Medusa Ransomware breached NASCAR, demanded $4 million, leaked sensitive data including maps and staff info, exposing major security failures. The incident was exclusively reported by Hackread.com.

In April 2025, Hackread.com exclusively reported that the Medusa ransomware group had claimed responsibility for breaching the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has now confirmed that its systems were indeed compromised, validating Hackread.com’s earlier reporting.

Medusa Ransomware’s dark web leak site (Credit: Hackread.com)

According to the data breach notification filed with the Office of the Maine Attorney General, the incident occurred on March 31, 2025, and was discovered on June 24, 2025. However, Hackread.com had alerted NASCAR about Medusa’s breach claims on April 8, 2025, but the company neither responded nor acknowledged the inquiry.

While NASCAR did not disclose how many individuals were affected, it confirmed that the stolen data included files containing names and Social Security numbers. However, Hackread.com’s analysis of the sample data leaked by Medusa on its dark web site revealed that the exposure went far beyond just those details.

A preliminary review of the leaked documents indicates they contain detailed maps of raceway grounds, staff email addresses, names and job titles, as well as credential-related information, pointing to a genuine compromise of both operational and logistical data.

Screenshot from the leaked sample data from the Medusa ransomware gang’s dark web leak site (Credit: Hackread.com)  

Nevertheless, NASCAR has notified the affected individuals and is offering one year of credit monitoring and identity theft protection services through Experian.

This also isn’t the first time NASCAR has been linked to a ransomware incident. In July 2016, a prominent NASCAR team suffered a major ransomware attack when its chief’s computer was infected with a TeslaCrypt variant. The attackers encrypted all files on the system and demanded payment in Bitcoin.

****The FBI Had Warned About Medusa Months Before the NASCAR Breach****

Medusa ransomware has been around since 2021, but its operations have escalated in recent years. One of the group’s more high-profile attacks hit Minneapolis Public Schools in 2023, where it dumped sensitive student and staff data after demanding, and not receiving, a $1 million ransom. Over time, Medusa has also gone after hospitals, city governments, and telecom companies, often leaking massive amounts of internal documents when victims refuse to pay.

Just a few months ago, Medusa grabbed attention again by using stolen digital certificates to shut down anti-malware tools on compromised systems. That move, noted in a March 25 report, allowed them to remain hidden and move through networks without detection.

Before that, on March 13 2025, the FBI and CISA released a joint security alert urging organisations to step up proper cybersecurity protection. Their guidance included enabling multi-factor authentication and keeping an eye out for suspicious certificate activity.

“Medusa’s $4 million ransom demand from NASCAR is significant. So far this year, the group has issued an average ransom of just under $300,000, making this demand over 10 times higher,” said Rebecca Moody, Head of Data Research at Comparitech.

“There could be several reasons for that, including NASCAR’s high-profile status or the volume of data stolen. While the full impact of the NASCAR breach is still unclear, Medusa is already behind one of this year’s largest ransomware-related breaches, with Bell Ambulance reporting 114,000 affected.”

NASCAR Confirms Medusa Ransomware Breach After $4M Demand

A cybercriminal managed to insert malicious files leading to info stealers in a pre-release of a game on the Steam platform

A cybercriminal known as EncryptHub (aka Larva-208) has reportedly abused the online game platform Steam to distribute information stealers.

EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is an adventurous survival type of game that puts the player in a world ravaged by a catastrophic natural disaster… which is nothing compared to the real-world disasters that can be caused by information stealers.

Chemia has not been publicly released yet, but was available as an early access on Steam. Steam offers Early Access to certain games primarily as a development model that allows players to purchase and play games while they are still in progress, rather than waiting for a full official release. It helps developers to receive direct, ongoing feedback from the community which they can use to find bugs, balance gameplay, and improve features.

According to security researchers at the Proactive Defense Against Future Threats (PRODAFT), the initial compromise took place on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application.

The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.

Vidar is a Malware-as-a-Service information stealer which uses public networks such as social media, communication platforms—and Steam—as parts of its Command & Control infrastructure.

HijackLoader is a malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.

The Fickle stealer is a relatively new information stealer which uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.

As we explained many times before, information stealers can turn your life upside down. Depending on what is stored on the infected device the consequences can range from financial damage to identity theft.

In another case of abuse of the Steam platform, we saw a cybercriminal use a sniper video game to distribute malware to unsuspecting gamers. But that criminal didn’t circulate the malicious demo on Steam directly. Instead, the game’s Steam page featured a link to the developer’s external website promoting a demo that turned out to be malware.

A month before that, a game called PirateFi was released on Steam, but turned out to be circulating malware amongst gamers.

With Steam’s huge userbase (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to get hold of valuable digital assets, direct financial information, and personal information.

**How to stay safe**

Some tips to help gamers stay clear of downloading malicious software:

*   Do not act on direct messages and other unsolicited ways to try out some game. Random people asking you to download something should be treated as suspicious.
*   Verify invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. This is because their current account may have been compromised.
*   Make sure to run an up-to-date and active anti-malware solution on your computer.

_Malwarebytes blocking the domain hosting the Powershell script_

If you have tried the Chemia game, run a full system anti-malware scan.

**Indicators of compromise**

**Domains:**

soft-gets\[.\]com

reaitek\[.\]com

safesurf.fastdomain-uoemathhvq.workers\[.\]dev

**Fickle downloader hash:**  
ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b

**Fickle Stealer hash:**

6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825

**Vidar Stealer has:**

2cd8c0e75cf76381f06dfe465a542e52eefa713b0bea2557763e0c0c45b21481

**HijackLoader hashes:**

9a733b2de84e2bf466287abd034b04b18c8c269535606e8f6403eee2a3b288c4

12935315254175719cbbaad0b213204ddebd4100ffc551d54f8cf39ced1be227

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Steam games abused to deliver malware once again 

**Path-Traversal -> Arbitrary File Write in Assemblyline Service Client**

---

## 1. Summary  
The Assemblyline 4 **service client** (`task_handler.py`) accepts a SHA-256 value returned by the service **server** and uses it directly as a local file name.  
> No validation / sanitisation is performed.

A **malicious or compromised server** (or any MITM that can speak to client) can return a path-traversal payload such as  
`../../../etc/cron.d/evil`  
and force the client to write the downloaded bytes to an arbitrary location on disk.

---

## 2. Affected Versions  
| Item | Value |
|---|---|
| **Component** | `assemblyline-service-client` |
| **Repository** | [CybercentreCanada/assemblyline-service-client](https://github.com/CybercentreCanada/assemblyline-service-client) |
| **Affected** | **All releases up to master branch.**  |

---

## 4. Technical Details

| Field | Content |
|---|---|
| **Location** | `assemblyline_service_client/task_handler.py`, inside `download_file()` |
| **Vulnerable Line** | `file_path = os.path.join(self.tasking_dir, sha256)` |
| **Root Cause** | The `sha256` string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |
| **Exploit Flow** | 1. Attacker (service server) returns HTTP 200 for `GET /api/v1/file/../../../etc/cron.d/evil`.<br>2. Client writes the response body to `/etc/cron.d/evil`.<br>3. Achieves arbitrary file write (code execution if file is executable). |

---

## 5. Impact  
- **Integrity** – Overwrite any file writable by the service UID (often root).  
- **Availability** – Corrupt critical files or exhaust disk space.  
- **Code Execution** – Drop cron jobs, systemd units, or overwrite binaries.

---

## 6. Mitigation / Fix

```python
import re

_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')

def download_file(self, sha256: str, sid: str) -> Optional[str]:
    if not _SHA256_RE.fullmatch(sha256):
        self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
        self.status = STATUSES.ERROR_FOUND
        return None
    # or your preferred way to check if a string is a shasum.
```
---

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-75jv-vfxf-3865

**Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code**

**Package**

pip assemblyline-service-client (pip)

**Affected versions**

< 4.6.0.stable11

\>= 4.6.1.dev0, < 4.6.1.dev138

**Patched versions**

4.6.0.stable11

4.6.1.dev138

**Path-Traversal -> Arbitrary File Write in Assemblyline Service Client**

**1\. Summary**

The Assemblyline 4 **service client** (task_handler.py) accepts a SHA-256 value returned by the service **server** and uses it directly as a local file name.

> No validation / sanitisation is performed.

A **malicious or compromised server** (or any MITM that can speak to client) can return a path-traversal payload such as  
../../../etc/cron.d/evil  
and force the client to write the downloaded bytes to an arbitrary location on disk.

**2\. Affected Versions**

Item

Value

**Component**

assemblyline-service-client

**Repository**

CybercentreCanada/assemblyline-service-client

**Affected**

**All releases up to master branch.**

**4\. Technical Details**

Field

Content

**Location**

assemblyline_service_client/task_handler.py, inside download_file()

**Vulnerable Line**

file_path = os.path.join(self.tasking_dir, sha256)

**Root Cause**

The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation.

**Exploit Flow**

1\. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.  
2\. Client writes the response body to /etc/cron.d/evil.  
3\. Achieves arbitrary file write (code execution if file is executable).

**5\. Impact**

*   **Integrity** – Overwrite any file writable by the service UID (often root).
*   **Availability** – Corrupt critical files or exhaust disk space.
*   **Code Execution** – Drop cron jobs, systemd units, or overwrite binaries.

**6\. Mitigation / Fix**

import re

\_SHA256\_RE \= re.compile(r'^\[0-9a-fA-F\]{64}\\Z')

def download\_file(self, sha256: str, sid: str) \-> Optional\[str\]:
    if not \_SHA256\_RE.fullmatch(sha256):
        self.log.error(f"\[{sid}\] Invalid SHA256: {sha256}")
        self.status \= STATUSES.ERROR\_FOUND
        return None
    \# or your preferred way to check if a string is a shasum.

**References**

*   GHSA-75jv-vfxf-3865
*   CybercentreCanada/assemblyline-service-client@351414e

Published to the GitHub Advisory Database

Jul 25, 2025

Last updated

Jul 25, 2025

GHSA-75jv-vfxf-3865: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code 

A hacker injected a malicious prompt into Amazon Q via GitHub, aiming to delete user files and wipe AWS data, exposing a major security flaw.

A security vulnerability recently surfaced involving Amazon’s AI coding assistant, ‘Q’, integrated with VS Code. The incident, reported by 404 Media, revealed a lapse in Amazon’s security protocols, allowing a hacker to insert malicious commands into a publicly released update.

The hacker, using a temporary GitHub account, managed to submit a pull request that granted them administrative access. Within this unauthorised update, destructive instructions were embedded, directing the AI assistant to potentially delete user files and wipe clean Amazon Web Services (AWS) environments.

Despite the severe nature of these commands, which were also intended to log the actions in a file named /tmp/CLEANER.LOG, Amazon reportedly merged and released the compromised version without detection.

The company later removed the flawed update from its records without any public announcement, raising questions about transparency. Corey Quinn, Chief Cloud Economist at The Duckbill Group, expressed scepticism regarding Amazon’s “security is our top priority” statement in light of this event.

“If this is what it looks like when security is the top priority, I can’t wait to see what happens when it’s ranked second,” Quinn wrote in his post on LinkedIn.

****The Mechanism of the Attack****

The core of the issue lies in how the hacker manipulated an open-source pull request. By doing so, they managed to inject commands into Amazon’s Q coding assistant. While these instructions were unlikely to auto-execute without direct user interaction, the incident critically exposed how AI agents can become silent carriers for system-level attacks.

It highlighted a gap in the verification process for code integrated into production systems, especially for AI-driven tools. The malicious code aimed to exploit the AI’s capabilities to perform destructive actions on a user’s system and cloud resources.

> Yesterday’s incident with Amazon Q was a wake-up call about how AI agents can be attacked.
> 
> PromptKit is trying to solve similar problems and help prevent them from happening again.
> 
> read full post👇https://t.co/atOWfilWFq
> 
> — Mr. Ånand (Studio1HQ) (@Astrodevil\_) July 24, 2025

****A New Solution Emerges****

In response to such vulnerabilities, Jozu has released a new tool called “PromptKit.” This system, accessible via a single command, offers a local reverse proxy to record OpenAI-compatible traffic and provides a command-line interface (CLI) and text-based user interface (TUI) for exploring, tagging, comparing, and publishing prompts.

Jozu announced on X.com that PromptKit is a local-first, open-source tool aiming to provide auditable and production-safe prompt management, addressing a systemic risk as reliance on generative AI grows.

> Today, we’re releasing a first version of Jozu PromptKit
> 
> → a local-first tool for capturing, reviewing, and managing LLM prompt interactions.
> 
> It ensures policy-controlled workflows for verified, auditable prompt artifacts in production
> 
> Free to try and open source. pic.twitter.com/0Up4mc1Vy9
> 
> — Jozu (@Jozu\_AI) July 24, 2025

Görkem Ercan, CTO of Jozu, told Hackread.com that PromptKit is designed to bridge the gap between prompt experimentation and deployment. It establishes a policy-controlled workflow, ensuring that only verified and audited prompt artefacts, unlike the raw, unverified text that impacted AWS, reach production.

Ercan further emphasised that this tool would have replaced the failed human verification process with a strict, policy- and signing-based workflow, effectively catching the malicious intent before it went live.

Hacker Added Prompt to Amazon Q to Erase Files and Cloud Data

Phishers are using legitimate looking Instagram emails in order to scam users.

A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites.

The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:

> “Hi {name}  
> Someone tried to log in to your Instagram account.  
> If this was you, please use the following code to confirm your identity:  
> 231342  
> If this wasn’t you, please \[Report this user\] to secure your account.”  

Instead of linking to a phishing website, which is most common with emails like this, both the “Report this user” and “Remove your email address” links are mailto: links. Clicking on a mailto: link opens your default email program with a pre-addressed message with the subject line “Report this user to secure your account” or “Remove your email address from this account” for the second link.

The email addresses in these links all had unsuspicious looking domains, made to look similar to legitimate ones. We call this technique of registering domain names “typosquatting.”

In the case we researched the email addresses were:

*   prestige@vacasa[.]uk.com (typosquat of vacasa.com vacation rentals)
*   ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk hardware provider)
*   technique@pdftools[.]com.de (typosquat of pdf-tools.com software provider)
*   service@boss[.]eu.com (several possibilities)
*   threaten@famy[.]in.net (science news site, possibly compromised)
*   difficulty@blackdiamond[.]com.se (known malicious domain)
*   anticipation@salomonshoes[.]us.com (typosquat of salomon.com running shoes)

We sent an email to these addresses from a dummy account to see what happened. Unfortunately, most of them were dead in the water when our email reached them. However, we did find that a lot of the servers were hosted at the same IP address.

Research of the IP address showed that there were many more domains set up, likely with the same objective in mind.

**Why mailto: links?**

Many email filters look for links to malicious domains and new ones get added fairly quickly, so the domains and emails are only useful for one day (on average). Using mailto: links can therefore help attackers avoid automated flagging or URL reputation checks.

It also saves the cybercriminals work. They don’t need to set up a fake website, which in this case would be an Instagram clone, or all the back end infrastructure needed to harvest the credentials. All they need to do now is watch the email inbox and wait for victims.

Receiving an email validates that the email address the phishing mail was sent to is active and someone is using it. That opens the victim up for further attempts. By engaging in a conversation, attackers can directly request sensitive information in a less obvious way than with a phishing form, often through continued correspondence.

Victims may feel safer replying to an email than clicking on a suspicious link. The fear of instant repercussions is smaller when you’re sending an email than for visiting an unknown website.

In March, 2025, security awareness provider Phishing Tackle reported about a phishing campaign targeting Meta users, which aimed to steal access to Instagram business accounts. The scam used step-by-step instructions and fake chat support to trick users.

In that case, the scammers threatened users with a suspension of the account due to advertising violations, but it showed once more that influential Instagram accounts are an attractive target for phishers. They can use compromised accounts for other campaigns or sell the harvested credentials to other cybercriminals.

But even if you’re not a business or bedecked with followers, if someone compromises your Instagram account they can lock you out and then demand money to give you back the account. Sadly, many people feel forced to pay because they don’t want to lose years of photos and their associated memories.

**How to avoid Instagram phishing**

Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.

*   As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn’t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Instagram or Meta.
*   Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
*   If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
*   Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
*   Do an online search about the email you received, in case others are posting about similar scams.
*   Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam or give you tips how you can find out if it isn’t sure.

 Watch out: Instagram users targeted in novel phishing campaign 

Chennai, India, 25th July 2025, CyberNewsWire

**Chennai, India, July 25th, 2025, CyberNewsWire**

xonPlus, a real-time digital risk alerting system, officially launches today to help security teams detect credential exposures before attackers exploit them. The platform detects data breaches and alerts teams and systems to respond instantly.

Built by the team behind XposedOrNot, an open-source breach detection tool used by thousands, xonPlus gives organizations instant visibility when their email addresses or domains appear in breach dumps or dark web forums.

Every day, credentials are exposed in data breaches, often without the affected organizations being immediately aware. In many cases, security teams are first alerted to incidents through ransom demands, threat intelligence reports, or internal support tickets. xonPlus addresses this challenge by providing real-time monitoring of enterprise assets, delivering alerts within minutes of confirmed credential exposure.

> “We kept hearing the same thing: teams had good security stacks, but still found out about exposed credentials too late,” said Devanand Premkumar, Founder of xonPlus.

One compromised login is enough to pivot inside a network. xonPlus gives teams the early warning signal they’ve been missing.

**Built on Proven Foundation**

xonPlus leverages the intelligence infrastructure of XposedOrNot, which has tracked 10+ billions of breach records over the last 8 years and serves millions of queries globally. The platform runs on secure infrastructure powered by Cloudflare and Google Cloud, ensuring enterprise-grade reliability and performance for security-critical operations.

**Key Capabilities**

*   **Real-Time Detection**: Getting alerts within minutes when company credentials appear in a breach, including breach source, exposure date, and recommended next steps.
*   **Seamless Integration**: Works with existing security infrastructure, including SIEM, Slack, Microsoft Teams, and email systems.
*   **Developer-First API**: High-throughput API with rate limits, auth tokens, and audit logs for embedding breach intelligence into security workflows.
*   **Enterprise Scale**: Monitoring unlimited domains and millions of email addresses with customizable alert thresholds.

**Addressing Market Need**

Unlike large threat intel platforms requiring long contracts and complex setups, xonPlus offers transparent monthly pricing with 5x to 10x cost efficiency compared to traditional costly solutions. It complements existing security stacks by focusing purely on breach exposure detection.

The platform serves three primary use cases: 

*   **xonEnterprise** for domain-wide monitoring, 
*   **xonConsumer** for customer breach alerts, and 
*   **xonAPI** for developers building security tools.

**Target Market**

**xonPlus** is designed for security teams needing earlier breach visibility, startups and SMBs without full SOC coverage, developers integrating breach detection capabilities, and risk teams focused on account takeover prevention and minimizing ransomware infections.

Teams using xonPlus have cut detection time from weeks to minutes, enabling them to lock compromised accounts before attackers gain access.

**Availability**

xonPlus is immediately available as a SaaS platform with monthly subscription plans.

**Users can learn more**: https://plus.xposedornot.com/

**Users can launch the story**: https://blog.xposedornot.com/xonplus-launch/

**About xonPlus**

xonPlus is built by the team behind XposedOrNot, the open-source breach detection platform that has helped millions of users check their exposure to data breaches. Based in Chennai, India, the company focuses on making breach intelligence accessible to security teams of all sizes.

**Contact**

**Founder**  
**Devanand Premkumar**  
**\[email protected\]**

xonPlus Launches Real-Time Breach Alerting Platform for Enterprise Credential Exposure

Starting today, UK adults will have to prove their age to access porn online. Experts warn that a global wave of age-check laws threatens to chill speech and ultimately harm children and adults alike.

Beginning today, millions of adults trying to access pornography in the United Kingdom will be required to prove that they are over the age of 18. Under sweeping new online child safety laws coming into force, self-reporting checkboxes that allow anyone to claim adulthood on porn websites will be replaced by age-estimating face scans, ID document uploads, credit card checks, and more. Some of the biggest porn websites—including Pornhub and YouPorn—have said that they will comply with the new rules. And social media sites like BlueSky, Reddit, Discord, Grindr, and X are introducing UK age checks to block children from seeing harmful content.

Ultimately, though, it's not just Brits who will see such changes. Around the world, a new wave of child protection laws are forcing a profound shift that could normalize rigorous age checks broadly across the web. Some of the measures are designed to specifically block minors from accessing adult material, while others are meant to stop children from using social media platforms or accessing harmful content. In the UK, age checks are now required by websites and apps that host porn, self-harm, suicide, and eating disorder content.

Protecting children online is a consequential and urgent issue, but privacy and human rights advocates have long warned that, while they may be well-intentioned, age checks introduce a range of speech and surveillance issues that could ultimately snowball online.

“Age verification impedes people’s ability to anonymously access information online,” says Riana Pfefferkorn, a policy researcher at Stanford University. “That includes information that adults have every right to access but might not want anyone else knowing they’re consuming—such as pornography—as well as information that kids want to access but that for political reasons gets deemed inappropriate for them, such as accurate information about sex, reproductive health information, and LGBTQ content.”

Efforts that have been mounting over the past decade to introduce strong age checks online have recently gained traction. Last month, the United States Supreme Court paved the way for states to require porn websites to check that visitors are at least 18 using age-verification technologies. Pornhub, for example, has already blocked access to visitors in at least 20 states as laws have been passed. Meanwhile, courts in France ruled last week that porn sites can check users' ages. Ireland implemented age checking laws for video websites this week. The European Commission is testing an age-verification app. And in December, Australia’s strict social media ban for children under 16 will take effect, introducing checks for social media and people logged in to search engines.

“If people choose not to log on \[to search engines\] to avoid age assurance checks, this could have a wide-reaching impact on the streamlined, integrated ways people search for online information,” says Lisa Given, a professor of information sciences at RMIT University in Australia who has been closely following the country’s age-checking policies. “It will also affect the level of privacy people have come to expect from being able to search freely online, which may change how and where they search for information.”

****Coming of Age****

Though the recent wave of court decisions and legislation around age verification is new, multiple online platforms and services have required some form of age checking for years. The British age-verification company Yoti, which works on multiple digital identity technologies including face scanning to estimate ages, says it has done more than 850 million age checks and completes more than 1 million per day. “Brands around the world in different sectors are using this technology, including social media, gaming, adult, dating, retail, and vaping,” a Yoti spokesperson told WIRED in an email.

Age-verification mechanisms come in multiple forms. The UK’s Online Safety Act, which is being overseen by communications regulator Ofcom, lists seven “highly effective” approaches that websites can use. Typically websites will employ third-party companies from the growing age-assurance industry rather than checking ages directly themselves.

Standard age verification is done by uploading a form of government identification and a selfie, using a digital identity service, or submitting credit records or other financial documentation. There are also age estimation services. For example, “email-based” age estimation, according to the UK’s Ofcom, will analyze data on where your email address has been used and for how long as part of a calculation of how old you are. Age estimation services that try to predict someone’s age from a selfie or a video are also increasingly common. Their performance varies, though, depending on how accurate the underlying algorithms are. Many systems offer accuracy of “plus or minus 18 months.” Some physical stores in France that sell tobacco already use facial estimation systems as well.

There are potential privacy and security risks that come with all the approaches, though, such as excessive data gathering, government surveillance, and the threat of data breaches. And opponents of age verification argue that the technologies are not reliable and can be circumvented. Last year, for example, an Israeli ID-verification company exposed driver's licenses and other sensitive data because of a technical oversight. A study commissioned by Green politicians in Europe last year concluded that, while there were some “promising” privacy-preserving methods for age checks, there is ultimately “misalignment between the urgency with which governments are pushing for age assurance and the time needed to develop robust, safe, and trustworthy age assurance technology.” Preliminary results released in June from a study in Australia found multiple problems with age-checking systems.

“The question isn't whether there will be a data breach connected to age verification, it's when,” says Alison Boden, executive director of Free Speech Coalition, a US-based adult entertainment industry trade association. “So, people circumvent the laws. In the best case, they use VPNs to protect their identities. And in the worst case, they turn to websites that flout the law, and then risk being exposed to illegal content like child sexual abuse material and nonconsensual intimate imagery. And this is all in service of policies that have clearly been shown to be ineffective.”

In general, many porn sites and other adult content platforms say that they are in favor of age checks but don’t agree with current approaches.

Proponents of age verification say that it is possible to minimize data collection. Third-party providers can limit the personal information that is shared with individual sites conducting age verification. And, particularly, these third parties can use what are known as authentication tokens, so people can confirm their age once and then produce this credential across multiple sites and providers as verification.

“Our members do over a billion anonymized age checks a year, so our best argument is our track record—and we know that will just continue to improve because of the strict application of data minimization principles,” says Iain Corby, the executive director of the industry group Age Verification Providers Association. “There is no need to retain any personal data after an age check is completed, and if you don’t keep data, it can’t be lost or stolen.”

****Aging Out****

The practical realities of widespread age verification are messy, though. For one thing, sites and services may not comply with regulations. Ofcom, the UK regulator, says that it may issue fines to websites that do not put age checks in place. It already has 11 investigations open. Additionally, not all people have the proper ID or other documents to prove their age when signing up for sites.

“No solution to this is perfect,” says Rachel Coldicutt, the executive director of Careful Industries and a former Ofcom nonexecutive director. “Age verification assumes that all services and platforms that host harmful content are good and lawful actors and that devices don’t get shared. In lots of families, someone aged under 16 or 18 would easily be able to log in to a device that belongs to one of their parents, so unless age verification is required on every login to a site or app it would be quite easy to get access to age-restricted content by using an adult’s device.”

In general, too, many experts note that age verification is broadly unpopular. People feel uncomfortable scanning their face or handing over personal details to view content or participate in online discourse, especially when they are trying to use a service or view content that is intimate or otherwise personal in nature. As a result, age verification can have a chilling effect on speech and the free flow of information online.

And since people can use circumvention tools like VPNs to skirt national laws, there are limits to how effective these policies can be in isolation, which has the potential to tip off a sort of validation and surveillance arms race. There is often a spike in VPN interest when a country introduces new age-check laws.

“A critical point is that while these measures are intended to keep children safe from harmful content, my concern is that these measures will give parents and other members of the public a false sense of security,” says Given, the Australian academic. She adds that there should be greater government investment in education for young people, parents, and teachers about potential online harms, plus more support for people who use social media to access critical information.

As Stanford’s Pfefferkorn puts it, “Ultimately, age verification tech actually poses a risk to the kids it is supposed to protect. It chills their ability to access information, and it can put them at risk of privacy violations, identity theft, and other security issues.”

The Age-Checked Internet Has Arrived

New Scavenger Trojan steals crypto wallet data using fake game mods and browser flaws, targeting MetaMask, Exodus, Bitwarden, and other popular apps.

The latest report from Doctor Web has detailed a malware campaign involving a new family of trojans called Trojan.Scavenger (Scavenger Trojan). These aren’t your typical malicious files that simply run in the background and steal data; they’re carefully structured to abuse a vulnerability in how Windows loads certain components. The attackers used this to infect targeted systems and extract sensitive information, especially from crypto wallets and password managers.

It all started when Doctor Web looked into a targeted attack on a Russian enterprise. During the investigation, their team noticed the attackers were taking advantage of DLL Search Order Hijacking.

This method lets malicious files get into software by faking to be legitimate components. The trick is placing a fake DLL in the same folder as the target application, giving it priority over the real system version. Once launched, the fake file runs as if it were part of the original app, giving it access to everything the app can reach.

According to Doctor Web’s report, after adding protection against this technique to their antivirus suite, the company began collecting telemetry data. That’s when they noticed some users were being served unknown malicious files through their browsers.

This led the researchers to the discovery of the Trojan.Scavenger campaign. It later became clear that attackers were distributing this malware in multiple stages and using various bait methods like game patches and cheats to lure victims into running it.

One infection route used a three-stage loader chain. The first component, Trojan.Scavenger1, was disguised as a performance patch for the game Oblivion Remastered. Victims were instructed to drop the fake DLL into the game’s folder.

The file name was deliberately chosen to match a legitimate Windows DLL so it would get loaded instead of the real one. But in this specific game version, the exploit failed because the developers had properly configured the loading process. Still, the same trick could succeed in other programs.

Researchers further noted that when the Trojan does manage to run, it downloads the next stage, Trojan.Scavenger.2, which then pulls in additional modules, Trojan.Scavenger.3 and Trojan.Scavenger.4. One of these, Trojan.Scavenger.3, pretends to be a system library and gets placed into the folder of Chromium-based browsers like Chrome, Edge, Opera, and Yandex. Because of the loading flaw, the browser ends up running the malicious file instead of the real system version.

This version of the Trojan tampers with the browser’s internal security features. It disables the sandbox and blocks the check that verifies browser extensions. Then it edits copies of popular extensions, including the following:

*   Slush
*   Phantom
*   LastPass
*   MetaMask
*   Bitwarden

The originals remain untouched, but the browser is tricked into using the tampered versions. These altered versions are designed to silently send data, such as mnemonic phrases and stored passwords, to the attacker’s server.

Meanwhile, Trojan.Scavenger.4 similarly targets the Exodus crypto wallet. It gets loaded when the app starts, using the same DLL hijacking method. Once inside, it taps into the app’s engine to scan for key data like the mnemonic phrase and the file storing the private key. That information is then sent to the attacker.

In another version of the campaign, the attackers skip the first trojan and start directly with a modified Trojan.Scavenger.2. This one uses a file with an .ASI extension, often associated with game mods or plugins. For example, users might be told to install a file called “Enhanced Native Trainer.asi” into their GTA game folder. The game recognises it as a plugin and runs it automatically, allowing the infection chain to continue from there.

Across all versions of this malware, the trojans share some key behaviour patterns. They check if they’re being launched inside a virtual machine or debug environment and will stop working if they detect one. This is a common method used to avoid detection during security research.

Another shared feature is how they communicate with their control server. They use a two-step handshake to set up an encrypted channel, first asking for part of the encryption key, then verifying the connection by sending encrypted timestamps. Any requests sent without this setup are ignored by the server.

Doctor Web reached out to the software developers whose apps were vulnerable, but most of them declined to fix the DLL hijacking flaw. Therefore, users must exercise caution and avoid downloading apps from third-party stores, refrain from using pirated games and keep their anti-virus software updated.

Scavenger Trojan Targets Crypto Wallets via Game Mods and Browser Flaws

KrebsOnSecurity recently heard from a reader whose boss's email account got phished and was used to trick one of the company's customers into sending a large payment to scammers. An investigation into the attacker's infrastructure points to a long-running Nigerian cybercrime group that is actively targeting established companies in the transportation and aviation industries.

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

Image: Shutterstock, Mr. Teerapon Tiuekhom.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email addresses in the registration records for the imposter domain — **roomservice801@gmail.com** — is tied to many such phishing domains. Indeed, a search on this email address at **DomainTools.com** finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware\[.\]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

**JUSTY JOHN**

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for **alhhomaidhicentre\[.\]biz** reference the technical contact of “**Justy John**” and the email address **justyjohn50@yahoo.com**.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain **axisupdate\[.\]net** — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate\[.\]com, acctlogin\[.\]biz, and loginaccount\[.\]biz, all of which at one point included the email address **rsmith60646@gmail.com**.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala\[.\]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address **michsmith59@gmail.com**.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain **seltrock\[.\]com**, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address **sebastinekelly69@gmail.com**, including **26i3\[.\]net**, **costamere\[.\]com**, **danagruop\[.\]us**, and **dividrilling\[.\]com**. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by **Palo Alto Networks**‘ **Unit 42** research team.

**SILVERTERRIER**

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “**SilverTerrier**” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “**business e-mail compromise**” or **BEC** scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by **Interpol**. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s **Internet Crime Complaint Center** (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with _nearly $2.8 billion in claimed losses_. In its 2025 Fraud and Control Survey Report, the **Association for Financial Professionals** found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

**FINANCIAL FRAUD KILL CHAIN**

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “**financial fraud kill chain**” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

Image: ic3.gov.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.

Phishers Target Aviation Execs to Scam Customers

Staff augmentation is a strategy for smart tech teams looking to launch something big. Trying to plug skill gaps or scale without the overhead? Collaborate with a trusted IT staff augmentation company.

The demand for skilled tech professionals shows no signs of slowing down in 2025. You may be running a startup with a tight runway or a large enterprise juggling multiple projects. It doesn’t matter. Getting the right tech talent is critical. IT staff augmentation comes to the rescue. It allows companies to scale their teams fast, fill skills gaps, and stay agile without the lengthy process of hiring full-time employees. It is like having a remote bench of seasoned developers, designers, and engineers.

The number of vendors is so huge. Then, who can you trust? Shall we go deeper and share with you the best IT staff augmentation firms in the USA as per their reputation, customer feedback, and tech capabilities? They have frontend rockstars, backend magicians, or full-stack geniuses; whichever talent you require, these companies can provide that.

****Innowise****

*   Founded: 2007
*   Headquarters: St. Petersburg, Florida
*   Team Size: 2500+ professionals globally

If you are looking for a reliable, fast-moving IT staff augmentation partner with deep expertise across technologies, Innowise is one of the top names to mention. They have been quietly building a reputation for delivering skilled developers and engineers. Whether you need to scale your JavaScript team, boost your .NET capacity, or bring in niche AI/ML talent, Innowise has experts ready to go.

Why companies love Innowise:

*   Global reach, local presence – The company is based in Europe. However, their US headquarters makes it easy for American clients to collaborate.
*   Top 3% talent – Every developer is rigorously tested and trained before joining client projects.
*   Industry versatility – They understand any domain, from healthcare and fintech to eCommerce and logistics.
*   Flexibility – You can scale up or down in days.

Innowise strikes a balance between cost-efficiency and premium quality. This makes them a top pick for US-based companies.

****Toptal****

*   Founded: 2010
*   Headquarters: San Francisco, CA
*   Known For: Exclusive network of top freelancers

Toptal has become synonymous with top-tier freelance talent. Their IT staff augmentation offering provides businesses with access to developers, designers, finance experts, and project managers. Toptal claims to only accept the top 3% of applicants. This means that you are getting highly skilled, pre-vetted professionals.

Why choose Toptal:

*   Impressive talent quality
*   Speedy onboarding (within 48 hours)
*   Great for urgent, high-stakes projects

Keep in mind that Toptal is on the pricier end. It is a better option for companies with bigger budgets, a need for hyper-specific skill sets, and the requirement to fix security vulnerabilities.

****Andela****

*   Founded: 2014
*   Headquarters: New York, NY
*   Strength: Diverse talent across Africa, Latin America, and beyond

Andela originally focused on African developers but has since expanded its global reach. Their staff augmentation model works particularly well for long-term projects. They have worked with bigger companies. GitHub, ViacomCBS, and Cloudflare are some of their most prominent customers.

Highlights:

*   Diversity-driven teams
*   Time zone alignment with US clients
*   Excellent onboarding process and cultural training

If you are looking for smart, cost-effective talent with strong communication skills, Andela is a solid pick.

****Cognizant Softvision****

*   Headquarters: Austin, TX
*   Parent Company: Cognizant
*   Strength: Deep enterprise integration

For mid-to-large enterprises that need to scale fast with minimal risk, Cognizant Softvision offers tech squads that integrate seamlessly with your internal teams. They are especially good for digital transformation projects, mobile app development, and cloud-native solutions.

What stands out:

*   Global delivery centers
*   Enterprise-ready engineers
*   Great for complex systems

If your company is on the Fortune 500 list or heading there, this one is worth considering.

****BairesDev****

*   Headquarters: San Francisco, CA
*   Talent Base: Latin America
*   Strength: Nearshore IT staff augmentation

BairesDev is one of the fastest-growing tech staffing providers in the US. They pull top developers from Latin America. This means shared time zones, strong cultural fit, and faster feedback loops. They’ve worked with big brands, from Google and Rolls-Royce to Pinterest.

Pros:

*   Flexible hiring models
*   Fluent English-speaking professionals
*   Cost-effective compared to US-based devs

They are an especially great fit if you are looking to scale fast without compromising quality or communication.

****EPAM Systems****

*   Founded: 1993
*   Headquarters: Newtown, PA
*   Strength: Deep technical know-how and enterprise scale

EPAM is a global giant in software engineering and digital product development. Their staff augmentation services are tailored to large-scale, complex projects, especially in regulated industries. So if you are working in healthcare, banking, and insurance, EPAM is a company that you can fully trust.

What makes EPAM stand out:

*   Massive global talent pool
*   Domain-specific expertise
*   Ideal for long-term engagements

If you are building something big and need a partner who can go the distance, EPAM delivers.

****N-iX****

*   Founded: 2002
*   Headquarters: Lviv, Ukraine (with US offices)
*   Team Size: 2000+
*   Strength: Mid-size businesses and tech startups

N-iX has a strong reputation for providing dedicated development teams and IT staff augmentation for US clients. Their talent comes primarily from Eastern Europe. You can get engineers, QA, UX/UI, and PM specialists from them.

Why clients like N-iX:

*   Transparent pricing
*   Agile-friendly teams
*   High retention rates

They are a good choice for startups and SMBs needing extra engineering muscle without burning through the runway.

****Scalable Path****

*   Headquarters: San Francisco, CA
*   Model: Freelance and team augmentation hybrid

Scalable Path offers strong tech teams through a hands-on matching process. Instead of just picking from a list, they help you design your ideal team and hand-select talent to meet those needs.

What’s nice:

*   High-touch matching process
*   Developers across many time zones
*   Great for growing digital products

The company is perfect if you are scaling a SaaS or building out your MVP and want quality over quantity.

Staff augmentation is no longer a trend. It is a core strategy for smart tech teams looking to launch something big. Whether you are trying to plug skill gaps, speed up delivery, or scale without the overhead of hiring full-time, working with a trusted IT staff augmentation company can make all the difference. So go ahead and pick a provider from the list.

(Top, Featured Photo by Christina @ wocintechchat.com on Unsplash)

Tag

#git