Disney agrees to a $10M settlement with the DOJ and FTC over YouTube privacy violations. Learn how the COPPA ruling affects kids' data and Disney's new rules.

In a major move to protect families online, the US Department of Justice (DoJ) announced on December 31, 2025, that Disney has agreed to pay a $10 million civil penalty. The settlement comes after a deep look into how the company handled its massive YouTube presence.

****What Went Wrong?****

According to DoJ’s press release, Disney was accused of breaking the Children’s Online Privacy Protection Act, a law most of us know as COPPA. For your information, COPPA is the rule that stops websites from collecting personal data on kids under 13 without a parent saying it’s okay first. The government’s complaint, filed in a California federal court, claimed that Disney didn’t properly label its videos as being for children.

Because of this, Disney and its partners ended up targeting ads at kids and gathering their info without ever asking the parents. As we know it, Disney’s videos are incredibly popular on YouTube and have been watched billions of times. But because Disney didn’t label these videos as “for kids,” the company skipped the privacy rules that are supposed to automatically protect children, the DoJ explained.

“The government alleged that Disney improperly failed to designate YouTube video content as directed toward children. As a result, Disney, and others acting on Disney’s behalf, targeted advertising toward children on YouTube and unlawfully collected children’s information without parental notice and consent, in violation of COPPA.”

****The Government Steps In****

The Federal Trade Commission (FTC) was the group that originally looked into the matter before handing it over to the Justice Department. Further investigation revealed that Disney failed to designate its content correctly despite its popularity with young audiences.

“The Department will take swift action to root out any unlawful infringement on parents’ rights,” noted Assistant Attorney General Brett A. Shumate. He made it clear that the government wants to ensure parents, not corporations, decide how a child’s data is used.

****Problem for Families****

This isn’t the first time a major platform has faced heat for how it treats children’s data. As Hackread.com recently reported, Roblox was hit with a lawsuit in California for “covertly harvesting data” from its young users. While Disney mislabelled videos, the Roblox suit claims the company used hidden tools to track mouse movements and chat messages to build secret profiles of players.

It must be noted that this isn’t just about the money. While $10 million is a significant fine, the court order also forces Disney Worldwide Services and Disney Entertainment Operations to change how they work. Reportedly, Disney now has to build a specific program to make sure they stay in line with COPPA rules on YouTube from now on.

The legal team involved included names like Zachary A. Dietert and Jacqueline Ford, who worked to finalize this deal. For now, the settlement proves that even the biggest names in entertainment have to play by the rules when it comes to the youngest viewers.

(Photo by Tingey Injury Law Firm on Unsplash)

Disney Fined $10M for Violating Children’s Privacy Laws on YouTube

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.

This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.

Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-f8r6-6222-9pvc: Apache Kyuubi Server vulnerable to Path Traversal

Cybersecurity researchers have disclosed details of a new Python-based information stealer called VVS Stealer (also styled as VVS $tealer) that's capable of harvesting Discord credentials and tokens.
The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42.
"VVS stealer's code is obfuscated by Pyarmor," researchers

Threat Intelligence / Windows Security

Cybersecurity researchers have disclosed details of a new Python-based information stealer called **VVS Stealer** (also styled as VVS $tealer) that's capable of harvesting Discord credentials and tokens.

The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42.

"VVS stealer's code is obfuscated by Pyarmor," researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said. "This tool is used to obfuscate Python scripts to hinder static analysis and signature-based detection. Pyarmor can be used for legitimate purposes and also leveraged to build stealthy malware."

Advertised on Telegram as the "ultimate stealer," it's available for €10 ($11.69) for a weekly subscription. It can also be purchased at different pricing tiers: €20 ($23) for a month, €40 ($47) for three months, €90 ($105) for a year, and €199 ($232) for a lifetime license, making it one of the cheapest stealers for sale.

According to a report published by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking threat actor, who is also active in stealer-related Telegram groups such as Myth Stеaler and Еуes Steаlеr GC.

The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller package. Once launched, the stealer sets up persistence by adding itself to the Windows Startup folder to ensure that it's automatically launched following a system reboot.

It also displays fake "Fatal Error" pop-up alerts that instruct users to restart their computers to resolve an error and steal a wide range of data -

*   Discord data (tokens and account information)
*   Web browser data from Chromium and Firefox (cookies, history, passwords, and autofill information)
*   Screenshots

VVS Stealer is also designed to perform Discord injection attacks so as to hijack active sessions on the compromised device. To achieve this, it first terminates the Discord application, if it's already running. Then, it downloads an obfuscated JavaScript payload from a remote server that's responsible for monitoring network traffic via the Chrome DevTools Protocol (CDP).

"Malware authors are increasingly leveraging advanced obfuscation techniques to evade detection by cybersecurity tools, making their malicious software harder to analyze and reverse-engineer," the company said. "Because Python is easy for malware authors to use and the complex obfuscation used by this threat, the result is a highly effective and stealthy malware family."

The disclosure comes as Hudson Rock detailed how threat actors are using information stealers to siphon administrative credentials from legitimate businesses and then leverage their infrastructure to distribute the malware via ClickFix\-style campaigns, creating a self-perpetuating loop.

"A significant percentage of domains hosting these campaigns are not malicious infrastructure set up by attackers, but legitimate businesses whose administrative credentials were stolen by the very infostealers they are now distributing," the company said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code

Security researcher in "Martha Root" in Pink Power Ranger deletes white supremacist dating sites live onstage, leaks 8,000 profiles and 100GB of data at Chaos Communication Congress (CCC) 2025.

A self-described security researcher operating under the pseudonym Martha Root has breached and exposed thousands of user profiles from a WordPress hosted white supremacist dating website, WhiteDate and two associated platforms, WhiteChild and WhiteDeal.

The incident was discussed during the 39th Chaos Communication Congress (CCC) in Hamburg in late December 2025, and has since drawn both praise and controversy across cybersecurity and political circles.

Root, whose identity remains unknown, published the leaked data on a site she created called okstupid.lol, a play on mainstream dating service OkCupid. A subset of user profiles is now browsable via an interactive map, while the full dataset has been archived through Distributed Denial of Secrets (DDoSecrets), a whistleblower platform known for hosting sensitive leaks.

Homepage of OkStupid.lol

****A Quiet Operation, Then a Public Reveal****

The operation, according to reports Root, involved herself infiltrating the WhiteDate platform and quietly extracting detailed information from user profiles. She also deployed a custom-built AI chatbot to engage with users and gather data more efficiently, effectively automating social engineering at scale. The goal was to “gather as much data as possible before the site went offline or noticed,” Root said.

As seen by Hackread.com, more than 8,000 user profiles and roughly 100 GB of data were extracted. The leaked dataset contains highly detailed personal information, including:

The breach appears to have exposed:

*   Over 8,000 user profiles
*   Profile photos, bios, and declared beliefs
*   Internal communications and admin-level data
*   Information possibly linking users to other accounts
*   Metadata from uploaded images, some containing GPS coordinates.

In her CCC talk, Root reportedly demonstrated how some users reused usernames or email patterns, allowing connections to profiles on mainstream social platforms or previous leaks.

A video of her CCC presentation is now available online, confirming that the onstage demonstration, including the moment she deleted the main WhiteDate website – all this, while she wore a pink Power Ranger costume during the presentation.

> _Imagine calling yourselves the “master race” but forgetting to secure your own website —maybe try mastering to host WordPress before world domination.  
> _
> 
> Martha Root

****Target: WhiteDate and Ideology-Motivated Infrastructure****

WhiteDate, which claimed to be a “dating platform for white people with traditional European values,” was explicitly built around white nationalist and ethnonationalist ideologies. The site marketed itself as a “counter to woke culture” and used far-right imagery and talking points in its branding.

WhiteDate’s own servers reportedly failed to properly secure user information or restrict bot activity. Root exploited those vulnerabilities to access the underlying infrastructure and map out user data with minimal resistance. She also claims to have identified the site’s owner and administrative team, though those details have not been published.

Two additional far-right platforms, AryanDate and NationalistConnect, were also caught up in the data scraping, though it’s unclear whether Root’s method of access was the same for each.

Watch as Martha Root deletes all targeted white supremacist dating websites along with other linked infrastructure – Video source: Chaos Communication Congress (CCC) – Via @IntCyberDigest on X

****Publishing the Data: okstupid.lol and DDoSecrets****

Root created okstupid.lol as a satirical front-end to the leak, letting anyone view sanitized versions of the profiles with photo redactions and pseudonyms. However, the full unredacted dataset has been handed over to DDoSecrets, a group that has published troves of leaked content over the years including police documents, fascist group chat logs, and financial data from authoritarian regimes.

Watch Martha Root’s as she explains the hack:

****Legal and Social Fallout****

There has been no formal response from the owners of WhiteDate. The site’s domain went offline shortly after the CCC event and remains down with “nginx - 404 Not Found” error message as of this writing. It is not known whether legal action is being pursued, though Root’s anonymity and the site’s ideological nature may limit options for recourse.

In Germany, where the CCC took place and where hate speech and extremist content are prosecuted more aggressively than in many other countries, the online reaction to the leak has been largely supportive across activist and antifascist circles.

Some screenshots showing reaction from public

****Who Is Martha Root?****

The name Martha Root is itself a historical reference, a nod to an early 20th-century peace activist and writer. This alias is part of a pattern among some modern-day infosec figures who adopt names of past radicals or subversives as symbolic identities.

Nevertheless, little is known about Root other than her technical capability and antifascist intent. The CCC presentation focused on methods and outcomes, not identity. As a result, the data is out, the site is gone, and the fallout is ongoing.

Researcher Wipes White Supremacist Dating Sites, Leaks Data on okstupid.lol

Resecurity denies breach claims by ShinyHunters, says attackers accessed a honeypot with fake data. No real systems or customer info were compromised.

Cybersecurity firm Resecurity has responded to recent claims made by the hacking group ShinyHunters, **who earlier today** alleged they had successfully breached the company’s internal systems and exfiltrated sensitive data. The firm, however, says the hackers were interacting with a honeypot, not their real infrastructure.

****ShinyHunters’ Claim****

On January 3, ShinyHunters announced via their Telegram channel that they had “gained full access” to Resecurity’s internal systems. The group claimed to have obtained employee records, internal chat logs, threat intelligence files, client data, and more.

They also shared multiple screenshots that appeared to show access to backend dashboards, user profiles, tokens, and internal chat discussions. The leak was positioned as a retaliatory move, with the group accusing Resecurity of previously attempting to social engineer them under the guise of fake buyers on dark web forums.

****Resecurity’s Response****

Resecurity countered the allegations with a detailed statement to Hackread.com and referred to its December 24, 2025’s **blog post** titled “Synthetic Data: A New Frontier for Cyber Deception and Honeypots.” According to the company, the attackers were interacting with a simulated environment specifically designed to deceive and log unauthorised activity.

The honeypot, as described, included synthetic employee accounts, fake apps, and isolated infrastructure unrelated to real operations or customers. One such decoy was reportedly planted via a dark web marketplace using a bait account. The company shared evidence of this setup with Hackread.com, including logs of the attackers’ interactions and screenshots showing repeated access to fake accounts such as [email protected].

In a screenshot shared publicly, the attacker’s activity is mapped across various IP addresses, some of which appear to be real and unmasked due to proxy failures. This, according to Resecurity, supports their assertion that the environment worked as intended, recording detailed behavioural data on the intruder.

Screenshot via Resecurity

****No Impact Claimed****

Resecurity stated that no actual client data, passwords, or operational systems were affected. The honeypot was isolated from production environments, and the incident caused no disruption or breach of real assets. The firm also emphasised that its use of synthetic data and deception tactics is a common counterintelligence strategy for identifying and studying threat actors.

In addition, Resecurity linked to a prior **blog post** from September 2025 detailing the activity of groups including ShinyHunters, suggesting the attack may have been motivated in part by their ongoing exposure of such actors.

****Bottom Line****

ShinyHunters presented what they framed as a major breach, but Resecurity has responded with a clear denial backed by logs and timing that suggest the incident was part of a controlled trap. Until further details emerge, the situation suggests that the honeypot strategy may have worked as intended in misleading the group and logging their activity.

Resecurity Says ShinyHunters Fell for Honeypot After Breach Claim

This article has been updated with a statement from Resecurity. A separate, updated article covering the incident has…

This article has been updated with a statement from Resecurity. A separate, updated article covering the incident has also been published, titled: _**Resecurity Says ShinyHunters Fell for Honeypot After Breach Claim**_.

The hacking group ShinyHunters has claimed responsibility for breaching **Resecurity**, a US-based cybersecurity company headquartered in Los Angeles. In a public Telegram post shared earlier today, the group announced it had gained full access to internal systems and released a set of screenshots to support its claim.

The images depict several internal Resecurity dashboards, user management panels, token databases, and employee communication channels. The interfaces shown include sensitive user data, API keys, access tokens, and internal Mattermost chat conversations.

In their post, **ShinyHunters** claimed they exfiltrated:

*   Full internal chats and logs
*   Internal plans discussed in chat logs
*   A complete client list with related details
*   Threat intelligence data, reports, and management documents
*   Employee information, including names, email addresses, and authentication tokens.

****Screenshots Analysed****

The screenshots analysed by Hackread.com show user accounts linked to corporate domains, user tokens under **Firebase Cloud Messaging** (FCM), and internal chat conversations referring to reports on scam numbers and moderation actions.

One image shows admin and user panels with real-time access tokens and email accounts, while another displays a list of employee profiles with active statuses and API credentials exposed. Hackread.com also cross-checked the names visible in the screenshots on LinkedIn, and they appear to be linked to Resecurity.

In a message accompanying the images, ShinyHunters accused Resecurity of attempting to infiltrate or deceive threat actor groups by posing as buyers on **dark web markets**. They referenced a previous incident involving a database related to Vietnam’s financial systems, stating that Resecurity staff sought free samples while claiming to be potential clients. ShinyHunters framed the alleged breach as retaliation for these tactics.

Screenshots shared by ShinyHunters – Hackread.com have redacted them for privacy reasons.

They also mentioned collaboration with the Devman ransomware group in executing the attack. The post references prior claims involving other high-profile breaches, such as **CrowdStrike**, framing this incident as part of a continued effort targeting firms they label as hypocritical or deceptive.

ShinyHunters announced their claims on Telegram (Image credit: Hackread.com)

****Unconfirmed For Now****

As of now, Resecurity has not issued any public response or confirmation regarding the breach. The authenticity and scope of the compromise remain unverified by third-party sources. If confirmed, the incident would mark Resecurity as the first major target publicly claimed by ShinyHunters in 2026.

Resecurity has **previously worked with both government** and private sector entities in cybercrime investigation, threat attribution, and digital forensics. This said breach could have implications for partners, clients, and broader trust in their services, particularly if sensitive intelligence or client data was exposed.

More information is expected as the situation develops.

****Update:****

Following the publication, Resecurity responded and clarified that the environment accessed by the threat actor was part of a controlled honeypot operation. According to the company, synthetic data and decoy applications were deployed intentionally to monitor malicious activity, with no link to real customer systems or internal operations.

Resecurity stated there was no data loss, no exposure of actual passwords, and no impact on clients. They also published a detailed log of the attacker’s activity, including a screenshot showing multiple entries tied to the fake honeypot email address [email protected], along with IP addresses and endpoint requests. The screenshot further supports their claim that the actor was interacting with a decoy system rather than any production environment.

More on this is **available here**.

ShinyHunters Claim Breach of US Cybersecurity Firm Resecurity (Updated)

RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites.

If you have a smart camera at home or a small website for your business, you could be helping hackers without even knowing it, as cyber criminals are breaking into thousands of everyday devices using the RondoDox botnet. They are building a botnet, which is basically a giant army of hijacked computers that they control from far away.

According to a report from CloudSEK, these attackers are now exploiting a critical flaw called React2Shell (CVE-2025-55182). This flaw is found in Next.js, a popular tool used to build websites. It is very dangerous because it lets hackers take over a computer or server without needing a password.

****A Calculated Three-Step Takeover****

Right after this security flaw was discovered in December 2025, the RondoDox group began hunting for victims. Data from the Shadowserver Foundation shows that over 90,300 systems were left wide open by the end of the year. While the US has the most at-risk devices (over 68,000), thousands of others are vulnerable in Germany, France, and India.

Loggers used by threat actors (Source: CloudSEK)

Further investigation revealed that the hackers didn’t just start overnight; they used a three-step plan to grow, starting in early 2025 when they tested for basic website weaknesses like SQL injection to trick databases. By the summer, they began mass-scanning for popular platforms like WordPress and Drupal, while also targeting home Wavlink routers. By the end of the year, the attack became fully automated.

In their blog post, researchers noted six control centres sending out ten different versions of the virus to hit almost any type of machine architecture, from high-end cloud servers to basic home equipment.

****Who is at Risk?****

RondoDox can infect almost any device. The most common targets are:

*   Websites: Any site built with Next.js or WordPress.
*   Home Routers: Brands like D-Link, Netgear, and TP-Link.
*   Smart Tech: IP cameras and other gadgets connected to your Wi-Fi.

****The Hacker’s Toolkit****

Once inside, the hackers install hidden programs with strange names. They use “/nuts/poop” to steal the device’s power to mine digital currency and “/nuts/x86,” a version of the infamous Mirai malware, to help the botnet spread.

Perhaps the most aggressive tool is “/nuts/bolts.” This “health checker” scans the device every 45 seconds to kill any other rival viruses. It even wipes out old digital footprints to make RondoDox the sole owner of your device.

The best way to stay safe is to keep your technology updated. If you run a website, install the latest security fixes for Next.js right away. For your home, it is a smart move to connect gadgets like smart cameras to a separate Wi-Fi network so that if a hacker gets into a camera, they cannot reach your private phone or computer. Also, you should check your router’s settings and install any new software updates immediately.

RondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices

Being targeted by sophisticated spyware is relatively rare, but experts say that everyone needs to stay vigilant as this dangerous malware continues to proliferate worldwide.

In December, hundreds of iPhone and Android users received a threat notification, warning them their device had been targeted by spyware. Days later, Apple and Google patched security holes that experts think were used to plant the stealthy malware on a select group of devices.

Spyware is so dangerous because the adversary is able to see and hear everything you do on your smartphone, including via encrypted messaging apps such as WhatsApp and Signal. But it tends to be extremely targeted against dissidents, journalists, politicians, and business leaders operating in certain sectors.

The malware has hit a number of high-profile people, including former Amazon CEO Jeff Bezos and Hanan Elatr, wife of murdered Saudi dissident Jamal Khashoggi—who were both compromised by NSO Group’s Pegasus spyware.

Today, spyware remains just as prolific in these circles, but experts think its impact could be widening. In early December, as Google issued its threat notification, the tech firm’s researchers detailed how an exploit chain was used to install Predator spyware surreptitiously onto a device.

It came after an alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA), warning users that adversaries are “actively leveraging” commercial spyware to target mobile messaging applications.

As the risk increases, what can you do to protect your Android device or Apple iPhone?

**Zero-Click Attacks**

Spyware often hits smartphones in so-called zero-click attacks, meaning your phone can become infected without clicking a link, downloading a malicious image, or any other kind of user interaction.

The attack cannot be mitigated via the usual routes. If the malware has infected your smartphone, adversaries can “read messages, observe keystrokes, take screenshots, monitor notifications, and access banking apps,” according to Pieter Arntz, a senior malware researcher at security firm Malwarebytes.

With full system access, spyware can “exfiltrate data such as emails and texts, send messages, steal credentials, and log in to cloud systems,” says Rocky Cole, cofounder of iVerify, an app that helps users to detect spyware.

Aside from zero-click attacks, spyware can infect a device when someone clicks on a compromised link sent over text, email, or social media. Meanwhile, the malware can hide in malicious apps that appear to be legit. It can also be concealed in an image file and downloaded via a message, or get onto your smartphone due to vulnerabilities in your browser.

Infection usually starts through malicious links and fake apps, but it is also taking place via “more subtle methods,” says Richard LaTulip, a field CISO at security company Recorded Future, which collaborated with Google’s threat intelligence team on the Predator spyware findings.

LaTulip cites the example of recent research on malicious browser extensions affecting millions of users that shows “how seemingly harmless tools can become surveillance devices.”

These techniques, often developed by nation-state adversaries linked to governments, indicate a trend toward “more covert, persistent, and device-level compromises,” he says.

**A Bigger Problem**

Over the past few years, spyware has become a growing issue. Governments and the companies that make the malware say the surveillance tools are used to target only criminals and terrorists, or for national security purposes.

“But the truth is that human rights activists, journalists, and many others across the world have been unlawfully targeted with spyware,” Rebecca White, Amnesty International’s researcher on targeted surveillance, tells WIRED. “In this way, spyware can be used as a tool of repression—to silence people speaking truth to power.”

Thai activist Niraphorn Onnkhaow is a prime example. Between 2020 and 2021, at the height of Thailand’s pro-democracy protests, Onnkhaow was targeted 14 times by Pegasus spyware. Soon afterward, she decided to end her role in the protest movement amid fears that her private data could be weaponized against her.

“Data can be weaponized and lead to more abuse, online and offline—especially for people who already face discrimination based on their identity; for example, on the basis of gender or race,” White says.

Beyond activists, mobile spyware appears to be targeting a wider subset of people, often within a business environment. The malware is hitting “a wide range of society,” from government officials to financial IT workers, says iVerify’s Cole. “Increasingly, it's used beyond intelligence gathering, to steal credentials for enterprise access.”

**Signs You’ve Been Hit**

Spyware is difficult to detect—especially sophisticated strains such as Pegasus and Predator, which are typically only discovered via forensic analysis. But you might notice some subtle signs, such as your device overheating or slowing down, or your camera or mic activating when they’re not supposed to be in use.

While advanced spyware may leave little to no visible trace, sudden drops in performance or changes in connectivity can serve as early warning signs, says LaTulip.

One more obvious indicator of being hit by a sophisticated campaign is an official threat notification from Apple, Meta, or Google. This “should be taken seriously,” White says.

Another sign is leaked private information that you haven’t shared previously, or if colleagues or friends have been compromised.

**How to Prevent and Mitigate Spyware**

The most reliable way to mitigate spyware is to prevent your device being taken over in the first place. If you think you may be at risk, Apple offers Lockdown Mode, which includes a higher level of security with reduced functionality that has improved over time as the feature has been updated. For example, it blocks most message attachments and incoming FaceTime calls.

To enable Lockdown Mode on your iPhone, go to **Settings** > **Privacy & Security** > **Lockdown Mode** and tap **Turn On Lockdown Mode**.

Ivan Krstić, vice president of Apple security engineering and architecture, tells WIRED there “has never been a successful, widespread malware attack” against the iPhone. The only system-level iOS attacks Apple has seen in the wild come from mercenary spyware, according to the iPhone maker. In other words, iPhones have been infected with spyware, but only the most sophisticated type, Krstić says.

Krstić describes how mercenary spyware is “historically associated with state actors and costs millions of dollars to target a very small number of specific individuals and their devices.” He adds that Apple has continued to develop new methods for combating spyware, including Lockdown Mode and Memory Integrity Enforcement.” Introduced alongside the latest iPhone line-up, Memory Integrity Enforcement is a “comprehensive, always-on memory-safety protection,” which helps prevent memory corruption exploits often used in spyware attack chains.

Krstić is confident about Memory Integrity Enforcement’s advancements, claiming that the new feature is “the most significant upgrade to memory safety in the history of consumer operating systems.”

Google offers spyware protection for Android called Advanced Protection, which has been enhanced in Android 16 with intrusion logging, USB protection and the option to disable auto-reconnect to insecure networks. It can be enabled via your **Settings** > **Security & Privacy** > **Other Settings** > **Advanced Protection**.

In addition to using anti-spyware features, all users should be mindful of clicking links from strangers, says White. “Pay attention to changes in devices’ functioning. Using a reputable VPN can help prevent some forms of surveillance and censorship,” she says. “Evaluate any new requests for social media followers before accepting. Visit Amnesty’s secure onion website, privately and anonymously, using the Tor network’s browser.”

More generally, exercise “strict control” over what gets installed on your device, adds Arntz.

At the same time, avoid side-loading on Android and ensure your mobile operating system and apps are fully updated. “Patches often close the same vulnerabilities that spyware relies on,” warns LaTulip.

Experts say spyware can be temporarily disrupted by turning your smartphone off and on again. However, if the malware does get on your device, the best course of action is to ditch it altogether.

Alongside Amnesty, several organizations can support members of civil society concerned they have been targeted with spyware, such as Access Now and Reporters Without Borders.

Above all, operate with a healthy skepticism, says LaTulip. “Assume compromise is possible, but avoid the paranoia that shuts down normal use.”

How to Protect Your iPhone or Android Device From Spyware

The world of finance has undergone a remarkable transformation with the rise of digital wallets and financial technology…

The world of finance has undergone a remarkable transformation with the rise of digital wallets and financial technology platforms. As people continue to rely on mobile and online tools to manage their money, security has become a central concern.

Convenience and accessibility come with risks, especially when they involve sensitive financial data. Protecting your digital wallet means understanding how fintech security works, what threats exist, and what measures you can take to safeguard your information.

****Understanding the Foundation of Fintech Security****

Fintech platforms are built to make financial transactions faster, easier, and more efficient. However, the same features that make these tools attractive also make them vulnerable to cyber threats. Digital wallets store a combination of personal details, authentication data, and financial information. If these are compromised, the results can be devastating.

Security in fintech revolves around three key principles: authentication, encryption, and monitoring. Authentication ensures that only authorised users access their accounts. Encryption keeps data secure as it travels across digital networks. Monitoring helps identify and prevent suspicious activity before it turns into a serious breach.

****The Role of Ongoing Monitoring and Data Protection****

In addition to traditional security tools, fintech companies have introduced advanced mechanisms for continuous protection. Ongoing monitoring ensures that transactions and user behaviour are analysed in real time, helping identify unusual activity. This proactive approach enables faster responses to threats and minimises the damage caused by potential intrusions.

One area where continuous vigilance plays an important role is through the use of credit monitoring services. These services alert users to any unexpected changes in their credit profiles, such as new accounts being opened or inquiries made without authorisation.

They act as an early warning system for potential identity theft, giving users the opportunity to act quickly before major damage occurs. This complements the security measures built into fintech platforms, offering a more comprehensive defence against digital fraud.

****Recognising the Common Threats to Your Digital Wallet****

Cybercriminals continuously adapt their tactics to exploit vulnerabilities in digital finance systems. Phishing scams remain one of the most common methods used to steal user credentials. These scams often appear as legitimate messages or emails urging users to update their information or verify transactions. Once the user provides their details, the attacker gains access to their account.

Another frequent threat involves malware designed to capture keystrokes or screen activity. This type of software can infiltrate a user’s device when they download suspicious apps or click on unverified links. In some cases, attackers may even disguise their software as harmless financial tools, tricking users into installing them.

Public Wi-Fi networks can also pose significant dangers. Using unsecured networks to access your digital wallet may expose your data to interception. Hackers can easily monitor data transmissions on open networks, capturing sensitive information like login credentials or account numbers.

****How Encryption Keeps Transactions Secure****

Encryption is one of the most effective defences in fintech security. It ensures that any information sent between your device and the platform’s servers remains unreadable to unauthorised parties. Even if a hacker intercepts the data, the encrypted format prevents them from understanding or misusing it.

Modern fintech applications use advanced encryption algorithms that constantly evolve to stay ahead of cyber threats. These algorithms transform information into complex codes that can only be decoded with a unique digital key. This key is stored securely and is accessible only to authorised systems.

****The Importance of Personal Security Practices****

No matter how advanced fintech systems become, user behaviour still plays a critical role in maintaining security. Strong passwords, secure devices, and cautious online habits form the foundation of personal protection.

Users should avoid using the same password across multiple accounts and update them periodically. Passwords should include a mix of letters, numbers, and symbols to make them harder to guess. Enabling biometric verification and multi-factor authentication wherever possible adds another layer of safety.

Keeping devices updated is equally important. Software updates often include patches for newly discovered security flaws. Ignoring them can leave devices vulnerable to exploitation. It is also advisable to install trusted security software that can detect and remove potential threats before they cause harm.

When making online transactions, users should confirm that the website or app is secure. Look for secure connections that begin with “https” and avoid sharing sensitive information through unsecured forms or links. Awareness and vigilance can go a long way in preventing security breaches.

****Building Trust Through Transparency and Regulation****

Fintech security is not solely about technology; it also involves trust. Users place significant confidence in platforms that manage their money. That trust is earned through transparency and compliance with established regulations.

Reputable fintech providers are required to follow strict data protection laws that dictate how user information can be collected, stored, and processed. They must also maintain open communication about their security policies, including how they handle breaches and user complaints.

Transparency reassures users that their data is not being misused and that the company is taking proactive measures to prevent unauthorised access. It also creates accountability, ensuring that providers remain committed to maintaining strong security practices.

Users should always take time to review the privacy and security sections of a fintech platform’s website. Understanding how a company protects its users helps make informed decisions about which platforms to trust.

****Moving Forward with Awareness and Responsibility****

As digital wallets continue to redefine how people manage their money, maintaining security awareness has never been more important. The responsibility for protection lies not only with fintech companies but also with users who must remain alert and informed.

The convenience of mobile payments, online transfers, and digital budgeting tools is undeniable. Yet every advancement in technology introduces new potential risks. Staying educated about fintech security, using strong authentication methods, and monitoring financial activity regularly are essential habits that can prevent serious problems.

Ultimately, protecting your digital wallet means taking control of your financial security. By combining technological safeguards with mindful personal practices, users can enjoy the benefits of fintech with greater confidence and peace of mind.

(Photo by Shubham Dhage on Unsplash)

Protecting Your Digital Wallet: What You Need to Know About Fintech Security

### Summary
SSTI is possible via first name and last name parameters provided by lowest-privileged users.
### Details
1. Go to `http://127.0.0.1:8000/` and login or signup 
2. Go to `http://127.0.0.1:8000/customer/account/profile`
3. Now edit the first name and last name to {{7*7}}
4. Notice it appears as 49

### POC
- Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912

### Impact
This can lead to RCE, command injection.

Tag

#web