Free up space on your iPhone fast. Learn 5 proven ways to clear storage, remove clutter, and manage photos, apps, and files with no gimmicks, just results.

If your iPhone feels cramped and storage alerts show up like it’s on a schedule, it’s probably time for a cleanup. Below, we’ll go over easy ways to quickly free up space on iPhone – and talk a bit about storage management in general. These aren’t gimmicks; they’re time-tested methods and tricks that work for anyone, whether you’re rocking an older iPhone or the latest model.

****How to Check What’s Eating Up Space****

The first thing on the checklist is to figure out what’s taking up all that space. Before you start deleting stuff blindly, open up Settings on your iPhone, tap General, and then hit iPhone Storage.

Give it a second to load – once it does, you’ll see a full breakdown: apps, photos, media, messages, system files, and that “Other” section that never quite explains itself. You can read what all those mean in the official iPhone guide – we won’t stop on this too long.

What matters right now is _where_ your space is going. If Photos is at the top? You’ll want to start there. If it’s giant apps like TikTok, Instagram, or games you haven’t touched in months – yep, those might be the real problem. You might even get some auto-suggestions right there in the menu, like “Offload Unused Apps” or “Review Large Attachments.” Take those seriously – they’re built into the system for a reason.

****How to Free Up Storage on iPhone****

Now, we’ll go through the most popular methods from the overall list of methods to free up space on an iPhone, step by step. We’ll start with Photos first, since for most people (and maybe for you), this is where storage goes to die.

****1\. Clean Up Your Photos****

You probably already know how to manually delete photos or videos from the Photos app. You just tap **_Select_**, choose what you don’t need, and hit the **trash icon**. Simple. But also… kinda miserable. That’s hours of scrolling and second-guessing.

So let’s skip the obvious and talk about faster ways to handle photo cleanup.

First, your iPhone actually has a Duplicates album baked into the Photos app. It can help you spot and merge exact photocopies – like when you AirDropped yourself the same shot twice or saved it from Messages. That can be useful… but there are a couple of catches.

1.  It only works with **exact** duplicates – so if the two photos look nearly identical but aren’t pixel-for-pixel twins, they won’t show up.
2.  It takes time. As a lot of folks pointed out on Reddit, your iPhone doesn’t flag duplicates instantly. You might have to wait a few hours (or days) for the indexing to finish before anything appears in that folder.
3.  Even when it _does_ work, it doesn’t always make a huge dent. A few exact copies here and there usually won’t free up gigabytes.

That’s why a lot of us end up turning to third-party tools that offer broader and faster ways to clean up photos. Special attention should go to AI-powered cleaners – these apps use actual machine learning to spot stuff your iPhone can’t. Not just copies, but _similar_ photos. Like ten shots of the same person blinking… and only one where their eyes are open.

One of the best apps we’ve used for this is Clever Cleaner: AI CleanUp App. It’s 100% free, smart, clean, and surprisingly good at figuring out what’s worth keeping.

**Here’s how to use it:**

1.  Download Clever Cleaner from the App Store.
2.  Open the app, go to Similars, and let it group your lookalike photos.
3.  Tap Smart Cleanup.
4.  The AI picks the best shots to keep. Like the selection? Slide to delete. Want to tweak it? Tap a group, pick a different best shot, or skip it.
5.  When you’re done, Hit Move to Trash, then Empty Trash to clear it all out.

It also flags Heavies (your largest files, sorted big to small – something the Photos app _can’t_ do), Screenshots (easy bulk delete), and Lives (lets you convert Live Photos to stills to save space).

After each cleanup, it shows how much space you saved – and reminds you to empty the Recently Deleted album to actually free up space on your iPhone.

****2\. Offload or Delete Unused Apps****

The next way to potentially clear _a lot_ of space on an iPhone is Apps. Especially the ones you haven’t opened in six months but somehow still take up 1.2 GB.

To find and quickly delete the biggest unused apps, do this:

1.  Open Settings.
2.  Tap General.
3.  Go to iPhone Storage.
4.  Wait for the list to load (apps are sorted by size, largest at the top).
5.  Tap any app you don’t use.

Next, you’ve got two options:

*   **Offload**. This deletes the app itself but keeps all your data. If you reinstall later, everything’s still there. Best for apps you _might_ use again.
*   **Delete**. This wipes the app and its data. Good for things you know you’re done with.

Pro tip: if you’re cool with iOS doing this automatically, turn on Offload Unused Apps in iPhone Storage. It silently trims unused apps when space runs low – and puts a little download icon on them so you can grab them back anytime.

****3\. Clear Safari Cache****

If you’ve been using Safari for a while – browsing, shopping, reading articles at 2 a.m. – there’s a good chance it’s been quietly stockpiling data in the background. Website history, cookies, cached images… it all adds up. You won’t see it in the Photos app or under “Media,” but it’s there.

It’s easy to clear it, and no, it _won’t_ delete your saved passwords or bookmarks. It’ll just wipe the behind-the-scenes junk.

**To do it:**

1.  Open Settings.
2.  Scroll down and tap Safari.
3.  Scroll again and tap Clear History and Website Data.
4.  Confirm when it asks.

That’s it. Safari gets a clean slate, and you get a bit more breathing room.

It’s also a good idea to clear the cache in other apps you use often. Safari isn’t the only one. Apps like Chrome, Firefox, Snapchat, WhatsApp, and most social media or browser apps all store cached data too. But, you won’t find those cache-clearing options in iPhone’s main Settings menu.

Each app handles it differently, usually tucked away in the app’s own settings. Some call it “Clear Cache,” others go with “Storage Management” or “Data Usage.” If you’re not sure where to look, check the app’s help guide or support page – there’s usually a quick step-by-step there.

And if you can’t find a clear option at all? Easy fix: delete and reinstall the app. It’s the fastest way to wipe the cache and start fresh. You’ll need to log back in, but you’d be surprised how much space that one move can save.

****4\. Delete Large Message Attachments****

Yes, all those photos, videos, voice notes, and memes you’ve sent and received over the years stay on your iPhone’s local storage. Every single one. Doesn’t matter if it’s from last week or three months ago – they’re still there.

Luckily, there’s a built-in way to review and clear this stuff (at least the biggest offenders) quickly. Here’s how to do it:

1.  Open Settings.
2.  Go to General > iPhone Storage.
3.  Scroll down and tap Messages.
4.  Under _Documents_, tap Review Large Attachments.
5.  You’ll see a list of the bulkiest files buried in your message threads.
6.  Tap Edit, select the ones you don’t need, and hit Delete.

That’s it. Quick and painless (and your conversations stay intact).

If you want to go even further, head to _Settings > Messages > Keep Messages_ and switch it to 30 Days. iOS will automatically toss older messages and their attachments without you lifting a finger.

If you don’t see Review Large Attachments, it means iOS didn’t flag anything big enough in the Messages app to show there – _or_ you simply haven’t accumulated much yet (good for you).

But that doesn’t mean you’re out of options.

You can still clear attachments manually within most messaging apps. Just like with cache, many apps have their own settings to manage storage and remove media files without deleting your entire chat history. This works for the built-in Messages app, and also for third-party apps like WhatsApp, Telegram, and others.

****5\. Remove Downloaded Files****

This one flies under the radar for a lot of people. You download a file – maybe a PDF, a video, a ZIP, or a random invoice – and forget all about it. But your iPhone doesn’t. It quietly saves that file in the **Files** app, or tucked inside whatever app you used to open it.

**Start with the Files app:**

1.  Open Files.
2.  Tap Browse at the bottom.
3.  Go to On My iPhone.
4.  Check folders like _Downloads_, _Documents_, or anything app-specific (Chrome, Acrobat, etc.)
5.  Long-press to delete anything you don’t need.

Then think about apps that save content offline. Netflix, Spotify, YouTube Premium, and even Podcasts – they all store downloaded files locally. You won’t see this storage in the Files app, but you can manage it inside each app’s settings. Look for things like Downloads, Offline Media, or Storage Usage. Some let you clear everything in one tap.

****Final Words****

These 5 methods to clear space on the iPhone we covered above are the same ones we’ve used countless times – and the ones we regularly recommend to others. They’re reliable, and efficient, and cover the main sources of clutter on nearly every device.

Some additional methods/features can help in specific cases:

*   You can activate Optimize iPhone Storage if you use iCloud, this keeps smaller, device-friendly versions of your photos and shifts the full-resolution ones to the cloud. It’s a simple toggle that can save a lot of space without deleting anything.

*   Voice Memos is another one to check. If you use the app often, long or forgotten recordings can quietly take up storage in the background. Clearing them out occasionally can free up more room than you’d expect.

But those are more situational. The five methods in our guide cover the must-dos. They work across devices, they’re easy to repeat, and they don’t require any technical know-how. A simple cleanup with these steps will give any iPhone more breathing room.

If you found these methods helpful, use the buttons below to share on Facebook or tweet it on X – someone else is probably dealing with the same storage headache right now.

How to Clear iPhone Storage

Lattica’s cloud-based solution uses Fully Homomorphic Encryption to query encrypted data on AI models without decrypting it, preserving privacy and bolstering security.

Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has emerged from stealth. The company is backed by Konstantin Lomashuk’s Cyber Fund, and Sandeep Nailwal, co-founder of Polygon Network and Sentient: The Open AGI Foundation, among others.

Lattica’s technology represents a critical new standard for industries such as healthcare, finance and government sectors, where data privacy and security concerns have limited AI adoption. According to Cisco’s 2025 AI Briefing: CEO Edition, 70% of CEOs surveyed admitted being concerned about the state of their networks due to the rising adoption of AI, with 34% citing security as a major barrier to adoption. 

Fully Homomorphic Encryption (FHE) – the “holy grail” of cryptography in the last decade – ensures all communication between AI providers and end users remains encrypted, without needing to decrypt it, but due to longstanding computational inefficiencies, FHE has yet to be widely adopted. By capitalizing on the latest breakthroughs in the AI acceleration stack, Lattica leverages advanced acceleration techniques to operationalize FHE. 

Led by founder and CEO, Dr. Rotem Tsabary, who holds a PhD in lattice-based cryptography from the Weizmann Institute of Science, Lattica takes advantage of the foundational mathematical similarities between FHE and machine learning to offer a hardware-agnostic, cloud-based platform that utilizes FHE to deliver secure and private use of AI.

A key differentiator powering Lattica’s solution is its Homomorphic Encryption Abstraction Layer (HEAL), which enhances FHE performance and standardizes its acceleration. A cloud-based service, HEAL serves as a universal bridge connecting FHE applications and AI algorithms across a diverse range of hardware including GPUs, TPUs and CPUs, as well as dedicated accelerators like ASICs and FPGAs.

“By combining the advancements of hardware acceleration with software-based optimization, we realized that not only could we improve FHE efficiency to the point of commercial viability, but use it to solve critical data dilemmas holding back AI’s adoption in sensitive industries,“ said Dr. Rotem Tsabary, founder and CEO of Lattica. “We’re enabling practical FHE by developing a solution that is tailor-made for neural networks.”

As part of its emergence from stealth, Lattica has made demos of the platform available on its website, alongside insights from an in-depth survey within the FHE community. Survey results validate Lattica’s approach, revealing that a majority (71%) of respondents believe FHE adoption will be achieved through a combination of hardware and software. 

“Lattica is pushing the boundaries of Fully Homomorphic Encryption, solving one of the most critical challenges in AI security,” said Konstantin Lomashuk, Managing Partner at Cyber Fund. “Cyber Fund is proud to have led Lattica’s pre-seed round. This is the kind of deep-tech innovation that defines the future, and we’re excited to see Lattica leading the way.”

Lattica’s focus on healthcare and finance further underscores the platform’s relevance, with potential applications in secure data analysis for medical research and encrypted financial transactions.

“Lattica’s product-first approach fundamentally transforms sensitive data processing in the AI ecosystem,” said Sandeep Nailwal, co-founder of Polygon Network and investor in Lattica. “Lattica has made FHE a reality that is both practical and scalable, as Tsabary and her research team is proving that advances in the machine learning stack can significantly boost the performance of FHE and have an immediate impact on the market.”

****About Lattica****

Lattica enables querying AI models with Fully Homomorphic Encryption, offering FHE as a hardware-agnostic, cloud-based service. The platform leads in scientific innovation by ensuring that user queries remain encrypted throughout the entire machine-learning inference process.

Lattica’s Homomorphic Encryption Abstraction Layer (HEAL) connects FHE applications, algorithm implementations, and diverse hardware backends, making secure AI computation as accessible as traditional cloud-based AI services. The company is headquartered in Tel Aviv.

Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE

AOA, DaVita, and Bell Ambulance hit by ransomware in 2025. Over 245K affected as hackers steal patient data,…

AOA, DaVita, and Bell Ambulance hit by ransomware in 2025. Over 245K affected as hackers steal patient data, demand ransoms, and disrupt healthcare services.

This has been a dreadful first quarter for the healthcare sector. After Morphisec’s recent discovery of ResolverRAT malware targeting organisations within the healthcare sectors, three healthcare organizations in the United States have confirmed becoming victims of data breaches this year. These include Alabama Ophthalmology Associates, DaVita, and Bell Ambulance.

Alabama Ophthalmology Associates (AOA), an eye care practice in Alabama, revealed that a data breach occurring between January 22nd and January 30th, 2025, affected a staggering 131,576 individuals. AOA concluded its review of the impacted data on March 19th, 2025, and subsequently began notifying affected individuals.

In its notification (PDF), AOA claims the compromised data includes crucial personal details such as names, Social Security numbers, health insurance information, treatment details, medical record numbers, medical history, and dates of birth. However, they did not mention offering free credit monitoring or identity theft protection, a common practice among breached companies when Social Security numbers are compromised.

The ransomware group BianLian has claimed responsibility for the attack on AOA. This group, known for extorting organizations by threatening to publish stolen data rather than encrypting systems, alleges to have obtained a wide range of sensitive information from AOA, including finance and HR data, patient records, biometric information, and emails.

BianLian’s Data Leak Site Lists AOA (Source: Comparitech)

While BianLian has listed AOA on its data leak site, AOA has not yet verified these claims. It remains unknown the amount demanded, whether AOA paid a ransom, or the specific method used by the attackers to infiltrate AOA’s network.

In a separate incident, Bell Ambulance, a well-established ambulance service provider in southeastern Wisconsin, detected a cybersecurity incident on February 13th, 2025. The company informed its employees about disruptions to their IT systems and initiated an investigation to determine if any information was compromised.

An update on April 22nd confirmed that 114,000 individuals were impacted in this breach, with compromised data potentially including dates of birth, Social Security numbers, driver’s license numbers, financial account information, medical information, and/or health insurance information.

The ransomware group Medusa later claimed responsibility for the attack on March 2nd, 2025, adding that they stole 220 GB of data. The group demanded a $400,000 ransom from Bell Ambulance, threatening to auction the stolen data if their demands were not met within 7 days.

It is worth noting that on April 8, Medusa also claimed a ransomware attack on NASCAR (National Association for Stock Car Auto Racing) demanding a $4 million ransom and threatening to release internal data if payment isn’t made.

DaVita, a Denver-based dialysis firm, was hit by a ransomware attack on April 12, which reportedly encrypted certain on-premises systems. The company is currently addressing the incident, utilizing contingency plans and manual processes, while care delivery continues at its centres and for home care patients. The identity of the ransomware group responsible remains unknown.

“The incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time,” DaVita’s official statement read.

These attacks further emphasize the urgent need for improving cybersecurity measures within the healthcare sector to protect patient data and ensure the continuity of critical medical services.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, shared his comments with Hackread.com regarding the growing vulnerability of the healthcare sector against cyberattacks, stating, _“_Comparitech researchers logged 16 confirmed ransomware attacks on US hospitals, clinics, and other care providers in 2025, compromising the personal and health data of about 470,000 people._“_

“Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the privacy and security of patients. Providers must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics may have to resort to pen and paper, cancel certain appointments, and divert patients elsewhere until systems are restored.”

Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and claims to boost cybersecurity measures.

British retailer Marks & Spencer (M&S), a company with over 140 years of history in food and clothing, experienced a major cybersecurity incident during the Easter break that disrupted some of its essential services.

This event impacted the ability of customers to make contactless payments in their stores and caused delays in the collection of online orders, known as the Click and Collect service. Many customers took to social media platforms to voice their frustrations regarding these issues.

Stuart Machin, the Chief Executive of M&S, issued an apology to customers, acknowledging the disruptions. He explained that the company had to implement temporary adjustments to their store operations as a protective measure for both their customers and the business itself. While the stores remained open and the M&S website and mobile application continued to function normally, the technical difficulties with contactless payments and Click and Collect caused considerable inconvenience.

Email sent by M&S

In response to this incident, M&S promptly engaged external cybersecurity specialists to conduct a thorough investigation and manage the situation effectively. The company also notified key regulatory bodies, including the Information Commissioner’s Office (ICO), the UK’s data protection authority, and the National Cyber Security Centre. An ICO spokesperson confirmed that they were aware of the incident and were in the process of assessing the information provided by M&S.

Furthermore, M&S assured its investors that they were taking proactive steps to enhance the security of their network and ensure the continuation of customer service. In their statement to the London Stock Exchange, M&S emphasized the paramount importance of customer trust and pledged to provide updates if the situation evolved. 

While M&S informed customers that they were actively working to resolve the “limited” delays affecting Click and Collect orders, some shoppers had reported issues even before the official announcement. These earlier complaints included difficulties using gift cards and vouchers within M&S stores. One customer described the situation as a “total failure for customers,” highlighting the lack of communication that could have prevented unnecessary trips to the stores.

The timeline of the incident indicates that while the main cyber incident impacting contactless payments and Click and Collect began on Monday, there was a separate technical problem affecting only contactless payments that occurred on the preceding Saturday. This suggests that M&S was dealing with technical difficulties throughout the weekend and it wasn’t the immediate aftermath of the main cyber incident.

Nevertheless, this incident follows a pattern of similar attacks on UK organizations in recent years. Transport for London had to shut down numerous online services after a cyberattack, Royal Mail faced severe disruptions to international mail services recently resulting in the attackers leaking 144GB of its internal files, and retailer WH Smith experienced a data breach compromising employee information.

James Hadley, Founder and Chief Innovation Officer, Immersive: “Breaches like M&S’s aren’t rare. While they communicated clearly and likely followed tested response plans, such attacks highlight the gap between perceived and actual cyber resilience. Regular cyber drills and realistic crisis simulations are vital for building real confidence and preparing teams to protect critical data in an increasingly high-risk environment.”

M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services

Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data,…

Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data, contacts, and sensitive files.

A malicious version of Alpine Quest, a popular Android navigation app, has been found carrying spyware aimed at Russian military personnel. Security researchers at Doctor Web uncovered the modified software embedded with Android.Spy.1292.origin spyware capable of harvesting data and extending its functionality through remote commands.

Alpine Quest is commonly used by outdoor enthusiasts, but it’s also relied on by soldiers in Russia’s military zones due to its offline mapping features. That made it a convenient cover for attackers, who repackaged an older version of the app and pushed it as a free download through a fake Telegram channel. The link led to an app store targeting Russian users, where the infected software was listed as a pro version of the app.

Once installed, the spyware collects all sorts of information. Each time the app is opened, it sends the user’s phone number, account details, contacts, geolocation, and a list of files stored on the device to a remote server. Some of this data is also sent to a Telegram bot controlled by the attackers, including updated location details every time the user moves.

Left: Telegram channel promoting the malicious Alpine Quest app (in Russian via Dr. Web) – Right: English translation of the image using Yandex AI, via Hackread.com.

Doctor Web’s analysis shows that this spyware is capable of more than passive tracking. After identifying which files are available, the malware can be instructed to download new modules designed to extract specific content. Based on its behaviour, the attackers appear especially interested in documents shared through messaging apps like Telegram and WhatsApp. It also seeks out a file called locLog, created by Alpine Quest itself, which logs user movements in detail.

Because the spyware is bundled with a working version of the app, it looks and functions normally, giving it time to operate unnoticed. Its modular design also means its capabilities can grow over time, depending on the attackers’ goals.

Doctor Web advises users to avoid downloading apps from unofficial sources, even when they appear to offer free access to paid features. Even on official app stores, it’s best to avoid installing apps you don’t truly need. Malicious apps have been known to slip past review processes on both Google Play and the App Store.

At the time of writing, the group behind the campaign has not been identified, and it remains unclear whether this operation is domestic or foreign in origin. However, similar operations in the past have been linked to Ukrainian hacktivist groups, including Cyber Resistance, also known as the Ukrainian Cyber Alliance. In 2023, they reportedly **targeted spouses of Russian military personnel**, extracting sensitive and personal data. However, there is still no confirmed attribution for the group behind this spyware campaign.

Fake Alpine Quest Mapping App Spotted Spying on Russian Military

An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in…

An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in its email-based domain verification method.

Internet security relies on trust, and the Certificate Authority (CA) is a key player in this system as it verifies website identities, and issues SSL/TLS certificates, which encrypt communication between a computer and the website.

However, recently, a serious problem was found with one of these trusted CAs, SSL.com. Researchers discovered a flaw in how SSL.com was checking if someone requesting a certificate actually controlled the domain name, a process called Domain Control Validation (DCV).

SSL.com enables users to verify domain control and obtain a TLS certificate for encrypted HTTPS connections by creating a _validation-contactemail DNS TXT record with the contact email address as the value. SSL.com sends a code and URL to confirm the user’s control of the domain. However, due to this bug, SSL.com now considers the user as the owner of the domain used for the contact email.

This flaw stems from the way email is used to verify control, particularly with MX records, which indicate which servers receive email for that domain. It allowed anyone to receive email at any email address associated with a domain, potentially obtaining a valid SSL certificate for the entire domain. It is specifically related to the BR 3.2.2.4.14 DCV method aka ‘Email to DNS TXT Contact’.

This is a big deal because an attacker wouldn’t need to have complete control over a website e.g., google.com, to get a legitimate-looking certificate as just the email address of an employee or even a free email address that’s somehow linked to the domain is enough.

Malicious actors can use valid SSL certificates to create fake versions of legitimate websites, steal credentials, intercept user communication, and potentially steal sensitive information through a man-in-the-middle attack. A security researcher using the alias _Sec Reporter_ demonstrated this by using an @aliyun.com email address (a webmail service run by Alibaba) to get certificates for aliyun.com and www.aliyun.com.  

This vulnerability affects organizations with publicly accessible email addresses, particularly large companies, domains without strict email control, and domains using CAA (Certification Authority Authorization) DNS records.

SSL.com has acknowledged the issue and explained that besides the test certificate the researcher obtained, they had mistakenly issued ten other certificates in the same way. These certificates, starting as early as June 2024, were for the following domains:

*. medinet.ca, help.gurusoft.com.sg (issued twice), banners.betvictor.com, production-boomi.3day.com, kisales.com (issued four times), and medc.kisales.com (issued four times).

The company also disabled the ‘Email to DNS TXT Contact’ validation method and clarified that “this did not affect the systems and APIs used by Entrust.”

Even though SSL.com’s issue has been resolved, it shows the important steps to maintain website safety. CAA records should be used to tell browsers which companies can issue certificates, public logs should be monitored to catch unauthorised certificates, and email accounts linked to websites should be secure.

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

Terrance, United States / California, 22nd April 2025, CyberNewsWire

**Terrance, United States / California, April 22nd, 2025, CyberNewsWire**

**Joining Criminal IP at Booth S-634 | South Expo, Moscone Center | April 28 – May 1, 2025**

Criminal IP, the global cybersecurity platform specializing in AI-powered threat intelligence and OSINT-based data analytics, will exhibit at RSAC 2025 Conference, held from April 28 to May 1 at the Moscone Center in San Francisco. The company will welcome attendees at Booth S-634 in the South Expo Hall.

**Strengthening Its Global Presence Through Proven Success**

Following its impactful debut at RSAC 2023, Criminal IP has continued to expand its international footprint, establishing partnerships with over 40 global cybersecurity leaders, including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake. Returning to RSAC 2025, the company will further strengthen its position in the global security market by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI).

**Elevating Threat Intelligence with ASM at RSAC**

With a presence in over 150 countries, Criminal IP has positioned itself as a trusted leader in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI). At RSAC 2025, the company will highlight how its platform empowers security teams with real-time, actionable insights to proactively detect and respond to today’s most advanced cyber threats.

**Live Demonstrations & Strategic Dialogues**

Throughout the event, Criminal IP will host live demos and interactive sessions led by the CEO, senior developers, and global product experts. Visitors will gain exclusive insights into:

*   Real-world applications of ASM for enterprise security
*   Emerging threat trends and response tactics
*   Enhancing CTI workflows with AI and automation

Attendees will experience firsthand how Criminal IP uncovers exposed assets, detects abnormal behaviors, and delivers complete visibility across digital infrastructures.

**Connecting with the Criminal IP Team**

Attendees can arrange 1:1 meetings directly at Booth S-634 or pre-book sessions in advance through the Knowledge Hub > Conference section of the Criminal IP website. The team will be available to discuss how the platform can be tailored to support diverse cybersecurity goals.

The booth will also feature exclusive giveaways and a roulette-style prize draw for all on-site attendees.

> “RSAC continues to be a vital platform for exchanging ideas around proactive security,” said Byungtak Kang, CEO of AI SPERA. “We look forward to showcasing how our ASM-powered threat intelligence helps global organizations safeguard their external attack surfaces.”

**About Criminal IP**

Criminal IP is an all-in-one AI-driven threat intelligence platform that enables organizations to detect, assess, and respond to cyber threats in real time. Powered by massive-scale OSINT data and machine learning, the platform provides complete visibility into exposed assets, suspicious behaviors, and indicators of compromise.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Showcase Advanced Threat Intelligence at RSAC™ 2025

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated…

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated financial sector. Balancing innovation with responsibility is important as organizations harness AI’s potential while protecting data, ensuring fairness, and mitigating risks. 

Navigating this intersection of AI ethics, cybersecurity, and finance requires careful strategy.

****AI in Financial Systems****

AI has revolutionized financial systems by enhancing decision-making processes, optimizing resource allocation, and improving fraud detection capabilities. One prominent area where AI thrives is in trading and market analysis. Algorithms powered by AI can analyze massive datasets in real time, identifying trends and making predictions with remarkable accuracy. 

For example, traders often ask, Can you short futures effectively use AI? The answer lies in leveraging sophisticated machine learning models that evaluate market conditions, predict price movements, and execute trades with precision. 

However, employing AI in such high-stakes environments also brings ethical considerations, such as ensuring transparency in algorithmic decisions and addressing the potential for systemic risks caused by automation. Balancing these advancements with robust governance is essential to maintaining trust and stability in the financial sector.

****Why AI Ethics Matters****

AI Ethics emphasizes fairness, accountability, and transparency in developing and using artificial intelligence systems. It prompts questions like, “Is this decision fair?” or “What are the risks if this algorithm fails?” 

These issues are especially critical in finance, where AI-driven decisions can directly impact people’s financial well-being. Financial tools affect nearly every part of life from securing loans to managing investments making ethical practices essential. 

Financial platforms must ensure their AI systems don’t discriminate based on factors like ethnicity, gender, or socioeconomic status. For instance, algorithms used to determine creditworthiness or loan approvals should be carefully designed and tested to prevent bias. Accountability is just as important; companies need systems to evaluate their AI’s impact and correct mistakes. 

Transparency is another cornerstone of AI Ethics. Consumers should know how their data is collected, used, and analyzed. They also deserve clarity on AI-driven decisions and the reasoning behind them. By prioritizing fairness, accountability, and transparency, companies can build trust and ensure their tools serve users responsibly and equitably.

****The Financial Costs of Cyber Threats****

AI doesn’t just create opportunities; it generates risks too. Cybersecurity is a constant challenge. It’s already critical in finance, but AI raises the stakes further. Imagine someone hacking an AI-driven trading system. This could cause widespread market turmoil in minutes.

The costs don’t stop at financial losses. A data breach can damage a company’s reputation. People lose trust, and rebuilding that trust can take years. Businesses need strong security measures to protect against breaches and ensure their AI systems are strengthened.

****Finding Balance Between Tech and Security****

Innovation and security can often feel at odds. New technologies drive progress but can also create vulnerabilities, as cyber threats evolve just as quickly. Cybersecurity teams must not only respond to threats but also anticipate and address issues before they escalate. 

This challenge becomes even greater with AI-powered systems. While transformative, their complexity makes them prime targets for attacks like data poisoning, adversarial manipulation, or algorithm flaws any of which can have serious consequences. 

To secure these systems, organizations should take a layered approach: regular audits to find vulnerabilities, secure coding to reduce risks, and employee training on handling sensitive data. By acting proactively, businesses can innovate without compromising security.

****The Future of AI Responsibility****

The future of AI is tied to how well we manage its capabilities and risks. Industries must keep asking tough questions. How much control should AI have? How do we hold businesses accountable when things go wrong?

This future depends on a collaborative effort. Governments, businesses, and researchers need to work together. Clear regulations should guide how AI is developed and used. Companies should prioritize ethical practices without cutting corners in pursuit of profits. Transparency, fairness, and strong cybersecurity protocols must remain non-negotiable.

The future of AI is both exciting and daunting. While it holds immense potential to improve our lives, it also poses significant challenges that must be addressed. As we continue to integrate AI into our society, we must do so with caution and responsibility.

We must continue having open discussions about the ethical implications of AI and actively work towards creating regulations and guidelines that prioritize human well-being. We must also hold businesses accountable for their actions and ensure that they uphold ethical practices in the development and use of AI.

(Image by Gerd Altmann from Pixabay)

AI Ethics, Cybersecurity and Finance: Navigating the Intersection

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential Revocation app and a Microsoft error in handling user refresh tokens.

Recently, many companies experienced a problem where their employees suddenly couldn’t log into their Microsoft Entra accounts and expressed concern in a Reddit thread. Microsoft, the company behind Entra ID (previously called Azure Active Directory), has explained what happened.

It seems that a newly introduced component of Microsoft Entra ID called the MACE Credential Revocation app, which is designed to enhance security by identifying compromised credentials, mistakenly flagged many regular users as high risk. This led to widespread account lockouts.

Microsoft has traced the root cause to an internal logging issue with a feature called refresh tokens (how users stay logged), which were being logged within Microsoft’s own systems. Specifically, the standard process is to only log metadata about these short-lived tokens, and the problem arose when a subset of these tokens themselves were being logged internally “for a small percentage of users,” beginning on Friday, April 18th, 2025.

As soon as they realized this mistake on Friday, April 18th, 2025, Microsoft took action to fix it. To keep their customers safe, they decided to make these specific tokens invalid, meaning they would no longer work.

However, this process of making the tokens invalid mistakenly triggered alerts in Entra ID Protection. These alerts, sent out on Sunday, April 20th, 2025, between 4 AM and 9 AM UTC, made it seem like users’ login details might have been stolen.

Microsoft has stated that they don’t have any proof that anyone gained unauthorized access to these tokens. “We have no indication of unauthorized access to these tokens – and if we determine there were any unauthorized access, we will invoke our standard security incident response and communication processes,” the tech giant noted.  

For companies whose users were locked out because they were wrongly marked as high-risk, Microsoft suggests a solution. Administrators can use a feature called Confirm User Safe within Entra ID. This tells the system that even though an alert was raised, the user’s account is actually okay. Microsoft has provided a link to their help documentation that explains how to use this feature and understand the risk alerts. 

Microsoft is still looking into exactly what went wrong and will share a detailed report, called a Post Incident Review (PIR), with all the affected customers and anyone who opened a support ticket.

To be notified when this report is available or to stay updated on any future problems with Azure services, Microsoft recommends setting up Azure Service Health alerts. These alerts can send notifications through email, text messages, and other methods. 

Jim Routh, Chief Trust Officer Saviynt, shared his thoughts on the situation with Hackread.com. He pointed out that even though this caused problems for some Microsoft business customers over the weekend, there were some positive aspects.

“The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery,” he said. ”The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend,” Routh added.

Source

HackRead