Before a crackdown by Telegram, Xinbi Guarantee grew into one of the internet’s biggest markets for Chinese-speaking crypto scammers and money laundering. And all registered to a US address.

As the underground industry of crypto investment scams has grown into one of the world's most lucrative forms of cybercrime, the secondary market of money launderers for those scammers has grown to match it. Amid that black market, one such Chinese-language service on the messaging platform Telegram blossomed into an all-purpose underground bazaar: It has offered not only cash-out services to scammers but also money laundering for North Korean hackers, stolen data, targeted harassment-for-hire, and even what appears to be sex trafficking. And somehow, it's all overseen by a company legally registered in the United States.

According to new research released today by crypto-tracing firm Elliptic, a company called Xinbi Guarantee has since 2022 facilitated no less than $8.4 billion in transactions via its Telegram-based marketplace prior to Telegram’s actions in recent days to remove its accounts from the platform. Money stolen from scam victims likely represents the “vast majority” of that sum, according to Elliptic's cofounder Tom Robinson. Yet even as the market serves Chinese-speaking scammers, it also boasts on the top of its website—in Mandarin—that it's registered in Colorado.

“Xinbi Guarantee has served as a giant, purportedly US-incorporated illicit online marketplace for online scams that primarily offers money laundering services,” says Robinson. He adds, though, that Elliptic has also found a remarkable variety of other criminal offerings on the market: child-bearing surrogacy and egg donors, harassment services that offer to threaten or throw feces at any chosen victim, and even sex workers in their teens who are likely trafficking victims.

Xinbi Guarantee is the second such crime-friendly Chinese-language market that Robinson and his team of researchers have uncovered over the past year. Last July, they published a report on Huione Guarantee, a similar Cambodia-based service that Elliptic said in January had facilitated $24 billion in transactions—largely from crypto scammers—making it the biggest illicit online marketplace in history by Elliptic's accounting. That market's parent company, Huione Group, was added to a list of known money laundering operations by the US Treasury's Financial Crimes Enforcement Network earlier this month in an attempt to limit its access to US financial institutions.

After WIRED reached out to Telegram last week about the illicit activity taking place on Xinbi Guarantee’s and Huione Guarantee’s channels on its messaging platform, Telegram appears to have responded Monday by banning many of the central channels and administrator accounts used by both Xinbi Guarantee and Huione Guarantee. “Criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered,” Telegram spokesperson Remi Vaughn wrote to WIRED in a statement. “Communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down.”

Telegram had banned several of Huione Guarantee’s channels in February following an earlier Elliptic report on the marketplace, but Huione Guarantee quickly re-created them, and it’s not clear whether the new removals will prevent the two companies from rebuilding their presence on Telegram again, perhaps with new accounts or even new branding. “These are very lucrative businesses, and they’ll attempt to rebuild in some way,” Robinson said of the two marketplaces following Telegram’s latest purge.

Elliptic’s accounting of the total lifetime revenue of the biggest online black markets.Courtesy of Elliptic

Xinbi Guarantee didn't respond to multiple requests for comment on Elliptic's findings that WIRED sent to the market's administrators on Telegram.

Like Huione Guarantee, Xinbi Guarantee has offered a similar “guarantee” model of enabling third-party vendors to offer services by requiring a deposit from them to prevent fraud. Yet it's flown under the radar, even as it grew into one of the biggest hubs for crypto crime on the internet. In terms of scale of transactions prior to Telegram’s crackdown, it was second only to Huione's market, according to Elliptic.

Both services “offer a window into the China-based underground banking network,” Robinson says. “It's another example of these huge Chinese-language ‘guaranteed’ marketplaces that have thrived for years.”

On Xinbi Guarantee, Elliptic found numerous posts from vendors offering to accept funds related to “quick kills,” “slow kills,” and “pig butchering” transactions, all different terms for crypto investment scams and other forms of fraud. In some cases, Robinson explains, these Xinbi Guarantee vendors offer bank accounts in the same country as the victim so that they can receive whatever payment they're tricked into making, then pay the scammer in the cryptocurrency Tether. In other cases, the Xinbi Guarantee merchants offer to receive cryptocurrency payments and cash them out in the scammer's local currency, such as Chinese renminbi.

Aside from Xinbi Guarantee's central use as a cash-out point for crypto scammers, Elliptic also found that the market's vendors offered other wares for scammers such as stolen data that could be used for finding victims, as well as services for registering SIM cards and Starlink internet subscriptions through proxies.

North Korean state-sponsored cybercriminals also appear to have used the platform for money laundering. Elliptic found through blockchain analysis, for instance, that about $220,000 stolen from the Indian cryptocurrency exchange WazirX—the victim of a $235 million theft in July 2024, widely attributed to North Korean hackers—had flowed into Xinbi Guarantee in a series of transactions in November.

Those money-laundering and scam-enabling services, however, are far from the only shady offerings found on Xinbi Guarantee's market. Elliptic also found listings for surrogate mothers and egg donors, with one post showing faceless pictures of the donor's body. Other accounts have offered services that will, for a payment in Tether, place a funeral wreath at a target's door, deface their home with graffiti, post damaging statements around their home, have someone verbally threaten them, throw feces at them, or even, most bizarrely, surround their home with AIDS patients. One posting suggested these AIDS patients would carry “case reports and needles for intimidation."

Other listings have offered sex workers as young as 18 years old, noting the specific sex acts that are allowed and forbidden. Elliptic says that one of its researchers was even offered a 14-year-old by a Xinbi Guarantee merchant. (The account holder noted, however, that no transaction for sex with someone below the age of 18 would be guaranteed by Xinbi. The legal age of consent in China is 14.)

Exactly why Xinbi Guarantee is legally registered in the US remains a mystery. Its incorporation record on the Colorado Secretary of State's website shows an address at an office park in the city of Aurora that has no external Xinbi branding. The company appears to have been registered there in August of 2022 by someone named “Mohd Shahrulnizam Bin Abd Manap.” (WIRED connected that name with several people in Malaysia but couldn't determine which one might be Xinbi Guarantee's registrant.) The listing is currently marked as “delinquent,” perhaps due to failure to file more recent paperwork to renew it.

For fledgling Chinese companies—legitimate and illegitimate—incorporating in the US is an increasingly common tactic for “projecting legitimacy,” says Jacob Sims, a visiting fellow at Harvard's Asia Center who focuses on transnational Chinese crime. “If you have a US presence, you can also open US bank accounts,” Sims says. “You could potentially hire staff in the US. You could in theory have more formalized connections to US entities.” But he notes that the registration's delinquent status may mean Xinbi Guarantee tried to make some sort of inroads in the US in the past but gave up.

While Telegram has served as the chief means of communication for the two markets, the stablecoin cryptocurrency Tether has served as their primary means of payment, Elliptic found. And despite Telegram’s new round of removals of their channels and accounts, Xinbi Guarantee and Huione Guarantee are far from the only companies to use Tether and Telegram to create essentially a new, largely Chinese-language darknet: Elliptic is tracking close to 30 similar marketplaces, Robinson says, though he declined to name others in the midst of the company's investigations.

Just as Telegram shows new signs of cracking down on that sprawling black market, Tether, too, has the ability to disrupt criminal use of its services. Unlike other more decentralized cryptocurrencies such as Bitcoin, Tether can freeze payments when it identifies bad actors. Yet it’s not clear to what degree Tether has taken measures to stop Chinese-language crypto scammers and others on Xinbi Guarantee and Huione Guarantee from using its currency.

When WIRED wrote to Tether to ask about its role in those black markets, the company responded in a statement that it encourages “firms like Elliptic and other blockchain intelligence providers to share critical data with law enforcement so we can act swiftly and in coordination.”

“We are not passive observers—we are active players in the global fight against financial crime,” the Tether statement continued. “If you’re considering using Tether for illicit purposes, think again: it is the most traceable asset in existence. We will identify you, and we will work to ensure you are brought to justice.”

Despite that promise—and Telegram’s new effort to remove Huione Guarantee and Xinbi Guarantee from its platform—both tools have already been used to facilitate tens of billions of dollars in theft and other black market deals, much of it occurring in plain sight. The two largely illegal and very public markets have been “remarkable for both the scale at which they're operating and also the brazenness,” says Harvard’s Jacob Sims.

Given that brazenness and the massive criminal fortunes at stake, expect both markets to attempt a revival in some form—and plenty of competitors to try to take their place atop the Chinese-language crypto crime economy.

An $8.4 Billion Chinese Hub for Crypto Crime Is Incorporated in Colorado

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Roblox Lawsuit Claims Hidden Tracking Used to Monetize Kids Data

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone…

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone looking to streamline your personal digital workflow, improving your efficiency can save you time, reduce stress, and boost performance. Here are some practical strategies to enhance your digital efficiency.

****1\. Streamline Your Digital Workspace****

A cluttered digital environment can slow you down significantly. Organize your desktop, categorize your files, and declutter unnecessary applications. Use cloud storage services like Dropbox or Google Drive to keep essential documents accessible and secure, reducing the need for excessive local storage.

Use productivity tools like Trello, Asana, or Notion to effectively manage tasks and projects. These platforms help you visualize your workload, prioritize tasks, and collaborate seamlessly with others.

****2\. Automate Repetitive Tasks****

Automation is a game-changer when it comes to digital efficiency. Identify repetitive tasks that consume your time and automate them. For instance:

*   **Email filtering and sorting**: Use rules and filters to automatically categorize incoming messages.
*   **Social media scheduling**: Use platforms like Buffer or Hootsuite to schedule posts in advance, saving you from constant manual posting.
*   **Data entry and reporting**: Utilize tools such as Zapier or Integromat to automate workflows between different apps.

Automating routine processes frees up valuable time for more strategic and creative tasks.

****3\. Optimize Your Internet and Hosting Solutions****

Slow-loading websites and unreliable hosting services can hamper your efficiency, especially if you rely on web-based applications. Upgrading to a reliable DS hosting solution can significantly boost your website’s performance, ensuring faster loading times and improved reliability. Dedicated servers offer more control, security, and better resource allocation compared to shared hosting, making them ideal for businesses or resource-intensive applications.

****4\. Use Keyboard Shortcuts and Productivity Hacks****

Mastering keyboard shortcuts can drastically decrease the time spent navigating your computer or specific applications. For example:

*   **Ctrl + C** and **Ctrl + V** for copy-paste
*   **Ctrl + Z** to undo
*   **Alt + Tab** to switch between windows quickly.

In addition, explore browser extensions like LastPass for password management or Grammarly for real-time grammar checks, making your digital activities more streamlined and error-free.

****5\. Limit Digital Distractions****

Distractions are one of the main barriers to digital efficiency. Use website blockers like Freedom or StayFocusd to limit time-wasting sites during work hours. Turn off unnecessary notifications and schedule regular tech-free breaks to improve your focus. You can also investigate app blockers for your smartphone to limit distractions more generally. 

****6\. Leverage Cloud-Based Collaboration Tools****

For teams, cloud-based collaboration tools are essential for maintaining efficiency. Platforms like Slack, Microsoft Teams, and Google Workspace allow for real-time communication, file sharing, and collaboration, decreasing the need for lengthy email threads and streamlining project management.

****Final Thoughts****

Improving your digital efficiency doesn’t require a massive overhaul, it’s about making small, intentional changes to your workflow. From investing in reliable DS hosting to automating repetitive tasks, every improvement adds up to significant time and productivity gains. Embrace these strategies and watch your digital efficiency soar.

(Image by Moondance from Pixabay)

Practical Ways to Improve Your Digital Efficiency

A hacker group claiming affiliation with Anonymous says it breached GlobalX Airlines, leaking sensitive flight and passenger data…

A hacker group claiming affiliation with Anonymous says it breached GlobalX Airlines, leaking sensitive flight and passenger data tied to controversial deportation flights

GlobalX Airlines, a US government-contractual charter airline for conducting deportation flights, has been targeted by hacktivists claiming affiliation with Anonymous. The attackers allegedly accessed sensitive information, including flight records and passenger manifests, and defaced the airline’s official website with a politically charged message, expressing opposition to the company’s role in controversial deportation processes.

The defaced webpage, reportedly, featured the legendary Guy Fawkes mask, a symbol typically associated with Anonymous. The image was accompanied by a message aimed at the former US President, referencing a “Judge’s order” and accusing GlobalX of disregarding lawful directives and their perceived “fascist plans.”

This suggests the attack was ideologically motivated, originating from hacktivists’ disapproval of the airline’s involvement in deporting US citizens.

Deface page from the hacktivist group

Apart from the symbolic act of website defacement, the hacktivists contacted journalists, including those at 404 Media, to share a substantial amount of leaked data. This trove of information reportedly includes detailed flight logs, comprehensive passenger lists, and itinerary details spanning several months.

404 Media, after careful verification against official Immigration and Customs Enforcement (ICE) flight logs and court documents, confirmed the authenticity of data sorted into folders dated from January 19th to May 1st. This data, reportedly, contains specifics regarding flights used to deport hundreds of Venezuelan migrants, some of whom were actively contesting the legality of their deportation while already airborne.

According to the anonymous hacker, the breach was facilitated by the discovery of a GlobalX developer’s token, which allowed them to uncover access and secret keys for the airline’s Amazon Web Services (AWS) cloud storage buckets, effectively granting them unauthorized entry into the company’s digital infrastructure.

The extent of their access went beyond data exfiltration and website manipulation. The hacker claimed to have sent internal messages to pilots using NAVBLUE, a flight operations tool provided by Airbus, and accessing the company’s GitHub repository, a platform used by developers for managing and sharing code.

One particularly concerning case is of Ricardo Prada Vásquez, a Venezuelan man who, as per his family, was disappeared by US immigration authorities. His name was leaked in a GlobalX flight manifest, revealing his deportation to El Salvador.

This breach comes at a time when the Trump administration’s handling of sensitive data is under increased scrutiny after the Atlantic reports on top US officials, sharing military attack plans on Signal, US-Israeli firm TeleMessage’s data breach impacting TM SGNL app, used by Trump officials, and now the leaking of passenger lists raises further concerns about the government’s data security practices.

GlobalX’s leaked data and hacktivist messages suggest a politically motivated operation to expose and disrupt the deportations. Hackread.com will promptly update you when we receive an official response from the airline and the US immigration authorities, or further details emerge regarding the breach.

Anonymous Hackers Steal Flight Data from US Deportation Airline GlobalX

### Impact
Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.

### Patches
This is patched in 1.13.6

### Workarounds
Downgrade to <1.13.2

### References

* [Understanding the Risk of Script Injections](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2487-9f55-2vg9: OZI-Project/ozi-publish Code Injection vulnerability

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos,…

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos, and AgentTesla. Education remains the top targeted sector. Learn about the latest cyber threats and how to stay protected.

Check Point Research (CPR) has revealed its findings for April 2025, which describe a concerning trend of attackers using more complex and sneaky methods to deliver harmful software. Although some well-known malware families remain prevalent, the methods used to infect systems are becoming more sophisticated, making them harder to detect.

According to CPR, most attacks discovered in April involved phishing emails disguised as order confirmations. These emails contained a hidden 7-Zip file that released scrambled instructions, leading to the installation of common malware like AgentTesla, Remcos, and XLoader.

The attacks were particularly concerning due to their well-hidden nature, using encoded scripts and injecting malicious software into legitimate Windows processes. Researchers also noticed a “dangerous convergence of commodity tools with advanced threat actor tactics” means even basic malware is now being used in highly sophisticated operations, CPR’s blog post read.

Despite these new sneaky methods, some familiar names still topped the list of most prevalent malware in April, including the following:

****FakeUpdates****

This malware remained the most widespread, affecting 6% of organizations globally. It tricks users into installing fake browser updates from compromised websites has been linked to the Russian hacking group Evil Corp and is used to deliver further malicious software.

****Remcos and AgentTesla:****

This remote access tool, often spread through malicious documents in phishing emails, can bypass Windows security features, giving attackers high-level control over infected systems.

AgentTesla, which is an advanced tool, can log keystrokes, steal passwords, take screenshots, and grab login details for various applications. It is openly sold online.

Malware families’ analysis revealed a rise in Androxgh0st usage, which targets web applications to steal sensitive information, while the use of remote access tool AsyncRat has declined. Other notable families included in the top ten include Formbook, Lumma Stealer, Phorpiex, Amadey, and Raspberry Robin.

In April, SatanLock emerged as a new ransomware group, listing numerous victims on their data leak site. However, most of these victims had already been claimed by other groups, indicating a potentially competitive environment within the cybercrime community. Moreover, Akira was the most prevalent ransomware group, followed by SatanLock and Qilin.

Mobile devices remain a significant target, with Anubis, AhMyth, and Hydra topping the list of mobile malware in April. Most concerning is that these malware are becoming increasingly sophisticated, offering remote access, ransomware capabilities, and multi-factor authentication interceptions.

Furthermore, for a third consecutive month, the education sector remained the most vulnerable globally, probably due to its large user base and weak cybersecurity infrastructure. Government and telecommunications sectors followed closely. Whereas, regional analysis showed varying malware trends, with Latin America and Eastern Europe experiencing more FakeUpdates and Phorpiex, and Asia witnessing increased activity of Remcos and AgentTesla.

Given this increasingly complex and persistent cyber threat environment, CPR recommends that organizations adopt a “prevention-first” strategy, including employee training on phishing, regular software updates, and the implementation of advanced threat prevention solutions to detect and block these sophisticated attacks before they can cause harm.

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge

With the digital transformation movement sweeping the world and cyber threats evolving simultaneously to pose greater and greater…

With the digital transformation movement sweeping the world and cyber threats evolving simultaneously to pose greater and greater threats, today’s organizations are faced with two seemingly opposing imperatives. With the pathways to success and security seemingly diverging, Zero Trust Architecture has emerged to highlight a new way forward. Here, we’ll discuss how and shed some light on the critical relationship between Zero Trust security and digital adoption strategy.

****Our evolving security needs****

The past five years have seen a rapid acceleration in the expansion of digital infrastructures. Organizations everywhere, both commercial and governmental, have begun introducing a wider range of digital technologies to their IT stacks.

From adopting cloud computing to IoT (Internet of Things), organizations are faced with the prospect of dealing with large and more complex digital ecosystems than ever before. What’s more, with remote collaborations, mobile computing, and third-party services becoming an ever more integral part of operating models, the number of potentially exploitable attack vectors is at an all-time high.

While the adoption of these new technological innovations is undoubtedly beneficial, empowering organizations in driving efficiency and productivity, there is no question that it brings complex new security challenges. Traditional, perimeter-based security approaches are looking increasingly outdated, and it would seem that before long, they will become unfit for purpose altogether in an increasingly active and fluid digital infrastructure. 

At a time when continual digital transformation is now a non-negotiable for sustainable success, the zero-trust approach is surely the only way to go. And with 81% of organizations indicating intentions to implement Zero Trust principles, it would seem the jury is in on the matter.

****The tenets of Zero Trust****

So, what is Zero Trust all about, then? 

Rather than a single technology or technique, Zero Trust represents a whole new way of thinking about cybersecurity. As such, depending on the specific infrastructure in question, it can involve a wide range of different measures and solutions. However, there are some key principles which comprise the core of what Zero Trust is.

*   **Continuous authentication:** Under a Zero Trust model, every user and every device must be continuously verified and authorized before being allowed to access network resources. Unlike in traditional perimeter-based models, which operate on the basis of a ‘circle of trust’ composed of established users, no one is considered implicitly trustworthy.

*   **Least Privilege Access:** Zero Trust systems implement the principle of least privilege, meaning network users are granted the minimum permissions required to carry out their designated roles. This mitigates the impact of potential breaches if credentials are compromised.

*   **Micro-segmentation**: In Zero Trust Architecture (ZTA), networks are deliberately partitioned into smaller microsegments, each of which is separated with comprehensive access control measures. This serves to protect against lateral movement and escalation if a threat actor gains access to the network.

*   **Assumed breach**: Security teams that implement Zero Trust operate at all times on the assumption that their networks have already been compromised. This promotes proactive defence and rapid response should a real incident occur.

****The digital adoption aspect****

Implementing Zero Trust principles is one thing, but for them to truly take root and remain effective, that implementation needs to occur as part of a wider change management approach– one which sees a transition to a more holistic view of digital security, taking digital adoption into account.

With digital transformation now a prerequisite for long-term success, as this expert source illustrates, a robust and well-thought-out digital adoption framework has become integral to how organizations reliably evolve themselves. Of course, as we’ve discussed, the adoption of new technologies comes with new security responsibilities, meaning Zero Trust and digital adoption must go hand in hand. 

In their endeavour to implement the principles of Zero Trust, organizations must synthesize the two, ensuring that their cybersecurity measures, processes, and procedures evolve in tandem with their digital ecosystems. This not only means deploying new security measures with each new technology introduced, but also establishing a cohesive and comprehensive adoption strategy that teaches employees how to leverage new tech with security in mind.

By aligning technological advancement with security iteration, organizations can establish frameworks that empower them to continuously evolve and improve while simultaneously managing risk.

****Wrapping up****

Our digital landscape is evolving rapidly, becoming a much more dynamic place, and each innovation brings the limitations of traditional security into sharper relief. As digital infrastructures become more flexible, modular, and complex, cybersecurity needs to be proactive rather than reactive, and this is what Zero Trust empowers.

As organizations pursue the abundant benefits that come with digital transformation, Zero Trust will be essential to facilitating sustainable growth. By promoting a culture of vigilance and synthesizing security evolution with digital adoption strategies, organizations can build resilient digital infrastructures and secure the pathway to long-term success.

(Image by ChiaJo from Pixabay)

Zero Trust in the Age of Digital Transformation: The New Cybersecurity Paradigm

Detecting leaked credentials is only half the battle. The real challenge—and often the neglected half of the equation—is what happens after detection. New research from GitGuardian's State of Secrets Sprawl 2025 report reveals a disturbing trend: the vast majority of exposed company secrets discovered in public repositories remain valid for years after detection, creating an expanding attack

The Persistence Problem: Why Exposed Credentials Remain Unfixed—and How to Change That

As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.

These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep background check before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.

If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.

Digital imposter scams aren’t new; messaging platforms, social media sites, and dating apps have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.

On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to impersonating people on live video calls. According to the US Federal Trade Commission, reports of job and employment related scams nearly tripled from 2020 to 2024, and actual losses from those scams have increased from $90 million to $500 million.

Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.

These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including GetReal Labs and Reality Defender. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes eye-scanning devices that capture a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole idea behind it is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)

But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.

“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.

Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.

Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.

“Everyone is on edge and wary of each other now,” Schumacher says.

While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”

Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the amount of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.

“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”

Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”

Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.

_Update 5/12/2025, 6:34 PM ET: This article was updated to clarify the nature of a federally funded research project._

Deepfakes, Scams, and the Age of Paranoia

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root…

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root access vulnerability in Azure’s AZNFS-mount utility affecting HPC/AI workloads. Update Azure immediately.

Cybersecurity researchers at Varonis have issued warnings on two distinct but significant threats targeting IT administrators and cloud infrastructure. Emerging within the last two months, as noted by Varonis in a blog post published on 2 May 2025, a growing trend of attackers using SEO poisoning to trick administrators into downloading malware disguised as legitimate tools is observed.

Separately, on May 6th, the company’s Threat Labs reported a critical vulnerability in a preinstalled Azure utility that could allow unprivileged users to gain full root access to cloud systems.

The SEO poisoning campaign involves cybercriminals manipulating search engine rankings to place malicious websites at the top of results for common IT administration tools. Unsuspecting admins, believing they are downloading genuine software, instead install malware that can lead to the installation of backdoors like SMOKEDHAM, enabling persistent access for attackers.

Varonis MDR Forensics team members Tom Barnea and Simon Biggs highlighted cases where this technique led to the deployment of monitoring software like a renamed version of Kickidler (grabber.exe), allowing attackers to secretly observe infected machines and steal credentials.

Attack flow – Image credit: Varonis

This initial access often paves the way for data exfiltration, as seen in one instance where the attackers successfully transferred nearly a terabyte of data out of the network, followed by the encryption of critical systems like the customer’s ESXi devices for ransom.

Ransom note – Image credit: Varonis

In a separate but equally concerning discovery, Varonis Threat Labs, led by researcher Tal Peleg, identified a critical flaw in the AZNFS-mount utility, a tool preinstalled on Azure High-Performance Computing (HPC) and Artificial Intelligence (AI) images. This vulnerability, affecting all versions up to 2.0.10, could allow an ordinary user to escalate their privileges to root on a Linux machine.

As per Veronis’ research, shared with Hackread.com, the flaw exists in the “mount.aznfs” binary, which, due to incorrect permissions, could be exploited to execute arbitrary commands with the highest system privileges. By manipulating a specific environment variable, attackers could effectively take complete control of the affected Azure systems.

Varonis Threat Labs responsibly disclosed this vulnerability to Microsoft Azure, which classified it as low severity. However, the potential impact of gaining root access to cloud infrastructure is significant, as it may allow attackers to mount additional storage, install malware, and move laterally within cloud environments. Microsoft has since released a fix in version 2.0.11 of the AZNFS-mount utility.

Still, these findings show cybercriminals are constantly improving their tactics for targeting critical IT infrastructure more effectively. The SEO poisoning campaign highlights the need for better awareness among IT professionals when downloading tools from online searches, even those appearing highly ranked. The Azure utility vulnerability emphasizes the importance of timely patching and careful configuration of cloud resources.

Varonis advises organizations to implement a “Defense in Depth” strategy, including employee training, endpoint security, network segmentation, and strict access controls, to mitigate these growing threats. Azure customers utilizing HPC images or NFS for Azure Storage are advised to update their AZNFS-mount utility immediately.

Tag

#git