Unmasking Cybersecurity Events: From GPS Data Leaks to Hacker Chats


We have compiled the most significant developments in cybersecurity from the past week.

On February 11, an unknown insider made public a collection of internal chats from the Black Basta ransomware group, which were originally hosted on the Matrix platform. Cyber threat researchers from PRODAFT drew attention to this revelation.

The correspondence spans from September 2023 to September 2024. It includes cryptocurrency wallet addresses, victim accounts, descriptions of phishing schemes, and hacking tactics.

Additionally, the chats disclosed the identities of certain group members, notably the suspected leader Oleg Nefedov (aliases GG, AA, “Trump”) and two probable administrators known as Lapa and YY.

Hudson Rock fed over a million of the internal messages into ChatGPT and launched an open tool called BlackBastaGPT for analyzing them.

Experts believe the leak may have resulted from internal conflicts within the gang.

A January breach at the American location-data broker Gravy Analytics led to a major data leak affecting users globally, from Russia to the United States. The broker had been reselling geolocation information collected through thousands of mobile applications.

The leaked database ties location records to advertising identifiers (IDFA on iOS and AAID on Android), which can often be used to track an individual’s movements and, in some cases, even to de-anonymize them.

Researcher Baptiste Robert conducted an experiment tracking the movements of a user from Columbus Circle in Manhattan to their home in Tennessee, and the following day to the residence of their parents. Relying solely on OSINT data, he discovered extensive personal information about this individual, including their mother’s name and the fact that their late father was a U.S. Air Force veteran.

The Gravy Analytics breach has raised concerns about the severe risks associated with the data broker industry.

Google Threat Intelligence Group reported that Russian hackers are actively attempting to compromise Signal accounts by abusing the device-linking feature. Potential victims are tricked into scanning malicious QR codes that link their messenger account to the attacker’s device.

To target specific individuals, phishing links are disguised as group invitations on Signal or as device pairing instructions from legitimate sources.

This attack vector is particularly dangerous because the attacker can monitor the victim’s secure conversations without ever gaining full control of the victim’s device.

Signal users are advised to update to the latest version of the app, which includes enhanced protection against phishing attacks identified by Google.

North Korean hackers from Lazarus have employed previously unknown JavaScript malware named Marstech1 in targeted attacks against blockchain developers, as reported by SecurityScorecard.

The malware is embedded in websites or npm packages associated with various cryptocurrency projects. Once it infects a victim’s device, it searches the Chromium browser directories for the MetaMask, Exodus, and Atomic Wallet extensions and modifies their settings.

Marstech1 was first observed in 2024 and has already impacted at least 233 individuals across the United States, Europe, and Asia.

Researchers traced the malware back to a public GitHub repository created by a now-blocked profile named SuccessFriend.

The hackers of the “Ukrainian Cyber Alliance” reported a breach of the infrastructure of the Russian microfinance company CarMoney, gaining access to a substantial amount of borrower data, including records of borrowers affiliated with the GRU, the FSB, and various military units.

To substantiate their claims, the group published documents for loans taken out in the names of servicemen Dmitry Solovyov and Maxim Vagin.

The Telegram channel “Agency” analyzed the leaks and found public records of individuals with matching names, dates, and places of birth. However, the outlet was unable to independently verify the information provided by the hackers.

In a post on its “VKontakte” page, the press service of CarMoney stated that “one of the company’s older websites” had been compromised, but that the personal data of clients and investors remained unaffected. Nevertheless, specialists temporarily deactivated all systems to conduct monitoring and prevent potential fallout.

CarMoney was founded by Eduard Gurinovich, who claims to be the exclusive partner of the game Hamster Kombat in Russia. Journalists also referenced the publication “Sobesednik,” noting that a share of CarMoney is owned by Lyudmila, the ex-wife of President Vladimir Putin.

Kaspersky Lab specialists found that on December 31, 2024, cybercriminals launched a mass infection campaign that deployed the XMRig cryptominer through trojanized versions of popular games on torrent sites. The campaign, dubbed StaryDobry, lasted for a month.

Malicious game releases for BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy were prepped in advance and uploaded to torrent trackers around September 2024. The compromised installers included popular simulations and sandbox games requiring minimal disk space.

After installation, the cryptominer would check the number of CPU cores and refuse to run on machines with fewer than eight. Additionally, the attackers hosted their mining pool server within their own infrastructure rather than using public pools, which complicates tracking of their profits.

This campaign affected individuals and businesses worldwide, including in Russia, Brazil, Germany, Belarus, and Kazakhstan.

We are investigating who is truly behind the series of “presidential” meme tokens.