Zcash tumbled after disclosure of critical counterfeiting flaw

20k Instagram accounts hacked in attack that abused AI tool, Router flaw powers rise of shape-shifting C0XMO botnet, Ransomware gang sends fake IT staff into victim offices, ShinyHunters-linked leak exposes millions of DentaQuest records, Chinese cyber spies hid in Microsoft 365 for 18 months, more


Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

Each day, Metacurity is read by thousands of cyber leaders, including some of the industry's top CISOs, security architects, practitioners, vendors, analysts, and journalists.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Privacy coin Zcash plunged double digits overnight last week after developers disclosed a critical vulnerability in the protocol's Orchard shielded pool that could have allowed undetectable counterfeiting for over four years.

It dropped from Wednesday's local top of $635 to an intraday low of $309 on Thursday, according to CoinGecko data. It has since recovered slightly to around $330, down 37.8% on the day.

The vulnerability was discovered on May 29 by security researcher Taylor Hornby using AI-assisted auditing tools.

It resided in two lines of code within the Orchard circuit, the cryptographic component governing Zcash's shielded transactions, and allowed a malicious actor to create counterfeit ZEC inside the shielded pool with no on-chain signature. Had the bug been exploited before discovery, there would have been no way to prove it.

"The vulnerability was present from Orchard's activation in May 2022 until the emergency fix was deployed on June 1, 2026," Shielded Labs, the organization behind Zcash development, wrote in a disclosure post. "Due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine, using only cryptography, whether such exploitation occurred." (Akash Girimath / Decrypt)

Related: Shielded Labs, Orchard Security Blog, Decrypt, Gizmodo, Zcash Community Forum, Unchained, The Block, Yahoo Finance, crypto.news, TheStreet, Blockonomi, CryptoSlate, Bitcoin Insider, Tech Times, Benzinga, Wall Street Journal, CoinDesk, Bitcoin News, CryptoPotato, Cointelegraph, NullTX, Bitcoinist.com, Coinpedia Fintech News, Blockchain.News, Blockhead, Slashdot, Security Affairs

Meta says roughly 20,000 Instagram accounts may have been hacked in a recent attack abusing an AI-powered account recovery support tool.

Hackers compromised many Instagram accounts simply by asking Meta’s chatbot to link their own email address to the targeted account. This enabled the hackers to reset the account password and take control of it.

Many high-profile accounts were reportedly compromised and sold on the dark web. The list of impacted accounts included those of the Obama White House, Sephora, and US Space Force Chief Master Sergeant John Bentivegna.

Some cybercriminals shared videos and instructions on how the attack worked.

Meta is now informing authorities about the incident’s impact, telling the Maine Attorney General’s Office that the total number of potentially affected individuals is 20,225.

However, Amber Hannah, Meta’s associate general counsel for incident response legal, indicated that the total number could actually be smaller. The company has counted users who had their passwords reset via the support tool, did not have 2FA enabled, and whose accounts were likely accessed by hackers. However, some of these accounts may have been accessed by their legitimate owners rather than hackers.

Meta’s disclosure to the Maine AG reveals that the exploitation of its High Touch Support (HTS) tool was discovered on May 31.

The tool is designed to help users regain access to accounts after they have been locked out, and hackers have abused a vulnerability in the tool to reset Instagram passwords. (Eduard Kovacs / Security Week)

Related: Maine Attorney General, BleepingComputer, Infosecurity Magazine, Cyber Security News, r/technology

Researchers at Fortinet report that a new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures.

The researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures, featuring exploits for DVRs, routers, video management platforms, and Android-based devices.

The botnet was seen targeting a Japanese technology company, but researchers discovered that the source IP address belonged to a device located in Germany.

Fortinet researchers discovered C0XMO and highlighted its modular design, which allows operators to update its exploitation techniques, add/remove targeted architectures, and expand its lateral movement capabilities independently of the main payload.

Fundamentally, C0XMO remains malware built for launching distributed denial-of-service (DDoS) attacks. It supports 19 attack methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.

According to the researchers, the C0XMO botnet malware is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient validation of user input. It can be exploited without authentication and leads to arbitrary code execution. (Bill Toulas / Bleeping Computer)

Related: Fortinet, Security Affairs, GBHackers, Cyber Security News

The exploitation of the CVE-2021-27137 vulnerability. Source: Fortinet.

Google’s cybersecurity teams, Mandiant and Google Threat Intelligence Group, jointly accused the cybercriminal gang known as Silent Ransom Group of attempting to steal victims’ information “using physical, in-person access” in attacks from January through May of this year that targeted “dozens” of victims.

Last month, the FBI published an alert warning that Silent Ransom Group had been targeting law firms with social engineering and phishing attacks pretending to be IT support employees. But in some cases, the group sent fake IT support personnel to the victims’ offices, where they connected to employees’ computers and used USB drives or remote access tools to steal data such as contracts, personal information like Social Security numbers, and financial and tax records.

According to Google Mandiant, the group, which it tracks as UNC3753 and which is also known as Luna Moth and Chatty Spider, also uses more traditional methods, such as phishing emails, follow-up phone calls, and social engineering. The cybercriminals pretend to be the company’s IT support to trick victims into granting access to their computers. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Mandiant, Bleeping Computer, Resecurity, Databreaches.net

UNC3753 attack lifecycle. Source: Mandiant.

A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts.

The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data.

Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked.

On June 2, DentaQuest confirmed on its website that its networks had been breached and the incident caused “limited disruption” in customer service.

“DentaQuest is actively managing a cybersecurity incident involving unauthorized access to a limited portion of our network,” reads the statement. “Upon discovery of the initial incident, we took immediate action to secure our environment, contain the attack, and mitigate the threat.”

“Our systems remain fully operational, and we continue to serve our clients with limited disruption.” The firm also stated that it engaged external experts to help with the investigation and determine the data that was compromised.

Yesterday, data breach alerting service Have I Been Pwned (HIBP) analyzed the leaked information and found that it contained records for 2.6 million accounts. (Bill Toulas / Bleeping Computer)

Related: DentaQuest, Security Week, Security Affairs, The HIPAA Journal, BankInfoSecurity, Security Magazine, TechRadar, SC Media, TechRepublic

DentaQuest posting on ShinyHunters site. Source: Bleeping Computer.

Researchers at Volexity report that a Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD.

An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection and had also compromised the victim organization's managed services provider (MSP).

UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.

The threat actor used the Brickstorm backdoor undetected in the environments of various targets in the United States for more than a year until the breaches were discovered around March 2025.

Volexity describes Brickstorm as "an advanced malware implant." Initial variants were written in Go; newer variants written in Rust emerged later.

In April 2024, Google documented UNC5221 activity using the backdoor, and then again in September 2025, describing attacks against legal services, software-as-a-service providers, business process outsourcers, and technology companies.

CISA warned about Brickstorm being deployed by Chinese hackers against VMware vSphere servers, and, more recently, Google reported that UNC6201 deployed it against Dell RecoverPoint for Virtual Machines. (Bill Toulas / Bleeping Computer)

Related: Volexity

The Women's News Agency (NÛJINHA), the Kurdish all-female news agency, announced that it had suffered a cyber attack targeting its media platforms and technical infrastructure, stating that the attack resulted in the deletion of numerous publications across its Persian, Arabic, and English sections, as well as a temporary disruption to broadcasting services.

The agency said the attack occurred on Saturday evening (June 6th), noting that a cyber attack team identified as "Hindala and the Resistance Axis" or "Hendhela" claimed responsibility for the operation and released statements containing threats directed at the Kurdish people, Kurdish institutions, and the agency itself, along with what it described as hate speech and direct threats targeting journalism and the staff members working there.

The agency stated that the attack damaged its technical infrastructure and temporarily halted its media operations. However, after intensive efforts, its technical team was able to restore platform functionality and resume access to published content.

It added that the entity behind the attack has continued to disseminate threatening messages, claiming to be conducting ongoing cyber attacks against the agency and to possess information about its institutional locations. These messages also contained expressions targeting the Kurdish people and their institutions, as well as threats related to political and military developments in the region.

The NÛJINHA agency said that what occurred goes beyond a technical attack; it constitutes political targeting of women's voices and independent journalism. It emphasized that the agency is committed to highlighting the conditions of women in the Middle East and conveying the perspectives of those affected by wars, violence, and discrimination. (Hawar News Agency)

Related: Jinha, ANF News

Nigeria's Department of State Services (DSS) has joined ongoing investigations into an alleged breach of the Independent National Electoral Commission (INEC) voter database, as the electoral body intensifies efforts to trace the source of the leak to internal access points within its system.

The development follows growing concerns over the circulation of sensitive voter information linked to a candidate in a recent political party primary in the Federal Capital Territory, raising fresh questions about data security within Nigeria’s electoral infrastructure.

INEC, in a statement, confirmed that preliminary findings from its ongoing audit suggest the incident did not result from external hacking but rather from authorized credentials that may have been misused by an insider within its Continuous Voter Registration (CVR) system. (Priscilla Iwedike / The Guardian)

Related: Arise News, The CJID, Channels Television, Daily Trust, The Sun

Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.

That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.

Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.
New AI models, such as Anthropic’s Claude Mythos and OpenAI’s GPT 5.5-Cyber, have advanced faster than US legislation regulating the technology can keep pace.

They have both shown a remarkable ability to identify software vulnerabilities and launch cyberattacks — skills that hackers and cyber adversaries are hungry to exploit.

Recent estimates suggest that the US has at most six to 12 months before Beijing gains access to a frontier model with prowess comparable to Mythos or GPT 5.5-Cyber or develops an AI competitor that could eventually be wielded as a cyber weapon.

“It’s a hurricane warning, not a seawall,” Rob T. Lee, chief AI officer at cybersecurity research company the SANS Institute, said of the time the U.S. has to prepare before this new wave of hyper-advanced AI models changes the cybersecurity calculus entirely.

Both Anthropic and OpenAI initially limited testing of their newest AI models to a small group of trusted defenders when the models were first announced in April, as the companies weighed the immense consequences of the technology’s wider release. That same month, China reportedly asked Anthropic to trial Mythos but was rebuffed. (Dana Nickel and Maggie Miller / Politico)

Related: Rob Lee on LinkedIn

NATO only narrowly beat out Russia in a simulated set of online cyber campaigns aimed at sowing discord and confusing the local population when faced with a serious crisis.

In addition to a blackout attack on an energy grid, participants also tested two other scenarios: how authorities would communicate in case of a major flood and if hackers hijacked their banking system.

Ukrainian officials were assigned the role of Karti villains, who flooded social media with AI-generated messages blaming each crisis on government incompetence and corruption, while offering to send assistance to beleaguered residents.

The Karti team lost only narrowly in two of the scenarios, according to the scorecard compiled by a panel of judges, which included academics and disinformation specialists.

NATO opened its Joint Analysis, Training and Education Center (Jatec) last year to help allies draw lessons from Ukraine’s battlefield experience and improve the alliance’s preparedness for future Russian aggression. One-third of Jatec’s staff of 60 are seconded from Kyiv, including personnel from Ukraine’s armed forces, defense ministry and intelligence services. (Raphael Minder / Financial Times)

Related: Censor.net, Ukrainska Pravda, RBC-Ukraine

One of the largest hospital trusts in England has confirmed thousands of patient test results were stolen in a cyber attack in 2024.

Mid and South Essex NHS Foundation Trust (MSE), which runs Broomfield hospital in Chelmsford as well as Basildon and Southend hospitals, said the breach involved 2,380 records.

The data was taken from the computer drives of a third‑party testing provider, Synnovis, that analyzed blood, urine and tissue samples.

The trust, which was notified about the breach in December, said it would be contacting those affected.

The trust is one of an undisclosed number of NHS organizations whose confidential patient data was involved in the data breach.

Last week, Bedfordshire Hospitals NHS Foundation Trust revealed almost 33,000 of its patients had their data stolen in the same hack.

According to Synnovis, the data was published on the dark web. (Nikki Fox and Matt Precey / BBC News)

Related: The Mirror, Databreaches.net, Echo

Microsoft has said it will tighten human-rights controls when working with national security agencies after an inquiry into how the Israeli military used its cloud technology for the mass surveillance of Palestinians.

Microsoft announced the completion of the inquiry and a series of new measures that include changes to how the company oversees employees with security clearances issued by foreign governments.

Microsoft ordered the inquiry last year in response to a Guardian investigation with Israeli-Palestinian publication +972 Magazine and Hebrew-language outlet Local Call revealing how the Israeli military used the company’s cloud to store a vast trove of intercepted Palestinian phone calls.

Shortly after the inquiry was launched, Microsoft terminated the Israeli military’s access to cloud and AI services used to support the surveillance project after initial findings showed its spy agency, Unit 8200, had violated the company’s terms of service.

In a summary of the inquiry’s outcome, Microsoft said its “factual findings remain the same,” and it would adopt a series of recommendations intended to improve the “effectiveness of our human-rights governance”.

Described as a “final update” on the situation, the announcement attempts to draw a line under a challenging episode for Microsoft that placed a spotlight on the role played by its technology in the Israeli military’s bombardment of Gaza and operations in the occupied West Bank.

The Guardian investigation last year found Unit 8200 had used Microsoft’s Azure cloud platform to operate an indiscriminate system that allowed its intelligence officers to collect, play back and analyze the content of millions of Palestinian cellular phone calls every day. (Harry Davies and Yuval Abraham / The Guardian)

Related: Times of India, Ynet News, Arab News

Russia’s security services shut parts of a special surveillance system protecting President Vladimir Putin and his closest aides in the wake of Ayatollah Ali Khamenei’s assassination in Tehran, according to two people familiar with the matter.

The system — which is separate from the nearly 300,000 cameras that surveil Moscow’s citizens — was only turned back on after engineers combed through it in an attempt to seal it off from the internet hermetically, said one of the people.

The extraordinary precautions were taken after Israeli intelligence harvested vast amounts of video footage from Iran’s traffic cameras to help pinpoint the exact location and timing of a February 28 meeting between Khamenei and his closest aides. Several top security officials were killed at the meeting in the opening salvo of the joint US-Israel war on the Islamic Republic.

The assassination was a dramatic demonstration of a nascent technological leap: the use of artificial intelligence to parse through millions of hours of video, collected by thousands of cameras, in order to find and surveil targets. (Mehul Srivastava and Christopher Miller / Financial Times)

Related: Money Control, Dev.ua, Mezha

OpenAI has begun rolling out Lockdown Mode, an optional security setting designed to offer users advanced protection from prompt injection attacks.

OpenAI is billing Lockdown Mode as a sort of last line of defense against prompt injections, building on the robust protections that it says it already offers through ChatGPT, its models and backend systems. "Lockdown Mode is not intended for everyone," OpenAI explains. "It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."

The company also notes that Lockdown Mode won't stop prompt injections from appearing in content ChatGPT processes. Instead, it's designed to prevent an attacker from extracting sensitive data from your account by limiting network requests that someone could exploit. Lockdown Mode is available to all personal accounts, including those using ChatGPT through OpenAI's free tier.

To activate it, open ChatGPT's settings menu and select Safety and security. Under Advanced security, tap Lockdown mode and flip on the toggle. You can temporarily disable the additional protection by selecting Manage from the status message that appears above the chat window and selecting Turn off for this chat. (Igor Bonifacic / Engadget)

Related: OpenAI, XDA Developers, Tech Times, The Indian Express, Neowin

India's Central Board of Secondary Education (CBSE) has moved its re-evaluation process to a newly secured evaluation portal after an expert panel from IIT Kanpur and IIT Madras cleared the platform following a security review.

The decision comes days after CBSE's re-evaluation system was targeted by a large-scale cyberattack on June 3, when nearly 3.8 million malicious packets were directed at the portal in an apparent attempt to disrupt verification and re-evaluation services.

An IIT panel member said that CBSE has decided not to use the services of Coempt Eduteck Pvt Ltd for scanning answer sheets during the ongoing re-evaluation process. The expert added that the earlier platform contained several security weaknesses that could have exposed examination data and records through multiple access points. (India Today NE)

Related: The Economic Times, Deccan Herald, The Federal, NDTV

"Human error" caused a data breach involving police officers and staff payroll information, the Norfolk Constabulary in the UK said.

Norfolk Constabulary apologized after a payroll file was mistakenly sent to a former officer; the file has since been deleted.

It said there was no "evidence that the information has been further shared or misused" and added that the breach has been reported to the Information Commissioner's Office (ICO). (Alex Pope / BBC News)

Related: Norfolk Police, Eastern Daily Press

In a blog post with guest author and independent security researcher Buchodi, Include Security documented how the company Bright Data facilitates modern AI models scraping training data from the Internet using its residential proxy network.

Bright Data is a data-collection company that sells access to what it markets as the world’s largest residential proxy network of 400M+ home IP addresses that its customers route web-scraping traffic through. The supply behind that network comes from an SDK: a piece of software embedded in consumer apps that, with the user’s consent, turns their phone or smart TV into one of those exit nodes.

Petflix, a Roku app documented by The Verge, is a representative case. Its opt-in screen reads: “To enjoy Petflix for free with fewer ads, you are allowing Bright Data to occasionally use your device’s free resources and IP address to download public web data from the internet. Bright Data will only use your IP address for approved business-related use cases. None of your personal information is accessed or collected except your IP address. Period.” The Petflix dialog says “occasionally.” The SDK’s publicly queryable config sets max_bw_monthly_wifi: 200,000,000,000 bytes — a 200 GB default monthly WiFi budget. (Include Security)

Related: Hot Hardware, Cyber Security News

Best Thing of the Day: Someone's Got to Do It

In what is likely just the tip of the iceberg, a WIRED analysis has documented dozens of public instances of companies, governments, NGOs, and educational establishments stepping away from US technology companies in favor of open source or local alternatives.

Worst Thing of the Day: Not a Man Who's Worried About Rigged Elections

Trump's DOJ canceled election-integrity training for prosecutors and FBI agents, deleted a 281-page guide to prosecuting election offenses, fired most of the lawyers in its Public Integrity Section, and failed to replace the director of its Election Crimes Branch.

Bonus Worst Thing of the Day: No Wonder the World Wants to Ditch US Tech

Silicon Valley companies, including Meta, have decided to embrace MAGA politics, some for “rather more self-interested” reasons, the former UK deputy prime minister and former head of global affairs at Meta, Nick Clegg, has said.

Closing Thought