New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories
Cybersecurity Update: Major Forum Takedown, Privacy Lawsuits, and Emerging Threats
This week’s cybersecurity landscape reveals a pattern of quiet but significant shifts—small changes that, when combined, create real problems for individuals, organizations, and governments. From major cybercrime forum takedowns to new privacy lawsuits and emerging attack techniques, the digital world continues to evolve in unexpected ways.
The common thread across these stories is the repurposing of familiar tools for malicious ends. Security controls are being bypassed. Trusted platforms are becoming vulnerabilities. What appears routine on the surface often hides deeper risks.
Here’s what’s happening across the cybersecurity landscape:
Major Cybercrime Forum Takedown
The FBI has seized the notorious RAMP cybercrime forum, disrupting a major hub for ransomware operations. The forum, which launched in 2021 after other platforms banned ransomware promotion, was run by Mikhail Pavlovich Matveev (aka Wazawaka). Despite the takedown, the underground quickly adapts—groups like Nova and DragonForce are already shifting to alternative platforms like Rehub. This demonstrates the resilience of cybercriminal ecosystems and their ability to reconstitute quickly in new spaces.
WhatsApp Privacy Claims Challenged
A new U.S. lawsuit alleges that Meta has made false claims about WhatsApp’s privacy and security, accusing the company of storing and analyzing supposedly “private” communications. Meta has called the lawsuit “frivolous” and plans to pursue sanctions against the plaintiffs’ counsel. The core issue centers on whether WhatsApp’s security is an unbreakable technical lock or a policy lock that employees can open. WhatsApp maintains that messages are private and any contrary claims are false.
Post-Quantum Shift Accelerates
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an initial list of product categories supporting post-quantum cryptography (PQC) standards. This guidance covers cloud services, collaboration software, endpoint security, and networking hardware. The move acknowledges the urgent threat posed by quantum computing to current encryption methods. There are also concerns about “harvest now, decrypt later” strategies, where threat actors collect encrypted data now with plans to decrypt it once quantum computers become available.
Physical Access Systems Exposed
Over 20 security vulnerabilities discovered in Dormakaba physical access control systems could allow hackers to remotely open doors at major organizations. The flaws include hard-coded credentials, weak passwords, lack of authentication, and command injection vulnerabilities. While there’s no evidence these vulnerabilities have been exploited in the wild, the potential impact is significant—attackers could reconfigure controllers, open arbitrary doors, and gain unauthorized physical access to sensitive facilities.
Fake Hiring Lures Steal Logins
A new phishing campaign uses fake recruitment-themed emails impersonating well-known employers and staffing companies. Messages appear in multiple languages and target job seekers in the U.S., U.K., France, Italy, and Spain. Victims are directed to fake pages that harvest credentials or redirect to malicious content. This campaign exploits the trust people place in legitimate hiring processes during vulnerable job-seeking periods.
Trusted Cloud Domains Abused
A novel campaign exploits the trust associated with *.vercel.app domains to bypass email filters and deceive users with financially themed lures like overdue invoices and shipping documents. The campaign uses a Telegram-gated delivery mechanism to filter out security researchers and automated sandboxes, ultimately delivering the legitimate remote access tool GoTo Resolve. This sophisticated approach demonstrates how attackers leverage trusted infrastructure to increase their chances of success.
Cellular Location Precision Reduced
With iOS 26.3, Apple is adding a “limit precise location” setting that reduces location data available to cellular networks. This enhancement increases user privacy by limiting the precision of location data to neighborhood-level rather than specific addresses. The feature is available on iPhone Air, iPhone 16e, and iPad Pro (M5) Wi-Fi + Cellular models from supported network providers in several countries.
Legacy iOS Support Extended
Apple has released security updates for iOS 12 and iOS 15 to extend the digital certificate required for features like iMessage, FaceTime, and device activation to continue working after January 2027. This ensures continued functionality for devices that can’t run newer iOS versions while maintaining security standards.
SEO Poisoning-for-Hire Exposed
A backlink marketplace called HxSEO helps customers get malicious web pages ranked higher in search results. The operation, active since 2020, sells backlinks from compromised legitimate domains to boost phishing pages in search rankings. By purchasing these links, threat actors can ensure their malicious sites appear ahead of legitimate ones when users search for specific keywords. This industrial-scale SEO manipulation makes it harder for users to distinguish legitimate from malicious sites.
Phishing Hijacks Ad Accounts
Meta business accounts belonging to advertising agencies and social media managers are being targeted by phishing campaigns designed to seize control for malicious activities. Attackers change billing information, launch scam ads promoting fake crypto or investment platforms, and remove legitimate administrators. This campaign exploits the trust and access these accounts have to advertising platforms and customer data.
Kernel Bug Flagged as Exploited
CISA has added a security flaw in the Linux kernel to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by February 16, 2026. The vulnerability, tracked as CVE-2018-14634, could allow unprivileged local users to escalate privileges on systems. While there are currently no reports of in-the-wild exploitation, the addition to the KEV catalog indicates serious concern about potential exploitation.
France Pushes Video Sovereignty
The French government plans to replace U.S. videoconferencing apps like Zoom, Microsoft Teams, Google Meet, and Webex with a homegrown alternative named Visio. This move aims to improve security, strengthen digital resilience, and reduce strategic dependencies on external infrastructure. The unified solution will be controlled by the state and based on French technologies.
Student Data Tracking Blocked
Microsoft has been ordered to cease using tracking cookies in Microsoft 365 Education after the Austrian data protection authority found the company illegally installed cookies on devices of minors without consent. These cookies can analyze user behavior, collect browser data, and serve targeted ads. Microsoft has four weeks to cease tracking the complainant.
Cross-Border Swatting Ring Busted
Hungarian and Romanian police have arrested four suspects in connection with bomb threats, false emergency calls, and misuse of personal data. The suspects obtained victims’ phone numbers and personal details through Discord, then used that information to place false emergency calls in their names. This cross-border operation highlights the international nature of such harassment campaigns.
Latin America Hit Hardest
Organizations in Latin America experienced an average of 3,065 cyber attacks per week in December 2025, representing a 26% increase year-over-year. The education sector remained the most targeted industry globally, averaging 4,349 attacks per organization per week. This surge in attacks coincides with accelerating ransomware activity in the region.
Crypto Laundering Ring Punished
Chinese national Jingliang Su was sentenced to 46 months in prison for laundering over $36.9 million from victims in a digital asset investment scam. Su was part of an international criminal network that tricked U.S. victims into transferring funds, which were then laundered through U.S. shell companies, international bank accounts, and digital asset wallets. Eight co-conspirators have pleaded guilty so far.
Major Dark Web Operator Convicted
Raheim Hamilton pleaded guilty to operating Empire Market, a dark web marketplace that facilitated over four million transactions valued at more than $430 million. The illegal products included controlled substances, stolen credentials, counterfeit currency, and hacking tools. Hamilton agreed to forfeit ill-gotten proceeds including bitcoin, Ether, and properties in Virginia.
Darknet Operator Admits Role
Alan Bill pleaded guilty to his involvement in Kingdom Market, a darknet market that sold drugs and stolen personal information between 2021 and 2023. Bill admitted to receiving cryptocurrency from the market and assisting with its forum pages on Reddit and Dread. He has agreed to forfeit cryptocurrency and the market’s domains, which have been shut down by authorities.
Android Theft Defenses Expanded
Google has announced expanded Android theft-protection features that build upon existing protections like Theft Detection Lock and Offline Device Lock. New features include granular controls for Failed Authentication Lock, extended Identity Check coverage, stronger protections against PIN guessing, and optional security questions for Remote Lock initiation. These protections make Android devices harder targets for criminals.
AI-Linked Malware Tooling Spotted
A PureRAT campaign targeting job seekers uses malicious ZIP archives that leverage DLL side-loading to launch batch scripts executing malware. Analysis suggests these tools were authored using artificial intelligence, with detailed comments and numbered steps in Vietnamese. The threat actor is believed to be based in Vietnam and likely sells access to compromised organizations to other actors.
UK-China Cyber Talks Launched
The U.K. and China have established a Cyber Dialogue forum for security officials to discuss cyberattacks and manage threats to each other’s national security. This follows previous U.K. accusations of Chinese threat actors targeting national infrastructure and government systems. The dialogue aims to improve communication and help prevent escalation of cyber tensions.
Poor OPSEC Unmasks Broker
Jordanian national Feras Khalil Ahmad Albashiti pleaded guilty to selling access to networks of at least 50 companies through cybercriminal forums. His poor operational security, including using “r1z” in his LinkedIn profile URL and personal details in WHOIS information, left long-term attribution trails. This case demonstrates how initial access brokers monetize enterprise access while leaving evidence that exposes the ransomware supply chain.
Encryption Flaw Traps Victims
Cybersecurity company Halcyon identified a critical flaw in the encryption process of Sicarii ransomware that makes data recovery impossible even if victims pay the ransom. The malware regenerates new RSA key pairs locally for each execution and discards the private keys, leaving victims without a viable decryption path. This implementation error, possibly caused by AI-assisted tooling, renders attacker-provided decryptors ineffective.
Human-in-the-Loop MFA Bypass
Google-owned Mandiant is tracking voice-phishing attacks targeting single sign-on tools, resulting in data theft and extortion attempts. Multiple threat actors combine voice calls and custom phishing kits to obtain unauthorized access and enroll threat actor-controlled devices into victim MFA for persistent access. This human-led, high-interaction operation bypasses even hardened MFA setups.
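One defender-side check for the pattern above, as an added example that is not part of the original post: flag MFA factor enrollments that happen shortly after a help-desk password reset for the same user, or that come from an IP address the user has never logged in from. The event names, field names and audit records are constructed for the example, not taken from any real SSO product.

```python
"""Flag MFA enrollments that follow a help-desk reset or come from a new IP."""
from datetime import datetime, timedelta

# Constructed SSO audit events; the schema is an assumption for this example.
EVENTS = [
    {"ts": "2026-01-12T09:00:00", "user": "alice", "event": "login.success", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:05:00", "user": "alice", "event": "login.success", "ip": "203.0.113.10"},
    {"ts": "2026-01-14T14:02:00", "user": "alice", "event": "helpdesk.password_reset", "ip": "198.51.100.7"},
    {"ts": "2026-01-14T14:09:00", "user": "alice", "event": "mfa.factor_enrolled", "ip": "198.51.100.7"},
    {"ts": "2026-01-14T15:00:00", "user": "bob", "event": "login.success", "ip": "203.0.113.22"},
    {"ts": "2026-01-14T15:30:00", "user": "bob", "event": "mfa.factor_enrolled", "ip": "203.0.113.22"},
]

RESET_WINDOW = timedelta(hours=1)  # enrollment this soon after a reset is suspect


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_enrollments(events, window=RESET_WINDOW):
    """Return (user, ts, reasons) for each MFA enrollment that is (a) within
    `window` after a help-desk reset for the same user, or (b) from an IP the
    user has never logged in from. Events are processed in timestamp order."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as strings
    known_ips = {}    # user -> set of IPs seen in successful logins
    last_reset = {}   # user -> time of the most recent help-desk reset
    findings = []
    for e in events:
        t, u = parse(e["ts"]), e["user"]
        if e["event"] == "login.success":
            known_ips.setdefault(u, set()).add(e["ip"])
        elif e["event"] == "helpdesk.password_reset":
            last_reset[u] = t
        elif e["event"] == "mfa.factor_enrolled":
            reasons = []
            if u in last_reset and t - last_reset[u] <= window:
                reasons.append("enrolled within %s of help-desk reset" % window)
            if e["ip"] not in known_ips.get(u, set()):
                reasons.append("enrolled from IP never used for login: " + e["ip"])
            if reasons:
                findings.append((u, e["ts"], reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in suspicious_enrollments(EVENTS):
        print(user, ts, "; ".join(reasons))
```

On the constructed data only alice's enrollment is flagged, on both grounds; bob's enrollment comes from a known IP with no preceding reset and passes.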
React Flaw Fuels Crypto-Mining Attacks
Threat actors have exploited the React Server Components vulnerability (CVE-2025-55182) to infect Russian companies with XMRig-based cryptominers. Other payloads include botnets like Kaiji and Rustobot, as well as the Sliver implant. Russian companies across multiple sectors have also been targeted by a suspected pro-Ukrainian threat group called PhantomCore using phishing with ZIP attachments.
Malware Flood Hits Open Source
Supply chain security company Sonatype logged 454,600 open-source malware packages in 2025, bringing the total to over 1.233 million packages across major repositories. The threat is compounded by AI agents recommending nonexistent or malware-infected packages, exposing developers to new risks. The evolution of open source malware has become industrialized and sustained.
Ransomware Ecosystem Doubles
Ransomware groups claimed between 8,100 and 8,800 victims in 2025, significantly up from about 5,300 in 2023. The number of active groups has surged from about 70 in 2023 to nearly 140 in 2025. While law enforcement efforts are fragmenting major groups, this disruption has led to a more decentralized, competitive, and resilient ransomware landscape.
ATM Malware Ring Charged
The DOJ has announced charges against an additional 31 individuals involved in a massive ATM jackpotting scheme that resulted in the theft of millions of dollars. The attacks used malware called Ploutus to hack into ATMs and force them to dispense cash. Many defendants are Venezuelan and Colombian nationals, including illegal alien members of the Tren de Aragua terrorist organization.
Blockchain-Based C2 Evasion
DeadLock ransomware uses Polygon smart contracts for proxy server address rotation and distribution. The ransomware drops an HTML file that acts as a wrapper for Session, an encrypted messenger, to facilitate direct communication between the operator and victim. This innovative approach uses blockchain technology to manage command and control infrastructure while avoiding traditional data leak sites.
Crypto Laundering Networks Scale Up
Chinese-language money laundering networks (CMLNs) dominate known crypto money laundering activity, processing an estimated 20% of illicit cryptocurrency funds over the past five years. These networks have grown dramatically, increasing from $10 billion in 2020 to over $82 billion in 2025. They use gambling platforms, money movement services, and P2P services without KYC checks to integrate illicit funds into legitimate financial systems.
SMS Fraud Hits Canadians
Threat actors are impersonating government services and trusted national brands in Canada through SMS messages and malicious ads. A significant portion of the activity aligns with the “PayTool” phishing ecosystem, which specializes in traffic violation and fine payment scams targeting Canadians. This campaign enables account takeovers and direct financial fraud through sophisticated social engineering.
Tags: cybersecurity, ransomware, phishing, data breach, malware, hacking, digital privacy, quantum computing, dark web, social engineering