We round up the week’s key cybersecurity developments.
- Checkmate for crypto extortionists.
- Cyberattacks on retailers and Aeroflot.
- Minnesota’s capital hit by a major cyberattack.
- A dating app lost confidential images.
Checkmate for crypto extortionists
Law-enforcement action disrupted BlackSuit, a cybercriminal network specialising in ransomware.
Ukraine’s cyber police joined the international Operation Checkmate, which involved law-enforcement agencies from more than five Europol member countries and US authorities.
The attackers built malware that encrypted user data using various combinations of algorithms. They demanded cryptocurrency in exchange for decryption and for not publishing stolen information.
According to Ukraine’s cyber police, the group repeatedly rebranded:
- from 2022 as Quantum;
- in 2022–2023 as Royal;
- from 2023 as BlackSuit;
- from 2025 as Chaos.
Total ransom demands exceeded $500m, with the largest single demand at $60m. Targets were mainly commercial and public-sector organisations outside the CIS—particularly in the US, Europe and Japan.
According to FBI Dallas, more than 20 bitcoins were seized on April 15 as part of the operation. The funds were traced to an address allegedly linked to a member of the Chaos group using the alias Hors.
Today, FBI Dallas made public the seizure of over $1.7 million worth of cryptocurrency as part of ongoing efforts to combat ransomware. The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as “Hors,” who… pic.twitter.com/uWeIMMGE9J
— FBI Dallas (@FBIDallas) July 28, 2025
The US Department of Justice said that on July 24, 2025 it filed a forfeiture complaint for more than $2.4m.
Cyberattacks on retailers and Aeroflot
On July 28 Aeroflot reported disruptions to its IT systems. Hacktivist groups “Cyberpartisans BY” and Silent Crow claimed responsibility; more than 100 flights were cancelled.
According to RBC, the airline could have lost over 250m roubles in a single day. Factoring in infrastructure recovery, lost revenue and other costs, the damage may reach several billion roubles.
Pharmacy chains Stolichki and Neopharm also faced issues—they halted online reservations and temporarily closed some retail outlets. Roskomnadzor said there were no signs of DDoS attacks.
Earlier, Novabev Group reported a cyberattack that hit the Winelab alcohol retail chain, knocking out supermarkets in Moscow, the Moscow region, St Petersburg and other cities. The attackers demanded a ransom, which the company refused to pay.
Minnesota’s capital hit by a major cyberattack
Minnesota governor Tim Walz called in the National Guard in response to a destructive cyberattack that hit the state capital, St Paul, on July 25.
The incident continued through July 26–27 and caused widespread disruption across the city, impairing digital services and critical systems.
“Since the cyberattack was detected, the Saint Paul authorities have been working around the clock, closely coordinating with Minnesota IT Services and an external cybersecurity firm. Unfortunately, the scale and complexity of the incident exceeded the capabilities of both internal and commercial response services,” the emergency executive order states.
As of July 29, online payments were unavailable and some services at libraries and recreation centres were suspended. City authorities are working with local, state and federal partners to investigate and fully restore systems.
A dating app lost confidential images
On July 25 Tea, a popular safety-focused dating app, suffered a data breach that exposed 72,000 sensitive images. These included selfies and ID photos used for account verification, as well as images from user messages and posts.
A second vulnerability later came to light, leaking additional user data. On July 29 the developers disabled direct messages.
The developers said the first leak affected only users who registered before February 2024. However, in a comment to 404 Media, cybersecurity specialist Kasra Rahjerdi said the leaked dataset contains messages from 2023 up to the discovery of the attack—more than 1.1m in total.
Hackers plugged into a bank—literally
According to Group-IB, the threat group UNC2891, also known as LightBasin, used a Raspberry Pi microcomputer with 4G connectivity to attack a bank in a recently identified incident.
The single-board computer was physically connected to an ATM network switch, creating a covert access channel into the bank’s internal infrastructure. This allowed the attackers to move laterally and plant backdoors.
Group-IB discovered the intrusion attempt while investigating suspicious activity. According to the firm, the goal was to spoof ATM authorisation and conduct fraudulent cash withdrawals.
Although LightBasin did not succeed, the incident is a rare example of a hybrid attack that combines physical access with remote intrusion and extensive tradecraft to evade detection.
Also on ForkLog:
- Nvidia denied backdoors in its chips.
- The hacker behind the X accounts of Beeple and Louis Vuitton was sentenced to a year in prison.
- TRM Labs: Telegram’s attempt to block Huione proved ineffective.
- A CoinDCX employee helped hackers steal $44m.
- A bug in Gemini’s interface allowed execution of malicious code.
- Samourai Wallet’s founders pleaded guilty to money laundering.
- The “anti-scam” platform RugProof was accused of fraud.
What to read this weekend?
How do millions hide behind hundreds of $50 transfers? What tools make sense of the crypto chaos, and can the digital trail be followed to the end? Grigory Osipov, director of investigations at Shard, explains.
