Discover how cybercriminals use 'Infrastructure Laundering' to exploit AWS and Azure for scams, phishing, and money laundering. Learn about FUNNULL CDN's tactics and their global impact on businesses and cybersecurity.

Cybersecurity firm Silent Push has identified a new cybercriminal tactic called “Infrastructure Laundering.” Researchers say this technique is becoming more common in the cybercrime world. According to Silent Push’s Threat Analysis team’s investigation, shared with Hackread.com, through this tactic cybercriminals are exploiting mainstream cloud providers like Amazon Web Services (AWS) and Microsoft Azure.

This method allows threat actors to mask their illicit activities by renting IP addresses from these legitimate providers and linking them to their criminal websites. The FUNNULL content delivery network (CDN) extensively uses this tactic, revealing a direct connection to money laundering, retail phishing schemes, and various online scams.

For your information, infrastructure laundering is a form of cybercrime that involves criminals blending their malicious activities with legitimate web traffic, making it difficult for defenders to block access without disrupting legitimate users. This differs from traditional “bulletproof hosting” services, which operate in lax regulations.

FUNNULL’s operation involves renting thousands of IP addresses from major cloud providers, and then constantly cycling through them to stay ahead of detection.  FUNNULL, reportedly, rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Most of these have already been taken down, but new IPs are continually acquired. 

Silent Push observed that FUNNULL likely uses stolen or fraudulent accounts to secure these IPs, a process that remains largely invisible to outside observers. The connection between FUNNULL and money laundering services, retail phishing, and “pig butchering” scams, all hosted via this infrastructure laundering, emphasizes the real-world impact of this cybercrime tactic.

A supply chain attack earlier this year, where FUNNULL compromised the popular JavaScript library polyfillio, impacting over 110,000 websites, showcases the sophisticated methods employed by these criminal networks.

Further probing revealed a large cluster of malicious infrastructure, facilitating extensive cybercriminal activities, many orchestrated by Chinese Triad groups. This aligns with the UNODC’s 2024 Report on Transnational Organized Crime, which highlights “the convergence of cyber-enabled fraud, underground banking, and technological innovation in Southeast Asia,” researchers noted.

Moreover, the FUNNULL network of scam/money laundering websites is hosted on a combination of Western IP addresses owned by US companies and Asian hosting providers.

“FUNNULL CDN has been identified as hosting over 200,000 unique hostnames, of which approximately 95% are generated through Domain Generation Algorithms (DGAs),” Silent Push’s blog post revealed.

Infrastructure of the entire campaign (left) – b69885com hosted on Microsoft infrastructure (Via Silent Push)

Researchers noted that Bwin, an online gambling portal, is being abused by FUNNULL with dozens of “Bwin-impersonated sites” found on Microsoft infrastructure. A spokesperson from Bwin’s parent company Entain has confirmed that these are fake sites. However, around a dozen other major online gambling brands’ trademarks are also being abused across tens of thousands of shell gambling websites.

Silent Push investigation into fraudulent IP rentals and the ease with which organizations like FUNNULL can repeatedly rent new IPs despite being linked to known malicious activity raises concerns. Researchers suggest that providers must track the specific CNAME chains used by FUNNULL and actively monitor newly rented IPs being mapped to those CNAMEs to effectively combat this tactic

Amazon, in a public statement, acknowledged the issue and confirmed they were suspending fraudulently acquired accounts. They refuted claims of enabling or profiting from such activity, emphasizing their commitment to investigating and stopping abuse.

FUNNULL Unmasked: AWS, Azure Abused for Global Cybercrime Operations

DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.

DeepSeek, a Chinese AI company, has made a name for itself with its AI models that rival OpenAI’s systems. But along with its rise came a serious security issue as researchers at Wiz found that a database tied to the company was left publicly accessible, exposing over a million log entries, backend details, software keys, and more.

****How It Happened****

During a routine security assessment, researchers at Wiz discovered that DeepSeek had an unprotected ClickHouse database, open to anyone with internet access. This database wasn’t just visible; it allowed full control over stored data, meaning an attacker could manipulate or extract critical information without restriction.

The exposed database was linked to multiple subdomains, including:

dev.deepseek.com:9000

oauth2callback.deepseek.com:9000

ClickHouse is an open-source, columnar database management system designed to process analytical queries on large datasets quickly. Originally developed by Yandex, it’s widely used for real-time data analytics, log processing, and business intelligence.

According to Wiz’s blog post, its researchers were able to query the system without authentication, revealing a massive volume of logs containing:

*   **API keys**
*   **Chat histories**
*   **Backend service details**
*   **System operational metadata**

This wasn’t just a minor misconfiguration. The database contained detailed logs of internal system activity, exposing how DeepSeek’s AI tools operate and communicate. Worse yet, the exposure meant attackers could execute commands and extract even more sensitive data directly from the server.

****What Was at Risk?****

DeepSeek’s AI services process large amounts of user-generated data, meaning chat logs could have included personal or proprietary information. The database also stored API keys, which, in the wrong hands, could allow attackers to impersonate DeepSeek’s services or access further internal systems.

Given the expansion of AI startups, security often takes a backseat to development speed. In this case, a simple security lapse exposed valuable internal data, which could have been exploited by cybercriminals.

****DeepSeek’s Response****

Once notified by Wiz, DeepSeek moved quickly to lock down the database and remove public access. However, it remains unclear whether any unauthorized parties accessed the information before it was secured.

****DeepSeek: Privacy and Cybersecurity Concerns****

DeepSeek’s Chinese ownership has already raised concerns among Western governments, with some critics arguing that the chatbot collects excessive personal data, posing privacy risks. Adding to these worries, DeepSeek recently reported a “large malicious attack” that forced the company to suspend new user registrations. Now, with a publicly exposed database compromising sensitive information, the company faces yet another cybersecurity setback.

****Expert Opinion****

Gunter Ollmann, CTO at Cobalt, notes that situations like the DeepSeek issue happen often because the process of getting the product up and running takes priority over security. Also, since DeepSeek has taken a prominent place in the world of AI, the impact could have been huge for companies and individual users.

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security.” Explained Gunter. “Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs.”

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

San Francisco, United States / California, 30th January 2025, CyberNewsWire

**San Francisco, United States / California, January 30th, 2025, CyberNewsWire**

Doppler, the leading provider of secrets management solutions, announced a new integration with Datadog, a cloud application monitoring and security platform. This collaboration provides engineering and operations teams with an integrated solution for securely managing sensitive credentials and gaining insights into cloud environments through real-time monitoring.

In an era of rapid cloud adoption, DevOps and security teams face mounting challenges in safeguarding sensitive data across distributed systems. By combining Doppler’s automated secrets management capabilities with Datadog’s comprehensive monitoring platform, this integration enables teams to enhance their security practices while maintaining operational visibility. Doppler’s automated secrets storage and rotation, paired with Datadog’s continuous monitoring, empowers teams to mitigate risks of secret sprawl and prevent unauthorized access in a scalable, automated fashion.

**Streamlining security and visibility across cloud environments**

Many DevOps teams need help maintaining consistent security practices as secrets are often scattered across environments, increasing the risk of misconfigurations. The Doppler integration with Datadog addresses this issue head-on by creating a centralized workflow for managing secrets and monitoring activity across all environments. With Datadog’s alerts and Doppler’s automated security measures, teams can detect and respond to suspicious activity, helping to ensure security and compliance.

> “We are thrilled to integrate with Datadog to combine our secrets management capabilities with their monitoring platform,” said Brian Vallelunga, CEO and Founder of Doppler. “This integration simplifies security for developers and gives organizations the ability to manage secrets at scale, gaining visibility and control over sensitive information across the entire cloud environment. Together, we’re helping teams protect their data while allowing them to stay focused on building great software.”

**How the Doppler-Datadog Integration Solves Key Security Challenges**

*   **Automated secrets management**: Doppler’s platform automates the rotation, storage, and encryption of secrets, minimizing the risk of human error and unauthorized access.
*   **Real-time monitoring and alerts**: Datadog’s continuous monitoring enables teams to track secret usage, receive alerts for suspicious access, and respond quickly to any anomalies.
*   **Security across hybrid environments**: This integration unifies secrets management and monitoring, providing consistency in security practices across hybrid and multi-cloud setups.

**Centralized deployment for DevOps and Security teams**

The integration allows teams to centralize secrets management in Doppler while benefiting from Datadog’s secret usage observability. This provides a simplified solution for both managing and monitoring sensitive information. This approach enhances security without disrupting workflows, helping organizations to meet compliance requirements, reduce risk, and modernize their operations.

**Availability**

The integration is available now. For more information on how this integration can improve users’ security posture and improve secrets management, users can visit the Datadog Integration Documentation.

**About Doppler**

Doppler is a leader in secrets management, providing a centralized, secure solution that automates handling sensitive information such as API keys, tokens, and credentials. Thousands of development teams worldwide trust Doppler to simplify secrets management, improve operational efficiency, and prevent data breaches.

**Contact**

**Doppler Press**  
**\[email protected\]**

Doppler announces integration with Datadog to streamline security and monitoring

Palo Alto, USA, 30th January 2025, CyberNewsWire

**Palo Alto, USA, January 30th, 2025, CyberNewsWire**

SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses “Browser Syncjacking” , a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk

**SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.**

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Unveils “Browser Syncjacking” Attack Granting Full Browser and Device Control

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces.…

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces. No arrests confirmed yet.

On January 29, 2025, **reports emerged that** the FBI had seized three major cybercrime and hacking forums: Nulled.to, Cracked.to, and Cracked.io as part of an ongoing operation targeting cybercrime facilitators. Authorities also took down three other domains: StarkRDP.io, Sellix.io, and MySellix.io and pointed their DNS records to FBI servers.

At the time, there was no official confirmation from the FBI about the seizure, nor were there any seizure notices on the affected sites. However, Hackread.com can now confirm that some of these sites are now displaying seizure notices, indicating that they were taken down as part of an operation called Operation Talent.

Those visiting these websites can see a banner displaying the _“_This website has been seized_“_ message.

_“_Operation Talent – This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners,_“_ says the seizure notice on Nulled.to and Cracked.to.

Seizure notice on the seized sites (Screenshot credit: Hackread.com)

****What is Operation Talent?****

Operation Talent is an international law enforcement initiative led by the FBI targeting cybercrime forums and associated websites. On January 29, 2025, the operation resulted in the seizure of several domains, including Cracked.io, Nulled.to, StarkRDP.io, Sellix.io, and MySellix.io. These platforms were known for facilitating various cybercriminal activities, such as the distribution of cracked software, stolen credentials, and hacking tools.

The operation was conducted by the FBI along with its international partners including the European Union Agency for Law Enforcement Cooperation (Europol), the Australian Federal Police, Germany’s Federal Criminal Police Office, and others, highlighting the collaborative nature of this operation.

****Seizure of StarkRDP.io, Sellix.io, and MySellix.io********StarkRDP.io****

StarkRDP.io was a virtual hosting provider specializing in Windows and Linux virtual servers, offering various hosting packages with features like instant deployment and dedicated IP addresses. Their services were marketed for automatic deployment within five minutes of payment confirmation. However, the platform was also misused by malicious actors to host scams and facilitate cybercrime activities, ultimately leading to its seizure.

****Sellix.io and MySellix.io****

Sellix SRL is a gateway system that brands itself as a “Cross-Border Finance” service, operating **out of** Bologna, Italy. Hackread.com’s research reveals that the Cracked.to forum **utilized** MySellix.io’s payment services for invoicing and other payment-related transactions, indicating a connection between the two platforms in facilitating financial operations.

DNS records on Sellix.io and MySellix.io have been changed to the ones owned by the FBI (Screenshot credit: Hackread.com)

****Cracked.to’s Statement****

Cracked.to’s administrators have confirmed the seizure on their Telegram channel, calling the event “A sad day indeed for our community.”

“Now that everyone has more clarity on the situation, Cracked.io has been seized under Operation Talent with specific reasons being undisclosed. We are still waiting for the official court documentation from the data centre and the domain host. We will inform you guys further on those details once we have it,” the **announcement** said.

At the time of writing, it remains unclear whether any arrests have been made. However, since Cracked.to’s administrators are still active, it suggests that the forum may resurface under a different domain in the near future.

As of now, neither the FBI nor any U.S. law enforcement agency has issued an official press release regarding the seizures. Hackread.com has reached out to authorities for comment and will provide updates as soon as a response is received. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

Operation Talent: FBI Seizes Nulled.to, Cracked.to, Sellix.io and more

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers.…

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers. No official confirmation yet. Cybersecurity experts await updates.

Today, two of the most prominent hacking and cybercrime forums, Nulled.to and Cracked.to, appear to have been seized by the FBI, as indicated by recent changes in their DNS records. However, no official press release or announcement has been made by the agency, leaving both cybercrime and the cybersecurity community speculating about the situation.

****DNS Records Indicate FBI Takeover****

According to publicly available WHOIS and DNS records, both **Nulled.to** and **Cracked.to** have had their **name servers changed to FBI-controlled domains** earlier today, specifically:

****DNS Records for Nulled.to****

*   **Domain Created:** March 5, 2022
*   **Last Edited:** January 30, 2025
*   **Expires:** March 5, 2026
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

****DNS Records for Cracked.to****

*   **Domain Created:** July 27, 2020
*   **Last Edited:** January 30, 2025
*   **Expires:** March 17, 2028
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

These changes indicate a government seizure. However, as of now, no seizure banner is displayed on the websites, and no official press release has been issued by the FBI or any U.S. law enforcement agency.

Screenshot: Hackread.com

****What Were Nulled.to and Cracked.to?****

Both forums were widely known for facilitating various cybercrime activities, including account breaches, where leaked credentials for platforms like Netflix, Steam, and banking accounts were bought and sold. They also served as hubs for cracked software, offering pirated programs and game cheats.

Additionally, discussions on fraud and carding were prevalent, covering illegal financial activities such as credit card fraud and identity theft. Furthermore, users exchanged information and tools related to hacking and exploits, including malware, botnets, and ransomware, making these platforms a major threat to cybersecurity.

****Lack of Official Statement Echos Breach Forums Take Down****

While the DNS changes suggest law enforcement action, the lack of an official announcement brings to mind the failed seizure of BreachForums. On May 15, 2024, the FBI took control of its domain and placed a seizure notice on the homepage but never officially confirmed the action or issued a press release.

On May 17, 2024, the admin and owner of the forum, linked to the ShinyHunters hacker group, boasted about reclaiming the seized domain right under the FBI’s nose. To make things worse for the agency, by May 22, 2024, the forum was fully restored using its original domains. To this day, the FBI has not issued any statement or acknowledged its failure to retain control of the domain.

Nevertheless, historically, when the FBI seizes a website, it displays a seizure notice, as seen in the takedowns of RaidForums, BreachForums (V1), and WeLeakInfo. The absence of such a banner suggests that further action may be in progress.

Hackread.com has reached out to authorities for comment. We will provide updates as soon as we receive a response. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

FBI Seizes Leading Hacking Forums Cracked.to and Nulled.to

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility…

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility of selling to access rather than selling data.

**IntelBroker**, a notorious hacker linked to prior high-profile cyberattacks, has announced an alleged new data breach of Hewlett-Packard Enterprise (HPE). The hacker claims to have accessed and cloned new data from HPE’s repositories.

Although the claimed data is 500 MB in size, a relatively smaller size than usual, screenshots shared exclusively with Hackread.com provide insights into what looks like the compromised infrastructure, revealing exposed credentials, internal configurations, and proprietary source code.

This latest breach is the second time IntelBroker has targeted Hewlett Packard Enterprise. In January 2025, as **reported by Hackread.com**, IntelBroker publicly claimed responsibility for compromising HPE’s infrastructure in an earlier attack. That breach, disclosed via Breach Forums and in an exclusive conversation with Hackread.com, involved a substantial exfiltration of sensitive data.

****Latest Claims****

A quick analysis of the data tree and internal screenshots seen by Hackread.com points out at possible extraction of some sensitive data including private keys and certificates, proprietary source code for HPE products, including iLO and Zerto systems, Internal Git repositories and Docker builds.

Additionally, the data tree shows that hackers also allegedly managed to access exposed infrastructure configurations including internal services and endpoints, such as SignonService and Salesforce integrations, Internal DNS and deployment pipelines for microservices, MongoDB credentials, QIDs integrations and more.

Screenshots provided to Hackread.com by IntelBroker

****Plans to Sell Access****

In the first alleged HPE breach, IntelBroker offered the stolen data for sale, demanding payment in Monero cryptocurrency to stay anonymous. This time, however, the hacker claims they plan to release the entire data set for free and sell the access.

> _“I am not sure about selling the data, maybe I will just leak it for free this time, I don’t know yet but my team could be selling the access we have to HPE infrastructure, to interested parties.”_
> 
> IntelBroker told Hackread.com.

Nevertheless, the claims of the new HPE data breach show the urgency for organizations to secure their infrastructure, regularly audit access controls, and monitor for suspicious activity. If validated, this breach represents a major incident for HPE, with long-term implications for their operations and customer trust.

****HPE is NOT HP Inc.****

Hewlett-Packard Enterprise (HPE) and HP Inc. are two separate entities that originated from the **split** of Hewlett-Packard in 2015. HPE focuses on enterprise-level IT solutions, including servers, storage, networking, cloud computing, and software services tailored for businesses.

In contrast, HP Inc. specializes in personal computing devices and printers, targeting consumers and small businesses. While they share a common origin, their operations and focus areas are entirely different.

Hackread.com has reached out to HPE for a statement. Any response from the company will be added to this article as soon as it is received. Stay tuned for updates!

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**

Hackers Claim 2nd Breach at HP Enterprise, Plan to Sell Access

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via…

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via .tgz attachments. All by leveraging PureCrypter and TOR network for stealthy C2.

A malicious campaign, discovered by Cisco Talos in July 2024, targeted users primarily in Poland and Germany through phishing emails containing malicious attachments disguised as.tgz files. These emails impersonate financial institutions and businesses, often with themes like money transfer confirmations or order receipts. They are primarily written in Polish and German and contain compressed.tgz files.

According to Cisco Talos’ research, shared with Hackread.com ahead of its publishing on Tuesday 28, the actor has deployed other payloads as well, including “Agent Tesla, Snake Keylogger and a new undocumented backdoor, which researchers dubbed TorNet. 

Phishing email in Polish and German language (Via: Cisco Talos)

When a user extracts an attachment from a file, a.NET executable file appears, which downloads the next stage of the attack, the PureCrypter malware, from a remote server or within the loader itself (decrypted using the AES algorithm and loaded into the targeted device’s memory). 

The PureCrypter malware is a Windows dynamic-link library obfuscated with Eziriz’s.NET Reactor obfuscator. It contains encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL, and the TorNet backdoor.

PureCrypter employs various evasion techniques, including disconnecting the victim’s machine from the network before dropping payloads, checking for a virtual machine, sandbox environment, or debugger status, and modifying Windows Defender settings. It ensures persistence by creating a scheduled task that runs every few minutes, even on low battery, and adding entries to the Windows registry to ensure the loader runs on startup. 

Moreover, it drops the TorNet backdoor, which is a relatively new .NET backdoor used in this attack to connect to a C2 server over the TOR network for stealthy communication. It anonymizes the communication with the C2 server, making detection harder. After establishing a connection, it sends identifying information and allows attackers to carry out remote code execution by sending arbitrary.NET assemblies to the C2 server, hence, expanding the attack surface substantially.

Attack flow (Via Cisco Talos)

The campaign uses advanced techniques like network disconnections, Tor network exploitation, and multi-stage payloads. The use of the Tor network further hinders tracking/disruption. This campaign highlights the need for continuous caution and network monitoring to address attackers’ growing threat tactics.

1.  **New WarmCookie Malware in Espionage Campaign**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **Kronos Variant banking trojan spotted using Tor network**
4.  **Fake Tor Browser Installer Spreading Malware Via YouTube**
5.  **BlackByte Ransomware Exploits VMware Flaw in VPN Attacks**

Source

HackRead