
BrianKrebs
@briankrebs@infosec.exchange

New, from me: Who Got Arrested in the Raid on the XSS Crime Forum?

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle "Toha." Here's a deep dive on what's knowable about Toha, and a short stab at who got nabbed.

https://krebsonsecurity.com/2025/08/who-got-arrested-in-the-raid-on-the-xss-crime-forum/

BrianKrebs
@briankrebs@infosec.exchange

WaPo reports Edward "Big Balls" Coristine was injured in a carjacking. Trump and Musk are using the incident to float the idea of taking federal control over Washington, D.C.

https://www.washingtonpost.com/dc-md-va/2025/08/05/trump-doge-worker-washington-dc-crime/

BrianKrebs
@briankrebs@infosec.exchange

New, from me:

Scammers Unleash Flood of Slick Online Gaming Sites

Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.

...The gaming sites all require users to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action. At the scam website gamblerbeast[.]com, for example, visitors can pick from dozens of games like B-Ball Blitz, in which you play a basketball pro who is taking shots from the free throw line against a single opponent, and you bet on your ability to sink each shot.

The financial part of this scam begins when users try to cash out any "winnings." At that point, the gaming site will reject the request and prompt the user to make a "verification deposit" of cryptocurrency — typically around $100 — before any money can be distributed. Those who deposit cryptocurrency funds are soon asked for additional payments.

https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-gaming-sites/

Here's what some of these scam gambling (scambling?) sites look like. They're pretty polished.

https://www.youtube.com/watch?v=lNjqXIq1s5g

BrianKrebs
@briankrebs@infosec.exchange

New, by me: A Dark Adtech Empire Fed by Fake CAPTCHAs

Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.

https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/

BrianKrebs
@briankrebs@infosec.exchange

I learned a lot writing this, and there is a lot more here to pick at.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).

"...A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider Hurricane Electric — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.

Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T's terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T's is AS7018).

https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/

BrianKrebs
@briankrebs@infosec.exchange

Today's story: U.S. Sanctions Cloud Provider 'Funnull' as Top Source of 'Pig Butchering' Scams

The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as "pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.

The Treasury Department said Funnull’s operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans.

KrebsOnSecurity’s January story on Funnull was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group Lazarus.

Silent Push revisited Funnull’s infrastructure in January 2025 and found Funnull was still using many of the same Amazon and Microsoft cloud Internet addresses identified as malicious in its October report. Both Amazon and Microsoft pledged to rid their networks of Funnull’s presence following that story, but according to Silent Push’s Zach Edwards only one of those companies has followed through.

https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-top-source-of-pig-butchering-scams/

BrianKrebs
@briankrebs@infosec.exchange

Oh yay. Our dystopian AI agentic future is now at 4.0

https://news.ycombinator.com/item?id=44063703

For a clue at how new agentic AI is for most noobs (including me), agentic is not even technically a globally accepted word yet AFAICT.

BrianKrebs
@briankrebs@infosec.exchange

I'm pretty sure Mastodon is the first social network I've been on that didn't immediately ask me to betray all of the people in my address book.