Coinbase Insider Breach: Bribed Support Agents Compromise User Data and Trigger $20M Extortion Attempt
In May 2025, Coinbase, a leading U.S.-based cryptocurrency exchange, disclosed a significant security breach involving the compromise of sensitive customer data. The breach was orchestrated by cybercriminals who bribed overseas customer support agents, particularly in India, to illicitly access and extract user information. This insider threat affected approximately 69,461 individuals, representing less than 1% of Coinbase's monthly transacting users.
The stolen data included names, contact details, masked Social Security numbers, bank account identifiers, government-issued ID images, and account transaction histories. Notably, no passwords, private keys, or funds were compromised, and Coinbase Prime accounts remained unaffected.
The attackers attempted to extort $20 million from Coinbase, threatening to release the stolen data. Coinbase refused to pay the ransom and instead offered a $20 million reward for information leading to the perpetrators' arrest. The company has since terminated the involved support agents and implemented enhanced security measures, including stricter ID verification processes and the establishment of a new U.S.-based support hub. Financially, the breach is projected to cost Coinbase between $180 million and $400 million in remediation and customer reimbursements. This incident underscores the vulnerabilities associated with outsourcing customer support and highlights the importance of robust insider threat detection mechanisms.
https://thehackernews.com/2025/05/coinbase-agents-bribed-data-of-1-users.html
International Operation Dismantles €3M Online Trading Scam
In a major international cybercrime takedown in May 2025, law enforcement agencies from Germany, Cyprus, Albania, the United Kingdom, and Israel—coordinated by Europol and Eurojust—dismantled a large-scale fraudulent trading platform that defrauded hundreds of victims across Europe. The scam, which promised lucrative returns through online investment services, manipulated users by showing fabricated profit graphs and high-performing dashboards designed to appear legitimate and trustworthy.
The criminal enterprise operated by gaining the confidence of unsuspecting investors, typically individuals with little experience in financial trading. Victims were convinced to deposit money into the platform under the pretense of investing in foreign exchange and cryptocurrency markets. As they saw what appeared to be steady profits, they were persuaded to invest larger amounts—sometimes their life savings. However, none of the deposits were actually invested. The platform's backend was entirely fictitious, and the so-called returns were part of an elaborate illusion.
The case began when a German couple reported losing their savings to the platform, triggering a broader investigation. Authorities uncovered a sophisticated network of scammers operating from multiple jurisdictions, complete with call centers, fake company fronts, and digital infrastructure designed to support the fraudulent platform. Police conducted multiple coordinated raids across different countries, leading to several arrests, asset seizures, and the dismantling of the platform's technical infrastructure.
Over €3 million in victim losses have been confirmed so far, though investigators suspect the total impact could be significantly higher due to underreporting and the scale of the operation. The success of the operation highlights the evolving complexity of online fraud schemes and the growing importance of cross-border law enforcement collaboration in tackling cyber-enabled financial crime.
This case serves as a stark reminder of the vulnerabilities facing individuals who engage in online investment platforms, especially those outside regulated financial ecosystems. It also reinforces the need for enhanced public awareness, stronger international cooperation, and improved regulation to mitigate the growing threat of tech-enabled fraud.
https://hackread.com/police-shut-down-fake-trading-platform-scammed-users/
North Korean Operatives Infiltrate U.S. Tech Sector, Diverting $88 Million via Remote Work Fraud
In a sophisticated cyber-espionage campaign spanning six years, North Korean operatives infiltrated the U.S. tech industry by posing as remote IT workers, siphoning off at least $88 million to fund the regime's weapons programs. The U.S. Department of Justice indicted 14 North Korean nationals in December 2024 for their roles in this elaborate scheme. These individuals secured employment at American companies and non-profits using stolen or fabricated identities, often facilitated by fake companies like “Baby Box Info,” “Helix US,” and “Cubix Tech US” that provided fraudulent references and resumes.
Security firm Flashpoint's investigation revealed that the operatives utilised advanced tactics, including deepfake identities, proxy servers, and pseudonymous online accounts, to mask their true origins. They also employed "laptop farms"—networks of devices managed by U.S.-based collaborators—to appear as legitimate domestic workers. One infected computer in Lahore, Pakistan, contained login credentials and browser histories indicating extensive use of Google Translate between English and Korean, hinting at the operatives' origins. Translated messages exposed their methods for creating fake job references and avoiding webcam use during online meetings.
Beyond collecting salaries, these fake IT workers allegedly stole sensitive data, including proprietary source code, and in some cases, extorted their employers by threatening to release the stolen information unless payments were made. The U.S. Treasury has since sanctioned individuals and entities involved in the scheme, emphasising the need for heightened vigilance in remote hiring practices to prevent such infiltrations.
This case underscores the vulnerabilities in remote work environments and the lengths to which state-sponsored actors will go to circumvent international sanctions and fund illicit activities. Companies are urged to implement rigorous identity verification processes and remain alert to potential insider threats.
https://hackread.com/north-korean-hackers-stole-88m-posing-us-tech-workers/
Cetus Protocol Breach: $223 Million DeFi Heist Exposes Smart Contract Vulnerabilities
On May 22, 2025, Cetus Protocol, a decentralised exchange (DEX) operating on the Sui and Aptos blockchains, suffered a significant security breach resulting in the theft of approximately $223 million in digital assets. The attacker exploited a vulnerability in the platform's smart contract, specifically within its liquidity pool mechanisms. By manipulating the pool's tick and liquidity parameters, the hacker was able to drain token reserves across multiple iterations of the exploit.
The breach was facilitated by flaws in an open-source library used by Cetus, which allowed the attacker to manipulate price data and execute unauthorised withdrawals. After the theft, the stolen funds were converted from USDT to USDC and bridged to the Ethereum blockchain, where they were further swapped for Ethereum (ETH).
In response, Cetus promptly paused its smart contracts to prevent further losses and initiated an investigation in collaboration with the Sui Foundation and other ecosystem partners. The platform successfully froze approximately $162 million of the stolen assets and has offered a "whitehat settlement," allowing the attacker to retain $6 million as a bounty if the remaining funds are returned.
https://therecord.media/decentralized-crypto-platform-cetus-theft
Commvault M365 Breach Signals Broader SaaS Vulnerabilities Amid Nation-State Cyber Threats
In May 2025, Commvault, a prominent data protection and backup provider, disclosed a significant security breach involving its Metallic SaaS platform, which operates on Microsoft Azure. The breach exploited a zero-day vulnerability (CVE-2025-3928) in Commvault's web server, allowing state-sponsored threat actors to access client secrets and potentially infiltrate customers' Microsoft 365 (M365) environments. This vulnerability affected both Windows and Linux versions of the platform, prompting Commvault to release patches and rotate compromised credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expressed concerns that this incident may be part of a larger campaign targeting various SaaS companies' cloud applications, especially those with default configurations and elevated permissions. While specific details about other targeted applications remain undisclosed, CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog and mandated that affected federal agencies implement necessary updates within three weeks.
This breach underscores the critical importance of securing SaaS platforms against sophisticated cyber threats. Organisations are urged to review the permissions granted to their SaaS application registrations (particularly default configurations that carry elevated permissions), monitor audit logs for unexpected use of application credentials, rotate any client secrets that may have been exposed, and apply the vendor patches for CVE-2025-3928.
https://thecyberexpress.com/commvault-m365-threat-broader-saas-campaign/
Fake AI Video Tool Ads on Facebook and LinkedIn Spread Infostealers
In a sophisticated cyber campaign uncovered in May 2025, the Vietnam-based group UNC6032 exploited the growing interest in AI tools by distributing malicious ads on Facebook and LinkedIn. These ads impersonated legitimate AI video generators like Luma AI and Canva Dream Lab, directing users to fraudulent websites that mimicked real AI services. Upon interacting with these sites, users were prompted to download files disguised as video outputs, which instead contained malware.
The primary malware deployed, known as STARKVEIL, is a complex program written in Rust. It displays fake error messages to trick users into reopening the program, subsequently installing additional malicious tools such as XWORM, FROSTRIFT backdoors, and the GRIMPULL downloader. These tools enable attackers to steal sensitive information, including login credentials, cookies, and credit card data, and can grant remote access to the victim's system.
Mandiant researchers identified over 30 fake websites associated with this campaign, which collectively reached millions of users through thousands of ads. The attackers continuously rotated domains and created new ads daily to evade detection. This campaign underscores the importance of verifying the authenticity of AI tools and exercising caution when encountering unsolicited ads, especially those offering free or trial versions of popular software.
https://hackread.com/fake-ai-video-tool-ads-facebook-linkedin-infostealers/
Figure: Threat actors targeting financial entities in May 2025
Figure: Ransomware vs Finance (last three months)