
Yesterday, 8 May 2026 (main stream)
  • Cybersecurity News
  • North Korean “Laptop Farms” Infiltrated 70 U.S. Companies, by Ddos
    The post appeared first on Daily CyberSecurity. Related posts: Infiltrating the Infiltrators: Inside the Florida “Laptop Farm” and the DPRK’s Failed Strike on a Cyber Firm; The “Laptop Farm” Fallout: Two NJ Men Sentenced for Facilitating $5M North Korean Work Scheme; DOJ Dismantles North Korean IT Job Scam: Stolen Identities & Laundering Funded DPRK Weapons.
Before yesterday (main stream)
  • Firewall Daily – The Cyber Express
  • FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms, by Samiksha Jain

FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms


The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo. The agency said these attacks have been ongoing since at least 2024 and are now becoming more sophisticated and widespread. Losses linked to cyber-enabled cargo theft have surged significantly. In 2025, estimated cargo theft losses in the United States and Canada reached nearly $725 million, marking a 60 percent increase from the previous year. Confirmed incidents rose by 18 percent, while the average value per theft increased by 36 percent to $273,990, reflecting a shift toward more targeted, high-value shipments.

How Cyber-Enabled Cargo Theft Works

The FBI outlined a structured, multi-step process used in cyber-enabled cargo theft schemes.

Attackers begin by compromising the accounts of brokers and carriers through phishing: spoofed emails, fake websites, and malicious links. Victims receive emails posing as legitimate business communications, such as carrier agreements or service complaints, with links to phishing sites that mimic trusted platforms. Once visited, these sites deploy malware or remote monitoring tools, giving the attackers control of the victim’s systems without detection.

After gaining access, the criminals exploit online freight marketplaces known as load boards. They impersonate legitimate brokers or carriers and post fake shipment listings, sometimes in large volumes. Carriers that bid on these listings are compromised in turn through fraudulent agreements or malicious downloads.

In the next stage, the attackers use the compromised accounts to accept real shipment contracts. They then engage in illegal double-brokering, rerouting freight to unintended locations. Shipment documents, including bills of lading, are manipulated and delivery destinations are altered without the knowledge of the original parties.

The final stage is physical diversion of the cargo. Goods are transferred through cross-docking or transloading to other drivers, often complicit, and stolen for resale. In some cases the attackers demand a ransom in exchange for information about the shipment’s location.

[Image: cyber-enabled cargo theft. Source: https://www.ic3.gov/]

Indicators of Cyber-Enabled Cargo Theft

The FBI has identified several warning signs that may indicate a cyber-enabled cargo theft attempt. These include unexpected communications regarding shipments made in a company’s name, spoofed email domains, and requests to download documents from suspicious links. Other indicators include emails referencing negative service reviews with embedded links, unauthorized changes to email account settings, and slight variations in domain names designed to mimic legitimate organisations. Attackers may also use temporary or internet-based phone numbers to communicate with victims. These tactics are designed to create a sense of urgency or legitimacy, increasing the likelihood that employees will engage with malicious content.

Steps to Prevent Theft

To reduce the risk of cyber-enabled cargo theft, the FBI is urging organisations to adopt stronger verification and security practices. Companies are advised to independently confirm shipment requests using multiple communication channels before releasing goods. The agency recommends implementing multi-layer verification processes and not relying solely on familiar names or email addresses. Businesses should also maintain detailed records of all transactions, including driver identification, vehicle details, and communication logs, to support investigations if needed. Recognising phishing attempts and avoiding interaction with suspicious links remain critical preventive measures.

Reporting Theft Incidents

The FBI has encouraged victims of cyber-enabled cargo theft to report incidents promptly. In addition to contacting local law enforcement, affected organisations should file complaints with the Internet Crime Complaint Center (IC3) or reach out to their nearest FBI field office. The agency said timely reporting can help identify patterns, disrupt criminal networks, and prevent further losses across the logistics sector.
  • Security Boulevard
  • FBI Links Cybercriminals to Sharp Surge in Cargo Theft Attacks, by Evan Rowe

FBI Links Cybercriminals to Sharp Surge in Cargo Theft Attacks

3 May 2026, 03:14

What happened The FBI issued a public service announcement on April 30, 2026, warning the US transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. That represents a 60% increase over the prior year. Confirmed cargo theft […]

Originally published on CISO Whisperer; syndicated on Security Boulevard.

  • Security Affairs
  • Digital attacks drive a new wave of cargo theft, FBI says, by Pierluigi Paganini

Digital attacks drive a new wave of cargo theft, FBI says

1 May 2026, 12:14

The FBI warns of rising cyber cargo theft, with hackers targeting brokers and carriers. Experts say digital attacks are replacing traditional cargo theft.

The FBI has issued a Public Service Announcement (PSA) about a surge in cyber-enabled cargo theft, with hackers increasingly targeting brokers and carriers. This trend confirms earlier findings from Proofpoint and alerts from the NMFTA, which noted that traditional cargo theft is being replaced by more sophisticated, digital attacks across the logistics sector.

“The Federal Bureau of Investigation is publishing this Public Service Announcement (PSA) to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to impersonate legitimate businesses to hijack freight, steal high-value shipments, and reroute deliveries, resulting in a surge of strategic cargo theft,” reads the FBI’s PSA.

Crooks are increasingly targeting the U.S. transportation and logistics sector, including brokers and carriers. Since 2024, attackers have used phishing emails, fake websites, and compromised accounts to gain access to systems. They impersonate legitimate companies and post fake load listings to trick victims into handing over goods, which are then diverted and resold.

“Since at least 2024, cyber threat actors have gained unauthorized access to the computer systems of brokers and carriers — typically via spoofed emails, fake URLs, and compromised carrier accounts,” the announcement continues. “The cyber actors pose as victim companies and post fraudulent listings on load boards to deceive shippers, brokers, and carriers into handing over goods, which are redirected from their intended destination and stolen for resale.”

In 2025, cargo theft losses in the U.S. and Canada reached nearly $725 million, up 60% from 2024. Incidents rose 18%, while the average loss per theft increased 36% to $273,990, reflecting a shift toward fewer but higher-value targets.

Cyber-enabled cargo theft follows a structured, multi-step scheme. Attackers first compromise broker or carrier accounts using phishing emails and fake links that install remote access tools. With control of these systems, they impersonate companies and post fake loads on trucking platforms, tricking legitimate carriers into engaging and sometimes infecting them too.

Next, criminals pose as trusted carriers to accept real shipments, then “double-broker” them to unsuspecting drivers while altering documents and delivery details. They may even update official records to appear legitimate.

Finally, the cargo gets redirected, transferred to complicit drivers, and stolen for resale. In some cases, attackers demand ransom to reveal shipment details or location.

The PSA includes indicators to spot cyber-enabled cargo theft attacks. These include unexpected contacts about shipments made in their name without authorization, and emails that mimic real domains but use free providers or slight variations. Messages may push users to click shortened or spoofed links, often tied to fake complaints or documents that deliver malware.

Other red flags include new or suspicious mailbox rules, such as auto-forwarding or deletion. Attackers also use altered email addresses with small changes or added titles. Communication often comes via email or short-lived VoIP phone numbers, sometimes linked to overseas activity.

To prevent cargo theft, businesses should verify shipments using independent and multiple channels before releasing goods. Do not trust names or emails alone—confirm requests with additional authentication. Keep detailed records of drivers, vehicles, and transactions to support investigations and reduce fraud risks.
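A screening routine for the e-mail indicators the PSA lists, as summarised both here and in the Cyber Express write-up earlier on this page: sender domains that mimic a partner’s with a small variation or a swapped top-level domain, business requests sent from free webmail providers, and newly created mailbox rules that forward or hide mail. This is an added example and is not code from the FBI, the PSA, or either article; the partner domains, sender addresses and rule events are constructed sample data, the rule-event schema is hypothetical, and the edit-distance threshold of two is an assumption.

```python
"""Screen freight-related e-mail for the sender and mailbox-rule indicators
the FBI PSA lists.  Added example; every domain, address and event below is
constructed sample data, not taken from a real incident."""
from dataclasses import dataclass

# Constructed: the broker's own domain plus the carriers it actually contracts with.
TRUSTED_DOMAINS = {"acmefreight.com", "bluelinecarriers.com", "northstarlogistics.com"}

# A "partner" writing from a free webmail account is one of the PSA's red flags.
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "proton.me"}

# Assumption: a registrable label within two edits of a partner's name is a lookalike
# (acme-freight, acmefre1ght, acmefreigth ...).  Short names are skipped to limit noise.
MAX_EDITS = 2
MIN_NAME_LEN = 6


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str):
    """Return (verdict, reason) for one From: address.

    verdict is 'ok', 'suspicious' (free provider), 'lookalike' (mimics a partner)
    or 'unknown' (not a partner at all; verify out of band)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(">")
    if domain in TRUSTED_DOMAINS:
        return "ok", "known partner domain"
    if domain in FREE_PROVIDERS:
        return "suspicious", "free mail provider used for a business request"
    labels = domain.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]  # registrable label
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name = trusted.split(".")[0]
        if name == t_name:
            return "lookalike", f"{trusted} with a different top-level domain"
        if t_name in labels[:-2]:
            return "lookalike", f"{trusted} used as a subdomain of {domain}"
        if len(t_name) >= MIN_NAME_LEN and levenshtein(name, t_name) <= MAX_EDITS:
            return "lookalike", f"{levenshtein(name, t_name)} edit(s) away from {trusted}"
    return "unknown", "not a partner domain; confirm through a second channel"


@dataclass
class RuleEvent:
    """Hypothetical audit-log shape for a new inbox rule; map it from your mail platform."""
    mailbox: str
    action: str   # forward | redirect | delete | move
    target: str   # forwarding address or destination folder


# Folders attackers use to hide mail from the owner; "RSS Feeds" is a classic BEC choice.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive", "junk email"}


def review_rule(event: RuleEvent):
    """Findings for one rule-creation event (empty list means nothing notable)."""
    findings = []
    if event.action in ("forward", "redirect"):
        findings.append(f"{event.mailbox}: new {event.action} rule to {event.target}")
        if event.target.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
            findings.append(f"{event.mailbox}: copies of mail leave the organisation")
    elif event.action == "delete" or event.target.lower() in HIDING_FOLDERS:
        findings.append(f"{event.mailbox}: rule hides incoming mail ({event.action} -> {event.target})")
    return findings


# Constructed sample input.
SAMPLE_SENDERS = [
    "dispatch@acmefreight.com",            # ok
    "ops@acme-freight.com",                # hyphen inserted
    "billing@acmefreight.net",             # TLD swap
    "carrier.agreement@gmail.com",         # free provider
    "docs@acmefreight.com.evil-docs.net",  # partner name as a subdomain
    "rates@unrelatedcorp.com",             # simply unknown
]
SAMPLE_RULES = [
    RuleEvent("ap@acmefreight.com", "forward", "ap.acme@gmail.com"),
    RuleEvent("ap@acmefreight.com", "move", "Invoices"),
    RuleEvent("dispatch@acmefreight.com", "move", "RSS Feeds"),
]


def screen(senders=SAMPLE_SENDERS, rules=SAMPLE_RULES):
    """Run both checks; returns (sender verdicts, rule findings)."""
    verdicts = [(s, *classify_sender(s)) for s in senders]
    findings = [f for r in rules for f in review_rule(r)]
    return verdicts, findings


if __name__ == "__main__":
    verdicts, findings = screen()
    for addr, verdict, reason in verdicts:
        print(f"{verdict:10} {addr:40} {reason}")
    for line in findings:
        print("RULE", line)
```

Run `classify_sender` over the From: address of every message that asks to move, re-route or release freight, and `review_rule` over the audit events your mail platform emits when an inbox rule is created. A “lookalike” or “suspicious” verdict is exactly the case the PSA says to confirm over a second, independently sourced channel before goods are released.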


Recently Proofpoint researchers observed crooks targeting trucking and logistics companies, running coordinated remote access campaigns to steal cargo and divert payments. These attacks appear to be linked to organized crime.

The findings highlight a growing trend of cyber-enabled cargo theft, where digital intrusions directly support real-world crime. This threat is expanding rapidly, with losses in North America reaching $6.6 billion in 2025, showing how cyberattacks are increasingly used to disrupt supply chains and generate profit.

In November 2025, Proofpoint first reported cybercriminals were targeting trucking and logistics firms with RMM tools (remote monitoring and management software) to steal freight. Active since June 2025, the group works with organized crime to loot goods, mainly food and beverages.

Crooks infiltrate logistics firms, hijack cargo bids, and steal goods, fueling the rise of cyber-enabled freight theft.


Pierluigi Paganini

(SecurityAffairs – hacking, cargo theft)


Dubai Police Smash International Scam Empire in Massive FBI and China-Led Operation


In a major international enforcement action, Operation Tri-Force Sentinel, led by Dubai Police in coordination with the FBI and Chinese police, has dismantled a large transnational fraud network involved in global financial scams. The crackdown resulted in the arrest of 276 individuals linked to organised cyber-enabled fraud spanning multiple countries, primarily suspects from Southeast Asia. The operation was carried out under the UAE Ministry of Interior and focused on disrupting criminal syndicates running high-yield investment scams (HYIS), “pig butchering” schemes, and virtual currency fraud. Authorities confirmed that nine major fraud centres were dismantled during the coordinated action.

276 Arrests and Nine Fraud Centres Dismantled in Operation Tri-Force Sentinel

As part of the operation, law enforcement agencies executed synchronized raids that dismantled three major criminal syndicates operating fraud centres. These centres ran large-scale financial deception campaigns targeting victims across several regions. The operation led to the arrest of 276 suspects, and authorities confirmed that the network used advanced social engineering techniques: victims were engaged through digital platforms, where trust was gradually built before financial exploitation took place. Dubai Police also confirmed the arrest of a key leader of one of the syndicates in Thailand, carried out in coordination with the Royal Thai Police. The enforcement action marked one of the most significant coordinated strikes against cyber-financial crime groups in recent times.

[Image: Operation Tri-Force Sentinel. Source: Dubai Police]

Dubai Police, FBI, and Chinese Police Coordination 

Dubai Police played a central role in directing and executing Operation Tri-Force Sentinel, enabling real-time intelligence sharing between international partners. The collaboration with the FBI and Chinese Police was described as critical to the success of the operation. Dubai Police stated that the operation reflects a proactive strategy to combat evolving transnational financial crime threats. The agency emphasized that coordinated international efforts were essential to dismantling complex criminal networks operating across borders. The FBI highlighted the significance of joint enforcement efforts, stating that the operation demonstrates the effectiveness of coordinated global action in disrupting large-scale fraud schemes. It further noted that the partnership with the UAE authorities, particularly the Dubai Police, played a key role in achieving operational success. Chinese Police also reaffirmed their commitment to combating telecom and financial fraud crimes. They emphasized continued cooperation with global law enforcement agencies to address emerging cross-border criminal activities targeted in Operation Tri-Force Sentinel.

Transnational Fraud Networks and Financial Crime Disruption

The dismantled network operated multiple fraud centres using structured and organised digital fraud models, including investment scams and cryptocurrency-related fraud schemes that have increasingly affected victims across several countries. Authorities noted that the criminal groups targeted in the operation relied heavily on psychological manipulation and digital engagement strategies to execute financial scams at scale. The coordinated enforcement action disrupted the key operational infrastructure of these networks in a single phase.

International Cooperation Strengthened 

This operation highlights the growing importance of international cooperation in tackling financial crime networks that operate beyond national borders. The joint action between Dubai Police, the FBI, and the Chinese police demonstrates strengthened coordination in intelligence sharing and enforcement execution. Officials involved emphasized that continued collaboration is essential to countering sophisticated fraud networks. The success of the operation reflects the ability of global law enforcement agencies to respond jointly to complex cyber-enabled financial threats, and it marks a significant step in global efforts to combat organised fraud networks through coordinated international enforcement.

FBI, Indonesian Authorities Team to Take Down Site Ripping Off Users for Millions 

27 April 2026, 05:36

Phishing still hooks users around the world and coaxes them to hand over credentials. But on occasion the good guys take them down, like the FBI in collaboration with Indonesian law enforcement did with W3LLStore marketplace. 

Source: Security Boulevard.

Apple Fixes iPhone Bug After FBI Retrieved Signal Messages

23 April 2026, 12:25

Apple patched an iPhone notification bug that let deleted messages linger in system storage, closing a privacy gap exposed by an FBI Signal case.

Source: TechRepublic.

  • Schneier on Security
  • FBI Extracts Deleted Signal Messages from iPhone Notification Database, by Bruce Schneier

FBI Extracts Deleted Signal Messages from iPhone Notification Database

23 April 2026, 08:05

404 Media reports:

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

EDITED TO ADD (4/24): Apple has patched this vulnerability.

  • ASEC BLOG

March 2026 Dark Web Issue Trends Report

By: ATCP
12 April 2026, 12:00
Alert: this report is a summary of deep web and dark web source-based material and contains some facts that cannot be fully verified due to the nature of the sources. Major issues: BreachForums’ internal collapse and attempts to rebuild were observed. Trust was undermined by the betrayal of moderators and the movement of funds, and […]

Operation Masquerade: FBI Disrupts Russian Router Hacking Campaign

Operation Masquerade: The FBI and DoJ disrupted a Russian GRU campaign that hijacked routers via DNS attacks to spy on users and steal credentials.
  • Firewall Daily – The Cyber Express
  • FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks, by Ashish Khaitan

FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks


The Russian-linked threat group APT28 has continued to leverage vulnerable network devices to carry out large-scale DNS hijacking campaigns that enable adversary-in-the-middle attacks, and these operations have now drawn direct intervention from U.S. authorities. The U.S. Department of Justice and the FBI announced a court-authorized operation to disrupt a network of compromised routers controlled by Russia’s military intelligence unit, widely known as APT28. Consistent with prior reporting from the NCSC, the group has been exploiting routers to intercept communications, harvest credentials, and target individuals and organizations of intelligence interest.

DNS Hijacking and Adversary-in-the-Middle Tactics 

APT28’s operations include DNS hijacking, a technique that manipulates how domain names are resolved into IP addresses. By altering DNS settings, often at the router level, attackers redirect legitimate traffic through malicious infrastructure. This enables adversary-in-the-middle (AitM) attacks, where victims unknowingly connect to spoofed services. These malicious endpoints are designed to imitate legitimate platforms, allowing attackers to intercept login sessions and extract sensitive data, including passwords, OAuth tokens, and emails. Both the FBI and the NCSC have noted that these attacks can impact browser sessions and desktop applications alike, increasing the scale and effectiveness of credential harvesting.

U.S. Operation Targets APT28 Infrastructure 

The disruption effort, publicly disclosed by the Department of Justice, targeted a network of small office/home office (SOHO) routers compromised by APT28, also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, and Pawn Storm. The group is widely attributed to Russia’s GRU Unit 26165. Since at least 2024, APT28 actors have exploited known vulnerabilities to gain access to thousands of TP-Link routers globally. After extracting the routers’ administrative credentials, they modified the router configuration to redirect DNS traffic to malicious servers under their control. These operations were initially indiscriminate; the attackers then implemented automated filtering to pick out DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records, particularly for domains belonging to Microsoft Outlook services, to position themselves as an adversary-in-the-middle on the victims’ connections. Through this approach, APT28 was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.

Official Statements on the Threat 

U.S. officials described the campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg stated, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.” U.S. Attorney David Metcalf added, “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” emphasizing that the government would continue to respond aggressively to nation-state cyber threats. FBI officials also stressed the scale of the campaign. Assistant Director Brett Leatherman noted that compromised routers were used globally for espionage, while Special Agent Ted E. Docks highlighted that devices across more than 23 U.S. states had been weaponized.

How the FBI Disrupted the DNS Hijacking Network 

As part of the court-authorized operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. portion of APT28’s infrastructure. According to court documents, the FBI:
  • sent commands to the compromised routers to collect evidence of APT28 activity;
  • reset the routers’ DNS settings, removing the malicious resolvers and restoring the ISP’s legitimate configuration;
  • blocked the actors’ ability to regain unauthorized access.
The operation was tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. The FBI’s changes are not permanent: device owners can undo them through a factory reset or by manually changing the configuration.

Continued Router Exploitation and Infrastructure Tactics 

These developments align closely with earlier findings from the NCSC, which documented how APT28 used Virtual Private Servers (VPSs) as malicious DNS infrastructure. Two main clusters were identified: 
  • Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and adversary-in-the-middle attacks.  
  • Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.  
APT28’s activity has also included exploitation of vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.

Targeted Services and Indicators 

APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including: 
  • autodiscover-s.outlook[.]com  
  • imap-mail.outlook[.]com  
  • outlook.live[.]com  
  • outlook.office[.]com  
  • outlook.office365[.]com  
These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services. 

Mitigation and Security Recommendations 

Both the FBI and the NCSC recommend immediate steps to mitigate risks associated with DNS hijacking and adversary-in-the-middle attacks:
  • Replace end-of-life or unsupported routers
  • Update firmware to the latest available versions
  • Verify DNS settings to ensure they point to legitimate resolvers
  • Disable or secure remote management interfaces
  • Implement firewall rules to limit exposure
  • Enable multi-factor authentication (MFA) to reduce credential abuse
Users are also encouraged to monitor their networks and report suspected compromises to the appropriate authorities.
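The “verify DNS settings” step above, the Outlook watchlist and the “dnsmasq-2.85” banner from the indicator section can be turned into a concrete check for a home or small-office network. The routine below looks for three symptoms of the hijack described in this article: a DHCP lease that names a resolver outside the ISP’s ranges, watchlist names that resolve to addresses through the LAN resolver that share nothing with a trusted resolver’s answer, and a resolver whose CHAOS `version.bind` reply matches the reported dnsmasq build. This is an added example and not code from the FBI, the NCSC, or The Cyber Express; the lease text, the ISP resolver prefix, and all DNS answers are constructed sample data (RFC 5737 documentation addresses), and the lease format assumed is the ISC dhclient style.

```python
"""Spot the DNS-level symptoms of a SOHO router hijack: a DHCP lease naming a
resolver outside the ISP's ranges, Outlook names that resolve differently
through the LAN resolver than through a trusted one, and a resolver whose
CHAOS version banner matches the reported dnsmasq build.
Added example; the lease, resolver ranges and answers are constructed."""
import ipaddress

# Domains the campaign is reported to answer fraudulently (from the indicator list above).
WATCHLIST = [
    "autodiscover-s.outlook.com", "imap-mail.outlook.com", "outlook.live.com",
    "outlook.office.com", "outlook.office365.com",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the ISP's recursive resolvers live here (TEST-NET-2 stands in for a real prefix).
ISP_RESOLVER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Reported server-side indicator: the malicious resolvers ran this dnsmasq build.
DNSMASQ_INDICATOR = "dnsmasq-2.85"


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def resolver_is_expected(ip: str) -> bool:
    """A home router hands out itself (RFC 1918) or the ISP's resolvers; anything else is suspect."""
    return in_any(ip, RFC1918) or in_any(ip, ISP_RESOLVER_NETS)


def parse_dhcp_dns(lease_text: str):
    """Extract 'option domain-name-servers' from a dhclient-style lease block."""
    for line in lease_text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("option domain-name-servers"):
            return [s.strip() for s in line.split(None, 2)[2].split(",")]
    return []


def divergent_answers(lan_answers: dict, trusted_answers: dict) -> dict:
    """Watchlist names whose A records from the LAN resolver share nothing with a trusted resolver's.

    CDN-fronted names legitimately vary by location, so a disjoint answer set is a lead
    to confirm (for instance by inspecting the TLS certificate the LAN answer presents),
    not proof on its own."""
    out = {}
    for name in WATCHLIST:
        lan, trusted = set(lan_answers.get(name, [])), set(trusted_answers.get(name, []))
        if lan and trusted and lan.isdisjoint(trusted):
            out[name] = sorted(lan)
    return out


def banner_matches_indicator(version_txt: str) -> bool:
    """dnsmasq answers `dig @<resolver> version.bind CH TXT` with its own version string."""
    return version_txt.strip().strip('"') == DNSMASQ_INDICATOR


def assess(lease_text, lan_answers, trusted_answers, version_txt):
    """Combine the three checks into a list of findings (empty means nothing seen)."""
    findings = []
    for ip in parse_dhcp_dns(lease_text):
        if not resolver_is_expected(ip):
            findings.append(f"DHCP lease names unexpected resolver {ip}")
    for name, addrs in divergent_answers(lan_answers, trusted_answers).items():
        findings.append(f"{name} -> {addrs} via LAN resolver, disjoint from trusted answer")
    if banner_matches_indicator(version_txt):
        findings.append(f"resolver version.bind reply matches indicator {DNSMASQ_INDICATOR}")
    return findings


# Constructed sample data (all public addresses from RFC 5737 documentation ranges).
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.77;
}"""
LAN_ANSWERS = {"outlook.office365.com": ["203.0.113.80"], "outlook.live.com": ["192.0.2.10"]}
TRUSTED_ANSWERS = {"outlook.office365.com": ["192.0.2.40", "192.0.2.41"],
                   "outlook.live.com": ["192.0.2.10", "192.0.2.11"]}

if __name__ == "__main__":
    for finding in assess(SAMPLE_LEASE, LAN_ANSWERS, TRUSTED_ANSWERS, '"dnsmasq-2.85"'):
        print("!", finding)
```

In practice the lease comes from the client’s DHCP lease file, the two answer sets from `dig @<lan-resolver>` and `dig @<trusted-resolver>` for each watchlist name, and the banner from `dig @<lan-resolver> version.bind CH TXT`. Any finding warrants checking the router’s DHCP/DNS configuration directly and, if it has been altered, following the firmware and factory-reset guidance above.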
  • Firewall Daily – The Cyber Express
  • Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions, by Samiksha Jain

Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions


A new U.S. government advisory has raised fresh concerns over an Iranian-affiliated APT targeting programmable logic controllers (PLCs), warning that its attacks are moving beyond data theft into direct disruption of industrial systems. Issued on April 7, 2026, the joint alert from the FBI, CISA, NSA and other agencies confirms that Iran-linked threat actors are actively exploiting internet-facing PLCs, with incidents already impacting multiple critical infrastructure sectors. This is not a theoretical threat: according to the advisory, several organizations have experienced operational disruptions and even financial losses after attackers interfered with industrial processes.

From Network Access to Operational Disruption

What makes this campaign stand out is its intent. The activity is not espionage; it is designed to disrupt. Attackers have been manipulating PLC project files and altering the data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. In practice, operators could be relying on inaccurate data while the underlying processes are being changed in real time. The affected sectors include government services, water and wastewater systems, and energy, where even minor disruptions can have significant downstream impact.

[Image: Iranian-affiliated APT targeting PLCs. Source: FBI]

How the Attacks Are Carried Out

The entry point is often simple: internet exposure. The advisory notes that attackers scan for publicly accessible PLCs, particularly models such as CompactLogix and Micro850, and connect to them using legitimate engineering tools like Studio 5000 Logix Designer. Once inside, the activity becomes more deliberate. Threat actors extract configuration files, modify logic, and establish persistence. In some cases they deploy tools like Dropbear SSH to maintain remote access over port 22. The attacks rely on commonly used industrial communication ports, including 44818, 2222, 102, 22, and 502, allowing malicious traffic to blend in with normal OT operations. Investigators also observed the use of overseas IP addresses and leased third-party infrastructure, suggesting a coordinated and sustained effort rather than opportunistic scanning.

A Campaign That Has Been Building Over Time

The current activity is not happening in isolation. U.S. agencies link it to earlier Iran-aligned operations, including campaigns attributed to the CyberAv3ngers group that targeted PLCs in 2023. What has changed is the persistence. The latest advisory tracks activity spanning from at least January 2025 through March 2026, with ongoing incidents reported as recently as March. Officials suggest the escalation may be tied to broader geopolitical tensions, but the technical pattern is clear: industrial control systems are becoming a repeated target.

Exposure and Weak OT Security

The campaign exposes a long-standing weakness in critical infrastructure: too many industrial devices remain directly accessible from the internet. In many cases the attackers did not need sophisticated exploits. They gained access because the systems lacked basic protections such as network segmentation, strong authentication, or restricted remote access. The result is a dangerous scenario in which adversaries can move from initial access to operational control with relatively little resistance.

What Organizations Are Being Urged to Do

The advisory calls for immediate action, starting with visibility. Organizations are urged to review logs for suspicious traffic, especially connections originating from overseas infrastructure, and check for unusual activity on key OT ports. More broadly, the guidance reinforces a set of practical steps: removing PLCs from direct internet exposure, routing access through secure gateways, enabling stronger authentication controls, and maintaining offline backups of PLC logic and configurations. In some cases, even operational settings matter, such as ensuring controllers remain in “run” mode to prevent unauthorized remote changes.
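The log review the advisory asks for can be scripted against connection records (firewall or NetFlow exports). The routine below, an added example that is not code from the advisory or from The Cyber Express, screens flows for the patterns described in this article: traffic to a controller on one of the named industrial ports from the internet or from a host that is not an approved engineering station, SSH accepted by a controller (the Dropbear persistence indicator), and a controller opening outbound connections. The asset inventory, the engineering-host allowlist and the flow records are constructed; the column names of the CSV are an assumption, and the “overseas” criterion from the advisory is approximated here as “any non-RFC 1918 address”, since geolocation is not available offline.

```python
"""Screen connection records for the patterns the advisory tells operators to look for:
traffic to PLCs on industrial ports from outside the engineering allowlist or from the
internet, SSH accepted by a controller (Dropbear persistence), and a controller opening
outbound connections.  Added example, not from the advisory; the asset list, the
allowlist and the flow records are constructed."""
import csv
import io
import ipaddress

# Ports the advisory names, with the protocol normally behind each.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH",
}

# Constructed asset inventory: controllers and the stations allowed to program them.
PLCS = {"10.20.0.11": "CompactLogix, line 1", "10.20.0.12": "Micro850, pump house"}
ENGINEERING_HOSTS = {"10.20.0.50"}   # the Studio 5000 workstation

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """Anything outside RFC 1918 space is treated as internet-sourced (stand-in for 'overseas')."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def screen_flows(csv_text: str):
    """One finding per suspicious flow, each carrying the list of reasons it tripped."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        reasons = []
        if dst in PLCS and dport in OT_PORTS:
            if not is_internal(src):
                reasons.append(f"internet host {src} reached {OT_PORTS[dport]} on {PLCS[dst]}")
            elif src not in ENGINEERING_HOSTS:
                reasons.append(f"{src} is not an approved engineering station for {PLCS[dst]}")
            if dport == 22:
                reasons.append(f"{PLCS[dst]} accepted SSH; controllers do not normally listen on 22")
        if src in PLCS and not is_internal(dst):
            reasons.append(f"{PLCS[src]} opened an outbound connection to {dst}:{dport}")
        if reasons:
            findings.append({"ts": row["ts"], "src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings


# Constructed flow records (internet addresses taken from RFC 5737 documentation ranges).
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes
2026-03-02T08:00:01Z,10.20.0.50,10.20.0.11,44818,tcp,18200
2026-03-02T08:04:17Z,203.0.113.45,10.20.0.11,44818,tcp,9120
2026-03-02T08:05:02Z,198.51.100.9,10.20.0.12,22,tcp,4410
2026-03-02T08:05:40Z,10.20.0.12,198.51.100.9,443,tcp,1300
2026-03-02T08:09:11Z,10.20.0.60,10.20.0.12,502,tcp,600
2026-03-02T08:10:00Z,10.20.0.50,10.20.0.12,2222,udp,2200
"""

if __name__ == "__main__":
    for f in screen_flows(SAMPLE_FLOWS):
        print(f["ts"], f["src"], "->", f["dst"], f["dport"])
        for r in f["reasons"]:
            print("   ", r)
```

The first and last sample flows (the approved workstation talking CIP to both controllers) produce nothing; the other four are flagged. A controller that is reachable from a public address on 44818 or 22 at all is the exposure the advisory says to remove by taking the PLC off the internet and routing engineering access through a gateway; the outbound flow from the Micro850 is the kind of traffic that should never appear from a controller and is worth pulling packet captures for.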

A Shift in Cyber Threat Priorities

The bigger takeaway is the shift in attacker focus. By targeting PLCs, threat actors are going straight to the systems that control physical processes, a move from cyber intrusion to potential real-world disruption. The advisory also highlights the role of manufacturers, urging a stronger push toward “secure-by-design” systems that are not exposed by default. For now, the warning is clear: as long as industrial systems remain exposed, campaigns like this one are likely to continue, and could become more disruptive over time.