In early January 2026, one of the largest automated investment platforms in the United States found itself exposed not by a software flaw or a zero-day exploit, but by a far more familiar weakness, trust. Betterment suffered a data breach that exposed sensitive customer information after attackers abused a trusted third-party platform, rapidly converting stolen access into a large-scale crypto scam.

This incident was not accidental, opportunistic, or novel. It was the deliberate work of Scattered Lapsus$ Hunters, a cybercriminal ecosystem that has refined identity abuse into a repeatable intrusion model. The breach highlights a growing reality for fintech and beyond, attackers no longer need to break systems when they can convincingly impersonate them.

A Quiet Breach With Loud Consequences

On January 9, attackers gained access to third-party software used by Betterment for customer communications through social engineering. Rather than targeting core financial systems, the operation focused on exploiting the implicit trust embedded in outsourced platforms, a tactic increasingly favored by modern threat actors.

Once access was secured, fraudulent messages were sent to Betterment customers, disguised as legitimate company notifications. The messages promoted a classic crypto giveaway scam, promising to triple cryptocurrency deposits sent to attacker-controlled wallets. Because the messages originated from a trusted communication channel, the scam carried a level of legitimacy that would have been difficult for many recipients to immediately question.

Betterment quickly disabled the compromised access and warned customers through official channels. The company stated that no passwords, Social Security numbers, or investment accounts were directly accessed. However, the damage had already been done.

The Data That Slipped Through the Cracks

The attackers exfiltrated personally identifiable information, including:

• Full names

• Email addresses

• Physical addresses

• Phone numbers

• Dates of birth

Subsequent analysis indicated that more than 1.4 million unique customer records were exposed. While this data does not enable immediate account takeover, its value lies elsewhere. Aggregated PII fuels identity fraud, targeted phishing, SIM swapping, and high-confidence impersonation campaigns.

This reflects a broader shift in attacker priorities. Instead of going after transactional control, adversaries increasingly harvest data that enables scalable deception. The financial impact may not be immediate, but the downstream risk persists long after breach notifications fade.

Anatomy of the Attack, Identity Over Exploitation

This intrusion did not rely on advanced malware, zero-days, or persistence mechanisms.

• No core banking systems were compromised

• No vulnerabilities were publicly disclosed

• Access was gained through deception, not exploitation

A third-party SaaS platform became the entry point, demonstrating how communication and marketing systems now function as trust delivery mechanisms, not peripheral tools. Once compromised, they allow attackers to speak with the full authority of the brand.

This model bypasses many traditional security controls. MFA, EDR, and network segmentation offer limited protection when an attacker successfully convinces a system, or a human, that they belong.

Attribution, Scattered Lapsus$ Hunters Behind the Breach

The Betterment breach was carried out by Scattered Lapsus$ Hunters, a federated cybercriminal brand that has emerged as one of the most disruptive forces in recent years.

Scattered Lapsus$ Hunters is not a single hierarchical group. It is a loosely connected ecosystem of operators that consolidated reputational and operational elements from Scattered Spider, ShinyHunters, and LAPSUS$. Rather than merging infrastructure, the cluster operates as a shared brand, amplifying visibility, credibility, and intimidation across campaigns.

This federated model allows multiple actors to collaborate, imitate, or operate independently while benefiting from a common identity. The result is a threat actor that behaves less like a gang and more like a franchise.

A Brand Built on Identity Abuse and Visibility

According to threat intelligence reporting, Scattered Lapsus$ Hunters prioritizes social engineering and trust exploitation over technical sophistication. Their operations consistently feature:

• Impersonation of internal IT staff, vendors, or partners

• Social engineering of employees and third parties

• Abuse of SaaS platforms and identity workflows

• Rapid data exfiltration followed by immediate monetization or extortion

• 

  
  

Unlike traditional ransomware groups, Scattered Lapsus$ Hunters favors speed and impact over stealth. Access is obtained, leveraged, and discarded quickly. Data is weaponized immediately, either for extortion, resale, or follow-on fraud.

The Betterment operation fits this pattern precisely. Stolen access was used within hours. Data was repurposed for scam delivery rather than long-term persistence. The objective was not infrastructure control, but trust hijacking at scale.

Strategic Implications for Fintech

The breach underscores several uncomfortable truths for financial platforms:

1. Third-party platforms expand the attack surface. Any system that communicates with customers inherits brand authority, and therefore risk.

2. PII is now a primary objective. Data that enables impersonation is more scalable than direct theft.

3. Attribution models are changing. Federated threat brands blur traditional group boundaries, complicating defense and response.

Regulatory scrutiny around third-party risk, data protection, and disclosure is likely to intensify as incidents like this continue.

The Show Ends in Rotherham

The curtain dropped in an unremarkable flat in Rotherham. Inside: laptops, hard drives, and one man who fancied himself both digital warrior and cyber-rockstar.

Al-Tahery Al-Mashriky, 26, wasn’t new to the stage. For years, he’d carved his name into the internet with defacements plastered across government domains, faith-based organizations, and even critical infrastructure. His favorite calling cards? Political slogans, ideological manifestos, banners screaming into the void. NCA investigators were able to link Al-Mashriky to the Yemen Cyber Army through social media and email accounts.

But when the National Crime Agency came knocking, they didn’t just find a graffiti artist in the digital alley. They found millions of stolen credentials—Facebook, Netflix, PayPal, entire swathes of everyday life siphoned off and stashed away like trophies.

The “hacktivist” label was theater. The credential thief was the truth.

Hacktivism as Stage Prop

Defacements are the oldest cyber trick in the book. They’re cheap, they’re loud, they get headlines. They also distract.

Al-Mashriky’s game wasn’t advanced exploitation—it was repetition. He didn’t need zero-days or bespoke implants. He preyed on the weak, the misconfigured, the forgotten. Each compromised site was another billboard for ideology, another performance to prove he mattered.

But behind the flashing banners, another show was running:

• Harvested credentials spilling out of his devices.

• Millions of logins sitting in neat little lists ready for resale or reuse.

• Access turned into currency, traded in the dark corners where digital chatter never stops.

This wasn’t hacktivism. This was fraud draped in politics.

The Ego Economy

Cybercrime has its own economy, and ego is the tax you can’t avoid.

Al-Mashriky didn’t just hack—he bragged. On forums and in groups, he claimed 3,000 websites in three months. Not for money, not even for ideology—but for recognition.

Every boast was an IOU to investigators. Every defacement a breadcrumb. Every credential dump another nail in his digital coffin.

And in the end, it wasn’t the millions of stolen logins that brought him down. It was the performance. The need to be seen. The compulsive posting of proof.

Why the Sentence Matters (and Why It Doesn’t)

On August 15, 2025, the UK court handed him 20 months in prison. For some, that sounds light. For others, it’s symbolic: a line in the sand that hacktivism isn’t harmless vandalism—it’s data theft, fraud, and operational disruption wrapped in a slogan.

But here’s the uncomfortable truth: while Al-Mashriky serves time, the tactics don’t. Defacement will remain a smokescreen. Credentials will remain currency. And the next ego-driven operator is already warming up backstage.

The CodeAIntel Breakdown

• Defacement is theater. It grabs headlines, it confuses responders, but it’s never the real play.

• The real payload is identity. Stolen logins fuel fraud, social engineering, and resale markets. That’s where the money—and the damage—lives.

• Ego is the investigator’s ally. Bragging rights on forums accelerate investigations faster than malware signatures ever will.

• Sentences are signals, not solutions. Punishment sets precedent, but the cycle persists until credentials stop being the weakest link.

What To Do (Before You’re the Next Stage)

1. Audit and isolate. Stop assuming your public-facing site is “too small” to matter. If it can be defaced, it can be used.

2. Credential hygiene isn’t optional. Weak or reused passwords are still the number-one breach vector. Kill them before they kill you.

3. Monitor your name in the underground. If your org pops up in a dump, you’re not the first to know—you’re the last.

4. Don’t chase graffiti. If your SOC is consumed by web banners, the real damage—the credential theft—has already passed you by.

Final Word

Al-Mashriky thought he was scripting ideology into cyberspace. In reality, he was a middle-tier credential broker with a flair for banners and a desperate need for clout. The NCA closed his act, but the stage is never empty.

Somewhere else, another defacer is polishing their slogans, another ego is counting breached sites, and another organization is about to mistake propaganda for the real payload.

At CodeAIntel, we don’t watch the slogans. We watch the trade. Because in cybercrime, the show is never on stage—it’s always in the backroom.

Soruce: https://www.nationalcrimeagency.gov.uk/news/serial-hacker-who-defaced-official-websites-is-sentenced

What Actually Happened

On July 9, French police picked up Stanislav Makshantsev, a 32-year-old Russian pro basketball player, in Provence.
They grabbed him on a U.S. extradition request.
Why?
He’s accused of helping the Hive ransomware gang wash their ransom cash.
At least $200,000 in victim payments tracked so far, but prosecutors say that’s just the tip.

The Real Charges

He didn’t run the ransomware, he didn’t code it, he didn’t pop the boxes.
He laundered the profits, according to U.S. charges.
Multiple bank accounts, crypto swaps, shell companies, all the usual tricks.
Hive was one of the nastiest crews around, hitting hospitals, schools, critical infrastructure until the FBI knocked them over in early 2023.
Without a launderer, none of that ransom money sticks.
Simple math.

The Double Life

Day job? Semi-pro hoops, Russian national youth team vet, local club contract in France.
Night gig? Allegedly moving dirty crypto, turning extorted Bitcoin into clean money.
He lived in France for years, nobody blinked.
No hoodies in a basement, just a sports jersey and a side hustle that paid more than any mid-tier court ever could.

Why It Actually Matters

Everyone thinks ransomware is just the code.
It’s not.
The real choke point is the cash out.
No mules, no accounts, no shell companies?
No payday.
Crews like Hive live and die by their launderers.
They don’t wear ski masks, they blend in.
Athletes, influencers, gig workers with clean credit — anyone who can slip big payments past nosey banks.

What’s Next

Makshantsev’s lawyers say it’s all political, but the U.S. wants him on a plane.
He’s stuck in French detention fighting the warrant.
Either way, he’s now the face of an old lesson: ransomware isn’t just code, it’s people.
Your real risk might be playing pick-up ball while moving millions for someone else’s extortion ring.

The CodeAIntel Take

People keep looking for threat actors in basements, but your real threat actor might be draining your account, then draining three-pointers the next day.
This is hybrid crime at its cheapest.
Take away the money guys and the whole ecosystem starves.
Watch the money, watch the mules, and stop assuming everyone with a clean record is really clean.
Stay loud, stay paranoid, keep your eyes on the cash.

The Forum That Wouldn’t Die

BreachForums (the V2 version) rose from the ashes of RaidForums and the original BreachForums, both dismantled in high-profile takedowns. But like malware with persistence mode, it came back.

This wasn’t just another forum. It was a full-blown marketplace, coordination hub, and PR machine for cybercriminals. And its cast of characters? Top-tier:

• ShinyHunters – Known for high-volume credential leaks. Think Ticketmaster, AT&T, and dozens more.

• IntelBroker – Credited (or blamed) for leaks targeting U.S. agencies, including the DC Health Link (which manages data for members of Congress).

• Hollow, Noct, Depressed – Moderators, orchestrators, facilitators. The infrastructure layer.

Together, they didn’t just post data—they ran a platform that industrialized cybercrime.

The French Connection

These weren’t distant arrests from a faceless country. French authorities went hard: coordinated raids in Paris, Normandy, and even Réunion Island. Why? Because the forum had been directly tied to breaches of French organizations like SFR and France Travail (ex-Pôle Emploi). That’s millions of French citizens’ data burned—an attack on national infrastructure.

And yes, they were reportedly operating under the BreachForums banner until at least April.

Why It Matters (More Than You Think)

This isn’t just about shutting down another .onion domain. It’s about cutting the head off the hydra.

• Leadership matters. These weren’t low-level posters. This was the command structure.

• They weren’t anonymous. Despite all the opsec memes, these actors had fingerprints. Digital and physical.

• BreachForums was infrastructure. Without it, affiliate leaks, ransomware proof-packs, and data resale pipelines stall.

Also: it proves that coordinated law enforcement still works when it hits the right targets.

But Don’t Celebrate Too Soon

Forums like this don’t die. They mutate.

ShinyHunters goes down? Someone else will copy the brand. IntelBroker disappears? Another persona will emerge with the same tone and tools.

The idea of BreachForums—a scalable, moderated data crime platform—is harder to kill than the admins who built it.

What’s next:

• A diaspora of members moving to alt forums and Telegram

• Clones, rebrands, and phoenix domains

• Law enforcement lurking in places we haven’t seen yet

The CodeAIntel Take

This takedown is a tactical win. But we’re in a long war.

Criminal forums today aren’t just message boards. They’re logistics chains. They run on crypto, they enforce refunds, they manage disputes, and they move at the speed of startup culture.

In dark corners of Russian-run cyber marketplaces, that chilling pitch isn't hyperbole, it’s the daily reality. What feels like a minor revelation is actually a full-blown violation: Russian hackers are trading detailed profiles of American citizens, drawn from active U.S. databases. And they’re doing it with the audacity of open markets, crypto wallets in hand.

The Digital Bazaar: How It Works

On underground forums (many multilingual in Russian and English), vendors publish menus that look disturbingly benign:

• SSN + DOB: $7

• SSN last 4 + DOB: $4

• Reverse SSN lookups: $8

• Driver’s license info: $8

• Mother’s maiden name: $15

• Address, phone number, VIN: $2 each

These aren’t scraps, they’re pulled straight from leaked U.S. databases. Each entry is carefully packaged: full names, birth dates, license info, even credit histories, all ready-to-use for identity theft, fraudulent loan applications, or covert espionage.

Crypto Payments & Moscow Time Shifts the Blame

Yes, payments are anonymous, primarily in Bitcoin (BTC) or Tether (USDT), and support is “respectful” and professional (their words, not ours). The entire operation runs like a legitimate business: wholesale orders handled individually, 100% upfront payments, refunds if the data’s invalid, and a service window aligned to “12:00–00:00 Moscow time.”

It’s a chilling normalization of cybercrime, no red flags, no reservations, just cold, transactional logic shrouded in digital deniability.

Why This Is More Than Just Identity Theft

Let’s unpack the far-reaching implications:

• High precision tools for mass deception
  Hackers aren’t randomly guessing identities, they’re deploying complete dossiers. Imagine someone using stolen SSN and DOB paired with driver’s license info to open lines of credit in minutes.

• State-enabled infrastructure, state-enabled reach
  The tone, language, and timing suggest these actors are embedded somewhere within Russian-aligned cyber ecosystems, part of infrastructure orchestrated for geopolitical advantage.

• Psychological warfare on the U.S. public
  It’s not just data, it’s a message: “We’re inside your databases, and we know your identity.” Undermining trust in systems is subtle but destabilizing.

The Underlying Threat: Digital Sovereignty at Risk

This isn’t just about credit card theft, it’s about erosion of digital sovereignty. U.S. citizens are waking up to cold, hard proof that their lives are on sale in foreign cyber marketplaces. Where once we worried about traditional hacking and ransomware, now our identities are commodities.

As transactional data becomes more granular and accessible, these markets could fuel everything from deepfakes to targeted political influence campaigns.

Final Thought

The next time you hear that identity theft is “just a minor inconvenience,” remember this: Russian hackers are actively selling your identity, SSNs, driver licenses, phone numbers, as if they were spare keys. And it’s not happening in some hidden corner of the internet, it’s on display, near-globally accessible, and frighteningly well-structured.

Americans need to wake up. Our digital selves are under siege, and above all, we must treat them as assets worth defending.

The Truth Behind the "ChatGPT Hack" Claims

In the last days, the cybersecurity community has been buzzing with alarming headlines about a so-called "ChatGPT data breach." A widely circulated post on underground forums claimed that a threat actor had stolen 20 million OpenAI account credentials, offering them for sale at a nominal price. However, as is often the case in the cybercrime ecosystem, the reality is far different from the sensationalized claims.

The alleged "breach" was, in fact, another case of stealer logs being marketed as a large-scale compromise. Instead of a direct breach of OpenAI’s systems, these credentials were most likely harvested through infostealer malware deployed on compromised devices. Infostealers like RedLine, Raccoon, and Vidar are commonly used by cybercriminals to extract saved credentials from infected systems, later repackaging and reselling them under the guise of a large-scale hack. This pattern has been seen before, with previous "hacks" of platforms such as Netflix, Facebook, and LinkedIn often being nothing more than aggregated logs from compromised users.

The Difference Between a Breach and Stealer Logs

A genuine data breach occurs when an attacker successfully infiltrates a system, extracting sensitive information directly from the target’s infrastructure. This often results from security misconfigurations, zero-day vulnerabilities, or credential stuffing attacks. On the other hand, stealer logs contain credentials stolen from individual users’ devices, often obtained through phishing campaigns, malicious browser extensions, or Trojanized software downloads. While both pose security risks, the implications of a direct database breach are far more severe, as they indicate flaws in the organization’s security posture.

Unlike a stealer log dump, a direct database breach means the attacker had access to user communications, stored information, and potentially proprietary data—something far more damaging than a simple credential theft. And that brings us to the latest, more concerning case: OmniGPT.

OmniGPT’s Massive Data Leak: 30,000 Emails, 34 Million Messages

While OpenAI’s systems remain uncompromised, a new breach has surfaced, affecting OmniGPT.co—a lesser-known ChatGPT alternative. A hacker operating under the alias "Gloomer" recently posted on a cybercrime forum, offering a database containing:

• 30,000 user emails and phone numbers

• 34 million messages exchanged between users and the chatbot

• Files uploaded by users, potentially containing sensitive information

The leaked messages, according to the threat actor, may contain API keys, credentials, and billing information—an alarming prospect considering the growing reliance on AI chatbots for professional and personal use.

Unlike the misleading OpenAI breach claims, this OmniGPT leak appears to be legitimate. However, the exact method of compromise remains unknown. Possible explanations include a misconfigured database, an exposed API endpoint, or an insider threat. Given that the breach contains both user communications and metadata, it is likely that the attacker gained full access to OmniGPT’s backend systems.

Implications and Lessons

This breach serves as yet another reminder that AI-driven platforms, particularly third-party alternatives to mainstream models, are becoming attractive targets for cybercriminals. Users should be especially cautious when entering sensitive information into these platforms, as their security standards may not match those of established companies like OpenAI or Google.

Additionally, organizations must enforce strict data protection measures, including:

• Proper encryption of stored user data

• Regular security audits and penetration testing

• Restricting API access to authorized users

• Implementing multi-factor authentication (MFA) for administrative access
  

While OpenAI users can breathe easy knowing the recent claims were exaggerated, OmniGPT users should take immediate precautions, such as changing associated credentials and reviewing any sensitive data they may have shared.

As AI adoption continues to accelerate, so too will the cybersecurity threats against these platforms. Staying informed and vigilant is no longer optional—it’s a necessity.

What Happened?

Crazy Evil operates as a well-coordinated traffer network, specializing in identity fraud, cryptocurrency theft, and malware distribution. The gang relies on traffers—social engineering experts—who redirect legitimate traffic to malicious phishing pages. These traffers exploit platforms like Telegram, where their network operates under the alias @c, boasting over 4,800 subscribers.

Since at least 2021, Crazy Evil has acted as an intermediary, directing traffic to botnet operators who compromise users based on region, operating system, or specific targeting needs. According to researchers, their model closely resembles lead generation, but instead of selling products, they deliver victims to cybercriminal groups.

Unlike typical e-commerce scams, Crazy Evil specializes in digital asset theft, targeting non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. Their operations have generated over $5 million in illicit revenue and compromised tens of thousands of devices worldwide.

Why This Matters

While many scam groups operate within narrow silos, Crazy Evil’s malware arsenal spans both Windows and macOS, broadening their attack surface. Their campaigns are highly targeted, with traffers spending days or weeks conducting reconnaissance before launching attacks.

Recent exit scams involving cybercrime groups Markopolo and CryptoLove have left a gap in the black market, and Crazy Evil has stepped in to fill the void. Their tactics have evolved into a fully structured affiliate program, offering instruction manuals, crypter services, and operational support to traffers.

Crypto Drainer Malware Operations

Crazy Evil operates through multiple sub-teams, each managing a specific scam to spread malware under the guise of legitimate services:

• AVLAND (AVS | RG or AVENGE) – Uses fake job offers and investment scams to distribute StealC and AMOS via a fake Web3 tool called Voxium.

• TYPED – Propagates AMOS stealer disguised as an AI software named TyperDex.

• DELAND – Spreads AMOS stealer under the pretense of a community development platform called DeMeet.

• ZOOMLAND – Uses phishing pages impersonating Zoom and WeChat to infect users with AMOS stealer.

• DEFI – Distributes AMOS stealer via a fake digital asset management service named Selenium Finance.

• KEVLAND – Spreads AMOS stealer disguised as AI-powered virtual meeting software called Gatherum.
  

  

The Bigger Picture

Crazy Evil’s model represents the next evolution of cybercrime-as-a-service (CaaS). With the use of Telegram as a command hub, traffers are directed to private channels, each dedicated to specific criminal activities:

• Payments Channel – Tracks traffers’ earnings.

• Logbar – Provides details of stolen credentials and attack successes.

• Info Channel – Shares administrative and technical updates.

• Global Chat – Acts as a general forum for traffers.

Beyond phishing attacks and malware distribution, Crazy Evil’s tactics mirror those of nation-state actors in the way they conduct intelligence gathering before deploying malware. Their approach involves deep reconnaissance, personalized phishing lures, and persistent targeting of high-value cryptocurrency users.

The Bottom Line

As long as crypto scams remain lucrative, groups like Crazy Evil will continue to evolve. Their highly structured, well-organized trafficking system makes them an ongoing threat to the cryptocurrency sector. Cybersecurity teams must remain constantly vigilant as criminals refine their social engineering playbook.

The game is changing. Threat actors aren’t just using malware—they’re building entire business models around deception, infiltration, and monetization.

Stay ahead. Stay informed.

These weren’t just your average forums. They were breeding grounds for cybercrime, offering everything from stolen credentials to cracked software, botnets, malware, and fraud tools. And now? They’re gone.

What Happened?

Late last night, visitors to Cracked.io, Nulled.to, Sellix.io, Mysellix.io, and Starkrdp.io were met with a familiar sight—a government seizure notice stamped with the logos of the FBI, DOJ, and international law enforcement partners.

The forums, which collectively boasted millions of registered users, have been under surveillance for months. Authorities didn’t just take them down; they likely scooped up huge amounts of user data, which could mean arrests are incoming for high-profile members.

Why Does This Matter?

This is not just another forum takedown. This move hits some of the biggest marketplaces for cybercriminal tools and data—and it sends a clear message: law enforcement is closing in.

Here’s what made these forums different:

Massive marketplaces for stolen credentials – Data dumps, login breaches, and leaked databases were constantly traded.

Cracked software & malware distribution – These forums specialized in breaking software protections and repackaging malware-laced programs.

Cybercrime-as-a-service (CaaS) – Botnets, phishing kits, and automated attack tools were available for purchase.

This isn’t just about these forums. It’s about the underground’s ability to keep operating.

What’s next?

Users will scatter to new forums, Telegram groups, and dark web sites.

Law enforcement is watching. This kind of takedown doesn’t happen without long-term surveillance. Expect more busts.

Leaked user data? If the FBI has full access to forum databases, high-profile members could be exposed, arrested, or doxxed.

The Bottom Line

For years, these forums were the go-to platforms for cybercriminals looking for tools, stolen credentials, and illicit services. Now, they’re gone—and their users are on the run.

But the cycle continues. Another forum will rise. Another takedown will follow.

The game never stops. But for now? Law enforcement is winning.

Stay ahead of the underground. Subscribe to CodeAIntel for exclusive insights into the cybercrime ecosystem.

Belsen Group has kicked off 2025 with a cyberattack that sends shockwaves through the global cybersecurity community. On the infamous BreachedForums, the group announced their acquisition of sensitive data from over 15,000 Fortigate devices worldwide. The leaked data, categorized by country, includes full configuration dumps and VPN password files. What’s more, this trove of information is being offered completely free, signaling a bold and potentially catastrophic cyber incident.

What Happened?

A ZIP file shared by the Belsen Group contains folders for each targeted IP address. Inside each folder are two critical files:

1. config.conf – A full configuration dump of the Fortigate device.

2. vpn-passwords.txt – Sensitive VPN access credentials.

Analysis reveals that the leaked data likely originates from Fortigate 7.x and 7.2.x devices, hinting at a potential zero-day exploit in Fortinet’s latest firmware. Some of the IP addresses even align with Shodan, a search engine for internet-connected devices, suggesting targeted reconnaissance was employed to identify these systems.

The legitimacy of the data is supported by the unique configurations and the alignment of these devices to Shodan queries, demonstrating a calculated and effective breach.

Why This Matters

The scale of this breach, affecting over 15,000 devices in both governmental and private sectors, underscores the severity of the attack. Here’s why it poses a significant threat:

• Network Compromise: With access to configuration files and VPN passwords, attackers could infiltrate sensitive networks undetected.

• Zero-Day Exploit: The possibility of an unreported Fortigate vulnerability means thousands of organizations worldwide are at immediate risk.

• Supply Chain Implications: Breached Fortigate devices could serve as entry points for further attacks, compromising entire ecosystems.
  

  

The Bigger Picture

This incident is another example of threat actors exploiting overlooked or undisclosed vulnerabilities in widely used systems. Fortinet devices are staples in the cybersecurity infrastructure of countless organizations, and a breach of this magnitude undermines trust in critical systems.

The Belsen Group’s audacity to release the data for free adds a layer of chaos to the event. While some see it as an act of defiance, it’s clear that this move was designed to attract attention, disrupt systems, and erode confidence in cybersecurity standards.

The Bottom Line

This is a wake-up call for organizations relying on Fortinet products. Immediate actions to mitigate risks include:

• Audit and Update: Ensure devices are running the latest firmware versions, and review configurations for vulnerabilities.

• Change Credentials: Update all VPN credentials as a precaution.

• Monitor Traffic: Proactively monitor for unauthorized access or unusual network behavior.

The Belsen Group has made a bold statement, but this is far from the end of the story. The incident demonstrates that no organization, no matter how robust its security measures, is immune to determined threat actors.

P.S

[Bergen-]Belsen, commonly known as Belsen, was a Nazi concentration camp located in Lower Saxony, Germany. Established in 1943, it initially functioned as an "exchange camp," where Jewish hostages were detained with the intent of exchanging them for German prisoners of war held overseas.

What Happened?

The enigmatic figure known as Hikki-Chan, an alleged administrator of the infamous Hellcat ransomware group, has found themselves under an even “brighter” spotlight. A recent "interview" conducted by the infamous hacker named Grep attempts to paint Hikki as a credible, skilled threat actor. However, upon closer inspection, this effort seems to be an orchestrated ploy to bolster a false narrative.

It all started with a small Telegram group (Nice name Grep) that published what seem to be an interesting article..

Why This Matters

The cybersecurity community must remain cautious about the glorification and legitimization of individuals like Hikki-Chan. By feeding into the mythos of so-called "elite" hackers without thorough validation, we risk giving undue credibility to actors who may not actually possess the prowess they claim.

More importantly, the attempts to elevate Hikki-Chan's status through platforms like Grep’s "interview" serve as a reminder of how social engineering extends beyond direct hacking tactics. This is a psychological operation aiming to instill fear, recruit, and distract from the real operators behind Hellcat's campaigns.
As you can see in the beginning of the “Interview” (Don’t forget the remember that face) :

The Projection Method

Rey, don’t deny.. misinformation is exactly what you are doing, its called Projection:

Projection is a defense mechanism where an individual unconsciously attributes their own thoughts, feelings, or behaviors to someone else to avoid acknowledging them within themselves.

For example:

• If someone is lying but accuses others of dishonesty, they are projecting their behavior onto others.

More False Claims

I've never seen any attempt of you to contact me and provide different data that could affect my attribution. I am still 90% sure your are IRGC affiliated, and more then that, based on your BF posts and databases you “Hacked’ (more like reposted), you are a phony.

The Bigger Picture

Hellcat ransomware has caused considerable disruption, but attributing its success solely to Hikki-Chan may be a deliberate diversion. The group has targeted sensitive industries, leveraging advanced tools and techniques—characteristics that often require a collective effort rather than the work of a single individual.

This narrative manipulation has larger implications:

• Recruitment Tactics: Fabricating a "leader" persona can attract aspiring hackers seeking guidance or notoriety.

• Media Manipulation: Sensational stories about "master hackers" distract from actual investigative efforts into Hellcat's broader network.

• Security Posturing: Overestimating or mischaracterizing adversaries can lead organizations to focus on the wrong defensive priorities.

  

  
  

Did you remember the face?

The Bottom Line

The cybersecurity community cannot afford to be swayed by smoke and mirrors. While figures like Hikki-Chan dominate headlines, the real focus should remain on dismantling the infrastructure supporting Hellcat ransomware operations.

Don’t be misled by flashy interviews or hyped personas. The real danger lies in the shadows, and uncovering it requires vigilance, critical thinking, and collaboration across the cybersecurity ecosystem.

The Exploit at a Glance

• What it does: The exploit manipulates a buffer overflow in the LZMA stream decoder of 7-Zip, allowing attackers to execute arbitrary code. A seemingly harmless .7z file could trigger this exploit when opened, delivering a payload like launching calc.exe—or worse.

• How it works: It leverages malformed streams to tamper with internal buffer pointers, creating an opening for shellcode execution. With some adjustments to offsets, attackers can tailor it to specific targets.

• Impact: If successfully exploited, this vulnerability could allow attackers to take complete control of a victim's system, putting businesses, individuals, and even critical infrastructure at risk.

  

The Role of @NSA_Employee39

This isn’t the first time @NSA_Employee39 has stirred controversy on X. Known for sharing exploit code and vulnerability disclosures, their account has become a magnet for both aspiring hackers and concerned cybersecurity professionals. Their followers have grown rapidly in the wake of these leaks, and their posts often spark heated debates about the ethics of public exploit disclosure.

Key highlights from the X post:

• A Pastebin link to the exploit, openly shared with followers.

• Mentions of further 0-day drops planned for the week, keeping the community on edge.

  

What’s the Bigger Picture?

This leak is part of a broader trend of 0-day vulnerabilities being dropped publicly. While some see this as irresponsible, others argue that exposing these exploits forces vendors to act quickly to secure their software.

Key concerns:

• Attackers’ playground: Threat actors now have an advanced exploit at their disposal, potentially increasing attacks against unpatched 7-Zip versions.

• Wider reach: 7-Zip is used globally, from enterprise environments to individual users, making this a high-impact vulnerability.

• Ethics of disclosure: The public nature of @NSA_Employee39’s post reignites debates over whether such leaks do more harm than good.

Why It Matters

The release of this exploit highlights several pressing issues in cybersecurity:

• Patch urgency: If you’re using 7-Zip, update to the latest version immediately—or risk being an easy target.

• Public vs. private disclosure: The ethics of dropping exploits publicly without prior vendor notification remain hotly debated.

• Influence of X profiles: The platform is becoming a significant hub for exploit releases, bringing both awareness and chaos to the cybersecurity space.
  

  

What Should You Do?

1. Update your software: Check for the latest version of 7-Zip and apply updates immediately.

2. Audit your environment: Review where 7-Zip is used in your organization and consider alternatives for critical workflows.

3. Monitor for threats: Security teams should look for indicators of exploitation targeting this vulnerability.

This latest 0-day drop is a sobering reminder of the fragility of our digital tools—and the chaos that can unfold when they’re exploited. Platforms like X are proving to be double-edged swords: a space for knowledge sharing and a battlefield for cyber vulnerabilities.

Welcome to the wild world of Operation Trojan Shield, the FBI’s backdoored encrypted phone system, Anom.

Now, the spotlight has turned to Afgoo, the mysterious figure who proposed Anom to the FBI, built it, and helped take down over 12,000 criminal users, netting 27 million intercepted messages along the way. But as new legal filings show, Anom's legacy might not be as clean-cut as law enforcement hoped.

What Is Operation Trojan Shield?

In 2018, Afgoo, a confidential human source (CHS), approached the FBI with a proposition: take over the embryonic Anom encrypted phone system he was developing. The FBI, seeing an unprecedented opportunity, agreed. With a secret backdoor installed, Anom became the tool that infiltrated global criminal networks involved in drug trafficking, weapons smuggling, and assassinations.

The results?

• Hundreds of criminal syndicates dismantled in more than 100 countries.

• Major figures taken down, including Hakan Ayik, leader of the billion-dollar Aussie Cartel.

• Tens of millions of messages intercepted, uncovering plots ranging from narcotics shipments to murder-for-hire schemes.
  

  

Why Is Afgoo in the Crosshairs?

Now, a defense attorney representing Alexander Dmitrienko, one of 17 defendants charged in connection with Anom, is demanding the government reveal Afgoo’s identity. Why? Because Afgoo wasn’t just a passive informant—he was allegedly the key architect of Anom, making him a crucial witness.

Afgoo’s contributions, according to court filings, include:

• Acting as the principal organizer, promoter, and technician for Anom.

• Running Anom on behalf of the FBI while working closely with agents.

• Operating under promises of financial compensation ($180,000 in payments) and potential sentence reductions for his own criminal charges.

Defense lawyers argue they need to thoroughly investigate Afgoo’s background to prepare a proper cross-examination. That includes digging into his criminal history, substance abuse issues, and any agreements with the government.

The Risk to Afgoo

Revealing Afgoo’s real identity isn’t just a legal issue—it’s a safety concern. Operation Trojan Shield exposed global criminal networks, including violent drug cartels and organized crime groups. If Afgoo’s identity goes public, he could face serious retaliation from those implicated in the sting.

What’s Next?

Court filings reveal:

• The government will disclose Afgoo’s identity before trial, which is set for March.

• If the case goes to trial, Afgoo may testify, potentially revealing his real name in open court.

The defense has already obtained detailed technical documents about how Anom operated, along with millions of intercepted messages. But they argue that without full disclosure about Afgoo’s role and credibility, their ability to defend the accused is compromised.

The Stakes for Law Enforcement

Operation Trojan Shield was celebrated as a landmark achievement in disrupting organized crime. But as the legal battles unfold, questions arise:

• How far can law enforcement go in using informants to build operations?

• Will exposing confidential sources jeopardize future sting operations?

• Could this case set a precedent for greater transparency in undercover work?

Why This Matters

The Anom saga isn’t just about one informant or one case. It’s about the balance between justice and accountability in global law enforcement. As defense attorneys press for answers, the future of large-scale undercover operations could hang in the balance.

Thanks to Joseph Cox for bringing this information up and the amazing team of 404media.co

This article takes you inside this dark world, explaining the role of IABs, their relationship with stealer logs, and how organizations can defend against this evolving threat.

Who Are Initial Access Brokers (IABs)?

IABs are specialized cybercriminals who sell access to compromised systems. Their offerings typically include Remote Desktop Protocol (RDP) servers, VPN credentials, and other access points to corporate networks. What makes them particularly dangerous is their efficiency. By focusing solely on gaining initial access, they enable other threat actors—such as ransomware operators or espionage groups—to execute their attacks without wasting time on reconnaissance or exploitation.

Example: The Listings Above

The two listings illustrate IAB activity:

• "lacrim" offers access to a manufacturing company in the USA with $27M in revenue, pricing access at $600.

• "Rivka" ups the stakes with a $1B revenue company, selling access for $3,000.

These brokers use forums and dark web marketplaces to auction compromised systems to the highest bidder, often providing details like revenue, industry, and number of accessible hosts to entice buyers.

The Role of Stealer Logs in This Ecosystem

Stealer logs are data dumps created by malware designed to harvest credentials, cookies, and other sensitive information from infected devices. This data becomes the raw material for IABs, who use it to identify and verify vulnerable organizations.

Here’s how it works:

1. Infection: Stealer malware spreads through phishing emails, malicious downloads, or cracked software.

2. Data Harvesting: The malware collects login credentials, session cookies, and other sensitive information.

3. Filtering and Selling: IABs sift through these logs, identifying high-value targets based on organizational size, industry, or geographic location. The access points are then sold to other cybercriminals.

By leveraging stealer logs, IABs can continuously replenish their inventory of compromised systems, creating a self-sustaining economy of cybercrime.

Why This Matters: The Broader Cybercrime Ecosystem

IABs serve as a linchpin in the broader cybercrime ecosystem:

• Ransomware-as-a-Service (RaaS) operators rely on IABs for quick access to corporate networks.

• Data extortion groups use IAB services to identify and breach high-value targets.

• Espionage and sabotage actors may purchase access to cripple industrial competitors or steal intellectual property.

This ecosystem thrives because of the specialization of roles. IABs focus on access, malware developers refine tools like stealers, and ransomware gangs monetize the breach—creating an industrialized chain of cybercrime.

The Risks to Organizations

The risks posed by IABs are significant and multifaceted:

• Financial Losses: Ransom payments, fines, and lost revenue can cripple organizations.

• Operational Disruption: Attacks on manufacturing firms, for instance, can halt production and delay supply chains.

• Reputation Damage: A breach erodes customer trust and damages brand equity.

• Regulatory Consequences: In industries like healthcare or finance, breaches can result in severe penalties under regulations like GDPR or HIPAA.

How to Defend Against IABs

While the threat landscape is daunting, organizations can take several steps to reduce their risk:

1. Implement Strong Authentication:

   • Enforce multi-factor authentication (MFA) to make it harder for stolen credentials to be used.

2. Harden Access Points:

   • Limit RDP and VPN access to essential personnel and implement strict IP whitelisting.

3. Monitor for Threat Intelligence:

   • Use tools that detect if your organization's credentials appear in stealer logs or dark web marketplaces.

4. Invest in Endpoint Detection:

   • Deploy EDR solutions to identify and isolate stealer malware infections early.

5. Train Employees:

   • Conduct regular training to recognize phishing attempts and other social engineering tactics.

6. Regularly Update Software:

   • Patch vulnerabilities promptly to minimize the risk of exploitation.

The Road Ahead

The rise of IABs highlights the industrialization of cybercrime. As organizations grow increasingly dependent on digital systems, they become more attractive to threat actors. By understanding the mechanisms of the cybercrime ecosystem and adopting proactive defenses, businesses can stay one step ahead of the attackers.

The Anatomy of an XSS.is Account Sale

On September 2024, a BreachForums user known as "notwj" posted an offer that sent ripples through the cybercriminal community: fully activated XSS.is accounts, complete with email access. To understand the gravity of this offer, one must first grasp the exclusivity of XSS.is:

1. Vetting Process: XSS.is employs a rigorous vetting system, requiring potential members to demonstrate not only technical prowess but also a history of malicious activities and endorsements from existing members.

2. Technical Barriers: The forum often requires solving complex coding challenges or demonstrating proficiency in specific hacking techniques as part of the application process.

3. Linguistic Hurdle: As a primarily Russian-speaking forum, XSS.is naturally excludes a significant portion of the global cybercriminal community.

4. Reputation System: Within XSS.is, members operate under a strict reputation system, where trust is hard-earned and easily lost.

The sale of these accounts effectively bypasses these safeguards, potentially flooding the exclusive forum with less experienced but equally motivated cybercriminals.

Threat Actor Profile: Unmasking "notwj"

Understanding the threat actor behind these sales is crucial for assessing the broader implications of this development. Here's what we can infer about "notwj" based on their activities:

Operational Security (OpSec)

• Username Choice: "notwj" could be a deliberate misdirection, possibly implying "not white hat/black hat joker," showcasing a playful yet cautious approach to identity concealment.

• Platform Diversity: Operating on both BreachForums and Telegram indicates a strategy to compartmentalize activities and reduce the risk of complete exposure if one platform is compromised.

Implications for the Cyber Threat Landscape

The sale of XSS.is accounts represents a significant shift in the cybercriminal ecosystem:

1. Democratization of Advanced Threats: Less skilled actors now have potential access to sophisticated tools and techniques previously reserved for elite cybercriminals.

2. Increased Attack Surface: Organizations must now contend with a broader range of threat actors capable of launching advanced persistent threats (APTs).

3. Evolution of Cybercriminal Services: This trend may spark a new "Access-as-a-Service" model in the cybercriminal underground, focusing on providing entry to exclusive forums and marketplaces.

4. Challenges for Law Enforcement: The influx of new actors into established cybercriminal circles may complicate ongoing investigations and disrupt existing intelligence gathering efforts.

Conclusion: A New Chapter in Cybercrime

The sale of XSS.is accounts on BreachForums marks a significant milestone in the evolution of cybercrime. It represents not just a breach of an exclusive community, but a potential restructuring of the entire cybercriminal hierarchy. As the barriers between amateur and elite hackers continue to erode, organizations must adapt their security postures to address a threat landscape that is becoming increasingly complex and democratized.

The emergence of actors like "notwj" underscores the need for a dynamic, intelligence-driven approach to cybersecurity. By understanding the technical underpinnings of these transactions and the motivations of the actors involved, defenders can better anticipate and mitigate the next wave of cyber threats.

As we move forward, the cybersecurity community must remain vigilant, collaborative, and innovative. The sale of XSS.is accounts is likely just the beginning of a new chapter in the ongoing saga of cybercrime—one that promises to be more inclusive, more technically sophisticated, and more challenging to combat than ever before.

New threat actors frequently emerge, each claiming responsibility for high-profile attacks. Recently, a figure known as "Hikki-Chan" has gained notoriety on hacking forums. However, careful analysis reveals that this supposed hacker may be nothing more than a fraudster attempting to capitalize on current geopolitical tensions. This report aims to dissect Hikki-Chan's claims and expose the reality behind the facade.

The VK Leak: A Cornerstone of Credibility?

Hikki-Chan's reputation largely rests on a purported leak of data from VK (VKontakte), a popular Russian social networking site. However, closer examination suggests that this "leak" consists of scraped public data rather than information obtained through a genuine breach. This pattern of presenting publicly available information as exclusive, stolen data is a common tactic among fraudulent actors seeking to build credibility in hacking communities.

The Kavim Incident: A Case of False Attribution

One of Hikki-Chan's most audacious claims involves the alleged hacking of Kavim, an Israeli public transportation company. However, this incident can be definitively attributed to "Black Shadow," an IRGC-affiliated group that targeted Kavim in 2021.

Bleeping Computer, a respected cybersecurity news outlet, reported on the Black Shadow attack in detail.

Their article, available here, provides a comprehensive breakdown of the actual incident.

Hikki-Chan's attempt to take credit for this well-documented attack raises serious questions about the veracity of their other claims.

The Israeli Police Database: A Misrepresentation

Another significant claim by Hikki-Chan involves an alleged breach of the Israeli Police database. However, analysis of the data offered reveals that it is unrelated to law enforcement. Instead, the information pertains to "Aharai" (After Me), a youth organization that helps prepare Israeli teenagers for military service.

Moreover, this data isn't new. Research conducted by ClearSky, a cybersecurity intelligence firm, confirms that this exact dataset first appeared on hacking forums in June 2023, months before Hikki-Chan's emergence. This strongly suggests that Hikki-Chan is recycling old, previously leaked data rather than obtaining new information through actual hacking activities.

Thanks to research by ClearSky cyber security analysts, we could provide you with the data mentioned above.

The Iranian Connection

Iranian state-sponsored Advanced Persistent Threat (APT) groups have been observed engaging in sophisticated disinformation campaigns, notably involving the publication of purportedly leaked Israeli databases. This analysis examines the tactics, techniques, and procedures (TTPs) employed in these operations, with a focus on their strategic objectives and potential impact.

• Prominent Threat Actors:

  • Charming Kitten (APT35)

  • OilRig (APT34)

• Primary Tactics:

  • Dissemination of fabricated or outdated databases

  • False claims of data exfiltration from Israeli sources

• Strategic Objectives:

  • Generate media attention

  • Conduct psychological operations

  • Undermine Israeli reputation and perceived security posture

• Operational Patterns:

  • Release of ostensibly sensitive information, often including personal data

  • Utilization of social media and dark web forums for distribution

• Data Veracity:

  • Many leaked databases proven to be:

    • Outdated

    • Incomplete

    • Entirely fabricated

These disinformation campaigns represent a nuanced approach to cyber warfare, where the primary objective extends beyond direct system compromise. By creating the illusion of successful cyber intrusions, these APT groups aim to:

1. Sow confusion among targeted populations

2. Erode trust in Israeli cybersecurity measures

3. Compel Israeli security resources to be allocated to threat verification and mitigation

Here are examples of Iranian APT groups publishing fake or outdated Israeli databases as part of their cyber operations:

1. Charming Kitten (APT35) - "Pay2Key" Ransomware Campaign (2020)

In late 2020, the Iranian-linked APT group Charming Kitten (APT35) was believed to be behind the "Pay2Key" ransomware attacks targeting Israeli companies. After some attacks, the group posted what they claimed were stolen databases from Israeli organizations. However, cybersecurity analysts found that some of these leaked databases were either outdated or fabricated, likely aimed at causing panic and reputational damage rather than gaining financial benefit or releasing valuable information.

2. MuddyWater (APT34) - Fake Leaks of Israeli Government Data

MuddyWater (APT34), another Iranian-affiliated group, has been involved in disinformation campaigns where they claim to have breached Israeli networks. In several instances, MuddyWater published what they purported to be sensitive Israeli government or military databases. Investigations into these leaks revealed that some of the data was outdated or tampered with, undermining the credibility of the claims but still creating headlines that served their propaganda goals.

3. Hackers of Sabrin - Fake Israeli Voter Database (2020)

In 2020, an Iranian-affiliated group known as Hackers of Sabrin claimed to have leaked a database of Israeli voters, which they said they obtained from government systems. While parts of the data appeared authentic, much of it was old and incomplete. Analysts concluded that the group’s goal was to incite fear and distrust within the Israeli public rather than to expose current or useful information.

4. Black Shadow - Insurance Data Leak (2021)

The Black Shadow hacking group, believed to have ties to Iran, breached Israeli insurance company Shirbit in 2021. They published personal details of Israeli citizens on the dark web. While some of the leaked data was accurate, many of the published records were old or had already been publicly available, signaling an attempt to cause panic and damage Israel’s reputation.

5. Islamic Revolutionary Guard Corps (IRGC) - Fake Financial Data Leak (2018)

In 2018, an Iranian state-affiliated cyber group, believed to have links to the IRGC, claimed to have breached Israeli banks and financial institutions. They released what they said was sensitive financial information. Upon review, cybersecurity experts determined that much of the data was outdated or fabricated, designed to manipulate the public perception of Israel's cyber vulnerabilities.

These incidents demonstrate how Iranian APTs use the tactic of releasing fake or old databases as part of broader cyber warfare strategies that include disinformation, psychological operations, and propaganda. The goal is often less about the immediate impact of the data and more about shaping narratives and inciting fear.

Huge thanks to The Co-Founder & CTO @ Hudson Rock (Cybercrime intelligence)

Threat Actor Profile Analysis

Based on the available information, we can construct the following profile of Hikki-Chan:

Alias: Hikki-Chan

Forum Reputation: As of the latest check, Hikki-Chan has accumulated 197 reputation points on their primary forum. It's worth noting that this increase in reputation coincides with heightened geopolitical tensions following the events of October 7th, 2023.

Suspected Motivation: While it's challenging to determine precise motivations without direct evidence, the pattern of behavior suggests that Hikki-Chan may be affiliated with or acting as a proxy for state-sponsored actors, possibly the Islamic Revolutionary Guard Corps (IRGC). The primary goal appears to be conducting psychological operations (Psy-Ops) aimed at portraying Israeli cyber defenses as vulnerable.

Modus Operandi: Hikki-Chan's strategy involves:

1. Repurposing old, publicly available data leaks

2. Falsely claiming credit for well-documented attacks by other groups

3. Misrepresenting the nature and origin of the data they claim to have obtained

4. Leveraging current geopolitical tensions to gain credibility and attention

Conclusion

The evidence strongly suggests that Hikki-Chan is not a legitimate threat actor but rather a fraudulent entity engaged in misinformation and reputation-building through deception. Their claims consistently fail to withstand scrutiny, relying on misattributed attacks, recycled data, and misrepresented information.

For cybersecurity professionals and researchers, this case underscores the importance of rigorous verification and cross-referencing when evaluating claims made by purported hackers or leak sellers. It also highlights how geopolitical events can be exploited by bad actors to gain credibility in underground forums.

As I always appreciate sharing data in our field, I must say they analysis of Sam Bent, in this case, seems to be wrong:

Source: https://doingfedtime.com/kavim-data-leak-29-000-records-compromised/

The Grand Unmasking: USDoD's "Oops, I Did It Again" Moment

In a move that's got the cybersecurity world doing a collective spit-take, the infamous hacker known as USDoD (or EquationCorp, for those who like their hackers with a side of math puns) has revealed his true identity. Ladies and gentlemen, meet Luan G, a 33-year-old from Minas Gerais, Brazil, who apparently decided that anonymity was so last season.

A Hacking Repertoire That Would Make Ocean's Eleven Jealous

Our friend Luan hasn't just been sipping caipirinha on the beaches of Copacabana. Oh no, he's been busy:

• Breached National Public Data, leaking 3.2 billion SSNs (Because why stop at "Big Data" when you can go for "Colossal Data"?)

• Hacked the FBI's InfraGard, exposing 87,000 members (Talk about an exclusive club membership leak)

• Scraped and leaked CrowdStrike's 100,000-line IoC list (Indicators of Compromise? More like Indicators of Chutzpah)

And that's just the greatest hits album!

The "Dox" That Rocked: CrowdStrike's Uno Reverse Card

According to our digital desperado, he got "doxed by CrowdStrike." Apparently, CrowdStrike decided to show that they can play the hacking game too. It's like watching the cybersecurity version of "Tag, you're it!"

But wait, there's more! Luan claims he's been doxed before, even prior to the InfraGard hack. At this point, getting doxed seems to be his hobby.

Brazil: Where Hackers Go for Carnival and... Legal Protection?

Here's where it gets spicier than a Bahian hot sauce. Brazil, land of samba, football, and... strict extradition laws? Yep, turns out Brazil is the ultimate VPN for its citizens - it just doesn't let them out.

So while Uncle Sam might be sending friend requests, Brazil's response is basically "New IP address, who dis?"

The Hacker's Heartfelt Monologue

In a statement that reads like a mix between a retirement speech and a telenovela monologue, Luan said:

"I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won't run, I'm in Brazil, the same city where I was born. I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I'm a human like everyone else."

Cue the dramatic music and slow-motion walk into the sunset.

The Moral of the Story

1. If you're going to be a world-famous hacker, maybe don't keep your Instagram public.

2. Always read the fine print on extradition treaties before choosing your hacking headquarters.

3. When life gives you lemons, make caipirinhas... and then maybe turn yourself in to the authorities.

In conclusion, dear readers, remember: in the grand chess game of cybersecurity, sometimes the queen reveals herself. And when she does, we'll be here with the cheesy puns and dad jokes to make sense of it all.

Stay safe out there, and maybe check if your SSN is one of the 3.2 billion. You know, just in case.