Crime  2024  2023  2022 2021 2020

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft
23.12.23  Crime  The Hacker News
Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

"As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin said. "In this case, comments claim the code to be 'WordPress Cache Addons.'"

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel.

"Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this," Martin explained. "The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use."

The fraudulent plugin also comes with an optionF to create and hide an administrator user account from the legitimate website admin to avoid raising red flags and have sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

"Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they've needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess," Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the "RESERVED" status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.


It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake "Complete Order" button that's overlaid on top of the legitimate checkout button.

Europol's spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. "A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect," it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers' credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

"In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide," the Singapore-headquartered firm added.

That's not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that's estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

"By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost," ScamSniffer said.

3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals
21.12.23  Crime  The Hacker News
A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.

The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.

In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets.

"Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea's National Police Agency," Interpol, an international police organization, said.

Investment fraud, business email compromise, and e-commerce fraud accounted for 75% of the cases, the agency added, stating it detected a new scam in South Korea that involved the sale of non-fungible tokens (NFTs) with promises of huge returns, only for the operators to stage a rug pull and abruptly abandon the project.

Another novel trend concerned the use of artificial intelligence (AI) and deepfake technology to elevate the authenticity of scams, enabling criminals to impersonate people known to the targets, as well as deceive, defraud, harass, and extort victims through impersonation scams, online sexual blackmail, and investment fraud.

HAECHI-IV comes more than a year after HAECHI-III, which led to the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering.

"The seizure of $300 million represents a staggering sum and clearly illustrates the incentive behind today's explosive growth of transnational organized crime," Interpol's Stephen Kavanagh said. "This vast accumulation of unlawful wealth is a serious threat to global security and weakens the economic stability of nations worldwide."

Group-IB Co-Founder Sentenced to 14 Years in Russian Prison for Alleged High Treason
27.7.23  Crime  The Hacker News
A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies.

"The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction of freedom for one year and a fine of 500,000 rubles (about $5,550)," state news agency TASS reported.

Sachkov, who has been in custody since September 2021 and denied wrongdoing, had been accused of handing over classified information to foreign intelligence in 2011, which the prosecutors said caused reputational damage to Russia's national interests. The exact nature of the charges is unclear.

The 37-year-old is expected to appeal the decision, Bloomberg said, adding, "Sachkov was alleged to have given the U.S. government information regarding a hacking team in Moscow's GRU military intelligence service — dubbed 'Fancy Bear' by U.S. cybersecurity companies — and its efforts to influence the 2016 US presidential election."

Group-IB, originally founded in Russia in 2003 and now headquartered in Singapore, said "we have had full confidence in Ilya's innocence" and that he "has been denied a chance for an impartial trial."

"All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny," the cybersecurity company further noted. "As a result, we might never know the pretext for his conviction."
The cybersecurity company completely exited Russia earlier this April, with its local business operating as a standalone company under the new brand F.A.C.C.T. (short for Fight Against Cybercrime Technologies).

"This is a tough moment for all of us and a rainy day for the cybersecurity market," Valery Baulin, general director of F.A.C.C.T. said in a statement. "Ilya Sachkov, my friend, colleague, creator of one of the most successful high-tech companies in the field of cybersecurity, was sent to a colony as a result of a 'speedy trial.'"

EncroChat Bust Leads to 6,558 Criminals' Arrests and €900 Million Seizure
28.6.23  Crime  The Hacker News
EncroChat
Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds.

The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users.

Now almost three years later, the information obtained from digital correspondence has resulted in -

Arrests of 6,558 suspects, including 197 high-value targets
7,134 years of imprisonment of convicted criminals
Confiscation of €739.7 million in cash
Freeze of €154.1 million frozen in assets or bank accounts
Seizure of 30.5 million pills of chemical drugs
Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
Seizure of 971 vehicles, 83 boats, and 40 planes
Seizure of 271 estates or homes, and
Seizure of 923 weapons, as well as 21,750 rounds of ammunition and 68 explosives
A majority of EncroChat users are said to be members of organized crime rings (34.8) and drug trafficking groups (33.29%). The remainder engaged in money laundering (14%), murders (11.5%), and firearms trafficking (6.4%).

EncroChat was an encrypted phone network that was used by organized crime groups to plot drug deals, money laundering, extortion, and even murders. "User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers," Europol said at the time.

Cybersecurity
The Android devices were marketed as offering "perfect anonymity" to users, allowing them to operate with impunity through features like automatic deletion of messages and options to automatically erase them from a distance by the reseller.

"EncroChat sold crypto telephones for around EUR 1,000 each, on an international scale," Europol said. "It also offered subscriptions with worldwide coverage, at a cost of EUR 1,500 for a six-month period, with 24/7 support."

Unbeknownst to the users, the platform was infiltrated by French and Dutch law enforcement in early 2020, offering valuable insight into the groups and their modus operandi. The company's servers, which were operating from France, were taken down.

The illegal use of encrypted communications has since led to the dismantling of another service called Sky ECC in March 2021. In June 2021, U.S. and Australian officials disclosed that they ran an encrypted chat service called ANoM (aka AN0M) for nearly three years to intercept 27 million messages exchanged between criminal gang members globally.

20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona
16.6.23  Crime  The Hacker News
The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa.

Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month.

"Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ said.

Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims.

Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by Astamirov.

The defendant, if convicted, faces a maximum penalty of 20 years in prison on the first charge and a maximum penalty of five years in prison on the second charge.

Astamirov is the third individual to be prosecuted in the U.S. in connection with LockBit after Mikhail Vasiliev, who is currently awaiting extradition to the U.S., and Mikhail Pavlovich Matveev, who was indicted last month for his participation in LockBit, Babuk, and Hive ransomware. Matveev remains at large.

In a recent interview with The Record, Matveev said he was not surprised by the Federal Bureau of Investigation's (FBI) decision to include his name in the Cyber Most Wanted list and that the "news about me will be forgotten very soon."

Matveev, who said he is self-taught, also admitted to his role as an affiliate for the now-defunct Hive operation, and professed his desire to "take IT in Russia to the next level."
The DoJ statement also comes a day after cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S. released a joint advisory warning of LockBit ransomware.

LockBit functions under the ransomware-as-a-service (RaaS) model, in which the core team recruits affiliates to carry out the attacks against corporate networks on their behalf in return for a cut of the ill-gotten proceeds.

The affiliates are known to employ double extortion techniques by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites in an attempt to pressurize the targets into paying ransoms.

The group is estimated to have launched nearly 1,700 attacks since emerging on the scene in late 2019, although the exact number is believed to be higher since the dark web data leak site only reveals the names and leaked data of victims who refuse to pay ransoms.

U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes
24.5.23  Crime  The Hacker News
Cyber Crimes
A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison.

Tejay Fletcher, 35, of Western Gateway, London, was awarded the sentence on May 18, 2023. He pleaded guilty last month to a number of cyber offenses, including facilitating fraud and possessing and transferring criminal property.

iSpoof, which was available as a paid service, allowed fraudsters to mask their phone numbers and masquerade as representatives from banks, tax offices, and other official bodies to defraud victims.

The help desk scam purported to warn targets of suspicious activity on their accounts and tricked them into disclosing sensitive financial information or transferring money to accounts under the threat actor's control.

According to the U.K. Metropolitan Police, the criminals assumed false identities as representatives of various banks such as Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide, and TSB.

"The website offered a number of packages for users who would buy, in Bitcoin, the number of minutes they wanted to use the software to make calls," the Met said in a statement.

The total losses to victims in the U.K. alone is said to be more than £48 million ($59.8 million), with confirmed global losses estimated to be at least £100 million ($124.6 million).

iSpoof was dismantled in November 2022 as part of a coordinated law enforcement exercise, resulting in the arrest of Fletcher and 168 other individuals linked to the operation.

Fletcher is believed to have made around £1.7 - £1.9 million ($2.1 - $2.3 million) in illicit proceeds, in addition to owning a Range Rover, a Lamborghini Urus, and high-end watches from Rolex and Audemars Piguet.
"Fletcher spent time marketing iSpoof on the Telegram Channel, The iSpoof Club," the Met noted. "Fletcher set up the channel to promote iSpoof and would update users and promote updates and developments to the website."

A search of his home after his arrest in November 2022 uncovered more than 30 mobile phones and a number of SIM cards that were used to pull off the scheme.

"By setting up iSpoof, Fletcher created a gateway for thousands of criminals to defraud innocent victims out of millions of pounds," Detective Superintendent Helen Rance said. "Meanwhile he was living a luxury lifestyle benefitting from the profits."

U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator
17.5.23  Crime  The Hacker News
Russian Ransomware Operator
A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world.

Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

"These victims include law enforcement and other government agencies, hospitals, and schools," DoJ said. "Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million."

LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actors also threaten to publicize the stolen information on a data leak site in an attempt to negotiate a ransom amount with victims.

Matveev has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, which is unlikely, he faces over 20 years in prison.

The U.S. State Department has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev.

Separately, the Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against the defendant, stating he claimed "his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia."

According to cybersecurity journalist Brian Krebs, one of Matveev's alter egos included Orange, which the defendant used to establish the now-defunct Russian Anonymous Marketplace (aka RAMP) darknet forum.

Despite the flurry of law enforcement actions to crack down on the cybercrime ecosystem in recent years, the ransomware-as-a-service (RaaS) model continues to be a lucrative one, offering affiliates high-profit margins without having to develop and maintain the malware themselves.

The financial mechanics associated with RaaS has also lowered the barrier to entry for aspiring cybercriminals, who can avail the services offered by the ransomware developers to mount the attacks and pocket the lion's share of the ill-gotten proceeds.

Australian and U.S. authorities release BianLian ransomware alert#
The development comes as U.S. and Australian cybersecurity agencies released a joint advisory on BianLian ransomware, a double extortion group that has targeted several critical infrastructure, professional services, and property development sectors since June 2022.

"The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega," according to the advisory.

Czech cybersecurity firm Avast, earlier this year, published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors.

The security bulletin also arrives amid the emergence of a new ransomware strain dubbed LokiLocker that shares similarities with another locker called BlackBit and has been observed actively targeting entities in South Korea.

Former Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case
15.5.23  Crime  The Hacker News
A former employee of Ubiquiti has been sentenced to six years in jail after he pleaded guilty to posing as an anonymous hacker and a whistleblower in an attempt to extort almost $2 million worth of cryptocurrency while working at the company.

Nickolas Sharp, 37, was arrested in December 2021 for using his insider access as a senior developer to steal confidential data and sending an anonymous email asking the network technology provider to pay 50 bitcoin (about $2 million at the time) in exchange for the siphoned information.

Ubiquiti, however, didn't yield to the ransom attempt and instead looped in law enforcement, which eventually identified Sharp as the hacker after tracing a VPN connection to a Surfshark account purchased with his PayPal account.

"Sharp repeatedly misused his administrative access to download gigabytes of confidential data from his employer," the U.S. Justice Department said, adding he "modified session file names to attempt to make it appear as if other coworkers were responsible for his malicious sessions."

The Oregon-based defendant, besides giving false statements denying any knowledge of the extortion scheme, tampered with log retention policies and other files in order to conceal his unauthorized activity on the company's network.

Sharp, who was employed at Ubiquiti from August 2018 through late March 2021, pleaded guilty earlier this February to falsely spreading the news that the company had been hacked by an unidentified perpetrator who had acquired administrator access to the firm's AWS accounts.
The fabricated security breach led to Ubiquiti's stock price sliding approximately 20% in March 2021, causing it to lose over $4 billion in market capitalization.

Ubiquiti formally disclosed the "incident" in January 2021, describing it as a case of "unauthorized access to certain of our information technology systems hosted by a third-party cloud provider." It further urged users to change their passwords and enable two-factor authentication.

In addition to the prison term, Sharp has been "sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with these offenses."

Spanish Police Takes Down Massive Cybercrime Ring, 40 Arrested
12.5.23  Crime  The Hacker News
The National Police of Spain said it arrested 40 individuals for their alleged involvement in an organized crime gang called Trinitarians.

Among those apprehended include two hackers who carried out bank scams through phishing and smishing techniques and 15 other members of the crime syndicate, who have all been charged with a number of offenses such as bank fraud, forging documents, identity theft, and money laundering.

In all, the nefarious scheme is believed to have defrauded more than 300,000 victims, resulting in losses of over €700,000.

"The criminal organization used hacking tools and business logistics to carry out computer scams," officials said.

To pull off the attacks, the cybercriminals sent bogus links via SMS that, when clicked, redirected users to a phishing panel masquerading as legitimate financial institutions to steal their credentials and abuse the access to request for loans and link the cards to cryptocurrency wallets under their control.

These SMS messages sought to induce a false sense of urgency and increase the actors' chance of success by urging the recipients to click on the accompanying link in order to resolve a purported security issue with their bank accounts.

The stolen cards were used to purchase digital assets, which were then cashed out to fund the group's operations, such as paying legal fees, sending money to members in prison, and the purchase of narcotics and weapons.

Some of the illicit proceeds were also sent to foreign bank accounts, from where other group members used the money to purchase real estate in the Dominican Republic.

"They also had an extensive network of mules that they used to receive money from bank transfers and withdraw it through ATMs," the National Police said.

Another scam perpetrated by the outfit entailed contracting point-of-sale (PoS) terminals by setting up front companies to make false purchases.

Authorities said 13 house searches were carried out in the provinces of Madrid, Seville, and Guadalajara, leading to the confiscation of computer equipment, padlocks, €5,000 in cash, lock-picking toolkits, and other documents containing information about the gang's organizational structure.

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services
10.5.23  Crime  The Hacker News
DDoS-for-Hire Services
U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.

The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest.

This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ).

Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year.

"In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity," DoJ said in a press release on Monday.

"In addition to harming victims by disrupting or degrading access to the internet, attacks from booter services can also completely sever internet connections for other customers served by the same internet service provider via a shared connection point."

Parallel to the domain seizures, the DoJ also said that four of the six individuals who were charged in December 2022 in connection with operating the services have entered into a guilty plea.

DDoS-for-Hire Services
The defendants – Jeremiah Sam Evans Miller, 23, of San Antonio, Texas; Angel Manuel Colon Jr., 37, of Belleview, Florida; Shamar Shattock, 19, of Margate, Florida; and Cory Anthony Palmer, 23, of Lauderhill, Florida – are expected to be sentenced later this year.

Try2Check Card-Checking Service Goes Down#
The announcement comes days after the disruption of Try2Check (aka Try2Services) following a decade-long investigation, an illegal online platform that enabled threat actors to check the status of stolen credit card numbers in their possession and determine if they were valid and active.

The DoJ also charged a 43-year-old Russian national, Denis Gennadievich Kulkov, for his role in creating and turning the service into a "primary tool of the illicit credit card trade," with the State Department offering a $10 million reward for information leading to his arrest.

The department is further extending a separate bounty of up to $1 million for any specifics that will help to identify other key leaders of the Try2Check cybercrime group.

The fraudulent platform, per the indictment, allegedly misused the systems of a prominent U.S.-based payment processing firm to perform the card checks by exploiting its preauthorization service. The name of the company was not disclosed.

Try2Check, which launched in 2005, is estimated to have processed tens of millions of credit card checks every year and facilitated the operations of several major card shops like Joker's Stash that specialized in bulk trafficking of stolen credit cards. As of February 2022, a single card check cost $0.20.

"Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items," the DoJ noted.

The indictment against Kulkov also arrives weeks after Denis Mihaqlovic Dubnikov, who pleaded guilty to charges of money laundering for the Ryuk ransomware gang earlier this year, was sentenced to time served and ordered to forfeit $2,000 in illegal profits.

Operation SpecTor: $53.4 Million Seized, 288 Vendors Arrested in Dark Web Drug Bust
3.5.23  Crime  The Hacker News
An international law enforcement operation has resulted in the arrest of 288 vendors who are believed to be involved in drug trafficking on the dark web, adding to a long list of criminal enterprises that have been shuttered in recent years.

The effort, codenamed Operation SpecTor, also saw the authorities confiscating more than $53.4 million in cash and virtual currencies, 850 kg of drugs, and 117 firearms.

The largest number of arrests were made in the U.S. (153), followed by the U.K. (55), Germany (52), the Netherlands (10), Austria (9), France (5), Switzerland (2), Poland (1), and Brazil (1).

"This represents the most funds seized and the highest number of arrests in any coordinated international action," U.S. Attorney General Merrick B. Garland said. "The drug traffickers are confident that, by operating anonymously on the dark web, they can operate outside the bounds of the law. They are wrong."

The arrests stem from evidence gathered after the takedown of the Monopoly marketplace by German authorities in December 2021. DarkDotFail, in early January 2022, revealed that the criminal bazaar's servers were likely seized by law enforcement, although there was no official announcement.

"The vendors arrested as a result of the police action against Monopoly Market were also active on other illicit marketplaces, further impeding the trade of drugs and illicit goods on the dark web," Europol said in a statement.

Operation SpecTor
"As a result, 288 vendors and buyers who engaged in tens of thousands of sales of illicit goods were arrested across Europe, the United States, and Brazil."

Europol said a number of these apprehended individuals were considered as high-value targets, adding law enforcement agencies gained access to the vendors' extensive buyer lists, potentially exposing "thousands of customers" who are now at risk of prosecution.

Operation SpecTor is a successor to DisrupTor and DarkHunTor, which led to the arrest of 329 alleged suspects in 2020 and 2021 for buying, selling, and coordinating the sale of outlawed goods across underground marketplaces and shops.

The development also comes as the U.S. Federal Bureau of Investigation (FBI) and the National Police of Ukraine seized nine virtual currency exchanges for knowingly offering cryptocurrency conversion services to criminal actors responsible for ransomware and other scams.

"These nine seized domains, 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro, and owl.gold offered anonymous cryptocurrency exchange services to website visitors," the Justice Department said.

The dismantling is part of a broader effort undertaken by governments in Europe and the U.S. to target infrastructure used by malicious actors to launder illegal proceeds and obscure the money trails.

Cyber Police of Ukraine Busted Phishing Gang Responsible for $4.33 Million Scam
1.4.23  Crime  The Hacker News
The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users.

Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union.

The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region.

These websites masqueraded as online portals offering heavily discounted products below market prices to lure unsuspecting users into placing fake "orders."

In reality, the financial information entered on those websites to complete the payments were used to siphon money from the victims' accounts.

"For the fraudulent scheme, the participants also created two call centers, in Vinnytsia and in Lviv, and involved operators in their work," the Cyber Police said. "Their role was to convince customers to make purchases."
The nefarious scheme is estimated to have duped over 1,000 individuals, earning the operators approximately $4.33 million in illicit profits.

As part of the probe, law enforcement authorities carried out over 30 searches and confiscated mobile phones, SIM cards, and computer equipment used to carry out the activities.

Criminal proceedings have been initiated against the perpetrators, who may face a maximum sentence of up to 12 years in prison.

20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison
28.3.23  Crime  The Hacker News
Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud.

If proven guilty, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023.

"Cybercrime victimizes and steals financial and personal information from millions of innocent people," said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. "This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice."

The development comes days after Baphomet, the individual who had taken over the responsibilities of BreachForums, shut down the website, citing concerns that law enforcement may have obtained access to its backend. The Department of Justice (DoJ) has since confirmed that it conducted a disruption operation that caused the illicit criminal platform to go offline.

BreachForums, per Fitzpatrick, was created in March 2022 to fill the void left by RaidForums, which was taken down a month before as part of an international law enforcement operation.

It served as a marketplace for trading hacked or stolen data, including bank account information, Social Security numbers, hacking tools, and databases containing personally identifying information (PII).

In new court documents released on March 24, 2023, it has come to light that undercover agents working for the U.S. Federal Bureau of Investigation (FBI) purchased five sets of data offered for sale, with Fitzpatrick acting as a middleman to complete the transactions.

Fitzpatrick's links to pompompurin came from nine IP addresses associated with telecom service provider Verizon that he used to access the account on RaidForums and a major OPSEC failure on the defendant's part.

"The RaidForums records also contained [...] communication between pompompurin and omnipotent [the RaidForums administrator] on or about November 28, 2020, in which pompompurin specifically mentions to omnipotent that he had searched for the email address conorfitzpatrick02@gmail.com and name 'conorfitzpatrick' within a database of breached data from 'Ai.type,'" according to the affidavit.

It's worth noting that the Android keyboard app Ai.type suffered a data breach in December 2017, leading to the accidental leak of emails, phone numbers, and locations pertaining to 31 million users.

Further data obtained from Google showed that Fitzpatrick registered a new Google account with the email address conorfitzpatrick2002@gmail.com in May 2019 to replace conorfitzpatrick02@gmail.com, which was closed around April 2020.

What's more, a search for conorfitzpatrick02@gmail.com on the data breach notification service Have I Been Pwned (HIBP) corroborates the fact the old email address was indeed exposed in the Ai.type breach.

"The recovery email address for conorfitzpatrick2002@gmail.com was funmc59tm@gmail.com," the affidavit reads. "Subscriber records for this account reveal that the account was registered under the name 'a a,' and created on or about December 28, 2018 from the IP address 74.101.151.4."

"Records received from Verizon, in turn, revealed that IP address 74.101.151.4 was registered to a customer with the last name Fitzpatrick at [a residence located on Union Avenue in Peekskill, New York]."

The investigation also turned up evidence of Fitzpatrick logging into various virtual private network (VPN) providers from September 2021 to May 2022 to obscure his true location and connect to different accounts, including the Google Account linked to conorfitzpatrick2002@gmail.com.

One of those masked IP addresses was further used to sign in to a Zoom account under the name of "pompompurin" with an e-mail address of pompompurin@riseup.net, records obtained by the FBI from Zoom reveal. Interestingly, Fitzpatrick is said to have used the pompompurin@riseup.net email address to register on RaidForums.

Also unearthed by the agency is a Purse.io cryptocurrency account that was registered with the email address conorfitzpatrick2002@gmail.com and "was funded exclusively by a Bitcoin address that pompompurin had discussed in posts on RaidForums." Records from Purse.io showed that the account was used to purchase "several items" and ship them to his address in Peekskill.

On top of that, the FBI secured a warrant to get his real-time cell phone GPS location from Verizon, allowing the authorities to determine that he was logged in to BreachForums while his phone's physical location showed he was at his home.

But that's not all. In yet another OPSEC error, Fitzpatrick made the mistake of logging into BreachForums on June 27, 2022, without using a VPN service or the TOR browser, thereby exposing the real IP address (69.115.201.194).

Based on data received from Apple, the same IP address was used to access the iCloud account about 97 times between May 19, 2022, and June 2, 2022.

"Fitzpatrick has used the same VPNs and IP addresses to log into the email account conorfitzpatrick2002@gmail.com, the Conor Fitzpatrick Purse.io account, the pompompurin account on RaidForums, and the pompompurin account on BreachForums, among other accounts," FBI's John Longmire said.

In the aftermath of the release of the affidavit, Baphomet said "you shouldn't trust anyone to handle your own OPSEC," adding "I never made this assumption as an admin, and no one else should have either."

U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals
28.3.23  Crime  The Hacker News
DDoS-For-Hire Sites
In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground.

"All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks," the law enforcement agency said.

"However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators."

The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

DDoS-for-hire (aka "Booter" or "Stresser") services rent out access to a network of infected devices to other criminal actors seeking to launch distributed denial-of-service (DDoS) attacks against websites and force them offline.

Such illegal platforms offer a range of membership options, charging their clientele anywhere between $10 to $2,500 per month.

"Their ease of access means these tools and services have made it easier for people with low level cyber skills to commit offences," the NCA noted back in December 2022, when a coordinated exercise led to the dismantling of 48 booter sites.

The NCA said it will not reveal the number of sites it's operating so that individuals who plan on using such services in the future will have to consider if it's worth the risk.

"Booter services are a key enabler of cyber crime," Alan Merrett, a member of the NCA's National Cyber Crime Unit, said in a statement.

"The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease."

This is not the first time law enforcement agencies have stealthily operated fake services to combat criminal activity in the digital sphere.

In June 2021, the U.S. Federal Bureau of Investigation (FBI) and Australian Federal Police (AFP) revealed that they ran an encrypted chat service called ANoM for nearly three years to intercept 27 million messages exchanged between criminal gang members globally.

BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum
22.3.23  Crime  The Hacker News
In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end."

"You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram channel.

The shutdown is suspected to have been prompted by suspicions that law enforcement may have obtained access to the site's configurations, source code, and information about the forum's users.

The development follows the arrest of its administrator Conor Brian Fitzpatrick (aka "pompompurin"), who has been charged with a single count of conspiracy to commit access device fraud.

Over the past few months, BreachForums filled the void left by RaidForums last year, becoming a lucrative destination to purchase and sell stolen databases from various companies and organizations.

BreachForums
But with the shuttering of BreachForums, the move could spur cybercriminals to migrate to underground forums to peddle their warez.

The development also comes as Telegram continues to be a hub for cybercrime activities, facilitating the sale of malware, personal and corporate data dumps, and other illicit goods such as counterfeits and drugs.

"Threat actors will likely continue to have an appetite for breached databases, and it remains to be seen if this can be through an alternative venue, or requires a new forum entirely," cybersecurity firm Flashpoint said.

Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York
18.3.23  Crime  The Hacker News
BreachForums
U.S. law enforcement authorities have arrested a New York man in connection with running the infamous BreachForums hacking forum under the online alias "Pompompurin."

The development, first reported by Bloomberg Law, comes after News 12 Westchester, earlier this week, said that federal investigators "spent hours inside and outside of a home in Peekskill."

"At one point, investigators were seen removing several bags of evidence from the house," the New York-based local news service added.

According to an affidavit filed by the Federal Bureau of Investigation (FBI), the suspect identified himself as Conor Brian Fitzpatrick and that he admitted to being the owner of the BreachForums website.

"When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias 'pompompurin,' and c) he was the owner and administrator of 'BreachForums,'" FBI Special Agent, John Longmire, said.

Fitzpatrick has been charged with one count of conspiracy to solicit individuals with the purpose of selling unauthorized access devices.

The defendant was released a day later on a $300,000 bond signed by his parents and is scheduled to appear before the District Court for the Eastern District of Virginia on March 24, 2023.

Besides being barred from obtaining a passport or other international travel document, Fitzpatrick has been restricted from contacting his co-conspirators and using a narcotic drug or other controlled substances unless prescribed by a licensed medical practitioner.

BreachForums emerged last year three weeks after a coordinated law enforcement operation seized control of RaidForums in March 2022.

"In the threat actor's welcoming thread, 'pompompurin' stated that they had created BreachForums as an alternative to RaidForums but that it was 'not affiliated with RaidForums in any capacity,'" cybersecurity firm Flashpoint said at the time.


The forum has since attracted notoriety for hosting stolen databases belonging to several companies, often including sensitive personal information.

In the wake of Fitzpatrick's arrest, another forum user named Baphomet said they were taking ownership of the website, noting that there is no evidence of "access or modifications to Breached infra."

"My only response to [law enforcement], or any media outlet is that I have no concerns for myself at the moment," Baphomet said in the announcement. "OPSEC has been my focus from day one, and thankfully I don't think any mountain lions will be attacking me in my little fishing boat."

The development comes as the Cyber Police of Ukraine announced the arrest of a 25-year-old developer who created a remote access trojan that infected over 10,000 computers under the guise of gaming apps.

Brazil seizing Flipper Zero shipments to prevent use in crime
12.3.23  Crime  Bleepingcomputer 
The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment.

Flipper Zero is a portable multi-function cybersecurity tool that allows pentesters and hacking enthusiasts to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more.

Since it was released, security researchers have demonstrated Flipper Zero's features on social media, showing how it can trigger doorbells, perform replay attacks to open garage doors and unlock cars, and be used as a digital key.

Brazil requiring certification
Multiple people in Brazil who purchased the Flipper Zero hacking tool have reported that their shipments are being redirected to Brazil's telecommunications agency, Anatel, due to a lack of certification with the country's Radio Frequencies department.

This type of seizure is usually associated with compliance with the country's electronic and telecommunications standards for devices emitting radio signals.

Because Flipper Devices INC is not certified in Brazil according to this standard, it's not allowed to circulate freely in the Brazilian market.

Flipper Zero shippment seized by Anatel
Source: Reddit
However, as the Electronic Frontier Foundation (EFF) explains in a recent report and from emails seen by BleepingComputer, the Anatel agency has flagged the device as a tool used for criminal purposes, making its clearance complicated and preventing it from reaching its final destination.

Flipper Zero has gained a reputation from users who showcased its hacking capabilities on social media to perform illegal activities such as unlocking cars, changing gas pump prices, intercepting and storing remote control signals, opening garage doors, and more.

Although the device does not use hardware that is illegal or impossible to find elsewhere, its market success fueled a wave of negative media attention that portrayed it as a risk to society.

The unexpected interceptions of the $169 portable multi-functional tool created for pen-testers and hacking enthusiasts began at the start of the year and are still ensuing.

Buyers from Brazil have been exchanging advice on Reddit in the past couple of months, trying to get their items cleared by Anatel.

A user has posted analytical instructions on applying to Anatel for a personal homologation certificate for Flipper Zero, which should make it usable by the buyer, albeit preventing resells to others in Brazil.

However, many buyers report that the agency has rejected this certification procedure because Flipper Zero is allegedly being used to facilitate crime.

"Anatel's certification area informs that the equipment called FLIPPER ZERO has been used in the country by malicious users in facilitating a crime or criminal misdemeanor and, as provided for in item II of Art. 60 of the Regulation for Conformity Assessment and Homologation of Telecommunications Products (annex to Resolution No. 715, of October 23, 2019), Anatel has rejected all homologation requests for the product in question, in order to collaborate in the protection of Brazilian citizens against criminal actions," reads a letter received by Flipper Zero customers in Brazil.

Anatel concludes the message by saying that the item will be sent back to the post office with the suggestion to return it to the sender.

Anatel rejecting a certification request
Anatel rejecting a certification request
(HiroshiSakamoto1)
EFF argues that the Brazilian authorities outright banning Flipper Zero in the country will limit the security researchers' access to powerful portable cybersecurity tools, harming their work and negatively impacting the field.

"The Flipper Zero has clear uses: penetration testing to facilitate hardening of a home network or organizational infrastructure, hardware research, security research, protocol development, use by radio hobbyists, and many more," argues EFF.

"The creation, possession or distribution of tools related to security research should not be criminalized or otherwise restricted."

Those who purchased the devices from Joomf and have had their Flipper Zero seized have been told they would be reimbursed.

BleepingComputer has requested comment on the above from Anatel and FlipperZero, but we have not heard back by publication time.