Cryptocurrency Ransomware Rings, Data Leaks from Dating Apps, and Other Cybersecurity Developments

As part of ongoing operations, the activities of the BlackSuit cybercrime network, known for its involvement in the distribution of ransomware, were successfully disrupted.

The Cyber Police of Ukraine has joined the international operation named Checkmate, which includes law enforcement agencies from over five countries working alongside Europol and U.S. authorities.

The perpetrators developed malware that encrypted user data using various combinations of algorithms. They demanded ransom payments in cryptocurrency for decryption and non-disclosure of the stolen information.

According to the Cyber Police of Ukraine, the group has frequently changed its name.

The total amount demanded by the group has surpassed $500 million, with the largest single ransom reaching $60 million. Their targets were mainly commercial and public entities outside the CIS, particularly in the U.S., Europe, and Japan.

On April 15, the FBI in Dallas reported that over 20 bitcoins were confiscated during the operation. The cryptocurrency was traced back to an address believed to be linked to a member of the Chaos group operating under the alias Hors.

According to the U.S. Department of Justice, a lawsuit was filed on July 24, 2025, seeking the forfeiture of more than $2.4 million.

On July 28, representatives from Aeroflot reported difficulties regarding their information systems. This incident, claimed by hacking groups “Cyber Partisans BY” and Silent Crow, resulted in the cancellation of over 100 flights.

As reported by RBC, Aeroflot may have incurred losses exceeding 250 million rubles in a single day. Including expenses for infrastructure recovery, lost revenue, and damages, the total may reach several billion rubles.

Major pharmacy chains “Stolichki” and “Neopharm” also faced issues, halting their online reservation services and temporarily closing some retail locations. Roskomnadzor noted that there were no signs of DDoS attacks.

Earlier, Novabev Group announced cyberattacks that impacted the resources of the “Vinlab” alcohol retail chain. This disruption affected supermarkets in Moscow, the Moscow region, St. Petersburg, and other cities. The attackers demanded ransom; however, the company’s management refused to comply.

In response to a significant cyberattack that struck the state capital of St. Paul on July 25, Minnesota Governor Tim Walz called in the National Guard.

The incident persisted from July 26 to 27, causing widespread disruptions across the city, affecting digital services and critical systems.

“In the wake of discovering the cyberattack, the St. Paul authorities have been working around the clock, closely cooperating with the Minnesota Department of Information Technology and an external cybersecurity firm. Unfortunately, the scale and complexity of the incident surpassed the capabilities of both internal and commercial response services,” stated the emergency executive order.

By July 29, online payment systems were down, and some library and recreation center services were suspended. Authorities are collaborating with local, state, and federal agencies to investigate the incident and restore full operational capacity.

On July 25, the popular dating-safety application Tea experienced a data breach, resulting in the exposure of 72,000 confidential images, including selfies and photos of identification used for account verification, as well as images from user messages and posts.

A second vulnerability was later discovered, leading to additional user data leaks. On July 29, developers disabled the private messaging feature.

The developers claimed that the initial leak affected only users registered before February 2024. However, cybersecurity expert Kasra Rahjerdi informed 404 Media that the leaked database contained messages dating back to 2023 and included over 1.1 million total records.

According to Group-IB, the hacking group UNC2891, also known as LightBasin, employed a Raspberry Pi mini-computer with 4G support to attack a bank in a recently uncovered incident.

The single-board computer was physically connected to the ATM network switch, thus creating an invisible access channel to the bank’s internal infrastructure. This enabled the perpetrators to navigate across the network and install backdoors.

Group-IB identified the intrusion attempt during an investigation into suspicious activity. Experts suggest the attack’s goal was to counterfeit authorizations at ATMs and execute fraudulent cash withdrawals.

Although LightBasin did not achieve this objective, the incident exemplifies a rare hybrid attack combining physical access and remote penetration using sophisticated concealment techniques.
