Federal authorities seized 127,271 Bitcoin worth $15 billion from Chen Zhi, alleged leader of a massive cybercrime network operating from Cambodia. The 38-year-old UK-Cambodian national built the Prince Group empire since 2015, running scam compounds across 30+ countries that relied on human trafficking and forced labor.

Chen faces up to 40 years in prison but remains at large. His network scammed over 250 people in New York alone out of millions. The U.S. and UK imposed coordinated sanctions on 146 people and organizations linked to Prince Group, while severing Cambodia's Huione Group from the U.S. financial system for laundering $4 billion in illicit proceeds.

Source: CyberScoop

Cybercriminals are targeting macOS users through fake Homebrew package manager websites that look identical to the real thing. The attackers created convincing replicas of brew.sh using domains like homebrewfaq.org and homebrewclubs.org.

When users visit these spoofed sites to install Homebrew, hidden JavaScript code manipulates their clipboard without permission. Instead of copying just the legitimate installation command, the fake "Copy" button secretly adds malicious code that downloads additional payloads from attacker-controlled servers.

The scam is particularly clever because it runs malicious commands in the background while the real Homebrew installation proceeds normally, making detection difficult. This represents a new twist on supply chain attacks by targeting the installation process rather than compromising official repositories.

Source: Cybersecurity News

Hackers calling themselves Scattered Lapsus$ Hunters have leaked personal details of over 5 million Qantas customers on the dark web after the airline refused to pay ransom demands. The stolen data includes names, email addresses, frequent flyer numbers, and in some cases home addresses, phone numbers, and even meal preferences.

The hackers gained access by calling Qantas call centers in June, pretending to be IT support staff and tricking employees into giving them access to customer service systems. Federal politicians were among those whose home addresses were exposed.

While no credit card details or passwords were stolen, authorities warn of increased scam attempts. Customers should hang up on unexpected calls claiming to be from Qantas and verify contact through official channels ending in qantas.com or qantas.com.au.

Source: The Guardian

Cybercriminals are using a clever new approach called "Beamglea" to phish credentials from industrial and electronics companies. Instead of injecting malicious code into NPM packages, they're abusing the legitimate unpkg.com CDN service to host phishing pages.

The attackers created 175 fake packages with names like "redirect-[random6chars]" that redirect victims to credential-stealing sites. They've targeted over 135 organizations including ArcelorMittal, D-Link, and ThyssenKrupp Nucera, generating 630+ HTML files disguised as purchase orders and technical documents.

Using automated Python tools, hackers customize attacks for each victim, pre-filling email addresses to make phishing pages appear legitimate. The campaign has accumulated 26,000 downloads, though many come from security researchers analyzing the threat.

Source: Security Week

AT&T is settling two massive data breaches for $177 million after hackers exposed personal information of over 170 million customers. The first breach in 2019 leaked Social Security numbers, birth dates, and names of 73 million people, while a 2024 hack accessed phone records of 109 million customers through AT&T's cloud provider Snowflake.

Customers affected by the 2019 breach can claim up to $5,000 with documented losses, or receive tiered payments based on whether their SSN was compromised. Those hit by the 2024 breach can get up to $2,500 with proof of losses, or share the remaining settlement funds equally.

The deadline to file claims is November 18, 2025. Customers affected by both breaches can file separate claims for each incident.

Source: CNET

Security researchers at InfoGuard Labs discovered serious vulnerabilities in Microsoft Defender for Endpoint that allow attackers to bypass authentication and manipulate security responses. The flaws let hackers intercept commands between Defender agents and Microsoft's cloud services using easily obtainable machine and tenant IDs from the Windows registry.

Attackers can spoof isolation commands, making infected devices appear secured in Microsoft's portal while remaining compromised. They can also upload malicious files to investigation packages, potentially tricking security analysts into executing malware during incident reviews.

Reported to Microsoft in July 2025, the company classified these as low-severity issues with no confirmed fixes as of October 2025, despite researchers arguing they pose significant post-breach risks.

Source: Cybersecurity News

Hackers have released personal data from 5 million Qantas customers on the dark web after the airline refused to pay ransom demands. The cybercriminal group Scattered Lapsus$ Hunters leaked email addresses, phone numbers, birth dates, and frequent flyer numbers stolen from a Salesforce database in June.

The breach affects 44 companies globally, including Gap, Toyota, Disney, McDonald's, and Adidas, with up to 1 billion customer records compromised. While no credit card or passport details were included in the Qantas leak, experts warn criminals could use the information for identity theft and personalized phishing scams.

Qantas has established a 24/7 support line for affected customers and implemented additional security measures since the attack.

Source: The Guardian

Chinese threat group Storm-2603 has weaponized Velociraptor, a legitimate digital forensics tool, to launch stealthy ransomware attacks. Cisco Talos researchers discovered the group using this open-source incident response tool to deploy multiple ransomware variants—Warlock, LockBit, and Babuk—on VMware ESXi servers in August.

The hackers exploited an outdated version of Velociraptor with a privilege escalation vulnerability, allowing them to maintain persistent access while avoiding detection. This marks a concerning shift where cybercriminals repurpose security tools designed to protect organizations.

Sophos researchers first documented similar attacks in August, noting threat actors used Velociraptor to establish command-and-control communications. Security teams should audit their Velociraptor installations and monitor for unauthorized binaries to prevent this tool from being turned against them.

Source: Dark Reading

The Georgia Department of Human Services is notifying residents that their personal information may have been exposed after hackers gained unauthorized access to employee email accounts. The Georgia Technology Authority discovered the breach at their email services provider, which hosts DHS accounts containing confidential data.

While there's no evidence that information was actually viewed or misused, potentially exposed data includes names, Social Security numbers, driver's license numbers, medical details, and financial account information. DHS has secured the compromised accounts and launched an investigation.

The agency is mailing notifications to affected individuals and recommends monitoring credit reports and considering fraud alerts with major credit bureaus as a precaution.

Source: CBS News Atlanta

GreyNoise has uncovered a coordinated campaign targeting Cisco, Fortinet, and Palo Alto Networks devices, with attackers using IPs from the same subnets. The firm detected scanning attempts against Cisco ASA devices in September, weeks before two zero-day vulnerabilities were disclosed. These bugs, scoring up to 9.9 on the CVSS scale, were linked to China-based hackers in the ArcaneDoor espionage campaign.

Scanning activity against Palo Alto Networks firewalls spiked 500% over two days, involving 2,200 unique IPs and generating over 1.3 million login attempts. GreyNoise warns that similar spikes typically precede vulnerability disclosures within six weeks, with roughly 80% accuracy for major firewall and VPN vendors.

Source: Security Week