Police in the UK have arrested a 17-year-old suspected hacker. The arrest is connected to the Rockstar Games hack that led to the GTA VI leak. The individual may have been involved with an intrusion at Uber as well.
According to journalist Matthew Keys’ sources, the arrest is the result of an investigation involving the City of London Police, the UK’s National Cyber Crime Unit and the FBI. The police and/or the FBI are expected to reveal more details about the arrest later today. The City of London Police told Engadget it had “no further information to share at this stage.”
The GTA VI leak is unquestionably one of the biggest in video game history. Last weekend, the hacker shared a trove of footage from a test build of the game, which is one of the most hotly anticipated titles around. Rockstar, which tends to keep a tight lid on its development process, confirmed that the leak was legitimate. It said the incident won’t impact work on the game and that it will “properly introduce” fans to the next title in the blockbuster series once it’s ready.
Uber was also subject to a hack this month. The company said that the hacker in question didn’t access user accounts but, as of Monday, it was still trying to determine the impact of the intrusion. Uber also noted reports suggesting that the same person or group might have been responsible for the Rockstar hack. In addition, it said the perpetrator may be connected to the Lapsus$ hacking group.
The 17-year-old was arrested in Oxfordshire, where one of the leaders of Lapsus$ is said to live. In March, it was reported that a 16-year-old from Oxford (who may have had a birthday since then) had been identified by researchers and hackers as having ties to the group. That same month, City of London Police arrested a number of people with alleged ties to Lapsus$, but it wasn’t confirmed whether the Oxford teen was among them. Lapsus$ has also targeted the likes of Okta and other major tech companies.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
I didn’t think I would be scared of a USB cable until I went to Def Con. But that’s where I first learned about the O.MG Cable. Released at the notorious hacker conference, the Elite cable wowed me with a combination of technical prowess and an extremely stealthy design.
Put simply, you can do a lot of damage with a cable that doesn’t behave the way your target expects.
What is it?
It’s just an ordinary, unremarkable USB cable — or that’s what a hacker would want you to think.
“It’s a cable that looks identical to the other cables you already have,” explains MG, the cable’s creator. “But inside each cable, I put an implant that’s got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it.”
That means this ordinary-looking cable is, in fact, designed to snoop on the data that passes through it and send commands to whatever phone or computer it’s connected to. And yes, there’s a Wi-Fi access point built into the cable itself. That feature existed in the original cable, but the newest version comes with expanded network capabilities that make it capable of bidirectional communications over the internet — listening for incoming commands from a control server and sending data from whatever device it’s connected to back to the attacker.
What can it do?
To stress it again: for a totally normal-looking USB cable, its power and stealth are impressive.
Firstly, like the USB Rubber Ducky (which I also tested at Def Con), the O.MG cable can perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then typing in text commands. That already gives it a huge range of possible attack vectors: using the command line, it could launch software applications, download malware, or steal saved Chrome passwords and send them over the internet.
It also contains a keylogger: if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and save up to 650,000 key entries in its onboard storage for retrieval later. Your password? Logged. Bank account details? Logged. Bad draft tweets you didn’t want to send? Also logged.
(This would most probably require physical access to a target machine, but there are many ways that an “evil maid attack” can be executed in real life.)
Lastly, about that built-in Wi-Fi. Many “exfiltration” attacks — like the Chrome password theft mentioned above — rely on sending data out over the target machine’s internet connection, which runs the risk of being blocked by antivirus software or a corporate network’s configuration rules. The onboard network interface skirts around these protections, giving the cable its own communications channel to send and receive data and even a way to steal data from targets that are “air gapped,” i.e., completely disconnected from external networks.
Basically, this cable can spill your secrets without you ever knowing.
How much of a threat is it?
The scary thing about the O.MG cable is that it’s extremely covert. Holding the cable in my hand, there was really nothing to make me suspicious. If someone had offered it as a phone charger, I wouldn’t have had a second thought. With a choice of connections from Lightning, USB-A, and USB-C, it can be adapted for almost any target device including Windows, macOS, iPhone, and Android, so it’s suitable for many different environments.
For most people, though, the threat of being targeted is very low. The Elite version costs $179.99, so this is definitely a tool for professional penetration testing, rather than something a low-level scammer could afford to leave lying around in the hope of snaring a target. Still, costs tend to come down over time, especially with a streamlined production process. (“I originally made these in my garage, by hand, and it took me four to eight hours per cable,” MG told me. Years later, a factory now handles the assembly.)
Overall, chances are that you won’t be hacked with an O.MG cable unless there’s something that makes you a valuable target. But it’s a good reminder that anyone with access to sensitive information should be careful with what they plug into a computer, even with something as innocuous as a cable.
Could I use it myself?
I didn’t get a chance to test the O.MG cable directly, but judging by the online setup instructions and my experience with the Rubber Ducky, you don’t need to be an expert to use it.
The cable takes some initial setup, like flashing firmware to the device, but can then be programmed through a web interface that’s accessible from a browser. You can write attack scripts in a modified version of DuckyScript, the same programming language used by the USB Rubber Ducky; when I tested that product, I found it easy enough to get to grips with the language but also noted a few things that could trip up an inexperienced programmer.
Given the price, this wouldn’t make sense as a first hacking gadget for most people — but with a bit of time and motivation, someone with a basic technical grounding could find many ways to put it to work.
Hackers have found an unusual and unconventional method to infect PCs with malware: distributing dangerous code with Windows Calculator.
The individuals behind the well-known QBot malware have managed to find a way to use the program to side-load malicious code on infected systems.
As reported by Bleeping Computer, Dynamic Link Library (DLL) side-loading is when a legitimate DLL is spoofed by a malicious file of the same name, which is placed in a folder the trusted program searches before the system directory, so the operating system loads the doctored version instead of the real DLL.
QBot, a strain of Windows malware, was initially known as a banking trojan. However, ransomware gangs now rely on it due to its evolution into a malware distribution platform.
QBot has been utilizing the Windows 7 Calculator program in particular to execute DLL side-loading attacks, according to security researcher ProxyLife. These attacks have been infecting PCs since at least July 11, and it’s also an effective method for carrying out malicious spam (malspam) campaigns.
The malspam emails carry an HTML file attachment that contains a ZIP archive; the archive holds an ISO file, which in turn contains a .LNK shortcut file, a copy of ‘calc.exe’ (Windows Calculator), and two DLL files: WindowsCodecs.dll and a malicious payload (7533.dll).
Mounting the ISO file reveals a shortcut which, as the properties dialog shows, points to the bundled copy of Windows Calculator. Once that shortcut has been opened, the infection infiltrates the system with QBot malware through Command Prompt.
Because Windows Calculator is obviously a trusted program, tricking the system into delivering a payload through the app means security software could fail to detect the malware itself, making it an extremely effective — and creative — way to avoid detection.
That said, this Calculator-based DLL side-loading trick no longer works on Windows 10 or Windows 11, so anyone still running Windows 7 should be wary of suspicious emails and ISO files.
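Defenders who process mail attachments can triage unpacked archive contents for exactly the combination described above. The following Python script is an added example, not code from the article or from the researchers it cites: it takes a list of file paths (a constructed listing that mirrors the ISO contents described above) and flags any directory that pairs a copied Windows system executable with a .LNK shortcut and a DLL bearing the name of a library Windows normally loads from System32. The executable and DLL name sets beyond calc.exe and WindowsCodecs.dll are illustrative additions.

```python
"""Heuristic triage of extracted mail attachments for DLL side-loading bait.

Added example, not code from the article or the researchers it cites. It
reads a list of file names (here a constructed listing that mirrors the ISO
described in the article) and flags directories that pair a copied Windows
system executable with a shortcut and a DLL named after a library Windows
normally loads from C:\\Windows\\System32.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# System executables that have no business inside a mail attachment. calc.exe
# is the one the article names; the other two are illustrative additions.
SYSTEM_EXECUTABLES = {"calc.exe", "notepad.exe", "mspaint.exe"}

# DLLs that ship in System32. A same-named copy next to a bundled executable
# is the classic side-loading tell. WindowsCodecs.dll comes from the article;
# the others are well-known system DLL names added for illustration.
SYSTEM_DLLS = {"windowscodecs.dll", "version.dll", "dbghelp.dll", "cryptsp.dll"}


@dataclass
class Finding:
    directory: str
    executable: str
    lookalike_dlls: list[str] = field(default_factory=list)  # named like System32 DLLs
    shortcuts: list[str] = field(default_factory=list)       # .LNK lures
    other_dlls: list[str] = field(default_factory=list)      # candidate payloads

    def score(self) -> int:
        """0 to 3: one point each for a lookalike DLL, a shortcut, and any other DLL."""
        return (int(bool(self.lookalike_dlls)) + int(bool(self.shortcuts))
                + int(bool(self.other_dlls)))


def triage_listing(paths: list[str]) -> list[Finding]:
    """Group paths by directory; report directories that pair a system
    executable with at least one side-loading indicator."""
    by_dir: dict[str, list[str]] = {}
    for raw in paths:
        path = PureWindowsPath(raw)
        by_dir.setdefault(str(path.parent).lower(), []).append(path.name)

    findings: list[Finding] = []
    for directory, names in by_dir.items():
        lower = {name.lower(): name for name in names}
        for exe in sorted(SYSTEM_EXECUTABLES.intersection(lower)):
            finding = Finding(directory, lower[exe])
            for low, original in lower.items():
                if low.endswith(".dll"):
                    bucket = finding.lookalike_dlls if low in SYSTEM_DLLS else finding.other_dlls
                    bucket.append(original)
                elif low.endswith(".lnk"):
                    finding.shortcuts.append(original)
            if finding.score() > 0:
                findings.append(finding)
    return findings


# Constructed listing modelled on the ISO contents the article describes.
SAMPLE_LISTING = [
    r"invoice\Invoice.lnk",
    r"invoice\calc.exe",
    r"invoice\WindowsCodecs.dll",
    r"invoice\7533.dll",
    r"docs\readme.txt",
]

if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"[score {f.score()}] {f.directory}\\{f.executable}: "
              f"lookalike={f.lookalike_dlls} shortcuts={f.shortcuts} other={f.other_dlls}")
```

The script works on a file listing rather than mounting the ISO itself, so it can run wherever a mail gateway or sandbox has already unpacked the attachment. A directory holding only a stray calc.exe produces no finding, which keeps the heuristic quiet on harmless copies, while the full lure (shortcut, system executable, lookalike DLL and a second DLL) scores the maximum of 3.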
Windows Calculator is not a program threat actors commonly use to infiltrate targets, but given the current state of hacking and its advancement, nothing seems to be beyond the realm of possibility. QBot itself first appeared more than a decade ago, and it has previously been used for ransomware purposes.
Elsewhere, we’ve been seeing an aggressive rate of activity in the malware and hacking space throughout 2022, such as the largest HTTPS DDoS attack in history. Ransomware gangs themselves are also evolving, so it’s not a surprise they’re continuously finding loopholes to benefit from.
With the alarming rise in cybercrime in general, technology giant Microsoft has even launched a cybersecurity initiative, with the “security landscape [becoming] increasingly challenging and complex for our customers.”
Cybercrime may be a global industry — but that doesn’t mean criminals are immune from facing prosecution across borders.
The Department of Justice (DOJ) announced today that it had extradited dual Romanian / Latvian national Mihai Ionut Paunescu — known as “Virus” — to the US from Colombia for allegedly designing malware used to steal money from bank accounts across the world and operating the infrastructure used to distribute it.
Paunescu is alleged to be one of the creators of the Gozi Virus, a Trojan that infected millions of computers in countries including the US, UK, Germany, Italy, and Finland between 2007 and 2012. Distributed through corrupted PDF documents, the Gozi Virus captured banking login details and passwords from infected machines, allowing its creators to steal tens of millions of dollars from bank accounts around the world.
According to an indictment filed in 2013 in the Southern District Court of New York, Paunescu also ran a “bulletproof hosting” service that was rented out to other cybercriminals, providing servers that could be used for online criminal activity like distributing malware and controlling botnets while keeping the operators’ identities anonymous.
The indictment also claims that NASA was a victim of the malware, with one of the allegations stating:
From in or about late 2011 through at least in or about mid-2012, MIHAI IONUT PAUNESCU a/k/a/ “Virus” … caused approximately 60 computers belonging to the National Aeronautics and Space Administration (“NASA”) to be infected with the Gozi Virus, resulting in approximately $19,000 in losses to NASA.
Per other details shared by US prosecutors, Paunescu was also a pioneer of a financial model that has now become commonplace, where he would rent access to the virus and its proceeds to other cybercriminals rather than using it himself. Paunescu allegedly charged $500 per week to use the Gozi Virus as a service.
In the aftermath of the Gozi Virus’ main activity period, Paunescu was arrested in Romania in 2012 but managed to avoid extradition after being released on bail. Almost 10 years later, he was caught in Colombia in June 2021 after being detained at Bogota airport, according to Colombia’s attorney general.
In a statement, Damian Williams, US attorney for the Southern District of New York, emphasized the willingness of prosecutors and law enforcement agencies to track cyber criminals over the long term.
“Even though he was initially arrested in 2012, Paunescu will finally be held accountable inside a U.S. courtroom,” Williams said. “This case demonstrates that we will work with our law enforcement partners here and abroad to pursue cyber criminals who target Americans, no matter how long it takes.”
Previously, another Latvian programmer involved in designing the virus was also extradited to the US and sentenced to 37 months in prison and a $7 million fine after taking a plea bargain.
So-called “bulletproof” hosting services play a crucial role in enabling global cybercrime, but operators often escape prosecution by hiding their identities or basing their activities in obscure locations. In 2019, police in Germany raided a former NATO bunker that had been converted into a bulletproof hosting data center by a Dutch national who had bought it from local authorities.
An anonymous hacker has stated that he has successfully infiltrated the Shanghai police department’s database. In doing so, he apparently extracted personal information of a staggering one billion Chinese citizens.
The individual, ‘ChinaDan’, took sole responsibility for the data breach. As reported by Reuters and PCMag, he detailed the incident on hacker forum Breach Forums.
He’s currently offering the huge amount of information for 10 Bitcoins, which would translate to around $200,000 at current rates. The aforementioned data is said to equal 23 terabytes (TB) in size.
Dan said he obtained the files containing the names, addresses, and mobile numbers from the Shanghai National Police (SHGA) database.
He also reportedly managed to gain access and retrieve the birthplaces, national ID numbers, and every single crime case related to the one billion citizens, all of whom are based primarily in China.
As of now, Reuters has not been able to confirm whether the claim in the post is genuine. The Shanghai government and its police department have yet to comment on the situation since it materialized earlier this week.
That said, Zhao Changpeng, CEO of popular cryptocurrency exchange Binance, confirmed that the company has intensified its user verification processes. Why? Its threat intelligence arm detected that these records are now being sold on the dark web.
The leak could be attributed to “a bug in an Elastic Search deployment by a (government) agency,” he detailed in a tweet. “This has impact on hacker detection/prevention measures, mobile numbers used for account takeovers, etc.”
He continued that “apparently, this exploit happened because the gov developer wrote a tech blog on CSDN [the China Software Developer Network] and accidentally included the credentials.”
Kendra Schaefer, the head of tech policy research at consultancy Trivium China, said that if the data was actually obtained via the Ministry of Public Security, it would naturally be bad for “a number of reasons. Most obviously it would be among [the] biggest and worst breaches in history,” she said.
Indeed, if the claim from the hacker is ultimately verified, then the cyber incident would rank as probably the largest data breach in history.
The post from ChinaDan itself is already generating a considerable amount of discussion on Chinese social media platform Weibo, as well as WeChat, throughout the weekend. In fact, the hashtag “data leak” was blocked on Weibo by Sunday afternoon, according to Reuters.
Elsewhere, SSNDOB, an underground online marketplace that sold the personal details of around 24 million U.S. citizens, was recently shut down. That service’s profits far exceeded Dan’s $200,000 asking price: blockchain analysis company Chainalysis confirmed that it found $22 million in Bitcoin transactions received by SSNDOB since April 2015.
2022 has undoubtedly been a busy year for hackers in general. There have been a number of unprecedented situations related to the hacking scene, ranging from various shutdowns such as the largest dark web marketplace being taken offline, to Microsoft launching its own cybersecurity initiative to combat the sheer rise in cybercrime.
A hacker (or group of hackers) claims to have stolen data on a billion Chinese citizens from a Shanghai police database. According to reports, the hacker is attempting to sell 23 terabytes of data for 10 bitcoin, which is worth just over $198,000 at the time of writing.
The data includes names, addresses, birthplaces, national IDs and phone numbers. Reports say the hacker provided a sample of the data, which included crime reports dating as far back as 1995. Reporters confirmed the legitimacy of at least some of the data by calling people whose numbers were listed.
It’s not yet clear how the hacker infiltrated the police database, though there have been suggestions that they gained access via Alibaba’s cloud computing arm, Aliyun, which was said to host the database. Alibaba said it’s investigating the matter.
The true scope of the leak is unknown. However, cybersecurity experts have dubbed it the biggest cybersecurity breach in China’s history.
The US Treasury Department blames North Korean hacking group Lazarus for stealing $625 million in cryptocurrency from the Ronin network, the blockchain backing the Axie Infinity play-to-earn crypto game, according to a report from Vice. On Thursday, the Department of Treasury updated sanctions to include the wallet address that received the funds and attributed it to the Lazarus group.
In an updated post about the incident, the Ronin network, which is owned by developer group Sky Mavis, explains the US Department of Treasury and FBI have pinned the attack on Lazarus. “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” the post reads. “We expect to deliver a full post mortem that will detail security measures put in place and next steps by the end of the month.” Ronin says it will bring its bridge back online “by the end of the month.” The bridge allows users to transfer funds between other blockchains and Axie Infinity and has been blocked off since the attack.
As noted by Vice, the flagged wallet address currently contains over $445 million USD (148,000 Ethereum) and sent almost $10 million (3,302.6 ETH) to another address less than a day ago. Crypto transaction tracker Etherscan labels the address as “reported to be involved in a hack targeting the Ronin bridge.”
On March 29th, hackers made off with $625 million worth of Ethereum in one of the biggest crypto heists to date. According to cryptocurrency investigation group Chainalysis, the Lazarus group is tied to North Korea’s intelligence agency and was responsible for seven attacks last year. The group gained notoriety for hacking Sony Pictures in 2014, leaking The Interview, a comedy set in North Korea directed by Seth Rogen. It later used Trojan malware to steal millions from ATMs across Asia and Africa in 2018 and has also been linked to WannaCry ransomware.
On Sunday, an attacker managed to drain around $182 million of cryptocurrency from Beanstalk Farms, a decentralized finance (DeFi) project aimed at balancing the supply and demand of different cryptocurrency assets. Notably, the attack exploited Beanstalk’s majority vote governance system, a core feature of many DeFi protocols.
The attack was spotted on Sunday morning by blockchain analytics company PeckShield, which estimated the net profit for the hacker was around $80 million of the total funds stolen, minus some of the borrowed funds that were required to perform the attack.
Beanstalk admitted to the attack in a tweet shortly afterward, saying they were “investigating the attack and will make an announcement to the community as soon as possible.”
Beanstalk describes itself as a “decentralized credit based stablecoin protocol.” It operates a system where participants earn rewards by contributing funds to a central funding pool (called “the silo”) that is used to balance the value of one token (known as a “bean”) at close to $1.
Like many other DeFi projects, the creators of Beanstalk — a development team called Publius — included a governance mechanism where participants could vote collectively on changes to the code. Participants obtained voting rights in proportion to the value of tokens they held, creating a vulnerability that would prove to be the project’s undoing.
The attack was made possible by another DeFi product called a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time (minutes or even seconds). Flash loans are meant to provide liquidity or take advantage of price arbitrage opportunities but can also be used for more nefarious purposes.
According to analysis from blockchain security firm CertiK, the Beanstalk attacker used a flash loan obtained through the decentralized protocol Aave to borrow close to $1 billion in cryptocurrency assets and exchanged these for enough beans to gain a 67 percent voting stake in the project. With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit.
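The sequence CertiK describes can be reproduced in a toy model that also shows why two standard countermeasures work. The Python below is an added example, not Beanstalk’s contract code or CertiK’s analysis; the holders alice and bob, the attacker mallory, the treasury size, the 1:1 swap of borrowed funds for governance tokens and the two-thirds threshold are all constructed. With voting power read from live balances and execution in the same block, the flash loan drains the treasury; weighting votes by balances recorded in the block before the proposal was created, or adding a timelock between approval and execution, stops it, while a proposal the real holders back still passes.

```python
"""Toy model of token-weighted governance and a single-block flash-loan takeover.

Added example, not Beanstalk's contract code or CertiK's analysis. The holders,
the attacker, the treasury, the 1:1 swap and the 2/3 threshold are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # constructed threshold, matching the 67% stake in the article


class GovernanceError(Exception):
    """Raised when governance rules reject a vote or an execution."""


@dataclass
class Proposal:
    proposer: str
    block_created: int
    votes_for: float = 0.0
    executed: bool = False


@dataclass
class Governance:
    """Token-weighted control over a treasury.

    prior_block_weights=False reads voting power from live balances (the pattern
    in the article). True weighs votes by balances recorded at the end of the
    block before the proposal was created, so tokens bought with a flash loan in
    the proposal's own block carry no weight. execution_delay is a timelock in
    blocks between approval and execution.
    """
    balances: dict[str, float]
    treasury: float
    prior_block_weights: bool = False
    execution_delay: int = 0
    block: int = 1
    history: list[dict[str, float]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.history = [dict(self.balances)]  # history[b] = balances at end of block b

    def advance_block(self) -> None:
        self.history.append(dict(self.balances))
        self.block += 1

    def weights(self, proposal: Proposal) -> dict[str, float]:
        if self.prior_block_weights:
            return self.history[proposal.block_created - 1]
        return self.balances

    def propose(self, who: str) -> Proposal:
        return Proposal(who, self.block)

    def vote(self, proposal: Proposal, who: str) -> None:
        proposal.votes_for += self.weights(proposal).get(who, 0.0)

    def execute(self, proposal: Proposal) -> float:
        """Pay out the whole treasury if the proposal passed; return the amount."""
        supply = sum(self.weights(proposal).values())
        if proposal.votes_for < SUPERMAJORITY * supply:
            raise GovernanceError("supermajority not reached")
        if self.block < proposal.block_created + self.execution_delay:
            raise GovernanceError("timelock has not elapsed")
        proposal.executed = True
        paid, self.treasury = self.treasury, 0.0
        return paid


def flash_loan_attack(gov: Governance, attacker: str, loan: float) -> float:
    """Borrow, buy voting power, propose, vote, execute and repay within one
    block, as a flash loan requires. Returns the gain, 0.0 if the rules stop it."""
    gov.balances[attacker] = gov.balances.get(attacker, 0.0) + loan  # toy 1:1 swap
    proposal = gov.propose(attacker)
    gov.vote(proposal, attacker)
    try:
        gained = gov.execute(proposal)
    except GovernanceError:
        gained = 0.0
    gov.balances[attacker] -= loan  # swap back and repay the loan
    return gained


def attack_scenario(prior_block_weights: bool, execution_delay: int) -> float:
    """Honest holders control 100 tokens; mallory borrows enough for 300 more,
    a 75% stake if live balances are used."""
    gov = Governance({"alice": 60.0, "bob": 40.0}, treasury=1000.0,
                     prior_block_weights=prior_block_weights, execution_delay=execution_delay)
    return flash_loan_attack(gov, "mallory", loan=300.0)


def honest_proposal(execution_delay: int = 1) -> float:
    """Both mitigations enabled; a proposal the real holders back still passes."""
    gov = Governance({"alice": 60.0, "bob": 40.0}, treasury=1000.0,
                     prior_block_weights=True, execution_delay=execution_delay)
    proposal = gov.propose("alice")
    for who in ("alice", "bob"):
        gov.vote(proposal, who)
    for _ in range(execution_delay):
        gov.advance_block()
    return gov.execute(proposal)


if __name__ == "__main__":
    print("live weights, no timelock:", attack_scenario(False, 0))  # 1000.0 drained
    print("prior-block weights:", attack_scenario(True, 0))         # 0.0
    print("timelock only:", attack_scenario(False, 1))              # 0.0
    print("honest proposal:", honest_proposal())                    # 1000.0
```

The prior-block snapshot is the cheaper fix, since it removes the attacker’s weight entirely; the timelock alone still lets the proposal pass, but the loan must be repaid before the block ends, so the payout never reaches the attacker and the community gets time to respond. Real deployments combine both.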
“We are seeing an increasing trend in flash loan attacks this year,” said CertiK CEO and co-founder Ronghui Gu. “These attacks further emphasize the importance of a security audit, and also being educated about the pitfalls of security issues when writing Web3 code.”
When implemented properly, DeFi services benefit from all the security of blockchain, but their complexity can make code difficult to fully audit, making such projects an attractive target for hackers. In the case of the Beanstalk hack, the Publius team admitted that they had not included any provision to mitigate the possibility of a flash loan attack, although presumably this was not apparent until the situation occurred.
A request for comment (sent to the Publius team through Discord) has not yet received a response as of press time.
Brian Pasfield, CTO at cryptocurrency lending platform Fringe Finance, said that decentralized governance structures (known as DAOs) could also create problems.
“DAO governance is currently trending in DeFi,” Pasfield said. “While it is a necessary step in the decentralization process, it should be done gradually and with all the possible risks carefully weighted. Developers and administrators should be aware of new points of failure that can be created by developers or DAO members intentionally or by accident.”
For investors in Beanstalk who have lost their staked coins, there may be little recourse. In a message posted immediately after the hack, the Beanstalk founders wrote that it was “highly unlikely” the project would receive a bailout since it had not been developed with VC backing, adding “we are fucked.”
In the project’s Discord server, many users claim to have lost tens of thousands of dollars of invested cryptocurrency. Since the attack, the hacker has been moving funds through Tornado Cash, a privacy-focused mixer service that has become a go-to step in laundering stolen cryptocurrency funds. With much of the stolen money now obscured, it’s unlikely to be traced and returned.
In the wake of the attack, the value of the BEAN stablecoin has tanked, breaking the $1 peg and trading for around 14 cents on Monday afternoon.
Verizon is dealing with an incident where a hacker captured a database containing company employee data, including the full names of workers as well as their ID numbers, email addresses, and phone numbers. Motherboard reported that the database is legitimate, as the anonymous hacker contacted them last week, and they were able to verify the data by calling some of the numbers.
“These employees are idiots,” the hacker told Motherboard via chat. The hacker is seeking $250,000 in exchange for not leaking the database and said they are in contact with Verizon.
A Verizon spokesperson contacted Motherboard confirming the incident, saying, “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
The hacker claims they nabbed the database by social engineering their way into remotely connecting to a Verizon employee’s computer. The hacker’s account, in an email sent to Vice, is that they posed as internal support, coerced the Verizon employee to allow remote access, and then launched a script that copied data from the computer.
The information that was stolen could still be harmful. If you’ve ever had to get support from a carrier over the phone, you might have had to deal with the different departments that handle activating your SIM card. If a would-be attacker poses as an employee and spoofs their number as one from the database, they could continue to use social engineering for SIM swapping fraud. The technique has been used frequently over the years as attackers manipulated accounts through carriers like T-Mobile and AT&T to steal cryptocurrency or access to social media accounts, including one belonging to former Twitter CEO Jack Dorsey.
A Canadian hacker named Gary Bowser (yes, like Mario’s nemesis) has agreed to pay Nintendo $10 million to settle the company’s civil lawsuit against him. Bowser, who was part of Switch hacking group Team Xecuter, was accused of being part of a “cybercriminal enterprise that hacked leading gaming consoles,” as has been reported. Nintendo argued Bowser violated the company’s copyright and it seems the hacks were not in another castle.
NEW: Gary Bowser agrees to pay Nintendo $10 million in video game piracy civil lawsuit. This follows Bowser’s guilty plea in October in the federal criminal case against him (where he agreed to pay Nintendo $4.5 million in restitution). https://t.co/zohn0SPHnH pic.twitter.com/KMJro3l8Zw
News of the settlement emerged several weeks after Bowser pleaded guilty in the federal criminal case against him. He was fined $4.5 million in that case and faces up to 10 years in prison. Bowser, who was arrested in the Dominican Republic in October 2020 and deported to the US, admitted to having “developed, manufactured, marketed, and sold a variety of circumvention devices” that let people play ROMs on consoles.