Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

June 23, 2025 - Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

June 19, 2025 - Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

June 19, 2025 - Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

June 18, 2025 - Several Instagram ads have been found impersonating banks, including the usage of deepfake videos to defraud consumers.

June 18, 2025 - These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

 A week in security (June 15 &#8211; June 21) 

In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-5p2p-6g2c-hf7m: spytrap-adb Omission of Security-relevant Information

The US concentrated its attack on Fordow, an enrichment plant built hundreds of feet underground. Aerial photos give important clues about what damage the “bunker-buster” bombs may have caused.

When the United States bombed Iran in the early hours of Sunday local time, it targeted three facilities central to the country’s nuclear ambitions: the Fordow uranium enrichment plant, the Natanz nuclear facility, and the Isfahan nuclear technology center. Newly released satellite images show the impact of the attack—at least, what can be seen on the ground.

The brunt of the bombing focused on Fordow, where US forces dropped a dozen GBU-57 massive ordnance penetrators as part of its “Midnight Hammer” operation. These 30,000-pound “bunker-buster” bombs are designed to penetrate as deep as 200 feet into the earth before detonating. The Fordow complex is approximately 260 feet underground.

That gap accounts for some of the uncertainty over exactly how much damage the Fordow site sustained. President Donald Trump shared a post on his Truth Social platform following the attack that declared “Fordow is gone,” and later said in a televised address that “Iran’s key nuclear enrichment facilities have been completely and totally obliterated.” His own military, however, was slightly more circumspect about the outcome in a Sunday morning briefing. “It would be way too early for me to comment on what may or may not still be there,” said general Dan Caine, chairman of the Joint Chiefs of Staff.

Satellite imagery can inherently only tell you so much about a structure that is situated so far below the surface of the earth. But before and after imagery is the best publicly available information about the bombing’s impact.

A satellite image from before the US bombing of Fordow.

Photo: MAXAR Technologies/Handout via Reuters

A satellite image from after the US bombing of Fordow.

Photo: MAXAR Technologies/Handout via Reuters

“What we see are six craters, two clusters of three, where there were 12 massive ordnance penetrators dropped,” says Jeffrey Lewis, director of the East Asia Nonproliferation Program at the Middlebury Institute's James Martin Center for Nonproliferation Studies. “The idea is you hit the same spot over and over again to kind of dig down.”

The specific locations of those craters matter as well, says Joseph Rodgers, deputy director and fellow at the Center for Strategic and International Studies’ Project on Nuclear Issues. While the entrance tunnels to the Fordow complex appear not to have been targeted, US bombs fell on what are likely ventilation shafts, based on satellite images of early construction at the site.

“The reason that you’d want to target a ventilation shaft is that it’s a more direct route to the core components of the underground facility,” says Rodgers.

That direct route is especially important given how deep underground Fordow was built. The US military relies on “basically a computer model” of the facility, says Lewis, which tells them “how much pressure it could take before it would severely damage everything inside and maybe even collapse the facility.” By bombarding specific targeted areas with multiple munitions, the US didn’t need bombs capable of penetrating the full 260 feet to cause substantial damage.

“They’re probably not trying to get all the way into the facility. They’re probably just trying to get close enough to it and crush it with a shockwave,” Lewis says. “If you send a big enough shockwave through that facility, it’s going to kill people, break stuff, damage the integrity of it.”

A closer satellite view shows the impact craters and a nearby support structure.

Photo: MAXAR Technologies/Handout via Reuters

It’s also notable what US bombs didn’t hit. The oblong white building in satellite images of Fordow is likely key support infrastructure for the facility, potentially providing everything from air-conditioning to backup power generation. “The US didn’t even bother targeting it. That clearly indicates to me that they weren’t trying to temporarily shut down the facility,” Rodgers says. “We targeted these apparent ventilation shafts so that we could structurally destroy or do as much damage as we could rather than temporarily try to shut down Fordow.”

Once a long-held secret, Fordow's existence was first officially acknowledged by the Iranian government in 2009. The facility is believed to be capable of enriching uranium to 60 percent. From there, experts say, it can relatively quickly be further enriched to 90 percent, the level needed for constructing nuclear weapons.

The US bombing came more than a week after Israel launched a series of attacks on Iran with the stated goal of stopping Tehran’s nuclear program. Israel lacks munitions capable of reaching deeply buried facilities like Fordow, which appears to be why the US entered the fray.

It is currently unclear how impactful this weekend’s bombing campaign will be on Iran’s long-term nuclear ambitions. Lewis says the strike was “tactically brilliant, but strategically incomplete,” because Iranians still have nuclear material that can be enriched to weapons-grade levels. “They still have underground facilities where they could do that, and they still have the ability to produce centrifuge components, so they can still make the centrifuges for the facilities.”

Further complicating the assessment of the Fordow damage is that satellite images from earlier last week show a significant amount of activity at the site, including more than a dozen trucks going to and from it. “I think there were some defense operations going on,” says Rodgers. “They probably brought those dump trucks in to try to seal off the tunnel entrances, to help protect against attacks.” There’s also the possibility that Iran was able to move nuclear material out of the facility before the attack, limiting the bombing’s usefulness.

Ultimately, Iran’s nuclear program has likely “been damaged,” Lewis says. “It has not been eliminated.”

What Satellite Images Reveal About the US Bombing of Iran's Nuclear Sites

Scammers used Inferno Drainer to steal $43,000 in crypto from 110 CoinMarketCap users through a fake wallet prompt embedded in the site’s front-end.

A coordinated crypto theft operation targeting CoinMarketCap users has been exposed after leaked images surfaced from a Telegram channel known as TheCommsLeaks. The attack used a convincing wallet connection prompt embedded in CoinMarketCap’s own interface, tricking users into handing over access to their wallets. The result? more than $43,000 worth of crypto funds drained in hours.

According to Tammy H, a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare.io, a Canada-based cybercrime intelligence firm, the attack was carried out using Inferno Drainer, a known wallet-draining toolkit that’s been linked to previous campaigns.

****A Pop-Up with a Price****

The method was simple but effective. Users visiting CoinMarketCap were presented with a prompt asking them to “Verify Your Wallet” to access features. It looked identical to legitimate pop-ups seen on the platform, giving users no reason to doubt it. However, once connected, wallets were quietly emptied of whatever assets they held.

Video credit: apoorv.eth on X (Twitter)

A source cited in the leak claimed the prompt appeared across nearly every page on the site. “Make it where it appears on every page,” read one message. “Most people have coins pinned… the second they render the site.”

The attacker seemed focused on increasing visibility and maximizing wallet connections. Some reports suggest that even the connect button began malfunctioning due to being rendered too many times.

****Inside the Leak****

As per Tommy H’s analysis, the Telegram channel TheCommsLeaks began sharing details around 7:30 PM local time on June 20. The messages included screenshots showing a live dashboard used by the attacker. These visuals displayed wallet connections, token transfers and total values drained in real time.

Early numbers showed 67 successful hits and over 1,300 wallet connections. The payout was already past $21,000 within the first wave. By the time the campaign ended, the final haul had climbed to $43,266, drained from 110 victims.

Tokens siphoned off included SOL, XRP, EVT, and smaller coins like PENGU and SHDW. One transaction involving $1,769 in XRP was linked to a wallet visible on BscScan, offering public confirmation of the theft.

However, the researcher noted that not every attempt succeeded. Logs from the attacker’s toolkit also showed multiple failed drains, typically due to wallets holding unsupported tokens or negligible balances.

Attackers on Telegram

****What Happened on CoinMarketCap?****

After growing speculation over whether the attack came from a spoofed domain, CoinMarketCap addressed the issue directly. In a statement published on X, the company said a doodle image displayed on their homepage had triggered malicious code through an embedded API call. This vulnerability caused the unauthorized wallet prompt to appear for some users.

The company confirmed that its security team responded immediately after detecting the issue. The malicious content was removed, and internal systems were patched to prevent further abuse.

“All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the company stated, adding that it continues to monitor the situation and provide support.

This incident goes on to show how small interface changes, even those involving something as harmless as a homepage doodle, can be leveraged for large-scale damage. While the use of a legitimate platform’s own environment to deploy malicious prompts is extremely concerning, it reflects how easily trust in familiar interfaces can be misused.

In a separate incident reported by Hackread just last week, scammers exploited search ads to trick users into calling fake support numbers shown on real websites like Apple and PayPal. Though technically unrelated, both cases show how attackers rely on user assumptions about what’s safe to interact with online.

For now, users are advised to avoid connecting wallets directly through pop-ups and verify any prompt against the platform’s official guidance. If something looks familiar, that doesn’t always mean it’s safe.

Scammers Use Inferno Drainer to Steal $43K from CoinMarketCap Users

The social network started experiencing global outages within minutes of Donald Trump posting details of a US military strike on Iran.

Truth Social malfunctioned on Saturday night amid President Donald Trump’s announcement that the United States had bombed Iran’s nuclear facilities.

Starting around 8 pm ET on Saturday, attempts to load the social network, which is owned by Trump Media & Technology Group (TMTG), displayed error messages. “Network failed,” a message on Truth Social reads. “Please try again.”

Trump’s initial Truth Social announcement that the United States had entered Israel’s war against Iran posted at 7:46 pm ET, stating that the US had waged a “very successful attack on the three Nuclear sites in Iran, including Fordow, Natanz, and Esfahan.” Trump’s account on the social media platform X posted a screenshot of the bombing announcement at 7:53 pm ET.

“All planes are now outside of Iran air space. A full payload of BOMBS was dropped on the primary site, Fordow,” Trump continued. “All planes are safely on their way home. Congratulations to our great American Warriors. There is not another military in the World that could have done this. NOW IS THE TIME FOR PEACE! Thank you for your attention to this matter.”

Trump frequently shares posts to Truth Social about issues of national and international importance. The president appeared to post multiple times after news of the US bombings against Iran were first announced. Trump’s stake in Truth Social’s parent company, TMTG, is currently worth more than $2 billion.

DownDetector, a website that crowdsources service outages, saw an influx of reports of Truth Social going down around 8 pm. The reason for the apparent outage was not immediately clear. NetBlocks, which monitors internet accessibility, posted on BlueSky just before 9 pm ET: “Truth Social is experiencing international outages for many users after US President Donald Trump announces strikes on three nuclear sites in Iran; incident not related to country-level internet disruptions or filtering.”

Truth Social did not immediately respond to WIRED’s requests for comment.

US and Iranian officials, speaking on the condition of anonymity, confirmed to The New York Times that US forces had conducted airstrikes on the Fordo and Natanz facilities. The condition of the US targets were not yet confirmed as of just before 9 pm ET.

Israel first began bombing targets in Iran on June 13. The two countries have repeatedly targeted each other since.

On Wednesday, Truth Social reportedly sent an email to at least some users encouraging them to follow Trump’s account. The email read in part, “If you aren’t following President Donald J. Trump on Truth Social, you’re missing an essential resource for navigating world affairs today.”

Trump will hold a televised address at 10 pm ET, according to the White House press secretary, Karoline Leavitt.

Truth Social Crashes as Trump Live-Posts Iran Bombing

A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.

A new joint report released today by FS-ISAC, a non-profit organization focused on financial cybersecurity, and Akamai Technologies, a leading cybersecurity and cloud company, reveals a worrying trend: Distributed Denial-of-Service attacks (DDoS attacks) are increasingly targeting the global financial sector.

These attacks aim to overwhelm online services, disrupting customer access and business operations, ultimately eroding trust and impacting profits. The report, shared with Hackread.com, emphasises the growing sophistication and strategic nature of these cyber threats.

****Evolving Attack Strategies and Key Findings****

According to the report, the financial services sector was the primary target for large-scale DDoS attacks in 2024, which involved flooding a system with massive amounts of traffic, with a notable surge in October 2024. Attacks specifically targeting the application layer of financial services grew by 23% between 2023 and 2024.

The report also notes a rise in more precise attacks against financial firms’ Application Programming Interfaces (APIs) with a 58% rise observed between 2023-24 which allow different software to communicate, and their customer-facing websites.

These targeted assaults are harder to spot because they mimic normal user behaviour, indicating a higher level of skill among cybercriminals. In 2024, a single attack campaign targeting multiple banks resulted in service disruptions that lasted for several days, illustrating the severe impact these incidents can have.

Teresa Walsh, FS-ISAC’s Chief Intelligence Officer, commented on this shift, stating, “DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain.”

The use of DDoS-for-Hire services, where attackers can pay others to launch attacks, is also common. Geopolitical events, such as the Hamas-Israel and Russia-Ukraine conflicts, have also fuelled an increase in hacktivism, where cyberattacks are carried out for political reasons.

On the other hand, the Asia Pacific region experienced a sharp rise in these large-scale attacks, accounting for 38% of all volumetric DDoS attacks in 2024, a significant jump from 11% in 2023.

****Building Stronger Defences****

To help financial institutions better prepare, FS-ISAC and Akamai have introduced a five-level DDoS Maturity Model. This model helps organizations evaluate their current strengths and weaknesses in defending against DDoS attacks, allowing them to identify areas for improvement, prioritize investments, and boost their ability to withstand these threats.

Steve Winterfeld, Advisory CISO at Akamai, emphasized the ongoing nature of the threat: “Threat actors will continue to leverage DDoS attacks to exploit the security of our institutions.” He highlighted that effective defences involve implementing mitigation strategies, maintaining strong cybersecurity practices, and adopting industry best practices.

It must be noted that this collaboration is part of Akamai’s involvement in FS-ISAC’s Critical Providers Program, launched in 2022 to enhance supply chain security within the financial sector.

Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks

European police, led by Denmark and Sweden, are arresting individuals in a crackdown on violence-as-a-service, where criminal groups recruit teenagers online for contract killings. Learn about Europol's OTF GRIMM task force and how they're fighting this disturbing trend.

European law enforcement agencies, led by Denmark and Sweden, are intensifying their fight against a disturbing new criminal trend: the online recruitment of young people, some as young as 14, to carry out contract killings. This practice, termed violence-as-a-service, sees criminal groups using encrypted online platforms to offer money for shootings, often across national borders.

As per Europol’s press release, recent efforts, spearheaded by Denmark’s National Special Crime Unit and the Swedish Police, have led to several arrests. Following investigations into violent acts, including a shooting in Kokkedal on May 7, 2025, seven individuals, aged between 14 and 26, have either been arrested or surrendered from countries like Sweden and Morocco.

Among those caught are two 18-year-old men from Western Sweden, suspected of actively recruiting youngsters for these deadly tasks. Authorities indicate that some suspects also provided weapons, ammunition, and safe places for these young attackers.

****International Alliance Against Online Crime****

This alarming development has prompted a stronger international response. Europol launched Operational Taskforce (OTF) GRIMM in April 2025 to directly address the use of encrypted services for coordinating contract killings across Europe. The task force now includes Belgium, Denmark, Finland, France, Germany, Iceland (the latest country to join), the Netherlands, Norway, Sweden, and Europol itself, with more nations expected to join soon.

Andy Kraag, Head of Europol’s European Serious Organised Crime Centre, highlighted the severity, stating, “Teenagers being paid to pull the trigger, this is what organised crime looks like in 2025. This is calculated outsourcing of murder by criminal networks that treat human lives as disposable assets.”

****A Familiar Crime****

This isn’t the first time online platforms have been exploited for grave crimes. As Hackread.com recently reported that the global 764 network child abuse ring, led by individuals like Leonidas Varagiannis (21) and Prasan Nepal (20), also used encrypted apps to orchestrate horrific exploitation.

This past case, resulting in arrests in the US and Greece, underscores a persistent challenge: the anonymous nature of digital spaces can facilitate serious criminal activity, including those involving minors.

Europol encourages parents and communities to look for early signs of criminal recruitment, such as sudden behavioural changes or unexplained wealth, offering guides for protection. Law enforcement continues to track the masterminds behind these operations, aiming to dismantle their hidden online infrastructure.

Violence-as-a-Service: Encrypted Apps Used in Recruiting Teens as Hitmen

Plus: Ukrainian hackers reportedly knock out a key Russian internet provider, China’s Salt Typhoon hackers claim another victim, and the UK hits 23andMe with a hefty fine over its 2023 data breach.

Amid Israeli airstrikes this week and the imminent threat of further escalations by the United States, Iran started severely limiting internet connectivity for its citizens, limiting Iranians' access to crucial information and intentionally pushing them toward domestic apps that may not be secure. Meanwhile, the Israel-tied hacking group known as Predatory Sparrow is waging cyberwar on Iran’s financial system, attacking Iran’s Sepah Bank and destroying more than $90 million in cryptocurrency held by the Iranian crypto exchange Nobitex.

With the US still reeling from last weekend's violent shooting spree in Minnesota targeting Democratic state lawmakers and their families, an FBI affidavit indicates that the suspected shooter allegedly used data broker sites to find targets’ addresses and potentially other personal information about them. The finding highlights the potential dangers of widely available personal data.

This week, WIRED published its How to Win a Fight package, which includes our roundup of tools for tracking the Trump administration’s attacks on civil liberties, plus the most up-to-date versions of our guides to protecting yourself from government surveillance, protesting safely in the age of surveillance, and protecting yourself from phone searches at the US Border. While you're at it, don't forget to print your own copy of the How to Win a Fight zine! Better yet, print two and leave one at your local coffee shop or library.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Israel Reports That Iran Is Hacking Security Cameras for Spying**

Israeli officials said this week that Iran is compromising private security cameras around Israel to conduct espionage as the two countries exchange missile strikes after an initial Israeli barrage. A former Israeli cybersecurity official warned on public radio this week that Israelis should confirm that their home security cameras are protected by strong passwords or shut them down. “We know that in the past two or three days, the Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision,” Refael Franco, the former deputy director general of the Israel National Cyber Directorate, said. Like many internet-of-things devices, surveillance cameras are notoriously vulnerable to takeover if they are not secured with strong account protections. They have previously been targeted in other conflicts for intelligence gathering.

**Ukrainian Hack Reportedly Caused Comms Blackouts, Data Deletion in Russia**

The Kyiv Post reported this week that hackers from Ukraine’s Main Intelligence Directorate (HUR) launched a cyberattack against Russian internet service provider Orion Telecom that disabled 370 servers, took down roughly 500 network switches, and wiped backup systems to hinder recovery. The attacks reportedly caused internet and television outages. Orion Telecom reportedly said that it was recovering from a large DDoS attack and would quickly restore service. The attack came on June 12, the national holiday known as Russia Day. “Happy holiday, disrespectful Russians," the attackers wrote in a message circulated on Telegram groups. "Soon you’ll be living in the Stone Age—and we’ll help you get there. Glory to Ukraine.” The attackers claim to be part of Ukraine's BO Team hacking group. Sources told the Kyiv Post that Russian security agencies working on the country's war against Ukraine use Orion Telecom and were affected by the connectivity outages.

**Viasat ID’ed as Another Victim in China’s Salt Typhoon Telecom Hacking Spree**

Bloomberg reported this week that the satellite communication firm Viasat discovered a breach earlier this year perpetrated by China's Salt Typhoon espionage-focused hacking group. In early December, US authorities revealed that Salt Typhoon hackers had embedded themselves in major US telecoms, including AT&T and Verizon. After revelations last year of the group's extensive telecom hacking spree in the US and elsewhere, WIRED reported in February that Salt Typhoon was still actively breaching new victims. Viasat says it has been cooperating with federal authorities to investigate its breach.

**23andMe Hit With UK Fine Over 2023 Data Breach**

The United Kingdom's Information Commissioner’s Office (ICO) said this week that it issued a £2.31 million ($3.1 million) fine to the beleaguered genetic testing company 23andMe as a result of the company's damaging 2023 data breach. Attackers were able to access user accounts and their data using stolen login credentials, because at the time 23andMe did not require that users set up two-factor authentication, which the ICO says violated the UK's data protection law. The company has since mandated this protection for all users. More than 155,000 UK residents had their data stolen in the breach, according to the ICO, which said that 23andMe “did not have additional verification steps for users to access and download their raw genetic data” when the breach occurred.

Israel Says Iran Is Hacking Security Cameras for Spying

The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event."
That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events.
"Given that one threat actor claimed responsibility for both M&S and

Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages

At this week's re:Inforce 2025 conference, the cloud giant introduced new capabilities to several core security products to provide customers with better visibility and more context on potential threats.

Latest News