UK's NCA arrested four people for M&S, Co-Op cyberattacks

Russian hoops player Kasatkin busted in France in connection with ransomware, McDonald's employee chatbot was riddled with absurd flaws, Hackers stole $40m from GMX protocol, Customer data exposed in Bitcoin Depot breach, Hackers run scam messages in old Mt. Gox wallets, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you can't commit to a subscription today, please consider donating whatever you can. Thank you!

The UK National Crime Agency says that four people, a 20-year-old woman and three males, aged between 17 and 19, have been arrested by police investigating the cyberattacks that have caused havoc at M&S and the Co-op.

They were apprehended on suspicion of Computer Misuse Act offences, blackmail, money laundering, and participating in the activities of an organised crime group.

All four were arrested at their homes in the early hours on Thursday. The police also seized electronic devices.

Paul Foster, head of the NCA's National Cyber Crime Unit, said the arrests were a "significant step" in its investigation.

"But our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice," he added.

The hacks, which began in mid-April, have caused massive disruption for the two retailers and have been attributed to a youth-oriented, loosely organized cybercrime collective known as Scattered Spider.

Some Co-op shelves were left bare for weeks, while M&S expects its operations to be affected until late July, with some IT systems not fully operational until October or November. (Joe Tidy / BBC News)

Related: The Record, Metro.co.uk, The Guardian, Financial Times, Infosecurity Magazine, Digit

Russian professional basketball player Daniil Kasatkin was arrested in France on June 21 at the request of the United States, which suspects him of being part of a ransomware hacking network.

The basketball player disputes these allegations.

Kasatkin, who until recently played for the Moscow team MBA-MAI, was arrested at Paris's Roissy-Charles de Gaulle airport after arriving in France with his fiancée, whom he had just proposed to.

The hacking network the basketball player is suspected of being part of is believed to have used ransomware to attack some 900 companies, including two federal institutions. The attacks date back to 2020-2022, and the damages were not disclosed.

Placed under extradition custody since June 23, Daniil Kasatkin, 26, is accused by the American justice system of having negotiated ransom payments as part of this network, which he denies. The basketball player, who studied for a time in the United States, is the subject of a US arrest warrant for "conspiracy to commit computer fraud" and "computer fraud conspiracy."

"He bought a second-hand computer. He did absolutely nothing. He's stunned," his lawyer, Frédéric Bélot, said.

The basketball player, who said he did not feel safe in prison because of Russia's war on Ukraine, said his weight had already dropped from 95 kg to 89 kg. (Le Monde)

Related: Meduza, The Moscow Times

Until last week, the platform that runs McDonald's employee chatbot Olivia, built by artificial intelligence software firm Paradox.ai, suffered from absurdly basic security flaws, such as allowing any hacker to access the records of every chat Olivia had ever had by entering the username and password “123456."

Security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com. They were able to query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Paradox confirmed Carroll and Curry’s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information. It said it had verified that the account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers.

The company also added that it’s instituting a bug bounty program to catch security vulnerabilities better in the future. (Andy Greenberg / Wired)

Related: Ian Carroll, Paradox, India Today, The Daily Beast, Sydney Morning Herald, Reddit-hacking, The420

Logging in with the user name 123456 and the password 123456. Source: Ian Carroll and Sam Curry.

The GMX protocol halted trading on GMX V1 after a liquidity pool suffered an exploit on Wednesday, leading to $40 million in funds being stolen and sent to an unknown wallet.

GMX V1 is the first version of the GMX perpetual exchange deployed on the Arbitrum network. The attacked pool is a liquidity provider for the GMX protocol with a basket of underlying digital assets.

The protocol has also announced a temporary suspension in minting and redemption of GLP tokens on both Arbitrum and the layer-1 Avalanche network to protect against any additional fallout from the cybersecurity exploit.

Users of the platform were instructed to turn off leverage and change their settings to turn off GLP minting.

“The exploit does not affect GMX V2, its markets, or liquidity pools, nor the GMX token itself. Based on the available information, the vulnerability is limited to GMX V1 and its GLP pool,” the team said.

Blockchain security company SlowMist attributed the exploit to a design flaw that allowed hackers to manipulate the GLP token price through the calculation of the total assets under management. (Vince Quill / Cointelegraph)

Related: AInvest, The Block, Coin Central, Crypto Head, CryptoRank, The Daily Hodl, The Record, DL News

Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information.

In a letter sent to affected individuals, the company says it first detected suspicious activity on its network last year on June 23.

Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was finished.

“On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained,” explains Bitcoin Depot in the letter.

“Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation." (Bill Toulas / Bleeping Computer)

Related: The Record, Cointelegraph, CCN, SC Media, Maine Attorney General, Massachusetts Attorney General

Old BTC held in wallets linked to Mt. Gox have been targeted with scam messages, with hackers abusing the op_return function to embed messages in transactions, creating a new form of phishing.

As BTC trades near record levels, old wallets are looking ever more attractive. Attackers are attempting a new type of phishing by abusing the op_return function on Bitcoin. Using op_return allows the embedding of information in each BTC transaction. This function was also used to create Bitcoin-based NFTs.

Scammers are generating messages that spoof official-looking sites, claiming ownership of the wallet. The message can do nothing to move the coins, but it can urge some users to take action. Some messages embedded in transactions point to sites or forms. Others attempt to claim ownership of the wallet, as in previous cases that tried to exploit older whales.

The attempts at scamming owners mainly targeted whale wallets from the 2011 era. (Cryptorank)

Related: AInvest

A recently emptied whale wallet received an op_return message claiming ownership over the wallet, embedded in a dust transaction. | Source: Blockchain.com
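The phishing technique above works because any output whose script starts with OP_RETURN can carry arbitrary bytes. As an added example (not code from the article or from any of its sources), the script below shows how a wallet-monitoring tool could parse such scripts, decode the embedded text and flag messages that contain a URL or ownership/contact wording; it also handles the longer PUSHDATA1/2/4 push forms, which go beyond the dust transactions the article describes. The sample scripts and the indicator word list are constructed for illustration.

```python
"""Decode OP_RETURN payloads from Bitcoin output scripts and flag phishing-style text.

Added example, not from the original article. The sample scripts below are
constructed; a real monitor would feed in outputs from transactions that touch
the wallets it watches.
"""
import re
from typing import Optional

OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1 / 2 / 4

# Constructed indicators: an embedded link, or wording that asserts ownership
# of the coins or urges the holder to get in touch.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
CLAIM_WORDS = ("legal", "owner", "claim", "lost access", "contact", "recover")


def parse_op_return(script_hex: str) -> Optional[bytes]:
    """Return the concatenated data pushed by an OP_RETURN output script,
    or None if the script is not OP_RETURN followed only by data pushes."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    pos, chunks = 1, []
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 75:                       # direct push of `op` bytes
            length = op
        elif op in PUSHDATA_WIDTH:              # length prefix follows the opcode
            width = PUSHDATA_WIDTH[op]
            if pos + width > len(script):
                return None                     # truncated length field
            length = int.from_bytes(script[pos:pos + width], "little")
            pos += width
        else:
            return None                         # not a plain data push
        if pos + length > len(script):
            return None                         # truncated payload
        chunks.append(script[pos:pos + length])
        pos += length
    return b"".join(chunks)


def classify_message(payload: bytes) -> dict:
    """Decode the payload as text when it is printable and report why it looks
    like a scam message. Binary payloads (e.g. inscriptions) are left unflagged."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return {"text": None, "suspicious": False, "reasons": []}
    if not text.isprintable():
        return {"text": None, "suspicious": False, "reasons": []}
    reasons = []
    if URL_RE.search(text):
        reasons.append("embedded URL")
    if any(word in text.lower() for word in CLAIM_WORDS):
        reasons.append("ownership/contact wording")
    return {"text": text, "suspicious": bool(reasons), "reasons": reasons}


def build_op_return(message: bytes) -> str:
    """Build a constructed OP_RETURN script (direct push, message <= 75 bytes)."""
    assert len(message) <= 75
    return bytes([OP_RETURN, len(message)]).hex() + message.hex()


# Constructed sample: an ownership claim with a link, as seen in the article's scam.
SAMPLE_SCAM = b"LEGAL NOTICE: wallet owner must claim at www.example.invalid"
SAMPLE_BENIGN = b"hello world"
SAMPLE_P2PKH = "76a914" + "00" * 20 + "88ac"   # ordinary pay-to-pubkey-hash output


def scan_outputs(script_hexes):
    """Return (script_hex, classification) for every OP_RETURN output that looks suspicious."""
    flagged = []
    for script_hex in script_hexes:
        payload = parse_op_return(script_hex)
        if payload is None:
            continue
        result = classify_message(payload)
        if result["suspicious"]:
            flagged.append((script_hex, result))
    return flagged


if __name__ == "__main__":
    for script_hex, result in scan_outputs(
        [SAMPLE_P2PKH, build_op_return(SAMPLE_BENIGN), build_op_return(SAMPLE_SCAM)]
    ):
        print(f"flagged: {result['text']!r} ({', '.join(result['reasons'])})")
```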

Japan-based Nippon Steel Solutions disclosed a data breach that resulted from the exploitation of a zero-day vulnerability.

Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity, and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal.

Nippon Steel Solutions said that it detected suspicious activity on some servers on March 7. An investigation showed that hackers had exploited a zero-day flaw in unspecified network equipment and gained access to information on customers, partners, and employees. 

In the case of customers, the attackers may have stolen information such as name, company name, address, job title, affiliation, business email address, and phone number.

The exposed information in the case of partners includes names and business email addresses, while for employees the attackers may have obtained names, business email addresses, job titles, and affiliation. (Eduard Kovacs / Security Week)

Related: Nippon Steel, Security Affairs

Iran International confirmed on Tuesday that recently published materials from the hacked Telegram accounts of its journalists are linked to two separate cyberattacks carried out in the summer of 2024 and January 2025.

The attacks were carried out by Banished Kitten (also referred to as Storm-0842 and Dune), a group that operates under the Cyber Threat Countermeasures Unit of the Domestic Security Directorate of Iran’s Ministry of Intelligence, under the supervision of Yahya Hosseini Panjaki, whose identity was first exposed by Iran International.

Iran International is a Persian-language TV news network that broadcasts 24/7 and has a strong following in Iran, despite government efforts to restrict access to the internet and satellite signals. Tehran has labelled it a terrorist organization. (Iran International)

Related: The Committee to Protect Journalists, Kurdistan24, IRIB News

Researchers at Morphisec report that an Iranian ransomware gang known as Pay2Key.I2P has ramped up operations amid heightened tensions in the Middle East, offering larger profit shares to affiliates who carry out cyberattacks against Israel and the US.

The group is believed to be a successor to the original Pay2Key operation, which has been linked to Iran’s state-backed Fox Kitten hacking group. Fox Kitten has previously carried out cyber-espionage campaigns targeting Israeli and US organizations.

The researchers say Pay2Key.I2P has adopted a ransomware-as-a-service model and claims to have collected more than $4 million in payments over the past four months.

Since June, the group has offered affiliates an 80% cut of ransom proceeds, up from 70%, if they participate in attacks against Iran’s adversaries.

“Our brothers in Iran are being subjected to military aggression. We are ready to offer a favorable percentage for anyone engaged in an attack against the enemies of Iran,” the group said in a message posted on a darknet forum.

Morphisec said the group seems to be motivated by both money and ideology, and is trying to recruit members on Russian-speaking hacker forums. Researchers believe Pay2Key.I2P collaborates with operators of the Mimic ransomware, which uses code from the defunct Conti gang, whose tools were leaked after it publicly supported Russia’s invasion of Ukraine. (Daryna Antoniuk / The Record)

Related: Morphisec, Stratfor, Security Affairs, The Register, SC Media

Source: Morphisec.

They identified more than 17,000 such sites, which publish fake stories featuring prominent public figures, including national leaders and central bank governors.

The articles falsely linked those figures to “fabricated investment schemes to build trust and get engagement from victims,” the researchers said.

The scam spans more than 50 countries, with websites tailored to local audiences by using native languages, regional celebrities, and well-known financial institutions to appear credible, CTM360 said. Many victims are based in the Middle East, but some in Europe and the United States have also been identified.

The scheme typically begins with ads placed on platforms like Google and Meta, which redirect users to bogus news articles. Clicking these articles leads to fraudulent investment platforms, often branded as Eclipse Earn, Solara, or Vynex, that promise high returns through automated crypto trading, the researchers said.

These platforms are professionally designed to appear legitimate, featuring fake dashboards, manipulated profit data, and fabricated testimonials, CTM360 said.

Victims are asked to register by submitting personal information and uploading identification documents such as national IDs or passports. They are then prompted to deposit an initial amount, usually around $240.

However, no real trading occurs on these platforms, and users don't get their money back. (Daryna Antoniuk / The Record)

Related: CTM360

Stages of the cryptocurrency scheme. Source CTM 360.

Independent researcher g0njxa discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a persistent backdoor, which MacPaw's cybersecurity division Moonlock subsequently analyzed.

The researchers say that AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected, and have the potential to gain full access to thousands of Mac devices worldwide.

Moonlock reports that Atomic has recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners, as well as job interview invitations to freelancers.

The analyzed version of the malware comes with an embedded backdoor, uses LaunchDaemons to survive reboots on macOS, tracks victims by ID, and uses new command-and-control infrastructure. (Bill Toulas / Bleeping Computer)

Related: Moonlock, Infosecurity Magazine, r/cybersecurity, HotHardware

Internal message from the AMOS threat campaign. Source g0njxa via Moonlock.

John Tuckner of SecurityAnnex reports that 245 extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service.

The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.

Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include advertisers. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as "the world's most reliable and cost-effective Web scraping API."

Olostep says its service “avoids all bot detection and can parallelize up to 100K requests in minutes.” Paying customers submit the locations of browsers they want to access specific webpages. Olostep then uses its installed base of extension users to fulfill the request.

A number of the extensions are now inactive on Chrome, Edge, and Firefox. (Dan Goodin / Ars Technica)

Related: Secure Annex

Researchers from Qianxin Technology's RedDrip Team detailed a longstanding espionage attack by a previously unknown Western threat actor they've named "NightEagle Group," or APT-Q-95, that has been exploiting an unknown zero-day in Microsoft Exchange to steal high-value intelligence from China's military and major technology industries.

The threat actor has a history of breaching Microsoft accounts to spy on Chinese organizations of interest to the US: chip manufacturers, companies specializing in artificial intelligence (AI) and quantum technologies, defense contractors, and more.

In this case, over a year, NightEagle appears to have exploited a mysterious bug in Microsoft Exchange to siphon off "all key target emails" from an undisclosed organization, according to RedDrip's description.

The campaign fell apart when Qianxin's network detection and response program identified an abnormal domain name server (DNS) request to the domain "synologyupdates.com." Synology is a Taiwanese manufacturer of network-attached storage (NAS) appliances, but it does not count "synologyupdates" among its registered domains. (Nate Nelson / Dark Reading)

Related: GitHub, CSO Online

Night Eagle attack flow. Source: Qianxin Technology.

The Regional Court of Leipzig in Germany ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding tracking technology in third-party websites, a ruling that could open the door to hefty fines down the road over data privacy violations relating to pixels and similar tools. 

The court ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR).

The ruling in favor of the plaintiff sets a precedent that the court acknowledged will allow countless other users to sue without “explicitly demonstrating individual damages,” according to the court. (Suzanne Smalley / The Record)

Related: Vijesti, PPC Land, Sachsen.de

Agents from Immigration and Customs Enforcement (ICE) have gained access to a massive database of health and car insurance claims called ISO ClaimSearch and are using it to track down people they want to deport.

The database, which contains details on more than 1.8 billion insurance claims and 58 million medical bills and growing, includes peoples’ names, addresses, telephone and tax identification numbers, license plates, and other sensitive personal information.

Internal ICE material seen by 404 Media says that officers from the agency’s Enforcement and Removal Operations (ERO) section can use ISO ClaimSearch to help find targets. ERO is the section of ICE focused on deportations. The material says ISO ClaimSearch includes data on vehicle and health insurance claims. (Joseph Cox / Motherboard)

Related: Insurance Business

Google released a blog post with more information on how Chrome operates when Android mobile users enable Advanced Protection, highlighting strong security improvements.

Among the enhancements in Advanced Protection is enforcing secure connections, which forces Chrome to attempt HTTPS for all sites (public and private) and warns users before connecting to any site over insecure HTTP; this protects against attackers who may intercept or alter data over unencrypted connections.

Another advancement is complete site isolation, which isolates each website into its own process, preventing one site from accessing data from another, even in the event of a renderer exploit. On Android with more than 4GB of RAM, the feature is active by default; otherwise, it can be enabled under Advanced Protection.

Finally, Advanced Protection offers JavaScript Optimization and Security, which disables high-level JavaScript optimizing compilers in Chrome’s V8 engine to reduce the browser’s attack surface. These optimizers improve performance but have historically been linked to many exploited bugs. It is estimated that disabling them could have mitigated roughly half of such cases, with no significant performance hit on most sites. (Bill Toulas / Bleeping Computer)

Related: Google Security Blog, 9to5Google, GBHackers

Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver “secure” and “private” messaging without a centralized infrastructure.

The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. By being decentralized, Bitchat has potential for being a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey’s white paper detailing the app’s protocols and privacy mechanisms, Bitchat’s system design “prioritizes” security. 

But security researchers are questioning the security claims given that the app and its code have not been reviewed or tested for security issues at all, by Dorsey’s own admission.

Since launching, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received an external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.” (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: GitHub, Cryptoslate, Bitcoin Magazine, The Cable

Sources say a special team created by Director of National Intelligence Tulsi Gabbard has expressed a desire to gain access to emails and chat logs of the largest US spy agencies to use artificial intelligence tools to ferret out what the administration deems as efforts to undermine its agenda.

The mission of the Director’s Initiative Group, or DIG, is to enforce President Donald Trump’s executive orders to end “weaponization” of the federal government, declassify documents, and halt diversity, equity, and inclusion programs, according to Gabbard’s office.

So far, none of the US spy agencies approached has transferred the data, several people said. (Ellen Nakashima, Warren P. Strobel, and Aaron Schaffer / Washington Post)

Related: The Independent

Cyberstarts, the Israeli venture capital firm best known for its early investment in the cybersecurity company Wiz, has raised $300 million to buy shares from employees of the firm’s portfolio companies, co-founder Gili Raanan said.

Raanan, a former partner at Sequoia Capital, said the goal is to reward long-tenured employees with reliable and recurring opportunities to cash out vested shares. It’s part of a broader effort by Raanan to rethink the venture capital model as startups stay private longer and face new challenges. (Kate Clark / Bloomberg)

Related: Business Wire, Reuters

Best Thing of the Day: A Smart Home Is a Secure Home

More smart home device manufacturers are making it easier for security researchers to report security vulnerabilities. 

Worst Thing of the Day: ICE Is Spying on Protestors

ICE was likely using an IMSI catcher to collect identifying information from cell phones at a July 4 protest of its dehumanizing tactics outside one of its offices in Washington state.

Bonus Worst Thing of the Day: Customs and Border Protection Will Soon Be Spying Bigly on the Border

Among the $6 billion allocated for border security policies in Trump's so-called Big, Beautiful Bill is money for military contractor Anduril to build a “virtual wall” of sensor-laden surveillance towers along the US-Mexico border, where computers increasingly carry out the work of detecting and apprehending migrants.

Extra Bonus Worst Thing of the Day: You Can Take Musk Out of the Government But You Can't Take the Government Out of Musk

With Musk long gone from the federal government, his so-called Department of Government Efficiency is continuing its destructive actions in federal agencies.
