Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023.
The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding payment activity slumped after July 2024 by about 3.94%.
"The number of ransomware events increased into H2, but on-chain payments declined,

Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC).
The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document.

North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

A young technologist known online as “Big Balls,” who works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems. But his professional and online history call into question whether he would pass the background check typically required to obtain security clearances, security experts tell WIRED.

Edward Coristine, a 19-year-old high school graduate, established at least five different companies in the last four years, with entities registered in Connecticut, Delaware, and the United Kingdom, most of which were not listed on his now-deleted LinkedIn profile. Coristine also briefly worked in 2022 at Path Network, a network monitoring firm known for hiring reformed blackhat hackers. Someone using a Telegram handle tied to Coristine also solicited a cyberattack-for-hire service later that year.

Coristine did not respond to multiple requests for comment.

One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old. Coristine is listed as the founder and CEO of the company, according to business records reviewed by WIRED.

Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.

"Foreign connections, whether it's foreign contacts with friends or domain names registered in foreign countries, would be flagged by any agency during the security investigation process," Joseph Shelzi, a former US Army intelligence officer who held security clearance for a decade and managed the security clearance of other units under his command, tells WIRED.

A longtime former US intelligence analyst, who requested anonymity to speak on sensitive topics, agrees. “There's little chance that he could have passed a background check for privileged access to government systems,” they allege.

Another domain under Coristine’s control is faster.pw. The website is currently inactive, but an archived version from October 25, 2022 shows content in Chinese that stated the service helped provide “multiple encrypted cross-border networks.”

Prior to joining DOGE, Coristine worked for several months of 2024 at Elon Musk’s Neuralink brain implant startup, and, as WIRED previously reported, is now listed in Office of Personnel Management records as an “expert” at that agency, which oversees personnel matters for the federal government. Employees of the General Services Administration say he also joined calls where they were made to justify their jobs and to review code they’ve written.

Other elements of Coristine’s personal record reviewed by WIRED, government security experts say, would also raise questions about obtaining security clearances necessary to access privileged government data. These same experts further wonder about the vetting process for DOGE staff—and, given Coristine’s history, whether he underwent any such background check.

The White House did not immediately respond to questions about what level of clearance, if any, Corisitine has and, if so, how it was granted.

At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.

“If I was doing the background investigation on him, I would probably have recommended against hiring him for the work he’s doing,” says EJ Hilbert, a former FBI agent who also briefly served as the CEO of Path Network prior to Coristine’s employment there. “I’m not opposed to the idea of cleaning up the government. But I am questioning the people that are doing it.”

**Got a tip?**

_Are you a current or former US government employee? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at Andy.01 (Andy Greenberg), DavidGilbert.01 (David Gilbert), or +1 (347) 722-1347 (Lily Hay Newman)._

Potential concerns about Coristine extend beyond his work history. Archived Telegram messages shared with WIRED show that, in November 2022, a person using the handle “JoeyCrafter” posted to a Telegram channel focused on so-called distributed denial of service (DDoS) cyberattacks that bombard victim sites with junk traffic to knock them offline. In his messages, JoeyCrafter—which records from Discord, Telegram, and the networking protocol BGP indicate was a handle used by Coristine—writes that he’s “looking for a capable, powerful and reliable L7” that accepts bitcoin payments. That line, in the context of a DDoS-for-hire Telegram channel, suggests he was looking for someone who could carry out a layer-7 attack, a certain form of DDoS. A DDoS-for-hire service with the name Dstat.cc was seized in a multinational law enforcement operation last year.

The JoeyCrafter Telegram account had previously used the name “Rivage,” a name linked to Coristine on Discord and at Path, according to Path internal communications shared with WIRED. Both the Rivage Discord and Telegram accounts at times promoted Coristine’s DiamondCDN startup. It’s not clear whether the JoeyCrafter message was followed by an actual DDoS attack. (In the internal messages among Path staff, a question is asked about Rivage, at which point an individual clarifies they are speaking about “Edward.”)

"It does depend on which government agency is sponsoring your security clearance request, but everything that you've just mentioned would absolutely raise red flags during the investigative process," says Shelzi, the former US Army intelligence officer. He adds that a secret security clearance could be completed in as little as 50 days, while a top-secret security clearance could take anywhere from 90 days to a year to complete.

Coristine’s online history, including a LinkedIn account where he calls himself Big Balls, has disappeared recently. He also previously used an account on X with the username @edwardbigballer. The account had a bio that read: “Technology. Arsenal. Golden State Warriors. Space Travel.”

Prior to using the @edwardbigballer username, Coristine was linked to an account featuring the screen name “Steven French” featuring a picture of what appears to be Humpty Dumpty smoking a cigar. In multiple posts from 2020 and 2021, the account can be seen responding to posts from Musk. Coristine’s X account is currently set to private.

Davi Ottenheimer, a longtime security operations and compliance manager, says many factors about Coristine’s employment history and online footprint could raise questions about his ability to obtain security clearance.

“Limited real work experience is a risk,” says Ottenheimer, as an example. “Plus his handle is literally Big Balls.”

DOGE Teen Owns ‘Tesla.Sexy LLC’ and Worked at Startup That Has Hired Convicted Hackers

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

Source: Jayant Bahel via Alamy Stock Photo

A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.

The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.

**Banking Fraud in East India**

Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.

Source: Zimperium

The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).

To allow the attackers to log into victims' bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

The malware also sports stealth and anti-analysis measures, like "packing," where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users' devices by simply prodding a user to thoughtlessly hit "Allow" when it asks nicely.

"Since you don't see the app, it's not easy to uninstall it," explains Nico Chiaraviglio, chief scientist at Zimperium. "And then you \[have to deal with the\] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

**Why Fraud Works in India**

Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).

That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, "If you want to run some sort of exploit, it's easier to do on older devices," he says.

Related:Chinese APT Group Is Ransacking Japan's Secrets

"It's also widely known that there are a lot of scammers in India," he adds. In this campaign, "They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in."

One thing surprised him, he says: "We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It's very uncommon that we see a campaign that is only targeting one country."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Basket of Bank Trojans Defraud Citizens of East India

While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of hard decisions.

Source: Agata Gładykowska via Alamy Stock Photo

COMMENTARY

Many cybersecurity leaders kick off each new year with predictions for the year to come. You may have seen a deluge of them over the last month or so: "Cyberattacks will continue to be a problem." "This certain country will ban ransom payments." 

But as a cybersecurity company founder and CEO, as well as a licensed insurance broker, I believe that, instead of predictions, what we really need to protect ourselves is a better understanding of probability. Why? Predictions do not inspire solutions. Probabilities do. 

To understand why probability is so important in cybersecurity — and why it makes non-data-driven predictions highly impractical — let's look at what probability actually is. 

**Understanding the Nuances of Probability**

Traditional understandings of probability tend to be misguided. Many treat it as simply the frequency of events over many trials (think: flipping a coin). This requires extremely large datasets, and those datasets must be stable and consistent. Fighting threat actors, though, is famously neither a stable nor a consistent endeavor. Cybersecurity is thus inherently dynamic and uncertain; we require a more nuanced paradigm.

Bayesian probability, which views probability as a "degree of belief" based on available data and expert judgment, allows for the flexibility and adaptability needed in cybersecurity. While data may be limited and conditions evolve quickly, we can still use this approach to build risk models for a company's unique threat surface. These risk models combine the aforementioned data-driven probabilities with variables like control maturity, cyber-insurance claims data, and business and industry-specific factors to create accurate, up-to-date risk assessments. This Bayesian probability model is thus what I refer to when I say "probability." 

**Learning From Insurance **

We can glean a lot about cyber-risk and probability from what may sound like a surprising source: insurance data. Because my company provides cyber insurance as well as risk management strategies, we have visibility into just how many insurance claims actually become "material" to a company. In other words, we can see not only the number of attacks our clients faced — but also what the real financial impacts were. While we saw the frequency of claims rise by nearly 35% in 2024, these claims actually became material at a lower rate than we saw in 2023. 

What does this mean? At the most granular level, it means that companies in our portfolio aren't losing as much money from cyberattacks as they could have. That's encouraging in itself, but it also suggests a broader, encouraging trend: cybercrime is here to stay, but companies are getting better at withstanding the worst of the effects. And we're not alone in seeing this positive trend: Coveware recently reported a major decline in ransom payment rates, while Palo Alto Networks predicts a shift in the effectiveness of ransomware demands as organizations increasingly invest in not only better security postures, but more cyber resilient architectures overall. 

Whether through risk management strategies, a more cyber-aware and proactive board, investments in cyber insurance and best-in-class security tools, or a combination of these, companies are growing more resilient, even as cyber criminals get smarter and faster. 

**Putting Data and AI to Work**

These improvements in mitigating damages from cyberattacks over the past year are not happening in isolation. They are a result of a renewed, better focus on putting security and risk data to work. When we have the right data — and the right probability models — we can adopt a far more informed understanding of what's to come in the future, and what the potential impacts are.

For us, that means building a complex model based on the data we have. Our models are constructed as a network of event triggers and input signals; taken together, they inform the probability that losses will occur, the range of losses when they do occur, and the probabilities associated with the size of the losses in the range. We do this according to the kind of perils that can materialize into those losses, including business disruption, data breach, fraud, and extortion. 

The rate at which perils result in losses is influenced by the maturity of the security controls that our customers have. We tune the relationship between these signals, their level, and their output based on our experts' degrees of belief, cyber claims data, and firmographic data. This large network facilitates our probabilistic reasoning — and the results we observe tend to be quite accurate. 

**Resisting the FUD Mentality**

Fear, uncertainty, and doubt (FUD) often cloud our vision when it comes to cybersecurity decision-making and future projections. That's understandable: Cyberattacks on large organizations have affected many of us directly. Maybe you couldn't get a prescription in time after the Change Healthcare attack. Or perhaps you received a notice that your data had been breached as a result of an attack on AT&T. Even if you haven't been personally affected, an onslaught of doom-and-gloom headlines can make it tempting to look to the future and assume disaster is imminent — or worse yet, that there's nothing we can do about it. 

But when we remove our FUD glasses and look at the cold, hard data, those assumptions become glaringly incorrect. That's why assessing risk with a probabilistic model can give us far better insight into not only what's likely to happen, but what the actual impacts may be. And when we better understand potential impacts, we can conceptualize far more effective solutions. Think: choosing comprehensive security tools that protect whatever a company identifies its "crown jewels" to be; building a full team behind a company's chief information security officer (CISO) and adding new cyber-savvy board members; and even investing in cyber insurance. 

Furthermore, it's probability — not predictions lacking hard data — that helps us quickly make important decisions under pressure and uncertainty. While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of the hard decisions we make. And when we feel more confident in these decisions, we get better solutions that can make us essentially invincible to whatever cybercriminals may throw our way this year.

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

Why Cybersecurity Needs Probability — Not Predictions

Ransomware gangs continued to wreak havoc in 2024, but new research shows that the amounts victims paid these cybercriminals fell by hundreds of millions of dollars.

For much of the past year, the trail of destruction and mayhem left behind by ransomware hackers was on full display. Digital extortion gangs paralyzed hundreds of US pharmacies and clinics through their attack on Change Healthcare, exploited security vulnerabilities in the customer accounts of cloud provider Snowflake to breach a string of high-profile targets, and extracted a record $75 million from a single victim.

Yet beneath those headlines, the numbers tell a surprising story: Ransomware payments actually fell overall in 2024—and in the second half of the year dropped more precipitously than in any six-month period on record.

Cryptocurrency tracing firm Chainalysis today released a portion of its annual crime report focused on tracking the ransomware industry, which found that ransomware victims’ extortion payments totaled $814 million in 2024, a drop of 35 percent compared to the record $1.25 billion that hackers extracted from ransomware victims the previous year. Breaking down the payments over the course of 2024 shows an even more positive trend: Hackers collected just $321 million from July through December compared to $492 million the previous half year, the biggest falloff in payments between two six-month periods that Chainalysis has ever seen.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, who leads cyber threat intelligence at Chainalysis. She suggests that dropoff is likely due to law enforcement takedowns and disruptions, some of which had delayed effects that weren't immediately apparent in the first half of the year as ransomware victims and the cybersecurity industry grappled with catastrophic attacks.

“Don't get me wrong: For everyone who's a defender or an incident responder, it's been _a year,_" Burns Koven says. “But it is noteworthy that for the major attacks that occurred last year, those groups don't exist anymore or have been laying low. There's been a strong signal from law enforcement that if you cross the line, there's going to be consequences.”

US and UK law enforcement scored two significant disruptions of major ransomware groups around the beginning of 2024: Six days before Christmas of 2023, the FBI announced that it had found vulnerabilities in the encryption software used by the group known as BlackCat or AlphV, distributed decryption keys to victims to foil the group’s extortion tactics, and taken down the dark-web sites the group had used to issue its threats. Two months later, in February of 2024, the UK’s National Crime Agency carried out an operation against the notorious ransomware group Lockbit, hijacking its infrastructure, seizing its cryptocurrency wallets, taking down its dark-web sites, and even obtaining information about its members and cybercriminal partners.

Initially, however, both groups seemed to bounce back from those busts. AlphV in February announced that it had hacked Change Healthcare, disabling payments at hundreds of US clinics and pharmacies and extracting $22 million from the United Healthcare–owned company in one of the worst health-care-related ransomware incidents in history. Lockbit, too, seemed to shake off the NCA’s blows, immediately launching a new dark-web site where it continued to extort victims old and new.

But in fact, both law enforcement operations may have been more successful than they appeared. AlphV, after receiving its $22 million ransom from Change Healthcare, pulled a so-called “exit scam,” taking the money and disappearing rather than sharing it with the hacker partners who had carried out the Change breach. Lockbit, too, largely fell off the map in the months that followed the NCA’s takedown, due perhaps to the cybercriminal underground’s distrust of the group and its alleged leader, Dmitry Khoroshev, when it became clear the NCA had identified him. In May of 2024, Khoroshev was also sanctioned by the US Treasury, making it far more legally complicated for Lockbit victims to pay a ransom to the group.

While the vacuum left behind by those major players in the ransomware ecosystem was filled by newer groups during the second half of 2024, many of them didn’t have the skills or experience to go after targets as big and as well defended as Lockbit and AlphV had, says Burns Koven. The result, she says, was far smaller ransom payments, often in the tens of thousands of dollars rather than the millions or tens of millions.

“Their talent is not quite as robust as their predecessors,“ Burns Koven says of the newer generation of ransomware gangs. “We're seeing the hangover of these law enforcement takedowns, not just directly targeting individuals and strains of malware but also the infrastructure and tools and services that had been used to help perpetuate these attacks.”

Last year actually saw more ransomware incidents than the previous year, says Allan Liska, a threat intelligence analyst focused on ransomware at the security firm Recorded Future. The firm counted 4,634 attacks in 2024 versus 4,400 in 2023. But the lower ransom amounts received by those newer ransomware groups suggests they may have been favoring quantity over quality, he says. “What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” Liska says.

In addition to major law enforcement actions at the beginning of 2024, Chainalysis attributes the decline in payments during the second half of the year to heightened global awareness about the threat of ransomware, leading to more mature defenses and response plans within governments and other institutions. And Burns Koven adds that cryptocurrency regulation and law enforcement crackdowns on money laundering infrastructure, including mixers that help criminals anonymize and obfuscate the source of their ill-gotten cryptocurrencies, have also eroded ransomware actors’ abilities to handle payments without specialized knowledge.

While the decline in payments during the second half of 2024 is significant for being the largest ever in Chainalysis’s data, the number of ransomware attacks and volume of payments has fluctuated and declined before. Notably, researchers saw a marked decrease in activity in 2022, a year in which Chainalysis placed total ransomware payments at $655 million compared to $1.07 billion in 2021 and nearly $1 billion in 2020. But while governments and defenders were initially heartened that their deterrence efforts were working, ransomware surged back as an even more dire threat in 2023, totaling, by Chainalysis’s count, $1.25 billion in payments that year.

"I think ebbs and flows are inevitable," says Brett Callow, a managing director at FTI Consulting and longtime ransomware researcher. "If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters. That's why we really need to analyze trends over a longer period, because increases and decreases over shorter periods don't really tell us much.”

Additionally, researchers have long warned that it is difficult to get truly reliable numbers about the volume of ransomware attacks and an accurate total of payments each year. This is partly the result of attackers attempting to inflate their records and make themselves seem more effective and menacing by claiming old data breaches as new attacks or simply making up attacks that they haven’t actually carried out. And it is always difficult to get accurate numbers about ransomware (not to mention digital scams more broadly), because stigma and regulatory requirements often keep victims from coming forward. This makes ransomware forecasting more of an art than a science.

"My vibe from the second half of 2024 is that if there was a decrease, there will also be a rebound," Callow says.

Chainalysis researchers are clear that the 2024 payment decline is not a guarantee of future reductions in ransomware attacks. But Burns Coven emphasizes that for defenders who are in the trenches on incident response, the data point is useful for making the case that sustained investment in ransomware defense is worthwhile.

“We're still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure," says Burns Koven. But, she adds, “I don't think anybody's necessarily celebrating. I think it's a signal of what work needs to be continued.”

Despite Catastrophic Hacks, Ransomware Payments Dropped Dramatically Last Year

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

Source: Ronstik via Alamy Stock Photo

NEWS BRIEF

Developers and security teams are bombarded with too many security alerts. Security tools are finding issues, but organizations lack the staff and time to address the most severe security findings. That is why there has been a lot of discussion on how artificial intelligence (AI) can help prioritize and triage the volume of security alerts to a more manageable amount.

Backline, which came out of stealth on Jan. 30, goes a step further, using AI agents to remediate security vulnerabilities and misconfigurations automatically. The autonomous security remediation platform integrates seamlessly with the organization's existing security tools and consolidates the information into a centralized security findings lake, the company said. The AI-native remediation playbooks the platform uses have been enriched with customer-specific context, Backline said.

Backline's autonomous security remediation platform can safely implement verified code and configuration changes. Backline's agents analyze security findings, gather necessary context, determine the optimal fix for the organization's environment, implement the necessary changes, and then test the fixes. Teams can choose their preferred level of oversight and automation.

When the AI agent needs human analysts to intervene or provide more context, it contacts the relevant engineers using tools such as Jira, Slack, and GitHub.

As part of the launch, Backline also raised $9 million in seed funding from StageOne Ventures, Evolution Equity Partners, and Gradient. Backline's co-founder and CEO, Maor Goldberg, previously co-founded Whitebox Security, which he sold to SailPoint in 2015, and Apolicy, which was sold to Sysdig in 2021. Goldberg left Sysdig in 2024 to start Backline with Eran Leib, chief customer officer, and Aviad Chen, vice president of research and development.

Backline Tackles Enterprise Security Backlogs With AI

Ransomware actors are offering individuals millions to turn on their employers and divulge private company information, in a brand-new cybercrime tactic.

Source: Mayam studio via Shutterstock

Ransomware actors are utilizing a previously unseen tactic in their ransomware notes: posting advertisements to solicit insider information.

Researchers at the GroupSense threat intelligence team shared their findings with Dark Reading, including screenshots of the strategies these gangs are using. Groups including Sarcoma and another syndicate believed to be impersonating LockBit ransomware, known as DoNex, have adopted the strategy, the firm noted.

Part of one ransomware note includes the usual details stating that the company is in critical condition, its backups destroyed, and databases exported. Farther down in the message, however, the group states: "If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In a different ransom note, the threat actors write: "Would you like to earn millions of dollars $$$ ?  Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.  You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc. "

Related:Credential Theft Becomes Cybercriminals' Favorite Target

A ransom note from a threat group impersonating LockBit. Source: GroupSense

The threat actors then go on to detail how those who are interested can open their letter and launch a virus on their work computer. The communication is done through Tox messenger so that the users privacy is "guaranteed."

Kurtis Minder, CEO and founder at GroupSense, notes that the company sees a variety of ransom notes in the course of incident response, however, it's only been this past week that its researchers have noticed the "pseudo advertisements" at the bottom of these notes.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," says Minder. "I don't know the right answer, but obviously these notes do get passed around." He notes that these threat actors may maintain a "why not" attitude toward incorporating such ads into their ransom notes. And when one ransomware actor starts a new tactic, the rest are quick to follow.

But for any individuals interested in taking up such an offer from cybercriminals, it's better to be safe than sorry.

"These folks have no accountability, so there's no guarantee you would get paid anything," Minder adds. "You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to look through past ransom notes to find any earlier indication of the trend, and Minder says he expects to find more ads in addition to those already discovered.

Related:Ferret Malware Added to 'Contagious Interview' Campaign

The news comes as ransomware activity continues to grow, with cyberattackers raking in hefty profits despite a rash of law enforcement actions over the course of the past year.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Cybercriminals Court Traitorous Insiders via Ransom Notes

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

The **FBI** joined authorities across Europe last week in seizing domain names for **Cracked** and **Nulled**, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

In this 2019 post from Cracked, a forum moderator told the author of the post (Buddie) that the owner of the RDP service was the founder of Nulled, a.k.a. “Finndev.” Image: Ke-la.com.

On Jan. 30, the **U.S. Department of Justice** said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. The DOJ said the law enforcement action, dubbed Operation Talent, also seized domains tied to **Sellix**, Cracked’s payment processor.

In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed customers to rent virtual servers: StarkRDP\[.\]io, and rdp\[.\]sh.

Those archived webpages show both RDP services were owned by an entity called **1337 Services Gmbh**. According to corporate records compiled by **Northdata.com**, 1337 Services GmbH is also known as **AS210558** and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “**FlorainN**” and “**StarkRDP**” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a **Florian M**. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH shows the company is controlled by two individuals: 32-year-old **Florian Marzahl** and **Finn Alexander Grimpe**, 28.

An organization chart showing the owners of 1337 Services GmbH as Florian Marzahl and Finn Grimpe. Image: Northdata.com.

Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called **DreamDrive GmbH**, which rented out high-end sports cars and motorcycles.

According to the cyber intelligence firm Intel 471, a user named Finndev registered on multiple cybercrime forums, including **Raidforums** \[seized by the FBI in 2022\], **Void\[.\]to**, and **vDOS**, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.

The email address used for those accounts was **f.grimpe@gmail.com**. DomainTools.com reports f.grimpe@gmail.com was used to register at least nine domain names, including **nulled\[.\]lol** and **nulled\[.\]it**. Neither of these domains were among those seized in Operation Talent.

Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address **olivia.messla@outlook.de**. The breach tracking service Constella Intelligence says this email address used the same password (and slight variations of it) across many accounts online — including at hacker forums — and that the same password was used in connection with dozens of other email addresses, such as **florianmarzahl@hotmail.de,** and **fmarzahl137@gmail.com**.

The Justice Department said the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.

Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum users. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of **shoppy\[.\]gg**, an e-commerce platform that caters to the same clientele as Sellix.

Shoppy was not targeted as part of Operation Talent, and its website remains online. Northdata reports that Shoppy’s business name — **Shoppy Ecommerce Ltd.** — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.

Constella found that a user named Shoppy registered on Cracked in 2019 using the email address **finn@shoppy\[.\]gg**. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel.

The DOJ said one of the alleged administrators of Nulled, a 29-year-old Argentinian national named **Lucas Sohn**, was arrested in Spain. The government has not announced any other arrests or charges associated with Operation Talent.

Indeed, both StarkRDP and FloraiN have posted to their accounts on **Telegram** that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former customers they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.

“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter \[of\] ‘StarkRDP.'”

Tag

#intel