June has been a high-stakes month in cybersecurity, marked by historic data breaches, rising AI abuse, and escalating cyber attacks shaking global industries and governments alike.
As threat actors evolve, so too must our defenses, and June’s developments prove the urgency.
Cybercrime Breaking News
- A record-breaking leak of 16 billion login credentials reveals the scale of infostealer operations.
- A cyber attack on United Natural Foods disrupts U.S. grocery supply chains coast to coast.
- OpenAI shuts down dozens of ChatGPT accounts tied to state-backed hacking operations.
Cybersecurity Justice & Regulation
- INTERPOL’s Operation Secure takes down 20,000+ malicious domains and arrests 32 people worldwide.
- French police dismantle BreachForums 2.0, tied to massive breaches across key French institutions.
- A former CIA analyst is sentenced after leaking top-secret defense plans involving Iran.
From AI-powered phishing to record-setting breaches and bold justice operations, June shows that the battle for cybersecurity isn’t just technical – it’s geopolitical.
Cybercrime Breaking News
A massive data breach involving 16 billion exposed login credentials (believed to stem from various infostealers) marks one of the largest leaks in history, raising serious concerns over account takeovers, identity theft, and targeted cyber attacks.
- United Natural Foods, a major U.S. food distributor and key Whole Foods supplier, says it’s making progress restoring systems after a June 5 cyber attack disrupted operations and left grocery shelves empty across the country.
- Aflac says it contained a cyber attack within hours but confirmed that files containing sensitive personal data were stolen in a broader campaign targeting the insurance industry.
- Nearly 3,000 North Face customer accounts were breached in a credential stuffing attack, exposing personal details like names, addresses, and purchase histories.
- Indian car-sharing company Zoomcar reported a data breach affecting 8.4 million users, exposing personal information such as names, phone numbers, and car registration numbers, although no financial data or passwords were compromised.
Exploited Vulnerabilities
Google has warned that cybercriminals are exploiting Salesforce’s Data Loader tool through sophisticated phone-based social engineering, tricking employees into installing malicious apps that grant access to sensitive corporate data. The campaign, led by threat group UNC6040, has impacted at least 20 organizations across multiple sectors and regions, with extortion attempts sometimes surfacing months after initial compromise.
CISA and Microsoft have warned of a high-severity Windows zero-day vulnerability actively exploited in an attack on a major Turkish defense organization, allowing attackers to execute code remotely via a malicious URL disguised as a military PDF.
CISA has also warned that ransomware gangs are exploiting a critical vulnerability in SimpleHelp remote access software (CVE-2024-57727) to target utility billing providers and large retail chains, urging immediate patching to prevent further double extortion attacks.
The FBI has also warned that millions of off-brand and aftermarket IoT devices may be infected with BadBox 2.0 malware, turning them into part of a global botnet used by cybercriminals to mask malicious activity and sell access to compromised home networks.
Threat hunters have uncovered a China-linked cyber espionage campaign dubbed LapDogs, which uses over 1,000 compromised SOHO devices worldwide (primarily in the U.S. and Southeast Asia) as covert infrastructure controlled via a custom backdoor called ShortLeash.
The FBI has confirmed that Scattered Spider is now targeting the airline industry, using advanced social engineering tactics to bypass MFA and gain access to high-value accounts.
Cybercriminals from the FIN6 group pose as job seekers on LinkedIn to trick recruiters into downloading fake resumes laced with the MoreEggs backdoor, enabling credential theft and potential ransomware attacks.
Cybersecurity and AI
OpenAI has taken down dozens of ChatGPT accounts linked to state-backed threat actors from countries including China, Russia, Iran, North Korea, and the Philippines, citing misuse for malware development, employment scams, and coordinated disinformation campaigns. The company said it found no evidence that access to ChatGPT gave these actors capabilities they couldn’t otherwise obtain, but emphasized that the activity highlights evolving abuse of AI tools in global cyber operations.
An Iranian state-sponsored group known as Educated Manticore, linked to the IRGC, has launched AI-crafted spear-phishing campaigns targeting Israeli journalists, cybersecurity experts, and professors, luring them via email and WhatsApp to fake Gmail and Google Meet pages to steal credentials.
Researchers say cybercriminals are selling jailbroken versions of AI tools from Mistral and xAI on dark web forums to generate malicious code, phishing emails, and hacking tutorials.
Cybersecurity Justice
A global crackdown on infostealer malware (Operation Secure) led by INTERPOL resulted in 32 arrests, the seizure of 41 servers, and the takedown of over 20,000 malicious IPs and domains across 26 countries, with Vietnam alone arresting 18 suspects linked to a scheme involving the sale of corporate accounts. Authorities also notified more than 216,000 victims of potential breaches and dismantled infrastructure tied to major malware strains like Lumma, RisePro, and Meta.
Police have dismantled Archetyp Market – one of the longest-running dark web drug platforms, with over 600,000 users and €250M in transactions – arresting its alleged German administrator in Spain and seizing €7.8M in assets after coordinated raids across six countries.
Singapore led a multinational law enforcement operation that dismantled dozens of scam centers across Asia, resulting in over 1,800 arrests and the seizure of $20 million tied to online fraud schemes that stole an estimated $225 million from victims.
The U.S. Department of Justice has filed a civil forfeiture complaint to claim over $7.74 million linked to a North Korean scheme in which IT workers used fake identities to gain remote jobs at U.S. companies and launder crypto earnings back to the regime.
- A former CIA analyst was sentenced to 37 months in prison for leaking Top Secret U.S. national defense information (including Israel’s planned attack on Iran) to unauthorized individuals, with some documents later surfacing on Telegram.
- French police reportedly arrested five individuals accused of operating the revived BreachForums site, which was linked to major data breaches at France Travail, SFR, Boulanger, and the French Football Federation, exposing sensitive data of millions.
- U.S. authorities charged a British national with breaching over 40 companies (including a telecom provider, healthcare organizations, and ISPs) in a years-long hacking spree that caused more than $25 million in damages worldwide.
- A suspected ransomware operator accused of helping extort over $100 million from global victims has been extradited from Ukraine to the U.S.
- Russia sentenced four men to five years in prison for payment card fraud linked to REvil but released them immediately, citing the nearly three years they had already served during their pre-trial detention.
- A Romanian man has pleaded guilty to orchestrating a years-long swatting and bomb threat conspiracy that endangered over 75 public officials, journalists, and religious institutions across the U.S., prompting armed law enforcement responses to fabricated emergencies.
- Nine Chinese nationals have been sentenced to one year in prison in Nigeria for their roles in an international cyberfraud syndicate that recruited and trained young Nigerians to carry out online scams, following a major raid that uncovered large-scale identity theft and cybercrime operations.
- The U.S. is offering $10 million for information on Iranian hacker “Mr. Soul,” linked to the IRGC-backed CyberAv3ngers group behind IOControl malware attacks on U.S. critical infrastructure, including water utilities and industrial control systems.
The U.S. House of Representatives has banned WhatsApp from official devices due to cybersecurity concerns, citing risks such as a lack of transparency and a lack of stored data encryption.
FinTech Updates
The U.S. Department of Justice has recovered $225.3 million in cryptocurrency linked to sophisticated investment scams (marking the largest crypto seizure in U.S. Secret Service history) after tracing funds from 400+ victims through a vast laundering network involving 93 scam addresses, 35 intermediary wallets, and support from Tether, TRM Labs, and OKX.
U.S. and Dutch authorities have taken down nearly 145 domains linked to BidenCash, a darknet marketplace that trafficked over 15 million stolen credit card numbers and generated $17 million in illicit revenue.
Five men have pleaded guilty to laundering nearly $37 million stolen through fake cryptocurrency investment scams run from Cambodian cyber scam centers, using shell companies, offshore bank accounts, and crypto wallets to move the funds.
Ukrainian police, with support from Europol, have arrested a hacker accused of breaching over 5,000 accounts at a global hosting provider and using its servers to mine cryptocurrency, causing nearly $4.5 million in damages.
Hackers linked to the group Gonjeshke Darande have stolen over $90 million from Iran’s largest crypto exchange, Nobitex, in what experts say appears to be a politically motivated attack rather than one driven by profit.
A ransomware attack on an Asian financial firm involving the Fog strain has alarmed experts due to its use of legitimate employee monitoring software and rare pentesting tools, raising concerns that espionage, not just extortion, may have been the attackers’ true goal.
Researchers have unveiled two new methods (bad shares and wallet banning) that exploit weaknesses in mining protocols to effectively shut down cryptomining botnets like those targeting Monero, forcing attackers to overhaul or abandon their operations.
Cybersecurity News Across The Globe
- Iran’s state TV was hacked to broadcast anti-government protest videos, amid escalating cyber tensions with Israel.
- An Iran-linked cyberespionage group known as BladedFeline has been targeting Kurdish and Iraqi government officials since at least 2017, using custom malware to maintain long-term access to sensitive systems, according to new research from cybersecurity experts.
- Pro-Cambodian hacktivists known as AnonSecKh have launched over 70 cyber attacks on Thai government and private-sector websites since late May, amid renewed border tensions following the fatal shooting of a Cambodian soldier.
- A ransomware attack on South Korea’s major ticketing platform Yes24 has paralyzed online bookings, disrupted concerts and musicals, and triggered a government investigation into potential data breaches.
- An infostealer infection on a Paraguayan government employee’s device led to the theft and leak of personal data on 7.4 million citizens in one of the largest breaches in the country’s history.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.

