Twin brother hackers arrested for US government hacking, data destruction spree
GRU cyber ops sanctioned into Skripal poisoning inquiry, Defenders scramble to patch React Server Components' critical flaws, AI agents match human attackers in smart contract exploits, AZ Atty. General sues Temu for customer data theft, Threat intel experts recorded DPRK IT recruiters, much more

'Tis the season to be generous. Please support Metacurity in our mission to end infosec news overload.
Metacurity is a pure labor of love and is the only daily newsletter that delivers the critical infosec developments you need to know, scanned from thousands of sources and smartly summarized.
But to continue delivering our daily updates, we need your support. Please consider upgrading to an annual paid subscription today.
If you can't upgrade to a paid subscription today, please consider donating what you can.
The US Justice Department announced that twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year.
Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies, including the Department of Homeland Security, Internal Revenue Service, and the Equal Employment Opportunity Commission.
Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.
The brothers are no strangers to law enforcement, the hacking community, and government contract work. They previously pleaded guilty in 2015 to wire fraud and conspiring to hack into the State Department and other crimes while they were employed as contractors for federal agencies. Muneeb Akhter was sentenced to 39 months in prison, and Sohaib Akhter was sentenced to 24 months in prison at that time. (Matt Kapko / CyberScoop)
Related: Justice Department, Axios, WRIC, DataBreaches.Net

A UK public inquiry concluded that Russian President Vladimir Putin ordered the 2018 Novichok nerve agent attack on Russian double agent Sergei Skripal, an act that led to the death of an innocent woman. The inquiry also zeroed in on eight GRU military intelligence officers for cyber operations that targeted Sergei and his daughter Julia Skripal with X-Agent malware.
The GRU officers were also accused of the actual attempted murders of Sergei and Julia.
Sanctions will also hit a further three officers in the GRU responsible for orchestrating hostile activity in Ukraine and across Europe, including plotting a terror attack on Ukrainian supermarkets targeting innocent civilians.
The GRU regularly attempts to conduct hybrid operations, including using cyber-attacks and spreading disinformation with the intent to cause devastating real-world consequences, as well as recruiting criminal proxies to do their dirty work. (Gov.UK)
Related: Reuters, BBC News, Daily Mail, The US Sun
Security researchers and code developers are scrambling to patch and investigate a critical vulnerability affecting React Server Components, an open-source library used widely across the internet and embedded into many essential software frameworks.
The rapid response underscores the potential consequences of exploitation. Although no attacks have been observed or reported, researchers expect them soon and are urgently mobilizing resources to address the defect.
The vulnerability – CVE-2025-55182 – was discovered by Lachlan Davidson, a developer and lead of security innovation at Carapace, and reported to Meta on Saturday. Meta and the React team created a patch and worked with affected hosting providers to address the defect on Monday before the public disclosure on Wednesday.
“The reason there’s been such a measured response to this vulnerability is because exploitation is inevitable,” Ben Harris, CEO and founder of watchTowr, told CyberScoop. “We should be expecting attackers to start exploiting this vulnerability truly imminently.”
React is one of the most extensively used application frameworks, putting large swaths of web applications at risk. “Our data shows that these libraries can be found in vulnerable versions in around 39% of cloud environments,” said Amitai Cohen, threat vector intel lead at Wiz. (Matt Kapko / CyberScoop)
Related: React, The Register, WinBuzzer, WebProNews, Dark Reading, Wiz, CVE, Vercel on GitHub, Vercel, Ars Technica, Analytics India Magazine, Next.js by Vercel, GitHub, Hacker News (ycombinator), Hacker News (ycombinator), r/reactjs, CSO Online
According to new data released by Anthropic, AI agents matched the performance of skilled human attackers in more than half of the smart contract exploits recorded on major blockchains over the last five years.
Anthropic evaluated ten frontier models, including Llama 3, Sonnet 3.7, Opus 4, GPT-5, and DeepSeek V3, on a dataset of 405 historical smart contract exploits. The agents produced working attacks against 207 of them, totaling $550 million in simulated stolen funds.
The findings showed how quickly automated systems can weaponize vulnerabilities and identify new ones that developers have not addressed.
To measure current capabilities, Anthropic plotted each model’s total exploit revenue against its release date using only the 34 contracts exploited after March 2025.
“Although total exploit revenue is an imperfect metric—since a few outlier exploits dominate the total revenue—we highlight it over attack success rate because attackers care about how much money AI agents can extract, not the number or difficulty of the bugs they find,” the company wrote. (Jason Nelson / Decrypt)
Related: Security Affairs, Cointelegraph, WinBuzzer, CoinDesk, The Block, Anthropic, Cryptonews, Forbes, Hacker News (ycombinator)

Arizona Attorney General Kris Mayes announced that Arizona is the latest state to sue Temu and its parent company, PDD Holdings, over allegations that the Chinese online retailer is stealing customers’ data.
Mayes said the app deceives customers about the quality of its low-cost products and collects what she described as a shocking amount of sensitive data without the consent of users, including GPS locations and a list of other apps on users’ phones.
According to the lawsuit, prosecutors are concerned about Temu being subject to laws in China that require Chinese companies to hand over data requested by the government, and that its code is designed to evade security reviews.
“It can detect everywhere you go, to a doctor’s office, to a public library, to a political event, to your friends’ houses,” Mayes said during a news conference. “So the scope of this invasion of privacy is enormous, and that’s why I consider it possibly the gravest violation of the Arizona Consumer Fraud Act that we have ever seen in Arizona.”
Arizona’s top prosecutor also said the state wants to protect businesses from being “ripped off” by the online retailer, alleging the company has copied the intellectual property of brands that include the Arizona Cardinals and Arizona State University. (Sejal Govindarao / Associated Press)
Related: Attorney General's Office, Newser, Bloomberg Law, Axios, KJZZ, Courthouse News Service, Washington Times, The American Bazaar, Sourcing Journal, China Retail News
Mauro Eldritch, a hacker and threat intelligence specialist at BCA LTD, said that in an unprecedented intelligence operation, he and another researcher exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising.
He found multiple accounts on GitHub that were spamming repositories with a recruitment announcement for individuals who would attend technical interviews (.NET, Java, C#, Python, JavaScript, Ruby, Golang, Blockchain) under a provided fake identity.
The candidate would not have to be proficient in the technical areas, as the recruiter would assist “to respond to interviewers effectively.”
To make the offer more attractive, the DPRK agent set the financial expectation to “around $3000 per month.”
Eldritch accepted the challenge and developed a plan with Heiner García from the NorthScan threat intelligence initiative for uncovering North Korean IT worker infiltration.
The two researchers used sandbox services from ANY.RUN, a company that provides interactive malware analysis and threat intelligence solutions, to set up a simulated laptop farm honeypot that could record activity in real time for later analysis of the tactics and tools used in the operation.
García assumed the role of the rookie engineer responding to the recruitment offer. He posed as a previously contacted individual, a developer named Andy Jones, based in the United States.
The researchers created a new GitHub profile that mimicked Jones’ down to the public repositories and associated details.
After setting up the sandboxed ANY.RUN environment, hosted in Germany, and tunneling the connection through a residential proxy to appear US-based, the researchers were ready to let the “recruiter” connect remotely to their “laptop.”
Through a variety of actions, the researchers recorded their interactions with the North Koreans and obtained more information about the operation, the individuals involved, potential partners from different countries, and the tools and tricks used. (Ionut Ilascu / Bleeping Computer)
Related: Cryptoslate
Cybersecurity experts have issued a major warning after a viral video link, dubbed the '19-minute video,' spread rapidly across social media platforms, including Instagram and X (formerly Twitter).
Victims attempting to watch the intimate clip are being targeted by sophisticated scammers using the video's popularity to distribute malware and steal banking credentials.
Beyond the immediate risk of the scam, users are also strongly cautioned against circulating or forwarding such explicit material, as doing so constitutes an offense under Indian law.
Various statutes impose severe penalties for such actions. Specifically, under the IT Act, Section 67, circulating obscene material online is punishable with up to three years in jail and a ₹5 lakh fine for the first offence. (Zee Media Bureau)
Related: NDTV, Hindustan Times, The Economic Times
PC hardware giant ASUS confirmed that it is aware of a cybersecurity incident impacting one of its third-party suppliers, following allegations that the Everest ransomware operation hacked the company.
“An ASUS supplier was hacked,” ASUS said in a statement.
“This affected some of the camera source code for ASUS phones. This incident has not impacted ASUS products, internal company systems, or user privacy. ASUS continues to strengthen supply chain security in compliance with cybersecurity standards.”
The statement follows a 2 December post on Everest’s leak site that claimed the hackers had compromised “camera source code” alongside a one-terabyte database. Since then, however, Everest has released more details of the allegedly stolen data.
“The files include data from ASUS, ArcSoft, Qualcomm,” Everest said.
The hackers also claimed to have the following data:
“Binary segmentation modules, Source code & patches, RAM dumps & memory logs, AI models & weights, OEM internal tools & firmware, Test videos, Calibration & dual-camera data, Image datasets, Crash logs & debug reports, Evaluation & performance reports, HDR, fusion, post processing data, Test APKs, experimental apps, Scripts & automation, Small config binary calibration files.” (David Hollingworth / Cyber Daily)
Related: Taipei Times, Focus Taiwan, SC Media, HackRead
Personal details of current and former students at 12 schools, employees’ bank account numbers, and images of cheques were put on the dark web following the hack against a Winnipeg school division.
Pembina Trails School Division revealed additional findings after cybersecurity experts did a deep dive into digital files and concluded their investigation of the December 2024 ransomware attack.
“While we know a group of cybercriminals is responsible for the incident, the investigation was unable to determine a specific cause of the incident,” Superintendent and CEO Shelley Amos said in a statement. “We come out of this incident with heightened awareness regarding cyber threats and better equipped to face them in the future.”
The hacker group known as Rhysida tried to sell almost one million files, including personal details and photos of students and staff, for $1.6 million in January after the division refused to pay a ransom. The files were later dumped on the dark web. (Chris Kitching / Free Press)
Related: CBC
Medical imaging provider Pro Medicus confirmed that it incurred a data breach by an unknown third party in July.
Pro Medicus said it investigated the unauthorised access of a single email inbox and engaged external cybersecurity experts to contain the incident.
The company does not believe any commercially sensitive information was accessed, and did not incur any financial loss or operational impact following the incident.
Analysis of the breach found that personally identifiable information for around 100 current and former Pro Medicus employees could "potentially have been accessed."
Pro Medicus said it has notified all of those potentially impacted. It also notified relevant governmental authorities in accordance with applicable laws and regulations. (Hugo Mathers / Capital Brief)
Related: Pro Medicus, TipRanks
Freedom Mobile, the fourth-largest wireless carrier in Canada, disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers.
Founded in 2008 as Wind Mobile by telecommunications provider Globalive, Freedom has over 2.2 million subscribers and now says it provides coverage to 99% of Canadians.
Vidéotron, a subsidiary of Canadian telecommunications company Québecor, acquired Freedom in 2023, creating the country's fourth major wireless carrier with more than 3.5 million mobile customers and nearly 7,500 employees.
Freedom said it detected a breach of its customer account management platform on October 23.
The personal and contact information exposed in the incident includes first and last names, home addresses, dates of birth, home and/or cell phone numbers, and Freedom Mobile account numbers. (Sergiu Gatlan / Bleeping Computer)
Related: Freedom Mobile
Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.
Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.
Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place.
At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.
Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.
Marquis said in its notice to Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.
The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.
Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.
According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before hackers maliciously exploited it.
Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time. (Zack Whittaker / TechCrunch)
Related: Maine Attorney General, Reuters, Bitget, Bleeping Computer
Wiz researchers report that the second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub repositories.
Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, the researchers say that more than 60% of the leaked NPM tokens were still valid as of December 1st.
The Shai-Hulud threat emerged in mid-September, compromising 187 NPM packages with a self-propagating payload that identified account tokens using TruffleHog, injected a malicious script into the packages, and automatically published them on the platform.
In the second attack, the malware impacted over 800 packages (counting all infected versions of a package) and included a destructive mechanism that wiped the victim’s home directory if certain conditions were met. (Bill Toulas / Bleeping Computer)

Researchers at Wordfence report that attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.
The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.
King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress sites. It is used on roughly 10,000 websites, providing additional widgets, templates, and features.
CVE-2025-8489, discovered by researcher Peter Thaleikis, is a flaw in the plugin’s registration handler that allows anyone signing up to specify their own user role on the website, including the administrator role, without enforcing any restrictions.
According to observations from Wordfence, attackers send a crafted ‘admin-ajax.php’ request specifying ‘user_role=administrator’ to create rogue admin accounts on targeted sites.
Website owners are advised to upgrade to version 51.1.35 of King Addons, released on September 25, which addresses CVE-2025-8489. (Bill Toulas / Bleeping Computer)
Related: Wordfence, Security Affairs, Security Week, Red Hot Cyber
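A defender-side check for the request pattern described above, added here as an example and not Wordfence’s or the plugin’s own code: it scans WAF-style request records for admin-ajax.php requests that carry a client-chosen ‘user_role’ naming a privileged role. The record format, the sample lines and the assumption that the parameter may arrive in either the query string or a form-encoded body are constructed for this example.

```python
"""Flag admin-ajax.php requests that try to choose their own WordPress role.

Added example modelling the CVE-2025-8489 pattern described above
(a self-registration request carrying ``user_role=administrator``).
It is not Wordfence's or King Addons' code; the record format and the
sample records below are constructed for this example.
"""
from urllib.parse import parse_qs, urlsplit

# Roles a self-registering visitor should never be able to request.
# WordPress default roles above "subscriber"; extend for custom roles.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}

# Constructed WAF-style records, one per line:
#   <client-ip> <method> <path-and-query> <url-encoded body or "-">
SAMPLE_LOG = """\
203.0.113.7 POST /wp-admin/admin-ajax.php user_name=alice&user_email=alice%40example.net&user_role=subscriber
203.0.113.9 POST /wp-admin/admin-ajax.php user_name=bob&user_email=bob%40example.net&user_role=administrator
198.51.100.4 GET /wp-admin/admin-ajax.php?action=heartbeat -
203.0.113.9 POST /wp-admin/admin-ajax.php?user_role=Administrator user_name=carol&user_email=c%40example.net
203.0.113.12 POST /wp-login.php log=dave&pwd=REDACTED
"""


def parse_record(line):
    """Split one record and merge query-string and body parameters."""
    ip, method, target, body = line.split(" ", 3)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if body != "-":
        # Assumption: the body is application/x-www-form-urlencoded.
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"ip": ip, "method": method, "path": url.path, "params": params}


def requested_privileged_roles(event):
    """Privileged roles the client asked for, compared case-insensitively
    so capitalisation variants are still reported as attempts."""
    asked = {r.strip().lower() for r in event["params"].get("user_role", [])}
    return sorted(asked & PRIVILEGED_ROLES)


def is_role_escalation(event):
    """True when an admin-ajax.php request supplies a privileged role."""
    return (event["path"].endswith("/admin-ajax.php")
            and bool(requested_privileged_roles(event)))


def scan(log_text):
    """Return (client-ip, roles) for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_record(line)
        if is_role_escalation(event):
            findings.append((event["ip"], requested_privileged_roles(event)))
    return findings


if __name__ == "__main__":
    for ip, roles in scan(SAMPLE_LOG):
        print(f"role escalation attempt from {ip}: user_role={','.join(roles)}")
```

A legitimate King Addons registration form has no reason to let the browser choose anything above the site’s default role, so any hit here on an unpatched site is worth checking against the users table for newly created administrators.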

The Trump administration is ending a pay incentive program intended to hire and retain experts in the federal government’s primary civilian cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, which has already seen firings, resignations, and reassignments.
The program covered nearly half of the employees at CISA. It was created to help the agency compete with the private sector for top talent, but it has come under fire for mismanagement and abuse, including providing extra pay to employees without critical cybersecurity skills.
Still, cybersecurity experts warned that ending the extra pay will inevitably lead to more departures at the agency, further weakening the federal government’s defenses against cyberattacks.
CISA has already lost more than a third of its workforce since last fall, according to a September internal memo reviewed by Bloomberg News. The agency is also dealing with critical leadership vacancies, and the administration’s choice to lead the agency has been stalled in Congress. (Patrick Howell O'Neill / Bloomberg)
Related: r/fednews
According to a new edition of the Future of Life Institute's AI safety index, the safety practices of major artificial intelligence companies, such as Anthropic, OpenAI, xAI, and Meta, are "far short of emerging global standards."
The institute said the safety evaluation, conducted by an independent panel of experts, found that while the companies were busy racing to develop superintelligence, none had a robust strategy for controlling such advanced systems.
The study comes amid heightened public concern about the societal impact of smarter-than-human systems capable of reasoning and logical thinking, after several cases of suicide and self-harm were tied to AI chatbots.
"Despite recent uproar over AI-powered hacking and AI driving people to psychosis and self-harm, US AI companies remain less regulated than restaurants and continue lobbying against binding safety standards," said Max Tegmark, MIT professor and Future of Life president. (Zaheer Kachwala and Arnav Mishra / Reuters)
Related: AI Safety Index, Computing, Axios, Quartz, India Today, Asia Financial, Euronews

The European Commission launched an antitrust investigation into Meta over its new policy on artificial intelligence providers’ access to WhatsApp.
The Commission said it was concerned that the US tech giant’s business terms might prevent rival AI groups from offering their services through WhatsApp.
The new investigation falls under traditional antitrust laws rather than the Digital Markets Act, the EU’s landmark legislation designed to tackle the dominance of the big online platforms, but which has been the particular focus of attacks by the Trump administration. (Barbara Moens / Financial Times)
Related: CNBC, Global Banking and Finance Review, Reuters, Wall Street Journal, Bloomberg
Artificial-intelligence cybersecurity startup 7AI raised $130 million in a Series A venture funding round, an unusually high amount for early-stage financing as investors bet big on AI in cybersecurity.
The round was led by Index Ventures, with participation from all existing seed investors, including Greylock Partners, Charles River Ventures, and Spark Capital. Blackstone Innovations Investments also participated as a new investor. (James Rundle / Wall Street Journal)
Related: Business Wire
Cloud software maker ServiceNow Inc. announced that it has signed an agreement to acquire data security platform company Veza Inc. for an undisclosed sum, but one that has been rumored to be more than $1 billion.
Founded in 2020, Veza offers an identity-security platform that is focused on helping organizations answer a fundamental question: “Who can — and should — take what action on what data.”
Veza’s platform offers the Veza Access Graph, a unified, metadata-driven graph that ingests and normalizes identity and permission data from across an enterprise’s systems, including support for data lakes, databases, cloud infrastructure, software-as-a-service apps, on-premises systems, and custom applications.
The graph builds a map of all identities, be they human, machine, or third-party, and their entitlements to deliver complete visibility into who has access to what and via which permissions. (Duncan Riley / Silicon Angle)
Related: Silicon Republic, investor.servicenow.com, The Information, Pulse 2.0, ITPro, CRN, diginomica, Constellation Research
Best Thing of the Day: CISA Will Finally Get a Leader After a Rudderless Eleven Months
At long last, CISA Director nominee Sean Plankey appears to be slated for his Senate confirmation today.
Bonus Best Thing of the Day: A Graphic Novella to Break Your Heart
Anand RK, Suparna Sharma, and Natalie Obiko Pearson have produced a poignant graphic novel that shows the internal terror that online scammers can induce in their victims.
Worst Thing of the Day: Babies As a Target Audience for AI Slop
Some YouTube creators are leaning into low-effort, low-quality AI videos to target babies starting at under age two.
Closing Thought
