This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

Silent Push exposes thousands of fake e-commerce websites spoofing major brands like Apple and Michael Kors. Learn how this Chinese phishing scam targets shoppers and steals financial data, impacting global consumers.

Cybersecurity firm Silent Push has exposed a massive phishing scam originating from China, which has created thousands of fake e-commerce websites designed to trick online shoppers. These fraudulent sites mimic well-known brands and aim to steal sensitive financial information, impacting both English and Spanish-speaking consumers worldwide.

According to Silent Push’s research, shared with Hackread.com ahead of its publishing on July 2nd, 2025, the investigation began after a crucial tip from Mexican journalist Ignacio Gómez Villaseñor.

Villaseñor’s May 26, 2025, X/Twitter post highlighted a threat actor specifically targeting Hot Sale 2025, a major annual sales event in Mexico, similar to Black Friday in the United States. It ran from May 26 to June 3, 2025, and is sponsored by the Asociación Mexicana de Ventas Online (AMVO).

****How the Scam Works****

The scammers create convincing fake versions of popular retail websites, including those of Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans. While these sites appear to offer products, they do not process actual purchases. Instead, they are designed to capture credit card details entered by unsuspecting users.

The “harborfrieghtshop” fake website (Source: Silent Push)

A key finding from tests carried out by Publimetro México, as reported by Gómez Villaseñor, was that “by entering false bank card data into these portals, the system reacts as if you were actually processing a payment.”

This includes displaying “reserved cart” timers and logos of legitimate payment services like Visa, MasterCard, PayPal, Oxxo, and SPEI. This elaborate simulation is intended to build trust and allow the criminals to steal information without immediate suspicion.

****Credit Card Theft and More****

Silent Push also found that some of these fake websites, such as rizzingupcartcom, integrated real Google Pay purchase widgets. While Google Pay typically offers enhanced security by using virtual card numbers, the threat actors still exploit this by simply not delivering the “purchased” goods after payment, researchers noted. This means even payments made through Google Pay are at risk of leading to financial loss, even if the direct credit card details are not compromised.

Silent Push has high confidence in the Chinese origin of this network, based on a private technical fingerprint found within the scam’s infrastructure, which includes Chinese words and characters. The sheer scale of the operation is significant, with thousands of fraudulent domains identified.

Many of these sites show sloppy errors, like harborfrieghtshop (a misspelling of Harbor Freight) which strangely displayed a cloned version of the Wrangler Jeans site. Other examples include guitarcentersalecom, which offered children’s accessories instead of musical instruments, and nordstromltemscom (note the “l” instead of an “i” in “items”) which was a direct copy of the fake Guitar Center site.

Despite some of these sites being taken down, thousands were still active as of June 2025, highlighting the persistent nature of this threat. Silent Push continues to track this widespread phishing campaign and urges consumers to be cautious when shopping online.

New Fake Marketplace From China Mimics Top Retail Brands for Fraud

SentinelLabs uncovers NimDoor, new North Korea-aligned macOS malware targeting Web3 and crypto firms. Exploits Nim, AppleScript, and steals Keychain, browser, shell, and Telegram data.

A new report from SentinelLabs, released on July 2, 2025, reveals a sophisticated cyberattack campaign targeting Web3 and cryptocurrency companies. Threat actors aligned with North Korea are aggressively exploiting macOS systems with a newly discovered malware called NimDoor, utilizing complex, multi-stage attacks and encrypted communications to remain undetected.

The research, authored by Phil Stokes and Raffaele Sabato and shared with Hackread.com, highlights the attackers’ shift towards less common, cross-platform programming languages like Nim. This change complicates efforts to detect and analyse their malicious activities.

The group also uses AppleScript in clever ways, not just for the initial breach but also as simple, hard-to-spot backdoors. Their methods show a clear improvement in staying hidden and persistent, including using encrypted WebSocket (wss) communication and unusual ways to maintain access even after malware is supposedly shut down.

****How the Attacks Works****

The attacks begin with a familiar social engineering trick: hackers pretend to be trusted contacts on platforms like Telegram, inviting targets to fake Zoom meetings. They send emails with a malicious Zoom SDK update script designed to look legitimate but is actually heavily disguised with thousands of lines of hidden code. This script then downloads more harmful programs from attacker-controlled websites, which often use names similar to real Zoom domains to fool users.

The fake Zoom update notification (Credit: SentinelLabs)

Once inside, the infection process becomes multi-layered. The hackers deploy several tools, including a C++ program that injects malicious code into legitimate processes, a rare technique for macOS malware. This allows them to steal sensitive data like browser information, Keychain passwords, shell history, and Telegram chat histories.

According to SentinelLabs’ blog post, they also install the Nim-compiled ‘NimDoor’ malware, which sets up long-term access. This includes a component named “GoogIe LLC” (note the deceptive capital ‘i’ instead of a lowercase ‘L’), which helps the malware blend in. Interestingly, the malware includes a unique feature that triggers its main components and ensures continued access if a user tries to close it or the system reboots.

****Another Day, Another North Korean Campaign****

SentinelLabs’ analysis shows that these North Korean-aligned actors are constantly developing new ways to bypass security. Their use of Nim, a language that allows them to embed complex behaviours within compiled programs, makes it harder for security experts to understand how the malware works. Additionally, using AppleScript for simple tasks like regularly checking in with their servers helps them avoid using more traditional, easily detectable hacking tools.

The report goes on to show how important it is for companies to strengthen their defences as these threats keep changing. As hackers try out new programming languages and more advanced tactics, cybersecurity researchers need to update how they detect and stop these attacks. SentinelLabs sums it up by calling them “inevitable attacks” that everyone should be ready for.

N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates

Facebook's pursuit of your personal data continues, and now it has a new target: photos on your phone that you haven't shared with it yet.

Facebook’s pursuit of your personal data continues apace, and now it has a new target: photos on your phone that you haven’t shared with it yet.

Techcrunch reports that the social media giant is now asking its users to peek at the photos on their phones’ camera rolls. In return it will give them new ideas to view their photos.

In a pop-up message seen by some of the site’s users, Facebook asks users to “allow cloud processing” of the photos in their camera roll. “To create ideas for you, we’ll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or theme,” the message says.

Image courtesy of Techcrunch

The site will then offer things like collages, recaps, AI restyling or themes like birthdays or graduations, it continues, adding that Facebook won’t use the photos to target you for ads.

But what else might Meta do with those photos? Its AI terms of service allow it to analyze the images you load using AI, “including facial features”.

Incidentally, you can’t share any images with Meta that contain images of people in Illinois or Texas unless you’re legally authorized to consent on their behalf, it warns. That’s likely because both those states have strict laws around the use of biometric data, including facial recognition, in photos. We’re not sure how that works, then, if you grant the company unfettered access to your camera roll which includes photos of your trip to Chicago or Austin to visit friends and family.

Another question is over whether the company will scan children’s images. If you have an aversion to sharing your kids’ photos on Facebook, this could be a real issue.

We can extend this into even more worrying areas. What if you have photos of your kids in the bath that you don’t want an AI to train on? Or if you have intimate photos of yourself or a partner on your phone?

Facebook reserves the right to subject any content to “automated or manual (i.e. human) review and through third-party vendors in some instances”. There’s nothing in Meta’s messaging that seems to stop it from subjecting your camera roll photos to this.

Facebook has made camera roll cloud processing an opt-in service, meaning that you must deliberately select it for the app to start scanning your camera roll. However, this wasn’t enough for at least one Reddit commenter, who warned that you can’t control your photos once you share them with others.

“So although I always uninstall Facebook and Instagram, if I share a photo of me with my family, Meta will still get to analyze it, because at least one of them will still have those apps installed,” they said. In general, reactions to the story seem negative.

Facebook isn’t the only company that allows you to automatically upload your photos to the cloud. Apple offers this as part of its tightly integrated photos service, and has been producing montages and other assets from its users’ photos for a long time.

Apple says that it only uses AI to analyze your photos on your local device, and while it stores them in the cloud it doesn’t access them there. However it also says that it has “a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing as well as to use the materials you submit for Apple internal purposes.” Those services include iCloud+. iCloud is the cloud service that stores your photos.

Google, which also allows you to automatically upload photos to its service, says that you own your photos but retains the right to modify and create derivative works on your content, and to share it with contractors.

Google’s past relationship with photo users has been problematic. It once deleted a dad’s account after he took an image of his son’s groin to send to a doctor and it was automatically uploaded to the cloud, where Google identified it as child sexual abuse material. Law enforcement considered him innocent. Google refused to reinstate his services.

Our advice? If you’re going to allow a service to automatically analyze the photos you take, be sure that you completely trust that service. Check to see if it has been accused of mishandling users’ data in the past, such as Meta was here, here, and of course here.

That’s not enough, though. Be careful who else you share your photos with, and under what circumstances. If you do share them, do so only with those you trust. Include a caveat to ensure that they know how you’re comfortable with them using those photos, and what you’re not OK with them doing.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Facebook wants to look at your entire camera roll for &#8220;AI restyling&#8221; suggestions, and more 

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate's most tech-savvy lawmakers says the feds aren't doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

Agents with the **Federal Bureau of Investigation** (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff **Susie Wiles** was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.

On May 29, **The Wall Street Journal** reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.

The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.

“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”

Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker **Emerita Melissa Hortman** and her husband, and the shooting of Minnesota State Senator **John Hoffman** and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).

But according to **Sen. Ron Wyden** (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.

“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to **FBI Director Kash Patel**. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”

Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.

These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.

Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).

The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.

“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.

**Nicholas Weaver** is a researcher with the **International Computer Science Institute**, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.

“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”

Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, **Citizen Lab** documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.

Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.

Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher **Bill Marczak**: CVE-2025-24200, which Apple said was used in an extremely sophisticated _physical_ attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.

In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.

I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.

My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s **Lorenzo Francheschi-Bicchierai**, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.

Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.

Senator Chides FBI for Weak Advice on Mobile Security

This week on the Lock and Code podcast, we speak with Becky Holmes about how she tricks, angers, and jabs at romance scammers online.

_This week on the Lock and Code podcast…_

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of apples—the produce—to scammers requesting Apple gift cards, and she’s even tricked a scammer impersonating Mark Wahlberg that she might be experimenting with cannibalism.

Though Holmes routinely gets a laugh online, she’s also coordinated with law enforcement to get several romance scammers shut down. And every effort counts, as romance scams are still a dangerous threat to everyday people.

Rather than tricking a person into donating to a bogus charity, or fooling someone into entering their username and password on a fake website, romance scammers ensnare their targets through prolonged campaigns of affection.

They reach out on social media platforms like Facebook, LinkedIn, X, or Instagram and they bear a simple message: They love you. They know you’re a stranger, but they sense a connection, and after all, they just want to talk.

A romance scammer’s advances can be appealing for two reasons. One, some romance scammers target divorcees and widows, making their romantic gestures welcome and comforting. Two, some romance scammers dress up their messages with the allure of celebrity by impersonating famous actors and musicians like Tom Cruise, Brad Pitt, and Keanu Reeves.

These scams are effective, too, to sometimes devastating consequences. According to recent research from Malwarebytes, 10% of the public have been the victims of romance scams, and a small portion of romance scam victims have lost $10,000 or more.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Holmes about her experiences online with romance scammers, whether AI is changing online fraud, and why the rules for protection and scam identification have changed in an increasingly advanced, technological world.

>  ”I’ve seen videos of scammers actually making these real life video manipulation calls where you’ve got some guy sitting one side of the world pretending to be somewhere else completely, and he’s talking into his phone and it’s coming out on the other person’s phone as a different image with a different voice.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Corpse-eating selfies, and other ways to trick scammers (Lock and Code S06E14) 

Apple and Google espouse strong values about data privacy, but they allow programs from a Big Brother state to thrive on their app stores, researchers allege.

Top Apple, Google VPN Apps May Help China Spy on Users

In a 6-3 decision, the Supreme Court held that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned it burdens adults and ignores First Amendment precedent.

If you try to access Pornhub, one of the world’s biggest websites, from any of 17 US states, you’ll be blocked. Pornhub’s parent company, Aylo Holdings, has restricted access in response to a slew of laws that says Pornhub itself should be responsible for checking that every visitor is over 18. Now, the United States Supreme Court has made a decision on a key age verification law, which could have ramifications for the entire country and the wider internet as a whole.

On Friday, in a 6–3 decision that could reshape the landscape of online privacy and free speech, the Supreme Court upheld in full the Texas age verification law—one of the first passed in the country—requiring many websites publishing pornographic content to check that all visitors are over 18. The law, TX HB1181, says sites that are “more than one-third sexual material” can face fines of up to $10,000 per day if they don’t put in place age verification systems, plus extra penalties of up to $250,000. It also states websites should display health warnings about the potential health risks of pornography.

Writing for the majority, Justice Clarence Thomas said that because the law "simply requires proof of age to access content that is obscene to minors, it does not directly regulate adults’ protected speech," adding, "adults have no First Amendment right to avoid age verification."

In her dissent, Justice Elena Kagan argued that the Texas law imposes a direct and unconstitutional burden on adults’ access to protected speech. “A State may not care much about safeguarding adults’ access to sexually explicit speech; a State may even prefer to curtail those materials for everyone,” she wrote, “but the First Amendment protects those sexually explicit materials, for every adult.”

The ruling marks a major victory for Texas attorney general Ken Paxton, who defended the law amid fierce opposition from digital rights groups and the adult entertainment industry.

Legislators in Texas passed HB1181 in early 2023, but it was struck down in the US District Court for the Western District of Texas for potentially being unconstitutional before the law went into effect. Adult industry group the Free Speech Coalition, among others, challenged the Texas law on the grounds that it violates the First Amendment by restricting adults’ access to constitutionally protected speech. In March last year, a Fifth Circuit appeals court upheld the Texas law before the Free Speech Coalition took the case to the Supreme Court in a January hearing.

In recent years, a wave of age verification laws have been proposed in states across the country. More than half of US states have passed or have tried to pass age verification laws, according to a tracker published by the Free Speech Coalition.

“Efforts to regulate online pornography are often the opening move in broader campaigns to censor the internet,” Jess Miers, a visiting assistant professor of law at the University of Akron School of Law, said before the decision. “While this case focuses on mandatory age verification for adult content, state lawmakers are hoping it provides a legal foundation to impose sweeping restrictions on a wide range of online material.”

Attempts to get pornographic websites to implement age checks—more than just clicking a button saying you are over 18—have been accelerating over the past decade, since government officials in the UK passed laws on age verification checks only to delay and abandon them in 2019. Since then, though, a wave of companies and technologies selling age-checking software has rapidly expanded and matured. Adult websites and pornographers aren’t against introducing robust age checks; they say they don’t want children to be exposed to illicit content.

Multiple methods of age verification, which is often called age assurance, have been proposed or developed in recent years, with regulators and governments around the world pushing for them to be used to stop children accessing content that may not be suitable for them. These age verification methods can include, but aren’t limited to, checking someone’s identity against government ID, providing banking details, or using face-checking systems that can predict someone’s age.

Typically, third-party companies are developing the age-checking methods, with adult websites paying to use their services. This can mean people do not directly share their ID documents or other details used to verify their age directly with pornography websites or the companies that own them. Some companies, including Pornhub owner Aylo Holdings and Meta, have argued that age checks should happen by Google and Apple on their respective app stores. Those companies don’t agree.

Repeatedly, privacy and civil liberties experts have stated that any data collection or understanding of how people consume pornography could have devastating consequences if there’s a data breach or information is leaked. (One ID verification company suffered a data breach last year.) Unscrupulous companies could also sell or share data, privacy advocates say.

Last week, the preliminary results of an age checking trial in Australia, which has passed laws to ban under-16s from social media apps, found such systems may not be effective. Plus, age checks can often be easily circumvented by using a VPN. Aylo has claimed that current age verification proposals aren’t effective and push people to smaller websites, which may have fewer safety tools in place to moderate images and videos.

Despite potential concerns, laws mandating companies use age verification systems are being introduced around the world, and multiple companies are adopting the systems. Since 2022, Instagram has been using facial age estimation software to check people’s ages. In April, chat app Discord announced it is testing face scans in the UK and Australia. Regulators in Germany have been pursuing age checks—going as far as to fine individuals posting on X (then Twitter) in 2023—for years. Last week, Pornhub returned to France—it pulled services relating to the country’s age checking at the start of June—after a court ruling limited the law. And by July this year, porn sites and social media platforms operating in the UK are required to introduce “robust” age checks. Pornhub owner Aylo announced on Thursday that it would adopt "government approved age assurance methods” to comply with the law.

With the Supreme Court’s Friday decision, the threat to pornography and sexual expression in the country may be more grave. The Heritage Foundation’s Project 2025 plan, which has been partially followed by the US government, has suggested criminalizing pornography and shutting down its producers. Earlier this year, Senator Mike Lee of Utah proposed the Interstate Obscenity Definition Act, which could redefine what’s considered “obscene” content and potentially ban pornography entirely.

“Once the state has the authority to restrict access to adult content, it will almost certainly broaden the definition of ‘material harmful to minors,’” Miers says. “This could include reproductive health information, LGBTQ+ resources, and educational content related to race, gender, or diversity.”

_Additional reporting by Dell Cameron._

US Supreme Court Upholds Texas Porn ID Law

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

A recent report by the Washington, D.C.-based Tech Transparency Project (TTP) reveals that numerous free Virtual Private Network (VPN) apps, despite earlier warnings, continue to be available on both Apple’s App Store and Google’s Play Store, posing major privacy and national security risks.

According to the organisation’s claims, these apps, many with hidden ties to Chinese companies, could be exposing sensitive user data to the Chinese government. For your information, VPNs are tools designed to create a secure, encrypted connection over the internet, masking a user’s identity and online activity.

However, some users express concern about VPN services owned by Chinese companies due to privacy and data security considerations. Under Chinese national security laws (PDF), companies can be compelled to hand over user data to the government. This is particularly concerning because VPNs have access to a user’s entire web activity, making the data highly sensitive.

TTP’s initial report from April 1, 2025, revealed that over 20 of the top 100 free VPNs on the US Apple App Store in 2024 were linked to Chinese ownership. Many of these apps intentionally concealed their origins through shell companies.

It is worth noting that several apps were connected to Qihoo 360, a Chinese cybersecurity firm that the US has sanctioned due to its alleged links with China’s People’s Liberation Army.

One notable instance involves Autumn Breeze Pte. Ltd., listed as Snap VPN developer on Google Play Store. It asserts “no affiliation with Qihoo 360,” emphasizing a strict “no-log policy.” However, TTP’s research reveals Qihoo 360 acquired Autumn Breeze Pte. Ltd in 2020, and sold it to undisclosed parties after US sanctions. Corporate records for Autumn Breeze continue to list a Chinese director, whose name matches a Chinese national who’d led Qihoo 360’s mobile security unit.

Despite some apps, like Thunder VPN and Snap VPN, being removed from Apple’s App Store after media inquiries, TTP’s follow-up check in early May 2025 confirmed that many Chinese-owned VPNs remain available.

For instance, Turbo VPN and VPN Proxy Master, both linked to Qihoo 360, continue to be offered on Apple’s platform. The Google Play Store also hosts several Qihoo 360-connected apps, including Snap VPN and Signal Secure VPN, alongside other Chinese-owned VPNs like X-VPN and VPNify.

The report further suggests that Apple and Google may be financially benefiting from these potentially risky applications. Many of these free VPNs offer in-app purchases or display advertisements, from which both tech giants take a percentage of revenue (Apple typically charges 30% or 15%, while Google charges 15% up to $1 million in sales and 30% thereafter).

This suggests a financial incentive for the platforms to continue hosting these apps, despite the privacy implications for American users, researchers noted in their blog post shared with Hackread.com.

Screenshot via TTP

Neither Apple nor Google have responded to TTP’s requests for comment on these findings or their policies regarding data sharing by VPNs. Users are advised to exercise caution and thoroughly research the ownership and privacy policies of any VPN service they intend to use.

_“_Let’s think about how TikTok’s story unfolded: massive reach, secret ownership, and extensive data collection, which may have left U.S. soil but these VPN apps are even more concerning as they don’t just track your preferences; they monitor everything you do online,_“_ said Chad Cragle, Chief Information Security Officer at Deepwatch.

_“_When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google? They often allow nearly any app on their store,_“_ claimed Chad.

_“_It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you’re letting other parties control the playbook. If they don’t properly scrutinize these apps, they’re not just passively allowing it, they’re helping to create the problem. And let’s be honest, this isn’t just about privacy; it’s about national security, too,_“_ he emphasised.

Researchers Warn Free VPNs Could Leak US Data to China

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Authorities in the United States have charged a British national, Kai Logan West, widely known online as “**IntelBroker**“, with a series of high-profile data breaches that collectively caused at least $25 million in damages to companies worldwide. The 23-year-old was arrested in France in February 2025 and now faces extradition to the United States to stand trial in the Southern District of New York.

As **reported** by Hackread.com, IntelBroker’s arrest was followed by several others, including four individuals linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were **involved** in administering and moderating the cybercrime and data breach forum BreachForums.

The **unsealed complaint** (PDF), dated February 2025, lays bare the FBI’s two-year investigation into West’s cybercrime operations, connecting him to dozens of data breaches, sales of stolen data, and the leadership of a hacking collective operating on clear and dark web forums.

****Who Is IntelBroker?****

Using aliases like “IntelBroker” and “Kyle Northern”, West built a reputation on a clear and dark web forum known in the indictment as “Forum‑1” ( BreachForums). Operating under the banner of a hacking crew called CyberN (formerly “The Boys”), IntelBroker offered hacked databases from government agencies, healthcare providers, telecommunications firms, and internet service providers.

Between 2023 and early 2025, West authored at least 158 threads offering stolen data on Forum‑1, with 41 of them involving US companies. The FBI notes that at least $2 million worth of **Monero cryptocurrency** was solicited for the stolen information.

In 2024, IntelBroker was listed as the “owner” of Forum‑1, and his fame skyrocketed as he gave away some data leaks for free to boost credibility, gather a following, and attract buyers.

****How the FBI Tracked Down IntelBroker****

What West didn’t know was that FBI agents were watching closely. The bureau deployed undercover officers posing as buyers on Forum‑1. On at least two occasions, agents purchased stolen data directly from IntelBroker.

In January 2023, one agent bought an API key and login credentials for a company dubbed “Victim‑7.” Although the credentials were limited in value, the transaction became a key element in tracking his identity when IntelBroker asked for payment in Bitcoin (instead of Monero) and provided a wallet address that could be traced on the blockchain.

FBI blockchain analysts followed the money and found that:

*   The Bitcoin wallet used for the transaction had been seeded from another wallet linked to an account on a financial platform called Ramp.
*   That Ramp account was registered using a UK provisional driving license issued to Kai Logan West.
*   The same identity, Kai West, also owned a Coinbase account under the alias Kyle Northern, but with KYC verification; confirming it was the same individual.

Provisional driving licence of Kai West (Image via US Justice Department complaint)

Further connecting the dots, both accounts were linked to a Gmail address used by West for personal matters, including:

*   Cloud-stored selfies
*   Receipts and ID documents
*   UK University Housing and Tuition communications
*   Videos showcasing networking tools like “GPRS Smash”

The email also included a student certificate showing West was enrolled in a Cyber Security program.

****Online Footprints and Forum Activity****

West didn’t just transact carelessly, he also exposed himself by linking his online activity to personal behaviour. His IntelBroker posts on Forum‑1 often referenced YouTube videos that he had just viewed from his personal email account, and he regularly updated his signature block to list members of his hacking group, which made it easier to trace his involvement across multiple threads.

When Forum‑1 was **seized and shut down in 2024** and relaunched, all old posts inherited the updated signature, creating a consistent trail of West’s activity and affiliations dating back to early 2023.

One of the YouTube videos posted by IntelBroker on BreachForums (Image via US Justice Department complaint)

****The Victim List: Telecoms, Healthcare, ISPs****

The indictment outlines at least six victims, referred to only as Victim‑1 through Victim‑6. Victim‑1, a telecom provider, had data exfiltrated and deleted from a hosting server in Manhattan, resulting in damage estimated in the hundreds of thousands.

Victim‑3, a municipal healthcare provider, had the personal and health data of over 56,000 individuals stolen, which West later sold to an undercover FBI agent for $1,000 in Monero. Victim‑6, an internet service provider, was compromised using information from previous leaks to breach an internal server.

In each case, West publicly offered proof samples, negotiated sales via private messages, and accepted only Monero to maintain anonymity, though the paper trail caught up.

However, since Hackread.com exclusively reported on IntelBroker’s data breaches, here is a comprehensive list of data breaches and leaks claimed by the hacker:

Here is the list sorted from shortest to longest by character count:

1.  **AMD**
2.  **Apple**
3.  **Cisco**
4.  **Nokia**
5.  **US DoD**
6.  **Europol**
7.  **T-Mobile**
8.  **Robert Half**
9.  **Space Eyes**
10.  **Home Depot**
11.  **Tech in Asia**
12.  **General Electric**
13.  **LA Intl. Airport**
14.  **HSBC & Barclays Bank**
15.  **Facebook Marketplace**
16.  **Weee! Grocery Service**
17.  **UAE’s Lulu Hypermarket**
18.  **US Federal Contractor Acuity**
19.  **Hewlett Packard Enterprise (HPE)**
20.  **MIT Technology Review Magazine**
21.  **An unnamed but “Top” Cybersecurity Firm**

****Criminal Charges****

West has been charged with four federal offences:

1.  Wire fraud
2.  Conspiracy to commit wire fraud
3.  Conspiracy to commit computer intrusions
4.  Accessing a protected computer to defraud and obtain value

Each carries the potential for several years in prison, particularly when involving health data or affecting critical infrastructure.

The FBI’s Special Agent Carson Hughes and US Attorney Jay Clayton emphasized the global reach and danger of IntelBroker’s operations. The FBI called the case “a warning” to cybercriminals who believe online anonymity shields them from consequences.

****Did IntelBroker Work for the UK’s National Crime Agency?****

Kai West presented himself professionally as a cybersecurity researcher and operated under two separate identities on LinkedIn, one as Kyle Northern and the other as K West. This was first flagged by **Nathaniel Fried**, Co-founder and CEO at 0xbowio, who shared details of West’s dual profiles with Hackread.com.

Notably, the Kyle Northern profile claimed he worked as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) from September to October 2019. If accurate, this role could have involved access to classified systems, as the NCA deals with serious organized crime and national security. While the NCA affiliation remains unverified, West’s claimed background in cybersecurity and his academic path suggest the possibility shouldn’t be dismissed outright.

Kai Logan West on LinkedIn (Screenshot credit: Hackread.com)

West remains in French custody, and US officials are actively **seeking** extradition. If convicted, he could face decades behind bars. Meanwhile, Forum‑1 has been offline since April 2025, **reportedly** due to a MyBB zero-day vulnerability. Many of its members have since migrated to other platforms, including DarkForums and the Russian-language cybercrime forum XSS.

The exposure of IntelBroker stands out as a major cybercrime takedown. What made it possible was a mix of undercover FBI work, cryptocurrency tracking, and even old-school email evidence, all of which helped track one of the most well-known figures on cybercrime forums.

Tag

#apple