Specops Software's analysis reveals how Scattered Spider's persistent help desk exploitation cost Clorox $400 million. Understand the August 2023 breach, its operational disruption, and critical steps organisations must take to protect against similar social engineering threats.

Cleaning products giant Clorox has sued its IT services partner, Cognizant, alleging that a devastating August 2023 ransomware attack that crippled production and cost the company $380 million in lost revenue was due to the firm’s negligence.

In a California Superior Court lawsuit, Clorox claims hackers linked to the Scattered Spider group simply obtained credentials by phoning Cognizant’s service desk for a password reset. Clorox further alleges Cognizant botched its response, prolonging the recovery time.

Now, Specops Software, a security analysis firm, published a detailed analysis of this incident, revealing precisely how this straightforward service desk attack unfolded and offering critical lessons for organisations.

According to their research, shared with Hackread.com, the incident began on August 11, 2023. Attackers, impersonating legitimate employees, placed multiple calls to Cognizant’s service desk. Their goal: to get passwords and Multi-Factor Authentication (MFA) resets for locked-out employees.

Despite Clorox’s clear procedures, the service desk agent reportedly bypassed these protocols, failing to verify the caller’s identity and providing new credentials. Compounding the oversight, no alert emails were sent to the impersonated employee or their manager – a basic notification that could have warned Clorox’s security team.

The hackers then repeated this tactic, gaining access to a second account belonging to an IT-security employee. This instantly elevated their access _to domain-admin privileges_, granting them unrestricted entry to Clorox’s core Active Directory environment, which controls user access across the network.

With high-level credentials, the intruders swiftly disabled security controls, escalated their privileges further, and deployed ransomware across key servers. This silently encrypted data, severing vital links between manufacturing, distribution, and IT systems. Production lines halted, and order fulfilment ceased. Clorox reported $49 million in direct remediation expenses and a staggering $380 million in lost revenue.

The risk of outsourcing critical IT support functions, while offering cost savings, can introduce vulnerabilities. Notably, UK retailer Marks and Spencer’s faced a similar incident where Scattered Spider tricked staff at their IT helpdesk contractor, Tata Consultancy Services (TCS), into resetting privileged credentials, also gaining Active Directory access.

This incident highlights the ongoing threat posed by Scattered Spider (aka 0ktapus, UNC3944). As Hackread.com reported, this group has been involved in numerous high-profile breaches, including MGM Resorts and other major retailers.

Their persistent exploitation of help desks to target VMware vSphere environments for ransomware deployment directly from the hypervisor to the Clorox incident shows that simple human vulnerabilities, if unaddressed, can lead to monumental financial and operational devastation.

To mitigate these risks, organisations must enforce strict Service Level Agreements (SLAs) with contractors, conduct regular red team exercises (simulated attacks) on outsourced processes, and demand transparent, real-time reporting of high-risk activities. Crucially, service desk permissions should be locked down to prevent agents from resetting admin or IT-privileged accounts without secondary approval workflows.

How Scattered Spider Used Fake Calls to Breach Clorox via Cognizant

GLOBAL GROUP Ransomware targets media giant Albavisión, claims 400 GB data theft as it continues hitting global sectors with advanced extortion tactics.

The GLOBAL GROUP ransomware gang is claiming responsibility for a breach of **Albavisión** (albavision.tv), a major Spanish-language media conglomerate based in Miami, Florida. The group also claims to have stolen 400 GB of data.

GLOBAL GROUP is a newly emerged Ransomware-as-a-Service **(RaaS) operation** that has been active since early June 2025. The group has targeted multiple sectors globally, including media and healthcare, with Albavisión listed as its 29th claimed victim since its launch.

What sets GLOBAL GROUP ransomware apart from other gangs is its use of an AI-driven negotiation tool. This system employs chatbots to handle negotiations with victims, particularly those who do not speak English.

In its latest announcement posted earlier today on its dark web leak site, GLOBAL GROUP stated that Albavisión has 15 days to begin negotiations or the allegedly stolen data will be published online. While the exact ransom amount in this case is unknown, a previous incident **observed** by EclecticIQ showed the group demanding 9.5 BTC, which was approximately $1 million at the time.

A look at the ransomware group’s previous listings shows it has so far leaked a complete dataset of 18 victims, which also includes a hospital.

Screenshot from the GLOBAL GROUP ransomware gang’s dark web leak site. (Image credit: Hackread.com)

****Is GLOBAL GROUP Ransomware Targeting Media Giants?****

While GLOBAL GROUP has been targeting a variety of industries, its recent activity suggests a focus on media organisations. For example, the group has listed “RTE” as one of its victims, though no additional details have been provided. RTE (RTÉ) is the national television and radio broadcaster of Ireland.

However, since it remains unclear which entity the group is referring to, Hackread.com does not imply that the Irish media organisation was breached or is the intended target listed as “RTE.”

Another name on the list is Rete Toscana Classica (RTC), an Italian radio station that broadcasts classical music 24 hours a day. Both RTE and RTC have been given 7 days to respond or begin negotiations with the GLOBAL GROUP ransomware gang.

Screenshot from the GLOBAL GROUP ransomware gang’s dark web leak site. (Image credit: Hackread.com)

****Targeting Albavisión: A Calculated Move by GLOBAL GROUP?****

Targeting Albavisión appears to be a calculated move. The multinational media conglomerate operates across Latin America, owning around 45 television channels, 68 radio stations, a print publication, and approximately 65 movie theatres in 14 to 15 Spanish-speaking countries.

The company was founded in 1987 by Remigio Ángel González, a Mexican-born Guatemalan businessman who is known for acquiring struggling media outlets and turning them into profitable operations using syndicated programming and local telenovelas. González is personally estimated to be worth around **$2 billion**, though the exact valuation of the company itself is not publicly disclosed.

Nevertheless, GLOBAL GROUP ransomware is emerging as yet another serious cybersecurity threat to organisations worldwide. While authorities continue to struggle with the growing challenge of ransomware gangs and with even data breach-focused threat actors like Scattered Spider now **moving toward ransomware**, businesses must rethink their security strategies.

This is especially urgent for sectors like healthcare. Implementing clear cybersecurity policies and providing training to all staff, including those with limited access to sensitive data, is essential. Employees should be **educated on phishing scams**, social engineering tactics, and the risks of using work devices for personal activities.

Hackread.com has reached out to Albavisión. This article will be updated accordingly.

GLOBAL GROUP Ransomware Claims Breach of Media Giant Albavisión

A new report from Google's GTIG reveals how UNC3944 (0ktapus) uses social engineering to compromise Active Directory, then exploits VMware vSphere for data theft and direct ransomware deployment. Understand their tactics and learn vital mitigation steps.

A highly “aggressive” cyber campaign, identified in mid-2025 by Google’s Threat Intelligence Group (GTIG), is posing a severe threat to major industries, including retail, airlines, and insurance.

This sophisticated operation is attributed to Scattered Spider, a financially motivated hacking group also known as 0ktapus and UNC3944, which has been involved in high-profile breaches, including those affecting UK retail giants M&S, Harrods, and Co-op.

Although several members of the group have been arrested and charged in the United States and the United Kingdom over attacks on MGM Resorts and major retailers, the group remains highly active and continues to demonstrate a global presence.

In its latest campaign, as reported by GTIG, the group is eyeing compromised Active Directory accounts to gain full control of VMware vSphere environments to steal sensitive data and deploy ransomware directly from the hypervisor.

This method is particularly dangerous as it often bypasses traditional security tools like Endpoint Detection and Response (EDR), which lack visibility into the underlying ESXi hypervisor and vCenter Server Appliance (VCSA).

GTIG outlines how UNC3944 moves from an initial low-level foothold to complete hypervisor control across five methodical phases. The critical entry point involves phone-based social engineering where attackers impersonate a regular employee, making phone calls to the IT help desk. By using publicly available personal information and persuasive tactics, they trick help desk agents into resetting Active Directory passwords.

This initial access allows them to conduct internal reconnaissance, searching for high-value targets like vSphere administrators or powerful Active Directory groups. They then make a second, more informed call, impersonating a privileged administrator to take over their account. This cunning two-step process bypasses standard technical protections by exploiting vulnerabilities in help desk identity verification procedures.

Once privileged Active Directory credentials are stolen, the attackers swiftly move to compromise the vCenter Server. From there, they gain “virtual physical access” to the VCSA. They manipulate the system’s bootloader to achieve root access, enabling SSH, and then deploy a legitimate open-source tool called Teleport. This tool creates a persistent, encrypted communication channel, effectively bypassing most firewalls.

 With this deep control, they can enable SSH on ESXi hosts, reset passwords, and perform an “offline attack” on critical virtual machines, such as Domain Controllers. This involves powering off a target VM, detaching its virtual disk, attaching it to an unmonitored “orphaned” VM, and copying sensitive data like the Active Directory database.

All of this occurs at the hypervisor layer, rendering it invisible to in-guest security agents. Before deploying ransomware, they sabotage recovery efforts by targeting backup infrastructure, deleting jobs and repositories. Finally, they use SSH access to ESXi hosts to push their custom ransomware, forcibly powering off VMs and encrypting files directly from the hypervisor.

Attack chain (Via Google)

“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defence,” Google warns. The group operates with extreme speed; the entire attack, from initial access to ransomware deployment, “can occur in mere hours.” Therefore, organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring.

“The advanced sophistication Scattered Spider exhibits should have security teams on high alert,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

“Social engineering attacks can be prevented with proper training and a challenge process to validate the caller is who they say they are. By using valid credentials and built-in tools, it is difficult for security teams to discern if they are compromised or not,” he advised.

Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google

macOS flaw dubbed Sploitlight allows attackers to access Apple Intelligence-cached data by abusing Spotlight plugins, bypassing privacy controls.

A newly disclosed macOS vulnerability is allowing attackers to bypass Apple’s privacy controls and access sensitive user data, including files cached by Apple Intelligence. Tracked as CVE-2025-31199, the flaw was identified by Microsoft Threat Intelligence and involves a method that abuses Spotlight plugins to leak protected files.

Microsoft Threat Intelligence, which originally spotted the vulnerability, revealed the flaw and dubbed the exploit “Sploitlight” due to its abuse of Spotlight plugins. While Apple has already released a patch, the technical method behind the exploit should be concerning for macOS users, especially those using Apple’s latest AI-powered features.

It all starts with how Spotlight, macOS’s built-in search tool, handles plugins known as importers. These are designed to help index content from specific apps like Outlook or Photos.

Microsoft researchers found that attackers could modify these importers to scan and leak sensitive data from TCC-protected locations like Downloads and Pictures, even without the user’s permission. The trick? Logging file contents in chunks through the system log, then quietly retrieving them.

However, according to the company’s blog post, it gets worse. Apple Intelligence, installed by default on all ARM-based Macs, stores caches containing geolocation data, photo and video metadata, recognised faces, and even search history.

This information, protected under TCC (Transparency, Consent, and Control) rules, is typically out of reach to apps without user consent. But using Sploitlight, attackers can pull this data directly from the caches, bypassing the system’s consent mechanisms entirely.

Microsoft’s proof-of-concept shows a clear step-by-step process attackers could use to exploit the flaw. By modifying the metadata of a Spotlight plugin, placing it in a specific directory, and triggering a scan, attackers can tap into sensitive folders without ever requesting access. And because these plugins don’t need to be signed, no compilation is necessary. A few tweaks to a text file are all it takes.

Apple’s patch, released in March 2025 for macOS Sequoia, addresses this flaw. Microsoft thanked Apple’s security team for cooperating under Coordinated Vulnerability Disclosure and urged users to install the updates without delay.

The impact goes further than the mechanics of the exploit and affects real user data. Since metadata and facial recognition information sync across Apple devices via iCloud, attackers exploiting a single Mac could also gain indirect insights into iPhones or iPads linked to the same account.

This isn’t the first TCC bypass Apple has dealt with. Earlier examples like powerdir and HM-Surf relied on different system components, but Sploitlight’s use of Spotlight importers makes the attack both subtle and effective. It blurs the lines between trusted operating system components and what can be injected from user-controlled sources.

If you use a Mac, especially one with Apple Intelligence features active, make sure your system is up to date. The fix for CVE-2025-31199 is live and available, and applying it closes off this very specific way of data theft.

macOS Sploitlight Flaw Exposes Apple Intelligence-Cached Data to Attackers

If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something…

If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something important you should know. A critical vulnerability is affecting versions 3.2.0 and earlier allowed even the lowest-level users, like Subscribers, to access sensitive data and actions they were never supposed to see or perform.

This issue came down to how the plugin handled user permissions in its REST API. The plugin checked only if a user was logged in, but didn’t ask whether that user had the proper role or capabilities to access certain features. This meant that anyone with a basic account could view email logs, resend messages and even access full email content, including password reset messages.

That last part is where things get dangerous. By viewing those password reset emails, a Subscriber-level user could reset the password of an Admin account. From there, they’d have full control over the site. This kind of account takeover risk is about as bad as it gets for any site relying on WordPress.

According to Patch Stack’s report, the fix arrived in version 3.3.0, where the plugin’s developers updated the get_logs_permission function. Instead of just checking whether a user is logged in, it now confirms whether they have the manage_options capability, which typically belongs only to Admins. That change closed the door on the broken access controls and stopped the account takeover threat.

The vulnerability, now tracked as CVE-2025-24000, was originally reported by Denver Jackson through Patchstack’s Zero Day program. The responsible disclosure was made on May 23, 2025, and by June 11, the patched version of Post SMTP was publicly released.

If you’re using this plugin and haven’t updated yet, make sure you’re running version 3.3.0 or higher. Any site with open registration, whether for comments, eCommerce or memberships, is especially at risk if this vulnerability remains unpatched. It’s one of those cases where a small oversight in permissions logic opened up access to highly sensitive data that should never be visible to most users.

Post SMTP Plugin Flaw Allowed Subscribers to Take Over Admin Accounts

The “Tea” app, a new and popular social platform for women, confirmed a major data breach affecting users…

The “Tea” app, a new and popular social platform for women, confirmed a major data breach affecting users who joined before February 2024. The announcement was made on Friday, July 25, 2025, via the app’s official channel (@theteapartyqueens).

****Breach Details****

The breach, occurring at 6:45 a.m. PT, primarily impacted an archived system, not current user data. Approximately 72,000 user-submitted images were compromised. This includes about 13,000 selfies and photo identifications from account verification, and roughly 59,000 images publicly viewable through posts, comments, and direct messages, some dating back over two years. Tea stated that this data was stored to meet law enforcement standards for cyberbullying prevention.

The app requires new users to submit a verification selfie and a photo of their government-issued ID, which is used to verify that new sign-ups are indeed women. The company clarified that no email addresses or phone numbers were accessed, and the affected photos cannot be linked to specific in-app posts.

According to 404 Media, which first reported the incident, the breach may have been triggered by anonymous right-wing trolls on 4chan, an image-based message board, following calls for a “hack and leak” campaign.

These 4chan users claim to have discovered and accessed an exposed database on Firebase (Google’s mobile app development platform) belonging to Tea, subsequently sharing users’ personal data and selfies online. Evidence, including screenshots, 4chan posts, and code, was reviewed by 404 Media.

The vulnerability reportedly stemmed from the app’s Firebase storage bucket being publicly accessible, a practice linked to “vibe coding,” where developers might use AI tools without a sufficient security review. Although the original post has been removed, the compromised data has reportedly spread across various platforms, including other social media sites like X and decentralised networks such as BitTorrent, with some users even creating Google Maps links displaying general coordinates of affected individuals.

****Company Response Under Scrutiny****

The Tea app team stated they are working quickly with internal security teams and trusted experts to address the issue. They asserted that no current or additional data has been accessed.

However, as reported by VX-Underground on X, even over 12 hours after the compromise was reported, the Firebase instance remained accessible, and users could still upload data, seemingly contradicting the company’s claims of immediate remediation.

Source: VX-Underground via X.com

For your information, the “Tea” app is a platform founded by Sean Cook in 2023 where women could share experiences and information about men, including rating them as “red flags” or “green flags,” uploading photos of men (often sourced from social media) and direct sharing of information through group chats.

While positioned as a safety tool, it has faced criticism and legal questions concerning privacy violations and potential defamation, particularly from men. The timing of the breach coincided with the app’s surge in popularity, reaching the top of Apple’s App Store this week.

Tea App Breach: Women Only Dating Platform Leaks 72K User Images

Sublime Security reveals a cunning romance/adult-themed scam targeting German speakers, leveraging Keitaro TDS to deliver an AutoIT-based malware loader. Learn how this sophisticated campaign operates, its deceptive tactics, and the hidden payload.

A recent cyberattack campaign is preying on German speakers with a deceptive adult-themed and romance scam to deliver malware. The sophisticated operation leverages a legitimate traffic distribution system (TDS) called Keitaro TDS to redirect unsuspecting victims to malicious domains. This campaign was discovered by the security research firm Sublime Security, and they exclusively shared their findings with Hackread.com.

Report authors, Sublime Security’s detection engineer Bryan Campbell and threat researcher Brian Baskin, explained that the emails involved in this campaign use enticing language and offer links to explicit content, aiming to draw the recipient in.

A key warning sign identified by Sublime’s AI-powered detection engine was the inclusion of a password for a protected archive directly within the email – a highly unusual practice for legitimate communications. Furthermore, the emails often came from unfamiliar senders with inconsistent names, email addresses, and reply-to details.

****How the Attack Works****

Victims receive emails with two malicious links, one disguised as a video preview image and another linking to an archive file. When clicked, the system checks if the user’s location is in Germany. If it is, a 300MB ISO file is downloaded in the background from a server based in Russia. This file contains the actual malware.

The attackers’ use of Keitaro TDS is crucial. This system allows cybercriminals to precisely target victims, ensuring only individuals from specific regions, like Germany, and even during certain hours, are exposed to the malicious content. This precision helps attackers increase their success rate by tailoring their approach to a specific audience.

Malicious email (Image via Sublime Security)

****The Hidden Threat Within****

Once downloaded, the ISO file is designed to evade detection. After removing extra _junk_ data, the remaining content is a standard container that can be mounted as a drive. This drive then holds another large executable file, “lovely_photos.exe,” and a text document with the password for a self-extracting archive.

Upon execution, the malware prompts for a password, conveniently provided in the original email and the extracted text file. This initiates the extraction of multiple files, including explicit images and other files, into the user’s temporary directory. A batch script then runs, building an AutoIt interpreter to execute a highly disguised AutoIt script.

AutoIt is a legitimate scripting language, but here it’s weaponised. This script further attempts to bypass antivirus software by checking for running services and delaying its execution.

The final AutoIt script, heavily obscured, then establishes persistence by creating a Windows scheduled task named DragonMapper, ensuring the malware runs every time the user logs in. This research serves as a vital reminder that threat actors can create highly targeted campaigns, delivering tailored messages for a higher success rate.

Malicious ISO File Used in Romance Scam Targeting German Speakers

Arizona woman jailed 8.5 years for aiding North Korea's $17 million IT job scam, defrauding over 300 US companies. Learn how to protect your business from such sophisticated cybersecurity threats.

An Arizona woman has been sentenced to over eight years in prison for her significant role in a fraudulent operation that funnelled more than $17 million to North Korea. According to the US Department of Justice (DoJ), Christina Marie Chapman, 50, from Litchfield Park, assisted North Korean Information Technology (IT) workers in posing as US residents to secure remote jobs at 309 American companies, including Fortune 500 corporations.

Image via US DoJ

This case represents one of the largest North Korean IT worker fraud schemes ever prosecuted by the US DoJ, in which Chapman received a sentence of 102 months (8 years) in prison, along with three years of supervised release, for her guilty pleas on February 11 in the District of Columbia. Her charges included conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder money.

Chapman’s scheme involved operating a laptop farm at her home, where she received and hosted company computers. This deceptive setup made companies believe the work was being performed within the US. She specifically shipped 49 laptops and other devices supplied by US companies to locations overseas, including multiple shipments to a city in China bordering North Korea.

Equipment seized from Chapman’s home (Source: DoJ)

According to court documents (PDF), she also shipped company laptops overseas, including to a city in China bordering North Korea, and forged payroll checks using 68 stolen American identities. These illicit earnings, falsely reported to US tax and social security agencies, were then transferred to individuals abroad.

The defrauded businesses included a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a US media and entertainment company. Some of these companies were actively targeted by the IT workers who kept lists of desired employers.

US officials condemned Chapman’s actions, emphasising how her scheme financially supported North Korea’s nuclear weapons program and jeopardised national security. Acting Assistant Attorney General Matthew R. Galeotti noted the severe consequences for those who aid foreign adversaries.

According to the DoJ’s press release, the FBI and IRS Criminal Investigation led the probe, seizing over 90 laptops from Chapman’s residence in October 2023. These investigations highlight North Korea’s strategy of deploying skilled IT workers globally to obtain remote employment under false pretences, using US-based facilitators to bypass security measures.

Both the FBI and the State Department have recently issued updated advisories and guidance for HR professionals and businesses, urging caution against such threats and detailing methods used by these illicit IT workers to gain access and generate revenue.

To protect against such schemes, authorities advise businesses to scrutinise identity documents, verify employment history, and implement strict protocols for virtual meetings, including requesting unobscured video backgrounds and checking for AI-generated video anomalies.

Arizona Woman Jailed for Helping North Korea in $17M IT Job Scam

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2…

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2 million, fake currency operation in India. This report details the exposure of individuals and their activities on Facebook and Instagram.

A large-scale counterfeit currency operation is reportedly circulating fake notes worth millions of dollars, which has been brought to light by cybersecurity firm CloudSEK. Its investigation, shared with Hackread.com, CloudSEK’s STRIKE team has not only calculated the vast spread of this illicit trade, estimated at ₹17.5 crore (over $2 million) in fake Indian currency over just six months (December 26, 2024, to June 26, 2025), but has also managed to identify and pinpoint key individuals behind it.

The unique aspect of this exposé lies in the direct attribution of culprits. Using digital forensics, GPS data, and facial recognition technology, CloudSEK has identified and located major players across the Indian state of Maharashtra.

According to Sourajeet Majumder, a security researcher at CloudSEK, “This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content, we identified the key perpetrators.”

Reportedly, bad actors are using popular social media platforms like Facebook and Instagram in this campaign. CloudSEK’s XVigil platform played a crucial role in its detection by monitoring open-source environments for specific terms like “second series” or “A1 notes,” which are codewords used by sellers.

Source: CloudSEK

The investigation revealed over 4,500 posts promoting counterfeit currency and more than 750 accounts or pages involved in selling these fake notes. Furthermore, over 410 unique phone numbers were found to be connected to sellers. These groups even used Meta Ads for paid promotions, openly reaching out to potential buyers. Some sellers went as far as sharing videos, handwritten notes, and even video calls to show the supposed quality of their fake currency, creating a dangerous “trust-based” black market out in the open.

Source: CloudSEK

****Tracking Down the Accused****

CloudSEK’s researchers combined advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques to unmask group administrators and sellers. They collected facial images, phone numbers, exact GPS locations, and social media profiles of the main suspects.

The researchers also identified several accounts operating under aliases such as Vivek Kumar, Karan Pawar, and Sachin Deeva. Geolocation evidence pointed to activity in Jamade Village (Dhule district, Maharashtra) and Pune, strongly suggesting a coordinated syndicate primarily based in Maharashtra, with Dhule being the potential hotspot.

Further probing revealed that the counterfeiters advertise their fake notes through various social media channels using hashtags like #fakecurrency. To gain trust, they engage with buyers via WhatsApp, sharing “proof” images and even offering live video calls. The production involves professional tools like Adobe Photoshop, industrial-grade printers, and paper that sometimes mimics security features like Mahatma Gandhi watermarks and green security threads.

Source: CloudSEK

CloudSEK has shared its findings with relevant law enforcement agencies at both the state and national levels, providing detailed intelligence to aid in disrupting this criminal network and protecting the country’s financial stability.

Researchers Expose Massive Online Fake Currency Operation in India

BreachForums resurfaces on its original .onion domain amid law enforcement crackdowns, raising questions about its admin, safety and future.

The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts.

For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure.

Then, on April 28, as reported by Hackread.com, the forum’s homepage was replaced with a message stating that a MyBB 0-day vulnerability had left the site exposed to infiltration attempts by law enforcement, and it needed to be taken offline until the issue was resolved. That was the last message before BreachForums disappeared.

****Admin N/A?****

However, earlier today, Hackread.com spotted that the platform’s .onion domain had become active again, now under a new admin handle, “N/A.” The identity of “N/A” is unknown, but they claim the forum’s clearnet domain was suspended by the registrar following complaints and pressure from law enforcement.

Additionally, they claim the MyBB vulnerability has been fixed and that the forum was never compromised, with user data remaining protected throughout. “N/A” also addressed reports about the arrests of ShinyHunters members, denying that any original group members have been taken into custody.

For your information, after the arrest of former BreachForums administrator Conor Fitzpatrick, also known as Pompompurin, the forum reemerged under the leadership of the ShinyHunters group. However, in June 2025, authorities claimed to have arrested members of ShinyHunters, along with IntelBroker, another active member who had also served as the group’s administrator.

“N/A” also denied ever giving admin access to IntelBroker, claiming it was part of a strategy to divert law enforcement’s attention away from the original owners. According to the statement, IntelBroker never had administrative access to the forum.

Message from Admin N/A on BreachForums (Image credit: Hackread.com)

****As XSS.IS Falls, BreachForums Reemerges****

The return of BreachForums comes at a time when law enforcement is intensifying efforts against cybercrime. Less than 24 hours ago, in an operation called “Operation Checkmate,” authorities seized the infrastructure of the BlackSuit ransomware group, including two of its .onion domains.

Just a couple of days ago, the Russian-language cybercrime platform XSS.IS was seized following the arrest of its suspected administrator in Ukraine. While its dark web domain remains accessible, posts from admins and moderators suggest plans to revive the forum on other domains. Meanwhile, the return of BreachForums presents yet another challenge for law enforcement agencies.

The return of BreachForums on the dark web, along with plans to restore its clearnet domains, may be seen as good news within cybercrime circles, but it raises serious questions. Is it a honeypot set up by law enforcement? Who is “N/A”? Where is the original admin team if they haven’t been arrested? If you are active on BreachForums, sign in at your own risk, and consider quitting cybercrime for good.

Source

HackRead