Crypto Kidnappings, DragonForce Ransomware, and Global Privacy Shakeups.
02 June 2025
A total of 22 breach events were found and analysed, resulting in 6,199,513 exposed accounts containing a total of 39 different data types of personal data. The breaches found publicly and freely available included ULP Alien TxT File - Episode 15, ULP 0022, Stealer Log 0529, Stealer Log 0530 and National Centre for Disaster Risk Assessment, Prevention, and Reduction - Peru. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Contact, Digital Behaviour, Finance, Technology, Geolocation, Sociodemographic, Academic, Career, Relationships, Commerce, National Identifiers, Communication Logs, Unstructured.
Data Breach Analysis
ULP files, shorthand for URL, Login, Password, serve as aggregated lists of credentials harvested from infostealer malware, such as RedLine or Raccoon Stealer. These logs are often dumped en masse and sold or shared across forums and dark web channels. In this case, their appearance in the public domain dramatically increases the risk of mass exploitation, from credential stuffing to financial fraud and unauthorised system access.
The presence of Stealer Logs 0529 and 0530 suggests recent harvesting activity and further demonstrates the active circulation of infostealer data. For individuals and businesses alike, the exposure of these credentials can lead to downstream compromises across connected platforms, particularly where password reuse is common.
Of particular concern in this batch is the breach affecting Peru’s National Centre for Disaster Risk Assessment, Prevention, and Reduction. The leak of data from a government agency responsible for national emergency planning could have serious implications, not only for the individuals involved but also for public infrastructure, operational continuity, and national security readiness.
This round of breaches reinforces the urgent need for vigilance around stolen credential circulation, particularly ULP and stealer log datasets. Organisations should accelerate efforts in credential hygiene enforcement, multi-factor authentication, and staff awareness training. Individuals, meanwhile, should assume that previously stored credentials may be compromised and take proactive steps, such as using password managers, rotating passwords, and enabling 2FA across all critical services.
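For defenders who receive a ULP dataset through a breach-notification or monitoring service, the triage step implied above can look like the following. This is an added example, not code from the original page; it assumes the common colon-delimited `url:login:password` layout, uses `example.org` as a placeholder organisation domain, and the function names and sample lines are constructed for illustration.

```python
import re

# Assumed layout: "url:login:password"; scheme and port optional, passwords may contain ":".
ULP_LINE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"            # optional scheme
    r"(?P<host>[^:/\s@]+)(?::\d+(?=[/:]))?"  # host and optional port
    r"(?:/[^:\s]*)?"                         # optional path
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

# Constructed sample lines for illustration; not taken from any real dataset.
SAMPLE_ULP = """\
https://vpn.example.org/login:alice@example.org:Winter2024!
https://shop.other.test:8443/account:bob@example.org:pa:ss:word
mail.example.org/owa:dave:S3cret
https://forum.other.test/:erin@other.test:letmein
not a credential line
"""

def parse_ulp_line(line):
    """Return (host, login, password), or None when the line does not fit the layout."""
    m = ULP_LINE.match(line.strip())
    if not m:
        return None
    return m["host"].lower(), m["login"], m["password"]

def in_domain(name, domain):
    """True for the domain itself or a subdomain, never for look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def triage(text, org_domain):
    """List (login, host, reason) for entries touching org_domain; passwords are dropped."""
    findings, skipped = set(), 0
    for line in text.splitlines():
        parsed = parse_ulp_line(line)
        if parsed is None:
            skipped += 1
            continue
        host, login, _password = parsed  # plaintext is never stored or returned
        if in_domain(host, org_domain):
            findings.add((login, host, "own_service"))
        elif "@" in login and in_domain(login.rsplit("@", 1)[1], org_domain):
            findings.add((login, host, "corporate_login_on_third_party"))
    return sorted(findings), skipped

if __name__ == "__main__":
    for finding in triage(SAMPLE_ULP, "example.org")[0]:
        print(finding)
```

Entries flagged `own_service` call for a forced reset and session revocation on that service; `corporate_login_on_third_party` entries matter because of the password reuse risk described above.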
Spotlight
A terrifying story is spreading across crypto and mainstream media outlets: a well-known investor in the digital assets space was kidnapped, tortured, and held for three weeks by a gang seeking access to his crypto wallets. According to multiple reports, the victim was:
- Dangled by his ankles from a five-story building
- Beaten and pistol-whipped
- Cut with a chainsaw
- Electrocuted
All in an effort to extract his private keys or wallet credentials.
The investor reportedly escaped on the day he was due to be executed, turning what could have been another silent tragedy into a shocking survival story. The tale has reignited urgent discussions around privacy, personal security, and the very real life-threatening risks of being publicly associated with crypto wealth.
Just two weeks before this latest horror, another kidnap attempt took place in broad daylight on the streets of Paris. The daughter of a crypto CEO was nearly abducted by an armed gang attempting to drag her into a van. Weapons included a handgun and other restraints.
She was saved by quick-thinking bystanders and her boyfriend, who physically intervened.
This isn’t just about phishing emails and data leaks anymore; it’s about real-world consequences of data breaches like the recent Coinbase hack, which may be helping criminals correlate wealth to identity and location. For those in the industry or holding significant amounts of crypto: operational security is no longer optional.
Cybercrime journalist Brian Krebs, known for his KrebsOnSecurity blog, has found himself in the crosshairs once again. Less than two weeks ago, his site was slammed by a massive 6.3 terabit-per-second DDoS attack, one of the largest ever recorded.
While brief, the attack was powerful enough to nearly break the current world record for distributed denial-of-service bandwidth. Krebs believes the attack was launched via a massive botnet of IoT (Internet of Things) devices, hinting at the ever growing vulnerability of our connected world, and the power of threat actors to mobilise it at scale.
A bizarre and troubling situation is unfolding at a mid-sized U.S. data centre company. The business, which operates 10 data centres across the country, is facing what appears to be an ongoing extortion campaign.
Two days ago, every client received a cryptic email reading:
“Dear representatives of the (redacted) administration and users of hosting services…”
The message accuses the company of hosting illegal content, failing to moderate criminal activities, and allowing infrastructure abuse. Then comes the kicker:
- Pay us for our silence, or
- Pay us more to ‘help resolve’ the issues.
All roads lead to a Telegram bot, where the threat actors are running an obvious racket, mixing fake accusations with real fear.
For now, no data appears to be leaked. But the campaign is clearly aimed at shaking confidence in the provider, and it raises the question: is this the next evolution of ransomware, psychological extortion at scale?
Vulnerability Chat
A new ransomware gang called DragonForce is making waves, and not in a good way. The group recently hit a managed service provider (MSP) and its customers by exploiting flaws in a remote monitoring tool called SimpleHelp. DragonForce came on the scene earlier this year, gaining notoriety when Scattered Spider, yes, that cybercrime cartel, used its ransomware to hit big retailers in the UK and US. Now, DragonForce is offering its tools as a service, letting other hackers deploy their own ransomware using its infrastructure. It’s basically turning ransomware into a plug-and-play platform for cybercriminals.
Meanwhile, if you’re using an ASUS WiFi or broadband router, it might be time for a firmware check. GreyNoise researchers uncovered a serious vulnerability that’s already being exploited in the wild. Thousands of exposed routers have been compromised, with attackers gaining unauthorised, persistent access. ASUS users are strongly urged to update immediately.
Over at GitHub, researchers from Invariantlabs discovered a vulnerability in its Model Context Protocol (MCP) server. This flaw could let attackers carry out malicious prompt injection attacks that compromise private repository data. The attack scenarios are pretty advanced, think exfiltrating sensitive data or tricking AI tools into executing malicious code.
Apache Tomcat also has a newly disclosed security issue involving its CGI servlet. Under certain configurations, specifically when CGI support is enabled (which it’s not by default), attackers could bypass security restrictions. It’s another reminder that even widely used and trusted open-source tools can contain lurking threats if not configured carefully.
And vBulletin, the popular forum software, is facing two critical security vulnerabilities. One of them is already being exploited in the wild. Researcher Egidio Romano, aka EgiX, pinpointed a flaw involving the misuse of PHP’s Reflection API, something that became more dangerous after changes in PHP 8.1. If you're running a vBulletin-powered forum, patching should be a top priority.
Then there’s ConnectWise, which recently announced it had detected suspicious activity believed to be tied to a state-sponsored actor. Only a “very small number” of customers using its ScreenConnect tool were affected, but the company is taking the breach seriously and has alerted users.
Finally, NASA isn’t immune either. A researcher named Leon Juranić found critical flaws in NASA’s own open-source Common Data Format (CDF) library. These could have been exploited to breach internal systems, but thankfully, the vulnerabilities were reported and fixed before they could be used in the wild.
0 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 460 vulnerabilities during the last week, making the 2025 total 20,045. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
NHS England is looking into a cyber incident involving two major hospitals, University College London Hospitals (UCLH) and University Hospital Southampton. A spokesperson for UCLH told Digital Health News that a piece of software used to manage mobile devices at the trust was briefly compromised earlier in May. According to Sky News, hackers exploited security flaws in Ivanti’s Endpoint Manager Mobile (EPMM) software, which is commonly used to manage employee smartphones and tablets. It appears that data was stolen in the attack.
Over at Meta, internal documents obtained by NPR reveal that the company plans to automate up to 90% of its internal risk assessments. That’s raising alarms, especially from former executives who say this could lead to products being launched with less scrutiny and higher risks. One former Meta staffer told NPR, on the condition of anonymity, that this could mean more features roll out faster, but at the cost of safety and oversight.
A new report from the University of Southampton and the Institute of Public Policy Research sheds light on how workplace surveillance has intensified since the pandemic. The report, titled Negotiating the Future of Work, says that remote work has accelerated the use of monitoring technologies. Many workers now feel that they're under more constant and intrusive watch than ever before, prompting calls for updated laws to protect employee privacy.
Meanwhile, on the island of Jersey, Information Commissioner Paul Vane has launched his office’s 2025 privacy awareness survey. He’s encouraging islanders to take part so his office can better understand how aware people are of their rights under the Data Protection (Jersey) Law of 2018. The results will help shape future outreach and regulatory efforts. If you’re in Jersey, you can find the survey on the commissioner’s website.
In Australia, a major change in privacy law is taking effect this month. The new Privacy and Other Legislation Amendment Act 2024 introduces a statutory tort for serious invasions of privacy. This means individuals can now take legal action if their personal space is intruded upon or if their private data is misused in a serious way. It's a big step forward in giving Australians more control over their personal information and how it's handled.