Suspected XSS Cybercrime Forum Admin Arrested



Also: Clorox Sues IT Vendor Over Password Blunder


Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the suspected admin of the cybercrime forum XSS was arrested in Ukraine, Clorox sued Cognizant over its Scattered Spider breach and Lumma Stealer is back. New York will regulate water systems, and U.S. maritime cybersecurity regulations take effect. A new Coyote banking Trojan is active. A hacker nabbed tactical details of Mexico City auxiliary police officers. Cyberattacks are surging in Latin America. World Leaks stole synthetic data from Dell.


Suspected Cybercrime Forum XSS Admin Arrested in Ukraine

Ukrainian police arrested the suspected administrator of Russian-speaking cybercrime forum XSS, Europol announced Thursday.

The forum, active since 2013, had more than 50,000 registered users and facilitated the sale of stolen data and malware, Europol said. French prosecutors located in Paris opened the investigation in July 2021, leading to the arrest on Tuesday, they said.

The unidentified Kyiv man accused of running XSS is also accused of running thesecure.biz, a private messaging service for the cybercriminal underground. The suspect wasn’t just a site administrator but an active participant in the cybercrime occurring on the site, arbitrating disputes and guaranteeing transactions, Europol said. The cybercrime site earned him more than 7 million euros worth of advertising fees, it said.

Running a cybercrime forum is an increasingly risky undertaking, given a string of law enforcement successes in shutting down platforms and arresting individuals, including operations against Cracked and Nulled and iterations of BreachForums, including a recent generation of admins. Server seizures and arrests do not guarantee the forums won’t come back under new management – but they introduce friction and uncertainty and sow distrust (see: Reborn: Cybercrime Marketplace Cracked Appears to Be Back).


Clorox Sues IT Vendor Over Password Blunder

Household cleaning product giant Clorox filed a $380 million lawsuit against IT services provider Cognizant, accusing the firm of gross negligence that enabled a major cyberattack in August 2023. Filed in California state court, the complaint alleged that Cognizant service desk agents handed over employee credentials to a cybercriminal posing as a Clorox staffer – without proper identity verification – granting access to critical systems.

Clorox, maker of eponymous cleaning products as well as personal care Burt’s Bees products and Hidden Valley Ranch, told the court the incident caused approximately $380 million in damages, “including over $49 million in remedial costs alone to fix the damage caused by Cognizant’s entirely preventable errors.” The attack was part of an early wave of attacks stemming from the native English-speaking, adolescent-dominated cybercrime collective commonly tracked as Scattered Spider (see: British Police Bust Four Scattered Spider Suspects in England).

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit states. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.” Scattered Spider is known for its social engineering techniques and manipulation of help desks to gain access to the networks of large corporations.

The attacker gained access to Clorox’s Okta sign-on portal and reset the MFA credentials and phone numbers tied to employee accounts. Clorox claims Cognizant ignored its established procedures, failed to send required verification emails and did not alert managers of the reset.

Although the attacker was ejected within three hours, Clorox says the breach forced it to shut down systems, pause manufacturing and switch to manual operations, leading to weeks of disruption and product shortages (see: Clorox Expects Double-Digit Sales Drop Following Cyberattack).

In an emailed statement, a Cognizant spokesperson said the company isn’t responsible for the incident. “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack,” the spokesperson said. “Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”


Lumma Stealer Malware Returns Stronger After Takedown Attempt

There are more signs of resurgent Lumma Stealer malware following a U.S. federal law enforcement-led takedown in May that seized the central command structure and thousands of online domains used to control the malware.

Cybersecurity firm Trend Micro said Tuesday that Lumma operations appeared to have returned to normal within weeks of the takedown. The main change, the cybersecurity company said, is that the malware now “is distributed with more discreet channels and stealthier evasion tactics.”

A Lumma infection often is a prelude to a ransomware attack from groups including Scattered Spider. It’s “a go-to tool for cybercriminals and online threat actors,” a Microsoft executive wrote in May.

Trend Micro reports that Lumma’s operators quickly rebuilt, launching new command and control servers and altering their approach. They now avoid Cloudflare, instead using providers less likely to cooperate with law enforcement, including Russian hosts.

Cybersecurity firm Check Point in June observed resurgent Lumma activity just days after the takedown (see: Lumma Stealer Malware Resurgence Challenges Global Takedown).


New York Moves to Secure Water Systems From Cyberthreats

New York State proposed new cybersecurity regulations targeting water and wastewater systems to address growing threats to critical infrastructure. Governor Kathy Hochul said Tuesday that the rules are open for public comment.

The rules would apply to community water systems serving more than 3,300 people and require vulnerability assessments, cyber incident reporting within 24 hours and periodic cybersecurity training. Wastewater regulations would mandate access controls, multifactor authentication, OT-IT network separation and incident response plans.

The federal government attempted to make cybersecurity a regular part of water system safety assessments during the Biden administration but backed down after a federal judge blocked the effort in a lawsuit from the attorneys general of Missouri, Arkansas and Iowa (see: US EPA Nixes Cybersecurity Assessments of Water Systems).


New Cybersecurity Rules Now Mandatory for US Maritime Industry

A U.S. Coast Guard rule governing maritime industry cybersecurity is now fully in effect, applying to all U.S.-flagged vessels, outer continental shelf facilities and sites regulated under the Maritime Transportation Security Act of 2002.

The regulation mandates that owners and operators develop and maintain a cybersecurity plan, designate cybersecurity officers and implement key account security measures. These include enforcing automatic account lockouts after failed logins, changing default passwords, using strong passwords and multifactor authentication, applying least-privilege principles, separating user credentials and promptly revoking access for departing users.

By Jan. 12, 2026, annual cybersecurity training will become mandatory. Full compliance – including officer designation, risk assessment and plan submission – is required by July 16, 2027.

The Coast Guard also announced it will ramp up cybersecurity checks under Port State Control for foreign-flagged vessels, focusing on deficiencies that may violate International Safety Management Code standards.


Coyote Banking Trojan Uses Windows UI Tools to Evade Detection

A new variant of the Coyote banking Trojan, active in Latin America since February 2024, is exploiting the Windows UI Automation framework to steal banking and crypto credentials. According to Akamai researchers, the malware targets users of up to 75 banks and exchanges in Brazil, signaling a shift in how attackers use legitimate Windows features for stealth.

Once installed, Coyote collects system information such as computer name and usernames and monitors open windows to match them against a target list. If no matches are found, it uses UI Automation to scan browser tabs and address bars for financial data. This technique is more stable than traditional browser injections, which often break due to UI or version changes.

Coyote is persistent, running two threads to search for targets – one online and one offline. Even without an internet connection, it continuously scans for banking activity and loops until it can reconnect to its command-and-control server.


Hacker Leaks Location Data of CDMX Auxiliary Police

A hacker exposed a database revealing the real-time locations of all auxiliary police officers in Mexico City, reported the Mexican edition of the online Publimetro news site.

The leaked data reportedly includes geographic coordinates, full names, photos, work schedules and patrol routes of the officers. The hacker, operating under the handle “Fantom Security,” published a sample of the data and claimed they could access more than 20,000 records.


Cyberattacks Surge Against Government and Health Sectors in Latin America

Cybercrime in Latin America intensified in the first half of this year, with government institutions and the healthcare sector being the most targeted, Eset researchers found. A midyear report reveals that the public sector has experienced the largest number of attacks in the first half of the year, followed by medical institutions.

Threat actors are using ransomware, data breaches and denial-of-service attacks to cripple essential services and extort sensitive data. The increase is driven by the digitization of services without adequate cybersecurity investments, Eset said. The use of pirated software, weak access controls and outdated systems also make government agencies especially vulnerable.

In Brazil, Mexico, Colombia and Argentina, attacks on critical infrastructure have increased significantly. Healthcare institutions were particularly affected due to their reliance on digital records and limited IT security budgets.


Dell Demo Platform Breached in Data Extortion Attempt

A rebranded cyber extortion gang called “World Leaks” breached Dell’s Customer Solution Centers, a platform used to demonstrate products to clients. The group is now attempting to extort the company. Dell confirmed the intrusion to BleepingComputer, saying that the platform is isolated from core networks and customer systems and contains mostly synthetic, public or non-sensitive test data.

The attackers likely believed they obtained valuable information but actually stole fake financial and medical datasets. Dell said the only real data taken was an outdated contact list. Dell did not disclose how the breach occurred or whether a ransom was demanded, stating the investigation is ongoing.

World Leaks is the latest identity of the Hunters International ransomware group, which pivoted from file encryption to pure data theft. The group has since claimed over 280 attacks and leaked data from 49 organizations.


With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and David Perera in Northern Virginia.
