Ransomware negotiator cops to conspiring with cybercrims against US companies

NSW official charged in data breach involving sensitive documents, UK man faces 22 years in US prison for $8m hacking scheme, French gov't identity website hack might have exposed users' data, Bundesbank president wants level playing field for Mythos, Lovable downplays data exposure, much more

Photo by Kevin Horvat / Unsplash

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Florida man Angelo Martino, who worked as a ransomware negotiator, admitted to conspiring with cybercriminals to carry out attacks against US companies and extort payments.

He shared confidential information about his clients’ negotiating strategies with operators of the BlackCat ransomware variant while working for a US-based cyber incident response firm. The information included insurance limits and internal positions, which helped attackers secure higher ransom payments.

Authorities have seized $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat. He faces up to 20 years in prison when sentenced on July 9. Goldberg and Martin also pleaded guilty to the same charge and await sentencing. (Frances Lin / Tampa Bay 28)

Related: Justice Department, My Panhandle, Bleeping Computer

A New South Wales Treasury official, Jagan Ganti Venkata Satya, has been charged by cybercrime detectives over an alleged data breach involving thousands of commercially sensitive government documents spanning the “whole of government”.

Police arrested and charged him with accessing or modifying restricted data after receiving reports that more than 5600 sensitive documents had allegedly been accessed and downloaded by a staff member.

NSW Treasurer Daniel Mookhey said the government had declared a significant cyber incident after internal monitoring detected a suspected transfer to an external server of a substantial number of documents containing confidential commercial and financial information. “It is serious information. It is commercial in confidence; information that involves current government negotiations, previous government negotiations and interactions … that’s the reason why it was declared to be a significant cyber incident,” he said.

Ganti said: “I haven’t done anything corrupt or wrong or sold anything, anything like that.” He said he had fully cooperated with the authorities.

The bureaucrat had worked in Treasury’s commercial team for three years. It dealt with significant government transactions and negotiations with the private sector, Mookhey said. The government was still working through whether third-party information was involved in the alleged breach. (Max Maddison, Michael McGowan, and Patrick Begley / Sydney Morning Herald)

Related: Financial Review, The Mandarin, The Australian, Newswire

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty in federal court to orchestrating a hacking scheme that stole $8 million in virtual currency from victims across America.

He pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft.

Federal prosecutors said that Buchanan and several co-conspirators ran the scheme from September 2021 to April 2023. They primarily hacked into victims' phones with phishing messages that appeared to be from the victim's company or a contracted supplier. The text messages often said that the employees' accounts were about to be deactivated and asked them to click on a link.

When victims opened these links, they were directed to fraudulent websites designed to mimic legitimate ones. Upon entering their personal information, Buchanan and his co-conspirators were able to exploit the confidential data to access virtual wallets and steal the currency, according to prosecutors.

Buchanan and his co-conspirators targeted at least 45 companies in the United States and abroad, including Canada, India, and the United Kingdom, court documents said.

Buchanan is scheduled for a sentencing hearing on August 21, where he faces a maximum penalty of 22 years in federal prison. (Cara Tabachnick / CBS News)

Related: Justice Department, The Record, Computing, IT Pro, Security Week, The Register

A cyberattack targeting a French government website of the National Agency for Secure Documents (ANTS) used to manage identity documents and driver’s licenses may have exposed users’ personal data, the Interior Ministry said.

ANTS is a government service responsible for processing applications for passports, national identity cards, residence permits, and driver’s licenses.

The Interior Ministry said a “security incident that may involve the disclosure of data from both individual and professional accounts” was detected on April 15.

Initial analysis indicates that several types of personal information linked to individual user accounts may have been exposed. The potentially compromised data includes login credentials, names, email addresses, dates of birth, and the unique identifier associated with each account.

Additional information, including postal addresses, places of birth, and phone numbers, may also have been affected, the ministry said. (Daryna Antoniuk / The Record)

Related: Ministry of the Interior, Security Affairs, The Cyber Express, The Connexion

Anthropic’s Mythos model should be shared with affected organizations to ensure a level playing field in assessing its uses and dangers, according to Bundesbank President Joachim Nagel.

The artificial intelligence platform, whose advances pose cyber threats to the global economy, shouldn’t be held only for a select club of big US corporations, suggested Nagel, who’s also a member of the European Central Bank’s Governing Council.

“We must prevent the misuse of this technology,” he told a conference in Rome on Tuesday. “At the same time, all relevant institutions should have access to such technology to avoid competitive distortions.”

Anthropic’s Mythos model has sparked global fears of a new era of cyber attacks, also threatening the stability of the financial system worldwide. Such worries featured prominently at last week’s IMF spring meetings in Washington. (Mark Schroers / Bloomberg)

Related: Reuters

Vibe-coding platform Lovable is downplaying the finding from a researcher who goes by @weezerOSINT that anyone could open a free account on the service and read other users' sensitive info, including credentials, chat history, and source code.

However, the company’s story keeps changing: First, it attributed the publicly exposed info to "intentional behavior" and "unclear documentation," then threw bug-bounty service HackerOne under the bus.

"Lovable has a mass data breach affecting every project created before November 2025," the researcher posted on X. "I made a Lovable account today and was able to access another user's source code. Database credentials, AI chat histories, and customer data are all readable by any free account."

The researcher said they reported the flaw 48 days ago, and that HackerOne labeled it a "duplicate submission" and left it open. The researcher then sent a bug report to HackerOne, and screenshots show a March 3 submission date. Subsequent posts show the AI leaking secrets and personal data in chats.

The leak stems from a Broken Object Level Authorization (BOLA) vulnerability, which occurs when an API exposes endpoints that allow users to access or modify sensitive data belonging to other users due to missing ownership validation.

According to the bug hunter, no offensive hacking is needed to trigger the bug. They say they made five API calls from a free account and gained access to another user's profile, their public projects, and source code, and then extracted database credentials from the source code. (Jessica Lyons / The Register)
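The BOLA pattern described above, as an added example that is not code from the article or from Lovable: a minimal in-memory project API with a vulnerable read handler beside its hardened form, plus a defender's audit check over constructed request records. The users, project IDs, source strings and credential strings are all invented for the demonstration.

```python
"""Added example (not from the article or Lovable's code): a toy project API
showing a Broken Object Level Authorization (BOLA) handler next to a hardened
one that validates object ownership on every access, plus an audit helper a
defender can run over access records. All data below is constructed."""

from dataclasses import dataclass


@dataclass
class Project:
    project_id: int
    owner_id: int
    is_public: bool
    source: str
    db_credentials: str  # constructed placeholder, never a real secret


# Constructed sample data: user 1 owns a private project, user 2 owns one
# public and one private project.
PROJECTS = {
    101: Project(101, owner_id=1, is_public=False, source="print('alice private')",
                 db_credentials="postgres://alice:EXAMPLE_PW@db/alice"),
    102: Project(102, owner_id=2, is_public=True, source="print('bob public')",
                 db_credentials="postgres://bob:EXAMPLE_PW@db/bob"),
    103: Project(103, owner_id=2, is_public=False, source="print('bob private')",
                 db_credentials="postgres://bob:EXAMPLE_PW@db/bob"),
}


def get_project_vulnerable(requester_id: int, project_id: int) -> tuple[int, dict]:
    """BOLA: the caller is authenticated (requester_id comes from a valid
    session) but the handler never checks that the caller owns the object
    it asked for, so any free account can read any project by ID."""
    project = PROJECTS.get(project_id)
    if project is None:
        return 404, {"error": "not found"}
    return 200, {"source": project.source, "db_credentials": project.db_credentials}


def get_project_secure(requester_id: int, project_id: int) -> tuple[int, dict]:
    """Hardened: ownership is validated server-side on every object access.
    Non-owners get at most the public view, credentials are only ever returned
    to the owner, and missing and forbidden objects share one response so the
    endpoint does not confirm which IDs exist."""
    project = PROJECTS.get(project_id)
    if project is None:
        return 404, {"error": "not found"}
    if project.owner_id == requester_id:
        return 200, {"source": project.source, "db_credentials": project.db_credentials}
    if project.is_public:
        # Public projects expose code, never credentials.
        return 200, {"source": project.source}
    return 404, {"error": "not found"}


def flag_cross_owner_access(requests: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Defensive audit over (requester_id, project_id) access records: return
    every read of a private project by a user who does not own it. Against
    real logs, one account touching many distinct owners' private objects is
    the signature of BOLA abuse."""
    flagged = []
    for requester_id, project_id in requests:
        project = PROJECTS.get(project_id)
        if project and not project.is_public and project.owner_id != requester_id:
            flagged.append((requester_id, project_id))
    return flagged


# Constructed access records: user 1 reads its own project, the public one,
# then user 2's private one; user 3 reads user 1's private project.
SAMPLE_REQUESTS = [(1, 101), (1, 102), (1, 103), (2, 103), (3, 101)]


if __name__ == "__main__":
    print("vulnerable:", get_project_vulnerable(1, 103))
    print("secure:    ", get_project_secure(1, 103))
    print("flagged:   ", flag_cross_owner_access(SAMPLE_REQUESTS))
```

The fix is the ownership comparison, not the authentication step: the vulnerable handler already requires a logged-in user, which is exactly why "no offensive hacking" is needed to trigger it. The audit helper is the same comparison applied after the fact, which is the check worth running over historical access logs once such a flaw is reported.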

Related: Techzine, XDA, GBHackers

A group of 16 Democratic senators called on Donald Trump's Office of Personnel Management to withdraw its plan to collect claims-level health data from federal workers and retirees, expressing “grave concern” that the measure would violate the Health Insurance Portability and Accountability Act and basic tenets of doctor-patient confidentiality.

Last December, OPM published an information collection request in the Federal Register that would require insurers who participate in the Federal Employee Health Benefits and Postal Service Health Benefits programs to provide monthly reports with identifiable health data on their enrollees, prompting unease from both health ethicists and health care providers alike. The notice would require the collection of medical visits, prescriptions, and treatment data, and fails to task insurance carriers with redacting personally identifiable information.

In a letter to OPM Director Scott Kupor on Monday, more than a dozen senators, led by Sens. Adam Schiff (D-CA) and Mark Warner (D-VA), demanded the agency rescind its request, arguing that the agency’s general “oversight” rationale is insufficient, given the extraordinary nature of OPM’s request.

“Such sweeping access to personal health information would violate the core principles of the Health Insurance Portability and Accountability Act, which was enacted to strictly regulate how protected health information can be disclosed to ensure that patient data is shared only for limited, clearly defined purposes,” they wrote.

“Mass, centralized access to identifiable medical records absent individualized consent, clear necessity, or narrowly tailored legal authority undermines those protections and lacks a valid statutory basis.” (Erich Wagner / Government Executive)

Related: Federal News Network, CBS News, AFGE, KFF Health News

The Seiko USA website was defaced over the weekend, displaying a message from attackers claiming they stole its Shopify customer database and threatening to leak it unless a ransom is paid.

Visitors to the "Press Lounge" section of the site were shown a page titled "HACKED," which replaced normal content with what appeared to be a ransom demand and data breach notification.

The message warned that attackers had gained access to the company's Shopify backend and exfiltrated sensitive customer information.

"This is an urgent security notification regarding your Shopify store. Your customer database has been compromised," read the defaced webpage.

"We have successfully breached your Shopify store's security systems and downloaded the entire customer database."

The attackers warn that the stolen data will be publicly released unless Seiko USA enters into negotiations.

As part of the demand, they instructed the company to locate a specific customer account, identified as ID 8069776801871, within the Shopify admin panel. The threat actors say that a contact email address was added to that account profile and should be used to initiate negotiations. (Lawrence Abrams / Bleeping Computer)

Related: The Times of India, The420

Seiko website defaced to show extortion message. Source: BleepingComputer

Cyber specialists from the 256th Cyber Assault Division, the Ukrainian Militant analytical group, and InformNapalm claim they ran a large-scale, multi-year operation that also yielded internal documents of organizations working in the interests of the Russian army.

One result was gaining access to the closed correspondence and documentation of the Deputy General Director of JSC “Sputnik System “Gonets”” (hereinafter SS “Gonets”) and his subordinates.

For many months during 2023-2025, information was systematically passed to the Defense Forces of Ukraine. After completing all reconnaissance stages and closing the channels through which the information was extracted, the participants observed a long pause to protect the operational security (OPSEC) of related operations.

They have now published a small part of the data, which on the one hand confirms the compromise of SS “Gonets” internal documentation, and on the other hand may interest the general public and have an additional impact on the targets of this operation. (Inform Napalm)

Related: Militarnyi

Archive video from the presentation of the SS “Gonets” to Dmitry Medvedev. Source: InformNapalm.

Researchers from ESET report that a new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool.

NGate was originally documented in mid-2024 and steals payment card information through the mobile device's near-field communication (NFC) chip.

The data is sent to the attacker, who creates virtual cards used for unauthorized purchases or withdrawing cash from ATMs with NFC support.

In the earlier versions, the malware used an open-source tool called NFCGate to capture, relay, and replay the payment card information.

ESET believes the reason behind moving from NFCGate to HandyPay is likely financial, but evasion also plays a key role. The researchers underline the high cost of NFC relaying tools such as NFU Pay and TX-NFC, and the fact that these are “noisy” on infected devices. (Bill Toulas / Bleeping Computer)

Related: Help Net Security, We Live Security, CyberInsider

Malware distribution methods. Source: ESET

UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while the ransomware crew known as The Gentlemen claims it grabbed far more than the company is currently admitting.

In a letter to customers, Adaptavist's CEO Simon Haighton-Williams said the biz detected an "IT security incident" in late March after an attacker used compromised login details to gain unauthorized access to some of its systems. The company, which builds and sells tools and services around platforms like Atlassian's Jira and Confluence, has brought in external security specialists and says a forensic investigation is underway to work out what, if anything, was accessed or taken.

The official line, for now at least, is that the systems accessed contained "typical business data," such as contact information, contracts, and NDAs related to client work.

"Please be assured that the data we hold relating to individual customer contacts is that which you would expect to find on a business card: name, business email address, job role, contact number, organization, etc," the post stresses.

In a post on its dark web leak site, The Gentlemen boasted of a "complete infrastructure compromise" and a sprawling cache of stolen data. (Carly Page / The Register)

Related: The Adaptavist Group

Ukrainian hackers disrupted a closed-door meeting at Russia’s Ministry of Industry and Trade, exposing Moscow’s deep dependence on Chinese components in the production of military drones used in the war against Ukraine.

A recording of the meeting, published by Ukrainian prankster Yevgen Volnov, captures officials discussing supply chains for uncrewed aerial vehicles (UAVs). In the audio, one participant acknowledges that nearly all electrical components used in Russian drones are sourced abroad.

“If we’re talking just about electrical components, then 90% is always foreign raw materials. They simply aren’t produced in Russia,” a voice says during the meeting.

Another participant adds that even basic materials are no longer domestically available: “Even the plastic is Chinese now, right? Because there’s no Russian plastic.”

The meeting was abruptly interrupted when Ukrainian hackers broke into the conference feed with explicit threats, warning participants they had been identified.

“All your faces are recorded, so watch your backs. You, the bald one, first,” one of the hackers said. (Alisa Orlova / Kyiv Post)

Related: r/worldnews

Screenshot from a video. (Yevhen Volnov / Telegram)

Best Thing of the Day: A Moment of Sanity

Donald Trump told CNBC that “it’s possible” there will be a deal allowing Anthropic’s artificial intelligence models to be used within the Department of Defense.

Worst Thing of the Day: Time to Start Wearing Masks to Protests

The Los Angeles Police Department deployed drones made by Skydio, a California-based drone startup that previously marketed its aircraft to consumers but has pivoted to supplying militarized, weapons-compatible hardware for the US army, to spy on No Kings protestors.
