August Clop hack did not compromise any other hospitals. (Akshaya Asokan / BankInfoSecurity)

Related: NHS Barts Health, SC Media, HackRead

Hanan Elatr Khashoggi, whose husband was murdered at Saudi Arabia's Istanbul consulate in October 2018, alleged her data was in part stolen in France, where she landed repeatedly while working as an air hostess, according to a copy of the complaint seen by AFP.

Citizen Lab, a specialised research body at the University of Toronto, found that her two telephones were infected by Pegasus, a tool made by Israel-based firm NSO Group, in April 2018, the complaint showed.

It said the infection coincided with her interrogation at an airport in the United Arab Emirates, a staunch ally of Saudi Arabia.

"It would be unthinkable not to establish a link between this interception (of information) and the actions that led to the murder" of her husband, attorneys William Bourdon and Vincent Brengarth said in a joint statement to AFP. (AFP)

Related: AL-Monitor, The New Arab

Saviynt, an identity and access management startup, raised $700 million in an outsize Series B funding round, reflecting a heated market for internal safeguards as companies race to automate business processes, the company said.

KKR led the round with participation from Sixth Street Growth and TenEleven, as well as new funding from existing Series A investor Carrick Capital Partners. (Angus Loten / Wall Street Journal)

Related: PR Newswire

Best Thing of the Day: Paying Ransomware Victims At Least Some of Their Due

Ireland's Health Service Executive is offering victims of its 2021 ransomware attack €750 (around $872) in compensation, plus an additional sum of €650 (around $756) per person for legal costs.

Worst Thing of the Day: Letting AI Run Amok

Donald Trump said that he will sign an executive order designed to rein in artificial intelligence laws at the state level by implementing a “one rule” approach.

Bonus Worst Thing of the Day: Only Four of Sixty-Four AV Systems Spotted This Linux Malware

Application security researcher Sachin Verlekar demoed how anti-virus solutions let engineered Linux malware enter a protected system.

Extra Bonus Worst Thing of the Day: An Arsenal of Hacking Equipment Is Never a Good Thing

Three Ukrainian men found with an arsenal of hacking equipment were arrested in Poland, amid concerns they could be plotting to orchestrate cyberattacks on the country’s IT infrastructure.
