THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple's Data Dilemma
thehackernews.com
Welcome to your weekly roundup of cyber news, where every headline gives you a peek into the world of online battles. This week, we look at a huge crypto theft, reveal some sneaky AI scam tricks, and discuss big changes in data protection. Let these stories spark your interest and help you understand the changing threats in our digital world.

Threat of the Week

Lazarus Group Linked to Record-Setting $1.5 Billion Crypto Theft

The North Korean Lazarus Group has been linked to a "sophisticated" attack that led to the theft of over $1.5 billion worth of cryptocurrency from one of Bybit's cold wallets, making it the largest single crypto heist in history. Bybit said it "detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a planned routine transfer process on February 21, 2025, at around 12:30 p.m. UTC." The incident is the biggest cryptocurrency heist reported to date, dwarfing those of Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).

Top News

OpenAI Bans ChatGPT Accounts for Malicious Activities

OpenAI has revealed that it banned several clusters of accounts that used its ChatGPT tool for a wide range of malicious purposes. These included a network likely originating from China that used its artificial intelligence (AI) models to develop a suspected surveillance tool designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit. Other instances of ChatGPT abuse included creating social media content and long-form articles critical of the U.S., generating comments to propagate romance-baiting scams on social media, and assisting with malware development.

Apple Drops iCloud's Advanced Data Protection in the U.K.

Apple has stopped offering its Advanced Data Protection (ADP) feature for iCloud in the United Kingdom with immediate effect, rather than complying with government demands for backdoor access to encrypted user data. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said. The development comes shortly after reports emerged that the U.K. government had ordered Apple to build a backdoor that grants blanket access to any Apple user's iCloud content.

Salt Typhoon Leverages Years-Old Cisco Flaw for Initial Access

The China-linked hacking group called Salt Typhoon leveraged a now-patched security flaw impacting Cisco devices (CVE-2018-0171) and obtained legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. Besides relying extensively on living-off-the-land (LOTL) techniques to evade detection, the attacks led to the deployment of a bespoke utility called JumbledPath that allows the attackers to execute a packet capture on a remote Cisco device through an actor-defined jump host. Cisco described the threat actor as highly sophisticated and well-funded, consistent with state-sponsored hacking activity.

Russian Hackers Exploit Signal's Linking Feature

Multiple Russia-aligned threat actors have been observed targeting individuals of interest via malicious QR codes that abuse the privacy-focused messaging app Signal's "linked devices" feature to gain unauthorized access to their accounts and eavesdrop on their messages. The attacks have been attributed to two clusters tracked as UNC5792 and UNC4221. The development comes as similar attacks have also been recorded against WhatsApp.

Winnti Stages RevivalStone Campaign Targeting Japan

Winnti, a subgroup within the APT41 Chinese threat activity cluster, targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 with a campaign that delivered a wide range of malware, including a rootkit capable of intercepting the TCP/IP network interface and creating covert channels with infected endpoints within the intranet. The activity has been codenamed RevivalStone.

Trending CVEs

Your go-to software could be hiding dangerous security flaws, so don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard. This week's list includes CVE-2025-24989 (Microsoft Power Pages), CVE-2025-23209 (Craft CMS), CVE-2024-12284 (Citrix NetScaler Console and NetScaler Agent), CVE-2025-26465, CVE-2025-26466 (OpenSSH), CVE-2025-21589 (Juniper Networks Session Smart Router), CVE-2024-12510, CVE-2024-12511 (Xerox VersaLink C7025 Multifunction printer), CVE-2025-0366 (Jupiter X Core plugin), CVE-2024-50379, CVE-2024-56337, CVE-2024-52316, CVE-2024-50379, CVE-2024-56337 (Atlassian), CVE-2024-53900, CVE-2025-23061 (Mongoose library), CVE-2025-26776 (NotFound Chaty Pro plugin), CVE-2025-26763 (MetaSlider Responsive Slider by MetaSlider plugin), CVE-2024-54756 (ZDoom Team GZDoom), CVE-2024-57401 (Uniclare Student Portal), CVE-2025-20059 (Ping Identity PingAM Java Policy Agent), CVE-2025-0868 (DocsGPT), CVE-2025-1023, CVE-2025-1132, CVE-2025-1133, CVE-2025-1134, CVE-2025-1135 (ChurchCRM), CVE-2024-57045 (D-Link DIR-859 router), CVE-2024-57050 (TP-Link WR840N v6 router), CVE-2024-57049 (TP-Link Archer c20 router), CVE-2025-26794 (Exim), CVE-2024-50608, CVE-2024-50609 (Fluent Bit), CVE-2024-54961 (Nagios XI), CVE-2025-23115, and CVE-2025-23116 (Ubiquiti UniFi Protect Camera).

Around the Cyber World

U.S. Army Soldier Pleads Guilty to AT&T and Verizon Hacks

Cameron John Wagenius (aka Kiberphant0m), a 20-year-old U.S. Army soldier who was arrested early last month over the AT&T and Verizon hacks, has pleaded guilty to two counts of unlawful transfer of confidential phone records information in 2024. He faces up to 10 years in prison for each count. Wagenius is also believed to have collaborated with Connor Riley Moucka (aka Judische) and John Binns, both of whom have been accused of stealing data from and extorting dozens of companies by breaking into their Snowflake instances.

Two Estonian Nationals Plead Guilty in $577M Cryptocurrency Fraud Scheme

Two Estonian nationals, Sergei Potapenko and Ivan Turgin, both 40, have pleaded guilty to operating a massive, multi-faceted cryptocurrency Ponzi scheme that claimed hundreds of thousands of victims from across the world, including in the U.S. They have also agreed to forfeit assets valued at over $400 million obtained during the operation of the illicit scheme. The defendants "sold contracts to customers entitling them to a share of cryptocurrency mined by the defendants' purported cryptocurrency mining service, HashFlare," the Justice Department said. "Between 2015 and 2019, Hashflare's sales totaled more than $577 million, but HashFlare did not possess the requisite computing capacity to perform the vast majority of the mining the defendants told HashFlare customers it performed." Potapenko and Turgin each pleaded guilty to one count of conspiracy to commit wire fraud. If convicted, they each face a maximum penalty of 20 years in prison. The disclosure comes as Indian law enforcement authorities seized nearly $190 million in cryptocurrency tied to the BitConnect scam. BitConnect is estimated to have defrauded over 4,000 investors across 95 countries, amassing $2.4 billion before its collapse in 2018. Its founder Satish Kumbhani was charged by the U.S. in 2022, but he remained a fugitive until his whereabouts were traced to Ahmedabad.

Thailand Rescues 7,000 People from Myanmar Call Centers

Thailand Prime Minister Paetongtarn Shinawatra said some 7,000 people have been rescued from illegal call center operations in Myanmar and are waiting to be transferred to the country. In recent years, Myanmar, Cambodia, and Laos have become hotspots for illicit romance-baiting scams, most of them run by organized cybercrime syndicates and staffed by people who were illegally trafficked into the region under the promise of high-paying jobs. They are then tortured and enslaved into running scams such as romance fraud and fake investment schemes online. "We are facing an epidemic in the growth of financial fraud, leading to individuals, often vulnerable people, and companies being defrauded on a massive and global scale," INTERPOL noted last year. The United Nations estimated that scams targeting victims across East and Southeast Asia caused financial losses between $18 billion and $37 billion in 2023.

Sanctioned Entities Fueled $16 billion in Crypto Activity

Sanctioned entities and jurisdictions were responsible for nearly $115.8 billion in cryptocurrency activity last year, accounting for about 39% of all illicit crypto transactions. "In a departure from prior years, sanctioned jurisdictions accounted for a record share of total sanctions-related activity compared to individual entities, commanding nearly 60% of value by the end of 2024," Chainalysis said. This is driven by the continued emergence of no-KYC exchanges despite enforcement actions, as well as the resurgence of Tornado Cash, which has been the target of sanctions and arrests. "The increase in Tornado Cash usage in 2024 was largely driven by stolen funds, which reached a three-year high, accounting for 24.4% of total inflows," the blockchain intelligence firm said. Another notable factor is the increasing use of digital currencies by Iranian services for sanctions-related crypto activity. Cryptocurrency outflows from Iran reached $4.18 billion in 2024, up about 70% year-over-year.

U.S. Releases Russian Cybercriminal in Prison Swap

Alexander Vinnik, who pleaded guilty last year to money laundering charges in connection with operating the now-dismantled BTC-e cryptocurrency exchange, has been handed over by the U.S. government to Russia in exchange for Marc Fogel, a school teacher sentenced to 14 years in prison on drug trafficking charges. Vinnik was originally arrested in Greece in 2017. His sentencing had been scheduled to take place in June 2025.

Black Hat SEO Campaign Targets Indian Sites

Threat actors have infiltrated Indian government, educational, and financial services websites, using malicious JavaScript code that leverages search engine optimization (SEO) poisoning techniques to redirect users to sketchy websites promoting online betting and other investment-focused games that claim to offer referral bonuses. "Targets of interest include websites with .gov.in, .ac.in TLDs and the usage of keyword stuffing mentioning well known financial brands in India," CloudSEK said. "Over 150 government portals, most belonging to state governments, have been affected at scale." It's currently not known how these websites are being compromised. A similar campaign targeting Malaysian government websites has also been reported in the past.

Sky ECC Distributors Arrested in Spain, Netherlands

Four distributors of the encrypted communications service Sky ECC, which was used extensively by criminals, have been arrested in Spain and the Netherlands. The two suspects arrested in Spain are said to be the leading global distributors of the service, generating over €13.5 million ($14 million) in profits. In March 2021, Europol announced that it was able to crack open Sky ECC's encryption, thereby allowing law enforcement to monitor the communications of 70,000 users and expose the criminal activity occurring on the platform. In late January, the Dutch Police announced the arrest of two men from Amsterdam and Arnhem for allegedly selling Sky ECC phones in the country.

Italian Spyware Maker Linked to Malicious WhatsApp Clones

An Italian spyware company named SIO, which offers solutions for monitoring suspect activities, gathering intelligence, or conducting covert operations, has been identified as being behind malicious Android apps that impersonate WhatsApp and other popular apps and are designed to steal private data from a target's device. The findings, reported by TechCrunch, demonstrate the various methods used to deploy such invasive software against individuals of interest. The spyware, codenamed Spyrtacus, can steal text messages, instant messaging chats, contacts, call logs, ambient audio, and images, among other data. It's currently not known who was targeted with the spyware. The oldest artifact, per Lookout, dates back to 2019, and the most recent sample was discovered in mid-October 2024. Interestingly, Kaspersky revealed in May 2024 that it had observed Spyrtacus being used to target individuals in Italy, stating it shared similarities with another stalkerware malware named HelloSpy. "The threat actor first started distributing the malicious APK via Google Play in 2018, but switched to malicious web pages forged to imitate legitimate resources relating to the most common Italian internet service providers in 2019," the company said. The development comes as iVerify said it discovered 11 new cases of Pegasus spyware infection in December 2024 that go beyond politicians and activists. "The new confirmed detections, involving known variants of Pegasus from 2021-2023, include attacks against users across government, finance, logistics, and real estate industries," iVerify said, adding that in about half the cases, the victims did not receive any Threat Notifications from Apple.

CryptoBytes Unleashes UxCryptor Malware

The financially motivated Russian threat actor known as CryptoBytes has been linked to a new ransomware called UxCryptor that uses leaked builders to create and distribute its malware. The group has been active since at least 2023. "UxCryptor is part of a broader trend of ransomware families that use leaked builders, making it accessible to less technically skilled malware operators," the SonicWall Capture Labs threat research team said. "It is often delivered alongside other malware types, such as Remote Access Trojans (RATs) or information stealers, to maximize the impact of an attack. The malware is designed to encrypt files on the victim's system, demanding payment in cryptocurrency for decryption."

Threat Actors Take a Mere 48 Minutes to Go From Initial Access to Lateral Movement

Cybersecurity company ReliaQuest, which recently responded to a manufacturing sector breach involving phishing and data exfiltration, said the attack achieved a breakout time of just 48 minutes, indicating that adversaries are moving faster than defenders can respond. The attack involved the use of email bombing techniques reminiscent of Black Basta ransomware, followed by a Microsoft Teams message sent to trick victims into granting the attackers remote access via Quick Assist. "One user granted the threat actor control of their machine for over 10 minutes, giving the threat actor ample time to progress their attack," ReliaQuest said.

Russia Plans New Measures to Tackle Cybercrime

The Russian government is said to have approved a series of measures aimed at combating cyber fraud. These include tougher punishments for attackers, longer prison terms, and strengthened international cooperation by allowing the extradition of criminals hiding abroad to Russia for trial and punishment.

Expert Webinar

Webinar 1: Build Resilient Identity: Learn to Reduce Security Debt Before It Costs You

Join our exclusive webinar with Karl Henrik Smith and Adam Boucher as they reveal the Secure Identity Assessment, a clear roadmap to close identity gaps, cut security debt, and future-proof your defenses in 2025. Learn practical steps to streamline workflows, mitigate risks, and optimize resource allocation, ensuring your organization stays one step ahead of cyber threats. Secure your spot now and transform your identity security strategy.

Webinar 2: Transform Your Code Security with One Smart Engine

Join our exclusive webinar with Palo Alto Networks' Amir Kaushansky to explore ASPM, the unified, smarter approach to application security. Learn how merging code insights with runtime data bridges gaps in traditional AppSec, prioritizes risks, and shifts your strategy from reactive patching to proactive prevention. Reserve your seat today.

P.S. Know someone who could use these? Share it.

Cybersecurity Tools

Ghidra 11.3

It makes your cybersecurity work easier and faster. With built-in Python3 support and new tools to connect source code to binaries, it helps you find problems in software quickly. Built by experts at the NSA, this update works on Windows, macOS, and Linux, giving you a smart and simple way to tackle even the toughest challenges in reverse engineering.

RansomWhen

It is an easy-to-use open-source tool designed to help you protect your data in the cloud. It works by scanning your CloudTrail logs to spot unusual activity that might signal a ransomware attack using AWS KMS. By identifying which identities have risky permissions, RansomWhen alerts you before an attacker can lock your S3 buckets and hold your data for ransom.
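To make the CloudTrail angle concrete, here is an added example (not RansomWhen's code) that triages constructed CloudTrail events for the KMS-backed S3 lockout pattern: one identity creating a KMS key, re-pointing a bucket's default encryption at it, and scheduling the key for deletion within a short window. The event names are real CloudTrail API names; the sample records, the identity ARNs, the bucket name and the one-hour window are assumptions made for the example.

```python
"""Toy CloudTrail triage for a KMS-based S3 lockout chain (added example, not RansomWhen)."""
from datetime import datetime, timedelta

# Constructed sample events using a few fields of the CloudTrail record schema.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-21T12:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
    {"eventTime": "2025-02-21T12:31:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "finance-archive"}},
    {"eventTime": "2025-02-21T12:33:45Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
    # Benign: a deploy role creating a key with no follow-up steps.
    {"eventTime": "2025-02-21T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/platform-deploy"}},
]

# The ordered steps that turn a bucket into a hostage (assumed heuristic).
CHAIN = ("CreateKey", "PutBucketEncryption", "ScheduleKeyDeletion")
WINDOW = timedelta(hours=1)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_kms_lockout_chains(events, window=WINDOW):
    """Return {identity_arn: [bucket, ...]} for identities that ran the whole chain in order within `window`."""
    by_identity = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_identity.setdefault(ev["userIdentity"]["arn"], []).append(ev)
    findings = {}
    for arn, evs in by_identity.items():
        stage, start, buckets = 0, None, []
        for ev in evs:
            name = ev["eventName"]
            if name not in CHAIN:
                continue
            t = _parse(ev["eventTime"])
            if start is not None and t - start > window:
                stage, start, buckets = 0, None, []  # too spread out to be one operation; restart
            if name == CHAIN[stage]:
                start = t if stage == 0 else start
                stage += 1
                if name == "PutBucketEncryption":
                    buckets.append(ev.get("requestParameters", {}).get("bucketName", "?"))
            if stage == len(CHAIN):
                findings[arn] = list(buckets)
                stage, start, buckets = 0, None, []
    return findings
```

Run against real logs, each flagged identity is a candidate for immediate credential revocation and a check of the bucket's encryption configuration before the pending key deletion completes.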
RansomWhen gives you a simple, proactive way to defend against sophisticated cyber threats.

Tip of the Week

Easy Steps to Supercharge Your Password Manager

In today's digital world, using an advanced password manager isn't just about storing passwords; it's about creating a secure digital fortress. First, enable two-factor authentication (2FA) for your password manager to ensure that even if someone gets hold of your master password, they'll need an extra code to gain access. Use the built-in password generator to create long, unique passwords for every account, mixing letters, numbers, and symbols to make them nearly impossible to guess. Regularly run security audits within your manager to spot weak or repeated passwords, and take advantage of breach monitoring features that alert you if any of your credentials show up in data breaches. When you need to share a password, use the manager's secure sharing option to keep the data encrypted. Finally, ensure your password database is backed up in an encrypted format so you can safely restore your data if needed. These simple yet advanced steps turn your password manager into a powerful tool for keeping your online life secure.

Conclusion

We've seen a lot of action in the cyber world this week, with criminals facing charges and new scams coming to light. These stories remind us that keeping informed is key to online safety. Thanks for joining us, and we look forward to keeping you updated next week.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.