Data from research suggests that the global cryptocurrency market will at least triple by 2030, increasing to an…

Data from research suggests that the global cryptocurrency market will at least triple by 2030, increasing to an amount of nearly $5 billion. Once the holistic use of AI is fully incorporated into this infrastructure, data management, crypto-economics, and our money are poised to see significant growth and work smarter.

Just when we think Bitcoin had a price of zero when it first debuted in 2009 and now has hit a valuation of $104602.03, we can state that the cryptocurrency market is increasingly optimistic, evolving from a niche concept to a driving force in today’s economy. 

The likes of Bitcoin and Ethereum are set to become part of our everyday lives, making it impossible to ignore how curiosity has become a viable investment and urging us to wonder whether we could benefit from digital assets, too.

Cryptocurrency means vision and heightened perspective, and it can offer you so much if you have enough confidence to move away from the comfort of traditional financial methods. This force of innovation is actively embraced by countless individuals who dared to see potential, while others saw it as a waste of time and energy. 

Although it wasn’t easy to succeed as they had to learn so much and approach this ecosystem from multiple facets, such as considering risks, prioritizing liquidity, reading crypto charts, and mastering emotions, a significant number of participants made it. You can be one of them.

Therefore, we are here to offer you a little perspective on how to spread your investments across different sectors, validating the fact that there’s always more to see and do when immersing yourself in this ecosystem.

****Diversify By Coins And Tokens** **

Diversifying your digital ownership of digital coins is one of the most obvious ways to create a well-balanced portfolio. Here is what you can choose from as a beginner investor:

*   **Payment tokens** such as Bitcoin and Ethereum can be used for transactions, access features within a specific platform, and engage in network governance. We expect to see a growth in their use for broader applications. While Ethereum focuses on faster transactions and greater scalability, Bitcoin prioritizes security and stability, remaining more stable overall. 
*   **Security tokens** such as Polymath, tZERO, Harbor, and Securitize represent and convey ownership in tangible assets like real estate and commodities. They encapsulate real asset and debt tokens, as well as security token offerings (STOs) and tokenized funds. 
*   **Utility tokens** such as Binance Coin, Chainlink, and Filecoin possess a particular use case within a blockchain or crypto ecosystem. They provide access to features or services offered by a specific platform. Although they do not represent opportunities, they might allow you to pay for services or participate in governance decisions within the platform. 
*   **Governance tokens** such as Uniswap and Compound empower holders to have a say in how the project is managed, giving them a voice regarding protocol upgrades, fee structures, and numerous other operational aspects. 
*   **Basic Attention Token** is an Ethereum-based ERC-20 token that aims to improve the fairness and security of digital advertising by compensating participants for their attention and publishers for their content. 
*   **Non-fungible tokens (NFTs)** represent ownership of both digital collectibles and real-world assets, allowing for appliances to a significant number of industries, such as shipping, luxury items, exclusive content, merch, and government records. 

****Diversify By Focusing On Industry Sectors** **

Another viable way to spread your investments would be to consider cryptocurrency projects that focus on different industries, such as:

*   **Healthcare-focused cryptocurrencies** such as MediBloc, Dentacoin, Galeon, and BioPassport empower patients with greater control over their information, streamlining payments and reducing costs. 
*   **Supply chain-focused cryptocurrencies** such as VeChain (VET) facilitate global trade through enhanced transparency, increased efficiency, improved trust, and reduced fraud. 
*   **Transportation-focused cryptocurrencies** such as Mass Vehicle Ledger and ParkinGO aim to innovate and improve multiple aspects of the transportation sector and facilitate applications such as payment for public transport, Mobility-as-a-Service, and cargo management. 
*   **Climate change-focused cryptocurrencies** usually employ consensus mechanisms like Proof-of-Stake (PoS) or other energy-efficient alternatives, offering crypto enthusiasts the opportunity to aim for a greener future. 

****Diversify With Asset Class On Your Mind** **

You can choose to diversify within various crypto and blockchain sectors, broadening your exposure to different asset classes. For instance, cryptocurrency stocks are shares in notorious traded companies and funds that are substantially exposed to cryptocurrency. You can buy stock of companies within the crypto sector or stock that belongs to companies with extensive crypto holdings.

Moreover, bonds and real estate are also a viable option to spread your investments. El Salvador, the Singapore Exchange, the European Investment Bank, and the World Bank have already issued blockchain-based crypto bonds. At the same time, numerous Real estate tokenization platforms such as Honey Bricks have shown a tremendous interest in digital tokens, supporting fractional ownership of real estate through purchasing them. 

****Diversify By Geographical Location** **

Diversifying your portfolio through investing across multiple regions is a feasible method to mitigate risks associated with specific market environments and ever-changing regulatory decisions. You should experience projects from various places worldwide, especially with areas known for crypto innovation and non-problematic regulatory environments such as the US, Asia, and Europe, ensuring a balance between coins, altcoins, and stablecoins.

In this manner, your portfolio will gain exposure to a heightened range of technological innovation, securing a better position during economic or regulatory volatility. 

****The Importance Of Diversifying Your Crypto Portfolio** **

Spreading investments across different types of crypto assets can substantially reduce the risk of compromising your success by over-concentrating on a single asset’s performance, shifting your portfolio values towards higher outcomes.

As we have already discussed, the thing you can do is diversify your investments; lastly, we shall state that common mistakes to watch out for also include chasing short-term trends, ignoring asset correlation, over-diversification, and neglecting research and rebalancing.

Image via FreePik

What Are Some Ways To Diversify Your Crypto Portfolio In 2025?

Scammers are exploiting Microsoft 365 Direct Send to spoof internal emails targeting US firms bypassing security filters with…

Scammers are exploiting Microsoft 365 Direct Send to spoof internal emails targeting US firms bypassing security filters with phishing attacks using fake voicemails and QR codes.

Cyber security researchers at Varonis Threat Labs have exposed a sophisticated new phishing campaign that exploits a little-known feature within Microsoft 365 to deliver malicious emails.

This attack, which started in May 2025 and has been consistently active, has already targeted over 70 organizations, with a significant majority, 95%, being US-based organizations.

The unique aspect of this campaign is its ability to “spoof internal users without ever needing to compromise an account,” making it particularly difficult for traditional email security systems to detect, researchers noted in the blog post shared with Hackread.com.

****Exploiting Direct Send****

The campaign leverages Microsoft 365’s Direct Send feature, designed for internal devices like printers to send emails without requiring user authentication. According to Varonis, attackers are abusing this feature.

Tom Barnea, from Varonis Threat Labs, highlighted in the report that this method works because “no login or credentials are required.” Threat actors simply need a few publicly available details, such as a company’s domain and internal email address formats, which are often easy to guess.

By using Direct Send, criminals can craft emails that appear to originate from within an organization, even though they are sent from an external source. This allows the malicious messages to bypass common email security checks, as they are often treated by Microsoft’s own filters and third-party solutions as legitimate internal communications.

Furthermore, Varonis observed that these spoofed emails often mimic voicemail notifications, containing a PDF attachment with a QR code. Scanning this QR code directs victims to a fake Microsoft 365 login page designed to steal credentials.

Image: Varonis

****Detecting and Defending Against the Threat****

Organizations need to be vigilant to detect this new form of attack. Varonis advises checking email message headers for signs like external IP addresses sending to a Microsoft 365 “smart host” (e.g., tenantname.mail.protection.outlook.com), or failures in authentication checks like SPF, DKIM, or DMARC for internal domains. Behavioural clues, such as emails sent from a users to themselves or messages originating from unusual geographical locations without any corresponding login activity, are also strong indicators.

To prevent falling victim, Varonis recommends enabling the Reject Direct Send setting in the Exchange Admin Center and implementing a strict DMARC policy. User education is key, particularly warning staff about the dangers of QR code attachments in Quishing (QR Phishing) attacks.

Finally, enforcing Multi-Factor Authentication (MFA) for all users and having Conditional Access Policies in place can protect accounts even if credentials are stolen through these sophisticated phishing attempts.

Scammers Use Microsoft 365 Direct Send to Spoof Emails Targeting US Firms

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Alert fatigue, slow detection, and delayed response times directly impact your team’s effectiveness and your organization’s risk posture. These problems often trace back to one thing: not having the right tools to understand threats quickly and clearly.

Most security teams are still stuck dealing with vague alerts or waiting for time-consuming manual analysis. What they need instead is instant visibility into how a threat behaves, what it targets, and how dangerous it really is.

Let’s discover how you can improve those Key Performance Indicators (KPIs) with faster, more effective threat analysis using the right tool.

****The Right Solutions Can Transform Your Security Operations****

When your team has access to clear, immediate threat insights, everything changes. Detection gets faster, responses become more precise, and analysts spend less time chasing dead ends.

The right solution can help you:

*   Cut down alert noise and focus on real threats
*   Reduce manual analysis and free up analyst time
*   Improve detection accuracy with deeper behavioral visibility
*   Speed up decision-making with context-rich threat data
*   Strengthen overall SOC performance with scalable workflows

For instance, interactive sandboxes like ANY.RUN provides real-time visibility into how a threat behaves, from the moment it detonates to the tactics it uses, giving your team the clarity they need to act with confidence.

****1.   Reduce Mean Time to Detect and Increase Detection Rate****

Slow detection often comes down to one thing: a lack of visibility. Security teams waste time trying to understand what a file is doing, especially when threats hide behind user interaction or uncommon file types.

ANY.RUN solves this by combining real-time behaviour monitoring with safe, interactive analysis. Analysts can engage with suspicious files, just like they would on a real machine, while the sandbox captures every action and uncovers the full execution chain.

View analysis session with full attack chain

In the following analysis session, an SVG attack is exposed with a file pretending to be a PDF and containing several hidden components, such as a .si file and a malicious DLL.

SVG analyzed inside ANY.RUN sandbox revealing its full attack range

ANY.RUN flags the sample as malicious (visible in the top-right corner) and displays the entire process tree on the right, showing how the payload was executed.

Why this is important for your SOC:

*   Analysts don’t waste time guessing; they see exactly what happens from start to finish
*   The process tree reveals each step of the attack, no reverse engineering needed
*   Malicious behavior is detected automatically in minutes, not hours
*   Teams can reduce Mean Time to Detect, avoid false negatives, and focus on real threats

Experience how ANY.RUN can cut detection time, reveal full attack behaviour, and help your SOC make smarter, faster decisions Get a 14-day trial of ANY.RUN now.

Faster detection means faster response and that leads to measurable improvements in your security KPIs.

****2.   Speed up Response and Inform Better Security Decisions****

Fast detection is only part of the equation. To respond effectively, your team needs to understand what the threat is trying to do, where it’s headed, and how it fits into a broader attack chain.

ANY.RUN provides that context instantly, with detailed process data, automated TTP mapping, and support for API-based integrations that let you respond faster and smarter.

View analysis session with Keylogger

In this example, a Snake Keylogger sample is delivered through an archive file. ANY.RUN automatically extracts the file and detonates the payload inside a safe environment. Within seconds, the sandbox labels the session as malicious and highlights the exact process that dropped the keylogger.

Malicious process with relevant TTPs revealed inside ANY.RUN sandbox

To understand the attack’s scope, analysts simply click the MITRE ATT&CK tab. From there, they get a full breakdown of the tactics and techniques used, like credential theft, persistence via registry keys, and evasion through disabling event logs.

Complete TTP mapping with a single click, no extra tools required

Why this is important for your SOC:

*   The sandbox automatically extracts and detonates files; no manual unpacking needed
*   Analysts can see TTPs instantly using MITRE ATT&CK, with no extra investigation overhead
*   Security teams can automate responses based on the analysis results received through API integrations
*   Insights are clear enough to act on immediately and detailed enough to support incident reports

When your team understands the threat’s intent, behaviour, and context upfront, they can move faster and respond with confidence.

****3.   Enrich Threat Hunting and Proactive Defense****

Stopping today’s alert is good but stopping tomorrow’s breach is better. ANY.RUN turns every analysis session into a springboard for proactive defence by putting all indicators and malware configs in one place.

Using the same Snake Keylogger sample:

Click _IOC_**.** Hashes, domains, IPs, file paths, and registry keys are collected automatically.

Gathered IOCs related to Snake Keylogger attack

**Open _MalConf_.** The sandbox extracts embedded configuration data (C2 addresses, encryption keys, protocol details) that SIEMs rarely catch on their own.

Malicious configurations detected inside ANY.RUN sandbox

**Build detection rules.** Feed those indicators into YARA, Sigma, or your EDR to hunt for related activity across the environment.

Why this is important for your SOC:

*   Analysts spend seconds gathering IOCs instead of digging through logs.
*   Threat hunters pivot faster, reducing the window of exposure.
*   New rules based on real-world samples raise overall detection coverage without extra headcount.

With clear, consolidated threat intel from ANY.RUN, your team moves from reactive firefighting to proactive protection and your risk scores trend in the right direction.

****Turn Detection into Decisive Action That Moves Your KPIs****

Improving security KPIs is about giving your team the visibility and control to act with confidence, reduce time spent on false positives, and respond before damage is done.

With ANY.RUN’s interactive sandbox, your analysts can detect hidden threats in minutes, understand their full behaviour, map out TTPs instantly, and extract IOCs without delay. No time lost jumping between tools. Just clear, actionable insight from the first click to the final report.

Whether you’re aiming to reduce Mean Time to Detect, raise your detection rate, or strengthen your threat-hunting program, ANY.RUN makes your SOC faster, smarter, and more effective across every level.

How SOCs Improve Key Cybersecurity KPIs with Better Threat Analysis

Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.

Cybercrime is often seen as a threat to privacy or money, but recent years show it can cost lives too. Ransomware, once just a way for criminals to **lock files for cash**, now disrupts hospitals and treatment, turning data extortion into a real danger for patients who need urgent care. When hospitals can’t access vital systems, people can and do die, a harsh reality now witnessed in Europe not once but twice.

****Death in the United Kingdom****

In June 2024, as **reported** by Hackread.com, the UK’s National Health Service suffered one of its most serious cyber incidents. The Russian-speaking Qilin ransomware group broke into Synnovis, a company that handles pathology services for major London hospitals like King’s College and Guy’s & St Thomas’.

This attack crippled blood test services across the capital, delaying vital operations and treatments. According to an **incident update** from the College issued last week, one patient, who needed urgent care, died unexpectedly during this crisis. Investigators confirmed the ransomware attack was a factor. The Qilin gang didn’t care that their demand for money put human lives on the line, they published stolen files online as proof of their crime, using patient safety as leverage.

****Death in Germany****

Four years earlier, a similar incident took place in Germany. **In September 2020**, hackers targeted Düsseldorf University Hospital with ransomware that shut down around 30 servers. Doctors had no choice but to shut the emergency department.

As a result, a critically ill woman who arrived needing urgent surgery had to be sent 32 kilometers (almost 20 miles) away. The delay cost her life. Local prosecutors considered **charging** the attackers with negligent homicide, a rare but deserved move against criminals who turned people’s medical emergencies into their payday.

****Ransomware and Windows Operating System****

These tragedies go on to show that hospitals remain lucrative and soft targets for cybercriminals. Many hospitals **still rely on Windows systems**, which attract ransomware because most malware is built to hit Windows environments.

Protecting these systems is possible but demands serious discipline, up-to-date backups stored safely offline, strong passwords and multi-factor logins, constant patching and smart network setups that keep infections from spreading unchecked. Staff also need training since many ransomware attacks start with a **human factor** and their single careless click on a fake email.

The use of legacy OS in healthcare is a whole new scandal as Kaspersky’s 2021 **report** found 73% of healthcare providers using medical equipment with a legacy OS. A legacy operating system is an old system that its developers no longer actively support or update. It’s usually been replaced by newer versions and doesn’t get the security fixes or patches needed to stay protected, which leaves it more open to attacks.

Some argue that Linux could help because fewer ransomware strains target it, and its security model makes it harder for malware to gain deep control. That’s true to a point, but moving an entire hospital to Linux is next to impossible because critical devices like lab equipment, MRI scanners, and medical record systems run on Windows-only software approved and supported by specific vendors. Hospitals can’t just replace them overnight.

Therefore, unfortunately, it all comes back to a better approach to increasing security on the systems they already use rather than imagining an easy switch that won’t happen anytime soon. Additionally, the Kaspersky report mentioned earlier found that hospitals use legacy operating systems from both Windows and Linux. So what’s the point of using Linux if it’s an outdated version?

****Fancy Alliance is Not Working****

In November 2023, a US-led alliance of 40 countries **announced** plans to target the ransomware ecosystem with new efforts to disrupt ransom payments, dismantle criminal infrastructure, and share intelligence across borders.

Yet by February 2025, ransomware attacks had surged by a **record 126%** as cyber criminals exploited file transfer vulnerabilities, infostealers, and AI-driven tactics to stay ahead.

Remember, these are 2 deaths but imagine an emergency in a city where dozens of people suddenly need urgent hospital care, maybe a major accident or an outbreak that floods the ER with critical patients. Now what if the same hospital is locked out of its own systems because ransomware has crippled lab reports, scans and patient records.

Doctors are forced to guess or work blind. Life-saving operations get delayed. Ambulances are turned away. What happens then? It’s obvious when hospitals get hacked, the damage doesn’t stop at data. It can leave an entire city helpless at the worst possible moment.

****Ransomware Gangs Targeting Healthcare and Hospitals Are Parasites****

What makes this all worse is the people behind these attacks. Ransomware gangs like **Qilin** are not brilliant hackers, they are parasites living off broken systems, careless setups and human mistakes. They hide in safe countries that turn a blind eye to their crimes.

These governments should stop pretending this is a normal petty crime and start treating it as the threat to human life it is. Any country giving shelter to ransomware criminals should hunt them down, seize their profits and put them behind bars for every life their greed destroys.

In the end, hospitals shouldn’t be forced to choose between saving lives and paying off criminals. These two deaths are proof that ransomware is no longer just about data, it’s about whether patients live or die when cyber criminals shut systems down. That should be enough to push every hospital, vendor and government to take this threat as seriously as it deserves.

How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.

****Vulnerable Control Systems Highlighted****

The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

****Broader Threats to Essential Services****

This incident is not isolated as such intrusions into vital infrastructure have occurred in the past. For instance, Hackread.com reported in April 2023, that Israel faced a wave of cyberattacks, with authorities believing they were part of OpIsrael, a campaign by pro-Palestinian hackers.

Among the targets were Israel’s irrigation systems, which saw several water monitors malfunction. The targets included irrigation and wastewater treatment systems in areas like the Hula Valley, the Jordan Valley, and the Galil Sewage Corporation. These cases show how simple vulnerabilities, like easy-to-guess passwords, can be exploited by threat actors.

****Lessons for Critical Infrastructure Protection****

While this particular facility primarily serves a fish farm and is not connected to Norway’s power grid, the incident shows a critical security lesson for essential infrastructure worldwide. It demonstrates how easily basic security failures, especially weak credentials, can compromise vital systems.

It also highlights that remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices. The fact that the attack persisted for four hours undetected also indicates the importance of sufficient monitoring for critical infrastructure like dams. Effective cybersecurity practices, including strong passwords and multi-factor authentication (requiring more than one way to prove identity), are crucial for protecting these essential services.

Norwegian Dam Valve Forced Open for Hours in Cyberattack

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Ahold Delhaize Confirms Data Breach of 2.2M amid INC Ransomware Claims

A patient's death is confirmed linked to the June 2024 ransomware attack by the Qilin ransomware gang on Synnovis, crippling London's NHS. Learn about the disruptions and Impact.

A patient’s death has been officially connected to a cyber attack carried out by the **Qilin ransomware** group that crippled pathology services at several major NHS hospitals in London last year. The cyber attack on Synnovis, a key pathology provider, caused widespread disruption to vital diagnostic services, delaying critical blood test results and impacting patient care significantly.

King’s College Hospital NHS Foundation Trust **confirmed** that a patient unexpectedly died during the cyber-incident. A spokesperson for the trust revealed that a detailed review of the patient’s care found multiple contributing factors, including “a long wait for a blood test result due to the cyber attack impacting pathology services at the time.”

The findings of this safety investigation have been shared with the patient’s family. Synnovis CEO, Mark Dollar, expressed deep sadness, stating, “Our hearts go out to the family involved.”

****Widespread Chaos and Data Theft****

Hackread.com **reported on this incident** on June 4, 2024, highlighting the chaos across London’s healthcare system. The attack occurred on June 3, 2024, targeting Synnovis, which provides diagnostics, testing, and digital pathology in southeast London. This incident brought blood testing across multiple NHS trusts, including King’s College, Guy’s and St Thomas’, and Lewisham and Greenwich hospitals, along with GP practices, to a halt.

The disruption was extensive, affecting more than 10,000 outpatient appointments and leading to the postponement of 1,710 operations at King’s College and Guy’s and St Thomas’ NHS Foundation Trusts.

Additionally, as per Sky News, 1,100 cancer treatments were delayed. Healthcare providers faced challenges with blood transfusions and matching, forcing them to use universal O-type blood, which contributed to a national shortage of O-type supplies, as explained by NHS England.

Nearly 600 patient safety incidents were linked to the attack, with two cases classified as severe, indicating permanent damage or life-threatening delays, according to revised figures from 2025. Synnovis also reported having to discard 20,000 degraded blood samples from 13,500 patients due to the inability to test them.

The **Russian cybercriminal group Qilin** is believed to be responsible. The group also allegedly published almost 400GB of stolen sensitive data online, including patient names, dates of birth, NHS numbers, blood test descriptions, and financial arrangements between hospitals and Synnovis, on its darknet site and Telegram channel.

****A Precedent for Fatal Cyberattacks****

This tragic death draws parallels with a similar incident in Germany on September 18, 2020, **as reported** by Hackread.com. In that case, a ransomware attack on University Hospital Düsseldorf (UKD) caused IT systems to fail. An emergency patient needing urgent treatment had to be rerouted to another hospital 32 kilometers away, leading to her death.

Investigators later found the attackers had mistakenly targeted the university, not the hospital and provided a decryption key when informed of their error. The vulnerability exploited in that attack, **Citrix ADC CVE-2019-19781**, had a patch available a month prior, emphasizing the critical need for timely cybersecurity updates in healthcare as these tragic incidents highlight the severe human cost of cyberattacks on medical facilities.

Qilin Ransomware Attack on NHS Causes Patient Death in the UK

Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like…

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like path bypass to infiltrate systems, steal credentials, and maintain long-term control. Learn how to spot the signs.

Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware, a sophisticated threat that consistently adapts to bypass security measures and maintain a hidden presence on infected computers. This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.

Reportedly, campaigns observed between 2024-2025 show Remcos malware remains highly active, continually adapting to stay hidden, researchers noted in the blog post shared with Hackread.com.

The initial infection typically begins with a deceptive email originating from compromised accounts of small businesses or schools. These are legitimate accounts that have been hacked, making the emails appear trustworthy and less likely to be flagged as suspicious.

Malicious Email (Source: Forcepoint)

These emails carry malicious Windows shortcut (.LNK) files, disguised and hidden inside compressed archive attachments. Once a user falls for the trick and opens the malicious file, Remcos quietly installs itself, creating hidden folders on the victim’s computer.

What makes these folders particularly tricky is that they are “spoofed Windows directories by exploiting path-parsing bypass techniques like prefixing paths with \\\\?.” This technique, which involves using a special NT Object Manager path prefix, allows the malware to mimic legitimate system directories like C:\Windows\SysWOW64, making it incredibly difficult for security tools to spot.

After initial installation, Remcos sets up ways to stay on the system for a long time without being detected. It achieves this by creating scheduled tasks and other stealthy methods, ensuring it can keep a backdoor open for attackers. The malware even tries to weaken Windows’ User Account Control (UAC) by changing a registry setting, allowing it to run with higher privileges without the usual secure prompts.

Remcos attack chain (Source: Forcepoint)

The malicious LNK files themselves contain hidden PowerShell code, which downloads a .dat file containing an executable program in Base64 format – a method of encoding data to make it look like regular text, often used by malware to bypass detection.

This file then decodes into an executable program, typically disguised with a PDF icon but using a .pif extension, an unusual and rarely used shortcut file type. This executable then creates copies of itself, a .URL shortcut file, and four heavily disguised batch files with special symbols and meaningless foreign text, all designed to bypass antivirus detection.

Once fully operational, Remcos gives attackers complete control, enabling them to steal passwords, capture screenshots, copy files, and monitor user activity, including checking internet connection, system language, and country codes to refine their targeting.

Organizations and individuals are urged to be alert, looking out for unusual shortcuts, strange file paths, and changes in folder names, as these can be indicators of a Remcos infection.

Source

HackRead