Voting rights groups are asking a court to block an ongoing Trump administration effort to merge disparate federal and state voter data into a massive citizenship and voter fraud database.
Last week, the League of Women Voters, the Electronic Privacy Information Center (EPIC) and five individuals sued the federal government in D.C. District Court, saying it was ignoring decades of federal privacy law to create enormous “national data banks” of personal information on Americans.
On Tuesday, the coalition, represented by Democracy Forward Foundation, Citizens for Responsibility and Ethics in Washington (CREW), and Fair Elections Center, asked the court for an emergency injunction to halt the Trump administration’s efforts to transform the Systematic Alien Verification for Entitlements (SAVE) system into an immense technological tool to track potential noncitizens registered to vote. Until this year, SAVE was an incomplete and limited federal database meant to track immigrants seeking federal benefits.
“This administration’s attempt to manipulate federal data systems to unlawfully target its own citizens and purge voters is one of the most serious threats to free and fair elections in decades,” Celina Stewart, CEO of the League of Women Voters, said in a statement. “The League is asking the court to act swiftly to stop this abuse of power before it disenfranchises lawful voters. Every citizen deserves privacy, fairness, and the freedom to vote without fear of government interference.”
In an Oct. 7 court filing, the groups said an immediate injunction was needed to prevent permanent privacy harms due to the “illegal and secretive consolidation of millions of Americans’ sensitive personal data across government agencies into centralized data systems” through SAVE.
“While Plaintiffs’ Complaint challenges a broader set of Defendants’ unlawful data consolidation, Plaintiffs here seek emergency relief concerning one particularly harmful and urgent facet of Defendants’ conduct: their overhaul of the Systematic Alien Verification for Entitlements (“SAVE”) system,” the groups wrote.
In addition to SAVE, the lawsuit also claims the existence of “at least one other Interagency Data System that consolidates other data sources from around the government that might have information concerning immigrants into a centralized ‘data lake’ housed at” U.S. Citizenship and Immigration Services (USCIS).
Federal agencies collect massive amounts of data on Americans as part of their work, but the groups argue the 1974 Privacy Act and other privacy laws were explicitly designed to prevent the kind of large, centralized federal datasets on Americans the administration is putting together. Subsequent legislative updates in 1988 amended the Privacy Act to specifically prohibit the use of “computer matching programs” that compare data across different agencies without informing Congress or publicizing the written agreements between agencies.
“For decades, these protections have guarded against improper data pooling across federal agencies, preventing the government from building a potentially dangerous tool for surveilling and investigating Americans without guardrails,” the voting groups wrote. “Until now.”
As CyberScoop reported earlier this year, USCIS, along with the Department of Government Efficiency (DOGE), began merging SAVE data with other major federal data streams — including federal Social Security data — while removing fees and building in the technical capacity for states to conduct easier, bulk searches of voters against the database. The Department of Justice has sought voter data from all 50 states, with some cooperating and others refusing. Last month, the administration sued six states to force them to hand over voter data that would be used in SAVE.
Less than a week before the suit was filed, the Social Security Administration released a redacted copy of its information-sharing agreement with the Department of Homeland Security, which claims that “personnel have been directed to comply, to the maximum extent possible and permissible under law … taking into account federal statutory requirements, including the Privacy Act of 1974 … as well as other laws, rules, regulations, policies, and requirements regarding verification, information sharing, and confidentiality.”
Administration officials say the overhaul is needed to crack down on instances of noncitizen voting and other forms of voter fraud, but such fraud is exceedingly rare outside a handful of isolated cases, as numerous academic studies and post-election audits have proven.
DOGE officials were singled out in the lawsuit for particularly egregious violations, accused of embarking on a “months-long campaign to access, collect and consolidate vast troves of personal data about millions of U.S. citizens and residents stored at multiple federal agencies.”
An executive order from the Trump administration earlier this year sought to explicitly empower the DOGE administrator, along with DHS, to “review” state voter registration lists and other records to identify noncitizen voters. That order is still the subject of ongoing lawsuits challenging its legality.
In this case, the plaintiffs claim the need for emergency relief is urgent as the Trump administration is simultaneously challenging the accuracy of state voter rolls in courts across the country, while “encouraging and enabling states to use unreliable [Social Security Administration] citizenship data pooled in the overhauled SAVE system to begin purging voter rolls ahead of fast-approaching November elections and to open criminal investigations of alleged non-citizen voting.”
“Both the ongoing misuse of Plaintiffs’ sensitive SSA data through the overhauled SAVE system, and the increased risk of cybertheft and additional misuse, qualify as irreparable injuries,” the filing states.
Authorities and threat intelligence analysts alike relish taking ransomware operators off the board. Holding cybercriminals accountable through arrest, imprisonment, or genuine reform creates a powerful deterrent and advances the ultimate goal of a safer internet for everyone.
Getting to that point is a remarkably tough task for defenders. Ransomware attacks are often initiated by people living in countries that aren’t bound by extradition treaties with the United States or don’t cooperate with international law enforcement. When those obstructions aren’t in place, authorities can amass resources to hunt down those responsible for cyberattacks and bring them to justice.
The fight against cybercrime is grueling, and wins rarely outweigh the losses. For nearly a decade, police have often made high-profile announcements about arresting cybercriminals, keeping them in custody until their court dates and seizing their ill-gotten gains. These acts send a clear message to the public and potential offenders that cybercrime is a serious offense, and authorities are taking swift, visible measures to uphold the law.
Ianis Aleksandrovich Antropenko exemplifies the profile of a modern cybercriminal, yet, unlike many others who have faced strict prosecution for similar offenses, the Justice Department has granted him liberties rarely extended to such suspects.
The 36-year-old Russian national was arrested almost a year ago in California for his alleged involvement in multiple ransomware attacks from at least May 2018 to August 2022. Yet, he was released on bail the day of his arrest and continues to live with few restrictions in Southern California awaiting trial for multiple felonies.
Antropenko is charged with conspiracy to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering. He is accused of using Zeppelin ransomware to attack multiple people, businesses and organizations globally, including victims based in the U.S.
Antropenko pleaded not guilty to the charges in October.
The Justice Department recently announced it seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. His alleged crimes were publicly revealed for the first time last month when authorities unsealed various court documents.
Photo of Antropenko posted to his public Instagram account March 10, 2023. (Instagram)
Antropenko’s arrest and pending trial mark another potential win against ransomware, but many experts told CyberScoop they are stunned he remains free on bail. This rare leniency in a case involving a prolific alleged cybercriminal is even more surprising considering his multiple run-ins with police since his 2024 arrest.
Antropenko violated the conditions of his pretrial release at least three times in a four-month period this year, including two arrests in California involving dangerous behavior while under the influence of drugs and alcohol. Authorities haven’t explained why Antropenko was released pending trial, nor why pretrial services officers and a judge repeatedly allowed him to remain out of jail following these infractions.
“On average, most ransomware actors, if they are brought into custody, are remanded because of a flight risk,” said Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon.
“It’s rare to have a ransomware actor in U.S. custody,” the former deputy assistant director at the FBI Cyber Division told CyberScoop. “Typically, if the FBI believes that the person is a flight risk it would make the case for bond to be denied.”
Prosecutors in the U.S. District Court for the Northern District of Texas did not flag Antropenko as a flight risk in this case.
In the past year, other alleged ransomware suspects or cybercriminals — Noah Urban, Cameron Wagenius, Connor Moucka and Artem Stryzhak among them — were all detained pending trial. Urban, who was sentenced last month to 10 years in prison, and Wagenius, who has pleaded guilty to some charges, were arrested in the United States. Moucka and Stryzhak were arrested elsewhere and extradited to the U.S.
Pretrial treatment of cybercrime suspects hasn’t always adhered to strict norms, especially when the accused’s mental health status was taken into account. Paige Thompson, who was arrested in July 2019 for hacking and stealing data from Capital One and dozens of other organizations for a cryptocurrency mining scheme, was deemed a “serious flight risk” by prosecutors, but still released pending trial four months later.
A U.S. district judge in Seattle determined Thompson didn’t pose a threat to the community and previously told attorneys he was “very concerned” that Thompson would not receive adequate mental health treatment from the Bureau of Prisons.
Thompson was found guilty of multiple counts and sentenced in October 2022 to time served and five years of probation, much to the chagrin of prosecutors. A federal appeals court overruled the district court judge’s sentence earlier this year, calling the punishment “substantially unreasonable.”
Yevgeniy Nikulin, a Russian national arrested in October 2016 on charges related to breaching a database containing 117 million passwords from LinkedIn, Dropbox and other services, was extradited to the U.S. from the Czech Republic in 2018 and ruled fit to stand trial, despite exhibiting mental illness symptoms throughout his incarceration and trial. He was detained pending trial and sentenced to 88 months in prison in September 2020.
Even allowing for that variation in past cases, some experts are struck by other irregularities in Antropenko’s case, including his conditions of release. He is not banned from using the internet or computers; he is only limited to devices and services disclosed to his supervising officer, which are subject to monitoring.
More lenient conditions of release are typically offered in exchange for cooperation, according to threat analysts and a former FBI special agent who specialized in cybersecurity investigations.
“The investigators that tracked him down will certainly want to know who the bigger fish are, and they’ll want to figure out who else they could take down,” the former FBI special agent, speaking on condition of anonymity, told CyberScoop. “If he’s willing to cooperate, then normally the federal system will do good things for you.”
Authorities imposed travel restrictions on Antropenko, required him to surrender his passport, banned him from entering a Russian embassy or consulate and are monitoring his location.
Bad behavior going back years
The federal case against Antropenko underscores how limited resources can put law enforcement and federal investigators at a disadvantage as they confront a constant crush of cybercrime.
The FBI and prosecutors accuse Antropenko of deploying ransomware and extorting victims by email, and implicate him and his ex-wife, Valeriia Bednarchik, in the laundering of ransomware proceeds. Investigators traced the path of ransom payments, money laundering techniques and services, and determined the seized accounts, cash and vehicles were derived from criminal proceeds.
The FBI said it found at least 48 cryptocurrency addresses referenced in Antropenko’s email account — china.helper@aol.com, which he registered in May 2018 — including “emails that received or negotiated ransom payments” and emails about other ransomware attacks.
A cluster of Bitcoin addresses owned by Antropenko “had received a total of approximately 101 Bitcoin” as of Feb. 5, 2024. Of that amount, 64.6 Bitcoin was sent to the cryptocurrency mixing service ChipMixer, according to the FBI. At the time of publication, 101 Bitcoin was worth almost $10.9 million.
The 2023 takedown of ChipMixer, which was used by criminals to launder more than $3 billion in cryptocurrency starting in 2017, provided crucial evidence for this investigation, according to Ian Gray, VP of intelligence at Flashpoint.
“Only after law enforcement seized ChipMixer’s infrastructure could investigators trace the funds linked to accounts registered in Antropenko’s name,” he said. “The sophistication of Bitcoin tracing and clustering techniques also likely contributed to the timing, as law enforcement has adopted software and tools more widely.”
Prosecutors allege that Antropenko and Bednarchik funneled money from computer fraud victims through ChipMixer, then back to their own exchange accounts. Antropenko also allegedly arranged in-person cryptocurrency-to-cash swaps in the U.S., depositing the cash into his bank account in sums under $10,000, the threshold that triggers a bank’s currency transaction report, a pattern known as structuring.
FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.
In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik’s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022. The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: “I took half 50000$ from 100000$”
Authorities also seized cash and two luxury vehicles from the apartment Antropenko and Bednarchik once shared in Irvine, Calif. This included a Lexus LX 570 that Antropenko purchased for more than $123,000 in November 2022 and a 2022 BMW X6M that Antropenko and Bednarchik purchased for $150,000 in cash in November 2021. Photos of vehicles matching those descriptions are depicted on Antropenko’s public Instagram account.
Ransomware operators have been assisted by their spouses in other cases, but their partners’ involvement is typically limited to money laundering, Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.
While many ransomware operators and affiliates operate outside of Russia now, it is rare for a Russian national to live in the U.S. while initiating ransomware attacks for as long as Antropenko allegedly did, Liska said.
“It sounds like he may have had additional information about other people, maybe bigger fish that law enforcement could go after,” he said.
The U.S. District Court for the Northern District of Texas declined to answer questions or provide additional information. The most recent attorney on record for Antropenko did not respond to a request for comment.
Antropenko didn’t just inflict damages on his cybercrime victims, as alleged by prosecutors. His volatility erupted around those closest to him, according to Bednarchik, who accused him of domestic violence in temporary restraining orders she filed against Antropenko in April and May 2022.
Bednarchik has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities said they plan to bring charges against her, no cases are currently pending.
In court filings, Bednarchik painted a picture of a controlling relationship, writing that Antropenko “constantly threatens me with full custody of our son, because he has a lot of money” and expressing fears he might take their child to Russia without permission.
Photo of a BMW X6M posted to Antropenko’s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024. (Instagram)
Court records reveal the family lived together in Miami and later Irvine until 2022. Despite Bednarchik reporting only $800 monthly income from her clothing business, she estimated Antropenko earned $50,000 per month from “cryptocurrency dividends,” describing him as “the breadwinner for the family.”
When Antropenko was arrested in September 2024, Bednarchik posted his $10,000 bail, identifying herself in the affidavit as his ex-wife.
“She’s either being redacted because she’s a victim or because she is collaborating with law enforcement and has been able to get her name redacted,” Zach Edwards, senior threat analyst at Silent Push, told CyberScoop.
Antropenko’s ties to Zeppelin ransomware
Authorities did not describe the extent to which Antropenko was involved with Zeppelin ransomware. Prosecutors mention unnamed co-conspirators in some court documents, indicating they are investigating or aware of others involved in the ransomware-as-a-service operation.
The Cybersecurity and Infrastructure Security Agency said Zeppelin ransomware victims include a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and organizations in the health care and medical industries.
Zeppelin, a variant of the Delphi-based Vega malware, was used from at least 2019 to mid-2022, the agency said in an August 2022 advisory. A ransom note included in CISA’s advisory listed an AOL address for communication regarding extortion payments.
Prosecutors and investigators working on Antropenko’s case said Zeppelin ransomware affected about 138 U.S. victims since March 2020, including a data analysis company and its CEO based in the Dallas region where Antropenko faces federal charges.
Prosecutors have consistently declared the case against Antropenko “complex,” with evidence surpassing 7 terabytes of data, including personally identifiable information of victims, such as names, addresses, photos and bank account numbers.
Zeppelin, and Antropenko’s alleged activity with it, peaked during the second wave of ransomware, when many cybercriminals were improvising and law enforcement activity was at a lull, Liska said. “If you start off with a mistake, that mistake is going to catch up to you,” he said.
Indeed, threat researchers and analysts attribute Antropenko’s capture to “sloppy” behaviors and practices, including his use of major U.S. service providers.
“Antropenko’s operational security was remarkably poor,” Gray said.
“He used a personal PayPal account linked to recovery emails for ransomware operations, shared usernames between banking and ransomware accounts, and stored sensitive information like cryptocurrency seed phrases and photos of large cash amounts in iCloud accounts,” he continued. “These OPSEC failures ultimately led to law enforcement identifying Antropenko.”
Pretrial release violations
While prosecutors push Antropenko’s trial date further down the road — currently set for Feb. 6, 2026 — his personal life has been unraveling. He was hospitalized on a mental health hold on Dec. 31, 2024, and spent a week in a behavioral health hospital, according to a pretrial release violation report.
Antropenko told his probation officer that his ex-wife took his son from him unexpectedly, which led to a significant bout of depression and increase in alcohol consumption. “While walking around his RV park intoxicated, he was approached by an individual who offered him an unknown drug,” which he assumed was some type of methamphetamine, Antropenko’s probation officer wrote in the court filing.
Antropenko said he had little recollection of the events that followed. Once he was placed in a police car after law enforcement arrived the following morning, “he assumed he was being arrested which exacerbated his depression, prompting him to bang his head on the window of the police car, after which he recalls regaining consciousness in the hospital,” the probation officer said. No charges were filed.
Almost two months later, Antropenko was arrested for public intoxication in Riverside County, Calif., when he was found lying unresponsive in the center divider of a roadway. Antropenko told his probation officer he sat down on a curb near his home to smoke a cigarette after consuming four to five beers and was feeling tired, so he fell asleep. He was released the following day.
A U.S. magistrate judge in Texas allowed Antropenko to remain out on bond and modified the conditions of his release to include a ban on alcohol consumption and a requirement to submit to regular alcohol testing.
“It strikes me as unusual to have so many drug violations and stay out on bail,” Kaiser said. “It would be overly lenient if they were still perpetrating crimes obviously against others. It appears he’s harming himself.”
In April, Antropenko contacted his probation officer to make an unsolicited admission of cocaine use, according to a court document filed in May. “The defendant stated that he attended a birthday celebration for a friend’s sister. When he went to the restroom some ‘random people’ offered him a ‘bump of cocaine,’” his probation officer said. The court took no further action.
“Even if he is a cooperating witness, he has been given a lot of freedom, a lot more freedom than we normally see in this case,” Liska said. “I can’t think of any case, of anybody this high profile, that has been given this level of freedom, cooperating or not.”
Edwards is also dismayed Antropenko remains out on bail pending trial.
“It’s wild that a citizen from Russia who has been accused of partnering with serious global threat actors and is out on bail for leading a ransomware campaign, has been arrested multiple times for issues associated with alcohol, including passing out on a street in public, and also admitted to using cocaine while out on bail, and yet his bail hasn’t been revoked,” he said.
Former law enforcement officials were less shocked about the circumstances of Antropenko’s case than security analysts.
Adam Marrè, chief information security officer at Arctic Wolf, said the post-arrest privileges granted to Antropenko aren’t that odd, especially since Antropenko’s alleged pretrial release violations don’t have anything to do with cybercrime.
Marrè said Antropenko’s alleged violations would have frustrated him when he was a special agent at the FBI investigating cybercrime, but he understands the court’s decisions, adding “people are innocent until proven guilty.”
It’s important to note the FBI is focused on outcomes, according to Kaiser. “Getting money back to victims who were stolen from is more important than punishing some guy, especially if he’s not doing [ransomware] activities anymore,” she said.
“It’s hard to arrest these people in the first place and stop them, which means it’s very complicated to deter them over a long period of time,” Kaiser added. “There’s no one arrest that’s going to stop these types of activities.”
Election officials should brace for direct attacks from the Trump administration and its state GOP allies on the integrity of U.S. elections — and plan for the possibility that federal agencies once charged with protecting elections will leverage their authorities to interfere in the process, a voting rights nonprofit warned.
In a report released Wednesday, researchers at the Brennan Center for Justice say the Trump administration’s actions suggest that the White House is preparing for an unprecedented federal intervention in the way elections are administered ahead of 2026 and 2028.
The scenarios are all based on actions the administration has already taken this year or in its first term, statements made by Trump and his aides, lawsuits filed by the Department of Justice and supporting efforts from Republican-led state legislatures.
Lawrence Norden, vice president for the elections and government program at the Brennan Center and one of the report’s authors, told CyberScoop that the document is targeted at three audiences who will be on the front lines in Trump’s war for control over elections: state election officials, policymakers and the public at large.
In 2020, the public was subjected to a deluge of false and unproven claims around election fraud, dead voters and hacked voting machines. Those claims had limited effect on voters outside of Trump’s orbit, and many federal officials, including Chris Krebs, his own pick to lead the nation’s cybersecurity and election security agency, contradicted his claims of mass fraud. This April, Trump ordered the Justice Department to investigate Krebs for his statements about the 2020 election.
This year, the Department of Homeland Security hired Marci McCarthy and Heather Honey, who both actively tried to overturn the results of the 2020 election. McCarthy is now the top public affairs official at CISA, while Honey was recently named to a position overseeing election security efforts at DHS. Other agencies, like the FBI and the DOJ, have shifted from supporting state elections to investigating and suing election offices over their voter registration practices.
Whatever the administration ends up doing, Norden said it would be wise to plan ahead for different possibilities.
“One of the most effective ways to defeat misleading or false information is to call it out ahead of time, so when it comes to [dubious] reports we might see from government agencies, better to call it out now and say that this is part of a concerted effort and there are reasons not to trust it,” Norden said.
Meanwhile, he said policymakers at the state level “need to be planning and preparing for the next steps” to protect their constitutional rights while running upcoming elections.
“So being ready to have the backs of their election officials, being ready for politicized investigations that may come, being ready for efforts to interfere in the ability of election officials to run their elections according to state law, they need to be preparing for that now,” Norden said.
Trump uses public doubt and skepticism as policy fuel
One possibility floated in the report is the administration moving to decertify voting machines used in some or most states through the Election Assistance Commission. Last week, Trump argued against mail-in ballots and “voting machines,” claiming an executive order that limited their use would soon be issued. The EAC is responsible for overseeing the labs that test and certify voting machines nationwide to ensure they are secure and meet the necessary standards.
While the White House later walked back the possibility of an executive order, the administration has already attempted to compel the EAC to alter voter registration forms to require proof of citizenship and withhold federal funding to states that do not cooperate with federal agencies on election-related matters. A federal judge has nullified parts of that order.
Such certifications are technically voluntary on the part of voting machine manufacturers, but states and localities have overwhelmingly treated them as industry standard when purchasing their machines. Depending on the timing, the mass decertification of certain systems ahead of an election could inject chaos among states, which cannot easily or quickly buy, replace, and test new voting equipment.
For states that do count votes using decertified machines, it could lead the public and political leaders to question the legitimacy of future results. This may give the Trump administration more support to sow doubt and challenge how states run their elections, the type of ballots they accept and how they process vote counts.
States will also have to contend with future messaging from the Trump administration that asserts voting impropriety, even where none exists. All politicians use repetition in their political messaging, but for Trump it is especially central to how he communicates, regardless of the actual facts.
Stacy Rosenberg, an associate teaching professor at Carnegie Mellon’s public policy school, told CyberScoop that Trump’s rhetorical style relies on aggressive repetition of simple themes, such as mass noncitizen voting and poorly maintained voter rolls, because they help create the political will for the administration and its allies to take more extreme actions that couldn’t otherwise be justified based on law or precedent.
“The attempt to have federalized voting is not something we typically see in the United States, so when elections are questioned, there may be people who say, ‘well, it’s justified for the federal government to come in and make changes,’” Rosenberg said. “We’ll have to see how the courts handle that. It doesn’t really fall into the domain of an executive order, so I think the question is: what can they do that the courts will allow?”
Norden said that while it’s clear the president doesn’t have the kind of direct authority over state-run elections he’s claiming, he does have the power to “both mislead and to intimidate people, whether it’s election officials or voters.”
“The good news is that if we see them for what they are, those are limited powers,” Norden said. “As long as the states step up and defend their elections, as long as voters come out and vote, that’s not enough to undermine elections. But we have to see what’s happening for [that defense] to be effective.”
In terms of counter messaging on the part of states, Rosenberg said much will rest on how courts respond to federal challenges, but from a strategy perspective “the number one thing [election officials] have to know is, you’re going to be called fake news.”
The Trump White House has “continued that line of attack through his first term to his present day. The way they want to control the message by saying everyone else’s message is false is a persistent strategy,” she said.
Pointing to the administration’s previous efforts to strong-arm universities and law firms, Rosenberg noted that while no one was left unscathed, those who fared best tended to confront Trump head-on rather than try to accommodate him.
“I think all you can do is stand your ground, file your lawsuits or counter lawsuits as you need to, but I think you need to continue to do the ethical hard work that you’ve done prior to the administration,” she said.
A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.
Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.
A booking photo of Noah Michael Urban released by the Volusia County Sheriff.
Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.
In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.
The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.
That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.
For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.
Noah “King Bob” Urban, posting to Twitter/X around the time of his sentencing today.
Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.
The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.
Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.
“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”
A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.
“What it ultimately turned into was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”
French authorities extradited a 39-year-old Nigerian national to the United States Monday for allegedly hacking into tax preparation businesses and participating in a years-long conspiracy to defraud the Internal Revenue Service and state tax agencies.
Chukwuemeka Victor Amachukwu and his Nigeria-based co-conspirators, including Kingsley Uchelue Utulu, are accused of obtaining about $2.5 million in fraudulent tax refunds from 2019 to 2023, the Justice Department said Tuesday. The conspirators sought fraudulent tax refunds of at least $8.4 million, according to prosecutors.
“Amachukwu allegedly operated multiple illicit fraud schemes — identity theft, computer intrusions via spearphishing, and false investments — profiting at the costs of others,” FBI Assistant Director in Charge Christopher G. Raia said in a statement.
Prosecutors accuse Amachukwu and his co-conspirators of accessing computer systems of tax preparation businesses in New York, Texas and other states via spearphishing emails. The cybercrime crew allegedly filed false tax returns with federal and state authorities using identities stolen from the victim organizations.
In one of those attacks, in May 2021, members of the conspiracy sent a spearphishing email to an employee of a New York-based tax preparation business, which infected the firm’s computer systems with malware, according to an unsealed indictment.
Authorities said Amachukwu and his co-conspirators also used the stolen identities to file fraudulent claims with the Small Business Administration’s Economic Injury Disaster Loan program, obtaining at least $819,000 in payouts.
Amachukwu faces up to 47 years in prison for multiple charges, including conspiracy to commit computer intrusions, two counts of conspiracy to commit wire fraud, two counts of wire fraud and aggravated identity theft.
“Amachukwu also allegedly took part in a separate fraud scheme that promised his victims valuable investments that did not in fact exist,” U.S. Attorney Jay Clayton said in a statement. Officials said Amachukwu stole millions of dollars of his victims’ money from this scheme.
The FBI, Justice Department’s Office of International Affairs and the U.S. Marshals Service assisted the investigation, which led to Amachukwu’s arrest and extradition from France.
A 21-year-old former Army soldier pleaded guilty Tuesday to charges stemming from a series of attacks and extortion attempts last year on telecommunications companies, including AT&T.
Cameron John Wagenius, who identified himself as “kiberphant0m” and “cyb3rph4nt0m” on online criminal forums, conducted extensive malicious activity for years, including while he was on active duty, the Justice Department said.
Wagenius pleaded guilty to conspiring to commit wire fraud, extortion in relation to computer fraud and aggravated identity theft. He faces a maximum of 27 years in prison for the charges and is scheduled for sentencing on Oct. 6. Wagenius previously pleaded guilty to two counts of unlawful transfer of confidential phone records information in connection with this conspiracy, the Justice Department said.
“This is one of the most significant wins in the fight against cybercrime,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. “The cybersecurity workers helping the victims through a storm, federal law enforcement with the fastest federal arrest I have ever witnessed, and the prosecutors now destroying them in court — all brought their A game and they deserve to celebrate tonight.”
Details prosecutors shared about Wagenius as part of their ongoing investigation underscore the bold actions cybercriminals take to extort multiple victims at scale and evade capture. Prior to his arrest in December, Wagenius attempted to sell stolen information to a foreign intelligence service as part of a broader attempt to defect to Russia or another country that he believed would allow him to avoid arrest.
Officials said Wagenius and co-conspirators attempted to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ networks. In November, Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak call records of high-ranking public officials, according to court documents filed in February.
“[Wagenius’] greatest significance is in how absolutely destroyed he’s getting,” Nixon said, adding that he was part of a gang that made threats against Nixon and Unit221B, which specializes in breaking the anonymity of English-speaking cybercriminals.
“He was in the Army, living on base in Texas, when he leaked the hacked call records of President Trump and his family in a failed bid to extort AT&T,” Nixon said. “He pled guilty without even a plea bargain, and the government might still file additional charges. Amazing.”
Authorities did not name Wagenius’ alleged victims in court filings. AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers.
Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Moucka, a Canadian citizen, consented to extradition to the United States in March to face 20 federal charges stemming from his alleged involvement in a series of attacks targeting as many as 165 Snowflake customers, one of the most widespread and damaging attack sprees on record.
Some of the records allegedly in Wagenius’ possession were stolen in the attack spree on Snowflake customer databases, according to cybercrime researchers. Federal law enforcement also found evidence on Wagenius’ seized devices indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency.
Justice Department officials said Wagenius and his co-conspirators attempted to extort at least $1 million from victim data owners. “They successfully sold at least some of this stolen data and also used stolen data to perpetuate other frauds, including SIM-swapping,” officials said in a news release.
“Cybercriminals are shockingly slow to update their threat model, and still operate on the assumption that they won’t be jailed and will get a job in the industry afterwards,” Nixon said. “As multi-decade sentences pile up, reality will set in: Brazen cybercriminals are much more likely to die in prison than they used to, and anonymity isn’t real.”
Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.
Image: WLVT-8.
Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.
Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.
“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy Bernie Lyon wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”
Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group utilizing Android phones to conduct Apple Pay transactions utilizing stolen or compromised credit/debit card information,” [emphasis added].
Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as part of a deep dive into the operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).
How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.
If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.
These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.
People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.
If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.
An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.
Merrill found that at least one of the Chinese phishing groups sells an Android app called “Z-NFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple Pay or Google Pay, and the app relays an NFC transaction over the Internet from a phone in China.
“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.
Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.
“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”
On March 16, the ABC affiliate in Sacramento (ABC10), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.
ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.
Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.
A CBS News story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.
Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.
“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”
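Merrill’s first explanation for the high decline rate, that banks are getting better at spotting this pattern, points at the kind of velocity check an acquirer or issuer can run over authorization logs: one terminal seeing dozens of distinct cards in a short window with most of them declined. The following is an added example written for this page; it is not code from KrebsOnSecurity, SecAlliance, CBS News or any party quoted above. It assumes a hypothetical authorization log with one line per attempt (time, terminal id, tokenized card, outcome), and the thresholds and the sample records are constructed for illustration; the sample reuses the 42-cards/32-declined figures reported in the Sacramento case.

```python
"""Velocity heuristic for a tap-to-pay "card cycling" pattern.

Added example for this page (hypothetical log format, illustrative
thresholds); not code from any outlet, researcher or vendor quoted here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    terminal: str
    card_token: str   # tokenized PAN / wallet token, never the raw card number
    approved: bool


def parse_log(lines):
    """Parse constructed 'ISO-time,terminal,card_token,APPROVED|DECLINED' lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, term, tok, result = line.split(",")
        out.append(Attempt(datetime.fromisoformat(ts), term, tok, result == "APPROVED"))
    return out


def find_card_cycling(attempts, window=timedelta(minutes=30),
                      min_cards=10, min_decline_ratio=0.5):
    """Return {terminal: stats} for every terminal where, inside some sliding
    `window`, at least `min_cards` distinct cards were tried and at least
    `min_decline_ratio` of those attempts were declined."""
    by_terminal = defaultdict(list)
    for a in attempts:
        by_terminal[a.terminal].append(a)

    alerts = {}
    for term, rows in by_terminal.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits within `window`.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            chunk = rows[start:end + 1]
            cards = {a.card_token for a in chunk}
            declined = sum(1 for a in chunk if not a.approved)
            ratio = declined / len(chunk)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                prev = alerts.get(term)
                # Keep the widest window seen for this terminal.
                if prev is None or len(cards) > prev["distinct_cards"]:
                    alerts[term] = {
                        "distinct_cards": len(cards),
                        "attempts": len(chunk),
                        "declined": declined,
                        "decline_ratio": round(ratio, 2),
                        "window_start": chunk[0].ts.isoformat(),
                    }
    return alerts


def build_sample_log():
    """Constructed sample: terminal T-STORE-1 sees 42 distinct cards in about
    20 minutes with 32 declines; T-STORE-2 sees ordinary traffic."""
    base = datetime(2025, 3, 10, 14, 0, 0)
    lines = ["# constructed sample log, not real transaction data"]
    for i in range(42):
        result = "APPROVED" if i < 10 else "DECLINED"
        ts = (base + timedelta(seconds=28 * i)).isoformat()
        lines.append(f"{ts},T-STORE-1,tok{i:04d},{result}")
    for i in range(6):
        result = "DECLINED" if i == 3 else "APPROVED"
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts},T-STORE-2,cust{i:02d},{result}")
    return lines


if __name__ == "__main__":
    for terminal, stats in find_card_cycling(parse_log(build_sample_log())).items():
        print(terminal, stats)
```

Keying on the terminal rather than the card is what makes the pattern visible: each phished card may only ever be tried once, so per-card velocity rules never fire, while the physical terminal (or the wallet device identifier, if the acquirer records it) accumulates the whole run of attempts.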
Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.
In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.
Increase in Cryptocurrency Leaks After Trump Supports Bitcoin
Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.
Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.
These comments could have caused crypto-related sites to increase in value, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive for attacks on these platforms grows, highlighting the need for robust security measures.
Crypto Leaks Overview
In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.
Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web.
Zuelacoin Data Leak:
This information was published on March 31, 2024. According to the threat actor the data includes:
Emails
Names
Social media profiles (Twitter, Facebook, Telegram)
Binance Cryptocurrency Leak:
The post was made on May 27, 2024. The exposed information includes:
Emails
Full names
Phones
Countries
Mobile Apps like CashCoin, Coinbase, and KuCoin:
The threat actor “whix” published this on March 26, 2024. The exposed information includes:
Emails
Usernames
Passwords
Countries
IP Addresses
Payment methods
eToro Cryptocurrency Leak:
The same threat actor also reported this on March 25, 2024, where the following information could be found:
Full names
Emails
Countries
IP Addresses
Amounts
Payment methods
Bitcointalk Cryptocurrency Leak:
According to the threat actor on March 25, 2024, a database exposing the following information was published:
Emails
Usernames
Ethereum Addresses
These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.
Extent of Infostealer Exposures
Constella Intelligence checked whether the published information could have originated from infostealer infections. That check found nearly 4 million users of these cryptocurrency companies exposed in infostealer data. Most exposures involve major cryptocurrency exchange platforms:
Binance: More than 2M users exposed.
eToro: More than 500k users exposed.
Crypto.com: More than 300k users exposed.
Localbitcoins: More than 200k users exposed.
Digging into the infostealer exposures, Constella Intelligence also identified what appear to be infostealer infections affecting likely employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.
Implications of Crypto-Related Breaches
The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:
Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.
Recommendations for Users
To mitigate the risks associated with the recent breaches, users should adopt the following security practices:
Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.