Over 60 nations signed a controversial cybercrime convention
House Democrat service exposed details of government employees with top-secret clearances, AI chatbots push Russian propaganda, A third-party contractor exposed details on Dublin and Cork airport passengers, Philippines' GCash under probe for leak of 8m e-wallet users' data, much more

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Countries around the globe signed their first UN treaty targeting cybercrime in Hanoi on Saturday, despite opposition from an unlikely band of tech companies and rights groups warning of expanded state surveillance.
The new global legal framework aims to strengthen international cooperation to fight digital crimes, from child pornography to transnational cyberscams and money laundering.
More than 60 countries signed the convention on Saturday. Signing alone does not bring it into force; the treaty takes effect only after enough of those states ratify it. The European Union, the United States, and Canada sent diplomats and officials to sign the treaty in Hanoi.
The Cybersecurity Tech Accord delegation to the treaty talks, representing more than 160 firms including Meta, Dell, and India's Infosys, was not present in Hanoi. The Accord has dubbed the pact a "surveillance treaty," saying it may facilitate data sharing among governments and criminalize ethical hackers who test systems for vulnerabilities.
UN Secretary General Antonio Guterres described the signing as an "important milestone", but said it was "only the beginning."
"Every day, sophisticated scams destroy families, steal migrants and drain billions of dollars from our economy... We need a strong, connected global response," he said at the opening ceremony in Vietnam's capital on Saturday.
The UN Convention against Cybercrime was first proposed by Russian diplomats in 2017 and approved by consensus last year after lengthy negotiations.
Critics say its broad language could lead to abuses of power and enable the cross-border repression of government critics. (AFP and Francesco Guarascio and Khanh Vu / Reuters)
Related: The Record, UN News, Bloomberg, United Nations, The Diplomat, The Straits Times, Nikkei Asia
According to an independent security researcher working with the Cybersecurity Team at SafetyDetectives, the sensitive personal details of more than 450 people holding “top secret” US government security clearances were left exposed online and were included in a database of more than 7,000 individuals who have applied for jobs over the last two years with Democrats in the United States House of Representatives.
The researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes video streams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.
After the researcher notified the House of Representatives’ Office of the Chief Administrative Officer on September 30, the database was secured within hours, and the researcher received a response that said, “Thanks for flagging.” It is unclear how long the data was exposed or whether anyone else accessed the information while it was unsecured.
The researcher likened the exposed database to an internal “index” of people who may have applied for open roles. Résumés were not included, they say, but the database contained details typical of a job application process.
The researcher found data including applicants’ short written biographies and fields indicating military service, security clearances, and languages spoken, along with details like names, phone numbers, and email addresses. Each individual was also assigned an internal ID. (Lily Hay Newman and Matt Burgess / Wired)
Related: SafetyDetectives

Researchers from the Institute of Strategic Dialogue (ISD) claim that OpenAI’s ChatGPT, Google’s Gemini, DeepSeek, and xAI’s Grok are pushing Russian state propaganda from sanctioned entities—including citations from Russian state media, sites tied to Russian intelligence or pro-Kremlin narratives—when asked about the war against Ukraine.
They say that Russian propaganda has targeted and exploited data voids—where searches for real-time data provide few results from legitimate sources—to promote false and misleading information. Almost one-fifth of responses to questions about Russia’s war in Ukraine, across the four chatbots they tested, cited Russian state-attributed sources, the ISD research claims.
The researchers asked the chatbots 300 neutral, biased, and “malicious” questions relating to the perception of NATO, peace talks, Ukraine’s military recruitment, Ukrainian refugees, and war crimes committed during the Russian invasion of Ukraine. The researchers used separate accounts for each query in English, Spanish, French, German, and Italian in an experiment in July. The same problems were still present in October, the researchers say.
The ISD research says chatbots cited Sputnik Globe, Sputnik China, RT (formerly Russia Today), EADaily, the Strategic Culture Foundation, and the R-FBI. Some of the chatbots also cited Russian disinformation networks and Russian journalists or influencers that amplified Kremlin narratives, the research says. Similar previous research has also found that 10 of the most popular chatbots mimic Russian narratives. (Matt Burgess and Natasha Bernal / Wired)
Related: ISD

A data breach at DAA, the authority that manages Dublin and Cork airports, compromised the passenger details of potentially millions of people who used the airports in August.
Boarding-pass information for those passengers may have been published online by what DAA described as a “cyber-criminal group.”
The authority said that while “passengers who travelled in August do not need to take any immediate action, [they] should remain alert to any unusual activity related to their bookings."
An investigation is ongoing. (Conor Pope / The Irish Times)
Related: RTE, The Journal, HackRead, Travel and Tour World
Philippine mobile payments service GCash is under investigation for the alleged breach of data on an estimated 8 million users, which the leading e-wallet platform has strongly denied.
Amid a probe launched by the National Privacy Commission (NPC), GCash refuted allegations of a data breach even as it said it would work with regulators to clear up the issue.
On Oct 25, 2025, a dark web forum post under the user handle “Oversleep8351” caught the attention of Deepweb Konek, a Philippine-based cybersecurity advocacy organization. The post, titled “G-Xchange/GCash (GXCHPHM2XXX) User Infos by виверна,” alleged that GCash user data were up for sale.
According to the post, the information was being sold in bundles covering an estimated 7 to 8 million user records, drawn from transactions and account registrations from 2019 to October 2025. It also alleged that the mandatory KYC documents submitted by users during account verification included valid Philippine identification documents.
The NPC said in a statement that it had immediately started an investigation, issuing a Notice to Explain to the e-wallet platform operator G-Xchange Inc. It has also scheduled an online clarificatory conference. (Nami D. Padilla / Inquirer.net)
Related: Interaksyon, PhilStar, DZRH, Philippine News Agency, GMA News Online, Rappler, ABS-CBN, Insider PH, Newsbytes.ph, IB Times, The Manila Times
Russian media outlet RBC reports that a new version of a bill to legalize white-hat hackers is in the works in Russia.
The Federation Council, the FSB, the Interior Ministry (MVD), and infosec companies are reportedly discussing the possibility of creating a registry of white-hat hackers and certifying them. Security and law enforcement agencies, including the FSB, would regulate the work of these specialists.
The initiative proposes creating a unified system of state regulation for all types of research focused on finding vulnerabilities. In the new version of the bill, the term “vulnerability discovery activity” is introduced, which could encompass all forms of vulnerability discovery, erasing the current distinctions within the industry.
According to the document, the following could fall under this definition: commercial bug bounty programs; internal bug bounties, where companies have their own employees hunt for vulnerabilities in their infrastructure; any independent research: actions of individual researchers who, without invitation, test software for vulnerabilities; penetration tests conducted under legal agreements that describe all necessary aspects of interaction between the client company and the company providing the researchers’ services.
Sources tell the publication that regulation of all “vulnerability-hunting activities” is planned to be placed entirely under the control of the security agencies: the Federal Security Service (FSB), the Federal Service for Technical and Export Control (FSTEC), and the National Coordination Center for Computer Incidents (NCCCI). (HackMag)
Related: RBC
Russia's agriculture and food safety agency Rosselkhoznadzor said it was targeted by a large-scale distributed denial-of-service (DDoS) attack last week that affected its online infrastructure, including “VetIS” and “Saturn” — systems that track the movement of agricultural products and chemicals.
According to reports from the Russian trade outlet Shopper’s, the disruption caused serious delays in food deliveries after the electronic veterinary certification platform Mercury — part of VetIS — became unavailable. Two major dairy producers and a baby food manufacturer said that they were unable to ship products for several hours last Wednesday.
Rosselkhoznadzor said there was “no threat to the integrity or confidentiality” of data stored in its networks. The agency has not commented further on the incident, and no hacker group has claimed responsibility for the attack.
Under Russian law, companies handling meat, milk, eggs, and other animal products must register with Mercury and issue electronic veterinary documents confirming product authenticity and safety. Without these certificates, suppliers cannot legally deliver goods to retailers or processors.
Product movement was paralyzed for half of the day, one company manager said, adding that the lack of an emergency procedure allowing shipments without digital paperwork led to financial losses.
Rosselkhoznadzor denied reports of prolonged disruptions, saying Thursday that the Mercury system was operating “as usual.” As of Friday, the agency’s website was accessible, though it remained unclear whether all affected systems had been fully restored. (Daryna Antoniuk / The Record)
Related: Telegram post, Shoppers Media, Rosng.ru, Security Affairs
Marks & Spencer has ditched Indian IT outsourcing giant Tata Consultancy Services (TCS), which has been accused of being at fault for the retailer's devastating cyberattack earlier this year.
The retailer, which lost an estimated £300m from the hack, ended a long-running contract under which TCS operated the FTSE 100 company’s technology helpdesk.
M&S canceled the deal in July, just months after the crippling cyberattack forced it to shut down online sales for weeks and left shelves empty. The Indian group denied it was at fault for the attack, but the move to end the contract so soon afterward will raise questions over why it was not renewed.
The hackers, from a group called Scattered Spider, are said to have gained access to M&S’s systems through “social engineering”, where hackers call technology desk helplines and impersonate executives to get their passwords reset.
In July, Archie Norman, the M&S chairman, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party."
Shortly after the incident, TCS held an internal investigation into whether its technology helpdesk had acted as a gateway for hackers to access M&S’s systems. It later said it had found no fault.
However, Liam Byrne, the chairman of the business select committee, later wrote to TCS asking about its work with M&S. In a letter to MPs earlier this month, TCS said the breach at M&S occurred “in the client’s own environment” and that it had found “no indicators of compromise within the TCS network."
TCS, which is listed in India, is a significant IT contractor to UK businesses and critical national infrastructure, working with dozens of banks and financial firms. (Matthew Field and Hannah Boland / The Telegraph)
Related: The Federal, HDFC Sky, Times of India, Retail Technology Innovation, NDTV, Financial Times
Researchers at Netskope report that attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information.
The malware can also steal credentials stored in the browser, cryptocurrency wallet data, and game accounts.
RedTiger is a Python-based penetration testing suite for Windows and Linux that bundles options for scanning networks and cracking passwords, OSINT-related utilities, Discord-focused tools, and a malware builder.
RedTiger's info-stealer component offers the standard capabilities of snatching system info, browser cookies and passwords, crypto wallet files, game files, and Roblox and Discord data. It can also capture webcam snapshots and screenshots of the victim's screen.
Although the project marks its dangerous functions as "legal use only" on GitHub, its free and unconditional distribution and the lack of any safeguards allow easy abuse.
Netskope says threat actors are now abusing RedTiger's info-stealer component, primarily for targeting French Discord account holders.
While Netskope has not shared explicit distribution vectors for the weaponized RedTiger binaries, some standard methods include Discord channels, malicious software download sites, forum posts, malvertising, and YouTube videos.
Users should avoid downloading executables or game tools like mods, "trainers," or "boosters" from unverified sources.
If you suspect compromise, revoke Discord tokens, change passwords, and reinstall your Discord desktop client from the official site. Also, clear saved data from browsers and enable MFA everywhere. (Bill Toulas / Bleeping Computer)
Related: Netskope, SC Media, Techzine

A Turkish hacker group apparently aligned with pro–al-Qaeda Turkish radical organization the Islamic Great East Raiders Front (IBDA-C), a network long empowered and tolerated by the government of President Recep Tayyip Erdogan, has demonstrated its growing capability by breaching airport systems across North America.
In coordinated incidents last week, hackers infiltrated public-address and display systems at several airports in the United States and Canada, broadcasting pro-Hamas and anti-Western propaganda that carried the signature of a cyber collective known as Siberislam, or Mutarrif. The attacks briefly disrupted operations but underscored a worrying expansion of ideologically driven Turkish cyber-activism into Western civilian infrastructure.
The @siberislam account, operating under the alias Seriyyetü’l-Kassam (al-Qassam Brigade) in reference to Hamas’s military wing, the Izz ad-Din al-Qassam Brigades, was created on X in April 2025 and almost immediately began spreading militant propaganda steeped in IBDA-C’s ideological lexicon. The account’s activity mirrored the group’s longstanding hostility toward Israel, the United States, and Western institutions while glorifying martyrdom and jihad.
Its emergence was publicly promoted by Turkish jihadist figure Harun Şimşak, head of the İstanbul Youth Branch of the Büyük Doğu Akıncıları Fikir Sanat ve Dayanışma Derneği (Great Eastern Raiders Association for Thought, Art and Solidarity, BDA), an organization that serves as the legal and ideological continuation of IBDA-C. Şimşak, who has been described as leading an armed faction under the youth wing, celebrated the launch of the Siberislam initiative as a new front for the movement’s digital warfare.
Following the cyberattacks on airport systems in the US and Canada, Şimşak revealed on his X profile that the operation had been carried out by Turkish hacker Mütarrif, also referred to as Siber Akıncı (Cyber Raider), and congratulated him publicly for the operation. (Abdullah Bozkurt / Nordic Monitor)

According to Dr. Web, hackers are using a backdoor in a maliciously modified version of the Telegram X messenger.
This backdoor grants them complete control over their victims’ accounts and allows them to operate without detection.
The malware is delivered to devices through deceptive in-app advertisements and third-party app stores that masquerade as legitimate dating and communication platforms. The threat represents a significant escalation in mobile malware distribution: it has been found on roughly 58,000 infected devices.
Those infections span more than 3,000 device models, including smartphones, tablets, TV boxes, and some Android-based vehicle systems.
The backdoor distribution started in 2024, with the hacker primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates. The victims come across advertisements within the mobile application, which redirect them to fake app catalogs featuring fake reviews and promotional banners advertising free video chats and dating opportunities. These fake websites deliver apps infused with malware that look the same as the legitimate ones.
Aside from the malicious websites, the backdoor has also infiltrated established third-party repositories, including APKPure, ApkSum, and AndroidP, where it is deceptively posted under the official messenger developer’s name despite having a different digital signature. (Owotunse Adebayo / Cryptopolitan)
Related: Dr. Web, CryptoRank, GBHackers

Microsoft’s Gaming Copilot feature recently hit Windows 11 as a public beta, with the company adding a feature to the operating system’s built-in Xbox Game Bar that sends information about gamers' actions to Microsoft’s servers, including private details on their screen.
The controversy began with a forum post. “This installed automatically on my PC, and watching the network traffic, I realised (sic) it was automatically sending everything I was doing to Microsoft (including an NDA’d game I’m playing),” user RedbullCola said in the forums. “I checked the settings, and by default, it’s set to train on text seen on the screen — it screenshots everything, and OCRs text from in-game and sends it to MS. MS then uses what you’re doing to train their AI models.”
A Microsoft representative said, “When you’re actively using Gaming Copilot in Game Bar, it can use screenshots of your gameplay to get a better understanding of what’s happening in your game and provide you with more helpful responses. These screenshots are not used to train AI models, and Gaming Copilot is an optional feature that only has access to gameplay when you’re playing a game and actively using it.” (Jowi Morales / Tom's Hardware)
Related: xda Developers, TechRadar, Neowin, TechPowerUp, Guru3D
Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code.
WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network.
Tracked as CVE-2025-59287, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn't enabled by default.
The vulnerability can be exploited remotely in low-complexity attacks that require neither authentication nor user interaction, allowing attackers to run malicious code on vulnerable servers with SYSTEM privileges. Because one WSUS server can reach others, this makes it potentially wormable between WSUS servers.
"Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled," Microsoft explained. (Sergiu Gatlan / Bleeping Computer)
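Because the flaw is reachable only where the WSUS role is present, a quick triage is to confirm whether a given server carries the role and whether its service ports are exposed to the network. The PowerShell script below is an added example of that triage; it is not from Microsoft, Huntress, or the article. It assumes a Windows Server host with the ServerManager (Get-WindowsFeature) and NetSecurity (Get-NetFirewall*) modules, run from an elevated session. It deliberately does not hard-code the out-of-band KB numbers, which differ by OS build and should be taken from Microsoft's advisory for CVE-2025-59287.

```powershell
# Added triage example for CVE-2025-59287 (not Microsoft's or the article's code).
# Assumes Windows Server with the ServerManager and NetSecurity modules; run elevated.

# 1. Is the WSUS role present? Hosts without it are out of scope for this CVE.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Output 'WSUS role not installed: host is not affected by CVE-2025-59287.'
    return
}
Write-Output 'WSUS role installed: host is in scope for CVE-2025-59287.'

# 2. WSUS listens on TCP 8530 (HTTP) and 8531 (HTTPS) by default. A listener bound to
#    0.0.0.0 or a routable address is reachable from the network, not just localhost.
$wsusPorts = 8530, 8531
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts } |
    ForEach-Object { Write-Output ('Listening: {0}:{1}' -f $_.LocalAddress, $_.LocalPort) }

# 3. Enabled inbound firewall rules that name those ports. Blocking inbound 8530/8531
#    at the host firewall was one of the interim workarounds in Microsoft's advisory
#    (removing the role was the other); an Allow rule with no Block rule leaves the
#    service exposed until the out-of-band update is installed.
$rules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $_ -in '8530', '8531' })
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
if (-not $rules) {
    Write-Output 'No enabled inbound rule names 8530/8531 explicitly; check the profile default action.'
} else {
    $rules | Select-Object -Property DisplayName, Action, Profile | Format-Table -AutoSize
}

# 4. Patch state: list the most recent hotfixes so they can be compared with the
#    out-of-band KB for this OS build (the KB numbers are intentionally not hard-coded).
Get-HotFix | Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 10 -Property HotFixID, InstalledOn
```

Run it on every server that has ever carried the WSUS role, not just the ones in the current inventory: per Microsoft's note above, a host that gains the role after patching is still covered, but a host that had the role before the fix landed needs the update applied, and until then the firewall block or role removal is the only protection.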
Related: Microsoft, Huntress, Dark Reading, The Register
Brigitte Macron was given a male name on the official French tax portal by a team of cruel hackers, according to a top governmental official.
The French First Lady is locked in a bitter yet bizarre legal battle to prove she is a biological woman as 10 people now face trial for “sexist cyberbullying."
Hackers reportedly altered her name to Jean-Michel on the national tax filing system.
A routine audit of Brigitte’s tax records in September 2024 discovered the nasty dig, according to the head of the Macrons’ administration, Tristan Bomme. (Georgie English / The Sun)
Related: The Guardian, The Telegraph
Best Thing of the Day: The Only Decent Tech Company Founder Left?
Although he came up with some notorious tech founder contemporaries, including Peter Thiel, Jeff Bezos, Elon Musk, eBay founder Pierre Omidyar, and Google co-founders Larry Page and Sergey Brin, Wikipedia co-founder Jimmy Wales has emerged as the last decent tech titan left.
Worst Thing of the Day: Let's Track Everyone All the Time for No Freaking Reason
US Border Patrol wants to turn standard 4x4 trucks into AI-powered watchtowers combining radar, cameras, and autonomous tracking to extend surveillance on demand.
Bonus Worst Thing of the Day: Yet Another Reason to Never Check Your Luggage
A cyberattack on poorly secured airport baggage carousels could have devastating national security implications.
Closing Thought
