Cybersecurity Chronicles: From Drug Cartel Hacks to Global Fraud Scams

At the end of June, the U.S. Department of Justice released a report examining the FBI’s internal security.

The document revealed that in 2018, the Bureau was involved in an investigation that led to the arrest of the leader of Joaquín “El Chapo” Guzmán’s syndicate. An individual connected to the cartel informed the FBI that the criminal organization had hired a hacker. This cybercriminal accessed electronic devices and mobile phones, monitoring individuals who visited the U.S. embassy in Mexico City. Among those surveilled was an FBI assistant legal attaché stationed abroad.

The hacker used the FBI employee’s phone number to obtain call logs and geolocation data. The perpetrator also tapped into the city’s camera surveillance system to track the legal attaché’s movements and identify the people he met with.

According to the cartel-connected source, the cartel used this information to intimidate and eliminate potential witnesses and informants.

In Spain, the Civil Guard, working with Europol, uncovered a large fraud network that had swindled over €460 million from more than 5,000 victims worldwide by offering fake cryptocurrency investments.

On June 25, law enforcement apprehended three suspects in the Canary Islands and two more in Madrid. Europol has been coordinating the investigation since 2023 and brought in a cryptocurrency expert for the operation in Spain.

Investigators believe the organizers set up a worldwide scheme for collecting funds via bank transfers, cryptocurrency transactions, and cash. They reportedly used payment gateways, accounts on crypto exchanges, and a corporate structure linked to Hong Kong. The network relied on “vendors” around the world who lured victims to counterfeit investment platforms.

The release of Call of Duty: WWII triggered a wave of hacks. On July 3, just two days after launch, players began reporting attacks by an unidentified hacker using remote code execution (RCE).

Leveraging vulnerabilities in multiplayer mode, the hacker executed arbitrary commands on users’ computers during gameplay and streaming sessions.

In some cases the hacker forcibly opened Notepad, displayed “undesired content” on screen, and rebooted the system.

While some gamers were surprised, many felt it was expected that exploits would surface quickly. “I appreciate you giving me the heads-up, man. It’s not shocking because it seems that multiplayer uses P2P connections rather than dedicated servers. I could be mistaken, but it seems that way…”

According to player MikeRxqe, the outdated P2P networking model used in the game significantly simplifies the process of obtaining players’ IP addresses. In such scenarios, users directly connect to one another, making each individual’s IP address visible to the others.

Once that information is gathered, the attacker can send specially crafted network packets directly to the victim. These packets are disguised as legitimate game data (such as movement and shot updates) but carry malicious payloads.
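The defensive counterpart of the point above is that in a peer-to-peer game every packet arrives from an untrusted peer and must be validated before it is acted on. The following is an added example, not code from the game, Activision, or the article: it parses a constructed, hypothetical message format (a 1-byte type, a 2-byte length, then a fixed-size payload per type) and rejects packets whose declared length, actual size, or type do not match, which is the class of check whose absence lets a disguised “movement” or “shot” packet carry something else.

```python
import struct

# Constructed, hypothetical P2P game message layout (not any real game's
# protocol): 1-byte type, 2-byte big-endian payload length, then the payload.
# Every type has exactly one legal payload size.
MAX_PAYLOAD = {
    0x01: 12,   # MOVE: three float32 coordinates
    0x02: 6,    # SHOT: weapon id (uint16) + target id (uint32)
}
HEADER = struct.Struct(">BH")


class MalformedPacket(ValueError):
    """Raised for any packet that fails validation; the caller drops it."""


def parse_peer_packet(data: bytes) -> dict:
    """Parse one packet from an untrusted peer, failing closed on anything odd."""
    if len(data) < HEADER.size:
        raise MalformedPacket("truncated header")
    msg_type, length = HEADER.unpack_from(data)
    if msg_type not in MAX_PAYLOAD:
        raise MalformedPacket(f"unknown message type 0x{msg_type:02x}")
    # The declared length must be the one legal size for this type ...
    if length != MAX_PAYLOAD[msg_type]:
        raise MalformedPacket(f"bad length {length} for type 0x{msg_type:02x}")
    # ... and the packet on the wire must be exactly that long (no trailing bytes).
    if len(data) != HEADER.size + length:
        raise MalformedPacket("declared length does not match packet size")
    payload = data[HEADER.size:]
    if msg_type == 0x01:
        x, y, z = struct.unpack(">fff", payload)
        return {"type": "MOVE", "pos": (x, y, z)}
    weapon, target = struct.unpack(">HI", payload)
    return {"type": "SHOT", "weapon": weapon, "target": target}


def handle_packets(packets):
    """Return (accepted messages, number of rejected packets)."""
    accepted, rejected = [], 0
    for pkt in packets:
        try:
            accepted.append(parse_peer_packet(pkt))
        except MalformedPacket:
            rejected += 1   # drop; never act on malformed peer input
    return accepted, rejected


# Constructed sample traffic: two valid messages followed by three packets
# that look like game data but lie about their size or type.
SAMPLE_PACKETS = [
    HEADER.pack(0x01, 12) + struct.pack(">fff", 1.0, 2.0, 3.0),   # valid MOVE
    HEADER.pack(0x02, 6) + struct.pack(">HI", 7, 42),             # valid SHOT
    HEADER.pack(0x01, 12) + b"A" * 64,   # header says 12 bytes, carries 64
    HEADER.pack(0x01, 64) + b"A" * 64,   # claims an oversized MOVE payload
    HEADER.pack(0x7F, 0),                # unknown message type
]

if __name__ == "__main__":
    msgs, dropped = handle_packets(SAMPLE_PACKETS)
    print(f"accepted {len(msgs)} messages, dropped {dropped} malformed packets")
```

The design choice worth noting is that the parser fails closed: a packet is dropped unless it matches the one legal shape for its type, rather than being accepted whenever it "looks like" a movement or shot update. The same fixed-size-per-type rule also removes the need for any attacker-controlled length to drive a copy.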

On July 2, Activision carried out “short-term technical maintenance” on the servers, but no official statement linked this work to the RCE vulnerability.

The ICEBlock app for iPhone allows users to anonymously report sightings of agents from the U.S. Immigration and Customs Enforcement (ICE) and went viral following comments made by Attorney General Pam Bondi.

The majority of ICEBlock’s users—about 20,000—are located in Los Angeles, where ICE raids have become increasingly common in recent weeks. Following Bondi’s evening remarks, on July 2 the app surged to the top of the U.S. free app download charts.

Using ICEBlock, users can share information about the whereabouts of ICE agents within a range of approximately 8 kilometers. The app sends alerts about the presence of nearby enforcement personnel.

On July 1, the Spanish police arrested two individuals in Las Palmas province on suspicion of cybercrimes, including data theft from government bodies.

The suspects were described as a “serious threat to national security.” The investigation began after law enforcement observed a leak of personal information directly affecting politicians, members of the central and regional governments, and media professionals.

It is believed that the first suspect specialized in data extraction, while the second managed the financial aspects, selling access to databases and accounts, and overseeing a cryptocurrency wallet where funds were deposited.

Both were detained. During searches, police seized a large number of electronic devices that could lead to additional evidence, buyers, or accomplices.

North Korean hackers are using a new family of malware for macOS named NimDoor, targeting cryptocurrency and Web3 organizations.

The attack chain begins with contacting victims via Telegram and persuading them to install a fake Zoom update; the lure is delivered through the Calendly scheduling service and email.

In a report released on July 2 by SentinelOne, specialists indicated that the perpetrators utilized binary files compiled in C++ and Nim to attack macOS, which is quite an uncommon choice.

The most intricate component of the attack is the event-driven application CoreKitAgent. Notably, it uses resilience mechanisms that make it difficult to terminate and remove cleanly.

At the TROOPERS security conference, researchers from ERNW reported three vulnerabilities in Airoha systems-on-chip (SoCs). These chips are widely used in speakers, headphones, headsets, and wireless microphones, spanning 29 devices.

The flaws in the Bluetooth chipset allow eavesdropping and theft of confidential information. Products from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel are affected.

The security flaws allow an attacker to take control of the device. With some smartphones, an attacker within Bluetooth range could extract call logs and contact lists.

Airoha has released an updated SDK with the necessary protective measures, and device manufacturers have already begun developing and distributing patches.

According to ESET experts, the number of thefts via contactless payment systems continues to rise. In the first half of the year alone, NFC attacks worldwide increased thirty-fivefold compared to 2024.

The scheme combines traditional attack methods (social engineering, phishing, Android malware) with a tool called NFCGate, producing an entirely new scenario.

The NGate malware relays NFC data remotely between two devices, including bank card data, bypassing defenses by acting as if it were the victim.

According to ESET, one-fifth of all installed NGate malware in the world is located in Russia. Scammers trick victims into installing software disguised as legitimate government services or bank applications, leading to fund theft. Early in 2025, the damage amounted to 40 million rubles.

The extensions, indistinguishable from the originals, come with a plethora of fake reviews and ratings to gain users’ trust.

Over 40 counterfeit extensions for the Firefox browser are designed to steal cryptocurrency wallet data, masquerading as solutions from popular platforms like Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.

Once installed, the software quietly steals user data, putting their assets at risk. During initialization, the extensions also transmit the victim’s external IP address, presumably for tracking or targeted attacks.

The campaign has been active since at least April 2025. New malicious extensions were still being uploaded to the Firefox catalog as recently as late June.

The latest edition of the monthly digest, FLMonthly, offers insights into pressing cybersecurity issues in an interview with Grigory Osipov, the director of investigations at “Shard.”