FBI seizes top piracy sites leaking unreleased and pirated video games with millions of downloads and 170 million dollars in losses for developers and publishers.

The Department of Justice and the FBI’s Atlanta Field Office confirmed today that they have seized and dismantled several notorious online marketplaces distributing pirated video games.

The targeted sites had gained popularity for leaking unreleased titles to millions of users worldwide. Visitors who try to reach these domains now see a federal notice stating **“This website has been seized”** and “**This domain has been seized by the Federal Bureau of Investigation”** instead of download links.

The full list of seized websites includes the following:

*   Nswdl.com
*   Nsw2u.com
*   Ps4pkg.com
*   Ps4pkg.net
*   Mgnetu.com
*   Game-2u.com
*   Bigngame.com

According to the FBI’s press release, from late February through May, an estimated 3.2 million illegal downloads took place through just one of the main services connected to these sites. The financial impact stands at roughly $170 million in losses to publishers and developers.

Screenshot from the now-seized and popular Game-2u.com (Image credit: Hackread.com)

The agency further revealed that for more than four years, these networks distributed early copies of some of the most anticipated games, often days or weeks before their official launch.

The FBI’s move to seize the sites’ domains cuts off access to vast libraries of pirated content and removes infrastructure that supported further distribution. The operation involved support from the Dutch FIOD agency (Fiscal Information and Investigation Service).

Game studios have always complained that leaks hurt their sales, drain the hard work of developers and ruin the excitement they build before a big launch. The FBI says grabbing these early copies for free doesn’t just hit big companies but also affects the people who spend years making the games in the first place.

While the domains are now in government hands, the global fight against online piracy will continue. The people behind these sites could face prosecution once investigators finish their work. For now, some of the internet’s busiest sources for leaked games have gone down, cutting off millions of downloads in the process.

FBI Seizes Major Sites Sharing Unreleased and Pirated Video Games

A new SafetyDetectives study reveals the surprising extent of Google tracking across the web in the US, UK, Switzerland, and Sweden. Discover how Google Analytics, AdSense, and YouTube embeds collect your data, even when using DuckDuckGo.

Google and its tracking of user activity is nothing now but a recent study by SafetyDetectives, conducted across the US, UK, Switzerland, and Sweden, reveals the pervasive nature of Google’s tracking mechanisms across the internet.

The research, shared with Hackread.com, indicates that while privacy-focused search engines like DuckDuckGo can reduce exposure, completely escaping Google’s reach remains a significant challenge. The study simulated locations using a virtual machine and VPN to ensure accurate regional data collection.

The findings reveal that Google’s tracking extends far beyond its own products, embedded deeply within countless websites through tools like Google Analytics, AdSense, and YouTube embeds. This data helps Google build detailed user profiles for targeted advertising and personalisation, the researchers claim.

Source: SafetyDetectives

****Google’s Deep Reach and Content-Specific Tracking****

The study highlights that Google tracking can be reduced by 50% with DuckDuckGo, particularly in countries with stronger privacy regulations like Switzerland and Sweden. For instance, Google Analytics, a tool for website traffic analysis, appeared on only 14%–17% of DuckDuckGo visits in these privacy-focused nations, a notable drop from 45%–53% when using Google Search.

However, the report also found that in the US, over 40% of pages still sent data to Google even when DuckDuckGo was used. In the UK, a slight improvement was observed, with tracking dropping from 47% on Google to 29% with DuckDuckGo. Google Analytics, described as “everywhere,” was detected in one in five DuckDuckGo sessions across all four countries.

The research also pinpointed specific content categories where Google tracking is more prevalent. Such as YouTube and product-related searches consistently triggered a higher likelihood of Google tracking, regardless of the search engine used.

Conversely, visits to platforms like Wikipedia and TikTok showed minimal to no Google tracking. This suggests that the type of content accessed plays a crucial role in the extent of data collection by Google.

****Geographic Differences and Tracker Types****

The study emphasises that location significantly influences the degree of Google tracking. In the US, Google trackers were nearly unavoidable, often present on 100% of websites visited in some tests, even when a privacy-focused alternative like DuckDuckGo was employed.

This was primarily due to embedded analytics and ads on news and commercial sites. In contrast, Sweden and Switzerland demonstrated fewer instances of tracking, with DuckDuckGo proving more effective in blocking trackers, especially on news articles and Wikipedia.

Source: SafetyDetectives

Google Analytics emerged as the most widely used tracker across all four countries, appearing on nearly 50% of visited sites, reflecting its deep integration into web infrastructure. Other prominent trackers included Google Services (APIs, Maps, Fonts, Gtag), which are general services integrating Google’s infrastructure. Their integration was particularly high in Sweden and the US.

DoubleClick, an ad tracking service, appeared more frequently in Switzerland, while YouTube embeds, allowing videos to be played on other sites, showed higher usage in the US and UK compared to Sweden or Switzerland.

This comprehensive data highlights that even with privacy regulations like GDPR, Google’s embedded services continue to collect user data, making a complete escape difficult for the average internet user.

New Study Shows Google Tracking Persists Even With Privacy Tools

14 arrested in major HMRC phishing scam raids across UK & Romania. Learn about the multi-million-pound tax fraud operation.

A major international operation has led to the arrest of 14 individuals suspected of involvement in a large-scale phishing attack that defrauded UK taxpayers of an estimated £47 million.

The arrests, primarily in Romania, were the result of a joint effort between criminal investigators from HMRC (Her Majesty’s Revenue and Customs), the UK’s tax authority, and over 100 Romanian police officers.

****Operation Details****

The coordinated raids across Romania led to the detention of 13 people, both men and women, aged between 23 and 53. Separately, a 38-year-old man was arrested in Preston, UK, in connection with the same cybercrime network.

Authorities seized luxury cars and significant amounts of cash during the operations. Those arrested face charges including computer fraud, money laundering, and illegally accessing computer systems.

This action follows earlier arrests in November in Bucharest, where two men, aged 27 and 36, were detained for similar cybercrime and fraud offences. The Romanian authorities have also released a video showcasing the police raids.

The criminal gangs behind the scam used phishing, which involves tricking individuals into revealing their personal information. This stolen data was then used to submit fraudulent claims for tax repayments, including PAYE (Pay As You Earn), VAT (Value Added Tax), and Child Benefit payments, effectively creating new online tax accounts in victims’ names.

****The Cost and Controversy****

The scale of the fraud, which saw over 100,000 taxpayer accounts compromised, has drawn significant attention. The incident became particularly controversial when HMRC’s new chief executive, John-Paul Marks, and his deputy appeared before the Treasury Committee without disclosing details of the breach. Dame Meg Hillier DBE MP, Chair of the Treasury Committee, later sent a letter to HMRC, stating that their failure to report the incident was “unacceptable.”

****Urgent Warning Issued****

Following the arrests, HMRC has issued an urgent warning to the public about tax fraud. Simon Grunwell, Operational Lead in HMRC’s Fraud Investigation Service, emphasised the importance of international cooperation in combating tax crime. He confirmed ongoing investigations and thanked Romanian partners for their support. HMRC stated they have already taken steps to protect customers whose accounts were targeted.

“Phishing is often seen as a low-level threat, because attacks are easy to execute and require no real computing skill; however, the attacks are rife and very successful. Almost every breach today has a human element and it is vital the security industry and government work harder to thwart this threat,” said William Wright, CEO of Closed Door Security.

“Tax scams are one of the biggest risks to citizens in the UK as criminals are adopting tactics to make them highly convincing, often using a mix of emails, post and SMS to send out fraudulent comms,” warned William.

William further warned taxpayers to be cautious of text and phishing messages that ask for their personal or organisational information while pretending to be HMRC. He also stressed the importance of social precautions when filing taxes, especially around deadlines like the self-assessment in January.

14 Arrested in Romania for £47 Million UK Tax Phishing Scam

Disclosure: The information in this article highlights Elsner’s Magento development offerings and related solutions.

Imagine slashing shipping costs by 30% while speeding up deliveries, and watching 4-star reviews roll in. That is the power of Magento 2 shipping automation. It is reshaping how stores handle logistics and how customers experience fulfillment.

For store owners, shipping can be a mess. Too many carriers. Too many zones. Too much manual work. Delays hurt satisfaction. Errors kill trust. And rising shipping fees? They crush margins.

**_Did you know that over 56% of cart abandonments happen due to unexpected shipping costs? That is not just lost revenue, it is lost growth._**

Magento 2 automation fixes this. It connects carriers instantly. It prints labels on its own. It keeps customers updated, without requiring your team to do a thing. You save time. Costs drop. Buyers stay happy. No chaos. No guesswork. Just smart, scalable shipping. This post explores how Magento development services, backed by industry leaders like Elsner, help you unlock that transformation without burning through time or budget.

****Why Automate Shipping in Magento 2?****

Manual carrier selection and rate comparison eat time and cash. Errors happen. And if you cannot show live prices at checkout? You risk abandoned carts. This way, adopting shipping automation:

*   Reduces manual order handling by 40‑60%
*   Enables real‑time carrier rate quotes for transparency
*   Gives you multi‑carrier flexibility, FedEx, UPS, USPS, DHL
*   Integrates returns/refunds directly into your backend
*   Empowers smarter fulfilment decisions: pick‑ups, drop‑offs, regional warehouses

Elsner, a Magento 2 development company, configures dynamic rate logic, labels, and notifications to help merchants stay lean and maintain their margins intact.

****The Elsner Edge: Magento 2 Shipping Automation Approach****

**Step**

**What Elsner Does**

**Your Benefit**

**1\. Discovery**

Assess current logistics, carriers, and volumes

Pinpoint bottlenecks & overspent services

**2\. Carrier Setup**

Connect FedEx, USPS, UPS, DHL, live rates

Offer the best rates & options at checkout

**3\. Custom Logic**

Automate carrier/packaging rules

Maximize profit per order

**4\. Label & Tracking**

Print labels, auto‑email tracking info

Save payroll & delight customers

**5\. Returns Flow**

Generate return labels, dashboards

Simplify reverse logistics

**6\. Testing + Training**

QA in staging, train your team

Smooth go‑live, zero confusion

When you hire dedicated Magento developers from Elsner, they enforce best practices in coding, performance, and security.

****Key Shipping Automation Features Worth Deploying****

These features do not just make shipping easier; they turn it into a competitive edge.

****Real-Time Shipping Rate Quotes****

Show live shipping rates at checkout. No estimates. No surprises. Your customer sees accurate pricing based on their address and selected items. This builds trust and reduces cart abandonment instantly.

****Auto Label Printing****

Let your system handle the paperwork. Once an order is placed, the correct shipping label is automatically generated. Your team does not need to click anything. This saves time and reduces the likelihood of human errors.

****Split Shipment Support****

Not everything comes from the same warehouse. Split shipping ensures that items from different locations are shipped simultaneously. Customers receive packages faster. Inventory stays organised across channels.

****Free Shipping Thresholds****

Offer free shipping, but on your terms. Set rules like “Free shipping over $50” and let the system manage it. No need to manually apply coupons or check eligibility. It just works.

****Smart Packing Logic****

Why ship a small item in a giant box? Packing logic calculates dimensions, weight, and box types. This reduces waste. It also cuts costs on shipping and packaging materials.

****Shipping API Plug-ins****

Connect with top carriers like FedEx, UPS, DHL, and USPS. APIs let your store pull real-time data from these services. This includes rates, transit times, and shipping options.

****Tracking Updates****

Customers want updates. Automation sends real-time tracking links via email or SMS. No one on your team needs to copy-paste or follow up manually. Everyone stays in the loop.

****Return Portal Integration****

Make returns easier for everyone. Add a self-service return portal to your store. Customers download pre-paid labels. You manage returns without emails or support tickets piling up.

Each feature adds a direct benefit to both store owners and customers. These are not just conveniences; they are cost-saving, time-saving essentials when scaling with Magento 2. As a Magento B2B agency, Elsner stands out by building modular features that enable agile and scalable custom Magento E-commerce development.

****How Does This Cut Costs & Boost CX?********Staff Time Saved****

Manual shipping takes time. Clicking through orders. Printing labels. Copy-pasting tracking links. All of it adds up. Shipping automation removes most of these steps. You reclaim hours every day. Labour costs drop. Staff focus shifts to value-driven tasks.

****Lower Shipping Fees****

Not all carriers charge the same. Smart automation tools compare shipping rates in real time. They choose the most affordable shipping method. No guesswork. No overpaying. You save on every package.

****Reduced Errors****

Wrong labels mean delayed packages. Or lost inventory. Or angry customers. Auto-generated labels fix this. The system pulls the right info every time. Accuracy jumps. Mis-shipments go down. Reputation goes up.

****Fewer Cart Abandons****

Customers love clarity. Show them exact shipping rates and delivery estimates at checkout. No surprises. This builds confidence. And when buyers feel informed, they check out faster. Abandonment rates drop noticeably.

****Less Return Stress****

Returns do not need to be a headache. Self-service portals handle it. Customers generate return labels on their own. No back-and-forth, long email chains.  No confusion. It simplifies life for both your team and your buyers.

****Analytics Perks****

Know which carrier delivers fastest. Automation tools come with built-in dashboards. Get detailed analytics and make decisions that support the growth of your business. The track failed deliveries or late shipments. Better data leads to better shipping decisions. That is a long-term win.

All these gains are powered by structured Magento enterprise development. When paired with strategic Magento website development services, your store becomes faster, leaner, and far more customer-focused. The outcome? Lower costs. Better experiences. And ROI keeps climbing.

****Migrating from Magento 1? They’ve Got You Covered****

Elsner often helps merchants with Magento 1 to Magento 2 migration. Here’s how shipping automates post‑migration:

*   Port shipping rules, carrier integrations, and custom logic
*   Rebuild checkout flow to support automation
*   Train staff on new shipping toolsets
*   Validate shipping data using Magento migration service best practices

Elsner’s data migration from Magento 1 to 2 experts makes sure shipping history, customer addresses, and tracking numbers get migrated correctly without any loss of data..

****Hiring the Right Expert: Why Elsner Stands Out?****

You could hire Magento programmers on a freelance basis, but here is what you get with Elsner:

*   Certified Magento team with access to full Magento 2 development services
*   Formal QA, version control, UI/UX testing
*   Clear SLAs and support packages
*   Ownership of delivered code and documentation

Need to hire certified Magento developers? You get seasoned pros who follow Magento’s coding standards. Plus, Elsner’s background as a Magento E‑commerce agency spans from startups to enterprise-level operations.

****Post‑Implementation: Measuring Success****

After Elsner deploys shipping automation, use these KPIs to measure improvement:

*   **Fulfilment time** (hrs/order) – target: < 1 hour
*   **Shipping cost/order** – target: –15‑30% YOY
*   **Order accuracy** – target: 99‑100%
*   **Cart abandonment (shipping step)** – target: < 5%
*   **Return requests** – target: lower than industry avg

With their Magento migration service, Elsner ensures a smooth transition while preserving key shipping configurations, so businesses can track and optimise performance from day one.

****Wrapping Up****

Cutting costs and enhancing customer experience might sound like conflicting goals, but with Magento 2 shipping automation, you can do both. Elsner’s Magento development services and seasoned experts make it happen seamlessly. From live shipping rates at checkout to auto‑generated labels and integrated returns, you deliver an elevated experience while trimming logistics spending.

If you want to hire dedicated Magento developers who build shipping systems tailored to your store, look no further. Ready to make shipping your competitive advantage?

Magento 2 Shipping Automation: Cut Costs While Enhancing Customer Experience

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability…

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability and weak default credentials led to a massive leak of personal data and the swift remediation by Paradox.ai.

A vulnerability in McHire, the AI-powered recruitment platform used by a vast majority of McDonald’s franchisees, exposed the personal information of over 64 million job applicants. The vulnerability, discovered by security researchers Ian Carroll and Sam Curry, allowed unauthorised access to sensitive data, including names, email addresses, phone numbers, and home addresses.

The investigation began after reports surfaced on Reddit about the McHire chatbot, named Olivia and developed by Paradox.ai, giving strange responses. Researchers quickly found two critical weaknesses. First, the administration login for restaurant owners on McHire accepted easily guessable default credentials: “123456” for both username and password. This simple entry granted them administrator access to a test restaurant account within the system.

Source: Reddit

The second, and more serious, issue was an Insecure Direct Object Reference (IDOR) on an internal API. An IDOR means that by simply changing a number in a web address (in this case, a lead\_id tied to applicant chats), anyone with a McHire account could access confidential information from other applicants’ chat interactions.

According to their blog post, researchers noted that this allowed them to view details from millions of job applications, including unmasked contact information and even authentication tokens that could be used to log in as the applicants themselves and see their raw chat messages.

Source: Ian Carroll

The McHire platform, accessible via https://jobs.mchire.com/, guides job seekers through an automated process, including a personality test from Traitify.com. Applicants interact with Olivia, providing their contact details and shift preferences.

It was while observing a test application from the restaurant owner’s side that the researchers stumbled upon the vulnerable API. They noticed a request to fetch candidate information, PUT /api/lead/cem-xhr, which used a lead_id that could be altered to view other applicants’ data.

Upon realising the vast scale of the potential data exposure, the researchers immediately initiated disclosure procedures. They contacted Paradox.ai and McDonald’s on June 30, 2025, at 5:46 PM ET.

McDonald’s acknowledged the report shortly after, and by June 30, 2025, at 7:31 PM ET, the default administrative credentials were no longer functional. Paradox.ai confirmed that the issues had been fully resolved by July 1, 2025, at 10:18 PM ET. Both companies have stated their commitment to data security following the swift remediation of this critical vulnerability.

“This incident is a reminder that when companies rush to deploy AI in customer-facing workflows without proper oversight, they expose themselves and millions of users to unnecessary risk,” said Kobi Nissan, Co-Founder & CEO at MineOS, a global data privacy management firm.

“The issue here isn’t the AI itself, but the lack of basic security hygiene and governance around it. Any AI system that collects or processes personal data must be subject to the same privacy, security, and access controls as core business systems,” explained Kobi.

“That means authentication, auditability, and integration into broader risk workflows, not siloed deployments that fly under the radar. As adoption accelerates, businesses need to treat AI not as a novelty but as a regulated asset and implement frameworks that ensure accountability from the start,” he advised.

McDonald’s AI Hiring Tool McHire Leaked Data of 64 Million Job Seekers

Four suspects arrested by the NCA in April/May 2025 cyberattacks on M&S, Co-op, and Harrods. Learn about the social engineering, ransomware disruption, and estimated £300M impact on M&S.

In a major development, the UK’s National Crime Agency (NCA) has announced the arrest of four individuals in connection with a series of cyberattacks that impacted major UK retailers Marks & Spencer (M&S), Co-op Group, and Harrods in April and May 2025. These arrests mark a crucial step in an ongoing investigation that remains a top priority for the agency.

****The Attacks and Their Impact****

The cyber criminals gained access to the retailers’ computer systems through aggressive social engineering tactics, which involve manipulating individuals to gain confidential information or access. This likely involved exploiting a common third-party supplier. The attacks caused considerable disruption, particularly for M&S, which saw its online shopping suspended and food deliveries affected. Even nearly three months later, M&S has not fully recovered, with its chairman, Archie Norman, estimating a cost of £300 million in lost profits due to the incident.

M&S customers were also instructed to change their account passwords following a significant data theft. The company expects its operations to be affected until late July, with some IT systems not fully operational until October or November.

While Co-op and Harrods also faced intrusions, they proved more resilient, and the impact on their operations was less severe. Co-op had to disconnect some IT systems, and Harrods also shut off systems to mitigate damage. The attacks involved malicious software, or ransomware, which scrambles data and demands payment for its release.

****Suspects Apprehended****

The four individuals, as per the NCA’s press release, including two men aged 19, a 17-year-old male, and a 20-year-old woman, were apprehended early on Thursday morning, July 10, 2025, at their homes across London, Staffordshire, and the West Midlands. One of the 19-year-old men is from Latvia, while the others are British nationals.

They are suspected of multiple offences under the Computer Misuse Act of 1990, a law that criminalises unauthorised access to computer material, as well as blackmail, money laundering, and participating in the activities of an organised crime group. Electronic devices have been seized from their properties for detailed forensic examination.

The NCA’s operation received support from the West Midlands Regional Organised Crime Unit (ROCU) and the East Midlands Special Operations Unit. Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, praised the swift progress, stating that “Today’s arrests are a significant step in that investigation.”

He emphasised that the collaboration with affected organisations like M&S, Co-op, and Harrods was vital to the investigation’s success, highlighting the importance of businesses engaging with law enforcement after cyber incidents. The investigation continues with international partners to bring all responsible parties to justice.

UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods

Cybersecurity researcher Jeremiah Fowler uncovered a massive 286GB data exposure at Texas-based Rockerbox, a tax credit consultancy. Exposed data includes SSNs, DD214s, and financial details, raising serious identity theft and fraud concerns.

A data exposure has come to light at Rockerbox, a tax credit consultancy based in Texas, USA. Cybersecurity researcher Jeremiah Fowler recently uncovered a non-password-protected database highlighting a significant security lapse, the findings of which were reported by vpnMentor and shared with HackRead.com.

Rockerbox, identified as a tax credit consulting company, helps businesses across the United States identify and manage employer-focused tax incentives through programs like the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits.

****Scope of Compromised Data****

The exposure involved an alarming 245,949 records, totalling 286.9 GB of data. This extensive dataset comprised various forms of personally identifiable information (PII), including full names, dates of birth (DOB), Social Security Numbers (SSN), and physical addresses.

For your information, PII is information that can identify an individual, directly or indirectly, while SSN is a unique nine-digit identifier used for tracking earnings and for various governmental purposes in the US.

Screenshots of identification documents (Source: vpnMentor)

According to Fowler’s report, the exposed records also contained sensitive identification documents such as driver’s licenses and DD214 forms, which are Certificates of Release or Discharge from Active Duty issued by the US Department of Defence, serving as official documentation of a veteran’s military service.

Furthermore, a wide array of employment and tax-related materials were compromised. This included applications for tax credit programs, alongside official acceptance or denial letters, often containing intricate financial and personal details. While some files were access-denied, many documents were readily available to anyone with internet access.

Even certain password-protected PDF files had their filenames exposed, revealing PII like employer and applicant names. Fowler highlighted a theoretical risk that numeric parts of these filenames could contain passwords, advising against embedding such data.

****Potential Risks for Affected Individuals****

Rockerbox, known for aiding businesses across the US with tax incentives in sectors like restaurant and hospitality, healthcare, manufacturing, food processing, and skilled trades, now faces scrutiny over its data handling. The comprehensive exposure creates significant potential for targeted phishing attacks, identity theft, and financial fraud, as malicious actors could leverage this deep well of personal and financial information for illicit gain.

Fowler immediately notified Rockerbox, and the database was subsequently secured and restricted from public access several days later. However, no reply to his responsible disclosure notice was received. Also, it remains unknown if the database was directly managed by Rockerbox or a third-party contractor, how long it was exposed before discovery, or if other unauthorised parties gained access.

“For companies and organizations that collect and store potentially sensitive personal data in cloud storage repositories, it is important to implement the proper security measures to protect that information. This starts with access controls and limiting who (from both inside and outside of the organization) can see and manipulate which pieces of information,” Fowler concluded.

Server with Rockerbox Tax Firm Data Exposed 286GB of Records

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.

US Announces Arresting Chinese Hacker Linked to HAFNIUM Group

Identity-based cyberattacks soar 156%, driven by cheap Phishing-as-a-Service & infostealer malware. Learn how criminals bypass MFA to steal credentials, access bank accounts, and compromise business emails.

According to cybersecurity researchers at eSentire, infostealer malware and advanced phishing toolkits are behind a massive 156% jump in cyberattacks targeting user logins and identity information impacting both office and remote workers.

eSentire’s report, shared with Hackread.com also noted attackers increasingly focusing on stealing login details and session cookies, which they then use to commit financial crimes like Business Email Compromise (BEC) and cryptocurrency theft.

****The Rise of Phishing and Infostealers-as-a-Service****

A key factor driving this surge, as per the report (PDF) is the availability of Phishing-as-a-Service (PhaaS) platforms, which lower the technical skill and cost needed for criminals to launch attacks. Platforms like Tycoon 2FA, for example, offer pre-made phishing pages for popular platforms like Microsoft 365 and Google Workspace for as little as $200 to $300 per month.

Typical Tycoon 2FA Campaign Structure (Source: eSentire)

These services use clever Adversary-in-the-Middle (AitM) techniques, acting as a go-between to capture login credentials and even authentication tokens in real-time, often bypassing multi-factor authentication (MFA) within minutes. BEC cases, specifically, have seen a 60% year-on-year increase, making up 41% of all attacks in the first quarter of 2025.

Typical Tycoon 2FA Campaign Structure (Source: eSentire)

A recent State of Browser Security Report by Menlo Security identified over 752,000 browser-based phishing attacks across more than 800 businesses, a 140% increase from the previous year, highlighting how browsers have become a major target. This trend also includes an emerging infostealer named Acreed, first seen in February 2025, which is now competing in these dark online markets, especially after law enforcement disrupted the infrastructure of another prominent infostealer, Lumma Stealer, in May 2025.

****Protecting Your Online Identity****

The rapid shift from opportunistic attacks to systematic, service-driven operations means that criminals are moving from stealing credentials to committing fraud within hours. With 78% of identified PhaaS operations originating from the United States (though this often reflects hosting location, not the attacker’s true base), the global reach of these threats is significant.

Organizations and individuals are strongly advised to enhance their cybersecurity. This includes adopting phishing-resistant authentication methods, establishing continuous monitoring for unusual login attempts or changes, and remaining alert about unsolicited emails and attachments. The speed and sophistication of these identity-based attacks make proactive defence measures more critical than ever.

_“_This report effectively mirrors the trends observed by Ontinue’s Cyber Defense Center over the past year. With the rise of a lucrative underground economy powered by Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, even low-skilled threat actors can now gain initial access without exploiting technical vulnerabilities,_“_ said Will Bailey, Senior SOC Analyst at Ontinue.

_“_As a result, phishing and identity-based attacks have become a persistent cat-and-mouse game between attackers and defenders,_“_ Will warned. _“_This underscores the critical need for a 24/7 Managed Detection and Response (MDR) service that includes identity threat detection and response enabling organizations to revoke session tokens and terminate active sessions in real time,_“_ he advised.

Infostealers-as-a-Service Push Identity Hacks to Record Highs

Pakistan’s APT36 Transparent Tribe uses phishing and Linux malware to target Indian defence systems running BOSS Linux says Cyfirma.

A sophisticated cyber espionage operation, believed to be run by a group known as APT36 (also called Transparent Tribe), is now targeting Indian defence personnel and organizations. This Pakistan-based group is targeting systems running BOSS Linux (Bharat Operating System Solutions), an Indian Linux distribution based on Debian commonly used by Indian government agencies.

This shows a new step in their attacks since they’re now using malicious software designed specifically for Linux environments. This threat was reported by cybersecurity firm Cyfirma, and the findings were shared with Hackread.com.

Cyfirma researchers first observed this new attack on June 7, 2025. As per their research, the attackers are employing cunning phishing emails to trick their targets. These emails come with a compressed file, typically an archived ZIP file “Cyber-Security-Advisory.zip,” which contains a harmful ‘.desktop’ file– essentially a shortcut used in Linux systems.

Attack Flow (Source: Cyfirma)

When a victim opens this shortcut, two things happen at once. First, to create a diversion, a normal-looking PowerPoint file appears, seemingly to distract the user and make the attack seem legitimate. This is achieved by the .desktop file secretly downloading and then opening the PowerPoint file.

Second, in the background, another malicious program (named BOSS.elf, saved locally as client.elf) is secretly downloaded and run. This hidden program is an Executable and Linkable Format (ELF) binary, which is a standard file format for executable programs on Linux, just like an .exe file on Windows. It is written in the Go programming language and serves as the primary payload designed to compromise the host system and facilitate unauthorized access.

Malicious Files (Source: Cyfirma)

The malware also attempts to connect to a control server at the IP address 101.99.92.182 on port 12520. It’s important to note that the domain sorlastore.com has been identified by security researchers as malicious infrastructure actively used by APT36, particularly against personnel and systems within the Indian defence sector.

This multi-step attack is designed to get past security checks and avoid being noticed, allowing the attackers to maintain access to sensitive computer systems. The use of malware specifically built for Linux shows that APT36’s capabilities are growing, posing a greater danger to vital government and defence computer networks.

Hackread.com has diligently monitored the activities of the Transparent Tribe since its emergence. They gained prominence with Operation C-Major in March 2016, which used spear-phishing and an Adobe Reader vulnerability to distribute spyware to Indian military employees and steal login details from Indian army officials via a malicious Android app called SmeshApp.

More recently, in July 2024, the group was observed disguising Android spyware CapraRAT as popular mobile apps like “Crazy Games” and “TikTok” to steal data. This latest campaign indicates an expansion of their targets beyond just military personnel and also highlights their continued dedication to Indian targets and their adaptable approach to exploiting various platforms.

Therefore, organizations, especially those in the public sector using Linux-based systems, are urged to take this threat very seriously. Strong cybersecurity measures and threat detection tools are crucial to protect against these evolving attacks.

_“_Even a PowerPoint presentation has the power to help automate, but it should only do so when you know it’s legitimate,_“_ emphasised Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM).

_“_Prevention improves when BOSS Linux images disable the auto-execution of desktop shortcuts and enforce application-allow lists that limit what runs outside signed repositories,_“_ _“_PowerPoint viewers should open in read-only mode and downloads from untrusted networks should land in a no-execute mount. Zero trust segmentation keeps a compromised workstation isolated from classified enclaves,_“_ Jason advised.