CyberBakery Chronicles (22 June 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (22 June 2025)

Despite the sensationalism and dire warnings of “blueprints for mass exploitation,” this so-called breach is not new, nor is it evidence of a fresh compromise. It is a massive, disjointed compilation of previously leaked credentials, sourced mainly from infostealer malware and recycled from earlier incidents.

The claim originates from Cybernews, whose researchers uncovered 30 publicly exposed datasets on misconfigured Elasticsearch and object storage services. These datasets, ranging in size from tens of millions to 3.5 billion records, allegedly included credentials for major platforms like Apple, Facebook, Google, and Telegram. Their headline-grabbing total of 16 billion records may sound alarming, but it falls apart under scrutiny.

The truth? This is not a breach. It’s a data dump.

What Cybernews identified are collections of infostealer logs, credential stuffing data, and previously leaked material, not evidence of an active compromise at any major platform. There is no indication that Apple, Google, or other providers have been recently breached.

Most of this data was likely stolen months or years ago via infostealer malware such as RedLine, Raccoon Stealer, or Vidar. These logs typically include standard infostealer outputs, such as URL, username, password, cookies, tokens, and user agent strings. The files have been passed around criminal forums for years, often containing duplicates. This redundancy significantly inflates the 16 billion figure.

Even Cybernews admits overlap and inconsistency in the data structure, but frames the discovery as a single, cohesive breach. That framing is misleading.
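As an added example (not code from the newsletter or from Cybernews), the deduplication a breach analyst applies to a compilation before quoting a headline number: the log lines are constructed, the `URL:username:password` layout is assumed, and the summary shows raw lines versus distinct accounts and cross-site password reuse.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the usual infostealer-log layout "URL:username:password".
# Made-up records for illustration; not data from the compilation discussed above.
SAMPLE_LOG = """\
https://accounts.google.com/signin:alice@example.com:Winter2023!
https://accounts.google.com/ServiceLogin:alice@example.com:Winter2023!
http://accounts.google.com/:ALICE@example.com:Winter2023!
https://www.facebook.com/login.php:alice@example.com:Winter2023!
https://web.telegram.org/:bob@example.com:hunter2
https://web.telegram.org/:bob@example.com:hunter2
https://appleid.apple.com/:carol@example.com:S3cure-Pass-9
"""

# URL (scheme://... up to the first ':' after it), username, password (may contain ':').
RECORD_RE = re.compile(r"^(\S+?://[^:\s]+):([^:\s]+):(.*)$")

def parse_record(line):
    """Return (host, user, password) with the login URL reduced to its host, or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    url, user, password = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return host, user.lower(), password

def summarise(log_text):
    """Raw line count versus what is actually distinct once records are normalised."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    unique_records = set(records)
    unique_accounts = {(host, user) for host, user, _ in records}
    hosts_per_secret = defaultdict(set)
    for host, user, password in unique_records:
        hosts_per_secret[(user, password)].add(host)
    return {
        "raw_records": len(records),
        "unique_records": len(unique_records),
        "unique_accounts": len(unique_accounts),
        "inflation": round(len(records) / max(1, len(unique_records)), 2),
        "reused_across_sites": sum(1 for h in hosts_per_secret.values() if len(h) > 1),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Seven raw lines collapse to four distinct accounts here, and one of them uses the same password on two sites, which is the exposure that actually matters.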

This is not unprecedented—it’s a pattern.

Similar mega-dumps have surfaced before—RockYou2024 (9 billion records), Collection #1 (773 million records), and the so-called “Mother of All Breaches” (26 billion records). All follow the same playbook: repackaged credential logs hyped as new threats.

Media amplification of these reports fuels unnecessary panic.

Cybernews’ alarmist language—calling it a “blueprint for mass exploitation”—created a cascade of exaggerated headlines across outlets like 9to5Mac and Forbes. Readers were left with the false impression of an ongoing global cyberattack when, in reality, most of these credentials have long been exposed.

Security experts like Troy Hunt (Have I Been Pwned) have consistently pointed out that unless a dump contains new, verified credentials, its actual risk to users is limited, especially if accounts are protected by MFA or strong password hygiene.

The real threat isn’t this dump—it’s the malware ecosystem feeding it.

Infostealers continue to siphon login data from compromised endpoints on a daily basis. Aggregating this data into a single dump doesn’t create a new breach—it exposes how many users still rely on weak, reused passwords and ignore basic hygiene practices.

The bottom line: this isn’t news. It’s noise.

Calling recycled credential compilations “record-breaking breaches” not only misinforms the public—it also undermines trust in real, urgent disclosures. We must distinguish between legitimate security incidents and inflated narratives.

Instead of panic, take action:

  • Use a password manager.

  • Enable multi-factor authentication.

  • Stop reusing passwords.

  • Monitor your credentials via trusted services like Have I Been Pwned.
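An added example, not code from the newsletter or from Have I Been Pwned, of how the Pwned Passwords range lookup lets you check a password without ever sending it: only the first five characters of its SHA-1 hash leave the machine, and the match is made locally. The sample response body is constructed; the live fetch function is included but not used offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for a range response (lines are "SUFFIX:COUNT"); the counts
# are illustrative, not figures taken from the live service.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F:0
"""

def sha1_prefix_suffix(password):
    """Uppercase SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Map each returned suffix to its count; padding entries (count 0) are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password, fetch_range):
    """Times the password appears in the corpus, or 0 if absent.
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix):
    """Real lookup against the Pwned Passwords range endpoint (network required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "cyberbakery-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_against_sample(password):
    """Offline demonstration using the constructed body above instead of the network."""
    return exposure_count(password, lambda _prefix: SAMPLE_RANGE_BODY)

if __name__ == "__main__":
    print(check_against_sample("password"))  # sha1("password") suffix is in the sample
    print(check_against_sample("Tq9!vZ-unique-example"))
```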

This incident is a reminder—not a red alert.

A cybercriminal group claims to have exfiltrated confidential files from Taos County, NM, and is now demanding a ransom, setting a 7-day deadline for payment. They’ve also threatened to publish the data if Taos County doesn’t comply. This is an example of “double extortion,” where attackers both encrypt systems and steal data, threatening to leak it publicly if the victim refuses to pay. This trend has become increasingly common.

Kairos lists Taos County on its data leak site.

Kairos is a ransomware group that started listing its attack targets on its data leak site in November 2024. Unlike many ransomware groups, Kairos does not encrypt infected systems. Instead, it steals data and extorts organisations by threatening to sell or release that data. Kairos has claimed responsibility for four confirmed attacks and has made 35 unconfirmed claims that the targeted organisations have not acknowledged. This year, it made 22 of those unconfirmed claims. The three confirmed attacks by Kairos are:

  1. An accounting and advisory services firm reported a data breach in September 2024.

  2. Vitenas Cosmetic Surgery informed 31,852 people about a data breach in February 2025, where Kairos posted an inappropriate image of a cosmetic surgery patient as evidence.

  3. The Baltimore City State's Attorney's Office reported an attack in March 2025 attributed to Kairos.

A shift in ransomware tactics

In recent years, there has been a marked shift: most ransomware attacks now include data theft before encryption occurs. A Forbes analysis noted that 96% of ransomware incidents in 2024 involved data exfiltration, with an average extortion demand of around $600,000.

Escalating ransom amounts

The amounts demanded in double-extortion attacks have skyrocketed. The average demand is around $600,000, although some demands reach into the tens of millions. These massive figures highlight the high-stakes environment Taos County now faces.

Public shaming as leverage

Gangs have started publicly naming victims, shaming them online if the ransom isn’t paid. This tactic aims to increase pressure and the “conversion rate” of ransom payment.

What Taos County, or any organisation in this situation, can do

  1. Do not pay without deliberation

    Government agencies, such as the FBI, generally discourage ransom payments—paying does not guarantee recovery, and it fuels future attacks.

  2. Engage experts and law enforcement

    Immediately consult cybersecurity specialists for incident response and management. File a report with the FBI’s IC3 unit and coordinate with federal agencies.

  3. Verify extortion claims

    Ask attackers for specific proof of data possession (like sample files or metadata). That helps assess the extent of the damage.

  4. Prioritise transparency

    Inform stakeholders and possibly the public. Many jurisdictions have data breach notification laws that require disclosure if sensitive personal data has been compromised.

  5. Reinforce defences post-attack

    • Backups: Ensure secure, offline backups are in place. The Australian Cyber Security Centre (and others) strongly advise this.

    • Detect and deter: Implement multifactor authentication, regular patching, network segmentation, and endpoint protection. The FBI and CISA emphasise these measures.

Final Takeaways

Taos County’s situation exemplifies a critical, growing ransomware crisis that is particularly threatening to government sectors. The stakes have never been higher: attackers not only demand payment for decryption but also threaten to leak sensitive data unless their demands are met. A decisive response—one that effectively balances urgency with strategic thinking, expert consultation, and collaboration with law enforcement—is crucial. Moving forward, organisations must adopt resilient cybersecurity frameworks that prioritise proactive prevention, robust incident response strategies, and thorough policy development to safeguard against these escalating threats.

Scattered Spider has escalated their sector-based cyber assault strategy, pivoting from European retailers to U.S. insurance and government entities. They exploit sophisticated social engineering, amplified by SIM swap and MFA fatigue, sometimes followed by RAT deployment (Spectre) and ransomware collaboration (DragonForce).

Scattered Spider—also known as UNC3944, BISCUIT, Muddled Libra, and Scatter Swine—is a British-American cybercrime collective founded in May 2022, comprising primarily English-speaking teenagers and young adults from the U.S. and the U.K. 

They’re highly skilled in social engineering (phishing, vishing, SIM swapping, and MFA fatigue) to manipulate help desk personnel into granting remote access or resetting credentials. Though they initially used BlackCat/ALPHV ransomware, recent activity focuses on data theft and extortion, often in partnership with ransomware groups like DragonForce.

Attacks on U.S. Insurance and Government Systems

  • Shift to the insurance sector:

    Google’s Threat Intelligence Group has identified multiple intrusions at U.S. insurance companies, recognising classic Scattered Spider signatures, particularly help-desk teams compromised via phone-based social engineering.

  • Incident cases include:

    • Philadelphia Insurance Companies (unauthorised access discovered June 9)

    • Erie Insurance (network outage starting June 7)

  • Broader trend: Axios, WSJ, and Insurance Business all report ongoing waves of attacks against U.S. insurers since mid-June that mimic Scattered Spider’s modus operandi.

Google believes Scattered Spider is “focusing on a sector at a time,” meaning that after impacting U.K. retailers, they’ve set their sights on insurance firms—likely due to the potential for high-value data and expansive IT setups.

In June 2025, Viasat Inc.—a major satellite communications provider—confirmed it had been breached by Salt Typhoon (also known as GhostEmperor, Earth Estries), a sophisticated Chinese state-sponsored cyber-espionage group. The intrusion dates back to late 2024, during the U.S. presidential election cycle. The company detected unauthorised access via a compromised internal device and conducted a thorough investigation with federal partners and a third-party security firm. Viasat reported no evidence of customer data impact, and the breach appears to have been contained and remediated.

Context in the Broader Salt Typhoon Campaign

Salt Typhoon has been actively infiltrating critical communications infrastructure since at least 2019, primarily targeting U.S. and global telecom giants, including AT&T, Verizon, Lumen, Comcast, and Charter. The group specialises in deep espionage, accessing call-detail records, wiretapping platforms, phone metadata, and even recording communications, including those linked to senior figures in the 2024 U.S. presidential campaigns.

Notably, vocal U.S. officials have labelled the Salt Typhoon hack “the worst telecom hack in our nation’s history,” emphasising its scale, stealthy tradecraft, and extensive intelligence haul.

Technical & Operational Insights

  • The breach at Viasat originated from a single compromised device, likely part of a broader, multi-stage intrusion strategy observed across the telecommunications sector.

  • Salt Typhoon employs “living off the land” tactics—leveraging legitimate system tools and rootkits (e.g., Demodex)—to maintain persistence and evade detection.

  • The attackers gained access to sensitive systems, including wiretap fulfilment platforms (CALEA) and call metadata repositories, enabling call interception and extensive surveillance.

Impact & Response

  • National Security Threat: The campaign enabled potential geolocation and call interception of prominent U.S. individuals, raising serious counterintelligence concerns.

  • Coordinated Intervention: U.S. agencies (FBI, CISA, NSA) worked with affected telecom firms to detect, contain, and expel Salt Typhoon intruders, though some persistence may remain.

  • Policy & Legislative Fallout: In response, legislation like the Secure American Communications Act was drafted to enforce stricter telecom cybersecurity standards; the U.S. also sanctioned individuals linked to Salt Typhoon.

North Korean threat actors are actively targeting job applicants in the cryptocurrency and blockchain sector, using deceptive recruitment tactics to deliver malware and compromise candidate devices.

According to Cisco Talos, a state-sponsored group known as Famous Chollima has been running a highly targeted campaign since mid-2024, primarily aimed at professionals in India with backgrounds in software engineering, marketing, and design.

The attackers pose as legitimate employers, directing applicants to counterfeit skill-assessment portals that impersonate known brands, such as Coinbase, Uniswap, Robinhood, and Archblock. These sites appear credible and are designed to collect personal information and trick users into deploying malware under the guise of technical testing.

Applicants are sent access codes to what appear to be formal evaluation platforms. Once engaged, they’re prompted to record a video interview. During this process, they’re instructed to approve camera access and execute locally pasted code, presented as a requirement for the recording setup. In reality, this step initiates the deployment of malware.

Cisco Talos identified the malware as PylangGhost, a custom payload exclusive to Famous Chollima. The infection mechanism, dubbed ClickFix, manipulates users into “resolving” a fake issue, coercing them into copying and executing commands that result in the installation of malware.

Variants of PylangGhost have been developed for both macOS and Windows, enabling attackers to exfiltrate browser-stored credentials, session cookies, and sensitive data from browser extensions.

This campaign is part of a broader North Korean strategy: embedding operatives inside Western crypto firms to steal funds and intelligence. These efforts generate both direct financial gains and valuable recruitment intelligence that can be used to refine infiltration methods or place North Korean nationals into sensitive roles.

Evidence suggests that some of these implants are latent—malware sits dormant on the applicant's machine until the victim secures a position at a legitimate blockchain firm, at which point access is reactivated. This approach was confirmed in the Radiant Capital breach, where a $50 million loss was traced back to a malware-laced PDF disguised as a contractor report. The payload, INLETDRIFT, was a macOS-specific backdoor designed for long-term persistence.

Since early 2023, analysts have consistently warned that MacBook users in the cryptocurrency space are prime targets for North Korean cyber operators, especially those involved in development, operations, or security.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
