Russia arrests alleged LeakBase admin after global cybercrime forum takedown

An Armenian man was extradited to the US in connection with the RedLine infostealer, a ransomware attack disrupts Spain's Port of Vigo, an AI-assisted campaign distributed 300+ trojanized GitHub packages, 4 vulns affect Cisco Catalyst 9300 Series switches, Puerto Rico's DoT hit by cyberattack, much more



Russian police arrested the alleged administrator of LeakBase, a major cybercrime forum, according to state news agency TASS.

The platform had been described by the US Department of Justice as one of the world’s largest hubs for cybercriminal activity, facilitating the exchange of hacking tools, stolen credentials, and illicit data. Earlier this month, US authorities and Europol announced they had dismantled the site and seized a database containing more than 142,000 members and 215,000 messages.

TASS reported that the suspected operator—whose identity has not been publicly disclosed—is a resident of Taganrog, a coastal city in southern Russia, and is believed to be the forum’s creator. Western authorities have not confirmed involvement in the arrest. Europol spokesperson Claire Georges said the agency did not cooperate with Russian authorities and played no role in the detention, while the Justice Department did not immediately respond to requests for comment.

Launched in 2021, LeakBase hosted vast troves of compromised data, including hundreds of millions of usernames and passwords, banking details, and credit card information. The takedown was part of a coordinated international law enforcement effort spanning 14 countries, leading to search warrants, arrests, and interviews across Europe, Australia, and the United States, underscoring the global scope of the operation. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: TASS, Security Affairs, Heise Online, Cyber Press, Bleeping Computer

An Armenian national, Hambardzum Minasyan, was extradited to the United States and appeared in a Texas court on Wednesday to face charges tied to the RedLine infostealer malware.

Prosecutors allege he conspired to commit access device fraud, violate the Computer Fraud and Abuse Act, and launder money, describing RedLine as one of the most widely used credential-stealing tools targeting individuals and major corporations.

According to the indictment, Minasyan allegedly helped develop and operate RedLine by setting up infrastructure, including virtual private servers and file-sharing repositories used to distribute the malware to affiliates. He is also accused of managing cryptocurrency accounts to collect payments and coordinating with co-conspirators to support users, steal financial data, and launder proceeds.

The case follows a broader international crackdown on infostealer operations, including the 2024 Operation Magnus effort involving US and European authorities to disrupt RedLine and its successor, Meta. Eurojust supported Minasyan’s extradition, while US prosecutors have previously charged other alleged developers, including Russian national Maxim Rudometov. (Tim Starks / CyberScoop)

Related: Justice Department, Security Week, The Cyber Express, Bleeping Computer

A ransomware attack disrupted digital systems at Spain’s Port of Vigo, forcing officials to disconnect affected networks and shift some operations to manual processes.

The attack, detected early Tuesday, impacted servers used to manage cargo traffic and other services, with authorities confirming that some systems were locked and that a ransom demand was issued.

In response, the port’s technology team isolated compromised systems to contain the incident. Port president Carlos Botana said systems will remain offline until security teams are fully confident the threat has been eliminated, with no clear timeline for restoring normal digital operations.

While ships and cargo handling continue to function, logistics coordination has been significantly affected, requiring paper-based workarounds. An investigation is underway to determine how attackers gained access and whether any sensitive data was compromised, with officials describing the incident as financially motivated and no group yet claiming responsibility. (Daryna Antoniuk / The Record)

Related: The Cyber Express

Researchers at Netskope Threat Labs uncovered a widespread AI-assisted campaign distributing more than 300 trojanized GitHub packages targeting developers, gamers, and general users.

The operation, dubbed “TroyDen’s Lure Factory,” uses a variety of lures—including OpenClaw AI deployment tools, game cheats, crypto bots, and phone tracking apps—to entice victims into downloading malicious software.

The packages contain a LuaJIT-based Trojan engineered to evade detection by splitting its payload into two components that appear benign on their own but execute maliciously together. Once activated, the malware captures screenshots, steals credentials, collects geolocation data, and exfiltrates information to a command-and-control server. The attackers also made the repositories appear legitimate through polished documentation and credible-looking contributor activity.

The campaign reflects a broader shift toward AI-enabled, scalable cybercrime operations that can generate convincing lures at volume while bypassing automated defenses. By targeting the software supply chain and exploiting trust in open-source platforms, the activity underscores the need for more rigorous scrutiny of seemingly legitimate GitHub packages before use. (Elizabeth Montalbano / Dark Reading)

Related: Netskope

During proactive research in the OPSWAT Critical Infrastructure Protection (CIP) Lab, OPSWAT Unit 515 identified four vulnerabilities affecting Cisco Catalyst 9300 Series switches.

Two of these issues (CVE-2026-20114 and CVE-2026-20110) can be chained by an authenticated low-privilege Web UI user to escalate privileges and force the device into maintenance mode, creating a full denial of service condition that may require on-site intervention to restore normal operations.

In line with responsible disclosure best practices, OPSWAT reported these findings to Cisco PSIRT and coordinated validation and remediation before public disclosure. (OPSWAT)

Related: Cisco, Cisco

Puerto Rico’s Department of Transportation was forced to cancel all upcoming appointments at the agency that handles driver’s licenses, permits, and vehicle registrations due to a cyberattack.

Government officials announced the incident on Tuesday and provided an update on Wednesday, writing that the Puerto Rico Innovation and Technology Service (PRITS) is working with the Department of Transportation to restore systems at the agency.

Poincaré Díaz, executive director of PRITS, said they were forced to disconnect all of the Transportation Department’s systems after a cyberattack was discovered on Monday.

"Our absolute priority is the protection of Puerto Ricans’ data. Our specialized technical teams have been working around the clock to determine the scope of this event and to check each system to ensure the total integrity of the information before proceeding with the restoration of services," Díaz said.

Díaz added that cyber incident response protocols were initiated once a security monitoring system discovered the attack. The statement claims the attack “was stopped” and that there is no evidence that data was stolen.

As a result of the disconnections, services at Centros de Servicios al Conductor (CESCO) — the agency responsible for issuing licenses, permits and vehicle registrations — cancelled all appointments. Facebook posts from the agency are filled with comments from residents asking when their appointments will be rescheduled.

In a statement on Wednesday, the Department of Transportation said it is still working with PRITS “to complete the necessary technical tests before restoring services at CESCO.” (Jonathan Greig / The Record)

Related: Department of Transportation on Facebook

Researchers at Sansec report that attackers are actively exploiting the critical “PolyShell” vulnerability in Magento Open Source and Adobe Commerce, with mass exploitation beginning just two days after public disclosure.

The campaign has already impacted 56.7% of vulnerable online stores, highlighting the rapid weaponization of the flaw, which affects Magento’s REST API and enables remote code execution or account takeover through malicious file uploads.

Although Adobe released a fix in version 2.4.9-beta1 on March 10, a stable patch is not yet available, leaving many production systems exposed. Sansec has identified active scanning from attacker infrastructure targeting unpatched stores, underscoring the urgency for mitigation while organizations await an official production release.

In some attacks, threat actors are deploying a novel WebRTC-based payment skimmer that exfiltrates stolen card data over encrypted UDP channels, helping it evade traditional security controls. The lightweight malware executes in stages and bypasses protections like Content Security Policy, with one confirmed infection affecting a major global carmaker’s e-commerce site. (Bill Toulas / Bleeping Computer)

Related: Sansec

Google is accelerating its timeline for preparing for “Q Day,” the point at which quantum computers could break widely used cryptographic systems, setting a target of 2029.

The company is urging the broader industry to adopt post-quantum cryptography (PQC) to replace vulnerable standards like RSA and elliptic curve cryptography, warning that the threat is already relevant due to “store-now, decrypt-later” attacks.

As part of this push, Google is beginning to integrate PQC into Android, including support for the ML-DSA digital signature algorithm in Android 17. These capabilities are being embedded into core security features such as verified boot, remote attestation, and the Android Keystore, with plans to eventually migrate the Play Store and app signing infrastructure—changes that will place new demands on developers.

The move reflects rapid advances in quantum computing that have lowered the estimated resources needed to break encryption, prompting greater urgency across the industry. While government timelines for quantum readiness generally extend into the early 2030s, Google’s 2029 target signals a more aggressive stance on preparing for the potential disruption of global cryptographic systems. (Dan Goodin / Ars Technica)

Related: The Keyword, DL News, Help Net Security, Google Online Security Blog, PhoneArena, The Quantum Insider, Android Authority, Gizmodo, WinBuzzer, crypto.news, Neowin, SiliconANGLE, CryptoPotato, CyberScoop, Decrypt, ComputerWeekly.com, r/1Password, r/Android

Apple has introduced age verification requirements in the UK, requiring users to confirm they are at least 18 to access certain features.

The company will verify ages using payment methods on file or by requesting ID scans, while automatically enabling content filters for underage users or those who do not verify. Children under 13 will not be able to create accounts without a parent or guardian.

The move aligns with the UK’s Online Safety Act, which aims to protect young users from harmful content, including material related to self-harm, suicide, and eating disorders. Regulator Ofcom said Apple’s measures support broader efforts to limit children’s exposure to online risks, even though app stores are not explicitly required to enforce age checks.

The rollout reflects a wider global push to regulate minors’ access to digital platforms, with countries like Australia implementing social media bans for children. However, Apple and other tech companies have previously pushed back on being responsible for age verification, arguing it raises privacy concerns and that individual apps are better suited to handle user age checks. (Amy Thomson / Bloomberg)

Related: Apple, Mac Observer, BBC News, The Guardian, 9to5Mac, Engadget, The Verge, The Independent

Indian authorities ordered a nationwide audit of CCTV cameras following the discovery of an alleged Pakistan-backed surveillance operation targeting critical infrastructure.

The investigation began after police in Ghaziabad uncovered solar-powered cameras positioned near railway stations and other sensitive sites, which were reportedly transmitting footage via cellular networks to viewers in Pakistan.

Further probes identified additional cameras in multiple locations, with authorities alleging that operatives recruited local citizens to install them. The incident comes amid longstanding tensions between India and Pakistan, raising concerns that foreign actors may have exploited gaps in India’s surveillance and telecommunications safeguards, including the misuse of SIM cards.

The government’s audit reflects fears that vulnerable or poorly secured CCTV systems could be widely compromised, a known risk given such devices’ history of weak security and exploitation in botnets. While India has established certification standards for approved cameras, officials acknowledge that unauthorized devices can still be deployed, underscoring ongoing security challenges. (Simon Sharwood / The Register)

Related: News18, Bhaskar English, The New Indian Express

Shirine Khoury-Haq, the boss of the Co-op Group, is to step down from the retail and funerals giant after a turbulent year, which included a damaging cyber attack and claims of a “toxic” environment at the business.

Her departure came as the retail group also slid to an underlying loss for the past year after swallowing a £285 million hit to sales from the cyber attack.

She will step down as chief executive on March 29, with Kate Allum taking over as interim chief executive of the business.

Ms Allum is a member-nominated director on the Co-op Group board and will lead the business while it searches for a successor. (Henry Saker-Clark / Press Association)

Related: BBC News, The Independent, City AM

Politico launched a security review after a private telephone conversation between one of its reporters and an EU official about issues connected to Hungary and Ukraine was apparently intercepted and the recording published online.

The nine-minute audio clip, from a call that took place on March 3, was uploaded to YouTube on March 16. It has been listened to 5,100 times, according to YouTube data.

“Our internal reviews have found no evidence that any devices, networks, or systems have been compromised,” Kate Day, POLITICO’s senior executive editor in Europe, and Carrie Budoff Brown, POLITICO’s executive editor and executive vice president, said in an email to employees.

The incident involved surreptitious recording of a phone call between Ursula von der Leyen’s chief spinmeister, Alexandra Henman, and Politico reporter Gerardo Fortuna.

The ostensible purpose of the call was that Fortuna was trying to establish the veracity of this report in the Financial Times. In short, he wanted to know whether the Commission was pressuring Ukraine to allow EU inspectors access to the damaged Druzhba pipeline, which supplies both Hungary and Slovakia with oil. (Zoya Sheftalovich / Politico and Matthew Karnitschnig / Euractiv)

Related: Euractiv, Index.hu

Best Thing of the Day: Only One of Thousands of Lawsuits

A jury found that Meta and YouTube harmed a young user with design features that were addictive and led to her mental health distress and ordered Meta to pay $4.2 million in combined compensatory and punitive damages, while YouTube must pay $1.8 million.

Worst Thing of the Day: Even the Tiniest Mental Health Agency Is a Target

The Maine mental health agency AMHC was the subject of a ransomware attack this month, allegedly perpetrated by the Russia-based cybercrime group Qilin.

Closing Thought
