The company, one of four finalists in this year's Black Hat USA Startup Spotlight competition, uses multi-agent system to build AI Digital Employees.

Startup Spotlight: Twine Security Tackles the Execution Gap

A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come…

A seller named Chucky\_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.

A threat actor using the name Chucky\_BF on a cybercrime and hacker forum is advertising what they claim to be a massive **PayPal** data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.

The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.

Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.

The description provided by Chucky\_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.

A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.

The way the data is put together is important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.

As for pricing, Chucky\_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.

If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.

Screenshot shows alleged PayPal data being sold on a hacker and cybercrime forum (Image credit: Hackread.com)

****Infostealer Logs as the Likely Source****

PayPal has never suffered a direct data breach in which attackers broke into its systems and stole millions of user records. Past incidents, including the one that **involved 35,000 users**, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.

This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of **infostealer malware** collecting login details from infected devices and bundling them together.

Additionally, the structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer **malware logs**. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.

The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single **PayPal-focused leak**.

PayPal itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks. Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.

Threat Actor Claims to Sell 15.8 Million Plain-Text PayPal Credentials

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in…

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in a sting operation combating internet crimes against children.

A high-ranking Israeli cybersecurity official was among eight men arrested in a major two-week undercover sting operation, according to a press release from the Las Vegas Metropolitan Police Department.

The operation, which targeted online users seeking to exploit children, was a joint effort by the Nevada Internet Crimes Against Children (ICAC) task force, the FBI’s Child Exploitation Task Force, and multiple local agencies, including the Henderson Police Department and Homeland Security Investigations.

The official has been identified as Tom Artiom Alexandrovich, 38. He was arrested alongside seven other suspects: David Wonnacott-Yahnke, 40; Jose Alberto Perez-Torres, 35; Aniket Brajeshkumar Sadani, 23; James Ramon Reddick, 23; Ramon Manuel Parra Valenzuela, 29; Neal Harrison Creecy, 46; and John Charles Duncan, 49. All eight men face felony charges of luring a child with a computer for a sex act.

A now-deleted LinkedIn profile under his name identified him as the executive director of the Israel Cyber Directorate, an Israeli government agency. At the time of his arrest, Alexandrovich was reportedly in Las Vegas for a major cybersecurity conference called Black Hat Briefings held from August 2-to-7, 2025, in Mandalay Bay, Las Vegas.

Tom Artiom Alexandrovich LinkedIn Profile (Source: X.com (@vxunderground))

A Post Likely from Tom Artiom Alexandrovich after Black Hat Briefings (Source: @icu\_luci )

According to the press release, Alexandrovich was booked into the Henderson Detention Center following his arrest. It is worth noting that under Nevada law, luring a child with a computer for a sex act can carry a prison sentence of one to ten years.

However, the incident has caused some confusion due to conflicting reports from the US and Israeli officials. While the LVMPD confirmed that all eight suspects were arrested and booked, Israel’s Prime Minister’s office has stated that the employee was not arrested but only questioned.

“A state employee who travelled to the US for professional matters was questioned by American authorities during his stay. The employee, who does not hold a diplomatic visa, was not arrested and returned to Israel as scheduled,” the prime minister’s office’s statement reads. Moreover, an Israeli news outlet, Ynet, reported that an employee of the Israel National Cyber Directorate had been questioned by US authorities and was back in his home country.

However, according to The Guardian’s report, Alexandrovich was charged with luring a child for a sex act but was later released and returned to Israel.

Nevertheless, the case shows the real dangers children face online and the ongoing work by law enforcement to protect them. It also shows why international cooperation and constant caution are necessary to bring offenders to justice.

Top Israeli Cybersecurity Official Arrested in US Child Exploitation Sting

Rotherham hacker Al-Tahery Al-Mashriky jailed for 20 months after global cyberattacks, stealing millions of logins and targeting government…

Rotherham hacker Al-Tahery Al-Mashriky jailed for 20 months after global cyberattacks, stealing millions of logins and targeting government websites.

When police knocked on the door of a home in Rotherham, South Yorkshire, in August 2022, they ended a hacking spree that had stretched across North America, the Middle East and Israel. The man behind it, 26-year-old Al-Tahery Al-Mashriky, had spent months hacking into websites and collecting the personal details of millions of unsuspecting people.

Al-Tahery Al-Mashriky (Mugshot via NCA)

Investigators say Al-Mashriky was linked by the UK’s National Crime Agency (NCA) to hacker groups known as the Spider Team and the Yemen Cyber Army. These groups are known for targeting government bodies, media outlets and public organisations while spreading political and ideological messages through cyber attacks.

A forensic examination of his seized laptop and phones revealed that Al-Mashriky hacked into the Yemen Ministry of Foreign Affairs, the Yemen Ministry of Security Media and an Israeli news website. In some cases, he defaced websites to spread his political messages.

In 2015, Hackread.com reported that the Yemen Cyber Army had hacked the official website of the Saudi Ministry of Foreign Affairs, defaced it, stole data and leaked the information online.

Defaced Saudi site shows the political message left by the hacker (GIF credit: Hackread.com)

According to NCA’s press release, Al-Mashriky was a “Serial hacker” looking for fame. On one cybercrime forum, Al-Mashriky bragged that he had compromised more than 3,000 websites in just three months.

He also leaked data, and one of the leaks contained stolen data belonging to over four million Facebook users, as well as login details for services including Netflix and PayPal, all of which could have been used for fraud.

The attacks did not stop at Middle Eastern or Israeli targets. Evidence showed he also compromised faith-based websites in Canada and the United States, as well as the California State Water Board, causing disruption that forced victims into expensive recovery efforts.

Sites defaced by the hacker (Image credit: Hackread.com)

Al-Mashriky pleaded guilty to nine counts under the Computer Misuse Act and on 15 August was sentenced to 20 months in prison.

Paul Foster, deputy director of the NCA’s National Cyber Crime Unit, said the case highlights the human cost behind cybercrime. “Al-Mashriky’s attacks crippled the websites targeted, causing significant disruption to their users and the organisations, just so that he could push the political and ideological views of the Yemen Cyber Army. He had also stolen personal data that could have enabled him to target and defraud millions of people.”

****Cybercrime and The United Kingdom****

Cybercrime linked to the United Kingdom has escalated in recent months. In July, four suspects were arrested from homes across London, Staffordshire and the West Midlands. The group included two 19-year-old men, a 17-year-old boy and a 20-year-old woman.

Prosecutors say they were behind large-scale attacks on major retailers including M&S, Co-op and Harrods. The incident involving M&S alone is reported to have caused around £300 million in damages.

In September 2024, John Andreas Wik, 37, from Beckenham, was arrested after hijacking free public WiFi networks at train stations across the UK to display offensive Islamophobic messages. In July 2025, he was handed a 24-month prison sentence, suspended for two years, which means he will not serve time in jail unless he commits another offence during that period.

“Serial Hacker” Sentenced to 20 Months in UK Prison

CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of…

CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of victims. The operation’s secrets were revealed when the scammers themselves were compromised.

Cybersecurity intelligence firm CloudSEK has uncovered a sophisticated, family-run multi-million-dollar cybercrime operation based out of Pakistan. CloudSEK’s TRIAD team’s investigation revealed a syndicate that’s been active for at least five years.

Reportedly, the group’s primary strategy was to exploit people looking for free, pirated software. They used SEO poisoning and forum spam to post links on legitimate online communities and search engines that led to malicious websites.

Here’s an example from the official HONOR UK community forum here a post titled “Adobe After Effects Crack Free Download Full Version 2024” was used as a lure.

And, another one:

Image via CloudSEK

These sites tricked users into downloading popular cracked software like Adobe After Effects, but in reality, they were installing dangerous infostealer malware, including strains like Lumma, AMOS and Meta. It also stole personal data, from passwords and browser information to cryptocurrency wallet details.

****$4.67 Million in Revenue****

The scale of the operation is large. The report reveals that the network generated over 449 million clicks and more than 1.88 million malware installs. This immense volume brought in an estimated lifetime revenue of at least $4.67 million. CloudSEK estimates the network may have impacted over 10 million victims globally, as stolen data was sold for about $0.47 per credential.

The investigation also explains the group’s internal structure, which was based on two interconnected Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia/Installstera. These systems managed a vast network of 5,239 affiliates, who were paid for each successful malware installation.

Moreover, CloudSEK found that while the operators were based in Pakistan’s Bahawalpur and Faisalabad, their victims were located worldwide. A key finding was the operators’ use of traditional financial services like Payoneer for payments, which is a rare move for a group of this nature. Also, operators shared the same last name, suggesting the criminal enterprise was a multi-generational effort.

****Hackers Caught by Their Own Malware****

A critical turning point in the investigation happened by chance. The operators were ironically infected by their own malware, which allowed CloudSEK’s team to access their private logs.

These logs contained a trove of information, including financial records, internal communications, and admin credentials, which provided the detailed evidence needed to expose the entire network.

> _“The breakthrough in the investigation came ironically: the threat actors themselves were compromised by infostealer malware. The exfiltrated logs from their own machines provided unprecedented insight into their identities, command structure, infrastructure, communications, and finances, ultimately leading to their unmasking.”_
> 
> _“Four principal operators—M\*\* H, M S, Z I, and N I/H/A\* along with S\* H\*\*\* – are identified as key figures in this multiactor network.”_
> 
> CloudSEK

The report goes on to show how these groups are using everyday marketing tactics and even legitimate financial services to carry out their illegal activities in plain sight. Therefore, user awareness is crucial.  Please avoid downloading cracked software, as it remains an easily exploitable avenue for cybercriminals.

Scammers Compromised by Own Malware, Expose $4.67M Operation

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure.
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

Plus: ICE agents accidentally add a random person to a sensitive group chat, Norwegian intelligence blames the Kremlin for hacking a dam, and new facial recognition vans roam the UK.

WIRED copublished an investigation this week with The Markup and CalMatters showing that dozens of data brokers have been hiding their opt-out and personal-data-deletion tools from Google Search, making it harder for people to find and utilize them. The report prompted US senator Maggie Hassan to demand accountability from the companies. WIRED also took a deep dive looking at what the data-analysis giant Palantir actually does.

Reports this week that Russia was likely involved in, or entirely behind, the US Courts records system breach highlight both the stakes of the incident and information that federal investigators seem to still be lacking about what exactly happened. New research is shedding light on the inner workings of the multimillion-dollar gray market for video game cheats. And we've got advice on how to protect yourself against portable point-of-sale scams that can steal your credit card data or other information. Plus, researchers at the Defcon security conference in Las Vegas last week provided open source instructions for how to build your own quantum sensor at low cost—complete with a special, crucial diamond.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Russia Limits Secure Calling on WhatsApp and Telegram**

Russia started blocking WhatsApp and Telegram calls this week, saying that the encryption schemes the communication platforms use to protect customer calls from interception violate information-sharing requirements between tech companies and the government. The platforms have close to 100 million users each in Russia, according to Al Jazeera and Mediascope. The Kremlin has spent years expanding its mechanisms for internet censorship and control, often under the guise of national security and law enforcement.

A WhatsApp spokesperson told WIRED in a statement that “WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people.”

Reuters reports that Telegram told Russia's RBC Daily that it takes steps to address criminal behavior on its platform, including deploying moderators equipped with AI tools to monitor public discourse and communications on the platform that are not end-to-end encrypted. Telegram said it takes down millions of malicious messages each day.

**US ICE Agents Mistakenly Add Random Civilian to Highly Sensitive Group Chat**

ICE agents inadvertently added a random person to a group chat named “Mass Text,” exposing sensitive discussions including details about a manhunt for a convicted attempted murderer who apparently had been flagged for deportation. The person who was added to the group chat “is not a law enforcement official or associated with the investigation in any way,” according to 404 Media, and “initially thought it was a series of spam messages” after being added to the chat weeks ago.

Messages reportedly included the ICE Field Operations Worksheet for the case, which contains detailed information about the target, as well as communications in which ICE agents appeared to be accessing data from a DMV and license plate readers. The breach is reminiscent of so-called SignalGate, another recent situation in which senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a Signal group chat created to plan US air strikes against Houthi rebels in Yemen.

**Norwegian Intelligence Chief Says Russian Hackers Were Behind Dam Cyberattack**

The head of Norway's security police service, Beate Gangås, said this week that it was Russian hackers who targeted a dam in Norway in April and released millions of gallons of water during the four hours that they had control. The Russian embassy denied the allegations in comments to Reuters. Gangås accused Russia of perpetrating the hack in a speech on Thursday, according to Norwegian media.

**English Police Forces Will Have Access to a New Fleet of Facial Recognition Vans**

Police in England will have more access to facial recognition tools. Ministers announced this week that law enforcement will deploy 10 live facial recognition vans around the country that will be used by seven police forces to aid in investigations related to “sex offenders or people wanted for the most serious crimes,” according to Home Secretary Yvette Cooper. Police have increasingly turned to facial recognition in the United Kingdom in recent years, but the vans will represent an additional expansion in England.

Russia Is Cracking Down on End-to-End Encrypted Calls

The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger

Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

RealDefense Opens $10M Fund to Help OEMs Monetize Installs With SmartScan Cybersecurity SDK

While several cybercrime groups have embraced "EDR killers," researchers say the deep knowledge and technical skills demonstrated by Crypto24 signify a dangerous escalation.

Latest News