SpaceX pulls the plug on 2,000+ Myanmar scam compounds' Starlink devices

PhantomCaptcha phishing campaign targeted critical Ukraine orgs, OpenAI is laid back on Atlas prompt injection flaws, Ransomware cases soar in Japan, N. Korean hackers have pilfered billions according to monitors, N. Korean hackers target drone makers, LG Uplus reports breach, much more

Source: Wikideas1


Lauren Dreyer, the vice-president of Starlink’s business operations, said in a post on X Tuesday night that the company “proactively identified and disabled over 2,500 Starlink Kits in the vicinity of suspected ‘scam centers’” in Myanmar. She cited the takedowns as an example of how the company takes action when it identifies a violation of its policies, “including working with law enforcement agencies around the world.”

It was unclear when the devices were taken offline. SpaceX did not immediately respond to questions.

Advocates fighting against human trafficking have accused the company for months of facilitating scamming operations by failing to crack down on Starlink’s use for cybercrime. A Wired review of cellphone connection data earlier this year found the technology was being used in at least eight compounds near the Thai border. In February, the Thai government cut off electricity and internet access to a handful of compounds across the border in an attempt to restrict criminals’ access to the tools needed to conduct scams.

Starlink reportedly filled the void, however, leading a Thai politician to tweet at Elon Musk asking him to address the matter. (James Reddick / The Record)

Related: NBC News, PCMag, Ars Technica

Researchers at SentinelLabs report that a one-day spearphishing attack on October 8, part of a campaign they call PhantomCaptcha, targeted members of the Ukrainian regional government administration and organizations critical to the war relief effort in Ukraine, including the International Committee of the Red Cross, UNICEF, and various NGOs.

The one-day campaign attempted to trick victims into running commands used in ClickFix attacks, disguised as Cloudflare CAPTCHA verification prompts, to install a WebSocket Remote Access Trojan (RAT).

The attacks started with emails impersonating the Ukrainian President’s Office, carrying malicious PDF attachments that linked to a domain impersonating the Zoom (zoomconference[.]app) communication platform.

According to the researchers, a WebSocket server path likely allowed the threat actor to engage in live social-engineering calls with the victim. If the client ID did not match, visitors had to pass another security check to prove that they were real people and not robots.

They could complete the fake CAPTCHA verification by following instructions in Ukrainian that prompted them to press a button to copy a "token" and paste it in the Windows Command Prompt. (Bill Toulas / Bleeping Computer)

Related: SentinelLabs, The Record, Infosecurity Magazine

The two infection paths used in the attack. Source: SentinelLabs

OpenAI's brand new Atlas browser is more than willing to follow commands maliciously embedded in a web page, an attack type known as indirect prompt injection.

Prompt injection is a common flaw among browsers that incorporate AI agents, such as Perplexity's Comet and Fellou, as noted in a report published by Brave Software, coincidentally amid OpenAI's handwaving about the debut of Atlas.

Indirect prompt injection can occur when an AI model or agent handles content like a web page or image and then treats that content as if it were part of its instructed task. Direct prompt injection refers to instructions entered directly into a model's input box that bypass or override existing system instructions.

Pranav Vishnu, product lead for ChatGPT Atlas, did warn potential users that OpenAI's browser-AI chimera might entail some risk.

It didn't take long for the internet community to demonstrate indirect prompt injection using Atlas, a Chromium-based browser that makes ChatGPT available as an agent capable of processing web page data.

Developer CJ Zafir said in a social media post that he uninstalled Atlas after finding "prompt injections are real."

Another security researcher also reported a successful prompt injection test using Google Docs, which The Register was able to replicate – getting ChatGPT in Atlas to print "Trust No AI" instead of an actual summary when asked to analyze a document.

AI security researcher Johann Rehberger, who has identified numerous other prompt injection attacks on AI models and tools, published his own Google Docs-based prompt injection demonstration in which the "malicious" instructions change the browser mode from dark to light.

Stuckey said that OpenAI's long-term goal is for people to trust the ChatGPT agent as if it were a security-conscious friend or colleague and that the company is working to make that happen. The implication is that it's premature to trust Atlas. (Thomas Claburn / The Register)

Related: Brave, Simon Willison's Weblog, Winbuzzer

In Japan, there were 116 reported cases of ransomware attacks in the first half of the year, matching a record last seen in 2022, according to data from the Tokyo Metropolitan Police Department.

“There’s definitely been a trend for Japanese companies to be targeted more and more,” said Lauro Burkart, a Singapore-based official with Israeli cybersecurity firm Sygnia Consulting Ltd. The country has “a lot of lucrative targets,” he said.

Corporate Japan’s slower embrace of digital workflows and limited English proficiency used to be unintentional protective barriers, according to Nobuo Miwa, president of Tokyo-based cybersecurity firm S&J Corp. Ransomware gangs often overlooked targets in the country because many were unfamiliar with crypto payments, making it more difficult for them to pay.

“I’ve actually received multiple inquiries from companies saying they want to pay and asking how to do it,” Miwa said. (Kanoko Matsuyama, Jane Lanhee Lee, and Yui Hasebe / Bloomberg)

Related: Finimize

According to a report from the Multilateral Sanctions Monitoring Team, a group that includes the US and 10 allies and was set up last year to observe North Korea's compliance with UN sanctions, North Korean hackers have pilfered billions of dollars by breaking into cryptocurrency exchanges and creating fake identities to get remote tech jobs at foreign companies.

Officials in Pyongyang orchestrated the clandestine work to finance research and development of nuclear arms, the authors of the 138-page report found.

North Korea has also used cryptocurrency to launder money and make military purchases to evade international sanctions tied to its nuclear program, the report said. It detailed how hackers working for North Korea have targeted foreign businesses and organizations with malware designed to disrupt networks and steal sensitive data.

Despite its small size and isolation, North Korea has heavily invested in offensive cyber capabilities and now rivals China and Russia when it comes to the sophistication and capabilities of its hackers, posing a significant threat to foreign governments, businesses, and individuals, the investigators concluded. (David Klepper / Associated Press)

Related: MSMT, State Department, WiredGov, Daily Express, 1News

Source: Multilateral Sanctions Monitoring Team.

Researchers at ESET report that an intensified interest by North Korea in ramping up production of advanced unmanned aerial vehicles may be behind recent hacking incidents at a handful of European companies active in the defense sector.

Attacks in Southeastern and Central Europe bearing the hallmarks of the Pyongyang-based threat actor Lazarus Group against a metal engineering company, an aircraft component manufacturer, and a defense company started in late March.

Two of those companies develop drone technology. One is directly involved in the production of UAV models deployed in Ukraine. Earlier this month, Ukrainian defenders spotted North Korean soldiers located in Russia deploying UAVs themselves for aerial reconnaissance missions.

How the three organizations initially fell victim isn't clear. Researchers said it most likely involved social engineering, leading to one or more droppers or downloaders, ultimately resulting in the delivery of the primary payload: ScoringMathTea, a remote-access trojan designed to give attackers complete control over a victim's system.

That and other tools, tactics, and procedures used in the attacks parallel those seen in campaigns tracked as Operation Dream Job, in which Lazarus Group hackers pose as online recruiters in a bid to manipulate developers into downloading malware. (Mathew J. Schwartz / BankInfoSecurity)

Related: We Live Security, Dark Reading

Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea. Source: ESET.

LG Uplus, one of Korea's major mobile carriers, has reported a possible data breach.

The company said that the announcement was a follow-up to LG Uplus President Hong Bum-shik's statement during a parliamentary audit two days earlier that he would report a suspected incident to the Korea Internet and Security Agency.

On the stand, Hong said it had been his understanding that the company was required to make a report only after confirming a cyber infringement. LG Uplus said it decided to report the case not because it had verified the existence of a data breach, but to respond proactively to evidence of a possible case, hoping to ease public concern and clear up misunderstandings.

Earlier, US cybersecurity outlet Phrack reported that a hacking group had infiltrated LG Uplus' internal network and seized data from 8,938 servers, 42,256 accounts, and 167 employees.

Following an internal inspection, LG Uplus notified the Ministry of Science and ICT in August that it had found no evidence of a data breach. (KBS World)

Related: The Korea Herald, The Chosun, Business Korea, The Korea Bizwire, Maeil Business Newspaper, Korea JoongAng Daily

Korea's Personal Information Protection Commission imposed a 463 million won (around $323,000) penalty surcharge on Incruit for leaking job seekers’ personal information.

The Personal Information Protection Commission said on the 23rd that it held a general meeting on the 22nd and decided corrective measures to prevent a recurrence, including imposing a 463 million won penalty surcharge on Incruit for violating personal information protection regulations, newly designating a chief privacy officer (CPO), and supporting damage recovery for data subjects.

Incruit, which operates an online job portal site, suffered a hacking incident in February this year that leaked the personal information of about 7.3 million members in total. It reported the leak to the Personal Information Protection Commission, and the investigation found that Incruit neglected its obligation to take safety measures under the Personal Information Protection Act.

Incruit had previously been subject to sanctions by the Personal Information Protection Commission in July 2023 for a personal information leak. (Lee Jae-eun / Chosun Biz)

Related: Asia Business Daily, Maeil Business Daily, The Chosun Daily

Researchers at Group-IB report that state-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.

The threat actor is also known as Static Kitten, Mercury, and Seedworm, and it typically targets government and private organizations in the Middle East region.

Starting August 19, the hackers launched a phishing campaign from a compromised account that they accessed through the NordVPN service.

The emails were sent to numerous government and international organizations in the Middle East and North Africa, cybersecurity company Group-IB says in a report today.

According to the researchers, the threat actor took down the server and server-side command-and-control (C2) component on August 24, likely indicating a new stage of the attack that relied on other tools and malware to gather information from compromised systems.

Most of the targets of this MuddyWater campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates. (Bill Toulas / Bleeping Computer)

Related: Group-IB, Iran International, GBHackers, Iran News Update

Wallets linked to the hacked Chinese mining pool LuBian have transferred 15,959 bitcoins, worth an estimated $1.83 billion at current prices, to four separate addresses in what appears to be a coordinated transaction.

Web3 analyst OnchainLens, citing Arkham data, published a thread detailing the breakdown of the outflows.

LuBian, once a relatively obscure Chinese mining pool that later grew significantly, has been the subject of multiple reports in recent weeks, which estimated the stolen coins' present-day value in the billions.

The previously undisclosed 2020 heist involved 127,426 BTC, a massive stash valued at approximately $14.5 billion as of August. That reporting highlighted how opaque custody and internal controls at some smaller pools created opportunities for large-scale misappropriation. (Naga Avan-Nomayo / The Block)

Related: Forklog, Coincentral, Live Bitcoin News

Major Australian electricity, gas, and internet provider Origin Energy has confirmed a data breach involving payment details of more than 700 customers, which were allegedly stolen by an employee who attempted to email the data to their personal email address when they were terminated by the company.

Origin confirmed to Information Age that the employee had attempted to send an encrypted file containing 732 customers’ credit and debit card details to themself on 30 July 2025.

“We have discovered that a former employee acted in serious breach of our policies, procedures, and the standards we require from our employees when handling customer data,” an Origin spokesperson said in a statement.

The company said it was now “contacting potentially impacted individuals to apologize and provide support”, as it could not guarantee the data was safe despite the alleged offender having signed a statutory declaration in which they claimed they had deleted the file. (Tom Williams / Information Age)

Related: Cyber Daily

Blue Cross Blue Shield of Montana is under investigation following a data breach that potentially exposed the personal and medical information of thousands of Montanans.

The breach, which occurred between Nov. 8, 2024, and March 5, 2025, may have compromised names, addresses, billing, and medical data, according to the insurance provider.

Montana State Auditor and Commissioner of Securities and Insurance James Brown has launched an immediate investigation into Blue Cross Blue Shield of Montana (BCBSMT) following a major data breach putting the personal and medical information of up to 462,000 Montana customers at risk.

"This breach is not just a technical lapse. This is a deeply disturbing incident with far-reaching and jaw-dropping consequences for our citizens," said Commissioner Brown. "Montanans have every right to expect their personal data, especially sensitive health information, to be protected by the entities they trust. The severity of this breach underscores the urgent need for robust oversight and our agency to take swift and immediate action to protect Montana consumers."

According to BCBSMT, this breach may have exposed names, addresses, birth dates, billing and medical data, phone numbers, and other sensitive information between November 8, 2024, and March 5, 2025. While BCBSMT says they are notifying affected customers and offering credit monitoring, we are not aware of that happening at this time. Commissioner Brown is taking swift action to ensure Montanans’ rights remain protected and that future violations are prevented. (NBC Montana Staff)

Related: KTVH, Daily Montanan, Bozeman Daily, Databreaches.net

Researchers discovered a simple path traversal flaw that enabled unauthorized access to sensitive infrastructure files, compromising administrative credentials and threatening entire AI ecosystems.

The flaw stemmed from improper validation of the dockerBuildPath configuration value in the registry’s build process.

Attackers could manipulate this parameter to reference locations outside the MCP server code repository, effectively accessing arbitrary files on the builder machine’s filesystem.

By setting the build context to a parent directory and using a malicious Dockerfile, researchers exfiltrated sensitive files, including Docker authentication credentials. (Divya / GBHackers)
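The dockerBuildPath flaw described above, reduced to a runnable illustration added here (not code from the article or from the unnamed registry it covers): a build path that is merely joined to the repository root, beside one that is checked for containment after the path is resolved. The repository layout, the function names and the config.json stand-in are assumptions.

```python
"""
Added example, not code from the article or from the unnamed registry it describes:
why a build-context setting like `dockerBuildPath` escapes the checkout when it is
only joined to the repository root, and how a containment check on the resolved
path stops it. Function and path names are assumptions chosen for illustration.
"""
import os
import shutil
import tempfile
from pathlib import Path


class BuildPathError(ValueError):
    """Raised when a configured build path would leave the repository checkout."""


def naive_build_context(repo_root: str, docker_build_path: str) -> str:
    """Weak pattern: join and normalise, never check containment. '..' segments,
    absolute values and symlinks are all honoured, so the build context can land
    in the builder's home directory."""
    return os.path.normpath(os.path.join(repo_root, docker_build_path))


def safe_build_context(repo_root: str, docker_build_path: str) -> str:
    """Hardened pattern: reject absolute values, resolve both sides (following
    symlinks) and require the result to be the root or one of its descendants."""
    root = Path(repo_root).resolve(strict=True)
    if Path(docker_build_path).is_absolute():
        raise BuildPathError("dockerBuildPath must be relative to the repository")
    candidate = (root / docker_build_path).resolve()
    try:
        candidate.relative_to(root)  # ValueError means candidate is outside root
    except ValueError:
        raise BuildPathError(f"dockerBuildPath escapes the checkout: {docker_build_path}") from None
    if not candidate.is_dir():
        raise BuildPathError("dockerBuildPath must name a directory inside the checkout")
    return str(candidate)


def demo() -> dict:
    """Constructed layout (assumed, not from the article): <tmp>/home/.docker/config.json
    stands in for the builder's Docker credentials, <tmp>/home/work/repo is the checkout,
    and repo/escape is a symlink to <tmp>/home.
    Returns {label: (naive_resolver_looks_inside, safe_resolver_accepts)}."""
    base = Path(tempfile.mkdtemp())
    repo = base / "home" / "work" / "repo"
    (repo / "service").mkdir(parents=True)
    (base / "home" / ".docker").mkdir()
    (base / "home" / ".docker" / "config.json").write_text('{"auths": {}}')  # constructed
    (repo / "escape").symlink_to(base / "home")
    cases = {
        "inside": "service",             # legitimate sub-directory of the checkout
        "dotdot": "../../../home",       # classic traversal up to the home directory
        "symlink": "escape",             # looks in-repo to the join, resolves outside
        "absolute": str(base / "home"),  # absolute value discards the repo root entirely
    }
    results = {}
    try:
        for label, value in cases.items():
            naive = Path(naive_build_context(str(repo), value))
            naive_inside = naive == repo or repo in naive.parents
            try:
                safe_build_context(str(repo), value)
                accepted = True
            except BuildPathError:
                accepted = False
            results[label] = (naive_inside, accepted)
    finally:
        shutil.rmtree(base)
    return results
```

The symlink case is the one a plain string-prefix check misses: the joined path sits under the checkout, but the directory it points at does not.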

Related: GitGuardian

Dating app giant Tinder announced that it’s expanding its facial-verification feature to more users in the US.

The facial-verification feature, known as Face Check, requires new users to verify their identity by submitting a short video selfie. This initiative aims to reduce impersonation on the platform and ensure that people are not connected to bots or fake accounts.

Face Check creates a 3D video scan of the user’s face to verify its similarity with their profile pictures. Members who successfully complete the verification process earn a badge on their profiles, indicating to others that they have been verified. Additionally, the feature identifies whether the same face is utilized across different accounts, providing an additional safeguard against impersonation and fraudulent profiles.

Tinder says that the video selfies are deleted shortly after review, but that it keeps a “non-reversible, encrypted face map and face vector,” which helps verify new photos, spot fraud, and stop people from making duplicate accounts. (Lauren Forristal / TechCrunch)

Related: Tinder Newsroom, Mashable, Bloomberg, Digital Trends, Dallas Morning News, Wired, Entrepreneur

Internet message board Reddit filed a lawsuit in the US District Court for the Southern District of New York, claiming that four companies had illegally stolen its data by scraping Google search results in which Reddit content appeared.

Three of those companies (SerpApi; Oxylabs, a Lithuanian start-up; and AWMProxy, a Russian company) sold data to AI companies like OpenAI and Meta, according to the lawsuit. The fourth company, Perplexity, is a San Francisco start-up that makes an AI search engine.

Reddit said it was seeking a permanent injunction against the companies, as well as financial damages, and wanted to prohibit the use or sale of any previously scraped Reddit data. (Mike Isaac / New York Times)

Related: Reuters, Bloomberg, The Verge, Financial Times, Search Engine Land, CNBC, Adweek

Ancestry-tracing company 23andMe is offering five years of genetic-monitoring services to millions of customers whose DNA data was stolen in a 2023 cyberattack, a move intended to mitigate exposure to impersonation scams, insurance fraud, hate crimes, and blackmail.

But cybersecurity experts say the long-term benefits of the services are unclear. Unlike credit cards or passwords, genetic data is permanent and cannot be updated once hackers obtain it. They argue that capping protections at five years leaves victims—and their families—vulnerable for the rest of their lives.

That has some 23andMe customers worried about the future, despite the promised safeguards.

“The damage is irreversible,” said Salman Jaberi, whose breached 23andMe account contained genetic data and other personal information. Jaberi, a Bahraini immigrant living in the US, said he fears ongoing “religiously and ethnically motivated threats,” based on his pilfered data. “My personal and health data continue to circulate on dark-web markets, and I face constant login and account-takeover attempts,” he said.

Though hackers only broke into roughly 14,000 personal accounts on the 23andMe site—a fraction of the company’s 14 million users—the breached accounts provided access to the personal data of millions of other users who were connected to them through links to other family members. (Angus Loten / Wall Street Journal)

After years of delays and scaled-back ambitions, Google officially killed its Privacy Sandbox, the once-flagship initiative aimed at replacing third-party cookies with privacy-preserving ad technologies.

In a blog post, Anthony Chavez, VP of Privacy Sandbox, confirmed that Google is retiring 10 remaining Sandbox APIs, including Attribution Reporting, Topics, and Protected Audience for both Chrome and Android. The move comes over a year after Google abandoned plans to phase out third-party cookies in Chrome altogether.

The Privacy Sandbox was Google’s answer to growing privacy regulation and industry backlash against cross-site tracking — but its complexity, limited adoption, and regulatory scrutiny stalled momentum. Google is no longer forcing a shift away from third-party cookies, preserving the familiar targeting and measurement tools that power much of digital advertising. (Anu Adegbola / Search Engine Land)

Related: Privacy Sandbox, CSO Online, Forbes, BGR, Phone Arena, Android Authority, Digiday, Engadget

Best Thing of the Day: These Apps Provided Safety for No One

Apple removed Tea, the women’s safety app that went viral earlier this year before facing multiple data breaches, as well as a copycat called TeaOnHer, for failing to meet the company’s terms of use around content moderation and user privacy.

Worst Thing of the Day: Sexual Spies in Silicon Valley Sounds Like Fun

Chinese and Russian operatives are using “sex warfare” to seduce and spy on Silicon Valley professionals.

Bonus Worst Thing of the Day: More Signs of a Cyber Agency on the Verge of a Nervous Breakdown

The Trump administration effectively closed the division of the Cybersecurity and Infrastructure Security Agency that coordinates critical infrastructure cybersecurity improvements with states and local governments, private businesses, and foreign countries.

Closing Thought
