WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.

Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.

According to Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Such as, it allows attackers to control an infected website, hide from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that sends information back to a C&C server, spreads into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.

Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter for immediate admin access by providing a password. It also uses the REST API for remote code execution via a POST request to execute_admin_command, enabling cache clearing or injecting PHP code into theme headers. The hide\_plugin\_from\_list function conceals it from the admin dashboard.

The malware often comes with a modified wp-cron.php file that can reactivate the plugin if removed, meaning even if the plugin file is deleted, the malicious code in wp-cron.php can reinstall it upon the next site visit, ensuring persistence.

An updated version reports to a C&C server (45.61.136.85) and differently handles code injection by fetching from a foreign ads.php file and injecting JavaScript into the header. It also stores ad server URLs, anticipating future use.

Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.

According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst after which a specific malware signature (a unique identifier for the malicious code) was released.

Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.

This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.

Sneaky WordPress Malware Disguised as Anti-Malware Plugin

Retailer Acts Swiftly to Limit Threat as UK Retail Sector Faces Growing Digital Risks

The Co-operative Group has confirmed it shut down parts of its IT network after detecting an attempted cyberattack, in what is the latest incident to affect a major UK retailer. The move was described as precautionary and aimed at containing the threat before any systems could be compromised.

Although the shutdown affected internal functions such as virtual desktops, stock systems, and contact centre operations, Co-op reassured the public that all food stores, home delivery services, and funeral operations are running as normal.

“There is no evidence that customer data has been accessed,” the company said in a statement. “We took swift action to protect our systems and continue to monitor the situation closely.”

This incident follows a more disruptive attack on M&S (Marks & Spencer) earlier this month, which impacted contactless payments, and online orders, and led to temporary stock shortages. That breach was linked to the cybercriminal group known as Scattered Spider, which has previously targeted large organisations across the US and UK.

At this time, there is no confirmed connection between the two incidents, but cybersecurity analysts say the timing raises questions about coordinated threats aimed at UK retail.

Scattered Spider, also known for targeting MGM Resorts in 2023 and its social engineering tactics and use of legitimate IT tools for malicious purposes has gained notoriety for bypassing traditional security measures by targeting employees directly. Their suspected involvement in the M&S breach has prompted heightened alertness across the sector.

Co-op has brought in external cybersecurity experts and is working with law enforcement as part of an ongoing investigation. While the company has not provided a timeline for full system restoration, it emphasised that day-to-day operations will continue uninterrupted for customers.

Scott Dawson, CEO of payment processor DECTA, commented on the Co-op cyberattack, warning that “retailers can no longer afford to treat resilience as optional.” He pointed to recent breaches, including at Marks & Spencer, as evidence that outdated systems and fragmented security can’t withstand modern threats.

Dawson stressed the need for standardized resilience metrics and proactive, built-in recovery strategies, saying that without them, businesses risk system-wide breakdowns and lasting damage to customer trust.

The attack adds to growing concern over cybersecurity in retail, a sector increasingly targeted due to its reliance on digital infrastructure and high volumes of sensitive customer information.

Retailers are now facing increased pressure to balance seamless digital experiences with robust security controls. Co-op’s quick response may have prevented a more damaging breach, but it also reflects the rising frequency and sophistication of attacks facing businesses of all sizes.

UK Retail Giant Co-op Shuts Down IT Systems After Cyberattack Attempt

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.…

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.

Google’s Threat Intelligence Group (GTIG) has released its findings for 2024, revealing a slight decrease in the exploitation of zero-day vulnerabilities compared to the previous year, with 75 instances tracked. However, GTIG emphasizes that this decrease is likely a temporary fluctuation within an overall upward trend of zero-day exploitation.

The M-Trends 2025 report, based on extensive incident investigations in 2024, highlights that while exploits remain the most common initial access point for attackers, the use of stolen credentials is on the rise, with the financial sector being the primary target. The report further details that the most common initial infection vector in observed attacks was via exploits (33%), followed by stolen credentials (16%), and email phishing (14%). Here’s a detailed breakdown:

(Source: Google)

Notably, there was a continued rise in attacks targeting enterprise-specific technologies, accounting for 44% of all zero-days exploited, primarily focusing on security and networking products. Cyber espionage actors, including government-backed groups and commercial surveillance vendors, remained the leading culprits behind attributed zero-day exploits, making up over half of the total. For the first time, North Korean actors were credited with exploiting the same number of zero-days as groups linked to China.

Simultaneously, Google Cloud Security is focusing on empowering security teams against such threats, especially with the integration of Artificial Intelligence. To combat these threats, Google has launched Google Unified Security, a platform that converges threat intelligence from Mandiant with security operations, cloud security, and secure enterprise browsing, all enhanced by Gemini AI, and aimed at enabling proactive security measures.

Source (Google)

Specifically, Google Security Operations now offers “Curated Detections” and “Applied Threat Intelligence Rule Packs” based on M-Trends 2025 findings to help detect malicious activities like infostealer malware and cloud compromise.

Google is also focusing on the development of “agentic AI” in security operations, utilizing intelligent AI agents to automate routine tasks like alert triage, investigation, response, threat research, and detection engineering. These agents are designed to learn and act autonomously, allowing security teams to focus on more complex threats. Google has introduced AI-powered features like an alert triage agent and a malware analysis agent, with plans for further development in their “SecOps Labs.”

Furthermore, the tech giant is aiming for an “agentic SOC” where AI enhances and automates security workflows. The tech giant is also promoting open standards like the Agent2Agent protocol and open-sourcing their Model Context Protocol (MCP) servers for interoperability between different security tools and vendors.

Casey Charrier, Senior Analyst at Google Threat Intelligence Group, told Hackread.com that while zero-day exploitation is growing steadily, efforts by major vendors are reducing attacks on historically targeted products. However, threat actors are now shifting focus to enterprise tools, highlighting the need for broader vendor action.

Google Introduces Agentic AI to Combat Cybersecurity Threats

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.

Citizen Lab reveals a targeted spear phishing campaign aimed at Uyghur activists, deploying surveillance malware disguised as a legitimate Uyghur language tool. Learn about the attack methods and suspected Chinese government involvement.

In March 2025, several leading figures within the World Uyghur Congress (WUC), an international organization based in Munich that advocates for the rights of the Uyghur people, became the targets of a carefully orchestrated cyber espionage attempt.

Researchers at the University of Toronto’s Citizen Lab report that these individuals received warnings from Google, indicating that their online accounts were under attack, allegedly, by state-sponsored actors. 

Google Alerts Sent to WUC (Source: The Citizen Lab)

The method used in this campaign was spear phishing, which is a targeted form of attack where emails are crafted to appear legitimate and trustworthy to specific individuals. In this case, the malicious emails impersonated a known contact from a partner organization of the WUC.

Phishing Email (Source: The Citizen Lab)

These emails contained links to Google Drive, which, if clicked, would lead to the download of a password-protected archive file. This archive held a compromised version of UyghurEditPP, a genuine open-source word processing and spell-check tool specifically designed for the Uyghur language.

The recipients had no idea that this seemingly harmless application was Trojanized, meaning it contained a hidden backdoor. Once the infected UyghurEditPP was executed on a victim’s computer, this backdoor would silently gather system information, including the machine name, username, IP address, operating system version, and a unique hash derived from the hardware. This data was then transmitted to a remote command-and-control (C2) server.

The server’s operators could then send instructions back to the infected device, enabling them to perform various malicious actions such as downloading files from the target, uploading additional malicious files (including further malware), and executing commands through uploaded plugins. 

The Citizen Lab’s analysis of the campaign’s infrastructure reveals two distinct command-and-control clusters. The first, likely active between June 2024 and February 2025, used domain names mimicking the UyghurEditPP tool’s developer (gheyretcom, gheyretnet, and uheyretcom).

The second, targeting the WUC between December 2024 and March 2025, used subdomains registered through Dynu Services, incorporating Uyghur words but not directly referencing the tool or its developer.

Both clusters shared the same Microsoft certificate and used IP addresses belonging to Choopa LLC, a hosting provider used by various cyber threat actors. This dual infrastructure either indicates attackers’ shifting tactics or targeting of different segments within the Uyghur community.

Furthermore, researchers highlighted the high level of social engineering in the delivery method of the surveillance malware, which itself was not as technologically advanced. The attackers demonstrated a deep understanding of the Uyghur community, leveraging the trust of the original developer of UyghurEditPP, known to members of the WUC.

This suggests a highly customized and targeted operation, possibly beginning in May 2024. The campaign likely involved (PDF) ties to the Chinese government, aligning with their known efforts to conduct transnational repression against the Uyghur community.

China Hackers Used Trojanized UyghurEditPP App to Target Uyghur Activists

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe…

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations.

The recent cyber-attack that significantly disrupted operations at the British retailer Marks & Spencer (M&S) has now been linked to a notorious hacking collective known as Scattered Spider, the same group implicated in the high-profile 2023 attack on MGM Resorts.

As per Hackread.com’s initial report on April 23, 2025, the attack resulted in the shutdown of contactless payment systems, the Click and Collect order service, and delays in online deliveries, causing customer frustrations over the inability to use these crucial services. The report also noted that M&S had paused online orders and that cyber security experts believed the symptoms were consistent with a ransomware attack, where data is encrypted, and a ransom is demanded for its release.

The latest updates reveal astonishing details. Reportedly, hackers’ initial access to M&S’s systems may have occurred much earlier, in February, when they, allegedly, stole the NTDS.dit file from the Windows domain. This file is a crucial database containing all the user accounts and passwords for a Windows network managed by Active Directory Services. Obtaining and cracking this file would have provided the attackers with a list of plain-text passwords, enabling them to move laterally across the M&S network and gain control over more systems.

Following this initial access, investigation reveals that the attackers deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts, with the main attack being launched on April 24th. Investigators have now pointed towards Scattered Spider as the responsible group.

The incident has had a significant impact, extending beyond crippling online services. The company has admitted to “pockets of limited availability” in its physical stores, with customers reporting empty shelves nationwide, suggesting disruptions to the supply chain. Moreover, online purchases have been paused, and gift card transactions are still affected.

The financial impact is significant, with around £650 million reportedly wiped off M&S’s stock market valuation and estimated daily losses from the online sales suspension could be around £3.5 million.

The retailer has been tight-lipped about the specifics of the cyber-attack and the timeline for full recovery, stating that taking systems offline was a proactive measure leading to the current shortages and is working to restore normalcy. However, in-store staff anticipate disruptions could last another week.

As per Hackread.com’s assessment of Scattered Spider, it is a unique hacking group that doesn’t operate as a cohesive unit but as a collection of individuals who vary with each attack, making them hard to track. They are known for using advanced social engineering and BlackCat ransomware.

Many members are believed to be native English speakers from Western Europe and the USA. Although some members were arrested in the USA and UK, Scattered Spider remains active and dangerous, as shown by their alleged involvement in the M&S cyber-attack, highlighting their continued ability to disrupt major organizations.

Scattered Spider Suspected in Major M&S Cyberattack

San Francisco, United States, 29th April 2025, CyberNewsWire

**San Francisco, United States, April 29th, 2025, CyberNewsWire**

**By fusing agentic AI and contextual threat intelligence, SecAI transforms investigation from a bottleneck into a force multiplier.**

SecAI, an AI-enriched threat intelligence company, made its official debut today at RSA Conference 2025 in San Francisco, marking the company’s first public appearance on the global cybersecurity stage. At the event, the SecAI team is showcasing the latest version of its platform to security professionals from around the world.

The updated **SecAI Investigator** platform is purpose-built to solve one of cybersecurity’s most stubborn challenges: efficient threat investigation. It tackles this by combining two key innovations. First, it delivers curated, high-fidelity threat intelligence, which includes clear verdicts, multi-dimensional labels, and rich context like historical attack behavior through a unified interface. Second, it’s designed from the ground up with an AI-native architecture. The platform leverages advanced AI techniques not only for natural language interaction, but for deep information integration, contextual security reasoning, and suggest remediation options. 

SecAI Booth At RSA Conference 2025, N-6570

> “We believe the future of cybersecurity lies in intelligent systems that can think and adapt like seasoned analysts,” said **Chase Lee, Managing Director at SecAI**. “Threat investigation has remained one of the most human-intensive parts of the SOC, but it doesn’t have to be. By combining deep threat intelligence with agentic AI, we’re not just accelerating investigations—we’re reshaping what’s possible in cyber defense. This is about giving security teams superhuman capabilities to meet the scale and speed of modern threats.”

In the security operations lifecycle—typically divided into detection, investigation, and response—automation has advanced detection and response dramatically over the past decade. But investigation remains a critical bottlenecks, often consuming over 70% of analysts’ time. SecAI believes that effective investigation depends on two essential capabilities: accurately gathering and organizing relevant information, and making sound, timely judgments. The main blockers today are:

*   A lack of timely, comprehensive threat intelligence
*   Ineffective methods for connecting data points to practical workflows

SecAI Investigator addresses both. By streamlining the investigation process, the platform enables analysts to rapidly evaluate the nature and relevance of IPs, domains, and threat actors, dive deep into logs and alerts, and make faster, more confident decisions.

Looking ahead, SecAI plans to roll out API and threat intelligence feed integrations, allowing customers to embed SecAI’s contextual threat intelligence directly into their existing systems and workflows. This will enable real-time enrichment, faster responses, and more scalable intelligence-driven operations across teams.

Users can visit SecAI Investigator to explore the platform or connect with the SecAI team at RSA Conference 2025 at Booth 6570 for live demos and early access.

**About SecAI**

SecAI is an AI-native cybersecurity company specializing in threat detection, investigation, and response. By deeply analyzing adversary tactics, techniques, and procedures (TTPs) and fusing advanced generative AI with rich, contextual threat intelligence, SecAI delivers smarter, faster, and more effective solutions for modern security teams. The team’s mission is to transform cybersecurity operations by empowering analysts with intelligent systems that scale expertise and accelerate decision-making.

**Contact**

**PR Manager**  
**Nicholas Tan**  
**SecAI**  
**\[email protected\]**

SecAI Debuts at RSA 2025, Redefining Threat Investigation with AI

Postal codes now play a key role in cybersecurity, fraud prevention, and digital identity verification, raising new concerns…

Postal codes now play a key role in cybersecurity, fraud prevention, and digital identity verification, raising new concerns over privacy and data security.

When you think about cybersecurity threats, postal codes probably aren’t the first thing that comes to mind. Yet behind the scenes, postal code data plays a quiet but critical role in everything from fraud detection to digital identity verification and the security of these datasets is becoming increasingly important in a world where everything is interconnected and impacting each other more than ever.

Postal codes (or ZIP codes, postcodes, or international postal codes) aren’t just a convenience for mail delivery anymore. They’re embedded into e-commerce systems, identity verification checks, logistics operations, and even financial fraud detection algorithms. Every time you enter your address for a delivery, bank transaction, or online order, your postal code is being used to verify your identity, calculate risk, and protect businesses from fraudulent activities.

As defined by the GDPR, postal codes may constitute personal data when they allow for the identification of an individual, either alone or when combined with other datasets. (Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person.)

****Postal Codes and Fraud Detection****

Payment processors and banks routinely use postal code matching as a security measure. For example, Address Verification Services (AVS) in credit card processing match the billing address and ZIP/postal code entered by a customer against what’s on file with the issuing bank. A mismatch can flag a transaction as high risk.

In e-commerce, fraud prevention systems analyze patterns of postal code usage to detect suspicious behaviour. Unusual combinations of IP addresses, postal codes, and shipping addresses can indicate synthetic identities or organized fraud attempts. Having access to complete and accurate postal code data becomes crucial for companies trying to catch subtle inconsistencies and block bad actors.

According to data specialists at GeoPostcodes, detailed postal databases can strengthen fraud detection by supporting precise location validation and enabling early warnings of anomalous activity.

****Postal Codes and Privacy Risks****

Postal code data is also considered sensitive from a privacy standpoint. In areas with small populations, a postal code alone can sometimes narrow down an individual’s location to just a few households. This kind of geolocation can expose users to targeted attacks, doxxing, or unwanted surveillance.

Threat actors have increasingly exploited location metadata, including postal codes, in cyberstalking, phishing attacks, and spear-phishing campaigns. Even seemingly harmless public datasets that include postal codes can be cross-referenced with other leaked data to uncover private information.

The dependence on postal codes for identity verification creates another security gap: if an attacker gains access to your personal address information (through a data breach, phishing, or social engineering), they can easily bypass systems that rely heavily on postal code checks.

****Securing Postal Code Data****

As postal codes play a growing role in authentication and fraud analysis, organizations must treat postal data with the same rigour they apply to other forms of personally identifiable information (PII). That means:

*   Limiting internal access to location data
*   Encrypting postal code fields in databases
*   Using secure APIs when validating addresses
*   Regularly updating postal datasets to avoid errors or inconsistencies

GeoPostcodes notes that keeping postal datasets current is especially important for organizations working across multiple countries, where postal boundaries change frequently and inconsistencies can introduce vulnerabilities.

Postal codes are no longer just a tool for sorting mail. In today’s digital world, they’re part of the infrastructure supporting cybersecurity, fraud prevention, and identity verification. Since businesses continue to depend on accurate geolocation data, maintaining the security of postal code databases will be vital for protecting users and reducing cybersecurity risks.

How Postal Code Data Impacts Cybersecurity, Privacy and Fraud Prevention

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the site, plan return, deny seizure, and warn of clones.

In early April 2025, the well-known cybercrime and data breach forum BreachForums disappeared from the internet without explanation. The forum, administered and **owned by the hacker group ShinyHunters**, went offline without any farewell note or clarification, triggering widespread speculation about a possible law enforcement seizure.

Despite these concerns, DNS records for BreachForums remained unchanged, showing the original nameservers at **DDoS-Guard**, not the typical Cloudflare nameservers seen when the FBI seizes criminal infrastructure. This consistency hinted that the site had not fallen into the hands of authorities but left many questions unanswered.

    BreachForums.st DNS Records:
    
    185.129.101.200
    
    185.129.103.200
    
    ns1.ddos-guard.net
    
    ns2.ddos-guard.net
    
    Typical FBI Seizure DNS Records:
    
    plato.ns.cloudflare.com
    
    jocelyn.ns.cloudflare.com

****BreachForums Plans to Return****

Earlier today (April 28, 2025), visitors to Breachforums.st have been met with a new development: a detailed message posted on the homepage, allegedly from the forum’s administration, signed with a PGP key.

According to the statement, the administrators shut down operations after confirming the existence of a MyBB 0day vulnerability that left the forum exposed to infiltration attempts by law enforcement agencies.

It is worth noting that in June 2023, when BreachForums was revived under ShinyHunters’ control, it **suffered a data breach**. The forum administrator attributed the incident to a MyBB 0day vulnerability, which led to the leak of personal details belonging to over 4,000 members.

However, in the latest update, the administrators claimed they acted quickly once they received credible information about the security risk through trusted contacts. They initiated an incident response protocol, shut down infrastructure, and conducted an audit of their systems.

Their findings suggested that although the forum software was vulnerable, the infrastructure had not been compromised and no data had been stolen. The statement also apologized to staff and users for the extended silence, citing operational security as the top priority during the crisis. BreachForums announced that work is underway on a complete rewrite of the forum backend to prevent future vulnerabilities.

Additionally, the message warned users against engaging with various BreachForums clones that have surfaced online, suggesting that these are likely law enforcement honeypots designed to lure and identify cyber criminals. The administrators emphasized that no arrests had taken place and that the original team remained intact.

Screenshot from the BreachForums’ homepage (Image credit: Hackread.com)

****But Some Questions Remain Unanswered****

What the message does not explain is why ShinyHunters deleted their Telegram account. BreachForums had a large and active community on Telegram. What happened to that account, and why were no updates provided on Telegram before taking down the forum?

The sudden disappearance and equally sudden reappearance of BreachForums have raised further concerns within cybercrime circles. While the operators insist the platform remained secure, the revelation of a zero-day vulnerability in the forum software raises new questions about the operational risks associated with underground forums.

**ShinyHunters**, the hacker group tied to the forum’s ownership, has been linked to several high-profile data breaches over the past few years, which places BreachForums under constant scrutiny by law enforcement agencies worldwide.

The situation is likely to develop as cybersecurity researchers, law enforcement, and threat actors react to the forum’s unexpected return. Until then, BreachForums’ future remains uncertain.

BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

Toronto, Canada, 28th April 2025, CyberNewsWire

Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection with an alleged internet offence by an unknown user of the service.

The case centred around a Windscribe-owned server in Finland that was allegedly used to breach a system in Greece. Greek authorities, in cooperation with INTERPOL, traced the IP address to Windscribe’s infrastructure and, unlike standard international procedures, proceeded to initiate criminal proceedings against Sak himself, rather than pursuing information through standard corporate channels.

“This was not just about me,” said Sak. “It was about drawing a hard legal line around the role of privacy infrastructure providers. As we do not log user activity, we cannot hand over what we do not have.”

The charges against Sak were formally dismissed on April 11, 2025. The court did not find sufficient evidence to implicate Sak or Windscribe in any wrongdoing.

****A Case with Global Ramifications****

The legal proceedings unfolded against the backdrop of increasing pressure on privacy tech companies worldwide. While most law enforcement agencies issue subpoenas to VPN providers when criminal activity is suspected, Windscribe routinely responds that it is unable to comply due to its strict no-logs policy, a response that is almost always accepted without escalation.

This case, however, deviated sharply from that norm. After subpoenaing the data center provider in Finland, which yielded the account holder’s name Sak; Greek authorities immediately started criminal proceedings. No information was requested from Windscribe, and the first time the company heard of the issue was after the receipt of the legal summons. 

“This sets a concerning precedent for anyone who owns servers that could be used by others,” said Sak. “If upheld, it could have criminalized infrastructure ownership for actions taken by anonymous users.”

****Why Windscribe Won’t Keep Logs****

Windscribe believes that the internet should be free of censorship, personal data harvesting, targeted advertising, and geographic restrictions. Adherence to this philosophy is taken very seriously, the company does not pay for any advertisements or promoted content; it’s a key tenet of its ethics and philosophy.

Sak emphasized that Windscribe remains committed to user privacy and operational transparency. “Some say VPNs should be banned because a few people misuse them,” said Sak. “By that logic, we should also ban hammers and cars.”

The case underscored a central challenge for privacy providers: assisting with legal investigations requires collecting user logs, a step that fundamentally compromises the trust and utility of a privacy service. Once stored, these logs can be compelled by courts in jurisdictions where speech itself is criminalized.

“Today it’s hacking. Tomorrow it could be speaking ill of a dictator’s beard,” said Sak. “We’d rather fight in court than betray our users.”

****About Windscribe****

Founded in 2016, Windscribe is a VPN and privacy tools provider trusted by tens of millions of users worldwide to safeguard online privacy and bypass censorship. With a strict no-logs policy, open-source apps, and a record of fighting for user rights in court, Windscribe remains one of the most transparent and principled providers in the privacy tech space.

****Media Contact:****

Yegor Sak  
\[email protected\]

Source

HackRead