Jamf security experts have found a new version of MacSync Stealer. Disguised as a zk-call app, it uses official notarization to bypass security and steal your saved passwords.

For years, Mac users have felt a sense of security thanks to Apple’s strict notarization process, a system that ensures an app’s safety. However, a new report from Apple device security experts at Jamf Threat Labs shows that hackers are finding ways to get that official seal of approval for their own malicious tools.

Researchers were able to identify this trick while tracking a software called MacSync Stealer. In the past, attackers relied on “clunky” tricks like drag-to-terminal or ClickFix, which forced users to manually drag files into the Mac’s Terminal or paste coded commands to trigger an infection. The version discovered now is much more dangerous because it removes these manual steps entirely.

****Bypassing the Digital Guard****

This latest version arrives disguised as a harmless installer for a chat app called ‘zk-call.’ What makes this specific attack so sneaky is that it was code-signed and notarised. This means the hackers used a fraudulent Developer Team ID (GNJLS3UYZ4) to make the Mac believe the software was legitimate.

According to Jamf’s blog post, shared with Hackread.com, the file was even ‘inflated’ with large, useless PDFs to make it look like a heavy, professional application.

Further probing revealed that once you open the installer (specifically a file named zk-call-messenger-installer-3.9.2-lts.dmg), a hidden script starts working in the background. It doesn’t start causing trouble right away, though. “This shift in distribution reflects a broader trend,” the researchers noted, where malware acts more like a “sleeper agent” to avoid detection.

Installation Instructions and notarization visible on installer details (Source: Jamf Threat Labs)

****A Patient Thief****

What’s interesting is that MacSync Stealer is surprisingly patient. It creates a log file at UserSyncWorker.log to track its own activity. If it sees that it has already run within the last hour (3,600 seconds), it simply goes to sleep. This ‘throttling’ makes it much harder for security software to notice a constant, suspicious flow of data.

The end goal is a direct hit on your privacy because the software specifically hunts for the login.keychain-db. This is the master file where your Mac stores every password you’ve ever saved. To get inside, it may trigger a fake pop-up asking for your system password. So, if you see a random request for your password immediately after installing a new app, it’s a massive red flag.

Apple has since revoked the digital certificate used by these attackers, but the incident shows that a notarised app isn’t always a safe one.

New MacSync Stealer Disguised as Trusted Mac App Hunts Saved Passwords

Interpol said law enforcement across 19 countries made 574 arrests and recovered $3 million, against a backdrop of spiraling cybercrime in the region, including business email compromise, digital extortion, and ransomware schemes.

Sprawling 'Operation Sentinel' Neutralizes African Cybercrime Syndicates

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials.
The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials.

The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of writing. The details of the extensions are as follows -

*   Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) - 2,000 users (Published on November 26, 2017)
*   Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) - 180 users (Published on April 27, 2023)

"Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said.

"Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 \[command-and-control\] server."

Once unsuspecting users make the payment, they receive VIP status and the extensions auto-enable "smarty" proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure.

The extensions work as advertised to reinforce the illusion of a functional product. They perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials.

This involves malicious modifications prepended to two JavaScript libraries, namely, jquery-1.12.2.min.js and scripts.js, that come bundled with the extensions. The code is designed to automatically inject hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge across all websites by registering a listener on chrome.webRequest.onAuthRequired.

"When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt," Pandya explained. "It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction."

Once users authenticate to a proxy server, the extension configures Chrome's proxy settings using a Proxy Auto-Configuration (PAC) script to implement three modes -

*   close, which disables the proxy feature
*   always, which routes all web traffic through the proxy
*   smarty, which routes a hard-coded list of more than 170 high-value domains through the proxy

The list of domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, Digital Ocean, Microsoft Azure), enterprise solutions (Cisco, IBM, VMware), social media (Facebook, Instagram, Twitter), and adult content sites. The inclusion of pornographic sites is likely an attempt to blackmail victims, Socket theorized.

The net result of this behavior is that user web traffic is routed through threat actor-controlled proxies while the extension maintains a 60-second heartbeat to its C2 server at phantomshuttle\[.\]space, a domain that remains operational. It also grants the attacker a "man-in-the-middle" (MitM) position to capture traffic, manipulate responses, and inject arbitrary payloads.

More importantly, the heartbeat message transmits a VIP user's email, password in plaintext, and version number to an external server via an HTTP GET request every five minutes for continuous credential exfiltration and session monitoring.

"The combination of heartbeat exfiltration (credentials and metadata) plus proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active," Socket said.

Put differently, the extension captures passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users accessing the targeted domains while VIP mode is active. What's more, the theft of developer secrets could pave the way for supply chain attacks.

It's currently not known who is behind the eight-year-old operation, but the use of Chinese language in the extension description, the presence of Alipay/WeChat Pay integration to make payments, and the use of Alibaba Cloud to host the C2 domain points to a China-based operation.

"The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy," Socket said. "Users believe they're purchasing a VPN service while unknowingly enabling complete traffic compromise."

The findings highlight how browser-based extensions are becoming an unmanaged risk layer for enterprises. Users who have installed the extensions are advised to remove them as soon as possible. For security teams, it's essential to deploy extension allowlisting, monitor for extensions with subscription payment systems combined with proxy permissions, and implement network monitoring for suspicious proxy authentication attempts.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

Romania’s national water authority, Romanian Waters, was hit by a major ransomware attack affecting 1,000 systems but dams remain safe. Learn how authorities are fighting back without paying the ransom.

Romania’s national water authority, Romanian Waters (Administrația Națională Apele Române), is currently working to recover from a major ransomware attack that began on December 20, 2025.

According to the National Cyber Security Directorate (DNSC) press release, the incident has affected approximately 1,000 computer systems, including workstations, email services, and web servers.

The DNSC is Romania’s official body responsible for protecting the national critical infrastructure. Because water is considered “critical infrastructure” under Romania’s Government Emergency Ordinance No. 98/2010, any threat to its management is seen as a direct risk to national safety.

****What was Impacted****

The attack spread across the main office and reached 10 out of the 11 regional river management branches, impacting offices in Oradea, Cluj, Iași, Siret, and Buzău. The disruption knocked out several key digital tools:

*   Database and Domain Name Servers (DNS).
*   Email, web servers, and Windows workstations.
*   Geographical Information Systems (GIS) used for mapping water data.

Because the official website remains offline, authorities are sharing information through alternative sources like social media. While digital tools are down, the most vital infrastructure, like dams and flood defences, remains safe, and so does the agency’s Operational Technology (OT). On-site staff are managing these systems manually using radios and telephones to ensure everything continues to run smoothly.

****A Hidden Threat in Plain Sight****

Initial investigation suggests that the hackers used a unique method to lock the agency out of its files. Instead of a custom virus, they exploited BitLocker, a legitimate security tool built into Windows. By turning this tool against the agency, the hackers encrypted data while making it harder for security software to spot the trouble. However, at this point, the exact way the attackers entered the network is still unknown.

The DNSC confirmed that the attackers left a digital note demanding negotiations within seven days. However, the agency is standing firm. The official policy is “neither contact nor negotiate with cyberattackers” to ensure that criminal activity is not rewarded or funded.

****Protecting the Future****

It is worth noting that the Romanian Waters network was not yet part of the country’s central cyber-protection system operated by the National Cyberint Center (CNC). However, steps are now being taken to move the agency under this national security umbrella using intelligent technologies.

Currently, technical teams from the Romanian Intelligence Service (SRI) and other state authorities are working to limit the impact. The DNSC recently shared this update:

> 🔔 UPDATE – Incident cibernetic Administrația Națională „Apele Române”
> 
> Investigația atacului de tip ransomware este în desfășurare, iar echipele tehnice și autoritățile competente acționează pentru limitarea impactului și restaurarea sistemelor IT. pic.twitter.com/65S9yXloI4
> 
> — Directoratul Național de Securitate Cibernetică (@DNSC\_RO) December 22, 2025

While the cleanup continues, the public is asked to avoid contacting the agency’s IT staff so they can focus on getting the systems back online.

****OT Vulnerabilities and Cyber Threats to Water Infrastructure****

The ransomware attack on Romanian Waters highlights a growing trend: operational technology (OT) systems that control physical infrastructure are increasingly under threat from cyber attackers.

Water utilities, dams, treatment plants, and related OT environments combine networked digital systems with physical processes, making them a high‑value target for both criminals and state‑linked actors.

One notable example occurred in Norway earlier in 2025, when attackers breached the control system of a dam and opened its discharge valve for hours by exploiting weak credentials on an exposed control interface. The incident, blamed on pro-Russian hackers, went undetected for several hours, showing how simple security gaps can lead to direct manipulation of infrastructure systems.

In the United States, federal warnings have repeatedly pointed to ransomware and other attacks against water facility ICS/SCADA systems, with multiple facilities impacted over the years.

In the UK, concerns around water infrastructure security are also growing. Investigations have revealed that many control systems used by water companies are exposed online and often lack even the most basic protection.

Additionally, weak passwords, outdated software and poor network segmentation leave these systems open to tampering. If targeted, these flaws could put clean water access, flood defences or treatment facilities at risk. It’s a reminder that while the physical systems may seem secure, the online side of it also needs attention.

Photo by Amritanshu Sikdar on Unsplash)

Ransomware Hits Romanian Water Authority, 1000 Systems Knocked Offline

Hacktivists have scraped almost 100% of the content available on Spotify. Is there anything users need to worry about?

Hacktivist group Anna’s Archive claims to have scraped almost all of Spotify’s catalog and is now seeding it via BitTorrent, effectively turning a streaming platform into a roughly 300 TB pirate “preservation archive.”

On its blog, the group states:

> “A while ago, we discovered a way to scrape Spotify at scale. We saw a role for us here to build a music archive primarily aimed at preservation.”

Spotify insists that the hacktivists obtained no user data. Still, the incident highlights how large‑scale scraping, digital rights management (DRM) circumvention, and weak abuse controls can turn major content platforms into high‑value targets.

Anna’s Archive claims it obtained metadata for around 256 million tracks and audio files for roughly 86 million songs, totaling close to 300 TB. Reportedly, this represents about 99.9% of Spotify’s catalog and roughly 99.6% of all streams.

Spotify says it has “identified and disabled the nefarious user accounts that engaged in unlawful scraping” and implemented new safeguards.

From a security perspective, this incident is a textbook example of how scraping can escalate beyond “just metadata” into industrial‑scale content theft. By combining public APIs, token abuse, rate‑limit evasion, and DRM bypass techniques, attackers can extract protected content at scale. If you can create or compromise enough accounts and make them appear legitimate, you can chip away at content protections over time.

The “Spotify scrape” will likely be framed as a copyright story. But from a security angle, it serves as a reminder: if a platform exposes content or metadata at scale, someone will eventually automate access to it, weaponize it, and redistribute it.

And hiding behind violations of terms and conditions—which have never stopped criminals—is not effective security control.

**How does this affect you?**

There is currently no indication that passwords, payment details, or private playlists were exposed. This incident is purely about content and metadata, not user databases. That said, scammers may still claim otherwise. Be cautious of messages alleging your account data was compromised and asking for your login details.

Some general Spotify security tips, to be on the safe side:

*   If you have reused your Spotify password elsewhere or shared your credentials, consider changing your password for peace of mind.
*   Regularly review active sessions on streaming services and revoke anything you do not recognize. Spotify does not offer per-device session management, but you can sign out of all devices via **Account > Settings and privacy** on the Spotify website.
*   Avoid unofficial downloaders, converters, or “Spotify mods” that ask for your login or broad OAuth permissions. These tools often rely on the same kind of scraping infrastructure—or worse, function as credential-stealing malware.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Hacktivists claim near-total Spotify music scrape 

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa.
The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa.

The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and ransomware on the continent.

Participating nations included Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe.

Over the course of the initiative, more than 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The names of the ransomware families were not disclosed. The investigated incidents were linked to estimated financial losses exceeding $21 million, INTERPOL added.

Multiple suspects have been arrested in connection with a ransomware attack targeting an unnamed Ghanaian financial institution that encrypted 100 terabytes of data and stole about $120,000.

In addition, Ghanaian authorities took down a cyber fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000 using well-designed websites and mobile apps, which impersonated popular fast-food brands to collect payments for fake orders.

As part of the effort, 10 individuals were apprehended, 100 digital devices were seized, and 30 fraudulent servers were taken offline.

Law enforcement from Benin also dismantled 43 malicious domains and 4,318 social media accounts that were used to further extortion schemes and scams. The operation culminated in the arrest of 106 people.

"The scale and sophistication of cyber attacks across Africa are accelerating, especially against critical sectors like finance and energy," Neal Jetton, INTERPOL's director of cybercrime, said.

Operation Sentinel is part of the African Joint Operation against Cybercrime (AFJOC), which aims to enhance the capabilities of national law enforcement agencies in Africa and better disrupt cybercriminal activity in the region.

**Ukrainian National Pleads Guilty to Nefilim Ransomware Attacks**

The disclosure comes as a 35-year-old from Ukraine pleaded guilty in the U.S. to using Nefilim ransomware to attack companies in the country and elsewhere in his capacity as an affiliate. Artem Aleksandrovych Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. earlier this April.

In September, the Justice Department (DoJ) charged another Ukrainian national, Volodymyr Viktorovich Tymoshchuk, for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.

Tymoshchuk remains at large, although authorities have announced a $11 million reward for information leading to his arrest or conviction. Tymoshchuk is also on the most wanted lists of both the U.S. Federal Bureau of Investigation (FBI) and the European Union (E.U.). Nefilim's victims span the U.S., Germany, the Netherlands, Norway, and Switzerland.

"In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds," the DoJ said. "Stryzhak and others researched potential victims after gaining unauthorized access to their networks, including by using online databases to obtain information about the companies' net worth, size, and contact information."

Around July 2021, a Nefilim administrator is said to have encouraged Stryzhak to target companies in the U.S., Canada, and Australia with more than $200 million dollars in annual revenue. Nefilim operated under a double extortion model, pressurizing victims to pay up or risk getting their stolen data published on a publicly accessible data leaks site known as Corporate Leaks that was maintained by the administrators.

Stryzhak pleaded guilty to conspiracy to commit fraud related to computers in connection with his Nefilim ransomware activities. He is scheduled to be sentenced on May 6, 2026. If found guilty, he faces a maximum penalty of 10 years in prison.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

Online black markets once lurked in the shadows of the dark web. Today, they’ve moved onto public platforms like Telegram—and are racking up historic illicit fortunes.

When black markets for drugs, guns, and all manner of contraband first sprang up on the dark web more than a decade ago, it seemed that cryptocurrency and the technical sophistication of the anonymity software Tor were the keys to carrying out billions of dollars worth of untouchable, illicit transactions online.

Now, all of that looks a bit passé. In 2025, all it takes to get away with _tens_ of billions of dollars in black-market crypto deals is a messaging platform willing to host scammers and human traffickers, enough persistence to relaunch channels and accounts on that service when they’re occasionally banned, and fluency in Chinese.

The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the crypto tracing firm Elliptic. Despite a brief drop after Telegram banned two of the biggest such markets in early 2025, the two current top markets, known as Tudou Guarantee and Xinbi Guarantee, are together enabling close to $2 billion a month in money-laundering transactions, sales of scam tools like stolen data, fake investment websites, and AI deepfake tools, as well as other black market services as varied as pregnancy surrogacy and teen prostitution.

The crypto romance and investment scams regrettably known as “pig butchering”—carried out largely from compounds in Southeast Asia staffed with thousands of human trafficking victims—have grown to become the world’s most lucrative form of cybercrime. They pull in around $10 billion annually from US victims alone, according to the FBI. By selling money-laundering services and other scam-related offerings to those operations, markets like Tudou Guarantee and Xinbi Guarantee have grown in parallel to an immense scale.

“When you consider illicit use of crypto assets, there really isn’t anything larger right now,” says Tom Robinson, Elliptic’s cofounder and chief scientist.

In fact, these criminal trading zones aren’t simply the biggest online black markets of the moment, but the biggest in history. AlphaBay was once the biggest dark-web market for drugs, stolen data, and hacking tools. Described by the FBI as 10 times the size of the original Silk Road dark-web drug market at its peak, AlphaBay facilitated more than $1 billion in transactions over its two and a half years online. Hydra, a Russian dark-web market that also offered money-laundering services to cryptocurrency thieves and ransomware groups, did more than $5 billion in transactions over its seven years of operation.

By comparison, Huione Guarantee, the Chinese-language, Telegram-based market used largely by crypto scammers, facilitated a stunning $27 billion in transactions from 2021 to 2025, according to Elliptic, dwarfing every online black market before it, even as it operated in full public view on Telegram’s messaging platform. Elliptic has called it simply “the largest illicit online marketplace to have ever operated.”

WIRED reached out on Telegram to administrators of both Tudou Guarantee and Xinbi Guarantee for comment but didn’t receive a response.

In May, Telegram seemed to finally take action, banning Huione Guarantee—which had rebranded as Haowang Guarantee—after it was named as a money-laundering operation by the US Treasury’s Financial Crimes Enforcement Network. But since then, Tudou Guarantee, in which Haowang Guarantee owns a stake, has grown to fill that same position. Elliptic now measures its transactions at $1.1 billion a month, close to Haowang’s $1.4 billion a month. The second-biggest crypto scam market, Xinbi Guarantee, has meanwhile grown to $850 million a month—despite also being banned in May and relaunching—adding up to more total market volume than ever. And those two black markets are just two of around 30 that Elliptic tracks, together carrying out tens of billions of dollars in annual transactions.

When WIRED wrote to Telegram in June to point out how these markets had rebuilt their criminal empires in plain sight—in fact, a WIRED reporter had even been present in a Telegram channel where Elliptic shared its findings about Tudou Guarantee’s and Xinbi Guarantee’s rebound with Telegram corporate contacts—the company responded that it had decided not to ban the markets again, arguing that they offered an outlet for Chinese users looking for financial freedom from “capital controls” that “often leave citizens with little choice but to seek alternative avenues for moving funds internationally.” “We assess reports on a case-by-case basis and categorically reject blanket bans—particularly when users are attempting to circumvent oppressive restrictions imposed by authoritarian regimes,” Telegram’s June statement to WIRED continued. “We remain unwavering in our commitment to safeguarding user privacy and defending fundamental freedoms, including the right to financial autonomy.”

But Elliptic and other scam-industry analysts have rejected that argument, pointing out that the vast majority of activity in markets like Tudou Guarantee and Xinbi Guarantee is criminal. Aside from scam-related services, they also sell prostitution—posts on Xinbo include suggestions of sex trafficking of minors in posts advertising “lolita” or “young girl” sex workers. The scam operation customers they service, too, are widely documented to use forced laborers in often brutal, modern slavery compounds.

“They have the ability to shut down a scam economy and the trafficking of human beings. Instead, they’re hosting Craigslist for crypto scammers,” says Erin West, a former Santa Clara County, California, prosecutor who now leads the Operation Shamrock anti-scam organization. “These are bad guys enabling bad-guy business on their bad-guy platform.”

Aside from Telegram, the cryptocurrency Tether also plays a key role in scam markets—the popular “stablecoin” is the preferred tool for all of the markets’ money-laundering transactions. Unlike most crypto, Tether has a centralized structure that would allow the company—also called Tether—that backs that digital currency to seize or freeze funds at will, yet it has rarely interfered with the vast money flows it enables.

Neither Telegram nor Tether responded to WIRED’s requests for comment on their roles in enabling Tudou Guarantee and Xinbi Guarantee’s black market transactions.

Tether and Telegram’s efforts to combat the ballooning scam industry’s use of their tools is comparable to Southeast Asian law enforcement’s minimal, often performative shows of raiding scam compounds, only to allow them to rebuild and resume operation, argues Jacob Sims, a visiting fellow at Harvard’s Asia Center who focuses on transnational crime. “There is impunity on all levels that prevents any meaningful disruption,” says Sims.

Sims argues that only focused and cooperative international government and law enforcement pressure, comparable to the global effort to combat terrorism or drug trafficking, will change that lax approach, including from companies that are facilitating the scam epidemic.

The response to this ballooning scam industry “hasn’t risen to that level of coordination and urgency yet,” Sims says. “And it needs to before we see this thing prioritized at the level that is actually commensurate with the damage it’s causing.”

Chinese Crypto Scammers on Telegram Are Fueling the Biggest Darknet Markets Ever

Spotify has confirmed a massive unauthorised data scrape involving 256 million track records and 86 million audio files. Learn how "Anna’s Archive" bypassed security, and why experts warn against downloading the leaked files.

In a surprising turn for the music world, a pirate activist group known as Anna’s Archive has announced that it successfully copied a huge amount of information from Spotify. The group, calling themselves a team of preservationists, claims to have gathered details on 256 million songs and secured approximately 86 million audio files.

Image credit: Anna’s Archive

As we know it, Spotify is the world’s leading streaming platform; however, this group argues that relying on one company to keep our cultural history safe is risky. Anna’s Archive noted that many preservation efforts focus too much on famous artists or high-quality files that are too big to store easily, while their archive will be a “snapshot” of music as it exists in 2025.

****How the Data Was Taken****

It is worth noting that this was not a traditional “hack” where someone stole passwords or credit card info, but a massive data scrape. The group found a way to use Spotify’s own systems to gather metadata (the digital labels for songs like the artist’s name and album title) and bypass digital locks to get the audio.

The group has organised their findings into a specialised file called “spotify\_clean.sqlite3.” This is like a highly organised digital filing cabinet that maps out the connections between every artist, album, and song on the platform.

Moreover, the group claims they were careful to ensure this was a “lossless” copy, keeping the data exactly as it appears in Spotify’s internal systems so that no details were lost. This structured setup would allow anyone with the right skills to rebuild a searchable music library from scratch.

_“_We backed up Spotify (metadata and music files). It’s distributed in bulk torrents (~300TB), grouped by popularity. This release includes the largest publicly available music metadata database with 256 million tracks and 186 million unique ISRCs,_“_ the group wrote in its blog post.

****The Popularity Filter****

Anna’s Archive team was very strategic and didn’t just grab every song at random. They used Spotify’s own “popularity metric” to decide what to save first:

**The Popular Hits:** About 86 million songs were saved in their original quality. This covers 99.6% of what people actually listen to on the app.

**The Zero Play Tracks:** For songs that nobody listens to, they used a lower audio quality to save space. They explained that while an expert might hear the difference, it sounds the same to most people.

Image credit: Anna’s Archive

****Spotify’s Official Response****

The group, which usually focuses on saving digital copies of books, claims this latest project is a “humble attempt” to protect the world’s music from being lost to time. Spotify clearly disagrees and was quick to respond. A company spokesperson released the following statement:

“Spotify has identified and disabled the nefarious user accounts that engaged in unlawful scraping. We’ve implemented new safeguards… and are actively working with our industry partners to protect creators.”

While the metadata is already online as of December 21, 2025, the actual music files are still being released in stages because they are so large, nearly 300 terabytes in total.

****Expert’s Take: Is Your Account Safe?****

While the idea of a ‘free Spotify’ sounds tempting, experts warn that there are real dangers. Nathan Webb, Principal Consultant at Acumen Cyber, shared with Hackread.com that those who try to download these files through “torrents” (peer-to-peer sharing) are taking a risk, as there is “little validation that you’re actually downloading something legitimate,” because people could easily hide viruses in the files.

“In reality, those who were pirating music always had the means to do so, hence why P2P Torrenting has been chosen to start distributing this data. This dump will just make music files accessible for those who already have the skills to achieve this.” Cyber stated.

Those who do choose to torrent should know it comes at a risk because there is little validation that you’re actually downloading something legitimate; it may be that we see some increase in those claiming to be redistributing these files when in reality they are up to something more nefarious,” he warned.

Pirate Group Anna’s Archive Copies 256M Spotify Songs in Data Scrape

The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of bank account takeover fraud.
The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are

Financial Crime / Law Enforcement

The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of bank account takeover fraud.

The domain in question, web3adspanels\[.\]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia.

"The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing," the DoJ said. "These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities."

The ads served as a conduit to redirect unsuspecting users to fake bank websites operated by the threat actors, who harvested login credentials entered by victims through an unspecified malicious software program built into the sites. The stolen credentials were then used by the criminals to sign into legitimate bank websites to take over victims' accounts and drain their funds.

The scheme is estimated to have claimed 19 victims across the U.S. to date, including two companies in the Northern District of Georgia, leading to attempted losses of approximately $28 million and actual losses of approximately $14.6 million.

The DoJ said the confiscated domain stored the stolen login credentials of thousands of victims, in addition to hosting a backend server to facilitate takeover fraud as recently as last month.

According to information shared by the U.S. Federal Bureau of Investigation (FBI), the Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to bank account takeover fraud since January 2025, with reported losses upwards of $262 million.

Users are advised to exercise caution when sharing about themselves online or on social media; regularly monitor accounts for any financial irregularities; use unique, complex passwords; ensure the correctness of banking website URLs before signing in; and stay vigilant against phishing attacks or suspicious callers.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme

Here’s how a fake clip from 2019 wound up in the latest Justice Department Epstein files dump.

An unlabeled video from the most recent release of Jeffrey Epstein files from the Department of Justice is circulating on social media. While the 12-second video purports to show Epstein’s suicide in his prison cell, the preceding document in the production makes clear that it did not originate from the DOJ itself.

“Came across a purported video of Epstein's suicide (leaked by anonymous source),” the email reads, referencing an attachment and linking to a Google Drive file. “Is this real???”

WIRED spoke with the owner of the phone number listed on the website included in the email’s signature. Ali Kabbaj, who identified himself as an independent journalist, said that he found the video on the dark web and sent it to federal investigators in 2021 for confirmation. He says he never got a reply.

“I’m shocked I’m in these files,” he told WIRED.

The video first surfaced when Drop Site News shared it on X as “a 12 second video from 4:29 am on the day Jeffrey Epstein died.” While this latest round of Epstein files aren’t yet on the DOJ’s website, they had apparently guessed the link by following the URL formatting of previous releases. WIRED identified the email associated with the video by following that same formatting to view the preceding file.

The link to the video file on the DOJ’s website now seems to be broken, but the footage appears to match a video that appeared on YouTube in 2019. The person who uploaded the video describes its contents as “rendering 3D graphics.” DOJ did not return an immediate request for comment on why the link was no longer working, but over the weekend the department removed several other files from its website for additional review and redaction.

In a June 2023 report on Jeffrey Epstein’s time in prison, the DOJ’s Office of the Inspector General concluded that there was no video camera in Epstein’s cell. Indeed, on the night Epstein died, “​​recorded video evidence … for the SHU area where Epstein was housed was only available from one prison security camera due to a malfunction of MCC New York’s Digital Video Recorder system that occurred on July 29, 2019.” New York City’s chief medical examiner ruled Epstein’s death a suicide in August 2019.

Still, conspiracy theories have followed Epstein’s death, fueled in part by the circumstances of what video evidence is available. In July, the DOJ released what it described as “full raw” surveillance footage from the prison camera that was operational. As WIRED first reported, metadata indicated that the footage had instead been modified. Further WIRED analysis revealed that the video was in fact two clips that had been stitched together, cutting out nearly three minutes of footage in the process.

The Epstein Files Transparency Act requires that the DOJ publish all unclassified records in its possession related to the investigation and prosecution of Epstein. So far, the files the DOJ has released include photos of Epstein’s island home and Manhattan townhouse, Epstein associates including Ghislaine Maxwell and former US president Bill Clinton, and various travel records and grand jury materials.

Tag

#git