{"id":25770,"date":"2025-08-02T08:23:41","date_gmt":"2025-08-02T05:23:41","guid":{"rendered":"https:\/\/forklog.com\/en\/half-billion-crypto-extortion-a-dating-app-leak-and-other-cybersecurity-headlines\/"},"modified":"2025-08-02T08:23:41","modified_gmt":"2025-08-02T05:23:41","slug":"half-billion-crypto-extortion-a-dating-app-leak-and-other-cybersecurity-headlines","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/half-billion-crypto-extortion-a-dating-app-leak-and-other-cybersecurity-headlines\/","title":{"rendered":"Half-billion crypto extortion, a dating-app leak and other cybersecurity headlines"},"content":{"rendered":"<p>We round up the week\u2019s key cybersecurity developments.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Checkmate for crypto extortionists.<\/li>\n<li>Cyberattacks on retailers and Aeroflot.<\/li>\n<li>Minnesota\u2019s capital hit by a major cyberattack.<\/li>\n<li>A dating app lost confidential images.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Checkmate for crypto extortionists<\/h2>\n<p>Law-enforcement action disrupted BlackSuit, a cybercriminal network specialising in ransomware.<\/p>\n<p>Ukraine\u2019s cyber police <a href=\"https:\/\/cyberpolice.gov.ua\/news\/vymagaly--mln-dolariv-vykupu-kiberpoliczejski-dopomogly-zneshkodyty-mizhnarodnu-xakersku-merezhu-1279\/\">joined<\/a> the international Operation Checkmate, which involved law-enforcement agencies from more than five Europol member countries and US authorities.<\/p>\n<p>The attackers built malware that encrypted user data using various combinations of algorithms. 
They demanded cryptocurrency in exchange for decryption and for not publishing stolen information.<\/p>\n<p>According to Ukraine\u2019s cyber police, the group repeatedly rebranded:<\/p>\n<ul class=\"wp-block-list\">\n<li>from 2022 as Quantum;<\/li>\n<li>in 2022\u20132023 as Royal;<\/li>\n<li>from 2023 as BlackSuit;<\/li>\n<li>from 2025 as Chaos.<\/li>\n<\/ul>\n<p>Total ransom demands exceeded $500m, with the largest single demand at $60m. Targets were mainly commercial and public-sector organisations outside the CIS\u2014particularly in the US, Europe and Japan.<\/p>\n<p>According to FBI Dallas, more than 20 bitcoins were seized on April 15 as part of the operation. The funds were traced to an address allegedly linked to a member of the Chaos group using the alias Hors.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Today, FBI Dallas made public the seizure of over $1.7 million worth of cryptocurrency as part of ongoing efforts to combat ransomware. The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as &#8220;Hors,&#8221; who\u2026 <a href=\"https:\/\/t.co\/uWeIMMGE9J\">pic.twitter.com\/uWeIMMGE9J<\/a><\/p>\n<p>\u2014 FBI Dallas (@FBIDallas) <a href=\"https:\/\/twitter.com\/FBIDallas\/status\/1949851086795288670?ref_src=twsrc%5Etfw\">July 28, 2025<\/a><\/p><\/blockquote>\n<p>The US Department of Justice said that on July 24, 2025 it filed a forfeiture complaint for more than $2.4m.<\/p>\n<h2 class=\"wp-block-heading\">Cyberattacks on retailers and Aeroflot<\/h2>\n<p>On July 28 Aeroflot <a href=\"https:\/\/www.kommersant.ru\/doc\/7923214\">reported<\/a> disruptions to its IT systems. 
Hacktivist groups \u201cCyberpartisans BY\u201d and Silent Crow claimed responsibility; more than 100 flights were cancelled.<\/p>\n<p>According to <a href=\"https:\/\/www.rbc.ru\/business\/28\/07\/2025\/6887a4db9a794707f4c56daf\">RBC<\/a>, the airline could have lost over 250m roubles in a single day. Factoring in infrastructure recovery, lost revenue and other costs, the damage may reach several billion roubles.<\/p>\n<p>Pharmacy chains Stolichki and Neopharm also faced issues\u2014they halted online reservations and temporarily closed some retail outlets. Roskomnadzor said there were no signs of <span data-descr=\"distributed denial-of-service\" class=\"old_tooltip\">DDoS<\/span> attacks.<\/p>\n<p>Earlier, Novabev Group <a href=\"https:\/\/novabev.com\/press-room\/lenta\/official-statement-of-novabev-group-and-winelab-on-the-cyberattack\/\">reported<\/a> a cyberattack that hit the Winelab alcohol retail chain, knocking out supermarkets in Moscow, the Moscow region, St Petersburg and other cities. The attackers demanded a ransom, which the company refused to pay.<\/p>\n<h2 class=\"wp-block-heading\">Minnesota\u2019s capital hit by a major cyberattack<\/h2>\n<p>Minnesota governor Tim Walz <a href=\"https:\/\/www.stpaul.gov\/news\/important-information-city-services-during-digital-security-incident-1\">called in<\/a> the National Guard in response to a destructive cyberattack that hit the state capital, St Paul, on July 25.<\/p>\n<p>The incident continued through July 26\u201327 and caused widespread disruption across the city, impairing digital services and critical systems.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cSince the cyberattack was detected, the Saint Paul authorities have been working around the clock, closely coordinating with Minnesota IT Services and an external cybersecurity firm. 
Unfortunately, the scale and complexity of the incident exceeded the capabilities of both internal and commercial response services,\u201d<\/em> the emergency executive order states.<\/p>\n<\/blockquote>\n<p>As of July 29, online payments were unavailable and some services at libraries and recreation centres were suspended. City authorities are working with local, state and federal partners to investigate and fully restore systems.<\/p>\n<h2 class=\"wp-block-heading\">A dating app lost confidential images<\/h2>\n<p>On July 25 Tea, a popular safety-focused dating app, <a href=\"https:\/\/www.teaforwomen.com\/cyberincident\">suffered<\/a> a data breach that exposed 72,000 sensitive images. These included selfies and ID photos used for account verification, as well as images from user messages and posts.<\/p>\n<p>A second vulnerability later came to light, leaking additional user data. On July 29 the developers disabled direct messages.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXfaFtJzNgFkHtSKVOTeDOXGsQimW78dox6ELSOoiWGsXlH-Vy8kFpiiAjqkF0hl8ktvmkF9z-M9S9zTJ67NXhyfsSAIj8TycCpY0jzIMZH2PrnXmhFK62zPdqMx8FhVEl7-241c?key=0NA5JxMQDPw8hsESgNKrXw\" alt=\"Half-billion crypto extortion, a dating-app leak and other cybersecurity developments\"\/><figcaption class=\"wp-element-caption\">Tea app interface. Source: <a href=\"https:\/\/www.teaforwomen.com\/\">Tea<\/a>.<\/figcaption><\/figure>\n<p>The developers said the first leak affected only users who registered before February 2024. 
However, in a comment to <a href=\"https:\/\/www.404media.co\/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan\/\">404 Media<\/a>, cybersecurity specialist Kasra Rahjerdi said the leaked dataset contains messages from 2023 up to the discovery of the attack\u2014more than 1.1m in total.<\/p>\n<h2 class=\"wp-block-heading\">Hackers plugged into a bank\u2014literally<\/h2>\n<p>According to <a href=\"https:\/\/www.group-ib.com\/blog\/unc2891-bank-heist\/\">Group-IB<\/a>, the threat group UNC2891, also known as LightBasin, used a Raspberry Pi microcomputer with 4G to attack a bank in a recently identified incident.<\/p>\n<p>The single-board computer was physically connected to an ATM network switch, creating a covert access channel into the bank\u2019s internal infrastructure. This allowed the attackers to move laterally and plant backdoors.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdfzMgZSfQB5qpg91M9OrAix0Rq2ysD-j1v_v7ec0mP7F1ooUwoTC1rOGYeEtZobW0r13gJnGCZ3YtQv_XRretwVMy4TtlJwdSfyB1X908kREN0DLC5sQT8yCeXF4L2NhS0hrPspw?key=0NA5JxMQDPw8hsESgNKrXw\" alt=\"Half-billion crypto extortion, a dating-app leak and other cybersecurity developments\"\/><figcaption class=\"wp-element-caption\">Diagram of a hybrid attack using a Raspberry Pi with a 4G modem. Source: <a href=\"https:\/\/www.group-ib.com\/blog\/unc2891-bank-heist\/\">GROUP-IB<\/a>.<\/figcaption><\/figure>\n<p>Group-IB discovered the intrusion attempt while investigating suspicious activity. 
According to the firm, the goal was to spoof ATM authorisation and conduct fraudulent cash withdrawals.<\/p>\n<p>Although LightBasin did not succeed, the incident is a rare example of a hybrid attack that combines physical access with remote intrusion and extensive tradecraft to evade detection.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Nvidia <a href=\"https:\/\/forklog.com\/en\/news\/nvidia-denies-backdoor-presence-in-its-chips\">denied<\/a> backdoors in its chips.<\/li>\n<li>The hacker behind the X accounts of Beeple and Louis Vuitton was <a href=\"https:\/\/forklog.com\/en\/news\/hacker-of-beeple-and-louis-vuitton-x-accounts-sentenced-to-one-year-in-prison\">sentenced<\/a> to a year in prison.<\/li>\n<li>TRM Labs: Telegram\u2019s attempt to block Huione <a href=\"https:\/\/forklog.com\/en\/news\/telegrams-attempt-to-block-huione-proves-ineffective-says-trm-labs\">proved ineffective<\/a>.<\/li>\n<li>A CoinDCX employee <a href=\"https:\/\/forklog.com\/en\/news\/coindcx-employee-implicated-in-44-million-crypto-theft\">helped hackers<\/a> steal $44m.<\/li>\n<li>A bug in Gemini\u2019s interface <a href=\"https:\/\/forklog.com\/en\/news\/flaw-in-gemini-interface-allowed-execution-of-malicious-code\">allowed<\/a> execution of malicious code.<\/li>\n<li>Samourai Wallet\u2019s founders <a href=\"https:\/\/forklog.com\/en\/news\/samourai-wallet-founders-admit-to-money-laundering-charges\">pleaded guilty<\/a> to money laundering.<\/li>\n<li>The \u201canti-scam\u201d platform RugProof was <a href=\"https:\/\/forklog.com\/en\/news\/rugproof-platform-promising-scam-protection-faces-fraud-allegations\">accused<\/a> of fraud.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>How do millions hide behind hundreds of $50 transfers? What tools make sense of the crypto chaos, and can the digital trail be followed to the end? 
Grigory Osipov, director of investigations at Shard, explains.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We round up the week\u2019s key cybersecurity developments. Checkmate for crypto extortionists. Cyberattacks on retailers and Aeroflot. Minnesota\u2019s capital hit by a major cyberattack. A dating app lost confidential images. Checkmate for crypto extortionists Law-enforcement action disrupted BlackSuit, a cybercriminal network specialising in ransomware. Ukraine\u2019s cyber police joined the international Operation Checkmate, which involved law-enforcement [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25769,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-25770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"43","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/25770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=25770"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/25770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/25769"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json
\/wp\/v2\/media?parent=25770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=25770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=25770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}