This week on the Lock and Code podcast, we revisit an interview with Joseph Cox about the largest FBI sting operation ever carried out.

_This week on the Lock and Code podcast…_

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that, in 2018, it already happened. Sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across the world, it also, according to the US government, provides cover for criminals.

But to access any single criminal or criminal suspect’s encrypted messages would require an entire reworking of the technology itself, opening up not just one person’s communications to surveillance, but everyone’s. This longstanding struggle is commonly referred to as The Crypto Wars, and it dates back to the 1950s during the Cold War, when the US government created export control regulations to protect encryption technology from reaching outside countries.

But several years ago, the high stakes in these Crypto Wars became somewhat theoretical, as the FBI gained access to the communications and whereabouts of hundreds of suspected criminals, and they did it without “breaking” any encryption whatsover.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How the FBI got everything it wanted (re-air) (Lock and Code S06E15) 

Palo Alto, California, 29th July 2025, CyberNewsWire

**Palo Alto, California, July 29th, 2025, CyberNewsWire**

Despite the expanding use of browser extensions, the majority of enterprises and individuals still rely on labels such as “Verified” and “Chrome Featured” provided by extension stores as a security indicator. The recent Geco Colorpick case exemplifies how these certifications provide nothing more than a false sense of security – Koi Research disclosed 18 malicious extensions that distributed spyware to 2.3M users, with most bearing the well-trusted “Verified” status.

SquareX researchers disclosed the technological reason behind this vulnerability, highlighting an architectural flaw in Browser DevTools that prevents browser vendors and enterprises from performing the thorough security analysis many enterprises expect.

> “Aside from the fact that thousands of extension updates and submissions are being made daily, it is simply impossible for browser vendors to monitor and assess an extension’s security posture at runtime,” says Nishant Sharma, Head of Security Research at SquareX, “This is because existing DevTools were designed to inspect web pages. Extensions are complex beasts that can behave dynamically, work across multiple tabs and have “superpowers” that allow them to easily bypass detection via rudimentary Browser DevTool telemetry.”

In other words, even if browser vendors were not inundated by the sheer quantity of extension submission requests, the architectural limitations of Browser DevTools today would still allow numerous malicious extensions to pass DevTool based security inspections. 

Browser DevTools were introduced in the late 2000s, long pre-dating the widespread extension adoption. These tools were invented to help users and web developers debug websites and inspect web page elements. However, browser extensions have unique capabilities to, among others, modify, take screenshots and inject scripts into multiple web pages, which cannot be easily monitored and attributed by Browser DevTools. For example, an extension may make a network request through a web page by injecting a script into the page. With Browser DevTools, there is no way to differentiate network requests made by the web page itself and those by an extension.

Detailed in the technical blog, SquareX’s researchers propose a novel approach that uses the combination of a modified browser and Browser AI Agents to plug this gap. The modified browser exposes critical telemetry required to understand an extension’s true behavior, while the Browser AI Agent simulates different user personas to incite various extension behaviors at runtime for monitoring and security analysis. This not only allows a dynamic analysis of the extension, but also discoveries of various “hidden” extension behaviors that are only triggered by time, a certain user action or device environments. Named the Extension Monitoring Sandbox, the research details the necessary modifications required for the modified browser. 

The revelation of Browser DevTools’ architectural limitations exposes a fundamental security gap that has led to millions of users being compromised. As browser extensions become a core part of the enterprise workflow, it is critical for enterprises to move from superficial labels to solutions specifically designed to tackle extension security. It is absolutely critical for browser vendors, enterprises and security vendors to work closely together in tackling what has become one of the fastest emerging threat vectors.

This August, SquareX is offering a free enterprise-wide extension audit in August. The audit involves conducting an extensive audit of all extensions installed across the organization using all three components of the SquareX Extension Analysis Framework – metadata analysis, static code analysis and dynamic analysis with the Extension Monitoring Sandbox – providing a full analysis of the organization’s extension risk exposure and a risk score for each extension.

**About** **SquareX**

SquareX’s browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, GenAI data loss prevention, and more.

Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser.

More information available at: sqrx.com

**Reference**

http://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-with-17m-installs-found-on-web-store/

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Architectural Limitations of Browser DevTools in Debugging Malicious Extensions

A law requiring UK internet users to verify their age to access adult content has led to a huge surge in VPN downloads—and has experts worried about the future of free expression online.

After the United Kingdom’s Online Safety Act went into effect on Friday, requiring porn platforms and other adult content sites to implement user age verification mechanisms, use of virtual private networks (VPNs) and other circumvention tools spiked in the UK over the weekend.

Experts had expected the surge, given that similar trends have been visible in other countries that have implemented age check laws. But as a new wave of age check regulations debuts, open internet advocates warn that the uptick in use of circumvention tools in the UK is the latest example of how an escalating cat-and-mouse game can develop between people looking to anonymously access services online and governments seeking to enforce content restrictions.

The Online Safety Act requires that websites hosting porn, self-harm, suicide, and eating disorder content implement “highly effective” age checks for visitors from the UK. These checks can include uploading an ID document and selfie for validation and analysis. And along with increased demand for services like VPNs—which allow users to mask basic indicators of their physical location online—people have also been playing around with other creative workarounds. In some cases, reportedly, you can even use the video game _Death Stranding_’s photo mode to take a selfie of character Sam Porter Bridges and submit it to access age-gated forum content.

For proponents of the law, there is progress to point to as well. The UK’s communications regulator Ofcom says that more than 6,600 porn websites have introduced age checks so far. And major social platforms like Reddit, X, and Bluesky have also added age verification for content that is now restricted in the UK or are in the process of doing so. Microsoft has even started rolling out voluntary age checks for Xbox users in the UK. But even if this movement is satisfactory for now, digital rights advocates point out that normalizing such mechanisms creates the possibility that they will be enforced more aggressively in the future.

“I think people just want to show that we can make some progress on this without thinking about what the consequences of the progress will be,” says Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union. “We do know that there are some things that you can do to help kids have a better relationship with digital tools. And that involves having an adequate social support network; it involves listening when kids run into problems and making sure that they have functioning emotional relationships with adults who can respond to them. But instead what we’re looking for is a quick technological fix, and those technological fixes have consequences.”

Seema Shah, VP of research and insights at the market intelligence firm Sensor Tower, says five VPN apps have experienced particularly “explosive growth” and reached the top 10 free apps on Apple’s UK App Store by Monday.

“According to Sensor Tower estimates, iOS devices have seen a greater spike in VPN downloads in the UK, as downloads across the selected VPN apps are up an average of 100 percent day-over-day over the past four days on iOS versus a 5 percent day-over-day increase for Android devices,” Shah says.

Multiple VPN makers have also reported spikes in visitors and sign-ups in recent days. In a post on X on Friday, Proton VPN claimed that “just a few minutes after the Online Safety Act went into effect last night, Proton VPN sign-ups originating in the UK surged by more than 1,400%.” David Peterson, general manager of Proton VPN, told WIRED that since then there has been a sustained 1,800 percent increase in daily sign-ups.

Also on Friday, the Windscribe VPN service posted a screenshot on X claiming to show a spike in new subscribers. The makers of the AdGuard VPN claimed that they have seen a 2.5X increase in install rates from the UK since Friday.

Nord Security, the company behind the NordVPN app, says it has seen a “1,000 percent increase in purchases” of subscriptions from the UK since the day before the new laws went into effect. “Such spikes in demand for VPNs are not unusual,” Laura Tyrylyte, Nord Security’s head of public relations, tells WIRED. She adds in a statement that “whenever a government announces an increase in surveillance, internet restrictions, or other types of constraints, people turn to privacy tools.”

People living under repressive governments that impose extensive internet censorship—like China, Russia, and Iran—have long relied on circumvention tools like VPNs and other technologies to maintain anonymity and access blocked content. But as countries that have long claimed to champion the open internet and access to information, like the United States, begin considering or adopting age verification laws meant to protect children, the boundaries for protecting digital rights online quickly become extremely murky.

“There will be a large number of people who are using circumvention tech for a range of reasons” to get around age verification laws, the ACLU’s Kahn Gillmor says. “So then as a government you’re in a situation where either you’re obliging the websites to do this on everyone globally, that way legal jurisdiction isn’t what matters, or you’re encouraging people to use workarounds—which then ultimately puts you in the position of being opposed to censorship-circumvention tools.”

Age Verification Laws Send VPN Use Soaring—and Threaten the Open Internet

Summary The growing adoption of large language models (LLMs) in enterprise workflows has introduced a new class of adversarial techniques: indirect prompt injection. Indirect prompt injection can be used against systems that leverage large language models (LLMs) to process untrusted data. Fundamentally, the risk is that an attacker could provide specially crafted data that the LLM misinterprets as instructions.

How Microsoft defends against indirect prompt injection attacks

A new report from Google's GTIG reveals how UNC3944 (0ktapus) uses social engineering to compromise Active Directory, then exploits VMware vSphere for data theft and direct ransomware deployment. Understand their tactics and learn vital mitigation steps.

A highly “aggressive” cyber campaign, identified in mid-2025 by Google’s Threat Intelligence Group (GTIG), is posing a severe threat to major industries, including retail, airlines, and insurance.

This sophisticated operation is attributed to Scattered Spider, a financially motivated hacking group also known as 0ktapus and UNC3944, which has been involved in high-profile breaches, including those affecting UK retail giants M&S, Harrods, and Co-op.

Although several members of the group have been arrested and charged in the United States and the United Kingdom over attacks on MGM Resorts and major retailers, the group remains highly active and continues to demonstrate a global presence.

In its latest campaign, as reported by GTIG, the group is eyeing compromised Active Directory accounts to gain full control of VMware vSphere environments to steal sensitive data and deploy ransomware directly from the hypervisor.

This method is particularly dangerous as it often bypasses traditional security tools like Endpoint Detection and Response (EDR), which lack visibility into the underlying ESXi hypervisor and vCenter Server Appliance (VCSA).

GTIG outlines how UNC3944 moves from an initial low-level foothold to complete hypervisor control across five methodical phases. The critical entry point involves phone-based social engineering where attackers impersonate a regular employee, making phone calls to the IT help desk. By using publicly available personal information and persuasive tactics, they trick help desk agents into resetting Active Directory passwords.

This initial access allows them to conduct internal reconnaissance, searching for high-value targets like vSphere administrators or powerful Active Directory groups. They then make a second, more informed call, impersonating a privileged administrator to take over their account. This cunning two-step process bypasses standard technical protections by exploiting vulnerabilities in help desk identity verification procedures.

Once privileged Active Directory credentials are stolen, the attackers swiftly move to compromise the vCenter Server. From there, they gain “virtual physical access” to the VCSA. They manipulate the system’s bootloader to achieve root access, enabling SSH, and then deploy a legitimate open-source tool called Teleport. This tool creates a persistent, encrypted communication channel, effectively bypassing most firewalls.

 With this deep control, they can enable SSH on ESXi hosts, reset passwords, and perform an “offline attack” on critical virtual machines, such as Domain Controllers. This involves powering off a target VM, detaching its virtual disk, attaching it to an unmonitored “orphaned” VM, and copying sensitive data like the Active Directory database.

All of this occurs at the hypervisor layer, rendering it invisible to in-guest security agents. Before deploying ransomware, they sabotage recovery efforts by targeting backup infrastructure, deleting jobs and repositories. Finally, they use SSH access to ESXi hosts to push their custom ransomware, forcibly powering off VMs and encrypting files directly from the hypervisor.

Attack chain (Via Google)

“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defence,” Google warns. The group operates with extreme speed; the entire attack, from initial access to ransomware deployment, “can occur in mere hours.” Therefore, organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring.

“The advanced sophistication Scattered Spider exhibits should have security teams on high alert,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

“Social engineering attacks can be prevented with proper training and a challenge process to validate the caller is who they say they are. By using valid credentials and built-in tools, it is difficult for security teams to discern if they are compromised or not,” he advised.

Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google

macOS flaw dubbed Sploitlight allows attackers to access Apple Intelligence-cached data by abusing Spotlight plugins, bypassing privacy controls.

A newly disclosed macOS vulnerability is allowing attackers to bypass Apple’s privacy controls and access sensitive user data, including files cached by Apple Intelligence. Tracked as CVE-2025-31199, the flaw was identified by Microsoft Threat Intelligence and involves a method that abuses Spotlight plugins to leak protected files.

Microsoft Threat Intelligence, which originally spotted the vulnerability, revealed the flaw and dubbed the exploit “Sploitlight” due to its abuse of Spotlight plugins. While Apple has already released a patch, the technical method behind the exploit should be concerning for macOS users, especially those using Apple’s latest AI-powered features.

It all starts with how Spotlight, macOS’s built-in search tool, handles plugins known as importers. These are designed to help index content from specific apps like Outlook or Photos.

Microsoft researchers found that attackers could modify these importers to scan and leak sensitive data from TCC-protected locations like Downloads and Pictures, even without the user’s permission. The trick? Logging file contents in chunks through the system log, then quietly retrieving them.

However, according to the company’s blog post, it gets worse. Apple Intelligence, installed by default on all ARM-based Macs, stores caches containing geolocation data, photo and video metadata, recognised faces, and even search history.

This information, protected under TCC (Transparency, Consent, and Control) rules, is typically out of reach to apps without user consent. But using Sploitlight, attackers can pull this data directly from the caches, bypassing the system’s consent mechanisms entirely.

Microsoft’s proof-of-concept shows a clear step-by-step process attackers could use to exploit the flaw. By modifying the metadata of a Spotlight plugin, placing it in a specific directory, and triggering a scan, attackers can tap into sensitive folders without ever requesting access. And because these plugins don’t need to be signed, no compilation is necessary. A few tweaks to a text file are all it takes.

Apple’s patch, released in March 2025 for macOS Sequoia, addresses this flaw. Microsoft thanked Apple’s security team for cooperating under Coordinated Vulnerability Disclosure and urged users to install the updates without delay.

The impact goes further than the mechanics of the exploit and affects real user data. Since metadata and facial recognition information sync across Apple devices via iCloud, attackers exploiting a single Mac could also gain indirect insights into iPhones or iPads linked to the same account.

This isn’t the first TCC bypass Apple has dealt with. Earlier examples like powerdir and HM-Surf relied on different system components, but Sploitlight’s use of Spotlight importers makes the attack both subtle and effective. It blurs the lines between trusted operating system components and what can be injected from user-controlled sources.

If you use a Mac, especially one with Apple Intelligence features active, make sure your system is up to date. The fix for CVE-2025-31199 is live and available, and applying it closes off this very specific way of data theft.

macOS Sploitlight Flaw Exposes Apple Intelligence-Cached Data to Attackers

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-25mx-8f3v-8wh7. This link is maintained to preserve external references.

### Original Description
The sequoia-openpgp crate before 1.16.0 for Rust allows out-of-bounds array access and a panic.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Spark New
        
        Build and deploy intelligent apps
        
    *   GitHub Models New
        
        Manage and compare prompts
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-rfx3-ffrp-6875

**Duplicate Advisory: sequoia-openpgp vulnerable to out-of-bounds array access leading to panic**

Low severity GitHub Reviewed Published Jul 28, 2025 to the GitHub Advisory Database • Updated Jul 28, 2025

Withdrawn This advisory was withdrawn on Jul 28, 2025

**Package**

cargo sequoia-openpgp (Rust)

**Affected versions**

< 1.1.1

\>= 1.2.0, < 1.8.1

\>= 1.9.0, < 1.16.0

**Patched versions**

1.1.1

1.8.1

1.16.0

**Description**

Published by the National Vulnerability Database

Jul 28, 2025

Published to the GitHub Advisory Database

Jul 28, 2025

Last updated

Jul 28, 2025

**EPSS score**

GHSA-rfx3-ffrp-6875: Duplicate Advisory: sequoia-openpgp vulnerable to out-of-bounds array access leading to panic

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2…

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2 million, fake currency operation in India. This report details the exposure of individuals and their activities on Facebook and Instagram.

A large-scale counterfeit currency operation is reportedly circulating fake notes worth millions of dollars, which has been brought to light by cybersecurity firm CloudSEK. Its investigation, shared with Hackread.com, CloudSEK’s STRIKE team has not only calculated the vast spread of this illicit trade, estimated at ₹17.5 crore (over $2 million) in fake Indian currency over just six months (December 26, 2024, to June 26, 2025), but has also managed to identify and pinpoint key individuals behind it.

The unique aspect of this exposé lies in the direct attribution of culprits. Using digital forensics, GPS data, and facial recognition technology, CloudSEK has identified and located major players across the Indian state of Maharashtra.

According to Sourajeet Majumder, a security researcher at CloudSEK, “This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content, we identified the key perpetrators.”

Reportedly, bad actors are using popular social media platforms like Facebook and Instagram in this campaign. CloudSEK’s XVigil platform played a crucial role in its detection by monitoring open-source environments for specific terms like “second series” or “A1 notes,” which are codewords used by sellers.

Source: CloudSEK

The investigation revealed over 4,500 posts promoting counterfeit currency and more than 750 accounts or pages involved in selling these fake notes. Furthermore, over 410 unique phone numbers were found to be connected to sellers. These groups even used Meta Ads for paid promotions, openly reaching out to potential buyers. Some sellers went as far as sharing videos, handwritten notes, and even video calls to show the supposed quality of their fake currency, creating a dangerous “trust-based” black market out in the open.

Source: CloudSEK

****Tracking Down the Accused****

CloudSEK’s researchers combined advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques to unmask group administrators and sellers. They collected facial images, phone numbers, exact GPS locations, and social media profiles of the main suspects.

The researchers also identified several accounts operating under aliases such as Vivek Kumar, Karan Pawar, and Sachin Deeva. Geolocation evidence pointed to activity in Jamade Village (Dhule district, Maharashtra) and Pune, strongly suggesting a coordinated syndicate primarily based in Maharashtra, with Dhule being the potential hotspot.

Further probing revealed that the counterfeiters advertise their fake notes through various social media channels using hashtags like #fakecurrency. To gain trust, they engage with buyers via WhatsApp, sharing “proof” images and even offering live video calls. The production involves professional tools like Adobe Photoshop, industrial-grade printers, and paper that sometimes mimics security features like Mahatma Gandhi watermarks and green security threads.

Source: CloudSEK

CloudSEK has shared its findings with relevant law enforcement agencies at both the state and national levels, providing detailed intelligence to aid in disrupting this criminal network and protecting the country’s financial stability.

Researchers Expose Massive Online Fake Currency Operation in India

BreachForums resurfaces on its original .onion domain amid law enforcement crackdowns, raising questions about its admin, safety and future.

The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts.

For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure.

Then, on April 28, as reported by Hackread.com, the forum’s homepage was replaced with a message stating that a MyBB 0-day vulnerability had left the site exposed to infiltration attempts by law enforcement, and it needed to be taken offline until the issue was resolved. That was the last message before BreachForums disappeared.

****Admin N/A?****

However, earlier today, Hackread.com spotted that the platform’s .onion domain had become active again, now under a new admin handle, “N/A.” The identity of “N/A” is unknown, but they claim the forum’s clearnet domain was suspended by the registrar following complaints and pressure from law enforcement.

Additionally, they claim the MyBB vulnerability has been fixed and that the forum was never compromised, with user data remaining protected throughout. “N/A” also addressed reports about the arrests of ShinyHunters members, denying that any original group members have been taken into custody.

For your information, after the arrest of former BreachForums administrator Conor Fitzpatrick, also known as Pompompurin, the forum reemerged under the leadership of the ShinyHunters group. However, in June 2025, authorities claimed to have arrested members of ShinyHunters, along with IntelBroker, another active member who had also served as the group’s administrator.

“N/A” also denied ever giving admin access to IntelBroker, claiming it was part of a strategy to divert law enforcement’s attention away from the original owners. According to the statement, IntelBroker never had administrative access to the forum.

Message from Admin N/A on BreachForums (Image credit: Hackread.com)

****As XSS.IS Falls, BreachForums Reemerges****

The return of BreachForums comes at a time when law enforcement is intensifying efforts against cybercrime. Less than 24 hours ago, in an operation called “Operation Checkmate,” authorities seized the infrastructure of the BlackSuit ransomware group, including two of its .onion domains.

Just a couple of days ago, the Russian-language cybercrime platform XSS.IS was seized following the arrest of its suspected administrator in Ukraine. While its dark web domain remains accessible, posts from admins and moderators suggest plans to revive the forum on other domains. Meanwhile, the return of BreachForums presents yet another challenge for law enforcement agencies.

The return of BreachForums on the dark web, along with plans to restore its clearnet domains, may be seen as good news within cybercrime circles, but it raises serious questions. Is it a honeypot set up by law enforcement? Who is “N/A”? Where is the original admin team if they haven’t been arrested? If you are active on BreachForums, sign in at your own risk, and consider quitting cybercrime for good.

BreachForums Resurfaces on Original Dark Web (.onion) Address

International law enforcement agencies, including the FBI and Europol, have successfully seized the infrastructure of the notorious BlackSuit ransomware gang in Operation Checkmate. This article details the takedown, BlackSuit's origins, and the ongoing fight against evolving cyber threats.

International law enforcement has dealt a significant blow to cybercrime this week, successfully seizing the vital online infrastructure of the notorious BlackSuit ransomware gang. In a coordinated international operation dubbed “Operation Checkmate,” authorities specifically targeted and took control of the group’s .onion data leak sites and negotiation platforms, which had compromised hundreds of organisations globally in recent years.

The seizure has been confirmed as two of the BlackSuit domains (1, 2) now display a banner announcing their closure by law enforcement, marking a major victory against ransomware threats worldwide.

This operation involved strong collaboration among numerous agencies from various countries, including the United States Department of Homeland Security, the FBI, Europol, the UK’s National Crime Agency, and law enforcement from Germany, Ukraine, Lithuania, and Canada. Cybersecurity firm Bitdefender also played a key role.

****How BlackSuit Operated****

BlackSuit, which emerged in April/May 2023, used a “double-extortion” method to target a wide range of victims, including hospitals, schools, businesses, and government bodies. They showed no specific preference for industry or organisation size, targeting both large enterprises and small and medium-sized businesses (SMBs).

However, similar to its predecessor, Royal ransomware, it appears that groups within the Commonwealth of Independent States (CIS) were deliberately avoided.

Regarding attack tactics, first, they would break into computer networks, encrypting important files and making systems unusable. Then, they would steal sensitive data. If victims refused to pay the ransom, BlackSuit threatened to publish the stolen information on their leak sites, adding more pressure. These seized websites were essential for BlackSuit to communicate with victims and store stolen data, making it difficult for the gang to profit from their illegal activities now.

****A Threat That Keeps Growing****

Security experts believe BlackSuit likely evolved from earlier ransomware groups, possibly linked to the Royal ransomware gang or even the well-known Conti syndicate. BlackSuit itself is a rebrand of Royal ransomware, which was active from September 2022 to June 2023 and is known to have demanded over $500 million in ransoms from hundreds of organisations worldwide. Notable victims of BlackSuit include the Japanese company Kadokawa, Tampa Bay Zoo, and Octapharma, a blood plasma collection organisation.

While Operation Checkmate is a major success, cybersecurity experts warn that ransomware groups often reappear under new names. In fact, Cisco Talos threat intelligence reported on July 24, 2025, that evidence suggests some former BlackSuit members may have already rebranded as “Chaos ransomware,” operating since February 2025.

This new group reportedly uses similar attack methods, including double extortion, and targets systems across Windows, ESXi, Linux, and NAS. However, Operation Checkmate clearly demonstrates that international teamwork is a powerful tool against global cybercrime.

Tag

#intel