Ex-Amazon Engineer Sentenced to Three Years for Stealing Millions in Cryptocurrency

Credential stuffing attack hits 576K Roku accounts, Dutch chip giant Nexperia hit by ransomware attack, Hamas cyber official sanctioned by US Treasury Dept., Iranian group claims breach of Israel's radar systems, Hive RAT seller charged in US and co-defendant arrested in Australia, Threat actor leaks 2.8m Giant Tiger customer records, Hunters International linked to Hoya's ransomware attack, FBI warns of unpaid tolls smishing, much more

A US District Court judge ordered Shakeeb Ahmed, a former Amazon.com software engineer who admitted to stealing millions of dollars in cryptocurrency by hacking two decentralized finance platforms, to spend three years behind bars.

Ahmed pleaded guilty in December to taking advantage of flaws in the DeFi platforms’ so-called smart contracts to insert fake pricing data, generating about $12 million of inflated and unearned profits that he was able to withdraw in cryptocurrency.

One of the platforms Ahmed hacked wasn’t identified by prosecutors but appears to be Crema Finance, based on details in the indictment. The other was Nirvana Finance, which shut down shortly after Ahmed’s July 2022 hack.

Prosecutors had recommended a sentence of four years in prison for what they said was a “first-of-its-kind” conviction for hacking smart contracts. They noted Ahmed’s acceptance of responsibility and that he surrendered most of his ill-gotten gains but said incarceration was warranted because of the seriousness of his crimes and to deter others.

Lawyers for Ahmed, an immigrant from Saudi Arabia, had sought a sentence of probation, saying his two hacks took place when his mental health was poor. They noted that he hadn’t spent the stolen funds except to pay for a sibling’s medical procedure.

Ahmed told the judge he was “filled with shame and disappointment” for his actions, though he also downplayed their seriousness. (Chris Dolmetsch / Bloomberg)

Streaming video platform Roku said it uncovered a new credential stuffing attack impacting 576,000 accounts.

The company said it discovered the attack while investigating last month’s security breach, in which 15,000 accounts were compromised.

“After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information,” Roku said. “Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.”

“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information,” the Roku statement continued.

The company says it has reset the passwords for the impacted accounts, alerted the owners about the breach, and turned on two-factor authentication for all accounts. (Alex Weprin / Hollywood Reporter)

Dutch chipmaker Nexperia, owned by Shanghai-listed Wingtech Technology Co., said it had been hit with a ransomware attack, with the attackers, a relatively new group known as the Dunghill group, now threatening to publish its most sensitive customer information if a ransom is not paid.

Hundreds of gigabytes of sensitive material, including trade secrets, chip designs, and hundreds of folders with customer data from SpaceX, Apple, and Huawei, among others, were stolen during the incident.

As proof, the criminals have published dozens of these confidential documents on the dark web, the hidden part of the internet. This includes internal emails and the passport of a former senior vice president of the company. RTL News has verified these documents.

The Dunghill group calls itself “an international team of technical specialists who conduct research in the field of information security.” It says its primary goal is to make the world a safer place. "Yes, security costs money and so does our time. That is why we offer our services for a fee," the criminals write.

Nexperia reported the incident to the police and the Dutch Data Protection Authority: "We took immediate action and disconnected the systems involved. Together with our external cybersecurity expert Fox-IT, Nexperia continues to investigate the full scope and impact of the matter." (Daniel Verlaan / RTL Nieuws)

The US Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions on Hudhayfa Samir Abdallah al-Kahlut, also known as Abu Ubaida, a Hamas official they believe leads “the cyber influence department” of the organization’s military wing in Gaza.

US officials claimed al-Kahlut has been involved in “procuring servers and domains in Iran to host the official al-Qassam Brigades website in cooperation with Iranian institutions.”

He has served as public spokesperson for the Izz al-Din al-Qassam Brigades since at least 2007. The Treasury Department said al-Kahlut has publicly threatened to execute civilian hostages kidnapped during the October 7 terrorist attacks in Israel.

Brian Nelson, undersecretary of the Treasury for terrorism and financial intelligence, said the sanctions are designed to disrupt Hamas’ ability to conduct attacks both through cyberwarfare and the production of unmanned aerial vehicles (UAV).

“Treasury, in coordination with our allies and partners, will continue to target Hamas’s facilitation networks wherever they operate, including in the cyber domain,” he said in a statement.

The sanctions include two other officials allegedly involved in the production of mortars, mobile launchers for Grad rockets and UAVs. The European Union also announced sanctions against Hamas and several related entities. (Jonathan Greig / The Record)

An Iranian cyber group named Handala claims to have breached Israel's radar systems and sent hundreds of thousands of threatening text messages to Israeli citizens.

The group alleged it infiltrated the radar systems and dispatched 500,000 text messages to Israeli citizens. "You have only a few hours to fix the systems," the message warned.

In the wake of escalating tensions over a potential Iranian attack, Handala publicized a statement on social networks asserting that it had penetrated Israel's radar defenses. The announcement, shared via Telegram, was scant on details but touted the operation as a significant success that could undermine Israel's national security. "You have only a few hours to repair the radar systems," the attackers reiterated in their message.

"People will pay for the crimes and foolishness of your leaders. There is no doubt that your leaders will regret these foolish ventures. Evacuate the cities; perhaps you will see less damage!" the message stated. "Do not hesitate and do not sleep; the chance to escape is less than ten seconds, and perhaps your city will be chosen."

The attackers' claims remain unverified by official Israeli sources. (Yinon Ben Shoshan / Jerusalem Post)

Related: Cyber Daily

Federal authorities announced the arrest of Edmond Chakhmakhchyan, a Van Nuys man who allegedly schemed to market and sell the Hive remote access trojan, a malware tool initially marketed as Firebird that gave purchasers control over victims’ computers and access to their private communications, login credentials, and other personal information.

The indictment charges Chakhmakhchyan, who allegedly used the screen name Corruption, with one count of conspiracy to advertise a device as an interception device, to transmit code to intentionally cause damage to a protected computer, and to intentionally access a computer to obtain information, as well as one count of advertising a device as an interception device. Each count carries a maximum sentence of five years in federal prison.

The indictment alleges an agreement between the malware’s creator and Chakhmakhchyan in which the defendant allegedly posted ads for the Hive remote access trojan, or RAT, on the Hack Forums website, accepted Bitcoin payments for licenses to use the Hive RAT and provided customer service to those who purchased the licenses.

Customers purchasing the malware would transmit Hive RAT to protected computers and gain unauthorized control over and access to those devices, allowing the RAT purchaser to close or disable programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets, all without the victims’ knowledge or permission, according to the indictment.

Chakhmakhchyan allegedly began working with the creator of the Hive RAT, previously known as “Firebird,” about four years ago and advertised the RAT’s many features online. Chakhmakhchyan allegedly also sold a license for the Hive RAT to an undercover law enforcement agency employee.

He pleaded not guilty to charges contained in a two-count indictment and was ordered back to court on June 4. His bond was set at $70,000.

The Australian Federal Police (AFP) said an Australian man was arrested as a co-defendant in the operation, stemming from the same law enforcement investigation that caught Chakhmakhchyan. The Australian man has been charged with twelve counts of computer offenses. (Los Angeles Daily News and AFP)

Following a disastrous ransomware attack by the ALPHV/Blackcat group on Change Healthcare, RansomHub, a relatively new ransomware group, has posted to its dark website that it has four terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom.

Despite some assessments that RansomHub might be ALPHV in a new guise, the group says it is not affiliated with ALPHV and “can’t say” how much it’s demanding as a ransom payment.

A representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED.

Some cybersecurity experts believe the data obtained by RansomHub is real. RansomHub has claimed that data stolen during the original attack “remains with the affiliate,” meaning that ALPHV itself never directly held the data. (Andy Greenberg and Matt Burgess / Wired)

Related: CPO Magazine

Canadian retail chain Giant Tiger disclosed a data breach in March 2024, with a threat actor now publicly claiming responsibility for the breach and leaking 2.8 million records on a hacker forum that they claim are of Giant Tiger customers.

The threat actor claims to have uploaded the "full" database of Giant Tiger customer records stolen in March 2024. "In March 2024, the Canadian discount store chain Giant Tiger Stores Limited... suffered a data breach that exposed over 2.8 million clients," the threat actor said.

The data set has been leaked essentially for free. Although the download link to the set has to be unlocked by spending "8 credits," such credits are typically trivially generated by forum members by, for example, commenting on existing posts or contributing new posts.

"On March 4, 2024, Giant Tiger became aware of security concerns related to a third-party vendor we use to manage customer communications and engagement," a Giant Tiger spokesperson said.

"We determined that contact information belonging to certain Giant Tiger customers was obtained without authorization. We sent notices to all relevant customers informing them of the situation."

As of April 12th, the leaked data set has been added to the "Have I Been Pwned?" database. (Ax Sharma / Bleeping Computer)

The cybercrime group Hunters International appears to be behind the recent cyberattack on Japan’s leading eyeglass lens maker, Hoya Corporation, and is demanding a $10 million ransom for a file decryptor and for not releasing files stolen during the attack.

Hoya disclosed a cyberattack earlier this month that impacted production and order processing, with several of its business divisions experiencing IT outages.

Although the group has not yet publicly claimed responsibility for this attack, parties with knowledge of the case say a ransom of $10 million was initially demanded, and the cybercriminals claimed to have stolen more than 1.7 million files totaling 2 TB of data. (Valéry Rieß-Marchive / LeMagIT)

Source: LeMagIT.

In a public service announcement, the US Federal Bureau of Investigation warned of a massive ongoing wave of SMS phishing attacks targeting Americans with lures regarding unpaid road toll fees.

These attacks started last month, and the federal law enforcement agency says thousands of people have already reported that the scammers have targeted them.

"Since early-March 2024, the FBI Internet Crime Complaint Center (IC3) has received over 2,000 complaints reporting smishing texts representing road toll collection service from at least three states," the FBI said.

According to the FBI, the malicious text messages contain almost identical language and claim the recipient owes money for unpaid tolls. For instance, all reports mention the attackers using "outstanding toll amount" to trick the targets into clicking an embedded hyperlink.

"However, the link provided within the text is created to impersonate the state's toll service name, and phone numbers appear to change between states," the FBI said.

Pennsylvania Turnpike, one of the road toll services whose customers were targeted in these attacks, cautioned those receiving the phishing messages not to tap the links.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike's toll services. If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text," the service said on Monday.

"BE AWARE: We have received multiple concerns regarding the attached scam text message in our area. This link will send you to a fake Turnpike website and collect your information!" the Pennsylvania State Police also warned.

While the FBI did not mention E-ZPass (a toll collection system used across Eastern, Midwestern, and Southern United States) in its PSA, the threat actors have also been targeting E-ZPass customers since March. (Sergiu Gatlan / Bleeping Computer)

A probe into abuse of power and dereliction of duty that began on March 18 has now led Polish prosecutors to build a case against current and former government officials believed to have deployed powerful commercial spyware against opposition party members and their allies.

Prosecutors have asked 31 victims they believe were likely targeted by Pegasus spyware to share their stories. Senior government officials have said the investigation could lead to arrests.

In September, Poland's Senate released the results of a special commission’s probe into the spyware’s usage, paying particular attention to the hack of an opposition politician in 2019, describing "gross violations of constitutional standards.”

The commission revealed at the time that it had alerted prosecutors to the potential for criminal charges against former and current Polish ministers for using or abetting the use of spyware.

Current Polish President Andrzej Duda, who has held the office since 2015, is a former PiS member who is thought to remain loyal to the party. However, the country has elected Donald Tusk, the leader of a different and more centrist party, as its new prime minister.

Tusk, who became prime minister in December, said in February that he could prove state authorities used the powerful spyware to monitor a “very long” list of individuals.

According to local news reporting at the time, the prime minister also revealed that he had found documents that “confirm 100%” the prior administration illegally used Pegasus. (Suzanne Smalley / The Record)

Customers of Delinea Secret Server Cloud (formerly Thycotic Secret Server) experienced a mysterious outage on Friday due to a “security incident” noted on the service’s status page.

Delinea Secret Server Cloud is a privileged access management product that allows the storage and rotation of credentials. Its competitors include CyberArk.

The outage was prompted by a blog post that security engineer Johnny Yu published on Wednesday.

The company said it became aware of a critical vulnerability in the Secret Server SOAP API, which could allow an attacker to bypass authentication, and published indicators of compromise related to the incident.

On Saturday, the company dealt with the situation by blocking SOAP endpoints for Secret Server Cloud customers until it could patch the cloud service, which it did on the same day.

Delinea says they believe no customer data was impacted. (Kevin Beaumont / DoublePulsar)

Yevhenii Panchenko, the chief of the division of the Cyberpolice Department of the National Police of Ukraine, offered details of and insights into how his group operates and its shift in focus and priorities since the start of Russia’s war against the country.

During a talk at the Chainalysis LINKS conference, Panchenko said that the Cyberpolice comprises around a thousand employees, of which about forty track crypto-related crimes. The Cyberpolice’s responsibility is to combat “all manifestations of cybercrime in cyberspace,” said Panchenko. But after the war started, he said, “We were also responsible for the active struggle against the aggression in cyberspace.”

In a wide-ranging interview with TechCrunch, Panchenko said that some of his group’s responsibilities since the war began include tracking what war crimes Russian soldiers are committing in the country, which they sometimes post on social media; monitoring the flow of cryptocurrency funding the war; exposing disinformation campaigns; investigating ransomware attacks; and training citizens on good cybersecurity practices. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Chainalysis

As part of its first subscription service, Privacy Pro, privacy-oriented browser DuckDuckGo launched a new browser-based tool that automatically scans data broker websites for users' names and addresses and requests that they be removed.

Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will request that information be removed and then continually check if new records have been added, Weinberg says.

Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. (Matt Burgess / Wired)

Source: DuckDuckGo.

Academic researchers at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals and discovered that 96 percent of their websites transmitted user data to third parties, frequently using tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties.

Additionally, not all of these websites even had a privacy policy. Of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers. (Jessica Lyons / The Register)

According to someone familiar with the deal, Noname Security, a cybersecurity startup that protects APIs, is in advanced talks with Akamai Technologies to sell itself for $500 million.

While the potential deal price is half that of Noname’s last private valuation, those who invested at the early stage will receive a meaningful return from the sale. Meanwhile, the deal should allow the later-stage investors, particularly those who invested in the last round, to get a full return on the capital they put in, if not the profit they hoped for during those heady days of 2021 when money was flowing and valuations were optimistic.

The person said the deal values the company at about 15X annual recurring revenue. Noname’s approximately 200 employees are expected to transition to Akamai if the sale closes. (Marina Temkin / TechCrunch)

Best Thing of the Day: More Proof That Cats Are Creatures From Outer Space

A senior engineering manager at Credit Karma was alerted to a DDoS attack by his cat, whose unusually timed bout of grooming woke him at 3 am.

Worst Thing of the Day: Talking the Talk But Not Walking the Walk

Despite touting herself as a champion of internet privacy, Senator Maria Cantwell (D-WA) has repeatedly upended negotiations on national privacy legislation.
