The company, one of four finalists in this year's Black Hat USA Startup Spotlight competition, uses multi-agent system to build AI Digital Employees.

Startup Spotlight: Twine Security Tackles the Execution Gap

The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT.
As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the

Malware / Social Engineering

The threat actor known as **Bloody Wolf** has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT.

As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the Prosecutor General's office of the Kyrgyz Republic. The attacks have targeted finance, government, and information technology (IT) sectors.

"Those threat actors would impersonate the \[Kyrgyzstan's\] Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT," the Singapore-headquartered company said.

"This combination of social engineering and accessible tooling allows Bloody Wolf to remain effective while keeping a low operational profile."

Bloody Wolf is the name assigned to a hacking group of unknown provenance that has used spear-phishing attacks to target entities in Kazakhstan and Russia using tools like STRRAT and NetSupport. The group is assessed to be active since at least late 2023.

The targeting of Kyrgyzstan and Uzbekistan using similar initial access techniques marks an expansion of the threat actor's operations in Central Asia, primarily impersonating trusted government ministries in phishing emails to distribute weaponized links or attachments.

The attack chains more or less follow the same approach in that the message recipients are tricked into clicking on links that download malicious Java archive (JAR) loader files along with instructions to install Java Runtime.

While the email claims the installation is necessary to view the documents, the reality is that it's used to execute the loader. Once launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that's under the attacker's control and set up persistence in three ways -

*   Creating a scheduled task
*   Adding a Windows Registry value
*   Dropping a batch script to the folder "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

The Uzbekistan phase of the campaign is notable for incorporating geofencing restrictions, thereby causing requests originating outside of the country to be redirected to the legitimate data.egov\[.\]uz website. Requests from within Uzbekistan have been found to trigger the download of the JAR file from an embedded link within the PDF attachment.

Group-IB said the JAR loaders observed in the campaigns are built with Java 8, which was released in March 2014. It's believed that the attackers are using a bespoke JAR generator or template to spawn these artifacts. The NetSupport RAT payload is a old version of NetSupport Manager from October 2013.

"Bloody Wolf has demonstrated how low-cost, commercially available tools can be weaponized into sophisticated, regionally targeted cyber operations," it said. "By exploiting trust in government institutions and leveraging simple JAR-based loaders, the group continues to maintain a strong foothold across the Central Asian threat landscape."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Bloody Wolf Expands Java-based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan

Scattered LAPSUS$ Hunters admin "Rey," allegedly a 15-year-old named Saif Khader from Jordan, has been named in a report linking him to the group. He denies the claim.

A 15‑year‑old in Jordan who goes by the handle “Rey” online has been allegedly identified as a key figure in the hacking crew Scattered Lapsus$ Hunters (SLH/SLSH), a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters. The supposed unmasking and the agreement to speak came earlier this week, after Rey allegedly contacted the reporter directly.

The claim surfaced after cybersecurity reporter KrebsOnSecurity allegedly traced Rey’s real‑world family details and reached out to someone believed to be his father, Zaid Khader, an airline pilot thought to work for Royal Jordanian Airlines. After that message was sent, the teen, whose name is allegedly Saif Al‑Din Khader and who turns 16 next month, got in touch. Saif is allegedly one of three administrators running the SLSH Telegram channel.

****The Clues that Pointed to Rey****

The hacker, who also used the name Hikki‑Chan in the past, allegedly made several simple mistakes that exposed identifying information. He was allegedly an administrator at BreachForums, a criminal marketplace taken down more than once by the FBI.

According to the report by Brian Krebs, Rey allegedly posted a screenshot that revealed his own password while using the Telegram name @wristmug. He also allegedly shared personal hints in a cybercrime channel called Jacuzzi, including that his father was a pilot.

A Telegram message by Rey (Source: KrebsOnSecurity)

Krebs’ investigation allegedly connected this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname Khader and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.

The SLSH group, a mix of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also allegedly tried to recruit company insiders, with one CrowdStrike employee fired after allegedly sending internal screenshots to SLSH.

The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.

Rey confirming the association with the surname (Source: KrebsOnSecurity)

****SLSH Dismisses Findings****

According to KrebsOnSecurity, Saif claimed he’s been trying to quit the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be prison time or whatever they’re gonna say,” the teen said.

In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to damage” their reputation.

The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different techniques.” They also accused the journalist of twisting Saif’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.

“We both know how badly this obsession is hurting you :).”

The post concluded with a stunning challenge: “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”

****Check out their full response:****

_"From what I can tell, Mr. Krebs, your "research" is nothing more than a desperate attempt to damage my reputation and a cheap way for you to show off.  
_  
_We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into an entire article.  
Congratulations, Krebs! You finally learned how to use Google.

1\. The individual in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as "o5tdev" (using completely different techniques) long after I began operating as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.

2\. When we spoke, you deliberately fired off questions without ever disclosing it was an "interview." You falsely implied I was connected to ShinySpider ransomware. Out of nowhere\_you asked, "Why are you still going with SLSH?" I answered that it's hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.

3\. You also asked if ShinySpider was AI-generated.. I said I didn't know and that the only thing i have done was simply sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are now completely different ransomware variants. Everyone knows you're just someone who recycles old garbage for a bit of attention.

4\. You structured your article to make it appear as though you contacted "the father" first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying "Hi, it's Saif!"  
You're probably wondering how I knew you were planning to "expose" me. Simple. It's the same way I know that person is not me, yet still related. Don't worry, Krebs, I know exactly who that Saif is.

5\. You're so intellectually dishonest that you're still trying to pin the "Sp1d3rHunters" persona from last year SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in five seconds that it wasn't me. So either you're incompetent and can't read your own evidence, or you knowingly pushed a lie. That IS called projection.

6\. You went out of your way to paint me as the "core" of SLSH when you know that's nonsense. Why didn't you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?

7\. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, etc. You explicitly claimed the person "Saif" was operating under the alias "o5tdev," defacing websites, probably via WordPress vulns. Does it make any sense that someone would turn from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?

We both know how badly this obsession is hurting you :)  
  
It's time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (hes retarded, anyways) and actually contributed to his arrest.

So here's my offer, Brian:

_  
_I'll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.  
_  
_I'll pay you 15 BTC if, thanks to your article, I ever get a knock on the door from local law enforcement for the things you accused me of."_

****Infostealer Connection****

Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity. According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.

Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an Infostealer infection that exposed previously used aliases on hacking forums.

That infection was linked to a Jordanian individual named Saif Khader. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.

Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey may have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level didn’t match the persona that went on to run ransomware and extortion operations. That contrast, he said, still surprises him.

Still, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:

1.  Rey continued operating publicly after being exposed even mocking the original KELA research online, before his account was banned.
2.  The infection dates back to January 2024, meaning law enforcement likely had months to act, but didn’t, despite Rey being one of the most active threat actors in recent memory.
3.  The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.

Despite this denial, William Wright, CEO of Closed Door Security, shared his views with Hackread.com, stating that this investigation is a “brilliant piece of investigative journalism.” He noted that while positive, “there will be a lot of concern among the general public around how a 15-year-old could cause so much damage to some of the biggest organisations in the UK.”

Wright cautioned that the reality is “not so simple,” adding: “Rey was collaborating with Russian threat actors, using their infrastructure to execute highly sophisticated attacks.” He concluded, “Rey claims to be working with law enforcement now, which is causing trouble across the Scattered Lapsus$ Hunter Telegram channel. This could lead to other members of the gang being identified, but Rey may get off lightly if he supports law enforcement enough.”

Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now.
The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at "login.microsoftonline[.]com" by only letting scripts from trusted Microsoft domains run.
"This update strengthens security and adds an extra

Web Security / Zero Trust

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now.

The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at "login.microsoftonline\[.\]com" by only letting scripts from trusted Microsoft domains run.

"This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience," the Windows maker said.

Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source. The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected.

The change, which has been described as a proactive measure, is part of Microsoft's Secure Future Initiative (SFI) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites. It's expected to be rolled out globally starting mid-to-late October 2026.

Microsoft is urging organizations to test their sign-in flows thoroughly ahead of time to ensure that there are no issues and the sign-in experience has no friction.

It's also advising customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. Those who follow this approach are recommended to switch to other tools that don't inject code.

To identify any CSP violations, users can go through a sign-in flow with the dev console open and access the browser's Console tool within the developer tools to check for errors that say "Refused to load the script" for going against the "script-src" and "nonce" directives.

Microsoft's SFI is a multi-year effort that seeks to put security above all else when designing new products and better prepare for the growing sophistication of cyber threats.

It was first launched in November 2023 and expanded in May 2024 following a report from the U.S. Cyber Safety Review Board (CSRB), which concluded that the company's "security culture was inadequate and requires an overhaul."

In its third progress report published this month, the tech giant said it has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures, and that the adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%.

Other notable changes enacted by Microsoft are as follows -

*   Enforced Mandatory MFA across all services, including for all Azure service users
*   Introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust
*   Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK)
*   Discontinued the use of Active Directory Federation Services (ADFS) in our productivity environment
*   Decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments
*   Advanced threat hunting by centrally tracking 98% of production infrastructure
*   Achieved complete network device inventory and mature asset lifecycle management
*   Almost entirely locked code signing to production identities
*   Published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties

"To align with Zero Trust principles, organizations should automate vulnerability detection, response, and remediation using integrated security tools and threat intelligence," Microsoft said. "Maintaining real-time visibility into security incidents across hybrid and cloud environments enables faster containment and recovery."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

Alisa Viejo, CA, USA, 27th November 2025, CyberNewsWire

**Alisa Viejo, CA, USA, November 27th, 2025, CyberNewsWire**

Gartner has recognized One Identity as a Visionary in the **2025 Gartner Magic Quadrant for Privileged Access Management (PAM)****.** 

In a rapidly transforming market, innovation and demonstrated performance continue to shape expectations. The placement as a Visionary reflects what the company observes across its customer and partner ecosystem, highlighting a collective emphasis on simplified security, accelerated adoption and intelligence-driven identity protection.

**Definition of the Visionary Classification**

> According to Gartner, Visionaries are “noted for their innovative approaches to PAM technologies, methodologies, and means of delivery.” 

Being named a Visionary validates their strategy – blending **AI-driven administration****,** flexible deployment and customer-first design – as we continue building the next era of privileged access management. They believe the focus on streamlined innovation, automation and value is exactly what modern organizations demand. 

**Analyst Observations on One Identity Safeguard for PAM**

One Identity has seen analyst support for several key strengths across the **One Identity Safeguard** and **Cloud PAM Essentials** portfolio: 

*   **Product excellence:** The products received among the highest scores for privileged session management and PEDM for UNIX/Linux and macOS, confirming the depth and reliability of our core platform. 
*   **Customer experience:** Praised for ease of use, intuitive UI, deployment simplicity, and management features, backed by responsive, multi-tier support. 
*   **AI-driven innovation:** With Azure AI-powered natural-language search and AI-assisted configuration, we’re helping security teams move faster, respond smarter and simplify at scale. 
*   **Pricing & value:** Although some of the top PAM solutions are seen as costly, One Identity was recognized specifically for below the market average pricing, particularly for SaaS offerings – delivering enterprise-grade security at exceptional value. 

These strengths extend beyond functional capabilities and reflect how customer feedback influences development priorities, including usability and affordability.

Visionary recognition also reflects the company’s current trajectory, indicating external validation of a path oriented toward leadership and sustained advancement.

**Key Innovations in One Identity Safeguard for Modern PAM**

To meet the pace of identity-driven enterprises, PAM continues to transition from static control to adaptive intelligence. The following seven innovations remain central to modern privileged access management and illustrate how One Identity Safeguard supports evolving requirements:

**Unified, comprehensive PAM**

Enhanced control over privileged access with integrated password vaulting, session recording, and analytics – all within the One Identity Safeguard platform. 

**Flexible deployment**

Expanded support for cloud, on-prem, and hybrid models with scalable, cost-efficient licensing. 

**Streamlined implementation**

Simplified setup through automation tools and cloud-ready configurations that reduce time-to-value. 

**Improved usability**

One Identity Safeguard has a modernized UI, with ease of use, smoother workflows, and in-product help minimizes complexity and training needs. 

**Consistent, top-notch support**

Standardized professional services and strong implementation guidance ensure excellence everywhere. 

**AI-powered administration and documentation**

Contextual in-product guidance and intelligent search deliver faster answers, fewer support tickets and smarter administration. 

**Continuous optimization**

Agile, customer-driven updates in our solutions enhance speed, usability and value across releases. 

**Outlook for Privileged Access Management**

As organizations secure both human and machine identities, the future of PAM demands clarity, automation and intelligence. 

One Identity is uniquely positioned to deliver all three – helping customers protect privileged access, simplify operations and accelerate digital transformation with confidence. 

The 2025 Gartner Magic Quadrant for Privileged Access Management outlines how vision, innovation and customer success continue to influence the evolution of privileged access.

**About One Identity**

One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications, and data essential to business. Their Unified Identity Security Platform encompasses a variety of identity access and management tools, including AI-driven security solutions. One Identity brings together the 4 pillars of IAM: Identity Governance and Administration (IGA), Access Management (AM), Privileged Access Management (PAM), and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.

Users can find more information here: https://www.oneidentity.com

**Contact**

**Global Corporate Communications**  
**Liberty Pike**  
**One Identity LLC**  
**\[email protected\]**

One Identity Safeguard Named a Visionary in the 2025 Gartner Magic Quadrant for PAM

A ransomware attack against the CodeRED emergency alert platform has triggered warnings across the US.

A nationwide cyberattack against the OnSolve CodeRED emergency notifications system has prompted cities and counties across the US to warn residents and advise them to change their passwords.

CodeRED is used by local governments to deliver fast, targeted alerts during severe weather, evacuations, missing persons, and other urgent events. Both the data breach and the service outage have serious implications for communities.

The OnSolve CodeRED system is a cloud-based platform used by city, county, and state agencies to send emergency alerts via voice calls, SMS, email, mobile app notifications, and national alerting systems. Because of the incident, some regions temporarily lost access to the system and had to rely on social media or other methods to reach the public.

To avoid confusion: CodeRED is not the same as the Emergency Alert System (EAS), which is the federal government-managed emergency notifications system. The CodeRED emergency notification system is a voluntary program where residents can sign up to receive notifications and emergency alerts affecting the city they live in.

**What’s happened?**

Among the many affected municipalities, the City of Cambridge’s Emergency Communications, Police, and Fire Departments issued an alert urging users to change their passwords, especially if they reused the same password elsewhere. Similar advisories have been published by towns and counties in multiple states as the scale of the attack became clear.

The City of University Park, Texas, also warned residents:

> “As a precaution, we want to make residents aware of a recent cybersecurity incident involving the City’s third-party emergency alert system, CodeRED. We were notified that a cybercriminal group targeted the system, which caused disruption and may have compromised some user data. This incident did not affect any City systems or services and remains isolated to the CodeRED software.”

The cause is reportedly a ransomware attack claimed by the INC Ransom group. The group posted screenshots that appear to show stolen customer data, including email addresses and associated clear-text passwords.

The INC Ransom group also published part of the alleged ransom negotiation, suggesting that Crisis24 (the provider behind CodeRED) initially offered $100,000, later increasing the offer to $150,000, which INC rejected.

The incident forced Crisis24 to shut down its legacy environment and rebuild the system in a new, isolated infrastructure. Some regions, such as Douglas County, Colorado, have terminated their CodeRED contracts following the outage.

****Why this matters****

Cyberattacks happen, and data breaches are not always preventable. But storing your subscriber database—including passwords in clear text—seems rather careless. Providers should assume people reuse passwords, especially for accounts they don’t view as very sensitive.

Not that ransomware groups care, of course, but systems like CodeRED genuinely saves lives. When that system goes down or cannot be trusted, communities may miss evacuation orders, severe weather warnings, or active-shooter alerts when minutes matter.

Users are now being told to change their passwords, sometimes across multiple websites. But has everyone been notified? And even if they have, will they actually take action?

**Protecting yourself after a data breach**

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for impersonators.** The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

 Millions at risk after nationwide CodeRED alert system outage and data breach 

Cronos launches x402 PayTech Hackathon with $42K prize pool to drive AI-powered on-chain payments using agent tech and Crypto.com tools.

Cronos has launched the x402 PayTech Hackathon, a global challenge with $42,000 in prizes aimed at pushing forward the future of AI-integrated blockchain payments. Developers worldwide are invited to build tools and applications using agent-based payment tech, the Crypto.com AI Agent SDK and the latest infrastructure upgrades across the Cronos and Crypto.com ecosystem.

This new initiative lines up with Cronos’ long-term plan to serve as a foundation for institutional tokenisation and AI-driven finance. The network has seen major technical improvements recently, including a tenfold drop in gas fees, a 400% jump in daily transaction volume, and faster block times now clocking in at under one second. These changes position Cronos as a strong platform for building high-performance AI-native applications.

Participants will be encouraged to experiment with automated transaction flows, smart wallet behaviour powered by AI, real-world asset integrations and developer tools that support agentic logic. With full access to the Cronos and Crypto.com infrastructure, developers can create solutions that bridge traditional finance and decentralised protocols, potentially reaching millions of users worldwide.

Registration opens today on DoraHacks, with the build phase set to run from early December through late January.

“This hackathon is a testing ground for what happens when AI agents can not only process data but also move value,” said Mirko Zhao, Head of Cronos Labs. “Thanks to our recent upgrades and new developer frameworks, teams now have the tools they need to bring real AI-native applications to life. We’re excited to see what comes out of it.”

Developers who participate will gain access to workshops, live office hours, technical documentation and a growing resource library covering everything from the Cronos EVM to x402’s programmable payments. Top teams may also be selected for further support after the hackathon, including grants, incubation and collaboration within the Cronos ecosystem.

****About Cronos Labs****

Cronos is a blockchain platform backed by Crypto.com and supported by over 500 contributing developers and partners. It serves more than 150 million users and is focused on building DeFi infrastructure that makes tokenised assets more accessible, secure and scalable.

The Cronos ecosystem spans three networks:

*   **Cronos EVM**: An Ethereum-compatible chain built with the Cosmos SDK
*   **Cronos POS**: A Cosmos-based network optimised for payments and NFTs
*   **Cronos zkEVM**: A high-speed Ethereum Layer 2 secured by zero-knowledge proofs.

With more than $6 billion in user assets and over 100 million transactions processed, Cronos ranks among the top 15 blockchain ecosystems. Transaction fees on the network are paid using $CRO, its native token.

Cronos Labs, the accelerator arm of the project, focuses on supporting early-stage projects in DeFi, GameFi and AI development.

Learn more at cronos.org or follow @cronos\_chain on X.

Cronos Kicks Off $42K Global Hackathon Focused on AI-Powered On-Chain Payments

Scammers are stepping up their game for the holidays, impersonating brands to trick people into handing over their accounts.

The FBI has issued a public service announcement warning about a surge in account takeover (ATO) fraud, and the timing lines up with a major alert Amazon has just sent to its 300 million customers about brand impersonation scams.

**How ATO fraud works**

Account takeover fraud is just what it says: Scammers figure out a way to hijack your account and use it for their own gain. It affects everything from email and social media to retailer, travel, and banking accounts. Criminals use plenty of tactics, including malware on your computer or phone, or “credential stuffing,” where they try compromised passwords across lots of sites.

The FBI’s new alert focuses on attackers who impersonate customer support or tech support from your bank. Amazon’s warning describes almost identical techniques, but aimed at Amazon shoppers instead of banking customers.

Attackers send texts, emails and make phone calls designed to fool you into giving away your username and password, and even your multi-factor authentication (MFA) codes. Once they’re in the account, scammers quickly reset passwords or other access controls, locking you out of your own account.

****Fake websites, fake alerts, and fake customer support****

The FBI highlights another technique used for similar purposes: website-based phishing. The scammer will direct you to a fake site that looks just like your bank’s login page. The moment you enter your details, the criminals steal them and use them on the real banking site.

Amazon says the same thing is happening to its customers. In a warning email sent November 24, it listed the attacks it is seeing most often:

*   Fake delivery notices or account-issue messages
*   Third-party ads offering unbelievable deals
*   Messages via unofficial channels requesting login or payment information
*   Links to look-alike websites
*   Unsolicited “Amazon support” phone calls

One of the FBI’s examples mirrors this almost exactly: Attackers claim there has been fraudulent activity on your account and urge you to click a link to “fix” it, but it sends you straight to a phishing site.

**How do the scammers get you to these sites?**

Search engine optimization (SEO) poisoning is one common technique, the FBI says. Scammers buy ads with search engines that direct users to their malicious sites. Many mimic household names with tiny variations that are easy to miss when you’re in a hurry.

Amazon’s warning is backed up by research from FortiGuard Labs, which found that 19,000+ new domains set up to imitate major retail brands. 2,900 of those were proven to be malicious.

This wave of impersonation attacks isn’t limited to search ads and look-alike domains. Researchers have also uncovered a system called Matrix Push C2 that abuses browser push notifications to deliver fake alerts designed to look like they’re from trusted brands such as Netflix, PayPal, and Cloudflare. Once clicked, those alerts lead victims to phishing pages or malware, giving attackers yet another path to steal login details or take over accounts.

**A growing epidemic**

This type of fraud is on the rise. According to TransUnion, digital account takeover climbed 21% from H1 2024 to H1 2025, and 141% since H1 2021. It’s big business; the FBI has received over 5,100 complaints since January, and says that losses have hit $262 million.

This is a popular time for scammers to ramp up ATO fraud. Amazon’s alert comes at one of the busiest online shopping periods of the year—Black Friday and the run-up to the holidays.

And while MFA is important, it doesn’t always save you. Proofpoint found that 65% of compromised accounts had MFA enabled. But if you give up your secrets to a scammer, they have the keys to the kingdom.

Passwordless options such as passkeys promise better security because then there’s no MFA code to give up (you just use biometric access or click on a browser prompt to log in). However, those are still relatively uncommon compared to passwords, and when they do exist, people don’t often use them.

**How to protect yourself**

Cybercriminals prey on the vulnerable and the distracted. Brand impersonation works because attackers lean hard on urgency. They claim your account has been breached, or a large transaction has gone through, or a delivery can’t be completed.

Scammers are experts at using fear to get past your emotional defenses. In one inventive twist highlighted by the FBI, scammers told victims their details were used for firearms purchases, then transferred them to a fake “law enforcement” accomplice. Once fear kicks in, people act fast.

Whether the scammer is posing as Amazon, your bank, or a courier service, the same rules apply:

*   **Bookmark your bank and retailer login pages.** Don’t search for them, as results can be spoofed.
*   **Use official apps.** Download your bank or Amazon app directly from an official link, not through a search engine.
*   **Be stingy with personal info.** Pet names, schools, and birthdays can help criminals with “security questions.”
*   **Be skeptical of caller ID.** It can be spoofed. Hang up, then call back using a verified number.
*   **Use passkeys if offered.** They cut out SMS codes entirely and help prevent phishing.
*   **Never share one-time codes.** No legitimate company will ask.

Amazon also reminds users:

*   It will **never** ask for payment information over the phone.
*   It will **never** send emails asking customers to verify login details.
*   All account changes, tracking, and refunds should go through the Amazon app or website only.

If you do think you’ve been hit by an ATO scam, contact your bank immediately to try and recall or reverse any fraudulent transactions. It might still not be too late, but every second counts. Also, file a complaint with the FBI’s IC3 online crime unit.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks 

OpenAI confirmed a third-party data breach via Mixpanel, exposing limited API user metadata like names, emails and browser…

OpenAI confirmed a third-party data breach via Mixpanel, exposing limited API user metadata like names, emails and browser info. OpenAI systems were not breached, and no passwords, API keys, chats or payment data were exposed.

OpenAI has confirmed a data breach involving **Mixpanel**, a third-party analytics tool it used to monitor API dashboard activity. This wasn’t a direct attack on OpenAI’s systems but a compromise of Mixpanel, where an attacker accessed and exported data linked to API users.

To be specific, this wasn’t about passwords, payment info or anything that gives direct access. What got taken was account metadata, the kind of stuff analytics tools collect by default, including:

*   Name
*   Email address
*   Referring website
*   City, state or country
*   Internal user or org ID
*   Browser and operating system

OpenAI **responded** by immediately removing Mixpanel from its production systems and launched a review to identify what was affected. It has since notified all impacted users. The company is also conducting a broader audit of its external vendors and has advised users to turn on multi-factor authentication and be cautious with unsolicited messages or phishing attempts.

It’s worth clarifying that regular ChatGPT users weren’t affected. The exposure was limited to those who interacted with OpenAI through its **API platform**.

Mixpanel **confirmed** that it had detected suspicious access on one of its service environments and that the attacker had exported data belonging to multiple customers, including OpenAI. The company says it has since resolved the vulnerability and engaged external security experts to investigate.

This kind of third-party breach is **far from rare**. Many companies rely on analytics providers, payment processors, and support platforms, each of which brings a certain level of risk. While no system is bulletproof, what matters is how companies react once something breaks. In this case, OpenAI took its vendor offline, dug through the damage, and notified those affected without delay.

**Ben Schilz**, CEO of Wire, weighed in on the incident with a broader perspective, stating that the real issue isn’t just the breach itself, but the growing reliance on third-party tools that companies don’t fully control. He pointed to the need for “digital sovereignty,” stressing that organisations need to stay in charge of their own data and security rather than handing over that control to external vendors.

The good news is that ChatGPT user data wasn’t affected, and OpenAI has already cut off the third-party vendor involved. The downside is that some data was stolen, and there’s a real chance it could be leaked or used in phishing attempts targeting those same users.

Therefore, be cautious with any emails claiming to be from OpenAI or Mixpanel, especially ones asking you to reset passwords or review security settings. It’s also a good time to enable two-factor authentication on both your OpenAI account and the email linked to it.

OpenAI API User Data Exposed in Mixpanel Breach, ChatGPT Unaffected

Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world.
Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight. But they’re not the only ones moving fast. Governments and security teams are fighting back, shutting down fake

Latest News