Interpol Busts 1,006 Suspects in Africa for a Host of Financial Cybercrimes

The third Snowflake suspect might be a US Army soldier, US court reverses sanctions on Tornado Cash, RomCom group chained zero days to target Firefox and Tor browsers, Uniswap offers $15.5m bug bounty, CrowdStrike can't gauge financial impact of July outage yet, much more

Results of Operation Serengeti. Source: Interpol.

Publishing notice and thank you

Metacurity will be on a publishing break starting tomorrow, November 28, in honor of the US Thanksgiving holiday. We resume publication on December 2.

It's the perfect time of year to express our gratitude to our readers, particularly our premium subscribers and our current sponsor (see their ad below - give them some love!) for supporting Metacurity and helping to keep this publication alive.

In your honor, we will donate to RSF: Reporters Without Borders as they continue to fight for free and independent journalism.


Interpol arrested 1,006 suspects in Africa during a massive two-month operation it called Operation Serengeti, clamping down on cybercrime that left tens of thousands of victims, including some who were trafficked, and produced millions in financial damage.

The joint operation with Afripol, the African Union’s police agency, ran from Sept. 2 to Oct. 31 in 19 African countries and targeted criminals behind ransomware, business email compromise, digital extortion, and online scams.

Interpol pinpointed 35,000 victims, with cases linked to nearly $193 million in financial losses worldwide, stating that local police authorities and private sector partners, including internet service providers, played a vital role in the operation.

Enrique Hernandez Gonzalez, Interpol's Assistant Director of Cybercrime Operations, said Serengeti’s results were a “drastic increase” compared to operations in Africa in previous years.

Interpol’s previous cybercrime operations in Africa had only led to 25 arrests in the last two years. (Mark Banchereau / Associated Press)

Related: INTERPOL, BleepingComputer, Cybernews.com, CyberScoop, The Record, The Cyber Express, Help Net Security, DataBreaches.Net, Slashdot, Infosecurity Magazine, HackRead, TechRadar

Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake. A third suspect, a prolific hacker known as Kiberphant0m who remains at large and continues to extort victims publicly, might be a US Army soldier who is or was recently stationed in South Korea.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey.

Investigators say Moucka, who went by the handles of Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to delete their information. Immediately after news broke of Moucka’s arrest, Kiberphant0m was furious and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and Vice President Kamala Harris.

On the same day, Kiberphant0m posted what they claimed was the US National Security Agency's “data schema.”

“This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion,” Kiberphant0m wrote in a thread on BreachForums. “Why would ATNT pay Waifu for the data when they wouldn’t even pay extortion for over 20M+ SSNs?”

Among the many connections between Kiberphant0m and the US military is data from cyberintelligence firm Flashpoint showing that @kiberphant0m told a fellow member of Dstat on April 10, 2024, that their alternate Telegram username was “@reverseshell,” and said the same two weeks later in the Telegram chat The Jacuzzi. The Telegram ID for this account is 5408575119.

On Nov. 15, 2022, @reverseshell told a fellow member of a Telegram channel called Cecilio Chat that they were a soldier in the US Army.

In a chat from October 2022, Reverseshell was bragging about the speed of the servers they were using, and in reply to another member’s question said that they were accessing the Internet via South Korea Telecom. (Brian Krebs / Krebs on Security)

Related: Hacker News (ycombinator), CSO Online


Sponsor Message

In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."


The 5th US Circuit Court of Appeals in New Orleans ruled the US Treasury Department overstepped its authority by sanctioning cryptocurrency mixer Tornado Cash after a North Korean hacking group used the software to launder more than $455 million.

In 2022, the Treasury Department sanctioned Tornado Cash. It said the mixer had been used to launder more than $7 billion of virtual currency since its creation, including $455 million stolen by North Korea-affiliated hacking group Lazarus.

In May, Alexey Pertsev, one of the developers of Tornado Cash, was sentenced to five years and four months in prison by Dutch authorities for helping to launder more than $2 billion. He said in a social media post last week that he’s planning to appeal.

The three-judge panel sided with six crypto mixing service users who argued that the software Tornado Cash uses to conceal ownership of digital assets isn’t subject to sanction under US law “as opposed to the rogue persons and entities who abuse it.”

Coinbase Global, the biggest US cryptocurrency exchange, helped organize and fund the legal challenge, cautioning that the move could hurt the crypto industry.

Circuit Judge Don Willett, writing for the panel, said the government’s concerns about foreign actors laundering funds through the software are “undeniably legitimate,” but federal law only gives the Treasury Department the authority to take action against property. (Madlin Mekelburg / Bloomberg)

Related: Brave New Coin, Coinspeaker, Cryptonews, The Defiant, Crypto News Flash, Decrypt, The Crypto Basic, CCN, Axios, CoinPedia, NDTV

Researchers at ESET report that the Russia-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.

The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.

The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.

RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction. Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

Based on the name of one of the JavaScript exploits used in the attacks (main-tor.js), the threat actors also targeted Tor Browser users (versions 12 and 13, according to ESET's analysis).

Once deployed on a victim's device, RomCom malware enabled the attackers to run commands and deploy additional payloads.

"The number of potential targets runs from a single victim per country to as many as 250, according to ESET telemetry," ESET said.

According to ESET, RomCom targets organizations in Lithuania, Ukraine, Europe, and North America for espionage attacks across various industries, including government, defense, energy, pharmaceuticals, and insurance. (Sergiu Gatlan / Bleeping Computer)

Related: We Live Security, Infosecurity Magazine, Dark Reading, Security Week, The Record, Tech Target, Cybernews, Security Affairs

Source: ESET.

Uniswap Labs announced the launch of what it deems “the largest bounty in history” ahead of the Uniswap v4 release.

The bounty program, currently underway, offers payouts ranging from $2,000 to the full $15.5 million purse for the discovery of unique vulnerabilities that result in code changes.

The maximum payout of $15.5 million is only available to researchers who discover unique vulnerabilities in the Uniswap v4 core contracts code that result in code changes.

According to the program's details, vulnerabilities deemed “critical” will be eligible for the top payout, while those labeled “high” could qualify for a payment of up to $1 million. Payouts dip to $100,000 for “medium” risk vulnerabilities and those for low-risk vulnerability findings will be paid out on a “discretionary” basis. 

Beyond the core contracts code, the program also covers vulnerabilities in “other contracts,” other websites, back ends, and Uniswap v4 wallet codes. (Tristan Greene / Cointelegraph)

Related: The Daily Hodl, Cointelegraph, Cryptonews, crypto.news, The Block, BeInCrypto, CoinGape, Coinspeaker, Fortune

A table demonstrating top payout requirements for Uniswap Labs' $15.5 million bounty program. Source: Uniswap Labs/Cantina.

In announcing its latest financial results, CrowdStrike said it cannot yet confidently predict the financial impact of the failed update to its Falcon software that crashed millions of computers worldwide last July, but said it is confident its third-quarter results show customers can't find a better security product.

The security vendor posted $1.01 billion in revenue, $926 million of which came from subscriptions. Year-over-year, that's a 29 percent jump in revenue and a 31 percent jump in subscriptions, but it couldn't save the business from a $17 million loss.

Investors were told to expect around $1.03 billion in revenue in Q4, but the company also warned that it doesn’t yet know how its software snafu will impact sales.

CFO Burt Podbere told investors that in the wake of the July 19 incident, customers were reluctant to talk about renewing subscriptions and delayed buying decisions.

CEO George Kurtz was more upbeat, telling investors that CrowdStrike's products are what customers want and need right now as they try to defend against increasing cybercrime.

"I'm encouraged by the conversation that I'm having with our largest customers and a reflection on the fact that they realize that we have the best tech in the industry and the ability to stop breaches," he said, adding that customers are mostly sticking around.

Some small managed services providers have bailed, but the CEO opined they won't be missed. (Simon Sharwood / The Register)

Related: Investopedia, Barron's, Quartz, Marketwatch, Seeking Alpha

Best Thing of the Day: Bye Bye Banshee

Vx-Underground reported that the Banshee Stealer source code was leaked online, made it available on the Vx-Underground GitHub account, and said that the cybercriminals behind the macOS-infecting malware have shut down their operations.

Worst Thing of the Day: When Half of US Citizens Wish to Move to Canada, This Happens

Deepfake videos of Toronto-based lawyer Max Chaudhary asking for money are trying to exploit newcomers to Canada during a time of confusion around new immigration rules.
