
Does Canada Need Nationalized, Public AI?

While AI CEOs worry governments might nationalize AI, others are advocating for something similar. Security professional Bruce Schneier and Harvard data scientist Nathan Sanders published this call to action in Canada's most widely-read newspaper (with a readership over 6 million): "Canada Needs Nationalized, Public AI." While there are Canadian AI companies, they remain for-profit enterprises, their interests not necessarily aligned with our collective good. The only real alternative is to be bold and invest in a wholly Canadian public AI: an AI model built and funded by Canada for Canadians, as public infrastructure. This would give Canadians access to the myriad of benefits from AI without having to depend on the U.S. or other countries. It would mean Canadian universities and public agencies building and operating AI models optimized not for global scale and corporate profit, but for practical use by Canadians... We are already on our way to having AI become an inextricable part of society. To ensure stability and prosperity for this country, Canadian users and developers must be able to turn to AI models built, controlled, and operated publicly in Canada instead of building on corporate platforms, American or otherwise... [Switzerland's funding of a public AI model, Apertus] represents precisely the paradigm shift Canada should embrace: AI as public infrastructure, like systems for transportation, water, or electricity, rather than private commodity... Public AI systems can incorporate mechanisms for genuine public input and democratic oversight on critical ethical questions: how to handle copyrighted works in training data, how to mitigate bias, how to distribute access when demand outstrips capacity, and how to license use for sensitive applications like policing or medicine... Canada already has many of the building blocks for public AI.
The country has world-class AI research institutions, including the Vector Institute, Mila, and CIFAR, which pioneered much of the deep learning revolution. Canada's $2-billion Sovereign AI Compute Strategy provides substantial funding. What's needed now is a reorientation away from viewing this as an opportunity to attract private capital, and toward a fully open public AI model. Long-time Slashdot reader sinij has a different opinion. "To me, this sounds dystopian, because I can also imagine AI declining your permits, renewal of license, or medication due to misalignment or 'greater good' reasons." But the Schneier/Sanders essay argues this creates "an alternative ownership structure for AI technology" that allocates decision-making authority and value "to national public institutions rather than foreign corporations."

Read more of this story at Slashdot.

Authorities from 14 countries shut down major cybercrime forum LeakBase

Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.

LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said. 

The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information. 

“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement. 

Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.

Officials did not immediately name any suspects, but some of the activity occurred in San Diego and Provo, Utah. Officials said the FBI’s field offices in San Diego and Salt Lake City, which are investigating the case, participated in the operation domestically. The Provo Police Department was also involved.

“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.

By seizing the forum’s database, authorities identified multiple users who believed they were operating anonymously.

“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”

Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which has been active since 2021, contained more than 32,000 posts and more than 215,000 private messages. 

Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.

The technical disruption phase got underway Wednesday and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and the Netherlands also supported the investigation.

“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.

Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace

Microsoft announced Wednesday that it worked with international law enforcement to seize infrastructure used to run cybercrime subscription service RedVDS and organized civil actions in the United States and United Kingdom to disrupt its further use. 

RedVDS has enabled at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Victims that are joining Microsoft as co-plaintiffs in the civil action include Alabama-based H2 Pharma, a pharmaceutical company that lost more than $7.3 million, and Florida-based Gatehouse Dock Condominium Association, which was tricked out of nearly $500,000. 

“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable and difficult to trace,” Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said in a blog post. “It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously and across borders.”

Microsoft said a joint operation with Europol and authorities in Germany allowed it to seize RedVDS’s infrastructure and take the marketplace offline. Cybercriminals used the site, which included a loyalty program and referral bonuses for customers, to send high-volume phishing attacks, host infrastructure for scams and facilitate fraud such as business email compromise.

Microsoft customers were among those impacted by RedVDS’s tools and services. 

“Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide,” Masada said in the blog post. “These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.”

Over the course of a month, more than 2,600 RedVDS virtual machines sent Microsoft customers an average of one million phishing messages per day, Masada added. 

RedVDS facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise. The marketplace was also used to compromise the accounts of realtors, escrow agents and title companies to divert payments, according to Microsoft.

More than 9,000 customers, many in Canada and Australia, were directly impacted by real estate-related fraud aided by RedVDS. Microsoft Threat Intelligence said other scams enabled by RedVDS hit organizations in construction, manufacturing, healthcare, logistics, education and legal services.

Researchers said the marketplace’s user interface was loaded with features that allowed eager cybercriminals to purchase inexpensive, unlicensed Windows servers reachable over Remote Desktop Protocol (RDP) with full administrator control. RedVDS reused a single, cloned Windows host image across the service, which allowed researchers to find unique technical fingerprints shared by every machine it rented out.

The group that develops and operates RedVDS is tracked by Microsoft as Storm-2470. At least five additional cybercrime groups and cybercriminals who used the RaccoonO365 phishing service prior to its takedown in October were also using RedVDS infrastructure, according to Microsoft Threat Intelligence.

RedVDS’s site first launched in 2019 and has remained in operation since, providing servers in the U.S., U.K., Canada, France, the Netherlands and Germany. The marketplace “has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks, including credential theft, account takeovers and mass phishing,” researchers said in a report.

RedVDS rented servers from third-party hosting providers, including at least five hosting companies in the U.S., Canada, U.K., France and the Netherlands. This allowed RedVDS to provision IP addresses in geolocations close to targets, allowing cybercriminals to evade location-based security filters and blend in with normal data center traffic, researchers added. 
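The evasion described above, a rented VPS provisioned in the same country as the victim, is exactly the case a geography-only sign-in rule does not catch. The following is an added example, not Microsoft’s detection logic and not derived from any RedVDS indicator: it classifies sign-ins by the type of network the source address belongs to (access ISP versus hosting/data-center space) rather than by country alone. The ASN table, prefixes (RFC 5737 documentation ranges), private-use ASN numbers, user list and sign-in events are all constructed placeholders; a real deployment would populate the table from an ASN/hosting feed and the events from the identity provider’s sign-in log.

```python
"""Triage sign-ins by source network type rather than by geography alone.

Added example, not Microsoft's detection logic. The ASN table, prefixes and
sign-in events below are constructed placeholders (RFC 5737 documentation
ranges and private-use ASNs), not real allocations or real RedVDS ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ASN table: (prefix, ASN, network type, country code).
# "hosting" marks VPS / data-center space, "isp" marks access networks.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500, "isp", "US"),
    (ipaddress.ip_network("203.0.113.0/24"), 64501, "hosting", "US"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "hosting", "CA"),
]

# Constructed user -> home country mapping (hypothetical users).
HOME_COUNTRY = {"alice": "US", "bob": "US"}


@dataclass(frozen=True)
class SignIn:
    user: str
    src_ip: str
    device_known: bool  # True if the client presented a previously registered device


# Constructed sample events; the last address is deliberately outside the table.
SAMPLE_EVENTS = [
    SignIn("alice", "198.51.100.7", True),   # home ISP, known device
    SignIn("alice", "203.0.113.45", False),  # US VPS, new device: geo filter passes it
    SignIn("bob", "192.0.2.9", False),       # Canadian VPS, new device
    SignIn("bob", "203.0.113.46", True),     # US VPS, known device
    SignIn("alice", "233.252.0.1", False),   # unknown network
]


def lookup(ip: str):
    """Return (asn, network type, country) for an address, or (None, 'unknown', None)."""
    addr = ipaddress.ip_address(ip)
    for net, asn, net_type, cc in ASN_TABLE:
        if addr in net:
            return asn, net_type, cc
    return None, "unknown", None


def geo_only_blocks(ev: SignIn) -> bool:
    """Baseline rule: block only when the source country differs from the user's home."""
    _, _, cc = lookup(ev.src_ip)
    return cc is not None and cc != HOME_COUNTRY[ev.user]


def triage(events):
    """Return (user, ip, severity, note) for sign-ins worth review.

    The rule keys on network type: a rented VPS in the user's own country passes
    the geo baseline, so it is flagged here regardless of location. A new device
    raises severity; a registered device from data-center space is still noted.
    """
    findings = []
    for ev in events:
        asn, net_type, cc = lookup(ev.src_ip)
        if net_type != "hosting":
            continue
        severity = "high" if not ev.device_known else "medium"
        note = f"AS{asn} is data-center space"
        if not geo_only_blocks(ev):
            note += "; geo-only rule would have allowed it"
        findings.append((ev.user, ev.src_ip, severity, note))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Of the five constructed events, three are flagged: both US-hosted VPS sign-ins that a country-based filter would have let through, and the Canadian one that the baseline also catches. The point is the first two, which is where location-proximate rented infrastructure defeats the geo filter.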

“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada said. “Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.”

The post Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace appeared first on CyberScoop.

Ukrainian national pleads guilty to Nefilim ransomware attacks

Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid-2018 to late 2021. He faces up to 10 years in prison for conspiracy to commit fraud, including extortion.

Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced an $11 million reward for information leading to his arrest or conviction.

“The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.

“We remain determined to capture Stryzhak’s codefendant and partner in crime, Volodymyr Tymoshchuk, and bring him to justice in a U.S. courtroom,” Nocella added. Officials accuse Tymoshchuk of acting as an administrator of the Nefilim ransomware group and described him as a serial cybercriminal associated with multiple ransomware strains.

Attacks involving Nefilim ransomware caused millions of dollars in losses from extortion payments and damage to victim networks, officials said. Stryzhak and his co-conspirators allegedly customized executable ransomware files for each victim, creating unique decryption keys and unique ransom notes. 

The ransomware group primarily targeted companies located in the United States, Canada and Australia with more than $100 million in annual revenue, and extorted victims by threatening to publish stolen data. The crew researched companies after they broke into their networks to determine their net worth, size and contact information.

Stryzhak’s victims include an engineering consulting company based in France, an aviation industry company in New York, a chemical company in Ohio, an insurance company in Illinois, a company in the construction industry in Texas, a pet care company in Missouri, an international eyewear company and a company in the oil and gas transportation industry.

Stryzhak and his co-conspirators also used Nefilim ransomware to encrypt victim networks in Germany, the Netherlands, Norway and Switzerland, prosecutors said. 

Officials said Stryzhak’s crimes began when he gained access to the Nefilim ransomware code in June 2021 in exchange for 20% of his ransom proceeds.

“Cybercriminals may hide behind screens, but they leave digital footprints everywhere,” Christopher Johnson, special agent in charge of the FBI’s field office in Springfield, Illinois, said in a statement. 

“The FBI follows these digital trails relentlessly — across networks, borders, and time — until those responsible are held accountable,” Johnson added. “Today is a remarkable accomplishment, but we will not stop until we have captured all those responsible for the Nefilim ransomware.”

The post Ukrainian national pleads guilty to Nefilim ransomware attacks appeared first on CyberScoop.

Five Eyes just made life harder for bulletproof hosting providers

The Treasury Department, along with officials from the United Kingdom and Australia, imposed sanctions Wednesday against two bulletproof hosting providers and key people involved in their operations, in a globally coordinated effort aimed at thwarting the role these services have in enabling ransomware, phishing operations, and data extortion campaigns around the world. 

Authorities sanctioned Media Land, three of its leaders and three affiliated companies for allegedly supporting ransomware operations and other cybercrime. The Russia-based bulletproof hosting provider has provided services to ransomware groups, including LockBit, BlackSuit and Play, officials said.

Authorities imposed sanctions on Media Land’s general director Alexsandr Volosovik, Kirill Zatolokin, Yulia Pankova and subsidiaries ML Cloud, Media Land Technology and Data Center Kirishi. 

“Media Land has been impactful largely because of its longevity. Recorded Future can trace attackers using their infrastructure back to at least 2015 — 10 years of activity,” Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.

“Targeting this kind of infrastructure can have a disruptive effect on the ransomware ecosystem,” he said. “It’s not the same as a takedown, but it makes it much more difficult for these threat actors to operate and continue to provide services.”

Cyber authorities with the Five Eyes intelligence alliance and the Netherlands also released a mitigation guide Wednesday, which offers tips to help defenders thwart cybercrime made possible by this infrastructure. Impairing these services “requires a nuanced approach because bulletproof hosting infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders may impact legitimate activity,” officials said in the guide.
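The caveat in the guide, that a bulletproof host’s ranges sit inside ordinary transit and often share address space with unrelated customers, is the part defenders most often get wrong by dropping a whole upstream prefix. The following is an added example, not code from the Five Eyes guide or any vendor: it turns an indicator list into edge actions where only high-confidence, single-tenant ranges are dropped, mixed-use or lower-confidence ranges are logged for monitoring, and an explicit allowlist for known partners in a shared range always wins. Every prefix, ASN-style operator label, confidence value and allowlist entry below is a constructed placeholder (RFC 5737 documentation ranges), not a real bulletproof-hosting indicator.

```python
"""Derive block / alert / allow actions from a bulletproof-hosting indicator list.

Added example, not from the Five Eyes mitigation guide or any vendor.
All prefixes, operator labels and confidence values are constructed
placeholders using RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed indicator list. "shared" records whether the range is known to
# also carry unrelated customers (the mixed-use case the guide warns about).
INDICATORS = [
    {"prefix": "203.0.113.0/24", "operator": "bph-example", "confidence": "high", "shared": False},
    {"prefix": "198.51.100.0/25", "operator": "bph-example", "confidence": "high", "shared": True},
    {"prefix": "192.0.2.0/24", "operator": "bph-example", "confidence": "medium", "shared": False},
]

# Constructed allowlist: a hypothetical partner that sits inside the mixed-use
# range above. An allowlist hit always beats an indicator hit.
ALLOWLIST = [ipaddress.ip_network("198.51.100.64/26")]


def decide(indicator) -> str:
    """Block only when attribution is high confidence and the range is single-tenant.

    Everything else becomes an alert (log and monitor) so that legitimate
    neighbours in the same range keep working.
    """
    if indicator["confidence"] == "high" and not indicator["shared"]:
        return "block"
    return "alert"


def classify(ip: str):
    """Return (action, matched prefix) for one address, using longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    for net in ALLOWLIST:
        if addr in net:
            return "allow", str(net)
    best = None
    for ind in INDICATORS:
        net = ipaddress.ip_network(ind["prefix"])
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ind, net)
    if best is None:
        return "allow", None
    return decide(best[0]), str(best[1])


def render_rules():
    """Emit an ordered, firewall-style rule list: allowlist first, then drop/log lines."""
    lines = [f"accept from {net}  # partner inside mixed-use range" for net in ALLOWLIST]
    for ind in INDICATORS:
        verb = "drop" if decide(ind) == "block" else "log"
        lines.append(f"{verb} from {ind['prefix']}  # {ind['operator']}, {ind['confidence']} confidence"
                     + (", shared range" if ind["shared"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules()))
    for probe in ("203.0.113.5", "198.51.100.10", "198.51.100.70", "192.0.2.200", "233.252.0.1"):
        print(probe, "->", classify(probe))
```

Running it produces one drop rule (the single-tenant, high-confidence /24), two log rules, and an accept rule ahead of them; the probe addresses show that a host in the shared /25 is logged rather than dropped, and that the partner /26 inside that same /25 is accepted outright.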

Despite the sanctions, Media Land’s infrastructure will remain online until the organization’s peering partners cut off key services, said Zach Edwards, senior threat analyst at Silent Push. One of those partners, JSC RetnNet, is also based in Russia, but its other peering partner, RETN Limited, is a U.K.-based ISP, he said.

“The bulletproof hosting ecosystem is thriving and growing,” Edwards said, adding “we still need law enforcement to put more pressure on the peering partners who help to get bulletproof hosting infrastructure online and accessible to the rest of the internet.”

Cybercriminals use bulletproof hosting infrastructure to obfuscate their activities, including malware delivery and phishing, and to host content and services that support ransomware, data extortion and denial of service attacks, officials said.

“Bulletproof hosting is one of the core enablers of modern cybercrime,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a statement.

Officials also took action against companies and individuals who helped the previously sanctioned Aeza Group evade sanctions and reconstitute operations under new infrastructure and leadership.

U.K.-based Hypercore, Maksim Vladimirovich Makarov, the new alleged director of Aeza, and Ilya Vladislavovich Zakirov were targeted with sanctions for supporting Aeza Group’s ongoing activity. Officials also sanctioned Smart Digital Ideas DOO and Datavice MCHJ for providing technical infrastructure to Aeza.

“Bulletproof hosting providers are hosting the majority of cybercrime infrastructure used by a wide range of global threat actors for ransomware attacks, phishing campaigns, malware delivery and everything in between,” Edwards said. 

“Focusing on these malicious hosts should be a top law-enforcement priority to ensure we’re not just playing Whac-A-Mole with individual threat actors for years to come.”

The post Five Eyes just made life harder for bulletproof hosting providers appeared first on CyberScoop.

CISA, NSA offer guidance to better protect Microsoft Exchange Servers

Cybersecurity experts from multiple federal agencies released guidance to help organizations bolster their defenses against attacks on on-premises Microsoft Exchange Servers, resurfacing and building upon previously shared advice that generally applies to most technology.

The Cybersecurity and Infrastructure Security Agency said the security blueprint for Microsoft Exchange Server is a follow-up effort to an emergency directive the agency released in August for CVE-2025-53786, a high-severity defect affecting on-premises Microsoft Exchange servers. CISA jointly issued the guide Thursday with the National Security Agency and cyber agencies in Australia and Canada.

Nick Andersen, executive assistant director for cybersecurity at CISA, said the guidance isn’t in response to any specific vulnerability or attack, but rather reflects that organizations are under constant threat. “Many organizations depend on Microsoft Exchange to perform these critical communication functions, and that necessitates a strong degree of protection from malicious actors,” he said during a media briefing Thursday.

The recommendations aren’t particularly new and should come as no surprise to security and IT professionals. The guide synthesizes security advice shared by Microsoft, security experts and the industry at large. The majority of works cited in the guide, more than 60, link back to blogs and advice scattered around Microsoft sites. 

“The individual recommendations are known good practices. What stands out to me is the detailed implementation guidance and how the guide stitches the compilation of recommendations into a game plan for improved security,” Andrew Grotto, research scholar at Stanford University’s Center for International Security and Cooperation, told CyberScoop.

“It’s a practical and very usable guide,” he said. “It also begs the question of why Microsoft has never produced something quite like this.”

Microsoft declined to answer questions or provide additional information. 

The guide encourages on-premises Microsoft Exchange Server customers to restrict administrative access, implement multi-factor authentication, enforce strict transport layer security configurations and adopt zero-trust security principles. It also advises organizations to patch regularly and migrate off end-of-life Microsoft Exchange Servers. 

“The most effective defense is ensuring all Exchange Servers are running the latest version and cumulative update patches,” Andersen said. “Delaying or failing to apply security patches increases the risk of vulnerability exploitation and puts your entire network at risk, as well as the larger ecosystem.”

Microsoft’s level of involvement in the development of the guidance is unclear. Andersen did not address that directly, but said CISA is grateful to Microsoft and other vendors who participate in the vendor ecosystem with the federal government.

“We wanted to be able to have something, given both the criticality and sort of the level of participation that we have with this partner, to outline some of those best practices,” Andersen said.

Microsoft Exchange Server is heavily targeted by nation-state attackers and cybercriminals. The popular enterprise technology appears 16 times on CISA’s known exploited vulnerabilities catalog dating back to 2021, and 12 of those vulnerabilities are known to be used in ransomware attacks. That year, the U.S. government and its allies blamed China for exploiting an Exchange flaw that led to a rash of ransomware attacks affecting tens of thousands of victims. 
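Counts like the ones above come straight out of CISA’s Known Exploited Vulnerabilities feed, and the same feed is the quickest way to turn the guide’s “patch regularly” advice into a concrete check against an inventory. The following is an added example, not part of the CISA/NSA guide and not Microsoft’s tooling. It uses the field names of the public known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the three catalog entries, their synthetic CVE numbers, the two hostnames and the patch dates are constructed placeholders, not real records. The “gap” heuristic is deliberately conservative: a KEV entry added after a server’s last update date cannot be covered by that update, so it is reported; entries added earlier are not assumed to be fixed either, they just are not flagged by this check.

```python
"""Cross-check an Exchange server inventory against CISA KEV entries.

Added example, not part of the CISA/NSA guide. Field names follow the public
known_exploited_vulnerabilities.json schema; the entries below are constructed
placeholders with synthetic CVE numbers, not real catalog records.
"""
from datetime import date

# Constructed sample of the KEV feed (real feed: {"vulnerabilities": [...]}).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2025-08-07", "dueDate": "2025-08-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory: hypothetical hostnames and the date each server last
# received a cumulative update or security update.
SERVERS = {
    "exch01.corp.example": date(2025, 9, 1),
    "exch02.corp.example": date(2024, 1, 15),
}


def exchange_entries(kev):
    """Keep only Microsoft Exchange entries (product strings vary by edition)."""
    return [e for e in kev
            if e["vendorProject"] == "Microsoft" and "Exchange" in e["product"]]


def summarize(kev):
    """Headline figures of the kind quoted in coverage: total Exchange entries
    and how many carry the ransomware-use flag."""
    ex = exchange_entries(kev)
    return {
        "exchange": len(ex),
        "ransomware": sum(1 for e in ex if e["knownRansomwareCampaignUse"] == "Known"),
    }


def gaps(kev, servers, today):
    """Per server: KEV Exchange entries added after its last update.

    Returns {host: [(cveID, ransomware_use, overdue_vs_cisa_due_date), ...]}.
    An entry added after the last update cannot be covered by that update;
    entries added before it are not flagged (they may or may not be fixed).
    """
    report = {}
    for host, patched in servers.items():
        items = []
        for e in exchange_entries(kev):
            added = date.fromisoformat(e["dateAdded"])
            if added > patched:
                overdue = today > date.fromisoformat(e["dueDate"])
                items.append((e["cveID"], e["knownRansomwareCampaignUse"] == "Known", overdue))
        report[host] = sorted(items, key=lambda t: (not t[1], t[0]))  # ransomware-linked first
    return report


if __name__ == "__main__":
    print(summarize(KEV_SAMPLE))
    for host, items in gaps(KEV_SAMPLE, SERVERS, date(2025, 11, 1)).items():
        print(host, items or "no KEV entries newer than last update")
```

Against the constructed data the summary reports two Exchange entries, one with known ransomware use; the recently updated server shows no gap, while the server last updated in January 2024 shows both Exchange entries, both past their CISA due date, with the ransomware-linked one listed first. Swapping KEV_SAMPLE for the downloaded feed’s "vulnerabilities" array and SERVERS for real patch dates is the only change needed to run it for real.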

To Grotto, the recommendations in the guide underscore how complex Microsoft Exchange is, “and complexity is the enemy of security,” he said. “For Microsoft, complexity is the customer’s problem, not theirs.”

The federal and international agencies’ effort was likely driven by what they determined to be an unmet need, according to Grotto. 

“Governments do not normally step in to provide detailed guidance on behalf of private companies on how to safely operate their products,” he said. “The fact that a multilateral coalition of security and intelligence agencies felt that they needed to produce something like this is a devastating commentary on Microsoft’s security posture.”

The post CISA, NSA offer guidance to better protect Microsoft Exchange Servers appeared first on CyberScoop.

Canada Fines Cybercrime Friendly Cryptomus $176M

Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.

On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.

FINTRAC found that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.

“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.

In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The 122 services targeted in Sanders’s research all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:

-abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
-sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
-anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
-anonymous SMS services, including anonsim[.]net and smsboss[.]pro.

Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.

Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.

“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”

Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.

“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”

The $176 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.

In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.

Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.

The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
