BVS

For a reliable and representative taxi

Cybercrime in English

Iran blackmails Trump with leaked emails

Robert, an Iranian hacking group, is threatening to release emails in its possession that were taken in a hack of associates of President Donald Trump, including adviser Roger Stone and White House chief of staff Susie Wiles, according to Reuters. The group, which hacked the president’s 2024 campaign, claimed to have about 100 gigabytes of emails.

The hackers, who operate under the pseudonym Robert, previously released several emails in the run-up to last year’s US presidential election. They are also said to have obtained emails from the accounts of Trump lawyer Lindsey Halligan and Stormy Daniels, who reportedly received $130,000 to sign a nondisclosure agreement about an affair she claims to have had with Trump.

CISA spokeswoman Marci McCarthy called the breach a “calculated smear campaign” intended to damage the president.

Reuters has authenticated some of the material from the previous leak, which came out in the run-up to the presidential election. The material, which included emails from accounts belonging to Wiles and others, was sent to journalists.

One email appeared to detail a financial settlement between Trump and lawyers representing Robert F. Kennedy Jr., Trump’s nominee for Health and Human Services secretary. Another email discussed settlement negotiations with Daniels.

The latest threat comes at a time of high tension between the US and Iran, after Trump ordered US strikes on the country’s nuclear facilities in June. The threat to publish leaked emails from Trump aides is an escalation in the cyberwar between Iran and the US, amid recent military tensions.

Perpetrator of crypto entrepreneur kidnapping caught

Moroccan police have arrested a man suspected of a series of kidnappings in France. He is said to be the mastermind behind the kidnapping of crypto entrepreneurs. At least one of them had his finger cut off. The suspect, 24-year-old Badiss Mohamed Bajjou, was arrested in the Moroccan city of Tangier. He was on Interpol’s wanted list. He has dual French and Moroccan nationality. According to the French newspaper Libération, Badiss Mohamed Bajjou is suspected of a whole series of kidnappings.

Cybercrime often causes major losses for companies

The number of data thefts by cybercriminals will have almost doubled in 2024. With data theft, cybercriminals steal personal data from people and threaten to sell it or put it on the internet. Many organizations still appear not to have thought about a security policy, or base their policy on a paper reality. One in five companies suffered cybercrime damage in 2024. For large companies, this was almost 30 percent. The damage can amount to hundreds of thousands of euros per incident, but the damage is often not only financial. “We see that 8 percent suffered financial damage, but you can also think of the loss of customer data or reputational damage.”

Earlier this year, the police warned about ransomware attacks, which are happening more and more often. Cybercriminals then try to get their hands on data to blackmail a company with the threat of throwing this data on the street if payment is not made. Nevertheless, many companies think that their security is in order. They also think that the threat mainly comes from individual hackers.

The attention of hackers also seems to be shifting to SMEs. And it is precisely there that companies often do not properly assess the risks. They have often invested in a firewall but not yet in the detection of break-ins. Also, few SMEs have a plan for when they are hacked. “We are only as strong as the weakest link. An entire chain can suffer damage if a party is attacked by cybercriminals.” European regulations force companies to increase their cyber security from this year.

International police action Operation Endgame

The international police operation Endgame took illegal networks and over 300 servers offline worldwide, preventing cybercriminals from accessing their systems. In the Netherlands, sixty servers in data centers were shut down and twenty Russian cybercriminals were placed on the international wanted list. The operation focuses on combating ransomware and took down six large botnets, networks of infected computers that criminals use for ransomware attacks, among other things. According to Stan Duijf, head of high tech crime operations, this prevents a lot of suffering and damage, because these botnets are sold on the dark web and Telegram, which would otherwise result in more victims of cybercrime.

APT28

The Russian GRU cyber unit 26165, better known as APT28, is responsible for cyber espionage against Ukraine and NATO countries and is therefore of great strategic importance to Russia in the war with Ukraine. “By making this Russian method public, the digital freedom of movement of GRU employees is restricted. Their operations are disrupted,” says MIVD director Vice Admiral Peter Reesink. “Victims are also helped to discover whether they have been attacked and what they can do about it.”

In concrete terms, APT28 wants to obtain military, diplomatic and economic information about Ukraine and NATO allies. Through its operations, this GRU unit tries to gain insight into the transports of Western military aid, both inside and outside Ukraine. That is why countries such as the Netherlands, which are part of the supply route, are the target of these cyber operations.

In September 2024, the MIVD already warned about cyber operations by GRU unit 29155 with the same aim: disrupting Western aid to Ukraine. At the time, the US, together with the MIVD and other partner services, also issued a warning and technical advice. It stated not only how countries and organisations could recognise the operations of unit 29155, but also what they could do to arm themselves against them. The American services National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), as well as the Dutch Military Intelligence and Security Service (MIVD), are on top of this. The NSA, CISA, FBI, MIVD and more than 15 other international services warn about this in a so-called Cybersecurity Advisory.

The OPCW case

In 2018, hackers from APT28 travelled to the Netherlands with the intention of setting up a cyber operation here. The target was the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The MIVD disrupted this cyber operation at the time. The 4 Russian intelligence officers involved were expelled from the country. This prevented the OPCW systems from being hacked at the time. At the time, this organisation was investigating the poisoning of Russian Sergei Skripal and his daughter. 

Hackers stole customer data from crypto exchange Coinbase in early May and are demanding a ransom of $20 million (17.9 million euros). The largest American trading platform for cryptocurrencies says it will not pay the ransom. Coinbase reports that criminals bribed customer service employees to provide data such as names, addresses and copies of IDs. The hackers used this data to approach customers and pose as Coinbase employees. They tried to convince customers to hand over their crypto coins. The attackers said they would keep their action quiet if Coinbase paid the ransom, but the company refused. The crypto exchange has promised to compensate the customers who lost their crypto coins. According to the company, this concerns less than 1 percent of the monthly active users. The announcement of the hack has cost Coinbase dearly: the company’s share price fell by more than 4 percent. Coinbase is offering a $20 million reward for the golden tip that leads to the arrest of the criminals responsible. Coinbase acquired the Dutch digital currency company Deribit last week. The acquisition involved approximately 2.6 billion euros.

The government’s central reporting point, where institutions such as banks, brokers and notaries must report suspicious transactions, recorded more than 25 billion euros in suspicious money for the whole of 2023. Earlier this year it was announced that 41 million euros in criminal crypto money was seized in 2024. Criminals are finding their way to crypto more quickly in the digital world.

Penetration test

A pentest is a “Manual check in which one wants to penetrate as deeply as possible into a digital system to find weak spots and to know the consequences of these. One uses the weak spots to get even deeper into the system. The aim of the test is not to find as many weak spots as possible, but to investigate whether a system has weak spots. Searching for as many weak spots as possible is done with a vulnerability scan.”

A tester with knowledge and experience of the system and attack techniques looks at how a system or application reacts to, for example, deviating input. As a result, a penetration test is more than just completing a standard checklist and can therefore, in my opinion, never be fully automated, as is sometimes claimed in the market. A checklist can help to check all relevant points. The least you can do is to go through a list of points. You actually mainly want to understand the operation of the systems within the scope and discover any vulnerabilities that may be present. During a pentest, automated tools are used to efficiently perform simple and repetitive tasks.

What distinguishes a penetration test from a vulnerability scan or vulnerability assessment is that identified vulnerabilities and weaknesses are abused to gain access to the system. From that obtained position, it is re-examined which vulnerabilities can be abused. A penetration test therefore offers more depth than a vulnerability scan or vulnerability assessment, where vulnerabilities or configuration weaknesses are examined more broadly, without actually exploiting them.

A major limitation of a penetration test is that the goal is not necessarily to find all vulnerabilities. The pentester looks for a combination of vulnerabilities and configuration weaknesses that can be converted into an attack path giving access to a system or confidential data.

Data breach due to serious error at educational institution Fontys

A data leak made medical data of students public. Unauthorized persons were given access to the Intranet by Fontys. This also gave visitors access to passport photos, addresses, mobile phone numbers and emails and reports of employees. Internship agreements, grade lists and decisions of the examination committee could be freely viewed. The documents were shared publicly by the employees themselves. The leak has reportedly been closed in the meantime.

Serious leak at Rijnhart Wonen

Rijnhart Wonen leaked all personal data of candidates for the new construction at the Pinksterbloem in Leiderdorp on March 19, 2025. The leaked data included name, gender, date of birth, address, zip code, house number and city, telephone number and e-mail address, household size, income, current home, which home was assigned, if not assigned, the reason for rejection and attendance at the viewing. All confidential data was sent to other candidates. Rijnhart Wonen is active as a housing association in Leiderdorp, Voorschoten and Zoeterwoude with approximately 4,500 homes. 

Law enforcement agencies from fifteen different countries are taking large-scale action against DDoS-for-hire services together with Europol. In Operation PowerOFF, three arrests were made internationally, 27 websites were taken offline and data from three servers was secured. The Dutch police, under the authority of the Public Prosecution Service, was one of the coordinators in this international investigation. In addition to detection, there is also a strong focus on perpetrator prevention.

The Rotterdam police Cybercrime Team, together with the Belgian police, has dismantled a large international cybercrime network. Four arrests were made in the Netherlands on Tuesday, December 3, 2024. They are suspected of being part of a criminal organization that is believed to have stolen millions of euros through phishing and bank helpdesk fraud in at least ten countries in Europe.

In 2023, 70,000 reports and declarations of online fraud were made to the police. The total financial damage amounted to more than 100 million euros. A total of 236 data leaks were reported in 2023, of which 15 were reported to the Dutch Data Protection Authority (AP); 21 were reported to the AP and to the Attorney General at the Supreme Court (PG-HR); and 200 were reported to the PG-HR. Most data leaks are addressing errors. Examples include swapping documents, incorrect attachments in the envelope, incorrect addressing and incorrect delivery by PostNL.

Due to the increased geopolitical tensions, the cyber threat has increased. States want to spy digitally and possibly also sabotage. The dividing lines are sometimes thin: openly or covertly, states also use companies or hacktivists to carry out digital attacks. And in China, for example, there are people who work in science, but are also connected to intelligence services and (state) companies.

The US Department of the Treasury was the victim of a hack in early December 2024, in which employees’ computers were among those affected. The hackers were supported by the Chinese government and managed to gain access to unclassified documents. Nevertheless, according to the government agency, it was a “serious incident”. An investigation is being conducted together with the FBI. A software supplier had informed the department that the hackers had gained access to a security key with which they were able to circumvent security protocols.

An email from your bank to urgently update your details. Or a message that an important file is ready for you. In 2023, 2 out of 3 Dutch people aged 15 and over had to deal with emails or other messages from online criminals. 1 in 10 actually fell victim to online fraud. That is 1.4 million people. To arm people against online fraud, the Dutch government is running the ‘Don’t be internetped’ campaign in the cybersecurity month of October. In 2024, online bank Bunq paid more than 10 million euros to customers who had fallen victim to such fraud. That is much more than the 203,000 euros that the bank spent on this in 2023.

There is a new form of fraud in which physical letters are sent with QR codes. If you scan these codes, you unknowingly install malware on your smartphone. The fraudsters send letters on behalf of official institutions, requesting you to download a new app via a QR code. In reality, the QR code leads to a computer virus (malware) that tries to steal sensitive data from your smartphone. The malware only targets smartphones with an Android operating system.

The police warns against fake webshops. The website pakketdealsnu.nl seems deceptively real, but is in fact an action by the police to make people aware of the risks of  buying online without properly checking whether there are fraudsters at work. In order to attract visitors, the police have been advertising a fake webshop on social media such as Facebook and Instagram for three months. That webshop has already attracted more than 125,000 unique visitors.

After various investigations, the police have arrested several data traders in various locations in the Netherlands in the past period. They are suspected of involvement in the sale of personal data. This data was traded within various Telegram groups. Through data theft, hacks or a data leak, for example at companies or organisations, personal data can end up in the hands of people with bad intentions. This often concerns data such as names, dates of birth, telephone numbers, bank details, e-mail addresses or home addresses. In many cases, the personal data is then sold, this is called data trading. The buyer, a criminal, can use this data for new, criminal activities. Because the criminal has this data, he or she can, for example, pose as a bank employee and thus gain the trust of citizens. In some cases, lists are sold containing only data of older people in order to play on their (possible) vulnerability. This form of data trading is illegal and sellers risk a prison sentence of up to four years. The trade in so-called ‘leads’ (personal data) therefore often forms the basis for other forms of crime. That is why the police are not only focusing on tracking down hackers, for example, but also on disrupting and preventing the trade in stolen data. In the investigation into illegal data trading, the police came across several Telegram groups in which data was traded. The Cybercrime Team of the Northern Netherlands unit obtained a great deal of information about and from these groups, after which they gained insight into the largest data traders. In the past period, four suspects, aged between 21 and 31, have been arrested in various places in the country. They are three men and one woman. Their data carriers, such as telephones, have been confiscated. Part of the investigation is where and when the data they had was stolen. A total of three firearms were also found and confiscated during the various arrests. More arrests are not ruled out.

Future quantum computers will be able to crack any computer and largely disable commonly used computer security. The AIVD is also concerned about this. On 12 March 2024, the Senate approved the Temporary Cyber Operations Act. After this act comes into effect, the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) will be able to use their existing powers more quickly and effectively against threats from countries that commit cyber attacks against the Netherlands.

Authorities in 19 African countries have arrested 1,006 suspects and dismantled 134,089 malicious infrastructures and networks in a joint INTERPOL-AFRIPOL operation against cybercrime. Operation Serengeti (2 September – 31 October) targeted criminals behind ransomware, business e-mail compromise (BEC), digital extortion and online scams, all of which were identified as significant threats in the 2024 Africa Cyber Threat Assessment Report. The operation identified more than 35,000 victims, causing financial losses of almost US$193 million worldwide. Information from participating countries on ongoing INTERPOL cases was incorporated into 65 cyber analysis reports to ensure that actions on the ground were intelligence-based and targeted at key actors.

Hundreds of foreigners rescued from online scam centers in Myanmar

Some 260 of the total of 300,000 foreigners who were forced by gangs to defraud internet users in Myanmar have been handed over to the Thai army by a regional warring party. They are 221 men and 39 women from some twenty different countries. More than half have Ethiopian nationality. Thailand is investigating whether all persons can return to their country.

The release of the group of human traffickers comes a week after the meeting between Thai Prime Minister Paetongtarn Shinawatra and Chinese leader Xi. Shinawatra promised to put an end to the online scam centers that have sprung up in Southeast Asia in recent years, including on the border between Thailand and Myanmar. Shortly before the meeting, the Thai government had ordered that those border areas in the neighboring country no longer be supplied with electricity, gas and internet. China increased the pressure on Thailand because Chinese people are also being recruited for the scam practices. Stories regularly emerge of Chinese people who left for Bangkok with the promise of a good job, but ended up in Myanmar against their will and had to try to extort money from others online under miserable conditions. Earlier this year, a Chinese actor ended up in such a so-called scam farm after traveling to Thailand.

The foreigners who have now left Myanmar, including ten Chinese, were handed over to the Thai army by the DKBA near Mae Sot. That is one of the militias in the country that controls territory in the Karen state on the border with Thailand. These armed groups have previously been accused of allowing and maintaining the fraudulent practices.

For criminal gangs, the fraud centers are an extremely lucrative business model. They have now forced an estimated hundreds of thousands of people in countries such as Myanmar, Cambodia and Laos to participate in their fraudulent practices. These employees are said to have already extorted tens of billions of euros from their victims worldwide. To lure victims into the trap, the gangs are constantly resorting to new methods, such as pig butchering, a form of dating fraud in which people are lured on dating apps to invest money in cryptocurrencies. Victims can first count on warm words from their imaginary loved one and make a small profit; then they are fleeced.

After earlier pressure from China, suspected forced laborers at fraud centers were also released in 2023. Guerrilla groups in Myanmar with close ties to Beijing shut down many such scam factories in Shan State, on the border with China. An estimated 45,000 Chinese people who were allegedly involved were then transferred to China. A year earlier, in 2022, at least 700 Thais were released after falling into the hands of Chinese gangs across the border in Cambodia. They had been promised regular jobs, but once in Cambodia they found that they were being forced to scam compatriots in Thailand by phone. An apartment building from which they worked was surrounded by barbed wire and under camera surveillance.

Bybit

In a single hack attack, North Korean hackers managed to steal 400,000 Ethereum with a total market value of no less than 1.5 billion dollars. This makes it the largest crypto hack ever. The hack hit the major international crypto exchange Bybit. With specific wallet software, the hackers were able to influence the routine actions of employees. During this process, Bybit employees saw a valid transaction that had to be signed, they thought. Under the hood, there appeared to be tampering. Bybit seems to survive this attack. Ben Zhou, CEO of the crypto exchange, said in a statement that the company can cover the loss of 1.5 billion. Customers have therefore not lost their money, there are enough tokens in other wallets to compensate them. ‘Bybit is solvent, even if this loss is not recovered due to the hack’, Zhou stated. In the meantime, everyone was still able to withdraw everything. This was also done en masse, 350,000 withdrawals were made in the first ten hours after the attack.

Crypto trader defrauded nearly 300 investors

The 24-year-old crypto trader from Hengelo made millions of euros disappear and invested illegally in cryptocurrencies. The man sent an email in which he reported that all the money had disappeared. The loss probably runs into millions of euros. Several victims did not leave it at that and filed a report. After months of investigation, the Hengelo resident was arrested this week, but he has since been released.

Traffic lights in the Netherlands can be hacked

Tens of thousands of traffic lights in the Netherlands can be hacked and controlled remotely. Malicious parties could abuse the leak to cause chaos or obstruct emergency services. The vulnerability can only be fixed by physically replacing traffic lights, and that will take until at least 2030. The leak was discovered by 29-year-old ethical hacker Alwin Peppels. He investigated the way in which traffic lights connect to emergency services. 

Data breach at US broadband providers

A cyberattack by hackers with ties to the Chinese government has penetrated a wide network of U.S. broadband providers Verizon, AT&T and Lumen Technologies. They may also have gained access to government systems with wiretap requests. The hacking group, known as Salt Typhoon, may have had access to the network used to make legitimate requests for access to communications data for months, according to people working in the sector. It could indicate a major national security risk.

Data breach in student transport

The data of hundreds of Amersfoort children who use student transport became public in January 2024 during the information phase of the tender procedure, when a document with personal data of students appeared on TenderNed. This included postcodes, house numbers and the type of transport the children needed. The personal data was on TenderNed from 10 January to 20 August. For Amersfoort alone, this involved the data of 384 children, but for the entire Amersfoort region it involved the data of more than a thousand students.

Data breach at British lawyers

Law firms in the UK have left their virtual doors wide open to cybercriminals. Almost three quarters of the firms have had at least one employee password leaked to publicly accessible sources. A study examined 5,140 firms and found at least one username and password combination on lists exchanged on the Dark Web for 72 percent of them. In total, the researchers found more than a million passwords that could be linked to law firms. Cybercriminals can use this information to gain access to the firms’ IT systems. Less than half of the firms examined (46 percent) had implemented a system to protect their digital domain from cybercriminal hijacking. Just over half (53 percent) of the firms have implemented special protection to stop phishing emails.

Data breach at the police by Russian Laundry Bear

Due to a data leak at a police volunteer, work-related contact details including the names and email addresses of 65,000 police officers, but sometimes also private telephone numbers and names of undercover officers, were made public in September 2024. Minister of Justice Van Weel announced that data from police chain partners such as public prosecutors, probation officers and lawyers were also stolen. Minister of Justice David van Weel said after the Council of Ministers that this group of officers is being specifically looked at. The Outlook hack included the work data of all police officers, including names and positions. Only undercover officers whose data are not on the list for security reasons are not involved in this leak. The intelligence services AIVD and MIVD already considered it ‘highly likely’ at the time that another country, possibly Russia, was responsible for the hack. The Microsoft Teams program is said to have played a role in the leak. Photos or images used in police business cards may also have been stolen. The Russian hacking group called ‘Laundry Bear’ now appears to be behind the hack. This is evident from research by intelligence services AIVD and MIVD. The group was previously unknown, say the intelligence services, who themselves have stuck the name on the Russian collective.

Google Stops Russian Spyware

Google has discovered hackers using commercial spyware to compromise the Chrome app for Android. Apple’s WebKit for iOS was also targeted. The attackers have been identified as APT29, or “Midnight Blizzard,” a hacking group backed by the Russian government. Google’s Threat Analysis Group (TAG) report indicates that the cyberattacks targeted the government of Mongolia (via Android Police). The attackers placed watering holes on government websites and exposed vulnerabilities in both Chrome for Android and WebKit for iOS. Such vulnerabilities could allow hackers to steal passwords, cookies and other sensitive user data.

A watering hole is malware that is placed on a high-traffic website, such as a government website. Visitors to the site are then attacked by the malware. It can take some time to be noticed because it does not affect the host site. Google says that a new watering hole was placed on the Mongolian government website in late July that specifically targeted Chrome for Android. Google suspects that APT29 uses commercially available spyware. Spyware developed by organizations such as NSO Group and Intellexa is frequently used by authorities to attack journalists and activist groups. According to Google, the recent attacks contain the same patterns as the spyware of both organizations.

Ongoing state cyber espionage campaign

Earlier this year, the NCSC, together with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD), published a report on the advanced Coathanger malware targeting FortiGate systems. Since then, the MIVD has conducted further research and has revealed that the Chinese cyber espionage campaign is much more extensive than previously known. The NCSC is therefore requesting extra attention for this campaign and the abuse of vulnerabilities in edge devices. To this end, the NCSC has drawn up a knowledge product with additional information on edge devices, associated challenges and measures to be taken.

Since the publication in February, the MIVD has conducted further research into the broader Chinese cyber espionage campaign. This has revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability identified as CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called ‘zero-day’ period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later time. In this way, the state actor gained permanent access to the systems. Even if a victim installs FortiGate security updates, the state actor continues to have this access. It is unknown how many victims actually had malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor was able to potentially expand its access to hundreds of victims worldwide and perform additional actions such as stealing data. Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to the systems of a significant number of victims at this time.

Two Russian men aged 21 and 34 have confessed to a US court that they carried out attacks together with the ransomware group LockBit. The men were involved as ‘partners’ in the LockBit group and could receive 25 to 45 years in prison. Earlier this year, the LockBit website was taken offline during a major international police operation. Dozens of LockBit servers were also taken offline and several suspects were arrested. A few days later, the group had a new website online and threatened to attack governments more often.

A North Korean hacker group has attempted to steal nuclear and military information from the United States. Air force bases and defense companies, among other things, were reportedly attacked. The US, Great Britain and South Korea are warning about this. The hacker group could also pose a risk to the Netherlands.

Approval phishing

Approval phishing involves tricking victims into signing a kind of consent transaction. This gives the fraudster access to the money from their crypto wallet. In an international operation, 186 Dutch victims of ‘approval phishing’ have also been identified in recent months. In this form of crypto fraud, victims unknowingly give permission to a fraudster to manage their crypto account. Two Dutch victims had not yet been robbed and their money was secured in time. In one of them, 65,000 euros were prevented from being stolen. The operation, called Spincaster, took place in the Netherlands, the US, the United Kingdom, Canada, Spain and Australia. In total, more than 162 million dollars of stolen money was identified. According to the police, this form of fraud is increasingly common in dating fraud and investment fraud. For example, young people are tempted via social media to get rich quickly via crypto or victims are convinced to make an investment via an online (love) relationship. “It’s a kind of shell game. Criminals let you earn money, give you the feeling that it’s a safe investment, and then cheat you out of the big money. Victims lose thousands of euros on average,” says Ruben van Well of the Cybercrime Team Rotterdam. During the operation to detect and prevent approval phishing, the police worked together with blockchain data platform Chainalysis and trading platforms. Operation Spincaster is “a successful start in showing how well this form of fraud can be detected and prevented,” says Van Well. According to him, it is now important to “jointly look at how we can recognize this form of fraud, even outside of such a sprint, in real time and intervene to prevent more people from becoming victims.”

A cyber stress test conducted by the European Central Bank (ECB) revealed several shortcomings that could make a serious successful cyberattack a significant threat. Some 109 banks were tested on their ability to recover from a cyberattack. They had to implement a recovery program and demonstrate that they had successfully repelled the attack.

Sam Bankman-Fried, the founder of crypto exchange FTX, has been sentenced to 25 years in prison for fraud, money laundering and conspiracy. He has also pleaded guilty to perjury and witness tampering.

The High Court in London has seized the assets of Ruja Ignatova, the German-Bulgarian entrepreneur who defrauded investors of billions of dollars with OneCoin, a fictional cryptocurrency. The global freezing order, which also applies to seven other individuals and four companies, is part of a mass claim by 400 duped OneCoin investors. Ignatova became known worldwide with OneCoin, a cryptocurrency that she claimed would become bigger than bitcoin. She managed to persuade more than 3 million investors to invest a total of approximately 4.5 billion dollars in the cryptocurrency. In the end, the coin turned out to be a large pyramid scheme. The OneCoin debacle is one of the largest crypto fraud scandals in history in terms of scale. Ignatova was last seen in October 2017 when she stepped off a plane in Athens. The entire scandal is shrouded in mystery. The Bulgarian underworld, among others, has been linked to the scandal. The FBI has placed Ignatova on its 10 most wanted list and in June 2024 increased the reward for information leading to her capture from $250,000 to $5 million. In 2019, the BBC launched the successful podcast series ‘The Missing Cryptoqueen’, which explores the OneCoin scandal in detail. The BBC recently released a new episode in which it reports on a Bulgarian police report that allegedly shows Ignatova was murdered by Bulgarian criminals as early as 2018. However, the FBI still assumes that Ignatova is alive.

Four million solar panel systems from the American company Enphase could recently be taken over by a hacker without any problems. The vulnerability was noticed by ‘ethical hacker’ Wietse Boonstra, who discovered that the systems were spread across 150 different countries. The hacker was able to make himself the administrator of private systems, and then use an algorithm to control millions of systems worldwide. Enphase, whose micro-inverters convert direct current from solar panels into alternating current, is the largest micro-inverter company in the Netherlands.

The X account of the Vereniging Eigen Huis (VEH) has been hacked. The hackers post an endless stream of messages every day with links that lead to crypto criminals. Potential victims are told that they will receive free cryptos if they link their wallet, a kind of digital purse. The opposite happens: the crypto wallet is emptied. The organization has now filed a report with the police. X itself is the only party that can stop the problem, but the company is doing nothing for the time being and only sends automated messages back. The VEH emphasizes that no personal data was stolen in the hack and is relieved that it uses a different email address for its other accounts. The hack was possible because the VEH had not set up additional protection through two-step verification.

Advance payment fraud

Fraudsters pressure victims to lie to their bank when asked difficult questions about suspicious transactions. Some victims are even given a detailed script of what to answer so that the bank does not become suspicious.

Six bitcoins in an account that has not been looked at for years and that are now worth half a million euros. It must have felt like winning the jackpot for an ABN Amro customer when he received a call with this story from a company that trades in crypto coins. About ten years ago, bitcoin had indeed aroused his interest, but had he actually bought anything? The customer can no longer remember well, but the scammer makes him believe that he had.

There is just one problem. These bitcoins can only be paid out once the additional costs involved have been reimbursed. A few hundred euros have to be paid out. A piece of cake compared to the wealth that awaits him. The customer bites and transfers the first euros. But then he is caught in the trap where the scammer wants him. The scammers manage to get more and more money out of the customer for ever new invented problems and expenses that crop up when paying out these bitcoins. When the customer has finally transferred more than 300,000 euros, he slowly realizes that he has very probably been scammed and asks his bank for advice.

The bank employee confirms his hunch. It is advance payment fraud, as they call it in the fraud department. People are approached with the good news that there is money waiting for them somewhere, because they made an investment in the past. And this amount has increased considerably. But if there is so much money waiting, why don’t the fraudsters simply deduct those costs from it in order to pay it out?

ABN’s fraud department received a signal when this customer was about to transfer the first few hundred euros. It was a very unusual transaction for him, but the customer convinced the bank employee that it was at his own request, because he wanted to try out an investment in crypto coins. When he later asked the bank for help, he admitted that he had said this because the fraudster had put him under a lot of pressure.

And there are more worrying developments, especially on social media. Fraudsters try to entice people to do business with dubious crypto companies. They even post fake photos and videos of celebrities, such as Lucille Werner or Jort Kelder, to gain the trust of their viewers. Those celebrities are said to have already done business with the company. “And once you are in this algorithm on social media, you get one success story after another about how much wealth investing in crypto has brought these people,” says Swaak.

With a few mouse clicks, you can reach real people who want to help you. “Cryptos are still something intangible and complicated for many people. So how nice is it when there are people who do understand it and say that they want to help you. Investing in crypto can be lucrative, but can also lead to major losses. Major Dutch banks are extremely reluctant to offer platforms to trade in this and often do not provide advice on it. They consider it too risky, difficult to understand and vulnerable to deception, fraud and manipulation.

Telegram

39-year-old Russian Telegram founder and CEO Pavel Durov has been arrested at Paris-Le Bourget airport after his private jet landed from Azerbaijan. Durov is alleged to have facilitated criminal activity through his encrypted Telegram app. France has issued an arrest warrant for Durov on charges of complicity in drug trafficking, crimes against children, and fraud. The reason for this is the lack of moderation on Telegram and his refusal to cooperate with law enforcement. On his platform Telegram, he has allowed countless offenses and crimes to be committed, for which he has done nothing to moderate or cooperate with law enforcement. Durov knew that he was persona non grata in France and therefore rarely traveled to Europe and avoided countries where Telegram was guarded by security forces. Telegram, like X, has become a major platform for sharing information about the war in Ukraine and is reportedly also used by the Russian military to communicate. Telegram is the main social media network for disseminating open-source information about the war. That includes images, but also opinions and analysis from Russian and Ukrainian military sources. Russian State Duma Deputy Speaker Vladislav Davankov wants him free and has filed a request with Foreign Minister Sergei Lavrov to have Durov released. His arrest could help gain access to the personal and secret information of Telegram users. Telegram has more than 900 million users. Durov currently lives in Dubai. He became a naturalized French citizen in August 2021. Durov, also the founder of the social network VKontakte, left Russia in 2014 after refusing to share VKontakte user data with Russian security services. Russia later tried unsuccessfully to block Telegram over its refusal to provide users’ online communications to security services. Pavel Durov was transferred to a Paris court on August 28 after four days of questioning, where he may face formal charges.
A Parisian judge must now decide whether he should remain in custody or be released, possibly with restrictions on his freedom of movement. Durov is under investigation for 12 counts of violations related to failing to combat extremist and criminal content on Telegram. Russia has since protested the whole affair. French President Emmanuel Macron met Durov several times before he was granted French citizenship in 2021, through a special procedure reserved for people who have made a special contribution to the country. Macron and his team have been avid Telegram users in the past. During one such meeting, a lunch in 2018, Macron asked Durov if he would not be better off moving Telegram’s headquarters to Paris. Durov, however, refused to move his company. French and Emirati spies wiretapped Pavel Durov’s iPhone in 2017. The joint espionage operation, codenamed “Purple Music,” is said to have stemmed from concerns about the Islamic State’s use of Telegram, a private messaging app, for recruitment and attack planning. It is unclear whether Macron was aware of the wiretap and whether the spies still have backdoor access to Durov’s phone.

WhisperGate

The United States has charged five Russian military personnel with carrying out cyberattacks on civilian infrastructure in Ukraine prior to the Russian invasion. Deputy Attorney General Matthew Olsen said the members of Russia’s GRU military intelligence agency charged in Maryland waged a cyber campaign against Ukraine known as WhisperGate. The WhisperGate campaign targeted civilian infrastructure and Ukrainian computer systems unrelated to the military or national defense. FBI agent William DelBagno said the January 2022 WhisperGate malware attack “can be considered the first shot in the war.” DelBagno said the intent was to cripple the Ukrainian government and critical infrastructure by targeting financial systems, agriculture, emergency services, health care, and schools. Olsen said the cyber campaign was not limited to Ukraine but also included attacks on computer systems in the United States and other NATO countries that support Ukraine. A Russian citizen, Amin Timovich Stigal, 22, was indicted in Maryland in June on charges of conspiracy to hack into and destroy computer systems for his alleged involvement in WhisperGate. Stigal and the five Russian GRU members remain at large, and the State Department offered a $60 million reward for information leading to their capture. Stigal was accused in the indictment of distributing WhisperGate malware to dozens of Ukrainian government computer systems prior to the Russian incursion. According to the Justice Department, WhisperGate was designed to look like ransomware, but was in fact a “cyberweapon designed to completely destroy the target computer and its data.” It said that patient records had been extracted from computer systems and that websites had been defaced with the message: “Ukrainians! All information about you has been exposed, be afraid and expect the worst.” The hacked data was also offered for sale online. According to U.S. Attorney Erek Barron, the indicted GRU agents were members of a subset of Unit 29155 of Russia’s Main Intelligence Directorate, which he described as “a military intelligence agency responsible for attempting deadly dirty tricks around the world.” The indictment names Colonel Yuri Denisov, commander of Unit 29155’s cyber operations, and four lieutenants: Vladislav Borovkov, Denis Denisenko, Dmitri Goloshyubov and Nikolai Korchagin. The announcement of the indictment comes a day after the United States accused the Russian state-funded news outlet RT of trying to influence the 2024 US presidential election. Attorney General Merrick Garland also announced the seizure of 32 internet domains that were part of an alleged campaign “to secure the outcome desired by Russia”. According to US officials, this would mean that Donald Trump would win the election in November.

The US is offering a reward of up to 10 million dollars for information about a Russian hacking group. The Dutch intelligence service also warns against the actions of the group. It concerns a group of hackers that is part of the Russian military secret service GRU. This unit, Unit 29155, is held responsible for actions that disrupt society, such as attempts to cause coups and commit physical sabotage in Europe. The group is said to be responsible for the poisoning of former GRU officer Sergei Skripal in 2018 and an attempted coup in Montenegro. The unit is not only active offline, but has also become increasingly active digitally in recent years. Now the American FBI sees that the unit is planning to disrupt the presidential election. “The 10 million dollars that the Americans are willing to pay for information is an exceptionally high amount,” says security expert Rickey Gevers.

DSA

The European Digital Services Act (DSA) will apply from Saturday 17 February 2024 to all online marketplaces, social networks, search engines, cloud providers, online travel and accommodation platforms, internet service providers and content sharing platforms, such as video platforms. Following the example of the 19 largest platforms, which will have to comply with (the strictest obligations of) the DSA from August 2023, other digital services must now also better protect users’ fundamental rights, tackle online deception and illegal information and create a level playing field for users. For example, online marketplaces must collect and publish more information about the companies (traders) on their platform. This should help to discourage and identify fraudulent traders, eliminate unfair competition and make it easier for consumers to obtain justice. Digital services must also, among other things, explain the rules for removing information or user accounts to users in more detail. They must also have easily accessible and user-friendly complaints procedures for users. The DSA will prohibit online platforms from personalizing advertisements based on, for example, religious beliefs or sexual orientation. Minors will also soon have extra protection against personalized advertisements. This should help ensure that they do not see inappropriate advertising. From February 2024, more Dutch parties such as Marktplaats.nl, Bol.com and Catawiki will also have to comply with the DSA. The 19 largest online platforms and search engines have had to comply with the DSA since August 2023. For example, they must specifically tackle illegal content and disinformation, adjust their recommendation systems and be transparent about online advertising via their platforms. This includes Apple, Google, Meta (Facebook and Instagram), X (formerly Twitter), but also the platforms AliExpress, Booking.com and Snapchat. The latter three operate (legally) from the Netherlands in Europe. 
The European Commission primarily supervises compliance with the DSA by the 19 largest online platforms and search engines. The Member States are responsible for supervising the other online services. In the Netherlands, the ACM and the AP are the intended supervisors for this. The ACM was designated by ministerial decree this week as the so-called digital services coordinator. This enables the ACM to perform a number of tasks under the DSA. This includes participation in the Digital Services Council, the European cooperation of supervisors. The DSA has already received more than 70 notifications that require action. The Commission then sent YouTube, Snapchat and TikTok a request for information under the Digital Services Act, asking the platforms to provide more information on the design and functioning of their recommendation systems. According to Article 74(2) of the Digital Services Act, the Commission may impose fines for incorrect, incomplete or misleading information in response to RFIs. If no response is provided, the Commission may issue a formal request by decision. In that case, failure to respond within the set deadline may result in the imposition of penalty payments. Since the entry into force of the Digital Services Act, the Commission has focused on compliance with the provisions of the Digital Services Act regarding recommendation systems. Forum voor Democratie, through Gideon van Meijeren, expressed reservations in a debate on the law about the possible restriction of freedom of expression and censorship. The minister did not want to comment on this in his response and stressed that this is not a censorship law. The DSA will be evaluated at the end of 2027. According to the Minister of National, there are no plans for additional age verification because this is already being worked on in the EU context and there is extra attention for child abuse and privacy legislation. The House of Representatives had submitted a motion for this.
The platform Telegram with its 200,000 users, like hate speech publications, does not fall under the DSA by definition. 

On October 24, 2023, the House of Representatives approved an amendment to the Intelligence Act. This should give the intelligence services more scope to intercept internet traffic. More than three quarters of all companies have had to deal with cybercrime. The increase among SMEs, with an annual turnover of less than 10 million, is rapid. Last year, 39 percent of respondents were targeted by cybercriminals. This percentage has now risen to 80 percent.

On 16 and 18 May 2024, a NATO Cyber Conference in The Hague discussed which measures countries can take to better defend the alliance against cyber threats. Ways in which the government and companies can work together to better recognize and prevent cyber attacks will also be examined. Last year, 2.3 million Dutch people were affected by a form of online crime. People and companies suffer enormous financial damage, but it mainly undermines trust: in each other and in the digital infrastructure. These mapped developments are included in the Cybercrime Image Netherlands 2024 of the Public Prosecution Service (OM) and the police.

The Mother of All Breaches (MOAB) is the largest data breach ever discovered. 26 billion personal data records from LinkedIn, Dropbox, Adobe, Canva, Telegram and Twitter were leaked. The leak was discovered by Bob Dyachenko’s Cybernews team and is 12 terabytes in size. The police are actively fighting cybercrime. Seized datasets sometimes contain private data of citizens that have been used by criminals. To prevent damage, it is important to check whether your email address appears in datasets.

Cookies are vulnerable and can compromise Google or other accounts, warns Trevor Hilligoss, former FBI digital crime expert and current vice president of SpyCloud Labs. This was proven by the recently discovered OAuth vulnerability.

FBI Director Christopher Wray has issued a warning that Chinese hackers from Volt Typhoon are poised to attack critical infrastructure in the United States.

Future quantum computers will be able to crack any computer and largely neutralize commonly used computer security. The AIVD is also concerned about this. On 12 March 2024, the Senate approved the Temporary Cyber Operations Act. After this act comes into effect, the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) will be able to use their existing powers more quickly and effectively against threats from countries that commit cyber attacks against the Netherlands. The bill was submitted by Minister De Jonge (Home Affairs and Kingdom Relations) and Minister Ollongren (Defence). The Temporary Act stipulates that prior assessment will shift to binding supervision during the exercise of the authority. This binding supervision is carried out by the Intelligence and Security Services Supervision Committee (CTIVD). With this new authority, the CTIVD can immediately stop an operation and decide that the data acquired during this operation must be destroyed. An appeal option has also been introduced with the Council of State. This corrects a flaw in the system of testing and supervision and places the definitive interpretation of the legislation where it belongs, with the courts.

The bill-drafting system that plays a crucial role in pushing legislation for state lawmakers at the Capitol in Albany has been taken offline by a hack. The cyberattack coincides with the finalization of state budget bills.

The European Parliament and the national governments of EU member states want to use a new ICT law to oblige companies to report serious cyber attacks to the authorities and to meet a number of security requirements. In the meantime, traces of spyware have been found on the phones of members of the European Parliament, including President Nathalie Loiseau. In 2022, this also happened on telephones of members of the Catalan independence movement.

The Foreign Affairs Council has adopted sanctions against 6 Russian individuals responsible for far-reaching cyber attacks that have caused considerable damage in the EU, such as hacks on banks and ransomware attacks on the healthcare sector. Two of them are leaders in the cybercrime circuit. Thanks to close cooperation between the Ministry of Foreign Affairs, Justice and Security, the Public Prosecution Service (OM) and the Police, they could now be sanctioned by the EU.

Google, Amazon and eBay are now required to report hacks. Twitter and Facebook are not covered by the law because they are not part of the critical infrastructure. As of 1 January 2016, all public organisations that process personal data are required to report security breaches that lead to, for example, theft, loss or misuse of personal data. The Dutch Data Protection Authority (Cbp) may also impose an administrative fine for violations of more general obligations that the law sets for the use and processing of personal data. For example, if personal data are not processed in a proper and careful manner or are stored longer than necessary or if the security is not sound or poorly organised, or if sensitive information such as political preference or beliefs of users has been misused. Since the Data Breach Notification Act was introduced, 3,400 data breaches have been reported.

Companies are so often victims of hackers that it is no longer interesting for insurers to sell cyber policies. Policies are becoming 30 to 50 percent more expensive on average and the deductible is increasing. In addition, additional requirements are being imposed on companies that want to take out insurance. The damage caused by ransomware is even so high that insurer Hiscox prefers not to sell cyber insurance to companies with an annual turnover of more than 100 million euros.

More than 1.2 million people are victims of digital crime every year. This mainly concerns teenagers and young adults. According to a study, men are just as often victims as women.

In 2021, there were a total of 24,866 reports of data leaks in the Netherlands. In 2022, the total number fell by 15% to 21,151, but in 2023 there were more again, namely 25,694. Based on the reports of these data leaks, you can estimate the number of people who have been affected by a cyber attack in the past year, and that is approximately 20 million. Half of the victims also reported it. Two out of ten also reported it to the police. There is a good chance that countries that have imposed sanctions against Russia will become the target of cyber attacks on critical infrastructure such as power plants. This is stated by intelligence services in the US, Australia, the United Kingdom, Canada and New Zealand. The economic sanctions in response to the invasion of Ukraine are hitting Russia so hard that Russia could fight back digitally, warns the Five Eyes, the collaboration of the intelligence services in the US, the UK, Australia, New Zealand and Canada. 16.9 percent of the population fell victim to online crime. That is about the same number as traditional crimes such as burglary, theft, violence and vandalism. Almost 10 percent of the population aged 15 or older fell victim to online fraud and scams. In most cases, it involved purchase fraud, in which products or services purchased online were not delivered. Other, less common, crimes were sales fraud (products sold are not paid for), payment fraud, identity fraud and phishing. 7 percent fell victim to hacking. 2 percent were confronted with online threats and intimidation. These include threats, bullying, stalking and shamesexting. Of all victims of online crime, 47 percent reported what had happened to them somewhere, 19 percent reported it to the police. More than three quarters of victims reported payment fraud to a bank, the police, the Fraud Help Desk or another agency. A quarter of fraud victims reported it to the police. Victims of phishing reported the most (55 percent). 
Hacking was reported the least often.

In April 2024, hackers managed to break into Eutelsat. They also managed to take over the encrypted TV signal of BabyTV and broadcast a Russian propaganda video. As far as is known, this is the first time that hackers have taken over a TV broadcast via satellite. The propaganda images were not only visible in the Netherlands. The images also appeared on BabyTV in Scandinavia and Portugal.

ESET

For over three decades, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly complex digital threats. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give users the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables safe use of technology. This is supported by ESET’s R&D centers worldwide, committed to our shared future. The Dutch government is allocating millions for this purpose. The National Detection Center was expanded. Cybercriminals are increasingly investing in advanced digital attack methods. They carry out “long-term and high-value operations”. In addition to ransomware, companies are also confronted with economic espionage. The Dutch intelligence and security services have observed espionage at companies in the defense industry and in the most important economic sectors. On December 20, 2016, the House of Representatives approved the law that allows the police to hack suspects, also using unknown holes in software. For example, security company ESET has already discovered a new virus that can shut down power grids. With “Industroyer” malware, hackers can remotely shut down distribution systems in high-voltage networks. Oil plants, transport networks and locks can also be shut down with a modified version. ESET suspects that the same virus was responsible for partially shutting down the power plant in the Ukrainian capital Kiev.

NaWas

Since March 2014, there has been NaWas (the National Anti-DDoS Washing Station), a company that provides security against DDoS attacks and uses anti-DDoS equipment through which traffic can be routed if an ISP network is under a DDoS attack. NaWas cleans the internet traffic and sends the clean traffic back to the participating ISP via a separate VLAN of the AMS-IX. The foundation National Management Organization Internet Providers (NBIP) that set up NaWas was founded in 2002 by a group of six Internet Service Providers. The NBIP organization is ready 24 hours a day, 7 days a week to intervene if a tap has been made or a DDoS attack needs to be repelled.

18-year-old Jelle S. from Oosterhout was arrested on Monday, February 5. He had previously reported himself to the bank Bunq and the website Tweakers had also tracked him down. In late January and early February, he attacked multiple banks and companies with DDoS attacks. The sites of Rabobank, ABN Amro, DigiD and ASN Bank, among others, were temporarily unavailable. At first, experts assumed that the attack was carried out via Russian networks, but that turned out to be complete nonsense.

Infostealers RedLine and META dismantled

In an internationally coordinated action by investigative services called “Operation Magnus”, the infostealers RedLine and META were dismantled on Monday 28 October. The investigation by Team Cybercrime was prompted by a tip from the security company ESET Nederland about the servers present in the Netherlands in relation to malware. The investigation was initiated over a year ago under the leadership of the Public Prosecution Service Parket Limburg. Through this investigation, Team Cybercrime gained insight into the technical infrastructure of the infostealers, the communication channels used and the entire user base.

An infostealer is a form of malware that is developed to steal data from victims’ computers. Victims are infected through, among other things, downloads of software from unreliable sources. Subsequently, sensitive data such as login details, financial information, e-mails and system information are stolen from the victim’s computer unnoticed and forwarded to the criminal. The stolen data can be sold by the criminals or used for identity theft, financial fraud and ransomware, among other things. RedLine and META are among the most well-known infostealers worldwide with millions of victims and have been active for years. The investigation has identified thousands of customers of this service who in turn have independently made victims. The stolen data is traded or directly misused in the commission of other cybercrime, such as hacking or theft of data or cryptocurrencies.

Due to the global spread of the malware, international forces were joined in the Joint Cybercrime Action Taskforce (J-CAT). The authorities of the Netherlands, the United States, the United Kingdom, Belgium, Portugal and Australia work together in this task force, with the support of Europol and Eurojust. To date, the United States authorities have charged one administrator and the Belgian police have arrested two people. One person has since been released, the other person is still in custody. This concerns a customer of the infostealer. A search was also carried out in his home. The seized data is being investigated. Follow-up actions and arrests cannot be ruled out.

With the help of international law enforcement agencies, multiple Telegram accounts have been taken offline. The infostealers RedLine and META were offered to customers via these groups. Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case. This has dealt a serious and significant blow to the criminal world. Taking these groups offline has caused the sale of the stealers RedLine and META to come to a standstill. Using the hacking authority, the police were able to take the infrastructure of both infostealers offline with a technical feat. As a result, the malware no longer functions and it is no longer possible to steal new data from (infected) victims. Based on the secured customer base, further investigation is being conducted into the purchasers of this service. In addition, these criminals were informed directly about this action, with the opportunity to contact the police to share information. Tens of thousands of Dutch people have now been infected with the infostealer malware, often without knowing it – and dozens of new victims are added every day.

Cybercrime arrests and investigations

In the Netherlands, there were at least 147 ransomware incidents in 2023. These cases probably represent only a small part of the total. Many companies do not report for fear of reputational damage. In Germany, it is mandatory to report a ransomware attack. There, the counter ended at four thousand incidents last year. Experts do not see the number of cyber attacks decreasing yet. “Ransomware remains extremely popular among criminals, especially Ransomware as a Service (RaaS).” In this RaaS model, a gang offers ransomware as a service. Other parties can purchase that service and use it to carry out attacks themselves. Behind the providers is often a large company, with a customer service that helps the customer with problems. If the servers of a provider such as Lockbit are taken down by authorities, that does not mean that the software they supplied no longer works. “The customers are still making victims.”

In May 2024, the police shut down important infrastructure of ransomware criminals in the largest international operation against ransomware ever. Dozens of servers were seized in Dutch data centers, on which programs were running to break into companies. Fourteen countries participated in the operation and four people in Ukraine and Armenia were arrested. Five different botnets were shut down that had the potential to infect millions of computers worldwide and steal hundreds of millions of euros. Of the more than one hundred servers seized, 33 were in Dutch data centers.

Blackcat

The hacker group Blackcat that was previously busted by international law enforcement agencies is active again. BlackCat, also known as ALPHV, is a ransomware-as-a-service (RaaS) that has already attacked many organizations worldwide and will continue to do so in the near future. It is a highly advanced ransomware that can target many different environments due to a large number of advanced features. BlackCat spreads easily between computers. It infects different versions of Windows and Linux operating systems and can also terminate running processes and close files that are open during the attack. BlackCat’s access to an organization’s network starts with the use of stolen access data. In this respect, BlackCat is no different from many other malware. There is a reason for that. Because Identity and Access Management (IAM) is not optimal in many companies, a large number of stolen and leaked passwords and usernames are for sale on the dark web. Access to environments is easy and cheap for those with malicious intent. Given the pace of security breaches, it is difficult to estimate how many credentials are stolen each year. About 50% of known security incidents in 2021 were initiated by stolen credentials. After initial access is gained, BlackCat or similar ransomware groups gather information in the background, mapping the entire network and manipulating accounts for deeper access. Based on the information the attackers gather, they determine the most effective route to take to further the attack. They disable security and backup systems. In December 2023, the FBI released a decryption tool that allowed victims of the Alphv/BlackCat ransomware to regain access to their encrypted files. The security agency has also taken down several websites belonging to the ransomware gang. 
According to the department, the group has been one of the most active ransomware gangs in the world over the past year and a half and is said to have collected hundreds of millions of dollars. In the United States, government agencies, emergency services, critical infrastructure institutions and schools have also been victimized. The FBI is said to have already helped more than 500 victims to recover data or restore systems. At the end of 2022, Alphv/BlackCat also made the news in the Netherlands. It was then announced that the vaccine company Bilthoven Biologicals had been hit by the ransomware gang and that data from Dutch MPs had been leaked after a hack at the supplier of access systems for the First and Second Chambers. The hacker group is also said to have been behind the Reddit hack this year. The ransomware gang had then demanded that the Reddit board roll back the API changes that had been made at the time.

A Russian hack of Ukrainian provider Kyivstar left 24 million people without phone calls or internet access. The hackers had had access to the telecom provider’s systems since May. Kyivstar is a heavily secured company, but the attack destroyed almost everything on Kyivstar’s systems, including thousands of virtual servers and PCs. Thanks to backups, business operations were restarted within a few days. The Ukrainian secret service SBU reports that the hackers were probably able to steal personal data. They also had access to telephone locations and could possibly intercept text messages.

The penalties for cybercrime were increased as of 1 July 2015. The penalties for a number of offences have been doubled. The maximum sentence for destroying computer data or tampering with passwords or sending spam to crash systems is two years. Many twenty-somethings in particular are guilty of cybercrime. The maximum sentence for offences involving the use of a botnet is three years in prison. Attackers of vital infrastructures in particular are punished more severely. For computer crimes that cause serious damage to a vital infrastructure, a maximum sentence of five years is now imposed. There are major geopolitical risks due to cyber attacks on (financial) infrastructure by governments, which creates a growing operational risk for financial institutions. The Fed recently set up a special department for this.

CLOP

Clop has been active since around 2019. The gang is known for a ransomware attack that shut down the systems of Maastricht University. In 2023, the group also abused file transfer software (MOVEit) to penetrate the systems of holiday park company Landal GreenParks and accounting firm PwC, among others. Centric, together with another company, fell victim to the Russian hacker gang Clop in December. A leak in the software of supplier Cleo gave them access to a lot of government information. hit, an SME. In mid-January 2025, it already became apparent that the hackers had also attacked several large foreign companies via the same leak, including the German chemical company Covestro and the American car rental company Hertz. According to Centric, there was a vulnerability on one of the test systems. Only a very limited amount of privacy-sensitive data from one customer was compromised. Cleo is an American supplier of file-sharing software. Clop demanded ransom and the gang made data public from companies that refused to pay. Chemical company Covestro also announced that the hackers had managed to gain access to a server with logistical information. The data was said to be largely ‘non-sensitive in nature’. Car rental company Hertz stated that there was ‘no evidence’ that the company had been hit by hackers. Clop is said to have collected between 75 and 100 million dollars from the MOVEit attacks.

Cracked and Nulled

The underground platforms Cracked.io and Nulled.to, which were dismantled by Europol in late January 2025, had a combined user base of over 10 million. The sites, like HeartSender, operated as one-stop cybercrime shops, used for discussions about cybercrime and as marketplaces for illicit goods and cybercrime-as-a-service, such as stolen data, malware or hacking tools. Investigators estimated that two suspects made €1 million in criminal profits. Seven raids were conducted, during which 17 servers and over 50 electronic devices were seized, as well as €300,000 in cash and cryptocurrencies. Twelve domains belonging to the platforms were taken offline. Associated services were also taken offline, including a financial processor called Sellix that was used by Cracked, and a hosting service called StarkRDP, which was promoted on both platforms and operated by the same suspects. Europol’s experts from the European Cybercrime Centre (EC3) facilitated the exchange of information as part of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague, the Netherlands. One of Europol’s priorities is to act as a broker of law enforcement knowledge, providing a hub where Member States can connect and benefit from each other’s and Europol’s expertise. The two forums also offered AI-based tools and scripts to automatically scan for vulnerabilities and optimise attacks. Advanced phishing techniques are often developed and shared on these platforms, sometimes using AI to create more personalised and persuasive messages. As cybercrime becomes more aggressive and confrontational, Europol aims to strengthen the fight against this type of crime by bringing together relevant partners for cross-border cooperation and joint action.

HeartSender

The Pakistani hack software shop HeartSender was dismantled and eliminated by the Dutch police in January 2025. The HeartSender site and a large number of underlying domains went black. The criminal web shops were advertised on YouTube and other channels. Visitors could simply buy cheap software there to be able to hack with. The site had existed on the regular internet for ten years. The Pakistani group, known as The Manipulaters, specialized in phishing products that could be used to obtain login details by sending fake emails. But already hacked infrastructure was also for sale, such as access to web servers, email servers and a system for managing websites. Lists with login details of victims were also offered. HeartSender had thousands of customers worldwide. These probably also include Dutch people who can expect a visit from the investigative services in the coming months. The police have seized the servers that were used to keep the web shops running. The customer details can also be found on them. The action was carried out by the cybercrime team of the police in East Brabant. They came across the HeartSender software on the computer of a cybercrime suspect and decided to dig further. At the same time, the FBI investigated the group behind the web shops. Both investigations were carried out simultaneously and led to the action day at the end of January. According to the police, millions of details of victims all over the world were found in the datasets of HeartSender and the other web shops. There are around 100,000 Dutch usernames and passwords among them. The impact of this can be significant, warns the police. Criminals can still send e-mails in the name of their victims, buy things from online shops or modify someone’s website. You can check on the police website whether your details were in the hands of HeartSender.

LabHost

In late 2021, LabHost (AKA LabRat) emerged as a new PhaaS platform, growing over time to eventually serve dozens of phishing pages targeting banks, high-profile organizations, and other service providers around the world, but most notably in Canada, the US, and the UK. The platform’s popularity meant that at the time of its takedown, it had well over 2,000 criminal users, who had used it to deploy over 40,000 fraudulent sites, resulting in hundreds of thousands of victims worldwide.

Lockbit

The hacker group Lockbit, led by 31-year-old Dmitry Khoroshev, is held responsible for setting up a large criminal network that caused victims worldwide billions of dollars in losses. The group was briefly paralyzed thanks to a joint operation by American and British security services, Europol and the Dutch police, and the old website is now under the control of the security services. According to spokespeople for the British NCA and American justice, the operation is still ongoing. The names of victims who did not pay quickly were published on the Lockbit website. There is now a statement on the website: ‘This site is now under the control of the National Crime Agency of the United Kingdom, who have worked closely with the FBI and the international task force of ‘Operation Cronos’.’ The Netherlands, together with France, Japan, Switzerland, Canada, Australia, Sweden, Finland and Germany, participated in this operation. Two Russian men, aged 21 and 34, have confessed in a court in the US that they carried out attacks together with the ransomware group LockBit. The men were involved as ‘partners’ in the group and could receive 25 to 45 years in prison. When their victims refused to pay the ransom, their systems remained locked and sensitive data was published online. Part of the ransom went to the developers of LockBit. The 21-year-old suspect claimed at least twelve victims between 2020 and 2023 in the US, Japan, France, Scotland and Kenya. The victims included several companies. In total, this perpetrator stole at least 1.9 million dollars. The 34-year-old suspect also affected at least twelve citizens and companies in the US, UK and Switzerland. He caused at least $500,000 in damages and could face up to 45 years in prison.

Earlier this year, LockBit’s website was taken offline during a major international police operation. Dozens of LockBit servers were also taken offline and several suspects were arrested. A few days later, the group had a new website up and running and threatened to attack governments more often. Last year, the group broke into China’s largest bank. The KNVB (Royal Dutch Football Association) also fell victim to Lockbit and paid a million euros in ransom to prevent hacked personal data from ending up on the street. The American authorities report that the gang has hit more than 1,700 organizations in the US since 2019. More than 100 million dollars in ransom has been demanded from the American companies. Lockbit’s new website can already be found on the dark web. The website lists new victims, such as a British steel company. Other victims come from the US and New Zealand. A total of five people have been charged. One of the most high-profile of them is Russian Mikhail Pavlovich Matvejev (31), who is known by his hacker name Wazawaka. Matvejev has been on the FBI’s Most Wanted list for two years and there is a $10 million reward for information leading to his arrest. According to the FBI, he is a ‘central figure’ within Lockbit. But instead of staying under the radar, Matvejev had his Most Wanted poster printed on a T-shirt and started selling them. Matvejev is also active on X and last year he gave the FBI a middle finger. The Russian previously said that he also attacked companies in the Netherlands, including a large transport company. According to Matvejev, the company paid $2 million in ransom. Two new charges are now pending: against Russians Artur Soengatov (34) and Ivan Kondratjev (27). Kondratjev is a notorious hacker known as Bassterlord who published manuals with which companies can be hacked. Both are suspected of hacking and holding companies hostage. Mikhail Vasiliev (35) and Ruslan Magomedovich Astamirov were arrested.
Russian Astamirov (20) from Chechnya was arrested last year in Arizona, USA. Other suspected gang members were also arrested in Poland and Ukraine. In Ukraine, a father and son were arrested on suspicion of cyber attacks on French organizations. In Warsaw, Poland, a 38-year-old man was arrested on suspicion of laundering money for Lockbit. The FBI is now offering a reward of 10 million dollars for the tip that leads to Khoroshev’s arrest.

OneCoin

The High Court in London has seized the assets of Ruja Ignatova, the German-Bulgarian entrepreneur who defrauded investors of billions of dollars with OneCoin, a fictional cryptocurrency. The global freezing order, which also applies to seven other individuals and four companies, is part of a class action lawsuit by 400 duped OneCoin investors. Ignatova became known worldwide with OneCoin, a cryptocurrency that she claimed would become bigger than bitcoin. She managed to persuade more than 3 million investors to invest a total of approximately 4.5 billion dollars in the cryptocurrency. In the end, the coin turned out to be a large pyramid scheme. The OneCoin debacle is one of the largest crypto fraud scandals in history in terms of scale. Ignatova was last seen in October 2017 when she stepped off a plane in Athens. The Bulgarian underworld, among others, has been linked to the scandal. The FBI has placed Ignatova on its 10 most wanted list and in June 2024 increased the reward for information leading to her capture from $250,000 to $5 million. In 2019, the BBC launched the successful podcast series ‘The Missing Cryptoqueen’, which explores the OneCoin scandal in detail. The BBC recently released a new episode in which it reports on a Bulgarian police report that allegedly shows Ignatova was murdered by Bulgarian criminals as early as 2018. However, the FBI still assumes that Ignatova is alive.

Pegasus

Finnish diplomats have been targeted by the Israeli spyware Pegasus, without them realizing it. The Finnish diplomats were mainly working abroad. NSO Group, the developer of the spyware, has not yet responded to the Finnish government’s message. Pegasus can be used to gain access to information on phones. The malware infects phones, after which almost everything can be read. For example, the software can copy messages, browse through photos and record conversations. With all the information that the program collects, it can potentially be traced where the user has been and who he or she has been in contact with. This is useful in the hunt for terrorists and criminals, but some countries are also said to use the spyware to spy on activists, journalists and diplomats. The US Department of Justice previously investigated an alleged attempt to hack the accounts of 1,400 WhatsApp users in early 2019. At the time, the hack was already being investigated by the FBI and WhatsApp itself had already started a lawsuit against NSO, which makes spyware that would only be delivered to governments and law enforcement. However, NSO’s spyware was used to spy on journalists, civil servants and human rights organizations. Among the hacked users was a phone number from the American capital Washington DC, numbers of political activists from Spain, journalists from India and Morocco, and of Rwandan dissidents and pro-democracy clerics from Togo. The Pegasus spyware would work on both Android and iOS, and could listen to conversations of targets, take screenshots and transmit data such as location, internet history and the user’s address book. NSO says it is not aware of any investigation. WhatsApp was supported by Google, Microsoft and Amnesty International.

Sky ECC

With the government cracking Sky, the largest provider of crypto phones, organized crime has been exposed. Since February 2021, the police have been able to read hundreds of millions of messages live. The server was taken offline and seized by the Dutch authorities on March 10, 2021. Many EncroChat users switched to Sky ECC in 2020. The company is now the largest provider of crypto communication worldwide with around 70,000 users. There are approximately 11,000 Dutch users in the Netherlands. The police have been able to read message traffic for approximately three weeks since February 2021. At least 500 officers were needed to identify all suspects, to make 30 arrests and to search 75 homes and offices. 28 firearms were seized in Rotterdam, 20 knives, 70 telephones, 12 cars, 2 boats and a jet ski. The investigation under the name Argus also led to the seizure of thousands of kilos of cocaine, heroin and hash. Drug labs were also dismantled and millions of euros were seized. Sky offered crypto phones with a one-year subscription for two thousand euros. For example, subscribers were given the ‘panic wipe’, an option where the entire device could be disabled immediately in the event of an impending arrest. Sent messages were automatically deleted after 30 seconds. The phones could not be used to make calls, they were only intended for sending messages. In addition, Sky also competed fiercely with other competing providers such as Ennetcom, PGP-Safe and Encrochat. The police also managed to retrieve millions of messages from the period between 2018 and 2021. The police also hope to be able to continue the investigations into the murders of the brother of crown witness Nabil B. and lawyer Derk Wiersum. There has also been a major police operation in Belgium in the Antwerp region. About 1,500 officers searched more than 200 locations as part of a major drug investigation with international ramifications.

Rekt

Pepijn van der S., 21, from Zandvoort, was sentenced to four years in prison on November 3, 2023, one year of which was suspended. He (Rekt) claimed most of his victims in 2021. He used RaidForums for this. RaidForums has been defunct since April 2022 after the hacker forum was taken offline in a major international police operation. In addition to Pepijn van der S., two other co-suspects were arrested in January. On March 24, 2021, REKT offered a database with stolen information from the automotive industry on RaidForums. Five days later, RDC, the company from which the data was stolen, filed a report with the police. It was the start of a months-long investigation that led to three arrests in January 2023. In 2022, Pepijn got a job at cybersecurity company Hadrian and became a volunteer at the Dutch Institute for Vulnerability Disclosure (DIVD). In these positions, he was able to use his talent to digitally protect companies and organizations against malicious parties. Such hackers with good intentions are called white hat, or ethical, hackers. What his colleagues did not know is that Pepijn had also been operating for years as a black hat, a hacker with bad intentions. “White hat by day, black hat by night”. Twelve companies actually filed a report, but during the investigation by the Public Prosecution Service it became clear that the number of victims is larger. One of them was Senior Publications, the publisher of seniors’ magazine Plus Magazine and the website PlusOnline. In February 2021, the company discovered that there had been a digital break-in in which more than 130,000 e-mail addresses were stolen. The publisher was blackmailed for 14,200 euros. Ticketcounter director Sjoerd Bakker was also blackmailed for 7 bitcoins. When, after a few days, on March 1, it was in the news that data had been stolen from Ticketcounter, the blackmail was no longer effective.
1.5 million to 1.8 million different e-mail addresses of visitors to zoos and amusement parks from the period mid-2017 to 4 August, including names, e-mails, dates of birth, addresses and bank account numbers, were stolen. Ticketcounter arranges reservations and payments on behalf of zoos, amusement parks, museums and events. Pepijn (Rekt) was active on RaidForums at the time, but under a different name: Lizardon. In revenge, he published the Ticketcounter data on the forum. In May 2022, Pepijn van der S. made his last victim. He had been working for Hadrian and the DIVD for just a few months. In January 2023, he was arrested together with two co-suspects. Lizardon made multiple references to Pokémon, including user names. Lizardon is the Japanese name of the Pokémon that is called Charizard in Dutch. In September, the same RaidForums user, using the name Espeon – also a Pokémon – sold data from the Dutch app Scoupy, which allows people to get money back if they share their receipt, for a few thousand euros. That same month, it was announced that the Arnhem Nijmegen University of Applied Sciences (HAN) had fallen victim to blackmail. The person called himself masterballz, a reference to Pokémon. The university did not pay him, but hundreds of thousands of private details of 56,000 students and employees of Inholland University of Applied Sciences were then for sale on the hacker forum. Sometimes it only involved email details, but in other cases it also involved home addresses, telephone numbers and passwords. In November 2022, the Homerun application platform was a victim. At that time, Espeon was operating on RaidForums again under the name of a Pokémon: Umbreon. Homerun did pay. The Dutch police discovered that the forum’s server was located in Germany and, with the help of German investigative services, the police obtained a copy. In that data, the investigative team saw an email address of a RaidForums account.
That account had once offered data from one of the Dutch companies that filed a report. It put the police on the trail of Pepijn van der S.

Smartphones can pick up malware or spyware when charging at public charging stations in shopping malls, hotels and airports. Public Wi-Fi networks are also generally unsafe.

The Public Prosecution Service East Netherlands arrested a 26-year-old man from Assen in January 2024. According to the Public Prosecution Service, the hacker has been guilty of cracking email, cryptocurrency and webshop accounts on a large scale. The suspect was arrested at the end of January and has been in pre-trial detention since then. Customers of a hosting company from Zwolle were, it turned out, the target of computer hacking, identity fraud and phishing. The hosting provider filed two reports. In addition, a company that manages a parking app also filed a report of computer hacking, because it was the victim of a cyber attack committed by the same suspect. The Assenaar developed a cybercrime tool himself, used it to collect enormous amounts of login details from others and then placed orders for large sums of money with, for example, webshops. He used his tool to retrieve customer login details. He was then able to test those login details in an automated manner with other websites. He then logged in again at other locations and subsequently – unnoticed and unseen – withdrew bitcoins from victims at cryptocurrency services, and ordered expensive clothing items from online stores. Emails with order confirmations and/or reminders of unpaid invoices were automatically intercepted, so that victims never saw them. He also redirected the emails from the delivery services to a temporary mailbox of his own. These emails included a link to change the delivery address; the suspect had the packages delivered to parcel points or parcel machines. An identity document is sometimes required to collect these packages. The cybercrime tool also contained a functionality that allowed an image of an identity document to be created with a self-chosen first and last name and a random document number. Ultimately, the suspect was able to collect the packages himself using these identity documents. A substantive hearing is scheduled for 9 July 2024. 
Until that date, the suspect will remain in pre-trial detention.

On January 23, 2023, the police in Amsterdam arrested three suspects of, among other things, data theft from companies, extortion and money laundering. The suspects are a 21-year-old man from Zandvoort, a 21-year-old man from Rotterdam and an 18-year-old man without a fixed abode. One of the perpetrators worked as a volunteer for cybersecurity organization DIVD. This government-subsidized organization is supposed to protect companies. The suspects were in possession of tens of millions of privacy-sensitive data from people. The hackers managed to gain access to the data of the companies, which then received an email to pay bitcoin because otherwise the company and customer data would be made public. They also threatened to destroy the network. Affected companies suffered millions of euros in damage, up to more than 100,000 euros per company. One company even had to pay 700,000 euros. The stolen data was still traded after payment. The main suspect earned 2.5 million euros from this in recent years.

Four Dutchmen were sentenced to prison for hacking and infecting computers with a virus, via a fake web page of a bank. The personal data obtained in this way were used to plunder accounts. Obtained telephone numbers received a text message containing smartphone malware that intercepted the text message traffic, which also made the TAN codes for internet banking available. Two of the four perpetrators supplied the necessary software. A lower prison sentence was given in connection with the young age of the suspects. Two were given a prison sentence of 24 months and two of 36 to 39 months with a further 6 months suspended.

Operation Cookie Monster resulted in the arrest of 119 computer criminals in seventeen countries on April 4, 2023, 17 of whom were in the Netherlands. More than 200 raids were carried out. The suspects are said to have plundered bank accounts, stolen cryptocurrencies, falsified social media profiles and blackmailed and defrauded people and companies. The stolen data came from the Genesis Market website, where not only login details of around two million people were sold, but also their online data: which operating system or browser someone uses, the content of cookies that record surfing behavior, keyboard and screen settings and even the battery level of the laptop that may have been used. Banks and web shops use these specific characteristics to check whether it is the real customer who is logging in or possibly someone else. By hijacking this online data, criminals were able to impersonate their victims and log in as them. Since 2018, Genesis Market has been selling data from 50,000 Dutch people. Suspects plundered a savings account of 70,000 euros and opened a whole series of new bank accounts in order to commit fraud. The created accounts were used to make purchases at online stores. The victim was also called on behalf of his credit company to extort even more money from him, his ID was misused and his mail was redirected to another address. Around 40,000 members worldwide had access to the Genesis site. The price of stolen data ranged from 70 cents to a few hundred dollars. An algorithm determined the price. Access to cryptocurrencies, for example, significantly increased the value. Genesis also only sold the stolen data once, so that a criminal could be sure that only he had access to the victim. Genesis received the data from hackers who monitored the victim’s computer using malware. New passwords were automatically passed on to the criminals, so that they could continue to log in. Check here whether you are also a victim.
The ringleader, a 32-year-old man, was arrested in Barendrecht on July 18, 2023. After his arrest, he was in full confinement. The man lived in Brazil. “With the arrest of this suspect, the Rotterdam police believe they have made a big breakthrough.”

In April 2024, the police in several countries dismantled a large phishing network that resold fake websites of, for example, banks and government agencies. 500,000 credit card details and 1.2 million passwords were stolen. Worldwide, 37 people were arrested, five of them in the Netherlands. In total, police services searched more than 70 addresses. The investigation began in the summer of 2022.

A cryptographer has cracked the SHA1 algorithm, which is used to give every email, payment and password a unique fingerprint. SHA1 is widely used in browsers. Google Chrome has already moved away from it; Mozilla’s Firefox will do so soon.

Temu
The Chinese webshop Temu collects data from users. The app requests access to the camera, contacts and control of the Wi-Fi network, among other things. Radar previously wrote that the webshop also wants rights to unlock the phone at night and to be able to record audio. A ban on the apps will not be forthcoming. European regulators, including the Dutch Consumer & Markets Authority, ordered Temu at the beginning of November to adjust its working methods to comply with European regulations. If this does not happen within a month, the webshop can expect hefty fines. Since March 2023, government officials have no longer been allowed to install apps from countries such as Russia and China on their work phones. This was decided  based on advice from the AIVD, which warned of an increased risk of espionage.

Dutch hacks

AddComm

On May 17, 2024, AddComm fell victim to a digital break-in. The Municipal Tax Office Twente (GBTwente) is one of the institutions affected by the hack. Ransom was paid and agreements were made with the cybercriminals. AddComm arranges digital messages from housing associations to their tenants and also provided services to the Municipal Tax Office Twente. AddComm produces assessments for GBTwente, including reminders, notices and writs of execution and takes care of sending them. They send this by post and via the My Government environment. AddComm, together with external cyber security experts, mapped out the extent of the security breach of May 17. Research showed that data from ‘a select group of customers’ was stolen and also affected Eneco, ABN Amro, pension fund PNO Media, water companies and municipalities. These customers have been informed by AddComm.

Albert Heijn 

Ahold Delhaize, the parent company of supermarket chain Albert Heijn, was hit by a major ransomware attack in November 2024. A total of 6 terabytes of data was said to have been stolen. The group threatened to make data public if no ransom was paid. Now that AH has not done so, INC Ransom is sharing some of the documents that were stolen. These include old data, such as a confidentiality agreement from someone visiting an Ahold Delhaize location. ID cards of individuals have also already been released. According to Ahold Delhaize, this was an ‘American’ incident and the investigation into this is still ongoing. In order to nip the attack in the bud at the time, several systems were taken offline. That apparently did not prevent the group from obtaining data. The American branch of the food and grocery company indicated at the time that various pharmacies and online sales channels in the United States were affected by the hack. According to ethical hacker Peter Lahousse, old documents have now been released. ‘They start by leaking old data. The more time passes, the more comes online.’ At first, it seems to concern American data, but the collective also reports that it has Dutch documents. INC Ransom has been active since the summer of 2023 and has already hit numerous organizations. Last year, a children’s hospital in Liverpool was hit by the collective. Healthcare organizations are among the group’s favorite targets. Although it has never been clear where INC Ransom’s origins lie, Russia is mainly pointed to as the group’s birthplace. Cybersecurity expert Dave Maasland, CEO of ESET Netherlands, adds that the group has been quite active recently and profiles itself with ‘double extortion’: stealing as much valuable data as possible and threatening to make that data public. As it turned out, the personnel data of employees of Albert Heijn, Etos and Gall & Gall were stolen during the hack.
Although the target was the American part of Ahold Delhaize, Dutch personnel data may also have been stolen. Ahold believes that it mainly concerns employees who were on the payroll in 2021. Employees whose data may have been stolen have been notified by email. Ahold informs them that their name, parts of their bank account number (as known to Ahold’s payroll administration) and the amount of their salary from early April 2021 may be known to the hacker. Ahold warns employees to “be alert to phone calls or messages by email, text message or WhatsApp in which people try to extract information, such as your PIN code”. The company has no indication that customer data or data from Bol.com employees has also been leaked in the hack. 

Allekabels.nl

The database of Allekabels.nl, containing the private data of some 3.6 million people, was offered for sale on the dark web for an amount starting at 15,000 euros. In total, it involved some 2.6 million unique e-mail addresses that were linked to names, home addresses, telephone numbers, dates of birth and encrypted passwords.

Apps

A new Android virus discovered by the Slovakian cybersecurity company ESET infected around 3,000 mainly Dutch Android smartphones and could steal usernames and passwords for online banking. The virus was spread via various apps that could be downloaded via Google Play, including news apps and apps to clean your device. Users who had downloaded the apps via Google Play had to install additional apps such as Adobe Flash Player, Adobe Update or Android Update. By disabling Adobe Flash Player, Adobe Update or Android Update and then removing the malicious app, you could prevent further abuse. The apps to be removed are called: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS or World News PRO. On the already infected devices, passwords must be changed and banking transactions must be monitored.

The location data collected by around a hundred apps, such as Buienalarm, Candy Crush and Tinder, is for sale online. This affects millions of Dutch users, according to research by BNR.

Artis

Artis was the target of a cyberattack with ransomware on 28 June 2022. The hackers demanded an amount of 1 million euros in crypto currency. ARTIS has filed a report with the police and is seeking advice from a cybercrime specialist. Measures were immediately taken to prevent further access to the systems in order to stop the digital attack. Because it is not yet clear whether the criminals have gained access to personal data and email traffic, a report has been filed with the Dutch Data Protection Authority as a precaution.

Delta

The provider DELTA, which is mainly active in Zeeland, was hit by a major DDoS attack on August 28, 2020. As a result, many customers in the southwest of the country were without internet, television and telephony.

Easypark

The parking app Easypark, formerly Parkmobile, was hacked in mid-December 2023, with personal data and partial payment details stolen. The data breach was the result of a cyber attack on 10 December. External security experts were called in and a report was made to the supervisory authority. Names, telephone numbers, addresses and e-mail addresses of customers were not stolen, but IBAN or credit card numbers were also viewed. According to Easypark, this concerns ‘non-sensitive data’. Criminals would not be able to make fraudulent payments with this data. ‘No combination of these stolen data can be used to make payments.’

Bricklink

The most important marketplace for second-hand Lego bricks has been offline since November 3, 2023. Bricklink was founded in 2000 under the name BrickBay by Daniel Jezek, who wanted to connect fans all over the world with the site. He soon received questions from members about whether it was possible to sell second-hand Lego via the site. After a complaint from eBay, he changed the name to Bricklink. The site was so popular that it was taken over by Lego itself in 2019. Millions of people from more than seventy countries use the website and more than 10,000 stores are affiliated with the website. You can buy complete Lego projects via the site, but also individual bricks. Sellers must first have been active as a buyer themselves for a period of time. As a result, there are few to no scammers active on the marketplace, which makes the site very reliable. The site was hacked on November 3. A very small percentage of the accounts are said to have been accessible, but the size of the hack and what data was stolen is unclear. A message from the possible hacker is circulating online, demanding that Lego pay 50,000 euros in bitcoin. If that money is not paid, items from major stores active on the site will be removed.

BWB hack

In a data breach in March 2021, the data of taxpayers in the region were hacked at the Tax Cooperation West Brabant (BWB). It concerned the names, addresses and WOZ assessments of taxpayers and court rulings in debt relief cases in which people are mentioned by name. The tax authorities were tipped off three times. The service only took action when the press was called in. In 2017, there was also a data breach at the BWB.

Citrix

The Amphia hospital in Breda, the Leeuwarden hospital, the Zaans Medical Center, several other medical institutions and even the Ministry of Economic Affairs were hacked on a large scale on January 18, 2020. Schiphol, the House of Representatives and government institutions disabled the Citrix gateway to prevent more hacks. As a result, no one could connect to the system from outside. The National Cyber Security Center (NCSC) of the Ministry of Justice and Security advised organizations that use Citrix to disable the servers due to a serious leak for which there was no solution at that time. The system error was in the Application Delivery Controller and the Gateway itself. It is likely that an attempt was made to install ransomware. More than a hundred healthcare institutions work with Citrix, as do some 200 municipalities. On Monday morning, January 20, some of the servers could be turned on again after an update. The remainder will take the rest of the week.

Diginotar

DigiNotar, the now defunct company that provided security for government websites and was sold to Vasco Data Security, was hacked in July 2011 due to poor security, which resulted in the issuing of more than 500 false certificates. Websites that were indicated as safe in the internet browser were therefore not safe in practice. The break-in almost led to a complete failure of the government’s computers. Since then, the government has had its own cybercrime service called “The National Cyber Security Center”. This NCSC has existed since January 1, 2012 and is confronted with approximately 293 cyber incidents per day at the government, and that number is increasing. Cryptoware extortions in particular are common in the central government and in the financial sector, but there is also a lot of phishing and use of malware to hack internet banking. In addition to criminals, more and more espionage activities have been reported at government sites.

Gab

Gab is an alt-right chat platform. Large amounts of passwords of users and groups and more than 40 million messages are in the hands of the Wikileaks-like Distributed Denial of Secrets (DDoS) that wants to expose the users of the platform. The hacker took more than 70 gigabytes of data from the platform and shared it with DDoS. Among the stolen data are thousands of private messages and messages from closed groups, and encrypted passwords of users. The encrypted passwords are said to include those of former president Donald Trump, as well as that of Alex Jones, the man behind conspiracy website InfoWars. Gab CEO Andrew Torba is investigating the leak. DDoS wants to share the stolen data with journalists and researchers so that research can be done into neo-Nazis and militias within the alt-right movement, QAnon supporters and the storming of the American Capitol on December 6. Many far-right ideas are shared on Gab. Gab became a platform where users could share their opinions without censorship. The app was previously taken offline after the alleged perpetrator of the attack on a synagogue in Pittsburgh shared anti-Semitic texts and conspiracy theories on the network.

Grindr

Dozens of other apps, including Candy Crush, Tinder, Grindr and rain radar, had their location data leaked and then offered for sale.

HEMA and Jumbo

Since November 21, 2024, HEMA and Jumbo have been experiencing disruptions in their distribution processes due to a ransomware attack on their American software supplier Blue Yonder, which supplies the systems for automated logistics processes in the distribution centers. The software is used to maintain inventory levels in their branches. The software was disabled and the stores are temporarily using backup systems. This concerns the private cloud environment and not the public Azure cloud environment that the company also uses. Blue Yonder has been part of the Japanese technology group Panasonic since 2021.

Infoplaza/rain radar

Infoplaza Network, the parent company of Buienalarm, leaked location data of Buienalarm users that was subsequently traded.

The International Criminal Court

The International Criminal Court (ICC) in The Hague was hit by another “sophisticated” and targeted cyberattack at the end of June. The attack was quickly detected, identified and repelled by its security. It is not clear who carried out the attack. In mid-September 2023, the ICC was also targeted by hackers. They were then out to spy on it. The court explicitly refers to the 2023 attack and calls the new incident “the second of this type”. The court calls for continued help to counter such threats. The ICC is struggling with waning international support and, above all, with US punitive measures. Because, among other things, American software suppliers are no longer allowed to serve the court as customers, The ICC was founded in 2002 by dozens of states. The court brings to trial suspects of genocide, war crimes and crimes against humanity who cannot receive a normal trial in their own country, for example due to war or corruption. Later, many more countries joined, but major powers such as China, Russia and the US do not cooperate with the court.

Limburg.net

In the cyber attack on Limburg.net in December 2023, data from 292,734 customers was leaked, reports expert agency Ernst & Young. They also discovered that more national register numbers were stolen than previously known.

KNVB

The KNVB Campus in Zeist also received news from Lockbit that personal data of KNVB employees had ended up in their hands. More than five hundred people work at the KNVB. At the end of April 2023, KNVB was forced to pay almost a million ransom to release the data. The KNVB site has been offline since it became known on September 12, 2023. Lockbit are cybercriminals from Russia.

Managed IT

Managed IT, an ICT company that serves notaries, was hacked, and notary offices could no longer pass deeds or provide other services. As a precaution, servers and databases of notary offices and several suppliers of notary software were closed. As a result, notaries could not access the contact information of their clients and clients could not be actively informed about the hack and its consequences. 96 notary offices did not have access to client contact details and could not use digital systems of the civil registry, the Land Registry, banks and mortgage providers. They were also unable to digitally check whether property had been seized. Managed IT is a small ICT manager from Nieuwegein and has approximately 25 employees. In addition to full ICT management for companies, it offers services for protecting against malware and ransomware, multi-factor authentication and hosted telephony for clients. Communication from Managed IT is provided by Csirt Dsp, the cybersecurity incident response and incident team for digital service providers of the Ministry of Economic Affairs and Climate.

Mandemakers Group

The Mandemakers Group was hit by ransomware on June 30, 2021. The group includes brands such as Keuken Kampioen, Keuken Concurrent, Brugmans, Woonexpress, Piet Klerx, Sanidirect, and Mandemakers Keukens. The hackers had blocked a large part of the operational systems and the stores were unreachable by phone. The cybercriminals contacted the company by email and demanded a ransom. The Mandemakers Group is a large group in the Netherlands with two hundred branches and thousands of employees.

MediaMarkt

MediaMarkt is investigating the cyberattack that caused major problems in branches across Europe. The hackers demanded 50 million dollars (43 million euros) in ransom in bitcoin. The MediaMarkt stores remained open, but purchases could only be paid for in the stores themselves. Collection and returns were not possible. The cyberattack began at night on November 7, 2021. The group Hive is said to be behind the attack. That group has been attacking companies and organizations since June of this year and demands ransom in bitcoin.

De Persgroep

A database of 350,000 email addresses belonging to De Persgroep was hacked in June 2018. The file contained, among other things, answers to competition questions and complaints from subscribers. The messages had been received via forms on the company’s websites, mainly those of regional newspapers.

Police

A data breach at the police in September 2024 exposed work-related contact details including the names and email addresses of 65,000 officers, but sometimes also private telephone numbers and names of undercover officers. Minister of Justice David van Weel said after the Council of Ministers that this group of officers was being specifically looked at. The hack exposed the work details of all police officers, including names and positions. Only undercover officers whose details were not included in the list for security reasons were not involved in this breach.

RDC

ICT manager RDC was hacked and all data of garages and their customers is for sale on the dark web. All ID data but also VIN numbers and license plates are offered for sale. The leak was in the software that allows garages to automatically email customers when it is time for their MOT inspection. The company received some of the information from the Dutch Vehicle Authority (RDW). This agency keeps track of the vehicle administration. The data appeared on the dark web on March 21, 2021 and is offered for 35,000 dollars. Some of the data has been placed publicly on the internet. NOS approached the hackers and received from them the data of 58,000 Amsterdam residents with a car or motorcycle. This involved 54,000 unique license plates. Some of this is outdated data, including cars that are no longer in use. But although the license plate may now be registered in a different name, the home address, email address or telephone number, for example, may still be correct. It even contains data on cars that were at a particular garage more than ten years ago.

Eindhoven University

Eindhoven University of Technology was hit by another cyber attack. The university took its internal network offline, which meant that education was not possible for several days. Students and staff were also unable to access their email. Since 9 p.m. on January 11, there was a lot of suspicious activity on the network and the servers had to be taken offline. The university buildings and campus are open, but staff and students cannot use online services or Wi-Fi. The university expects the systems to be back online on Tuesday, January 14 at the earliest. The university will provide clarity on this on Monday at 4 p.m. The hacker who was caught carrying out a cyber attack on Eindhoven University of Technology in January had had undetected access to the computer network for days. The university switched off its network in the night of Saturday, January 11 to Sunday, January 12 after the cyber attack was discovered a few hours earlier. Education at Eindhoven University of Technology was then virtually paralyzed for a week. Students were unable to access their email and study material, which meant that exams had to be postponed. The hacker was most likely after a digital hostage situation, a so-called ransomware attack. This means that the attacker digitally locks down the computer network. The files are only released if a ransom is paid. The university managed to prevent this at the last minute. While the hacker tried to penetrate further into the network, the university staff tried to “push him out of the network”. When it became clear that the hacker was winning, the university decided to take the network offline. Around that time, the hacker tried to get his hands on the backup. This is crucial when you are dealing with a hostage attack. The university makes a backup every night, so in this case all the data up to and including Friday was there. If hackers got their hands on it, the damage could be enormous. 
“It was really touch and go.” The investigation showed that the hacker used stolen login details to break into the network. This happened on Monday 6 January: five days before the attack began. The attacker probably used login details that could be found on the dark web, the underground part of the internet. These types of accounts often have an extra layer of security, so that – in addition to a login name and password – an extra code is required. But that security was not set up. As a result, the hacker only needed the login details. The TU/e had also received a report months earlier that stolen login details were online. At that time, the owners of the accounts were asked to reset their password, says Groothuis. “That is what happened, but they then reused their old password.” So there was no technical measure to prevent that. The university wanted to tackle these two risks this summer, says Groothuis. “That makes it extra sour that they still managed to get in.” People now have to enter an extra code to log in to the network. It has also been made impossible to reuse an old password if it turns out that the login details have been stolen. The university is making the research results public in the hope that others can learn from them. Five years ago, Maastricht University did the same. At that time, it was successfully hit by a ransomware attack. The university paid 200,000 euros in bitcoins as ransom. Some of the crypto coins were later found and confiscated. Because the bitcoins were now worth considerably more, the university got back the equivalent of 500,000 euros.
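The two gaps described above, a login that needed no second factor and a reset that accepted the old, already leaked password, can be closed with checks like the following. This is an added example, not TU/e's code: the `Account` record, function names, reason strings and sample passwords are hypothetical and constructed, the second-factor result is assumed to come from a separate verifier, and the reset check rejects any previously used password rather than only after a leak report.

```python
"""Reset and login checks for accounts named in a credential leak (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # illustrative work factor, tune for your hardware

# Constructed sample breach corpus: unsalted SHA-1 hex digests of leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "Welkom01")
}


@dataclass
class Account:  # hypothetical account record
    user: str
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    mfa_enrolled: bool = False
    flagged_compromised: bool = False  # set when a leak report names this account


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored history entries are not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def store_password(account: Account, password: str) -> None:
    salt = os.urandom(16)
    account.history.append((salt, derive(password, salt)))


def matches(entry, password: str) -> bool:
    salt, digest = entry
    return hmac.compare_digest(digest, derive(password, salt))


def change_password(account: Account, new_password: str, breached_sha1=BREACHED_SHA1):
    """Return (accepted, reason); refuse old passwords and known-leaked ones."""
    # Each history entry has its own salt, so the candidate is re-derived per entry.
    if any(matches(entry, new_password) for entry in account.history):
        return False, "reused_old_password"
    if hashlib.sha1(new_password.encode()).hexdigest().upper() in breached_sha1:
        return False, "known_breached"
    store_password(account, new_password)
    account.flagged_compromised = False  # the leaked credential is now dead
    return True, "ok"


def login(account: Account, password: str, second_factor_ok: bool):
    """Return (allowed, reason); a correct password alone is never enough."""
    if not account.history or not matches(account.history[-1], password):
        return False, "bad_credentials"
    if account.flagged_compromised:
        return False, "reset_required"  # force a reset before any session
    if not (account.mfa_enrolled and second_factor_ok):
        return False, "second_factor_required"
    return True, "ok"


def demo():
    acct = Account("student1", mfa_enrolled=True)
    store_password(acct, "Winter2024!")
    acct.flagged_compromised = True  # leak report received for this account
    return [
        login(acct, "Winter2024!", True),               # leaked password blocked
        change_password(acct, "Winter2024!"),           # "reset" to the same value
        change_password(acct, "Summer2023!"),           # different, but in corpus
        change_password(acct, "tulip-ferry-quartz-41"),
        login(acct, "tulip-ferry-quartz-41", False),    # password only
        login(acct, "tulip-ferry-quartz-41", True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```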

At the end of 2019, Maastricht University was also hit by a cyber attack that shut down the systems. That was a ransomware attack. After a week, the university decided to pay 200,000 euros in ransom. Part of that ransom was recovered in 2022. Because the crypto coins had increased in value in the meantime, the university eventually received 500,000 euros back. The personal data of thousands of students at Eindhoven University of Technology (TUE) were published on the dark web by hackers in October 2022. The hack took place at the IT company ID-Ware, the supplier of the campus card system of the TU/e, but also of the First and Second Chambers. Data of at least 21,000 cardholders has been exposed, not only of students but also of university employees. Criminal hackers stole the data with a ransomware attack. This concerns full names, address details, student numbers, place of birth and private e-mail addresses.

Shell

Hackers managed to gain access to Shell’s so-called Accellion FTA server on March 15, 2021 and stole large files including parts of companies it works with, such as contractors and marketing agencies. It is not clear how much data and from how many people or companies that data has disappeared.

Tadaah

Due to a data leak at mediation platform Tadaah, the identity documents of approximately 800 healthcare and childcare workers were accessible to third parties for some time. Tadaah mediates between self-employed healthcare and childcare workers and clients. The copy of the front and back of their ID, passport or driver’s license had to be sent digitally to Tadaah. VOGs (Certificate of Good Conduct), insurance policies and diplomas were also accessible to everyone due to the data leak. In total, this concerns thousands of leaked sensitive documents. The copies were not protected against misuse. Tadaah had stored the documents on an unsecured and publicly accessible server. The files could be found with search queries such as ‘copy of passport’, ‘copy of driver’s license’ or ‘copy of VOG’.

Tinder

Tinder leaked location data that was subsequently traded. 

UWV

On May 4, 2024, the UWV was hacked again, after an earlier incident in 2019. 150,000 CVs could be downloaded by unknown persons. Even government companies appear unable to sufficiently secure personal data. In 2019, this involved 117,000 CVs.

Utrecht

Early March 2016, there was a data leak at the municipality of Utrecht. 316 pages with names and associated citizen service numbers were accessible via the intranet. This involved a minimum of 5,000 and a maximum of 140,000 personal details. Some 4,000 civil servants had access to it and it is not clear how long this data was available for access. The mandatory notification to the Dutch Data Protection Authority (AP) was made one day too late. The intranet was turned off after the leak was discovered. Of the nine data leaks that occurred at the municipality up to May, two were so serious that the Dutch Data Protection Authority was informed. The municipality now structurally budgets 550,000 euros for ICT security. The municipality of Utrecht does not yet have sufficient control over its processes and systems to prevent or minimize data leaks. In Amersfoort, too, data from 1,900 citizens was made public via email.

VDL

Industrial group VDL Groep Eindhoven was hit by a ransomware hack on October 6, 2021. The group includes 105 companies, including those in Asia and America. All companies have been affected, but not all to the same extent. Several of the affiliated companies are unable to produce or can only produce partially. VDL Nedcar in Born was unable to start production, meaning that around three quarters of the car factory’s 4,000 employees were unable to work. Volunteers from the Dutch Institute for Vulnerability Disclosure (DIVD) had previously discovered vulnerabilities in the software of manufacturer Kaseya and informed the company, but the group was still hit by ransomware on July 3, 2021. REvil is behind the attack. They were able to exploit the vulnerabilities before Kaseya customers could secure or disable their software. The hackers managed to encrypt data at hundreds of companies and demand ransom. Supermarket chain Coop in Sweden even had to close its doors. Kaseya is a private company, founded in 2000 and based in ten countries, and they have to pay 70 million euros in Bitcoins to get the system working again with a universal key. By default, REvil asks for 49,000 dollars. In October 2021, REvil was hacked and shut down by a counterattack from the FBI itself. It is said to be a joint operation between the FBI, the US Secret Service and the US Department of Defense. Several other countries assisted. During the operation, the law enforcement agencies gained control of several servers used by REvil.

Vrienden van Amstel Live

The data of approximately 22,000 visitors who participated in a survey for Vrienden van Amstel Live was hacked on March 10, 2023. Earlier, data of approximately 700,000 Vodafone-Ziggo customers was also made public by a hack. The leaks were caused by market researcher Blauw. Through a software supplier of theirs (Nebu BV), the hackers gained access to personal data such as names and e-mail addresses. On March 28, 2023, the personal data of 780,000 customers at the Dutch Railways (NS) also came out, possibly due to the same data leak. Other customers of theirs such as Albert Heijn, Etos, Bol.com and Vattenfall, the Efteling, Marktplaats, Thuisbezorgd.nl and ESPN are said not to have been hacked (yet). Nebu was ordered by the court to provide market researcher Blauw with information about the break-in on its own systems and the theft of data that took place, under penalty of a fine of up to 500,000 euros. The interim relief judge granted a large part of Blauw’s claim. Nebu must share all available data about stolen data, as well as all available information about the attackers, including Nebu’s analysis of the attackers’ actions, the text file found by Nebu that was left behind on its systems by the attackers, as well as other messages it received from the attackers. In addition, Nebu must have an independent forensic investigation carried out into the data breach. Nebu was ordered to pay the legal costs and additional costs of 2,400 euros. Due to the data breach at Nebu, 139 organizations have already reported it to the Dutch Data Protection Authority.

Web shops

This year, 1338 web shops are expected to be investigated by web shop surveillance officers of the police. An estimated 1026 will be judged ‘rogue’ and 708 Notice & Takedown Procedures will be initiated. This is a request to a provider to take unwanted content offline. On an annual basis, the number of rogue web shops increases by 32 percent, the number of NTDs by 69 percent.

Wehkamp

Wehkamp ultimately paid 144,000 euros to recover the stolen data.

Housing associations

Cybercriminals who attacked eight housing corporations with ransomware at the end of March 2022 have offered some of the stolen data for sale on the dark web. In total, 8 GB of the 200 GB of files are said to be on the web, including thousands of files with private customer data, such as copies of identity documents. The corporations involved are Alwel (Roosendaal), Brederode Wonen (Bloemendaal), Laurentius (Breda), l’escaut (Vlissingen), Trivire (Dordrecht), QuaWonen (Krimpenerwaard), De Woningstichting (Wageningen) and Zayaz (‘s-Hertogenbosch). The information comes from eight housing corporations that are together responsible for more than 75,000 homes and private customer data. They previously announced that they had reported it to the Dutch Data Protection Authority (AP). Criminal hackers from the Russian group Conti hijacked the computer system of ICT company The Sourcing Company. The housing corporations are customers of this company. The eight affected housing corporations stated in a statement that they would not pay ransom to the criminal hackers. Woonkracht10 did pay ransom after an ICT attack on April 22, 2023. The Zwijndrecht housing corporation has made agreements with the attackers to ensure that they delete stolen data. The housing corporation has more than 10,000 rental properties in Zwijndrecht, Papendrecht and Alblasserdam. The cybercriminals from the Play group had access to data from Woonkracht10. It is now estimated that data from tenants, employees and other parties involved was stolen. The hacker group was also behind attacks on the computer system of the city of Antwerp. More than 500 gigabytes of data were stolen.

A 24-year-old Ukrainian was sentenced in the United States in early May 2024 to a prison term of thirteen years and seven months and approximately 15 million euros in damages. The Ukrainian took part in 2,500 attacks, in which more than 650 million euros in ransom was demanded, writes the US Department of Justice. The man was found guilty of carrying out cyber attacks with ransomware via software maker Kaseya. The Ukrainian is held responsible for the attack on Kaseya in July 2021. That attack on Kaseya made it possible to break into systems of all kinds of other companies. Computer networks were then encrypted there until victims paid a ransom. The attacks, which were claimed by the criminal hacker group REvil, had a major impact on companies. For example, hundreds of supermarkets in Sweden had to close because cash registers no longer worked. Several companies in the Netherlands were also affected.

Researchers from Radboud University in Nijmegen have discovered that most routers in the Netherlands are poorly secured with an easily guessable password. The password that is set by default on routers by the manufacturer or internet provider is a variant of the network address or serial number, making the routers vulnerable to hacker attacks. This concerns routers from internet providers such as KPN, Ziggo and Tele2.

Thousands of stolen passports can be found on the dark web, the hidden part of the internet. These documents, which criminals abuse for identity fraud and scams, were stolen in ransomware attacks on Dutch companies.

International hacks
23andMe

In a hack of the American commercial DNA database 23andMe, the data of 6.9 million people was leaked. At 23andMe, people can have DNA tested for kinship or hereditary diseases. The company’s tests are also available outside the US, including in the Netherlands. The hack was in October 2023, but the scale of the data that had been stolen only became clear later. The company has confirmed that user data has been offered for sale on the dark web in recent months.

AMD

Cybercriminals offered data from chipmaker AMD for sale online on June 19, 2024. The cybercriminals claim in a post on the forum that they have stolen information about AMD employees, financial documents and other confidential information, including information about future products, databases with customer and employee data, firmware, source code and financial data. AMD says it is investigating the claims together with the authorities and its hosting partner. The organization offering the data for sale, IntelBroker, is not new to the field. The group was previously responsible for a hack of DC Health Link, an American organization that arranges health insurance for American elected officials. In Europe, the gang managed to break into the Europol Platform for Experts, a portal for cooperation between police services.

AT&T

At the American telecom company AT&T, the data of more than 70 million people has been leaked. This includes social security numbers, names and email addresses of customers. According to AT&T, the data of approximately 7.6 million current customers and 65.4 million former customers can be found on the dark web. It does not appear that financial information of customers has been leaked, AT&T reports. According to the company, the data concerns data from before 2019.

Adobe

In 2019, Adobe leaked 7.5 million Adobe Creative Cloud account credentials via an unsecured ElasticSearch database that contained email addresses, account creation dates, Adobe products used, subscription status, Adobe employee status, user IDs, country, last login date and time, and payment status—but no passwords or payment information. The database was likely open for about a week. The leak was reported to Adobe on October 19, 2019, and the database was immediately taken offline.

Adyen

Payment service Adyen has been the target of a DDoS attack twice. This has seriously disrupted debit card and online payments. The company offers payment services for consumers and businesses. The first attack took place on April 21 at around 7:00 PM. It led to “limited availability of the services”. It is said to have led to payment problems in stores, the hospitality industry and at online shops. According to the company, the payment disruption was resolved after half an hour and a little later online payments were possible again. However, an hour and a half later there was a new attack. The Dutch listed company Adyen is an important player in global payment transactions. For example, Adyen enables payments for Meta (the parent company of Facebook and Instagram), taxi service Uber and eBay, the American auction site.

Ahold Delhaize US

A hack shut down the entire system on November 11, 2024. The site of subsidiary Hannaford also went down. Online ordering was no longer possible.

Akira

Supermarket chain Boni fell victim to a cyber attack by Akira in mid-August 2024. According to cybersecurity company Hackmanac, 16 gigabytes of data were stolen. This would include financial data, personal data and internal company files. Earlier this year, the FBI and Europol, among others, warned of attacks by Akira. In the past six months, the gang attacked more than 250 organizations in North America, Europe and Australia. Akira tries to extort ransom from victims in exchange for the stolen data. In total, the gang has demanded at least 42 million dollars (38 million euros), which victims must pay in bitcoins. It is not known how many affected organizations have actually done so. It is also unknown whether Boni was extorted in this way and whether the supermarket chain has paid a ransom. The company now says it has taken measures to prevent this type of cyber attack.

Apple iPhones

The operating system of Apple iPhones can be remotely taken over by just clicking on an infected link. A malware variant appears to be able to jailbreak an iPhone through three weak spots. The leak was discovered by a human rights activist from the Emirates. He received a message with a link, claiming that a certain website demonstrated new torture practices. He forwarded the message with the link to Citizen Lab and Lookout Security, who detected malware in the message. Recipients who click on the link have their iPhones jailbroken and can then be listened to. The malware is said to have come from the Israeli company NSO Group, which encouraged Zerodium hackers to develop spyware for a reward of one million dollars. Users with a beta version of iOS 10 are also at risk, unless they have the latest version. For developers, this is version 7, for users version 6. Devices that run iOS 8 must be updated to iOS 9. The iPhone 4 cannot update to iOS 9 and therefore remains vulnerable to the hack. iPhones are more likely to experience problems than Android smartphones. 65% of all iPhones with a problem were plagued by frequently crashing apps.

AU10TIX

A company that verifies the identities of TikTok, Uber and X users has leaked user-uploaded identity documents. The data was accessible for at least a year. The Israeli company AU10TIX, which not only verifies identities but also does age verification, was hacked. A security researcher discovered that the company’s credentials were online. TikTok was taken offline on January 19.

Axie Infinity

Hackers have stolen 40 million euros from the Ronin blockchain network of the popular online game Axie Infinity. The hackers have managed to obtain special private keys of some of the people who approve transactions. A similar theft also took place on another blockchain platform in February. Around 300 million dollars in cryptocurrencies were embezzled.

Black Cat

The oil companies SEA-Tank, Oiltanking and Evos, as well as a terminal in Terneuzen and eleven branches of Oiltanking in Germany, were hit by digital attacks. The source of the attack is still unknown, but it is said to be an attack with the ransomware BlackCat.

Boeing

Aircraft manufacturer Boeing has been hit with an extortion by hackers who claim to have stolen large amounts of sensitive data from the aerospace and defense company. Cybercrime group LockBit announced on its own website that it would post the data online if Boeing did not get in touch. “Sensitive data has been stolen and is ready for publication,” the hacker group stated on a page with a countdown clock. “We are not sending out lists or samples for now to protect the company, but that will not continue until the deadline.” On November 2, the hackers followed through on their words and published all of Boeing’s sensitive data.

Booking.com

Booking.com must pay a fine of 475,000 euros because a data breach was reported too late to the Dutch Data Protection Authority. Hackers gained access to the reservation system and obtained thousands of customer details. In almost 300 cases, they also obtained credit card details. Booking.com reported the data breach 22 days too late. The reservation site itself knew on 13 January 2019 that there was a data breach, but only reported it to the Dutch Data Protection Authority (AP) on 7 February. An American hacker also broke in early 2016 and stole details of thousands of hotel reservations in the Middle East. Affected customers were not informed at that time either. The hacker is said to have close ties to American intelligence services.

CDK

A double cyberattack at dealer management system supplier CDK Global has temporarily shut down fifteen thousand dealers in the US and Canada. CDK has gradually restarted the systems. The attack took place on Wednesday, June 19, 2024 at the largest supplier of management systems in North America. As a result, dealers were unable to use their systems, complete sales, book incoming cars and complete other transactions. Last weekend, towards the end of the quarter (one of the busiest times for sales), these dealers could only process transactions manually. CDK warned them about phishing scams and also to protect sensitive information such as passwords. The hackers are said to have demanded millions of dollars in ‘ransom’ and come from Eastern Europe.

Candycrush

Candycrush leaked location data that was subsequently traded. 

Carpetright

The British carpet company was hit by a cyber attack by ransomware in mid-April 2024. As a result, the Dutch branch closed its ICT system. To prevent further risks, all pin terminals of the Dutch stores were disconnected.

Carphone Warehouse

The Information Commissioner’s Office (ICO) is investigating a cyber breach at Carphone Warehouse, a subsidiary of Dixons Carphone, in which data from 2.4 million customers, credit card details (of 90,000 customers) and unencrypted passwords were stolen. The report was not filed until 7 August, although it had already taken place on Wednesday 5 August. Customers were not informed until 8 August. The Dixons division provides services to OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, iD Mobile, TalkTalk Mobile, Talk Mobile. The ICO was unable to start an official investigation until three days after the report was filed. The perpetrators could face a fine of more than 700 thousand euros if they are caught.

Coop

Supermarket chain Co-op shut down some of its IT systems in early May 2025 after hackers attempted to break in. Staff at the company were told to keep their cameras on during online meetings to prevent strangers from joining.

Cencora

In February 2024, Cencora suffered a cyberattack that stole sensitive personal and medical information of patients, including names, addresses, dates of birth, diagnoses, and medication records. The attack affected at least 27 pharmaceutical companies that work with Cencora, including big names such as Novartis, Bayer, AbbVie, and GlaxoSmithKline. While Cencora claims the attack had no material impact on its operations and there is no evidence of misuse of the stolen data, the company has notified approximately half a million affected individuals and is offering two years of free credit monitoring. The scope of the data breach may be larger, as Cencora serves 18 million patients. This led to a class action lawsuit filed on July 18, 2024, by Lisa Bledsoe in the Eastern District Court of Pennsylvania, accusing Cencora and its subsidiary The Lash Group of negligence in securing sensitive information. The case seeks damages and improved security measures. Werner Baumann, former CEO of Bayer, joined Cencora’s board of directors in October 2023.

Deutsche Telekom

British police arrested a 29-year-old man in London for hacking into Deutsche Telekom’s routers in November 2016, leaving more than a million of the company’s customers without internet and television. The hack occurred on a Sunday afternoon, and the company took a day to get the outage under control. Deutsche Telekom said it was a failed attempt to hack routers for a larger internet attack.

Duvel Moortgat

The Belgian brewery Duvel Moortgat was shut down on March 9, 2024 due to a cyber attack. No Duvel and La Chouffe will be brewed for a while. A ransomware attack caused production to be halted for security reasons. Production has been halted at the breweries in Puurs-Sint-Amands, Belgium, Stadsbrouwerij De Koninck in Antwerp, Brasserie d’Achouffe in Achouffe and Brouwerij Liefmans in Oudenaarde, and at subsidiary Boulevard Brewing in the United States. This affects not only the production of Duvel and La Chouffe but also of De Koninck, Liefmans, Vedett and Maredsous beers. The damage is enormous.

Equation Group

Hacker group Shadow Brokers published a blog post claiming to have stolen a package of espionage malware from the NSA-related Equation Group, intended for hacking Cisco and Juniper routers. They initially offered the complete code for sale in an auction for 1 million bitcoins, but to no avail. On a now-deleted Tumblr page, they revealed part of the code in their blog post. NSA states that it was not a hack but a leak that was responsible for the issue. At the request of the National Coordinator for Counterterrorism and Security (NCTV) and the General Intelligence and Security Service (AIVD), the Rathenau Institute conducted research into computer security among citizens, companies and government. The institute conducted a literature study, interviewed more than 25 experts and stakeholders and held two workshops to no avail. In 2016, the House of Representatives passed laws that expanded the powers of investigative and intelligence services.

Equifax

The American credit agency Equifax settled for more than 512 million euros for a major data hack in 2017. The amount could possibly increase to 700 million dollars. The breach exposed the names and dates of birth of 147 million people as well as the personal numbers of 145.5 million people and the details of 209,000 payment cards with their associated expiration dates. The leak was due to the lack of basic security measures. All data was stored unencrypted and the leaks were not closed or isolated from other parts of the network. The 575 million dollars consists of a fine of 100 million dollars and compensation of 175 million dollars for 48 American states. The remaining 300 million dollars will go to a compensation fund for affected customers. This amount can be supplemented with a maximum of 125 million dollars. Victims can claim personal damages of up to 20,000 dollars. Equifax knew about the potential leak but did nothing about it. As part of the settlement, Equifax promised to have the company’s information security assessed by a third party every two years. Four Chinese military personnel were charged for the hack. The data has economic value and was supposed to help China create artificial intelligence. Following the many fraud cases, an international investigation was conducted for four months into the 281 perpetrators. Arrests were made in Turkey, Ghana, France, Italy, England, Kenya, Malaysia and Japan in early September. During the arrest and investigation, 3.7 million dollars were seized.

eXch

The German police have seized 34 million euros in crypto from the service eXch. The service has been around since 2014. Criminals could exchange different cryptocurrencies for other cryptocurrencies, for example bitcoins in exchange for ethereum. This was done anonymously, they did not have to verify their identity and their data was not stored. The people behind eXch are therefore suspected of money laundering and the operation of an online criminal trading platform. The police have seized the servers of the service. The German police worked closely with the Dutch tax intelligence and investigation service FIOD in this case. 

Facebook/Meta

The ‘Safe Harbour Decision’, which provides for the protection of private data for the US, is not sufficient. On 6 October, the European Court of Justice in Luxembourg ruled in a far-reaching ruling against Facebook that personal data of Europeans are not safe in the United States, that mass surveillance of content is in conflict with the fundamental right to privacy and that secret services should not have general access to personal data. Data flows from Europe to the US are now illegal. Facebook must now investigate whether the transfer of data to the US should be stopped. Companies such as Google, Amazon, Twitter, Apple, Uber, Microsoft and Facebook must now make individual agreements with the institutions that monitor privacy before they can store European user data on American servers in each European country. In the Netherlands, this is the Dutch Data Protection Authority, the CBP. The ruling also has consequences for the use of the Cloud.

Fast cash

North Korean hackers have also used banks around the world to conduct fraudulent money transfers and initiate ATM cashouts and withdrawals. U.S. law enforcement has dubbed the hacking campaign “Fast Cash” and blamed the North Korean Reconnaissance General Bureau, a spy agency. They described the operation as ongoing since at least 2016 but recently increasing in sophistication and volume. Cybersecurity experts and foreign policy analysts have said such hacking operations are carried out to help fund the North Korean government, which is strapped for cash due to extensive sanctions imposed by the U.S. and other Western countries. “The continued attacks are a testament to the regime’s reliance on these funds, but also a testament to its technical prowess and determination,” said Vikram Thakur, a chief technical officer at U.S. cybersecurity firm Symantec.

Friend Finder Network

Some 412 million users of the erotic Friend Finder Network have been hacked by LeakedSource. Almost 4 million of these users are of Dutch or Flemish descent. The majority of the accounts (339.7 million) come from sex site AdultFriendFinder. Cams.com (62 million accounts), Penthouse.com (7 million accounts) and Stripshow.com (1.4 million users) were also hacked. Last year, sex site Ashley Madison was hacked with 37 million accounts and in 2013 MySpace with 360 million accounts. Yahoo had 500 million users hacked in 2014. Names, addresses, phone numbers, encrypted passwords and dates of birth were hijacked. Russian, French and Italian Twitter logins are traded on the dark web. According to LeakedSource, the login details were collected via malware. Earlier, the data of over 4.8 million parents and 6.3 million children worldwide were also stolen by a hack at toy manufacturer Vtech. Over 120,000 profiles of Dutch children and the data of around a hundred thousand parents were retrieved by the hacker who has since been arrested. He is also said to have obtained photos, chat conversations and audio files from the Kid Connect network. The hack was kept secret by the company for three days, which means that the stolen data may have also been used to gain access to other sites before customers could change their passwords.

Game Mania

The now bankrupt computer game chain Game Mania was hit by a ransomware attack in January 2022 in which the name, address, email address and telephone number of customers were stolen.

Harrods

Hackers attempted to break into the systems of British department store Harrods in early May 2025. The company has slowed down internet traffic in its stores as a precaution. It is the third company in two weeks to suffer a cyberattack in the United Kingdom. In addition to the well-known luxury department store on Brompton Road in London, Harrods also has cosmetics stores in the UK and stores at British airports. The UK’s National Cyber Security Centre, which provides online security advice, is investigating the attacks. The agency says it is working with the affected businesses to do so.

ICBC

The US division of Industrial and Commercial Bank of China (ICBC) has been hacked with ransomware. As a result, traders have been forced to use USB sticks. The attack appears to have come again from Lockbit, which has been active since early 2020 and has already hacked and blackmailed around a thousand companies worldwide. The US Department of Justice reports that a total of more than 100 million dollars in ransom has now been demanded. Earlier this year, the British postal service Royal Mail and Boeing were the target of a ransomware attack by Lockbit.

Kraken

Hacker Blackmails Crypto Exchange Kraken With $3 Million Worth of Crypto

Kraken reports that a research team has obtained (or stolen) $3 million worth of crypto via a recently discovered bug. An anonymous, self-described “security researcher” found a critical security flaw on June 9 and alerted Kraken. According to Nicholas Percoco, Kraken’s chief security officer, two accounts linked to the researcher used the bug to withdraw over $3 million worth of digital assets. Following this withdrawal, the researcher is demanding a reward for the stolen funds, Percoco wrote on X on June 19: “Instead, they demanded to speak to their business development team (i.e. their sales reps) and refused to return the funds until we give them an estimated amount of money this bug would have caused if they hadn’t reported it. This is not ethical hacking, this is blackmail!” The cryptocurrency was stolen directly from Kraken wallets. The exchange assures that no user funds were compromised. Kraken is continuing its bug bounty programs to ensure the security of the exchange and is working with law enforcement to recover the stolen funds, a Kraken spokesperson said. “We are disappointed by this experience and are now working with law enforcement to recover the assets of these security researchers.” One of the three Kraken accounts linked to the exploit previously completed Know Your Customer (KYC) verification for an individual claiming to be a security researcher, but his identity remains unknown. The researcher initially demonstrated the bug with a $4 crypto transfer, which would have been enough to prove the bug and receive a “significant reward” from Kraken’s bounty program. However, the researcher shared the bug with two other accounts, who subsequently fraudulently withdrew nearly $3 million from their Kraken accounts.

LOT

Due to a cyber attack, Polish airline LOT had to ground its planes at Warsaw’s Frédéric Chopin Airport for five hours on June 21, 2016. The hackers shut down the flight schedule system from 4 p.m. to 10 p.m., preventing planes from taking off during that time. 

Marks & Spencer

Department store Marks & Spencer has been struggling with a ransomware attack on its servers since April 25. In this type of attack, hackers block important files of the company. In exchange for ransom, they are released again. As a result, M&S has not accepted any online orders since the beginning of May. The shelves in some of the chain’s stores are also empty. The value of the company has fallen by half a billion pounds on the stock exchange because of the attack. It is not known who is behind the attacks. It is also unknown whether the attacks are related. The British police and the National Crime Agency are investigating the cyber attack on M&S.

Skeyes

Belgian airspace is closed. At the air traffic control organization, called Skeyes, arriving flights are diverted to Amsterdam, Lille and Paris. Around 15:00 it appeared that the air traffic control system of Skeyes was not functioning properly. That is why that part of the airspace is temporarily closed and no aircraft can land at or take off from at least five Belgian airports. The cause of the problem is still unclear. All aircraft that were flying in the airspace that Skeyes controls at that time have been diverted to surrounding countries. “This was done in a safe manner using a backup system,” according to the spokesperson. Aircraft flying above 7,500 meters can continue their journey as usual.

Meridianlink

Ransomware group BlackCat has reported its own hack to the US Securities and Exchange Commission (SEC), in order to enforce its extortion drive. BlackCat/ALPHV hacked and blackmailed digital credit solutions provider MeridianLink on November 7, 2023, and the company refused to pay the ransom. BlackCat is attempting to take advantage of new SEC rules that require breaches with a “material impact” to be disclosed within four days. According to screenshots posted on X by MalwareHunterTeam, the threat actors filed a request on the SEC’s Tips, Complaints, and Referrals site. BlackCat gave Meridian 24 hours to pay the ransom or risk a complete leak of the stolen data. However, the new SEC reporting rules do not officially go into effect until December 15 of this year. ImmuniWeb’s chief architect, Ilia Kolochenko, warned that disclosures to US and EU regulators could become more frequent in the future, increasing the risk to publicly traded companies. Data breach victims should urgently consider revising their digital forensics and incident response (DFIR) strategies by inviting in-house lawyers and outside law firms specializing in cybersecurity to participate in the creation, testing, management and continuous improvement of their DFIR plan. Meridian said the hackers did not have access to production platforms and that the incident caused only minimal business disruption.

Microsoft, Okta and NVIDIA

A sixteen-year-old English teenager appears to be behind the hacking group Lapsus$, which repeatedly carried out hacking attacks on Microsoft, Okta and NVIDIA, among others. The boy appears to live in England, about 5 kilometers away from the University of Oxford. The teenager received help from another teenager from Brazil. A total of seven accounts are linked to the hacking group. Lapsus$ has been in the news several times in recent weeks because it has carried out various attacks on large tech companies. First Samsung and chipmaker NVIDIA were the targets and last week it became clear that authentication software supplier Okta and tech giant Microsoft were also affected. Both of these companies say that the damage caused by the attack has remained limited.

Nexperia

Nexperia, formerly part of NXP and known for the computer chips used in telephones, vacuum cleaners and cars, has been hacked and is being blackmailed. It concerns hundreds of gigabytes of sensitive material, such as trade secrets, chip designs and many hundreds of folders with customer data from SpaceX, Apple and Huawei, among others. As evidence, the criminals have published dozens of these confidential documents on the dark web. These include internal e-mails and the passport of a former senior vice president of the company. Nexperia’s knowledge is not only in the chips, but mainly in the secret production process of these components. The perpetrators are part of the Dunghill group, a relatively new cybercriminal group that has made dozens of victims in recent times. The group calls itself ‘an international team of technical specialists who conduct research in the field of information security’. “Yes, security costs money and so does our time. That is why we offer our services for a fee,” the criminals write. Nexperia has reported the incident to the police and the Dutch Data Protection Authority. Together with cybersecurity expert Fox-IT, Nexperia is investigating the full scope and impact of the case.

Sprinter

Last winter 2023, the now bankrupt Sprinter was hit by a data hack.

SWIFT

Hackers stole 4.8 million euros in a year through a hack attack on the SWIFT payment system in Belgium. The hack was carried out at the workplace of a SWIFT operator. The SWIFT system is used by banks to carry out international transactions. In 2016, about a fifth of the hacks were successful.

Syniverse

The American Syniverse, which manages the SMS traffic for more than three hundred telecom providers worldwide, appeared to have had an unnoticed data leak since 2016. The company recently discovered that the login details of more than two hundred customers were publicly accessible. These customers include telecom companies from all over the world, including AT&T and Verizon.

Teamviewer

TeamViewer was hit by a cyberattack on June 27, 2024. According to the company behind the software, it concerns an attack on the corporate environment. What type of attack it is and which group is behind it is not yet clear, but everything points to an attack by Russian hacker collective APT29.

Tesla

In May 2023, two former employees turned over personal data of nearly 76,000 employees to German business newspaper Handelsblatt, which reported that they had obtained approximately 100 gigabytes of data from employees who had worked for Tesla and employees who are currently still employed by Tesla. In addition to names and addresses, the data also includes social security numbers. In addition, thousands of complaints from customers expressing serious concerns about the safety of Tesla’s Full Self-Driving (FSD) features were reportedly leaked. The complaints, which were reported in the US, Europe and Asia, span from 2015 to March 2022. During that period, Handelsblatt reported that Tesla customers reported more than 2,400 self-acceleration problems and 1,500 braking problems, including 139 reports of “unintended emergency braking” and 383 reports of “phantom stops” from false collision warnings.

Ticketmaster

The personal data of 560 million Ticketmaster customers fell into the hands of hackers at the end of May 2024. The group has stolen names, addresses, email addresses, telephone numbers, credit card details and ticket purchases of customers. The hacker group, called ShinyHunters, has put the data up for sale on the Dark Web for 500,000 million dollars (463,000 euros) as a “one-time offer”. The group is also demanding a ransom to not release the data. Ticketmaster has many customers in Australia. The Australian government says it is aware of the incident and is investigating the case with Ticketmaster. According to a spokesperson for the American embassy, the American FBI has offered assistance. Ticketmaster has not yet responded to the hack. It is not known whether data from Dutch customers has also been stolen.

Toyota 

240GB of internal data was stolen by hacker group ZeroSevenGroup. According to the perpetrator, the loot consists of information about customers, employees, contracts and finances. This information is said to have been stolen from the American branch of the company. Toyota has been in the news several times in recent years because of data leaks. This happened, among other things, after the revelation of source code on GitHub, a public database with customer data and an unsecured cloud database. As far as is known, none of these data leaks were the result of an external attacker.

Trello

Trello, a subsidiary of Atlassian and a provider of team management project tools, has been hacked, potentially exposing the personal data of millions of customers. The revelation was shared on X, or Twitter, on January 22, 2024, by cyber watchdogs Hack Manac and Have I Been Pwned. Trello has not yet commented, but parent company Atlassian told Cybernews that the attacker may have used a separate list of email addresses, implying some sort of brute-force attack using data from another source.

UnitedHealth Group

A ransomware attack on a subsidiary of UnitedHealth Group that disrupted pharmacies across the U.S. may have left the personal data of a third of Americans exposed. It could take “several months” for UnitedHealth to notify those affected. During hours-long hearings in the Senate and House of Representatives on Wednesday, Witty apologized to patients and doctors, admitted that hackers broke into the subsidiary through a poorly secured computer server and confirmed that he authorized a $22 million ransom payment to the hackers.

Volkswagen

Volkswagen has been hacked for years and robbed of approximately 19,000 documents. China had access to the systems of the German car company from 2010 to 2015. This was reported by the German broadcaster ZDF and the weekly magazine Der Spiegel after their own investigation. The hackers first attacked Volkswagen in 2010 and made off with data in 2011 and 2012. A year later, the hackers obtained even more access rights to the systems. The IP address of the hackers was traced back to the Chinese capital Beijing and the Chinese army. Later, the data of around 800,000 electric cars from Volkswagen was exposed due to a data leak. The data of around 61,000 vehicles registered in the Netherlands was also made public. Various car brands that are part of the Volkswagen Group, such as SEAT, Audi, SKODA and Volkswagen itself, were affected by the leak. Detailed data of more than half of the electric vehicles involved, such as personal data of owners and their travel movements, was exposed. This was the case with the Volkswagen models ID.3 and ID.4. The owners also include politicians, prominent businessmen and all 35 electric vehicles of the Hamburg police, writes Der Spiegel. Cars from all over the world were affected by the data leak. Most of the leaked data dates from 2024, but in some cases the leaked information is older. The leak was caused by errors at Volkswagen’s subsidiary Cariad, which was set up in 2019 to create a platform with data from the group’s electric cars. Data is said to have become available because a whistleblower managed to bypass certain security mechanisms without malicious intent. Cariad speaks of a “configuration error”, not a leak. The company says there are “no indications of misuse of data by third parties”.

WordPress

A vulnerability has been discovered in the WordPress plugin Forminator, a form-generating plugin that was installed by 300,000 users. The vulnerability gives access to the scripts and can be used to take over websites.

Yahoo

Three billion Yahoo (Verizon) customers were hacked in 2013. A year later, the data of 500 million users was hacked. A hack from 2012 also came to light, involving another 200 million accounts. An attack from 2014 was carried out on the orders of two Russian spies from the Russian secret service FSB who have now been charged by the US. The Department of Justice in Washington announced on Wednesday that the hackers were also able to gain access to some Google data using Yahoo’s data. Spies Dmitri Dokuchaev (33) and Igor Sushchin (43) had hackers Aleksei Belan and Karim Baratov carry out the hack. Belan escaped to Russia and Baratov was the only one of the four arrested, in his home country of Canada. The hackers’ assignment was to gather information about American government employees at Yahoo. Ron Bell, Yahoo!’s top lawyer, was forced to resign in early March 2017, and CEO Marissa Mayer forwent her annual bonus and option package.


Cryptocurrency

In July 2023, hackers stole approximately $310 million in cryptocurrency. The counter for the entire year as of September stands at $1.3 billion. In 2022, the amount was around $3.8 billion. Worldwide, the number of stolen tokens increased to $66.7 million in the first half of 2022. That is no less than 30% more than in the first half of 2021. In January, there was a record amount of $18.4 million in thefts. That is almost three times as much as the previous record from March 2020, which was $15.49 million. September accounted for the provisional high of this year, with North Korean state hackers as the main perpetrators.

Hackers are attacking organizations in other countries on behalf of the Turkish government, British and American officials have reported. The hackers have attacked the email services of the governments of Greece and Cyprus, among others. Iraq’s national security adviser has also been targeted, as have Albania’s intelligence services. The hackers have also reportedly targeted Turkish organizations such as the national chapter of the Freemasons. The attacks are believed to have taken place in 2018 and 2019.

Cybercriminals caused 62.5 million euros in damage in 2021, including through bank helpdesk fraud and phishing. That is 25 percent more than the 50 million euros two years ago. Some 6,000 companies were confronted with extortion and ransomware in 2021. Cybercriminals are increasingly posing as employees of a bank helpdesk. The number of companies that fell victim to hacking, malware or phishing and reported this to the supervisory authority rose by 88 percent in 2021 compared to 2020, when an increase was also observed compared to 2019. In 2022, the number increased by 40%.

Hackers have installed malicious software on ATMs in dozens of European countries, including the Netherlands, causing the machines to dispense money without authorization. There were also attacks on ATMs in Spain, Poland and the United Kingdom. These attacks were carried out remotely via computers in the banks’ networks. The hacks are said to have come from criminals operating under the name Cobalt, which is derived from software called Cobalt Strike. In July, amounts of 2.5 million dollars and 350,000 dollars were stolen from ATMs in Taiwan and Thailand.

Malware

The Godless malware is equipped with several exploits (PingPongRoot and Towelroot) and can therefore root Android devices and easily install spyware on them, even via the Google Play Store. The malware can embed itself in all devices with Android 5.1 or older, that is, on 90 percent of all Android phones and tablets. Trend Micro discovered this new dangerous Android malware and states that around 850,000 devices worldwide have already been infected, especially in India and Indonesia. Most infections are said to come from apps that are downloaded outside the Play Store.

The globally operating hacker collective Avalanche was busted on 1 December 2016. Bank accounts in more than 180 countries were plundered with malware. The German justice department received assistance from international organisations such as Europol and Eurojust and from colleagues in thirty countries. Five suspects were arrested and 39 servers were seized. A special command centre was set up at the Europol headquarters in The Hague to supervise the operation. In Germany alone, 6 million euros were embezzled from bank accounts.

A 20-year-old man from Utrecht has been arrested on suspicion of large-scale production and sale of malicious software. He sold programs to embed hidden codes or malware in Word and Excel files. The man is said to be behind the Rubella program, which he sold for a price ranging from a few hundred to thousands of euros. This allows a piece of hidden code to be added to common Office documents such as Excel and Word. When such an infected document is opened, the code is executed, after which malware is secretly downloaded or a program is started locally. The distribution of such malware is usually via an e-mail to which an infected document is added as an attachment. Data from dozens of credit cards and manuals on carding, a form of credit card fraud, were also found on the suspect. He also had login details for thousands of sites. Approximately 20,000 euros worth of crypto coins were seized during the arrest.

A 49-year-old man from Boxtel has been sentenced to four years in prison, one year of which is suspended, for defrauding two companies. By hacking into the email accounts of a company in Belgium, he made off with a large sum of money in 2015. The company sold aircraft parts to a company in Jordan, and the man managed to change the account number to which the Jordanians had to transfer money. Shortly after the transaction, he transferred money to acquaintances, who in turn withdrew money and returned it to him in cash. The man from Boxtel was arrested last year, after having been on a wanted list for some time. The suspect says that he was pressured by Russian criminals. The Public Prosecution Service wants him to pay back the damage to the companies, among other things. The deal involved an amount of more than half a million euros. The verdict will be delivered on Tuesday, 30 July.

In February 2019, the Public Prosecution Service demanded a 36-month prison sentence, of which 34 months were conditional, and 240 hours of community service against 20-year-old Kian S. from The Hague for carrying out DDoS attacks. Between 2014 and 2017, S. carried out multiple DDoS attacks with a network of an estimated 25,000 infected computers on the servers of the British broadcaster BBC, Zalando and Yahoo News. S. is also suspected of computer hacking, attempted extortion and offering a botnet, and he had access to 12.5 million third-party passwords.

Russian hacker Peter Levashov (hacker name Petr Severa) has pleaded guilty to leading the Kelihos botnet for years. Kelihos hacked and collected usernames, passwords and credit card details, which Levashov sold on the black market. Kelihos also distributed billions of spam emails per day. The hacked computers could also be used for DDoS attacks and for spreading ransomware. Levashov was arrested in April 2017 and extradited to the United States. The verdict will follow in September 2019. Other major Russian hackers, such as Yevgeny Nikulin, Andrei Tyurin and Roman Seleznev, were also arrested. Seleznev was sentenced to 27 years in prison. Hacker Alexander Vinnik was arrested in Greece, and the United States, Russia and France have all requested his extradition.

FBI and Interpol cybercrime interventions

The FBI has uncovered a major Chinese cyber operation in the country. According to federal police, the Chinese tried to penetrate, among other things, the American electricity grid and the drinking water supply. According to FBI director Christopher Wray, the Chinese government was behind the hacking attempts. According to him, the Chinese are looking to cause damage ‘in the real world’.

Europol (police) and Eurojust (justice) have arrested the leader and taken the platform offline during an operation against Ragnar Locker. Five servers were seized. The main suspect was arrested in Paris on October 16, 2023 and his home in the Czech Republic was searched. Five other suspects have been questioned in Spain and Latvia. The dark web platform has been taken offline in Sweden, but servers have also been seized in the Netherlands, Germany and Sweden. Ragnar Locker has been active since December 2019. Its creators have infected and locked computer systems. They also stole internal data. The ransom they demanded from victims to unlock the hijacked sites amounted to tens of millions of euros and they also threatened to release all files if victims filed a complaint. The group is said to have hacked 168 organizations including TAP, the national airline of Portugal and in September a hospital near Tel Aviv in Israel. In 2021, two other Ragnar Locker leaders were arrested in Ukraine. In 2022, another suspect was arrested in Canada.

FBI and Europol previously dismantled the Andromeda botnet and arrested a suspect from Belarus. The Andromeda botnet was able to take over computers to spread malware. The malware is said to be on millions of computers and is associated with eighty other types of malware. The FBI and Europol have taken over 1,500 domain names to stop the malware.

The Russian Ministry of Defense presented what it called “irrefutable evidence” that the United States supports ISIS and published photos that were supposed to show the Americans providing air support to ISIS in Syria. However, one of the photos turns out to be from a mobile game called AC-130 Gunship Simulator. The other four came from photos from 2016 from the Iraqi Ministry of Defense, according to the Conflict Intelligence Team (a Russian research group).

Hacker Lauri Love, who suffers from Asperger’s syndrome and depression, will not be extradited to the US due to his mental health, following an appeal. Lauri Love was accused of involvement in hacking US government services in 2012 and 2013 and is said to have broken into servers of the US military, the Missile Defense Agency, the FBI and NASA. Love is also said to have ties to hacker group Anonymous and to have caused millions of dollars in damage.

China

The first “Heartbleed” vulnerability was announced in early April 2014, and when the flaw was discovered, some 600,000 servers were vulnerable. Attackers could easily retrieve secret keys and certificates from a vulnerable server or other device. All vulnerable servers and devices had to be upgraded to a non-vulnerable version of OpenSSL, and certificates and their associated secret keys had to be replaced or rekeyed. Such a Heartbleed attack is only visible in network traffic, not in server logs, and is therefore not easily noticed. Chinese hackers used the flaw to steal the data of 4.5 million patients of Community Health Systems, the largest operator of hospitals in the United States.

A long-standing Shellshock vulnerability also poses a threat. This vulnerability allows hackers to send code that can completely take over the operation of a computer. The bug is in Bash, the shell program used on Unix systems. The vulnerability is even more serious than Heartbleed, which was a threat to approximately 500,000 computers, while Shellshock is a threat to 500 million computers. There is also no remedy. External hard drives that are connected to the home or business network appear to be poorly secured or cannot be secured at all.

The director of the Military Intelligence and Security Service (MIVD) advises large organisations not to hold meetings with a smartphone or tablet on the table. The risk of espionage is too great. According to the General Intelligence and Security Service (AIVD), economic digital espionage in Europe is also increasing slightly and in 2017 the service observed digital break-ins at European multinationals and at research institutions for energy, technology and chemistry. Terabytes of confidential data appear to have been stolen, which led to enormous economic damage. The attacks are also said to be increasingly complex and difficult to prevent. Germany has suffered more than 43 billion euros in damage due to cyber attacks in the past two years. Companies have fallen victim to sabotage, data theft and espionage. The Netherlands has attracted the interest of Russian and Chinese hackers, partly due to its temporary seat on the UN Security Council and its membership of the EU and NATO. The AIVD also observed recruitment attempts by key figures via social media, such as LinkedIn. Since 2014, large-scale espionage attacks have been taking place within the ICT networks of the Ministry of Defence. Some of them were even notable for the large scale of the attempts to steal company data or sensitive government information. The intelligence service has been able to link a number of the attacks to digital espionage by other countries. The criminal Russian-speaking hackers who obtained the payment details of 380,000 British Airways customers were also behind the hack of Ticketmaster, the British book publisher Faber and Faber, sports brand Everlast, fashion brand Rebecca Minkoff and hundreds of web shops. In previous attacks with “MageCart”, program code from suppliers was edited.

Several hundred servers in the Netherlands were infected on January 5, 2021 due to major security holes at Microsoft, which had already warned about holes in the email platform Exchange Server two weeks earlier. The cyberattack is attributed to the hacker group Hafnium, which is said to have ties to the Chinese authorities. The attacks are said to be mainly aimed at scientific institutions, defense companies, think tanks and non-governmental organizations. Microsoft said on February 8 that it would accelerate an internal investigation, and promised to release more information about the vulnerability later on March 9. On March 2, updates were supposed to fix the vulnerabilities in Exchange Server. The NCSC warned Dutch companies at the beginning of March to take active action regarding the vulnerabilities. Approximately nine out of ten Exchange servers in the Netherlands have been updated. The 1,200 servers where this has still not happened are “almost certainly” infected, says the NCSC. The NCSC calls on these organizations to continue to monitor their systems carefully.

In July 2023, Chinese hackers from Storm-0558 broke into the email accounts of at least 25 companies and organizations, including governments in Western Europe. The hackers were active in a large-scale cyber espionage campaign looking for sensitive information and are said to be directed by the Chinese government. Email accounts linked to the US government were also broken into. The hacking group, which calls itself Storm-0558, forged digital authentication tokens to gain access to email accounts. Beijing denies involvement in hacking attacks. China, in turn, accuses the US of cyber attacks. According to the Chinese Foreign Ministry, the accusations against them are a way to divert attention. A few months ago, Microsoft and several Western intelligence agencies warned that hackers, directed by China, were penetrating US critical infrastructure. These hackers would be preparing to shut down communications, transportation and other crucial systems during a future crisis in Asia. Earlier, the AIVD and MIVD announced that Dutch companies and universities are also being targeted on a large scale by Chinese espionage and by Chinese hackers. In July 2023, Chinese hackers stole tens of thousands of emails from employees of the US Department of State. In total, this concerns 60,000 emails from 10 accounts of the ministry. Nine employees who fell victim have East Asia and the Pacific as their diplomatic area. The other employee is involved in Europe. Hackers are said to have gained access to email accounts of around 25 organizations, including the US Departments of Commerce and Foreign Affairs, and governments in Western Europe. The hackers managed to get hold of a computer from a Microsoft developer, with which they were able to carry out the hack. They forged digital authentication tokens in order to gain access to email accounts.

Fortinet

There is persistent state cyber espionage via vulnerable edge devices. Earlier this year, the NCSC, together with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD), published a report on the advanced COATHANGER malware targeting FortiGate systems. Since then, the MIVD has conducted further research and has shown that the Chinese cyber espionage campaign is much more extensive than previously known. The NCSC is therefore requesting extra attention for this campaign and the abuse of vulnerabilities in edge devices. To this end, the NCSC has drawn up a knowledge product with additional information about edge devices, associated challenges and measures to be taken. Since the publication in February, the MIVD has conducted further research into the broader Chinese cyber espionage campaign. This has revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called ‘zero-day’ period alone, the actor infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry. The state actor installed malware at relevant targets at a later time. In this way, the state actor gained permanent access to the systems. Even if a victim installs FortiGate security updates, the state actor continues to have this access. It is not known how many victims actually had malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor was able to expand its access to potentially hundreds of victims worldwide and to carry out additional actions such as stealing data.
Even with the technical report on the COATHANGER malware, infections by the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to the systems of a significant number of victims.

Shamoon

Saudi Arabia was hit again by the infamous Shamoon virus that infected tens of thousands of computers in 2012. In particular, oil company Saudi Aramco was hit. The computer network of the Ministry of Labor was also infected by Shamoon 2.

Stuxnet

States hack each other, influence elections and shut down ICT systems. They plant hacks in ICT infrastructure that can be used to switch off power or destroy chemical factories and even dams. Within the Iranian nuclear weapons program, 10 to 20 percent of the centrifuges of the Natanz enrichment plant were sabotaged, until the Mossad made Stuxnet just a little too aggressive in 2010, after which the worm spread across half the world and was discovered. Erik van Sabben (36) from Vlissingen, recruited by the AIVD, managed to get the virus into an Iranian nuclear complex in 2007. The politicians were allegedly not informed about the action directed by the US and Israel. Van Sabben placed the software in a water pump that he had to install in the underground nuclear complex in the city of Natanz. Van Sabben died in January 2009 in a motorcycle accident in his hometown of Dubai. The intelligence services knew that they were collaborating in sabotage of the Iranian nuclear program, but not that their agent brought in Stuxnet. The then Balkenende IV cabinet was not informed and the Stiekem committee also knew nothing. The Dutch sabotage action can be considered an act of war in Iran. Stuxnet caused a large number of nuclear centrifuges to break down. The nuclear program was delayed by an estimated few years. The program infected computers worldwide, such as at a factory for low-enriched uranium in Almelo. The intelligence services naturally remain silent about the matter. There is a documentary series on NPO 2 about this Dutch action. Secret agent Van Sabben had already been recruited by the AIVD in 2005. Van Sabben already did business in Iran, had an Iranian wife with family there and had lived in the Middle East for years. He was praised there as an engineer who had made an important contribution to the rapid development of the Gulf state and traveled extensively for his work to Sudan, Yemen, East Africa and also to Iran.

Nitro Zeus was intended to ensure the shutdown and training of nuclear weapons production in the event of a conflict with Iran. Nitro Zeus could cripple Iran’s air defenses, communications systems and crucial parts of the energy network and was to be the successor to operation “Olympic Games”. The attack was to be carried out by United States Cyber Command and the NSA. The plan was shelved when an agreement was made with Iran in 2015 regarding the uranium facilities. Access to all relevant Iranian systems was already available.

Fordo, Iran’s most secure facility, deep inside a mountain, was also to be destroyed by a computer worm, which could slow down the uranium mining. Israel developed a more aggressive version that inadvertently infected other machines in 2009. The US is also said to have tried to shut down a North Korean nuclear program with a Stuxnet variant. Russian programmers discovered the computer virus by accident: a program that spied and analyzed how and when an attack would cause the most damage in order to strike at just the right time without the need for an extra command from outside. When the nuclear centrifuges suddenly went haywire, the Iranian technicians had no idea what hit them. Stuxnet is also said to be the culprit in the attack on a Russian nuclear power plant.

The computer systems of the Arabic news channel al-Jazeera were attacked on a large scale on 8 June. The channel remained on the air. Al-Jazeera is owned by the government of Qatar, which is in dispute with Egypt and Saudi Arabia after the emir allegedly spoke positively about Iran and negatively about Trump. Qatar is also said to support ISIS and Al Qaeda and facilitate the Muslim Brotherhood. According to Qatar, however, the reports are not correct and were placed as fake news by Russian government hackers in order to force a rift between Qatar and the Western countries. The reason behind Qatar’s isolation may therefore also have to do with the relationship between Qatar, Iran, Turkey and Russia. Qatar and Iran share one of the world’s largest gas fields and export to Russia via Turkey. Due to a rift, the gas supply by Russia has been secured again for a while. Qatar is also home to America’s largest military base in the region. Russia is also said to have used ICT to influence the presidential elections in the US.

Legian, Intermax, Grabowsky, Restment, Keylocker and Hudson Cybertec will collaborate to better protect vital Dutch infrastructure, such as ports, locks, hospitals and air traffic control. The collaboration is an idea of former director of the Military Intelligence and Security Service (MIVD) Pieter Cobelens.

Led by Germany’s Kriminalinspektion Mayen in cooperation with Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), a specialized group of the EC3, an international operation called Neuland saw six people arrested, twenty house searches conducted and 36 people questioned in six European countries. The suspects were suppliers and buyers of a platform that helps circumvent anti-virus software and a crypto service. The tools are used to test and hide malware to prevent the malicious software from being discovered. The suspects came from countries including Cyprus, Italy, Norway, the United Kingdom and the Netherlands.

A 29-year-old man confessed to being responsible for a large-scale internet outage that affected some 900,000 Deutsche Telekom routers in November 2016. The man was allegedly hired by a Liberian ISP to carry out DDoS attacks on local competitors, for which he was allegedly paid 10,000 dollars. The man wanted to carry out the attacks using a botnet that he had built. In order to increase the capacity of this botnet, the man claims to have wanted to add the routers of Deutsche Telekom and British ISPs to the network. In the attack in October 2016, a modified version of the Mirai malware was used to launch a large-scale DDoS attack against DNS provider Dyn, causing a large number of popular websites to be temporarily difficult or impossible to access. The attacker, who has since been arrested, claims to have wanted to build a botnet that could be used for DDoS attacks. In addition to Deutsche Telekom routers, more than 100,000 routers of various British Internet Service Providers were also affected. The attacker is known online as “BestBuy” or “Popopret.” German authorities refer to the man as “Spiderman,” a name he used for domain names used in the attack on Deutsche Telekom routers. The man has been extradited to Germany.

Ransomware

In the Netherlands, there were at least 147 ransomware incidents in 2023. These cases probably represent only a small part of the total. Many companies do not report for fear of reputational damage. In Germany, it is mandatory to report a ransomware attack. There, the counter ended at four thousand incidents last year. Experts do not see the number of cyber attacks decreasing yet. “Ransomware remains extremely popular among criminals, especially Ransomware as a Service (RaaS).” In this RaaS model, a gang offers ransomware as a service. Other parties can purchase that service and use it to carry out attacks themselves. Behind the providers is often a large company, with a customer service that helps the customer with problems. If the servers of a provider such as Lockbit are taken down by authorities, that does not mean that their supplied software no longer works. “The customers are still making victims”. Despite this, it is good that the criminal groups continue to be tackled and that authorities make their successes public, say the experts. The successes should demotivate criminals from continuing. Police actions show that criminals are not as anonymous as they think and that the police remain on their heels.

Systems are usually infected when an employee clicks on a link in an email. When systems are not properly secured, hackers can often gain access to all of the company’s IT systems and hold data hostage. It is usually not disclosed whether or how much was paid to get data back, but the damage regularly runs into the millions.

The Netherlands is in fourth place among countries with the most ransomware infections. Research by Kaspersky Lab shows that the number of computers infected by ransomware has risen to 718,000 per year worldwide. In the Netherlands, the number rose to 9,967. The average blackmail amount demanded via ransomware has risen in recent years from 372 dollars in 2014 to 679 dollars in 2016. Ransomware is malware that locks data on computers so that the user can no longer access his own data. The perpetrator makes the files accessible again in exchange for payment of a ransom.

TeslaCrypt has released a new version of its ransomware, which cannot be neutralized by third parties and for which the National Police’s Nomoreransom.org site, which was set up in collaboration with Europol and security companies Kaspersky Lab and Intel Security, therefore offers no solution. The site only helps to remove older ransomware and the tool offered only works against Coinvault, Bitcryptor and Shade. The police’s High Tech Crime Team has already been able to arrest suspects and found almost 5,800 data records on their server, mainly from Dutch and Belgian victims. The perpetrators were two brothers from Amersfoort. They were given a community service order of 240 hours. They each earned approximately 10,000 euros from the scam, but had to pay back part of it. The brothers stood out because the code contained flawless Dutch sentences. A lot of ransomware comes from Eastern Europe. Security company Kaspersky confirmed that the brothers’ software was well put together. Police have posted codes on the online portal ‘No more ransom’ that allow victims to unlock their computers.

After a major hack at the American Colonial Pipeline in early May 2021, which temporarily shut down a major oil pipeline in the US, and a hack at Toshiba, on May 30, Brazilian JBS, the largest meat processor in the world, suffered another ransomware hack, which brought work at branches in North America, Australia and Canada to a standstill and forced tens of thousands of employees to return home. The company was only able to resume operations after paying a ransom of $11 million. The hack, which originated in Russia, targeted JBS’s American computer servers. JBS in Australia is one of the largest branches of the Brazilian company, from where beef, lamb and pork are exported to more than fifty countries. The factory in Canada slaughters approximately 4,200 cattle per day. The amount of the ransom has not been disclosed. According to the FBI, it concerns software created by DarkSide, a relatively new group that uses ransomware as a service, which means that the group develops the ransomware and recruits others to carry out attacks. The group then receives a percentage of the ransom and demands large ransoms: between 200,000 and 2 million dollars, whereby they not only lock down the systems, but also steal data and threaten to put it online. In the case of the pipeline, almost 100 GB of data is said to have been stolen. Once inside with a hack, DarkSide would first gather information. If it turns out that they have penetrated a university or hospital, they will not continue. They also claim to have donated parts of the loot to charities, which would not have accepted this. DarkSide joins established names in the hacking sector such as REvil, Maze or Sodinokibi.

Kitchen specialist De Mandemakers Groep was hit by ransomware on June 30, 2021. The group includes brands such as Keuken Kampioen, Keuken Concurrent, Brugmans, Woonexpress, Piet Klerx, Sanidirect, and Mandemakers Keukens. The stores were unreachable by phone; the hackers had blocked a large part of the operational systems. De Mandemakers Groep is a large group in the Netherlands with two hundred branches and thousands of employees.

The GandCrab ransomware virus is currently spreading rapidly. Victims have to pay over 1000 euros in cryptocurrency to regain access to their files. GandCrab has been active since early 2018 and comes with infected attachments in email or with so-called free software. The number of reports has increased over the past two months. Victims are given two days to pay with Bitcoin or Dash. After that, the amount is doubled.

The Limburgs Voortgezet Onderwijs (LVO) foundation, which includes 23 schools, was attacked on February 26 with a new type of ransomware that was not yet recognized by virus scanners. At least 1,800 companies worldwide have been victims of ransomware. In the Netherlands, dozens of companies, including a university and a currency exchange office, were hit by ransomware Sodinokibi, also known as REvil. The government systems of several municipalities in the United States were also hit by ransomware in early 2019. In June, Riviera Beach in Florida decided to pay the criminals $600,000 (approximately €532,000) in bitcoins to regain access to the encrypted files.

A February ransomware attack on a subsidiary of UnitedHealth Group that disrupted pharmacies across the U.S. may have left the personal data of a third of Americans exposed. It will likely take “several months” for UnitedHealth to identify and notify Americans affected by the hack as the company continues to sort through the stolen data. During hours-long hearings in the Senate and House of Representatives on Wednesday, Witty apologized to patients and doctors, admitted that hackers broke into the subsidiary through a poorly secured computer server, and confirmed that he authorized a $22 million ransom payment to the hackers.

Police in Ukraine have arrested two people in Kiev, the capital of Ukraine, in early October 2021 on suspicion of using ransomware. The Ukrainian police, the French gendarmerie, the FBI, Interpol and Europol are involved in the arrest and investigation into the suspects. The suspects are said to have committed major hacks for more than 150 million dollars (around 130 million euros). The police investigated and found several computers, 375,000 dollars in ransom, two cars and more than 1 million dollars in crypto coins. The suspects are said to be part of a hacking group that has been active since April 2020. Which group it concerns has not been disclosed due to the ongoing investigation. The group is said to be known as REvil, the group behind the major Kaseya hack last year in which a ransom of 70 million dollars was also demanded.

The computer system of the House of Representatives was also infected with ransomware on 28 March 2017. A month later, energy company Iberdrola and gas company Gas Natural were hit by ransomware from WannaCry in Spain. At least fifteen hospitals in our country have suffered from ransomware in the past three years. The perpetrators respond every time a solution is found and then start a new version. Telecom giant Telefonica and Q-park were also infected, as well as a university in Italy. Worldwide, more than 200,000 cases have now been recorded in 150 countries. The National Association De Zonnebloem was also affected at the end of May. A file with data from 4,700 holiday participants appeared to have disappeared. Six affected companies are known in Belgium, but according to the police, that is just the tip of the iceberg. The perpetrators used a long-standing leak in Windows that was discovered by the American intelligence service NSA but not reported. Microsoft has now fixed the leak with updates. The perpetrators were able to use the leak because the information that the NSA had was distributed via WikiLeaks. 

Joshua Schulte, 35, was sentenced to 40 years in prison for espionage, hacking, contempt of court, making false statements to the FBI, and possession of child pornography. Schulte worked for the CIA from 2012 to 2016, where he used software to break into computer systems. After he left his job, he sent the software to WikiLeaks. The NSA developed software that could be used to exploit the leak for espionage purposes. During the investigation, Proofpoint discovered another attack called Adylkuzz, which also used technical tools developed by the NSA. This attack dates back to May 2, so it was launched before WannaCry. Researchers found evidence that the Lazarus Group, a hacking group working for the North Korean state, was behind the distribution of WannaCry. The attack used IP addresses previously associated with Lazarus. Furthermore, Symantec has found code similarities between various components of the WannaCry ransomware and older programs from Lazarus. The French company Comae Technologies has developed the tool WanaKiwi and published it on the development platform GitHub to undo the lock. The tool is said to work on Windows XP, Windows 7 and possibly also on Windows 2003 and Vista.

Russian ransomware

Three major hacking groups with ties to Russia are threatening to launch a major attack on the banking system in Europe in the coming days. The threat comes from the groups Anonymous Sudan, REvil and Killnet. In a message they say the attack is retaliation for Western support for Ukraine: “No money, no weapons, no Kiev regime.”

Container terminals of APM of the AP Moller-Maersk organization in Rotterdam, pharmaceutical producer MSD, animal feed company Royal Canin, trust office TMF, freight forwarder TNT Express, advertising agency WPP, Saint Gobain/Raab Karcher, biscuit manufacturer Mondelez in the US, supermarkets in Russia, the French bank BNP Paribas and steel producer Evraz were all infected with ransomware on June 27, 2018 by downloading or retrieving a simple phishing mail. A new variant of the so-called Petya ransomware appears to be used in the attack. According to security experts, the new attack does use elements of Petya, but also contains all kinds of new elements. Some researchers have therefore started calling the new variant NotPetya. The messages displayed on affected computers of the Ukrainian energy company Kyivenergo and the Rotterdam APM Terminals are consistent. The Ukrainian computer network was the first and most important victim. All other infected parties were businesses related to Ukraine and include many large companies, banks, the Ukrainian electricity grid operator, aircraft manufacturer Antonov, MeDoc accounting software and the airport of the capital Kiev. In Russia, oil company Rosneft and the radiation monitoring system in Chernobyl were among the affected. India, Poland, Spain, Italy and Germany were also infected. It is not yet known whether the power outage in Berlin is related to this. The hackers asked for 300 dollars per hacked computer, but because the email address to be used for this was quickly blocked by the provider, it is impossible to unlock files after payment of the ransom. In total, around 60 countries have been affected by the virus. According to Microsoft, fewer than 20,000 computers worldwide have been infected with Petya and the attack is smaller than that of WannaCry. The United States has prosecuted six of the hackers from this Russian hacker group Sandworm. The hackers are around thirty years old and all six live in Russia.
One of the suspects was also charged two years ago for his role in hacking the American electoral college during the 2016 elections. The six are said to be employed by the Russian intelligence service. They continue to attack anyone they believe is an opponent of Russia. A trial against the hackers can only start if they are extradited to the United States. The charges will make it more difficult for the six to travel, because they cannot go to countries that have an extradition treaty with the US. In addition, they cannot use Western payment systems. Ukraine will be the first target of the Russian state hackers, according to Lasoen. ‘The country has been the victim of cyber attacks continuously since 2014, but we can expect an even bigger offensive. Kiev has focused on an adequate defense, but the question is whether it is equipped for this.’ In response to the attack, Anonymous has started a “cyber war” against Russia. Through a message on social networks, the group of hackers has made a statement and expressed its support for Ukraine and they plan to spread a virus that will delete all data from the systems to which it has access without being able to restore it. Russia has denied being responsible for this computer attack on Ukraine, but all suspicions are directed against them. The European Central Bank (ECB) is also preparing European banks for cyber attacks by Russia.

A Russian has pleaded guilty in a court case to hacking more than 160 million credit card numbers from the systems of 7-Eleven, Jetblue and Dow Jones and reselling them for between 10 and 50 dollars per credit card number. After his arrest and two and a half years in detention in the Netherlands, he was recently extradited to the US. The hack caused more than 300 million dollars in damage. The hacker is said to have worked with several other Russian and Ukrainian hackers. In exchange for his confession, nine other charges were dropped. The sentence could be up to 30 years in prison.

A Russian hacker named Yevgeniy Nikulin was found guilty in the US in early July 2020 of hacking LinkedIn and Dropbox in 2012. The hack resulted in the data of 100 million LinkedIn users being stolen. It was one of the largest data thefts in US history. Nikulin was arrested in Prague in October 2016. He was then extradited to the United States and spent years in pre-trial detention. The verdict in the case should actually have been delivered in March, but it was temporarily suspended due to the corona crisis. The verdict will follow in September. He could be sentenced to up to ten years in prison.

DoppelPaymer

On February 28, 2023, German and Ukrainian police, supported by Europol, Dutch police, and the FBI, arrested suspected members of a criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware. The ransomware was distributed via phishing and spam emails with attached documents that affected 37 companies. One of the most serious attacks was against the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021. Europol set up a Virtual Command Post to connect investigators and experts from Europol, Germany, Ukraine, the Netherlands, and the United States in real time and coordinate activities during the searches. Europol’s Joint Cybercrime Action Taskforce (J-CAT) also supported the operation. This permanent operational team consists of cybercrime liaison officers from various countries who work on high-profile cybercrime investigations.

Hackers are attacking organizations in other countries on behalf of the Turkish government, British and American officials have reported. The hackers have attacked the email services of the governments of Greece and Cyprus, among others. Iraq’s national security adviser has also been targeted, as have Albania’s intelligence services. The hackers have also reportedly targeted Turkish organizations such as the national chapter of the Freemasons. The attacks are believed to have taken place in 2018 and 2019.

The Belgian brewery Duvel Moortgat will be shut down on March 9, 2024 due to a cyber attack. No Duvel and La Chouffe will be brewed for a while. A ransomware attack caused production to be halted for security reasons. Breweries in Puurs-Sint-Amands, Belgium, Stadsbrouwerij De Koninck in Antwerp, Brasserie d’Achouffe in Achouffe and Brouwerij Liefmans in Oudenaarde and the production of subsidiary Boulevard Brewing in the United States have been halted. This affects not only the production of Duvel and La Chouffe but also that of De Koninck, Liefmans, Vedett and Maredsous beers. The damage is enormous.

TeslaCrypt has released a new version of Ransomware, which cannot be neutralized by third parties and for which the National Police’s Nomoreransom.org site, which was set up in collaboration with Europol and security companies Kaspersky Lab and Intel Security, therefore offers no solution. The site only helps to remove older ransomware and the tool offered only works against Coinvault, Bitcryptor and Shade. The police’s High Tech Crime Team has already been able to arrest suspects and found almost 5,800 data records on their server, mainly from Dutch and Belgian victims. The perpetrators were two brothers from Amersfoort. They were given a community service order of 240 hours. They each earned approximately 10,000 euros from the scam, but had to pay back part of it. The brothers stood out because the code contained flawless Dutch sentences. A lot of ransomware comes from Eastern Europe. Security company Kaspersky confirmed that the brothers’ software was well put together. Police have posted codes on the online portal ‘No more ransom’ that allow victims to unlock their computers.

Snake malware

The US Department of Justice has taken down a network of computers that had been hacked by Russian state hackers. The group had allegedly been stealing information for 20 years via hacked computers using Snake malware, a program from the Turla unit of the Russian security service. They operated from their office in the Russian city of Ryazan. Turla used the Snake malware all that time to steal sensitive documents from hundreds of systems in at least fifty countries, including NATO countries. These were computers of governments, journalists and other targets that were of interest to Russia. After stealing these documents, they were distributed via a secret network of computers infected with Snake. This made it impossible to trace who stole the files. The network was eventually taken down because the FBI developed a tool that made the Snake malware harmless from the inside. Turla malware included a keylogger, among other things.

Russian hackers calling themselves Shadow Brokers want to crowdfund 10,000 bitcoins (about $6.3 million) and provide each participant with a password that can be used to access tools to break into corporate systems like Cisco and bypass security measures like Fortinet’s.

The US Departments of Commerce, Treasury, Homeland Security, State and parts of Defense were hacked for months without being noticed by what are believed to be six Russian hackers from APT29 and Cozy Bear. The National Institutes of Health (NIH) was also hacked. The government agencies must stop using software from the American software company SolarWinds, which was responsible for the vulnerability. Russia denies any involvement. The hack was discovered when cybersecurity company FireEye investigated a hack attack on its own network. The SolarWinds software was identified as a weak link. The hackers abused the backdoor to install malware, which then ended up in the systems of SolarWinds customers when they updated their software. Some 18,000 entities may have downloaded the malicious software and some 250 networks were victimized.


Approval phishing

Approval phishing involves deceiving victims into signing a kind of consent transaction. This gives the fraudster access to the money from their crypto wallet. In an international operation, 186 Dutch victims of ‘approval phishing’ have also been identified in recent months. In this form of crypto fraud, victims unknowingly give permission to a fraudster to manage their crypto account. Two Dutch victims had not yet been robbed and their money was secured in time. In one of them, 65,000 euros were prevented from being stolen. The operation, called Spincaster, took place in the Netherlands, the US, the United Kingdom, Canada, Spain and Australia. In total, more than 162 million dollars in stolen money was identified. According to the police, this form of fraud is increasingly common in dating fraud and investment fraud. For example, young people are tempted via social media to get rich quickly via crypto or victims are convinced to make an investment via an online (love) relationship. “It’s a kind of shell game. Criminals let you earn money, give you the feeling that it’s a safe investment, and then cheat you out of the big money. Victims lose thousands of euros on average,” says Ruben van Well of the Cybercrime Team Rotterdam. During the operation to detect and prevent approval phishing, the police worked together with blockchain data platform Chainalysis and trading platforms. Operation Spincaster is “a successful start in showing how well this form of fraud can be detected and prevented,” says Van Well. According to him, it is now important to “jointly look at how we can recognize this form of fraud, even outside of such a sprint, in real time and intervene to prevent more people from becoming victims.”

Phishing

The damage caused by phishing and bank helpdesk fraud is increasing. In the first six months of 2021, the total damage was more than 22.5 million euros. In one month, 40,000 reports were made of fake reminders. For example, fraudsters pose as the Tax Authorities on the internet. Normally, there are around 2,000 phishing reports per week. During the corona crisis, there were between 10,000 and 12,000 per week. Large amounts of money are also extorted via WhatsApp under false pretenses. By assuming a false identity, money is urgently requested. Because a known person or a family member is usually impersonated, many people fall for it.

Smishing

Smishing, a combination of “SMS” and “phishing”, is a form of cyber fraud in which scammers send text messages to steal personal data such as login details, banking information or two-step verification codes. In the context of Bitvavo, a well-known Dutch crypto platform, criminals often send fake text messages that appear to come from Bitvavo, claiming a suspicious login attempt, for example from Dortmund or Geneva. These messages ask you to call a phone number or click on a link, such as to a fake website like bitvavo-privacy.com, to “secure” your account. This is a classic form of bank helpdesk fraud. Bitvavo warns that they never send text messages about login attempts or ask you to share sensitive information via text or phone. Fraudsters use spoofing to forge the sender ID, making the text message appear credible, and play on fear by emphasizing urgency. To protect yourself, do not click on links or call numbers in suspicious text messages. Report it immediately to fraud@bitvavo.com and check your account via the official website (bitvavo.com). Enable two-step verification, preferably with an authenticator app, and check if your data has been leaked via haveibeenpwned.com. If you are a victim, change your password, contact Bitvavo via support@bitvavo.com, monitor your bank account and report it to the police. Smishing is effective because text messages seem personal and reliable, but with vigilance and the right steps you can protect yourself.

Spoofing

Bank helpdesk fraud is also called spoofing. It is a form of fraud in which scammers call from an existing telephone number of a bank and pose as a bank employee in order to cheat people out of money. The damage caused by this amounted to 16.5 million euros in the first half of 2021.

A Toronto couple is accused of defrauding approximately 570 Canadians of millions of euros. The two were caught after an extensive investigation by the London Metropolitan Police with the help of the Dutch police and Europol called Elaborate. The pair posed as bank, government or police employees to mislead victims and used software to hide their own phone numbers while making hundreds of fraudulent phone calls, apparently from different numbers. The two suspects, aged 29 and 31, used a fake website to make the calls and were the most active subscribers to iSpoof.cc. iSpoof has 38,000 subscribers and is often used for (bank) helpdesk fraud. The software allows criminals to pose as trusted companies. In addition to spoofing, the couple was also guilty of phishing (a form of internet fraud in which people are lured to a fake website, which is a copy of a real website) and smishing (a form of cybercrime in which criminals send you a message in an attempt to obtain login details, credit card information, PIN numbers or other personal data).  The couple was arrested on February 19, 2025 and charged with fraud, unauthorized computer use, money laundering proceeds of crime, unauthorized possession of credit card information and possession of proceeds of crime and are due to appear in court in Toronto on February 21. Police suspect that almost every bank in Canada has fallen victim to the two.
It was recently announced that Dutch numbers, starting with country code 31, are increasingly being used in Europe. Previously, it was mainly 44, the country code for England, but it is said to be used too much by criminals, which makes victims more suspicious. Dutch banks announced a few months ago that they would better help customers not to fall for (fake) phone calls. Often via an online tool in the app with which customers can check whether they really have a bank employee on the line.
Consumers are often not aware of what a bank does or does not ask of customers. A quarter of the Dutch do not know this, according to research commissioned by ABN Amro. Customers therefore increasingly need tools to be able to bank safely.


DDoS

After investigating the data behind the so-called ‘booter websites’, the Dutch police managed to discover the identity of approximately 200 suspects, of which at least four suspects are now being prosecuted. These are four men between the ages of 22 and 26 and from Rijen, Voorhout, Lelystad and Barneveld. The 26-year-old man from Barneveld is suspected of carrying out no fewer than 4,169 DDoS attacks. The other three suspects probably carried out hundreds of attacks. These suspects have now been questioned by the police. Their files will be sent to the Public Prosecution Service for further criminal prosecution. The police expect to summon more suspects for questioning soon and do not rule out more arrests. In the Netherlands, one frequently used website on which people could ‘order’ DDoS attacks has also been taken offline. The system used to create SSL certificates for DigiD is often cracked by hackers, but is also often disabled by DDoS attacks. The disruptions in January 2025 at DigiD were caused by a major DDoS attack. The DigiD server had to process so much traffic that the site could not handle it. This was reported by Logius, the government institution that manages DigiD. Although the daily system should be able to withstand such attacks, the size and breadth of this attack led to the temporary unavailability of several Logius services. The attack on multiple facilities simultaneously had an “exceptionally high” volume. The joint network of universities and colleges in the south of the Netherlands was also hit by a cyber attack. Maastricht University reported that this made the university’s systems inaccessible. This time too, it concerns a DDoS attack on Surf’s systems. The educational institutions work together in the IT field. TU Eindhoven was hit the hardest and has had to do without a properly functioning network for three days in a row. The university in Maastricht says that, among other things, WiFi and VPN on campus were not connected.
SURF is systematically the target of DDoS attacks. In SURF, all universities, colleges, university hospitals and a group of vocational schools and research institutes work together in the IT field. On Friday 17 January, SURF was once again the target of a DDoS attack. SURF is in close contact with the National Cyber Security Center (NCSC).

DDoS attacks are becoming increasingly efficient with smaller attacks that last longer. An attack is carried out via a software program or with a botnet. Hackers are increasingly targeting routers, media servers, webcams, smart TVs and network printers. 20 percent of all attacks are Simple Service Discovery Protocol attacks (SSDP). Last year, 35 percent of all DDoS attacks were aimed at the gaming industry and 30 percent at healthcare institutions that are then blackmailed with the threat of releasing patient data. Carrying out a DDoS attack can be punished with a prison sentence. When an attack causes a lot of damage, such as at Ziggo, a prison sentence of six years can even be demanded. When lives are in danger, for example due to an attack on a hospital, the sentence can increase to fifteen years. Fines can amount to tens of thousands of euros and it is also possible that damages suffered are recovered from perpetrators. In November 2016, 39-year-old hacker Sven Olaf K. was sentenced to 240 days in prison, 185 of which were suspended, for the major DDoS attack in March 2013 on the network of the American internet company Spamhaus. In July 2018, the Cybercrime Team Northern Netherlands (‘Operation Power Off’) made six arrests in Northern Netherlands, after the police dismantled the largest cybercriminal website Webstresser.org on 24 April. It concerns two people from Drenthe, three from Friesland and one from Groningen. Four suspected administrators in Serbia and Croatia, among others, were also tracked down. Actions were also taken against suspected administrators in Canada and the United Kingdom. The website Webstresser.org was a so-called ‘booter’ or ‘stresser’ service: a website where powerful DDoS attacks could be purchased at low prices. IT service providers, cloud providers and SaaS service providers were the most frequently targeted by DDoS attacks. 58% of all mitigation activities to stop DDoS attacks were performed by these parties. 
Financial services companies accounted for 28% of mitigation activities, while media, entertainment and content companies were responsible for 6%.

Wikileaks

WikiLeaks published hundreds of thousands of secret documents in 2010, including on US military operations in Afghanistan and Iraq. Assange has been fighting lawsuits since then to avoid justice in the US. Before being transferred to a British prison in 2019, he hid in the Ecuadorian embassy in London for seven years. WikiLeaks published the video Collateral Murder in 2010. The footage from 2007 shows, among other things, American helicopter pilots opening fire on a square in the Iraqi capital Baghdad. A group of Iraqi civilians and two journalists from the Reuters news agency were killed. WikiLeaks also published thousands of documents from the CIA, containing extensive information about hacking software that is used. The data leak, Year Zero, contains 8,761 documents entitled ‘Vault 7’. The documents come from a network within the CIA office in Langley, USA, over which control was lost. A collection of malware, viruses and hacking software is circulating among former government hackers and contractors. The documents include instructions to hack iOS, Android and Windows devices, as well as Samsung smart TVs. Software was used to install keyloggers to read along as users typed text. The US consulate in Frankfurt is said to have served as a hacker base for the CIA, for espionage in Europe, Africa and the Middle East. Zero-day leaks were hoarded and not reported to tech companies. WikiLeaks leader Julian Assange was arrested by British police on April 11, 2019, after seven years in prison at the Ecuadorian embassy in London, after his asylum was revoked. 35-year-old CIA agent Joshua Schulte was sentenced to 40 years in prison for espionage, hacking, contempt of court, making false statements to the FBI and possession of child pornography. Schulte worked for the CIA from 2012 to 2016, using software to break into computer systems. After he left his job, he sent the software to WikiLeaks.

Hackers have compromised the data of 1.1 million users of the Clash of Clans forum. Game developer Supercell reported this. The hackers are said to have obtained usernames, IP addresses, email addresses and encrypted passwords. In 2016, almost 5,500 data leaks were reported to the Dutch Data Protection Authority.

WikiLeaks leader Julian Assange (52) was finally arrested by British police on April 11, 2019, after seven years in the Ecuadorian embassy in London, after his asylum was revoked and he faced possible extradition to the US where he could face a conviction for espionage. He made a deal with the public prosecutor in the United States on June 24, 2024 and was released from prison. He immediately left the United Kingdom via London Stansted Airport on June 24, 2024. Assange pleaded guilty to conspiracy to obtain and publish classified defense information. In the deal, Assange must serve 62 months in prison, but he does not have to serve that sentence because he has already been in a British prison since 2019. The Australian government responded to the news of Assange’s release through a spokesperson on Tuesday. Assange is an Australian citizen. Assange will officially hear his sentence on Wednesday, June 26, 2024 at 9:00 am (local time) during a hearing on the Pacific island of Saipan. Saipan is part of the US overseas territory of the Northern Mariana Islands. According to prosecutors, that location was chosen because Assange did not want to travel to the mainland of the US, and because it is relatively close to Australia. According to WikiLeaks, Assange will fly to his home country after the hearing. Former Democratic senator and member of the Foreign Relations Committee, Bob Menendez (71), the man who was behind the extradition of Julian Assange, has been sentenced to 11 years in prison for years of corruption, bribery and extortion that had earned him bags of cash and gold bars from countries including Qatar and Egypt. During the investigation, authorities discovered hidden gold bars and more than $480,000 in cash. Menendez was a prominent proponent of the witch hunt against Julian Assange in the Senate. He spared no effort to pressure the U.S. government into expelling Assange from its embassy in London. 
This included leading a group of Democrats in a letter to then-Vice President Mike Pence, as well as another letter to Secretary of State Mike Pompeo. He also wrote a letter in Spanish, published in Ecuador, threatening economic consequences if the country did not comply with demands to extradite Assange. He did all this at a time when he himself was as corrupt as hell. You have to be brave… At his own trial, Menendez tearfully begged the judge for mercy, but the judge would not listen. “You are corrupt,” he said. The judge also ordered forfeiture of all of Menendez’s illicit profits, which totaled $992,188.10, according to the attorney general’s office. Menendez was also federally charged with corruption in 2006 and 2015, but he managed to get those charges dropped.

Click farms

Worldwide, tens of billions of euros in marketing money are lost because online advertisements are clicked fraudulently. The advertiser thinks that his expensive advertisements and listings on Google matter, while the reality is different. Online advertising fraud used to be done mainly with ‘click farms’: locations in low-wage countries where hundreds of people sit behind computers and physically click on advertisements, or rooms with countless mobile phones in racks on which advertisements are received. Nowadays, criminals use AI, bots and computer programs that imitate human behavior, or workers are hired freelance, via Randstad, or online via Telegram and WhatsApp, to control these bots from home. These programs imitate human click behavior ever more convincingly and a lot of money is made with it. It involves tens of billions of euros. The Russian cybercriminal Aleksandr Zhukov was sentenced to ten years in prison in New York for this form of cybercrime. His gang obtained advertisements from large companies via online flash auctions and placed them on empty web pages. Through a trick, these pages posed as major American publishers such as the New York Times and The Wall Street Journal. This is called spoofing. Zhukov then had bots click on these ads. As a result, he received at least seven million dollars from the advertising networks. Clicking on ads illegally is not prohibited and generates a huge amount of money. The home workers are often unaware of the wrongdoing and often do not even understand that it is unethical because it is not prohibited by law. But it is not just bots and automation. Click farms and other forms of human-driven fraud have become so common that they are actually out in the open and anyone can purchase their services at a low price, which means that the number of botnets, scrapers, crawlers, automation tools and click farms will only continue to increase.

The Public Prosecution Service East Netherlands arrested a 26-year-old man from Assen in January 2024. According to the Public Prosecution Service, the hacker has been guilty of cracking email, cryptocurrency and webshop accounts on a large scale. The suspect was arrested at the end of January and has been in pre-trial detention since then. Customers of a hosting company from Zwolle were, it turned out, the target of computer hacking, identity fraud and phishing. The hosting provider filed two reports. In addition, a company that manages a parking app also filed a report of computer hacking, because it was the victim of a cyber attack committed by the same suspect. The Assenaar developed a cybercrime tool himself, used it to collect enormous amounts of login details from others and then placed orders for large sums of money with, for example, webshops. He used his tool to retrieve customer login details. He was then able to test those login details in an automated manner with other websites. He then logged in again at other locations and subsequently – unnoticed and unseen – withdrew bitcoins from victims at cryptocurrency services, and ordered expensive clothing items from online stores. Emails with order confirmations and/or reminders of unpaid invoices were automatically intercepted, so that victims never saw them. He also redirected the emails from the delivery services to a temporary mailbox of his own. These emails included a link to change the delivery address; this way, the suspect had the packages delivered to parcel points or parcel machines. An identity document is sometimes required to collect these packages. The cybercrime tool also contained a functionality that allowed an image of an identity document to be made with a self-chosen first and last name and a random document number. Ultimately, the suspect was able to collect the packages himself using these identity documents. A substantive hearing is scheduled for 9 July.

More than three quarters of companies have had to deal with cybercrime. The increase among SMEs, with an annual turnover of less than 10 million, is rapid. Last year, ‘only’ 39 percent of respondents were the target of cybercriminals. This percentage has now almost doubled to 80 percent.

Bank hacks

Cybercriminals cause tens of millions of euros in damage every year, including through bank helpdesk fraud and phishing. Thousands of companies are confronted with extortion and ransomware. Cybercriminals increasingly pose as employees of a bank helpdesk. The number of companies that have fallen victim to hacking, malware or phishing and reported this to the supervisory authority is still rising.

Hackers have installed malicious software on ATMs in dozens of European countries, including the Netherlands, causing the machines to dispense money without authorization. There were also attacks on ATMs in Spain, Poland and the United Kingdom. These attacks were carried out remotely via computers in the banks’ networks. The hacks are said to have come from criminals operating under the name Cobalt, which is derived from software called Cobalt Strike. In July, amounts of 2.5 million dollars and 350,000 dollars were stolen from ATMs in Taiwan and Thailand.

Equifax

The American credit agency Equifax settled for more than 512 million euros for a major data hack in 2017. The amount could possibly increase to 700 million dollars. The breach exposed the names and dates of birth of 147 million people as well as the personal numbers of 145.5 million people and the details of 209,000 payment cards with their associated expiration dates. The breach was due to the lack of basic security measures. All data was stored unencrypted and the vulnerabilities were not closed or isolated from other parts of the network. The 575 million dollars consists of a fine of 100 million dollars and compensation of 175 million dollars for 48 American states. The remaining 300 million dollars will go to a compensation fund for affected customers. This amount can be supplemented with a maximum of 125 million dollars. Victims can claim personal damages of up to 20,000 dollars. Equifax knew about the potential breach but did nothing about it. As part of the settlement, Equifax agreed to have a third party review the company’s information security every two years. Four Chinese military personnel were charged in connection with the hack. The data has economic value and was supposed to help China create artificial intelligence.

Following the many fraud cases, an international investigation was conducted for four months into the 281 perpetrators. Arrests were made in Turkey, Ghana, France, Italy, England, Kenya, Malaysia and Japan in early September. During the arrest and investigations, 3.7 million dollars were seized.

Malware

Godless malware is equipped with several exploits (PingPongRoot and Towelroot) and can therefore root Android devices and easily install spyware on them, even via the Google Play Store. The malware can install itself on all devices with Android 5.1 or older, that is, on 90 percent of all Android phones and tablets. Trend Micro discovered this new dangerous Android malware and states that around 850,000 devices worldwide have already been infected, especially in India and Indonesia. Most infections are said to come from apps that are downloaded outside the Play Store.

The globally operating hacker collective Avalanche was busted on 1 December 2016. Bank accounts in more than 180 countries were plundered with malware. The German justice department received assistance from international organisations such as Europol and Eurojust and from colleagues in thirty countries. Five suspects were arrested and 39 servers were seized. A special command centre was set up at the Europol headquarters in The Hague to supervise the operation. In Germany alone, 6 million euros were embezzled from bank accounts.

A 20-year-old man from Utrecht has been arrested on suspicion of large-scale production and sale of malicious software. He sold programs to embed hidden codes or malware in Word and Excel files. The man is said to be behind the Rubella program, which he sold for a price ranging from a few hundred to thousands of euros. This allows a piece of hidden code to be added to common Office documents such as Excel and Word. When such an infected document is opened, the code is executed, after which malware is secretly downloaded or a program is started locally. The distribution of such malware is usually via an e-mail to which an infected document is added as an attachment. Data from dozens of credit cards and manuals on carding, a form of credit card fraud, were also found on the suspect. He also had login details for thousands of sites. Approximately 20,000 euros worth of crypto coins were seized during the arrest.

A 49-year-old man from Boxtel has been sentenced to four years in prison, one year of which is suspended, for defrauding two companies. By hacking into the email accounts of a company in Belgium, he stole tons of loot in 2015. The company sold aircraft parts to a company in Jordan, and the man managed to change the account number to which the Jordanians had to transfer money. Shortly after the transaction, he transferred money to acquaintances, who in turn withdrew money and returned it to him in cash. The man from Boxtel was arrested last year, after having been on a wanted list for some time. The suspect says that he was pressured by Russian criminals. The Public Prosecution Service wants him to pay back the damage to the companies, among other things. The deal involved an amount of more than half a million euros. The verdict will be delivered on Tuesday, 30 July.

In February 2019, the Public Prosecution Service demanded a 36-month prison sentence, of which 34 months were conditional, and 240 hours of community service against 20-year-old Kian S. from The Hague for carrying out DDoS attacks. Between 2014 and 2017, S. carried out multiple DDoS attacks with a network of an estimated 25,000 infected computers on the servers of the British broadcaster BBC, Zalando and YahooNews. S. is also suspected of computer hacking, attempted extortion and offering a botnet and had access to 12.5 million third-party passwords.

Russian hacker Peter Levashov (hacker name Petr Severa) has pleaded guilty to leading the Kelihos botnet for years. Kelihos collected usernames, passwords and credit card details, which Levashov sold on the black market. Kelihos also distributed billions of spam emails per day. The hacked computers could also be used for DDoS attacks and for spreading ransomware. Levashov was arrested in April 2017 and extradited to the United States. The verdict will follow in September 2019. Other major Russian hackers, such as Yevgeny Nikulin, Andrei Tyurin and Roman Seleznev, were also arrested. Seleznev was sentenced to 27 years in prison. Hacker Alexander Vinnik was arrested in Greece; the United States, Russia and France have all requested his extradition.

An eighteen-year-old man from Oosterhout in Brabant was arrested in early February 2018 for the DDoS attack that shut down the Tax and Customs Administration website. The young man is also suspected of earlier DDoS attacks on the bank Bunq in September of last year, and recent attacks on the internet site Tweakers and provider Tweak. The most common DDoS attacks are UDP floods (46%). TCP-based attacks are also common; 33% of all DDoS attacks were TCP-based attacks. The NOS, the NPO, many schools, the Volkskrant and Ziggo all suffered DDoS attacks in the past year. Anonymous is said to be responsible for this in order to draw attention to the lack of security for users. Four of the five suspects arrested for this were between 14 and 17 years old, the fifth was 21 years old. Two million Ziggo customers had their internet shut down for two days in a row due to DDoS attacks. Ziggo has 3.1 million internet customers. About 60 percent of the customers were affected by the consequences of the DDoS attack on August 18 and 19.

Operation Jackal

After Interpol arrested around a hundred people in Africa and the EU from the Black Axe organization, which specializes in credit card fraud, romance scams and money laundering, in ‘Operation Jackal’ in early August 2023, fourteen people were arrested in Operation Africa Cyber Surge II and more than 20,000 suspicious networks were identified in 25 African countries. The suspects are said to be jointly responsible for 37 million euros in embezzlement. The organization was guilty of online scams, such as phishing, extortion and forging business emails. The arrests were made in Nigeria, Mauritius and Cameroon, among others.

Operation Duck Hunt

The Qakbot, which had been active since 2008, played a key role in global cybercrime. Through this network, people were able to access large numbers of computers for a fee in order to install ransomware. In recent years, hundreds of millions of dollars in damage was caused to companies and government institutions. With Operation Duck Hunt, the FBI managed to dismantle and shut down the network in August 2023. Germany, France, the United Kingdom, the United States, Romania and Lithuania participated in the operation.

All traffic on Qakbot was redirected to FBI servers. Several computer servers connected to the computer network were also seized in the Netherlands. Several servers were taken offline in France and Germany. The operation resulted in the seizure of $8.6 million in cryptocurrencies.

After hacking CIA Director Brennan’s email account, Crackas With Attitude (CWA) have now gained access to the Joint Automated Booking System via the chat system that the FBI uses to communicate with law enforcement agencies in the US in real time. The portal contains data on arrests and tools for sharing information on terrorist activities and firearms offences. JABS also contains data on arrests of suspects who cooperate as informants in the investigation.

JPMorgan Chase was also targeted by hackers and had to watch as they committed one of the largest thefts of consumer data ever. The perpetrators were arrested. Digital energy contracts were stolen internally from two million households at a Dutch energy supplier. The data contained annual consumption, type of connection and the end date of the contracts.

Graham Clark, 18, from Tampa, who in 2020 managed to obtain the Twitter accounts of Joe Biden, Bill Gates, Elon Musk and Kanye West with the help of Nima Fazeli from Orlando and Mason Sheppard from the United Kingdom, has been caught and convicted. Together with the two partners in crime, a dozen prominent Twitter accounts were taken over and the users were extorted for Bitcoin. In total, Clark earned around 117,000 dollars in this way. Because he was arrested while he was still 17 years old, he was sentenced as a juvenile. After a confession, he was given three years in juvenile detention and another three years of probation with a minimum sentence of 10 years if he breaks probation. He must return the money to the victims. Both the FBI and Twitter started an investigation. It turned out that Clark had gained access to internal systems through Twitter employees by convincing them that he worked in the company’s information technology department. He then gained access to the company’s customer service portal. Clark is also banned from using computers without police permission and supervision for the future. He will have to submit to searches of his property and provide the passwords to all accounts he controls.

In Europe, 27 people, mainly from Romania, Moldova, Russia and Ukraine, were arrested in connection with hacking ATMs. Two of the arrests were in the Netherlands. The suspects drilled or melted holes in the covers of ATMs, after which they could connect laptops or other electronic devices, so-called ‘black boxes’, to the PIN computer and thus instruct the machines to pay out money. This form of electronic theft has been going on since 2015. The LuminosityLink program, which allowed users to turn on webcams, disable antivirus software and enable keylogging, was neutralized in an international police operation in September 2017. The program was sold for 40 euros and was very user-friendly. More than 8,600 people from dozens of countries are said to have bought and used the program.

Encrochat

In the spring of 2021, the police hacked Encrochat and were able to read millions of messages exchanged by criminals live for three months. This led the police to, among other things, the torture complex in Wouwse Plantage in Brabant. Hundreds of arrests were also made and major drug gangs were dismantled. In addition, the police got a very disturbing picture of corruption within the government: agents who sold information and customs officers who let containers full of cocaine pass.

Nitro Zeus was intended to ensure the shutdown and training of nuclear weapons production in the event of a conflict with Iran. Nitro Zeus could cripple Iran’s air defenses, communications systems and crucial parts of the energy network and was to be the successor to operation “Olympic Games”. The attack was to be carried out by United States Cyber Command and the NSA. The plan was shelved when an agreement was made with Iran in 2015 regarding the uranium facilities. Access to all relevant Iranian systems was already available.

The computer systems of the Arabic news channel al-Jazeera were attacked on a large scale. The channel remained on the air. Al-Jazeera is owned by the government of Qatar, which is in dispute with Egypt and Saudi Arabia after the emir allegedly spoke positively about Iran and negatively about Trump. Qatar is also said to support Isis and Al Qaeda and facilitate the Muslim Brotherhood. According to Qatar, however, the reports are not correct and were placed as fake news by Russian government hackers in order to force a rift between Qatar and the Western countries. The reason behind Qatar’s isolation may therefore also have to do with the relationship between Qatar, Iran, Turkey and Russia. Qatar and Iran share one of the world’s largest gas fields and export to Russia via Turkey. Due to a rift, the gas supply by Russia has been secured again for a while. Qatar is also home to America’s largest military base in the region. Russia is also said to have used ICT to influence the presidential elections in the US.

Legian, Intermax, Grabowsky, Restment, Keylocker and Hudson Cybertec will collaborate to better protect vital Dutch infrastructure, such as ports, locks, hospitals and air traffic control. The collaboration is an idea of former director of the Military Intelligence and Security Service (MIVD) Pieter Cobelens.

Led by Germany’s Kriminalinspektion Mayen in cooperation with Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), a specialized group of the EC3, an international operation called Neuland saw six people arrested, twenty house searches conducted and 36 people questioned in six European countries. The suspects were suppliers and buyers of a platform that helps circumvent anti-virus software and a crypto service. The tools are used to test and hide malware to prevent the malicious software from being discovered. The suspects came from countries including Cyprus, Italy, Norway, the United Kingdom and the Netherlands.

A 29-year-old man later confessed to being responsible for a large-scale internet outage that affected some 900,000 Deutsche Telekom routers in November 2016. The man was allegedly hired by a Liberian ISP to carry out DDoS attacks on local competitors, for which he was allegedly paid 10,000 dollars. The man wanted to carry out the attacks using a botnet that he had built. In order to increase the capacity of this botnet, the man claims to have wanted to add the routers of Deutsche Telekom and British ISPs to the network. In the attack in October 2016, a modified version of the Mirai malware was used to launch a large-scale DDoS attack against DNS provider Dyn, causing a large number of popular websites to be temporarily difficult or impossible to access. The attacker, who has since been arrested, claims to have wanted to build a botnet that could be used for DDoS attacks. In addition to Deutsche Telekom routers, more than 100,000 routers of various British Internet Service Providers were also affected. The attacker is known online as “BestBuy” or “Popopret.” German authorities refer to the man as “Spiderman,” a name he used to register domain names used in the attack on Deutsche Telekom routers. The man was extradited to Germany.

European Counter Terrorism Center – ECTC

Interpol established the ECTC in January 2016 as a measure against international terrorism. The ECTC focuses on tackling foreign terrorists, illicit arms trafficking, the dissemination of online terrorist propaganda and extremism, and the international fight against terrorism in general. The main task of the ECTC is to provide operational support to Member States in investigations, such as those following the attacks in Paris, Nice and Brussels. The ECTC can build on the counter-terrorism networks established by Europol, which have already played a key role in, for example, the attacks in Paris. The ECTC teams of analysts and experts collect operational information from law enforcement in all Member States, as well as from third parties, and work closely with other operational centres at Europol, such as the European Cybercrime Centre (EC3) and the European Human Smuggling Centre (EMSC).

Snake malware

The US Department of Justice has taken down a network of computers that had been hacked by Russian state hackers. The group had allegedly been stealing information for 20 years via hacked computers using Snake malware, a program from the Turla unit of the Russian security service. They operated from their office in the Russian city of Ryazan. Turla used the Snake malware all that time to steal sensitive documents from hundreds of systems in at least fifty countries, including NATO countries. These were computers of governments, journalists and other targets that were of interest to Russia. After these documents were stolen, they were distributed via a secret network of computers infected with Snake. This made it impossible to trace who stole the files. The network was eventually taken down because the FBI developed a tool that made the Snake malware harmless from the inside. Turla malware included a keylogger, among other things.

Russian hackers calling themselves Shadow Brokers want to crowdfund 10,000 bitcoins (about $6.3 million) and provide each participant with a password that can be used to access tools to break into corporate systems like Cisco and bypass security measures like Fortinet’s.

The US Departments of Commerce, Treasury, Homeland Security, State and parts of Defense were hacked for months without being noticed by what are believed to be six Russian hackers from APT29 and Cozy Bear. The National Institutes of Health (NIH) was also hacked. The government agencies must stop using software from the American software company SolarWinds, which was responsible for the vulnerability. Russia denies any involvement. The hack was discovered when cybersecurity company FireEye investigated a hack attack on its own network. The SolarWinds software was identified as a weak link. The hackers abused the backdoor to install malware, which then ended up in the systems of SolarWinds customers when they updated their software. Some 18,000 entities may have downloaded the malicious software and some 250 networks were victimized.

DSA

The European Digital Services Act (DSA) will apply from Saturday 17 February 2024 to all online marketplaces, social networks, search engines, cloud providers, online travel and accommodation platforms, internet service providers and content sharing platforms, such as video platforms. Following the example of the 19 largest platforms, which will have to comply with (the strictest obligations of) the DSA from August 2023, other digital services must now also better protect users’ fundamental rights, tackle online deception and illegal information and create a level playing field for users. For example, online marketplaces must collect and publish more information about the companies (traders) on their platform. This should help to discourage and identify fraudulent traders, eliminate unfair competition and make it easier for consumers to obtain justice. Digital services must also, among other things, explain the rules for removing information or user accounts to users in more detail. They must also have easily accessible and user-friendly complaints procedures for users. The DSA will prohibit online platforms from personalizing advertisements based on, for example, religious beliefs or sexual orientation. Minors will also soon have extra protection against personalized advertisements. This should help ensure that they do not see inappropriate advertising. From February 2024, more Dutch parties such as Marktplaats.nl, Bol.com and Catawiki will also have to comply with the DSA. The 19 largest online platforms and search engines have had to comply with the DSA since August 2023. For example, they must specifically tackle illegal content and disinformation, adjust their recommendation systems and be transparent about online advertising via their platforms. This includes Apple, Google, Meta (Facebook and Instagram), X (formerly Twitter), but also the platforms AliExpress, Booking.com and Snapchat. The latter three operate (legally) from the Netherlands in Europe. 
The European Commission primarily supervises compliance with the DSA by the 19 largest online platforms and search engines. The Member States are responsible for supervising the other online services. In the Netherlands, the ACM and the AP are the intended supervisors for this. The ACM was designated by ministerial decree this week as the so-called digital services coordinator. This enables the ACM to already perform a number of tasks under the DSA. This includes participation in the digital services council, the European cooperation of supervisors.
