Europol Cracks SIMCARTEL, Monopoly Market Collapses & Shiny Hunters Implode.

A total of 28 breach events were found and analysed resulting in 7,895,154 exposed accounts containing a total of 36 different data types of personal datum. The breaches found publicly and freely available included ULP Alien TxT File - Episode 26, Detsky Mir Group, VC Telecoms, ULP 0034 and Ambab Infotech. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Data Breach Impact

This latest set of breaches highlights a growing blend of corporate, retail, and infrastructure-level data exposures, with Detsky Mir Group, VC Telecoms, and Ambab Infotech showing how interconnected and data-rich industries are now sharing similar vulnerabilities. The reappearance of ULP Alien TxT File and associated repositories points to the ongoing challenge of unsecured data handling, internal files and exports continuing to surface publicly without oversight. The exposure of data from a major retail group like Detsky Mir is particularly concerning, as it could involve sensitive customer information related to families and children, opening the door to identity theft or targeted scams. Likewise, telecom-related leaks (VC Telecoms) can lead to credential reuse, SIM swap fraud, or direct exploitation of communication networks. Across the 36 data types revealed, adversaries are gaining deeper context around individuals and corporate behaviours, allowing for far more precise and sustained exploitation campaigns.

For the affected organisations, the implications are substantial. The presence of both corporate data and consumer information in freely available breaches underscores a lack of visibility across data flows and storage endpoints, a problem that spans industries and geographies. Companies like Ambab Infotech, which often play a role in supporting other businesses digitally, represent the growing supply chain dimension of data risk: a breach in one vendor can cascade across multiple client environments. Telecom and retail organisations face regulatory exposure, while technology service providers face questions about internal security standards and client data stewardship. Collectively, this breach cluster reinforces that modern data protection isn’t just about cybersecurity, it’s about ecosystem accountability, where every participant in a digital value chain must uphold consistent security and governance practices to prevent the next ULP-style exposure from resurfacing.

Cyber Spotlight

Law enforcement has been on an absolute tear this week with Operation SIMCARTEL, a joint strike led by Europol and Croatia’s Policija, among others. The target? A massive SIM-box network that could make any telecom engineer weep, 1,200 devices running 40,000 SIM cards.

After 26 searches and five arrests in Latvia, police seized five servers and two domains, effectively pulling the plug on what may have been the world’s largest cyber-enabled call-and-spam operation. The footage released by Europol looks like a deleted scene from Mr Robot 4 1/2: rows of racks buzzing with SIMs, LED lights blinking like a Christmas tree of fraud.

These setups are a spammer’s dream, perfect for phishing, harassment, and those delightful MFA-fatigue attacks that make your phone vibrate like it’s possessed. One can only imagine the moment the carriers noticed thousands of SIMs in one spot and thought, “Huh, maybe this isn’t just a very enthusiastic Microsoft brand ambassador.”

Meanwhile, the dark-web drug bazaar Monopoly Market has officially hit the “Game Over” screen. U.S. prosecutors have charged Milomir Desnica, 33, a dual citizen of Croatia and Serbia, with conspiracy to distribute and possess with intent to distribute more than 50 grams of meth, plus money laundering.

According to the Department of Justice, the FBI’s Washington Field Office Hi-Tech Opioid Task Force teamed up with Germany’s Zentrale Kriminalinspektion Oldenburg Cybercrime Unit to locate Desnica after what sounds like a long game of digital cat-and-mouse.

The DOJ hinted that many old-school darknet admins are learning the hard way that Bitcoin “tumblers” aren’t magic invisibility cloaks anymore. Investigators can now back-trace transactions through those old mixers faster than you can say “plausible deniability.” The moral: the dark web’s nostalgia for 2015-era OPSEC is aging about as well as unpatched PHP code.

And finally, the latest episode of Hackers Behaving Badly. The Shiny Hunters, or someone pretending to be them, just had their clearnet site hijacked, and it now redirects to a taunting message aimed squarely at “James from the Scattered.” The note reads “Hello James from the scattered :) You should hide from now on and disband Scattered. Doing the work the FBI couldn’t… The real Shiny Hunters are not you…”

(The rest of the message devolves into language unfit for polite company.)

After watching these groups for a while, it really does feel like the Shiny Hunters brand has been hijacked, the tone and tactics just don’t match the original crew’s flair. Whether this is infighting, impersonation, or an undercover sting, one thing’s for sure: someone’s sleeping a little less soundly this week.

Vulnerability Chat

A new security tool called DefenderWrite, developed by cybersecurity researcher Two Seven One Three, is stirring debate in the infosec community. The tool takes advantage of whitelisted Windows programs to bypass protections and write arbitrary files into antivirus executable folders, potentially allowing malware to persist or evade detection. The tool’s release on GitHub has reignited discussions about the delicate balance between maintaining antivirus functionality and preventing abuse in enterprise systems.

Meanwhile, F5 Networks has confirmed a security breach that resulted in attackers stealing both source code and vulnerability information tied to its BIG-IP networking and security product line. The company has enlisted CrowdStrike, Mandiant, and other cybersecurity experts to investigate the incident and assess the potential impact.

In the cryptocurrency world, a serious flaw in the Libbitcoin Explorer (bx) 3.x series has exposed more than 120,000 Bitcoin private keys, according to crypto wallet provider OneKey. The issue stemmed from a weak random number generator that relied on system time, making wallet keys alarmingly predictable. OneKey later clarified on its Chinese-language account that the so-called “Milk Sad” vulnerability does not affect the security of mnemonic phrases or private keys within its own software or hardware wallets.

Google’s Project Zero team has also flagged a new critical zero-click vulnerability in Dolby Digital Plus (DDP) audio decoding software. Researchers Ivan Fratric and Natalie Silvanovich found that the flaw could let attackers execute malicious code remotely through seemingly harmless audio messages, highlighting how even media files can become attack vectors.

Finally, SAP has rolled out security patches addressing 13 vulnerabilities, including additional hardening for a critical bug in SAP NetWeaver AS Java that could allow arbitrary command execution.

6 Common Vulnerability and Exposures (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week including:
- IGEL; IGEL OS
- Microsoft; Windows
- Rapid7; Velociraptor
- SKYSEA, Client View
- Adobe; Experience Manager (AEM) Forms

See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 891 vulnerabilities during the last week, making the 2025 total 37,916. For more information visit https://nvd.nist.gov/vuln/search/

View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage

Information Privacy Headlines

Australia has recorded its first civil penalty under the Privacy Act, with Australian Clinical Labs ordered to pay $5.8 million following a major data breach that exposed sensitive information. Regulators noted that future penalties could be far steeper, with the current maximum set at $50 million, three times the benefit gained, or 30% of adjusted turnover for serious privacy violations.

WhatsApp is rolling out a new privacy feature that lets users create unique usernames instead of sharing their phone numbers. Currently in beta, the update aims to give users greater control over their privacy, particularly in large group chats and business conversations, mirroring similar privacy models seen on platforms like Instagram and Telegram.

Meanwhile, after years of development delays and scaled-back ambitions, Google has officially ended its Privacy Sandbox initiative, once touted as the company’s flagship replacement for third-party cookies. The move marks the quiet conclusion of an effort that aimed to create more privacy-preserving ad technologies but faced mounting criticism from advertisers, privacy advocates, and regulators alike.

Smarter Protection Starts with Awareness
Data Breach Exposure Scan, Check Any Domain for Free https://breachaware.com/scan