Operation Deep Sentinel took down infamous darknet drug marketplace Archetyp Market
Minnesota political assassin used online data brokers to find victims, Scattered Spider's latest target is insurance sector, Thai cops arrest ransomware actors targeting China, $10m reward for CyberAv3ngers hackers, WhatsApp ads worry privacy experts, Yes24 apologizes for attack, much more


In a joint action called Operation Deep Sentinel, law enforcement authorities from six countries took down the Archetyp Market, an infamous darknet drug marketplace that has been operating since May 2020.
Over its five years of activity, the marketplace amassed over 612,000 users with a total transaction volume of over €250 million (approximately $289 million) in Monero cryptocurrency transactions.
As part of this joint action led by German police and supported by Europol and Eurojust, investigators in the Netherlands took down the marketplace's infrastructure, while a 30-year-old German national suspected of being Archetyp Market's administrator was apprehended in Barcelona, Spain.
One Archetyp Market moderator and six of the marketplace's top vendors were also arrested in Germany and Sweden.
In total, law enforcement officers seized 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million from all suspects during Operation Deep Sentinel. (Sergiu Gatlan / Bleeping Computer)
Related: Europol, Operation Deep Sentinel, The Record, Security Affairs, SecurityWeek, Eurojust, Help Net Security, PCMag, Infosecurity, Cyber Security News, Reuters, Hackread, The Register, CyberScoop, PCMag.com, Reddit - Information Security News, The420CyberNews, Homeland Security Today
Vance Boelter, the man who allegedly assassinated a Democratic Minnesota state representative, murdered her husband, and shot a state senator and his wife at their homes in a violent spree early Saturday morning, may have gotten their addresses or other personal details from online data broker services.
Boelter is accused of shooting Minnesota representative Melissa Hortman and her husband, Mark Hortman, in their home on Saturday. The couple died from their injuries. Authorities claim the suspect also shot state senator John Hoffman and his wife, Yvette Hoffman, in their home earlier that night. The pair is recovering and “incredibly lucky to be alive,” according to a statement from their family.
According to an FBI affidavit, police searched the SUV believed to be the suspect's. They found notebooks that included handwritten lists of “more than 45 Minnesota state and federal public officials, including Representative Hortman, whose home address was written next to her name.” According to the same affidavit, one notebook listed 11 mainstream search platforms for finding people's home addresses and other personal information, like phone numbers and relatives.
“Boelter stalked his victims like prey,” acting US attorney Joseph Thompson alleged at a press conference on Monday. “He researched his victims and their families. He used the internet and other tools to find their addresses and names, the names of their family members.” Thompson also alleged that the suspect surveilled victims' homes.
The suspect faces several charges of second-degree murder.
Privacy and public safety advocates have long argued that the US should regulate data brokers to guarantee that people have better control over the sensitive information available about them. The US has no comprehensive data privacy legislation, and efforts to regulate data brokers from within federal agencies have been mainly quashed. (Lily Hay Newman / Wired)
Related: New York Times, Politico, Tech Times

Threat intelligence researchers are warning of hackers breaching multiple US insurance companies using all the tactics observed with Scattered Spider activity.
Typically, the threat group has a sector-by-sector focus. Previously, they targeted retail organizations in the United Kingdom and then switched to targets in the same sector in the United States.
“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), said.
Hultquist warns that because the group approaches one sector at a time, “the insurance industry should be on high alert.”
GTIG’s chief researcher says that companies should pay particular attention to potential social engineering attempts on help desks and call centers.
This month alone, two US insurance companies, Erie Insurance and Philadelphia Insurance Companies, reported being victims of cyberattacks. (Ionut Ilascu / Bleeping Computer)
Related: Insurance Business, The Insurer Daily, Cyber Daily, The Register, CyberScoop, Newsweek
Thai authorities arrested multiple Chinese nationals and other Southeast Asian suspects after raiding a Pattaya hotel that housed both an illegal gambling den and offices used by Chinese scammers for ransomware operations.
Immigration Police Division 3 and Chonburi Immigration, working with Pattaya Police and administrative officials, conducted a joint operation to investigate a large-scale illegal gambling operation in Pattaya after receiving reports it was operating from a hotel.
Following intelligence gathering, investigators deployed undercover agents who confirmed suspicious activity at the Antai Holiday Hotel on Soi Phen Yat Chang in Bang Lamung District, Chonburi. The 8-story building showed heavy foreign national activity during nighttime hours, raising suspicions of illegal gambling operations.
Six Chinese nationals were arrested for sending malicious links to Chinese companies for ransomware purposes. (Khaosod English)
Related: Thaiger, Bangkok Post

US officials are offering up to $10 million for details on hackers affiliated with CyberAv3ngers, a group that gained prominence in 2023 and 2024 for a string of cyberattacks on US and Israeli water utilities.
Law enforcement agencies eventually tied CyberAv3ngers to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command and, in August, offered a reward for information on at least six Iranian government hackers allegedly behind the effort and placed sanctions on the men.
The State Department issued a new reward centered around an online persona known as Mr. Soul or Mr. Soll. The notice said CyberAv3ngers is associated with the persona and “has launched a series of malicious cyber activities against U.S. critical infrastructure on behalf of Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).” (Jonathan Greig / The Record)

Eleven years after purchasing WhatsApp, Meta is moving forward with plans to monetize the communication platform with ads in a way that experts say jeopardizes its privacy, particularly given Meta's poor track record of protecting its users' privacy.
The ads will appear in just one segment of the app, Updates, which is used by about 1.5 billion people per day, or roughly half of the app’s total monthly users. Meta said it will collect some user data to help target the ads, including location and language. The company said it will not collect any information from messages or calls.
“The fact that Meta has promised that it’s adding ads to WhatsApp with privacy in mind does not make me trust this new feature,” says Lena Cohen, a staff technologist at the Electronic Frontier Foundation (EFF). “Ads that are targeted based on your personal data are a privacy nightmare, no matter what app they’re on.”
Cohen warns that even though Meta claims it won’t use personally identifiable data, the information it does collect can still be used to reidentify users, especially when combined with other data gathered from the web. (Chris Morris / Fast Company)
Related: New York Times, WhatsApp Blog, Meta Newsroom, The Verge, 9to5Mac, Daily Mail, Barron's Online, noyb, The South African, TechCrunch, Trusted Reviews, Times of Oman, BBC, The Hans India, Mirror, Tom's Guide, Fortune, Digit, Newser, Mumbrella, Cult of Mac, USA Today, Marketing Brew, Capital Brief, CBS News, CNBC, MediaPost, Android Authority, Windows Central, WeRSM, MobileSyrup, Fast Company, Telegraph, Cryptopolitan, Sherwood News, The Stack, Lifewire, Android Headlines, Ars Technica, Reclaim The Net, Benzinga, CampaignUK, CNET, Android Central, Adweek, Quartz, MakeUseOf, The Times, PhoneArena, UPI, PCMag, Daring Fireball, TechCabal, iPhone in Canada, The Independent, Business Plus, Neowin, Business Today, TipRanks Financial, WinBuzzer, CyberInsider, TheStreet, Business Standard, 9to5Google, Ukrainian National News, Engadget, SmartCompany, WABetaInfo, Livemint, Inc42 Media, Financial Express, Little Black Book, Thurrott, Irish Examiner, The Hindu BusinessLine, Nairametrics, TheJournal.ie, Mashable, The Sun, GSMArena.com, Financial Times, Business Insider
Yes24, Korea’s largest online bookstore and a major player in the ticketing industry, has issued a formal apology from its CEOs and announced the first round of compensation measures following a crippling ransomware attack that shut down its entire system for five days.
Co-CEOs Kim Seok-hwan and Choi Se-ra expressed deep regret over the disruption that began on June 9, paralyzing Yes24’s services, including its website, mobile app, book sales, and event ticketing.
“We sincerely apologize to all our customers and partners affected by this unprecedented service outage,” the CEOs said. “Yes24 has grown on a foundation of customer trust, and we take seriously the fact that this trust has been shaken. We are mobilizing all available resources to restore services and rebuild that trust.”
As part of its initial compensation plan, Yes24 announced the following measures. Customers unable to attend performances due to failed ticket reservations will receive a refund equivalent to 120 percent of the ticket price, issued as store credit by June 20. Customers who experienced delays in book shipments will receive 2,000 reward points, which are usable as cash on the platform. Expired gift certificates and discount coupons affected by the service outage will be extended.
The company added that additional compensation plans would be announced via its official website. (Hwang Dong-hee / The Korea Herald)
Related: Chosun Biz, KoreaJoongAng Daily, Maeil Business Newspaper
The City of London Police's National Fraud Intelligence Bureau (NFIB) reported a 9% annual increase in reports of romance fraud in the 2024 to 2025 financial year, to 9,449.
Victims lost an average of £11,222 ($15,211) each, with men slightly more likely than women to fall victim.
However, female victims were more likely to lose larger sums of money, as they’re more likely to be manipulated over longer periods, the police force said. (Phil Muncaster / Infosecurity Magazine)
Related: City of London Police, Merseyside Police, Leicester Police, Daily Express
A large-scale trial is opening in Lyon this week following the discovery of a major data leak at the French temporary work agency Adecco, which left 72,000 victims in one of the most serious data-related frauds ever uncovered in France.
Sixteen people are in the dock at the Lyon correctional court, facing 22 charges, including organized fraud and identity theft.
The central figure is a 20-year-old described by investigators as having “exceptionally high intellectual capacities” and a compulsive drive to find and exploit digital loopholes.
He reportedly continued illicit activities using smuggled smartphones even while awaiting trial.
The case centers on the Adecco temporary work agency’s internal systems breach.
In 2022, a 19-year-old intern at an agency in Besançon, Doubs, sold his login credentials to a contact on an encrypted chat platform. He purportedly did not receive the €15,000 promised for the login details and was arrested shortly afterwards. (The Connexion)
Related: Databreaches.net, Staffing Industry Analysts, Teiss
Researchers at Trend Micro report that the Anubis ransomware-as-a-service (RaaS) operation has added a wiper module to its file-encrypting malware that destroys targeted files, making recovery impossible even if the ransom is paid.
Anubis (not to be confused with the same-name Android malware with a ransomware module) is a relatively new RaaS that was first observed in December 2024 and became more active at the beginning of this year.
On February 23, the operators announced an affiliate program on the RAMP forum.
The researchers found the wiper in the latest Anubis samples they dissected. They believe the feature was introduced to increase the pressure on the victim to pay quicker instead of stalling negotiations or ignoring them altogether.
The encrypted files are given the ‘.anubis’ extension, an HTML ransom note is dropped in affected directories, and the malware also makes a (failed) attempt to change the desktop wallpaper.
Trend Micro observed that Anubis attacks begin with phishing emails with malicious links or attachments. (Bill Toulas / Bleeping Computer)
Related: Trend Micro, Dark Reading, Security Week, Techzine, SC Media, Tech Radar, TechSpot

An industry whistleblower provided Bloomberg Businessweek and the investigative newsroom Lighthouse Reports with nonpublic phone networking data related to a batch of about 1 million messages carrying two-factor authentication codes sent during June 2023. The data shows that each one passed through the hands of an obscure Swiss outfit named Fink Telecom Services, which has worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location.
Cybersecurity researchers and investigative journalists have published reports alleging Fink’s involvement in multiple instances of infiltrating private online accounts.
The data includes messages with autogenerated login codes and the paths the messages took as they traveled to their final destinations. The senders include Google, Meta, and Amazon.com, several European banks, popular apps such as Tinder and Snapchat, the cryptocurrency exchange Binance, and encrypted chat platforms Signal and WhatsApp. The intended recipients were located in more than 100 countries across five continents.
Fink Telecom Chief Executive Officer Andreas Fink said legal restrictions prevent the company from examining the content of messages it processes. “Our company provides infrastructure and technical services, including signalling and routing capabilities,” he wrote. “We do not analyze or interfere with the traffic transmitted by our clients or their downstream partners.” He also said his company no longer works in surveillance. (Ryan Gallagher, Crofton Black, and Gabriel Geiger / Bloomberg Businessweek)
Related: Lighthouse Reports
Marian Buonincontri, a former Calgary 911 operator accused of feeding protected police information to the rivals of alleged gang members, walked away from her criminal charges Monday after pleading guilty to offences under Alberta's Freedom of Information and Privacy (FOIP) Act.
She initially faced charges of breach of trust, fraudulent use of a computer system, and mischief relating to police data.
Instead, she pleaded guilty to three counts of collecting, using, and/or disclosing personal information between March 1, 2022, and Jan. 26, 2023.
On Monday, Justice Karen Molle agreed with a joint sentencing recommendation and imposed a $30,000 fine, $10,000 for each offence.
After Buonincontri pleaded guilty to the FOIP Act charges, Justice Molle dismissed her criminal charges. (Meghan Grant / CBC News)
Related: Calgary Herald
Keir Giles, a prominent British researcher on Russia, announced this weekend that hackers impersonating the US State Department had targeted several of his email accounts “with a sophisticated account takeover.”
Giles, the author of “Russia's War on Everybody” and a consulting fellow at Chatham House, told his contacts to handle any unexpected emails they received from him with caution.
This latest incident follows Giles being targeted last year by hackers working for Russia’s intelligence services, who impersonated researchers and academics in an ongoing campaign to gain access to their colleagues’ email accounts. Giles’ accounts were not compromised at that time.
Cybersecurity companies Secureworks and Mandiant conducted independent analyses of the emails, attachments, and credential-harvesting infrastructure targeting Giles.
Both companies said they believed a state-sponsored threat group perpetrated the campaign, which the British government has assessed to be operating for the Russian intelligence services and is tracked variously as Iron Frontier, Calisto, Coldriver, or Star Blizzard.
The British government attributed that group to Center 18 of the Russian Federal Security Service (FSB) in 2013. It summoned the Russian ambassador over the hacking group's activities. It accused the Kremlin of being behind a “sustained but unsuccessful” campaign of hack-and-leak operations designed to undermine democratic institutions. (Alexander Martin / The Record)
Related: LinkedIn
Researchers at Check Point report that hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
The campaign relies on a flaw in the Discord invitation system to leverage multistage infections that evade multiple antivirus engines. The researchers say that "the mechanism for creating custom invite links surprisingly lets you reuse expired temporary invite codes, and, in some cases, deleted permanent invite codes."
Additionally, the researchers say that Discord's faulty mechanism does not modify the expiration time of an already generated temporary invitation code when it is reused as a permanent invitation link.
Attackers are monitoring deleted or expired Discord invitations and use them in a campaign that has impacted 1,300 users in the US, UK, France, the Netherlands, and Germany, based on Check Point's download count of the malicious payloads.
The researchers say that cybercriminals are hijacking Discord invite links from legitimate communities and sharing them on social media or official community websites. To add credibility to the deceit, hackers design the malicious servers to look authentic.
A bot that invites users to go through a verification channel launches a typical 'ClickFix' attack. The user is redirected to a website that mimics the Discord UI and pretends that the CAPTCHA failed to load.
To defend against this threat, it is recommended that Discord users avoid trusting old invite links, especially those from months-old posts, treat "verification" requests with extra caution, and never run copied PowerShell commands that they don't fully understand.
Discord server administrators are also recommended to use permanent invites, which are more difficult to hijack. (Bill Toulas / Bleeping Computer)
Related: Check Point, Cybernews, GBHackers, SC Media, XDA
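The hijacking described above works because an invite code that once pointed at a legitimate community can later resolve to an attacker's server. A community maintainer can audit the invite links in their own old posts by extracting the codes and checking which server each one resolves to today. The following is an added example, not code from Check Point or Bleeping Computer: the URL patterns, the `resolve_invite_live` helper (which uses Discord's public unauthenticated `GET /api/v10/invites/{code}` endpoint), the expected guild ID, and the sample post and API responses are all constructed for illustration.

```python
"""Audit Discord invite links in old posts: does each code still resolve to
the server it was originally shared for? (Added example; assumptions marked.)"""
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# Matches discord.gg/CODE, discord.com/invite/CODE and discordapp.com/invite/CODE.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)


def extract_invite_codes(text: str) -> List[str]:
    """Return invite codes in order of first appearance, without duplicates."""
    codes: List[str] = []
    for match in INVITE_RE.finditer(text):
        code = match.group(1)
        if code not in codes:
            codes.append(code)
    return codes


def resolve_invite_live(code: str) -> Optional[dict]:
    """Resolve an invite through Discord's public invite endpoint (needs network).
    Returns the parsed JSON object, or None when the invite no longer resolves."""
    url = f"https://discord.com/api/v10/invites/{code}"
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except Exception:  # 404 for dead invites, or network failure
        return None


def audit_invites(text: str, expected_guild_id: str,
                  resolver: Callable[[str], Optional[dict]] = resolve_invite_live
                  ) -> Dict[str, str]:
    """Classify every invite found in `text`:
    'ok'       - resolves to the guild the post was written for
    'dead'     - no longer resolves (candidate for re-registration by others)
    'mismatch' - resolves to a different guild than expected; treat as hijacked"""
    results: Dict[str, str] = {}
    for code in extract_invite_codes(text):
        info = resolver(code)
        if info is None:
            results[code] = "dead"
        elif info.get("guild", {}).get("id") == expected_guild_id:
            results[code] = "ok"
        else:
            results[code] = "mismatch"
    return results


# --- constructed sample data (not real servers, codes or API responses) ---
EXPECTED_GUILD_ID = "111111111111111111"

SAMPLE_POST = """Join our modding community: https://discord.gg/oldcode123
Backup link: https://discord.com/invite/vanityname (posted 2023)
Old event server: https://discord.gg/gone404"""

CONSTRUCTED_RESPONSES = {
    # Still points at the original community.
    "oldcode123": {"code": "oldcode123",
                   "guild": {"id": EXPECTED_GUILD_ID, "name": "Example Mods"}},
    # Same code, but it now resolves to a different server: hijack indicator.
    "vanityname": {"code": "vanityname",
                   "guild": {"id": "999999999999999999", "name": "Example Mods Verify"}},
    # "gone404" is absent: the invite no longer resolves at all.
}


def constructed_resolver(code: str) -> Optional[dict]:
    """Offline stand-in for resolve_invite_live, returning the constructed data."""
    return CONSTRUCTED_RESPONSES.get(code)


if __name__ == "__main__":
    for code, status in audit_invites(SAMPLE_POST, EXPECTED_GUILD_ID,
                                      constructed_resolver).items():
        print(f"{code:12s} {status}")
```

Run as-is the script uses the constructed responses; pass `resolve_invite_live` (the default resolver) to check real posts. A "mismatch" result on a link that used to be yours is exactly the condition the report describes, and the fix on the community side is to remove the stale link and publish a fresh permanent invite.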

Researchers at Cisco Talos report that a high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines.
The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10.
It is an authorization bypass affecting AsIO3.sys, a driver that ships with the Armoury Crate system management software.
Armoury Crate is ASUS's official system control software for Windows. It provides a centralized interface for controlling RGB lighting (Aura Sync), adjusting fan curves, managing performance profiles and ASUS peripherals, and downloading drivers and firmware updates.
To perform all these functions and provide low-level system monitoring, the software suite uses the kernel driver to access and control hardware features.
To mitigate the security problem, it is recommended to apply the latest update by opening the Armoury Crate app and going to "Settings" > "Update Center" > "Check for Updates" > "Update." (Bill Toulas / Bleeping Computer)
Related: Cisco Talos
Researchers at Trend Micro report that a newly identified threat group they call Water Curse has weaponized GitHub repositories offering what appear to be legitimate pen-testing and other security tools to deliver malware via malicious build scripts and project files.
The campaign threatens the supply chain, particularly cybersecurity professionals, game developers, and DevOps teams that rely on open source tooling.
The multistage malware contained in the repositories has a range of capabilities, including data exfiltration for credentials, browser data, and session tokens, remote access, and long-term persistence on infected systems.
Attackers disguise the malware as legitimate penetration testing utilities, embedding various malware, including an SMTP email bomber and Sakura-RAT, within their Visual Studio project configuration files.
Trend Micro recommends that organizations encourage their teams to validate all third-party code and promote using internal code repositories where feasible. The researchers said improving verification practices, such as flagging unusual build scripts, unfamiliar file behavior, or excessive obfuscation, can significantly reduce risk from this and similar supply chain attacks. (Elizabeth Montalbano / Dark Reading)
Related: Trend Micro
Offensive mobile security researcher “thewhiteh4t” has demonstrated how easily a smartphone’s exact location can be revealed without installing malware, using a proof-of-concept tool they developed called Seeker that lets an attacker pinpoint a device’s location without the user installing any malicious app.
The tool relies on social engineering techniques and still requires some user interaction, such as visiting a website and granting permissions.
Mobile Hacker warns that clicking on a simple link can reveal a smartphone’s precise location. Because it works through an ordinary HTML page, the tool can target any device with a browser. When the tool is granted “Location Permission,” it reads data from the GPS hardware and, if that is not available, falls back to IP geolocation or cached coordinates.
The tool can be run on any device with a Linux terminal. It runs a local PHP web server and utilizes tunneling services like ngrok to expose the server online. (Ernestas Naprys / Cybernews)
Related: Mobile Hacker, GitHub

The US Commerce Department's Office of Inspector General reports that the Bureau of Industry and Security couldn’t thwart the watchdog’s simulated cyber incidents, including simulations that set up malicious software within its networks and exfiltrated thousands of fictitious personally identifiable and business records, such as Social Security numbers.
The cybersecurity capabilities of BIS are essential because the bureau is responsible for export controls that help restrict the proliferation and distribution of weapons of mass destruction. That work makes the bureau and Commerce “targets for sophisticated state-sponsored adversaries,” the IG said.
“If BIS does not improve its current capabilities, advanced adversaries could significantly harm sensitive U.S. export control efforts, which affects national security,” the report said. “Whether the threat comes from external actors or insiders, BIS must be ready to handle future attacks.”
As a result, the department’s inspector general made 13 recommendations to improve the bureau’s cybersecurity posture, including advising it to “establish procedures to respond to incidents” and “restrict network and user access.” Per the report, BIS is working on the recommended actions. (Madison Alder / FedScoop)
Related: Oversight.gov
Best Thing of the Day: Wondering Who the Traitor Is Here
A federal jury in Colorado found that one of the nation’s most prominent election conspiracy theorists, MyPillow founder Mike Lindell, defamed a former employee of Dominion Voting Systems, a leading voting equipment company, calling him a traitor after the 2020 presidential election.
Worst Thing of the Day: You Should Learn Made in America ECommerce Standards First
The Trump Organization announced its mobile service plan and the “T1 Phone,” a customized all-gold mobile phone that its creators say will be made in America, which is sold on a website that at least one reporter says charged his card the wrong amount and failed to obtain his address for delivery of the device.
Bonus Worst Thing of the Day: CISA Director Nominee Is Schrödinger's Cat
Sean Plankey, Donald Trump’s nominee to lead the nation’s top cyber defense agency, is stuck in confirmation limbo, delayed by scheduling setbacks and a Senate hold over an unrelated report, deepening uncertainty amid a major operational overhaul.
Closing Thought
