US feds seize nearly $8 million from fake DPRK IT workers

Cellebrite buys Corellium for $200m, Play gang breached 900 orgs, Two ViLE members sentenced, UK revenue offices lost $64m to phishing scam, One-fifth of Ukraine IP space under Russian control, Cairncross defends his lack of tech expertise, Ukraine claims hack of Russian aviation giant, much more


Don't miss my latest CSO piece that examines the shared challenges but diverging paths that Sean Plankey and Sean Cairncross, the Trump administration's top two nominated cybersecurity leaders, will face.


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.



The US Justice Department announced that it is moving to seize, through a civil forfeiture complaint, $7.74 million in cryptocurrency that North Korean nationals were attempting to launder. The funds were wages earned by North Korean IT workers who obtained remote jobs under false identities and funneled the money to the regime.

The allegedly ill-gotten funds were linked to Sim Hyon Sop, a representative of North Korea's Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, a company associated with North Korea's Ministry of Defense, the Justice Department said. Both men were added to the Treasury Department's Office of Foreign Assets Control sanctions list in 2023.

“The FBI’s investigation has revealed a massive campaign by North Korean IT workers to defraud U.S. businesses by obtaining employment using the stolen identities of American citizens,” Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division, said.

Federal prosecutors previously charged Sim for allegedly conspiring with North Korean technical workers to gain remote employment at companies based in the United States and elsewhere, and conspiring with cryptocurrency traders to launder ill-gotten proceeds from those employers.

The Justice Department accused Kim of acting as an intermediary between the North Korean IT workers and the North Korean Foreign Trade Bank to facilitate the transfer of funds to Sim. Officials said Chinyong, the organization Kim runs, employs groups of North Korean IT workers operating in Russia, Laos, and other countries. (Matt Kapko / Cyberscoop)

Related: Justice Department, Court Listener, Cointelegraph, crypto.news, cryptorank, Cybernews, Reddit, Fortune Crypto, NK News

Cellebrite, one of the largest providers of phone forensics tools, is acquiring Corellium for up to $200 million, a deal that promises to give law enforcement unprecedented tooling for extracting data from seized electronics.

Corellium makes virtualized Android and iOS devices that security researchers use to hack on mobile software without physical hardware.

The deal is a coup for founder and CTO Chris Wade, who in the last five years alone settled a major copyright lawsuit from Apple and received a pardon from President Trump for his role in providing proxy servers to a pair of spammers who were convicted of cybercrimes in the mid-2000s. Wade avoided prison time by doing undercover work for the Department of Justice.

Wade will start a new chapter as the chief technology officer at Cellebrite, which is listed on the Nasdaq with a $4 billion market cap and posted over $400 million in revenue in 2024.

The $200 million deal will consist of $150 million in cash, $20 million of restricted stock, and another $30 million in cash if certain, unspecified performance milestones are hit over the next two years. (Thomas Brewster / Forbes)

Related: Paladin Capital Group, Cyberscoop, Security Week, TechCrunch, GlobeNewswire News Room, Dark Reading, The Register, CTech, Guru Focus

In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the roughly 300 victims counted as of October 2023 in the original advisory.

"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024," the FBI warned.

"As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors."

In guidance issued by the FBI, CISA, and the Australian Cyber Security Centre, security teams are urged to prioritize keeping their systems, software, and firmware up to date to reduce the likelihood that unpatched vulnerabilities are exploited in Play ransomware attacks.

Defenders are also advised to implement multifactor authentication (MFA) across all services, focusing on VPN, webmail, and accounts with access to critical systems in their organizations' networks.

Additionally, they should maintain offline data backups and develop and test a recovery routine as part of their organization's standard security practices. (Sergiu Gatlan / Bleeping Computer)

Related: The Record, CISA, HotHardware, Cybersecurity Dive, SC Media, CyberInsider, Tech Monitor, Cyber Security News, Forbes, Security Affairs

The US Justice Department announced that District Judge Frederic Block sentenced Sagar Steven Singh, also known as “Weep,” to 27 months’ imprisonment for conspiracy to commit computer intrusion and aggravated identity theft, a sentence that followed the May 30 sentencing of Nicholas Ceraolo, also known as “Convict,” “Anon,” and “Ominous,” to 25 months’ imprisonment for the same offenses.

Both men were members of a cybercriminal group called ViLE.

To collect sensitive information on their victims, the group tricked customer service employees, submitted fraudulent legal requests to social media companies, bribed corporate insiders, and searched public and private online databases.

"The defendants impersonated law enforcement, illegally accessed government databases, and even faked life-threatening situations to bypass criminal procedures through which they could obtain sensitive personal information," said Michael Alfonso, an Acting Special Agent in Charge with Homeland Security Investigations (HSI).

"They threatened innocent victims' livelihoods and were found to have joked about their deceptive, exploitative, and calculated scheme in messages with each other." (Sergiu Gatlan / Bleeping Computer)

Related: Justice Department, GBHackers

Weep and Ominous listed on ViLE's website (DOJ)

A group of MPs has heard that the UK's HM Revenue and Customs has lost £47m (around $64 million) after a phishing scam breached tens of thousands of tax accounts.

Two senior tax authority civil servants told the Treasury committee on Wednesday that 100,000 people had been contacted, or were in the process of being contacted, after their accounts were locked down in what the officials said was an “organised crime” incident that began last year.

Taxpayers affected would suffer “no financial loss”, said John-Paul Marks, HMRC’s chief executive.

He told the committee: “It’s about 0.2% of the PAYE population, around 100,000 people, who we have written to, are writing to, to notify them that we detected activity on their PAYE account.” (Nadeem Badshah / The Guardian)

Related: TechInformed, The Record, BBC News, China Daily, Reuters, The Independent, Colitco, Daily Mail

Researchers at internet performance measurement firm Kentik discovered that since February 2022, Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers.

Their analysis indicates that large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services nested at some of America’s largest Internet service providers (ISPs).

Kentik found that while most ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Kentik found that Ukraine’s incumbent ISP, Ukrtelecom, is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war.

Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s Doug Madory they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.” (Brian Krebs / Krebs on Security)

Related: Kentik, The Register

IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.
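The Ukrtelecom figure above (29 percent of its original space still routed) is the kind of number you get by diffing two routing-table snapshots. The following is an added example, not Kentik's code or data: it takes two constructed prefix-to-origin-ASN tables (private 10.0.0.0/8 space and private-use ASNs 64500 to 64510 stand in for real networks; nothing here describes any actual operator) and computes what share of one network's original IPv4 space it still originates, attributing the remainder to the ASNs that now announce it or to "not routed". It uses longest-prefix-match semantics so that a sold block with a more-specific carve-out under a third ASN is counted correctly.

```python
"""Added example (not Kentik's code): given two constructed routing snapshots,
measure how much of one network's IPv4 space it still originates and where the
rest went. 10.0.0.0/8 space and ASNs 64500-64510 are stand-ins, not real data."""
import ipaddress
from collections import defaultdict

# Constructed snapshots: prefix -> origin ASN, shaped like what one would pull
# from a RouteViews / RIPE RIS table dump on two different dates.
BEFORE = {
    "10.0.0.0/16": 64500,    # incumbent's space at the start of the period
    "10.1.0.0/17": 64500,
    "10.2.0.0/18": 64500,
    "10.200.0.0/16": 64510,  # unrelated network, must be ignored
}
AFTER = {
    "10.0.0.0/17": 64500,    # still originated by the incumbent
    "10.0.128.0/17": 64501,  # sold; the buyer now originates it
    "10.0.192.0/18": 64503,  # more-specific carved out of the sold block
    "10.1.0.0/17": 64502,    # sold to a second buyer
    "10.200.0.0/16": 64510,
    # 10.2.0.0/18 is absent: withdrawn, i.e. dormant
}


def attribute_space(original_prefix, after_table):
    """Split the addresses of original_prefix by who originates them in
    after_table, using longest-prefix-match semantics. Returns a dict
    origin_asn -> address count; key None holds addresses no longer routed."""
    orig = ipaddress.ip_network(original_prefix)
    entries = [(ipaddress.ip_network(p), asn) for p, asn in after_table.items()]
    entries = [(n, a) for n, a in entries if n.overlaps(orig)]
    # Of the routes that cover the whole original prefix only the most
    # specific one wins; drop the others.
    covering = [(n, a) for n, a in entries if orig.subnet_of(n)]
    if covering:
        best = max(covering, key=lambda e: e[0].prefixlen)
        entries = [(n, a) for n, a in entries if not orig.subnet_of(n)] + [best]
    counts = defaultdict(int)
    for net, asn in entries:
        inner = net if net.subnet_of(orig) else orig  # part of the route inside orig
        # more-specific routes nested inside 'inner' override this route there;
        # only the outermost nested routes are subtracted, so nothing is
        # removed twice
        nested = [o for o, _ in entries
                  if o.prefixlen > net.prefixlen and o.subnet_of(inner)]
        maximal = [o for o in nested
                   if not any(o != q and o.subnet_of(q) for q in nested)]
        counts[asn] += inner.num_addresses - sum(q.num_addresses for q in maximal)
    routed = sum(counts.values())
    counts[None] = orig.num_addresses - routed
    return dict(counts)


def retention_report(before_table, after_table, asn):
    """For every prefix `asn` originated in before_table, attribute its addresses
    in after_table. Returns (fraction still originated by asn, totals by origin,
    original address count). Overlapping 'before' prefixes are collapsed first
    so no address is counted twice."""
    owned = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p, origin in before_table.items() if origin == asn)
    totals = defaultdict(int)
    original = 0
    for net in owned:
        original += net.num_addresses
        for who, count in attribute_space(str(net), after_table).items():
            totals[who] += count
    if original == 0:
        raise ValueError(f"AS{asn} originated nothing in the before snapshot")
    return totals[asn] / original, dict(totals), original


if __name__ == "__main__":
    share, totals, original = retention_report(BEFORE, AFTER, 64500)
    print(f"AS64500 still originates {share:.1%} of its {original} original addresses")
    for who, count in sorted(totals.items(), key=lambda kv: -kv[1]):
        label = "not routed" if who is None else f"AS{who}"
        print(f"  {label:>12}: {count} addresses")
```

On the constructed tables the incumbent keeps 32768 of 114688 addresses (about 28.6 percent), 16384 addresses are no longer announced at all, and the rest are split between the three buyer ASNs. Real snapshots would replace the two dictionaries; the attribution logic does not change.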

Trump's nominee to head the Office of the National Cyber Director, Sean Cairncross, told the Senate Homeland Security and Governmental Affairs Committee at his confirmation hearing that "working with our interagency partners is vital."

Cairncross, a former White House and Republican National Committee official and the former head of the federal Millennium Challenge Corporation, who has run his own consultancy, also touted his credentials to serve as national cyber director. Michigan Sen. Gary Peters, the top Democrat on the panel, asked about his lack of cyber experience compared to his predecessors in the office.

“It’s true I don’t have a technical background in cyber, but in my roles running private organizations and national party committees, I’ve been on the user side of this,” he said. “I’ve had to deal with foreign nation attacks on our systems. We’ve worked with the FBI and the intelligence community to learn about them, to stop them, and to monitor those attacks. On the management side, I’ve run thousands of people and billions of dollars in funds, and in doing those jobs, I surround myself with smart people.” (Tim Starks / Cyberscoop)

Related: The Record, The Register, NextGov, The Record, Meritalk, Bank Info Security, Cybersecurity Dive

The cyber unit of Ukraine’s Military Intelligence (HUR) said it carried out a large-scale operation targeting Russia’s aviation giant, the United Aircraft Corporation (UAC), specifically its Tupolev division, successor to the Soviet-era Tupolev Design Bureau and a key developer of strategic bombers for the Russian military.

One source said that Ukrainian operatives obtained more than 4.4 gigabytes of highly classified internal data with strategic significance as a result of the breach.

The stolen files include internal communications among company leadership, personal data of Tupolev staff, home addresses, resumes of engineers and designers, procurement records, and protocols from closed-door meetings.

“The value of the data obtained is hard to overstate. There is now virtually nothing secret left in Tupolev’s operations as far as Ukrainian intelligence is concerned,” the source said. (Kateryna Zakharchenko / Kyiv Post)

Related: SC Media, Cybernews, Bleeping Computer

Researchers at iVerify report that iPhones belonging to people in an EU member state's government, a political campaign, media organizations, and an AI company may all have been targeted by a spyware operation that abused iMessage's "Nickname" feature, which pushes an update to a contact's device whenever someone changes their shared name or photo.

Three phones showed unusual crashes that iVerify considers potential signs of tampering. In one case, a "high-value target in an EU member state" received a threat notification from Apple about a month after such a crash occurred on their device.

Apple said it fixed the flaw that enabled the campaign, but disputes that it was ever used to hack devices. (Sam Sabin / Axios)

Related: iVerify, Forbes, NBC News

In its latest report on malicious AI uses, OpenAI said it had disrupted several attempts to leverage its artificial-intelligence models for cyber threats and covert influence operations that likely originated from China, underscoring the security challenges AI poses as the technology becomes more powerful.

While misuse occurred in several countries, OpenAI said it believes a “significant number” of violations came from China, noting that four of 10 sample cases in its latest report likely had a Chinese origin.

In one such case, the company banned ChatGPT accounts that were being used to generate social media posts for a covert influence operation. The company said one user stated in a prompt that they worked for China’s propaganda department, though it cautioned that it had no independent proof of that claim. (Mauro Orru / Wall Street Journal)

Related: OpenAI, Reuters, Axios, NPR

TikTok video on a channel linked to this operation, showing three of the user comments. All three comments were generated by this threat actor using OpenAI models. Source: OpenAI.

The Marks & Spencer hackers sent an abusive email directly to the company's CEO Stuart Machin, gloating about their actions and demanding payment.

The broken English message was sent on April 23 from the hacker group DragonForce using an employee email account.

The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge.

"We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote. "The dragon wants to speak to you so please head over to [our darknet website]."

The email was apparently sent using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS), which has provided IT services to M&S for over a decade.

The Indian IT worker in London has an M&S email address but is a paid TCS employee. It appears as though he himself was hacked in the attack. (Joe Tidy / BBC News)

Related: Retail Gazette, The Industry.Fashion

Researchers at Censys said that a stray artifact in a TLS certificate led them to discover that hundreds of control-room dashboards for US water utilities were sitting a click away from the public internet, and dozens of them offered complete, no-password control over pumps, valves, and chemical feeds.

They learned that every affected utility used the identical web server layout generated by the HMI software. The researchers parsed the title tags into a spreadsheet displaying the product, the owner and the location and found strings confirming the hosts were municipal water facilities.

Each system fell into one of three access states: authenticated (credentials required), read-only (viewable without control), and the unnerving unauthenticated (full control without credentials).

Because the targets were public utilities, Censys skipped the usual slow, one-by-one disclosure and sent a bulk report to the US Environmental Protection Agency and the unnamed HMI vendor. (Ryan Naraine / Security Week)

Related: Censys, Industrial Cyber

Selection of HMI screens Censys observed, providing insight into operations of various water facilities around the US. Source: Censys.
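The triage Censys describes, parsing page titles into product, owner and site and sorting hosts by access state, is straightforward to reproduce over a batch of scan results. Below is an added example, not Censys's code: it runs over constructed HTTP responses (RFC 5737 documentation addresses, made-up utilities, and a fictional "ExampleHMI" product string). The "Product - Owner - Site" title layout, the certificate CN marker, and the widget patterns used to tell control pages from read-only ones are assumptions made for this example, not fingerprints of any real product.

```python
"""Added example (not Censys's code): triage constructed HTTP responses from
hosts sharing an HMI vendor's page layout. Pull the <title>, split it into
product / owner / site, and bucket each host into one of three access states.
Every host, title, and the "ExampleHMI" product string is constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

HMI_PRODUCT = "ExampleHMI"   # assumed product string, not a real vendor


@dataclass
class Host:
    ip: str
    status: int
    body: str
    headers: dict = field(default_factory=dict)
    cert_cn: Optional[str] = None   # leaf certificate CN, if TLS was offered


# Constructed responses using RFC 5737 documentation addresses.
SAMPLES = [
    Host("192.0.2.10", 200,
         "<html><title>ExampleHMI - Anytown Water Dept - Well Field 3</title><body>"
         "<div class='tag'>Pump 1 RUN</div>"
         "<button onclick=\"cmd('pump1','stop')\">STOP</button></body></html>"),
    Host("192.0.2.11", 401, "", {"WWW-Authenticate": 'Basic realm="HMI"'},
         cert_cn="ExampleHMI-0042"),   # assumed CN marker on the vendor's cert
    Host("192.0.2.12", 200,
         "<html><title>ExampleHMI - Riverside Utility - Chlorine Feed</title><body>"
         "<form action='/login'><input name='user'>"
         "<input type='password' name='pass'><button>Sign in</button></form></body></html>"),
    Host("192.0.2.13", 200,
         "<html><title>ExampleHMI - Hill County WSC - Tank 2</title><body>"
         "<div class='tag'>Level 71.3 ft</div><div class='tag'>Valve V-2 OPEN</div></body></html>"),
    Host("192.0.2.14", 200, "<html><title>Welcome to nginx!</title></html>"),
]

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
LOGIN_RE = re.compile(r"""type=['"]?password""", re.I)           # credential form
CONTROL_RE = re.compile(r"""<button|onclick=|type=['"]?submit""", re.I)  # write controls
TAG_RE = re.compile(r"""class=['"]tag['"]""", re.I)              # live process values


def parse_title(body):
    """Return the page title with whitespace normalised, or None."""
    m = TITLE_RE.search(body)
    return " ".join(m.group(1).split()) if m else None


def split_title(title):
    """Assumed layout 'Product - Owner - Site'; None if the title does not fit."""
    parts = [p.strip() for p in title.split(" - ")]
    return tuple(parts) if len(parts) == 3 else None


def is_hmi(host):
    """Fingerprint by the title's product field or by the certificate CN marker."""
    fields = split_title(parse_title(host.body) or "")
    if fields and fields[0] == HMI_PRODUCT:
        return True
    return bool(host.cert_cn and host.cert_cn.startswith(HMI_PRODUCT + "-"))


def access_state(host):
    """Order matters: a login page may also contain buttons, so look for a
    credential challenge before looking for control widgets."""
    if (host.status in (401, 403) or "WWW-Authenticate" in host.headers
            or LOGIN_RE.search(host.body)):
        return "authenticated"
    if CONTROL_RE.search(host.body):
        return "unauthenticated"   # controls reachable with no credentials
    if TAG_RE.search(host.body):
        return "read-only"
    return "unknown"


def triage(hosts):
    """One row per fingerprinted host, ready for a disclosure spreadsheet."""
    rows = []
    for h in hosts:
        if not is_hmi(h):
            continue
        fields = split_title(parse_title(h.body) or "")
        product, owner, site = fields if fields else (HMI_PRODUCT, None, None)
        rows.append({"ip": h.ip, "product": product, "owner": owner,
                     "site": site, "state": access_state(h)})
    return rows


def summarize(rows):
    counts = {}
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLES)
    for r in rows:
        print(f"{r['ip']:<12} {r['state']:<16} {r['owner'] or '?'} / {r['site'] or '?'}")
    print(summarize(rows))
```

The unrelated nginx host is dropped because neither its title nor a certificate marker matches, and the host that answered 401 with an empty body is still captured through the certificate fingerprint even though its title carries no owner or site, which is why the fingerprint should not rely on the HTML alone.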

An investigation into the collapse of the Assad regime revealed a significant technical dimension, particularly a spyware application named STFD-686 that was distributed among Syrian army officers via Telegram. 

The Android SpyMax spyware bundled in the app exfiltrated sensitive data from soldiers' smartphones and, according to the investigation, played a part in the regime's fall.

SpyMax is an Android Remote Access Trojan (RAT) that emerged as part of the broader SpyNote malware family, first surfacing in underground forums around 2018. Designed to infiltrate Android devices covertly, SpyMax offers attackers full control over infected phones, enabling surveillance via camera and microphone, GPS tracking, message interception, and more.

While initially sold on hacking forums, SpyMax was eventually leaked and cracked, making it freely accessible to a broader range of cybercriminals.

The attack began with a phishing campaign targeting Syrian military personnel. A seemingly legitimate app, distributed through a Telegram channel under the STFD-686 name with the lure of cash transfers for soldiers, got users to install it themselves.

This case shows that smartphone espionage doesn’t need costly zero-day exploits or advanced spyware. Off-the-shelf tools like Android SpyMax and smart phishing and social engineering can produce high-impact results. Even military targets can be compromised using cheap, widely available tools delivered through trusted channels. (Mobile Hacker)

Related: r/netsec, r/cybersecurity

Phishing activity promising soldiers cash transfers. Source: MobileHacker.

In its new international digital strategy, the European Union publicly stated what many have said in private: Europe is nowhere near able to wean itself off US Big Tech.

Instead, the EU is promoting collaboration with the US as well as with other tech players, including China, Japan, India, and South Korea. “Decoupling is unrealistic and cooperation will remain significant across the technological value chain,” the report reads. (Pieter Haeck and Mathieu Pollet / Politico)

Related: European Commission, The European Sting, The Fast Mode, The Cyber Express, Reuters, Tech Policy Press

Chainalysis says that Silk Road creator Ross Ulbricht, whose convictions were pardoned by Donald Trump, received about $31 million in bitcoin last weekend that it traced to wallets linked to the long-defunct dark-web market AlphaBay.

Chainalysis says the funds emerged from AlphaBay around 2016 and 2017. Given the amount of the donation, Chainalysis suggests it might have come from someone who acted as a large-scale seller on the market. (Andy Greenberg / Wired)

Related: Cointelegraph, UToday, ThreatRay

In a two-part report, Proofpoint and ThreatRay researchers say they have uncovered new evidence linking the Indian government to a long-running threat actor known as Bitter, also tracked as TA397.

The group has been involved in cyber-espionage operations targeting government and defense organizations across Asia, Europe, and South America.

Although Bitter has been active for years, earlier assessments did not definitively attribute it to the Indian state.

The new research highlights stronger technical overlaps and consistent targeting patterns, suggesting it is highly likely that the group spies on behalf of India’s government. (Daryna Antoniuk / The Record)

Related: Proofpoint, ThreatRay

Overview of TA397’s infection chains. Source: Proofpoint.

A trove of AT&T customer data was posted on a popular Russian-speaking hacking forum by a threat actor who claimed it was stolen in the 2024 AT&T Snowflake data theft, which exposed the call logs of 109 million customers.

AT&T said it is investigating the data, but believes it originates from the known breach and was repackaged into a new leak.

"It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation," AT&T said. (Lawrence Abrams / Bleeping Computer)

Related: HackRead, Bank Info Security, r/cybersecurity

Forum post leaking the 2021 AT&T data Source: Bleeping Computer.

In what’s likely the most significant data leak ever to hit China, billions of documents with financial data, WeChat and Alipay details, and other sensitive personal data were exposed to the public.

The database, left open without a password, weighed in at 631 gigabytes and held roughly 4 billion records, likely exposing hundreds of millions of people, mostly in China.

Bob Dyachenko, cybersecurity researcher and owner of SecurityDiscovery.com, and the Cybernews team found the records on an open instance.

The instance was taken down shortly after discovery, which also prevented the team from identifying its owner. Assembling and maintaining a dataset of this size takes sustained effort, which typically points to threat actors, a government, or a very determined researcher. (Vilius Petkauskas / Cybernews)

Related: Tom's Guide

Kirill Firsov, CEO of the cybersecurity company FearsOff, found that attackers are likely starting to exploit CVE-2025-49113, a critical vulnerability in the widely used open-source Roundcube webmail application that lets an authenticated user achieve remote code execution on the server.

The bug has been present in Roundcube for over a decade and affects Roundcube Webmail versions 1.1.0 through 1.6.10. Fixes shipped on June 1 in versions 1.6.11 and 1.5.10.

It took attackers a couple of days to reverse engineer the fix, weaponize the vulnerability, and sell a working exploit on at least one hacker forum. According to Firsov, at least one vulnerability broker pays up to $50,000 for an RCE exploit in Roundcube. (Ionut Ilascu / Bleeping Computer)

Related: FearsOff, SC Media, Security Affairs, WebProNews, Heise Online

Rep. Andrew Garbarino (R-NY), chairman of the House Homeland Security subcommittee on cybersecurity, is apprehensive about the Department of Homeland Security’s plan to end Mobile App Vetting (MAV), a CISA-managed program that vets mobile apps for federal agencies.

In a letter to DHS Secretary Kristi Noem, Garbarino said “The termination of mobile device security programs would not only create a void in the ability to assess vulnerabilities on mobile devices, but also send the wrong signal to FCEB agencies, which are currently on heightened alert about the cybersecurity posture of their mobile devices due to Salt Typhoon." (Tim Starks / Cyberscoop)

Related: NextGov

Best Thing of the Day: Data Thief and Crypto Fraudster Take It on the Chin

The feud between Elon Musk and Donald Trump wiped $152 billion of value from Tesla’s market cap and more than $100 million in value from TrumpCoin.

Worst Thing of the Day: The Tip of the DOGE Bad AI Iceberg No Doubt

DOGE workers assigned the task of cutting DEI-related contracts at the Department of Veterans Affairs used a flawed AI model that hallucinated a lot.

Closing Thought
