
A cartel spy, a dismantled Spanish ring, and other cybersecurity news
We have gathered the week’s most important cybersecurity news.
- A drug cartel hired a hacker to spy on the FBI.
- A Spanish ring stole more than €460m.
- Hackers broke into gamers’ PCs via Call of Duty: WWII.
- An app for reporting the whereabouts of immigration agents went viral.
A drug cartel hired a hacker to spy on the FBI
At the end of June, the US Department of Justice published a report on the FBI’s internal security.
According to the document, in 2018 the Bureau was conducting an investigation that culminated in the arrest of Sinaloa syndicate boss Joaquín “El Chapo” Guzmán. An individual linked to the cartel told the FBI the organisation had hired a hacker. The cybercriminal broke into electronic devices and mobile phones and monitored people visiting the US embassy in Mexico’s capital. A key target was an FBI legal attaché assistant working abroad.
The hacker used the FBI employee’s phone number to obtain call records and geolocation data. They also tapped into Mexico City’s CCTV system to track the attaché’s movements and identify the people he met.
According to the source, the cartel used the information to intimidate and kill potential witnesses and informants.
Spanish fraud ring stole over €460m
Spain’s Civil Guard, together with Europol, dismantled a major fraud network that stole more than €460m from over 5,000 victims worldwide by pitching fake cryptocurrency investments.
On 25 June, officers arrested three suspects in the Canary Islands and two in Madrid. Europol had coordinated the probe since 2023 and deployed a cryptocurrency expert during the Spanish operation.
Investigators say the organisers built a global fundraising scheme via bank transfers, crypto transactions and cash. They allegedly used payment gateways, accounts on crypto exchanges and a corporate structure linked to Hong Kong. The network worked with salespeople worldwide who lured victims onto bogus investment platforms.
Hackers broke into gamers’ PCs via Call of Duty: WWII
The launch of Call of Duty: WWII triggered mass compromises. On 3 July, two days after release, players began reporting attacks by an unknown hacker using RCE.
Exploiting multiplayer vulnerabilities, the attacker executes arbitrary commands on gamers’ machines during matches and live streams.
Reported antics include forcibly opening Notepad, displaying “undesirable content” on screen and rebooting systems.
Surprised but not surprised it took such a short time for exploits to be found. Thank you for the heads up man. I will say it’s not entirely surprising since it seems anyway that multiplayer is P2P connections and not dedicated servers. I could be wrong, but figured that since…
— Mike | KRNG Rxqe (@MikeRxqe) July 2, 2025
Gamer MikeRxqe believes the game’s outdated P2P network model makes it far easier to obtain players’ IP addresses. In such setups, users connect directly to each other and everyone learns everyone’s IP.
The attacker can then send specially crafted network packets straight to the victim. These masquerade as legitimate game data (movement, shots) but carry a malicious payload.
On 2 July Activision performed “short-term technical maintenance” on servers, but did not officially link it to the RCE flaw.
App for locating immigration agents goes viral
ICEBlock, an iPhone app that lets users anonymously report sightings of US Immigration and Customs Enforcement (ICE) agents, went viral after comments by Attorney General Pam Bondi.
Roughly 20,000 ICEBlock users are in Los Angeles, where ICE raids have been frequent in recent weeks. On 2 July, following Bondi’s remarks the day before, the app entered the US free-download charts.
Users can share the locations of ICE agents within roughly an 8 km radius. The app sends alerts when agents are reported nearby.
Police arrest two hackers who targeted senior officials and journalists
On 1 July, Spanish police arrested two people in Las Palmas province on suspicion of cybercrimes, including data theft from government bodies.
Both suspects were described as “a serious threat to national security.” The investigation began after authorities detected a leak of personal data affecting politicians, central and regional government representatives, and media workers.
The first suspect is believed to have specialised in data exfiltration, while the second handled the money: selling access to databases and accounts and controlling a cryptocurrency wallet for incoming funds.
Both were detained. During searches, police seized numerous electronic devices that could point to new evidence, buyers or accomplices.
Crypto-stealing malware learns to revive itself
North Korean hackers are using a new macOS malware family, NimDoor, aimed at cryptocurrency and Web3 organisations.
The attack chain starts with outreach on Telegram and an attempt to persuade targets to install a fake Zoom update. Delivery runs via Calendly and email.
In a report published on 2 July, SentinelOne said the attackers used binaries compiled in C++ and Nim to hit macOS—a relatively rare choice.
The most sophisticated element is the event-driven CoreKitAgent app. Notably, it uses persistence mechanisms that make it hard to terminate and remove cleanly.
Bluetooth flaw lets hackers eavesdrop on device owners
At the TROOPERS security conference, ERNW researchers disclosed three vulnerabilities in Airoha system-on-chips (SoCs). They are widely used in speakers, headphones, headsets and wireless microphones across 29 devices.
The Bluetooth chipset can be abused to eavesdrop and steal sensitive information. Devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs and Teufel are at risk.
The security issues allow device takeover. On some smartphones, an attacker within Bluetooth range could extract call history and contact lists.
Airoha has released an updated SDK with required mitigations, and manufacturers have begun developing and distributing patches.
Contactless-payment attacks have risen 35-fold this year
ESET reports that thefts via contactless payments continue to surge. In the first half of the year alone, NFC-based attacks worldwide increased 35-fold versus 2024.
The scheme blends familiar techniques (social engineering, phishing, Android malware) with a tool called NFCGate, creating a new attack scenario.
The NGate malware relays NFC data between two devices remotely, including bank-card data, and bypasses protections by acting on the victim’s behalf.
According to ESET, a fifth of all installed NGate malware worldwide is in Russia. Scammers trick victims into installing it under the guise of a government or banking app and steal funds. In early 2025, losses reached 40 million rubles.
Over 40 Firefox extensions found stealing private keys
More than 40 rogue Firefox add-ons are designed to steal crypto-wallet data. They impersonate popular platforms including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet and Filfox.
The extensions are visually indistinguishable from the real thing and carry swathes of fake reviews and ratings to build trust.
Once installed, the software quietly exfiltrates data, putting users’ assets at risk. During initialisation, attackers also send the victim’s external IP address, presumably for tracking or targeted attacks.
The campaign has been active since at least April 2025. New malicious extensions were uploaded to the Firefox catalogue as late as the end of June.
Also on ForkLog:
- An engineer from India laundered drug-trafficking proceeds via Monero.
- A ransom negotiator was suspected of colluding with hackers.
- The US sanctioned a bulletproof hosting provider.
- A US crypto startup lost $900,000 because of North Koreans on its team.
- The Resupply protocol will burn 6m reUSD after a hack.
What to read this weekend?
The latest FLMonthly digest answers pressing cybersecurity questions in an interview with Shard’s director of investigations, Grigory Osipov.