The US, UK, and Australia sanction Russian bulletproof hosting providers
Alice Guo sentenced to life for running scam compound, Samourai Wallet operator sentenced to four years, SK Telecom rejects breach mediation proposal, USBP is massively surveilling Americans, Trump to preempt state AI safety laws, Eternidade Stealer gets more aggressive in Brazil, much more

The United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations.
BPH providers lease servers to cybercriminals and help them withstand disruption efforts aimed at their malicious activities, including phishing attacks, malware delivery, command and control operations, and illicit content hosting. They market themselves as "bulletproof" because they ignore victim complaints and law enforcement takedown requests.
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) designated Media Land, which has provided services to various cybercrime marketplaces and multiple ransomware groups, including LockBit, BlackSuit, and Play, as well as three sister companies (Media Land Technology, Data Center Kirishi, and ML Cloud).
Media Land's infrastructure was also used in distributed denial-of-service (DDoS) attacks against U.S. companies and critical infrastructure, including telecommunications systems, according to U.S. officials.
The sanctions also target three Media Land executives: Aleksandr Volosovik (who has advertised the business on cybercriminal forums under the alias "Yalishanda"), Kirill Zatolokin (who collects customer payments), and Yulia Pankova (who assisted with legal issues and finances).
OFAC also designated Aeza Group LLC, another BPH service provider previously sanctioned in July, and UK-based Hypercore Ltd, which Aeza used as a front company after being sanctioned, along with Serbian and Uzbek companies that provided technical support.
"These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries," said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley.
Five Eyes cybersecurity agencies also released joint guidance to help internet service providers and network defenders mitigate cybercriminal activity using infrastructure provided by bulletproof hosting providers. (Sergiu Gatlan / Bleeping Computer)
Related: US Treasury Department, CISA, CyberScoop, GOV.UK, NCA, Australian Minister for Foreign Affairs, Associated Press, UPI, The Record, iTnews, The Cyber Express, TechCrunch, Reuters, The Cyber Express, HackRead, Reuters, News.com, The Register, Cybersecurity Dive, UPI, WebProNews, DeviceSecurity.io, Elliptic, IJR
Alice Guo, a Chinese national who became a mayor in the Philippines while masquerading as a Filipina, has been sentenced to life in prison along with seven others on human trafficking charges related to a massive scam center she ran.
Guo, who served as mayor of a town north of Manila, was found guilty of overseeing a Chinese-operated online gambling centre where hundreds of people were forced to run scams or risk torture.
The sprawling complex – which included office buildings, luxury villas, and a large swimming pool – was raided in March 2024 after a Vietnamese worker escaped and called the police.
More than 700 Filipinos, Chinese, Vietnamese, Malaysians, Taiwanese, Indonesians, and Rwandans were found on site, along with documents allegedly showing that Guo was president of a company that owned the compound.
All eight defendants, some of whom were foreign nationals, were sentenced to life in prison, state prosecutor Olivia Torrevillas said outside a regional courthouse in Manila. (AFP)
Related: Korea Times News, rthk, New York Times, South China Morning Post, Al Jazeera, BBC News, Reuters, DW, Channel News Asia
One of the rare cryptocurrency prosecutions under the Trump administration led to a four-year prison term for William Lonergan Hill, a bitcoin wallet operator accused of helping launder more than $200 million from illegal dark web transactions by founding and operating the crypto mixing service Samourai Wallet.
The sentence is one year less than the maximum five-year prison term for the crime, with the judge stating that Hill's crime was "very serious" and that people should be deterred from engaging in this kind of activity.
Hill, 67, pleaded guilty to the charge in July as part of a deal with federal prosecutors.
The other Samourai Wallet co-founder, Keonne Rodriguez, was sentenced by the same judge to a five-year prison term this month. Hill and Rodriguez also agreed to a forfeiture of $237 million and a fine of $400,000 as part of their plea deal.
Hill apologized in court for the harm and pain that he caused his victims and his family members, including his wife. (Miles J. Herszenhorn / Bloomberg)
Related: Justice Department, The Block, JD Supra
Korea's SK Telecom has reportedly decided internally not to accept a mediation proposal from the Personal Information Protection Commission's Dispute Mediation Committee, which demanded compensation of 300,000 Korean won (or around $200) per victim of a personal information leak.
According to industry sources on the 20th, SK Telecom plans to submit a formal rejection of the mediation proposal to the committee later that day. The committee had delivered a decision on the 5th, ordering SK Telecom to pay 300,000 Korean won to each of the 3,998 applicants, totaling approximately 1.1994 billion Korean won or around $816,000. Since the mediation process terminates if either party rejects it, the applicants will have no choice but to pursue civil litigation.
The rejection is reportedly due to the enormous financial burden SK Telecom would face. If all victims—approximately 23 million people—filed similar claims under the same conditions, the total compensation could reach up to 6.09 trillion Korean won or around $10 billion based on the committee's criteria. (Choi A-ri / The Chosun Daily)
Related: KoreaJoongAng Daily, Maeil Business Newspaper, The Korea Bizwire, Asia Business Daily
The US Border Patrol is massively surveilling millions of American drivers nationwide in a secretive program to identify and detain people whose travel patterns it deems suspicious.
The predictive intelligence program has resulted in people being stopped, searched, and, in some cases, arrested. A network of cameras scans and records vehicle license plate information, and an algorithm flags vehicles deemed suspicious based on where they came from, where they were going, and which route they took. Federal agents, in turn, may then flag local law enforcement.
Once limited to policing the nation’s boundaries, the Border Patrol has built a surveillance system stretching into the country’s interior that can monitor ordinary Americans’ daily actions and connections for anomalies instead of simply targeting wanted suspects. Started about a decade ago to fight illegal border-related activities and the trafficking of both drugs and people, it has expanded over the past five years. (Byron Tau and Garance Burke / Associated Press)
Related: Associated Press
Donald Trump is considering signing an executive order as soon as Friday that would give the federal government unilateral power over regulating artificial intelligence, including the creation of an “AI Litigation Task Force” overseen by the Attorney General, “whose sole responsibility shall be to challenge State AI laws.”
According to a draft of the order, the Task Force would be able to sue states whose laws are deemed to obstruct the growth of the AI industry, citing California’s recent laws on AI safety and “catastrophic risk”, and a Colorado law that prevents “algorithmic discrimination”. The Task Force will occasionally consult with a group of White House Special Advisors, including David Sacks, a billionaire venture capitalist and the Special Advisor for AI and Crypto.
Trump has recently and repeatedly posted his desire to have a state AI law moratorium, and reiterated it on Wednesday during his appearance at the US-Saudi Investment Forum, couching it as a way to fight “woke” ideology. “You can’t go through 50 states. You have to get one approval. 50 is a disaster. Because you’ll have one woke state, and you’ll have to do all woke. You’ll be back in the woke business. We don’t have woke anymore in this country. It’s virtually illegal. You’ll have a couple of wokesters.” (Tina Nguyen / The Verge)
Related: Wired, The Information, Washington Post, NBC News, Decrypt, FedScoop, Politico, Transformer, Reuters, Benzinga, Quartz, Bloomberg, Wall Street Journal, Axios, Music Technology Policy, Punchbowl News, International Business Times, Bloomberg Government, The Hill, Semafor, Forbes, r/politics, r/fednews
Researchers from Trustwave SpiderLabs observed a newly identified banking Trojan known as Eternidade Stealer pushing Brazil’s cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool.
The malware combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists used for rapid lateral spread.
The researchers noted that a shift to Python for WhatsApp hijacking, along with dynamic command-and-control (C2) retrieval through IMAP, marks a notable evolution in the threat actor’s toolkit.
The Trustwave SpiderLabs team traced the campaign’s backend to several related domains and panels used for redirect management and victim tracking.
Logs showed 454 connection attempts from 38 countries, with only a handful originating in Brazil, despite the malware’s regional focus.
Most visitors used desktop systems, suggesting that the campaign was designed for workstation environments rather than mobile endpoints. (Alessandro Mascellino / Infosecurity Magazine)
Related: OneSafe, TrustWave, Crypto News

A data breach at St. Anthony Hospital could have exposed the personal information of patients, staff, and others, according to hospital officials.
In February, the hospital learned a “small number” of employee accounts had been accessed by an “unauthorized actor,” launching an investigation with an outside cybersecurity firm.
The hospital, located at 2875 W. 19th St., said they have yet to be notified of anyone impacted but would contact anyone whose personal information was compromised. The data potentially at risk could include personal information, such as names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and an individual’s medical history. (Sun-Times Wire / Chicago Public Media)
Related: CBS News, Chicago Tribune, HIPAA Journal
Cybersecurity firm Fortinet announced patches for 17 vulnerabilities, including a zero-day resolved with the latest FortiWeb updates. It is the second FortiWeb zero-day publicly disclosed within a week, after the company confirmed on November 14 that CVE-2025-64446 (CVSS score of 9.1), a critical-severity path traversal issue, had been targeted in attacks.
Tracked as CVE-2025-58034 (CVSS score of 6.7), the bug is described as an OS command injection issue that authenticated attackers can exploit to execute arbitrary code on the underlying system, via crafted HTTP requests or CLI commands.
“Fortinet has observed this to be exploited in the wild,” the vendor notes in its advisory, without providing details on the attacks.
Fortinet patched both exploited vulnerabilities in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12. Users should update their deployments as soon as possible.
Simultaneously with Fortinet’s advisory on the second zero-day, the US cybersecurity agency CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within a week. (Ionut Arghire / Security Week)
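As an added illustration (not code from Fortinet or the article), here is a small version-triage script that checks whether a FortiWeb build is at or after the fixed release for its branch, using the fixed versions listed above. It assumes that later builds within a listed branch keep the fix, and treats branches not listed as unpatched; the inventory it runs over is constructed.

```python
# Added example: triage FortiWeb builds against the fixed releases listed in the
# article. Assumptions (not from the advisory): every later build in a listed
# branch also carries the fix; unlisted branches (e.g. 6.x) are treated as exposed.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases as stated above, keyed by branch (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 6),
    (7, 4): (7, 4, 11),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (optional leading 'v'); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def fixed_release_for(version: Version) -> Optional[Version]:
    """Return the first fixed build for this version's branch, or None if unlisted."""
    return FIXED_RELEASES.get(version[:2])


def is_patched(text: str) -> bool:
    """True only if the build is in a listed branch and at/after that branch's fix."""
    version = parse_version(text)
    fixed = fixed_release_for(version)
    if fixed is None:
        return False  # unlisted branch: no fix known, treat as exposed
    # Tuple comparison is numeric per component, so 7.4.9 < 7.4.11 (a plain
    # string comparison would get this wrong).
    return version >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'patched' or 'UPDATE' for a hostname->version inventory."""
    return {host: ("patched" if is_patched(v) else "UPDATE")
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"fw-edge-1": "7.4.9", "fw-edge-2": "7.6.6",
              "fw-lab": "8.0.1", "fw-old": "6.4.3"}
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```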
Related: The Register, Dark Reading, Techzine, The HIPAA Journal, SC Media
Pajemploi, the French social security service for parents and home-based childcare providers, has suffered a data breach that may have exposed personal information of 1.2 million individuals.
The incident affects registered professional caregivers working for private employers, typically parents, who use the Pajemploi service, part of URSSAF, the French organization that collects social security contributions from employers and individuals.
"The Pajemploi service has been the victim of a theft of personal data belonging to employees of private employers using the Pajemploi service," reads the announcement from the agency.
"This cyberattack, detected on November 14, could have affected up to 1.2 million employees of private employers using the Pajemploi service," the public service says.
Pajemploi's disclosure highlights that the hackers did not have access to bank account numbers (IBANs), email addresses, phone numbers, or account passwords.
Each person affected by the cybersecurity incident will be notified by Pajemploi individually. (Bill Toulas / Bleeping Computer)
Related: Urssaf, SC Media, The Connexion, RTL
Cisco announced its Resilient Infrastructure initiative, calling it the company's next step in its security evolution, focused on reducing the attack surface in its portfolio, increasing protection of sensitive data, and enabling defenders with more robust capabilities to monitor and detect threats in network infrastructure.
Cisco says this effort makes it incredibly obvious when customers are configuring insecure features that introduce new and unnecessary risks into their networks. Initially, customers will receive increased security warnings that recommend discontinuing the use of any insecure features.
In subsequent releases, features will be disabled by default or require additional steps to allow for configuration. Eventually, insecure options will be removed entirely. (Cisco)
Related: Cisco, Cisco Blogs
Cybersecurity company Guardio has raised $80 million in a Series B venture funding round.
ION Crossover Partners led the round. (Ivan Mehta / TechCrunch)
Related: Guardio, Silicon Angle, Pulse 2.0, WebProNews, Calcalist, Globes, TechinAsia
Bedrock Data, a provider of a data security posture management (DSPM) platform for data-centric security, governance, and management, raised $25 million in a Series A funding round.
Greylock Partners led the round with participation from Mangusta Capital, Mantis Venture Capital, Pier 88 Investment Partners, and other investors. (Chris Metinko / Axios)
Related: FinSMEs, Business Wire, MSSP Alert, Wilson Sonsini
Doppel, a San Francisco, CA-based provider of an AI-native social engineering defense (SED) platform, announced it had raised $70 million in a Series C funding round.
Bessemer Venture Partners led the round, with participation from George Kurtz, CEO of CrowdStrike, NTT DOCOMO Ventures, Aurum Partners, and a group of athlete investors led by WNBA players Nneka Ogwumike, Breanna Stewart, and Kelsey Plum, who joined the round through the a16z Cultural Leadership Fund. (Allie Garfinkle / Fortune)
Related: FinSMEs, Doppel, VC News Daily, Ventureburn
Incode Technologies Inc., an identity verification platform, is in preliminary talks to raise between $150 million and $300 million from investors at a valuation of as much as $3 billion, according to people familiar with the matter.
The company currently has annual recurring revenue of $170 million, said one of the people, all of whom asked not to be identified, discussing private information. The startup did not immediately respond to a request for comment. (Yazhou Sun and Mayumi Negishi / Bloomberg)
Palo Alto Networks announced it will acquire Chronosphere, a cloud observability platform, for $3.35 billion in cash and equity, marking the cybersecurity company’s latest move to expand beyond its traditional security perimeter into adjacent infrastructure monitoring capabilities.
The acquisition represents a significant bet on the convergence of security and operational observability as organizations grapple with increasingly complex AI workloads and cloud-native applications. The deal underscores how the demands of artificial intelligence infrastructure are reshaping enterprise software markets and driving consolidation across previously distinct technology categories. (Greg Otto / CyberScoop)
Related: CRN, Bloomberg, Verdict
Best Thing of the Day: Here's Your Stinking Samsung Phone Back
Despite widespread theft of smartphones, thieves are returning stolen Android phones to the owners because they really only prize iPhones.
Worst Thing of the Day: Hey Australia, Is It OK If One of Our Nastiest Lawmakers Stupidly Butts Into Your Business?
US House Judiciary Chair Jim Jordan, a Republican, accused Australian eSafety Commissioner Julie Inman Grant of colluding with pro-censorship bodies by participating in a Stanford University panel of "foreign officials who have directly targeted American speech and represent a serious threat to the First Amendment."
Closing Thought
