CySecurity News
cysecuritynews.bsky.social
CySecurity News is one of the leading IT security news portals, delivering news on #security #hacking #Exploit #CyberCrime & #infosec #Hacker.

https://www.cysecurity.news/
Aadhaar Verification Rules Amended as India Strengthens Data Compliance #AadhaarVerification #BiometricDataProtection #Compliance
Aadhaar Verification Rules Amended as India Strengthens Data Compliance
India's flagship digital identity infrastructure, Aadhaar, is expected to undergo significant regulatory changes in the coming days following a formal amendment to the Aadhaar (Targeted Determination of Services and Benefits Management) Regulations, 2.0. The revision formally recognises facial authentication as a legally acceptable method of verifying a person's identity, a significant departure from traditional biometric methods such as fingerprinting and iris scans. The updated regulations introduce a stronger compliance framework built on explicit user consent, data minimisation and privacy protection. The government appears to have made a deliberate effort to align Aadhaar's operational model with evolving expectations about biometric governance, data protection and the responsible use of digital identity systems. As part of the overhaul, the Unique Identification Authority of India (UIDAI) has introduced a new digital identity tool, the Aadhaar Verifiable Credential, to enable secure and tamper-proof identity verification. The authority has also tightened the compliance framework governing offline Aadhaar verification, placing greater accountability on entities that authenticate identities without real-time access to the UIDAI system. These measures were introduced through amendments to the Aadhaar (Authentication and Offline Verification) Regulations, 2021, formally published by the UIDAI on December 9 in the Gazette and on UIDAI's website. UIDAI has also launched a dedicated mobile application that gives individuals greater control over how their Aadhaar data is shared, underlining the shift towards a user-centric, privacy-conscious identity ecosystem.
Under the new rules, facial recognition is officially authorised as a valid means of authentication, while consent, purpose-limitation and data-use requirements are tightened to ensure compliance with the Digital Personal Data Protection Act. The revisions also substantially broaden the scope of Aadhaar's deployment, extending its use to a wider range of private-sector scenarios under stricter regulation, so that its usefulness reaches beyond welfare delivery and government services. The change coincides with UIDAI's preparations to launch a newly designed Aadhaar mobile application. According to officials, the application will support Aadhaar-based identification for routine scenarios such as event access, hotel registrations, deliveries and physical access control, without continuous real-time authentication against a central database. Alongside explicitly recognising facial authentication next to the existing biometric and one-time password mechanisms, the updated framework strengthens the provisions governing offline Aadhaar verification, so that identity checks can be carried out in a controlled manner without a direct connection to UIDAI's systems. Offline verification is also broadened beyond the limited QR code scanning previously used: the notification authorises several verification methods, including QR code-based checks, paperless offline e-KYC, Aadhaar Verifiable Credential validation, electronic authentication through Aadhaar and paper-based offline verification.
Additional mechanisms can be approved over time. The most significant aspect of this expansion is the introduction of the Aadhaar Verifiable Credential, a digitally signed, cryptographically secured document containing some demographic data. Because it can be verified locally without constantly consulting UIDAI's central databases, the credential aims to reduce systemic dependency on live authentication while addressing long-standing privacy and data security concerns. The regulations also introduce offline face verification, which allows a locally captured picture of the Aadhaar holder to be compared with the photo embedded in the credential without transmitting biometric information over an external network. Furthermore, the amendments establish a formal regulatory framework for the entities that conduct these checks, called Offline Verification Seeking Entities. UIDAI now requires organisations seeking to conduct offline Aadhaar verification to register, submit detailed operational and technical disclosures and adhere to prescribed procedural safeguards. The authority has been granted powers to review applications, conduct inspections, obtain clarifications, and suspend or revoke access in the case of non-compliance. The enforcement provisions clearly set out the grounds for action, including misuse of verification facilities, deviation from UIDAI standards, failure to cooperate with audits and facilitation of identity-related abuse. Notably, the rules require that affected entities be given an opportunity to present their case before punitive measures are imposed, reinforcing due process and fairness in regulation.
At present, Aadhaar-based verification in the private sector remains largely unstructured: hotels, housing societies and other service providers routinely collect photocopies or images of identity documents, which are then shared informally among vendors, security personnel and front desk staff with little clarity about how they will be retained or deleted. The new registration framework is intended to replace this fragmented practice with a regulated one, in which private organisations are formally onboarded as Offline Verification Seeking Entities and required to use UIDAI-approved verification flows instead of storing Aadhaar copies, whether physical or digital. A key element of UIDAI's upcoming mobile application in this transition is selective disclosure, which allows residents to choose what information is shared for a particular purpose. A hotel, for example, might receive only the guest's name and age bracket, a telecommunications provider the address, or a delivery service the name and photograph, rather than a full identity record. The application will also store Aadhaar details for family members, allow biometric locks and unlocks to be performed instantly, and let demographic information be updated directly, reducing reliance on paper-based processes. As a result, control shifts increasingly towards individuals, reducing the data-exposure risk faced by service providers and curbing the indefinite circulation of identity documents. The regulatory push is part of a broader ecosystem-building initiative by UIDAI. In November, the organisation held a webinar attended by over 250 organisations, including hospitality chains, logistics companies, real estate managers and event planners, to prepare for the rollout.
This outreach comes amid ongoing concerns about vulnerabilities in the Aadhaar ecosystem. According to data from the Indian Cyber Crime Coordination Centre, Aadhaar Enabled Payment System transactions accounted for approximately 11 percent of cyber-enabled financial fraud in 2023. Several states have reported instances in which cloned fingerprints linked to Aadhaar were used to siphon beneficiary funds, most often after data leaked from public records or inadequately secured computer systems. Some privacy experts regard Aadhaar-based authentication as a systemic risk, warning that the risk could grow if safeguards are not developed in parallel with its extension into private access environments. Civil society researchers highlighted earlier this year that anonymised Aadhaar-linked datasets remain at risk of re-identification, and that current data protection law does not regulate anonymised data sufficiently, so the new controls could break down when such data is repurposed and processed downstream. The amendments recalibrate Aadhaar's role within India's rapidly growing digital economy, balancing greater usability with tighter governance in a conscious effort to change the system's status. By formalising offline verification, restricting data use through selective disclosure and imposing clearer obligations on private actors, the revised regulations aim to curb the informal practices that have long contributed to privacy and security risks. Their success, however, will depend largely on disciplined implementation, continued regulatory oversight and the willingness of industry stakeholders to abandon legacy habits of indiscriminate data collection.
The transition offers service providers many advantages: they can reduce compliance risk by adopting more efficient, privacy-preserving verification methods, while residents gain greater control over their personal data in everyday interactions with providers. As Aadhaar moves out of open access environments and deeper into private settings, continued transparency from UIDAI, regular audits of verification entities and public awareness of consent and data rights will be critical to preserving trust in Aadhaar and ensuring that convenience does not come at the expense of security. There has been much debate about how large-scale digital identity systems can evolve responsibly in an era of heightened data protection expectations; if the changes are implemented as planned, they could serve as a blueprint for that evolution.
dlvr.it
December 19, 2025 at 12:12 PM
AI in Cybercrime: What’s Real, What’s Exaggerated, and What Actually Matters #AItools #ArtificialIntelligence #CyberCrime
AI in Cybercrime: What’s Real, What’s Exaggerated, and What Actually Matters
  Artificial intelligence is increasingly influencing the cyber security infrastructure, but recent claims about “AI-powered” cybercrime often exaggerate how advanced these threats currently are. While AI is changing how both defenders and attackers operate, evidence does not support the idea that cybercriminals are already running fully autonomous, self-directed AI attacks at scale. For several years, AI has played a defining role in cyber security as organisations modernise their systems. Machine learning tools now assist with threat detection, log analysis, and response automation. At the same time, attackers are exploring how these technologies might support their activities. However, the capabilities of today’s AI tools are frequently overstated, creating a disconnect between public claims and operational reality. Recent attention has been driven by two high-profile reports. One study suggested that artificial intelligence is involved in most ransomware incidents, a conclusion that was later challenged by multiple researchers due to methodological concerns. The report was subsequently withdrawn, reinforcing the importance of careful validation. Another claim emerged when an AI company reported that its model had been misused by state-linked actors to assist in an espionage operation targeting multiple organisations. According to the company’s account, the AI tool supported tasks such as identifying system weaknesses and assisting with movement across networks. However, experts questioned these conclusions due to the absence of technical indicators and the use of common open-source tools that are already widely monitored. Several analysts described the activity as advanced automation rather than genuine artificial intelligence making independent decisions. There are documented cases of attackers experimenting with AI in limited ways. 
Some ransomware has reportedly used local language models to generate scripts, and certain threat groups appear to rely on generative tools during development. These examples demonstrate experimentation, not a widespread shift in how cybercrime is conducted. Well-established ransomware groups already operate mature development pipelines and rely heavily on experienced human operators. AI tools may help refine existing code, speed up reconnaissance, or improve phishing messages, but they are not replacing human planning or expertise. Malware generated directly by AI systems is often untested, unreliable, and lacks the refinement gained through real-world deployment. Even in reported cases of AI misuse, limitations remain clear. Some models have been shown to fabricate progress or generate incorrect technical details, making continuous human supervision necessary. This undermines the idea of fully independent AI-driven attacks. There are also operational risks for attackers. Campaigns that depend on commercial AI platforms can fail instantly if access is restricted. Open-source alternatives reduce this risk but require more resources and technical skill while offering weaker performance. Cyber authorities have acknowledged that AI will accelerate certain attack techniques, particularly vulnerability research. However, fully autonomous cyberattacks remain speculative. The real challenge is avoiding distraction. AI will influence cyber threats, but not in the dramatic way some headlines suggest. Security efforts should prioritise evidence-based risk, improved visibility, and responsible use of AI to strengthen defences rather than amplify fear.
dlvr.it
December 18, 2025 at 5:22 PM
Trusted Browser Extensions Turn Rogue in ShadyPanda Malware Campaign Affecting Chrome and Edge #ChromeWebStoremalware #Edgespywareextensions #KoiSecurityreport
Trusted Browser Extensions Turn Rogue in ShadyPanda Malware Campaign Affecting Chrome and Edge
Malicious browser extensions sometimes slip into official marketplaces like the Chrome Web Store by disguising themselves as genuine tools. Detecting them becomes even harder when they behave legitimately at first, only turning harmful after users have grown to trust them. This tactic was recently uncovered on Google Chrome and Microsoft Edge. Researchers at Koi Security discovered several extensions on both platforms that functioned normally for years before being updated with malicious code. These updates enabled attackers to monitor user activity, collect sensitive information, and secretly send that data to external servers. The operation, dubbed ShadyPanda, amassed nearly four million downloads and remains active on Edge. Earlier this year, threat actors used a similar approach on Firefox. They first released harmless extensions designed to imitate popular cryptocurrency wallets. After gaining approval, downloads, and positive reviews, they later injected malicious functionality that logged user inputs in form fields, allowing attackers to access and steal crypto assets. According to Koi Security, ShadyPanda originally began as an affiliate fraud scheme. Around 145 extensions posing as wallpaper and productivity tools were published across Chrome and Edge. In the initial phase, these add-ons inserted affiliate tracking codes and generated commission-based revenue through clicks to platforms like eBay, Amazon, and Booking.com. Over time, the campaign escalated to manipulating search results and eventually narrowed down to five extensions launched in 2018 that were later transformed into malware. Some of these extensions gained significant credibility. They were labeled as Featured and Verified on Chrome, and one cache-cleaning tool called Clean Master achieved a 4.8-star rating from thousands of users.
In 2024, updates to these extensions introduced malware capable of checking in hourly for commands, maintaining complete browser access, and transmitting user data back to ShadyPanda-controlled servers. These extensions have since been removed from Chrome. In 2023, attackers also introduced five additional extensions to Microsoft Edge, including one called WeTab. Two of these functioned as full-scale spyware, and all remained active at the time of Koi Security’s report. Because malicious extensions often masquerade as legitimate ones, simply scanning your installed add-ons may not reveal any obvious threats. Koi Security has published a list of extension IDs linked to the ShadyPanda campaign, which users should manually check. On Chrome, users can enter chrome://extensions/ in the address bar, enable Developer mode, and view the IDs of installed extensions. These IDs can then be searched individually using the browser’s find function. If none match the listed malicious IDs, the browser is likely safe. If a match is found, the extension should be removed immediately. Edge users can follow the same steps via edge://extensions/. This campaign highlights that even long-installed extensions can later be weaponized. Users should apply the same caution to browser add-ons as they do to mobile or desktop apps. Carefully review extension names, as fake ones often closely resemble legitimate tools. Watch for spelling errors, mismatched descriptions or images, and suspicious review patterns, such as an unusually high number of positive ratings in a short time. Conducting additional checks through online searches or community forums like Reddit can also help verify whether an extension is trustworthy.
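The manual ID check described above can be scripted so that it is repeatable across many machines. The following is an added example, not code from the article or from Koi Security: it walks a Chromium-style profile's Extensions directory (assumed layout `<User Data>/Default/Extensions/<id>/<version>/manifest.json`, which Chrome and Edge share), collects the installed extension IDs and names, and compares them with a FLAGGED_IDS set. The IDs in that set are constructed placeholders, not real ShadyPanda indicators; replace them with the list Koi Security published. Run it with no arguments to scan the default Chrome and Edge profile paths, or pass one or more Extensions directories explicitly; if no profile is found it scans a constructed sample profile so the logic can be exercised offline.

```python
"""Compare installed Chrome/Edge extension IDs with a list of flagged IDs.

Added example (not from the article or Koi Security). Assumes the Chromium
profile layout <User Data>/Default/Extensions/<id>/<version>/manifest.json.
FLAGGED_IDS holds constructed placeholder IDs; fill it from the published list.
"""
import json
import os
import re
import sys
import tempfile

# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholders for this example, NOT real ShadyPanda IDs.
FLAGGED_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
}


def default_extensions_dirs():
    """Return the usual Default-profile Extensions dirs for Chrome and Edge that exist on this OS."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        base = os.environ.get("LOCALAPPDATA", home)
        candidates = [
            os.path.join(base, "Google", "Chrome", "User Data", "Default", "Extensions"),
            os.path.join(base, "Microsoft", "Edge", "User Data", "Default", "Extensions"),
        ]
    elif sys.platform == "darwin":
        candidates = [
            os.path.join(home, "Library", "Application Support", "Google", "Chrome", "Default", "Extensions"),
            os.path.join(home, "Library", "Application Support", "Microsoft Edge", "Default", "Extensions"),
        ]
    else:
        candidates = [
            os.path.join(home, ".config", "google-chrome", "Default", "Extensions"),
            os.path.join(home, ".config", "microsoft-edge", "Default", "Extensions"),
        ]
    return [d for d in candidates if os.path.isdir(d)]


def list_installed_extensions(extensions_dir):
    """Map extension ID -> (name, version) for every extension found under extensions_dir."""
    found = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        if not EXT_ID_RE.match(ext_id):
            continue  # skip Temp/ and anything else that is not an extension ID
        ext_path = os.path.join(extensions_dir, ext_id)
        for version_dir in sorted(os.listdir(ext_path)):
            manifest = os.path.join(ext_path, version_dir, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                data = json.load(fh)
            # Localised names show up as "__MSG_xxx__"; matching is done on the ID anyway.
            found[ext_id] = (data.get("name", "?"), data.get("version", version_dir))
    return found


def find_flagged(installed, flagged_ids=FLAGGED_IDS):
    """Return {id: (name, version)} for installed extensions whose ID is on the flagged list."""
    return {i: meta for i, meta in installed.items() if i in flagged_ids}


def scan(dirs):
    """Scan each Extensions directory and return the union of flagged matches."""
    hits = {}
    for d in dirs:
        hits.update(find_flagged(list_installed_extensions(d)))
    return hits


def build_sample_profile(root):
    """Create a constructed Extensions tree with one benign and one flagged extension."""
    ext_dir = os.path.join(root, "Default", "Extensions")
    samples = {
        "cccccccccccccccccccccccccccccccc": ("Sample Notes Tool", "1.0.3"),
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Sample Wallpaper Tool", "2.4.0"),
    }
    for ext_id, (name, version) in samples.items():
        vdir = os.path.join(ext_dir, ext_id, version + "_0")  # Chrome names version dirs like 2.4.0_0
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"manifest_version": 3, "name": name, "version": version}, fh)
    os.makedirs(os.path.join(ext_dir, "Temp"))  # Chrome keeps a non-ID folder here too
    return ext_dir


def demo_scan():
    """Build the constructed sample profile in a temp dir, scan it and return the matches."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan([build_sample_profile(tmp)])


if __name__ == "__main__":
    dirs = sys.argv[1:] or default_extensions_dirs()
    if dirs:
        hits = scan(dirs)
    else:
        print("No browser profile found; scanning a constructed sample profile instead.")
        hits = demo_scan()
    for ext_id, (name, version) in hits.items():
        print(f"FLAGGED {ext_id} {name!r} v{version} -- remove this extension")
    if not hits:
        print("No installed extension matched the flagged list.")
```

Matching is done on the extension ID rather than the display name, because the article's point is that names and ratings of the affected extensions looked trustworthy; only the ID ties an installation to the published list. The script only reads manifests and never modifies the profile, so it is safe to run on a live machine before deciding what to remove.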
dlvr.it
December 18, 2025 at 5:22 PM
OpenAI Warns Future AI Models Could Increase Cybersecurity Risks and Defenses #AIModel #AIModels #AISystems
OpenAI Warns Future AI Models Could Increase Cybersecurity Risks and Defenses
OpenAI has told the press that large language models will reach a level at which future generations could pose a serious risk to cybersecurity. In a blog post, the company acknowledged that powerful AI systems could eventually be used to craft sophisticated cyberattacks, such as discovering previously unknown software vulnerabilities or aiding stealthy cyber-espionage operations against well-defended targets. Although this remains theoretical, OpenAI underlined that the pace of improvement in AI cyber-capabilities demands proactive preparation. The same advances that could make future models attractive for malicious use, the company said, also offer significant opportunities to strengthen cyber defence. Progress in reasoning, code analysis and automation has the potential to significantly enhance security teams' ability to identify weaknesses in systems, audit complex software and remediate vulnerabilities more effectively. Rather than framing the issue as a threat alone, the company cast it as a dual-use challenge, one that must be managed through safeguards and responsible deployment. While developing such advanced AI systems, OpenAI says it is investing heavily in defensive cybersecurity applications, including improving models on tasks related to secure code review, vulnerability discovery and patch validation. It also mentioned its effort to create tooling that supports defenders in running critical workflows at scale, notably in environments where manual processes are slow or resource-intensive.
OpenAI identified several technical strategies it considers critical to mitigating the cyber risk that comes with more capable AI systems: stronger access controls to restrict who can use sensitive features, hardened infrastructure to prevent abuse, outbound data controls to reduce the risk of information leakage, and continuous monitoring to detect anomalous behaviour. Together, these are aimed at reducing the likelihood that advanced capabilities could be leveraged for harmful purposes. The company also announced the forthcoming launch of a program offering tiered access to additional cybersecurity-related AI capabilities, intended to give researchers, enterprises and security professionals working on legitimate defensive use cases access to more advanced tooling while placing appropriate restrictions on higher-risk functionality. OpenAI did not discuss specific timelines, but promised that more details would follow soon. OpenAI also announced that it would create a Frontier Risk Council comprising renowned cybersecurity experts and industry practitioners. Its initial mandate will be to assess the cyber-related risks of frontier AI models, though this is expected to expand in the near future. Members will advise on where the line should fall between developing capability responsibly and enabling misuse, and their input will continue to inform future safeguards and evaluation frameworks. OpenAI also emphasised that the risk of AI-enabled cyber misuse is not confined to a single company or platform: any sophisticated model across the industry, it said, may be misused without proper controls. To that end, OpenAI said it continues to collaborate with peers through initiatives such as the Frontier Model Forum, sharing threat-modelling insights and best practices.
By recognizing how AI capabilities could be weaponized and where the points of intervention may lie, the company believes, the industry will go a long way toward balancing innovation and security as AI systems continue to evolve.
dlvr.it
December 18, 2025 at 3:57 PM
India Witnesses Sharp Surge in Cybercrime, Fraud Dominates NCRB 2023 Report #CyberCrime #CyberCrime #Data
India Witnesses Sharp Surge in Cybercrime, Fraud Dominates NCRB 2023 Report
The cybercrime landscape in India has seen a drastic increase, with NCRB data showing cases rising from over 52,000 in 2021 to more than 86,000 by 2023, led by fraud and online financial crime. Concurrently, threat intelligence shows that India is now a high-risk ransomware and dark-web ecosystem within the Asia-Pacific region.

NCRB data and growth trend

NCRB's "Crime in India" figures show an alarming and persistent increase in reported cybercrimes, from just over 52,000 cases in 2021 to more than 86,000 by 2023, driven by growing digitisation, online payments and mobile internet use. That is a 31.2% year-on-year increase between 2022 and 2023 alone, and the country's cybercrime rate has risen from 4.8 to 6.2 cases per lakh population. Fraud is the most prevalent motive, accounting for almost 69% of all cybercrime incidents in 2023, followed by sexual exploitation and extortion, showing that attackers mainly prey on financial and personal vulnerabilities. States such as Karnataka, Telangana and Uttar Pradesh account for a large share of cases, reflecting higher IT penetration, urbanisation and digital adoption.

Ransomware and dark-web activity

Beyond the raw NCRB figures, the report places India on an Asia-Pacific threat map, drawing on the Cyble Monthly Threat Landscape Report for July 2025 to show that India remains a key target for ransomware operators. It cites the Warlock ransomware group for targeting an India-based manufacturing firm and exfiltrating HR, financial and design data that was then used for extortion and exposure. The report also notes dark-web listings advertising unauthorised access to an Indian telecom network for around US$35,000, including credentials and critical operational details, highlighting the commoditisation of network breaches.
Regionally, Thailand, Japan and Singapore each recorded six ransomware victims in the observed period, with India and the Philippines close behind, and the manufacturing, government and critical infrastructure sectors bearing the brunt of attacks. South Asia is also experiencing ideologically driven attacks, exemplified by the pro-India Team Pelican Hackers, which claimed breaches of major Pakistani research and academic institutions. These campaigns blur the line between classic cybercrime and geopolitical conflict, indicating that Indian networks face both profit-motivated and politically motivated breaches.
dlvr.it
December 18, 2025 at 2:18 PM
Malicious Software Compromises 26000 Devices Across New Zealand #CredentialTheft #LummaStealer #malware
Malicious Software Compromises 26000 Devices Across New Zealand
New Zealand's National Cyber Security Centre (NCSC) has begun notifying individuals after thousands of devices were infected with malware, highlighting the persistent risk posed by credential-stealing cybercrime. The agency has emailed about 26,000 people advising them to visit the Own Your Online portal for instructions on removing the malicious software and strengthening their account security. NCSC Chief Operating Officer Michael Jagusch said the alerts relate to Lumma Stealer, a well-known strain of malware targeting Windows-based devices. By covertly harvesting sensitive data such as email addresses and passwords, the malware can be used to facilitate identity theft or fraud. Officials noted that Lumma Stealer and other information-stealing tools remain part of a growing international cybercrime ecosystem, so users should be vigilant and take proactive security measures to protect themselves. The National Cyber Security Centre, part of the Government Communications Security Bureau, has assessed that the malicious activity may have affected approximately 26,000 email addresses countrywide. In a statement published on Wednesday, the U.S. Department of Homeland Security warned that the malware involved in the incident, Lumma Stealer, is specifically designed to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems. As the NCSC noted, the threat primarily targets Windows-based devices and is used by cybercriminals to facilitate identity and financial fraud.
This underlines the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data. The issue was discovered through the National Cyber Security Centre's cyber intelligence partnerships; the agency first worked with government bodies and financial institutions to alert a segment of those affected before expanding the effort to notify the public. Jagusch said the centre has now moved to a broader direct-contact approach, the first time it has undertaken public outreach of this sort on such a scale. He pointed out that the notifications are genuine and come from the official email address [email protected], which helps recipients distinguish legitimate messages from fraudulent ones. A recent BNZ survey indicates similar exposure across small and medium businesses, in line with the current campaign targeting households and individuals. The research found that 65% of small and medium-sized businesses believe scam activity targeting them has increased over the past year, yet 45% do not place a high priority on scam awareness or cyber education, even though their employees routinely handle emails, payment information and customer data. Roughly half of surveyed SMEs reported having been scammed in the last 12 months, many by clicking links, opening attachments or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals increasingly exploit human behaviour rather than technical flaws, targeting business owners and employees in their daily work.
A substantial number of small business owners reported losses following breaches: 21% reported a business financial loss, 26% a personal financial loss and 30% a data compromise, all with consequences beyond business accounts. According to Miller, the average loss was over $5,000, showing that scammers seek not only company funds but also personal information and sensitive business data for use in financial fraud. The National Cyber Security Centre, housed within the Government Communications Security Bureau, is the country's primary authority for helping individuals and organisations reduce their cyber risk. Its work rests on three core functions: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate and specialist capability to combat the most serious and harmful cyber threats. The NCSC also owns the Own Your Online platform, a central part of this initiative, which provides practical tools, guidance and resources designed to make cybersecurity accessible to households, small businesses and non-profit organisations, along with clear advice on prevention and on what to do when an incident occurs. The incident is a timely reminder of the increasing sophistication and reach of modern cybercrime, and of the shared responsibility to limit its effects on society.
Experts continue to emphasise the basics: strong, unique passwords, multi-factor authentication wherever possible, and keeping the operating system and software up to date. Users are also advised to remain cautious of unexpected emails or messages, even when they appear to come from trusted sources, and to communicate only through official channels. The focus remains on raising awareness and improving resilience among individuals and organisations, and on improving collaboration between the authorities and the business and financial sector. Agencies have adopted an approach built on early detection, clear communication and practical guidance, aimed at reducing immediate harm while fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.
dlvr.it
December 18, 2025 at 2:18 PM
Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident #DataBreach #DataTheft #eCommerce
Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident
  Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October. Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain. The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji. Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies. Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications. Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information. 
System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services. Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December. Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit. After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates. The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery. In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset. The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.
dlvr.it
December 17, 2025 at 6:47 PM
Fix SOC Blind Spots: Real-Time Industry & Country Threat Visibility #CyberSecurity #HybridThreats #SOC
Fix SOC Blind Spots: Real-Time Industry & Country Threat Visibility
 Modern SOCs are grappling with a massive visibility problem: essentially "driving through fog", and now with their headlights dimming rapidly. The playbook for many teams is still backward-looking: analysts wait for an alert to fire, investigate the incident, and then try to respond. While understandable given the high volume of noise and alert fatigue, this reactive posture leaves the organization exposed. It creates a structural blind spot: teams cannot observe threat actors preparing attacks, cannot anticipate campaign sequences aimed at their own sector, and cannot adjust their defenses until after an attack has been launched.

Operational costs of delay

Remaining in a reactive state imposes severe penalties on security teams in terms of time, budget, and risk profile.

* Investigation latency: Without broader context, analysts are forced to research every suspicious object from scratch, significantly slowing response times.
* Resource drain: Teams often waste cycles chasing false positives or threats irrelevant to their geography or vertical because they lack the intelligence to filter them out.
* Increased breach risk: Attackers frequently reuse infrastructure and target specific industries; failing to spot these patterns early hands the advantage to the adversary.

According to security analysts, the only way out is the transition from the current reactive SOC model to an active SOC model powered by Threat Intelligence (TI). Tools like the ANY.RUN Threat Intelligence Lookup serve as a "tactical magnifying glass", converting raw data into operational assets. TI helps the SOC understand which threats are currently present in its environment and which alerts must be escalated immediately.

Rise of hybrid threats

One of the major reasons this change is imperative is the accelerating pace of change in attack infrastructure, specifically hybrid threats.
Recent investigations by researchers have brought combined attacks to the fore, for example the Tycoon 2FA and Salty attack kits chained together into a single kill chain. In these scenarios, one kit may handle the initial lure and reverse proxy, while another manages session hijacking. These combinations effectively break existing detection rules and confuse traditional defense strategies. To address this challenge, IT professionals need real-time visibility into behavioral patterns and attack logic rather than a focus on signatures alone. Finally, proactive protection based on industry and geographic context lets SOC managers understand the threats that matter to them more effectively and anticipate attacks rather than react to them.
dlvr.it
December 17, 2025 at 3:03 PM
Critical FreePBX Vulnerabilities Expose Authentication Bypass and Remote Code Execution Risks #Criticalsecurityflaw #criticalvulnerabilities #CyberSecurity
Critical FreePBX Vulnerabilities Expose Authentication Bypass and Remote Code Execution Risks
 Researchers at Horizon3.ai have uncovered several security vulnerabilities in FreePBX, an open-source private branch exchange platform. Among them, one serious flaw could be exploited to bypass authentication if very specific configurations are enabled. The issues were disclosed privately to the FreePBX maintainers in mid-September 2025, and the researchers have raised concerns about the exposure of internet-facing PBX deployments.

According to Horizon3.ai's analysis, the disclosed vulnerabilities affect several FreePBX core components and can be exploited by an attacker to gain unauthorized access, manipulate databases, upload malicious files, and ultimately execute arbitrary commands. One of the most critical findings involves an authentication bypass that could grant attackers access to the FreePBX Administrator Control Panel without valid credentials, given specific conditions. This vulnerability manifests when the system's authorization mechanism is configured to trust the web server rather than FreePBX's own user management.

Although the authentication bypass is not active in the default FreePBX configuration, it becomes exploitable once multiple advanced settings are enabled. Once these are in place, an attacker can craft HTTP requests containing forged authorization headers to obtain administrative access. Researchers pointed out that such access can be used to add malicious users to internal database tables, effectively maintaining control of the device. The behavior closely resembles an earlier FreePBX vulnerability that was actively exploited during the first months of 2025.

Besides the authentication bypass, Horizon3.ai found several SQL injection bugs affecting different endpoints within the platform. These bugs allow authenticated attackers to read from and write to the underlying database by modifying request parameters.
Such access can leak call records, credentials, and system configuration data. The researchers also discovered an arbitrary file upload bug that can be exploited by anyone holding a valid session identifier, allowing attackers to upload a PHP-based web shell and execute commands on the underlying server. This can be used to extract sensitive system files or establish deeper persistence.

Horizon3.ai noted that the vulnerabilities are fairly low-complexity to exploit and may enable remote code execution by both authenticated and unauthenticated attackers, depending on which endpoint is exposed and how the system is configured. It added that PBX systems are an attractive target because they are frequently exposed to the internet and often integrated deeply into critical communications infrastructure.

The FreePBX project has made patches available across supported versions, rolling them out incrementally between October and December 2025. In light of the findings, the project also disabled the ability to configure authentication providers through the web interface and now requires administrators to configure this setting through command-line tools. Temporary mitigation guidance issued to those impacted encouraged users to switch to the user manager authentication method, limit overrides in advanced settings, and reboot affected systems to terminate potentially unauthorized sessions. Researchers and FreePBX maintainers have called on administrators to check their environments for compromise, especially where the vulnerable authentication configuration was enabled.

While several vulnerable code paths remain, they are reachable only through additional authentication layers. Security experts underscored that, whenever possible, legacy authentication mechanisms should be avoided because they offer weaker protection against exploitation.
The incident serves as a reminder of the importance of secure configuration practices, especially for systems that play a critical role in organizational communications.
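The trusted-web-server authentication mode described above is an instance of a general pattern: an application that honours an identity header asserted by an upstream server must make sure that only its own front-end proxy can set that header, and the proxy must overwrite whatever the client sent. The JavaScript below is an added illustration written for this page, not FreePBX code; the setting names (authProvider, requireTrustedProxy, trustedProxies), the header name and the requests are all constructed placeholders. It puts the weak setting, under which a forged header from any client is accepted, beside the hardened one, and shows the proxy-side step that strips client-supplied identity headers.

```javascript
// Assumed configuration shape (not FreePBX's real settings):
//   authProvider: "usermanager" -> the application validates its own sessions
//                 "webserver"   -> an upstream web server authenticates and
//                                  forwards the principal in an identity header
//   requireTrustedProxy / trustedProxies: whether, and from which peers, that
//                 header may be believed.
const IDENTITY_HEADER = "x-authenticated-user"; // placeholder header name

// Resolves the principal for a request, or null when nothing trustworthy
// identifies the caller. `req` is a minimal constructed request object:
// { remoteAddress, headers: { lowercase-name: value }, session: { user } | null }.
function resolveIdentity(req, config) {
  if (config.authProvider === "usermanager") {
    // Headers are never consulted; only the application's own session counts.
    return req.session && req.session.user ? req.session.user : null;
  }
  if (config.authProvider === "webserver") {
    const asserted = req.headers[IDENTITY_HEADER];
    if (!asserted) return null;
    // Weak setting: believing the header from any source means a client that
    // reaches the application directly can assert whichever principal it likes.
    if (!config.requireTrustedProxy) return asserted;
    // Hardened setting: believe the header only when the TCP peer is a known
    // proxy that is responsible for setting (and overwriting) it.
    return config.trustedProxies.has(req.remoteAddress) ? asserted : null;
  }
  throw new Error(`unknown authProvider: ${config.authProvider}`);
}

// Proxy-side counterpart: before forwarding upstream, drop any identity header
// the client supplied and set only the one the proxy itself established, so
// the backend never sees a client-chosen value.
function forwardedHeaders(clientHeaders, proxyAuthenticatedUser) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (name.toLowerCase() !== IDENTITY_HEADER) out[name.toLowerCase()] = value;
  }
  if (proxyAuthenticatedUser) out[IDENTITY_HEADER] = proxyAuthenticatedUser;
  return out;
}

// Constructed request: an internet client reaching the application directly
// and claiming to be the admin via the identity header.
function forgedRequest() {
  return {
    remoteAddress: "203.0.113.10",
    headers: { [IDENTITY_HEADER]: "admin" },
    session: null,
  };
}

// Three constructed configurations for comparison.
const WEAK = { authProvider: "webserver", requireTrustedProxy: false, trustedProxies: new Set() };
const HARDENED = { authProvider: "webserver", requireTrustedProxy: true, trustedProxies: new Set(["10.0.0.2"]) };
const DEFAULT = { authProvider: "usermanager" };

// Stand-alone demo of the three outcomes for the same forged request.
console.log("weak:", resolveIdentity(forgedRequest(), WEAK));         // admin
console.log("hardened:", resolveIdentity(forgedRequest(), HARDENED)); // null
console.log("usermanager:", resolveIdentity(forgedRequest(), DEFAULT)); // null
```

The mitigation guidance quoted above maps onto these settings: switching to the user manager method is the DEFAULT configuration, where headers are ignored entirely, and limiting advanced-setting overrides is what keeps a deployment from drifting into WEAK. Note that a trusted-proxy address check is only meaningful if the application port is not reachable from anywhere except that proxy.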
dlvr.it
December 17, 2025 at 2:31 PM
Rockrose Development Notifies Over 47,000 People of July 2025 Data Breach Linked to Play Ransomware Gang #constructioncompanycyberattack #DataBreach
Rockrose Development Notifies Over 47,000 People of July 2025 Data Breach Linked to Play Ransomware Gang
  Rockrose Development confirmed over the weekend that it has notified 47,392 individuals about a data breach that occurred in July 2025. The incident exposed sensitive personal information belonging to both residents and employees. According to the company, the compromised data includes names, Social Security numbers, taxpayer identification numbers, driver’s license and passport details, financial account and routing numbers, health insurance information, medical records, and online account credentials. Soon after the breach, a ransomware group known as Play claimed responsibility. The group alleged it had accessed and stolen documents related to Rockrose’s clients, budgeting, payroll, accounting, and tax records, along with identification and financial information. Rockrose has not confirmed the authenticity of Play’s claims. At this time, it remains unclear whether Rockrose paid a ransom, how much was demanded, or the specific method attackers used to gain access to the company’s systems. Comparitech has reached out to Rockrose for comment and stated it will update its reporting if a response is received. “Rockrose determined that unauthorized individuals accessed Rockrose’s systems and claim to have acquired confidential information stored in certain of those systems,” the company stated in its notification to affected individuals. To mitigate potential harm, Rockrose is offering eligible victims 24 months of complimentary identity protection services through Experian. Impacted individuals must enroll by March 31, 2026. Play is a ransomware operation that has been active since June 2022, targeting organizations across sectors such as healthcare, finance, manufacturing, real estate, and education. The group uses a double-extortion strategy, demanding payment not only to decrypt compromised systems but also to prevent stolen data from being leaked or sold. 
So far in 2025, Play has taken credit for 41 confirmed ransomware attacks, in addition to 339 unverified claims that have not been publicly acknowledged by the affected organizations. Rockrose is not the only construction-related firm allegedly targeted by Play this year. Other organizations that have reported breaches attributed to the group include Rock Solid Stabilization & Reclamation, Gorham Sand & Gravel, Thomas Safran & Associates, and All States Materials Group.

Ransomware Trends in Construction and Real Estate

Comparitech researchers report that, as of 2025, there have been 12 confirmed ransomware attacks against U.S. construction companies and real estate developers, impacting a total of 69,513 records. The Rockrose incident accounts for the majority of these exposed records and is the largest such attack recorded since tracking began in 2018. Additional recent incidents include breaches at Abhe & Svoboda and Barr & Barr, both reportedly linked to the Akira ransomware group. Ransomware attacks can severely disrupt construction and real estate firms by locking access to systems, stealing sensitive data, and interrupting critical operations such as payroll, billing, communications, and website functionality. Organizations often face the difficult choice of paying a ransom or enduring prolonged downtime and increased fraud risk for customers. Established in 1970, Rockrose Development has acquired, developed, or repositioned approximately 15,000 residential apartments across New York and Washington, DC. The company also manages nearly 6 million square feet of office space, according to information published on its website.
dlvr.it
December 17, 2025 at 2:22 PM
Fake Microsoft Support Call Center Scam Targeting US Citizens Brought Down #BitcoinATMScam #CallCenterScam #CrossBorderCybercrime
Fake Microsoft Support Call Center Scam Targeting US Citizens Brought Down
  An investigation by the Bengaluru police has uncovered a sophisticated cyber fraud operation in the city that masqueraded as Microsoft Technical Support and targeted U.S. citizens, bringing an end to a transnational scam network that had been working from the city for some time.

On Saturday, the Special Cell of the Cyber Command, in coordination with the Cyber Crime Police of the Whitefield Division, raided the premises of a firm known as Musk Communications, acting on specific intelligence. Investigations revealed that the company, which began operations in August, had set up a fully functional scam center of approximately 4,500 square feet, where employees allegedly posed as Microsoft support technicians to deceive and defraud foreign nationals.

According to police, 21 individuals directly involved in the fraudulent activities were arrested at the facility. The operation was designed to systematically exploit overseas victims through carefully orchestrated technical support scams. The racket used several rented office spaces, from which callers posing as Microsoft representatives targeted residents across the country.

Victims were reached either directly or through deceptive pop-up messages that falsely claimed their computer was infected with malware or had been compromised. Once the callers had established contact with a target, they convinced them to install remote access applications such as AnyDesk or TeamViewer, which allowed the fraudsters to take control of the target's computer.
During these scams, police allege, the accused deliberately generated false technical glitches, frozen screens, and fake virus alerts to heighten victims' anxiety and coerce them into paying for services that were unnecessary, nonexistent, or unreliable. According to investigators, the group charged anywhere from several hundred to several thousand dollars for sham repairs, extended warranties, and counterfeit security subscriptions, and may have funnelled crores of rupees through international payment gateways designed to obscure the financial records for over a year.

The raid led to the seizure of 35 computers, 45 mobile phones, Voice over IP-based communication systems, scripted call templates, extensive customer data logs containing the details of hundreds of prospective targets, and a variety of other items. The arrestees had reportedly been trained to adopt an American accent so as not to raise suspicion, underscoring the systematic and calculated nature of the fraud.

Police said the case shows that cross-border technology support scams, preying on seniors and digitally vulnerable individuals overseas, are becoming increasingly prevalent, and that further investigations are underway to establish who was behind the fraud, who financed it, and who was involved overseas. According to officials of the Bengaluru Police Cyber Crime Division, the syndicate targeted victims in both the United States and the United Kingdom, falsely representing itself as Microsoft's technical support department.

During the investigation, it emerged that callers escalated the deception by citing fabricated Federal Trade Commission violations, telling victims that their systems had been compromised or that they were involved in unlawful online activity.
The fraudsters allegedly demanded substantial payments in Bitcoin to resolve these purported threats and instructed victims to deposit money at cryptocurrency ATMs. Police estimate that individual losses averaged around $10,000. The operation used a range of intimidation tactics to pressure compliance, including threats of false legal penalties and urgent cyber alerts. Senior IPS officers confirmed that most of those targeted were elderly individuals unfamiliar with digital security practices.

Further inquiries revealed a professionally layered setup in which nearly 85 people were employed in Bengaluru to manage the company's data, handle calls, and impersonate foreign technology executives. The operation relied on American accents, detailed scripts, and email addresses designed to mimic official Microsoft and U.S. regulatory addresses. Those arrested were tasked with extracting personal and financial information during staged troubleshooting sessions; payments were then converted to cryptocurrency, disguising the financial trail. Backend systems reportedly linked the operation to foreign digital wallets and crypto exchanges already under scrutiny by US authorities.

Investigators are now tracking Bitcoin transactions and identifying the international collaborators who routed the proceeds. Authorities are collaborating with Interpol and the federal government to map digital wallet movements; preliminary findings indicate that between August and November 2025, at least $13.5 crore was transferred in multiple tranches through Bitcoin ATMs. Analysts are also examining the seized servers to find out how the syndicate sourced the contact information of overseas victims.
Officials pointed out that Bengaluru is becoming increasingly vulnerable to global cybercrime networks: fraud rings operating under the cover of technology support firms exploit the city's skilled manpower and readily available digital infrastructure, prompting tighter monitoring of the registration of startups, co-working spaces, and tech parks around the city.

Investigators have found that since August the network contacted 150 victims across the United States and the United Kingdom, coercing them into depositing large sums of money, often close to $10,000, through Bitcoin ATMs. A senior IPS officer stated that authorities are currently extracting and verifying financial information about the victims, and that preliminary findings indicate cryptocurrency kiosks were the primary means by which illicit payments were collected.

A police report states that the accused posed as Microsoft technical support representatives to victims around the world and invoked fabricated Federal Trade Commission violations to instil fear, demanding money under the guise of mandatory security fixes and regulatory compliance procedures. According to the reports, the operation's three key masterminds remain absconding and are believed to have orchestrated similar scams targeting victims across the U.S. and the U.K. since 2022. For a scheme of this magnitude, Musk Communications rented a 4,500-square-foot office space in August at a monthly charge of Rs. 5 lakh, from which the gang planned to deploy malicious Facebook ads targeted at American users as part of its campaign against the US government.
In the ads, investigators found embedded code that mimicked legitimate security alerts; when clicked, it would freeze the user's system and trigger a fake pop-up message purporting to come from Microsoft's global support center, complete with a counterfeit helpline number. Victims who called the number were allegedly told that their computer systems had been hacked and that their IP addresses and banking information had been compromised, and were then pressured into making high-value payments through Bitcoin ATMs.

According to the police, the company employed 83 people, including 21 technical operators directly involved in the fraud; their salaries ranged from $15k to $25k per month. Among the other arrests confirmed by investigators was Ravi Chauhan, an Ahmedabad resident, alleged to have played a major part in recruiting nearly 85 staff members for the operation. This brings the total number of arrests in the case to 22 as the investigation continues to pursue the remaining suspects and the financial flows tied to the scheme.

Organized cybercrime syndicates operating across borders have surged in recent years, and authorities have warned about their evolving tactics and techniques, particularly those that exploit the trust people place in internationally recognized technology brands. The police emphasized that legitimate companies such as Microsoft should not initiate unsolicited technical support calls, push pop-up warnings demanding immediate action, or ask for payment through cryptocurrency channels in exchange for support.
Officials urged users, particularly the elderly and those unfamiliar with digital platforms, to exercise caution when faced with alarming online messages or calls alleging legal or security violations, and to verify such claims through official websites or authorised service channels. Cybercrime investigators also emphasized the need for stronger awareness campaigns, closer scrutiny of short-term commercial rentals, and tighter regulation of online advertising platforms so that they cannot be used to deliver malicious content. The investigation is continuing to trace financial flows and international connections, and authorities say the case serves as a reminder of how sophisticated and large-scale modern tech-support fraud has become, underscoring the need for digital literacy, cross-border cooperation, and timely reporting to counter scams that exploit fear, urgency, and misinformation.
dlvr.it
December 17, 2025 at 11:48 AM
PyStoreRAT Campaign Uses Fake GitHub Projects to Target OSINT and IT Professionals #GitHub #malware #PyStoreRAT
PyStoreRAT Campaign Uses Fake GitHub Projects to Target OSINT and IT Professionals
  Cybersecurity researchers have identified a previously undocumented malware operation that leverages GitHub to distribute a threat known as PyStoreRAT. The campaign primarily targets individuals working in information technology, cybersecurity, and open-source intelligence research, exploiting their reliance on open-source tools. The findings were published by Morphisec Threat Labs, which described the operation as a coordinated and deliberate effort rather than random malware distribution. The attackers focused on blending into legitimate developer activity, making the threat difficult to detect during its early stages. PyStoreRAT functions as a Remote Access Trojan, a type of malware that enables attackers to maintain hidden and persistent access to an infected system. Once deployed, it can gather detailed system information, execute commands remotely, and act as a delivery mechanism for additional malicious software. According to the research, the attackers began by reviving dormant GitHub accounts that had shown no activity for extended periods. These accounts were then used to upload software projects that appeared polished, functional, and credible. Many of the repositories were created with the help of artificial intelligence, allowing them to closely resemble genuine open-source tools. The fake projects included OSINT utilities, decentralized finance trading bots, and AI-based applications such as chatbot wrappers. Several of these repositories gained visibility and user trust, with some rising through GitHub’s trending rankings. Only after achieving engagement did the attackers introduce subtle updates that quietly embedded the PyStoreRAT backdoor under the guise of routine maintenance. Once active, PyStoreRAT demonstrates a high degree of adaptability. Morphisec researchers found that it profiles infected systems and can deploy additional payloads, including known data-stealing malware families and Python-based loaders. 
The malware also modifies its execution behavior when it detects certain endpoint protection products, reducing its exposure to security monitoring. The threat is not limited to a single delivery method. PyStoreRAT can propagate through removable storage devices such as USB drives and continuously retrieves updated components from its operators. Its command-and-control infrastructure relies on a rotating network of servers, allowing attackers to issue new instructions quickly while complicating takedown efforts. Researchers also identified non-English language elements within the malware code, including Russian-language terms. While this does not confirm attribution, Morphisec noted that the level of planning and operational maturity places the campaign well beyond low-effort GitHub-based malware activity. GitHub has removed the majority of the malicious repositories linked to the campaign, though a small number were still accessible at the time of analysis. Security experts stress that developers and researchers should remain cautious when downloading tools, carefully review code changes, and avoid running projects that cannot be independently verified. Morphisec concluded that the campaign highlights a rapidly growing trend in which attackers combine AI-generated content, social engineering, and resilient cloud infrastructure to bypass traditional security defenses, making awareness and verification more critical than ever.
dlvr.it
December 17, 2025 at 6:24 AM
700Credit Data Breach Exposes Sensitive Information of 5.6 Million Individuals #700Creditdatabreach #creditdataexposure #fintechdatabreach
700Credit Data Breach Exposes Sensitive Information of 5.6 Million Individuals
  U.S.-based fintech and data services firm 700Credit has confirmed a major data breach that compromised the personal information of at least 5.6 million individuals. The exposed data includes names, residential addresses, dates of birth, and Social Security numbers. Headquartered in Michigan, 700Credit provides credit reporting, soft-pull prequalification, identity verification, fraud prevention, and compliance solutions to auto, RV, marine, and powersports dealerships nationwide. The company works with nearly 18,000 dealerships, integrating its services directly into dealer systems to access credit bureau data, conduct compliance screenings, and generate mandatory disclosures. According to the company, the breach occurred in October and involved unauthorized access to personal data collected from dealerships between May and October 2025. The incident was disclosed through a notification posted on 700Credit’s website. “700Credit regrets to inform you that our industry was attacked again by a bad actor who had unauthorized access to some of our personally identifiable information (PII) including name, address and social security number,” reads the data breach notification published by the company on its website. “The investigation is ongoing and most importantly there is no indication of any identity theft, fraud, or other misuse of information in relation to this event.” Following the discovery, 700Credit brought in external cybersecurity specialists who determined that the breach was confined to the application layer and did not compromise the company’s internal network or core operations. The firm has since notified affected dealers and begun outreach to impacted consumers. The company also reported the incident to federal authorities, including the FBI and the Federal Trade Commission, and coordinated regulatory notifications on behalf of dealerships. It plans to notify state attorneys general and is offering credit monitoring services to those affected.
“We pledge to take extraordinary steps necessary to assist consumers and notify required parties on behalf of dealers. We timely notified the FBI and the FTC and confirmed with the FTC that 700Credit’s filing on behalf of all dealers is sufficient to meet dealer obligations to notify the FTC. In addition, we will be notifying State AG offices on behalf of dealers. Impacted consumers will also be notified and offered credit monitoring services and assistance they may need. 700Credit has also been working directly with NADA,” continues the notification. Michigan Attorney General Dana Nessel has reissued a consumer alert following the breach, which impacted nearly 6 million people nationwide, including more than 160,000 Michigan residents. “If you get a letter from 700Credit, don’t ignore it. It is important that anyone affected by this data breach takes steps as soon as possible to protect their information,” said Michigan Attorney General Dana Nessel. “A credit freeze or monitoring services can go a long way in preventing fraud, and I encourage Michiganders to use the tools available to keep their identity safe.” 700Credit is advising consumers to remain vigilant against phishing attempts and scams, strengthen and update passwords, and remove unnecessary stored data. The company also recommends enabling multifactor authentication and regularly reviewing credit reports. Consumers can access free weekly credit reports from Equifax, Experian, and TransUnion through the Annual Credit Report website.
dlvr.it
December 16, 2025 at 5:25 PM
Chrome ‘Featured’ Urban VPN Extension Caught Harvesting Millions of AI Chats #ChatbotSurveillance #ChromeExtensions #CyberSecurity
Chrome ‘Featured’ Urban VPN Extension Caught Harvesting Millions of AI Chats
A popular browser extension called Urban VPN Proxy, available for users of Google’s Chrome browser, has been discovered secretly sniffing out and harvesting confidential AI conversation data of millions of users across sites such as ChatGPT, Claude, Copilot, Gemini, Grok, Meta AI, and Perplexity. The browser extension, known for giving users a safe and private way of reaching blocked websites through a virtual private network, was updated in July 2025 with an added function that extracts all conversation data exchanged between users and AI chatbots by injecting JavaScript code into these sites. By overriding browser network APIs, the extension is able to collect prompts, responses, conversation IDs, timestamps, session metadata, and the particular AI model in use. The extension's developer, Urban Cyber Security Inc., which also owns BiScience, a company well known for gathering and profiting from user browsing data, then sends the collected data to remote servers under its control. The privacy policy of Urban VPN, last updated in June 2025, admits to collecting AI queries and responses for the purposes of "Safe Browsing" and marketing analysis, asserting that any personal data is anonymized and pooled. However, BiScience shares raw, non-anonymized browsing data with business partners, using it for commercial insights and advertising. Although the extension offers an “AI protection” feature that warns users about sharing personal information, the data harvesting occurs regardless of whether this feature is enabled, raising concerns about transparency and user consent. The extension and three other similar ones, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, all published by Urban Cyber Security Inc., collectively have over eight million installations.
Notably, these extensions bear the “Featured” badge on Chrome and Edge marketplaces, which is intended to signal high quality and adherence to best practices. This badge may mislead users into trusting the extensions, underlining the risk of data misuse through seemingly legitimate channels.  Koi Security’s research highlights how extension marketplaces’ trust signals can be abused to collect sensitive data at scale, particularly as users increasingly share personal details and emotions with AI chatbots. The researcher calls attention to the vulnerability of user data, even with privacy-focused tools, and underscores the need for vigilance and stricter oversight on data collection practices by browser extensions.
dlvr.it
December 16, 2025 at 3:24 PM
Pierce County Library System Data Breach Exposes Information of Over 340,000 People #Cyberattacks #DataBreach #Databreachesattacks
Pierce County Library System Data Breach Exposes Information of Over 340,000 People
A cyber attack on the Pierce County Library System in the state of Washington has led to the compromise of personal data of over 340,000 people, which is indicative of the rising cybersecurity threat to public services. The attack has affected library services across the entire county, along with library users and staff. The incident was made known to the public through breach notification letters published on the website of the Pierce County Library System. As the notification letters explain, the library system detected the incident on April 21 and decided to shut down all library systems in an effort to contain the breach. An investigation conducted by the library system confirmed that a breach had taken place. On May 12 the library system further determined that data belonging to individuals who used or were part of the institution had been successfully exfiltrated. It was established that the hackers had access to the network from April 15 to April 21, during which sensitive information was accessed and exfiltrated. The type of information exposed varied depending on who was affected. For library patrons, the breached data included names and dates of birth. Though very limited compared to the data for employees, this data is still significant for identity-related fraud. The breach had severe implications for current and former employees of the library system. The data stolen from them included Social Security numbers, financial account numbers, driver’s license numbers, credit card numbers, passport numbers, health insurance details, and certain medical data. The ransomware attack was later attributed to the INC ransomware gang, which has been responsible for a number of highly damaging attacks on government bodies during 2025.
The gang has previously attacked bodies such as the Office of the Attorney General of Pennsylvania and a countrywide emergency alert service used by local authorities. This is not the first such incident at the Pierce County level. In 2023, Pierce County was the victim of a ransomware attack on its public transit service, which the community relies on heavily, with 18,000 riders using it daily. Public library networks have become a common target for ransomware attacks in recent years. Cybercriminals perceive public libraries as high-stakes targets because community members depend on them for internet access, catalogs, and other digital services, which can pressure an organization into paying a ransom demand to resume operations. Such attacks have also hit national and city library networks in North America. The current threat environment has led to calls for targeted programs within the United States government to evaluate cybersecurity risks for libraries. This would involve enhanced sharing of information about cyber attacks and more support for libraries, including advanced services such as firewalls tailored to them. As libraries, like other government institutions, continue to digitize, a breach such as the one Pierce County experienced is a reminder that continued investment in cybersecurity measures is a necessity.
dlvr.it
December 16, 2025 at 3:24 PM
Data Breach at Fieldtex Affects 274000 as Ransomware Gang Takes Credit #AkiraRansomwareGroup #DataBreach #HealthcareCyberThreats
Data Breach at Fieldtex Affects 274000 as Ransomware Gang Takes Credit
The Fieldtex Products Corporation, a company that makes contract sewing products and fulfills medical supply orders from U.S. manufacturers, has notified hundreds of thousands of individuals after confirming a ransomware attack that compromised sensitive health-related information. The incident came to light after the company detected unusual activity within its network in mid-August, prompting a lengthy internal investigation that eventually revealed an unauthorized intrusion into systems containing protected health information relating to affiliated health plans. According to Fieldtex's breach notification, published on November 20, the exposed data may include names, residential addresses, dates of birth, gender, health insurance membership numbers, member identification numbers, plan information, and coverage details. According to regulatory filings submitted to the U.S. Department of Health and Human Services, the breach has affected approximately 238,615 individuals. The disclosure came in the wake of a public claim by Akira, a ransomware group that listed Fieldtex's E-First Aid Supplies division on its Tor-based leak site on November 5, asserting that it had exfiltrated over 14 gigabytes of internal data, including employee, customer, and financial data. Despite the group's threat to publish the stolen data, no materials had been made public when Fieldtex issued its notice. Fieldtex has submitted incident disclosures to federal regulators in its capacity as a HIPAA business associate, stating that the company is providing direct notice to affected individuals on behalf of clients who have authorized it to do so.
According to Fieldtex's breach disclosure, the organization is a medical supply fulfillment company that provides members with over-the-counter healthcare products delivered through their respective health plans. In fulfilling those orders, Fieldtex handles certain categories of protected health information. As the company reported, it became aware of unauthorized activity on or around August 19. The company responded by securing its network and engaging an independent forensic investigation firm to determine the nature and extent of the intrusion. The data involved was protected health information that Fieldtex had obtained from members' health plans in the course of its healthcare fulfillment operations. In its statement, the company says that on August 19 it detected unauthorized activity within its computer systems. As soon as it became aware of the intrusion, it secured its network and retained an external forensic firm to determine the extent of the breach. Fieldtex stated that, although it had no conclusive findings on whether protected health information was accessed, there is no indication that any data has been misused. The potentially exposed information includes patients' names, residential addresses, dates of birth, health insurance member identification numbers, plan names, coverage periods, and gender. Fieldtex reported that by September 30 it had finished its analysis of the affected data and had immediately notified the associated health plans, which subsequently offered complimentary credit monitoring services to individuals whose information could have been exposed. The company added that, in response to the incident, it has tightened its network security controls and reviewed its data protection policies.
Requests for more information, including whether any data was exfiltrated or a ransom demand was issued, were not immediately returned. The Fieldtex team conducted an extensive internal review after becoming aware that sensitive information was at risk of being accessed. This review included determining the type of information contained in the affected files and identifying the individuals whose information was involved. In addition to assessing the potentially impacted data, the company promptly informed the appropriate health plans on September 30, 2025, initiating a coordinated response. The company is acting on behalf of health plan clients that authorized Fieldtex to provide direct notice to their members, and it is offering credit monitoring services as a precautionary measure. The company also reported that it has strengthened security controls across its network and is undertaking a broader review of its data protection policies and procedures with the aim of reducing the likelihood of similar incidents. According to Fieldtex, there is no evidence of actual or attempted misuse of the information related to the incident, but it advised affected individuals to remain vigilant and to review their account statements and explanations of benefits regularly for any irregularities or errors. The company also advised individuals to place fraud alerts with the major credit reporting agencies, Equifax, TransUnion, and Experian, for additional protection. The incident illustrates the growing cyberattack risk faced by healthcare-related vendors that operate behind the scenes of patient care yet handle large volumes of sensitive personal and insurance data.
The cyber security community has repeatedly warned that ransomware groups target third-party service providers with increasing frequency, viewing them as a high-value entry point into complex healthcare ecosystems where a single intrusion can have many downstream effects. People affected by the breach should remain vigilant to avoid becoming victims of follow-on fraud. This includes reviewing insurance statements regularly, monitoring credit activity, and responding promptly to any anomalies. As the Fieldtex incident shows, healthcare organizations and their vendors must manage vendor risk appropriately, monitor activity continuously, and perform regular security audits to reduce the chance of similar attacks. Organizations that handle protected health information may face increasing pressure as regulatory scrutiny intensifies and threat actors refine their tactics. It is imperative that organizations handling protected health information demonstrate not only compliance with federal requirements but also a commitment to cybersecurity resilience in order to protect patient trust and operational continuity.
dlvr.it
December 16, 2025 at 3:24 PM
Neo AI Browser: How Norton’s AI-Driven Browser Aims to Change Everyday Web Use #aibrowser #DataExposure #DigitalSecurity
Neo AI Browser: How Norton’s AI-Driven Browser Aims to Change Everyday Web Use
  Web browsers are increasingly evolving beyond basic internet access, and artificial intelligence is becoming a central part of that shift. Neo, an AI-powered browser developed by Norton, is designed to combine browsing, productivity tools, and security features within a single platform. The browser positions itself as a solution for users seeking efficiency, privacy control, and reduced online distractions. Unlike traditional browsers that rely heavily on cloud-based data processing, Neo stores user information directly on the device. This includes browsing history, AI interactions, and saved preferences. By keeping this data local, the browser allows users to decide what information is retained, synchronized, or removed, addressing growing concerns around data exposure and third-party access. Security is another core component of Neo’s design. The browser integrates threat protection technologies intended to identify and block phishing attempts, malicious websites, and other common online risks. These measures aim to provide a safer browsing environment, particularly for users who frequently navigate unfamiliar or high-risk websites. Neo’s artificial intelligence features are embedded directly into the browsing experience. Users can highlight text on a webpage to receive simplified explanations or short summaries, which may help when reading technical, lengthy, or complex content. The browser also includes writing assistance tools that offer real-time grammar corrections and clarity suggestions, supporting everyday tasks such as emails, reports, and online forms. Beyond text-based tools, Neo includes AI-assisted document handling and image-related features. These functions are designed to support content creation and basic processing tasks without requiring additional software. By consolidating these tools within the browser, Neo aims to reduce the need to switch between multiple applications during routine work. 
To improve usability, Neo features a built-in ad blocker that limits intrusive advertising. Reducing ads not only minimizes visual distractions but can also improve page loading speeds. This approach aims to provide a smoother and more focused browsing experience for both professional and casual use. Tab management is another area where Neo applies automation. Open tabs are grouped based on content type, helping users manage multiple webpages more efficiently. The browser also remembers frequently visited sites and ongoing tasks, allowing users to resume activity without manually reorganizing their workspace. Customization plays a role in Neo’s appeal. Users can adjust the browser’s appearance, create shortcuts, and modify settings to better match their workflow. Neo also supports integration with external applications, enabling notifications and tool access without leaving the browser interface. Overall, Neo reflects a broader trend toward AI-assisted browsing paired with stronger privacy controls. By combining local data storage, built-in security, productivity-focused AI tools, and performance optimization features, the browser presents an alternative approach to how users interact with the web. Whether it reshapes mainstream browsing habits remains to be seen, but it underlines how AI is steadily redefining everyday digital experiences.
dlvr.it
December 15, 2025 at 5:21 PM
Online Retail Store Coupang Suffers South Korea's Worst Data Breach, Leak Linked to Former Employee #AI #Cloud #Coupang
Online Retail Store Coupang Suffers South Korea's Worst Data Breach, Leak Linked to Former Employee
33.7 million customer data leaked
A data breach is an unfortunate attack that businesses often suffer. Failing to address these breaches is even worse, as it costs businesses reputational and privacy damage. A breach at Coupang that leaked the data of 33.7 million customers has been linked to a former employee who kept access to internal systems after leaving the organization.
About the incident
The news was shared by the Seoul Metropolitan Police Agency with news agencies after an inquiry that involved a recent raid on Coupang's offices. The firm is South Korea's biggest online retailer. It employs 95,000 people and generates an annual revenue of more than $30 billion. Earlier in December, Coupang reported that it had been hit by a data breach that leaked the personal data of 33.7 million customers, such as email IDs, names, order information, and addresses. The incident happened in June 2025, but the firm discovered it in November and immediately launched an internal investigation.
The measures
At the beginning of December, Coupang posted an update on the breach, assuring customers that the leaked data had not been exposed anywhere online. Even so, and despite Coupang's full cooperation with the authorities, officials raided the firm's various offices on Tuesday to gather evidence for a detailed enquiry. Recently, Coupang's CEO Park Dae-Jun resigned and apologized to the public for not being able to stop what is now South Korea's worst cybersecurity breach in history.
Police investigation
On the second day of the police investigation in Coupang's offices, officials found that the main suspect was a 43-year-old Chinese national who was an employee of the retail giant. The man is called JoongAng; he joined the firm in November 2022 and oversaw the authentication management system. He left the firm in 2024. JoongAng is suspected to have already left South Korea.
What next?
According to the police, although Coupang is considered the victim, the business and staff in charge of safeguarding client information may be held accountable if carelessness or other legal infractions are discovered.  Since the beginning of the month, the authorities have received hundreds of reports of Coupang impersonation. Meanwhile, the incident has caused a large amount of phishing activity in the country, affecting almost two-thirds of its population.
dlvr.it
December 15, 2025 at 3:29 PM
AI-Powered Shopping Is Transforming How Consumers Buy Holiday Gifts #AIChatbot #AIPowered #AItechnology
AI-Powered Shopping Is Transforming How Consumers Buy Holiday Gifts
Artificial intelligence is emerging as a new dimension in holiday shopping for consumers, going beyond search into a more proactive role in exploration and decision-making. Rather than endlessly clicking through online shopping sites, consumers are increasingly turning to AI-powered chatbots to suggest gift ideas, compare prices, and recommend specialized products they may not have thought of otherwise. The trend is being fueled by the increasing availability of tools such as Microsoft Copilot, ChatGPT from OpenAI, and Gemini from Google. Given basic information such as a gift recipient’s interests, age, or hobbies, these tools can produce personalized recommendations that direct the shopper to specialized retail stores or particular products. Such technology is increasingly viewed as a way to keep gift selection thoughtful during a busy and rushed time of year. Industry analysts have termed this year a critical milestone in AI-enabled commerce. Although figures quantifying expenditures driven by AI are not available, a report by Salesforce reveals that AI-enabled activities have the potential to influence over one-twentieth of holiday sales globally, amounting to expenditure in the order of hundreds of billions of dollars. Supporting evidence comes from a poll of consumers in countries such as America, Britain, and Ireland, where a majority have already adopted AI assistance in shopping, mainly for comparisons and recommendations. Although AI adoption continues to gain pace, customer satisfaction with AI-driven retail experiences remains mixed. Most consumers say they have found AI solutions helpful, but they have not come across experiences they find truly remarkable. In response, retailers have endeavored to improve product representation in AI-driven recommendations.
Experts have cautioned that inaccurate or outdated product information can work against retailers in AI-driven recommendations, especially smaller brands, since larger rivals have an advantage in resources. The technology is also developing beyond recommendations. Some AI firms have already started working on in-chat checkout systems, which will enable consumers to make purchases without leaving the chat interface. OpenAI has started to integrate checkout capabilities into conversations through collaborations with leading platforms, allowing consumers to browse products and make purchases without leaving the chat. However, this is still at a nascent stage and available on a selective basis to vendors approved by AI firms. The trend raises concerns about market concentration. Experts have indicated that AI firms act as gatekeepers, deciding which retailers appear on the platform and which do not. Big brands with well-organized product information will benefit, while small retailers will need to adjust before being considered. On the other hand, some small businesses see AI shopping as an opportunity rather than a threat. By investing in quality online content, small businesses hope to become more visible to AI shopping systems without necessarily partnering with them. As AI shopping continues to gain popularity, organizing product information coherently will soon become important for a business to succeed. Although AI-powered shopping helps consumers be better informed and make better decisions, overdependence on such technology can prove counterproductive. Consumers who do not cross-check the recommendations they receive will end up less well informed, bringing into focus the need to balance personal judgment with technology in a newly AI-shaped retail market.
dlvr.it
December 15, 2025 at 3:29 PM
Circle and Aleo Roll Out USDCx With Banking-Level Privacy Features #Aleo #Blockchain #Circle
Circle and Aleo Roll Out USDCx With Banking-Level Privacy Features
Aleo and Circle are launching USDCx, a new, privacy-centric version of the USDC stablecoin designed to provide "banking-level" confidentiality while maintaining regulatory visibility and dollar backing. The token is launching first on Aleo's testnet and was built using Circle's new xReserve platform, which allows partner blockchains to issue their own USDC-backed assets that interoperate with native USDC liquidity.
New role of USDCx
USDCx remains pegged one-to-one with the U.S. dollar, but it is issued on Aleo, a layer-1 blockchain architected around zero-knowledge proofs for private transactions. Rather than broadcasting clear-text transaction details on-chain, Aleo represents transfers as encrypted data blobs that shield sender, receiver, and amounts from public view. Circle and Aleo position this as a response to institutional reluctance to use public blockchains, where transaction histories are permanently transparent and can expose sensitive commercial information or trading strategies. By combining stablecoin predictability with privacy, they hope to make on-chain dollars more palatable to banks, enterprises, and fintech platforms. Despite the privacy focus, USDCx is not an absolute anonymity network. Every transaction contains a "compliance record," which Circle can view if a regulatory or law enforcement agency requests information, but which is not accessible on the main chain. Aleo executives describe this as a "banking level of privacy," a middle ground that balances confidentiality with regulatory support rather than the absolute anonymity methods found in other privacy coins.
Target use cases and strategy
Aleo reports strong inbound interest from payroll processors, infrastructure providers, and foreign aid projects, as well as domestic national security-related applications that require flows which are private but traceable.
Request Finance and Toku, other payroll service providers, and prediction markets are assessing USDCx to support salaries and wages without revealing income information and strategy to a public blockchain.  USDCx on Aleo is a part of a larger strategy being undertaken by Circle that involves its xReserve infrastructure and an upcoming stablecoin-optimized Layer 1 network named "Arc," which aims to make USDC-compatible assets programmable and interoperate across different chains. Aleo, which had raised capital from investors such as a16z and Coinbase Ventures for developing zero-knowledge solutions, believes a mainnet launch for USDCx will follow the end of the current testnet period.
dlvr.it
December 15, 2025 at 2:07 PM
PayPal Subscription Feature Exploited to Send Real Emails With Fake High-Value Purchase Alerts #CyberFraud #PayPalemailscam #PayPalfakepurchasealert
PayPal Subscription Feature Exploited to Send Real Emails With Fake High-Value Purchase Alerts
  A new email scam is misusing PayPal’s Subscriptions billing system to send genuine PayPal emails that contain fraudulent purchase claims hidden inside the Customer Service URL field. Over the last few months, multiple users have reported receiving PayPal emails stating, "Your automatic payment is no longer active." While the message appears routine, the Customer Service URL field has been manipulated to display alarming text claiming the recipient bought an expensive product such as a Sony device, MacBook, or iPhone. The embedded message typically mentions a payment ranging between $1,300 and $1,600, includes a suspicious domain name, and provides a phone number that victims are urged to call to cancel or dispute the charge. Scammers use Unicode characters to alter fonts and emphasize certain words, a technique designed to bypass spam filters and keyword detection systems. "http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email. Although the content is fraudulent, the emails are sent directly from [email protected], which causes confusion and concern among recipients who fear their PayPal accounts may have been compromised. Because the messages originate from PayPal’s legitimate mail servers, they often bypass spam and security filters. The primary objective of this scam is to frighten recipients into believing their account was used to make a costly purchase, prompting them to call the fake “PayPal support” number. Such calls are typically used to carry out bank fraud or persuade victims to install malicious software on their devices. Users who receive these emails are advised not to call the listed number. If there is concern about account security, the safest approach is to log in directly to PayPal and verify whether any unauthorized transaction has occurred. 
How the PayPal scam works
BleepingComputer reviewed a copy of the email and confirmed that it was sent from PayPal’s official infrastructure. Email headers show that the messages pass SPF, DKIM, and DMARC checks and originate from PayPal’s mx15.slc.paypal.com mail server. Further investigation revealed that the same email template can be triggered by using PayPal’s Subscriptions feature. This tool allows merchants to set up recurring billing for services. When a subscription is paused, PayPal automatically sends the subscriber an email stating that their automatic payment is no longer active. Under normal circumstances, PayPal restricts the Customer Service URL field to valid URLs only. However, in this case, scammers appear to be exploiting a weakness in how subscription metadata is handled or using an alternative method, possibly via an API or legacy system, that permits invalid text to be stored in that field. What remains unclear is how these emails reach individuals who never signed up for the subscription. Mail headers indicate that PayPal sends the message to an address believed to belong to a fake subscriber account created by the scammer. This address is likely linked to a Google Workspace mailing list, which automatically forwards the email to all its members, the intended victims. Such forwarding can cause later SPF and DMARC checks to fail, since the message is relayed by servers other than PayPal’s original mail system. PayPal has acknowledged the issue and confirmed that action is being taken. “PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving phishing scams," PayPal told BleepingComputer. "We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."
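The two tell-tale traits described above, a Customer Service URL field that carries prose, a dollar amount and a callback number (with styled Unicode letters to dodge keyword filters), and a message that arrives through a mailing-list relay so DKIM still passes while SPF and DMARC fail, can be checked mechanically on the receiving side. The following is an added example, not code from PayPal, BleepingComputer or the article; the sample message, its header values, the list address and the phone number are constructed placeholders.

```python
"""Mailbox-side heuristics for the PayPal subscription-notification scam.

Added example (not PayPal's or BleepingComputer's code). SAMPLE_EMAIL is a
constructed message imitating the reported notification; every address,
domain and phone number in it is a placeholder.
"""
import re
import unicodedata
from email import message_from_bytes
from email.message import Message
from email.policy import default
from typing import Dict, List, Optional

# Constructed sample: a genuine-looking "automatic payment is no longer active"
# notice whose Customer Service URL field carries the scam text. The
# Authentication-Results header models a message relayed by a mailing list:
# DKIM passes (content intact), SPF and DMARC fail (different sending server).
# "\U0001d40f..." spells "PayPal" in Mathematical Bold letters.
SAMPLE_EMAIL = """\
From: PayPal <service@paypal.com>
To: victims-list@example-workspace.test
List-Id: <victims-list.example-workspace.test>
Authentication-Results: mx.example.test; dkim=pass header.d=paypal.com; spf=fail smtp.mailfrom=paypal.com; dmarc=fail header.from=paypal.com
Subject: Your automatic payment is no longer active
Content-Type: text/plain; charset="utf-8"

Your automatic payment is no longer active.
Merchant: Example Store
Customer Service URL: http://bad-domain.test bad-domain.test A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact \U0001d40f\U0001d41a\U0001d432\U0001d40f\U0001d41a\U0001d425 support at +1-555-010-0199
"""

FIELD_RE = re.compile(r"^Customer Service URL:\s*(.*)$", re.IGNORECASE | re.MULTILINE)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail)\b", re.IGNORECASE)
LURE_RE = re.compile(r"\b(call|contact|cancel|dispute|support)\b", re.IGNORECASE)


def fold_styled_unicode(text: str) -> str:
    """NFKC folds Mathematical Alphanumeric Symbols (the 'font' trick) back
    to plain ASCII letters so ordinary keyword matching works again."""
    return unicodedata.normalize("NFKC", text)


def customer_service_field(body: str) -> Optional[str]:
    """Return the Customer Service URL value from the plain-text body, if any."""
    match = FIELD_RE.search(body)
    return match.group(1).strip() if match else None


def inspect_field(value: str) -> List[str]:
    """A legitimate value is one bare URL; anything else is a finding."""
    findings = []
    folded = fold_styled_unicode(value)
    if folded != value:
        findings.append("styled-unicode")      # font-changing characters present
    tokens = folded.split()
    if len(tokens) != 1 or not re.match(r"^https?://\S+$", tokens[0]):
        findings.append("not-a-single-url")    # prose smuggled into a URL field
    if MONEY_RE.search(folded):
        findings.append("dollar-amount")
    if PHONE_RE.search(folded):
        findings.append("phone-number")
    if LURE_RE.search(folded):
        findings.append("callback-lure")
    return findings


def inspect_headers(msg: Message) -> List[str]:
    """Flag the relay pattern: DKIM intact but SPF/DMARC failing, plus list headers."""
    findings = []
    results = {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    if results.get("dkim") == "pass" and results.get("spf") == "fail":
        findings.append("dkim-pass-spf-fail")  # signature survived a forward, envelope did not
    if results.get("dmarc") == "fail":
        findings.append("dmarc-fail")
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        findings.append("mailing-list-relay")  # PayPal does not mail subscribers via a group
    return findings


def assess(raw: str) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and combine field and header findings."""
    msg = message_from_bytes(raw.encode("utf-8"), policy=default)
    body = msg.get_content() if not msg.is_multipart() else ""
    field = customer_service_field(body)
    field_findings = inspect_field(field) if field is not None else []
    header_findings = inspect_headers(msg)
    return {
        "field": field,
        "field_findings": field_findings,
        "header_findings": header_findings,
        # Three or more independent signals: route to the abuse queue, not the inbox.
        "suspicious": len(field_findings) + len(header_findings) >= 3,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```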
dlvr.it
December 15, 2025 at 1:07 PM
Trump Approves Nvidia AI Chip Sales to China Amid Shift in U.S. Export Policy #AdvancedComputingRisks #AIChipRegulation
Trump Approves Nvidia AI Chip Sales to China Amid Shift in U.S. Export Policy
The Trump administration's decision to let Nvidia resume sales of one of its more powerful artificial intelligence processors to Chinese buyers has sparked a fierce debate in Washington, underscoring the tension between national security policy and economic strategy. The move, which allows the semiconductor giant to export its H200 AI chips, its second most advanced, to China, is one of the most significant reversals of U.S. technology export controls in recent years. It was swiftly criticized by China hardliners and Democratic lawmakers, who warned that Beijing could use the chips' computing power to accelerate military modernization and surveillance.

Administration officials said the shift was justified after months of negotiations with industry executives and national security agencies. They concluded that the economic gains, including a share of the sales revenue flowing to the U.S. government, outweighed earlier fears that the chips would advance China's technological and military ambitions.

Financial markets reacted quickly when President Donald Trump announced the policy shift on his Truth Social platform. Nvidia shares rose about 2% in after-hours trading, adding to a roughly 3% gain earlier in the session that followed a Semafor report on the coming decision. Trump said he had personally informed Chinese President Xi Jinping of the move and that Xi responded positively, a notable gesture given how closely Chinese regulators have been scrutinizing Nvidia's chips. Trump also said the U.S. Commerce Department was formalizing the deal and that the same framework would extend to other U.S. chip companies, including Advanced Micro Devices and Intel.

Under the deal, the U.S. government will collect 25 percent of the sales, up from the 15 percent proposed earlier this year. A White House official said the levy would be collected as an import tax when the chips, which are manufactured in Taiwan, pass through the United States before being processed for export to China. Trump gave no figure for how many H200 chips would be approved and did not detail the conditions attached, saying only that shipments would proceed under safeguards designed to protect U.S. national security. Administration officials described the decision as a calculated compromise: it stops short of allowing exports of Nvidia's most advanced Blackwell chips, while avoiding a complete ban that could hand Chinese companies such as Huawei the domestic AI chip market.

Nvidia said that offering H200 processors to commercial customers vetted and approved by the Commerce Department strikes a “thoughtful balance” between American interests and those of the companies involved. Intel declined to comment; AMD and the Commerce Department, which oversees export controls, did not respond to requests for comment. Asked about the approval, China's foreign ministry said cooperation should be mutually beneficial for both sides.

The decision is widely viewed as the clearest signal yet of Trump's broader effort to loosen long-standing restrictions on sales of advanced U.S. AI technology to China, a strategic bet on expanding overseas markets for American companies at a time of intensifying global competition. It also comes as Washington and Beijing work to mend relations, including over Beijing's controls on rare earth minerals, which supply a significant share of the raw materials for high-tech products in the United States and elsewhere. Kush Desai, a White House spokesperson, said the administration remains committed to preserving American dominance in artificial intelligence without compromising national security, while Chinese Embassy spokesperson Liu Pengyu urged the United States to take concrete steps to keep global supply chains stable and efficient.

The decision marks a sharp departure from Trump's first term, when he aggressively restricted Chinese access to U.S. technology. China has repeatedly denied U.S. allegations that it misappropriates American intellectual property and repurposes commercial technology for military use. Senior administration officials now argue that allowing exports of advanced AI chips could slow the rise of domestic Chinese rivals by reducing the incentive for companies such as Huawei to develop competing processors. David Sacks, the White House's AI policy lead, called the approach a strategic necessity, saying that if Chinese chips come to dominate global markets, the United States will lose its technological leadership.

Stewart Baker, a former senior official at the Department of Homeland Security and the National Security Agency, said this rationale is deeply unpopular across Washington, and he considers it unlikely that China will remain dependent on American chips for years to come: Beijing, he argued, will inevitably seek to displace American suppliers by building a self-sufficient industry. Senator Ron Wyden, a Democrat, said Trump had struck a deal that undermines American security interests, and Representative Raja Krishnamoorthi called it a significant national security mistake that benefits America's foremost strategic rival. Some China hawks, however, contend that the practical impact may be more limited; among them is James Mulvenon, a longtime analyst of the Chinese military who was consulted by the U.S. government when sanctions were imposed on the Chinese chipmaker SMIC.

Taken together, the decision underscores how artificial intelligence hardware has become a tool of both economic diplomacy and strategic competition. The administration has opened a narrow export channel while keeping strict limits on the most advanced technologies, a calibrated approach whose long-term consequences remain uncertain. U.S. policymakers will need to ensure that oversight mechanisms keep pace with rapid advances in chip capabilities, so that the hardware is not diverted to military or intelligence use, while preserving the competitiveness of American firms abroad.

The episode also demonstrates the growing need to weigh geopolitical risk in product, supply chain and investment decisions across the industry, and it signals a broader debate among lawmakers over whether export controls alone can shape technological leadership in an era of rapid advances. The outcome of the contest between Washington and Beijing will affect not only the development of artificial intelligence but also the rules governing how strategic technologies move across borders, a matter that will require sustained attention beyond the market's immediate reaction.
dlvr.it
December 15, 2025 at 12:56 PM
U.S. Startup Launches Mobile Service That Requires No Personal Identification #Datacollection #ID #Phreeli
U.S. Startup Launches Mobile Service That Requires No Personal Identification
A newly launched U.S. mobile carrier is challenging long-standing telecom practices by offering phone service without requiring customers to submit personal identification. The company, Phreeli, presents itself as a privacy-focused alternative in an industry known for extensive data collection. Phreeli officially launched in early December and describes its service as being built with privacy at its core. Unlike traditional telecom providers that ask for names, residential addresses, birth dates, and other sensitive information, Phreeli limits its requirements to a ZIP code, a chosen username, and a payment method. According to the company, no customer profiles are created or sold, and user data is not shared for advertising or marketing purposes. Customers can pay using standard payment cards, or opt for cryptocurrency if they wish to reduce traceable financial links. The service operates entirely on a prepaid basis, with no contracts involved. Monthly plans range from lower-cost options for light usage to higher-priced tiers for customers who require more mobile data. The absence of contracts fits the company's approach, since formal agreements typically require verified personal identities. Rather than building its own cellular infrastructure, Phreeli operates as a Mobile Virtual Network Operator, providing service by leasing network access from an established carrier, in this case T-Mobile. This model allows Phreeli to offer nationwide coverage without owning physical towers or equipment. Addressing legal concerns, the company states that U.S. law does not require mobile carriers to collect customer names in order to provide service. To manage billing while preserving anonymity, Phreeli says it uses a system that separates payment information from communication data. This setup relies on cryptographic verification to confirm that accounts are active, without linking call records or data usage to identifiable individuals.
The company's privacy policy notes that information will only be shared when necessary to operate the service or when legally compelled. By limiting the amount of data collected from the start, Phreeli argues that there is little information available even in the event of legal requests. Phreeli was founded by Nicholas Merrill, who previously operated an internet service provider and became involved in a prolonged legal dispute after challenging a government demand for user information. That experience reportedly influenced the company's data-minimization philosophy. While services that prioritize anonymity are often associated with misuse, Phreeli states that it actively monitors for abusive behavior, and accounts involved in robocalling or scams may face restrictions or suspension. As concerns about digital surveillance and commercial data harvesting grow, Phreeli's launch sets the stage for a broader discussion about privacy in everyday communication. Whether this model gains mainstream adoption remains uncertain, but it introduces a notable shift in how mobile services can be structured in the United States.
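One way to make "this account is paid for" verifiable without tying call records to the payer is a blind-signature token: the billing side signs a token it never sees in the clear, and the network side later accepts the unblinded token without learning who paid. Phreeli has not published its design, so what follows is an added illustration of that general technique, not the company's code; the RSA-based scheme, the split into a billing service and a network service, and the token format are all assumptions made for the example.

```python
"""Unlinkable activation tokens with RSA blind signatures (illustrative construction, not Phreeli's design).

Assumed split: a billing service that knows who paid signs a *blinded* token; a network service that
activates the line later sees the real token and signature but nothing about the payer.
"""
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; adequate for generating a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Billing service's RSA key. Demo-sized: production uses a vetted library and >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)


def _hash_to_int(token: bytes, n: int) -> int:
    """Map a token into Z_n (simplified full-domain hash, enough to show the flow)."""
    return int.from_bytes(hashlib.sha512(token).digest(), "big") % n


# --- subscriber's app ---
def blind(token: bytes, pub):
    """Return (value to send to billing, blinding factor r the subscriber keeps secret)."""
    n, e = pub
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (_hash_to_int(token, n) * pow(r, e, n)) % n, r


def unblind(blind_sig: int, r: int, pub) -> int:
    """(H(t) * r^e)^d * r^-1 = H(t)^d mod n: a plain RSA signature on the real token."""
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n


# --- billing service: knows the payer, logs only the blinded value ---
def sign_blinded(blinded: int, priv) -> int:
    n, d = priv
    return pow(blinded, d, n)


# --- network service: knows the line, never sees the payer ---
def verify_token(token: bytes, sig: int, pub, spent: set) -> bool:
    """Accept a token once if it carries a valid billing signature; `spent` blocks replay."""
    n, e = pub
    if token in spent or pow(sig, e, n) != _hash_to_int(token, n):
        return False
    spent.add(token)
    return True


def run_protocol(pub, priv) -> dict:
    """Full exchange; returns each side's view so unlinkability can be checked."""
    token = secrets.token_bytes(32)          # constructed: random activation token
    blinded, r = blind(token, pub)
    blind_sig = sign_blinded(blinded, priv)  # billing sees only `blinded`
    sig = unblind(blind_sig, r, pub)
    spent = set()
    return {
        "billing_saw": blinded,
        "network_saw": (token, sig),
        "accepted": verify_token(token, sig, pub, spent),
        "replay_accepted": verify_token(token, sig, pub, spent),
    }


if __name__ == "__main__":
    public, private = generate_keypair()
    print(run_protocol(public, private))
```

The property worth checking is in the returned dictionary: the value the billing side logged is unrelated to the token and signature the network side accepts, so joining the two databases yields nothing. The `spent` set must be shared by every network-side verifier or a token can be redeemed once per server. Note also what this does not hide: the host network that actually carries the traffic still sees device identifiers, cell locations and call metadata, so the scheme only breaks the link between payment records and the service account, not network-level visibility.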
dlvr.it
December 14, 2025 at 7:22 PM
FTC Refuses to Lift Ban on Stalkerware Company that Exposed Sensitive Data #AI #Cloud #Data
FTC Refuses to Lift Ban on Stalkerware Company that Exposed Sensitive Data
The U.S. Federal Trade Commission (FTC) has refused to lift its ban on a stalkerware maker whose data breach exposed information on both its customers and the people they were spying on. Consumer spyware company Support King still may not sell surveillance software, the agency said, after denying a petition by founder Scott Zuckerman to set aside the order. The ban also covers the subsidiaries OneClickMonitor and SpyFone. The FTC announced the decision in a press release; Zuckerman had filed his petition in July 2025.

In 2021 the FTC barred Zuckerman from “offering, promoting, selling, or advertising any surveillance app, service, or business,” prohibiting him from running any other stalkerware business. He was also required to delete all data stored by SpyFone and to undergo audits of the cybersecurity measures at his ventures. Samuel Levine, then acting director of the FTC's Bureau of Consumer Protection, said at the time: “SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information.” He added that the “stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”

In his petition, Zuckerman argued that the order has caused him monetary losses and made it difficult to conduct other businesses, even though Support King is out of business and he now operates only a restaurant while planning other ventures.

The ban stemmed from a 2018 incident in which a researcher discovered a SpyFone Amazon S3 bucket left open on the internet, exposing selfies, chats, text messages, contacts, passwords, logins and audio recordings; the leaked data included 44,109 email addresses. According to TechCrunch, Zuckerman went on to run another stalkerware operation after the 2021 order. In 2022, TechCrunch obtained breached data from the stalkerware application SpyTrac showing that it was run by freelance developers with direct links to Support King, in an apparent attempt to evade the FTC ban. The breached data also contained records from SpyFone, which Support King had been ordered to delete, as well as access keys to the cloud storage of OneClickMonitor, another stalkerware application.
dlvr.it
December 14, 2025 at 4:58 PM
Holiday Scam Alerts Rise: How to Spot Fake Links and Stay Safe From Phishing Attacks #CyberFraud #cybersecuritytips #EmailScams
Holiday Scam Alerts Rise: How to Spot Fake Links and Stay Safe From Phishing Attacks
As the festive season rolls in with cozy drinks, twinkling lights and gift exchanges, it also brings a sharp spike in online scams. Cybercriminals work overtime during the holidays, using increasingly sophisticated tactics to trick people into clicking malicious links or sharing sensitive information, and telling a real website from a fraudulent one has never been harder. Data from the FBI's Internet Crime Complaint Center shows that phishing and spoofing scams drained more than $70 million from victims during the 2024 holiday season alone.

What makes these scams particularly dangerous is how convincing they have become. Many fraudulent links now use HTTPS and domain names that closely resemble legitimate brands, so a padlock icon and a familiar-looking name are no longer proof of authenticity. Clicking a scam link can cost more than a ruined holiday mood: victims may lose money, hand their card details to a fake “Secret Santa,” or download malware that locks up a device in seconds. Knowing how to identify and avoid scam links is key to staying protected this season.

How to identify scam links

Scam links arrive in phishing emails, text messages, social media messages and other digital channels. Their goal is to get the victim to download malware or enter personal and financial information on a fake website. Popular schemes include unpaid toll notices, fake investment offers, gold bar scams and fraudulent job opportunities. Criminals send these messages in bulk, increasingly using artificial intelligence to make them look legitimate, and enough people fall for them each year to keep the cycle going. Here is how to avoid taking the bait.

1. Check the URL carefully: “Smartphones do their best to block scam links, so attackers use tricks to make their links clickable,” said Joshua McKenty, CEO of Polyguard.ai, a cybersecurity company that helps businesses protect mobile phones and call centers from AI-driven phishing scams. He advises watching for red flags such as an “@” symbol within the URL (browsers treat everything before the “@” as a username and connect to the host after it) or two web addresses combined with a question mark, especially when the first part looks like a trusted site such as Google.com or Apple.com. Dave Meister, a cybersecurity spokesperson for Check Point, noted that hovering over a link often reveals its true destination. He also warned about “typo-squatting,” where fake URLs closely mimic real ones, such as “PayPa1” in place of “PayPal.”

2. Stick to familiar domains: Knowing the domains you regularly visit significantly reduces risk. “Major brands, especially banks and retailers, don't often change up their domain names,” McKenty said. “If the link says Chase.com, it's likely safe. If it says, Chase-Banking-App.com, stay away.” Shortened links are common in text messages and on social media, but they are risky. “Sadly, there's no safe way to check a shortened URL,” McKenty said, recommending that people avoid clicking them altogether. Links from services like Bit.ly or Shorturl may still display “https://,” which proves nothing about the destination. Read the message closely and watch for urgency, threats or pressure to act quickly, all classic scam tactics.

Common ways scam links reach victims

1. Text message scams: Not all scams rely on website links; phone numbers themselves are often used to deceive victims. “People get tricked into clicking a phone number that's not actually their bank or the IRS, and then surrendering identity information on the phone,” McKenty said. Engaging with scammers, even out of curiosity, can make things worse: responding signals that your number is active and encourages repeat attempts.

2. Email scams: Email remains one of the costliest scam channels. McKenty noted that although text scams are increasing, “the biggest dollar losses are still the classic email scams.” He recommends copying suspicious links into a notes app to inspect them rather than clicking directly.

3. QR code scams: “QR codes have become the new stealth weapon, used everywhere from restaurant menus to parking meters,” said Meister. “Scammers are known to slap fake codes on top of real ones in public, or embed them in phishing emails, linking to cloned websites or malware downloads.” Before scanning, consider whether a QR code makes sense in that location; codes on random objects or in unexpected emails are best avoided.

4. Social media direct messages: Scammers often hijack or impersonate accounts belonging to people you know. If a message from a relative or friend suddenly sounds aggressive, sales-driven or out of character, especially if it includes a link, verify by contacting them through another channel before clicking.

What to do if you already clicked a scam link

The outcome depends on your device's protections: a firewall or antivirus product may block the threat automatically. Without such protection, act immediately:

* Install or update antivirus software: use a reputable free or paid tool to scan for and remove threats.
* Watch for signs of malware: phones are not immune. If you suspect infection, avoid using financial apps, clear your browser cache, delete unfamiliar apps or perform a factory reset, and contact your device's technical support if needed.
* Change any password you entered on the site: do it from a device you trust, and turn on multi-factor authentication for that account.
* Notify your bank or card issuer: if you accessed financial accounts on a compromised device, alert your institution as a precaution.
* Report the scam: if you lost money, report the incident to the Federal Trade Commission and your local police department. Reporting helps authorities warn others and reduce future victims.

Staying alert and informed is your best defense against holiday scams, and the best way to keep the season joyful and secure.
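The red flags listed above (an “@” in the URL, a second address after “?”, typo-squatted brand names, a brand name on the wrong registrable domain, and link shorteners) can be turned into a small link inspector. The following is an added example written for this page, not code from the article or from Polyguard.ai or Check Point; the brand allowlist, the shortener list and the sample URLs are constructed for the demo and deliberately tiny.

```python
"""Heuristic scam-link inspector (added example; lists and samples are constructed)."""
import re
from urllib.parse import urlsplit, unquote

# Assumed brand -> legitimate registrable domains. A real deployment maintains this list properly.
TRUSTED = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
    "google": {"google.com"},
    "apple": {"apple.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "shorturl.at", "t.co", "goo.gl"}
# Characters typo-squatters swap in for look-alikes: PayPa1 -> paypal, g00gle -> google.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive (wrong for co.uk etc.); use the Public Suffix List in practice."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> list:
    """Return the red flags that fired; an empty list means none of these heuristics matched."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    # 1. '@' in the authority: everything before it is userinfo, the browser connects to what follows.
    if "@" in parts.netloc:
        findings.append("'@' in authority: real destination is the host after the '@'")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host in URL")
        return findings
    domain = registrable_domain(host)
    # 2. Shorteners hide the destination entirely.
    if domain in SHORTENERS:
        findings.append(f"URL shortener ({domain}) hides the destination")
    # 3. A second URL after '?' (redirect parameter or decoy): the first address is bait.
    tail = unquote(parts.path + "?" + parts.query)
    if re.search(r"https?://", tail, re.IGNORECASE):
        findings.append("second URL embedded after '?': first part may be bait")
    # 4. Brand impersonation: a brand name in the host while the registrable domain is not the brand's.
    normalized = host.replace("-", "").translate(CONFUSABLES)
    for brand, real_domains in TRUSTED.items():
        if domain in real_domains:
            continue
        if re.search(rf"(?<![a-z]){brand}", normalized):
            findings.append(f"looks like {brand} but registrable domain is {domain}")
    return findings


if __name__ == "__main__":
    for u in (  # constructed samples, one per heuristic plus a clean control
        "https://www.chase.com/personal",
        "https://chase-banking-app.com/login",
        "https://paypa1.com/signin",
        "http://google.com@evil.example/verify",
        "https://accounts.google.com/Login?continue=https%3A%2F%2Fevil.example",
        "https://bit.ly/3xYzAbC",
    ):
        print(u, "->", inspect_url(u) or ["no flags"])
```

These are heuristics, not a verdict: an empty result says only that none of the listed tricks was detected, and the brand check will miss names glued to other letters (mychase.com) while matching on any label that starts with a brand name. The `registrable_domain` helper is the weakest part; swapping in a Public Suffix List library is the first improvement to make before using this beyond a demo.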
dlvr.it
December 14, 2025 at 3:47 PM