A list of topics we covered in the week of August 11 to August 17 of 2025

August 15, 2025 - A cybercriminal was found selling scanned IDs that were stolen from guests at Italian hotels on underground forums, warned CERT-AGID.

August 15, 2025 - National Public Data has changed ownership. Does this mean your personal information has changed hands too?

August 14, 2025 - Four men from Ghana were extradited for their alleged role in stealing more than $100 million through romance scams and BEC.

August 14, 2025 - Scammers are sending out fake Netflix job offers to get control of Facebook accounts.

August 13, 2025 - In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities, some of which are very important.

 A week in security (August 11 &#8211; August 17) 

A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-xfp8-x3j6-h67v: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js

A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-q4rg-7cjj-5r86: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js

A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come…

A seller named Chucky\_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.

A threat actor using the name Chucky\_BF on a cybercrime and hacker forum is advertising what they claim to be a massive **PayPal** data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.

The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.

Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.

The description provided by Chucky\_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.

A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.

The way the data is put together is important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.

As for pricing, Chucky\_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.

If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.

Screenshot shows alleged PayPal data being sold on a hacker and cybercrime forum (Image credit: Hackread.com)

****Infostealer Logs as the Likely Source****

PayPal has never suffered a direct data breach in which attackers broke into its systems and stole millions of user records. Past incidents, including the one that **involved 35,000 users**, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.

This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of **infostealer malware** collecting login details from infected devices and bundling them together.

Additionally, the structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer **malware logs**. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.

The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single **PayPal-focused leak**.

PayPal itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks. Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.

Threat Actor Claims to Sell 15.8 Million Plain-Text PayPal Credentials

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in…

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in a sting operation combating internet crimes against children.

A high-ranking Israeli cybersecurity official was among eight men arrested in a major two-week undercover sting operation, according to a press release from the Las Vegas Metropolitan Police Department.

The operation, which targeted online users seeking to exploit children, was a joint effort by the Nevada Internet Crimes Against Children (ICAC) task force, the FBI’s Child Exploitation Task Force, and multiple local agencies, including the Henderson Police Department and Homeland Security Investigations.

The official has been identified as Tom Artiom Alexandrovich, 38. He was arrested alongside seven other suspects: David Wonnacott-Yahnke, 40; Jose Alberto Perez-Torres, 35; Aniket Brajeshkumar Sadani, 23; James Ramon Reddick, 23; Ramon Manuel Parra Valenzuela, 29; Neal Harrison Creecy, 46; and John Charles Duncan, 49. All eight men face felony charges of luring a child with a computer for a sex act.

A now-deleted LinkedIn profile under his name identified him as the executive director of the Israel Cyber Directorate, an Israeli government agency. At the time of his arrest, Alexandrovich was reportedly in Las Vegas for a major cybersecurity conference called Black Hat Briefings held from August 2-to-7, 2025, in Mandalay Bay, Las Vegas.

Tom Artiom Alexandrovich LinkedIn Profile (Source: X.com (@vxunderground))

A Post Likely from Tom Artiom Alexandrovich after Black Hat Briefings (Source: @icu\_luci )

According to the press release, Alexandrovich was booked into the Henderson Detention Center following his arrest. It is worth noting that under Nevada law, luring a child with a computer for a sex act can carry a prison sentence of one to ten years.

However, the incident has caused some confusion due to conflicting reports from the US and Israeli officials. While the LVMPD confirmed that all eight suspects were arrested and booked, Israel’s Prime Minister’s office has stated that the employee was not arrested but only questioned.

“A state employee who travelled to the US for professional matters was questioned by American authorities during his stay. The employee, who does not hold a diplomatic visa, was not arrested and returned to Israel as scheduled,” the prime minister’s office’s statement reads. Moreover, an Israeli news outlet, Ynet, reported that an employee of the Israel National Cyber Directorate had been questioned by US authorities and was back in his home country.

However, according to The Guardian’s report, Alexandrovich was charged with luring a child for a sex act but was later released and returned to Israel.

Nevertheless, the case shows the real dangers children face online and the ongoing work by law enforcement to protect them. It also shows why international cooperation and constant caution are necessary to bring offenders to justice.

Top Israeli Cybersecurity Official Arrested in US Child Exploitation Sting

Rotherham hacker Al-Tahery Al-Mashriky jailed for 20 months after global cyberattacks, stealing millions of logins and targeting government…

Rotherham hacker Al-Tahery Al-Mashriky jailed for 20 months after global cyberattacks, stealing millions of logins and targeting government websites.

When police knocked on the door of a home in Rotherham, South Yorkshire, in August 2022, they ended a hacking spree that had stretched across North America, the Middle East and Israel. The man behind it, 26-year-old Al-Tahery Al-Mashriky, had spent months hacking into websites and collecting the personal details of millions of unsuspecting people.

Al-Tahery Al-Mashriky (Mugshot via NCA)

Investigators say Al-Mashriky was linked by the UK’s National Crime Agency (NCA) to hacker groups known as the Spider Team and the Yemen Cyber Army. These groups are known for targeting government bodies, media outlets and public organisations while spreading political and ideological messages through cyber attacks.

A forensic examination of his seized laptop and phones revealed that Al-Mashriky hacked into the Yemen Ministry of Foreign Affairs, the Yemen Ministry of Security Media and an Israeli news website. In some cases, he defaced websites to spread his political messages.

In 2015, Hackread.com reported that the Yemen Cyber Army had hacked the official website of the Saudi Ministry of Foreign Affairs, defaced it, stole data and leaked the information online.

Defaced Saudi site shows the political message left by the hacker (GIF credit: Hackread.com)

According to NCA’s press release, Al-Mashriky was a “Serial hacker” looking for fame. On one cybercrime forum, Al-Mashriky bragged that he had compromised more than 3,000 websites in just three months.

He also leaked data, and one of the leaks contained stolen data belonging to over four million Facebook users, as well as login details for services including Netflix and PayPal, all of which could have been used for fraud.

The attacks did not stop at Middle Eastern or Israeli targets. Evidence showed he also compromised faith-based websites in Canada and the United States, as well as the California State Water Board, causing disruption that forced victims into expensive recovery efforts.

Sites defaced by the hacker (Image credit: Hackread.com)

Al-Mashriky pleaded guilty to nine counts under the Computer Misuse Act and on 15 August was sentenced to 20 months in prison.

Paul Foster, deputy director of the NCA’s National Cyber Crime Unit, said the case highlights the human cost behind cybercrime. “Al-Mashriky’s attacks crippled the websites targeted, causing significant disruption to their users and the organisations, just so that he could push the political and ideological views of the Yemen Cyber Army. He had also stolen personal data that could have enabled him to target and defraud millions of people.”

****Cybercrime and The United Kingdom****

Cybercrime linked to the United Kingdom has escalated in recent months. In July, four suspects were arrested from homes across London, Staffordshire and the West Midlands. The group included two 19-year-old men, a 17-year-old boy and a 20-year-old woman.

Prosecutors say they were behind large-scale attacks on major retailers including M&S, Co-op and Harrods. The incident involving M&S alone is reported to have caused around £300 million in damages.

In September 2024, John Andreas Wik, 37, from Beckenham, was arrested after hijacking free public WiFi networks at train stations across the UK to display offensive Islamophobic messages. In July 2025, he was handed a 24-month prison sentence, suspended for two years, which means he will not serve time in jail unless he commits another offence during that period.

“Serial Hacker” Sentenced to 20 Months in UK Prison

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips (API modules) allows Excessive Allocation. This vulnerability is associated with program files org.Bouncycastle.Crypto.Fips.NativeLoader.

This issue affects Bouncy Castle for Java - BC-FJA 2.1.0: from BC-FJA 2.1.0 through 2.1.0.

GHSA-v6cf-mv9h-c8mc: Bouncy Castle for Java Uncontrolled Resource Consumption Vulnerability

CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of…

CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of victims. The operation’s secrets were revealed when the scammers themselves were compromised.

Cybersecurity intelligence firm CloudSEK has uncovered a sophisticated, family-run multi-million-dollar cybercrime operation based out of Pakistan. CloudSEK’s TRIAD team’s investigation revealed a syndicate that’s been active for at least five years.

Reportedly, the group’s primary strategy was to exploit people looking for free, pirated software. They used SEO poisoning and forum spam to post links on legitimate online communities and search engines that led to malicious websites.

Here’s an example from the official HONOR UK community forum here a post titled “Adobe After Effects Crack Free Download Full Version 2024” was used as a lure.

And, another one:

Image via CloudSEK

These sites tricked users into downloading popular cracked software like Adobe After Effects, but in reality, they were installing dangerous infostealer malware, including strains like Lumma, AMOS and Meta. It also stole personal data, from passwords and browser information to cryptocurrency wallet details.

****$4.67 Million in Revenue****

The scale of the operation is large. The report reveals that the network generated over 449 million clicks and more than 1.88 million malware installs. This immense volume brought in an estimated lifetime revenue of at least $4.67 million. CloudSEK estimates the network may have impacted over 10 million victims globally, as stolen data was sold for about $0.47 per credential.

The investigation also explains the group’s internal structure, which was based on two interconnected Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia/Installstera. These systems managed a vast network of 5,239 affiliates, who were paid for each successful malware installation.

Moreover, CloudSEK found that while the operators were based in Pakistan’s Bahawalpur and Faisalabad, their victims were located worldwide. A key finding was the operators’ use of traditional financial services like Payoneer for payments, which is a rare move for a group of this nature. Also, operators shared the same last name, suggesting the criminal enterprise was a multi-generational effort.

****Hackers Caught by Their Own Malware****

A critical turning point in the investigation happened by chance. The operators were ironically infected by their own malware, which allowed CloudSEK’s team to access their private logs.

These logs contained a trove of information, including financial records, internal communications, and admin credentials, which provided the detailed evidence needed to expose the entire network.

> _“The breakthrough in the investigation came ironically: the threat actors themselves were compromised by infostealer malware. The exfiltrated logs from their own machines provided unprecedented insight into their identities, command structure, infrastructure, communications, and finances, ultimately leading to their unmasking.”_
> 
> _“Four principal operators—M\*\* H, M S, Z I, and N I/H/A\* along with S\* H\*\*\* – are identified as key figures in this multiactor network.”_
> 
> CloudSEK

The report goes on to show how these groups are using everyday marketing tactics and even legitimate financial services to carry out their illegal activities in plain sight. Therefore, user awareness is crucial.  Please avoid downloading cracked software, as it remains an easily exploitable avenue for cybercriminals.

Scammers Compromised by Own Malware, Expose $4.67M Operation

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure.
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

Plus: ICE agents accidentally add a random person to a sensitive group chat, Norwegian intelligence blames the Kremlin for hacking a dam, and new facial recognition vans roam the UK.

WIRED copublished an investigation this week with The Markup and CalMatters showing that dozens of data brokers have been hiding their opt-out and personal-data-deletion tools from Google Search, making it harder for people to find and utilize them. The report prompted US senator Maggie Hassan to demand accountability from the companies. WIRED also took a deep dive looking at what the data-analysis giant Palantir actually does.

Reports this week that Russia was likely involved in, or entirely behind, the US Courts records system breach highlight both the stakes of the incident and information that federal investigators seem to still be lacking about what exactly happened. New research is shedding light on the inner workings of the multimillion-dollar gray market for video game cheats. And we've got advice on how to protect yourself against portable point-of-sale scams that can steal your credit card data or other information. Plus, researchers at the Defcon security conference in Las Vegas last week provided open source instructions for how to build your own quantum sensor at low cost—complete with a special, crucial diamond.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Russia Limits Secure Calling on WhatsApp and Telegram**

Russia started blocking WhatsApp and Telegram calls this week, saying that the encryption schemes the communication platforms use to protect customer calls from interception violate information-sharing requirements between tech companies and the government. The platforms have close to 100 million users each in Russia, according to Al Jazeera and Mediascope. The Kremlin has spent years expanding its mechanisms for internet censorship and control, often under the guise of national security and law enforcement.

A WhatsApp spokesperson told WIRED in a statement that “WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people.”

Reuters reports that Telegram told Russia's RBC Daily that it takes steps to address criminal behavior on its platform, including deploying moderators equipped with AI tools to monitor public discourse and communications on the platform that are not end-to-end encrypted. Telegram said it takes down millions of malicious messages each day.

**US ICE Agents Mistakenly Add Random Civilian to Highly Sensitive Group Chat**

ICE agents inadvertently added a random person to a group chat named “Mass Text,” exposing sensitive discussions including details about a manhunt for a convicted attempted murderer who apparently had been flagged for deportation. The person who was added to the group chat “is not a law enforcement official or associated with the investigation in any way,” according to 404 Media, and “initially thought it was a series of spam messages” after being added to the chat weeks ago.

Messages reportedly included the ICE Field Operations Worksheet for the case, which contains detailed information about the target, as well as communications in which ICE agents appeared to be accessing data from a DMV and license plate readers. The breach is reminiscent of so-called SignalGate, another recent situation in which senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a Signal group chat created to plan US air strikes against Houthi rebels in Yemen.

**Norwegian Intelligence Chief Says Russian Hackers Were Behind Dam Cyberattack**

The head of Norway's security police service, Beate Gangås, said this week that it was Russian hackers who targeted a dam in Norway in April and released millions of gallons of water during the four hours that they had control. The Russian embassy denied the allegations in comments to Reuters. Gangås accused Russia of perpetrating the hack in a speech on Thursday, according to Norwegian media.

**English Police Forces Will Have Access to a New Fleet of Facial Recognition Vans**

Police in England will have more access to facial recognition tools. Ministers announced this week that law enforcement will deploy 10 live facial recognition vans around the country that will be used by seven police forces to aid in investigations related to “sex offenders or people wanted for the most serious crimes,” according to Home Secretary Yvette Cooper. Police have increasingly turned to facial recognition in the United Kingdom in recent years, but the vans will represent an additional expansion in England.

Latest News