
October 14, 2025 10 mins
Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. The seizure switched the domain's nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement had gained access to BreachForums database backups dating back to 2023 and to the escrow databases since the latest reboot, and declared that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign.

The Massive Salesforce Extortion Campaign

The core focus of the Scattered Lapsus$ Hunters' recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization's Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that it will not engage with, negotiate with, or pay any extortion demand.

Beyond Salesforce: Discord and Red Hat

The criminal group also claimed responsibility for other significant intrusions:
  • Red Hat Data Theft: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details.
  • Discord Breach: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust & Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses.
Tactics and Targets

The group employs sophisticated tactics, including exploiting zero-day vulnerabilities, such as a critical flaw in Oracle's E-Business Suite software (CVE-2025-61882). Furthermore, members of the group have been known to distribute malware, specifically the commercially available ASYNCRAT backdoor, disguised as a Windows screensaver file (.scr) via menacing, targeted emails. This highlights the constant pressure faced by security professionals, often from threat actors derisively called "Advanced Persistent Teenagers" (APTs).

Links & Resources
  • Law Enforcement Takedown: Nameservers used in the FBI seizure: ns1.fbi.seized.gov and ns2.fbi.seized.gov.
  • Publications Cited: Information confirmed by BleepingComputer and reported by KrebsOnSecurity.
  • Discord Security Incident: Discord confirmed they would contact impacted users via noreply@discord.com.
  • Security Validation: Join the Picus BAS Summit to experience the future of security validation.
  • ASYNCRAT Analysis: VirusTotal analysis of the ASYNCRAT malware provided via link.
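The .scr lure described under Tactics and Targets works because a Windows screensaver is an ordinary PE executable under a different extension. The following is an added example, not code from the podcast or its sources, of an attachment check that decides on file content and name patterns rather than trusting the sender's chosen extension; the executable-extension list and the constructed PE stub are assumptions made here for illustration.

```python
import struct
from dataclasses import dataclass, field

# Extensions Windows runs directly (assumption: a reasonable mail-filter
# default, not an exhaustive list). .scr is the one the lure relies on.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd",
                         "ps1", "js", "vbs", "hta", "msi"}


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    is_pe: bool
    reasons: list = field(default_factory=list)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Flag an attachment by extension, by content, and by extension/content mismatch."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    verdict = Verdict(filename, ext, looks_like_pe(data))
    if ext in EXECUTABLE_EXTENSIONS:
        verdict.reasons.append(f"executable extension .{ext}")
    if verdict.is_pe and ext not in EXECUTABLE_EXTENSIONS:
        # A PE hiding behind report.pdf: the name lies, the bytes do not.
        verdict.reasons.append(f"PE content behind non-executable name .{ext or '<none>'}")
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
        # invoice.pdf.scr shows as invoice.pdf when Explorer hides known extensions.
        verdict.reasons.append("double extension hides executable type")
    return verdict


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew = 0x80, PE signature. Not malware."""
    header = bytearray(0x90)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    for name, blob in (("screensaver.scr", build_fake_pe()), ("report.pdf", build_fake_pe()),
                       ("invoice.pdf.scr", build_fake_pe()), ("notes.txt", b"plain text")):
        v = triage_attachment(name, blob)
        print(f"{name}: {'BLOCK' if v.reasons else 'allow'} {v.reasons}")
```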
🛡️ Sponsor: approov.io To ensure your mobile and web applications are secure against sophisticated attacks, trust the experts. Learn more about enhanced security measures and API protection at approov.io.

Keywords: ShinyHunters, BreachForums, Salesforce Extortion, FBI Takedown, Scattered Lapsus$ Hunters, Data Breach, Red Hat, Discord Hack, Voice Phishing, Cybercrime, Hacking Forum, ASYNCRAT, UNC6040, CVE-2025-61882, Security Validation.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome. Today we're looking into a really significant event unfolding
in cybersecurity right now. It involves a massive corporate extortion
campaign and, well, a dramatic international effort by law
enforcement to take down the group's main communication hub.

Speaker 2 (00:16):
Yeah, we've been piecing together the reports. This campaign,
it's linked to what people are calling the ShinyHunters /
Scattered Lapsus$ Hunters collective. Yeah, we really need to
understand how they operate.

Speaker 1 (00:26):
Exactly, because the list of targets is staggering: Salesforce, Discord,
Red Hat, big names, and we need to understand what
the FBI's move against their forum actually means.

Speaker 2 (00:36):
And it's key to remember this isn't one single organized
gang like you might picture. It's more fluid. Analysts use
different trackers, you know, UNC6040, UNC6395,
UNC6240. Basically, it's a mix
of people linked to ShinyHunters, Scattered Spider and Lapsus$.
That loose structure is part of why they're so hard
to pin down.

Speaker 1 (00:53):
Okay, let's talk scale then, because the victim list is, well,
it's huge. The Scattered Lapsus$ Hunters group, they put up
a website, didn't they, threatening dozens of Fortune 500 companies.

Speaker 2 (01:03):
They did, and the claim was frankly stunning. They said
they'd stolen over one billion records, customer data, corporate info,
the works.

Speaker 1 (01:11):
A billion records. That number is almost hard to grasp.

Speaker 2 (01:14):
It is. But beyond just the sheer volume, the real
story here, I think, is how they're doing it. It
signals a dashall shift.

Speaker 1 (01:22):
How so? What's the shift?

Speaker 2 (01:24):
They've moved beyond just hitting individual user accounts. Now they're
systematically targeting the big cloud providers, SaaS platforms, basically the
data supply chain itself. You look at the names: FedEx, Disney,
Home Depot, Marriott, Google, Cisco. The list goes on. It's
clear they're after places with huge amounts of aggregated data
and, crucially, third-party access tokens.

Speaker 1 (01:44):
Okay, let's zoom in on those attack methods. Salesforce is
a big one. How did this group, known partly for,
well, some almost teenage-level antics in the past, get
into Salesforce?

Speaker 2 (01:53):
That initial breach, back around May 2025, seems
to have leaned heavily on social engineering, very sophisticated.

Speaker 1 (02:01):
Voice phishing, vishing, so actual phone calls.

Speaker 2 (02:03):
Yeah, phone calls, pretexting, manipulation, basically talking high-value targets
into connecting a malicious app right into their company's Salesforce setup.
Old-school social engineering bypassing tech defenses.

Speaker 1 (02:16):
And Salesforce, they wouldn't pay the ransom, right?

Speaker 2 (02:18):
They made a public stance: no extortion payments, which is
a strong message. But the damage from exploiting these third-party
connections was already being felt elsewhere.

Speaker 1 (02:28):
Like the Discord incident. That wasn't a direct Discord breach,
was it?

Speaker 2 (02:31):
No, that's important. Discord itself wasn't hacked. The vulnerability was
with a company they used for customer service, a third-party
provider called 5CA. So it affected a specific
group of users, those who'd contacted Customer Support or Trust
and Safety.

Speaker 1 (02:46):
What kind of data are we talking about there?

Speaker 2 (02:48):
Some pretty sensitive stuff: Discord usernames, emails, IP addresses,
the last four digits of credit card numbers. But the
really worrying part: for about seventy thousand users who'd submitted
IDs for age verification appeals, their actual government ID images
were exposed.

Speaker 1 (03:03):
Oh wow, that's permanent. You can change a password. You
can't change your driver's license photo easily.

Speaker 2 (03:09):
Exactly. That's a nightmare scenario for identity theft down the line.
The liability for that third party, 5CA, must be immense.

Speaker 1 (03:17):
And then there's Red Hat. That seems like a different
kind of target. Less about customer PII, more about corporate secrets.

Speaker 2 (03:23):
Precisely. Red Hat confirmed a GitLab server compromise. The
attackers claimed access to over twenty-eight thousand Git repositories.
They were after internal intelligence. Specifically, they accessed things called
customer engagement reports, or CERs.

Speaker 1 (03:38):
Okay, for those listening who aren't familiar, what makes CERs
so valuable to attackers?

Speaker 2 (03:43):
Think of them as confidential technical files. They detail client setups,
potential security weaknesses, client secrets, and, critically, they often contain
access tokens for things like Artifactory or cloud infrastructure details
for AWS, Azure, you name it. Getting those tokens means
they could potentially pivot right into Red Hat's clients'

Speaker 1 (04:02):
systems. Which ties into the Salesloft connection you mentioned earlier,
right, reinforcing that focus on the supply chain.

Speaker 2 (04:08):
Absolutely. That particular angle is tracked as UNC6395.
Attackers stole authentication tokens from Salesloft.
You know, their AI chatbot helps generate Salesforce leads, and
then they used those tokens to threaten hundreds of other
companies whose data was exposed via Salesloft. They were
specifically after tokens for cloud services like Snowflake and AWS.

(04:31):
The pattern is clear: find one weak link, get credentials,
leverage that access across potentially hundreds of downstream victims.

Speaker 1 (04:38):
It's a devastating strategy: exploiting trust, exploiting the supply chain,
using social engineering. But they must also have some serious
tech tools to operate at this speed. Let's talk about
their toolkit, because it seems like a mix of cutting-edge
exploits and, well, some surprisingly old tricks.

Speaker 2 (04:52):
Right, and that mix tells you something about how they
share intel. They're definitely using zero-days, vulnerabilities that vendors
haven't patched yet. Find them or, more likely, quickly get
their hands on exploits developed by others.

Speaker 1 (05:04):
Can you give an example of that sharing?

Speaker 2 (05:06):
The big one recently was this critical flaw in Oracle's
E-Business Suite. It's tracked as CVE-2025-61882 and
allows remote code execution without
even needing to log in. Now the interesting part is
who used it first. The Clop ransomware group exploited it
back in August 2025, but just weeks later

(05:26):
the scripts to exploit it showed up on the Scattered
Lapsus$ Hunters'

Speaker 1 (05:29):
blog. So they're not just developing their own tools, they're
rapidly grabbing and adapting things from other, maybe even rival, cybercrime

Speaker 2 (05:37):
groups. That seems to be the case. It makes defending
against them incredibly difficult because you're always playing catch-up.
Patching efforts lag behind because the attack methods spread so
fast, and

Speaker 1 (05:47):
it wasn't just high-tech zero-days. You mentioned they
also used simpler malware, even targeting security

Speaker 2 (05:51):
researchers. Yeah, that was bold, trying to silence or disrupt
the people investigating them. They used a known backdoor called
AsyncRAT. It was through very targeted phishing messages, sometimes even
including physical threats, trying to scare researchers into clicking a bad

Speaker 1 (06:06):
link. And AsyncRAT itself, what can it

Speaker 2 (06:08):
do? It's pretty potent. It's .NET-based, uses a custom
protocol. You can log keystrokes, capture screenshots, steal files and,
crucially, scrape saved passwords and credentials from browsers like Firefox and

Speaker 1 (06:20):
Chrome. And how did they disguise this potent malware? You
said it was low-tech.

Speaker 2 (06:24):
Almost comically low-tech, but effective. They disguised AsyncRAT as
a Windows screensaver file, a .scr

Speaker 1 (06:31):
file. A screensaver file? That sounds like something from the
nineties. It is, but it

Speaker 2 (06:36):
still works on some Windows setups. Just viewing the file
icon in a folder can be enough to launch the hidden
trojan, no need to even double-click. Just shows they'll
use whatever works, old or

Speaker 1 (06:44):
new. Okay, so they've been running rampant with these techniques for
months, but then came the law enforcement response. Let's talk
about the takedown of BreachForums, a major

Speaker 2 (06:53):
blow. The main website, breachforums.hn, was seized on October 10,
2025. This was a joint operation, US
and French authorities working together. The telltale sign was the
website's nameservers suddenly pointing to ns1.fbi.seized.gov
and ns2.fbi.seized.gov.
That message got out fast in the

Speaker 1 (07:14):
underground. What did that seizure mean practically for the group
and its users? What was the immediate damage? It was

Speaker 2 (07:21):
significant. ShinyHunters themselves confirmed it via a signed message,
basically saying the seizure was unavoidable, and the really damaging
part for users: they admitted all forum database backups since
2023, plus the escrow databases used for secure,
high-value illegal deals, were compromised. They're now in law enforcement

(07:41):
hands. That's

Speaker 1 (07:42):
huge. That's not just taking a website offline, that's potentially identifying
information, private messages, transaction histories, years of data.

Speaker 2 (07:50):
Exactly, a massive operational security failure for everyone involved with the
forum. But this is a big but: did it actually
stop the ongoing extortion campaign? No, it didn't. Right, that
was my next

Speaker 1 (07:59):
question. They put up that statement saying the era of
forums is over. Was that genuine or just trying to
save face after a big

Speaker 2 (08:06):
hit? Probably a bit of both. Look, the main website was gone,
yes, but their Tor site, the dark web leak site,
that stayed up, and they specifically said the planned data
leak for Salesforce, for companies that hadn't paid, was still
happening that night, right on schedule. The seizure didn't stop

Speaker 1 (08:23):
that. So the message is: you took our clubhouse, but
we still have the stolen goods and we can still release

Speaker 2 (08:29):
them. That's essentially it. And the "era of forums is
over" line, that's strategic. They're telling everyone, don't trust these kinds
of sites anymore, they're like the honeypots run by the
cops. They explicitly said they wouldn't launch another forum. It
signals a shift away from those centralized, vulnerable

Speaker 1 (08:47):
platforms. And all this is happening while the legal screws
are tightening globally, right?

Speaker 2 (08:51):
Definitely. You see more international cooperation leading to arrests and
charges, like the recent UK-US actions against alleged members, including
a nineteen-year-old, led You bear, and you also
had the significant sentencing, ten years for Noah Michael Urban,
who's only twenty, for his part in huge earlier attacks
like the ones on MGM Resorts and Caesars Entertainment. The

(09:11):
consequences are becoming very.

Speaker 1 (09:12):
real. Okay, so let's try and synthesize what we've learned
today. We've seen this very adaptable kind of loose collective,
Scattered Lapsus$ Hunters, hitting major companies by exploiting third-party
weaknesses, the software supply chain, and using clever social engineering,
but at the same time law enforcement is having success
taking down their main communication channel, grabbing huge amounts of user

(09:35):
data and forcing them to change.

Speaker 2 (09:36):
tactics. Yeah, the key thing for you, the listener, to
take away is how dynamic this all is. The threat
landscape shifts constantly. They move from attacking endpoints to attacking
the cloud supply chain. Takedowns like BreachForums disrupt infrastructure,
sure, and expose past activity, but the data they've already
stolen, it's still out there, and the group just pivots,
using the dark web, maybe other methods, to continue their operations.

Speaker 1 (09:59):
Which brings us to our final thought. Given how fast
these groups adapt, jumping from vishing to using brand new zero-days,
and given that explicit statement, the era of forums is
over, what comes next? What kind of communication or coordination
method do you think could replace that traditional hacker forum
model for running these large-scale extortion campaigns in the
future? Something to ponder.

© 2025 iHeartMedia, Inc.