Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.

Cybercrime is often seen as a threat to privacy or money, but recent years show it can cost lives too. Ransomware, once just a way for criminals to **lock files for cash**, now disrupts hospitals and treatment, turning data extortion into a real danger for patients who need urgent care. When hospitals can’t access vital systems, people can and do die, a harsh reality now witnessed in Europe not once but twice.

****Death in the United Kingdom****

In June 2024, as **reported** by Hackread.com, the UK’s National Health Service suffered one of its most serious cyber incidents. The Russian-speaking Qilin ransomware group broke into Synnovis, a company that handles pathology services for major London hospitals like King’s College and Guy’s & St Thomas’.

This attack crippled blood test services across the capital, delaying vital operations and treatments. According to an **incident update** from the College issued last week, one patient, who needed urgent care, died unexpectedly during this crisis. Investigators confirmed the ransomware attack was a factor. The Qilin gang didn’t care that their demand for money put human lives on the line, they published stolen files online as proof of their crime, using patient safety as leverage.

****Death in Germany****

Four years earlier, a similar incident took place in Germany. **In September 2020**, hackers targeted Düsseldorf University Hospital with ransomware that shut down around 30 servers. Doctors had no choice but to shut the emergency department.

As a result, a critically ill woman who arrived needing urgent surgery had to be sent 32 kilometers (almost 20 miles) away. The delay cost her life. Local prosecutors considered **charging** the attackers with negligent homicide, a rare but deserved move against criminals who turned people’s medical emergencies into their payday.

****Ransomware and Windows Operating System****

These tragedies go on to show that hospitals remain lucrative and soft targets for cybercriminals. Many hospitals **still rely on Windows systems**, which attract ransomware because most malware is built to hit Windows environments.

Protecting these systems is possible but demands serious discipline, up-to-date backups stored safely offline, strong passwords and multi-factor logins, constant patching and smart network setups that keep infections from spreading unchecked. Staff also need training since many ransomware attacks start with a **human factor** and their single careless click on a fake email.

The use of legacy OS in healthcare is a whole new scandal as Kaspersky’s 2021 **report** found 73% of healthcare providers using medical equipment with a legacy OS. A legacy operating system is an old system that its developers no longer actively support or update. It’s usually been replaced by newer versions and doesn’t get the security fixes or patches needed to stay protected, which leaves it more open to attacks.

Some argue that Linux could help because fewer ransomware strains target it, and its security model makes it harder for malware to gain deep control. That’s true to a point, but moving an entire hospital to Linux is next to impossible because critical devices like lab equipment, MRI scanners, and medical record systems run on Windows-only software approved and supported by specific vendors. Hospitals can’t just replace them overnight.

Therefore, unfortunately, it all comes back to a better approach to increasing security on the systems they already use rather than imagining an easy switch that won’t happen anytime soon. Additionally, the Kaspersky report mentioned earlier found that hospitals use legacy operating systems from both Windows and Linux. So what’s the point of using Linux if it’s an outdated version?

****Fancy Alliance is Not Working****

In November 2023, a US-led alliance of 40 countries **announced** plans to target the ransomware ecosystem with new efforts to disrupt ransom payments, dismantle criminal infrastructure, and share intelligence across borders.

Yet by February 2025, ransomware attacks had surged by a **record 126%** as cyber criminals exploited file transfer vulnerabilities, infostealers, and AI-driven tactics to stay ahead.

Remember, these are 2 deaths but imagine an emergency in a city where dozens of people suddenly need urgent hospital care, maybe a major accident or an outbreak that floods the ER with critical patients. Now what if the same hospital is locked out of its own systems because ransomware has crippled lab reports, scans and patient records.

Doctors are forced to guess or work blind. Life-saving operations get delayed. Ambulances are turned away. What happens then? It’s obvious when hospitals get hacked, the damage doesn’t stop at data. It can leave an entire city helpless at the worst possible moment.

****Ransomware Gangs Targeting Healthcare and Hospitals Are Parasites****

What makes this all worse is the people behind these attacks. Ransomware gangs like **Qilin** are not brilliant hackers, they are parasites living off broken systems, careless setups and human mistakes. They hide in safe countries that turn a blind eye to their crimes.

These governments should stop pretending this is a normal petty crime and start treating it as the threat to human life it is. Any country giving shelter to ransomware criminals should hunt them down, seize their profits and put them behind bars for every life their greed destroys.

In the end, hospitals shouldn’t be forced to choose between saving lives and paying off criminals. These two deaths are proof that ransomware is no longer just about data, it’s about whether patients live or die when cyber criminals shut systems down. That should be enough to push every hospital, vendor and government to take this threat as seriously as it deserves.

How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.

****Vulnerable Control Systems Highlighted****

The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

****Broader Threats to Essential Services****

This incident is not isolated as such intrusions into vital infrastructure have occurred in the past. For instance, Hackread.com reported in April 2023, that Israel faced a wave of cyberattacks, with authorities believing they were part of OpIsrael, a campaign by pro-Palestinian hackers.

Among the targets were Israel’s irrigation systems, which saw several water monitors malfunction. The targets included irrigation and wastewater treatment systems in areas like the Hula Valley, the Jordan Valley, and the Galil Sewage Corporation. These cases show how simple vulnerabilities, like easy-to-guess passwords, can be exploited by threat actors.

****Lessons for Critical Infrastructure Protection****

While this particular facility primarily serves a fish farm and is not connected to Norway’s power grid, the incident shows a critical security lesson for essential infrastructure worldwide. It demonstrates how easily basic security failures, especially weak credentials, can compromise vital systems.

It also highlights that remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices. The fact that the attack persisted for four hours undetected also indicates the importance of sufficient monitoring for critical infrastructure like dams. Effective cybersecurity practices, including strong passwords and multi-factor authentication (requiring more than one way to prove identity), are crucial for protecting these essential services.

Norwegian Dam Valve Forced Open for Hours in Cyberattack

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Ahold Delhaize Confirms Data Breach of 2.2M amid INC Ransomware Claims

A patient's death is confirmed linked to the June 2024 ransomware attack by the Qilin ransomware gang on Synnovis, crippling London's NHS. Learn about the disruptions and Impact.

A patient’s death has been officially connected to a cyber attack carried out by the **Qilin ransomware** group that crippled pathology services at several major NHS hospitals in London last year. The cyber attack on Synnovis, a key pathology provider, caused widespread disruption to vital diagnostic services, delaying critical blood test results and impacting patient care significantly.

King’s College Hospital NHS Foundation Trust **confirmed** that a patient unexpectedly died during the cyber-incident. A spokesperson for the trust revealed that a detailed review of the patient’s care found multiple contributing factors, including “a long wait for a blood test result due to the cyber attack impacting pathology services at the time.”

The findings of this safety investigation have been shared with the patient’s family. Synnovis CEO, Mark Dollar, expressed deep sadness, stating, “Our hearts go out to the family involved.”

****Widespread Chaos and Data Theft****

Hackread.com **reported on this incident** on June 4, 2024, highlighting the chaos across London’s healthcare system. The attack occurred on June 3, 2024, targeting Synnovis, which provides diagnostics, testing, and digital pathology in southeast London. This incident brought blood testing across multiple NHS trusts, including King’s College, Guy’s and St Thomas’, and Lewisham and Greenwich hospitals, along with GP practices, to a halt.

The disruption was extensive, affecting more than 10,000 outpatient appointments and leading to the postponement of 1,710 operations at King’s College and Guy’s and St Thomas’ NHS Foundation Trusts.

Additionally, as per Sky News, 1,100 cancer treatments were delayed. Healthcare providers faced challenges with blood transfusions and matching, forcing them to use universal O-type blood, which contributed to a national shortage of O-type supplies, as explained by NHS England.

Nearly 600 patient safety incidents were linked to the attack, with two cases classified as severe, indicating permanent damage or life-threatening delays, according to revised figures from 2025. Synnovis also reported having to discard 20,000 degraded blood samples from 13,500 patients due to the inability to test them.

The **Russian cybercriminal group Qilin** is believed to be responsible. The group also allegedly published almost 400GB of stolen sensitive data online, including patient names, dates of birth, NHS numbers, blood test descriptions, and financial arrangements between hospitals and Synnovis, on its darknet site and Telegram channel.

****A Precedent for Fatal Cyberattacks****

This tragic death draws parallels with a similar incident in Germany on September 18, 2020, **as reported** by Hackread.com. In that case, a ransomware attack on University Hospital Düsseldorf (UKD) caused IT systems to fail. An emergency patient needing urgent treatment had to be rerouted to another hospital 32 kilometers away, leading to her death.

Investigators later found the attackers had mistakenly targeted the university, not the hospital and provided a decryption key when informed of their error. The vulnerability exploited in that attack, **Citrix ADC CVE-2019-19781**, had a patch available a month prior, emphasizing the critical need for timely cybersecurity updates in healthcare as these tragic incidents highlight the severe human cost of cyberattacks on medical facilities.

Qilin Ransomware Attack on NHS Causes Patient Death in the UK

Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like…

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like path bypass to infiltrate systems, steal credentials, and maintain long-term control. Learn how to spot the signs.

Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware, a sophisticated threat that consistently adapts to bypass security measures and maintain a hidden presence on infected computers. This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.

Reportedly, campaigns observed between 2024-2025 show Remcos malware remains highly active, continually adapting to stay hidden, researchers noted in the blog post shared with Hackread.com.

The initial infection typically begins with a deceptive email originating from compromised accounts of small businesses or schools. These are legitimate accounts that have been hacked, making the emails appear trustworthy and less likely to be flagged as suspicious.

Malicious Email (Source: Forcepoint)

These emails carry malicious Windows shortcut (.LNK) files, disguised and hidden inside compressed archive attachments. Once a user falls for the trick and opens the malicious file, Remcos quietly installs itself, creating hidden folders on the victim’s computer.

What makes these folders particularly tricky is that they are “spoofed Windows directories by exploiting path-parsing bypass techniques like prefixing paths with \\\\?.” This technique, which involves using a special NT Object Manager path prefix, allows the malware to mimic legitimate system directories like C:\Windows\SysWOW64, making it incredibly difficult for security tools to spot.

After initial installation, Remcos sets up ways to stay on the system for a long time without being detected. It achieves this by creating scheduled tasks and other stealthy methods, ensuring it can keep a backdoor open for attackers. The malware even tries to weaken Windows’ User Account Control (UAC) by changing a registry setting, allowing it to run with higher privileges without the usual secure prompts.

Remcos attack chain (Source: Forcepoint)

The malicious LNK files themselves contain hidden PowerShell code, which downloads a .dat file containing an executable program in Base64 format – a method of encoding data to make it look like regular text, often used by malware to bypass detection.

This file then decodes into an executable program, typically disguised with a PDF icon but using a .pif extension, an unusual and rarely used shortcut file type. This executable then creates copies of itself, a .URL shortcut file, and four heavily disguised batch files with special symbols and meaningless foreign text, all designed to bypass antivirus detection.

Once fully operational, Remcos gives attackers complete control, enabling them to steal passwords, capture screenshots, copy files, and monitor user activity, including checking internet connection, system language, and country codes to refine their targeting.

Organizations and individuals are urged to be alert, looking out for unusual shortcuts, strange file paths, and changes in folder names, as these can be indicators of a Remcos infection.

New Stealthy Remcos Malware Campaigns Target Businesses and Schools

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

A recent report by the Washington, D.C.-based Tech Transparency Project (TTP) reveals that numerous free Virtual Private Network (VPN) apps, despite earlier warnings, continue to be available on both Apple’s App Store and Google’s Play Store, posing major privacy and national security risks.

According to the organisation’s claims, these apps, many with hidden ties to Chinese companies, could be exposing sensitive user data to the Chinese government. For your information, VPNs are tools designed to create a secure, encrypted connection over the internet, masking a user’s identity and online activity.

However, some users express concern about VPN services owned by Chinese companies due to privacy and data security considerations. Under Chinese national security laws (PDF), companies can be compelled to hand over user data to the government. This is particularly concerning because VPNs have access to a user’s entire web activity, making the data highly sensitive.

TTP’s initial report from April 1, 2025, revealed that over 20 of the top 100 free VPNs on the US Apple App Store in 2024 were linked to Chinese ownership. Many of these apps intentionally concealed their origins through shell companies.

It is worth noting that several apps were connected to Qihoo 360, a Chinese cybersecurity firm that the US has sanctioned due to its alleged links with China’s People’s Liberation Army.

One notable instance involves Autumn Breeze Pte. Ltd., listed as Snap VPN developer on Google Play Store. It asserts “no affiliation with Qihoo 360,” emphasizing a strict “no-log policy.” However, TTP’s research reveals Qihoo 360 acquired Autumn Breeze Pte. Ltd in 2020, and sold it to undisclosed parties after US sanctions. Corporate records for Autumn Breeze continue to list a Chinese director, whose name matches a Chinese national who’d led Qihoo 360’s mobile security unit.

Despite some apps, like Thunder VPN and Snap VPN, being removed from Apple’s App Store after media inquiries, TTP’s follow-up check in early May 2025 confirmed that many Chinese-owned VPNs remain available.

For instance, Turbo VPN and VPN Proxy Master, both linked to Qihoo 360, continue to be offered on Apple’s platform. The Google Play Store also hosts several Qihoo 360-connected apps, including Snap VPN and Signal Secure VPN, alongside other Chinese-owned VPNs like X-VPN and VPNify.

The report further suggests that Apple and Google may be financially benefiting from these potentially risky applications. Many of these free VPNs offer in-app purchases or display advertisements, from which both tech giants take a percentage of revenue (Apple typically charges 30% or 15%, while Google charges 15% up to $1 million in sales and 30% thereafter).

This suggests a financial incentive for the platforms to continue hosting these apps, despite the privacy implications for American users, researchers noted in their blog post shared with Hackread.com.

Screenshot via TTP

Neither Apple nor Google have responded to TTP’s requests for comment on these findings or their policies regarding data sharing by VPNs. Users are advised to exercise caution and thoroughly research the ownership and privacy policies of any VPN service they intend to use.

_“_Let’s think about how TikTok’s story unfolded: massive reach, secret ownership, and extensive data collection, which may have left U.S. soil but these VPN apps are even more concerning as they don’t just track your preferences; they monitor everything you do online,_“_ said Chad Cragle, Chief Information Security Officer at Deepwatch.

_“_When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google? They often allow nearly any app on their store,_“_ claimed Chad.

_“_It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you’re letting other parties control the playbook. If they don’t properly scrutinize these apps, they’re not just passively allowing it, they’re helping to create the problem. And let’s be honest, this isn’t just about privacy; it’s about national security, too,_“_ he emphasised.

Researchers Warn Free VPNs Could Leak US Data to China

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Authorities in the United States have charged a British national, Kai Logan West, widely known online as “**IntelBroker**“, with a series of high-profile data breaches that collectively caused at least $25 million in damages to companies worldwide. The 23-year-old was arrested in France in February 2025 and now faces extradition to the United States to stand trial in the Southern District of New York.

As **reported** by Hackread.com, IntelBroker’s arrest was followed by several others, including four individuals linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were **involved** in administering and moderating the cybercrime and data breach forum BreachForums.

The **unsealed complaint** (PDF), dated February 2025, lays bare the FBI’s two-year investigation into West’s cybercrime operations, connecting him to dozens of data breaches, sales of stolen data, and the leadership of a hacking collective operating on clear and dark web forums.

****Who Is IntelBroker?****

Using aliases like “IntelBroker” and “Kyle Northern”, West built a reputation on a clear and dark web forum known in the indictment as “Forum‑1” ( BreachForums). Operating under the banner of a hacking crew called CyberN (formerly “The Boys”), IntelBroker offered hacked databases from government agencies, healthcare providers, telecommunications firms, and internet service providers.

Between 2023 and early 2025, West authored at least 158 threads offering stolen data on Forum‑1, with 41 of them involving US companies. The FBI notes that at least $2 million worth of **Monero cryptocurrency** was solicited for the stolen information.

In 2024, IntelBroker was listed as the “owner” of Forum‑1, and his fame skyrocketed as he gave away some data leaks for free to boost credibility, gather a following, and attract buyers.

****How the FBI Tracked Down IntelBroker****

What West didn’t know was that FBI agents were watching closely. The bureau deployed undercover officers posing as buyers on Forum‑1. On at least two occasions, agents purchased stolen data directly from IntelBroker.

In January 2023, one agent bought an API key and login credentials for a company dubbed “Victim‑7.” Although the credentials were limited in value, the transaction became a key element in tracking his identity when IntelBroker asked for payment in Bitcoin (instead of Monero) and provided a wallet address that could be traced on the blockchain.

FBI blockchain analysts followed the money and found that:

*   The Bitcoin wallet used for the transaction had been seeded from another wallet linked to an account on a financial platform called Ramp.
*   That Ramp account was registered using a UK provisional driving license issued to Kai Logan West.
*   The same identity, Kai West, also owned a Coinbase account under the alias Kyle Northern, but with KYC verification; confirming it was the same individual.

Provisional driving licence of Kai West (Image via US Justice Department complaint)

Further connecting the dots, both accounts were linked to a Gmail address used by West for personal matters, including:

*   Cloud-stored selfies
*   Receipts and ID documents
*   UK University Housing and Tuition communications
*   Videos showcasing networking tools like “GPRS Smash”

The email also included a student certificate showing West was enrolled in a Cyber Security program.

****Online Footprints and Forum Activity****

West didn’t just transact carelessly, he also exposed himself by linking his online activity to personal behaviour. His IntelBroker posts on Forum‑1 often referenced YouTube videos that he had just viewed from his personal email account, and he regularly updated his signature block to list members of his hacking group, which made it easier to trace his involvement across multiple threads.

When Forum‑1 was **seized and shut down in 2024** and relaunched, all old posts inherited the updated signature, creating a consistent trail of West’s activity and affiliations dating back to early 2023.

One of the YouTube videos posted by IntelBroker on BreachForums (Image via US Justice Department complaint)

****The Victim List: Telecoms, Healthcare, ISPs****

The indictment outlines at least six victims, referred to only as Victim‑1 through Victim‑6. Victim‑1, a telecom provider, had data exfiltrated and deleted from a hosting server in Manhattan, resulting in damage estimated in the hundreds of thousands.

Victim‑3, a municipal healthcare provider, had the personal and health data of over 56,000 individuals stolen, which West later sold to an undercover FBI agent for $1,000 in Monero. Victim‑6, an internet service provider, was compromised using information from previous leaks to breach an internal server.

In each case, West publicly offered proof samples, negotiated sales via private messages, and accepted only Monero to maintain anonymity, though the paper trail caught up.

However, since Hackread.com exclusively reported on IntelBroker’s data breaches, here is a comprehensive list of data breaches and leaks claimed by the hacker:

Here is the list sorted from shortest to longest by character count:

1.  **AMD**
2.  **Apple**
3.  **Cisco**
4.  **Nokia**
5.  **US DoD**
6.  **Europol**
7.  **T-Mobile**
8.  **Robert Half**
9.  **Space Eyes**
10.  **Home Depot**
11.  **Tech in Asia**
12.  **General Electric**
13.  **LA Intl. Airport**
14.  **HSBC & Barclays Bank**
15.  **Facebook Marketplace**
16.  **Weee! Grocery Service**
17.  **UAE’s Lulu Hypermarket**
18.  **US Federal Contractor Acuity**
19.  **Hewlett Packard Enterprise (HPE)**
20.  **MIT Technology Review Magazine**
21.  **An unnamed but “Top” Cybersecurity Firm**

****Criminal Charges****

West has been charged with four federal offences:

1.  Wire fraud
2.  Conspiracy to commit wire fraud
3.  Conspiracy to commit computer intrusions
4.  Accessing a protected computer to defraud and obtain value

Each carries the potential for several years in prison, particularly when involving health data or affecting critical infrastructure.

The FBI’s Special Agent Carson Hughes and US Attorney Jay Clayton emphasized the global reach and danger of IntelBroker’s operations. The FBI called the case “a warning” to cybercriminals who believe online anonymity shields them from consequences.

****Did IntelBroker Work for the UK’s National Crime Agency?****

Kai West presented himself professionally as a cybersecurity researcher and operated under two separate identities on LinkedIn, one as Kyle Northern and the other as K West. This was first flagged by **Nathaniel Fried**, Co-founder and CEO at 0xbowio, who shared details of West’s dual profiles with Hackread.com.

Notably, the Kyle Northern profile claimed he worked as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) from September to October 2019. If accurate, this role could have involved access to classified systems, as the NCA deals with serious organized crime and national security. While the NCA affiliation remains unverified, West’s claimed background in cybersecurity and his academic path suggest the possibility shouldn’t be dismissed outright.

Kai Logan West on LinkedIn (Screenshot credit: Hackread.com)

West remains in French custody, and US officials are actively **seeking** extradition. If convicted, he could face decades behind bars. Meanwhile, Forum‑1 has been offline since April 2025, **reportedly** due to a MyBB zero-day vulnerability. Many of its members have since migrated to other platforms, including DarkForums and the Russian-language cybercrime forum XSS.

The exposure of IntelBroker stands out as a major cybercrime takedown. What made it possible was a mix of undercover FBI work, cryptocurrency tracking, and even old-school email evidence, all of which helped track one of the most well-known figures on cybercrime forums.

How an Email, Crypto Wallet and YouTube Activity Led the FBI to IntelBroker

ZURICH, Switzerland – Zurich-based automation platform Flowable has been recognized as a Representative Vendor in the Gartner newly released…

**ZURICH, Switzerland** – Zurich-based automation platform Flowable has been recognized as a Representative Vendor in the Gartner newly released Market Guide for Business Process Automation (BPA), which we feel reinforces its role in delivering AI-enhanced, standards-driven workflow solutions for complex enterprise environments.

As enterprise environments become increasingly dynamic, automation platforms must support varied use cases across departments and systems. Modern BPA solutions now integrate intelligent agents, rule engines, and human-led decisions to improve speed, consistency, and adaptability. Our key takeaway from this report is that it recommends evaluating platforms that integrate these inputs into a single system governed for visibility and accountability.

We feel that Flowable meets this guidance by offering an open framework that supports regulatory needs while enabling fast, process-driven outcomes.

****Flowable’s Role in Intelligent Automation****

In our view, Flowable’s inclusion in the Market Guide acknowledges its unified platform’s ability to coordinate AI models, people, and business logic through a low-code, open-standards framework.

This approach directly supports enterprise teams managing high-stakes processes like claims handling, customer onboarding, and risk management.

The platform allows users to manage both predictable tasks and unstructured work in the same environment. Insurance claims, loan origination, and service escalations, for instance, can all be addressed without jumping between tools or sacrificing oversight.

****Championing Agentic AI for Adaptive Business Processes****

Flowable is a front-runner in “agentic” automation, a method of embedding AI agents, systems, and people into a single operational layer. Businesses today require platforms that connect diverse endpoints, AI models, RPA bots, and human input, into coordinated, auditable flows.

Flowable’s approach is grounded in dynamic case management, allowing organizations to manage both routine operations and irregular scenarios in the same interface, driving operational clarity and flexibility.

****Focused Governance and Built-in Transparency****

Flowable integrates oversight directly into process design. Its system includes model tracking, rule enforcement, version control, and auditing features that are vital for industries like banking and healthcare.

Every decision can be traced and evaluated, allowing organizations to meet stringent internal standards and regulatory demands without slowing down operations. This is in direct response to industry demand for transparent, governed automation, where oversight cannot be compromised.

****Integration Without Vendor Lock-in****

By supporting global automation standards of BPMN, CMMN, and DMN, Flowable aligns with open enterprise connectivity and avoids proprietary constraints. Its architecture is designed to connect with existing infrastructure, allowing organizations to expand automation without overhauling what already works. This approach ensures that companies can scale automation projects while maintaining flexibility in technology decisions.

****Delivering Business Value to Key Decision Makers****

Choosing the right enterprise automation platform impacts every area of an organization. Flowable reflects practical benefits for operations, transformation, risk, and finance leaders across large enterprises.

*   **Operational Efficiency**: Flowable automates entire departmental processes, reducing manual hand-offs and errors. Operations leaders gain a unified view of workflows, improve productivity, and enable teams to focus on high-value work while the platform manages routine and exception-driven tasks.
*   **Agility and Continuous Improvement**: Transformation directors and CXOs benefit from the platform’s flexibility. New AI tools or policy changes can be incorporated quickly, allowing rapid response to evolving business needs without extensive retraining or redevelopment.
*   **Governance and Compliance**: Every automated decision is fully traceable, auditable, and governed, meeting the rising need for “new forms of management and governance” recently identified by Forrester. Audit trails, policy enforcement, and approval checkpoints are embedded into workflows to meet internal and regulatory standards.
*   **Customer Experience and Financial ROI**: Coordinated automation helps deliver better outcomes at lower operating costs. Tasks like customer onboarding, account updates, and claims can be resolved faster through consistent, AI-personalized processes that operate 24/7 across omnichannel touchpoints.

Flowable empowers enterprises to move faster, operate smarter, and maintain governance at scale. Its enterprise automation platform focuses its design on transparency, adaptability, and real-world value.

****Gartner disclaimers****

Gartner, Market Guide for Business Process Automation Tools, 20 May 2025, Tushar Srivastava, et. Al. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.

Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

****About:****

Flowable is a global provider of enterprise automation software, headquartered in Zurich, Switzerland. Since 2010, it has helped organizations coordinate business automation, people, and processes through a unified platform built on open standards. It serves leading enterprises across sectors where adaptability and accountability are essential. 

****Media Contact****

Violet Diamanti-Race  
Senior Product Marketing Manager  
\[email protected\]  
+41 31 329 09 00  
Website: flowable.com

Source

HackRead