An Algerian man known online as “SPOX” was extradited from Spain and charged with running a black-market cybercrime operation that prosecutors say defrauded thousands of victims and funneled roughly $900,000 through a cryptocurrency account over a three-year period.

Abdellah Belmili, 26, made his initial appearance Monday in the U.S. District Court for the Western District of New York in Buffalo. He faces a single count of conspiracy to commit bank fraud, which carries a maximum sentence of 30 years in prison. 

He was extradited from Spain earlier this month.

Federal investigators say Belmili allegedly created and administered at least two illicit online marketplaces, market0day.com and spoxy.us, that operated similarly to commercial e-commerce platforms. The marketplaces sold financial credentials, phishing kits, compromised email server access, and other tools used to carry out fraud. All transactions on the sites were conducted in Bitcoin.

According to court documents, the FBI became aware of the marketplaces in September 2020 through a confidential source. The site’s administrator was already known to investigators as a prolific creator of phishing kits targeting major U.S. financial institutions.

In 2020, undercover FBI agents used the marketplace to buy a phishing kit designed to replicate JPMorgan Chase’s login page and capture victims’ personal information. Agents also purchased access to a compromised email server. A third item — access to a website control panel — was paid for but never delivered, prompting customer complaints on Belmili’s Telegram channel.

Shortly after those complaints surfaced, Belmili announced he was closing market0day.com and redirecting customers to a new site, spoxy.us, which he described as a “new store for bulk sms,” which typically refers to mass phishing via text message. 

The new site used the same template, color scheme, and navigation structure as its predecessor and was registered using the stolen identity of a 77-year-old Texas resident.

Investigators identified Belmili through a combination of open-source research, search warrants, and records obtained from technology and financial companies. Early versions of his phishing kit code contained his full name, “Dila Belmili,” embedded in the source alongside his Telegram handle and a link to the marketplaces. Facebook accounts linked to the alias “spox_coder” listed “Dila Belmili (spox)” as the display name, and customers had posted complaints about phishing kit purchases directly on his profile.

Records obtained from Google showed that Belmili used his personal email account to search for financial institution logos, hacking tools, and methods for generating fake identities and credit card numbers. The same account received approximately 1,400 emails containing victims’ stolen personal information from active phishing kits targeting American Express, Bank of America, Cash App, JP Morgan Chase, PayPal, and Wells Fargo.

Investigators also found that Belmili had built hidden backdoors into phishing kits he sold to other criminals, allowing him to continue harvesting victim data even after the kits changed hands.

Records from cryptocurrency exchange Binance showed approximately $900,000 deposited into an account registered to Belmili between Jan. 2020 and Jan. 2023. Of that amount, roughly $760,000 was transferred to other accounts or converted into other forms of cryptocurrency, while approximately $41,000 was withdrawn from ATMs. 

In total, investigators identified approximately 595 distinct phishing kits created by Belmili. Analysis of victim data exported to Telegram pages and email accounts linked to the operation identified roughly 5,600 victims in the United States and internationally.

“This defendant thought that he could get away with defrauding thousands of victims out of hundreds of thousands of dollars by using fake names and hiding behind a keyboard to steal bank account and credit card numbers,” said U.S. Attorney Michael DiGiacomo in a release. “This arrest makes clear that, regardless of where you operate, our law enforcement partners will find you – and when they do, you will face the full consequences of your actions.” 

You can read the court documents below. 

The post Algerian man charged with running two cybercrime marketplaces appeared first on CyberScoop.

The FBI, along with Google and Lumen Technologies, took down a major cybercrime network based in China that was responsible for an estimated $1.9 billion in losses, officials said Friday. 

Outsider, which provided phishing kits and hosted infrastructure for cybercriminals since July 2023, facilitated a wave of phishing attacks against people and businesses in 55 countries, including the United States, the FBI said in a LinkedIn post.

The jointly coordinated effort dubbed “Operation Ghost Hook” netted the seizure of several domains of the group’s core admin servers, a Shopify storefront, roughly $100,000 from Outsider payment wallets and thousands of domains registered through U.S.-based providers, officials said.

The FBI said it also used an Outsider Telegram bot to access information on the cybercrime network’s customers.

“The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement.

Authorities traced Outsider’s phishing domains to nearly 3.9 million stolen credit cards.

Google, one of the vendors impersonated by the phishing kits, described Outsider as a massive AI-powered operation. 

Outsider provided its phishing kit, which allowed cybercriminals to create fake sites and phishing campaigns to steal credit cards, bank account credentials and personal data, for a weekly subscription as low as $88 per week, the company said in a civil lawsuit it filed to dismantle the cybercrime network’s infrastructure. 

The China-based group behind the operation encouraged and provided step-by-step instructions for customers to use Gemini and other AI platforms to generate custom code for phishing lures and corresponding sites for illegitimate missed packages, overdue highway tolls, parking violations, issues with a brokerage account or wireless carrier rewards.

“The Outsider software allows scammers to request multiple types of verification from victims, including SMS, PIN, email and app verification,” Google wrote in the lawsuit filed in the U.S. District for the Southern District of New York. “This flexibility enables the enterprise to defeat various forms of authentication security.”

Google said it’s working with AT&T, T-Mobile and Verizon to intercept the spam messages before they reach customers, but these types of phishing attacks are prevalent and have been spreading for years. 

Google is also pushing for legislative action, including a series of bills, to combat these scams, General Counsel Halimah DeLaine Prado wrote in a blog post.

“Litigation alone won’t end this,” she wrote. “As threats evolve, our laws must, too.”

Google said it doesn’t know the real names of the people or entities involved in Outsider, but said the operation is supported by multiple cybercrime groups providing different roles with overlapping infrastructure.

The FBI said the takedown was part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post FBI takes down massive China-based cybercrime network that caused $1.9B in losses appeared first on CyberScoop.

Cybersecurity threats to the 2026 midterm elections are targeting the accounts and platforms that campaigns, donors and voters use to communicate, according to a security report released Monday by Check Point Software Technologies.

So far in this election cycle, threats are not aimed at voting machines or ballot-counting systems. Instead, threat actors are going after the email accounts, websites and fundraising platforms that election organizations depend on.

Jeremy Fuchs, a campaign manager for Check Point, told CyberScoop that the report’s core findings reflect a broader trend in cybersecurity: Bad actors are using AI to make their attacks larger and more effective.

“The barrier to entry is lower and the quality is so much higher than it was three years ago, 10 years ago, that everything is going to look more realistic and it’s going to be more effective at accomplishing whatever goals [attackers] have,” he said.

Email remains the easiest way for hackers to perpetuate election-related schemes. Check Point found that 82% of malicious attacks arrive through email, where threat actors covertly trick users into handing over their passwords for major fundraising sites. Approximately 9,500 stolen passwords were tied to ActBlue, which collects donations for Democratic candidates. Approximately 6,500 were linked to WinRed, a Republican fundraising platform.

Fuchs noted that this information may not be directly used for election-related schemes, yet could be leveraged for opportunistic follow-on attempts at accessing other accounts.

“Whenever an exposure like this happens, whether it’s with a political site or not, oftentimes it’s saved for later,” he said. “If I have your email and password, if I have your phone number, I can just start an attack, a simple phishing attack that has nothing to do with the election right now.”

Threat actors are also registering many new websites with election-related names. In January, about 1,300 new websites included the word “election” and about 4,010 included the word “vote.” These websites can be used for phishing scams, where hackers trick people into giving up their passwords by pretending to be legitimate election organizations.

Fuchs noted that not every website may turn out to be malicious, but the speed with which these sites have been established — especially when legitimate campaign sites have been running years before an election — has led researchers to believe that the majority will be used for nefarious purposes. 

“If you’re spinning up these websites very quickly and at scale, there’s a reason for it,” he said. 

Misinformation and manipulated content present another layer of concern, especially as AI-generated political content has become increasingly visible in the 2026 cycle. Earlier this month, OpenAI rolled out a suite of tools and safeguards that’s meant to provide a layer of security for this particular election cycle.

Fuchs said this AI-powered manipulation is only going to grow as we get closer to Election Day, and as the models get better, so too will actors’ ability to deceive people with fake content. 

“It’s really hard to make sense of these things when the AI, and the attacks, have just become so good,” he said. “It was hard when they weren’t good. So now imagine how much harder it’s going to be when it is good, and it’s continuing to get better and better.” 

Fuchs warned that the speed at which AI-powered election threats are evolving presents a challenge that extends beyond technical defenses, saying that the true challenge lies in a threat landscape that’s changing faster than public understanding can keep pace.

“There’s so much more that we as a society can truly fathom,” he told CyberScoop. Generative AI “is moving so fast. It’s getting so good. And if we’re not having those conversations about, ‘hey, this is how things might change,’ all this stuff is just going to continue to get more difficult and more difficult. And it’s going to flare at these inflection points, whether an election is kind of the perfect place for it, because there’s just so much at stake for so many people.”

You read the full report on Check Point’s website. 

Update, 6/2/2026, 4:30 p.m.: This story has been amended to further clarify how threat actors are obtaining passwords for campaign donation sites.

The post Election threats are focused on campaign systems, not voting machines appeared first on CyberScoop.

Silent Ransom Group, a long-running data extortion operation, continues to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access to computers, the FBI said in an alert Tuesday.

The closed group, which likely operates from Russia and emerged in 2022 after Conti disbanded, has claimed responsibility for more than 100 attacks with activity surging during the past few months, according to researchers.

The FBI’s warning comes exactly one year after the agency released a previous alert about Silent Ransom Group consistently targeting law firms since mid-2023. The group doesn’t deploy encryption, but its dual use of social engineering and in-person visits for data theft is extremely rare with no known parallels across the vast cybercrime ecosystem, multiple experts told CyberScoop.

“There were probably a lot of times that this failed before it started succeeding because there’s a lot of trial-and-error involved,” said Allan Liska, field chief information security officer at Recorded Future. Whereas other ransomware groups would rather move on to other tactics or targets, “Silent Ransom Group has seen the value especially in going after law firms, and so they’re willing to put the extra effort into it,” he added. 

The data extortion group, which is also tracked as Chatty Spider, UNC3753 and Storm-0252, isn’t as prolific as more high-tempo ransomware groups. Yet, it’s having a noticeable impact due to its proven knack for attacking organizations in the legal sector.

Halcyon tracked 134 ransomware incidents against law firms and legal services during the first quarter of this year, making it the fourth-most targeted industry accounting for more than 6% of all ransomware attacks the company tracked during the period. 

Silent Ransom Group and Inc, a ransomware-as-a-service operation dating back to mid-2023, are largely responsible for that uptick, said Cynthia Kaiser, senior vice president at Halycon’s Ransomware Research Center.

“Silent was the first group to really just be targeting law firms, and they’ve targeted major law firms” with a clear understanding of what’s most problematic for organizations in that segment, she added. “The theft of data in and of itself is the biggest issue for the law firms, so they’re tailoring a lot of their operations around what they know about the sector.”

Law firms are a rich target because data theft creates huge privilege and reputational problems, which creates the perception they might be more willing to pay high extortion demands, Kaiser said.

Silent Ransom Group’s social engineering scheme involves phone calls or phishing emails that urge employees to call one of the group’s associates posing as IT support, the FBI said. If the group’s attempt to gain access to the employee’s computer via remote access tools fails, it sends an associate to the victim’s location to physically attach a storage device to the victim’s workstation. 

This extra step is unique and places Silent Ransom Group in a completely different mode of operation than its peers in ransomware and data theft extortion. Some aggressive data theft extortion groups have harassed and threatened executives and employees with physical violence, but in-person visits for data theft are extraordinary.

“While Flashpoint has observed threat actors soliciting or co-opting both witting and unwitting insiders, we have not observed them physically sending attackers to victim locations. This tactic carries significant risk, as threat actors are able to use technology to obscure their real-world identities,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. 

Joe Slowik, director of cybersecurity alerting strategy at Dataminr, said it’s easy to question why potential victims would fall for this tactic. “However, humans in the workplace need to implicitly trust others to get their jobs done,” he said. 

“Questioning everything, while seemingly desirable, introduces significant friction and distrust in workplace environments and limits productivity in arbitrary ways,” Slowik added. “Criminal entities will continue to prey on human weaknesses and dependencies for success, and placing the burden solely on employees to defend against this is unfair and unreasonable.”

The FBI did not provide details about the people Silent Ransom Group uses to initiate the fake IT support calls or visit victims in person. Yet, with the group’s operators based in Russia, researchers speculate gig workers or subcontractors are playing a critical role by placing voice-based phishing calls in a common language and visiting victims at their workplace. 

Liska said he’s under the impression the group is using freelance taskers that don’t necessarily know they are committing a crime. “They may be suspicious, but you know, they need the money,” he said. 

“It’s kind of like a Doordash person that delivers Arby’s,” Liska said. “You know you’re doing really bad things to people, but you know what, they’re paying you to deliver.”

The post FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person appeared first on CyberScoop.

The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday. 

The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.

Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers. 

Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.

“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”

Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.

Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.

This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February. 

By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning. 

Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.

Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added. 

The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests. 

“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.

The post FBI warns about fast-growing phishing kit targeting Microsoft 365 users appeared first on CyberScoop.

Interpol coordinated an expansive investigation with 13 countries in the Middle East and North Africa to disrupt and take down cybercrime operations, including phishing services and tools, malware and scams. The law enforcement effort netted 201 arrests, led to the seizure of 53 servers and disrupted multiple cybercrime services, Interpol said Monday.

Operation Ramz, which the law enforcement organization said was the first large-scale effort of its kind in the region, also identified 382 suspects over a four-month period ending in February. The collective countermeasures allowed authorities to pin the various malicious activities to nearly 4,000 victims.

“In a world where cybercriminals exploit the digital landscape without borders, Operation Rams demonstrates the effectiveness of global collaboration,” Neal Jetton, Interpol’s director of cybercrime, said in a statement.

Police in Jordan tracked down a computer involved in financial fraud scams and, during a raid, found 15 people carrying out the scams who were later determined to be victims of human trafficking. The victims were recruited under false promises of employment from their home countries in Asia and had their passports confiscated upon arrival in Jordan, officials said. 

A pair of ringleaders behind the operation, who forced or coerced the victims to participate in the scheme, were arrested, according to Interpol. 

Law enforcement agencies in Algeria dismantled a phishing service by seizing a server and other devices linked to the operation. Moroccan authorities also seized multiple devices containing banking data and software for phishing operations.

Officials in Oman remediated a server containing sensitive information that was infected with malware, and compromised by vulnerabilities. Meanwhile, investigators in Qatar identified and secured multiple compromised devices that were being used, unbeknownst to their owners, of spreading malicious threats. 

Authorities involved in the months-long effort gathered almost 8,000 pieces of data that was shared among participating countries to support ongoing investigations.

Operation Ramz was supported by Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the United Arab Emirates. Multiple companies and organizations also helped Interpol track illegal cyber activities and identify malicious servers, including Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru and Trend Micro. 

“Interpol is dedicated to working with its member countries and private sector partners to take down malicious infrastructure, disrupt criminal groups and bring perpetrators to justice,” Jetton said.

The post Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa appeared first on CyberScoop.

A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 

Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 

The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.

Victims included high net worth individuals and businesses in the entertainment, telecom, technology, business process outsourcing, IT, cloud and virtual currency sectors, officials said.

Buchanan and his co-conspirators were part of an aggressive subset of The Com coined Scattered Spider. While The Com and its offshoots don’t operate with formal leaders in the traditional sense, Buchanan played a crucial role in the operation, according to Allison Nixon, chief research officer at Unit 221B.

“[Buchanan] was the glue that held this gang together. His success at wiping out victims’ savings made him a target for both law enforcement and rival Com gangs,” Nixon told CyberScoop.

“[Buchanan] is part of an older generation that came from certain toxic gaming servers before the pandemic. People from this generation learned hacking in order to steal vanity usernames and bully kids before using it to steal peoples’ savings,” she added.

Federal authorities filed charges against five individuals with links to the Scattered Spider cybercrime outfit in 2024. Buchanan and Urban’s alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans — still face charges in the case, officials said. 

Nixon lauded law enforcement for acting decisively to arrest Buchanan during a brief window of opportunity while he was traveling internationally. 

“Com members are obsessed with private jets and foreign vacations, and the feds took that dream away with one arrest,” she said. 

The tactic, which U.S. officials also use against Russian cybercriminals, works because most countries are willing to support in the arrest of foreign criminals, thereby keeping them out of their respective jurisdictions, Nixon said. 

“As a foreigner, he was caught in a weaker legal position than if he was arrested at home, and cases following this tactic tend to have very long sentences,” she added. “The takeaway for Com members watching this case is that criminal foreigners associated with violence are the lowest class in every country. And that’s what Com members are when they travel.”

The Justice Department said Buchanan and his co-conspirators defrauded at least a dozen companies and their employees throughout the United States. A digital device police found at his residence in April 2023 contained personal data on numerous individuals and victim companies, according to his plea agreement.

It’s unclear what transpired between that search in April 2023 in Scotland and his June 2024 arrest at a resort city on the Spanish island of Mallorca. Moreover, his plea agreement doesn’t include the entirety of his alleged crimes. 

Buchanan attracted a lot of attention and successfully coordinated many attacks before a rival Com gang allegedly broke into his home and used a blowtorch on him to extract crypto keys in his possession, according to Nixon. 

Following his arrest, Spanish police said Buchanan had gained control of bitcoin worth more than $27 million at that time. 

While early leaders of Scattered Spider have been arrested or sentenced for their crimes, others have filled those roles with even more exceptional impact. 

The Com has grown to thousands of members, typically between 11 and 25 years old, splintered into three primary subsets the FBI describes as Hacker Com, In Real Life Com and Extortion Com.

Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes. 

You can read the indictment against Buchanan and some of his co-conspirators below.

The post Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety appeared first on CyberScoop.

An apparent hack-for-hire campaign from a group with suspected Indian government connections targeted Middle Eastern and North African journalists and activists using spyware, three collaborating organizations said in reports published Wednesday.

The attacks shared infrastructure that pointed to the advanced persistent threat group known as Bitter, which most frequently targets government, military, diplomatic and critical infrastructure sectors across South Asia, according to conclusions from researchers at Access Now, Lookout and SMEX.

Each group took on a different piece of the puzzle:

• Access Now got calls on its helpline that led it to examine a spearphishing campaign in 2023 and 2024. It contacted Lookout for technical support about the malware it encountered.
• Lookout attributed the malware to Bitter, concluding it was a likely hack-for-hire campaign, using the Android ProSpy spyware.
• SMEX dived into a spearphishing campaign targeting a prominent Lebanese journalist last year, collaborating with Access Now to discover shared infrastructure between the campaigns.

One of the victims, independent Egyptian journalist Mostafa Al-A’sar, said he contacted Access Now after receiving a suspicious link from someone he’d been talking to about a job position. He was skeptical because his phone had been targeted before, when he was arrested in Egypt in 2018.

The lesson for journalists and civil society groups is that cybersecurity “is not a luxury,” he said.

“I feel like I’m threatened,” Al-A’sar said, and even though he was living in exile, he feels like “they are still following me. I also felt worried about my family, about my friends, about my sources.”

The combined research found a wider campaign than just the original victims.

“Our joint findings expose an espionage campaign that has been operational since at least 2022 until present day primarily targeting civil society members and potentially government officials in the Middle East,” Lookout wrote. “The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device.”

The Committee to Protect Journalists condemned the campaign.

“Spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks,” said the group’s regional director, Sara Qudah. “These actions endanger not only journalists’ personal safety, but also their sources and their ability to do their work. Authorities in the region must stop weaponizing technology and financial resources to surveil journalists.”

Access Now said it didn’t have enough information to attribute who was behind the attacks it identified.

ESET first published research on the ProSpy malware last year, after finding it targeting residents of the United Arab Emirates.

The post Hack-for-hire spyware campaign targets journalists in Middle East, North Africa appeared first on CyberScoop.

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustaining trends. Yet, the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest amount of crimes that also resulted in the greatest amount of total losses by age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

A phishing campaign tied to AI cloud-hosting service Railway has given hackers access to the Microsoft cloud accounts for hundreds of businesses, according to researchers at Huntress.

Rich Mozeleski, product manager for Huntress’ identity team, told CyberScoop the campaign is currently tied to a smaller actor and approximately a dozen IP addresses, but has managed to compromise hundreds of targets in the past few weeks.

In early March it was compromising a few dozen targets a day, but starting March 3, there was a “massive increase” in that tempo. Mozeleski said that in addition to being more sophisticated than usual, there were no identical emails or domains used, leading researchers to suspect that they may have been generated through artificial intelligence tools. The templates ranged from traditional email lures to QR codes and co-opted file-share sites.

“Just the amount of it was like Pandora’s Box had opened, and the efficacy was just through the roof,” Mozeleski said.

A custom file download phishing lure used in the campaign. Researchers believe the attackers used AI to generate unique lures at scale. (Source: Huntress)

The phishing campaign exploits Microsoft’s authentication flow for devices such as smart TVs, printers and terminals, which gives the attacker valid OAuth tokens for that account for up to 90 days without needing a password or multifactor authentication.

Ultimately, Huntress has seen hundreds of its customers fall for the phishing scams, though they claim to have prevented post-compromise activity in all cases. But they also believe that group represents only a small fraction of the likely total victim set, which could number in the thousands.

The affected entities span a range of sectors: construction and trade companies, law firms, nonprofits, real estate, manufacturing, finance and insurance, healthcare, government and public safety organizations were all among the 344 victims detailed in the Huntress blog.

To protect customers, Mozeleski said Huntress issued a conditional access policy update Wednesday to 60,000 Microsoft cloud tenants on emails coming from Railway domains, an act he described as “not anything we’ve ever done before.”

Weaponizing vibe-coded infrastructure

Researchers believe the attackers were weaponizing Railway’s Platform as a Service — built to help non-coders build websites and tools — to spin up credential harvesting infrastructure for the campaign.

By using compromised domains and pumping out bespoke lures, the phishing emails avoid most commercial email filtering solutions. It’s not clear if they used Railway’s AI tool or a separate one to generate the lures. Either way, all the attacks Huntress has observed are coming through Railway.com IP infrastructure.

In response to questions from CyberScoop on Friday, Railway solutions engineer Angelo Saraceno said the company is aware of the incident and was first contacted by Huntress on March 6 regarding phishing traffic originating from a specific IP address and three domains. “The associated accounts were banned and the domains were blocked,” Saraceno said.

“Our heuristics are built to catch correlations: repeated credit cards, shared code sources, overlapping infrastructure,” he wrote in an email. “When a campaign avoids those signals, it gets further than we’d like.”

Saraceno called Railway’s fraud detection “a balance” between catching bad actors and getting flooded with false positives, pointing to an incident in February when fine-tuning in the company’s automated abuse enforcement system led to a customer outage.

Earlier Friday, Mozeleski told CyberScoop that Huntress continued to see more than 50 compromises a day tied to Railway phishing domains. When asked what more Railway could have done to prevent abuse of their platform, he said vetting and validation on the free use of their product could be improved. He pointed to products with similar trials, like MailChimp and HubSpot, that have controls and oversight in place so users can’t “go pump in a million contacts and start spamming.”

“Do not allow anybody to come in, start a trial, spin up resources, and start using your infrastructure” for cyberattacks, he said.

One of the more striking contrasts of the campaign was the use of AI to create phishing infrastructure akin to a state-sponsored threat actor or advanced cybercriminal group in service of a garden-variety phishing scam.

It bolsters warnings coming from cybersecurity experts that low-level cybercriminals — often called “script kiddies” for their reliance on automated hacking tools — are poised to become one of the biggest beneficiaries of the generative AI era. Last month, John Hultquist, chief analyst at Google’s Threat Intelligence Group, said that he expects that AI tools will help “smaller cybercriminal outfits more than state-sponsored hackers.”

Testimonials on Railway’s website tout the service’s ability to deliver “vertical auto-scale out of the box”, while another said it “makes spinning up self-hosted third-party tools almost effortless.”

It may also give them a leg up on victim organizations that have more restrictive internal policies around the use of AI for cyber defense.

“We are seeing crooks as the first movers of AI,” said Prakash Ramamurthy, chief product officer at Huntress. “They don’t have any qualms about PII, they don’t have any qualms about model training … and this incident, just in the sheer pace at which it has evolved, is kind of a testament to that.”

The post An AI-powered phishing campaign has compromised hundreds of organizations appeared first on CyberScoop.

Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report. 

These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.

Exploited vulnerabilities remained the top initial access vector for the sixth-consecutive year, giving attackers footholds in 32% of all incidents last year, the company said. Yet, the rise of voice phishing marks a concerning shift in tactics, especially in large-scale attacks with sweeping impacts.

“This type of social engineering attack is extremely powerful. It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop. “We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”

Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.

This global shift in attacks was most clearly seen in the sharp drop in email-based phishing., For years, phishing has been a popular method because it’s cheap and requires little technical skill. It works much like high-volume advertising — a spray-and-pray strategy focused on reaching as many people as possible rather than specific targeting.

Email phishing is no longer a top initial access vector, according to Mandiant. The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.

“The higher the investment, the higher the payout needs to be,” Kutscher said. “[Interactive phishing] takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”

These techniques are difficult to defend against because they’re designed to exploit human instincts and bypass many security controls. “We’ve always said, unfortunately the human tends to be the weakest link,” Kutscher said. 

Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year. Exploited defects remain a persistent problem.

The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.

Attackers of various origins and objectives exploited all three of the vulnerabilities en masse and as zero-days. 

Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.

Technology companies were the most frequently attacked in 2025, accounting for 17% of all incidents. The following most-targeted industries included finance at 14.6%, business and professional services at 13.3% and health care at 11.9%.

The post The phone call is the new phishing email appeared first on CyberScoop.

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting them to click a link or provide verification codes or account personal identification number.

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps. 

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

‘We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

The post FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps appeared first on CyberScoop.

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB Memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud that’s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.