
Treasury asks whether terrorism risk insurance program should bolster cyber coverage

The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.

In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.

Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.

Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.

That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”

In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.

“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”

Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.

Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.

Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. It said the attack was in retaliation for U.S. and Israel military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.

The post Treasury asks whether terrorism risk insurance program should bolster cyber coverage appeared first on CyberScoop.

Sean Cairncross lays out what’s coming next for Trump’s cyber strategy

The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.

The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.

“Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.”

A series of pilot programs will be tailored to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.

“One of the things that we are working to do is to align those sectors and prioritize those sectors in a way that makes sense,” he said.

Cairncross said the administration wants to share information with industry better, and will also be looking at revising regulations in some instances. One of those instances is the Securities and Exchange Commission’s 2023 incident disclosure rule, which drew some of the most vehement industry opposition during the Biden administration’s pursuit of cyber regulations. The idea is to make sure they “make sense for industry,” Cairncross said.

But the administration also will have things it seeks from the private sector. That will include bringing together CEOs and sending the message to them that “you need to dedicate some real resources,” he said.

Cairncross has spoken before about wanting to establish an academy to address education and training in a nation with persistent cybersecurity job openings, but there’s more attached to it, he said.

The effort, which Cairncross said the administration would release details on soon, will also include a foundry (which “will be able to scale with private capital new innovation, and deploy it more quickly”) and an accelerator (“so when there’s preceded financing on projects to really ramp that up and be able to scale as well and overcome some of the procurement hurdles that are often based in this space”).

Cairncross said at a second event Monday that another forthcoming step was a law enforcement pilot program to better share information with state and local governments.

“We’re looking for ways to streamline information sharing from the USG side,” Cairncross said at a Billington Cybersecurity event, using the acronym for “U.S. government.” “Often, ‘how’ we know things is extremely sensitive, ‘what’ we know is less so,” he said. The goal is “to figure out how to communicate that in a helpful, actionable way.”

Updated, 3/9/26: to include comments about law enforcement pilot program.

The post Sean Cairncross lays out what’s coming next for Trump’s cyber strategy appeared first on CyberScoop.

Acting CISA chief says DHS funding lapse would limit, halt some agency work

Another Department of Homeland Security shutdown would hamper the Cybersecurity and Infrastructure Security Agency’s ability to respond to threats, offer services, develop new capabilities and finish writing a key regulation, its acting director told Congress Wednesday.

Some of those activities would continue on a limited basis, while others would halt entirely, acting CISA leader Madhu Gottumukkala testified before the House Appropriations Subcommittee on Homeland Security.

“A lapse in funding would impede CISA’s ability to perform … good work,” he told the panel. “When the government shuts down, our adversaries do not.”

As lawmakers held the hearing, DHS was hurtling toward another potential shutdown as Democrats and Republicans clashed over Trump administration immigration policies and enforcement, with a focus most recently on the massive influx of DHS officers in Minneapolis, where those officers have killed multiple U.S. citizens.

Republicans said at the hearing the testimony should persuade Democrats to fund DHS, since its border operations are largely funded by last year’s budget reconciliation law and a shutdown would mainly harm DHS’s other agencies. Democrats said the hearing was “for show,” as they have put forward proposals to fund the rest of DHS as the immigration debate continues — and as 90% of DHS would continue operating under a shutdown, as the panel’s top Democrat, Henry Cuellar of Texas, asserted.

Gottumukkala said CISA planned to designate 888 of its 2,341 employees as “excepted,” meaning they could continue to work during a shutdown, albeit without pay.

“We will do everything we can to meet our mission during the shutdown,” he said. “Uncertainty and those missed paychecks are a serious hardship.”

CISA has reduced its personnel by a third under the second presidency of Donald Trump.

A shutdown “would delay deploying cybersecurity services and capabilities to federal agencies, leaving significant gaps in security programs,” Gottumukkala said in his written testimony. “CISA’s capacity to provide timely and actionable guidance to help partners defend their networks would be degraded.”

There’s a divide between activities CISA could continue in some capacity and those it would have to shutter entirely during a funding lapse, he said.

“Limited activities include responding to imminent threats, sharing timely vulnerability and incident information, maintaining our 24/7 operations center, and operating cybersecurity shared services,” Gottumukkala said. “However, CISA would not perform any strategic planning, development of cybersecurity advice and guidance, or development of new technical capabilities.”

There would likely be delays in activities like issuing binding operational directives to federal agencies or completing the already-delayed regulations stemming from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the latter of which would require critical infrastructure operators to report major cyber incidents to CISA and would be paused during a shutdown, he said.

Gottumukkala’s testimony is the latest before Congress to focus on personnel at CISA. The chairman of the Appropriations subcommittee, Rep. Mark Amodei, R-Nev., chided Gottumukkala for what he said were delays in CISA providing a reorganization plan to the panel.

“We’ve been professional. We’ve been respectful,” Amodei said. “We expect exactly the same thing in return.”

The post Acting CISA chief says DHS funding lapse would limit, halt some agency work appeared first on CyberScoop.

The ‘staggering’ cybersecurity weakness that isn’t getting enough focus, according to a top Secret Service official

The internet domain registration system is a major weakness that malicious hackers can exploit, but is often being overlooked, a senior Secret Service official said Thursday.

“It is staggering to me that we live in a world where domain registrars and registrars will do bulk registration of various spellings of a major institution’s brand name to create URLs to then use in phishing campaigns or in fraudulent advertising,” the official, Matt Noyes, said at a conference in Washington, D.C.

It was one of two areas Noyes identified as attack vectors that aren’t adequately being addressed during a panel at the 2026 Identity, Authentication and the Road Ahead Policy Forum, along with susceptibility to business email compromise scams.

The problem is in how the Internet Assigned Numbers Authority (IANA) functions, he said. A decade ago, the United States relinquished its control of that process.

“It’s not discussed normally in polite company, but very important … for the handful of people that engage in Internet governance,” Noyes said.

“Think about every phishing campaign that contains a link, whether that’s sent by SMS or email,” he said. “They want a URL that is deceptive. That is an identity weakness there in how internet assigned names and numbers function; there was not sufficient validation that the person registering that domain name has rights to that — owns a trade right.”

That forces companies like Microsoft and Google to seek court-ordered takedown operations on the “back end,” as Noyes described it. However, Noyes suggested that internet companies could address the problem proactively.

“That is fundamentally a failure of internet governance that we have not created identity checks to ensure that when someone is registering names and numbers or concentrating a huge amount of abuse in fraudulent activity in particular ASN, autonomous system numbers, that it’s getting addressed and cleaned up,” he said. “The major internet players in the U.S., they could change the nature of the internet and change the governance of that, to clean that up when there’s a heavy concentration of abuse and fraud.”

That would involve not selling certain ads or showing certain results in web searches, Noyes said. “It could be addressed that way, but that’s that underpinning that gets neglected because it’s not in that direct consumer account interaction,” he said.

And on business email compromise, which involves sending fake emails to solicit fraudulent payments, “we put implicit trust that the person we think we’re communicating with controls an email address routinely. That trust is not earned. The system isn’t designed that way.”

Business email compromise routinely accounts for a significant amount of internet-enabled fraud losses annually in the United States.

The post The ‘staggering’ cybersecurity weakness that isn’t getting enough focus, according to a top Secret Service official appeared first on CyberScoop.

Convicted Bitfinex bitcoin launderer freed from prison, thanks Trump law

A hacker who pleaded guilty to conspiring to launder billions of dollars worth of bitcoin stolen in the 2016 Bitfinex hack has been released from prison, a little more than one year after being sentenced to a five-year stint.

Ilya Lichtenstein posted on X that his early release came as a result of a bipartisan 2018 law that President Donald Trump signed in his first term that was meant to reduce the federal inmate population.

“Thanks to President Trump’s First Step Act, I have been released from prison early,” he wrote last week. “I remain committed to making a positive impact in cybersecurity as soon as I can.”

The Bitfinex hack eventually led to what the Justice Department said was, at the time of Lichtenstein’s arrest in 2022, the then-biggest federal recovery and seizure of stolen bitcoin, worth $3.6 billion. Authorities accused Lichtenstein and his wife, Heather Morgan — a rapper on the side who went by the name Razzlekhan — of laundering $4.5 billion from the Bitfinex hack.

It’s a quick reversal from Lichtenstein’s sentence issued in November 2024. At the time of the arrest of the Manhattan couple, law enforcement touted its pursuit of crypto criminals.

“Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals,” said then-Deputy Attorney General Lisa Monaco. “In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions.”

Lichtenstein on X hailed himself as a “hacker on the road to redemption,” adding, “To the supporters, thank you for everything. To the haters, I look forward to proving you wrong.”

Morgan hailed his release, too.

In response to a request for comment, a Bureau of Prisons spokesperson indicated that while Lichtenstein is out of prison, he remains in a form of confinement.

“Ilya Lichtenstein is currently in the custody of the Bureau of Prisons (BOP),” said the spokesperson, Randilee Giamusso. “Mr. Lichtenstein transferred from the Federal Correctional Institution (FCI) Allenwood Low on December 30, 2025, to community confinement overseen by the BOP’s Sacramento Residential Reentry Management (RRM) Office.

“Community confinement means the individual is in either home confinement or a Residential Reentry Center (RRC, or halfway house). He has a projected release date of January 25, 2026,” Giamusso said.

The Justice Department did not respond to a request for comment. The FBI declined to comment. A U.S. official told CNBC that Lichtenstein “has served significant time on his sentence and is currently on home confinement consistent with statute and Bureau of Prisons policies.”

Updated 1/5/26: to include comment from the Bureau of Prisons.

The post Convicted Bitfinex bitcoin launderer freed from prison, thanks Trump law appeared first on CyberScoop.

Is ransomware finally on the decline? Treasury data offers cautious hope

Ransomware is on the decline, according to a study the Treasury Department released Thursday, pointing to fewer attacks and payments following an all-time spike in activity in 2023.

The Financial Crimes Enforcement Network (FinCEN) report on ransomware trends found a more positive development in payments — the critical and most visible layer of attacks that has fueled the rise of these financially motivated crimes for years. Total payments slid 33% from about $1.1 billion in 2023 to $734 million last year, federal researchers found.

Cybercrime experts and authorities have consistently pointed to payments as the most important measure of ransomware activity, asserting that cutting off the main driver of these crimes provides the best chance for creating a lasting deterrence of future attacks.

The drop in ransomware payments from 2023 to 2024 is a positive sign, but it’s too early to celebrate the shift as an enduring decline. Payments previously jumped 77% year-over-year in 2023, and total ransomware payments during the three-year period ending in December 2024 topped $2.1 billion.

The three-year payments total is just slightly below the $2.4 billion in ransomware payments FinCEN attributed to the previous nine-year period ending in 2021.

The number of victims confronting ransomware remains largely unchanged, according to the study, which is based on Bank Secrecy Act data from organizations that reported attacks to FinCEN. Officials received reports of 1,476 ransomware attacks last year, a mere 2% decrease from 1,512 incidents in 2023.

The report concluded manufacturing, financial services and healthcare organizations were the most heavily impacted by ransomware attacks last year. The manufacturing industry reported 456 incidents associated with almost $285 million in payments.

Organizations in the financial services sector reported 432 incidents last year linked to nearly $366 million in payments, and the healthcare industry reported 389 attacks totaling about $305 million in payments, the report found.

Officials said they identified 267 unique ransomware variants between 2022 and 2024. ALPHV/BlackCat was the most heavily reported ransomware variant, followed by Akira, LockBit, Phobos and Black Basta.

FinCEN said 10 ransomware variants were responsible for a cumulative $1.5 billion in payments from 2022 to 2024.

The post Is ransomware finally on the decline? Treasury data offers cautious hope appeared first on CyberScoop.

Authorities take down Cryptomixer, seize $28M in Switzerland

European authorities shut down and seized the assets of Cryptomixer, a cryptocurrency mixing service that allegedly facilitated more than $1.5 billion in money laundering for cybercriminals and other illegal activity, Europol said Monday. 

The weeklong operation, part of “Operation Olympia,” netted the seizure of nearly $28 million in Bitcoin, three servers in Switzerland, the cryptomixer.io domain and more than 12 terabytes of data, officials said. The site currently displays a seizure notice, warning that anyone using or operating cybercriminal services is subject to investigation and prosecution. 

The takedown is part of a broader global law enforcement effort to disrupt, confiscate and obtain additional information on the various services cybercriminals rely upon and the individuals leading these operations. 

Cryptomixer, which was accessible on the clear and dark web, mixed more than $1.5 billion in Bitcoin through its infrastructure since its founding in 2016, according to Europol. Officials described the mixing service as “the platform of choice” for cybercriminals and various crimes, including ransomware, payment card fraud, and drugs and weapons trafficking. 

“Deposited funds from various users were pooled for a long and randomised period before being redistributed to destination addresses, again at random times,” Europol said. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges.”

North Korean-linked Lazarus Group used Cryptomixer and similar services before it shifted to high-volume attacks, according to TRM Labs. Lazarus Group stole $1.46 billion in Ethereum from Bybit in February and laundered $160 million within two days of the attack. 

“North Korea now appears to prioritize speed and automation over traditional anonymity,” researchers said in the wake of the largest cryptocurrency theft on record.

Officials also referenced the 2023 takedown of ChipMixer, the largest mixing service at that time, as an example of law enforcement agencies’ sustained effort to target cryptocurrency mixing services. ChipMixer was allegedly responsible for more than $3 billion in transactions since it began operations in 2017.

The Cryptomixer shutdown drew support from Europol, Eurojust and multiple law enforcement agencies from Germany and Switzerland.

The post Authorities take down Cryptomixer, seize $28M in Switzerland appeared first on CyberScoop.

Five Eyes just made life harder for bulletproof hosting providers

The Treasury Department, along with officials from the United Kingdom and Australia, imposed sanctions Wednesday against two bulletproof hosting providers and key people involved in their operations, in a globally coordinated effort aimed at thwarting the role these services have in enabling ransomware, phishing operations, and data extortion campaigns around the world. 

Authorities sanctioned Media Land, three of its leaders and three affiliated companies for allegedly supporting ransomware operations and other cybercrime. The Russia-based bulletproof hosting provider has provided services to ransomware groups, including LockBit, BlackSuit and Play, officials said.

Authorities imposed sanctions on Media Land’s general director Alexsandr Volosovik, Kirill Zatolokin, Yulia Pankova and subsidiaries ML Cloud, Media Land Technology and Data Center Kirishi. 

“Media Land has been impactful largely because of its longevity. Recorded Future can trace attackers using their infrastructure back to at least 2015 — 10 years of activity,” Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.

“Targeting this kind of infrastructure can have a disruptive effect on the ransomware ecosystem,” he said. “It’s not the same as a takedown, but it makes it much more difficult for these threat actors to operate and continue to provide services.”

Cyber authorities with the Five Eyes intelligence alliance and the Netherlands also released a mitigation guide Wednesday, which offers tips to help defenders thwart cybercrime made possible by this infrastructure. Efforts to impair these services “requires a nuanced approach because bulletproof hosting infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders may impact legitimate activity,” officials said in the guide.

Despite the sanctions, Media Land’s infrastructure will remain online until the organization’s peering partners cut off key services, said Zach Edwards, senior threat analyst at Silent Push. One of those partners, JSC RetnNet, is also based in Russia, but its other peering partner, RETN Limited, is a U.K.-based ISP, he said.

“The bulletproof hosting ecosystem is thriving and growing,” Edwards said, adding “we still need law enforcement to put more pressure on the peering partners who help to get bulletproof hosting infrastructure online and accessible to the rest of the internet.”

Cybercriminals use bulletproof hosting infrastructure to obfuscate their activities, including malware delivery and phishing, and to host content and services that support ransomware, data extortion and denial-of-service attacks, officials said.

“Bulletproof hosting is one of the core enablers of modern cybercrime,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a statement.

Officials also took action against companies and individuals who helped the previously sanctioned Aeza Group evade sanctions and reconstitute operations under new infrastructure and leadership.

U.K.-based Hypercore, Maksim Vladimirovich Makarov, the new alleged director of Aeza, and Ilya Vladislavovich Zakirov were targeted with sanctions for supporting Aeza Group’s ongoing activity. Officials also sanctioned Smart Digital Ideas DOO and Datavice MCHJ for providing technical infrastructure to Aeza.

“Bulletproof hosting providers are hosting the majority of cybercrime infrastructure used by a wide range of global threat actors for ransomware attacks, phishing campaigns, malware delivery and everything in between,” Edwards said. 

“Focusing on these malicious hosts should be a top law-enforcement priority to ensure we’re not just playing Whac-A-Mole with individual threat actors for years to come.”

The post Five Eyes just made life harder for bulletproof hosting providers appeared first on CyberScoop.

DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts

The Justice Department notched a few more wins in the fight against North Korean cryptocurrency heists and the regime’s expansive scheme to get remote IT workers hired at U.S. businesses. 

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. Law enforcement wins on both fronts are stacking up.

Oleksandr Didenko, a 28-year-old Ukrainian national, pleaded guilty to wire fraud conspiracy and aggravated identity theft in the U.S. District Court for the District of Columbia Monday for stealing the identities of U.S. citizens and selling them to overseas IT workers. His years-long scheme helped North Korean IT workers gain employment at 40 U.S. companies, officials said. 

Didenko ran a site, upworksell.com, to sell stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. Didenko managed up to 871 identities through the laptop farms and collaborated with other co-conspirators in the United States.

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. In late 2024, he was arrested by Polish police and later extradited to the United States. Didenko agreed to forfeit more than $1.4 million, and his sentencing is scheduled for Feb. 19, 2026.

Justice Department officials applauded other recent court case wins, demonstrating the arduous work required to find and punish those who facilitate the North Korean remote IT worker scheme.

Three U.S. nationals — Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34 — each pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Georgia Thursday for providing U.S. identities to remote North Korean IT workers. 

The trio hosted U.S. company-provided laptops at their homes and installed remote-access software so the North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, officials said.

The scheme supported by the three men facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts for their assistance were relatively low. Travis, an active-duty member of the U.S. Army at the time, received about $51,000, while Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively.

Last week, another U.S. national, 30-year-old Erick Ntekereze Prince, pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Florida for his yearslong involvement in the North Korean IT worker scheme. Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024.

Officials said Prince earned more than $89,000 from the scheme, which also involved hosting company-provided laptops at Florida residences and installing remote-access software. Prince was indicted and charged in January along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments.

The five people who pleaded guilty during the past week impacted more than 136 U.S. victim companies, officials said. Their crimes generated more than $2.2 million for North Korea’s regime and compromised the identities of at least 18 U.S. residents. 

“These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans,” John A. Eisenberg, assistant attorney general for national security, said in a statement. “The department will use every available tool to protect our nation from this regime’s depredations.”

Finally, the Justice Department said it seized more than $15 million in cryptocurrency from APT38, a nation-state hacking group with ties to North Korea. Officials said the seized funds were traced to four separate virtual currency heists in 2023.

The post DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts appeared first on CyberScoop.

Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit

The phishing kit Lighthouse, which has aided text scams like those soliciting victims to pay unpaid road tolls, appears to have been hampered shortly after Google filed a lawsuit aimed at its creators.

Google said on Thursday that Lighthouse had been shut down. Two other organizations that have tracked the suspected Chinese operators of Lighthouse said they saw signs it had at least been disrupted.

“This shut down of Lighthouse’s operations is a win for everyone,” said Halimah DeLaine Prado, general counsel at Google. “We will continue to hold malicious scammers accountable and protect consumers.”

Members of the syndicate, known to some by the name Smishing Triad, had been corresponding on Telegram channels.

“We can confirm that all Lighthouse Telegram channels previously tracked have been deleted or taken down due to Telegram TOS violations,” Kasey Best, the director of threat intelligence at Silent Push, told CyberScoop. “We are tracking many websites still active and using Lighthouse kit code, as well as phishing kits used by other Smishing Triad threat actors, but there could be backend changes with Lighthouse or other disruptions in this criminal ecosystem which are just starting to be seen.

“Either way, this is a positive sign for Google’s lawsuit, and we look forward to increased pressure against smishing threat actors based mostly in China,” Best continued.

Ford Merrill, lead researcher at SecAlliance, told CyberScoop that it “can confirm that several domains historically associated with Lighthouse infrastructure appear to no longer be resolving to DNS requests at present.”

Google filed its lawsuit in the U.S. District Court for the Southern District of New York. It alleges that 25 unnamed individuals behind Lighthouse have violated racketeering, trademark and anti-hacking laws with their prolific SMS phishing, or “smishing,” platform.

The post Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit appeared first on CyberScoop.

Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers

Google on Wednesday filed a lawsuit against pesky text message scammers — like those who flood targets with notices that they have unpaid road tolls, or have a package waiting — in an attempt to disrupt a “phishing for dummies” operation the company accuses of victimizing more than 1 million people.

The lawsuit against 25 unnamed individuals believed to reside in China takes aim at those behind the phishing-as-a-service kit known as Lighthouse and its “staggering” scale.

“Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information,” the lawsuit filed in the U.S. District Court for the Southern District of New York reads. “These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services.”

Google alleges that the defendants violated multiple laws in their SMS phishing, or “smishing,” operation: the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act that governs trademark law and the main federal anti-hacking statute, the Computer Fraud and Abuse Act. Some of the smishing messages make use of Google product logos, and target Google customers.

The civil suit seeks a temporary restraining order and damages against the unnamed individuals. Google is asking the court to compel hosting providers to block Lighthouse-connected IP addresses and fraudulent domains from using those services. The company also hopes that it can help raise user awareness by filing the suit.

Other organizations have tracked the scope of Lighthouse and its ilk. One firm found that in a 20-day period, 200,000 Lighthouse-created websites attracted more than 1 million victims in 121 countries.

Another firm said that between July 2023 and October 2024, Chinese smishing syndicates compromised between 12.7 million and 115 million payment cards in the United States alone. Over that same timeframe, Google’s suit states, Lighthouse users also launched 32,094 distinct U.S. Postal Service phishing sites.

“The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more,” Google explained in a blog post announcing the suit. “They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites.”

In addition to the lawsuit, Google on Wednesday endorsed three bills from House and Senate members to combat fraud. Those bills are the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would permit state and local law enforcement to use federal grants to investigate financial scams aimed at retirees; the Foreign Robocall Elimination Act, which would create a task force to fight foreign-originated robocalls; and the Scam Compound Accountability and Mobilization (SCAM) Act, which would direct an executive branch national strategy to counter scam compounds.

“Legal action can address a single operation; robust public policy can address the broader threat of scams,” Halimah DeLaine Prado, general counsel for Google, wrote in the blog post.

The post Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers appeared first on CyberScoop.

Agency that provides budget data to Congress hit with security incident

A federal agency that supplies budget and economic information to Congress has suffered a cybersecurity incident, reportedly at the hands of a suspected foreign party.

A spokesperson for the Congressional Budget Office (CBO) acknowledged the incident Thursday after The Washington Post reported that the office was hacked, with the attackers potentially accessing communications between lawmakers and researchers at the agency.

“The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward,” said the CBO spokesperson, Caitlin Emma. 

Congress established the office in 1974 to serve as a nonpartisan research organization for the legislative branch. Republicans took aim at the CBO this year when it assessed that a GOP tax and spending policy bill would add trillions to the national debt, prompting conservatives to criticize its conclusions.

It’s not unprecedented for unauthorized parties to obtain access to sensitive information from congressional offices. Hackers who broke into the Library of Congress last year were able to read email correspondence with offices on Capitol Hill. And a breach of a health insurance marketplace two years ago exposed the data of House staffers.

The CBO says it has 275 staffers. It requested a budget of $76 million for fiscal 2026, an 8% increase. Nearly half of the increase would “address increased costs to enhance the agency’s cybersecurity and IT infrastructure; such improvements are critical to protecting sensitive data and improving the agency’s computing power for analyzing complex data sets,” according to that request.

The Post reported that officials believe they caught the intrusion early.

“The incident is being investigated and work for the Congress continues,” Emma said. “Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats.”

Greg Otto contributed reporting to this story.

The post Agency that provides budget data to Congress hit with security incident appeared first on CyberScoop.

North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, the IT company and the financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank helps evade sanctions on transactions between China and North Korea. The five employees are China- or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. “The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.
