More than 300 cyber criminals arrested in Africa
An international crackdown on cyber scams led to over 300 arrests across seven African countries, targeting criminals behind mobile banking, investment, and messaging app fraud. In the operation, dubbed Operation Red Card, authorities uncovered cross-border networks that defrauded over 5,000 victims. Nigeria alone arrested 130 suspects, including 113 foreign nationals. In South Africa, 40 individuals were caught running a SIM box fraud operation, while in Zambia, hackers using malicious links to steal banking data were taken down. Overall, the investigation led to the seizure of 26 vehicles, 16 houses, 39 plots of land and 685 devices.
(Interpol), (The Record), (Bleeping Computer)
23andMe bankruptcy puts millions of DNA records at risk
23andMe filed for bankruptcy on Monday, and many are asking what is going to happen to all of that personal information. Some have raised major concerns that its vast database of genetic data could be sold off to the highest bidder. While the company insists privacy protections will remain intact, court documents make it clear that all assets, including customer DNA records, are on the table. California's Attorney General issued a release ahead of the announcement urging users to delete their data immediately, warning that unlike passwords, genetic information is permanent. Instructions on how to delete that data can be found in today's show notes.
(The Record), (CyberScoop), (California Attorney General Release)
Ukraine’s state railway partially down after attack
A massive cyberattack on Ukraine's state railway, Ukrzaliznytsia, has disrupted online ticket sales, forcing passengers into long lines at ticket booths but not affecting train schedules. The company called the attack "systematic and multi-layered" and is working with Ukraine's security services to restore systems while testing for vulnerabilities. Officials have not yet attributed the attack to a specific group, and they are unsure when every system will be back up and operational.
(The Record), (Bleeping Computer)
China-linked APT hid in telecom network for years
China-linked APT group Weaver Ant spent over four years inside an Asian telecom provider's network, using compromised Zyxel routers to hide its traffic and infrastructure. Researchers at Sygnia uncovered the intrusion, which relied on web shell tunneling: chaining multiple web shells, including China Chopper and the custom-built INMemory, to move laterally and maintain persistence. The group exfiltrated credentials, access logs, and network configurations while evading detection through encryption, SMB lateral movement, and disabling security logs.
(Dark Reading), (Sygnia), (Bleeping Computer)
Huge thanks to our sponsor, ThreatLocker

NIST struggles to keep up
The National Institute of Standards and Technology (NIST) is struggling to clear a growing backlog of CVEs in the National Vulnerability Database (NVD), with a 32% increase in submissions last year exacerbating the issue. Despite maintaining its processing rate, the backlog continues to grow, and NIST anticipates even higher submission volumes in 2025. The delays are impacting organizations' ability to access timely vulnerability data, creating a gap between reported issues and actionable intelligence despite efforts to increase staff.
New ransomware group makes quick impact
A new ransomware-as-a-service, VanHelsingRaaS, launched earlier this month and has already caused significant damage. Within just two weeks the group compromised three victims, with ransom demands as high as $500,000. The service offers affiliates 80% of ransom payments, with a $5,000 deposit required for new users, and targets multiple platforms, including Windows, Linux, and ESXi. Despite its advanced features, the ransomware has some developmental flaws, like mismatched file extensions, and the group has one rule: do not encrypt systems in Commonwealth of Independent States (CIS) countries, a restriction common among criminal groups tied to Russia.
Next.js flaw allows attackers to bypass security checks
A critical vulnerability, CVE-2025-29927, has been discovered in the Next.js framework, allowing attackers to bypass authorization checks implemented in middleware by sending requests with a specific header. With more than 9 million weekly downloads, Next.js is a popular React framework on npm. The flaw impacts all versions prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5, and affects self-hosted instances using "next start" with "output: standalone." Users are urged to upgrade immediately, and those unable to patch should block external requests containing the "x-middleware-subrequest" header before they reach the Next.js server to prevent exploitation.
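The stop-gap described above, as an added example that is not from the original article and is not Vercel's or the Next.js project's own code: a small framework-agnostic pre-filter that rejects any inbound request carrying the x-middleware-subrequest header, meant to run in front of the Next.js process (an edge proxy or a Node wrapper) rather than inside the application's own middleware, since that middleware is the component being bypassed. The request and response objects, the hostname example.test, and the function names guard, carriesMiddlewareSubrequest, app and simulate are all assumptions made for this example; the filter acts on the presence of the header alone, which is all the recommendation requires.

```javascript
// Added example, not code from the original article or from the Next.js project.
// A pre-filter that drops any request carrying the x-middleware-subrequest header,
// the recommended stop-gap for deployments that cannot upgrade yet. The req/res
// shapes below mimic Node's http module so the same guard can wrap a real server.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when the request carries the header under any casing and with any value.
// Node lowercases header names already, but an edge proxy or test harness may not,
// so compare case-insensitively rather than trusting the shape of `headers`.
function carriesMiddlewareSubrequest(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}

// Wrap an existing (req, res) handler: blocked requests get a 400 and never reach
// the application; everything else is passed through unchanged.
function guard(handler) {
  return function guarded(req, res) {
    if (carriesMiddlewareSubrequest(req.headers)) {
      res.statusCode = 400;
      res.end('bad request');
      return { blocked: true, status: 400 };
    }
    return handler(req, res);
  };
}

// A stand-in for the real application handler (hypothetical): records that the
// request got through to the app.
function app(req, res) {
  res.statusCode = 200;
  res.end('ok');
  return { blocked: false, status: 200 };
}

// Constructed sample requests: ordinary traffic, the header in mixed case, and the
// lowercased form a Node server would actually see. The hostname is invented.
const sampleRequests = [
  { method: 'GET', url: '/dashboard', headers: { host: 'example.test', cookie: 'session=abc' } },
  { method: 'GET', url: '/dashboard', headers: { host: 'example.test', 'X-Middleware-Subrequest': 'middleware' } },
  { method: 'GET', url: '/admin', headers: { host: 'example.test', 'x-middleware-subrequest': 'middleware:middleware' } },
];

// Run the guard over the sample requests and return one outcome per request, so
// the behaviour can be checked without opening a socket.
function simulate(requests = sampleRequests) {
  const guarded = guard(app);
  return requests.map((req) => {
    const res = { statusCode: 0, body: '', end(body) { this.body = body; } };
    const outcome = guarded(req, res);
    return { url: req.url, status: res.statusCode, blocked: outcome.blocked };
  });
}

// For a real deployment the same guard wraps the server's request listener,
// e.g. http.createServer(guard(forwardToNext)).listen(3000), where forwardToNext
// is whatever proxies to the Next.js process (not shown here).
console.log(JSON.stringify(simulate(), null, 2));
```

Wherever this runs, it has to be the first thing that sees external traffic; a check placed inside Next.js middleware would itself be subject to the bypass. Blocking on presence rather than on a particular value avoids having to reproduce the header's internal format, and legitimate clients never send it.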
Snowflake attack suspect to stand trial in U.S.
Canadian citizen Connor Moucka has agreed to extradition to the U.S. to face 20 federal charges for his alleged role in the massive Snowflake attacks that compromised data from 165 companies. Prosecutors say Moucka, along with co-conspirators John Binns and Cameron Wagenius, extorted victims for $2.5 million and are linked to “The Com,” a cybercrime network involved in extortion and violence. The official timeline for Moucka’s extradition remains unclear.