US charges 13 men with stealing $264 million in crypto

Chinese solar inverters contain unexplained comms kit, FBI warns of threat actors using AI voices to impersonate US officials, Fancy Bear is targeting Ukraine officials' email accounts, Pompompurin to forfeit $700k, RI could sue Deloitte for sleeping on Brain Cipher hack of its VPN, much more

Federal prosecutors charged 13 men in what court records describe as a wide-ranging conspiracy to identify victims with substantial holdings of cryptocurrency, steal those assets, and then launder the proceeds.

More than $265 million in crypto was stolen from the victims, according to a superseding indictment.

The participants, Americans and foreign nationals who allegedly became friends on online gaming platforms, are accused of spending lavishly after the thefts, including $9 million on exotic cars and $4 million on nightclubs, as well as on multiple rental properties.

One of the defendants, 20-year-old Singapore native Malone Lam, was previously arrested and charged in connection with the largest of those thefts, which netted about $245 million in bitcoin from a man in Washington, DC, in mid-August.

That theft is believed to have led to the brazen kidnapping in suburban Connecticut of the parents of one of Lam’s alleged co-conspirators by a crew of thugs from Florida who prosecutors say planned to hold the parents for ransom from their newly rich son.

It also allegedly enabled Lam to purchase more than 30 exotic automobiles, including Ferraris, Lamborghinis, Mercedes G Wagons, a Rolls-Royce, a McLaren, and a Pagani, the superseding indictment says. He also allegedly bought a watch for $2 million. (Dan Mangan / CNBC)

Related: Justice Department, Indictment, Databreaches.net, BeInCrypto, Bleeping Computer, Cryptorank

Sources say US energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them.

Power inverters, predominantly produced in China, are used worldwide to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps, and electric vehicle chargers.

While inverters are built to allow remote access for updates and maintenance, the utility companies that use them typically install firewalls to prevent direct communication back to China.

However, the sources said rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by US experts who strip down equipment hooked up to grids to check for security issues. Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers. (Sarah Mcfarlane / Reuters)

Related: Industrial Cyber, PV Magazine, Business Magazine, Interesting Engineering, TechRadar, Digitimes, The Economic Times, Business Standard, Seeking Alpha

The FBI warned that “malicious actors” are impersonating senior US officials in artificial intelligence-generated voice memos that target current and former government officials and their contacts.

“If you receive a message claiming to be from a senior US official, do not assume it is authentic,” the FBI said.

The Bureau said that since last month, the scammers have “sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official to establish rapport before gaining access to personal accounts.”

The announcement said that, among other things, the scammers gain access to those accounts by sending their targets malicious links, which they claim will move conversations to a separate messaging platform.

By accessing US officials’ personal or government accounts, the bad actors could target other officials or their associates using stolen information. (Kevin Breuninger / CNBC)

Related: IC3, CNN, Reuters, Cyberscoop, Security Week, IT Pro, UPI, Ars Technica, Cointelegraph, The Cyber Express, Cybernews

Researchers at ESET report that Fancy Bear, the hacking group linked to Russia’s Main Intelligence Directorate (GRU), has been targeting the email accounts of high-ranking Ukrainian officials and executives at defense contractors located in other countries who sell weapons and equipment to Kyiv.

The campaign, which has been ongoing since at least 2023, has taken advantage of spearphishing and cross-site scripting vulnerabilities in various webmail software products, including Roundcube, Horde, MDaemon, and Zimbra.

Just one of those vulnerabilities was a zero-day that ESET researchers suspect was first identified by Fancy Bear, also known as APT28 or “Sednit” in ESET’s tracking terminology. The group was observed leveraging CVE-2024-11182 in November 2024 emails sent to two Ukrainian state-owned defense companies and a Ukrainian civilian air transport company.  

The remaining webmail programs were compromised using known vulnerabilities that already had patches available. There is evidence that the Russian hacking group has been heavily focused on webmail software since 2023, steadily identifying and adding more vulnerabilities that can target and break into various programs.

According to the report, the victims in 2024 alone included officials from regional national governments in Ukraine, Greece, Cameroon, and Serbia, military officials in Ukraine and Ecuador, and employees of defense contracting firms in Ukraine, Romania, and Bulgaria. (Derek B. Johnson / Cyberscoop)

Related: ESET, Odessa-Journal, The Record, Help Net Security

Operation RoundPress compromise chain. Source: ESET.

On January 18, 2023, Breachforums denizens posted for sale tens of thousands of records—including Social Security numbers, dates of birth, addresses, and phone numbers—stolen from Nonstop Health, an insurance provider based in Concord, Calif.

Class-action attorneys sued Nonstop Health, which added Breachforums operator Fitzpatrick (known online as Pompompurin) as a third-party defendant to the civil litigation in November 2023, several months after the FBI arrested him and criminally charged him with access device fraud and CSAM possession. In January 2025, Nonstop agreed to pay $1.5 million to settle the class action.

Jill Fertel is a former prosecutor who runs the cyber litigation practice at Cipriani & Werner, the law firm representing Nonstop Health. Fertel said this is the first and only case where a cybercriminal or anyone related to the security incident was named in civil litigation.

Despite admitting to possessing more than 600 CSAM images and personally operating Breachforums, Fitzpatrick was sentenced in January 2024 to time served and 20 years of supervised release. Federal prosecutors objected, arguing that his punishment failed to adequately reflect the seriousness of his crimes or serve as a deterrent. (Brian Krebs / Krebs on Security)

A CrowdStrike investigation revealed that Brain Cipher, the hacker group that gained access to Rhode Island’s state benefits system last year, making the private data of more than 640,000 people vulnerable, did so in July, five months before state officials realized it.

State officials also revealed that thousands of people who were not initially thought to be affected by the breach had also had their data stolen. They will be alerted in the coming weeks.

The hacker and ransomware group, Brain Cipher, first accessed the system on July 2, 2024, by entering credentials to RIBridges’ virtual private network, or VPN. Through November, the hacker could browse files and folders tied to RIBridges, according to a summary of the investigation completed by CrowdStrike, and released by Governor Dan McKee’s administration.

Brian Tardiff, the state’s chief digital officer, said Brain Cipher accessed the system using the username and password of an employee of Deloitte, the state’s vendor who oversees it.

McKee said the state will “pursue all avenues to ensure accountability” against Deloitte. Attorney General Peter Neronha’s Office is reviewing the matter.

Related: Governor Dan McKee, CrowdStrike, WLNE, WPRI, WJAR, Newport Buzz, Rhode Island Current, The Providence Journal, GoLocalPro

An extensive investigation by Sophos X-Ops, pulled from thousands of posts on two Russian-language and three English-language cybercrime forums, uncovered chatty cybercriminals seeking to help each other launder their money with more common business pursuits.

Cybercriminals prop up businesses with their ill-gotten gains, from drive-thru coffee shops to real estate, education, pharmaceuticals, construction, software development, and cybersecurity companies and services.

Users on these forums proposed selling spyware to pentesters and corporations, developing exploits, or finding vulnerabilities in local businesses’ networks to turn that into an opportunity to sell protective services. “I accidentally found myself in this situation, raised a lot of money and got a regular client,” an unnamed user wrote, according to Sophos.

Researchers also observed proposals for security startups specializing in vulnerability research and a hash decryption service using a commercial cloud provider. One user recommended an investment in a prominent cybersecurity vendor. (Matt Kapko / Cyberscoop)

Related: Sophos, Cybernews

A criminal-forum user shares some advice on anti-laundering investigations they attribute to “a tax attorney.” Source: Sophos.

According to a report by the Russian Audit Chamber, a cyberattack on Russia's national case management and electronic court filing system wiped out about a third of its case archive.

The system, known as “Pravosudiye” (meaning “justice” in Russian), was hacked last October and was down for a month, disrupting the operation of Russian court websites, communication networks, and email services.

The attack was claimed by the pro-Ukraine hacking group BO Team, which has previously collaborated with Ukrainian military intelligence in operations against Russian entities. Ukrainian authorities have not publicly confirmed any official military intelligence participation in this incident.

The report said that after the breach, the Pravosudiye system lost nearly 89 million court files stored in a “consolidated database” containing all decisions from Russian courts.

Local media reported that the missing records should still be accessible on individual district and local court websites, but compiling them into a single archive could be difficult.

The Audit Chamber's report also revealed a troubling security lapse in the Pravosudiye system: The last external security check of its websites was conducted in 2015, and the system itself has not been fully updated since its implementation. The system runs on outdated foreign software, with all data and copies stored in a single data center.

In March, Russia’s Federal Security Service (FSB) raided IT companies involved in developing an information system for Moscow's courts, which is part of the Pravosudiye system. Local media reported that the FSB's actions were triggered by concerns about the legality of the budget funds allocated to the project. Since 2003, the Russian government has allocated 65.2 billion rubles ($810 million) to Pravosudiye. (Daryna Antoniuk / The Record)

Criminals have targeted mid-sized brokerages in Japan after the country’s biggest securities firms added additional protection for online trading.

Okasan Securities Co. and Iwai Cosmo Securities Co. said they had been hit by fraudulent trading. Iwai Cosmo said a third party had gained access to client accounts and conducted illicit trades in Japanese equities.

The hacking of online trading accounts has exploded in Japan, surging more than 10-fold in April from March. (Ryo Horiuchi / Bloomberg)

Related: Business Times

Hundreds of victims are surfacing worldwide from zero-day cyberattacks on SAP, Europe’s biggest software manufacturer, in a campaign that one leading cyber expert compares to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.

The zero-day vulnerabilities, previously unknown to researchers or companies but discovered by malicious hackers, received patches this month and last month, but there are signs that the situation could get worse before it gets better.

Ransomware gangs are now reported to be exploiting the vulnerabilities, beyond the original Chinese government-connected attackers.

Several companies have been tracking the vulnerability and its consequences, including Onapsis, which DeWalt’s company invests in, along with EclecticIQ, ReliaQuest, and Google’s Mandiant.

Onapsis has collaborated with Mandiant to develop an open-source tool to help organizations detect the attack, which is exceptionally stealthy, according to Mariano Nunez, CEO of Onapsis, who believes there are likely thousands of victims. (Tim Starks / Cyberscoop)

Related: Bleeping Computer, TechRadar, Bleeping Computer, Security Week

A push is gearing up to renew an expiring 10-year-old cybersecurity law, the 2015 Cybersecurity Information Sharing Act, that was viewed at its initial passage as the most significant cybersecurity legislation Congress had ever passed, and that advocates say now fosters several important threat-sharing initiatives.

The act provides legal protections for companies that voluntarily share threat intelligence with the government or with each other, such as federal antitrust exemptions and shields against state and federal disclosure laws.

The law's reauthorization faces several hurdles, including uncertainty about who will lead the bill in the House and Senate, potential privacy concerns, a tight timeline, and other competing priorities. Some also believe the law could use updates to fit today’s threats, potentially introducing further complications.

However, its renewal has some bipartisan support, including among leaders of committees important to its passage, and outside groups are optimistic that it can win congressional approval.

The push is in the early stages, but there’s a “growing recognition” that it needs to be reauthorized, said Matthew Eggers, vice president of cybersecurity policy in the US Chamber of Commerce’s cyber, intelligence, and security division. (Tim Starks / Cyberscoop)

Related: NextGov/FCW, Federal News Network

The Pwn2Own Berlin 2025 hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) is currently underway in Berlin, Germany, and on the first day participants earned a total of $260,000.

Pwn2Own Berlin 2025 introduces AI hacking. The first-ever winner in this category is Sina Kheirkhah of Summoning Team, who earned $20,000 for an exploit targeting the Chroma open-source AI application database.

The same researcher earned an additional $15,000 for a different exploit in the same category. He successfully hacked an NVIDIA Triton Inference Server, but it has been marked as a ‘collision’ because the vendor had known about the bug but had yet to patch it.

Viettel Cyber Security earned the same amount for another known NVIDIA Triton vulnerability that the tech giant had yet to patch.

The Star Labs team earned the highest single reward of the first day, $60,000, for an exploit chain involving a Linux kernel vulnerability to perform a Docker Desktop escape and ultimately execute code on the underlying operating system.

Team Prison Break got $40,000 for escaping Oracle VirtualBox and executing code on the underlying OS.

Others earned between $15,000 and $30,000 for Red Hat and Windows 11 exploits. (Eduard Kovacs / Security Week)

Related: Zero Day Initiative, Beta News, PC Perspective, Bleeping Computer

Day one results for Pwn2Own Berlin.

Cybersecurity firm Proofpoint is acquiring European rival Hornetsecurity for north of $1 billion to strengthen its European presence as it explores a return to public markets.

The deal marks the single largest acquisition in Proofpoint’s history.

Proofpoint, which private equity giant Thoma Bravo currently owns, said Hornetsecurity would help deepen its expertise in the managed service provider (MSP) ecosystem. (Ryan Browne / CNBC)

Related: CyberScoop, Business Wire, CRN, SiliconANGLE, Channel Futures, The Record, PYMNTS.com, CSO Online

Best Thing of the Day: It Turns Out That Maybe Crime Doesn't Pay as Well as You Thought

Russian cybercriminal Andrei Tarasov, who fled his country due to "political persecution" and claims to have been granted asylum in Ukraine, hasn't exactly reaped the luxury rewards he expected.

Worst Thing of the Day: Is It More Than Two But Less Than a Million?

The US Department of Homeland Security won’t tell Congress how many employees at the Cybersecurity and Infrastructure Security Agency it has fired or pushed to leave.

Bonus Worst Thing of the Day: Brains Circling Down the NSA's Drain

Dave Luber, who was named the NSA’s director of cybersecurity last year, will retire on May 30.
