Coupang confirms a data breach affecting 33.7 million users in South Korea, exposing names, contacts and order details. Investigation is ongoing.

Coupang, South Korea’s largest e-commerce company, has disclosed a major data breach affecting nearly the entire domestic user base. The company confirmed unauthorised access to account data belonging to more than 33.7 million customers, with exposed details including names, phone numbers, emails, addresses and order history.

The company initially detected suspicious access on November 18, flagging a breach involving around 4,500 accounts. But as investigators dug deeper, the scale expanded accordingly. The breach is now believed to date back to late June and was traced to a server located outside the country.

Coupang’s homepage (Image credit: Hackread.com)

South Korea’s internet watchdog and law enforcement are actively investigating. Coupang has reported the breach to the National Police Agency, the Personal Information Protection Commission and the Korea Internet & Security Agency.

The company says there is no evidence that sensitive data such as payment information, passwords or account login details were exposed. That claim has been repeated in the FAQ posted to its official website, where Coupang reassures users that credit card data remains secure.

Still, security experts are raising concerns about how long the breach remained active. Piyush Pandey, CEO of access security firm Pathlock, commented that incidents like this highlight the need for early threat detection rather than relying solely on perimeter defences. “In today’s threat environment, success isn’t just about blocking attacks. It’s also about how quickly you can respond once a breach happens,” he said.

Coupang users impacted by the breach are being notified directly via email and text. The company said no follow-up action is required from affected customers, but it warned people to be cautious of phishing attempts that may take advantage of the incident.

So far, no secondary misuse of the leaked data has been reported, but the full impact remains under review. Coupang said its internal teams are working with investigators and pledged to provide updates as more information becomes available.

> _With a total population of 51.7 million, the Coupang data breach impacts approximately 65.2% of South Korea’s population._

The breach adds to a series of recent data incidents affecting major Korean companies, with SK Telecom among those previously targeted. With nearly every South Korean customer affected in this case, Coupang is now facing serious questions about its internal security posture and breach response timeline.

Coupang Data Breach Affects All 33.7 Million South Korean Accounts

Swiss and German police shut down Cryptomixer, seizing servers, domains and 28M dollars in Bitcoin during an Europol backed action targeting crypto laundering.

Swiss and German authorities carried out a coordinated action in Zurich this week to take down Cryptomixer, a cryptocurrency mixing service available on both the clear and dark web through the Tor browser.

Europol, which supervised the operation, said the move followed a long-running investigation into the service’s use by ransomware groups and dark web markets.

During the operation, authorities seized three servers, the cryptomixer.io domain, its clear web and Tor gateways, plus more than fourteen terabytes of data and about €24 million ($28 million) in Bitcoin.

Europol noted that the seized systems provide investigators with data that had previously been concealed by the mixer’s processes. Cryptomixer’s servers now display a seizure notice, and authorities are continuing to examine the data pulled from the infrastructure.

Investigators say Cryptomixer has operated since 2016 and processed more than one point three billion Euros in Bitcoin. The service pooled deposits for extended periods and redistributed them at unrelated times, a method that enabled cybercrime groups to hide transactions connected to ransomware, drug trafficking, weapons trafficking and payment card fraud.

The action was organised under Operation Olympia and backed by Europol’s Joint Cybercrime Action Taskforce. The agency coordinated meetings, handled intelligence exchange and placed forensic specialists on site during the seizure. Eurojust and Empact also supported the judicial and operational work.

The shutdown follows earlier actions against BestMixer.io, Sinbad.io, Blender.io, and Samourai Wallet as investigators worldwide pressure mixers that hide financial trails on public blockchains.

Europol video on the Cryptomixer takedown

German agencies involved included the Federal Criminal Police Office and the Frankfurt Cyber Crime Centre. Swiss participation came from Zurich City Police, Zurich Cantonal Police and the Zurich Public Prosecutor. Europol said further analysis of the seized material is already underway.

Police Seize Cryptomixer Domains, Infrastructure and 28M Dollars in Bitcoin

How you choose to store your assets is one of the most important decisions you’ll make when you…

How you choose to store your assets is one of the most important decisions you’ll make when you step into the **Web3** world. Pick right, and you’ll be able to grow your wealth, interact with blockchain services, and transact with other people without feeling like it’s a total gamble. You’ll also gain something pretty rare to come by in the blockchain space: peace of mind. 

However, if you rush the process, get complacent, or simply don’t put any thought into your storage strategy, then you’re lining yourself up for being one of the next cautionary tales people tell on Reddit. Don’t let that be you.

In this quick guide, we will share what a secure setup really looks like when securing your digital assets, as well as some classic mistakes to watch out for.

****Start With a Safe Environment****

First things first, you need to take a closer look at the device you use every day. If that’s not safe, then nothing else will be either. If your phone or laptop is compromised, perhaps by malware or a keylogger, your wallet will be indirectly compromised too.

The same goes for any operating system you use, or even an application that’s become outdated. If you’re actively accessing your crypto assets on a device, you absolutely need to ensure the environment is safe and that you aren’t unknowingly putting your security at risk. 

The safest play is to thoroughly clean up the environment, such as removing any unwanted apps, keeping your OS and software updated, and removing any browser extensions that track or manipulate activity in the background. Of course, this also means you should never access your crypto accounts while using **public Wi-Fi**.

****Pick a Wallet Setup That Matches Your Risk Level****

The **crypto wallet** you decide to use has huge ramifications on how much risk you’re exposed to when storing, managing, or transferring your coins. If you use a hot wallet (one that’s always connected to the internet), you are naturally more exposed to hacking attempts as your assets are online. 

Cold wallets offer much greater protection because your keys are kept offline, but they aren’t foolproof either. Aside from the extra verification steps you need to complete every time you interact with the blockchain, you also need the discipline to keep your device safe, up to date, and your recovery details secure. 

There’s long been a debate over hot vs cold wallets, but the best strategy isn’t one or the other. It’s a mixture of both. Most Web3 veterans keep a small amount in a hot wallet for convenience, but the bulk of their holdings are locked away in a cold setup for long-term storage.

The real danger isn’t choosing the wrong wallet, but in treating all your assets the same, no matter how much you hold or how often you move them.

****Protect Your Keys the Smart Way****

Your **recovery phrase** controls everything. Whoever holds it has full access to your account and can send your assets wherever they please. It’s absolutely paramount that this stays protected, which is why you should never store it digitally. 

Many newcomers make the mistake of taking a screenshot of their phrase, writing it down in a note-taking app, or saving it on a file-sharing platform like **Google Drive**. 

Instead, it’s a good idea to write down your phrase physically, either on a piece of paper or on thin metal. Doing a backup like this means the only way you can be exposed is if someone ends up with the physical document, which is why many people choose to store them in a safe or a deposit box. 

However you decide to store it, just make sure it’s reachable in an emergency. You may also want to keep multiple physical backups in different locations, just in case of an event like a fire that would likely destroy your backups.

****Safe Habits Every Transaction Needs****

Your crypto assets are never more at risk than when you’re making a transaction. Not only are you logging in and accessing your wallet, but you’re also signing and authorizing a transaction for funds to leave your account. Just one mistake here, and it could spell disaster.

As you would expect, most losses here occur for two main reasons. Rushing and complacency. Maybe you’ve seen a big trading opportunity, and you want to send your funds to a DEX to capitalize on it. Or perhaps you’re so used to interacting with your wallet that you get careless. Both of these scenarios create situations where mistakes and excessive risk-taking can occur. 

The rule of thumb when sending transactions is always to take your time. Double and triple-check the receiving address before you confirm anything. Don’t ever assume that the details are correct. Make sure.

Also, make sure you bookmark any site you’re interacting with and always send to legitimate accounts. People go to great lengths to create fake websites, and they can fool even the most seasoned crypto pros. If something feels off, pause. Hesitation is one of the simplest security tools.

****Know When to Update Your Security Setup****

Your security strategy shouldn’t be something that you just set up once and then forget about. Web3 moves quickly, and new threats and vulnerabilities pop up every day. If you sit still, you make yourself more vulnerable to these new attack vectors. 

With this in mind, make it a habit to review your security setup regularly. This doesn’t mean you need to overhaul everything each week, but a couple of times per year will give you a solid foundation. 

Ask yourself whether the wallet you’re using is still the best fit for your holdings. Do you need to move more assets to your cold storage? Have you done all the software updates for your devices? Even something as simple as changing your passwords on exchanges can make a big difference.  

You should also stay informed about what’s happening in the space. The more you know about what’s going on in Web3 and what threats are out there, the better you can protect yourself and avoid falling victim to them.

****Final Word****

Protecting your digital assets doesn’t need to be complex. All you need to do is put a little thought into it and stick to a routine. You can easily fall into the trap of getting caught up in how fast and exciting the whole Web3 experience is. However, before you begin creating wealth in Web3, you need to establish basic security processes.

Start by cleaning your environment, choosing the best wallet setup for your requirements, protecting your recovery phrase as if your entire financial future depended upon it, and developing the everyday habits that will help you stay secure even as new threats arise. 

(Photo by Shubham Dhage on Unsplash)

What a Secure Setup Really Looks Like for Storing Digital Assets

An Australian man who used fake “evil‑twin” Wi‑Fi networks at airports and on flights to steal travellers’ data has been jailed for 7 years and 4 months.

In April 2024, as reported by Hackread.com, staff on a commercial flight spotted a suspicious Wi‑Fi network, prompting an investigation by the Australian Federal Police (AFP). The man, identified by the media as Michael Clapsis, used a portable wireless hacking device to create “evil‑twin” Wi‑Fi hotspots, fake access points mimicking legitimate airport or airline Wi‑Fi networks.

Travellers who connected were redirected to fake login pages, where the attacker could harvest credentials for email, social media or other accounts. After officers searched his luggage and home, they found devices and records showing he had stolen login credentials and intimate photos and videos belonging to multiple people.

The day after the search warrant was executed, he deleted 1752 files from his cloud storage account and failed in an attempt to remotely wipe his phone. On April 22 and 23, 2024, he used a software tool to access his employer’s laptop without permission and viewed confidential online meetings between his employer and the AFP about the investigation.

According to AFP’s press release, he also unlawfully accessed social media and other online accounts belonging to several women without their knowledge to monitor their activity and steal private photos and videos. On 28 November 2025, a court sentenced him to 7 years and 4 months in prison; he will be eligible for parole after five years.

Michael Clapsis (right) – Image credit: AFP)

The case may sound like a happy ending scenario, but in reality, it is a warning to travellers about the dangers of public Wi‑Fi. An “evil‑twin” attack happens when a hacker sets up a wireless access point that looks real but secretly intercepts all data users share.

Security experts recommend avoiding public Wi‑Fi when possible, using a trusted virtual private network (VPN), disabling automatic connection to open networks and never entering passwords or sensitive information on unfamiliar Wi‑Fi portals.

Evil Twin Wi‑Fi Hacker Jailed for Stealing Data Mid‑Flight

Claymont, Delaware, 1st December 2025, CyberNewsWire

**Claymont, Delaware, December 1st, 2025, CyberNewsWire**

**Lancaster’s arrival brings significant North American channel experience and expertise, supporting usecure’s ambition to cement its position as the market-leading human risk management solution for MSPs.**

usecure today announced the appointment of Kevin Lancaster as a Non-Executive Director. Kevin joins usecure with a wealth of experience in the North American channel and a strong background in human risk management and security awareness. He founded ID Agent, which was later acquired by Kaseya, and has led the Channel Program as CEO, building one of the most established channel communities in the market.

Kevin will work with the board and executive team to support usecure’s continued expansion in the North American channel and help advance the company’s goal of becoming the number one human risk management solution for managed service providers.

Kevin’s appointment comes at a time of rapid momentum for usecure. The company protects half a million end users around the world and works with a broad partner ecosystem, including more than 1,800 MSP partners. In North America, usecure’s growth is supported by leading distribution partners, including Pax8, Contronex, and Sherweb. These partnerships enable MSPs across the region to access and deploy human risk management services through their preferred marketplaces and distributors.

> “Kevin is an outstanding addition to usecure’s board,” **said Charles Preston**, Founder and CEO of usecure. “He brings hands-on channel leadership, deep knowledge of security awareness and human risk management, and a track record of scaling channel-first product and community businesses. Kevin will be instrumental in helping us accelerate the growth we are already seeing in the channel and expand our footprint in North America.”

> Kevin Lancaster commented on the appointment, saying he is excited to join usecure’s board and support the company’s ambitions. “usecure is at a pivotal moment in the evolution of Human Risk Management, and I am thrilled to help accelerate its mission. The team has built something genuinely innovative, and I am looking forward to guiding usecure through its next phase of growth,” said Lancaster.

usecure’s recent industry recognition reflects this momentum. The company was named a finalist in CRN’s ‘Security Vendor of the Year’ and ‘Rising Star’ categories, earning praise from judges in the ‘Security Vendor of the Year’ category. These accolades highlight the company’s commitment to delivering partner-led innovation and measurable human risk reduction for MSPs and their customers.

**About Kevin Lancaster**

Kevin Lancaster is a leading channel expert and tech entrepreneur, best known as the founder of ID Agent, acquired by Kaseya, and as the CEO of Channel Program and BetterTracker. He has built and led channel programs that have driven billions in revenue, scaling cybersecurity and SaaS businesses across the MSP ecosystem. Kevin is widely respected for his deep expertise in cybersecurity innovation and building channel-first communities that accelerate partner success.

**About usecure**

usecure provides human risk management solutions built for the channel. The platform combines automated phishing simulations, bite-sized training, dark web monitoring, and compliance features to help MSPs and internal IT teams reduce human cyber risk through behaviour change and data-driven insights. Today, usecure supports hundreds of thousands of end users and more than 1,800 MSP partners globally and has been recognised by industry awards and peer reviews for its partner-focused approach and impact on reducing human risk.

**Contact**

**Channel Marketing Manager**  
**Hetty Roach**  
**usecure**  
**\[email protected\]**

Kevin Lancaster Joins the usecure Board to Accelerate North American Channel Growth

CloudSEK found over 2,000 fake sites impersonating Amazon and top brands before Cyber Monday and Black Friday. Learn the key fraud signs now to stay safe.

Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday.

Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season.

The fake sites were identified by their suspicious resource usage and recurring templates. This operation includes two main groups: one with over 750 interconnected sites, 170 of which impersonate Amazon using uniform banners, flipclock-style urgency timers, and misleading trust symbols. The second group comprises over 1,000 .shop domains impersonating major brands like Apple, Samsung, Dell, Ray-Ban, and Xiaomi.

****How Scammers Are Tricking Customers****

These fake shops look real because scammers have used the same basic tools (phishing kits) to quickly build thousands of similar websites. To rush buyers into purchasing, they use fake countdown timers and urgent messages about low stock.

The sites are linked because they all load their designs from the same shared source, like a digital fingerprint, which allowed CloudSEK to trace these stores back to a single criminal group. The sites are spread through social media ads, search results, and messaging apps like WhatsApp and Telegram

Researchers explain that once a shopper decides to buy, they are sent to a shell checkout page, which looks like a standard payment screen but is actually designed to steal sensitive financial details. For example, the domain amaboxreturns.com redirects payment through another unflagged domain, allowing criminals to complete fraudulent transactions without raising alarms. CloudSEK noted that these payment portals often use a China-based provider for hosting.

Use of fake trust badges, scarcity messaging, and fabricated recent-purchase pop-ups to create urgency, and Checkout pages capture full billing and payment details for financial theft (Source: CloudSEK)

“WHOIS records for georgmat.com indicate hosting through a China-based provider (Alibaba Cloud Computing Ltd.) with registration details listing Guangdong as the administrative state. The geographic mismatch between the infrastructure and the impersonated US retail brands increases suspicion and supports the assessment that the domain is being leveraged as part of a fraudulent, holiday-themed payment redirection scheme,” the blog post reads.

Researchers estimate that with a conversion rate of between 3% to 8% of visitors becoming victims, scammers could potentially earn between $2,000 and $12,000 per fake site before it gets shut down. While some fake domains have been closed, many remain active, becoming fully operational right before big sales events to maximise the number of victims.

“If left unchecked, these scams could cause significant financial losses for consumers and erode trust in global e-commerce during its busiest season,” said Ibrahim Saify, Security Researcher, CloudSEK

****What Shoppers Need to Look Out For****

Finding a deal that is too good to be true is the first sign of a scam. To stay safe, CloudSEK says shoppers should watch out for flashy banners or aggressive messages like “Limited Time!” designed to create panic; domain names that combine a brand name with extra words like safe, fast, or sale (like brandname-safe.shop); missing or fake contact information; and identical layouts across different store names.

If you see any of these warning signs, the safest choice is to avoid the site and verify the deal on the brand’s official website.

Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday

New API capabilities and AI-powered Threat Encyclopedia eliminate manual audit preparation, providing real-time compliance evidence and instant threat intelligence.

Quttera today announced major enhancements to its Web Malware Scanner API that transform static security scanning into automated compliance evidence. The update introduces real-time evidence streaming and compliance mapping, directly addressing the manual burden of audit preparation that costs organisations 30-40 hours per audit cycle.

The announcement includes two integrated capabilities: API-driven compliance automation that feeds structured security evidence into GRC platforms and the Quttera Threat Encyclopedia, an AI-powered resource providing instant context for detected threats.

****Automating the Manual Evidence Chase****

Organisations preparing for SOC 2, ISO 27001, and PCI DSS v4.0 audits traditionally spend dozens of hours manually collecting security evidence, exporting reports, capturing screenshots, and mapping findings to compliance controls. This approach creates outdated evidence, doesn’t scale across frameworks, and fails to prove continuous monitoring.

“Security teams are exhausted by the manual ‘evidence chase’ required before every audit,” said Michael Novofastovsky, CTO of Quttera. “We’re transforming malware detection into ‘Evidence-as-Code’ structured, real-time security data that flows automatically into compliance workflows. Whether organisations use Drata, Vanta, or custom GRC systems, our API provides continuous proof without human intervention.”

Quttera’s API converts threat detection into structured JSON with embedded compliance metadata, mapping findings to controls across SOC 2 (CC6.1, CC7.2), PCI DSS v4.0 (Requirements 6.4.3, 11.6.1), ISO 27001, and GDPR simultaneously.

****Addressing PCI DSS v4.0’s New Requirements****

The update specifically targets PCI DSS v4.0 requirements mandatory since March 2025, particularly Requirements 6.4.3 (script authorisation on payment pages) and 11.6.1 (file integrity monitoring). These requirements demand continuous automated detection capabilities that manual processes cannot provide at scale.

“PCI DSS v4.0 requires real-time detection of unauthorised changes to payment scripts,” Novofastovsky explained. “Our API provides timestamped evidence that monitoring is active 24/7, changes are detected automatically, and controls are continuously validated.”

****AI-Powered Threat Intelligence****

The Threat Encyclopedia addresses the context gap security teams face when responding to detections. Integrated directly into scan reports, it provides:

*   Step-by-step remediation guidance
*   Business impact and risk classification
*   Connections to known attack campaigns
*   Technical breakdown of malware behaviour

“We’re automating both sides of the problem,” said Novofastovsky. “The API handles compliance proof. The Threat Encyclopedia handles operational response. Together, they eliminate manual evidence collection and research overhead.”

The Encyclopedia currently documents 80+ web malware categories, with AI-assisted expansion based on emerging threats.

****Key Capabilities****

*   Automated Control Mapping: Detections tagged for multiple compliance frameworks simultaneously
*   Real-Time Evidence Streaming: Continuous JSON feeds replace static PDF reports
*   Behavioural Detection: Heuristic scanning identifies zero-day and polymorphic threats
*   Integration Flexibility: Works with existing GRC platforms via standard REST API

****Availability****

Enhanced capabilities are available immediately to all Quttera API subscribers.

API Documentation: https://quttera.com/quttera-web-malware-scanner-api

Integration Help: https://quttera.com/quttera-anti-malware-api-help

Threats Library: https://threats.quttera.com/

****About Quttera****

Quttera provides automated website security and malware detection solutions, delivering compliance-ready evidence for organisations across financial services, healthcare, e-commerce, and technology sectors. Its comprehensive suite includes advanced heuristic scanning, blacklist monitoring, and remediation services, helping businesses worldwide protect their digital assets and reputation.

****Contact****

CTO  
Michael Novofastovsky  
Quttera  
\[email protected\]

Quttera Launches “Evidence-as-Code” API to Automate Security Compliance for SOC 2 and PCI DSS v4.0

Cybersecurity firm Cato Networks reveals HashJack, a new AI browser vulnerability using the '#' symbol to hide malicious commands. Microsoft and Perplexity fixed the flaw, but Google's Gemini remains at risk.

On November 25, 2025, cybersecurity firm Cato Networks revealed HashJack, a new threat where the simple pound sign (#) in a web address (URL) hides malicious instructions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.

****The Vulnerability****

HashJack is the first of its kind example of an indirect prompt injection technique, where an attacker hides commands in content the AI will read later, in this case, the URL itself. This allows HashJack to exploit how AI assistants read the full URL, including the section after the # (the URL fragment), which web servers normally ignore.

This allows bad actors to weaponise any legitimate website without hacking the site itself. As Cato Networks’ senior security researcher Vitaly Simonovich explains, the weakness is in the AI assistant’s handling of the URL. Since users trust the legitimate site, they trust the AI’s manipulated advice.

The hidden commands can lead to a variety of malicious actions, including tricking users into revealing their login details (credential theft) and even giving false health-related advice (medical harm). More concerning is that, in advanced agentic modes (where the AI performs tasks automatically), the assistant can be instructed to steal sensitive user data (data exfiltration) by fetching an attacker’s URL in the background.

Furthermore, the AI can be guided to give step-by-step instructions for risky technical tasks, such as opening system ports or downloading a package that is actually malware. Researchers also noted that in some advanced AI browsers, like Perplexity’s Comet, the attack can even escalate to the AI assistant automatically fetching and sending user data to an external address.

HashJack attack chain (Source: Cato Networks)

****Mixed Response from Tech Giants****

The Cato Networks threat research team disclosed their findings to the affected companies starting in July and August of 2025. Microsoft responded quickly, applying a fix for Copilot for Edge on October 27. Perplexity also applied a fix for their Comet browser by November 18, 2025.

Google, however, has not yet resolved the issue for Gemini in Chrome. The report was marked by Google Abuse VRP / Trust & Safety in October 2025 as “Won’t Fix (Intended Behaviour)” with a low severity rating. It is worth noting that the issue remained unresolved at the time the research was published.

Watch the video demonstration of the HashJack attack shared by Cato Networks:

The findings from Cato CTRL™ Threat Research, shared exclusively with Hackread.com, introduce a new class of AI security risk because malicious commands are hidden in URL fragments, bypassing traditional firewalls. This discovery reminds the industry that, as AI assistants handle sensitive data, vendors must urgently fix flaws in AI design to prevent future context manipulation attacks.

HashJack Attack Uses URL ‘#’ to Control AI Browser Behavior

Scattered LAPSUS$ Hunters admin "Rey," allegedly a 15-year-old named Saif Khader from Jordan, has been named in a report linking him to the group. He denies the claim.

A 15‑year‑old in Jordan who goes by the handle “Rey” online has been allegedly identified as a key figure in the hacking crew Scattered Lapsus$ Hunters (SLH/SLSH), a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters. The supposed unmasking and the agreement to speak came earlier this week, after Rey allegedly contacted the reporter directly.

The claim surfaced after cybersecurity reporter KrebsOnSecurity allegedly traced Rey’s real‑world family details and reached out to someone believed to be his father, Zaid Khader, an airline pilot thought to work for Royal Jordanian Airlines. After that message was sent, the teen, whose name is allegedly Saif Al‑Din Khader and who turns 16 next month, got in touch. Saif is allegedly one of three administrators running the SLSH Telegram channel.

****The Clues that Pointed to Rey****

The hacker, who also used the name Hikki‑Chan in the past, allegedly made several simple mistakes that exposed identifying information. He was allegedly an administrator at BreachForums, a criminal marketplace taken down more than once by the FBI.

According to the report by Brian Krebs, Rey allegedly posted a screenshot that revealed his own password while using the Telegram name @wristmug. He also allegedly shared personal hints in a cybercrime channel called Jacuzzi, including that his father was a pilot.

A Telegram message by Rey (Source: KrebsOnSecurity)

Krebs’ investigation allegedly connected this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname Khader and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.

The SLSH group, a mix of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also allegedly tried to recruit company insiders, with one CrowdStrike employee fired after allegedly sending internal screenshots to SLSH.

The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.

Rey confirming the association with the surname (Source: KrebsOnSecurity)

****SLSH Dismisses Findings****

According to KrebsOnSecurity, Saif claimed he’s been trying to quit the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be prison time or whatever they’re gonna say,” the teen said.

In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to damage” their reputation.

The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different techniques.” They also accused the journalist of twisting Saif’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.

“We both know how badly this obsession is hurting you :).”

The post concluded with a stunning challenge: “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”

****Check out their full response:****

_"From what I can tell, Mr. Krebs, your "research" is nothing more than a desperate attempt to damage my reputation and a cheap way for you to show off.  
_  
_We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into an entire article.  
Congratulations, Krebs! You finally learned how to use Google.

1\. The individual in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as "o5tdev" (using completely different techniques) long after I began operating as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.

2\. When we spoke, you deliberately fired off questions without ever disclosing it was an "interview." You falsely implied I was connected to ShinySpider ransomware. Out of nowhere\_you asked, "Why are you still going with SLSH?" I answered that it's hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.

3\. You also asked if ShinySpider was AI-generated.. I said I didn't know and that the only thing i have done was simply sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are now completely different ransomware variants. Everyone knows you're just someone who recycles old garbage for a bit of attention.

4\. You structured your article to make it appear as though you contacted "the father" first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying "Hi, it's Saif!"  
You're probably wondering how I knew you were planning to "expose" me. Simple. It's the same way I know that person is not me, yet still related. Don't worry, Krebs, I know exactly who that Saif is.

5\. You're so intellectually dishonest that you're still trying to pin the "Sp1d3rHunters" persona from last year SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in five seconds that it wasn't me. So either you're incompetent and can't read your own evidence, or you knowingly pushed a lie. That IS called projection.

6\. You went out of your way to paint me as the "core" of SLSH when you know that's nonsense. Why didn't you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?

7\. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, etc. You explicitly claimed the person "Saif" was operating under the alias "o5tdev," defacing websites, probably via WordPress vulns. Does it make any sense that someone would turn from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?

We both know how badly this obsession is hurting you :)  
  
It's time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (hes retarded, anyways) and actually contributed to his arrest.

So here's my offer, Brian:

_  
_I'll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.  
_  
_I'll pay you 15 BTC if, thanks to your article, I ever get a knock on the door from local law enforcement for the things you accused me of."_

****Infostealer Connection****

Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity. According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.

Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an Infostealer infection that exposed previously used aliases on hacking forums.

That infection was linked to a Jordanian individual named Saif Khader. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.

Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey may have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level didn’t match the persona that went on to run ransomware and extortion operations. That contrast, he said, still surprises him.

Still, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:

1.  Rey continued operating publicly after being exposed even mocking the original KELA research online, before his account was banned.
2.  The infection dates back to January 2024, meaning law enforcement likely had months to act, but didn’t, despite Rey being one of the most active threat actors in recent memory.
3.  The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.

Despite this denial, William Wright, CEO of Closed Door Security, shared his views with Hackread.com, stating that this investigation is a “brilliant piece of investigative journalism.” He noted that while positive, “there will be a lot of concern among the general public around how a 15-year-old could cause so much damage to some of the biggest organisations in the UK.”

Wright cautioned that the reality is “not so simple,” adding: “Rey was collaborating with Russian threat actors, using their infrastructure to execute highly sophisticated attacks.” He concluded, “Rey claims to be working with law enforcement now, which is causing trouble across the Scattered Lapsus$ Hunter Telegram channel. This could lead to other members of the gang being identified, but Rey may get off lightly if he supports law enforcement enough.”

Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies

Alisa Viejo, CA, USA, 27th November 2025, CyberNewsWire

**Alisa Viejo, CA, USA, November 27th, 2025, CyberNewsWire**

Gartner has recognized One Identity as a Visionary in the **2025 Gartner Magic Quadrant for Privileged Access Management (PAM)****.** 

In a rapidly transforming market, innovation and demonstrated performance continue to shape expectations. The placement as a Visionary reflects what the company observes across its customer and partner ecosystem, highlighting a collective emphasis on simplified security, accelerated adoption and intelligence-driven identity protection.

**Definition of the Visionary Classification**

> According to Gartner, Visionaries are “noted for their innovative approaches to PAM technologies, methodologies, and means of delivery.” 

Being named a Visionary validates their strategy – blending **AI-driven administration****,** flexible deployment and customer-first design – as we continue building the next era of privileged access management. They believe the focus on streamlined innovation, automation and value is exactly what modern organizations demand. 

**Analyst Observations on One Identity Safeguard for PAM**

One Identity has seen analyst support for several key strengths across the **One Identity Safeguard** and **Cloud PAM Essentials** portfolio: 

*   **Product excellence:** The products received among the highest scores for privileged session management and PEDM for UNIX/Linux and macOS, confirming the depth and reliability of our core platform. 
*   **Customer experience:** Praised for ease of use, intuitive UI, deployment simplicity, and management features, backed by responsive, multi-tier support. 
*   **AI-driven innovation:** With Azure AI-powered natural-language search and AI-assisted configuration, we’re helping security teams move faster, respond smarter and simplify at scale. 
*   **Pricing & value:** Although some of the top PAM solutions are seen as costly, One Identity was recognized specifically for below the market average pricing, particularly for SaaS offerings – delivering enterprise-grade security at exceptional value. 

These strengths extend beyond functional capabilities and reflect how customer feedback influences development priorities, including usability and affordability.

Visionary recognition also reflects the company’s current trajectory, indicating external validation of a path oriented toward leadership and sustained advancement.

**Key Innovations in One Identity Safeguard for Modern PAM**

To meet the pace of identity-driven enterprises, PAM continues to transition from static control to adaptive intelligence. The following seven innovations remain central to modern privileged access management and illustrate how One Identity Safeguard supports evolving requirements:

**Unified, comprehensive PAM**

Enhanced control over privileged access with integrated password vaulting, session recording, and analytics – all within the One Identity Safeguard platform. 

**Flexible deployment**

Expanded support for cloud, on-prem, and hybrid models with scalable, cost-efficient licensing. 

**Streamlined implementation**

Simplified setup through automation tools and cloud-ready configurations that reduce time-to-value. 

**Improved usability**

One Identity Safeguard has a modernized UI, with ease of use, smoother workflows, and in-product help minimizes complexity and training needs. 

**Consistent, top-notch support**

Standardized professional services and strong implementation guidance ensure excellence everywhere. 

**AI-powered administration and documentation**

Contextual in-product guidance and intelligent search deliver faster answers, fewer support tickets and smarter administration. 

**Continuous optimization**

Agile, customer-driven updates in our solutions enhance speed, usability and value across releases. 

**Outlook for Privileged Access Management**

As organizations secure both human and machine identities, the future of PAM demands clarity, automation and intelligence. 

One Identity is uniquely positioned to deliver all three – helping customers protect privileged access, simplify operations and accelerate digital transformation with confidence. 

The 2025 Gartner Magic Quadrant for Privileged Access Management outlines how vision, innovation and customer success continue to influence the evolution of privileged access.

**About One Identity**

One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications, and data essential to business. Their Unified Identity Security Platform encompasses a variety of identity access and management tools, including AI-driven security solutions. One Identity brings together the 4 pillars of IAM: Identity Governance and Administration (IGA), Access Management (AM), Privileged Access Management (PAM), and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.

Users can find more information here: https://www.oneidentity.com

**Contact**

**Global Corporate Communications**  
**Liberty Pike**  
**One Identity LLC**  
**\[email protected\]**

Source

HackRead