Joint law enforcement operation took down the dark web CSAM platform Kidflix

Waltz had at least 20 Signal group chats going, Indiana cyber prof has not been detained or charged, Musk worker bragged about hacking and pirating software, Oracle had a second breach, NSA and others warn of C2 creator Fast Flux, Royal Mail and Samsung Germany breached via same supplier, much more



Following a joint action coordinated by German law enforcement, Kidflix, one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web, was shut down on March 11.

Dubbed Operation Stream, this joint international investigation is led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB).

The joint operation was also supported by Europol analysts from the European Cybercrime Centre (EC3), who analyzed thousands of videos, providing evidence to facilitate the investigation.

Operation Stream started in 2022 and has so far led to 79 arrests, 1,393 suspects identified, and over 3,000 electronic devices seized between March 10 and March 23, 2025.

According to the Dutch National Police, information about the suspects has been shared with investigation authorities in 35 countries, who had official warning conversations with them between March 10 and March 21.

Many of the suspects identified during Operation Stream were cross-referenced with Europol's databases, showing that a large portion of those involved in child sexual exploitation are repeat offenders already on law enforcement's radar.

Launched in 2021, Kidflix hosted over 91,000 unique videos with a total running time of 6,288 hours while it was active. Roughly 3.5 new videos were uploaded to the dark web platform every hour, many previously unknown to law enforcement. (Sergiu Gatlan / Bleeping Computer)

Related: Europol, Politie.nl, The Record, Ars Technica, CTV News, France24, GBHackers, CBS News, Hackread, nltimes.nl, Belfast Live, PCMag, DW, Fudzilla, Cybernews, The420, Rappler

Four sources who have been personally added to the chats say that national security adviser Mike Waltz’s team regularly sets up chats on Signal to coordinate official work on issues including Ukraine, China, Gaza, Middle East policy, Africa, and Europe.

Two people said they were in or know directly about at least 20 such chats. All four said they saw instances of sensitive information being discussed.

It’s a more extensive use of the app than previously reported. It sheds new light on how the Trump administration’s national security team commonly relies on Signal, a publicly available messaging app, to conduct its work.

Veteran national security officials have warned that the practice potentially violates regulations on protecting sensitive national security information from foreign adversaries and federal recordkeeping laws if the chats are automatically deleted. (Dasha Burns / Politico)

Related: The Guardian, Reuters, Boing Boing, Common Dreams, Gizmodo

Prominent Indiana University cybersecurity professor XiaoFeng Wang who was abruptly fired and disappeared from public view has not been detained, and there are no pending criminal charges against him or his wife, Nianli Ma, his attorney Jason Covert said.

On March 28, the FBI and Department of Homeland Security simultaneously searched two homes associated with the couple. That was also the same day the university terminated his employment.

Covert told Reuters neither Wang nor his wife has been arrested, and there “are no pending criminal charges as far as we are aware.”

Riana Pfefferkorn, a researcher at Stanford University, filed a motion on April 1 asking a federal judge in the Southern District of Indiana to unseal the warrants and supporting materials, including supporting affidavits, used by the government to enable the searches of Wang and Ma's homes.

A federal judge on April 2 ordered the United States Attorney for the Southern District of Indiana to respond to the motion by April 17.

Alex Tanford, an Indiana University professor of law and president of the Bloomington chapter of the American Association of University Professors, said he had been in touch with Wang, including on the day of his firing.

Tanford told Reuters that a complaint was filed with the university in mid-February accusing Wang of research misconduct by failing to properly disclose who was the principal investigator on a grant application and not fully listing all co-authors on an article, a charge that “seemed trivial.”

By March 13 or 14, “the matter escalated,” Tanford said, and Wang was informed he would be temporarily suspended, banned from his office, and denied access to computers, research, and data while the investigation continued, interim measures that are permitted under the university’s research misconduct policy. (AJ Vicens / Reuters)

Related: IDS News, Wired, WTHR, South China Morning Post, Indiana Daily Student

Elon Musk devotee Christopher Stanley, a 33-year-old engineer who has worked at Musk's social media company X and space-launch company SpaceX and is currently a senior advisor in the US Deputy Attorney General's office, previously bragged about hacking and distributing pirated software, according to archived copies of his former websites.

Stanley ran a series of websites and forums starting as far back as 2006, when he was 15, registration data preserved by the internet intelligence firm DomainTools shows. Several of those sites distributed pirated ebooks, bootleg software, and video game cheats, according to copies maintained by the Internet Archive, a nonprofit whose Wayback Machine preserves old websites.

Stanley boasted about hacking into websites on at least two forums, according to archived posts, one of which dates to when he was 19. At the time, he said he had put his hacking days behind him. However, a YouTube video he posted in 2014 shows his involvement in the breach of customer data by a rival hacking group when he was 23. (Raphael Satter and Sarah N. Lynch / Reuters)

Related: Ars Technica

In the second cybersecurity breach that the software company acknowledged to clients in the last month, Oracle told customers that a hacker had broken into a computer system and stole old client log-in credentials, according to two people familiar with the matter.

Oracle staff informed some clients this week that the attacker gained access to usernames, passkeys, and encrypted passwords, according to the people, who spoke on condition that they not be identified because they are not authorized to discuss the matter.

Oracle also told them that the FBI and cybersecurity firm CrowdStrike are investigating the incident, according to the people, who added that the attacker sought an extortion payment from the company. The people said Oracle told customers that the intrusion was separate from another hack that the company flagged for some healthcare customers last month. (Jake Bleiberg / Bloomberg)

Related: Reuters, Tech Radar, Tech in Asia, Health Exec

The US National Security Agency and its partners issued an advisory on a new technique called Fast Flux, which the agency says enables cybercriminals and nation-state actors to create resilient, highly available command and control (C2) infrastructure and hide malicious activities.

NSA says the infrastructure makes tracking and blocking malicious activity more difficult and can be used by threat actors to conduct espionage and obscure other cyber techniques, such as phishing campaigns and distributed denial of service attempts.

“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said Dave Luber, NSA Cybersecurity Director. Luber said it is “imperative cybersecurity providers, especially Protective DNS providers,” follow the guidelines issued by the group.

NSA and the partnering agencies recommend that cybersecurity providers implement a multi-layered approach to detection and that organizations leverage Protective DNS (PDNS) services that offer protection from fast flux-enabled threats. Organizations—especially those within the Department of Defense (DoD) and Defense Industrial Base (DIB)—should use cybersecurity and PDNS services that aid in blocking malicious activity.

The partner agencies include the Cybersecurity and Infrastructure Security Agency (CISA); the Federal Bureau of Investigation (FBI); the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC); the Canadian Centre for Cyber Security (CCCS); and the New Zealand National Cyber Security Centre (NCSC-NZ). (NSA)

Related: CISA, NSA, NSA, NSA
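The advisory describes fast flux as rapidly rotating the IP addresses behind a hostname so that blocking any one address achieves little. The block below is an added example, not code from the NSA/CISA advisory or from this newsletter: a small heuristic run over constructed passive-DNS records that scores each hostname on how many distinct addresses it resolved to, how many distinct /24 networks those addresses span, and how short the TTLs were. The hostnames, addresses (RFC 5737 documentation ranges), timestamps and thresholds are all assumptions made for the example.

```python
"""Added example: a fast-flux heuristic over constructed passive-DNS records.
Not the advisory's method; thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsRecord:
    ts: int      # epoch seconds when the answer was observed
    qname: str   # queried hostname
    rdata: str   # IPv4 address in the A record
    ttl: int     # TTL the resolver returned


BASE = 1_700_000_000  # arbitrary epoch base for the constructed sample

# Constructed passive-DNS sample: reserved example TLDs and RFC 5737 addresses.
SAMPLE_RECORDS = [
    # Fast-flux candidate: a new address every minute, TTL 60, spread over three /24s.
    DnsRecord(BASE + 0,   "update-check.example", "192.0.2.10",    60),
    DnsRecord(BASE + 60,  "update-check.example", "198.51.100.22", 60),
    DnsRecord(BASE + 120, "update-check.example", "203.0.113.5",   60),
    DnsRecord(BASE + 180, "update-check.example", "192.0.2.77",    60),
    DnsRecord(BASE + 240, "update-check.example", "198.51.100.90", 60),
    DnsRecord(BASE + 300, "update-check.example", "203.0.113.140", 60),
    DnsRecord(BASE + 360, "update-check.example", "192.0.2.200",   60),
    # Ordinary host: one stable address, long TTL.
    DnsRecord(BASE + 0,    "static.example.net", "203.0.113.1", 3600),
    DnsRecord(BASE + 900,  "static.example.net", "203.0.113.1", 3600),
    DnsRecord(BASE + 1800, "static.example.net", "203.0.113.1", 3600),
    # CDN-like host: short TTL and several addresses, but all inside one /24.
    DnsRecord(BASE + 0,  "cdn.example.com", "192.0.2.30", 20),
    DnsRecord(BASE + 20, "cdn.example.com", "192.0.2.31", 20),
    DnsRecord(BASE + 40, "cdn.example.com", "192.0.2.32", 20),
    DnsRecord(BASE + 60, "cdn.example.com", "192.0.2.33", 20),
    DnsRecord(BASE + 80, "cdn.example.com", "192.0.2.34", 20),
]


def prefix24(ip: str) -> str:
    """The /24 network containing ip, e.g. '192.0.2.10' -> '192.0.2.0/24'."""
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(records):
    """Per-hostname indicators: distinct IPs, distinct /24s, mean TTL, observation span."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    stats = {}
    for name, recs in by_name.items():
        stats[name] = {
            "distinct_ips": len({r.rdata for r in recs}),
            "distinct_prefixes": len({prefix24(r.rdata) for r in recs}),
            "mean_ttl": sum(r.ttl for r in recs) / len(recs),
            "span_s": max(r.ts for r in recs) - min(r.ts for r in recs),
        }
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300):
    """Heuristic: many addresses, across several networks, each advertised briefly.
    The thresholds are assumptions for this example, not values from the advisory."""
    return (s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["mean_ttl"] <= max_ttl)


def flag_fast_flux(records, **thresholds):
    """Sorted hostnames in records whose indicators meet the heuristic."""
    return sorted(name for name, s in summarize(records).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_RECORDS).items():
        print(f"{name:22s} {s}  flux={is_fast_flux(s)}")
```

The prefix-diversity check is what keeps the CDN-like host out of the result: content delivery networks and round-robin load balancers also hand out short TTLs and many addresses, but usually from a small number of networks they control, whereas a flux network fronts a C2 host with addresses scattered across unrelated (often residential) networks. In production this single-flux view would be corroborated with ASN diversity, domain age and, for double flux, the same rotation observed on the domain's NS records, which is why the advisory asks for a multi-layered approach rather than one signal.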

The UK's Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems.

A Royal Mail spokesperson said that the British postal service is aware of an incident at Spectos GmbH, a third-party data collection and analytics service provider.

Spectos confirmed that its systems were breached on March 29, and the attackers gained access to customer data.

The threat actor behind this leak (who uses the "GHNA" handle on BreachForums) released 16,549 files allegedly containing Royal Mail customers' personally identifiable information (including names, addresses, planned delivery dates, and more) and other confidential documents.

GHNA says the leaked documents also include Mailchimp mailing lists, datasets containing delivery/post office locations, the WordPress SQL database for mail agents.uk, internal Zoom meeting video recordings between Spectos and the Royal Mail Group, and more.

Cybersecurity company Hudson Rock says the attackers gained access to Royal Mail systems using the credentials of a Spectos employee compromised in a 2021 info stealer malware incident.

"In this case, the infected Spectos employee's credentials provided a gateway to Royal Mail Group's systems," Hudson Rock CTO Alon Gal said. "The stolen data sat dormant until recently, when it was weaponized in these high-profile leaks."

Separately, Hudson Rock reported GHNA has published approximately 270,000 customer records allegedly stolen from Samsung Germany’s ticketing system.

The threat actor gained access to Samsung’s system using the stolen credentials of a Spectos GmbH account. (Sergiu Gatlan / Bleeping Computer and Ionut Arghire / Security Week)

Related: Infostealers, Infosecurity Magazine, Teiss, Tech Monitor, Digit, HackRead, Cybernews, The Register, Cyber Daily, SC Media, Infostealers, eSecurity Planet, it-Daily

Royal Mail leak on BreachForums (BleepingComputer)
Samsung Electronics Germany leak on BreachForums. Source: Hudson Rock.

The Lower Sioux Indian Community in South Central Minnesota warned residents that a cyberattack had disrupted the local healthcare facility, government center, and casino.

The tribe said it was forced to activate incident response protocols following a cybersecurity incident discovered on some systems connected to Jackpot Junction, the tribe's local casino. 

The tribe "continued to take measures to contain the incident, including taking some systems offline (tribal phones, fax machines, and emails)," officials said in a social media post. 

“The Tribe is working with third party experts to address the incident, with the goal of returning to normal operations as quickly and as safely as possible.”

The tribe provided temporary phone numbers for the local health center, the dental center, the retail optical facility, and the local pharmacy. Those needing to fill prescriptions were urged to use an app provided by the pharmacy. (Jonathan Greig / The Record)

Related: Lower Sioux Indian Community, Star Tribune, Red Lake Nation News, CDC Gaming, Gambling News, Databreaches.net

In the wake of the Signalgate disaster, Senate Minority Leader Chuck Schumer (D-NY) introduced a bill to establish security training for President Trump's White House personnel members.

Schumer's bill, the Operational Security (OPSEC) Act of 2025, would establish a new office to train administration officials in security protocols and to identify counterintelligence operations.

It would also create a congressionally-appointed board to advise administration officials on best practices in security training. (Stephen Neukam / Axios)

Related: Senate Democrats

Researchers at Netscout report that DDoS attacks, once the preserve of petty criminals, are becoming a staple of geopolitical conflict as new technology supercharges their disruptive power.

They report that almost 17 million DDoS attacks occurred in 2024—up from more than 13 million in 2023—and many were correlated to conflicts and political unrest.

Amid the war in Gaza in 2024, there was a near-3,000% surge in DDoS attacks on Israel compared to normal levels and an almost 1,500% jump in attacks on Georgia, where protests erupted over a controversial law cracking down on civil society groups.

Netscout pointed to “NoName057(16)” as a leading actor of politically motivated attacks. The pro-Russian group has taken credit for attacks on Ukraine, and the report said the hackers also waged a disruptive campaign against government websites in countries including the UK, Belgium, and Spain. (Ryan Gallagher / Bloomberg)

Related: Netscout, BetaNews, Cointelegraph, Forbes, Advanced Television, ITPro, Risky Business, Netscout

Researchers at Group-IB report that big-game ransomware crew Hunters International says its criminal undertaking has become "unpromising, low-converting, and extremely risky," and it is mulling shifting tactics amid an apparent rebrand.

Group-IB believes a spinoff - which will focus on extortion involving purely the theft of data - is under formation by the gang's senior personnel.

Group-IB says that Hunters International announced the project's closure to its own crew in November, telling affiliates a rebrand to "World Leaks" was already underway.

World Leaks launched its dark web page on January 1, focusing on theft-only tactics – so no ransomware. It is just theft of information and using that to extract as much value as possible from victims or anyone interested in the pilfered data. (Connor Jones / The Register)

Related: Group-IB

A statement from Hunters about closing the project. Source: Group-IB

Some parents lost the ability to track the locations of their children using a T-Mobile tracking device and app and instead were shown the exact locations of random other children around the country.

T-Mobile sells a small GPS tracker for parents called SyncUP, which they can use to track the locations of young children without cell phones. "Jenna," a parent who uses SyncUP to keep track of her three-year-old and six-year-old children, logged in Tuesday and, instead of seeing if her kids had left school yet, was shown the exact, real-time locations of eight random children around the country, not the locations of her own kids.

Jenna is not alone. On Twitter, Reddit, and Facebook, parents say that they were also shown the locations of random people instead of their children or partners. T-Mobile also offers a device called SyncUp DRIVE, which is a dedicated car-tracking device. In a Reddit thread called “SyncUp sharing locations of other users,” several posters said that they were being shown other people’s locations on their SyncUp DRIVE. 

A T-Mobile crisis communications manager said: "Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience." (Emanuel Maiberg / 404 Media)

Related: Daily Mail, Phone Arena

Cybersecurity firm Kaspersky has uncovered thousands of counterfeit Android smartphones sold online, with malware preinstalled designed to steal crypto and other sensitive data. 

The Android devices are sold at reduced prices but are riddled with a version of the Triada Trojan that infects every process and gives the attackers “almost unlimited control” over the device. 

The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets.

The trojan’s other capabilities include stealing user account information and intercepting incoming and outgoing texts, including two-factor authentication. (Stephen Katte / Cointelegraph)

Related: Kaspersky, PCMag

CISA said Resurge, a malware variant it analyzed after recovering it from a compromised Ivanti Connect Secure device, resembles several other strains previously identified by Google and government officials in Japan.

But Resurge, CISA said, contains distinctive commands that can manipulate system integrity checks, modify files, harvest credentials, create accounts, reset passwords, escalate permissions, and more. 

CISA said it analyzed three files “obtained from a critical infrastructure’s Ivanti Connect Secure device” after threat actors exploited a bug tracked as CVE-2025-0282. In addition to Resurge, the incident responders found a second variant that tampered with Ivanti device logs and a third that allowed the hackers to perform other functions on the compromised devices.

CVE-2025-0282 affects Connect Secure, Ivanti’s Policy Secure, and ZTA Gateway products. On January 8, CISA confirmed the bug was being exploited after Ivanti published an advisory about it.

The cybersecurity agency urged administrators last week to conduct factory resets of their Ivanti devices, reset credentials and passwords for all accounts, and more. CISA added that any potential victims should reach out for assistance. (Jonathan Greig / The Record)

Related: CISA, Dark Reading, SC Media, The Register, GBHackers, The Stack, The Cyber Express, Security Week, Heise Online

Polish Prime Minister Donald Tusk said that his centrist political party, the Civic Platform party, was the target of a cyberattack and suggested that it could have been interference from the east, meaning Russia or Belarus, ahead of Poland’s presidential election next month.

Jan Grabiec, the head of Tusk’s office, told the Polish state news agency PAP that the cyberattack consisted of an attempt to take control of the computers of Civic Platform office employees and election staff over about a dozen hours.

The frontrunner is the Civic Platform candidate, Warsaw Mayor Rafał Trzaskowski, who, like Tusk, is a pro-European Union centrist. He has been polling around 35%. (Associated Press)

Related: Reuters, Euronews, TVP World, Notes from Poland, Ukrinform, Express, The Brussels Times, PAP

Security researcher Evan Connelly discovered that a vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request.

Connelly discovered the flaw on February 22, 2025, and Verizon fixed it sometime in the following month. However, the total period of exposure is unknown.

Although the researcher commends Verizon for its prompt response to his disclosure, he highlighted worrying practices the telecom firm has followed in handling subscribers' call data.

The vulnerable API endpoint used by Call Filter appears to be hosted on a server owned by a separate telecommunications technology firm called Cequint, which specializes in caller identification services.

Cequint's own website is offline, and public information about them is limited, raising concerns about how sensitive Verizon call data is handled. (Bill Toulas / Bleeping Computer)

Related: Evan Connelly, CISO Series, GBHackers, Cybernews
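The flaw class described above, an authenticated API that returns records for whatever phone number the request names without checking that the number belongs to the caller, is broken object-level authorization. The block below is an added example, not Verizon's, Cequint's or Connelly's code and not a reconstruction of the real endpoint: it shows a vulnerable handler beside a fixed one over constructed data. The account ids, session tokens, 555-range phone numbers, call logs and handler names are all hypothetical.

```python
"""Added example: object-level authorization on a call-log lookup.
Hypothetical handlers and data; not the real Call Filter API."""
from dataclasses import dataclass, field

# Constructed sample data: which account owns which line, and each line's
# incoming-call log. Numbers are fictional (555 range).
NUMBER_OWNER = {"+15555550100": "acct-A", "+15555550101": "acct-B"}
CALL_LOGS = {
    "+15555550100": [{"from": "+15555550180", "at": "2025-02-22T10:00:00Z"}],
    "+15555550101": [{"from": "+15555550181", "at": "2025-02-22T10:05:00Z"},
                     {"from": "+15555550182", "at": "2025-02-22T11:30:00Z"}],
}
# Stand-in for session or JWT validation: bearer token -> account id (assumption).
SESSIONS = {"tok-A": "acct-A", "tok-B": "acct-B"}


@dataclass
class Request:
    headers: dict
    number: str  # the phone number whose log is requested; client-controlled


@dataclass
class Response:
    status: int
    body: list = field(default_factory=list)


def authenticate(req):
    """Account id for a valid bearer token, else None."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return SESSIONS.get(token)


def call_log_vulnerable(req):
    """Authentication only: proves the caller is *a* subscriber, then serves
    the log for any number the request names."""
    if authenticate(req) is None:
        return Response(401)
    return Response(200, CALL_LOGS.get(req.number, []))


def call_log_fixed(req):
    """Authentication plus object-level authorization: the requested number
    must be owned by the authenticated account."""
    account = authenticate(req)
    if account is None:
        return Response(401)
    if NUMBER_OWNER.get(req.number) != account:
        return Response(403)  # a 404 here would also avoid confirming the number exists
    return Response(200, CALL_LOGS.get(req.number, []))


def fetch(handler, token, number):
    """Issue one request against a handler with the given bearer token."""
    return handler(Request({"Authorization": f"Bearer {token}"}, number))


if __name__ == "__main__":
    # Account A asking for account B's line: served by the vulnerable handler, refused by the fixed one.
    print(fetch(call_log_vulnerable, "tok-A", "+15555550101"))
    print(fetch(call_log_fixed, "tok-A", "+15555550101"))
```

The check that matters is the comparison between the subject established from the credential and the owner of the object named in the request; a valid session says nothing about which lines the caller may read. Deriving the number from the session (ignoring any client-supplied number entirely) is an even stronger form of the same fix when an account only ever has one line.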

The hacker behind the $9.6 million exploit of the decentralized money-lending protocol zkLend in February claims they’ve just fallen victim to a phishing website impersonating Tornado Cash, resulting in the loss of a significant portion of the stolen funds.

The hacker claims to have lost 2,930 Ether from the stolen funds to a phishing website posing as a front-end for Tornado Cash.

In a series of March 31 transfers, the zkLend thief sent 100 Ether at a time to an address named Tornado.Cash: Router, finishing with three deposits of 10 Ether. (Stephen Katte / Cointelegraph)

Related: Web3IsGoingJustGreat, TronWeekly, The Shib Daily, crypto.news

People familiar with the TikTok sale talks said that various parties involved do not appear to be taking Amazon’s bid seriously. According to a person briefed on the matter, the bid came via an offer letter addressed to Vice President JD Vance and Howard Lutnick, the commerce secretary.

Other reports suggest the White House has reviewed a menu of options in recent weeks, including a scenario in which investors outside China would increase their ownership of TikTok while Beijing-based ByteDance would retain ownership of the powerful algorithm that recommends what people see on the popular video app.

Still other reports state that mobile technology company AppLovin has made a bid for TikTok and talked to casino magnate Steve Wynn about backing it, according to people familiar with the matter.

The Trump administration’s April 5 deadline to sell or shut down TikTok is fast approaching. (Lauren Hirsch, Maggie Haberman, Zolan Kanno-Youngs, Karen Weise and Sapna Maheshwari / New York Times, Drew Harwell, Cat Zakrzewski and Naomi Nix / Washington Post, Dana Mattioli, Jessica Toonkel and Alex Leary / Wall Street Journal)

Related: Financial Times, Wired, Investor's Business Daily, AppleInsider, 9to5Mac, Yahoo Finance, Wall Street Journal, Associated Press, Bloomberg, Search Engine Land, Engadget, Reuters, The Block, NBC News, The Hill, GeekWire, New York Post, MacRumors, TechCrunch, Daily Mail, Capital Brief, Telegraph, Financial Express, HuffPost, Fox Business, Barron's Online, New York Sun, COINOTAG NEWS, TipRanks Financial, TMZ.com, iPhone in Canada Blog, The Wrap, Hypebeast, Motley Fool, Proactive, Dexerto, Mashable, PetaPixel, Anadolu Ajansı, …, masslive.com, Media Play News, Quartz, The Independent, BGR, Vanity Fair, Cord Cutters News, Watcher Guru, The US Sun, The Sun, The Post Millennial, Sherwood News, Reason, Just The News, Forexlive, The Verge, Las Vegas Review-Journal, CNBC, B&T, Mobilegamer.biz, Adweek, Deseret News

A heated discussion broke out at a local commission meeting in Hamilton County, TN, after county Mayor Weston Wamp said he was left in the dark about a possible data breach for weeks. He claimed other county officials received a notice before he did.

Hamilton County officials held a closed-door meeting over how a memo relating to that breach got leaked.

The breach affects the records of people who used Hamilton County emergency services. (Lily Butler / Newschannel9)

Related: Newschannel 9, Government Technology, Chattanooga Times Free Press, WDEF, Local3News, Teiss, The Chattanoogan

AI-powered data security company Cyberhaven announced it had raised $100M in a Series D venture funding round.

StepStone Group led the funding along with new investors Schroders and Industry Ventures. (Ryan Naraine / Security Week)

Related: Silicon Angle, BankInfoSecurity, KETK, Forbes, FinSMEs

Artificial intelligence cybersecurity company Adaptive Security announced it had raised $43 million in venture funding.

Andreessen Horowitz (a16z) and the OpenAI Startup Fund led the round. Additional participating investors include Abstract Ventures, Eniac Ventures, CrossBeam Ventures, and K5, along with executives from Google, Workday, Shopify, Plaid, Paxos, and others. (Laya Neelakandan / CNBC)

Related: SecurityWeek, Adaptive Security, CryptoSlate, SiliconANGLE, VC News Daily

Best Thing of the Day: The Good Old Days of Private Floppy Disks

An exhibition by the UK's Information Commissioner’s Office (ICO), which opened at Manchester Central Library this week, charts the evolution of data privacy through 40 items, including floppy disks, a Tesco club card, Amazon Alexa, and more.

Worst Thing of the Day: Dwindling Cyber Support for Ukraine

Growing political divides in Washington and shifting global priorities have raised concerns about sustained cybersecurity support for Ukraine. 

Closing Thought

Courtesy of @tomtomorrow.bsky.social
