
Two new extortion crews are speedrunning the Scattered Spider playbook

30 April 2026 at 11:00

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” is closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeted employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said.

These phishing pages capture credentials, session keys or tokens, depending on the workflow. That initial foothold gives attackers an entry point, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 
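The chain described above (sign-in with phished credentials, a new MFA factor enrolled minutes later, then the security-alert email deleted) is easiest to catch by correlating identity-provider and mailbox events per user. The following detection logic is an added example written for this page, not code from CrowdStrike or any vendor; the event schema and the sample events are constructed, and the 30-minute window is an assumed tuning value.

```python
"""Flag the login -> MFA enrolment -> alert-deletion sequence per user.
Event schema (ts, user, event, detail) and the sample lines are constructed
for this example; they do not come from any real identity provider."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice shows the full chain, bob enrols a factor
# a day after logging in, which is normal and must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2025-10-14T09:02:10Z", "user": "alice", "event": "login", "detail": "ip=203.0.113.7"},
    {"ts": "2025-10-14T09:05:41Z", "user": "alice", "event": "mfa_factor_enrolled", "detail": "type=authenticator_app"},
    {"ts": "2025-10-14T09:07:03Z", "user": "alice", "event": "mail_deleted", "detail": "subject=New sign-in security alert"},
    {"ts": "2025-10-14T11:30:00Z", "user": "bob", "event": "login", "detail": "ip=198.51.100.5"},
    {"ts": "2025-10-15T08:00:00Z", "user": "bob", "event": "mfa_factor_enrolled", "detail": "type=fido2"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_mfa_chains(events, window=timedelta(minutes=30)):
    """Return (user, login_ts, stages) for every login that is followed within
    `window` by an MFA factor enrolment. If a mailbox deletion whose subject
    mentions a security alert also falls in the window, 'alert_deleted' is
    appended, which is the strongest signal of the tradecraft described."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "login":
                continue
            t0 = _parse(e["ts"])
            stages = []
            for f in evs[i + 1:]:
                if _parse(f["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later is in the window
                if f["event"] == "mfa_factor_enrolled":
                    stages.append("mfa_enrolled")
                elif f["event"] == "mail_deleted" and "security alert" in f["detail"].lower():
                    stages.append("alert_deleted")
            if "mfa_enrolled" in stages:
                findings.append((user, e["ts"], stages))
    return findings


if __name__ == "__main__":
    for user, ts, stages in find_suspicious_mfa_chains(SAMPLE_EVENTS):
        print(f"{user}: login at {ts} followed by {', '.join(stages)}")
```

In production the same join runs against the identity provider's factor-enrolment log and the mail platform's audit log; raising severity when both stages are present keeps routine device re-registrations from paging anyone.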

The data-theft-for-extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures of each subgroup are distinct. The variances include hours of operation, phishing domain providers, preferred operating systems, data leak sites, and the tools or devices used to register for multi-factor authentication.

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said the demands of Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

Regulator fines Fidelity Brokerage Services $1.25M over data breach

By: Dissent
27 April 2026 at 19:44
Melanie Waddell reports: William Galvin, Massachusetts’ top securities regulator, ordered Fidelity Brokerage Services on Monday to pay $1.25 million for failing to enforce appropriate cybersecurity controls that resulted in a data breach affecting about 77,000 customers. “After learning of the breach, Fidelity also failed to notify many impacted residents, including the relatives and minor children...

Source

Lotte Card given notice of $3M penalty, business suspension over massive data breach

By: Dissent
9 April 2026 at 08:25
Yonhap News reports: Lotte Card has been notified by the financial watchdog that it is liable for around 5 billion won ($3.38 million) in financial penalties and a business suspension of over four months over a massive data leak, informed sources said Thursday. The Financial Supervisory Service recently sent the notice to the credit card...

Source

Italy’s data protection regulator fined Intesa Sanpaolo €31.8 million over insider data breach

By: Dissent
3 April 2026 at 18:07
From the Garante’s press release, below, it sounds like the banking group experienced an insider-wrongdoing breach in which an employee improperly accessed 3,573 customer accounts over a period of two years. Data breach: The Italian Data Protection Authority fines Intesa Sanpaolo €31.8 million for unauthorized access to the banking information of over 3,500 customers for...

Source

$285 Million Drift Protocol Exploit Shows Signs of North Korea-Linked Hackers

By: Dissent
3 April 2026 at 18:06
Abdelaziz Fathi reports: Blockchain analytics firm Elliptic said the $285 million exploit of Solana-based Drift Protocol shows multiple indicators associated with North Korea’s state-sponsored hacking groups. The firm’s assessment is based on onchain behavior, laundering patterns, and network-level signals that align with previous incidents attributed to DPRK-linked actors. The attack is the largest crypto exploit...

Source

Lotte Card fined 9.6 billion won for leaking users’ social registration numbers

By: Dissent
12 March 2026 at 07:58
Korea JoongAng Daily reports: Lotte Card was fined 9.6 billion won ($6.5 million) by the Personal Information Protection Commission (PIPC) after 450,000 users’ social registration numbers were leaked. The PIPC decided to impose an administrative fine of 9.62 billion won and a penalty of 4.8 million won on Lotte Card for violations of the Personal Information...

Source

Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them

2 December 2025 at 13:30

A House Republican introduced legislation Tuesday aimed at deterring cyberattacks against the United States at a time when the Trump administration is prioritizing the punishment of malicious hackers.

Rep. August Pfluger, R-Texas, revived legislation he first sponsored in 2022, the Cyber Deterrence and Response Act. The legislation would direct the executive branch to formally designate foreign parties behind major cyberattacks against the United States as a “critical cyber threat actor” subject to sanctions. It also would establish a framework for attributing who’s behind cyberattacks, including contributions from cyber agencies and threat intelligence companies.

“As cyberattacks in the United States grow more sophisticated and widespread, we must ensure the Trump administration and all future administrations have a strong framework to hold bad actors accountable and safeguard our national security,” Pfluger said in a news release. “Protecting America’s critical infrastructure from malicious cyberattacks is essential, and this bill does exactly that.”

The legislation is the latest reflection of congressional dismay that began growing last year in response to the Salt Typhoon cyberespionage campaign that infiltrated telecommunications networks, and the sense that the United States wasn’t doing enough to make hackers pay for their behavior.

At a hearing Tuesday, Senate Commerce Chairman Ted Cruz, R-Tex., said the United States needs to do a better job of working “together to detect and deter attacks in real time.”

The Trump administration has said deterrence is one of the first pillars of its forthcoming cyber strategy.

The definition of “critical cyber threat actor” under Pfluger’s bill applies to hackers who disrupt the availability of computer networks, compromise computers that provide services in critical infrastructure, steal significant personal data or trade secrets, destabilize the financial or energy sectors or undermine the election process.

The president could waive sanctions against those designees by explaining the reasoning to Congress in writing, a common clause of sanctions legislation.

Pfluger’s measure is updated in some ways from its 2022 incarnation, such as by giving the Office of the National Cyber Director the leading role in designating critical cyber actors.

The legislation draws on bills that former Rep. Ted Yoho, R-Fla., introduced in past years. That legislation won House approval in 2018, but never advanced further.

The post Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them appeared first on CyberScoop.

North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes

4 November 2025 at 15:48

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, IT company and financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank aids in avoiding sanctions between China and North Korea. The five employees are China or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. “The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.
