{"id":25118,"date":"2025-07-05T07:00:00","date_gmt":"2025-07-05T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/a-cartel-spy-a-dismantled-spanish-ring-and-other-cybersecurity-news\/"},"modified":"2025-07-05T07:00:00","modified_gmt":"2025-07-05T04:00:00","slug":"a-cartel-spy-a-dismantled-spanish-ring-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/a-cartel-spy-a-dismantled-spanish-ring-and-other-cybersecurity-news\/","title":{"rendered":"A cartel spy, a dismantled Spanish ring, and other cybersecurity news"},"content":{"rendered":"<p>We have gathered the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>A drug cartel hired a hacker to spy on the FBI.<\/li>\n<li>A Spanish ring stole more than \u20ac460m.<\/li>\n<li>Hackers broke into gamers\u2019 PCs via Call of Duty: WWII.<\/li>\n<li>An app for reporting the whereabouts of immigration agents went viral.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">A drug cartel hired a hacker to spy on the FBI<\/h2>\n<p>At the end of June, the US Department of Justice <a href=\"https:\/\/techcrunch.com\/2025\/06\/30\/mexican-drug-cartel-hacker-spied-on-fbi-officials-phone-to-track-and-kill-informants-report-says\/\">published a report<\/a> on the FBI\u2019s internal security.<\/p>\n<p>According to the document, in 2018 the Bureau was conducting an investigation that culminated in the arrest of Sinaloa syndicate boss Joaqu\u00edn \u201cEl Chapo\u201d Guzm\u00e1n. An individual linked to the cartel told the FBI the organisation had hired a hacker. The cybercriminal broke into electronic devices and mobile phones and monitored people visiting the US embassy in Mexico\u2019s capital. A key target was an FBI legal attach\u00e9 assistant working abroad.<\/p>\n<p>The hacker used the FBI employee\u2019s phone number to obtain call records and geolocation data. 
They also tapped into Mexico City\u2019s CCTV system to track the attach\u00e9\u2019s movements and identify the people he met.<\/p>\n<p>According to the source, the cartel used the information to intimidate and kill potential witnesses and informants.<\/p>\n<h2 class=\"wp-block-heading\">Spanish fraud ring stole over \u20ac460m<\/h2>\n<p>Spain\u2019s Civil Guard, together with Europol, <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide\">dismantled<\/a> a major fraud network that stole more than \u20ac460m from over 5,000 victims worldwide by pitching fake cryptocurrency investments.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXfidCY2pxQKdwhluypVnR5c-rNCak6NS_MR-ZnC4DnUbXNqwilCnefBKLLnXRGmYMOvgvwhbuF2lDvu7t0f69WieHk7PDQR6vFEQ2eOOdkpyF-JPKzgmJ4_6kSv5eBXwMgmSXXs?key=1B5_XYBhLSc8SiGyjqqAIA\" alt=\"\u0428\u043f\u0438\u043e\u043d \u0438\u0437 \u043d\u0430\u0440\u043a\u043e\u043a\u0430\u0440\u0442\u0435\u043b\u044f, \u0443\u043d\u0438\u0447\u0442\u043e\u0436\u0435\u043d\u0438\u0435 \u0438\u0441\u043f\u0430\u043d\u0441\u043a\u043e\u0439 \u0433\u0440\u0443\u043f\u043f\u0438\u0440\u043e\u0432\u043a\u0438 \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u043a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438\"\/><figcaption class=\"wp-element-caption\">A joint Europol operation. Source: <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide\">Europol<\/a>.<\/figcaption><\/figure>\n<p>On 25 June, officers arrested three suspects in the Canary Islands and two in Madrid. 
Europol had coordinated the probe since 2023 and deployed a cryptocurrency expert during the Spanish operation.<\/p>\n<p>Investigators say the organisers built a global fundraising scheme via bank transfers, crypto transactions and cash. They allegedly used payment gateways, accounts on crypto exchanges and a corporate structure linked to Hong Kong. The network worked with salespeople worldwide who lured victims onto bogus investment platforms.<\/p>\n<h2 class=\"wp-block-heading\">Hackers broke into gamers\u2019 PCs via Call of Duty: WWII<\/h2>\n<p>The launch of Call of Duty: WWII triggered mass compromises. On 3 July, two days after release, players <a href=\"https:\/\/t.me\/Russian_OSINT\/5760\">began reporting<\/a> attacks by an unknown hacker using <span data-descr=\"Remote Code Execution\" class=\"old_tooltip\">RCE<\/span>.<\/p>\n<p>Exploiting multiplayer vulnerabilities, the attacker <a href=\"https:\/\/x.com\/vxunderground\/status\/1940639088576811516\/photo\/1\">executes arbitrary commands<\/a> on gamers\u2019 machines during play and streams.<\/p>\n<p>Reported antics include forcibly opening Notepad, displaying \u201cundesirable content\u201d on screen and rebooting systems.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Surprised but not surprised it took such a short time for exploits to be found. Thank you for the heads up man. I will say it\u2019s not entirely surprising since it seems anyway that multiplayer is P2P connections and not dedicated servers. 
I could be wrong, but figured that since\u2026<\/p>\n<p>\u2014 Mike | KRNG Rxqe (@MikeRxqe) <a href=\"https:\/\/twitter.com\/MikeRxqe\/status\/1940458070984831396?ref_src=twsrc%5Etfw\">July 2, 2025<\/a><\/p><\/blockquote>\n<p>Gamer MikeRxqe believes the game\u2019s outdated P2P network model makes it far easier to obtain players\u2019 IP addresses. In such setups, users connect directly to each other and everyone learns everyone\u2019s IP.<\/p>\n<p>The attacker can then send specially crafted network packets straight to the victim. These masquerade as legitimate game data (movement, shots) but carry a malicious payload.<\/p>\n<p>On 2 July Activision performed \u201cshort-term technical maintenance\u201d on servers, but did not officially link it to the RCE flaw.<\/p>\n<h2 class=\"wp-block-heading\">App for locating immigration agents goes viral<\/h2>\n<p>ICEBlock, an iPhone app that lets users anonymously report sightings of US Immigration and Customs Enforcement (ICE) agents, <a href=\"https:\/\/techcrunch.com\/2025\/07\/01\/iceblock-an-app-for-anonymously-reporting-ice-sightings-goes-viral-overnight-after-bondi-criticism\/\">went viral<\/a> after comments by Attorney General Pam Bondi.<\/p>\n<p>Roughly 20,000 ICEBlock users are in Los Angeles, where ICE raids have been frequent in recent weeks. On 2 July, following Bondi\u2019s remarks the day before, the app entered the US free-download charts.<\/p>\n<p>Users can share the locations of ICE agents within roughly an 8 km radius. 
The app sends alerts when agents are reported nearby.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Police arrest two hackers who targeted senior officials and journalists<\/h2>\n<p>On 1 July, Spanish police <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/spain-arrests-hackers-who-targeted-politicians-and-journalists\/\">arrested<\/a> two people in Las Palmas province on suspicion of cybercrimes, including data theft from government bodies.<\/p>\n<p>Both suspects were described as \u201ca serious threat to national security.\u201d The investigation began after authorities detected a leak of personal data affecting politicians, central and regional government representatives, and media workers.<\/p>\n<p>The first suspect is believed to have specialised in data exfiltration, while the second handled the money: selling access to databases and accounts and controlling a cryptocurrency wallet for incoming funds.<\/p>\n<p>Both were detained. During searches, police seized numerous electronic devices that could point to new evidence, buyers or accomplices.<\/p>\n<h2 class=\"wp-block-heading\">Crypto-stealing malware learns to revive itself<\/h2>\n<p>North Korean hackers <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed\/\">are using<\/a> a new macOS malware family, NimDoor, aimed at cryptocurrency and Web3 organisations.<\/p>\n<p>The attack chain starts with outreach on Telegram and an attempt to persuade targets to install a fake Zoom update. Delivery runs via Calendly and email.<\/p>\n<p>In a <a href=\"https:\/\/www.sentinelone.com\/labs\/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware\/\">report<\/a> published on 2 July, SentinelOne said the attackers used binaries compiled in C++ and Nim to hit macOS\u2014a relatively rare choice.<\/p>\n<p>The most sophisticated element is the event-driven CoreKitAgent app. 
Notably, it uses persistence mechanisms that make it hard to terminate and remove cleanly.<\/p>\n<h2 class=\"wp-block-heading\">Bluetooth flaw lets hackers eavesdrop on device owners<\/h2>\n<p>At the <a href=\"https:\/\/troopers.de\/\">TROOPERS<\/a> security conference, ERNW researchers <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/bluetooth-flaws-could-let-hackers-spy-through-your-microphone\/\">disclosed<\/a> three vulnerabilities in Airoha system-on-chips (SoCs). They are widely used in speakers, headphones, headsets and wireless microphones across 29 devices.<\/p>\n<p>The Bluetooth chipset can be abused to eavesdrop and steal sensitive information. Devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs and Teufel are at risk.<\/p>\n<p>The security issues allow device takeover. On some smartphones, an attacker within Bluetooth range could extract call history and contact lists.<\/p>\n<p>Airoha has released an updated <span data-descr=\"software development kit\" class=\"old_tooltip\">SDK<\/span> with required mitigations, and manufacturers have begun developing and distributing patches.<\/p>\n<h2 class=\"wp-block-heading\">Contactless-payment attacks have risen 35-fold this year<\/h2>\n<p><a href=\"https:\/\/www.eset.com\/blog\/en\/home-topics-1\/cybersecurity-protection\/now-it-is-certain-nfc-data-for-contactless-payments-are-the-new-target-here-is-what-you-need-to-know\/\">ESET<\/a> reports that thefts via contactless payments continue to surge. 
In the first half of the year alone, NFC-based attacks worldwide increased 35-fold versus 2024.<\/p>\n<p>The scheme blends familiar techniques (social engineering, phishing, Android malware) with a tool called NFCGate, creating a new attack scenario.\u00a0<\/p>\n<p>The NGate malware relays NFC data between two devices remotely, including bank-card data, and bypasses protections by acting on the victim\u2019s behalf.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXepvNH8O8eimlix7Mu7t5dMJDd0-33tMXFJKeKLRX0-kgWsnBLjPTCaslbqU5GyMBuzzrY9a2gdT5KNBt_38SlW1eHs9iVYrMmC_sKz-V_GKFLlgxcBEMKvfKMpNHRDVPheUmvXjw?key=1B5_XYBhLSc8SiGyjqqAIA\" alt=\"\u0428\u043f\u0438\u043e\u043d \u0438\u0437 \u043d\u0430\u0440\u043a\u043e\u043a\u0430\u0440\u0442\u0435\u043b\u044f, \u0443\u043d\u0438\u0447\u0442\u043e\u0436\u0435\u043d\u0438\u0435 \u0438\u0441\u043f\u0430\u043d\u0441\u043a\u043e\u0439 \u0433\u0440\u0443\u043f\u043f\u0438\u0440\u043e\u0432\u043a\u0438 \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u043a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438\"\/><figcaption class=\"wp-element-caption\">Geographic spread of NFC-related Android malware and fraud in H1 2025. Source: <a href=\"https:\/\/www.eset.com\/blog\/en\/home-topics-1\/cybersecurity-protection\/now-it-is-certain-nfc-data-for-contactless-payments-are-the-new-target-here-is-what-you-need-to-know\/\">ESET<\/a>.<\/figcaption><\/figure>\n<p>According to ESET, a fifth of all installed NGate malware worldwide is in Russia. Scammers trick victims into installing it under the guise of a government or banking app and steal funds. 
In early 2025, <a href=\"https:\/\/www.comnews.ru\/content\/238445\/2025-03-25\/2025-w13\/1008\/moshennik-i-vorota-novaya-skhema-nfcgate-nabrala-populyarnost\">losses reached<\/a> 40 million rubles.<\/p>\n<h2 class=\"wp-block-heading\">Over 40 Firefox extensions found stealing private keys<\/h2>\n<p>The extensions are <a href=\"https:\/\/blog.koi.security\/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486\">visually indistinguishable<\/a> from the real thing and carry swathes of fake reviews and ratings to build trust.\u00a0<\/p>\n<p>More than 40 rogue Firefox add-ons are designed to steal crypto-wallet data. They impersonate popular platforms including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet and Filfox.<\/p>\n<p>Once installed, the software quietly exfiltrates data, putting users\u2019 assets at risk. During initialisation, attackers also send the victim\u2019s external IP address, presumably for tracking or targeted attacks.<\/p>\n<p>The campaign has been active since at least April 2025. 
New malicious extensions were uploaded to the Firefox catalogue as late as the end of June.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>An engineer from India <a href=\"https:\/\/u1f987.com\/en\/news\/indian-engineer-laundered-drug-proceeds-using-monero\">laundered drug-trafficking proceeds<\/a> via Monero.<\/li>\n<li>A ransom negotiator was <a href=\"https:\/\/u1f987.com\/en\/news\/ransom-negotiator-suspected-of-colluding-with-hackers\">suspected of colluding<\/a> with hackers.<\/li>\n<li>The US <a href=\"https:\/\/u1f987.com\/en\/news\/us-sanctions-imposed-on-bulletproof-hosting-provider\">sanctioned<\/a> a bulletproof hosting provider.<\/li>\n<li>A US crypto startup <a href=\"https:\/\/u1f987.com\/en\/news\/us-crypto-startup-loses-900000-due-to-north-korean-infiltration\">lost<\/a> $900,000 because of North Koreans on its team.<\/li>\n<li>The Resupply protocol will <a href=\"https:\/\/u1f987.com\/en\/news\/resupply-protocol-to-burn-6-million-reusd-following-hack\">burn<\/a> 6m reUSD after a hack.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>The latest FLMonthly digest answers pressing cybersecurity questions in an interview with Shard\u2019s director of investigations, Grigory Osipov.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have gathered the week\u2019s most important cybersecurity news. A drug cartel hired a hacker to spy on the FBI. A Spanish ring stole more than \u20ac460m. Hackers broke into gamers\u2019 PCs via Call of Duty: WWII. An app for reporting the whereabouts of immigration agents went viral. 
A drug cartel hired a hacker to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-25118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"29","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=25118"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25118\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/25117"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=25118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=25118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=25118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}