Point of View
OUR TAKE ON TRENDING STORIES
Hackers, Hit Lists & Comebacks: The Internet’s Favourite Crime Forum Refuses to Die.
Just when you thought the cyber underworld might take a breather, it instead reached for the espresso and doubled down.
ShinyHunters Declares Open Season
In last week’s episode of “Threat Actors Behaving Badly”, ShinyHunters made it abundantly clear: BreachForums clones were on borrowed time. No vague threats. No cryptic riddles. Just a clean, direct warning: “We will begin taking targeted action… You know who you are.”
Nothing says “good morning” like a personalised cyber death sentence. And, as promised, the follow-through arrived promptly. One clone admin was unmasked (never a great career milestone), and more importantly, the BreachForums Version 5 user database was leaked into the wild.
Now it’s being hoovered up by everyone with a vested interest: law enforcement, rival threat actors, and security researchers. Think of it as the internet’s least exclusive VIP list.
Fear Factor: 10/10. The reaction? Immediate.
Several well-known figures behind BreachForums clones quietly packed up shop and disappeared faster than unsecured S3 buckets after a headline breach. For a brief moment, it looked like ShinyHunters had achieved something governments have been trying to do for years: scare cybercriminals into early retirement.
Imagine being more feared than global law enforcement. That’s not influence… that’s branding.
Plot Twist: The Forum Strikes Back
But before anyone could celebrate too loudly, the inevitable happened. BreachForums is back. Again. Because of course it is.
The “new” iteration wasted no time setting the tone: “Not an exit scam… treat this as the real BreachForums… use new identities and improve OPSEC.”
A clean slate, apparently. Nothing says “fresh start” like politely reminding users not to reuse the same identity that just got leaked. It’s less phoenix-from-the-ashes, more hydra-with-a-hosting-plan.
Meanwhile, In the Real World…
While cybercriminals were busy rebranding, the Director of the FBI, Kash Patel, had a rather inconvenient week: his personal email was compromised. Allegedly by Iranian-backed actors. Not ideal.
The response? Swift, decisive, and very American: Within five hours, the U.S. government dropped a $10 million bounty for information on anyone conducting state-sponsored cyber attacks.
That’s not just escalation. That’s turning cyber attribution into a high-stakes game show. “Hack the US, win a prize, or have one put on your head.”
And Now… Surveillance, But Make It Stylish
As if things weren’t already lively, NVIDIA decided to enter the chat with a new always-on, low-power facial recognition chip. Designed for consumer devices. Laptops, drones, robotics. You know, the usual. Naturally, this has triggered mild concern, and by “mild,” we mean the entire team collectively reaching for metaphorical tinfoil hats.
CEO Jensen Huang has already been vocal about supporting defence initiatives, and with NVIDIA partnering up with Palantir (yes, that Palantir), the vibes are… let’s say strategically ominous.
We’re not saying it’s Skynet. We’re just saying Skynet would probably start like this.
This month wasn’t just chaotic, it was revealing.
• Cybercriminal ecosystems remain fragile, but far from defeated
• Reputation now carries more weight than infrastructure
• Nation-state tensions are bleeding further into public cyber discourse
• And big tech continues to blur the line between convenience and surveillance
In short: the internet remains undefeated in its ability to escalate everything, everywhere, all at once. Stay tuned. It’s only getting louder.
Sources
• Statements attributed to ShinyHunters
• BreachForums activity and database leak reporting
• U.S. Rewards for Justice announcement (X)
• Public reporting on FBI Director email compromise
• NVIDIA product announcements and partnerships with Palantir
Garlic Gone Wild: How 700,000 Bots Tried to Hijack the Anonymous Internet
If there was an award for “Most Chaotic Entrance of the Month,” Kimwolf would already be clearing shelf space.
The headline act? A botnet, allegedly powered by around 1.4 million compromised IoT devices, because apparently your smart toaster yearns for cybercrime, decided it would take a little stroll into the I2P network. And by “a little stroll,” we mean it tried to shove roughly 700,000 hostile nodes through the door at once.
Subtlety was not invited.
First, A Quick Refresher
I2P, for the uninitiated, is anonymity infrastructure with a slightly different flavour to Tor. Tor is your classic onion routing setup: layered encryption, peel it back one relay at a time.
I2P? It prefers garlic routing. Multiple encrypted messages bundled together into one transmission. Efficient. Discreet. Mediterranean, almost.
It also separates inbound and outbound tunnels, making traffic analysis considerably trickier. Clever architecture. Early-2000s vintage. Niche, but purposeful. Typically running at around 15,000 active nodes, not sprawling, but sturdy.
Until 3rd February.
When 15,000 Meets 700,000
Kimwolf’s operators were already feeling the heat. Security researchers had reportedly taken aim at around 500 of their core command-and-control servers, and that tends to ruin anyone’s week. So the alleged strategy? Strengthen and obfuscate the botnet by leveraging I2P’s anonymity. Blend in. Disappear into the encrypted garlic mist.
Instead, they stampede-charged the network with 700,000 malicious nodes.
The result? Less “stealth infiltration.” More “elephant in a porcelain factory.”
The sudden flood completely swamped I2P’s routing capacity. Legitimate routers froze. Connections buckled. The protocol choked under the weight. In trying to hide inside the network, they effectively body-slammed it.
Cyber subtlety, this was not.
A Self-Inflicted Sybil
Shortly after, the operators reportedly admitted on Discord that they had accidentally triggered a Sybil attack, the technical term for flooding a decentralised network with fake nodes until the real ones can’t function properly. In short: they tried to make themselves harder to track and instead DoS’d the very anonymity layer they were hoping to weaponise.
It’s the digital equivalent of hiding in a crowd by driving a tank into it.
For added context, this is the same botnet ecosystem believed to have powered one of last year’s largest DDoS attacks, peaking at 31.4 terabits per second. This is not small-time mischief. This is industrial-grade disruption.
And yet, even industrial-scale botnets can trip over their own ambition.
The Counterpunch
To I2P’s credit, the development team moved quickly. Within days, updates were released featuring:
* Post-quantum encryption enhancements
* Sybil attack mitigations
* Stability improvements for saturated routing environments
The network remains operational, though not yet fully restored to its pre-incident scale and stability. Recovery in decentralised ecosystems is more marathon than sprint.
But there’s a quiet irony here.
An anonymity network designed to resist surveillance was stress-tested not by regulators or law enforcement, but by criminals overplaying their hand.
The Bigger Picture
This wasn’t just a botnet mishap. It was a live-fire demonstration of how fragile decentralised systems can become when weaponised at scale. It also highlights a recurring truth in cyber operations: scale amplifies power, but it also amplifies mistakes.
Kimwolf tried to disappear into the shadows. Instead, it turned on the floodlights.
Sometimes the garlic bites back.
January wasted no time reminding everyone that the internet never forgets, and karma has a calendar.
We’ll start with Empire Market, one of the largest dark web marketplaces of its era. Operating between 2018 and 2020, Empire processed over four million transactions and became a fan favorite in underground circles. It offered the usual greatest hits: cannabis, cocaine, stolen credit cards, counterfeit goods, and malware, all wrapped in a slick interface that made avoiding street deals feel almost… convenient.
Then, in 2020, Empire did what so many before it had done: exit scammed its users for an estimated $30 million in crypto and vanished into the night. Or so they thought.
Fast-forward to today, and reality has finally caught up. Raheim Hamilton, the market’s co-creator, has entered a plea deal and is set to be sentenced on June 17 in the Northern District of Illinois. There’s a mandatory minimum of ten years in federal prison, proving once again that while crypto transactions are fast, consequences can take their sweet time.
Next up: BreachForums, or more accurately, the ongoing BreachForums reboot disaster.
At this point, there have been so many failed resurrection attempts that calling it “a comeback” feels generous. Currently, there are two competing versions of BreachForums operating simultaneously on the dark web. In true crime-forum fashion, they absolutely hate each other. Let’s call them BF1 and BF2.
BF1’s admins managed to leak BF2’s private Telegram staff chats, posting them to Doxbin alongside a full dox of BF2’s admin, including name, religion, education, and approximate location. Because why stop at screenshots when you can go full scorched earth? Not to be outdone, BF2’s admin allegedly obtained the personal phone numbers of BF1’s admins and possibly staff, and reportedly started calling one of their mothers. Yes. Someone’s mum.
Law enforcement, meanwhile, is likely watching this unfold like it’s a Netflix limited series. This kind of infighting doesn’t just destroy forums, it creates beautifully detailed evidence trails that future arrest warrants are built on.
And finally, January ended with a reminder that crypto crime consequences vary wildly depending on jurisdiction.
The Chinese government executed 11 members of the Ming crime family for operating a massive crypto scam empire out of Myanmar. The operation employed more than 10,000 people, running large-scale “pig butchering” scams, long-term romance frauds designed to drain victims emotionally and financially.
Employees who tried to leave were reportedly beaten or killed. The operation collapsed in 2023 when members of the crime family were captured in Myanmar and handed over to China by ethnic militias. The verdict? Swift. Final. Unambiguous.
So, January in summary:
- Exit scammers finally got exit scammed by reality
- Dark web forums turned into soap operas
- And one government made it very clear where it stands on crypto fraud
New year. Same internet.
This month's cyber spotlight, vulnerability chat & privacy headlines.
Breach, Bots & Deepfake Drama
https://breachaware.com/research/breach-bots-and-deepfake-drama
A total of 9 breach events were found and analysed resulting in 1,860,834 exposed accounts containing a total of 21 different data types of personal datum. The breaches found publicly and freely available included 1M+ Valid USA Forex 1 Million, Aternos [2], Costco - Taiwan, Do Big GPT and Alain Afflelou.
Encrypted Mayhem, Mega Leaks & AI Under Fire.
https://breachaware.com/research/encrypted-mayhem-mega-leaks-and-ai-under-fire
A total of 24 breach events were found and analysed resulting in 14,347,979 exposed accounts containing a total of 32 different data types of personal datum. The breaches found publicly and freely available included Instagram, Thermomix, Air Miles España Loyalty Program - Travel Club, Giglio and Qantas [Sample Data].
One Breach to Rule Them All: Why No Organisation Is Ever “Unaffected”
https://breachaware.com/research/one-breach-to-rule-them-all-why-no-organisation-is-ever-unaffected
A total of 19 breach events were found and analysed resulting in 52,354,695 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included ULP Alien Txt File - Episode 31, ULP 0038, ULP 0039, Stealer Log 0550 and WebDo.
If you thought the month was going to be quiet, you clearly underestimated the internet’s ability to resurrect decade-old controversies and annoy law enforcement in entirely new ways.
Let’s start with a true crypto classic: Silk Road.
Yes, that Silk Road, the Tor-based marketplace launched in 2011 by Ross Ulbricht, shut down by the FBI in 2013, and followed by a legal saga so extreme it still makes civil libertarians wince. Ross was handed two life sentences without parole at the age of 26, aided by a deeply questionable murder-for-hire narrative that continues to raise eyebrows to this day.
Fast forward through a decade-long “Free Ross” campaign, a Trump pardon last year, and suddenly we’re asking the question law enforcement hoped would never resurface: Did they actually find all the Bitcoin?
According to Coinbase director Conor Grogan, roughly 430 BTC, currently worth about £27 million, remains linked to dormant Silk Road wallets that Ross may still control. These wallets had been sitting quietly, minding their own business, until December 10th, when 176 transactions fired off in under four hours. Casual.
Ross, speaking from prison, has previously promised he’d never break the law again if released. Which is great. Unfortunately for the authorities, Bitcoin moving ≠ laws being broken, just nerves being shattered. One imagines the feds aren’t thrilled watching digital money they’d very much like to confiscate suddenly start stretching its legs. If that Bitcoin gets laundered properly, it’ll be about as traceable as their original crypto expertise circa 2013.
Speaking of law enforcement frustration, let’s talk GrapheneOS.
This privacy-focused operating system, running exclusively on Google Pixel phones, is estimated to be used by 250,000 to 400,000 people worldwide. The number is fuzzy because, and brace yourself, it doesn’t collect telemetry or usage data. Imagine building tech that doesn’t spy on its users. Radical.
Sure, that’s tiny compared to the billions glued to Android and iOS, but GrapheneOS has carved out a loyal following among privacy advocates and cybersecurity professionals. Unfortunately, it’s also carved out a migraine for law enforcement.
Their favourite digital forensics toy, Cellebrite, can’t crack these devices. Tragic. As a result, agencies across Europe and the US have begun profiling Pixel users, suggesting that criminals must obviously be choosing secure phones on purpose. Because heaven forbid regular people want privacy too.
Earlier this month, things escalated. GrapheneOS announced it was shutting down all operations in France, citing outrageously false and unsubstantiated claims made by French law enforcement, claims that were then happily laundered through state and corporate media as fact. The project says it was never given the opportunity to respond.
So, to recap:
- Old Bitcoin is waking up
- Privacy tech is doing its job
- Law enforcement is… not coping well
Honestly, if this is the future, it’s going to be a very entertaining one.
Smarter Protection Starts with Awareness
Data Breach Scan, Check Any Domain for Free https://breachaware.com/scan
This month's cyber spotlight, vulnerability chat & privacy headlines.
Dark Web Admin Exposed, Trident Ransomware Strikes & Airbus Issues Critical Patch.
https://breachaware.com/research/dark-web-admin-exposed-trident-ransomware-strikes-and-airbus-issues-critical-patch
A total of 34 breach events were found and analysed resulting in 6,558,157 exposed accounts containing a total of 39 different data types of personal datum. The breaches found publicly and freely available included ULP 0037, Stealer Log 0549, Stealer Log 0548, Ekonika and 123 Casting.
Dark Web Busts, CLOP Hits Ivy League & Global Exploits Erupt.
https://breachaware.com/research/dark-web-busts-cl0p-hits-ivy-league-and-global-exploits-erupt
A total of 7 breach events were found and analysed resulting in 342,933 exposed accounts containing a total of 19 different data types of personal datum. The breaches found publicly and freely available included Queen Mary University of London, France Casse, Artists and Clients, Refer Life and e-Retail.
Ransomware Slumps, RaidForums Relaunches & VAS Crackdown Success.
https://breachaware.com/research/ransomware-slumps-raidforums-relaunches-and-vas-crackdown-success
A total of 17 breach events were found and analysed resulting in 2,686,286 exposed accounts containing a total of 30 different data types of personal datum. The breaches found publicly and freely available included France Travail, Miljodata, Corporate Mails Dump, 1 Million Pholoniex Email List [Sample] and Emirates Philatelic Association - EPA.
Forums Get Doxed, RaidForums Speedruns Death & Microsoft Blinks.
https://breachaware.com/research/forums-get-doxed-raidforums-speedruns-death-and-microsoft-blinks
A total of 12 breach events were found and analysed resulting in 6,036,789 exposed accounts containing a total of 54 different data types of personal datum. The breaches found publicly and freely available included ULP Alien Txt File - Episode 29, Venezuela Citizen Databases, Turing, Webové Stránky and WithPropel.
ATOs Explode, Insider Betrays CrowdStrike & FBI Looms Over Carding Empire.
Account Takeover scams are booming, which is great news for nobody except threat actors and whatever dodgy Telegram groups they hang out in.
The FBI announced last week that ATOs have skyrocketed this year, with criminals pocketing a casual $262 million since January. Victims have filed 5,100+ complaints, which is honestly impressive given that most people don’t even bother reporting crime unless it interrupts their favourite video streaming app.
Threat actors are now going full chef’s kiss with their phishing emails, sliding into online banking and payroll systems like they’re speed-running a tutorial. They’re also abusing SEO, which is deeply offensive: Google rankings used to be for small businesses, influencers, and pyramid schemes… not cybercriminals trying to steal your 2FA codes.
The FBI is once again shouting into the void about using MFA and stronger passwords. Which, let’s be honest, means half of the world will continue using Password123 until the heat death of the universe.
In the category of “world’s worst criminals,” we have the insider at CrowdStrike who sold out access to one of the biggest cybersecurity companies in the world… for $25,000.
Yes.
Twenty. Five. Thousand. Dollars.
Before tax.
The threat actor collective Scattered Lapsus$ Hunters, or ShinyHunters, or whatever their rotating name of the week is, claims they paid the insider for screenshots of internal systems. They even got SSO authentication cookies… but by that point, the insider had already been caught, booted, and presumably escorted out of the building with the world’s most awkward cardboard box.
CrowdStrike fired him immediately (obviously), notified the relevant agencies, and is now probably installing retina scanners in the bathrooms. Moral of the story: If you’re going to betray a Fortune 500 cybersecurity company, maybe charge more than the price of a used Honda.
A cyber intelligence watchdog has noticed something very interesting happening on a well-known carding site, the kind that sells stolen credit cards, bank credentials, and probably your grandmother’s debit PIN.
The DNS records appear to have been touched by… the FBI. Which means one of two things:
1. A major FBI takedown is incoming,
2. Or the carding site admins have finally messed up so badly that even their DNS got stage-fright.
If the feds have seized control, this would be a devastating blow for the carding underground, and a massive win for law enforcement. It’s basically the cybercrime equivalent of waking up to find out your favourite illegal marketplace now redirects to a big, angry FBI splash page.
We’ll keep an eye on this one. It’s either a takedown, a sting, or a spectacularly funny misconfiguration.
This month's cyber spotlight, vulnerability chat & privacy headlines.
Malware Makers Arrested, Fake CAPTCHAs Get Thirsty, and Teen Ransomware Falls Apart Instantly.
https://breachaware.com/research/malware-makers-arrested-fake-captchas-get-thirsty-and-teen-ransomware-falls-apart-instantly
A total of 21 breach events were found and analysed resulting in 12,901,859 exposed accounts containing a total of 28 different data types of personal datum. The breaches found publicly and freely available included ULP 0035, MyVidster, TurkNet, César Vallejo University and Wbia.
DeFi Drained, Rogue AI Unleashed, and Ransomware “Good Guys” Turned Villains.
https://breachaware.com/research/defi-drained-rogue-ai-unleashed-and-ransomware-good-guys-turned-villains
A total of 35 breach events were found and analysed resulting in 20,016,481 exposed accounts containing a total of 31 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 27, MYM, 100 Million ULP, ULP 0036 and Stealer Log 0546.
Crypto Scammer Dismembered, FBI Director Doxxed & Cybercrime Forums Crushed.
https://breachaware.com/research/crypto-scammer-dismembered-fbi-director-doxxed-and-cybercrime-forums-crushed
A total of 18 breach events were found and analysed resulting in 4,940,527 exposed accounts containing a total of 30 different data types of personal datum. The breaches found publicly and freely available included ULP Alien Txt File - Episode 28, Stealer Log 0547, joom-dmps, Crypto Email Database 2025 and TISZA Világ.
Shiny Hunters Level Up, Crypto Thugs Jailed & Cloudflare Shakes the Internet.
https://breachaware.com/research/shiny-hunters-level-up-crypto-thugs-jailed-and-cloudflare-shakes-the-internet
A total of 10 breach events were found and analysed resulting in 380,308 exposed accounts containing a total of 23 different data types of personal datum. The breaches found publicly and freely available included Millicom.com, L’ Assurance Retraite, Conasems (Conselho Nacional de Secretarias Municipais de Saúde), Secretariat of Public Education (SEP) - Mexico and Nemopro.
Cybercrime’s Existential Crisis: Forums Crumble, Botnets Flex, and Skimmers Go Retro.
The vibes in the cybercrime community right now?
Tense. Awkward. Like someone turned on the big lights at the end of a rave.
Just a couple of years ago, underground forums were basically digital speakeasies, a cosy little criminal Starbucks where everyone knew your alias, nobody asked questions, and “OPSEC” was something you pretended to have. But now? The mood has shifted. The walls feel closer. The sheriffs are definitely in town.
In last week’s Insight, we joked about how the latest BreachForums clone probably had the shelf life of a ripe avocado. Well. Turns out the avocado is already brown.
The forum didn’t get seized, oh no, that would be too straightforward. It’s been… listed for sale. Like a slightly haunted Airbnb. Meanwhile, other forums are getting yeeted off domain providers faster than you can say DMCA who?
Constant migrations, domain hopping, “We moved again guys, update your bookmarks”… At this point, threat actors need a loyalty punch card: 10 domain suspensions = 1 free onion mirror.
And in the middle of this, Shiny Hunters recently announced: “The era of forums is over.”
Which is either:
1. Deep philosophical cyberpunk foreshadowing
2. Or someone got really emotional after their domain registrar sent them a mean email
Meanwhile, in Baltimore... The U.S. Secret Service has been busy doing the cyber equivalent of spring cleaning. They pulled 22 card skimmers out of POS terminals across the city after inspecting 3,000+ of them.
Which is both:
- Productive
- And a sign that criminals are once again relying on the “classic hits” like vinyl, but for fraud.
Honestly, someone out there is running a skimmer operation like it’s still 2011 and the Dubstep is about to drop.
And Then There’s the Aisuru Botnet, Feeling Very Proud of Itself.
Aisuru briefly overtook almost every site on the internet to become Cloudflare’s most globally accessed domain, second only to Google for a bit.
Yes. A botnet. Almost beat Google.
Somewhere, a threat actor is pouring champagne into a gaming chair cupholder saying, “Mama, I made it.”
Aisuru was behind a 20 terabits-per-second DDoS attack this month. Which is… well… that’s not “someone’s mad their Minecraft server is down.” That’s “we want the internet to have a panic attack.”
The botnet is built mostly from infected consumer routers and CCTV DVR/NVR units, because apparently people will lock their front doors but leave their camera systems online with admin / admin.
They publicly claim they won’t attack governments or intelligence agencies. Which, realistically, usually means: they are the government or intelligence agencies. At least part-time. With dental.
Either way, they are absolutely thrilled to be trending. Finally, a dark web group that doesn’t have to pretend they're humble.
In Summary
- Cybercrime forums are now playing musical chairs with domain registrars
- Shiny Hunters has declared the forum era “over” (again, possibly mid-tantrum)
- The Secret Service is doing cardio in Baltimore
- And a botnet just became more popular than Netflix for a day
Honestly, if the internet had a sitcom, this would be the episode where everyone needs a group therapist.
This month's cyber spotlight, vulnerability chat & privacy headlines.
Bitcoin Queen Falls, Discord Breached, and the Air Force Fumbles Data.
https://breachaware.com/research/bitcoin-queen-falls-discord-breached-and-the-air-force-fumbles-data
A total of 15 breach events were found and analysed resulting in 7,314,425 exposed accounts containing a total of 40 different data types of personal datum. The breaches found publicly and freely available included Duna TV, ULP 0033, Stealer Log 0542, Tries Digital Indonesia and Crypto Emails 500k.
Discord Bribery Scandal, BreachForums Seized (Again) & Korea’s Cloud Meltdown.
https://breachaware.com/research/discord-bribery-scandal-breachforums-seized-again-and-koreas-cloud-meltdown
A total of 27 breach events were found and analysed resulting in 10,915,864 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 25, Cherry Digital, FOAT, Stealer Log 0543 and Stealer Log 0544.
Europol Cracks SIMCARTEL, Monopoly Market Collapses & Shiny Hunters Implode.
https://breachaware.com/research/europol-cracks-simcartel-monopoly-market-collapses-and-shiny-hunters-implode
A total of 28 breach events were found and analysed resulting in 7,895,154 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 26, Detsky Mir Group, VC Telecoms, ULP 0034 and Ambab Infotech.
Smart Beds Crash, Linux Under Siege & BreachForums Rises Again.
https://breachaware.com/research/smart-beds-crash-linux-under-siege-and-breachforums-rises-again
A total of 20 breach events were found and analysed resulting in 5,484,019 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included VX Case, crypto.com, Stealer Log 0545, 1.5 Million Israeli Settlers and Absolut Info Systems.
First up: X, formerly known as Twitter (but let’s be honest, still Twitter).
Rumour has it they’ve had a little “security incident.” A cyber gang allegedly slid into VX-Underground’s DMs with screenshots of an Okta account belonging to an X employee. The internet promptly split into two camps:
- Camp A: “Holy hell, they popped Twitter again!”
- Camp B: “That’s just Photoshop with a Red Bull problem.”
Was it a breach? Was it an AI-generated fever dream? Nobody knows. But one thing’s certain: if it was real, Elon is probably already drafting a tweet blaming the woke mind virus. Time will tell.
Then we have the BBC ransomware almost-caper. This one reads like a rejected Black Mirror script. The Medusa ransomware gang tried to recruit a BBC insider, except instead of targeting someone with actual admin access, they messaged… a cybersecurity reporter. Yes, a guy who literally writes articles about ransomware. Smooth, lads.
The reporter, being a journalist (and therefore contractually obligated to stay curious), played along. Medusa dangled 0.5 BTC as a down payment and promised him 15–25% of whatever ransom they squeezed out of Auntie Beeb. “You’ll never have to work again,” they bragged.
Cute pitch. Only slight snag: laundering millions in crypto isn’t exactly as easy as cashing in your Tesco Clubcard points. And their follow-up move? Spamming the poor reporter with MFA requests in an attempt to “test something.” I mean… come on. You can’t make this stuff up. In the end, the Beeb yanked the journo’s access, Medusa went back to the drawing board, and the reporter walked away with one hell of a story.
Meanwhile, in Manchester: VAAS (Violence-as-a-Service) reared its very ugly head. Yes, you read that right, violence is now available as a subscription model. Forget “Ransomware-as-a-Service.” We’re in the age of Uber with brass knuckles.
Case in point: thugs broke into the home of an elderly woman in her 80s, beat her up, and trashed her house, all because they were looking for someone else entirely. Horrific. And all because someone, somewhere, paid for a beatdown via the dark web’s new gig economy.
Now here’s the kicker: the actual target in this case was allegedly involved in producing CSAM and zoophilia content (yes, the worst of the worst). So, was the attack “justice” or just straight-up reckless brutality? Doesn’t matter. The granny should never have been caught in the crossfire. If VAAS really wants to market itself as the cyber underworld’s new ethical enforcement service, maybe step one should be: “don’t assault pensioners.” Just saying.
So, to recap the chaos:
- Twitter might have been breached… or maybe someone just had too much fun with MidJourney.
- A ransomware gang tried to bribe a journalist, proving that even criminals can’t be bothered to do proper LinkedIn recon.
- And VAAS reminded us that the dark web’s version of Deliveroo is just as messy and morally bankrupt as you’d expect.
Honestly, the underground economy keeps finding new ways to make late-stage capitalism look boring.
This month's cyber spotlight, vulnerability chat & privacy headlines.
Hackers Pay for Tattoos, Cloudflare Mocked, and Ransomware Cartel Dreams.
https://breachaware.com/research/hackers-pay-for-tattoos-cloudflare-mocked-and-ransomware-cartel-dreams
A total of 26 breach events were found and analysed resulting in 21,504,511 exposed accounts containing a total of 27 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 22, Skyeng, LinkedIn [sample data], QQ Mail and Allianz Life.
Leaked LLM Chats, PomPompurin Sentenced, and LAPSUS$ Bows Out.
https://breachaware.com/research/leaked-llm-chats-pompompurin-sentenced-and-lapsuss-bows-out
A total of 22 breach events were found and analysed resulting in 10,974,592 exposed accounts containing a total of 31 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 23, Slate and Tell, WoW Health, My Conan and Humanists Community in Silicon Valley (HCSV).
ShinyHunters’ Fake Retirement, Baphomet Returns, and New Mega-Flaws.
https://breachaware.com/research/shinyhunters-fake-retirement-baphomet-returns-and-new-mega-flaws
A total of 35 breach events were found and analysed resulting in 14,577,201 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 24, ULP 0032, Stealer Log 0541, Yellowpages Directory and College Dekho.
Violence-as-a-Service Emerges, ShinyHunters Escalate, and New Mega-Flaws.
https://breachaware.com/research/violence-as-a-service-emerges-shinyhunters-escalate-and-new-mega-flaws
A total of 9 breach events were found and analysed resulting in 5,897,816 exposed accounts containing a total of 21 different data types of personal datum. The breaches found publicly and freely available included Bouygues Telecom, American Income Life, Wagner Technical Services, Coinbase (sample data) [2] and Chinese Adult Forum.