Europol and 18 countries used AI forensics to identify 51 child victims and 60 suspects in a global online abuse investigation.

An international police taskforce has identified 51 children in an operation targeting online child sexual exploitation, Europol confirmed today. The investigation, which brought together officers from 18 countries, also led to 60 suspects facing criminal proceedings.

The task force met at Europol’s headquarters in The Hague, where specialists analysed more than 5,000 pieces of child exploitation material over two weeks. Investigators worked to collect online evidence that could help identify victims and offenders, a process that relied on both traditional policing skills and AI-driven forensic tools to speed up detection.

According to Europol’s press release, the findings have already led to arrests in several countries. National authorities are now pursuing investigations based on 276 intelligence packages prepared during the operation, building on the leads gathered in The Hague.

In many cases, the material under review was stored on servers in one country, distributed through platforms in another, and linked to victims elsewhere. However, investigators reduced the time it normally takes to connect evidence to actual children by combining resources and sharing intelligence in real time.

Europol said the task force’s model will continue to guide future operations. Its specialists are investing in more advanced forensic techniques and AI-driven tools to process large datasets more efficiently, making it harder for offenders to hide behind encryption, anonymisation, or fragmented storage across multiple platforms.

Cases like this show children are being targeted in online environments where offenders manipulate platforms meant for communication or entertainment. While law enforcement agencies are doing what they should, parents also need to protect their kids by having honest conversations about online risks, setting boundaries, and teaching kids how to report unwanted contact.

1.  1 in 5 Youth Engage in Cybercrime, NCA Finds
2.  Half of Online Child Grooming Cases Now Happen on Snapchat
3.  Online gaming safety for kids: learn how to protect your children
4.  Online Child Exploitation Network 764 Busted; 2 US Leaders Arrested
5.  Top Israeli Cybersecurity Official Arrested in US Child Exploitation Sting

AI Forensics Help Europol Track 51 Children in Global Online Abuse Case

Radware researchers revealed a service-side flaw in OpenAI's ChatGPT. The ShadowLeak attack had used indirect prompt injection to bypass defences and leak sensitive data, but the issue has since been fixed.

A team of security researchers from Cloud Security Solutions provider, Radware, found a way to trick a popular AI tool into giving up a user’s private information. The team, including lead researchers Zvika Babo and Gabi Nakibly, discovered a flaw in OpenAI’s ChatGPT Deep Research agent, a tool that autonomously browses the internet and user documents to create reports. They demonstrated how the agent could be tricked into leaking private data from a user’s Gmail account without their knowledge.

The researchers named the flaw ShadowLeak, describing it as a “zero-click” attack (an attack triggered without the user needing to click on anything), hidden inside a normal-looking email with invisible commands. When a user tells the Deep Research agent to scan their emails, it reads the hidden instructions and, “without user confirmation and without rendering anything in the UI,” sends the user’s private data to a location controlled by the attacker.

****An Invisible Threat****

Unlike past 0-click vulnerabilities like AgentFlayer and EchoLeak, which relied on a user’s web browser, this new method works directly from inside OpenAI’s cloud servers. The researchers called this service-side exfiltration, which makes it much harder to detect with normal security software because it operates entirely behind the scenes. According to the report, it is also “invisible to the user,” as nothing is displayed or rendered.

Image Credit: Radware

The attack uses a method called indirect prompt injection, where malicious commands are hidden inside the data an AI model is designed to process, like an email, and are executed without the user’s knowledge. The malicious email, which could be titled “Restructuring Package – Action Items,” pretends to be a normal message.

Inside, invisible code instructs the agent to find sensitive information and send it to a fake “public employee lookup URL.” The email uses social engineering tricks like asserting “full authorisation” and creating a false sense of urgency to bypass the agent’s safety checks.

The team spent a long trial-and-error phase refining the attack, eventually figuring out how to force the agent to use its own browser.open() tool to execute the malicious command. By telling the agent to encode the stolen information in Base64 as a “security measure,” they were able to make it look harmless and achieve a “100% success rate.”

****The Problem Has Been Fixed****

According to Radware’s blog post, it responsibly reported the issue to OpenAI in June 2025. The vulnerability was fixed by early August and officially acknowledged as resolved by OpenAI on September 3.

Although their proof-of-concept used Gmail, the researchers pointed out that the same technique could also work on other services that connect with the Deep Research tool, such as Google Drive, Microsoft Teams, and GitHub, to steal sensitive business data.

To prevent similar issues, they advise companies to clean up emails before AI tools read them and to constantly monitor what the AI agent is doing to ensure its actions align with the user’s original request.

ShadowLeak Exploit Exposed Gmail Data Through ChatGPT Agent

The UK's spy agency, MI6, has launched a new dark web portal called Silent Courier to securely recruit agents worldwide, particularly from Russia. Learn how this shift to the dark web marks a new era in modern espionage and national security.

The UK’s foreign intelligence service, MI6, has launched a new platform for potential agents to get in touch. Announced on September 19, the platform, called Silent Courier, operates on the dark web and is designed to allow people with sensitive information to safely contact the UK.

The main purpose of Silent Courier is to make it easier for MI6 to find and recruit new spies around the world, especially in places like Russia. Anyone, no matter where they are in the world, who has information about terrorism or hostile intelligence activities can now securely send it to the UK.

Screenshot from the Silent Courier dark web portal

According to a press release from the UK government, the new portal is a key part of a larger plan to improve the country’s security. It comes at a time of a major increase in defence spending, the biggest since the Cold War.

Outgoing MI6 Chief, Sir Richard Moore, announced the platform in Istanbul. In his final public speech as the head of the agency, he said the new portal will help MI6 navigate modern threats. He said, “Our virtual door is open to you,” and invited anyone with information on global instability to get in touch.

Foreign Secretary Yvette Cooper has also commented on the news, saying that the world is changing and threats are growing; therefore, the UK’s intelligence agencies must use the best technology to stay ahead of these challenges and keep the public safe.

Instructions on how to use Silent Courier are available on MI6’s verified YouTube channel. To stay safe, the agency advises people to use a trustworthy VPN and a device not connected to them personally.

This decision represents a major shift in how intelligence agencies operate. For a long time, agencies like MI6 would recruit people through face-to-face meetings and traditional methods

The so-called dark web, accessible through the Tor browser, is designed to hide a user’s location. This makes it a way to protect someone who wants to share secrets, especially if they are in a country with tight surveillance. However, the Tor browser has its own security vulnerabilities, which in some cases can be exploited by hackers for backdoor access or by authorities to deanonymize users.

The UK’s approach follows a similar initiative by the Central Intelligence Agency (CIA) in the United States, which also launched a portal accessible to Russians via the Tor internet browser in May 2022, as reported by _Hackread.com_.

The c initiative aimed to allow Russians who were unhappy with their government’s actions, particularly regarding the war in Ukraine, to securely share secret information with the agency. The CIA also used a series of social media videos in 2023 to recruit Russians.

MI6 Opens Dark Web Portal “Silent Courier” for Russians to Share Secrets

Cyberattack on Collins Aerospace check-in system disrupts major European airports, causing flight delays and cancellations across hubs.

Travellers moving through some of Europe’s busiest airports faced long lines and delays on Friday after a cyberattack disrupted check-in technology used by several hubs. The outage impacted software provided by Collins Aerospace, a major supplier of passenger processing systems, and temporarily forced airports to fall back on manual operations.

At Brussels Airport, staff printed boarding passes by hand while baggage tags had to be written manually. By late morning, the disruption had led to about ten flight cancellations and more than a dozen significant delays. Officials stated that security screening and air traffic control were unaffected, but acknowledged the passenger experience was heavily impacted.

London Heathrow and Berlin Brandenburg also confirmed disruptions, with both airports reporting longer processing times for check-in and bag drop. In Ireland, Dublin and Cork saw limited interruptions, though authorities said the impact was quickly contained.

Situation at the UK’s Heathrow Airport

The most immediate impact on passengers was waiting in long queues and, in some cases, missing flights. Airport spokespeople advised travellers to allow extra time for check-in while systems are being restored. By Friday afternoon, manual procedures were still in place in several locations, though staff worked to reduce delays as much as possible.

The company at the center of the disruption, Collins Aerospace, confirmed it was investigating the incident. Its MUSE (Multi-User System Environment) software, widely used by airlines and airports for passenger management, was the target of the attack. While airlines were not directly hacked, their operations were affected since many rely on the same check-in to coordinate boarding and baggage systems.

****What is the MUSE system?****

This makes airport operations more flexible and efficient, but it also means that if MUSE experiences an outage, multiple airlines and airports can feel the impact at the same time.

The MUSE platform is a common check-in and boarding software used by many airlines and airports worldwide. Instead of each airline running its own system at every airport, MUSE allows several carriers to share the same counters, kiosks, and baggage drop facilities.

Collins Aerospace’s website

****Who’s Behind the Cyber Attack?****

Authorities have not yet said who carried out the cyberattack or how access was gained. Officials noted that no evidence so far suggests passenger data was stolen, but the investigation is still underway.

Cybersecurity experts say that airports increasingly face risks not only from aviation infrastructure being targeted but also from service providers whose technology supports daily operations.

This incident adds to a growing list of cyber events affecting transport infrastructure worldwide, from rail systems to shipping terminals. Earlier this week, UK authorities arrested two individuals linked to the Scattered Spider group during an investigation into a cyberattack on Transport for London (TfL) that caused millions of pounds in damage.

Cyberattack Disrupts Airport Check-In Systems Across Europe

New investigation exposes a China-based ring that sold over 6,500 fake United States and Canadian IDs using well-planned covert packaging. Learn how this operation threatens national security and enables financial crime.

A recent investigation by cybersecurity firm CloudSEK has exposed a major operation based in China that is selling high-quality, counterfeit US and Canadian driver’s licenses and Social Security cards. The company has dubbed the operation “ForgeCraft.”

According to the research white paper, which was shared with Hackread.com, the extensive network has already sold over 6,500 fake IDs to more than 4,500 buyers across North America, generating over $785,000 in revenue.

****Tactics and Consequences****

The investigation, led by CloudSEK’s STRIKE team, exposed a sophisticated operation. The group used a large network of over 83 websites to sell its products. The fake IDs were designed to look just like real documents, complete with scannable barcodes, holograms, and special UV markings.

Nearly 60% (3,800) of buyers were over the age of 25. A specific case study revealed a buyer who purchased 42 counterfeit commercial driver’s licenses linked to two trucking companies with a history of regulatory issues.

These fake IDs can now be used to put unauthorised drivers on the road, engage in illicit activities, pass banking verification, create social media accounts, and even bypass age verification measures to access restricted adult sites.

Currently, according to World Population Review’s data, several US states have either implemented or are in the process of implementing a UK-style online age verification system, and these fake ID cards can enable teens to bypass those restrictions.

The fake IDs also threaten national security by bypassing border and law enforcement checks, may enable financial fraud, including SIM swaps and account takeovers, and can be used to exploit election integrity through voter fraud.

Credit: CloudSEK

****Covert Delivery and Global Reach****

To avoid detection, the group used a clever method of “covert packaging” when shipping the fake IDs through major couriers like FedEx and USPS. The licenses were concealed inside everyday items like purses, toys, or within the layers of cardboard shipping boxes. CloudSEK researchers even obtained a tracking number for a package sent from China to Canada, confirming that the fake IDs were successfully delivered to customers.

To help buyers find the hidden documents, the group also provided tutorial videos on how to tear open the packaging and retrieve the cards. One such video led to an exact match with a customer’s details found in the group’s database, proving the network was active and fulfilling orders.

Social media platforms like TikTok, Facebook, Telegram, and YouTube were used to promote these services with ads that openly boasted about illegal uses like bypassing age restrictions or police checks. The counterfeit IDs were sold for as low as $65 each in bulk. The money was collected through various payment channels, including PayPal, LianLian Pay, and cryptocurrencies like Bitcoin and Ethereum.

Using a combination of human intelligence and online research, CloudSEK could pinpoint the main operator’s location in Xiamen, Fujian, China. Researchers even captured a facial image of the individual through their webcam.

Credit: CloudSEK

This detailed evidence has been shared with authorities in the hopes of disrupting the operation. The firm is urging law enforcement to seize the domains and encouraging courier services like FedEx and DHL to be more watchful in detecting the covert packaging methods.

Ibrahim Saify, a security analyst at CloudSEK, commented on the findings, stating, “This case demonstrates the critical importance of comprehensive threat intelligence in combating sophisticated criminal operations. Without visibility across social media, dark web, and infrastructure channels, investigations of this depth would be nearly impossible.”

Chinese Network Selling Thousands of Fake US and Canadian IDs

New York, New York, 19th September 2025, CyberNewsWire

**New York, New York, September 19th, 2025, CyberNewsWire**

**BreachLock**, the global leader in offensive security, has been recognized as a Sample Vendor for Penetration Testing as a Service (PTaaS) in the 2025 Gartner Hype Cycle for Application Security. The company was also recognized as a sample vendor for Adversarial Exposure Validation (AEV) in the Gartner report, “From Defense to Offense: How to Champion Proactive Cybersecurity.”

This recognition from Gartner, following BreachLock’s designation as a Sample Vendor in multiple other 2025 Hype Cycle reports earlier this year, underscores BreachLock’s commitment to delivering more scalable, flexible, and efficient penetration testing and offensive security solutions for modern security teams.

> Commenting on the recognition, BreachLock Founder & CEO, Seemant Sehgal, expressed, “It’s an honor to be recognized by Gartner so consistently over the years as BreachLock continues to innovate and raise the bar not only in penetration testing, but now in adversarial exposure validation.” He added, “Our growing impact and leadership in the market is a direct reflection of our team’s genuine passion for listening and adapting to our clients’ needs, whether it’s more flexibility, scalability, better vulnerability prioritization, support, or innovative new solutions.” 

BreachLock’s flexible PTaaS delivery model empowers enterprises to test their full-stack attack surface as broadly and frequently as needed, whether that’s periodically or continuously, by combining the power of human expertise, AI efficiency, and automated scalability into a single solution. With BreachLock PTaaS, security teams can identify their vulnerabilities in real-time, visualize attack paths, and easily prioritize remediation based on actual risk so they can be remediated faster and more effectively. 

BreachLock Adversarial Exposure Validation, its Gen AI-powered autonomous red teaming engine, enables enterprises to launch their own unlimited, multi-step attack scenarios in just a few clicks on demand or continuously. AEV thinks and moves like a real attacker, leveraging live threat intelligence, pivoting, and moving laterally to reveal where defenses succeed or fail. With BreachLock AEV, security teams can scale coverage without adding headcount and focus remediation efforts on validated risks that could lead to high-impact breaches. 

Gartner highlights in the Hype Cycle for Application Security that “PTaaS overlaps with adversarial exposure validation (AEV), which is an adjacent market, yet they are different in terms of adoption and operation. AEV focuses on continuous, real-world attack simulations, while PTaaS emphasizes human expertise and integration with development processes for on-demand or continuous testing,” citing this as an obstacle. While PTaaS and AEV are at different stages and do have some overlap, BreachLock offers both solutions in a single platform, simplifying adoption and implementation for customers. 

Looking ahead to the coming years, BreachLock will continue innovating in the offensive security space to help organizations take control of their attack surface, reduce operational complexity, and strengthen defenses as threats evolve. BreachLock remains committed to delivering forward-thinking solutions that empower security teams to safeguard their organizations with confidence. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

**About BreachLock**

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries.

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

BreachLock Named Sample Vendor for PTaaS and AEV in Two New 2025 Gartner® Reports

WatchGuard has issued a critical security alert for its Firebox firewalls due to a serious vulnerability, CVE-2025-9242. Learn what this 'out-of-bounds write' flaw means, which Fireware OS versions are affected, and the urgent steps to take to protect your network from remote attacks.

WatchGuard has released security updates to fix a high-risk vulnerability in its Firebox firewalls. This issue, CVE-2025-9242, could allow a remote attacker to take control of a device. The company is urging all users to update their systems right away to avoid potential attacks.

****What Is the Problem?****

This vulnerability is what’s known as an ‘out-of-bounds write’ weakness. Think of a computer’s memory as a series of boxes. An out-of-bounds write happens when a program tries to put data into a box it’s not supposed to, which can mess up the system.

In Firebox’s case, it could let a hacker run their own malicious code on the firewall without needing to be an authenticated user. This type of flaw is very serious because firewalls are meant to protect networks from outside threats. That’s why the issue has been given a high-risk score of 9.3 out of 10.

The problem affects a wide range of devices. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4\_Update1, 12.0 up to and including 12.11.3 and 2025.1. While the vulnerability is only present if a user had previously set up a certain type of VPN (Virtual Private Network) called IKEv2, WatchGuard says even if those settings were deleted, the device could still be at risk.

As WatchGuard stated in its advisory, “An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code.”

The affected products include the Firebox T15 and T35 models running Fireware OS 12.5.x, as well as numerous other models in the T, M, and Firebox Cloud series that run Fireware OS 12.x and 2025.1.x.

****What to Do Now****

Although there have been no known attacks using this weakness, the risk is real. Attackers often target firewalls because they are a key entry point to a network.

WatchGuard has already released fixes for this problem in several software updates, including versions 12.3.1\_Update3, 12.5.13, 12.11.4, and 2025.1.1. If you own a WatchGuard Firebox, you should check your device’s software version and install the latest update immediately. For users who can’t update right away, WatchGuard recommends a temporary fix by limiting how traffic can get to the VPN.

The company recognised a researcher named “btaol” for finding and reporting this issue.

Several cybersecurity experts weighed in on the seriousness of the issue and shared their thoughts with Hackread.com.

David Matalon, CEO at Venn, called the flaw a “reminder of just how much trust organisations place in perimeter defences.” He added that a layered approach is “critical to limiting the blast radius when vulnerabilities inevitably emerge.”

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, highlighted the vulnerability’s persistence, noting that “even if vulnerable VPN configurations have been deleted, systems remain at risk.”

He also pointed out that, according to threat reports, many exploited vulnerabilities in 2025 affected “edge security and gateway products” because they offer an easy way for attackers to get into an organisation.

Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, described the CVSS 9.3 score as “the cyber equivalent of a five-alarm fire.” He stressed that for an attacker, “compromising the firewall is the ultimate tactical win,” as it offers a perfect entry point into a network.

WatchGuard Issues Fix for 9.3-Rated Firebox Firewall Vulnerability

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions…

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions are crucial for boosting brand authority. Search engine optimisation (SEO) helps to attract more traffic to your content and build your business’s credibility to establish a strong foothold. In this post, we will discuss how these solutions help build brand authority and why you need them.

****The Fundamentals of Enterprise SEO****

Enterprise SEO is the process of optimising websites for complex organisations (depending on size or structure). It aims to rank multiple pages higher on search engines. However, enterprise SEO solutions consider the individual needs of larger organisations, whereas traditional SEO often focuses on smaller businesses. It comprises working in multiple domains or millions of pages and being in sync with your corporation’s objectives.

****Enhancing Online Visibility****

One of the biggest advantages of enterprise SEO is that it improves your business’s visibility online. Proper content optimisation with relevant keywords will ensure that a business website is ranked mostly at the top of the search results. This creates exposure and trust with potential customers. A brand appearing frequently in user searches creates a positive association and strengthens brand recognition.

****Building Trust and Credibility****

A brand’s content authority depends on trust and credibility. Enterprise SEO solutions assist in establishing this with relevant, valuable, and authoritative content. Posting high-quality content that answers users’ queries positions your brand as a reputable source. Search engines prioritise content like this, pushing it even higher in the rankings and visibility.

****Optimising User Experience****

Providing a high-quality user experience is vital for brand authority. Enterprise SEO improves website speed, mobile friendliness, and user navigation. A seamless experience encourages users to stay focused on the site and lessens bounce rates. Happy visitors are more likely to become repeat customers, enhancing brand credibility.

****Content Strategy and Creation****

Content lies at the centre of any SEO strategy. Enterprise search engine optimisation focuses on creating a content strategy aligned with business goals. This strategy involves researching topics that interest the audience and enjoyably providing quality content. Regularly putting out new updates/content ensures the audience keeps coming back for more.

****Leveraging Analytics for Improvement****

Analytics are a key component of enterprise SEO. With proper data analysis, businesses can find the room for improvement and change their strategies accordingly. By knowing what users like and dislike, how they behave, and what trending topics are in their world, content created can be much more focused. Continuously iterating and improving, thus keeping the brand on top of the game via a data-backed approach.

****Local SEO for Global Brands****

Many organisations are considered big and operate in more than one region. Enterprise SEO also includes local SEO, and you want potential customers to see you in specific areas. Optimised content for local audiences can help businesses connect with different customer bases. It enhances brand authority by showing that the company understands regional needs and preferences.

****Adapting to Algorithm Changes****

Search engines regularly update their algorithms, influencing rankings. Enterprise SEO solutions require keeping up with this and adjusting strategies. By being proactive, Businesses can retain their positions while continuing to build authority. This flexibility is vital for long-term success and staying relevant in the competition.

****Collaboration Across Departments****

This means enterprise SEO is not just a one- or two-person job; you must coordinate across departments. It also requires the collective efforts of marketing, IT, and content teams for overall strategic orientation. Such collaboration encourages innovation and efficiency and brings better results. Having an all-in-one strategy not only improves the brand’s authority but also ensures that every element of the business is in accordance with the goals of SEO.

Enterprise SEO Solutions are needed to enhance brand authority. Businesses leveraging visibility, credibility, and convenience through local SEO will strengthen their market share. This can be amplified even further with strategic content, analytics, and local SEO. Partnership and flexibility are the key factors for organisations to maintain their success and authenticity. Accepting enterprise SEO is more than a method; it is a pledge to excellence and market leadership.

(Image by Werner Moser from Pixabay)

How Enterprise SEO Solutions Improve Brand Authority

Two UK teens have been charged in connection with the TfL hack, as investigators link them to Scattered Spider cyberattacks and data breaches.

The cyberattack that disrupted Transport for London (TFL) websites and services in September 2024 has led to charges against two teenagers accused of working with the Scattered Spider hacking group.

Nineteen-year-old Thalha Jubair of East London and eighteen-year-old Owen Flowers of Walsall were arrested by the National Crime Agency on 16 September 2025 and brought before Westminster Magistrates’ Court. Prosecutors allege the pair conspired to breach TfL systems under the Computer Misuse Act, causing millions in damage and impacting parts of London’s critical infrastructure.

The incident did not stop the Underground from running, but it disrupted important services around it. Customers struggled to log into Oyster and contactless payment accounts, and third-party transit apps that rely on TfL’s APIs were knocked offline. Investigators estimate more than £30 million in costs so far, covering remediation, lost revenue, and security upgrades.

Roughly 5,000 Oyster users also had their personal information exposed, including bank details and contact records. TfL confirmed the data leak in its own disclosures, adding further weight to the charges against the accused.

TFL notification that was sent in September 2024

In its press release published today, the NCA described the probe as a “lengthy and complex investigation” in recent years. Paul Foster, deputy director of the agency’s National Cyber Crime Unit, said the attack “caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

****Charges Against Jubair Detail Major Cybercrime Allegations****

According to a press release from the US Department of Justice, Jubair faces charges of conspiracy to commit computer fraud, wire fraud, and money laundering, linked to more than 120 network breaches and extortion schemes against 47 U.S. organisations. Prosecutors say the victims handed over at least $115 million in ransom payments.,

He also faces an additional charge for refusing to provide passwords or PINs to devices seized by investigators. That falls under the Regulation of Investigatory Powers Act, which compels suspects to disclose encryption keys or face prosecution.

Flowers is facing more than the London charges. Court documents also link him to cyberattacks on US healthcare providers SSM Health Care Corporation and Sutter Health. Those cases highlight the cross-border nature of Scattered Spider, a group already associated with high-profile ransomware and extortion campaigns in both North America and Europe.

****One More Arrest****

This is not the first arrest linked to the September 2024 TfL cyberattack. On September 12, 2024, the NCA announced the arrest of a teenager in Walsall, England, connected to the incident. However, the suspect’s name was not disclosed.

As for the latest arrests, the Crown Prosecution Service has said the evidence was strong enough to bring both men to court, stressing that it is in the public interest to pursue the case, given the damage to TfL and the risk to wider critical services.

Scattered Spider has gained a reputation over the past two years for sophisticated social engineering attacks, often targeting corporate IT staff through phishing and voice calls. Security analysts believe the group is made up largely of young hackers who collaborate loosely online, sometimes overlapping with other cybercriminal groups.

Nevertheless, these arrests and the age of alleged hackers align with the NCA’s February 2024 findings, which revealed that 1 in 5 youths in the United Kingdom engage in cybercrime. The agency disclosed that one in five children aged 10-16 in the UK have participated in online activities that violate the Computer Misuse Act.

Two UK Teenagers Charged Over TfL Hack Linked to Scattered Spider

Palo Alto, California, 18th September 2025, CyberNewsWire

**Palo Alto, California, September 18th, 2025, CyberNewsWire**

SquareX first discovered and disclosed Last Mile Reassembly attacks at DEF CON 32 last year, warning the security community of 20+ attacks that allow attackers to bypass all major SASE/SSE solutions and smuggle malware through the browser. Despite responsible disclosures to all major SASE/SSE providers, no vendor has made an official statement to warn its customers about the vulnerability in the past 13 months – until two weeks ago. 

As more attackers are leveraging Last Mile Reassembly techniques to exploit enterprises, SASE/SSE vendors are beginning to recognize that proxy solutions are no longer sufficient to protect against browser based attacks, with Palo Alto Networks being the first to publicly acknowledge that Secure Web Gateways are architecturally unable to defend against Last Mile Reassembly attacks. In the press release, Palo Alto Networks recognized the attack as “encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.” The release also recognized that “the browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional.”

This marks a watershed moment in cybersecurity where a major incumbent SASE/SSE vendor publicly admits the fundamental limitations of Secure Web Gateways (SWGs) and acknowledges the critical importance of browser-native security solutions – exactly what SquareX has been advocating since pioneering this research.

**What are Last Mile Reassembly Attacks?**

Last Mile Reassembly attacks are a class of techniques that exploit architectural limitations of SWGs to smuggle malicious files through the proxy layer, only to be reassembled as functional malware in the victim’s browser. In one technique, attackers break the malware into different chunks. Individually, none of these chunks trigger a detection by SWGs. Once they bypass proxy inspection, the malware is then reassembled in the browser. 

In another example, attackers smuggle these malicious files via binary channels like WebRTC, gRPC and WebSockets. These are common communication channels used by web apps like video conferencing and streaming tools, but are completely unmonitored by SWGs. In fact, many SWGs publicly admit this on their website and recommend their customers disable these channels.

In total, there are over 20 such techniques that completely bypass SWGs. While Palo Alto Networks is the first to publicly admit this limitation, SquareX has demonstrated that all major SASE/SSE vendors are vulnerable and have been in touch with multiple solutions as part of responsible disclosures and to discuss alternative protection mechanisms. 

**Data Splicing Attacks: Exfiltrating Data with Last Mile Reassembly Techniques**

Since the discovery of Last Mile Reassembly Attacks, SquareX’s research team conducted further research to see how attackers can leverage these techniques to steal sensitive data. At BSides San Francisco this year, SquareX’s talk on Data Splicing Attacks demonstrated how similar techniques can be used by insider threats and attackers to share confidential files and copy-paste sensitive data in the browser, completely bypassing both endpoint DLP and cloud SASE/SSE DLP solutions. In fact, there has been an emergence of P2P file sharing sites that allow users to send any file with no DLP inspection.

**The Year of Browser Bugs: Pioneering Critical Browser Security Research**

As the browser becomes one of the most common initial access points for attackers, browser security research plays a critical role in understanding and defending against bleeding edge browser-based attacks. Inspired by the impact of Last Mile Reassembly, SquareX launched a research project called The Year of Browser Bugs, disclosing a major architectural vulnerability every month since January. Some seminal research include Polymorphic Extensions, a malicious extension that can silently impersonate password managers and crypto wallets to steal credentials/crypto and Passkeys Pwned, a major passkey implementation flaw disclosed at DEF CON 33 this year. 

> “Research has always been a core part of SquareX’s DNA. We believe that the only way to defend against bleeding edge attacks is to be one step ahead of attackers. In the past year alone, we’ve discovered over 10 zero day vulnerabilities in the browser, many of which we disclosed at major conferences like DEF CON and Black Hat due to the major threat it poses to organizations,” says Vivek Ramachandran, the Founder of SquareX, “Palo Alto Networks’ recognition of Last Mile Reassembly attacks represents a major shift in incumbent perspectives on browser security. At SquareX, research has continued to inform how we build browser-native defenses, allowing us to protect our customers against Last Mile Reassembly attacks and other novel browser-native attacks even before we disclosed the attack last year.”

As part of their mission to further browser security education, SquareX collaborated with CISOs from major enterprises like Campbell’s and Arista Networks to write The Browser Security Field Manual. Launched at Black Hat this year, the book serves as a technical guide for the cybersecurity practitioners to learn about bleeding edge attacks and mitigation techniques. 

**Fair Use Disclaimer**

This site may contain copyrighted materials (including but not limited to the recent press release by Palo Alto Networks dated September 4, 2025), the use of which has not always been specifically authorised by the copyright owner. Such materials are made available to advance understanding of issues related to Last Mile Reassembly attacks which shall constitute a “fair use” of any such copyrighted material as provided for under the applicable laws. If you wish to use copyrighted material from this site for purposes of your own that go beyond fair use, you must obtain permission from the respective copyright owner.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including Last Mile Reassembly Attacks, rogue AI agents, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Source

HackRead