Two cyber pros became cybercriminals to launch a ransomware campaign

Hackers infiltrated trucking and freight companies, Lawmakers probe Flock Safety insecurities, SK Telecom advised to pay $208 per hacking victim, Hackers stole 50K CCTV clips using admin123 password, AN0M phone snags 55 more victims, Hackers stole $100m+ from DeFi protocol Balancer, much more

Photo by Addy Spartacus / Unsplash


Kevin Tyler Martin, formerly a ransomware threat negotiator for River North-based DigitalMint, was one of two men indicted for carrying out their own ransomware scheme in a plot to extort millions of dollars from a series of companies.

A suspected accomplice who wasn’t indicted was also employed at DigitalMint, court records show.

DigitalMint has denied any wrongdoing, fired both employees, and cooperated with the investigation.

Also indicted was Ryan Clifford Goldberg, an incident response manager for the multinational company Sygnia Cybersecurity Services. Sygnia said Goldberg no longer works for the company, and it “is not the target of this investigation, however, we continue to work closely with law enforcement.”

According to an affidavit filed in September by an FBI agent, the three men began using malicious software in May 2023 “to conduct ransomware attacks against victims,” first hitting a medical company in Florida by locking its servers and demanding $10 million to unlock the systems, court records say.

The FBI agent noted the men ultimately made off with $1.2 million, although it was apparently the only successful attack.

Martin, Goldberg, and the other unnamed suspect are also accused of targeting a pharmaceutical company from Maryland; demanding $5 million from a California doctor’s office; seeking $1 million from an engineering firm in California; and trying to extort $300,000 from a Virginia-based drone manufacturer.

Their scheme continued until April 2025, according to the FBI. Agents interviewed Goldberg that June, “initially denying being involved in the ransomware attacks.” He claimed he was recruited by the third suspect, who wasn’t indicted, described in court records only as “Co-Conspirator 1.”

Goldberg said the $1.2 million the medical company paid in cryptocurrency was routed “through a mixing service and then through multiple cryptocurrency wallets” in an effort to hide the digital cash.

Goldberg told the FBI he engaged in the scheme to get out of debt and feared he was “going to federal prison for the rest of [his] life.” He said Martin told him the FBI had raided the home of “Co-Conspirator 1” on April 3, according to the FBI affidavit.

The following month, Goldberg searched the name of “Co-Conspirator 1” along with “doj.gov,” the Justice Department’s website, records show. He also asked: “Why would somebody who was accused and admitted to an FBI agent be let go but later indicted?”

Ten days after his interview with the FBI, on June 27, Goldberg and his wife flew from Atlanta to Paris on a one-way flight. But at that time, officials believed that Goldberg and his wife were still in Europe.

Martin and Goldberg were indicted Oct. 2 on charges of conspiracy to interfere with interstate commerce by extortion; interference with interstate commerce; and intentional damage to a protected computer. (Tom Schuba / Chicago Sun-Times)

Related: Bloomberg, TechCrunch, CyberScoop, CNN, Dataconomy, Reuters, PCMag, CyberInsider, BleepingComputer, The Register, Lawyer Monthly, CSO Online

Researchers at Proofpoint report that hackers are infiltrating trucking and freight companies in a scheme to steal and sell cargo shipments, a growing campaign that could end up costing companies and consumers billions of dollars.

Proofpoint says it has “high confidence” that the hackers are working with organized crime groups to pull off the cargo thefts. The attackers are particularly targeting trucking carriers and freight brokers, seeking to infect their computer networks with tools that provide remote access, with the ultimate goal of hijacking cargo.

The stolen cargo is likely sold online or shipped overseas, according to the report.

The cyber-enabled heists rely on social engineering and a knowledge of how the industry works, allowing hackers to successfully pass as insiders, according to Proofpoint. The criminals look to exploit supply chain technology intended to move cargo more efficiently. (Emily Forgash / Bloomberg)

Related: Proofpoint, Tom's Hardware, 9to5Mac, Infosecurity, Dark Reading, The Record, SC Media, Security Affairs

Attack flow: Proofpoint.

Flock Safety does not require law enforcement customers to use multi-factor authentication (MFA), and its voluntary authentication mechanism does not “natively support” phishing-resistant MFA, according to a letter Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL) sent on Monday to FTC Chairman Andrew Ferguson.

Hackers have reportedly stolen at least 35 Flock customer accounts, according to the letter, which cited data from the cybersecurity company Hudson Rock. Phishing-resistant MFA can help shield accounts from breaches.

Flock’s automated license plate reader cameras are now used in more than 8,000 communities nationwide and have become controversial as reports have surfaced of their being used in investigations of abortion patients and undocumented immigrants.

Flock accounts can be used to track the locations of millions of Americans at any time, the letter notes.

“Flock has received vast sums of taxpayer money to build a national surveillance network,” the letter says. “But Flock’s cavalier attitude towards cybersecurity needlessly exposes Americans to the threat of hackers and foreign spies tapping this data.”

In at least four instances, the FTC has issued enforcement actions against companies for failing to use MFA, the letter says, citing agency settlements with Uber, Chegg, Drizly, and Blackbaud.

Flock’s lack of mandatory MFA has allowed law enforcement to see other agencies’ Flock data through improper password sharing, the letter said. As a result, federal agents can access Flock’s systems using passwords belonging to other users without detection, raising “serious questions about the effectiveness of Flock’s cybersecurity defenses,” the letter says. (Suzanne Smalley / The Record)

Related: TechCrunch, Congressman Krishnamoorthi

A state mediation panel said it has advised SK Telecom, the country's top mobile carrier, to pay 300,000 won ($208) in damages to each complainant over a massive data leak in April.

The Personal Information Dispute Mediation Committee said the proposal was agreed upon during a plenary session after a total of 3,998 people, including three cases of group disputes, filed for mediation of disputes involving SK Telecom.

In April, the company reported a large-scale cyberattack on its main servers, during which universal subscriber identity module (USIM) data of its 23 million subscribers was potentially compromised.

In response, it devised a 500 billion-won customer compensation program that included mobile rate cuts, additional data offers, and discount coupons starting in August. (The Korea Times)

Related: The Chosun

Hackers stole at least 50,000 CCTV clips over nine months from facilities across India and sold them online, feeding a porn fetish network for profit; they compromised 80 CCTV dashboards in seven cities using the default password 'admin123'.

The scam came to light when teaser clips from Payal Maternity Hospital in Rajkot appeared on YouTube channels like “Megha Mbbs” and “cp monda”, leading customers to Telegram groups where the stolen footage was sold.

Officials said the breaches were made possible by default passwords such as “admin123”, enabling hackers to launch automated attacks and collect massive amounts of sensitive footage. (The Times of India)

Related: The Federal, The Economic Times, Varindia

South Australian police launched a third batch of coordinated pre-dawn raids, making a further 55 arrests enabled by a formerly secret encrypted phone application called AN0M that was, in reality, created by a criminal informant and obtained by the FBI in 2018.

In Australia, the first wave of arrests nabbed more than 220 alleged offenders on more than 520 charges.

A High Court ruling earlier this month backed the use of the intelligence garnered from the communications. The ruling also prompted some of the major players arrested as part of the first sting to begin entering guilty pleas. (Jordanna Schriever / ABC.net.au)

Related: The Register

Hackers pilfered more than $100 million worth of cryptocurrency from the decentralized finance protocol Balancer.

Estimates varied, but most blockchain security firms tracked more than $120 million in losses. At least $99 million of the stolen funds were in ETH.

A mainstay in the DeFi industry, Balancer initially said it was aware of the exploit and was investigating it. Cryptocurrency security experts said the incident was traced back to faulty access control mechanisms that the attackers compromised.

The company released a longer message explaining that the incident began in the early morning.

“Any pools that could be paused have been paused and are now in recovery mode,” the company said, noting that it has ties to several other crypto platforms that they could not unilaterally pause.

“Balancer is committed to operational security, has undergone extensive auditing by top firms, and had bug bounties running for a long time to incentivize independent auditors. We are working closely with our security and legal teams to ensure user safety and are conducting a swift & thorough investigation.”

The company is still working with experts to examine what happened and plans to release a post-mortem at some point.

Balancer warned users that fraudulent messages claiming to be from the company’s security team are circulating and should not be interacted with.

Several other blockchain organizations tied to Balancer announced efforts to address the incident. The Berachain Foundation said it halted its network as its team took emergency measures to protect user assets. The organization was able to freeze some funds stolen from its platform. Other crypto platforms like Gnosis, Sonic, Beefy, and others have taken similar measures. (Jonathan Greig / The Record)

Related: CNBC, The Block, CCN, Cryptonews, ForkLog, Bleeping Computer, DL News

Jonathan Levin, chief executive of Chainalysis, told the Financial Times that the rapid growth of so-called DeFi platforms, which operate on blockchains and without intermediaries such as banks, had left their users’ assets at risk of attack.

More than $140bn of crypto assets is held globally on DeFi protocols, according to data provider DefiLlama. Some of the biggest platforms have boomed in popularity this year as investors seek different ways to make money from their crypto tokens, such as lending them out.

DeFi groups are mostly start-ups launched by founders, but some have grown to become multibillion-dollar businesses. Some of the biggest include Aave, which allows its users to lend and borrow their crypto tokens, while EigenLayer is backed by investors including Andreessen Horowitz and Coinbase’s venture arm, and provides token holders with the ability to “restake” their ether tokens to earn returns in the form of more coins.

But security has increasingly become a concern, as crypto hacks continue to rise.

On Monday, more than $100 million was siphoned from DeFi protocol Balancer, according to blockchain data companies, in the latest hack on this corner of the industry. Balancer said it experienced an “exploit” and was conducting a “thorough investigation”. Earlier this year, about $200 million was stolen from the Cetus Protocol, a decentralised exchange, as hackers exploited security vulnerabilities. (Nikou Asgari / Financial Times)

Related: CNBC

According to an audit report of the Federal Reserve's Office of Inspector General, Donald Trump's clampdown on the US Consumer Financial Protection Bureau (CFPB) earlier this year has compounded IT security lapses at the agency through the cancellation of contracts.

The information security program at CFPB – which maintains sensitive and confidential data from investigations, the oversight of companies, and complaints received from members of the public – is "not effective," the report says.

CFPB management accepted its findings and proposed solutions, which the report said would be adequate if implemented.

Claiming the CFPB under previous administrations engaged in politicized enforcement and exceeded its legal authorities, the Trump White House has sought to shrink the agency drastically - proposing to cut the workforce by up to 90% - with top officials, including Trump and acting Director Russell Vought, calling for its outright elimination.

The findings say the agency's data remains vulnerable nine months after the White House took control of the agency and ordered a halt to all activities while granting representatives of the so-called Department of Government Efficiency access to sensitive systems. (Douglas Gillison / Reuters)

Related: Inspector General's Office, American Banker, Forbes

According to a report from extension security platform Secure Annex, a remote access trojan dubbed SleepyDuck, disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.

Open VSX is a community-driven registry for extensions compatible with VS Code, which are popular with AI-powered integrated development environments (IDEs) like Cursor and Windsurf.

The extension is still present on Open VSX as 'juan-bianco.solidity-vlang', albeit with a warning from the platform. Even if the default C2 server at sleepyduck[.]xyz is taken down, the contract on the Ethereum blockchain allows the malware to remain functional.

Since its submission to Open VSX with version 0.0.7 and until version 0.1.3 published on November 2nd, the juan-bianco.solidity-vlang package was downloaded 53,439 times and has only one 5-star rating from its author. (Bill Toulas / Bleeping Computer)

Related: SecureAnnex

Malicious package on Open VSX. Source: BleepingComputer

NHS National Services Scotland (NSS) awarded IT reseller Computacenter a £2.6 million (around $3.4 million) contract for the provision of an AI anti-ransomware platform.

Computacenter will supply the Halcyon platform – from the company of the same name – to support the operation of the Cyber Centre of Excellence (CCoE) for Scotland’s health services.

According to the contract award notice, it is aimed at dealing with the residual risk of ransomware attacks.

It says that Halcyon defends against advanced ransomware attacks and unauthorised access to networks, while complementing existing security measures. It can run on existing devices and has the potential to strengthen NSS’s existing suite of cybersecurity tools significantly.

Anxieties around ransomware have been high in Scotland’s health service since NHS Dumfries was hit by a severe attack by the INC Ransom gang in March of last year, which was followed by the publication of some of the data stolen. (Mark Say / UK Authority)

Related: DIGIT, Public Contracts

Oglethorpe Inc., a Florida-based firm that operates inpatient mental health and addiction recovery treatment facilities in three states, is notifying more than 92,000 patients that their personal and sensitive health information may have been compromised in a data theft hack discovered in June.

Oglethorpe, which reported the data security incident to the Maine attorney general, describes itself on its website as a provider of management solutions for health centers, wellness clinics and hospitals that specialize in psychiatric services, drug and alcohol detoxification and rehabilitation, eating disorder therapy and behavioral health counseling.

The company has facilities in Florida, Ohio and Louisiana, including Heroes' Mile, a facility in Deland, Florida, that provides mental healthcare to military service veterans experiencing addiction, post-traumatic stress and other psychological problems.

Oglethorpe, in its sample breach notification letter provided to Maine regulators, said that on or about June 6, it detected a network security incident in which an unauthorized third party accessed its IT environment. (Marianne Kolbasuk McGee / BankInfoSecurity)

Related: Maine Attorney General

The Department of Homeland Security is directing border-patrol agents to screen all foreign travelers with facial recognition tools as they enter and leave the US, seeking to identify immigrants who entered the country illegally or overstayed visas, the agency said.

Expanding the use of facial recognition at border checkpoints will “make the process for verifying the identity of aliens more efficient, accurate and secure,” DHS said.

The move, set to take effect in late December, would also create a massive biometric database, which DHS is calling a “gallery,” on countless non-US citizens that risks becoming a rich source for deepfakes and other cybercrimes, security experts said. Biometric data can include fingerprints or voice patterns to identify individuals. Initially, the new directive will apply only to photos and at commercial airports. The agency plans to eventually extend the screening to all air, sea, and land ports of entry.

“Anytime you collect and build a large, centralized database of biometrics, especially one that can span decades and include data from millions of individuals, it creates the opportunity for long-term risk,” said Patrick Joyce, global resident chief information security officer at cybersecurity firm Proofpoint.

“As we’ve seen in other attacks, such systems are incredibly valuable targets,” Joyce said. (Angus Loten / Wall Street Journal)

Related: Biometric Update

Cloud and AI security startups have two weeks to apply for a program that fast-tracks access to investors and mentors from Amazon Web Services, CrowdStrike, and Nvidia.

The highly competitive Cybersecurity Startup Accelerator, now in its third year, is accepting applications from early-stage startups through November 15. Last year, hundreds applied and just 36 made the cut.

This year's accelerator seeks companies developing technologies around cloud and application security, identity, agentic security, and data security, all of which become increasingly important - and challenging - as organizations seek to integrate AI into their business processes and deploy agents.

As such, startups developing agentic AI security tech, especially around agent governance and agent identity security, are in high demand this year.

"The program is our way to give back to the cybersecurity community - helping promising startups thrive as they tackle real challenges in securing AI, cloud, and data," Daniel Bernard, chief business officer at CrowdStrike, told The Register. "This year, we're opening applications globally to tap the best ideas from around the world, and we expect another highly competitive class of companies."

The first accelerator focused on startups from Europe, the Middle East, and Asia, and last year expanded to include US-based firms.

Startups selected to participate get cloud access, compute, and threat-intel resources from AWS, Nvidia, and CrowdStrike, plus the chance to get in front of cybersecurity investors and technical experts. (Jessica Lyons / The Register)

Related: PYMNTS, Business Wire

Best Thing of the Day: No Debt for You!

The Office of Personnel Management plans to collaborate on a “mass deferment” for a cyber scholarship-for-service program after the government shutdown ends, a spokesman said, as scholarship recipients have sounded fears about being on the hook for their schooling costs during federal hiring freezes and budget cuts.

Bonus Best Thing of the Day: A Trip Down Memory Lane

In its continuing podcast series Cyber Hack, BBC News offers an insightful look at the notorious Russian cybercrime gang Evil Corp.

Worst Thing of the Day: Escalating the Fight

A hacking collective known as Cyber Toufan began publishing to Telegram video footage from inside Maya Engineering, one of 17 defense companies it targeted after Israel killed more than 100 people in Gaza on Wednesday, alongside mechanical drawings of defense hardware.

Closing Thought
