US indicts three Russians tied to sanctioned bulletproof hoster, offers $10 million reward

Microsoft patches record 570 flaws, including two exploited zero-days, White House launches AI vulnerability-sharing hub dubbed Gold Eagle, Oracle leads race to build Japan’s top-secret cloud infrastructure, Finnish hacker Kivimäki wanted after losing final appeal, much more

Share
US indicts three Russians tied to sanctioned bulletproof hoster, offers $10 million reward

Metacurity is the cybersecurity industry's daily reality check—an independent briefing that cuts through vendor spin, social media outrage, and endless recycled narratives to explain what actually matters and why.

Every weekday, thousands of cybersecurity professionals—including many of the industry's most respected security leaders—rely on Metacurity to separate signal from noise. We do the reading, research, and analysis so you don't have to.

If Metacurity helps you stay informed, save time, or see the bigger picture, please consider becoming a paid subscriber. Reader support is what keeps Metacurity independent, agenda-free, and focused on serving the cybersecurity community—not advertisers, vendors, or investors.

Federal prosecutors unsealed an indictment against three Russians associated with a bulletproof hosting provider sanctioned by the US and two allies in November.

The US government also posted a reward of up to $10 million for information in the case.

The Russians face multiple charges for allegedly providing cybercriminals with infrastructure and tech support through the St. Petersburg-based business Media Land and a sister company, ML Cloud.

Aleksandr Volosovik, aka "Yalishanda," owned Media Land, while Yulia Pankova owned ML Cloud, prosecutors said Tuesday. The third defendant, Kirill Zatolokin, was responsible for collecting payments for Media Land and coordinating services with cybercriminals, authorities said in announcing the sanctions last year.

The indictment, filed in December 2024, accuses all three with conspiracy to commit and aid and abet computer fraud; conspiracy to commit wire fraud; wire fraud; and conspiracy to commit money laundering. Bulletproof hosting services promise to help criminals evade law enforcement.

The document cites 44 unnamed victims who suffered $62 million in losses from cybercriminal groups aided by Media Land and ML Cloud.

“From their overseas safe haven, these defendants ran the criminal infrastructure that powered attacks on critical institutions across our nation,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Their actions put the American public at risk.”

Volosovik, Pankova and Zatolokin are known residents of St. Petersburg, authorities said. Russia and the U.S. do not have an extradition treaty. Moscow recently warned Russians not to travel to countries that routinely send criminal suspects to the U.S.

The State Department’s announcement of the $10 million bounty under its Rewards for Justice program emphasizes the search for information about foreign government links to the activities of Media Land and ML Cloud. (Joe Warminsky / The Record)

Related: Justice Department, Rewards for Justice, The Cyber Express, Databreaches.net, Crypto Briefing, Becker's Health IT, Reuters, Databreaches.net, IT News

Microsoft's July 2026 Patch Tuesday landed with a bang, encompassing security updates for a record-breaking 570 flaws, including two zero-day vulnerabilities exploited in attacks and one publicly disclosed.

Patch Tuesday addresses 59 "Critical" vulnerabilities, 48 of which are remote code execution, 9 are elevation of privilege, 1 is a security bypass, and 1 is a spoofing.

The number of flaws does not include flaws in Mariner, Azure OpenAI, Azure Synapse, M365 Copilot, Microsoft Exchange Online, Microsoft Edge for Android, and Microsoft Entra Provisioning Service that were fixed by Microsoft earlier this month.

There were also a massive 468 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup. As part of last month's June Patch Tuesday, Google fixed 360 flaws that were later ported to Microsoft Edge.

Last week, Microsoft warned that there would be an increase in Patch Tuesday security updates as it has begun to use an AI-powered vulnerability discovery system to identify more security flaws across its Windows codebase before attackers can exploit them.

This month's Patch Tuesday fixes three zero-day vulnerabilities, with two exploited in attacks and one publicly disclosed.

The two actively exploited zero-days addressed during this month's Patch Tuesday are: CVE-2026-56155 - Active Directory Federation Services Elevation of Privilege Vulnerability, which grants administrative privileges, and CVE-2026-56164 - Microsoft SharePoint Server Elevation of Privilege Vulnerability, which allows a remote attacker to gain elevated privileges. (Lawrence Abrams / Bleeping Computer)

Related: The Register, CyberScoop, The Verge, Cisco Talos, Thurrott, Krebs on Security, Lifehacker, Windows Central, Notebookcheck, Neowin, Help Net Security, Bleeping Computer, Windows Latest, SANS Internet Storm Center, r/cybersecurity, Ask Woody, Tenable BlogZero Day Initiative - Blog, The Stack, CSO Online

The Trump administration unveiled its new federal clearinghouse for sharing AI cyber threat information between the government and private sector, and said the project is already receiving threat intelligence on cybersecurity vulnerabilities and prioritizing patching.

Created last month through a White House executive order, “Gold Eagle” will be managed by the Department of the Treasury, with contributions from the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, and Department of Defense, as well as open-source software providers, critical infrastructure operators, and industry.

Gold Eagle is meant to help both public and private organizations find, fix, and patch vulnerabilities found using AI tools before they’re discovered and exploited by bad actors. The work will involve using AI to find cybersecurity vulnerabilities in victim systems and software, and Secretary of Homeland Security Markwayne Mullin said it would also further explore ways for the technology to be leveraged for cyber defense.

A senior White House official told reporters on a background call that closed-source models from frontier AI models, including Anthropic’s Mythos, will be used to discover vulnerabilities.

White House officials said they worked with the Software Engineering Institute, SEI at Carnegie Mellon University, to develop a new platform, the Vulnerability Information and Coordination Environment – or VINTS – to receive third-party reports on AI-discovered vulnerabilities. According to the White House, the system has already begun collecting intelligence on vulnerabilities and prioritizing patches. (Derek B. Johnson / CyberScoop)

Related: White House, CNNPoliticoThe Information, Bloomberg LawReutersWall Street JournalPaymentSecurity.io, Nextgov/FCW

Oracle is winning the race to sell top-secret cloud services to Japan that the US says are critical to secure intelligence sharing between Tokyo and allies as they face growing threats from China.

The Texas-based company is leading Amazon Web Services, Microsoft and Google to provide the “air-gapped” cloud, according to seven people familiar with talks between the tech groups, Tokyo and Washington.

Japan opted for a US cloud computing company after extensive discussions with Washington and a conversation between President Donald Trump and Prime Minister Sanae Takaichi in March.

The US has long wanted Japan to install stronger cyber security because its existing systems are very vulnerable to Chinese hacking. The urgency has risen as it pushes Tokyo to increase co-production of weapons and boost deterrence against China.US officials also believe Japan needs tighter cyber security to have a chance of joining Five Eyes, an intelligence-sharing group comprising the US, UK, Australia, New Zealand and Canada. 

UK and Japanese officials said their plans to co-build a next-generation fighter jet had increased pressure on Tokyo to build more secure infrastructure for sharing secret data. (Demetri Sevastopulo and Leo Lewis / Financial Times)

Related: Benzinga

Finnish police have reportedly issued a wanted notice for convicted hacker Aleksanteri Kivimäki after the country's Supreme Court refused to hear his appeal, paving the way for authorities to return him to prison in one of Finland's most high-profile cybercrime cases.

The Supreme Court's decision leaves in place a February Court of Appeal ruling that sentenced Kivimäki to nearly seven years in prison for hacking psychotherapy provider Vastaamo and later extorting both the company and its patients, according to Finnish media.

Following the ruling, Eastern Uusimaa Police said they issued the wanted notice at the request of Finland's Criminal Sanctions Agency. Officers have been instructed to arrest Kivimäki if he is located and transfer him to Vantaa Prison to serve the rest of his sentence.

His lawyer, Peter Jaari, told Finnish media that he does not know where his client is but believes Kivimäki is outside Finland.

The Court of Appeal convicted Kivimäki of aggravated data breach, attempted extortion and unlawfully distributing private information. The judges said the crimes were carefully planned, driven by financial gain and caused exceptional harm to a large number of especially vulnerable victims.

The court said the offenses would normally have justified the maximum available sentence. However, it reduced Kivimäki's prison term by one month because he reached compensation agreements with some of the victims. (Daryna Antoniuk / The Record)

Related: Helsinki Times, YLE, ILTA Sanomat, Iltalehti, Databreaches.net

The District of Nevada's US Attorney's Office announced that a federal grand jury indicted two men for an alleged scheme to steal money from ATMs in Reno and Sparks in ATM jackpotting attacks.

Kleiber Jovanny Garcia Rojas and Yeiker Andres Diaz-Calatayud, also known as Jose Soto, allegedly stole approximately $76,000 in cash.

Court documents and statements made in court on June 3 claimed the two installed a digital device on an ATM at a federal credit union, which allowed them to bypass security functions and withdraw cash.

Garcia Rojas and Diaz-Calatayud were each charged with one count of bank theft, according to the release. If convicted, they could each face the maximum of 10 years in prison.

A jury trial is scheduled for Sept. 15 before U.S. District Judge Anne Traum. (Jaedyn Young / The Reno Gazette Journal)

Related: Justice.gov, KRXI, KTVN

The Spanish Police dismantled a cybercrime and money-laundering organization that made €140 million ($160 million) from investment fraud and business email compromise (BEC) attacks.

As part of the law enforcement operation, four people were arrested in Spain, Portugal, and Panama.

The police describe the operation as an industrial-level scheme as it involved at least 800 bank accounts, 120 business accounts, and 67 external accomplices who acted as “money mules.”

The investigation has confirmed that €94 million ($107 million) was channeled through the network and linked another €61 million ($69.5 million) to the group, tying it specifically to BEC operations that took place in 2024.

The police announcement calls this “CEO fraud” and “false-invoice fraud,” indicating the use of social engineering tactics such as impersonating high-ranking executives and diverting payments to bank accounts controlled by the fraudsters.

The investigation into the cybercrime operation started after the police detected signs of money laundering in 19 companies linked to it.

Following the identification of the main suspects, an international police operation was organized with the help of Interpol and Europol.

In this context, six premises in Barcelona, Girona, and Tarragona, as well as in the city of Porto in Portugal, were raided and searched, and another suspect was also arrested in Panama.

The two suspects arrested outside Spain left the country recently but continued to operate from their foreign bases in support of the cybercrime scheme.

The police agents seized 15 computers and over 170 smartphones, believed to have been used for executing thousands of fraudulent transfers.

Additionally, €3 million ($3.4 million) of crime proceeds was frozen immediately and will be made available to victims of the cybercrime ring. (Bill Toulas / Bleeping Computer)

Related: Policia, Help Net Security

KFC Japan has announced that a cyberattack affecting one of its third-party logistics providers is disrupting food deliveries to restaurants nationwide, raising the possibility of product shortages, reduced operating hours, and temporary store closures.

The company has suspended all online ordering services as it works with its logistics partner to restore normal operations.

KFC Japan said the disruption stems from an unauthorized third-party intrusion into the logistics company's systems responsible for delivering ingredients to the hundreds of restaurants the fast-food chain operates nationwide.

According to the company, the attack occurred on July 13, 2026, when the outsourced logistics provider experienced a system failure due to unauthorized access. The outage has affected the operator's logistics and distribution centers, preventing normal food deliveries to KFC restaurants beginning on July 14.

The company said all KFC locations in Japan could be affected by the incident, and customers may encounter out-of-stock menu items, limited product availability, shortened business hours, or, in some cases, temporary store closures depending on local inventory levels.

In addition to in-store disruptions, KFC Japan has temporarily suspended its digital ordering channels, including its official mobile app, website ordering platform, delivery services, and third-party delivery integrations. The company did not specify when those services will return, stating only that recovery timelines remain unknown while its logistics partner works to restore affected systems.

KFC Japan has not identified the logistics company involved, nor has it disclosed the nature of the cyberattack or whether ransomware was deployed. (Amar Ćemanović / Cyber Insider)

Related: Japan KFC, Nikkei Asia, Asia News Network, SC Media, The Loadstar, Japan News

AI security firm Manifold says two vulnerabilities it reported to Anthropic in May remain exploitable in the latest version of Claude for Chrome, the company’s agentic browser extension.

According to Manifold, the flaws let a malicious browser extension trigger Claude into taking actions on a user’s behalf without any genuine click or approval from the victim. An attacker could exploit them to read Gmail messages, Google Docs documents, and calendar entries.

The core issue is related to a fix Anthropic shipped earlier this year in response to a similar vulnerability dubbed ClaudeBleed. That update restricted which prompts an outside webpage could feed into Claude, narrowing the extension’s exposure to a fixed set of pre-approved tasks.

Manifold found that the mechanism used to activate those tasks doesn’t verify whether a click actually came from a real user, meaning another extension can fake the interaction and set the process in motion.

In the extension’s default setting, the attack triggers a confirmation prompt before anything sensitive happens. However, if a user has enabled the extension’s more autonomous mode (‘Act without asking’), the attacker’s action can proceed without any visible warning.

Manifold also flagged a second, related design gap: a way for Claude’s side panel to launch directly into that no-confirmation mode based on a parameter in its own URL, with no user action required to unlock it. (Eduard Kovacs / Security Week)

Related: Manifold, Cyber Press, Cyber Security News

A live view of the runtime signals Manifold raises when agents and their tool calls drift from expected behavior. Source: Manifold.

The British public should begin taking “small but important steps” to secure and protect water, power supplies and basic phone signal in case of further severe weather emergencies, national crises or cyber-attacks, Downing Street has said.

Darren Jones, the chief secretary to the prime minister, told MPs “the risks we face from climate change cannot be underestimated”, and warned of the “significant and prolonged disruption to essential services” extreme weather events could cause.

Jones also said the combination of increasingly sophisticated artificial intelligence and the conflict in the Middle East and Russia’s war in Ukraine could enable criminals to carry out “hostile cyber-attacks against businesses and critical infrastructure."

As a result, the UK’s national risk register has been updated with seven new crises, including the threat of foreign interference in UK democracy, the risk of cyber-attacks on data infrastructure, water infrastructure and police systems, and a “digital resilience failure” scenario, based on the global technology outage caused by the CrowdStrike disruption in 2024. (Aletha Adu / The Guardian)

Related: RBC-Ukraine, The Independent, Telegraph

Silicon-to-systems design firm Synopsys says it has found no evidence of a data breach after a cybercrime group claimed to have hacked its systems and gained access to valuable data belonging to one of its major customers, Bosch.

A new ransomware group named D1R in recent days listed Synopsys and Bosch on its Tor-based leak website. The cybercriminals claimed to have exploited a vulnerability in Synopsys’ website to access a corporate client database containing 40,000 entries, and they are threatening to leak the stolen data unless a ransom is paid.

Separately, D1R claimed to have hacked German engineering and technology giant Bosch using data obtained from Synopsys. The cybercriminals allegedly obtained valuable intellectual property belonging to Bosch. (Eduard Kovacs / Security Week)

Related: SC Media, Databreaches.net

The Air Force is scrambling to get employees across the service back online after weeks of rolling cybersecurity quarantines locked numerous troops and civilians out of their computers, sometimes for days.

A quarantine kicks in to protect military networks from cyberattacks if a computer isn’t routinely updated with new software patches. But as the Air Force pushes out patches more often to stay ahead of digital threats, employees must make sure those updates are in place — or find their device rendered unusable.

The lockouts have created headaches at multiple bases and the Pentagon as the service continues rolling out forcewide software updates.

While quarantines aren’t new, the scale of the ongoing issue is unusual. The outage allegedly hit tens of thousands of devices, according to an anonymous post on “Air Force amn/nco/snco,” an unofficial Facebook page popular with airmen. (Rachel S. Cohen / Federal News Network)

Related: Facebook

Researchers at Arctic Wolf say a threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

ArcticWolf identified the activity after finding that one of its products was impersonated in the campaign starting June 26.

In total, the researchers uncovered 292 fake repositories, each including a README file with a download link directing visitors to a malicious download page. (Bill Toulas / Bleeping Computer)

Related: Arctic Wolf

Fake GitHub repository featuring badges of authenticity. Source: Arctic Wolf

SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates.

CVE-2026-15409 is a critical (CVSS 10.0) server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface that allows a remote, unauthenticated attacker to force an appliance to make requests to unintended locations.

CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the SMA1000 Appliance Management Console that could allow a remote authenticated administrator to execute arbitrary operating system commands.

While CVE-2026-15410 requires administrator privileges, SonicWall assigned the advisory an overall CVSS score of 10.0.

SonicWall says it investigated multiple incidents and confirmed that both vulnerabilities are being actively exploited. (Lawrence Abrams / Bleeping Computer)

Related: SonicWall, Security Affairs, Security Week

The researcher who exposed Grok Build uploading users' entire repositories to cloud storage says the transfers have stopped after a server-side change.

Elon Musk has separately promised that all previously uploaded user data will be deleted.

AI safety researcher Cereblab published a report on Sunday about their investigation into Grok Build, SpaceXAI's command-line interface (CLI), and the data exchanged between the CLI and SpaceXAI's servers.

Cereblab found that when Grok Build reads or processes a file, the contents of that file are transmitted without redaction to a Google Cloud Storage bucket used by SpaceXAI. Further, they claimed that Grok Build packages entire repos and uploads them as Git bundles, instead of just uploading the files required to answer a user's prompt.

According to Cereblab's report, SpaceXAI's data retention went far beyond that of other CLIs, such as Claude Code, Gemini, and Codex, which open individual files rather than entire repos before uploading them along with their Git histories.

The researcher tested the behavior using a benign prompt. They instructed the CLI to reply with "OK," and specifically ordered it not to open any files.

Grok Build uploaded the entire repo regardless, along with its full Git history containing secrets that were deleted months prior – a finding Cereblab reproduced using a separate repo.

Other Grok Build users reported similar results after Cereblab published their report, including one whose entire user directory, containing SSH keys, password manager databases, and more, was opened and uploaded.

The findings attracted enough attention for SpaceXAI execs and Musk to comment on them publicly, as well as prompting the company to implement a remedy quickly. (Connor Jones / The Register)

Related: Cereblab, IXBT, Zamin, Databreaches.net, Tech Times, The Verge, Hindustan Times, Crypto Briefing, WinBuzzer, FirstPost

Microsoft has announced that passkeys will become the default authentication method for the Entra ID enterprise identity service starting September 2026.

Passkeys will be enabled automatically for Entra ID users now using phone-based SMS and voice authentication, which will be retired in February 2027 across all tenants.

However, users who are already signing into their accounts with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or any other phishing-resistant method will be able to continue using those methods. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, Cyber Security News, CSO Online, Redmond Mag, Biometric Update, Petri, Neowin, Help Net Security, Heise Online

Timeline for SMS/voice authentication retirement. Source: Microsoft.

Security firm Certo says cyberstalkers are increasingly exploiting Google Chrome's built-in synchronization feature to secretly monitor victims' web activity without installing spyware or compromising their devices.

Certo says it has received a growing number of reports involving the tactic, which relies on briefly accessing a victim's device and signing in to Chrome with an attacker-controlled Google account.

The technique reflects a broader shift away from traditional stalkerware, as modern mobile operating systems have made spyware deployment more difficult through stronger security protections, stricter app store policies, and improved malware detection.

The method itself is straightforward. An attacker only needs a brief opportunity to unlock the victim's phone, tablet, or computer and open Chrome. They then add a Google account they control and ensure Chrome Sync is enabled. From that point onward, Chrome synchronizes browsing history with the attacker's account, allowing them to review the victim's activity remotely from any device logged into that account. (Alex Lekander / Cyber Insider)

Related: Certo

Checking the connected account. Source: Certo.

Twelve days after Sysdig documented the first end-to-end AI-agent ransomware operation, Ant Group's AI Security Lab has released a free, open-source guardrail framework designed to intercept the exact attack sequence that campaign used.

The tool, SingGuard-NSFA, is now available on GitHub and Hugging Face and can run inline in any autonomous agent pipeline — catching prompt injection attempts, credential-theft patterns, malicious code execution, and permission misuse before they become irreversible real-world consequences.

For teams running AI agents in production, this is the first purpose-built, auditable tool designed to address the threat class that JadePuffer proved is no longer theoretical. (Mireya Ramsey / Tech Times)

Related: Business Wire, Help Net Security, Fintech Finance News

The genetic testing company formerly known as 23andMe has agreed to pay $18 million to 42 states to settle litigation stemming from a 2023 breach that exposed sensitive personal data of nearly 7 million customers.

The company, now called Chrome Holding Co., filed the proposed settlement agreement Tuesday in the United States Bankruptcy Court for the Eastern District of Missouri.

23andMe filed for Chapter 11 bankruptcy in 2025. The states had filed claims in the bankruptcy seeking roughly $100 billion in alleged damages, which the estate said would be costly and time-consuming to litigate. The proposed agreement, which needs to be approved by Judge Brian C. Walsh, would bring an end to states’ claims tied to the breach.

The settlement proposal also includes a five-year ban on the company from directly selling goods or services to consumers, as well as collecting or maintaining personally identifiable information beyond what is required by the agreement. (Ethan Schenker / Bloomberg Law)

Related: KARE11, PhillyVoice, WAOW, WPXI, Audacy, Daily Voice, Eastern Shore Undercover, WKOW, WNYT, Erie News Now, WNEM, PennLive, Statesman Journal, AZ Family, Valley News Live, WMTV, KTAR, Straight Arrow News, WGAL, KWWL, WGMD, KOTA, WZMQ, WBAY

Cybersecurity stocks jumped after IBM CEO Arvind Krishna flagged cyber fears as a top priority for customers in the company’s preliminary second-quarter results.

During the period, Krishna said customers shifted spending to servers and memory and that “rapidly-evolving, industry-wide cybersecurity concerns” distracted customers.

The rise of advanced artificial intelligence models such as Anthropic’s Mythos has spurred mass anxiety on Wall Street and worries of quicker, more sophisticated cyberattacks.

Krishna told CNBC’s Sara Eisen that some major deals were put on hold toward the end of the quarter as businesses rethink spending.

“Mythos is making people pause to say, wait, how much do I need to spend on cyber? They’re pausing on new deals until they know,” Krishna told Eisen. “We don’t see our software being disrupted by AI at all.” (Samantha Subin / CNBC)

Related: Barron's Online, The Hans IndiaITProThe Indian ExpressMotley FoolBlockonomi, Bloomberg

Best Thing of the Day: Let This Be the Beginning of a Beautiful Trend

New York became the first US state to halt construction ​of large new data centers, imposing a one-year moratorium as concerns grow that the facilities driving the artificial-intelligence boom are raising power costs, straining water ‌supplies and burdening local communities.

Worst Thing of the Day: Russia Takes Its Denialism Cue from China

Russia on Tuesday slammed as “baseless” accusations by the European Union and Britain that its intelligence agencies were behind a campaign of cyber attacks on Europe.

Bonus Worst Thing of the Day: We Think 16 and 17-Year-Olds Know About VPNs

The United Kingdom will require social media companies to implement a default block for adolescent users aged 16 and 17 at certain hours, the country’s Department for Science, Innovation & Technology said.

Closing Thought

Read more