Set for January 2026 at Automotive World in Tokyo, the contest will have six categories, including Tesla, infotainment systems, EV chargers, and automotive OSes.
Suspected Iranian hackers infiltrated former national security adviser John Bolton’s email account and threatened to release sensitive materials, his indictment alleges.
The indictment on charges that Bolton mishandled classified information, released Thursday, comes after President Donald Trump’s unprecedented public call for the Justice Department to prosecute his enemies. Bolton served under Trump in his first term as national security adviser and since has become a critic.
The portion of the indictment dealing with the Iranian hackers seeks to show that a representative of Bolton knew his personal emails contained information they should not have.
In early July of 2021, according to the indictment, the Bolton representative contacted the FBI to alert the bureau about the apparent hack, and their suspicion that it was someone from Iran. The indictment states that it was “a cyber actor believed to be associated with the Islamic Republic of Iran.”
The Justice Department had recently closed an investigation into whether Bolton illegally published classified information in a memoir. Later that July, the apparent hackers threatened to release Bolton’s emails, drawing comparisons to the leak of 2016 Democratic presidential candidate Hillary Clinton’s emails.
“I do not think you would be interested in the FBI being aware of the leaked content of John’s email (some of which have been attached), especially after the recent acquittal,” the threatening note from on or about July 25 read, the indictment states. “This could be the biggest scandal since Hillary’s emails were leaked, but this time on the GOP side! Contact me before it’s too late.”
Days later — on or about July 28, the indictment states — Bolton’s representative also told the FBI that they were “[j]ust sending you the text (not the documents [the hacker] attached since there might be sensitive information in them.)”
According to the indictment, “A day later, on or about July 29, 2021, Bolton’s representative told the FBI that Bolton would be deleting the contents of his personal email account that had been hacked.”
Bolton got one more message from the apparent hackers in August. “OK John … As you want (apparently), we’ll disseminate the expurgated sections of your book by reference to your leaked email…” It’s not clear if the hackers followed through on the threat, or what they demanded of Bolton not to release the sections.
Bolton didn’t disclose to the FBI that he had used a hacked email account to share classified information with two unnamed relatives, “nor did he tell the FBI that the hackers now held this information,” the indictment reads.
A search warrant affidavit released last month contains a passage headed “Hack of Bolton AOL Account by Foreign Entity,” but the passage itself is redacted.
Bolton surrendered to authorities on Friday. The law firm of the lawyer defending him did not immediately respond to an email about the indictment passages related to the alleged hack, but his attorney, Abbe Lowell, has denied Bolton committed any crimes.
“These charges stem from portions of Ambassador Bolton’s personal diaries over his 45-year career — records that are unclassified, shared only with his immediate family, and known to the FBI as far back as 2021,” Lowell said in a statement. “Like many public officials throughout history, Ambassador Bolton kept diaries — that is not a crime.”
Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday.
“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29.
Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update.
The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.
Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together.
“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.
Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity.
Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.
Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.
Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims.
Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit.
“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report.
While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.
Clop has repeatedly broken into technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation when it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack of that year.
Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.
Thalha Jubair, 19 of London, and Owen Flowers, 18 of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the September 2024 cyberattack on Transport for London, the U.K.’s National Crime Agency said.
Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.
The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said.
“These malicious attacks caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, highlighting the significant and growing threat posed by brazen cybercriminals,” Matthew Galeotti, acting assistant attorney general in the Justice Department’s Criminal Division, said in a statement.
Jubair and co-conspirators allegedly broke into networks of U.S. companies via social engineering, stole and encrypted data, demanded ransom payments and committed money laundering.
Law enforcement seized cryptocurrency wallets on a server allegedly controlled by Jubair in July 2024 and seized cryptocurrency worth about $36 million at the time. He allegedly transferred a portion of cryptocurrency that originated from one of his victims, worth about $8.4 million at the time, to another wallet.
Authorities also specifically accused Jubair, also known as “EarthtoStar,” “Brad,” “Austin” and “@autistic,” of breaking into the networks of a U.S.-based critical infrastructure company and the U.S. courts in October 2024 and January 2025.
Flowers was initially arrested by British police last year for his alleged involvement in the attack on Transport for London, just days after the incident. At that time, investigators found evidence of his alleged involvement in other attacks, and he has since been charged over those as well, specifically attacks targeting U.S.-based health care companies SSM Health Care Corp. and Sutter Health in 2023.
“Finally,” Allison Nixon, chief research officer at Unit 221B, said in reaction to news of Jubair and Flowers’ arrests. “Jubair and Flowers are like many members of The Com who seek to achieve heroic status by committing so many crimes they get famous for harming society on a massive scale.”
Jubair is charged in the U.S. District Court for the District of New Jersey with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. He faces up to 95 years in prison if convicted.
Jubair and Flowers were both scheduled to appear in court in the U.K. on Thursday to face charges under the country’s Computer Misuse Act.
The Justice Department didn’t say if efforts are underway to extradite Jubair to face charges in the United States. The agency did not immediately respond to a request for comment.
“Today’s charges make it clear that no cybercriminal is beyond our reach,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “If you attack American companies or citizens, we will find you, we will expose you and we will seek justice.”
Salesloft pinned the root cause of the Drift supply-chain attacks to a threat group gaining access to its GitHub account as far back as March, the company said in an update Saturday.
During a 10-day period in mid-August, the threat group compromised and stole data from hundreds of organizations.
The threat group, which Google tracks as UNC6395, spent time lurking in the Salesloft application environment, downloaded content from multiple repositories, added a guest user and set up workflows over a monthslong period through June, according to Salesloft.
“The threat actor then accessed Drift’s Amazon Web Services environment and obtained OAuth tokens for Drift customers’ technology integrations,” the company said. “The threat actor used the stolen OAuth tokens to access data via Drift integrations.”
The update marks the most significant details Salesloft has shared since Google security researchers first warned about the “widespread data theft campaign” last month. The company is still withholding key details while its incident response firm, Mandiant, moves on to confirming the quality of its forensic investigation.
Salesloft has not explained how its GitHub account was accessed, what attackers did in its environment, nor how the threat group accessed Drift’s AWS environment and obtained OAuth tokens. The company also hasn’t explained why OAuth tokens were stored in the cloud environment, and if the stolen OAuth tokens were for internal integrations with third-party platforms or customers’ OAuth tokens for individual integrations.
The company has not responded to multiple requests for comment dating back to Aug. 26, when news of the attacks first surfaced.
Analysts and researchers acknowledge that Salesloft may still be seeking definitive answers about what went wrong, yet the company already misfired when it erroneously claimed exposure was limited to Drift customer instances integrated with Salesforce. Days later, Google Cloud’s incident response firm Mandiant said Salesloft Drift customers were compromised en masse, potentially snagging any user that integrated the AI chat agent platform to another third-party service.
“I don’t think they’re being fully transparent. They’re still holding some stuff back,” said Paddy Harrington, senior analyst at Forrester.
Salesloft’s post-incident investigation thus far underscores multiple areas where the company’s security practices and controls were apparently less than adequate, according to Harrington.
Nathaniel Jones, VP of security and AI strategy at Darktrace, said he hopes more information will be shared once the investigation is complete. “They’ve confirmed the breach and downstream impacts but stopped short of saying how the attacker got in,” he added.
“They’ve boxed in the Drift environment, taken it offline, rotated credentials, and emphasized containment. That’s all good practice,” Jones said.
Salesloft took Drift offline Friday and said the move was temporary “to fortify the security of the application and its associated infrastructure.” Salesloft rotated all centrally managed keys for OAuth users, but customers who manage Drift connections to third-party applications via API keys need to revoke existing keys directly with the third-party provider’s application, the company said.
The Salesloft platform, which has been technically segmented from Drift and confirmed uncompromised, according to Mandiant, restored connections with Salesforce Sunday, the company said.
Salesloft doesn’t know when Drift will be restored and brought back online. Yet, the company may need to make significant changes to regain trust as the lingering and still unknown effects of the damage caused by the breach stain Drift’s reputation.
“They’re probably going to have to rename that thing. The name alone is now totally tainted,” Harrington said. “They could reintroduce the product, but they’re going to have to totally talk about a rearchitecture change.”
Key details are still missing about how the attack occurred, and customers need to understand the true scope of the supply-chain attack and the extent of data stolen, he added.
“We’re in a time where attackers are going to find the least-protected asset and they’re going to go for it, and they struck gold here. Holy crap, did they strike gold,” Harrington said. “This thing just keeps getting worse and worse and worse.”
Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations.
Salesloft initially claimed exposure was limited to customers integrated with Salesforce. Yet, Google Threat Intelligence Group and Mandiant Consulting — Google’s incident response firm which is now working with Salesloft — said any platform integrated with Drift is potentially compromised.
The root cause of the attacks, specifically how the threat group that Google tracks as UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. “There is no evidence of any unusual or malicious activity with the Salesloft platform,” Salesloft said in an update Saturday.
On Monday, the company said “Drift will be taken offline in the very near future,” rendering the platform inaccessible and the Drift chatbot unavailable on customer websites. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company added.
Salesloft, which acquired Drift in February 2024, has not responded to requests for comment since news of the attacks first surfaced last week.
The company announced an agreement to merge with Clari, a competitor in the customer-relationship management space, one day before the attacks started Aug. 8. In the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries.
The exposure caused by the attacks has raised widespread concern, as customers seek clarity about the unfolding disaster. Salesloft customers are assessing if they were impacted, and then sifting through data to determine the extent to which they or their customers were compromised.
The attacks did not hit every Salesloft Drift customer. Some Salesloft Drift customers, when contacted by CyberScoop, confirmed they were not implicated by the attacks and found no evidence that corporate or customer data was compromised.
Okta said it was not impacted by the incident, but confirmed it was a target based on indicators of compromise Google Threat Intelligence Group shared last week. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said in a blog post Tuesday.
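The control that stopped the attempt against Okta, a valid stolen token presented from a network the integration owner never approved, is simple to model. The following is an added example and is not Okta’s, Salesforce’s or Salesloft’s code: a token gate that binds each connected app’s OAuth tokens to an allowlist of source networks, records every decision, and flags the pattern a detection team should alert on (a valid, unexpired token refused because of its source address). Client IDs, token strings, expiry values and the 203.0.113.0/24 and 198.51.100.0/24 networks are constructed.

```python
"""Bind OAuth-token use to pre-approved source networks.

Added example (not Okta's, Salesforce's or Salesloft's code). Models the
control described in the article: a stolen integration token is refused
unless it arrives from a network the integration owner allowlisted. All
client IDs, tokens, expiries and IP ranges below are constructed.
"""
import ipaddress
import time
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConnectedApp:
    client_id: str
    allowed_networks: list  # CIDR strings; an empty list means unrestricted (the weak default)


@dataclass
class TokenRecord:
    client_id: str
    expires_at: float  # epoch seconds
    scopes: tuple


class TokenGate:
    def __init__(self, apps, tokens):
        self.apps = {a.client_id: a for a in apps}
        self.tokens = tokens            # token string -> TokenRecord
        self.events = []                # audit trail, one entry per decision

    def authorize(self, token, source_ip, now=None):
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None:
            return self._deny("unknown_token", None, source_ip)
        if rec.expires_at <= now:
            return self._deny("expired_token", rec.client_id, source_ip)
        app = self.apps[rec.client_id]
        ip = ipaddress.ip_address(source_ip)
        # The check that saved Okta: a good token from the wrong place is still refused.
        if app.allowed_networks and not any(
                ip in ipaddress.ip_network(n) for n in app.allowed_networks):
            return self._deny("ip_not_allowlisted", rec.client_id, source_ip)
        self.events.append({"outcome": "allow", "reason": None,
                            "client_id": rec.client_id, "source_ip": source_ip})
        return {"allowed": True, "client_id": rec.client_id, "scopes": rec.scopes}

    def _deny(self, reason, client_id, source_ip):
        self.events.append({"outcome": "deny", "reason": reason,
                            "client_id": client_id, "source_ip": source_ip})
        return {"allowed": False, "reason": reason}


def stolen_token_alerts(events):
    """Count, per connected app, valid tokens refused for their source address.

    Unlike expired or unknown tokens, this pattern means someone holds a live
    credential for the integration and is using it from outside the owner's
    infrastructure, which is exactly what a leaked OAuth token looks like.
    """
    return dict(Counter(e["client_id"] for e in events
                        if e["outcome"] == "deny" and e["reason"] == "ip_not_allowlisted"))


def build_demo_gate():
    """Two constructed integrations: one restricted to its vendor egress range, one open."""
    apps = [
        ConnectedApp("drift-restricted", ["203.0.113.0/24"]),  # constructed vendor egress range
        ConnectedApp("drift-open", []),                         # the weak configuration
    ]
    tokens = {
        "tok-drift-restricted": TokenRecord("drift-restricted", expires_at=5000, scopes=("api",)),
        "tok-drift-open": TokenRecord("drift-open", expires_at=5000, scopes=("api",)),
    }
    return TokenGate(apps, tokens)


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.authorize("tok-drift-restricted", "203.0.113.25", now=1000))  # legitimate use
    print(gate.authorize("tok-drift-restricted", "198.51.100.7", now=1000))  # same token, attacker IP
    print(gate.authorize("tok-drift-open", "198.51.100.7", now=1000))        # open app lets it through
    print(stolen_token_alerts(gate.events))
```

The allowlist lives with the connected app, not with the token, so rotating tokens after an incident does not weaken the control, and the `stolen_token_alerts` view turns the refusal into a detection signal rather than a silent 403.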
Many other businesses were less fortunate.
Sam Curry, chief information security officer at Zscaler, said the company’s Salesloft Drift integration with Salesforce was the point of unauthorized access. The company was using Salesloft Drift integrated with other platforms, but they were not impacted, he added.
Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases.
“No product, service, or infrastructure was affected,” Curry said. “We are looking to hear from Salesloft Drift and from Salesforce if there are any other findings since this happened in their infrastructure.”
Curry said Zscaler was already in the process of ending its relationship with Salesloft Drift for unrelated reasons.
Palo Alto Networks on Tuesday confirmed that it, too, was one of hundreds of organizations impacted by the supply chain attack. The company’s incident response business Unit 42 confirmed the incident was limited to its Salesforce environment, adding that no Palo Alto Networks products or services were impacted.
“Most of the exfiltrated data was business contact information,” a Palo Alto Networks spokesperson told CyberScoop in an email. “However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised.”
Cloudflare said any information customers shared with the company’s support system — including logs, tokens or passwords — should be considered compromised. The company said it found 104 Cloudflare API tokens in the compromised data and, while it found no evidence of abuse, rotated the tokens out of an abundance of caution.
The company also maintained that no Cloudflare services or infrastructure were compromised.
“We are responsible for the choice of tools we use in support of our business,” a group of Cloudflare security leaders said in a blog post Tuesday. “This breach has let our customers down. For that, we sincerely apologize.”
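Palo Alto Networks’ and Cloudflare’s statements describe the same triage task: working out how many live credentials were sitting in free-text support cases that have now been exfiltrated, so they can be rotated. The following is an added example, not tooling from Cloudflare, Palo Alto Networks or Salesloft: a scanner that runs over exported case notes, matches documented token prefixes (AWS access key IDs, GitHub personal access tokens, Slack tokens, private-key headers, bearer headers) and `password=`-style assignments, and applies an entropy gate to a catch-all 40-character pattern so that ordinary long identifiers are not counted as secrets. The 40-character Cloudflare token shape is an assumption and is labelled as such in the code; the sample case notes and every token value in them are constructed.

```python
"""Hunt for pasted credentials in exported support-case text.

Added example, not tooling from Cloudflare, Palo Alto Networks or Salesloft.
Scans free-text case notes of the kind the article describes, reports each
secret once (redacted) and totals them by kind for a rotation plan. The
sample notes and all token values are constructed.
"""
import math
import re
from collections import Counter

# Documented token prefixes, plus an ASSUMED 40-char shape for Cloudflare API
# tokens that is gated on entropy so it does not flag ordinary identifiers.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bAuthorization:\s*Bearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "cloudflare_api_token_assumed": re.compile(r"\b[A-Za-z0-9_-]{40}\b"),
}
ENTROPY_GATED = {"cloudflare_api_token_assumed"}
ENTROPY_FLOOR = 4.5  # bits/char: random base62 is ~5.2, English-like identifiers ~3.5-4.0

# "password=...", "api_key: '...'" style assignments with a value of 8+ non-space chars.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return f"{value[:4]}...[{len(value)} chars]"


def scan_text(text: str) -> list:
    """Findings for one note; a value matched by several patterns is reported once."""
    findings, seen = [], set()
    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind in ENTROPY_GATED and shannon_entropy(value) < ENTROPY_FLOOR:
                continue  # long but low-entropy string, e.g. a pipeline name
            if value not in seen:
                seen.add(value)
                findings.append({"kind": kind, "value": redact(value)})
    for m in ASSIGNMENT.finditer(text):
        value = m.group(2)
        if value not in seen:
            seen.add(value)
            findings.append({"kind": "assigned_" + m.group(1).lower(), "value": redact(value)})
    return findings


def scan_cases(cases: dict) -> dict:
    return {case_id: scan_text(text) for case_id, text in cases.items()}


def summarize(results: dict) -> dict:
    by_kind = Counter(f["kind"] for fs in results.values() for f in fs)
    return {"total": sum(by_kind.values()), "by_kind": dict(by_kind),
            "cases_with_secrets": sorted(c for c, fs in results.items() if fs)}


# Constructed sample case notes; none of these values is a real credential.
SAMPLE_CASES = {
    "CASE-1001": ("Dashboard failing since the upgrade. Here is our Cloudflare API token so you can "
                  "reproduce: v1p9QmZrT3xL8aKd2WsN0yHb7FuE5cGjR4oVtXwI and our GitHub PAT "
                  "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij."),
    "CASE-1002": ("Deploy fails with 403. Env dump: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
                  "password=Tr0ub4dor&3 https://example.internal/health"),
    "CASE-1003": "Rotating our bot token didn't help: xoxb-1234567890-abcdefghij. Also see the logs.",
    "CASE-1004": ("Page loads slowly from Frankfurt since yesterday; pipeline name "
                  "deployment_pipeline_staging_environments, no config changes."),
    "CASE-1005": ("curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123' "
                  "https://api.example.test/v1 returns 500"),
}

if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for case_id, fs in results.items():
        for f in fs:
            print(case_id, f["kind"], f["value"])
    print(summarize(results))
```

Run it over a CSV or JSON export of case bodies instead of `SAMPLE_CASES` and the `summarize` output is the rotation list; the redacted values are safe to paste into the incident ticket, the originals are not.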
Former Salesloft Drift customers were impacted as well. In a blog post announcing some data contained in its Salesforce environment was exposed, SpyCloud said it was previously a customer of Salesloft and Drift, but not currently.
Authorities and threat intelligence analysts alike relish taking ransomware operators off the board. Holding cybercriminals accountable through arrest, imprisonment, or genuine reform creates a powerful deterrent and advances the ultimate goal of a safer internet for everyone.
Getting to that point is a remarkably tough task for defenders. Ransomware attacks are often initiated by people living in countries that aren’t bound by extradition treaties with the United States or don’t cooperate with international law enforcement. When those obstructions aren’t in place, authorities can amass resources to hunt down those responsible for cyberattacks and bring them to justice.
The fight against cybercrime is grueling, and wins don’t typically countervail the losses. For nearly a decade, police have often made high-profile announcements about arresting cybercriminals, keeping them in custody until their court dates and seizing their ill-gotten gains. These acts send a clear message to the public and potential offenders that cybercrime is a serious offense, and authorities are taking swift, visible measures to uphold the law.
Ianis Aleksandrovich Antropenko exemplifies the profile of a modern cybercriminal, yet, unlike many others who have faced strict prosecution for similar offenses, the Justice Department has granted him liberties rarely extended to such suspects.
The 36-year-old Russian national was arrested almost a year ago in California for his alleged involvement in multiple ransomware attacks from at least May 2018 to August 2022. Yet, he was released on bail the day of his arrest and continues to live with few restrictions in Southern California awaiting trial for multiple felonies.
Antropenko is charged with conspiracy to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering. He is accused of using Zeppelin ransomware to attack multiple people, businesses and organizations globally, including victims based in the U.S.
Antropenko pleaded not guilty to the charges in October.
The Justice Department recently announced it seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. His alleged crimes were publicly revealed for the first time last month when authorities unsealed various court documents.
Photo of Antropenko posted to his public Instagram account March 10, 2023. (Instagram)
Antropenko’s arrest and pending trial marks another potential win against ransomware, but many experts told CyberScoop they are stunned he remains free on bail. This rare flash of deferment in a case involving a prolific alleged cybercriminal is even more shocking considering his multiple run-ins with police since his 2024 arrest.
Antropenko violated conditions for his pretrial release at least three times in a four-month period this year, including two arrests in California involving dangerous behavior while under the influence of drugs and alcohol. Authorities haven’t explained why Antropenko was released pending trial, nor why parole officers and a judge repeatedly allowed him to remain out of jail following these infractions.
“On average, most ransomware actors, if they are brought into custody, are remanded because of a flight risk,” said Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon.
“It’s rare to have a ransomware actor in U.S. custody,” the former deputy assistant director at the FBI Cyber Division told CyberScoop. “Typically, if the FBI believes that the person is a flight risk it would make the case for bond to be denied.”
Prosecutors in the U.S. District Court for the Northern District of Texas did not flag Antropenko as a flight risk in this case.
In the past year, other alleged ransomware suspects or cybercriminals — Noah Urban, Cameron Wagenius, Connor Moucka and Artem Stryzhak among them — were all detained pending trial. Urban, who was sentenced last month to 10 years in prison, and Wagenius, who has pleaded guilty to some charges, were arrested in the United States. Moucka and Stryzhak were arrested elsewhere and extradited to the U.S.
Pretrial treatment of cybercrime suspects hasn’t always adhered to strict norms, especially when the accused’s mental health status was taken into account. Paige Thompson, who was arrested in July 2019 for hacking and stealing data from Capital One and dozens of other organizations for a cryptocurrency mining scheme, was deemed a “serious flight risk” by prosecutors, but still released pending trial four months later.
A U.S. district judge in Seattle determined Thompson didn’t pose a threat to the community and previously told attorneys he was “very concerned” that Thompson would not receive adequate mental health treatment from the Bureau of Prisons.
Thompson was found guilty of multiple counts and sentenced in October 2022 to time served and five years of probation, much to the chagrin of prosecutors. A federal appeals court overruled the district court judge’s sentence earlier this year, calling the punishment “substantially unreasonable.”
Yevgeniy Nikulin, a Russian national arrested in October 2016 on charges related to breaching a database containing 117 million passwords from LinkedIn, Dropbox and other services, was extradited to the U.S. from the Czech Republic in 2018 and ruled fit to stand trial, despite exhibiting mental illness symptoms throughout his incarceration and trial. He was detained pending trial and sentenced to 88 months in prison in September 2020.
Notwithstanding these variances in previous cases, some experts are struck by other irregularities in Antropenko’s case, including his conditions of release. He is not banned from using the internet or computers, but limited to devices and services disclosed during supervision that are subject to monitoring.
More lenient conditions of release are typically offered in exchange for cooperation, according to threat analysts and a former FBI special agent who specialized in cybersecurity investigations.
“The investigators that tracked him down will certainly want to know who the bigger fish are, and they’ll want to figure out who else they could take down,” the former FBI special agent, speaking on condition of anonymity, told CyberScoop. “If he’s willing to cooperate, then normally the federal system will do good things for you.”
Authorities imposed travel restrictions on Antropenko, required him to surrender his passport, banned him from entering a Russian embassy or consulate and are monitoring his location.
Bad behavior going back years
The federal case against Antropenko accentuates how finite resources can put law enforcement and federal investigators at a disadvantage as they confront a constant crush of cybercrime.
The FBI and prosecutors accuse Antropenko of deploying ransomware and extorting victims by email, and implicate him and his ex-wife, Valeriia Bednarchik, in the laundering of ransomware proceeds. Investigators traced the path of ransom payments, money laundering techniques and services, and determined the seized accounts, cash and vehicles were derived from criminal proceeds.
The FBI said it found at least 48 cryptocurrency addresses referenced in Antropenko’s email account — china.helper@aol.com, which he registered in May 2018 — including “emails that received or negotiated ransom payments” and emails about other ransomware attacks.
A cluster of Bitcoin addresses owned by Antropenko “had received a total of approximately 101 Bitcoin” as of Feb. 5, 2024. Out of this amount, 64.6 Bitcoin was sent to the cryptocurrency mixing service ChipMixer, according to the FBI. As of today’s rates, the current value of 101 Bitcoin is almost $10.9 million.
The 2023 takedown of ChipMixer, which was used by criminals to launder more than $3 billion in cryptocurrency starting in 2017, provided crucial evidence for this investigation, according to Ian Gray, VP of intelligence at Flashpoint.
“Only after law enforcement seized ChipMixer’s infrastructure could investigators trace the funds linked to accounts registered in Antropenko’s name,” he said. “The sophistication of Bitcoin tracing and clustering techniques also likely contributed to the timing, as law enforcement has adopted software and tools more widely.”
Prosecutors allege that Antropenko and Bednarchik funneled money from computer fraud victims through ChipMixer, then back to their own exchange accounts. Antropenko also allegedly arranged in-person cryptocurrency-to-cash swaps in the U.S., depositing the cash in small sums under $10,000 into his bank account.
FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.
In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik’s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022. The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: “I took half 50000$ from 100000$”
Authorities also seized cash and two luxury vehicles from the apartment Antropenko and Bednarchik once shared in Irvine, Calif. This included a Lexus LX 570 that Antropenko purchased for more than $123,000 in November 2022 and a 2022 BMW X6M that Antropenko and Bednarchik purchased for $150,000 in cash in November 2021. Photos of vehicles matching those descriptions are depicted on Antropenko’s public Instagram account.
Ransomware operators have been assisted by their spouses in other cases, but their partners’ involvement is typically limited to money laundering, Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.
While many ransomware operators and affiliates operate outside of Russia now, it is rare for a Russian national to live in the U.S. while initiating ransomware attacks for as long as Antropenko allegedly did, Liska said.
“It sounds like he may have had additional information about other people, maybe bigger fish that law enforcement could go after,” he said.
The U.S. District Court for the Northern District of Texas declined to answer questions or provide additional information. The most recent attorney on record for Antropenko did not respond to a request for comment.
Antropenko didn’t just inflict damages on his cybercrime victims, as alleged by prosecutors. His volatility erupted around those closest to him, according to Bednarchik, who accused him of domestic violence in temporary restraining orders she filed against Antropenko in April and May 2022.
Bednarchik has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities said they plan to bring charges against her, no cases are currently pending.
In court filings, Bednarchik painted a picture of a controlling relationship, writing that Antropenko “constantly threatens me with full custody of our son, because he has a lot of money” and expressing fears he might take their child to Russia without permission.
Photo of a BMW X6M posted to Antropenko’s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024. (Instagram)
Court records reveal the family lived together in Miami and later Irvine until 2022. Despite Bednarchik reporting only $800 monthly income from her clothing business, she estimated Antropenko earned $50,000 per month from “cryptocurrency dividends,” describing him as “the breadwinner for the family.”
When Antropenko was arrested in September 2024, Bednarchik posted his $10,000 bail, identifying herself in the affidavit as his ex-wife.
“She’s either being redacted because she’s a victim or because she is collaborating with law enforcement and has been able to get her name redacted,” Zach Edwards, senior threat analyst at Silent Push, told CyberScoop.
Antropenko’s ties to Zeppelin ransomware
Authorities did not describe the extent to which Antropenko was involved with Zeppelin ransomware. Prosecutors mention unnamed co-conspirators in some court documents, indicating they are investigating or aware of others involved in the ransomware-as-a-service operation.
The Cybersecurity and Infrastructure Security Agency said Zeppelin ransomware victims include a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and organizations in the health care and medical industries.
Zeppelin, a variant of the Delphi-based Vega malware, was used from at least 2019 to mid-2022, the agency said in an August 2022 advisory. A ransom note included in CISA’s advisory listed an AOL address for communication regarding extortion payments.
Prosecutors and investigators working on Antropenko’s case said Zeppelin ransomware affected about 138 U.S. victims since March 2020, including a data analysis company and its CEO based in the Dallas region where Antropenko faces federal charges.
Prosecutors have consistently declared the case against Antropenko “complex,” with evidence surpassing 7 terabytes of data, including personally identifiable information of victims, such as names, addresses, photos and bank account numbers.
Zeppelin and Antropenko’s alleged activities rose during the second wave of ransomware, when many cybercriminals were winging it and law enforcement activity was at a lull, Liska said. “If you start off with a mistake, that mistake is going to catch up to you,” he said.
Indeed, threat researchers and analysts attribute Antropenko’s capture to “sloppy” behaviors and practices, including his use of major U.S. service providers.
“Antropenko’s operational security was remarkably poor,” Gray said.
“He used a personal PayPal account linked to recovery emails for ransomware operations, shared usernames between banking and ransomware accounts, and stored sensitive information like cryptocurrency seed phrases and photos of large cash amounts in iCloud accounts,” he continued. “These OPSEC failures ultimately led to law enforcement identifying Antropenko.”
Pretrial release violations
While prosecutors push Antropenko’s trial date further down the road — currently set for Feb. 6, 2026 — his personal life has been unraveling. He was hospitalized on a mental health hold on Dec. 31, 2024, and spent a week in a behavioral health hospital, according to a pretrial release violation report.
Antropenko told his probation officer that his ex-wife took his son from him unexpectedly, which led to a significant bout of depression and increase in alcohol consumption. “While walking around his RV park intoxicated, he was approached by an individual who offered him an unknown drug,” which he assumed was some type of methamphetamine, Antropenko’s probation officer wrote in the court filing.
Antropenko said he had little recollection of the events that followed. Once he was placed in a police car after law enforcement arrived the following morning, “he assumed he was being arrested which exacerbated his depression, prompting him to bang his head on the window of the police car, after which he recalls regaining consciousness in the hospital,” the probation officer said. No charges were filed.
Almost two months later, Antropenko was arrested for public intoxication in Riverside County, Calif., when he was found lying unresponsive in the center divider of a roadway. Antropenko told his probation officer he sat down on a curb near his home to smoke a cigarette after consuming four to five beers and was feeling tired, so he fell asleep. He was released the following day.
A U.S. magistrate judge in Texas allowed Antropenko to remain out on bond and modified the conditions of his release to include a ban on alcohol consumption and a requirement to submit to regular alcohol testing.
“It strikes me as unusual to have so many drug violations and stay out on bail,” Kaiser said. “It would be overly lenient if they were still perpetrating crimes obviously against others. It appears he’s harming himself.”
In April, Antropenko contacted his parole officer to make an unsolicited admission to cocaine use, according to a court document filed in May. “The defendant stated that he attended a birthday celebration for a friend’s sister. When he went to the restroom some ‘random people’ offered him a ‘bump of cocaine,’” his probation officer said. The court took no further action.
“Even if he is a cooperating witness, he has been given a lot of freedom, a lot more freedom than we normally see in this case,” Liska said. “I can’t think of any case, of anybody this high profile, that has been given this level of freedom, cooperating or not.”
Edwards is also dismayed Antropenko remains out on bail pending trial.
“It’s wild that a citizen from Russia who has been accused of partnering with serious global threat actors and is out on bail for leading a ransomware campaign, has been arrested multiple times for issues associated with alcohol, including passing out on a street in public, and also admitted to using cocaine while out on bail, and yet his bail hasn’t been revoked,” he said.
Former law enforcement officials were less shocked about the circumstances of Antropenko’s case than security analysts.
Adam Marrè, chief information security officer at Arctic Wolf, said the post-arrest privileges granted to Antropenko aren’t that odd, especially since Antropenko’s alleged pretrial release violations don’t have anything to do with cybercrime.
Marrè said Antropenko’s alleged violations would have frustrated him when he was a special agent at the FBI investigating cybercrime, but he understands the court’s decisions, adding “people are innocent until proven guilty.”
It’s important to note the FBI is focused on outcomes, according to Kaiser. “Getting money back to victims who were stolen from is more important than punishing some guy, especially if he’s not doing [ransomware] activities anymore,” she said.
“It’s hard to arrest these people in the first place and stop them, which means it’s very complicated to deter them over a long period of time,” Kaiser added. “There’s no one arrest that’s going to stop these types of activities.”
China’s reliance on domestic technology companies to carry out large-scale hacking operations—as highlighted by the U.S. government and its allies this week—is a weakness that poses risks for Beijing, a top FBI official told CyberScoop.
Cyber agencies from around the world published an alert Wednesday about what officials have described as an indiscriminate cyberespionage campaign from Chinese Communist Party-backed hackers like the group known as Salt Typhoon. The alert also named three Chinese companies that it says have assisted that hacking.
“These enabling companies, they failed,” Jason Bilnoski, deputy assistant director in the FBI’s cyber division, told CyberScoop. “This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure.”
The lack of precise control China has over what those companies do created an opening for investigators, Bilnoski said.
“They have this unregulated system of using these enabling companies, and it does create a risk between CCP-sanctioned actions and the mistakes by these enabling private companies that they are utilizing,” he said.
The alert about the hacking campaign tracks activity from Salt Typhoon and other Chinese government-linked groups dating back to 2021, which it says Chinese entities have also assisted.
“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the alert states. “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”
One of the named companies, Sichuan Juxinhe Network Technology, is already the subject of U.S. sanctions. That firm has not responded publicly to the U.S. accusations to date, nor apparently have the other two. The Chinese government routinely denies backing hacking activities.
Under a series of laws that China passed dating back to 2014, the government has imposed obligations on companies that do business domestically on the handling of sensitive data, among other rules.
“Historically, the CCP has used shell companies like those listed here in the [advisory] to conduct this nefarious activity, and no doubt they will continue to do so,” Bilnoski said. “But we’re going to continue after them. We have a long memory, so if it’s today, tomorrow, we’re going to continue to identify, uncover and expose their activities.”
Defending networks can’t just be the role of the government, though, he said — thus the alert that went beyond warnings to the telecommunications companies that Salt Typhoon made headlines by hacking.
The timing of the alert was simple, he said: As the FBI and its partners conducted their investigations, responded to the attacks and assisted victims, they released it as soon as it was ready to go.
“It’s important that we understand that it doesn’t matter if you’re Fortune 500, small business — we should not and we cannot assume that our systems are secure,” Bilnoski said. “We need the American people, we need our partners around the world to take action here, not just with Salt Typhoon, but with all the indiscriminate actions that the CCP has been undertaking over the last few years.”
Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.”
The takeover and effective disruption of the botnet, also known as Eleven Eleven Botnet and CowBot, occurred after officials identified and served a warrant at the Oregon residence of a 22-year-old man who allegedly developed and ran the operation since at least 2021.
Ethan Foltz of Eugene, Ore., was charged with one count of aiding and abetting computer intrusions in the U.S. District Court for the District of Alaska on Tuesday. He faces a maximum penalty of up to 10 years in prison, the Justice Department said.
Rapper Bot allegedly conducted more than 370,000 attacks, targeting 18,000 unique victims across 1,000 unique autonomous system numbers from April to early August, according to officials.
The botnet, which primarily infected digital video recorders and Wi-Fi routers, infected between 65,000 and 95,000 devices to regularly conduct high-tempo DDoS attacks. Officials said Rapper Bot regularly conducted DDoS attacks measured at between two and three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.
Rapper Bot attacks impacted 80 countries, with DDoS attacks most heavily concentrated in China, Japan, the United States, Ireland and Hong Kong, officials said.
“Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks,” a special agent with the Defense Criminal Investigative Service said in an affidavit for the criminal complaint against Foltz.
Investigators traced the botnet to Foltz after linking the botnet’s hosting provider to a PayPal account. Under court order, PayPal sent records to investigators indicating Foltz controlled the account and shared email addresses he associated with the account. Investigators said they determined the same IP address was used to access Foltz’s Gmail, PayPal and internet service provider simultaneously, despite his apparent use of VPN services.
Google accounts linked to Foltz revealed extensive evidence linking him to Rapper Bot, according to investigators. Foltz conducted searches for “RapperBot” and “Rapper Bot” more than 100 times, and sometimes after conducting these searches he viewed cybersecurity blogs, indicating he might have been monitoring what was known about the botnet in real time, officials said in the court documents.
DCIS served a warrant at Foltz’s residence in Oregon on Aug. 6, and during a recorded interview “Foltz stated that he was the primary administrator of Rapper Bot.” Foltz also named his primary partner as a person he only knew as “SlayKings,” adding that the botnet code was derived from the Mirai, Tsunami and fBot botnets.
Upon an official’s request, Foltz terminated Rapper Bot’s outbound attack capabilities and passed administrative control of Rapper Bot to DCIS personnel. Foltz hasn’t been arrested, but officials familiar with the case said they’ve requested a summons in this case.
Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal and Unit 221B assisted law enforcement with the investigation.
Google this week changed how it publicly discloses vulnerabilities in a bid to give defenders early details about new software defects it discovers, shortening the early window of time between a vendor releasing a patch and customers installing the security update.
Project Zero, Google’s squad of security researchers who find and study zero-day vulnerabilities, will now publicly share when it discovers a vulnerability within one week of reporting that defect to the vendor. Google said these reports will include the affected product and name of the vendor or open-source project responsible for the software or hardware, the date the report was filed and when the 90-day disclosure deadline expires.
Google’s new trial policy addresses a nagging, persistent challenge in vulnerability management, spanning from discovery to disclosure and patch release to adoption. Tim Willis, head of Project Zero, described this delay as the “upstream patch gap,” in a blog post announcing the change.
“This is the period when an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product,” Willis said. “We’ve observed that this upstream gap significantly extends the vulnerability lifecycle.”
Google insists the policy change will not help attackers, yet may put additional public pressure and attention on unfixed defects. Google hopes this will encourage stronger communication between upstream vendors and downstream customers or dependents, resulting in faster patch development and increased patch adoption, Willis said.
“This data will make it easier for researchers and the public to track how long it takes for a fix to travel from the initial report, all the way to a user’s device,” he said in the blog post.
Project Zero will continue to adhere to a 90+30 disclosure deadline policy that gives vendors 90 days to fix a defect before public disclosure, and 30 days for customers to install the patch. When a vendor addresses a vulnerability before 90 days pass, the 30-day deadline for customers to patch kicks in. If a vendor doesn’t release a patch within 90 days, Project Zero makes details about the vulnerability public.
Early reports of discovered vulnerabilities will not include technical details, proof-of-concept code or information Google believes would help attackers discover the defect until the deadline. Willis described the policy as “an alert, not a blueprint for attackers.”
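As an added illustration of the 90+30 timeline and the “upstream patch gap” described above (example code written here, not Google’s or Project Zero’s own; all dates are constructed, and only the rules the text states are modelled):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REPORT_WINDOW_DAYS = 90   # vendor's window to ship a fix before disclosure
PATCH_WINDOW_DAYS = 30    # customers' window to install a fix that shipped in time
EARLY_ALERT_DAYS = 7      # trial policy: the existence of the report is published within a week


@dataclass
class VulnReport:
    """One reported defect, tracked from report to the fix reaching end users."""
    vendor: str
    product: str
    reported: date
    upstream_fixed: Optional[date] = None       # upstream vendor's fix available
    downstream_shipped: Optional[date] = None   # downstream product integrated the fix


def early_alert(r: VulnReport) -> dict:
    """Fields the early public report carries: vendor, product, report date,
    90-day deadline. No technical detail is included on purpose."""
    deadline = r.reported + timedelta(days=REPORT_WINDOW_DAYS)
    return {
        "vendor": r.vendor,
        "product": r.product,
        "reported": r.reported.isoformat(),
        "deadline": deadline.isoformat(),
        "publish_by": (r.reported + timedelta(days=EARLY_ALERT_DAYS)).isoformat(),
    }


def disclosure_date(r: VulnReport) -> date:
    """90+30 rule: a fix that lands within 90 days starts a 30-day patch
    window before details go public; no fix by day 90 means disclosure at day 90."""
    deadline = r.reported + timedelta(days=REPORT_WINDOW_DAYS)
    if r.upstream_fixed is not None and r.upstream_fixed <= deadline:
        return r.upstream_fixed + timedelta(days=PATCH_WINDOW_DAYS)
    return deadline


def upstream_patch_gap(r: VulnReport) -> Optional[int]:
    """Days an upstream fix existed before the downstream dependent shipped it."""
    if r.upstream_fixed is None or r.downstream_shipped is None:
        return None
    return (r.downstream_shipped - r.upstream_fixed).days


def lifecycle_days(r: VulnReport) -> Optional[int]:
    """Days from the initial report to the fix reaching a user's device."""
    if r.downstream_shipped is None:
        return None
    return (r.downstream_shipped - r.reported).days


def exposed_after_disclosure(r: VulnReport) -> Optional[int]:
    """Days users of the downstream product stayed unpatched after public
    disclosure; 0 when the downstream fix shipped first."""
    if r.downstream_shipped is None:
        return None
    return max(0, (r.downstream_shipped - disclosure_date(r)).days)


# Constructed sample: upstream fixes at day 40, downstream ships 71 days later.
SAMPLE = VulnReport(
    vendor="ExampleVendor", product="ExampleLib",   # hypothetical names
    reported=date(2025, 8, 1),
    upstream_fixed=date(2025, 9, 10),
    downstream_shipped=date(2025, 11, 20),
)

if __name__ == "__main__":
    print(early_alert(SAMPLE))
    print("disclosure:", disclosure_date(SAMPLE))
    print("upstream patch gap (days):", upstream_patch_gap(SAMPLE))
    print("lifecycle (days):", lifecycle_days(SAMPLE))
    print("exposed after disclosure (days):", exposed_after_disclosure(SAMPLE))
```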
Zero-day defects are an unyielding problem for defenders, posing a steady risk to enterprise systems and critical infrastructure. Google Threat Intelligence Group tracked 75 zero-day vulnerabilities exploited in the wild last year, noting that zero-day exploitation is targeting a greater number and wider variety of technologies.
Three of the four most-exploited vulnerabilities in 2024, all of which were contained in edge devices, were initially exploited as zero-days, Mandiant said in its annual M-Trends report released in April.
Project Zero researchers will monitor the effects of this change to how the team publicly discloses newly discovered vulnerabilities. “We hope it achieves our ultimate goal,” Willis said, engendering “a safer ecosystem where vulnerabilities are remediated not just in an upstream code repository, but on the devices, systems and services that people use every day.”
Ukrainian authorities Tuesday arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office.
Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.
Officials accuse the forum’s administrator of running technical operations and playing a central role in enabling cybercrime. Messages intercepted by authorities during the investigation revealed the suspect made more than $8.2 million in advertising and facilitation fees.
“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol said in the news release about the arrest and takedown operation. Authorities also accuse the suspect of running thesecure.biz, a Jabber-powered private messaging service for cybercrime that remains online as of press time.
The cybercrime unit of the Paris public prosecutor’s office opened an investigation into XSS.is in July 2021 and deployed French police investigators on the ground in Ukraine, with Europol’s support, in September 2024.
The arrest in Kyiv, Ukraine, followed a series of coordinated law enforcement actions, including evidence gathering and the dismantling of the cybercrime forum’s infrastructure. Authorities said data seized during the investigation will be analyzed to support ongoing investigations across Europe and elsewhere.
The Paris public prosecutor’s office said the alleged administrator of XSS.is was identified as part of a wiretap.
United Natural Foods said the cyberattack that prompted the food distributor and wholesaler to completely shut down its network last month resulted in lost sales of up to $400 million. Executives, during a business update call Wednesday with analysts and investors, said the financial impact from the attack is largely contained to the current quarter, which ends in early August.
The operational interruption caused by the cyberattack, which the company discovered June 5 and disclosed four days later, will result in a net income loss of up to $60 million. Executives did not mention a ransom demand or payment during the call.
The attack on Whole Foods Market’s primary distributor was part of an ongoing attack spree linked to Scattered Spider, a financially motivated cybercrime collective that’s hit dozens of companies in the retail, insurance and aviation industries since it regrouped earlier this year.
The orders United Natural Foods was unable to fill — resulting in empty store shelves and spoilage in the wake of the attack — show the wide financial impact of cybercrime. The company operates 52 distribution centers that fulfill about 250,000 products from more than 11,000 suppliers to 30,000 customer locations in North America.
“Because of the unique role UNFI plays in the food-supply chain, we recognize that this cyber incident impacted our customers and the industry we serve. We never want to be the reason that a local grocer is out of stock on a product that their shoppers count on,” CEO Sandy Douglas said during the call.
Direct costs related to the attack include an estimated $20 million incurred as the company used manual workarounds while systems were offline, and $5 million for remediation costs, including third-party cybersecurity, legal and governance experts brought in to assist with response and recovery efforts.
United Natural Foods expects its cyber insurance policy to sufficiently offset those recovery and remediation costs, but noted that reimbursement will likely arrive in fiscal year 2026, which starts in August.
Meantime, the company has mostly recovered and returned to normal operations. “As of this week, our commercial operating capacity has been restored to normalized levels, average outbound fill rates, on-time deliveries and units shipped are at or close to pre-incident levels, with some variation across distribution centers. We expect continued improvement as we complete our recovery in the coming weeks,” Douglas said.
United Natural Foods restored its primary electronic ordering systems June 16, 10 days after it took systems down, Douglas added. While the restoration is ongoing for some less critical tools, including customized reporting platforms, the company has achieved the bulk of its recovery requirements.
“By June 26 we had safely restored our core systems and broadly returned to more normal operating capacity across our distribution network,” Douglas said. “Since then, we’ve continued working closely with our customers and suppliers to catch up on various business processes, including purchase orders, invoicing and payments that were temporarily delayed during the disruption period.”
A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday.
The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding into networks to steal data for extortion and possibly deploy ransomware, according to researchers.
The vendor appears 14 times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Half of those exploited vulnerabilities affect SonicWall SMA 100 appliances, including three of the four defects added to CISA’s catalog this year.
“In response to the evolving threat landscape — and in alignment with our commitment to transparency and customer protection — SonicWall plans to accelerate the end-of-support date for the SMA 100,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.
“SonicWall has been actively guiding customers toward more modern, secure solutions such as our Cloud Secure Edge service and the SMA 1000 series,” he added.
“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. These updates may become more frequent as we prioritize risk mitigation and the ongoing protection of our user base,” Fitzgerald said.
Google said it lacks evidence of the initial infection vector UNC6148 used to access SonicWall devices because the threat group’s malware selectively removes log entries. Yet researchers said several vulnerabilities could have been exploited by UNC6148, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 or CVE-2025-32819.
“UNC6148 may have used one of the mentioned CVEs to obtain administrator credentials prior to the targeted appliance being updated to the latest firmware version (10.2.1.15-81sv), and then used them to later establish a VPN session before possibly exploiting another unknown vulnerability after the appliance was fully updated,” Zander Work, senior security engineer at Google Threat Intelligence Group, said in an email.
“However, there was insufficient forensic data to confirm this for incidents that we have investigated to date,” Work added.
Insights into post-compromise activities are also limited. “We believe that UNC6148 may conduct data theft for extortion or possibly ransomware deployment as the end-stage goal of their intrusions, but haven’t been able to confirm this due to limited investigative insights at this time,” Work said.
One of UNC6148’s targeted victims appeared on the World Leaks data leak site in June, and the threat group’s activity overlaps with SonicWall exploitation in late 2023 and early 2024, including attacks involving the deployment of Abyss-branded ransomware, according to Google.
Exploited SonicWall defects are popular vectors for ransomware, with the majority of the vendor’s CVEs on CISA’s catalog — 9 out of 14 — known to be used in ransomware campaigns, according to the federal agency.
Mandiant learned more about UNC6148’s technical operations during an investigation into an attack in June. In that attack, UNC6148 established an SSL VPN session on an SMA 100 series appliance using local administrator credentials before it deployed a reverse shell through unknown means.
The reverse shell allowed the threat group to perform reconnaissance, manipulate files, and export and import settings to the SMA 100 appliance, before it deployed the OVERSTEP backdoor, which Google shared technical details about in its report.
The investigation helped Google “learn more about how [UNC6148] may leverage previously compromised SonicWall appliances for further intrusion operations, even after organizations have applied security updates,” Work said.
Google and SonicWall declined to say how many SonicWall SMA 100 devices have been abused by UNC6148, nor how many organizations have been impacted by this ongoing campaign.