Don’t just fight fraud, hunt it

Our nation has entered a new fraud arms race fueled by AI.

With billions of dollars in fraud losses mounting in both the private and public sectors, it’s clear the old ways of deterring fraud aren’t working. That’s why we need a new playbook that starts with understanding how fraudsters operate, evolving our defenses, and shifting to a proactive posture that doesn’t just fight fraud but actively hunts it down. 

In the AI era, treating fraud as just a front-door problem won’t work. This moment requires industry, government, and consumers to work together, reduce silos, and share real-time intelligence. The goal is to move beyond reactive detection by understanding the lifecycle of a threat—from its formation to its spread—so we can intervene before it establishes a foothold.

For decades, fraud has been treated like a series of isolated incidents. This false assumption has underpinned nearly every past effort to crack down on it. Those efforts, while well-intentioned, have missed the mark. 

Now, in light of the Trump Administration’s Cyber Strategy for America and accompanying executive order, it’s critical to understand the modern fraud landscape and the central role that digital identity exploitation plays within it.

New research from Socure reveals just how dramatically the landscape is evolving. 

Fraud has become industrialized, with organized crime syndicates running operations that are global, systemic, automated, and powered by AI. No organization, service, or program is safe. Fraudsters target government programs, banks, fintech platforms, telecom companies, and more, blurring the lines between public sector fraud, financial crime, and cybercrime.

It used to be that fraud could be detected through the reuse of identity elements across multiple applications: the same email, device, phone number, or IP address used over and over. 

But the data is clear: these links are declining fast. Today’s sophisticated fraudsters are now engineering their attacks to avoid traditional fraud detection patterns. Our research demonstrates that emails will be completely unique within fraud populations as soon as 2027, so we won’t be able to rely on email to identify patterns.

Speed is another defining feature of modern identity fraud. Fraudsters use AI to create clean, durable, synthetic and stolen identities at scale. In one observed campaign, 24,148 synthetic identities were built and launched in under a month, with many attacks occurring within 48 hours. What once took weeks or even months can now be completed in days. 

The rapid rise of identity farms is another indicator of the industrialization of fraud. Identity farms are operated by crime rings to systematically create and age synthetic or stolen identities over time until they closely resemble legitimate ones. Matured identities are then used to open bank, credit, and money-movement accounts, siphon government benefits, launder funds, and more. These farms focus on durable identities that can bypass traditional verification controls.

So what should we do? Simply put, we must go on offense. 

This means treating identity as critical infrastructure and implementing strategies that track how identities were created before the moment of application; expanding signals monitoring to include elements like residential proxies, ISP behavior, and domain registration activity; evaluating velocity and orchestration in real-time; and treating continuous measurement, rapid model iteration, and cross-industry intelligence as core capabilities.

Additionally, given the rapid scaling of fraud, we need more analysis of the complete ecosystem, including dynamic factors like device information, digital footprints, and behavioral biometrics so organizations can effectively distinguish genuine humans from machines. Ultimately, this layered and interconnected approach makes it significantly harder for malicious actors to recreate or steal identities at scale.
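As an added example (not Socure's research code or data), the snippet below implements the two detection ideas described above over a constructed set of account-opening applications: linking applications that reuse an identity element (email, phone, device, IP) into clusters, and flagging velocity, i.e. one element appearing in more applications than expected inside a sliding window. It also reports the share of applications whose value for a given element is shared with another application, which is the kind of link rate the research above says is collapsing for email. The records, field names, the 48-hour window and the thresholds are all assumptions.

```python
"""Link analysis plus velocity checks over identity-verification applications.

Added illustration, not Socure's code: the records below are constructed and
the field names, thresholds and time window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. A1-A3 each use a unique email but share a device or IP
# and arrive within a day of each other; A4 and A5 reuse one email days apart.
APPLICATIONS = [
    {"id": "A1", "ts": "2026-03-01T10:00:00", "email": "k.lopez91@example.com",
     "phone": "+15550100", "device": "dev-7f3a", "ip": "203.0.113.10"},
    {"id": "A2", "ts": "2026-03-01T10:12:00", "email": "m.chen.88@example.net",
     "phone": "+15550101", "device": "dev-7f3a", "ip": "203.0.113.10"},
    {"id": "A3", "ts": "2026-03-02T09:40:00", "email": "t.okafor@example.org",
     "phone": "+15550102", "device": "dev-9c21", "ip": "203.0.113.10"},
    {"id": "A4", "ts": "2026-03-05T14:05:00", "email": "j.smith@example.com",
     "phone": "+15550103", "device": "dev-11aa", "ip": "198.51.100.7"},
    {"id": "A5", "ts": "2026-03-09T08:30:00", "email": "j.smith@example.com",
     "phone": "+15550104", "device": "dev-11ab", "ip": "198.51.100.9"},
]

LINK_FIELDS = ("email", "phone", "device", "ip")  # assumed identity elements


class UnionFind:
    """Minimal disjoint-set structure for grouping linked applications."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_clusters(apps, fields=LINK_FIELDS):
    """Group applications that share any identity element in `fields`.

    Returns a list of sorted id lists, largest cluster first."""
    uf = UnionFind()
    first_seen = {}  # (field, value) -> first application id with that value
    for app in apps:
        uf.find(app["id"])
        for field in fields:
            key = (field, app[field])
            if key in first_seen:
                uf.union(first_seen[key], app["id"])
            else:
                first_seen[key] = app["id"]
    groups = defaultdict(list)
    for app in apps:
        groups[uf.find(app["id"])].append(app["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def link_rate(apps, field):
    """Fraction of applications whose `field` value appears in at least one
    other application. Falls toward 0 as fraudsters stop reusing the element."""
    counts = defaultdict(int)
    for app in apps:
        counts[app[field]] += 1
    shared = sum(1 for app in apps if counts[app[field]] > 1)
    return shared / len(apps) if apps else 0.0


def velocity_alerts(apps, field, window=timedelta(hours=48), threshold=2):
    """Flag `field` values seen in more than `threshold` applications inside
    any sliding `window`. Returns {value: peak count within one window}."""
    by_value = defaultdict(list)
    for app in apps:
        by_value[app[field]].append(datetime.fromisoformat(app["ts"]))
    alerts = {}
    for value, times in by_value.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[value] = peak
    return alerts


if __name__ == "__main__":
    print("clusters:", link_clusters(APPLICATIONS))
    for f in LINK_FIELDS:
        print(f"link rate {f}: {link_rate(APPLICATIONS, f):.2f}")
    print("ip velocity alerts:", velocity_alerts(APPLICATIONS, "ip"))
```

On the constructed data the three unique-email applications still fall into one cluster through the shared device and IP, and the IP trips the 48-hour velocity check, while the reused email in A4/A5 links those two but is too slow to trigger velocity. That is the practical point: as the email link rate drops, detection has to lean on the remaining elements and on timing rather than on any single identifier.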

Fraud is no longer a series of isolated acts. It is a coordinated, global enterprise built on the exploitation of identity. Until our efforts reflect this new reality, we will continue to fight an imminent and ongoing threat with outdated tools and fall further behind. 

Now is the time to make this strategic shift and finally put fraudsters on their heels. 

Mike Cook serves as head of fraud insights at Socure, the identity and risk platform for the AI age.

The post Don’t just fight fraud, hunt it appeared first on CyberScoop.

State officials, election experts question California sheriff’s seizure of ballots

A California county sheriff and Republican contender for the state’s gubernatorial race has seized 650,000 physical ballots from Riverside County, saying they were part of an investigation into election fraud tied to redistricting wars.

State officials and election security experts say that the underlying allegations are spurious and local law enforcement do not have the authority to unilaterally investigate or validate election results.

Riverside County Sheriff Chad Bianco said at a news conference Friday that he intended to conduct a hand count of the ballots, which were tied to elections last November, and “compare that result to the total votes recorded.”

In a March 6 letter, California Attorney General Rob Bonta directed Bianco to pause the investigation until the state could review “the factual and legal basis” for the probe and seizure.

Based on an initial review of the warrants and affidavits in the case, Bonta wrote that his “office has serious concerns as to whether probable cause existed to support the issuance of the warrants, and whether your office presented the magistrate with all available evidence as required by law.” 

While Bonta’s letter does not describe the underlying content of the search warrants, it points to a public presentation made by a resident at a Feb. 10 Riverside County Registrar of Voters meeting that “addresses the alleged vote discrepancy that appears to be the basis of your investigation.”

In that meeting, an individual identifying himself as “Errol” — wearing a “Trump 2028” hat — alleged the council had participated in local, state and federal election fraud.

At several points, the individual said he relied on Google for information on individuals and companies he was accusing of receiving improper payments. At another point, he claimed the Riverside County auditor would not disclose the purpose behind thousands of pages of county payments, before saying “you’re not getting the files, I got them put away.”

“We have a lot of problems, you guys. You’ve committed serious fraud here, forever,” the individual alleged, adding that he hoped the members of the council were imprisoned.

Bonta accused Bianco of “flagrantly violating my directives” under the California State Constitution, and threatened court action should he proceed with the investigation and hand recount.

The act by Bianco — who is running third in the state’s open primary for governor this month, per an Emerson College poll — is the second such seizure of ballots to take place this election cycle, following the FBI’s raid of Fulton County, Georgia’s election office.

Gowri Ramachandran, director of elections and security at the Brennan Center for Justice, told CyberScoop that the election allegedly being investigated wasn’t a close race. Further, as in virtually every other election, candidates or parties had opportunities to contest irregularities or results, including automatic recounts or recounts paid for by candidates or campaigns, along with state courts that regularly adjudicate questions of election outcomes.

“It’s important for people to know none of those processes involve someone coming in and haphazardly coming in and grabbing the ballots,” she said, adding: “I worry if it happens closer to an actual election what it could do to interfere with it.”

Ramachandran said that by seizing physical ballots, which she called “the gold standard” we use for determining ground-level truth about voter intent, Bianco was disrupting the chain of custody that is one of the key processes designed to give voters trust in their elections.

“It should just be a really high bar, not just, ‘I’m suspicious, I want to do a fishing expedition,’” she said. “That’s not enough to have someone who doesn’t have any experience in counting ballots or keeping them safe [to] just come in and grab all that stuff.”

Bonta’s suggestion that Bianco did not materially inform the courts echoes what Fulton County officials alleged in their own lawsuit, which accused the FBI of presenting the judge with a “flagrantly misleading narrative” that omitted key evidence, undermining the government’s basis for investigating the 2020 ballots. 

The post State officials, election experts question California sheriff’s seizure of ballots appeared first on CyberScoop.

Washington is right: Cybercrime is organized crime. Now we need to shut down the business model

The recently released executive order targeting cybercrime, fraud, and predatory schemes uses language the federal government has often avoided. Now, for the first time, the Trump administration is echoing what the cybersecurity industry has been shouting for years: cyber-enabled fraud is a product of transnational organized crime.

That distinction matters because organized crime requires an organized response.

Cybercrime is now the world’s fastest-growing criminal economy, built on stealing from everyday people. It is no longer a loose collection of hoodie-wearing hackers in basements or misfits trading malware in online forums. It is a mature global industry operating at scale. In the entirety of human history, there has not been a transfer of wealth of this magnitude since the era of pillaging empires. We have just gotten so used to it that it feels like background noise.

Modern cybercrime groups look less like street gangs and more like corporations. They run structured operations, complete with HR departments, training pipelines, performance metrics, and technology stacks that rival most enterprise companies. Their attackers don’t rely on sophisticated exploits — they think like expert investigators, systematically probing for weaknesses, exploiting psychological pressure, manipulating insiders, and using deception to move through gaps that defenders left open. They operate around the clock, in every time zone, and increasingly use AI to automate attacks at a scale that once required highly skilled operators.

Worse yet is that many of these operations rely on forced labor. Scam compounds in Southeast Asia run like factory floors, with rows of trafficked workers carrying out romance scams, cryptocurrency fraud, and impersonation schemes under threat of violence.

Their goal is to make fraud faster and more profitable. The result is a global criminal ecosystem that extends far beyond online scams. It fuels human trafficking, weapons smuggling, political corruption, compromised organ systems, and even nuclear programs.

If the federal government is ready to recognize what the industry has known — that cybercrime truly operates like an organized global industry — then responding to it solely through traditional law enforcement is not enough. The question goes beyond how governments apply sanctions, coordinate investigations, or pressure jurisdictions that harbor these operations. The greater question is whether the private sector is willing to help dismantle the infrastructure that allows this industry to thrive.

One word changes everything

I want to be specific about why this executive order is different, because the language is not accidental.

The order doesn’t just call these groups “hackers” or “organized crime.” It calls them transnational criminal organizations (TCOs). That word carries legal and operational weight that most coverage has glossed over. Transnational is the jurisdictional framing that authorizes an entirely different class of response. It is the same threshold that moves a case from local law enforcement to federal jurisdiction and beyond.

Pair that with what follows – “law enforcement, diplomacy, and potential offensive actions” – and you are reading something that goes well beyond a policy memo. Notice the sequence: diplomacy before offensive action is proportionality doctrine. But the administration did not rule out offensive action. The document also calls for deploying the “full suite of U.S. government defensive and offensive cyber operations” and uses the word “shape” as its first pillar of action. In military doctrine, shaping an adversary’s behavior does not mean gentle persuasion. It means force is part of the calculus.

This is not the language of a consumer protection policy. Whoever wrote this has studied the opposition.

An organized threat demands an organized response

The executive order draws a line in the sand: cybercrime has outgrown its origins as a consumer protection issue. It’s now a fundamental threat to economic stability and national security. But tackling an industry operating at this scale requires more than government action alone. The order’s answer is to mobilize the private sector – giving companies the green light to identify and disrupt adversary networks.

That framing matters.

The private sector sees the machinery of cybercrime every day. Security vendors, major platforms, and infrastructure providers spot the command-and-control servers, malicious domains, and payment pipelines that keep these operations moving. Too often, that intelligence is used only to defend commercial interests, when in reality, it should also be used to disrupt the networks behind the attacks. When criminal groups lose core infrastructure, they have to rebuild. That costs time. That costs money. That creates pressure.

At the same time, the order puts a question squarely before the private sector: How far is it willing to go, and under what terms? I spent my career believing “minimal force” matters. Precise, proportionate action prevents escalation and avoids creating cascading problems. As we move beyond a defense-only approach, those principles matter more than ever.

There is another question that sits underneath all of this: How far does “potential offensive actions” actually go? Does it stop at cyberspace? Financial sanctions? Asked bluntly, “Will leaders and shareholders know whether providing threat intelligence ends with a measured network take-down or an all-out drone strike on the fraudulent call center?”

Organizations need to fix the security weaknesses criminals are exploiting for profit. Most attacks in 2026 do not succeed because criminals are brilliant. They succeed because the basics are missing: no multifactor authentication, weak identity controls, unpatched vulnerabilities left open for months. Criminals don’t care about your industry or company size. They go where it’s easiest.

When organizations ignore basic security controls, they are doing more than accepting risk. They’re subsidizing the criminal infrastructure that exploits those gaps.

Governments must keep pressure on nations that harbor these operations. Large-scale cybercrime thrives where enforcement is weak or non-existent. The order specifically calls out “nations that tolerate predatory activity”—a signal that safe havens won’t be ignored. Stronger coordination across governments, law enforcement, and private industry can make it much harder for criminals to operate at scale.

The order also targets “foreign TCOs and associated networks,” with “associated networks” being a deliberately broad phrase. Defining who qualifies will be critical. Draw the lines too narrowly and the policy won’t work. Too broadly and you risk dangerous escalation.

Simply put, cybercriminal groups are disciplined because discipline pays. Disrupting them will require the same. It will demand pressure on countries that act as safe havens. It will take dismantling the infrastructure behind these schemes. It will require better basic security across every organization that criminals target.

The executive order is right – Cybercrime is organized. It is industrial. It is ruthless. For the first time in a long time, the response looks like it might be, too. Whether the government, private sector, and public can align around what this actually demands, and what it risks, are still unanswered questions.

After years of watching policy documents gather dust while victim numbers grow, I will take action over perfection every time.

Kyle Hanslovan is a former NSA cyberwarfare operator and CEO of Huntress Labs.

The post Washington is right: Cybercrime is organized crime. Now we need to shut down the business model appeared first on CyberScoop.

Moving away from insecure mail

ON SECURITY By Susan Bradley

Tax season provides an opportunity for businesses to do better. Before I get started, note that I’m writing this as an accounting professional in the United States. By their very nature, my observations will be US-centric. But the truth is that the underlying concept is the security of sensitive information, […]

Lawmakers, election officials blast Trump administration after Fulton County raid 

Following a federal raid on Fulton County, Georgia’s Elections Office, lawmakers and state election officials sharply criticized the Trump administration, accusing the White House of chasing baseless internet conspiracy theories about fraud in the 2020 election. Officials also warned the raid could set a precedent for similar federal actions targeting the 2026 midterm elections.

According to Fulton County, federal officials seized 700 boxes of records related to the 2020 election, including physical ballots. The search warrant detailing the full list of records and evidence sought by the federal government remains sealed; however, details of the warrant were published by ProPublica Wednesday evening.

In a press conference Thursday, Fulton County Board of Registration and Elections Chair Sherri Allen said the county was already planning to hand over the information at a court hearing scheduled for early February. Meanwhile, Fulton County Commission Chair Robb Pitts expressed concerns about ballot security now that the ballots are no longer in county custody.

At the National Association of Secretaries of State winter conference, Sen. Alex Padilla, D-Calif., said the federal raid should be a reminder “this can happen any point between now and this coming November.”

He also took a shot at the Trump administration’s state voter data collection efforts and the White House’s plan to conduct voter list maintenance “at the federal level.”

“Republican and Democratic secretaries: How does that make you feel about what they think about your integrity and professionalism?” Padilla said. “Those are your offices, your staff and teams.”

Jared Borg, a White House aide at the Office of Intergovernmental Affairs, gave a speech Thursday detailing how the Trump administration is repurposing the federal SAVE database as a voter citizenship verification tool. The database was historically used to track immigrant benefits, and Borg said the DOGE-led overhaul of SAVE in 2025 came in response to requests from states for better functionality to cross-check voters. Previously, SAVE charged states $1 for each name lookup and did not allow bulk searches. Now, Borg said, state officials can run “millions of queries at no cost.”

Afterwards, Borg faced numerous questions and criticisms from state secretaries and officials who challenged the federal government’s role in setting election rules.

Some Republican state officials, like Utah Lt. Governor Deidre Henderson, pushed back hard against the Trump administration’s approach with election officials, pointing to comments from Assistant Attorney General Harmeet Dhillon and others.

“Things that have been said publicly, frankly, are quite appalling,” said Henderson, who oversees elections in her state. “She pretty much slandered all of us, and to me that’s problematic, to publicly claim that Secretaries of State are not doing our jobs and the federal government has to do it for us. That is not okay.”

Arizona Secretary of State Adrian Fontes told CyberScoop that he believes the federal government’s efforts are to serve “the grievance of one person, because he’s a sore loser, and it’s embarrassing.”

“This is outrageous that we’re still relitigating what happened six or seven years ago from a guy who is currently president of the United States,” Fontes said in an interview.

While he’s confident in the integrity of Arizona’s elections should a similar federal raid occur, Fontes noted the “enormous amount of power” prosecutors have. 

“They can do enormous damage to the integrity of systems, to the trust that people have in systems, to personal lives, and they can do it through this purportedly legal framework,” he said.

Borg said Director of National Intelligence Tulsi Gabbard, along with Homeland Security Secretary Kristi Noem, would provide further details on the administration’s plans during appearances at the conference on Friday.

Gabbard’s presence at the Fulton County raid has puzzled and alarmed veterans of ODNI’s election team and Democratic lawmakers. Among the concerned lawmakers is Sen. Mark Warner, D-Va., who sits on the Senate Select Committee on Intelligence, which oversees ODNI. 

“Why is Tulsi Gabbard at an FBI raid on an election office in Fulton County?” asked Warner, who has long focused on election security issues, from boosting federal funding for states to replace outdated equipment to coordinating with ODNI’s election threats team.

By law, ODNI and its election team are supposed to focus on foreign threats from abroad, such as disinformation campaigns and hack-and-leak operations carried out by hostile governments. Under the Biden administration, the office had a defined process for investigating, vetting and communicating intelligence about ongoing foreign threats to victims. The office also periodically updated Congress and the public about campaigns, including where they originated, what resources were being deployed and who was being targeted.

In these briefings, officials deliberately used neutral language and avoided partisan messaging to prevent the process from appearing politicized.

One possible rationale for Gabbard’s presence: right-wing media has circulated conspiracy theories that claim foreign countries like Venezuela, China or Italy conspired with the CIA and other federal agencies to remotely hack into U.S. voting machines. After U.S. forces raided Venezuela and removed President Nicolas Maduro from power, Trump retweeted a post about one such theory called “Hammer and Scorecard.”  Weeks earlier, Trump had suggested he intended to pursue prosecutions for election fraud.

Attorney General Pam Bondi has also directly connected ongoing immigration enforcement efforts in Minnesota to the administration’s push to collect sensitive voter data from states, either voluntarily or through lawsuits. The administration and some states have used this data to aggressively challenge the eligibility of legally registered voters. These challenges often target voters over minor paperwork errors that are decades old. Experts overwhelmingly say such errors have no meaningful impact on voters’ active registration status.

The administration has sued dozens of states, but has lost repeatedly in court. Multiple federal courts have ruled that the DOJ’s demands are legally baseless and an unconstitutional overreach by the executive branch.

On Thursday, 26 Senate Democrats demanded briefings from Bondi and other administration officials to answer questions about the data gathering efforts. The senators noted that courts have already thrown out the administration’s lawsuits in Oregon and California. Meanwhile, 11 states, including Texas, have provided the administration with voter data, which has “dramatically increased” the amount of voter information flowing to the federal government.

“While most states are resisting this illegal voter roll grab, we are gravely concerned by the amount of sensitive data the Department has already amassed on millions of American voters,” the senators wrote. “The Department has failed to provide Congress, or the public, any information on how it is maintaining this vast amount of data, the guardrails in place to protect state voter information, how the data is to be used, or who in the federal government has access to this sensitive data.”

The post Lawmakers, election officials blast Trump administration after Fulton County raid  appeared first on CyberScoop.

At FTC’s Request, Court Halts Operations of Deceptive Health Care Telemarketers

The following press release was published January 23, 2026: At the Federal Trade Commission’s request, a U.S. district court in Florida has temporarily stopped the operations of a web of companies and individuals that the FTC alleges caused tens of millions of dollars in harm through the deceptive marketing of health care plans. According to...

Why governments need to treat fraud like cyberwarfare, not customer service

For too long, fraud – an illicit economy rivaling the GDP of G20 nations – has been seen as a cost of doing business, a nuisance to be absorbed by banks and consumers. That perception is a dangerous relic.

Modern fraud blends geopolitics with advanced technical tactics, carried out through criminal proxies to target businesses and the public. Yet the global response has remained piecemeal, reactive, and catastrophically inadequate. Fraud is a global security threat, which is why we are launching an international public-private task force in partnership with the US and UK governments and 40 founding members to address it with the urgency it demands.

Industrialization has morphed fraud from petty crime into a strategic tool used by pariahs and gangsters. It subsidizes transnational organized crime and rogue states, undermining the integrity of the global financial system. Cartels run timeshare fraud schemes whilst hostile states increasingly rely on scams and insider fraud networks to supplement their core business models and evade sanctions. Trafficked laborers in Southeast Asia are forced to fuel romance and investment scams. Multinational technology and financial rails are exploited to scale these crimes at breathtaking speed.

Industrialized fraud integrates aspects of asymmetric and economic warfare, inflicting large-scale financial and societal harm while evading conventional defenses. Fraudsters leverage global, industrial-grade tools – bot farms, malware, cryptocurrencies – alongside old-fashioned social engineering, while nations and consumers must guard every vulnerability. Rather than disrupting trade, they drain wealth directly from households. Instead of bombing infrastructure, they erode trust in banks and digital commerce.

North Korea weaponizes cyber-enabled fraud networks to circumvent sanctions and generate revenue, causing significant economic harm while reducing the chance of being identified. Global syndicates operate romance and investment scams from enclaves in Myanmar and Cambodia, partnering with militias and corrupt elites in order to funnel proceeds from victims who are invested emotionally and financially. By combining criminal enterprise with geopolitical objectives, this strategy blurs the line between state-sponsored and non-state aggression.

The numbers demand a wakeup call. Nasdaq’s Global Financial Crime Report found $3.1 trillion in illicit funds moved through the global system in 2023, with fraud estimates ranging from $500 billion to over $1 trillion. The costs extend well beyond stolen funds. The same infrastructure that runs romance scams is used for sextortion, drug distribution, human trafficking, and weapons proliferation. “Guarantee markets” like Huione process billions in illicit transactions. Generative AI supercharges fraud: deepfakes, synthetic identities, and automated phishing dramatically cut costs and make attacks far easier to scale.

Technology has expanded the attack surface, giving adversaries unprecedented asymmetric advantages. Fraudsters exploit platforms, messaging apps, and social media to target Americans and Europeans, while financial institutions spend billions on new technology to guard their assets and protect account holders.

Some fintechs provide payment rails that streamline cross-border transfers and bypass regulatory controls. Platforms like Telegram host bazaars for malware, deepfake services, scam websites, and bulk-purchased SIM cards. Hosting and proxy services provide conduits and obfuscation for digital exploits. A multi-tiered infrastructure of deceit, spanning scam centers, malware, bulletproof hosting, global payment systems, money mules, and shell entities, provides the scale, sophistication, and layering that make industrialized fraud possible.

Fraud networks exploit the gap between a borderless digital world and laws bound to national borders. Malicious actors attack with global reach while hiding behind the sovereignty of permissive regimes. They exploit seams between cybersecurity, telecommunications, technology platforms, and the financial sector. Even within banks, silos between cybersecurity, fraud, and anti-money laundering departments create blind spots.

Criminals see this fragmentation as opportunity. Jurisdictional arbitrage, siloed defenses, and slow cross-border processes allow them to operate with impunity. When victims can’t get meaningful recourse, confidence in the financial system erodes. When businesses absorb mounting losses, investment falters. When governments appear powerless, democratic legitimacy suffers.

Understanding fraud as asymmetric warfare reframes it not as isolated financial crime, but as a coordinated assault on trust and economic stability. This should drive strategy beyond piecemeal fixes toward integrated, intelligence-driven countermeasures. If fraud operates as a network, defenses must be equally networked. The cybersecurity model provides a blueprint: real-time intelligence sharing, coordinated incident response, and public-private partnerships. Fraud demands the same investment and urgency, which we are driving under the new ACAMS International Anti-Fraud and Technology Task Force.

Financial institutions and technology platforms must harden payment and identity systems with scalable verification, analytics, and resilience. Governments must build real-time international data-sharing and interdiction capabilities across borders and sectors – banks, social media, telecoms, and payment firms coordinating their response.

Global law enforcement, regulators, diplomats, and multilateral bodies like the UN and Financial Action Task Force should elevate fraud to a strategic priority. To address industrialized fraud’s global nature, we need clear frameworks and measurable commitments for every jurisdiction along the scam supply chain.

The International Anti-Fraud and Technology Task Force represents a critical next phase to accelerate this work, coordinating across international regulators and law enforcement, financial institutions, and technology platforms to make tangible progress across policy, information sharing, capacity building, technology advancements, and public awareness. Without systemic defenses moving faster than fraudsters, we will remain one step behind – exposed, vulnerable, and on the losing side of this shadow war. That changes now.

Carole House serves as a Distinguished Senior Fellow at the Association for Certified Anti-Money Laundering Specialists (ACAMS) and a Senior Fellow at the Atlantic Council GeoEconomics Center. Carole recently departed the White House National Security Council (NSC) as Special Advisor for Cybersecurity and Critical Infrastructure. She previously served as the NSC Director for Cybersecurity and Secure Digital Innovation.

Joby Carpenter is global SME, cryptoassets and illicit finance at ACAMS. He is a global subject matter expert on cryptoassets, illicit finance and emerging threats. Joby has 18 years of experience and expertise in strategic policy making, critical thinking, threat and risk analysis across the U.K. Government, intelligence and regulatory community.

The post Why governments need to treat fraud like cyberwarfare, not customer service appeared first on CyberScoop.

Opexus claims background checks missed red flags on twins accused of insider breach

Opexus admits it missed key red flags when it hired twins Muneeb and Sohaib Akhter, as it failed to learn about crimes the brothers pleaded guilty to in 2015, including wire fraud and conspiring to hack into the State Department — offenses committed while they were contractors for federal agencies. The federal government contractor nonetheless maintains it conducted seven-year background checks before hiring the brothers in 2023 and 2024.

Opexus fired them in February, minutes before they allegedly stole and destroyed government data in retaliation. The background checks were “consistent with prevailing government and industry standards with additional requirements for more sensitive work. That said, we fully acknowledge that additional diligence should have been applied,” a spokesperson for Opexus told CyberScoop. 

Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Dec. 3 for allegedly committing a series of insider attack crimes during a weeklong window in February that ultimately compromised data from multiple federal agencies, including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission. 

Opexus said it decided to terminate the twins’ employment upon learning of their prior criminal history, but it did not explain how it became aware of their previous crimes nor what prompted a deeper look into their past. The brothers’ previous crimes were widely reported at the time, including details that are readily available via search engine queries on their respective names.

The Washington-based company, which provides services and hosts data for more than 45 federal agencies, admits it made multiple mistakes in the hiring and termination of Muneeb and Sohaib Akhter.

“As with the onboarding, the terminations were not handled in an appropriate manner,” the company spokesperson said. 

“While these individuals passed background checks at the time, this incident made clear that our screening protocols needed to be even more robust,” the spokesperson added. “We have since enhanced our vetting processes and implemented additional safeguards designed to strengthen the protection of the systems and information we manage.”

Muneeb Akhter allegedly accessed Opexus’ computer network five minutes after he was fired. Within an hour, he allegedly deleted approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

That evening, Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to the EEOC and stole copies of IRS records including personally identifiable information on at least 450 people.

Opexus said it later addressed errors it made, which failed to ensure the twins could no longer access company computers and systems under its care immediately upon their termination. The spokesperson said the company took “appropriate corrective actions and reinforced training across the human resources function to ensure strict adherence to our standard operating procedures going forward.”

The company said it took other measures in response to these insider attacks that are designed to prevent similar outcomes.

“The individuals responsible for hiring the twins are no longer employed by Opexus, and we have since strengthened our screening protocols across the organization,” the spokesperson said. “These enhancements include expanding our standard background check to 10 years, along with additional safeguards that are now embedded into our standard hiring process.”

Opexus also said it supported customers impacted by the internal breach by helping them restore data and providing resources and subject matter expertise for their internal reviews. “The security of our customers’ information is our No. 1 priority, and we remain committed to continuous improvement in our hiring, compliance and internal controls,” the spokesperson said. 

The company said it’s grateful for law enforcement’s actions on this matter, adding that it appreciates that Muneeb and Sohaib Akhter are being held accountable for their alleged crimes. 

Sohaib Akhter faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

Muneeb Akhter is charged with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges.

The post Opexus claims background checks missed red flags on twins accused of insider breach appeared first on CyberScoop.

SMS Phishers Pivot to Points, Taxes, Fake Retailers

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

An instant message spoofing T-Mobile says the recipient is eligible to claim thousands of rewards points.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points.

A phishing website registered this week that spoofs T-Mobile.

If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:

An SMS phishing or “smishing” website targeting AT&T users.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States.

“These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said.

A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.

A text message that spoofs the District of Columbia’s Office of Tax and Revenue.

CAVEAT EMPTOR

Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world.

Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products.

A machine-translated screenshot of an ad from a China-based phishing group promoting their fake e-commerce shop templates.

With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by your financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet.

According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.”

Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received.

“If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.”

The SMS phishing reporting site smishreport.com.

Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies.

“Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.”

SHOP ONLINE LIKE A SECURITY PRO

As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms).

If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.
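The WHOIS "created" date check described above, as an added example that is not part of the original article: it pulls the registration date out of raw WHOIS text, computes the domain's age, and flags a store whose domain is younger than a threshold. The WHOIS records, domain names, and the 90-day threshold are constructed assumptions; in practice the text would come from `whois <domain>`.

```python
"""Domain-age triage for an unfamiliar online store (added example)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Field names that registries and registrars commonly use for the registration date.
_CREATED_KEYS = {
    k.lower()
    for k in (
        "Creation Date", "Created Date", "created", "Registered On",
        "Registration Time", "Domain Registration Date",
    )
}

# Date layouts seen in WHOIS output, tried in order.
_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",
    "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d",
    "%d-%b-%Y",
    "%Y.%m.%d",
)

# Constructed "today" so the demo is deterministic.
REFERENCE_NOW = datetime(2025, 12, 5, 12, 0, 0, tzinfo=timezone.utc)

# Constructed WHOIS excerpts (not real domains): one registered days ago, one old,
# one with no creation date at all.
NEW_STORE_URL = "https://Deals-Gadget-Store.example/checkout?item=42"
NEW_STORE_WHOIS = """Domain Name: DEALS-GADGET-STORE.EXAMPLE
Updated Date: 2025-12-01T03:11:09Z
Creation Date: 2025-11-30T08:14:22Z
Registrar Registration Expiration Date: 2026-11-30T08:14:22Z
"""
OLD_STORE_WHOIS = """domain:   long-running-shop.example
created:  17-Apr-2009
changed:  2024-02-02
"""
NO_DATE_WHOIS = "Domain Name: privacy-shield.example\nStatus: ok\n"


def domain_from_url(url: str) -> str:
    """Lower-cased host of a URL; a bare domain (no scheme) is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def parse_whois_date(value: str):
    """Parse one WHOIS date string into an aware UTC datetime, or None if unrecognised."""
    value = value.strip()
    for fmt in _DATE_FORMATS:
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def creation_date(whois_text: str):
    """Earliest parsable registration date in the WHOIS text, or None."""
    found = []
    for line in whois_text.splitlines():
        key, sep, rest = line.partition(":")  # split on the first colon only;
        if not sep:                           # timestamps contain colons too
            continue
        if key.strip().lower() in _CREATED_KEYS:
            dt = parse_whois_date(rest)
            if dt:
                found.append(dt)
    return min(found) if found else None


def domain_age_days(whois_text: str, now=None):
    """Whole days since registration, or None when no creation date was found."""
    created = creation_date(whois_text)
    if created is None:
        return None
    return ((now or datetime.now(timezone.utc)) - created).days


def assess_store(url: str, whois_text: str, now=None, young_days: int = 90) -> dict:
    """Triage verdict: 'new' and 'unknown' domains deserve extra scrutiny before paying."""
    age = domain_age_days(whois_text, now)
    if age is None:
        verdict = "unknown"          # no creation date: treat as unverified
    elif age < young_days:
        verdict = "new"              # registered recently: likely phantom store
    else:
        verdict = "established"
    return {"domain": domain_from_url(url), "age_days": age, "verdict": verdict}


if __name__ == "__main__":
    for url, whois in ((NEW_STORE_URL, NEW_STORE_WHOIS),
                       ("long-running-shop.example", OLD_STORE_WHOIS),
                       ("privacy-shield.example", NO_DATE_WHOIS)):
        print(assess_store(url, whois, now=REFERENCE_NOW))
```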

If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

But it’s not just outright scammers who can trip up your holiday shopping: Often times, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.

So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

Twins with hacking history charged in insider data breach affecting multiple federal agencies

Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.

Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.

Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.

The brothers are no strangers to law enforcement, the hacking community and government contract work. They previously pleaded guilty in 2015 to wire fraud and conspiring to hack into the State Department and other crimes while they were employed as contractors for federal agencies. Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison at that time.

An investigation aided by more than 20 federal agencies and specialized units alleges the brothers were back at it a decade later, committing cybercrime with privileged access and technical expertise gained from their employment at a government contractor.

“These defendants abused their positions as federal contractors to attack government databases and steal sensitive government information,” Matthew R. Galeotti, acting assistant attorney general with the Justice Department’s Criminal Division, said in a statement. “Their actions jeopardized the security of government systems and disrupted agencies’ ability to serve the American people.”

Muneeb Akhter is accused of deleting approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to EEOC and stole copies of IRS records including personally identifiable information on at least 450 people. 

Authorities also accused Muneeb Akhter of using an artificial intelligence tool for assistance throughout his alleged conspiracy, querying the tool for advice on how to clear system logs from SQL servers after deleting databases and how to clear all event and application logs from Microsoft Windows Server 2012. 

Prosecutors in the U.S. District Court for the Eastern District of Virginia charged Muneeb Akhter with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges. 

Sohaib Akhter is accused of trafficking in a password that could access an Opexus computer used by EEOC. He faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

The brothers allegedly cleaned their residence in anticipation of a law enforcement raid and wiped their employer-owned computers by reinstalling the operating system.

“Federal contractors who abuse their positions will be held accountable for their actions,” Joseph V. Cuffari, inspector general at the Department of Homeland Security, said in a statement. “The actions of individuals like Muneeb and Sohaib Akhter are threats to our national security.”

You can read the full indictment below.

The post Twins with hacking history charged in insider data breach affecting multiple federal agencies appeared first on CyberScoop.

New legislation targets scammers that use AI to deceive

A new bipartisan bill introduced in the House would increase the criminal penalties for committing fraud and impersonation with the assistance of AI tools.

The AI Fraud Deterrence Act, introduced by Reps. Ted Lieu, D-Calif., and Neal Dunn, R-Md., would raise the overall ceiling for criminal fines and prison time for fraudsters who use AI tools to create convincing fake audio, video or texts to carry out their schemes.

For instance, the total potential fines incurred for mail fraud, wire fraud, bank fraud and money laundering would all be increased to between $1-2 million, with new language specifying that using AI-assisted tools carries a maximum prison sentence of 20-30 years.

Meanwhile, scammers who use AI to impersonate government officials can be fined up to $1 million and spend 3 years in prison.

“Both everyday Americans and government officials have been victims of fraud and scams using AI, and that can be ruinous for people who fall prey to financial scams, and can be disastrous for our national security if government officials are impersonated by bad actors,” Lieu said in a statement.

The bill comes after a rash of high-profile incidents over the past year where unidentified parties have been able to communicate with or impersonate top U.S. officials in the government, seemingly with the assistance of AI voice and video tools.

In May, The Wall Street Journal reported that federal authorities were investigating fraudulent calls and texts sent to senators, governors, business leaders and other VIPs from someone impersonating White House Chief of Staff Susie Wiles’ voice and number. Wiles reportedly said her phone had been hacked, which President Donald Trump later confirmed publicly, telling the press “they breached the phone; they tried to impersonate her.” Some of the recipients said the voice sounded AI-generated.

Less than two months later, the State Department warned diplomats that someone was impersonating Secretary of State Marco Rubio in voice mails, texts and Signal messages. The messages were sent to at least three foreign ministers, a U.S. senator and a governor in what appeared to be a scam. Rubio was also targeted in a deepfake earlier this year, making it appear he was on CNN vowing to persuade Elon Musk to cut off Starlink access to Ukraine.

Other high-profile figures like singer Taylor Swift have seen their likeness and image used in scams, pornography or political attacks, while former President Joe Biden had his voice cloned by AI in a scheme hatched by a Democratic consultant working for rival Dean Phillips ahead of the 2024 New Hampshire presidential primary.

The post New legislation targets scammers that use AI to deceive appeared first on CyberScoop.

SIM-Swapper, Scattered Spider Hacker Gets 10 Years

A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.

Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.

In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.

The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.

That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.

For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.

Noah “King Bob” Urban, posting to Twitter/X around the time of his sentencing today.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.

The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.

“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.

“What it ultimately turned into was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”

Lawrence’s List 090216

Lawrence Hoffmann // Election fraud is something I’ve mentioned here recently. The reality we must face here is that any time a digital system is used for voting there is […]

The post Lawrence’s List 090216 appeared first on Black Hills Information Security, Inc..

Potential Surge in Cryptocurrency Leaks

Increase in Cryptocurrency Leaks After Trump Supports Bitcoin

Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.

Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.

These comments could have caused crypto-related sites to increase in value, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive for attacks on these platforms grows, highlighting the need for robust security measures.

Crypto Leaks Overview

In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.

Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web.

Zuelacoin Data Leak:

zyelacoin cryptocurrency leak

This information was published on March 31, 2024. According to the threat actor the data includes:

  • Emails
  • Names
  • Social media profiles (Twitter, Facebook, Telegram)

Binance Cryptocurrency Leak:

Binance Cryptocurrency Leak

The post was made on May 27, 2024. The exposed information includes:

  • Emails
  • Full names
  • Phones
  • Countries

Mobile Apps like CashCoin, Coinbase, and KuCoin:

Mobile Apps like CashCoin, Coinbase, and KuCoin

The threat actor “whix” published this on March 26, 2024. The exposed information includes:

  • Emails
  • Usernames
  • Passwords
  • Countries
  • IP Addresses
  • Payment methods

eToro Cryptocurrency Leak:

eToro Cryptocurrency Leak

The same threat actor also reported this on March 25, 2024, where the following information could be found:

  • Full names
  • Emails
  • Countries
  • IP Addresses
  • Amounts
  • Payment methods

Bitcointalk Cryptocurrency Leak:

Bitcointalk Cryptocurrency

According to the threat actor on March 25, 2024, a database exposing the following information was published:

  • Emails
  • Usernames
  • Ethereum Addresses

These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.

Extent of Infostealer Exposures

Constella Intelligence checked whether the published information could have originated from infostealer infections. That check found nearly 4 million users of these cryptocurrency companies exposed in infostealer data. Most exposures involve major cryptocurrency exchange platforms:

  1. Binance: More than 2M users exposed.
  2. eToro: More than 500k users exposed.
  3. Crypto.com: More than 300k users exposed.
  4. Localbitcoins: More than 200k users exposed.

Digging into the infostealer exposures, Constella Intelligence also identified what seems to be infostealer infections of potential employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.

Implications of Crypto-Related Breaches

The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:

  1. Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
  2. Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
  3. Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.

Recommendations for Users

To mitigate the risks associated with the recent breaches, users should adopt the following security practices:

  1. Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
  3. Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
  4. Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
  5. Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.