Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.

Cybercrime is often seen as a threat to privacy or money, but recent years show it can cost lives too. Ransomware, once just a way for criminals to **lock files for cash**, now disrupts hospitals and treatment, turning data extortion into a real danger for patients who need urgent care. When hospitals can’t access vital systems, people can and do die, a harsh reality now witnessed in Europe not once but twice.

****Death in the United Kingdom****

In June 2024, as **reported** by Hackread.com, the UK’s National Health Service suffered one of its most serious cyber incidents. The Russian-speaking Qilin ransomware group broke into Synnovis, a company that handles pathology services for major London hospitals like King’s College and Guy’s & St Thomas’.

This attack crippled blood test services across the capital, delaying vital operations and treatments. According to an **incident update** from the College issued last week, one patient, who needed urgent care, died unexpectedly during this crisis. Investigators confirmed the ransomware attack was a factor. The Qilin gang didn’t care that their demand for money put human lives on the line, they published stolen files online as proof of their crime, using patient safety as leverage.

****Death in Germany****

Four years earlier, a similar incident took place in Germany. **In September 2020**, hackers targeted Düsseldorf University Hospital with ransomware that shut down around 30 servers. Doctors had no choice but to shut the emergency department.

As a result, a critically ill woman who arrived needing urgent surgery had to be sent 32 kilometers (almost 20 miles) away. The delay cost her life. Local prosecutors considered **charging** the attackers with negligent homicide, a rare but deserved move against criminals who turned people’s medical emergencies into their payday.

****Ransomware and Windows Operating System****

These tragedies go on to show that hospitals remain lucrative and soft targets for cybercriminals. Many hospitals **still rely on Windows systems**, which attract ransomware because most malware is built to hit Windows environments.

Protecting these systems is possible but demands serious discipline, up-to-date backups stored safely offline, strong passwords and multi-factor logins, constant patching and smart network setups that keep infections from spreading unchecked. Staff also need training since many ransomware attacks start with a **human factor** and their single careless click on a fake email.

The use of legacy OS in healthcare is a whole new scandal as Kaspersky’s 2021 **report** found 73% of healthcare providers using medical equipment with a legacy OS. A legacy operating system is an old system that its developers no longer actively support or update. It’s usually been replaced by newer versions and doesn’t get the security fixes or patches needed to stay protected, which leaves it more open to attacks.

Some argue that Linux could help because fewer ransomware strains target it, and its security model makes it harder for malware to gain deep control. That’s true to a point, but moving an entire hospital to Linux is next to impossible because critical devices like lab equipment, MRI scanners, and medical record systems run on Windows-only software approved and supported by specific vendors. Hospitals can’t just replace them overnight.

Therefore, unfortunately, it all comes back to a better approach to increasing security on the systems they already use rather than imagining an easy switch that won’t happen anytime soon. Additionally, the Kaspersky report mentioned earlier found that hospitals use legacy operating systems from both Windows and Linux. So what’s the point of using Linux if it’s an outdated version?

****Fancy Alliance is Not Working****

In November 2023, a US-led alliance of 40 countries **announced** plans to target the ransomware ecosystem with new efforts to disrupt ransom payments, dismantle criminal infrastructure, and share intelligence across borders.

Yet by February 2025, ransomware attacks had surged by a **record 126%** as cyber criminals exploited file transfer vulnerabilities, infostealers, and AI-driven tactics to stay ahead.

Remember, these are 2 deaths but imagine an emergency in a city where dozens of people suddenly need urgent hospital care, maybe a major accident or an outbreak that floods the ER with critical patients. Now what if the same hospital is locked out of its own systems because ransomware has crippled lab reports, scans and patient records.

Doctors are forced to guess or work blind. Life-saving operations get delayed. Ambulances are turned away. What happens then? It’s obvious when hospitals get hacked, the damage doesn’t stop at data. It can leave an entire city helpless at the worst possible moment.

****Ransomware Gangs Targeting Healthcare and Hospitals Are Parasites****

What makes this all worse is the people behind these attacks. Ransomware gangs like **Qilin** are not brilliant hackers, they are parasites living off broken systems, careless setups and human mistakes. They hide in safe countries that turn a blind eye to their crimes.

These governments should stop pretending this is a normal petty crime and start treating it as the threat to human life it is. Any country giving shelter to ransomware criminals should hunt them down, seize their profits and put them behind bars for every life their greed destroys.

In the end, hospitals shouldn’t be forced to choose between saving lives and paying off criminals. These two deaths are proof that ransomware is no longer just about data, it’s about whether patients live or die when cyber criminals shut systems down. That should be enough to push every hospital, vendor and government to take this threat as seriously as it deserves.

How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

Plus: US feds charge alleged masterminds behind infamous forum, Scattered Spider targets airlines, and hackers open a valve at a Norwegian dam.

WIRED published a shocking investigation this week based on records, including audio recordings, of hundreds of emergency calls from United States Immigration and Customs Enforcement (ICE) detention centers. The calls—which include reports of incidents of staff sexual assaults, suicide attempts, and head injuries—indicate a system inundated by life-threatening incidents, delayed treatment, and overcrowding.

In a 6-3 decision on Friday, the US Supreme Court upheld a Texas porn ID law, finding that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned that this determination ignores First Amendment precedent and will have privacy implications for adults.

Looking at the US bombing of Iranian nuclear sites last weekend, President Donald Trump posted initial announcements of the strikes on the social Network Truth Social, which then began suffering intermittent outages. And WIRED reported on assessments of the damage to the nuclear sites based on satellite photos taken before and after the bombing.

Meanwhile, Taiwan is scrambling to make its own unmanned aerial vehicles domestically as drones increasingly become a crucial weapon of war. The urgency comes as a potential conflict with China looms. And Telegram launched a purge of Chinese cryptocurrency markets last month, banning black markets that sold tens of billions of dollars in crypto-scam-related services. Now, though, the markets are rebranding and bouncing back with no further action from the communication platform.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Immigration and Customs Enforcement (ICE) is now using a mobile app called Mobile Fortify that allegedly allows agents to identify individuals by pointing a smartphone at their face or capturing contactless fingerprints, 404 Media reports. The app reportedly taps into government databases, including Customs and Border Protection’s Traveler Verification Service and a DHS biometric intelligence system, in an attempt to match facial images taken in the field against prior government-collected records. ICE says the tool is intended to help officers identify “unknown subjects,” but civil liberties advocates tell 404 Media that it may open the door to surveillance-driven profiling and wrongful arrests.

Nathan Freed Wessler of the ACLU told the site, “Face recognition technology is notoriously unreliable, frequently generating false matches and resulting in a number of known wrongful arrests across the country. Immigration agents relying on this technology to try to identify people on the street is a recipe for disaster. Congress has never authorized DHS to use face recognition technology in this way, and the agency should shut this dangerous experiment down."

**US Feds Charge Group of Alleged Hackers Behind a Notorious Cybercrime Forum**

Global law enforcement this week announced the bust of a group of alleged cybercriminal hackers accused of carrying out years of profit-focused data breaches and running a notorious cybercriminal forum and market known as Breachforums. French authorities arrested four members of the group who went by the names “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” though the police sources who shared the news with the French newspaper Le Parisien didn’t reveal the suspects’ real names. The US Justice Department, meanwhile, criminally charged Kai West, a young British man, with carrying out a broad, years-long hacking spree under the handle “Intelbroker” that inflicted $25 million total damage against victims before he was arrested in February. In addition to hacking and selling vast troves of stolen data, the group—or at least some subset of its members—appears to have served as administrators for Breachforums, a notorious sales forum for cybercriminal information and tools that was shut down in a law enforcement operation in 2023 but was later relaunched by its staff.

**Scattered Spider Hackers Shift Their Targeting to the Airline Industry**

The loose cybercriminal gang known as Scattered Spider has carried out data theft and ransomware incidents for years, most recently targeting the grocery industry, other retailers, and the insurance industry in the US and the UK. Now cybersecurity analysts at Mandiant and Palo Alto Networks say the group is turning their attention to the aviation and transportation sector. Specifically, hackers were behind a cybersecurity incident last week that took down some IT systems and the mobile app for Canadian airline WestJet, Axios reports. Now Hawaiian Airlines has said it’s experiencing a “cybersecurity incident” affecting its network, though it hasn’t yet revealed more details or any evidence that Scattered Spider is responsible. Cybersecurity firms tracking the group warn that other potential aviation and transportation industry targets should be on the lookout for the group, which often uses sophisticated social engineering to trick staff into letting them bypass multi-factor authentication and gain a foothold on target systems.

**Hackers Breach a Norwegian Dam to Open Valve**

Here’s a curiosity that we missed a couple weeks ago: A rare industrial control system hijacking incident in which an unknown hacker appears to have messed with the computer systems that control the Lake Risevatnet dam in southwest Norway, opening a valve to its maximum setting. The tampering, the motivation for which was far from clear, increased the dam’s water flow by nearly 500 liters a second, but didn’t come close to approaching a dangerous level. No one appears to have spotted the change for close to four hours. Officials told the Norwegian energy news outlet Energiteknikk, which broke the story, that a weak password on a web-accessible control panel allowed the unauthorized access.

ICE Rolls Facial Recognition Tools Out to Officers' Phones

The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool.
"Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and

GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool

Facebook, the social network platform owned by Meta, is asking for users to upload pictures from their phones to suggest collages, recaps, and other ideas using artificial intelligence (AI), including those that have not been directly uploaded to the service.
According to TechCrunch, which first reported the feature, users are being served a new pop-up message asking for permission to "allow

Facebook’s New AI Tool Asks to Upload Your Photos for Story Ideas, Sparking Privacy Concerns

An invitation to sign a DocuSign document went through mysterious ways and a way-too-easy Captcha to fingerprint the target.

On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page.

Webflow is a visual website builder that allows designers and developers to create custom, responsive websites. It’s a no-code solution that allows users to visually design, build, and launch websites directly in the browser

The attack all starts with an email claiming to be from a known contact, referencing a completed DocuSign document.

The email asking the receiver to sign an eDocument

The email passed SPF, DKIM, and DMARC, giving it a false sense of legitimacy. The link to “view the completed document” led to a Webflow preview URL. Designers can use these URLs to prototype websites and showcase their work. At this point, it started to look suspicious but not overtly malicious.

However, preview links are not standard for DocuSign and should always raise eyebrows. A legitimate DocuSign request would point to:

*   docusign.com
*   docusign.net
*   docusign.eu (for European users)

But by going through the legitimate Webflow domain the phishers made sure that their first stage was unlikely to get blocked.

Despite me always advising people not to do that, I clicked through (on a Virtual Machine, not my actual computer).

The Webflow preview displayed a mock DocuSign-style interface with a single button: **“View Document.”**

The webflow preview page

Now it was getting hairy. That button linked to a domain that screamed red flag:  
s‍jw.ywmzoebuntt.es

The domain looks like a randomized string, a known tactic in phishing infrastructure to evade reputation-based defenses.

Clicking the “View document” button brought me to this fake Captcha which is clearly not designed to stop anyone from proceeding.

Click any 4 images

Captcha’s are commonly used in phishing schemes to make victims think they’re going through legitimate security verification, but clearly the phishers did not want to overwhelm any potential targets. “Click on any 4 images to prove you’re human” might be the lowest bar ever imagined for a security screening.

After this huge intellectual struggle, I was redirected to Google’s actual login page.

No fake form, no malware download, just Google. That’s what makes this kind of attack easy to miss and even easier to underestimate.

What likely happened is this: the malicious link briefly displayed a cloaked page for fingerprinting. It harvested browser metadata like IP address, user agent, language, screen resolution, and then forwarded me to Google to complete the illusion of safety. My system was likely dismissed based on my system fingerprint, meaning I was not the intended target, so I got sent to a “safe place.”

This is phishing with a twist, a data reconnaissance operation that scopes a target and refines follow-up attacks. The link triggered a cascade of suspicious behaviors: querying BIOS and CPU identifiers, probing browser storage, and modifying user registry entries (all while I was wondering why all Captcha’s are not like that).

If you’ve clicked a link like this:

*   Clear your browser cache and cookies.
*   Check your account login history.
*   Enable 2FA if you haven’t already.
*   Run a full antivirus/malware scan.

Remember: the absence of obvious malware doesn’t mean the attempt failed. It may mean the attackers are just getting started.

This attack looked highly targeted. To avoid falling victim, you should:

*   Not click on links in unsollicited emails. Contact the alleged sender through a separate channel before proceeding.
*   Familiarize yourself with the normal procedure, so uncommon events will be red flags.
*   Use an active antimalware solution with web protection to keep you safe.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake DocuSign email hides tricky phishing attempt 

Threat intelligence firm GreyNoise is warning of a "notable surge" in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems.MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data

MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Authorities in the United States have charged a British national, Kai Logan West, widely known online as “**IntelBroker**“, with a series of high-profile data breaches that collectively caused at least $25 million in damages to companies worldwide. The 23-year-old was arrested in France in February 2025 and now faces extradition to the United States to stand trial in the Southern District of New York.

As **reported** by Hackread.com, IntelBroker’s arrest was followed by several others, including four individuals linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were **involved** in administering and moderating the cybercrime and data breach forum BreachForums.

The **unsealed complaint** (PDF), dated February 2025, lays bare the FBI’s two-year investigation into West’s cybercrime operations, connecting him to dozens of data breaches, sales of stolen data, and the leadership of a hacking collective operating on clear and dark web forums.

****Who Is IntelBroker?****

Using aliases like “IntelBroker” and “Kyle Northern”, West built a reputation on a clear and dark web forum known in the indictment as “Forum‑1” ( BreachForums). Operating under the banner of a hacking crew called CyberN (formerly “The Boys”), IntelBroker offered hacked databases from government agencies, healthcare providers, telecommunications firms, and internet service providers.

Between 2023 and early 2025, West authored at least 158 threads offering stolen data on Forum‑1, with 41 of them involving US companies. The FBI notes that at least $2 million worth of **Monero cryptocurrency** was solicited for the stolen information.

In 2024, IntelBroker was listed as the “owner” of Forum‑1, and his fame skyrocketed as he gave away some data leaks for free to boost credibility, gather a following, and attract buyers.

****How the FBI Tracked Down IntelBroker****

What West didn’t know was that FBI agents were watching closely. The bureau deployed undercover officers posing as buyers on Forum‑1. On at least two occasions, agents purchased stolen data directly from IntelBroker.

In January 2023, one agent bought an API key and login credentials for a company dubbed “Victim‑7.” Although the credentials were limited in value, the transaction became a key element in tracking his identity when IntelBroker asked for payment in Bitcoin (instead of Monero) and provided a wallet address that could be traced on the blockchain.

FBI blockchain analysts followed the money and found that:

*   The Bitcoin wallet used for the transaction had been seeded from another wallet linked to an account on a financial platform called Ramp.
*   That Ramp account was registered using a UK provisional driving license issued to Kai Logan West.
*   The same identity, Kai West, also owned a Coinbase account under the alias Kyle Northern, but with KYC verification; confirming it was the same individual.

Provisional driving licence of Kai West (Image via US Justice Department complaint)

Further connecting the dots, both accounts were linked to a Gmail address used by West for personal matters, including:

*   Cloud-stored selfies
*   Receipts and ID documents
*   UK University Housing and Tuition communications
*   Videos showcasing networking tools like “GPRS Smash”

The email also included a student certificate showing West was enrolled in a Cyber Security program.

****Online Footprints and Forum Activity****

West didn’t just transact carelessly, he also exposed himself by linking his online activity to personal behaviour. His IntelBroker posts on Forum‑1 often referenced YouTube videos that he had just viewed from his personal email account, and he regularly updated his signature block to list members of his hacking group, which made it easier to trace his involvement across multiple threads.

When Forum‑1 was **seized and shut down in 2024** and relaunched, all old posts inherited the updated signature, creating a consistent trail of West’s activity and affiliations dating back to early 2023.

One of the YouTube videos posted by IntelBroker on BreachForums (Image via US Justice Department complaint)

****The Victim List: Telecoms, Healthcare, ISPs****

The indictment outlines at least six victims, referred to only as Victim‑1 through Victim‑6. Victim‑1, a telecom provider, had data exfiltrated and deleted from a hosting server in Manhattan, resulting in damage estimated in the hundreds of thousands.

Victim‑3, a municipal healthcare provider, had the personal and health data of over 56,000 individuals stolen, which West later sold to an undercover FBI agent for $1,000 in Monero. Victim‑6, an internet service provider, was compromised using information from previous leaks to breach an internal server.

In each case, West publicly offered proof samples, negotiated sales via private messages, and accepted only Monero to maintain anonymity, though the paper trail caught up.

However, since Hackread.com exclusively reported on IntelBroker’s data breaches, here is a comprehensive list of data breaches and leaks claimed by the hacker:

Here is the list sorted from shortest to longest by character count:

1.  **AMD**
2.  **Apple**
3.  **Cisco**
4.  **Nokia**
5.  **US DoD**
6.  **Europol**
7.  **T-Mobile**
8.  **Robert Half**
9.  **Space Eyes**
10.  **Home Depot**
11.  **Tech in Asia**
12.  **General Electric**
13.  **LA Intl. Airport**
14.  **HSBC & Barclays Bank**
15.  **Facebook Marketplace**
16.  **Weee! Grocery Service**
17.  **UAE’s Lulu Hypermarket**
18.  **US Federal Contractor Acuity**
19.  **Hewlett Packard Enterprise (HPE)**
20.  **MIT Technology Review Magazine**
21.  **An unnamed but “Top” Cybersecurity Firm**

****Criminal Charges****

West has been charged with four federal offences:

1.  Wire fraud
2.  Conspiracy to commit wire fraud
3.  Conspiracy to commit computer intrusions
4.  Accessing a protected computer to defraud and obtain value

Each carries the potential for several years in prison, particularly when involving health data or affecting critical infrastructure.

The FBI’s Special Agent Carson Hughes and US Attorney Jay Clayton emphasized the global reach and danger of IntelBroker’s operations. The FBI called the case “a warning” to cybercriminals who believe online anonymity shields them from consequences.

****Did IntelBroker Work for the UK’s National Crime Agency?****

Kai West presented himself professionally as a cybersecurity researcher and operated under two separate identities on LinkedIn, one as Kyle Northern and the other as K West. This was first flagged by **Nathaniel Fried**, Co-founder and CEO at 0xbowio, who shared details of West’s dual profiles with Hackread.com.

Notably, the Kyle Northern profile claimed he worked as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) from September to October 2019. If accurate, this role could have involved access to classified systems, as the NCA deals with serious organized crime and national security. While the NCA affiliation remains unverified, West’s claimed background in cybersecurity and his academic path suggest the possibility shouldn’t be dismissed outright.

Kai Logan West on LinkedIn (Screenshot credit: Hackread.com)

West remains in French custody, and US officials are actively **seeking** extradition. If convicted, he could face decades behind bars. Meanwhile, Forum‑1 has been offline since April 2025, **reportedly** due to a MyBB zero-day vulnerability. Many of its members have since migrated to other platforms, including DarkForums and the Russian-language cybercrime forum XSS.

The exposure of IntelBroker stands out as a major cybercrime takedown. What made it possible was a mix of undercover FBI work, cryptocurrency tracking, and even old-school email evidence, all of which helped track one of the most well-known figures on cybercrime forums.

How an Email, Crypto Wallet and YouTube Activity Led the FBI to IntelBroker

A British national arrested earlier this year in France was charged by the US Department of Justice in connection with a string of major cyberattacks.

'IntelBroker' Suspect Arrested, Charged in High-Profile Breaches

This week, Joe reflects on his unique path into cybersecurity and shares honest advice for breaking into the field. Plus, learn how cybercriminals are abusing AI to launch more sophisticated attacks and what you can do to stay protected.

Thursday, June 26, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Happy summer, friends! I hope everyone is staying cool and/or warm. 

I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the Splunk booth. As often happens to me, I was approached by someone who was looking for mentorship and guidance in how to get into a cybersecurity career. It’s not unusual for me to be approached by folks looking to get into cybersecurity. I’m the large, bearded guy with the Talos shirt, so I stick out.  

So, I’m often asked how I got the career I have in cybersecurity and how others can do the same. For a guy who often has a quip or answer for most things, I always pause here. I can’t help but think of my entire career and the dumb luck and hard work that landed me where I’m at. Giving that summation to others wouldn’t be fair, because... well, my journey wasn’t a linear one. I think for many of my peers, the same applies. We found cybersecurity as a career through a series of events that organically landed us in this field. In my case, moreso than others, the path isn’t easy to follow because there was no clearly staked path for me to follow, either. 

I’ll explain as best I can: One today might go to school and graduate with a degree in information security and/or some security certificates, then begin the job hunt for an entry level gig. These types of degrees, certificates and even jobs simply didn’t exist in any meaningful way or numbers when I started my career. If you wanted to learn cybersecurity, there weren’t classes to take — you got a computer science degree and figured it out. I, like many in the GenX world, started as an IT professional. As the industry and cyber threats evolved, the career space over the years shifted and we found ourselves helping fight the good fight and keeping folks secure. 

Today is truly different, and I’m so happy about it and the opportunities it can give others. I’m envious of the school degrees, industry certifications and mentorship programs that exist today that did not exist for me. There is also an incredibly helpful information security community that provides hacking tutorials, or Capture the Flag competitions (CTFs) or hackathons that I would have loved to have been a part of in my formative years.  

By now, I know you’re thinking, "Cool story, grandpa, but answer the question: how do I get a job in cybersecurity?" In my estimation, the answers are as follows:  

1.  Have a good attitude. 
2.  Be easy to work with. 
3.  Be a forever student. 
4.  Be bad at giving up. 
5.  Find and join a (preferably local) security community. 
6.  Grow where you are planted. 

Notice that none of those things mention anything specifically technical. No malware reverse engineering, red teaming, threat intelligence or security analyzing. I can tell you that to work at Talos, you must exhibit strong traits of all six of those things I listed. One through five makes sense. Good hackers are tenacious, smart, work well with others and seek out fellow friends to network and hack with. 

Number six though – what’s up with that? Simply put, life deals us all a hand of cards that we must play, and those cards may not be great. For example, you want to get a job in cybersecurity, but you’re a primary care giver of a family member and you don’t have a lot of freedom. You might be financially constrained. You may have health issues or a disability that limits some options. Or you simply just have a job that you don’t like, and a career in security calls out to you, but the bills don’t pay themselves. This is all common, and you’re a bit “stuck.”  

So while you’re stuck, find ways to grow where you’re planted. Study. Network locally or online. Try a CTF or a hacking competition. Whatever you do, just keep growing yourself, your skillset and your network. You can do it. And before you know it, you’ll have that career helping to fight the good fight with the rest of us. 

I believe in you! You got this! 

**The one big thing **

Cybercriminals are increasingly exploiting Large Language Models (LLMs) by using uncensored versions, developing their own malicious LLMs or "jailbreaking" legitimate ones to bypass safety protocols. These compromised or malicious LLMs are then used to generate highly convincing phishing campaigns, create harmful code and automate various cybercrime operations, making attacks more sophisticated and scalable. 

**Why do I care? **

Cybercriminals’ widespread abuse of LLMs lowers the barrier to entry for sophisticated attacks, making it easier for even less skilled actors to launch effective campaigns. This means you’re more likely to run into highly convincing phishing attempts, scams and malware that are difficult to distinguish from legitimate communications, putting your personal info and company security at higher risk. 

**So now what? **

Given this evolving threat landscape, it’s important to be extra vigilant and skeptical online. Treat all online communications with caution, even if they look perfectly authentic. For individuals, that means double-checking emails and messages for anything fishy, no matter how well-written they seem. For businesses, it's time to beef up your cybersecurity defenses, invest in smart threat detection and keep your employees sharp on how to spot and report these increasingly clever social engineering tricks.

**Top security headlines of the week **

**New AI Jailbreak Bypasses Guardrails With Ease**   
On topic with our latest blog, the new “Echo Chamber” attack bypasses advanced LLM safeguards by subtly manipulating conversational context, proving highly effective across leading AI models. (SecurityWeek)

**US insurance giant Aflac says customers’ personal data stolen during cyberattack**   
Aflac says hackers stole an unknown quantity of its customers’ personal information from its network during a cyberattack earlier this month. (TechCrunch) 

**APT28 Uses Signal Chat to Deploy New Malware in Ukraine**    
A new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. (The Hacker News) 

**UK watchdog fines 23andMe over 2023 data breach**   
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. (TechCrunch) 

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers. 

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Leveraging Detections from the Splunk Threat Research Team & Cisco Talos**  
Wednesday, July 23  
11:00 a.m. to 12:00 p.m. PDT  
Join us for a discussion around the latest security detections developed for the SOC and how to find and remediate threats, faster.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a**   
MD5: 71b973dbdfc7b52ae10afa4d0ad2b78f   
VirusTotal: https://www.virustotal.com/gui/file/05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a/details   
Typical Filename: PCAppStore.exe   
Claimed Product: PC App Store   
Detection Name: Riskware/VeryFast 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f**   
MD5: 7d5a9a41157fb0002f5234b4512e0ac2   
VirusTotal: https://www.virustotal.com/gui/file/2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f/details   
Typical Filename: pros.exe   
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.76128711

Tag

#intel