Justice Department seizes infrastructure used by cyber scam and criminal marketplace

The Justice Department on Tuesday said it has seized infrastructure tied to what officials called one of the world’s most prolific criminal marketplaces, used to commit cyber scams and other crimes.

The seized cloud computing account hosted backend infrastructure used by subsidiaries of the Huione Group, a Cambodia-based corporate conglomerate.

At the same time, the Treasury Department announced fresh sanctions and more against Huione and affiliated companies. The administration’s actions Tuesday add to disruption efforts from last fall against pieces of the same network.

The Trump administration has placed an emphasis on combating transnational cybercrime and other kinds of scams and fraud.

The seized cloud computing account was used to operate Huione Guarantee, also known as Haowang Guarantee, according to Tuesday’s DOJ announcement.

“The Huione Group used this cloud computing account as part of a technological backbone that allowed billions in fraud proceeds to be transferred, moved, and concealed — much of it stolen through Southeast Asian scam centers,” said Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division. “Seizures of these marketplaces is critical in the fight against fraud that affects so many Americans, and to stop avenues for criminal proceeds to be laundered.”

U.S. officials allege that Huione Guarantee operated Telegram channels with discussions about illicit goods and services, including the sale of stolen credit card and sensitive personal information, malware-enabled thefts, human trafficking schemes and the laundering of money from romance and investment scams. Huione Guarantee also allegedly offered escrow services for criminals such as money launderers for cryptocurrency.

Treasury took two steps Tuesday to build on its move in October to sever Huione Group from the U.S. financial system. One was to tack H-Pay Service onto its rule for Huione Group as a successor entity. And it slapped nine people and 26 entities linked to Prince Group with sanctions.

“Huione Group served as a critical node for laundering proceeds of cyber heists and virtual currency investment scams and was used by the Prince Group to transfer and consolidate scam-derived assets,” Treasury’s announcement states.

Also last October, the Justice Department said it seized bitcoin valued at $15 billion from the chairman of the Prince Group, Chen Zhi, and indicted him over alleged cryptocurrency crimes and other schemes. 

An alleged key figure in Chen’s criminal network has been arrested in Cambodia and extradited to China.

The post Justice Department seizes infrastructure used by cyber scam and criminal marketplace appeared first on CyberScoop.

Algerian man charged with running two cybercrime marketplaces

An Algerian man known online as “SPOX” was extradited from Spain and charged with running a black-market cybercrime operation that prosecutors say defrauded thousands of victims and funneled roughly $900,000 through a cryptocurrency account over a three-year period.

Abdellah Belmili, 26, made his initial appearance Monday in the U.S. District Court for the Western District of New York in Buffalo. He faces a single count of conspiracy to commit bank fraud, which carries a maximum sentence of 30 years in prison. 

He was extradited from Spain earlier this month.

Federal investigators say Belmili allegedly created and administered at least two illicit online marketplaces, market0day.com and spoxy.us, that operated similarly to commercial e-commerce platforms. The marketplaces sold financial credentials, phishing kits, compromised email server access, and other tools used to carry out fraud. All transactions on the sites were conducted in Bitcoin.

According to court documents, the FBI became aware of the marketplaces in September 2020 through a confidential source. The site’s administrator was already known to investigators as a prolific creator of phishing kits targeting major U.S. financial institutions.

In 2020, undercover FBI agents used the marketplace to buy a phishing kit designed to replicate JPMorgan Chase’s login page and capture victims’ personal information. Agents also purchased access to a compromised email server. A third item — access to a website control panel — was paid for but never delivered, prompting customer complaints on Belmili’s Telegram channel.

Shortly after those complaints surfaced, Belmili announced he was closing market0day.com and redirecting customers to a new site, spoxy.us, which he described as a “new store for bulk sms,” which typically refers to mass phishing via text message. 

The new site used the same template, color scheme, and navigation structure as its predecessor and was registered using the stolen identity of a 77-year-old Texas resident.

Investigators identified Belmili through a combination of open-source research, search warrants, and records obtained from technology and financial companies. Early versions of his phishing kit code contained his full name, “Dila Belmili,” embedded in the source alongside his Telegram handle and a link to the marketplaces. Facebook accounts linked to the alias “spox_coder” listed “Dila Belmili (spox)” as the display name, and customers had posted complaints about phishing kit purchases directly on his profile.

Records obtained from Google showed that Belmili used his personal email account to search for financial institution logos, hacking tools, and methods for generating fake identities and credit card numbers. The same account received approximately 1,400 emails containing victims’ stolen personal information from active phishing kits targeting American Express, Bank of America, Cash App, JP Morgan Chase, PayPal, and Wells Fargo.

Investigators also found that Belmili had built hidden backdoors into phishing kits he sold to other criminals, allowing him to continue harvesting victim data even after the kits changed hands.

Records from cryptocurrency exchange Binance showed approximately $900,000 deposited into an account registered to Belmili between Jan. 2020 and Jan. 2023. Of that amount, roughly $760,000 was transferred to other accounts or converted into other forms of cryptocurrency, while approximately $41,000 was withdrawn from ATMs. 

In total, investigators identified approximately 595 distinct phishing kits created by Belmili. Analysis of victim data exported to Telegram pages and email accounts linked to the operation identified roughly 5,600 victims in the United States and internationally.

“This defendant thought that he could get away with defrauding thousands of victims out of hundreds of thousands of dollars by using fake names and hiding behind a keyboard to steal bank account and credit card numbers,” said U.S. Attorney Michael DiGiacomo in a release. “This arrest makes clear that, regardless of where you operate, our law enforcement partners will find you – and when they do, you will face the full consequences of your actions.” 

The post Algerian man charged with running two cybercrime marketplaces appeared first on CyberScoop.

Court rules SAVE database illegal, orders it dismantled

A federal court ruled Monday that the Trump administration’s national voter database violates federal privacy laws, interferes with Americans’ right to vote, and must be dismantled.

In the ruling, Judge Sparkle L. Sooknanan of the District Court of Washington D.C. wrote that records reviewed by the court show federal agencies knew that the SAVE voter database violated federal laws like the Privacy Act, the Social Security Act and the Administrative Procedure Act, but were “scrambling” to comply with President Trump’s executive order to create a system for mass voter verification.

That pressure resulted in agencies “haphazardly” combining and repurposing the personal information of millions of Americans from different government databases, including citizenship data they knew was unreliable.

“The Court therefore sets aside and vacates the 2025 SAVE modified system and the related notices because they were contrary to law, arbitrary and capricious, in excess of statutory authority, and without observance of procedure required by law,” Sooknanan wrote.

The League of Women Voters, its local affiliate groups and the Electronic Privacy Information Center filed the lawsuit last year. They argued the administration violated privacy laws that restrict the government’s ability to collect or combine private data without congressional authorization.

Sooknanan wrote that the SAVE database violates a prohibition in the Social Security Act against the disclosure of Social Security numbers and other related SSA records as well as substantive and procedural protections in the Privacy Act, which prevent the non-consensual disclosure of certain information both by federal agencies and between federal agencies and require notice and comment.

The court also ruled that SAVE violates the Administrative Procedure Act, which governs how the federal government develops regulations and makes official decisions to ensure they’re fair and impartial.

Sooknanan had earlier declined to rule the database illegal under the Administrative Procedure Act, saying the plaintiffs had failed to prove the data would cause irreparable harm. In her final ruling, she changed course, writing that the states have since run their voter rolls through the federal government’s modified SAVE system, and some voters have been wrongfully identified as non-citizens and had their voter registrations canceled.

“All in all, the federal government has knowingly trampled on the privacy rights of American citizens in a manner that threatens the sacred right to vote,” Sooknanan wrote. “This Court cannot stand idly by while that happens.”

The ruling reinforces longstanding objections from former government officials and privacy experts over the past year, who have said Congress has repeatedly passed privacy laws explicitly to prevent the executive branch from using Americans’ data in ways not prescribed through law. That is what DHS did last year when it took SAVE, a database meant to process government benefits for legal immigrants, and combined it with data from the Social Security Administration and other agencies to create a new massive database of American voters and their citizenship status.

John Davisson, deputy director of enforcement at EPIC, celebrated the decision in a statement, saying the ruling “underscores that government agencies must follow the law, defend privacy and remain accountable to the public they serve.”

“Today’s decision is a victory for us all. By halting the illegal consolidation of sensitive personal data across federal agencies, the court has safeguarded not only our privacy rights but also the bedrock of our democracy: the right to vote,” said Davisson.

The post Court rules SAVE database illegal, orders it dismantled appeared first on CyberScoop.

Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket

A Google security engineer was arrested in New York and charged with crimes related to bets he allegedly placed on Polymarket using confidential information he pulled from Google systems, the Justice Department said Wednesday. 

Michele Spagnuolo, a 36-year-old Italian citizen who lives in Switzerland, is accused of placing multiple trades on the prediction marketplace last year that netted him a profit of more than $1.2 million. He allegedly abused internal access to Google’s nonpublic Year in Search data and placed a series of bets on the most searched people on Google in 2025.

“Today’s charges reinforce a decades-old message: corporate insiders cannot use confidential information to turn a profit in our markets,” Jay Clayton, U.S. attorney for the Southern District of New York, said in a statement Wednesday. “Insider trading compromises the integrity of our markets, and the American people want this greed-driven conduct investigated and prosecuted.”

Spagnuolo was charged with violating the Commodity Exchange Act, wire fraud and money laundering, which carry a combined maximum sentence of up to 50 years in prison.

He was also served with a civil complaint by the Commodity Futures Trading Commission that accused him of insider trading. The government agency is seeking restitution, disgorgement, civil monetary penalties, trading and registration bans and a permanent injunction against further regulation violations. 

Spagnuolo has been employed as a security engineer at Google since 2014, where he built products, specifications and led multiple projects in the information security unit, according to his company bio, which has since been taken down. 

A Google spokesperson said the company is working with law enforcement on its investigation. “The employee accessed our marketing material using a tool available to all employees, but using such confidential information to place bets is a serious breach of our policies,” the spokesperson said in a statement. “We’ve placed the employee on leave and will take the appropriate action.”

Spagnuolo did not respond to a request for comment.

In a complaint unsealed Wednesday, a federal investigator said Spagnuolo, who used the “AlphaRaccoon” user name on Polymarket, took deliberate steps to conceal his use of nonpublic information, including efforts to obscure the source and ownership of his proceeds.

Prosecutors noted that Google’s internal software tool, which provided Spagnuolo access to search trends, bore a banner that stated “Google Confidential” in red text, adding that Spagnuolo confirmed he understood the company’s various confidentiality and ethics policies to access the data. 

Spagnuolo allegedly created his Polymarket account in May 2024 and placed a series of trades between later that year risking approximately $2.75 million on 25 outcomes that the market treated as unlikely.

The FBI said it traced Spagnuolo’s Polymarket account to a cryptocurrency wallet he allegedly used to fund the account and initiate multiple transfers. Spagnuolo is also accused of sending multiple transactions through a cryptocurrency swapping service that were received by an account in his name linked to his Italian government ID card. 

Spagnuolo allegedly changed his Polymarket username to an alphanumeric wallet address in early December, after Google released its Year in Search results and multiple users on Discord and X speculated the person behind the account was a Google insider.

The post Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket appeared first on CyberScoop.

Weaponized AI: The new frontier of fraud and identity spoofing

Today’s enterprise executives are navigating a complex landscape of AI-driven challenges, but none is more urgent than the rapid escalation of AI-generated fraud.

Fraudsters are weaponizing generative AI to automate impersonation and mass-produce synthetic identities at a scale and pace that is rendering enterprises’ long-standing defenses obsolete. This is no longer a slow-moving game of cat and mouse; it is a high-velocity arms race.

To protect the integrity of their platforms, enterprise leaders — particularly in critical infrastructure sectors — must move beyond periodic risk assessments and begin leveraging a new generation of tools that enable defenses to iterate in days rather than months.

Generative AI as a fraud multiplier

While legitimate businesses use generative AI for efficiency, fraudsters exploit it to scale their attacks. We are witnessing a 100-fold increase in synthetic identities and a sevenfold rise in deepfake-driven impersonations over the past 24 months. Deloitte’s Center for Financial Services predicts AI-enabled fraud losses could reach $40 billion in the U.S. by 2027, up from $12.3 billion in 2023.

This is no longer just a back-office technical issue; it has become a top concern for leadership across banks, fintechs, and telcos. Three-quarters (72%) of business leaders anticipate AI-generated fraud, including deepfakes, will be a top operational challenge in 2026, according to an Experian report. Nearly half (46%) of businesses surveyed by Incode in 2025 reported an annual increase in deepfake and generative AI fraud.

Bad actors can now perpetrate fraud at scale by targeting multiple victims at the same time using the same or fewer resources. Consequently, the stakes have escalated rapidly. Enterprises must now find more effective ways to distinguish between reality and fiction before these attacks compromise trust, revenue, and operational continuity.

The new arms race

Fraud prevention has always been a constant game of leapfrog. Now, however, enterprises must adopt highly advanced defenses as they work to thwart fraudsters who have access to the same AI tools and no legal guardrails.

By some estimates, 80% of fraud is easily detectable, while the remaining 20% requires high-level expertise. That’s where most vendors’ performance fails. Sophisticated fraudsters are not only more capable of impersonating identities but are also increasingly networked, sharing intelligence on how to bypass specific company defenses.

Agility as the primary security metric

In this environment, the “7-Day Benchmark” is essential. A defense model must be able to identify a new attack vector, retrain its data sets, and deploy an updated mitigation model within 7 to 10 days. 

One reason so many organizations remain vulnerable to this new generation of attacks is that they rely on third-party vendors whose update cycles can take months to test and deploy. Modern defense requires an approach like Deepsight: a combination of machine learning, behavior checks, and device checks that identify camera injections and synthetic document fraud and verify that the user is a real person.

Defense checklist: 4 questions for every vendor

To narrow this “velocity gap,” executives need to take a closer look at how well equipped their providers are to address this new generation of threats. Here are four pointed questions to explore:

  1. “How accurate is your facial recognition capability? And what third-party certifications do you hold for mobile environments?” Executives should look for solutions that have been independently validated against the most rigorous international standards for biometric spoof testing—such as iBeta Level 3 compliance on both iOS and Android—that simulate well-resourced attackers using professional-grade, hyper-realistic masks.
    • While many providers struggle with consistency across various devices, a top-tier solution will achieve a 0% error rate. (In a 2024 National Institute of Standards and Technology (NIST) evaluation of 158 different developers, using galleries of mugshot, Visa, and Border images, Incode ranked #1 out of all full solution identity verification providers.)
    • Also, assess the accuracy and performance of algorithms used in facial analysis across a range of use cases, including age estimation, ensuring the technology is unbiased and highly accurate across diverse user populations. (Once again, Incode scored top marks in NIST’s Face Analysis Technology Evaluation for achieving the lowest error and false-positive rates.)
  2. “How do you measure and report your own error rates?” Demand a rigorous, audited approach that provides clear metrics on false positives and false negatives for every session.
  3. “Do you own your technology or license it?” This determines the speed of iteration. Updates should happen internally in days, not over months-long development cycles dictated by a third party.
  4. “How does your network share intelligence to flag repeat offenders?” Inquire whether the vendor can cross-share biometric, VPN, and network data across their entire client base to proactively block known fraudsters before they hit your system.

(For a more complete guide on selecting an identity verification vendor, we recommend getting a complimentary copy of the Gartner Magic Quadrant for Identity Verification.)

Secure your defenses against AI-enabled fraudsters

The era of treating identity verification as a static compliance checkbox is over. As the internet makes identity spoofing easier than ever before, the burden is on leadership to ensure their defenses can evolve at the speed of the adversary.

Audit your vendor ecosystem today: Demand proprietary technology that iterates in days, insist on top-tier independent certifications for mobile environments, and prioritize networks that share real-time intelligence. Organizations that treat trust as a core strategic capability will thrive; those that remain reactive will find themselves increasingly vulnerable in a world where reality is becoming ever more malleable.

Fernanda Sottil is Senior Director of Strategy at Incode Technologies, a leading identity verification company.

The post Weaponized AI: The new frontier of fraud and identity spoofing appeared first on CyberScoop.

Don’t just fight fraud, hunt it

Our nation has entered a new fraud arms race fueled by AI.

With billions of dollars in fraud losses mounting in both the private and public sectors, it’s clear the old ways of deterring fraud aren’t working. That’s why we need a new playbook that starts with understanding how fraudsters operate, evolving our defenses, and shifting to a proactive posture that doesn’t just fight fraud but actively hunts it down. 

In the AI era, treating fraud as just a front-door problem won’t work. This moment requires industry, government, and consumers to work together, reduce silos, and share real-time intelligence. The goal is to move beyond reactive detection by understanding the lifecycle of a threat—from its formation to its spread—so we can intervene before it establishes a foothold.

For decades, fraud has been treated like a series of isolated incidents. This false assumption has underpinned nearly every past effort to crack down on it. Those efforts, while well-intentioned, have missed the mark. 

Now, in light of the Trump Administration’s Cyber Strategy for America and accompanying executive order, it’s critical to understand the modern fraud landscape and the central role that digital identity exploitation plays within it.

New research from Socure reveals just how dramatically the landscape is evolving. 

Fraud has become industrialized, with organized crime syndicates running operations that are global, systemic, automated, and powered by AI. No organization, service, or program is safe. Fraudsters target government programs, banks, fintech platforms, telecom companies, and more, blurring the lines between public sector fraud, financial crime, and cybercrime.

It used to be that fraud could be detected through the reuse of identity elements across multiple applications: the same email, device, phone number, or IP address used over and over. 

But the data is clear: these links are declining fast. Today’s sophisticated fraudsters are now engineering their attacks to avoid traditional fraud detection patterns. Our research demonstrates that emails will be completely unique within fraud populations as soon as 2027, so we won’t be able to rely on email to identify patterns.

Speed is another defining feature of modern identity fraud. Fraudsters use AI to create clean, durable, synthetic and stolen identities at scale. In one observed campaign, 24,148 synthetic identities were built and launched in under a month, with many attacks occurring within 48 hours. What once took weeks or even months can now be completed in days. 

The rapid rise of identity farms is another indicator of the industrialization of fraud. Identity farms are operated by crime rings to systematically create synthetic or stolen identities over time in order to closely resemble legitimate identities. Matured identities are used to open bank, credit, and money-movement accounts, siphon government benefits, launder funds, and more. These identity farms focus on durable identities that can bypass traditional verification controls.

So what should we do? Simply put, we must go on offense. 

This means treating identity as critical infrastructure and implementing strategies that track how identities were created before the moment of application; expanding signals monitoring to include elements like residential proxies, ISP behavior, and domain registration activity; evaluating velocity and orchestration in real-time; and treating continuous measurement, rapid model iteration, and cross-industry intelligence as core capabilities.

Additionally, given the rapid scaling of fraud, we need more analysis of the complete ecosystem, including dynamic factors like device information, digital footprints, and behavioral biometrics so organizations can effectively distinguish genuine humans from machines. Ultimately, this layered and interconnected approach makes it significantly harder for malicious actors to recreate or steal identities at scale.

Fraud is no longer a series of isolated acts. It is a coordinated, global enterprise built on the exploitation of identity. Until our efforts reflect this new reality, we will continue to fight an imminent and ongoing threat with outdated tools and fall further behind. 

Now is the time to make this strategic shift and finally put fraudsters on their heels. 

Mike Cook serves as head of fraud insights at Socure, the identity and risk platform for the AI age.

The post Don’t just fight fraud, hunt it appeared first on CyberScoop.

State officials, election experts question California sheriff’s seizure of ballots

A California county sheriff and Republican contender for the state’s gubernatorial race has seized 650,000 physical ballots from Riverside County, saying they were part of an investigation into election fraud tied to redistricting wars.

State officials and election security experts say that the underlying allegations are spurious and local law enforcement do not have the authority to unilaterally investigate or validate election results.

Riverside County Sheriff Chad Bianco said at a news conference Friday that he intended to conduct a hand count of the ballots, which were tied to elections last November, and “compare that result to the total votes recorded.”

In a March 6 letter, California Attorney General Rob Bonta directed Bianco to pause the investigation until the state could review “the factual and legal basis” for the probe and seizure.

Based on an initial review of the warrants and affidavits in the case, Bonta wrote that his “office has serious concerns as to whether probable cause existed to support the issuance of the warrants, and whether your office presented the magistrate with all available evidence as required by law.” 

While Bonta’s letter does not describe the underlying content of the search warrants, it points to a public presentation made by a resident at a Feb. 10 Riverside County Registrar of Voters meeting that “addresses the alleged vote discrepancy that appears to be the basis of your investigation.”

In that meeting, an individual identifying himself as “Errol” — wearing a “Trump 2028” hat — alleged the council had participated in local, state and federal election fraud.

At several points, the individual said he relied on Google for information on individuals and companies he was accusing of receiving improper payments. At another point, he claimed the Riverside County auditor would not disclose the purpose behind thousands of pages of county payments, before saying “you’re not getting the files, I got them put away.”

“We have a lot of problems, you guys. You’ve committed serious fraud here, forever,” the individual alleged, adding that he hoped the members of the council were imprisoned.

Bonta accused Bianco of “flagrantly violating my directives” under the California State Constitution, and threatened court action should he proceed with the investigation and hand recount.

The act by Bianco — who is running third in the state’s open primary for governor this month, per an Emerson College poll — is the second such seizure of ballots to take place this election cycle, following the FBI’s raid of Fulton County, Georgia’s election office.

Gowri Ramachandran, director of elections and security at the Brennan Center for Justice, told CyberScoop that the election allegedly being investigated wasn’t a close race. Further, like virtually every other election, candidates or parties have opportunities to contest irregularities or results, including automatic recounts or recounts paid by candidates or campaigns — along with state courts that regularly adjudicate questions of election outcomes.

“It’s important for people to know none of those processes involve someone coming in and haphazardly coming in and grabbing the ballots,” she said, adding: “I worry if it happens closer to an actual election what it could do to interfere with it.”

Ramachandran said that by seizing physical ballots, which she called “the gold standard” we use for determining ground-level truth about voter intent, Bianco was disrupting the chain of custody that is one of the key processes designed to give voters trust in their elections.

“It should just be a really high bar, not just, ‘I’m suspicious, I want to do a fishing expedition,’” she said. “That’s not enough to have someone who doesn’t have any experience in counting ballots or keeping them safe [to] just come in and grab all that stuff.”

Bonta’s suggestion that Bianco did not materially inform the courts echoes what Fulton County officials alleged in their own lawsuit, which accused the FBI of presenting the judge with a “flagrantly misleading narrative” that omitted key evidence, undermining the government’s basis for investigating the 2020 ballots. 

The post State officials, election experts question California sheriff’s seizure of ballots appeared first on CyberScoop.

Washington is right: Cybercrime is organized crime. Now we need to shut down the business model

The recently released executive order targeting cybercrime, fraud, and predatory schemes uses language the federal government has often avoided. Now, for the first time, the Trump administration is echoing what the cybersecurity industry has been shouting for years: cyber-enabled fraud is a product of transnational organized crime.

That distinction matters because organized crime requires an organized response.

Cybercrime is now the world’s fastest-growing criminal economy, built on stealing from everyday people. It is no longer a loose collection of hoodie-wearing hackers in basements or misfits trading malware in online forums. It is a mature global industry operating at scale. In the entirety of human history, there has not been a transfer of wealth of this magnitude since the era of pillaging empires. We have just gotten so used to it that it feels like background noise.

Modern cybercrime groups look less like street gangs and more like corporations. They run structured operations, complete with HR departments, training pipelines, performance metrics, and technology stacks that rival most enterprise companies. Their attackers don’t rely on sophisticated exploits — they think like expert investigators, systematically probing for weaknesses, exploiting psychological pressure, manipulating insiders, and using deception to move through gaps that defenders left open. They operate around the clock, in every time zone, and increasingly use AI to automate attacks at a scale that once required highly skilled operators.

Worse yet is that many of these operations rely on forced labor. Scam compounds in Southeast Asia run like factory floors, with rows of trafficked workers carrying out romance scams, cryptocurrency fraud, and impersonation schemes under threat of violence.

Their goal is to make fraud faster and more profitable. The result is a global criminal ecosystem that extends far beyond online scams. It fuels human trafficking, weapons smuggling, political corruption, compromised organ systems, and even nuclear programs.

If the federal government is ready to recognize what the industry has known — that cybercrime truly operates like an organized global industry — then responding to it solely through traditional law enforcement is not enough. The question goes beyond how governments apply sanctions, coordinate investigations, or pressure jurisdictions that harbor these operations. The greater question is whether the private sector is willing to help dismantle the infrastructure that allows this industry to thrive.

One word changes everything

I want to be specific about why this executive order is different, because the language is not accidental.

The order doesn’t just call these groups “hackers” or “organized crime.” It calls them transnational criminal organizations (TCOs). That word carries legal and operational weight that most coverage has glossed over. Transnational is the jurisdictional framing that authorizes an entirely different class of response. It is the same threshold that moves a case from local law enforcement to federal jurisdiction and beyond.

Pair that with what follows – “law enforcement, diplomacy, and potential offensive actions” – and you are reading something that goes well beyond a policy memo. Notice the sequence: diplomacy before offensive action is proportionality doctrine. But the administration did not rule out offensive action. The document also calls for deploying the “full suite of U.S. government defensive and offensive cyber operations” and uses the word “shape” as its first pillar of action. In military doctrine, shaping an adversary’s behavior does not mean gentle persuasion. It means force is part of the calculus.

This is not the language of a consumer protection policy. Whoever wrote this has studied the opposition.

An organized threat demands an organized response

The executive order draws a line in the sand: cybercrime has outgrown its origins as a consumer protection issue. It’s now a fundamental threat to economic stability and national security. But tackling an industry operating at this scale requires more than government action alone. The order’s answer is to mobilize the private sector – giving companies the green light to identify and disrupt adversary networks.

That framing matters.

The private sector sees the machinery of cybercrime every day. Security vendors, major platforms, and infrastructure providers spot the command-and-control servers, malicious domains, and payment pipelines that keep these operations moving. Too often, that intelligence is used only to defend commercial interests, when in reality, it should also be used to disrupt the networks behind the attacks. When criminal groups lose core infrastructure, they have to rebuild. That costs time. That costs money. That creates pressure.

At the same time, the order puts a question squarely before the private sector: How far is it willing to go, and under what terms? I spent my career believing “minimal force” matters. Precise, proportionate action prevents escalation and avoids creating cascading problems. As we move beyond a defense-only approach, those principles matter more than ever.

There is another question that sits underneath all of this: How far does “potential offensive actions” actually go? Does it stop at cyberspace? Financial sanctions? Asked bluntly, “Will leaders and shareholders know whether providing threat intelligence ends with a measured network take-down or an all-out drone strike on the fraudulent call center?”

Organizations need to fix the security weaknesses criminals are exploiting for profit. Most attacks in 2026 do not succeed because criminals are brilliant. They succeed because the basics are missing. No multifactor authentication. Weak identity controls. Unpatched vulnerabilities sit open for months. Criminals don’t care about your industry or company size. They go where it’s easiest.

When organizations ignore basic security controls, they are doing more than accepting risk. They’re subsidizing the criminal infrastructure that exploits those gaps.

Governments must keep pressure on nations that harbor these operations. Large-scale cybercrime thrives where enforcement is weak or non-existent. The order specifically calls out “nations that tolerate predatory activity”—a signal that safe havens won’t be ignored. Stronger coordination across governments, law enforcement, and private industry can make it much harder for criminals to operate at scale.

The order also targets “foreign TCOs and associated networks,” with “associated networks” being a deliberately broad phrase. Defining who qualifies will be critical. Draw the lines too narrowly and the policy won’t work. Too broadly and you risk dangerous escalation.

Simply put, cybercriminal groups are disciplined because discipline pays. Disrupting them will require the same. It will demand pressure on countries that act as safe havens. It will take dismantling the infrastructure behind these schemes. It will require better basic security across every organization that criminals target.

The executive order is right: cybercrime is organized. It is industrial. It is ruthless. For the first time in a long time, the response looks like it might be, too. Whether the government, private sector, and public can align around what this actually demands, and what it risks, are still unanswered questions.

After years of watching policy documents gather dust while victim numbers grow, I will take action over perfection every time.

Kyle Hanslovan is a former NSA cyberwarfare operator and CEO of Huntress Labs.

The post Washington is right: Cybercrime is organized crime. Now we need to shut down the business model appeared first on CyberScoop.

SMS Phishers Pivot to Points, Taxes, Fake Retailers

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

An instant message spoofing T-Mobile says the recipient is eligible to claim thousands of rewards points.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points.

A phishing website registered this week that spoofs T-Mobile.

If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:

An SMS phishing or “smishing” website targeting AT&T users.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States.

“These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said.

A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.

A text message that spoofs the District of Columbia’s Office of Tax and Revenue.

CAVEAT EMPTOR

Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world.

Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products.

A machine-translated screenshot of an ad from a China-based phishing group promoting their fake e-commerce shop templates.

With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by your financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet.

According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.”

Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received.

“If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.”

The SMS phishing reporting site smishreport.com.

Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies.

“Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.”

SHOP ONLINE LIKE A SECURITY PRO

As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms).

If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.
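The WHOIS age check described above, as an added example (not code from the original article): it pulls the creation date out of raw WHOIS text, whose field labels and date formats vary by registry, and flags young domains. The `.example` domains, the sample records and the 30-day cutoff are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Registries label the registration date differently; these labels are common ones.
CREATED_LABELS = {"creation date", "created", "created on", "registered on"}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")
NEW_DOMAIN_DAYS = 30  # assumed cutoff for "brand new"; adjust as needed

def parse_created(whois_text):
    """Return the earliest creation timestamp in raw WHOIS text, or None."""
    found = []
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in CREATED_LABELS:
            continue
        # Drop fractional seconds such as "08:15:30.0Z" before parsing.
        value = re.sub(r"(?<=:\d{2})\.\d+", "", value.strip())
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            found.append(parsed)
            break
    return min(found) if found else None

def assess(whois_text, now):
    """Classify a domain as 'new', 'established' or 'unknown' by age."""
    created = parse_created(whois_text)
    if created is None or created > now:
        # Redacted, missing or unparseable date: do not treat it as safe.
        return {"age_days": None, "verdict": "unknown"}
    age_days = (now - created).days
    verdict = "new" if age_days < NEW_DOMAIN_DAYS else "established"
    return {"age_days": age_days, "verdict": verdict}

# Constructed WHOIS excerpts for placeholder domains (not real lookups).
SAMPLES = {
    "mega-deals-shop.example": (
        "Domain Name: MEGA-DEALS-SHOP.EXAMPLE\n"
        "Creation Date: 2025-11-20T08:15:30.0Z\n"
        "Registry Expiry Date: 2026-11-20T08:15:30Z\n"),
    "gadget-outlet.example": (
        "    Registered on: 28-Nov-2025\n"
        "    Expiry date:  28-Nov-2026\n"),
    "longtime-retailer.example": (
        "created: 2009-03-14\n"
        "changed: 2024-01-02\n"),
    "redacted-store.example": (
        "Domain Name: REDACTED-STORE.EXAMPLE\n"
        "Registrant: REDACTED FOR PRIVACY\n"),
}
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

def run_samples():
    """Assess every constructed sample record against the fixed NOW."""
    return {domain: assess(text, NOW) for domain, text in SAMPLES.items()}

if __name__ == "__main__":
    for domain, result in run_samples().items():
        print(f"{domain:28} {result['verdict']:12} age_days={result['age_days']}")
```

A record with no readable creation date comes back as `unknown` rather than `established`, since a redacted or missing date says nothing about how old the store is.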

If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

But it’s not just outright scammers who can trip up your holiday shopping: Oftentimes, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.

So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

Lawrence’s List 090216

Lawrence Hoffmann // Election fraud is something I’ve mentioned here recently. The reality we must face here is that any time a digital system is used for voting there is […]

The post Lawrence’s List 090216 appeared first on Black Hills Information Security, Inc.

Potential Surge in Cryptocurrency Leaks

Increase in Cryptocurrency Leaks After Trump Supports Bitcoin

Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.

Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.

These comments could have caused crypto-related sites to increase in value, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive for attacks on these platforms grows, highlighting the need for robust security measures.

Crypto Leaks Overview

In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.

Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web:

Zuelacoin Data Leak:

This information was published on March 31, 2024. According to the threat actor the data includes:

  • Emails
  • Names
  • Social media profiles (Twitter, Facebook, Telegram)

Binance Cryptocurrency Leak:

The post was made on May 27, 2024. The exposed information includes:

  • Emails
  • Full names
  • Phones
  • Countries

Mobile Apps like CashCoin, Coinbase, and KuCoin:

The threat actor “whix” published this on March 26, 2024. The exposed information includes:

  • Emails
  • Usernames
  • Passwords
  • Countries
  • IP Addresses
  • Payment methods

eToro Cryptocurrency Leak:

The same threat actor also reported this on March 25, 202, where the following information could be found:

  • Full names
  • Emails
  • Countries
  • IP Addresses
  • Amounts
  • Payment methods

Bitcointalk Cryptocurrency Leak:

According to the threat actor on March 25, 2024, a database exposing the following information was published:

  • Emails
  • Usernames
  • Ethereum Addresses

These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.

Extent of Infostealer Exposures

Constella Intelligence checked whether the published information could have resulted from infostealer infections. The check found that nearly 4 million users of these cryptocurrency companies are exposed in infostealer data. Most exposures have impacted major cryptocurrency exchange platforms:

  1. Binance: More than 2M users exposed.
  2. eToro: More than 500k users exposed.
  3. Crypto.com: More than 300k users exposed.
  4. Localbitcoins: More than 200k users exposed.

Digging into the infostealer exposures, Constella Intelligence also identified what seems to be infostealer infections of potential employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.

Implications of Crypto-Related Breaches

The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:

  1. Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
  2. Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
  3. Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.

Recommendations for Users

To mitigate the risks associated with the recent breaches, users should adopt the following security practices:

  1. Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
  3. Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
  4. Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
  5. Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.