Cyber Threat Report | November 2022




With the holiday season just around the corner, cybercriminals come out of hibernation, become more active and exploit every opportunity the season offers.

Around this time of year phishing is on the rise, with malicious actors posing as authorities or trusted third-party services via e-mail and messaging platforms.

So, before you click on a link or enter any sensitive data, make sure you check the authenticity of:

  • The address the message was actually sent from (the sender's domain, not just the display name)
  • The spelling and grammar of the text
  • The signature at the end

Remember to always stay wary and smart in the digital space!
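As an added illustration (not part of the original newsletter), the Python script below applies the checks above to a raw e-mail: it compares the From, Return-Path and Reply-To domains, reads the receiving server's Authentication-Results verdicts (SPF, DKIM, DMARC), and flags links whose host is outside an assumed allow-list, embeds a trusted name as a subdomain, or uses a punycode (xn--) label. The sample message, its headers and the TRUSTED_DOMAINS list are constructed for this example.

```python
"""Heuristic authenticity checks on a raw e-mail before trusting its links.
The sample message and TRUSTED_DOMAINS below are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the reader actually expects mail and links from (assumed for the example).
TRUSTED_DOMAINS = {"dropbox.com", "github.com"}

# Constructed phishing-style message; every header value here is fabricated.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-dr0pbox.xn--80ak6aa92e.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-dr0pbox.xn--80ak6aa92e.com; dkim=none; dmarc=fail header.from=dropbox.com
From: "Dropbox Security" <no-reply@dropbox.com>
Reply-To: support@dropbox-verify.co
To: dev@example.net
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Please verify here:
https://dropbox.com.account-check.xn--80ak6aa92e.com/login
Thank you,
The Dropbox Team
"""


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain.
    A production check would consult the public suffix list instead."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header(s)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[m.group(1)] = m.group(2).lower()
    return results


def check_email(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_dom = domain_of(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{name} domain {dom!r} does not match From domain {from_dom!r}")

    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} result is {verdicts.get(mech, 'missing')!r}, not 'pass'")

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"link host {host!r} uses a punycode (xn--) label")
        if registrable(host) not in TRUSTED_DOMAINS:
            findings.append(f"link host {host!r} is outside the trusted domains")
        # 'dropbox.com.evil.example' style: trusted name buried in a subdomain
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and registrable(host) != trusted:
                findings.append(f"link host {host!r} embeds trusted name {trusted!r} as a subdomain")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

The Authentication-Results header is only meaningful when it was written by your own receiving mail server; an attacker can add one to the message themselves, so a gateway should strip any copy that arrives from outside before this kind of check runs.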

On another note, November 2022 also brought crucial events for the cybersecurity space, including successful Interpol and Europol operations and DOJ arrests.

Within our newsletter, we'll provide you with a brief overview of the recent updates. Read on to find out more about:

  • Australia is considering making ransomware payments illegal, to reduce the profitability of cybercrime, following the Medibank breach and other ransomware attacks.
  • An official advisory reveals the substantial sum the Hive ransomware group has collected in ransom payments over the last 18 months.
  • A phishing scheme targeting Dropbox developer accounts gave attackers access to some of the company's code repositories. "Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more."
  • The Department of Justice seizes a "historic" $3.36 billion in cryptocurrency: what happened next?
  • Two Estonians are arrested, believed to have run an "astounding" Ponzi-style cryptocurrency fraud scheme.

Cybercrime Breaking News

Australia's Minister for Home Affairs and Cyber Security, Clare O'Neil, announced that the country is considering banning ransomware payments in order to undermine the profitability of the cybercriminal business model. The announcement followed the disclosure by Medibank, Australia's largest health insurance provider, that it would not pay the ransom demanded by the hackers, who gained access to the data of 9.7 million current and former customers. The Australian Federal Police (AFP) believe that Russia-based cybercriminals are behind the attack.

Following advice from a cybersecurity firm, Medibank stated: "Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target." At the end of November, the leak site used by the ransomware attackers went offline.

A joint advisory from the FBI, CISA, and the Department of Health and Human Services (HHS) notes that over an 18-month period (June 2021 to November 2022) the Hive ransomware group has collected more than $100 million in ransom payments. The Hive operators have carried out campaigns against over 1,300 companies worldwide.

A phishing attack targeted Dropbox developers and gave the attackers access to one of the company's GitHub accounts, where 130 code repositories were stored. The repositories held copies of third-party libraries, internal prototypes, and some security tools and configuration files. In an official statement, Dropbox noted that "No one's content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected."

Microsoft's Security Threat Intelligence team warns of the ways in which Royal ransomware is being distributed, including fake software download sites that serve phishing links and payloads packaged in VHD (virtual hard disk) files.

Finland's national Computer Emergency Response Team (CERT) reports a rise in denial-of-service attacks through October.

Cyberwar between Russia and Ukraine: Updates

A unit of Roskomnadzor, the Russian media and internet regulator, confirmed that its systems were attacked by hackers. The Belarusian hacktivist group Cyber Partisans claimed responsibility for the breach.

Cybersecurity Justice

Interpol's Operation HAECHI III, conducted over a five-month period, led to the arrest of almost 1,000 suspects and the seizure of nearly $130 million in virtual assets in fraud investigations, helping countries "recover and return illicitly obtained funds to victims" of cybercrime. The operation focused on voice phishing, romance scams, sextortion, investment fraud, and money laundering linked to illegal online gambling.

The Department of Justice (DOJ) announced that a defendant pleaded guilty to wire fraud for unlawfully obtaining cryptocurrency from the Silk Road dark web marketplace in 2012. The news comes after US law enforcement seized a "historic" $3.36 billion in cryptocurrency hidden in devices in the defendant's home.

DOJ: two Estonian citizens were arrested for a global cryptocurrency fraud scheme of "astounding" size and scope, worth $575 million. The 18-count indictment alleges that they sold fraudulent cryptocurrency mining contracts to investors across the globe. "These defendants capitalized on both the allure of cryptocurrency, and the mystery surrounding cryptocurrency mining, to commit an enormous Ponzi scheme," U.S. Attorney Nick Brown of the Western District of Washington noted in an official statement.

A UK-led operation, supported by Europol, led to the arrest of more than 140 suspects believed to be associated with the fraud-as-a-service website iSpoof.

CISA is partnering with the U.S. Department of State and the Spanish Ministry of the Interior to develop a capacity-building tool to "help countries utilize public-private partnerships (PPPs) to combat ransomware".

Ireland's Data Protection Commission announced a fine of €265 million (about $275 million) and a range of corrective measures for Meta Platforms Ireland Limited (MPIL), concluding its inquiry into the 2019 Facebook data breach.

An alleged gang member is awaiting extradition to the US in connection with the global LockBit ransomware campaigns.

FinTech Updates

At the beginning of the month the cryptocurrency platform Deribit was attacked by a cybercriminal, who stole $28 million from its hot wallet. Deribit said it would cover the losses from its own reserves and noted that 99% of user funds are held in "cold storage".

Other Industry News

About $300,000 was stolen from customers of the sports betting company DraftKings in a credential stuffing attack, in which attackers replay username and password pairs leaked from breaches of other sites against accounts whose owners reused them. DraftKings advised customers to use a unique password for every website and never to share their passwords with anyone.
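As an added example, not part of the original newsletter or of DraftKings' own tooling, the Python code below shows the detection logic a defender would run against authentication logs to tell credential stuffing apart from a brute-force attack on a single account or a user mistyping a password: one source address trying many distinct usernames within a short window, with a few of them succeeding. The log line format, the thresholds and the sample lines are all constructed for this example.

```python
"""Credential-stuffing detector over constructed login-audit lines.
Assumed line format for this example: '<ISO-time> ip=<addr> user=<name> result=<ok|fail>'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample: one stuffing source (12 users, 2 hits), one brute-force source
# hammering 'admin', and one legitimate user who mistypes twice before succeeding.
ATTACK_IP = "203.0.113.7"
SAMPLE_LINES = (
    [f"2022-11-18T03:00:{i:02d} ip={ATTACK_IP} user=u{i:02d} result={'ok' if i in (4, 9) else 'fail'}"
     for i in range(1, 13)]
    + [f"2022-11-18T03:05:{i:02d} ip=192.0.2.9 user=admin result=fail" for i in range(0, 9)]
    + ["2022-11-18T03:10:00 ip=198.51.100.5 user=bob result=fail",
       "2022-11-18T03:10:20 ip=198.51.100.5 user=bob result=fail",
       "2022-11-18T03:10:45 ip=198.51.100.5 user=bob result=ok"]
)
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_log(text):
    """Parse lines of the assumed format into (time, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip anything that does not match the assumed format
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect_stuffing(text, window=timedelta(minutes=5), min_attempts=8, min_distinct_users=5):
    """Flag source IPs whose peak activity within any sliding window has both many
    attempts and many distinct usernames. A single-user burst (brute force or a
    forgetful user) never clears the distinct-user threshold."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        peak_attempts = peak_users = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            peak_attempts = max(peak_attempts, len(span))
            peak_users = max(peak_users, len({e[2] for e in span}))
        if peak_attempts >= min_attempts and peak_users >= min_distinct_users:
            hits[ip] = {
                "attempts": peak_attempts,
                "distinct_users": peak_users,
                # accounts that accepted a password from this source: reset these first
                "successes": sorted({e[2] for e in evs if e[3] == "ok"}),
            }
    return hits


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The "successes" list is the actionable output: those are the accounts whose reused passwords worked and should be reset and their sessions revoked, which is exactly the scenario the unique-password advice above is meant to prevent. Real stuffing campaigns spread attempts across many proxy addresses, so in practice the same grouping is also run per user-agent, per ASN and per password-hash prefix rather than per IP alone.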

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report, and if you are interested in any of our privacy and cybersecurity services, please reach out through our website or by e-mailing

As always – be vigilant, stay alert, and think twice.

Ralitsa Kosturska in AMATAS