{"id":21407,"date":"2025-02-22T07:00:00","date_gmt":"2025-02-22T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/gps-deanonymisation-a-chatbot-fed-with-hacker-chats-and-other-cybersecurity-highlights\/"},"modified":"2025-02-22T07:00:00","modified_gmt":"2025-02-22T05:00:00","slug":"gps-deanonymisation-a-chatbot-fed-with-hacker-chats-and-other-cybersecurity-highlights","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/gps-deanonymisation-a-chatbot-fed-with-hacker-chats-and-other-cybersecurity-highlights\/","title":{"rendered":"GPS deanonymisation, a chatbot fed with hacker chats, and other cybersecurity highlights"},"content":{"rendered":"<p>We have compiled the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Researchers fed the leaked Black Basta chat logs to ChatGPT.<\/li>\n<li>A Gravy Analytics data leak enabled user deanonymisation.<\/li>\n<li>Ukrainian hackers claimed to have breached CarMoney.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Leaked Black Basta chats were fed to ChatGPT<\/strong><\/h2>\n<p>On February 11 an unknown insider released an archive of the Black Basta ransomware gang\u2019s internal Matrix chats. Threat-intelligence researchers at PRODAFT <a href=\"https:\/\/x.com\/PRODAFT\/status\/1892572675857420335\">flagged<\/a> the archive.<\/p>\n<p>The logs span September 2023 to September 2024. They include crypto-wallet addresses, victims\u2019 accounts, and descriptions of phishing schemes and intrusion tactics.<\/p>\n<p>They also expose the identities of some members, notably the gang\u2019s presumed leader Oleg Nefedov (aliases GG, AA, \u201cTrump\u201d) and two likely administrators, Lapa and YY.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Leaked BlackBasta chat logs contain messages spanning from September 18, 2023, to September 28, 2024. 
Let&#8217;s analyze the statements disclosed by the leaker:<br \/>\u2014 Lapa is one of the key administrators of BlackBasta and is constantly busy with administrative tasks. Holding this\u2026 <a href=\"https:\/\/t.co\/KxQVKZBp75\">https:\/\/t.co\/KxQVKZBp75<\/a> <a href=\"https:\/\/t.co\/BibWU5P9e8\">pic.twitter.com\/BibWU5P9e8<\/a><\/p>\n<p>\u2014 3xp0rt (@3xp0rtblog) <a href=\"https:\/\/twitter.com\/3xp0rtblog\/status\/1892583537879994632?ref_src=twsrc%5Etfw\">February 20, 2025<\/a><\/p><\/blockquote>\n<p>Hudson Rock fed more than a million of the internal messages to ChatGPT and published the result as <a href=\"https:\/\/chatgpt.com\/g\/g-67b80f8b69f08191923d8e6c3fb929b6-blackbastagpt\">BlackBastaGPT<\/a>, a custom GPT for querying the logs.<\/p>\n<p>Experts believe the leak may have been the result of <a href=\"https:\/\/x.com\/PRODAFT\/status\/1892636346885235092\">internal infighting<\/a> within the group.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Gravy Analytics leak led to user deanonymisation<\/strong><\/h2>\n<p>A January <a href=\"https:\/\/fido.nrk.no\/8a09133d2b14a7e72c31006ef2611b22fd78d7c6bfd7cc62f7d35f13b3c2d338\/Datatilsynet_Unacast_Security%20Incident%20Notification_Redacted.pdf\">breach<\/a> at US location-tracking firm Gravy Analytics caused a major leak of user data worldwide, from Russia to the United States. The broker resold geolocation data gathered by <a href=\"https:\/\/gist.github.com\/fs0c131y\/f498b21cba9ee23956fc7d7629262e9d\">thousands of mobile apps<\/a>.<\/p>\n<p>Each record in the leaked dataset is tied to an advertising identifier (IDFA on iOS, AAID on Android). Because that identifier is shared by every app on a device, records can be joined into a movement history, which often allows tracking a person\u2019s movements and, in some cases, deanonymising them.<\/p>\n<p>In an experiment, researcher Baptiste Robert traced one user\u2019s path from New York\u2019s Columbus Circle to his home in Tennessee and, the next day, to his parents\u2019 residence. 
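<\/p>
<p>The trace above is one instance of a general inference: once pings keyed to the same advertising identifier are bucketed by place and by local time of day, the most frequent night-time location is usually a home, and the remaining pings fall into a stop-by-stop itinerary. The Python below is an added example written for this digest, not code from Baptiste Robert or from the leaked dataset; the records, the placeholder ad IDs, the 1 km grid, the 22:00\u201306:00 night window and the longitude-based time-zone estimate are all constructed assumptions of the example.<\/p>

```python
# Added example for this digest; not code from Baptiste Robert, Gravy Analytics
# or the leaked dataset. Shows how location pings keyed by an advertising ID
# (IDFA / AAID) yield a likely home and a stop-by-stop itinerary.
# Assumptions of the example: a ~1 km grid (two decimals of lat/lon), a
# 22:00-06:00 night window, and local time estimated from longitude.
from collections import Counter, defaultdict
from datetime import datetime, timezone

ID_A = '00000000-0000-0000-0000-000000000001'  # placeholder, not a real IDFA
ID_B = '00000000-0000-0000-0000-000000000002'  # second device with too little data

# Constructed pings: (advertising_id, UTC timestamp, latitude, longitude).
# Coordinates are rounded points in New York and Tennessee chosen only to
# resemble the trip described in the text.
SAMPLE_PINGS = [
    (ID_A, '2024-12-29T17:00:00+00:00', 40.7681, -73.9819),  # Columbus Circle, midday
    (ID_A, '2024-12-29T18:30:00+00:00', 40.7683, -73.9821),
    (ID_A, '2024-12-30T04:30:00+00:00', 35.8500, -86.4000),  # Tennessee, late evening local
    (ID_A, '2024-12-30T07:00:00+00:00', 35.8502, -86.4003),
    (ID_A, '2024-12-30T10:00:00+00:00', 35.8499, -86.3998),
    (ID_A, '2024-12-30T16:00:00+00:00', 35.9200, -86.3500),  # second Tennessee address, daytime
    (ID_A, '2024-12-30T18:00:00+00:00', 35.9201, -86.3502),
    (ID_A, '2024-12-31T05:00:00+00:00', 35.8501, -86.4001),
    (ID_A, '2024-12-31T09:00:00+00:00', 35.8500, -86.4000),
    (ID_B, '2024-12-30T15:00:00+00:00', 40.7128, -74.0060),
    (ID_B, '2024-12-30T20:00:00+00:00', 40.7130, -74.0058),
]


def grid_cell(lat: float, lon: float, decimals: int = 2) -> tuple:
    # Two decimals is roughly a 1 km cell: coarse enough to absorb GPS jitter,
    # fine enough to single out a street in a small town.
    return (round(lat, decimals), round(lon, decimals))


def local_hour(ts: str, lon: float) -> int:
    # Brokers store UTC; estimate the local hour from longitude (15 degrees
    # per hour). Ignores DST, which is good enough for a night/day split.
    utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return (utc.hour + round(lon / 15)) % 24


def is_night(hour: int) -> bool:
    return hour >= 22 or hour < 6


def infer_home(pings: list, min_night_pings: int = 3) -> dict:
    # Home = the cell where a device is seen most often at night. A device
    # with too few night pings gets None rather than a guess.
    night = defaultdict(Counter)
    seen = set()
    for adid, ts, lat, lon in pings:
        seen.add(adid)
        if is_night(local_hour(ts, lon)):
            night[adid][grid_cell(lat, lon)] += 1
    homes = {}
    for adid in seen:
        cell, count = night[adid].most_common(1)[0] if night[adid] else (None, 0)
        homes[adid] = cell if count >= min_night_pings else None
    return homes


def itinerary(pings: list, adid: str) -> list:
    # Collapse consecutive pings in the same cell into (first_seen, last_seen, cell).
    stops = []
    own = sorted([p for p in pings if p[0] == adid], key=lambda p: p[1])
    for _, ts, lat, lon in own:
        cell = grid_cell(lat, lon)
        if stops and stops[-1][2] == cell:
            stops[-1] = (stops[-1][0], ts, cell)
        else:
            stops.append((ts, ts, cell))
    return stops


if __name__ == '__main__':
    homes = infer_home(SAMPLE_PINGS)
    for adid in (ID_A, ID_B):
        print(adid, 'likely home cell:', homes[adid])
    for first, last, cell in itinerary(SAMPLE_PINGS, ID_A):
        print(first, 'to', last, 'at', cell)
```

<p>Run stand-alone, it prints the inferred home cell for each ID and the stop list for the first one. The second ID has only two daytime pings and gets no home guess: the minimum-evidence threshold is the check to keep when applying this to real data, because a single late ping at a hotel or a friend\u2019s flat is not a home. The same bucketing is why an advertising ID on its own is weak protection: the identifier is stable across apps on a device, so a few nights of pings give the address that open sources then turn into a name.<\/p>
<p>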
Relying solely on <span data-descr=\"open-source intelligence: information gathered from publicly available sources\" class=\"old_tooltip\">OSINT<\/span>, he learned a great deal about the person, including his mother\u2019s name and that his late father was a US Air Force veteran.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Example of deanonymization:<br \/>\u2014 Dec 29, 7:08 PM: Seen at Columbus Circle, NYC.<br \/>\u2014 Later: Returned home to a TN town with a registered locksmith business.<br \/>\u2014 Next day: Visited his mother, Carol. His father was a USAF vet and passed 3 years ago.<\/p>\n<p>Yes, you can be tracked. <a href=\"https:\/\/t.co\/MtViWTbpgf\">pic.twitter.com\/MtViWTbpgf<\/a><\/p>\n<p>\u2014 Baptiste Robert (@fs0c131y) <a href=\"https:\/\/twitter.com\/fs0c131y\/status\/1877128999240962290?ref_src=twsrc%5Etfw\">January 8, 2025<\/a><\/p><\/blockquote>\n<p>The Gravy Analytics leak illustrates the core risk of the data-broker industry: location histories keyed only to an advertising identifier can still be traced back to a named person.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Signal users were targeted via device linking<\/strong><\/h2>\n<p>Google\u2019s Threat Intelligence Group <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/russia-targeting-signal-messenger\/\">reported<\/a> that Russian hackers are actively attempting to compromise Signal accounts by abusing the device-linking feature. 
Victims are tricked into scanning a malicious QR code that links their Signal account to a device the attacker controls.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXf4GDMyN6imqX4ZHpnvzPZmX4pSNwvcAgxvz9IA4MMaEoE_wDuYD0tJDf1WhQv_OBoTB2rceYgZZubeljqkAxbzw7I-ChrO93Wn8FicVLOY9ZJKlyTV-FWuGXmD0uTNV5g5KRoCDQ?key=TgYRmi8dAtSAE6mUCk8qq09a\" alt=\"GPS deanonymisation, a chatbot fed with hacker chats, and other cybersecurity highlights\"\/><figcaption class=\"wp-element-caption\">Malicious QR code. Source: Google Threat Intelligence Group.<\/figcaption><\/figure>\n<p>In targeted attacks the malicious code or link is disguised as a Signal group invitation or as device-pairing instructions that mimic a legitimate website.<\/p>\n<p>The technique is dangerous because a linked device receives the victim\u2019s messages, so an attacker can read end-to-end-encrypted conversations without compromising the phone itself.<\/p>\n<p>Signal users are advised to update the app to the latest version, which includes improved protection against the phishing attacks identified by Google, and to review the list of linked devices in the app\u2019s settings, unlinking any device they do not recognise.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Researchers found new DPRK malware that tampers with crypto wallets<\/strong><\/h2>\n<p>North Korea\u2019s Lazarus hackers used a previously unknown JavaScript malware, Marstech1, in targeted attacks on blockchain developers, according to SecurityScorecard.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">
North Korea\u2019s <a href=\"https:\/\/twitter.com\/Lazarus?ref_src=twsrc%5Etfw\">@Lazarus<\/a> Group is Targeting Developers\u2014Again<br \/>The STRIKE team just uncovered Operation Marstech Mayhem\u2014a new malware campaign spreading through <a href=\"https:\/\/twitter.com\/github?ref_src=twsrc%5Etfw\">@GitHub<\/a> and NPM packages. Developers are unknowingly pulling infected repositories into their projects, putting\u2026 <a href=\"https:\/\/t.co\/1Cic14u1NP\">pic.twitter.com\/1Cic14u1NP<\/a><\/p>\n<p>\u2014 SecurityScorecard (@security_score) <a href=\"https:\/\/twitter.com\/security_score\/status\/1890086318199214458?ref_src=twsrc%5Etfw\">February 13, 2025<\/a><\/p><\/blockquote>\n<p>The malware is embedded in websites and in <span data-descr=\"the standard package manager for the Node.js JavaScript runtime\" class=\"old_tooltip\">npm<\/span> packages tied to various cryptocurrency projects. Once on a victim\u2019s machine it searches the profile directories of Chromium-based browsers for the MetaMask, Exodus and Atomic Wallet extensions and alters their settings. Because the implant runs with the developer\u2019s own privileges, a tampered wallet extension should be treated as a sign that the whole workstation is compromised, not just the extension.<\/p>\n<p>Marstech1 was first observed in 2024. At least 233 victims in the US, Europe and Asia have already been affected.<\/p>\n<p>Researchers traced the malware to a public GitHub repository created by the now-banned profile SuccessFriend.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Ukrainian hackers claim breach of CarMoney<\/strong><\/h2>\n<p>Hackers from the \u201cUkrainian Cyber Alliance\u201d <a href=\"https:\/\/t.me\/UCAgroup\/44\">said<\/a> they breached the infrastructure of the Russian microfinance firm CarMoney and accessed data on a large number of the organisation\u2019s borrowers. 
Among them, the hackers claim, are personnel of the <span data-descr=\"Main Directorate of the General Staff of the Armed Forces of the Russian Federation\" class=\"old_tooltip\">GRU<\/span>, the FSB and various military units.<\/p>\n<p>As proof, the group published, among other things, two loan applications in the names of service members Dmitry Solovyov and Maxim Vagin.<\/p>\n<p>The Telegram channel <a href=\"https:\/\/t.me\/agentstvonews\/9203\">\u201cAgency\u201d<\/a> examined the leaks and found information on people with matching names, dates and places of birth. However, the outlet could not independently verify the information presented by the hackers.<\/p>\n<p>CarMoney\u2019s press office <a href=\"https:\/\/vk.com\/wall-122101881_2802?ysclid=m7dek2b15b127805201\">said<\/a> on its VK page that \u201cone of the company\u2019s old websites\u201d was breached and that personal data of clients and investors was not affected. Nevertheless, \u201cto prevent consequences\u201d, specialists disabled all systems while monitoring was carried out.<\/p>\n<p>CarMoney was founded by Eduard Gurinovich, who <a href=\"https:\/\/u1f987.com\/en\/news\/gurinovich-addresses-connection-with-hamster-kombat\">calls<\/a> himself the exclusive partner of the game Hamster Kombat in Russia. Journalists, citing the outlet \u201cSobesednik\u201d, also noted that a stake in CarMoney belongs to Lyudmila, the former wife of President Vladimir Putin.<\/p>\n<h2 class=\"wp-block-heading\"><strong>On New Year\u2019s Eve Russians were hit by a large cryptominer infection<\/strong><\/h2>\n<p>Kaspersky researchers found that on December 31, 2024, cybercriminals launched a mass infection campaign, delivering the XMRig cryptominer via trojanised versions of popular games on torrent sites. 
Kaspersky named the campaign StaryDobry; it ran for about a month.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">New Year\u2019s Eve wasn\u2019t the only thing <a href=\"https:\/\/twitter.com\/hashtag\/StaryDobry?src=hash&#038;ref_src=twsrc%5Etfw\">#StaryDobry<\/a> crashed.<\/p>\n<p>On December 31, our experts discovered that cybercriminals had launched a mass infection campaign, hiding <a href=\"https:\/\/twitter.com\/hashtag\/XMRig?src=hash&#038;ref_src=twsrc%5Etfw\">#XMRig<\/a> cryptominers inside trojanized game torrents. With a multi-stage execution chain and stealthy evasion\u2026 <a href=\"https:\/\/t.co\/ZGdtKWD1Ni\">pic.twitter.com\/ZGdtKWD1Ni<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/1892886981715099859?ref_src=twsrc%5Etfw\">February 21, 2025<\/a><\/p><\/blockquote>\n<p>The malicious releases of BeamNG.drive, Garry\u2019s Mod, Dyson Sphere Program, Universe Sandbox and Plutocracy were prepared in advance and uploaded to torrent trackers around September 2024, months before the December 31 launch. Among the compromised installers were popular simulators and sandboxes requiring minimal disk space.<\/p>\n<p>After installation, the miner checked the number of CPU cores and would not run on machines with fewer than eight, a filter that skips low-powered hosts. 
The attackers also ran their own mining-pool server rather than using a public one, which makes tracing their proceeds harder.<\/p>\n<p>The campaign affected individuals and enterprises worldwide, including in Russia, Brazil, Germany, Belarus and Kazakhstan.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>The Bybit exchange lost $1.46bn in a breach.<\/li>\n<li>Pi Network\u2019s token price plunged 50% after a CEX listing.<\/li>\n<li>Grok named Elon Musk the chief disinformer.<\/li>\n<li>SafeMoon\u2019s CTO pleaded guilty to $200m crypto fraud.<\/li>\n<li>Russia set a date for banks to connect to a crypto-transaction analytics service.<\/li>\n<li>The SEC reshaped its crypto unit.<\/li>\n<li>BestChange was unblocked in Russia.<\/li>\n<li>A former employee of Bybit\u2019s payroll provider was sentenced for stealing $5.7m.<\/li>\n<li>zkLend will allocate $400,000 under a compensation plan for hack victims.<\/li>\n<li>Millions stolen from Phemex moved to new addresses.<\/li>\n<li>Sanctioned entities received $15.8bn via cryptocurrencies in 2024.<\/li>\n<li>macOS malware that swaps Bitcoin addresses improved its stealth.<\/li>\n<li>Russian authorities dropped claims against Vinnik.<\/li>\n<li>Researchers found a crypto-key stealer in a Steam game.<\/li>\n<li>Report: HTX sent more than 380,000 security notifications in January.<\/li>\n<li>Abstract users reported funds stolen via Cardex; the team later stated the loss amount.<\/li>\n<li>Four Norwegians were charged with $80m fraud.<\/li>\n<li>Binance\u2019s chief warned of a \u201cnew\u201d seed-phrase scam.<\/li>\n<li>Ethereum validators were urged to update the Geth client \u201cto avoid losses\u201d.<\/li>\n<li>Dave Portnoy bought a fake LIBRA for $170,000.<\/li>\n<li>In Russia, a Telegram-channel admin was detained for extorting bitcoins.<\/li>\n<li>Scammers launched a fake memecoin in the name of a Saudi prince.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read 
this weekend?<\/strong><\/h2>\n<p>We investigate who actually stands behind the series of \u201cpresidential\u201d memecoins.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the week\u2019s most important cybersecurity news. Researchers fed the leaked Black Basta chat logs to ChatGPT. A Gravy Analytics data leak enabled user deanonymisation. Ukrainian hackers claimed to have breached CarMoney. Leaked Black Basta chats were fed to ChatGPT On February 11 an unknown insider released an archive of the Black Basta [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21406,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-21407","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"91","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/21407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=21407"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/21407\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/21406"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=21407"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=21407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=21407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}