DeFi Drained, Rogue AI Unleashed, and Ransomware “Good Guys” Turned Villains.
10 November 2025, BreachAware HQ
A total of 35 breach events were found and analysed, resulting in 20,016,481 exposed accounts spanning 31 different types of personal data. The breaches found publicly and freely available included ULP Alien TxT File - Episode 27, MYM, 100 Million ULP, ULP 0036 and Stealer Log 0546.
Categories of Personal Data Discovered
Contact, Geolocation, Digital Behaviour, Sociodemographic, Career, Technology, Finance, Unstructured, National Identifiers, Audio and Visual, Communication Logs, Commerce.
Data Breach Impact
This breach set shows a continued pattern where large-scale, unstructured data leaks and user-generated content platforms are driving exposure at significant scale. The presence of MYM, a subscription-based creator platform, suggests that leaks are increasingly affecting environments where privacy and personal identity are closely tied to personal brand and livelihood. The recurrence of ULP Alien TxT Files, including the notably large 100 Million ULP reference, signals that massive data dumps continue to circulate and expand, often without a single “attack” event occurring. Meanwhile, Stealer Log 0546 reinforces the ongoing trend of endpoint compromise feeding the breach ecosystem: malware capturing saved passwords, cookies, and autofill data continues to create persistent, long-tail account compromise risk. With 31 different data types represented, these leaks give adversaries enough identity, behavioural, and account metadata to craft unusually convincing phishing and impersonation attempts.
For organisations implicated in this cluster, the implications go beyond immediate exposure. Platforms like MYM rely heavily on trust, and any breach affecting creators risks driving churn, revenue loss, and reputational damage, especially if leaked data intersects with sensitive personal or financial information. The repeated appearance of ULP repositories highlights gaps in data lifecycle governance, where exported or archived datasets are being mishandled, left unsecured, or shared without oversight. Stealer log involvement also indicates that many companies still have limited visibility into endpoint security and credential hygiene, especially across employees, contractors, and partners.
The takeaway is clear: organisations cannot rely solely on perimeter security, they need to map where data lives, enforce stronger identity controls, and monitor for leaked credentials continuously, because today’s breaches are being driven as much by forgotten files and infected devices as by direct system intrusions.
Cyber Spotlight
The crypto world has been having a bit of an emotional week. A threat actor found and exploited a vulnerability in Balancer V2, a DeFi protocol that was apparently just minding its business, and siphoned off roughly $120 million USD.
The funds are already being dragged through every mixer and chain swap imaginable, Tornado, bridges, swapping chains faster than a crypto bro tries to explain “liquidity” at a party. The Balancer team is expected to release a Very Serious Statement™ soon, likely containing classics such as:
- “We are investigating.”
- “We’re committed to security.”
- “Funds may or may not be SAFU.”
- “Please stop tagging us so much on Twitter.”
Meanwhile, a new uncensored LLM called DIG is being advertised on Dread (think Reddit, if Reddit lived in a basement and didn’t believe in laws). DIG claims to be:
- As powerful as ChatGPT Turbo
- Completely anonymous
- No restrictions whatsoever
- And also offering free image generation
Which is a combination that absolutely guarantees nothing wholesome is going to happen. The onion service is proudly boasting “No JavaScript. No logs. No limits.”
Translation: Whatever digital abomination you ask it to create is between you and your conscience. And possibly an ethics review board if this ever ends up in daylight.
Now, this one’s a plot twist you’d see in a cybercrime Hollywood show. Three individuals, including:
- A ransomware negotiator from Digital Mint (yes, the guy hired to help victims), and
- A Digital Forensics & Incident Response manager from Sygnia (yes, the guy hired to fix breaches)
…have been arrested for running their own ransomware operation. It’s like hiring a firefighter only to find out he’s been quietly setting forest fires on his lunch break.
The group ran their operation between May 2023 and April 2025, successfully extorting $1.2 million from a medical firm in Florida. They attempted to ransom several more companies (with demands ranging from $300K to $5M) but came up short.
One of the men attempted the classic getaway move: buy a one-way ticket to France and hope for the best. Unfortunately, law enforcement also knows how airports work, so that plan wrapped up pretty quickly. They face charges under:
- The Hobbs Act (x2)
- The CFAA (x1)
And potentially 50 years each, which is plenty of time to reflect on the phrase “you had one job.”
Vulnerability Chat
Cybersecurity researchers at Zensec have uncovered a major supply chain attack that weaponised trusted Remote Monitoring and Management (RMM) tools to distribute ransomware across several UK organisations. The attackers targeted SimpleHelp, a widely used RMM platform, and exploited critical vulnerabilities to move through managed service providers and into their downstream customers. The investigation links the campaign to two ransomware-as-a-service groups, highlighting the growing risk of attackers abusing the same remote access tools that IT teams rely on every day.
A critical remote code execution vulnerability in the Monsta FTP web-based file management tool has also been confirmed to be under active exploitation. The flaw allows attackers to gain full remote access to vulnerable servers without authentication. Researchers at WatchTowr Labs noted that although recent updates attempted to improve input validation, several key weaknesses remained, leaving multiple Monsta FTP versions exposed.
Meanwhile, Cisco has issued a warning about a new attack variant targeting devices running Secure Firewall ASA and FTD software. This new activity builds on previously disclosed vulnerabilities, meaning organisations that haven’t applied patches remain at significant risk. Cisco credited researcher Jahmel Harris with identifying the new attack approach.
In another discovery, the research team at JFrog found a critical vulnerability in tooling used by Node.js developers, specifically involving the Metro JavaScript bundler. The flaw could allow an unauthenticated attacker to remotely execute arbitrary OS commands simply by sending a crafted POST request, a serious threat for software supply chains and CI/CD environments.
Researchers at Tenable have also identified seven different methods attackers can use to trick ChatGPT into leaking private chat history. Most of these attacks rely on indirect prompt injection, exploiting ChatGPT’s built-in memory and external search capabilities. Essentially, the model can be manipulated into pulling and revealing data it was never meant to share.
Finally, a critical RCE vulnerability has been discovered in the npm package `expr-eval`, commonly used in AI and natural language processing workflows. Carnegie Mellon University researchers showed that attackers can inject malicious code by defining custom functions inside the expression parser, potentially allowing system-level commands to run remotely.
Two Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- CWP; Control Web Panel
- Gladinet; CentreStack and Triofox
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 1,385 vulnerabilities during the last week, making the 2025 total 40,574. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
New documents obtained by Politico suggest that some European privacy laws, including the GDPR, may soon be loosened in order to boost competitiveness and support AI development. The key change under discussion is how pseudonymised data is treated. Currently, data that has had personal identifiers removed is still generally protected under GDPR. But under the proposals, that kind of data might no longer receive the same protection, which could open the door to its use in AI training.
Meanwhile, Denmark has put forward a revised version of the EU’s controversial “chat control” proposal. The new version shifts from mandatory to voluntary scanning of private messages. Despite the change in tone, former MEP Patrick Breyer warns that the proposal still poses a threat to Europeans’ right to communicate privately.
Microsoft has also disclosed a privacy issue that could reveal what users are discussing with AI chatbots like ChatGPT, even when those conversations are encrypted. The vulnerability, nicknamed Whisper Leak, means that someone monitoring network traffic could potentially infer the general subject of a discussion, particularly if it touches on sensitive areas like politics or financial investigations.
At Stanford, Jennifer King and her research team have taken a close look at the privacy policies of major AI developers. Their review found several worrying practices, including retaining user data for extended periods, training AI on children’s data, and offering very limited transparency into how personal information is handled. Their advice to users is to be cautious about what they share with AI systems and to opt out of data training whenever that option is available.
A judge in Washington state has ruled that data gathered by police-operated automated license plate readers must be made public. The ruling came from Judge Elizabeth Yost Neidzwski, who determined that the images collected by Flock cameras count as public records under state law. The case was brought by a tattoo artist seeking access to the data, and it follows recent reporting that federal authorities accessed Washington’s Flock camera network, potentially in violation of state rules that prohibit the use of such systems for immigration enforcement.
In South Africa, Truecaller is now under investigation following complaints that the popular caller identification app may be violating the country’s data protection law, POPIA. Critics say the app has incorrectly labelled legitimate businesses as spam and then pressured them to pay to be removed. Truecaller denies the accusations, saying it does not charge for removal and that its data permissions comply with local law.