Also: Interpol Says ‘Pig Butchering’ Shames Victims, A Data Leak Scandal in Mexico

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week: a U.S. extradition petition for an alleged Israeli LockBit coder, Interpol's call to drop the phrase "pig butchering" because it shames victims, and a critical Apache Struts vulnerability. Also, police in Mexico hunt for two alleged law enforcement data thieves, the European Commission probes TikTok, a Dutch agency fines Netflix 4.75 million euros for privacy violations, a ransomware attack hits Texas medical centers, and a South Carolina credit union notifies members of a data breach.
U.S. Seeks Extradition from Israel of Alleged LockBit Coder
The United States is seeking the extradition from Israel of Rostislav Panev, an alleged coder for the LockBit ransomware-as-a-service operation. Israeli news site Ynet reported Thursday that American authorities filed an extradition petition in October following the Israeli citizen’s arrest in Haifa in August. The Israeli government granted a request for a gag order that expired Thursday after the U.S. expressed concern that making the petition public could spook other LockBit suspects into fleeing to Russia.
The once top-tier ransomware group is under a concerted international pressure campaign that has involved multiple server seizures, arrests, and the outing of its leader, Dmitry Yuryevich Khoroshev (see: LockBitSupp’s Identity Revealed: Dmitry Yuryevich Khoroshev).
The extradition petition asserts that Panev served as a LockBit software developer starting in 2019. He allegedly created tools such as a module allowing ransom notes to be printed from any printer connected to an infected system. A defense attorney told Ynet that Panev “is a computer technician” not aware of or involved in ransomware hacking. Investigators found in Panev’s apartment apparent LockBit ransom letters and digital wallets linked to payments for services rendered.
Interpol Urges End to ‘Pig Butchering’ Term for Online Scams
Interpol urged the cybersecurity community, law enforcement and media to ditch the term “pig butchering” to describe online relationship and investment scams, arguing it shames victims and hinders reporting.
The term originates from scammers’ tactics of “fattening up” victims through trust-building before exploiting them financially. These scams often involve establishing fake friendships or romantic relationships online to manipulate victims into “loaning” money or “investing” in fraudulent schemes, often involving cryptocurrencies. Once victims are heavily invested, scammers steal the funds and cut off all communication.
Interpol advocates using “romance baiting,” which focuses on the fraudsters’ manipulation tactics rather than stigmatizing victims. “The term ‘pig butchering’ dehumanizes and shames victims, deterring them from seeking help,” Interpol stated. “In contrast, ‘romance baiting’ highlights the sophisticated tactics of the perpetrators.”
Shifting terminology aims to encourage victims to come forward without fear of judgment, facilitating better support and intelligence sharing with authorities. While law enforcement may not always recover stolen funds, timely reporting can provide critical indicators to prevent further victimization and aid in tracking cybercriminals.
Critical Apache Struts Vulnerability
Hackers may be exploiting an Apache Struts 2 vulnerability using public proof-of-concept code to identify vulnerable systems. The flaw, tracked CVE-2024-53677 with a CVSS 4.0 score of 9.5, lies in the framework’s file upload logic and enables path traversal and malicious file uploads, potentially leading to remote code execution. The patch can be difficult to apply, with Apache warning that it “isn’t backward compatible” and that system administrators “must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Using the old File Upload mechanism keeps you vulnerable to this attack.”
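Independent of the Struts migration Apache recommends, the flaw class described above (a client-controlled upload filename that reaches the filesystem with path separators or traversal sequences intact, letting a server-executable file such as a JSP land outside the upload directory) is what an upload handler's own validation should stop. This is an added illustration, not Struts code or Apache's fix; the upload root and the blocked-extension list are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Defensive validation of a user-supplied upload filename (illustrative, not framework code).
public final class UploadFilenameCheck {
    // Assumed upload root; a real deployment reads this from configuration.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    // Server-side executable types an upload handler should never persist (assumed list).
    private static final Set<String> BLOCKED_EXT = Set.of("jsp", "jspx", "jspf");

    /** Returns the destination path under UPLOAD_ROOT, or null if the name must be rejected. */
    public static Path resolveSafe(String clientFilename) {
        if (clientFilename == null || clientFilename.isBlank()) return null;
        String name;
        try {
            // Decode once so percent-encoded traversal is judged in its decoded form.
            name = URLDecoder.decode(clientFilename, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null; // malformed percent sequence: reject rather than guess
        }
        // Only a bare file name is acceptable: no NULs, no separators, no dot segments.
        if (name.indexOf('\0') >= 0 || name.contains("/") || name.contains("\\")) return null;
        if (name.equals(".") || name.equals("..")) return null;
        // Block executable types by the final extension, case-insensitively.
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (BLOCKED_EXT.contains(ext)) return null;
        // Belt and braces: the normalized target must still lie under the upload root.
        Path target = UPLOAD_ROOT.resolve(name).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) return null;
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names; only the first should be accepted.
        String[] samples = {"report.pdf", "../exploit.jsp", "%2e%2e%2fnotes.txt", "page.JSP"};
        for (String s : samples) {
            System.out.println(s + " -> " + resolveSafe(s));
        }
    }
}
```

The final `startsWith` check catches anything the string rules miss; the decoding step matters because a check applied before decoding can pass `%2e%2e%2f` unchanged.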
SANS Institute Dean of Research Johannes Ullrich wrote Sunday that “we are seeing active exploit attempts for this vulnerability that match the PoC exploit code. Attackers are leveraging the exploit to upload an ‘exploit.jsp’ file that confirms the presence of vulnerable systems by returning ‘Apache Struts,’” he said.
Security researcher Kevin Beaumont urged calm. Reports that the vulnerability is being exploited in the wild are exaggerated, he posted on Mastodon. “People are spraying and praying – the exploit payloads don’t work,” he wrote. The proof of concept “doesn’t work. You’d have to make a vulnerable webapp, and then tailor the PoC to it.”
National cybersecurity agencies in Canada, Australia and Belgium issued alerts urging immediate action.
Nuevo León Police Look for Alleged Data Thieves
Mexican police in the state of Nuevo León are looking for two former state employees suspected of stealing nearly 15 gigabytes of law enforcement data.
During a Wednesday press conference, State Attorney General Pedro Arce Jardón acknowledged that the data breach dates to the first months of this year, amid reports by local media that authorities attempted to cover up the incident. Journalist Ignacio Gómez Villaseñor on Monday posted on social media screenshots from a hacking forum purporting to show snippets from a 14.7-gigabyte archive including forensic evidence and information on active investigations. The state attorney’s office the same day published a statement saying that it detected unusual activity on its servers in March and that any stolen information has not compromised investigations or court cases.
Arce Jardón also told reporters that authorities in October identified a hard drive connected to the state attorney network, prompting a review of security camera footage that led to the identification of the two suspects, employees of the Nuevo León department of treasury. One quit his job in February and the other in October, he said.
A hacker going by the handle “Scorpion” claimed – according to screenshots posted by Gómez Villaseñor – to have been given access to the state attorney network for a period of three months by an insider who installed a pre-programmed Raspberry Pi device. Scorpion asserted the insider believed his job to be at risk and wanted access to sensitive data as a counterweight. The insider “betrayed” Scorpion by revealing the network penetration. The hacker claims to have downloaded law enforcement data stretching back to 2021 and has threatened to make public more of the stolen data. Arce Jardón said Wednesday that his office will not fall for “blackmail or extortion.”
EU Probes TikTok Over Alleged Interference in Romanian Elections
The European Commission launched Monday an investigation into potential violations of the Digital Services Act by social media service TikTok following allegations of foreign interference in Romanian presidential elections.
Romania’s Nov. 24 election saw a surprise first-round win for nationalist and Eurosceptic candidate Calin Georgescu, later annulled by the Constitutional Court due to evidence of Russian interference via TikTok. Intelligence reports revealed that TikTok’s recommendation algorithm and unlabelled political ads, potentially driven by bots and fake accounts, amplified pro-Georgescu content.
Netflix Fined 4.75M Euros by Dutch DPA Over GDPR Violations
Netflix must pay $4.93 million to the Dutch government after the Netherlands data protection authority fined the streaming giant for failing to provide sufficient information about its data practices between 2018 and 2020.
An investigation initiated in 2019 determined that Netflix privacy statements lacked clarity about the purpose and legal basis for collecting user data such as email addresses, payment details and viewing habits. The company failed to adequately explain data sharing with third parties, retention periods and security measures for data transfers outside Europe.
Users who requested access to their data were not given complete information, violating the General Data Protection Regulation, said the data protection authority, known as Autoriteit Persoonsgegevens in Dutch.
Netflix’s headquarters for its European, Middle Eastern and African operations are in Amsterdam. Dutch authorities began the investigation following a complaint from Austrian privacy group noyb. The group published a statement declaring the fine a win while also complaining that “it took almost five years to obtain it, and in a very simple case.”
Netflix has objected to the fine.
Ransomware Attack Exposes Data of 1.5 Million at Texas Tech Medical Centers
Texas Tech University Health Sciences Center notified nearly 1.5 million individuals impacted by a September ransomware attack. The center reported 815,000 affected individuals, with an additional 650,000 patients in the center’s El Paso campus.
The attack, from Sept. 17 to Sept. 29, disrupted IT systems and allowed threat actors to access and remove files containing sensitive data. Compromised information includes names, Social Security numbers, addresses, financial details, health insurance and medical records, among other personal and medical details.
A combined breach notice said the investigation continues. Both campuses are part of the Texas Tech University System, which focuses on medical education and research.
The University Medical Center in Lubbock, the center’s primary teaching hospital, also faced related IT disruptions in September. UMC posted its own breach notice but has not clarified whether the affected individuals overlap with those in the newest breach notice. The IT outage disrupted UMC’s patient care and forced ambulance diversions (see: UMC Recovers EHR; Other Systems Offline 3 Weeks Post-Attack).
SRP Federal Credit Union Data Breach Impacts 240,000 Individuals
South Carolina-based SRP Federal Credit Union notified over 240,000 individuals of a data breach that exposed sensitive personal information. The breach occurred between Sept. 5 and Nov. 4, during which a threat actor accessed systems and potentially exfiltrated data.
Compromised information includes names, dates of birth, driver’s license numbers, Social Security numbers and financial details.
Although SRP Federal Credit Union stated it has no evidence of misuse, the ransomware group Nitrogen claimed responsibility for the attack, listing the organization on its leak site and alleging the theft of 650 gigabytes of data. Nitrogen, an emerging ransomware group active since late September, has targeted several U.S. and Canadian organizations, leaking stolen data over the past two months.
With reporting from Information Security Media Group’s Marianne Kolbasuk McGee in the Boston exurbs and David Perera in Washington, D.C.