The Federal Bureau of Investigation (FBI) has issued a warning about a scam where criminals pretend to be…

The Federal Bureau of Investigation (FBI) has issued a warning about a scam where criminals pretend to be health insurance companies or their fraud investigators. These fraudsters are sending emails and text messages to individuals and healthcare providers, making them believe the messages are from legitimate health authorities.

The aim is to pressure people into revealing private health information, medical records, or banking details. They might also try to get money for supposed overpayments or services not covered by insurance.

****Understanding the Scam’s Tactics****

These messages, as per the FBI, are carefully crafted to look official, often designed to create a sense of urgency or even excitement. The criminals exploit human emotions, whether it’s fear of having made a mistake or the happy thought of receiving a refund.

For instance, Erich Kron, Security Awareness Advocate at KnowBe4, states that if someone is told they are due money back, they might quickly provide bank account information for the refund or personal details to “confirm their identity.”

“This tactic can be used to collect sensitive information such as Social Security numbers, physical addresses, email addresses, phone numbers, or much more, all of which can be sold on the dark web” Kron further explained in his comment shared with Hackread.com.

This allows the scammers to collect sensitive information, which can then be sold on illegal online marketplaces. These scams contribute significantly to cybercrime losses, with fraud accounting for a large portion of the $16.6 billion in total cybercrime losses the FBI reported in 2024.

****How to Stay Safe****

This ongoing threat highlights the importance of being careful when receiving unexpected communications about healthcare. To protect yourself from these scams, the FBI advises to be suspicious of any uninvited messages – emails, texts, or calls – asking for personal information. It’s crucial to never click on links in such suspicious messages.

Always use strong passwords for your online accounts and turn on Multi-Factor Authentication (MFA), which adds an extra layer of security. Most importantly, if you receive a message about your health insurance that seems questionable, contact your health insurance provider directly using a known, official phone number or website to confirm its legitimacy before sharing any details.

FBI Warns of Health Insurance Scam Stealing Personal and Medical Data

Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited.

Google has released an update for its Chrome browser to patch an actively exploited flaw.

This update is crucial since it addresses an actively exploited vulnerability which can be exploited when the user visits a malicious website. It doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the Stable channel to 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.96 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerability.

You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.

**Technical details on the vulnerability**

The vulnerability, tracked as CVE-2025-6554 is a type confusion in V8 in Google Chrome that, prior to 138.0.7204.96, could have allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

A type confusion bug happens when code doesn’t verify the object type passed to it, and then uses the object without type-checking. Unfortunately, this bug occurs on the V8 JavaScript engine, Google’s open-source JavaScript engine.

The browser mistakenly treats a piece of data as the wrong type, which lets attackers manipulate memory in unintended ways. This can allow them to perform unauthorized read and write operations in the browser’s memory.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025. The TAG group focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

**We don’t just report on** **browser vulnerabilities**, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

 Update your Chrome to fix new actively exploited zero-day vulnerability 

A new study of integrated development environments (IDEs) like Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor has revealed weaknesses in how they handle the extension verification process, ultimately enabling attackers to execute malicious code on developer machines.
"We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality

New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Alert fatigue, slow detection, and delayed response times directly impact your team’s effectiveness and your organization’s risk posture. These problems often trace back to one thing: not having the right tools to understand threats quickly and clearly.

Most security teams are still stuck dealing with vague alerts or waiting for time-consuming manual analysis. What they need instead is instant visibility into how a threat behaves, what it targets, and how dangerous it really is.

Let’s discover how you can improve those Key Performance Indicators (KPIs) with faster, more effective threat analysis using the right tool.

****The Right Solutions Can Transform Your Security Operations****

When your team has access to clear, immediate threat insights, everything changes. Detection gets faster, responses become more precise, and analysts spend less time chasing dead ends.

The right solution can help you:

*   Cut down alert noise and focus on real threats
*   Reduce manual analysis and free up analyst time
*   Improve detection accuracy with deeper behavioral visibility
*   Speed up decision-making with context-rich threat data
*   Strengthen overall SOC performance with scalable workflows

For instance, interactive sandboxes like ANY.RUN provides real-time visibility into how a threat behaves, from the moment it detonates to the tactics it uses, giving your team the clarity they need to act with confidence.

****1.   Reduce Mean Time to Detect and Increase Detection Rate****

Slow detection often comes down to one thing: a lack of visibility. Security teams waste time trying to understand what a file is doing, especially when threats hide behind user interaction or uncommon file types.

ANY.RUN solves this by combining real-time behaviour monitoring with safe, interactive analysis. Analysts can engage with suspicious files, just like they would on a real machine, while the sandbox captures every action and uncovers the full execution chain.

View analysis session with full attack chain

In the following analysis session, an SVG attack is exposed with a file pretending to be a PDF and containing several hidden components, such as a .si file and a malicious DLL.

SVG analyzed inside ANY.RUN sandbox revealing its full attack range

ANY.RUN flags the sample as malicious (visible in the top-right corner) and displays the entire process tree on the right, showing how the payload was executed.

Why this is important for your SOC:

*   Analysts don’t waste time guessing; they see exactly what happens from start to finish
*   The process tree reveals each step of the attack, no reverse engineering needed
*   Malicious behavior is detected automatically in minutes, not hours
*   Teams can reduce Mean Time to Detect, avoid false negatives, and focus on real threats

Experience how ANY.RUN can cut detection time, reveal full attack behaviour, and help your SOC make smarter, faster decisions Get a 14-day trial of ANY.RUN now.

Faster detection means faster response and that leads to measurable improvements in your security KPIs.

****2.   Speed up Response and Inform Better Security Decisions****

Fast detection is only part of the equation. To respond effectively, your team needs to understand what the threat is trying to do, where it’s headed, and how it fits into a broader attack chain.

ANY.RUN provides that context instantly, with detailed process data, automated TTP mapping, and support for API-based integrations that let you respond faster and smarter.

View analysis session with Keylogger

In this example, a Snake Keylogger sample is delivered through an archive file. ANY.RUN automatically extracts the file and detonates the payload inside a safe environment. Within seconds, the sandbox labels the session as malicious and highlights the exact process that dropped the keylogger.

Malicious process with relevant TTPs revealed inside ANY.RUN sandbox

To understand the attack’s scope, analysts simply click the MITRE ATT&CK tab. From there, they get a full breakdown of the tactics and techniques used, like credential theft, persistence via registry keys, and evasion through disabling event logs.

Complete TTP mapping with a single click, no extra tools required

Why this is important for your SOC:

*   The sandbox automatically extracts and detonates files; no manual unpacking needed
*   Analysts can see TTPs instantly using MITRE ATT&CK, with no extra investigation overhead
*   Security teams can automate responses based on the analysis results received through API integrations
*   Insights are clear enough to act on immediately and detailed enough to support incident reports

When your team understands the threat’s intent, behaviour, and context upfront, they can move faster and respond with confidence.

****3.   Enrich Threat Hunting and Proactive Defense****

Stopping today’s alert is good but stopping tomorrow’s breach is better. ANY.RUN turns every analysis session into a springboard for proactive defence by putting all indicators and malware configs in one place.

Using the same Snake Keylogger sample:

Click _IOC_**.** Hashes, domains, IPs, file paths, and registry keys are collected automatically.

Gathered IOCs related to Snake Keylogger attack

**Open _MalConf_.** The sandbox extracts embedded configuration data (C2 addresses, encryption keys, protocol details) that SIEMs rarely catch on their own.

Malicious configurations detected inside ANY.RUN sandbox

**Build detection rules.** Feed those indicators into YARA, Sigma, or your EDR to hunt for related activity across the environment.

Why this is important for your SOC:

*   Analysts spend seconds gathering IOCs instead of digging through logs.
*   Threat hunters pivot faster, reducing the window of exposure.
*   New rules based on real-world samples raise overall detection coverage without extra headcount.

With clear, consolidated threat intel from ANY.RUN, your team moves from reactive firefighting to proactive protection and your risk scores trend in the right direction.

****Turn Detection into Decisive Action That Moves Your KPIs****

Improving security KPIs is about giving your team the visibility and control to act with confidence, reduce time spent on false positives, and respond before damage is done.

With ANY.RUN’s interactive sandbox, your analysts can detect hidden threats in minutes, understand their full behaviour, map out TTPs instantly, and extract IOCs without delay. No time lost jumping between tools. Just clear, actionable insight from the first click to the final report.

Whether you’re aiming to reduce Mean Time to Detect, raise your detection rate, or strengthen your threat-hunting program, ANY.RUN makes your SOC faster, smarter, and more effective across every level.

How SOCs Improve Key Cybersecurity KPIs with Better Threat Analysis

The US Justice Department revealed the identity theft number along with one arrest and a crackdown on “laptop farms” that allegedly facilitate North Korean tech worker impersonators across the US.

For years, the North Korean government has found a burgeoning source of sanctions-evading revenue by tasking its citizens with secretly applying for remote tech jobs in the West. A newly revealed takedown operation by American law enforcement makes clear just how much of the infrastructure used to pull off those schemes has been based in the United States—and just how many Americans' identities were stolen by the North Korean impersonators to carry them out.

On Monday, the Department of Justice announced a sweeping operation to crack down on US-based elements of the North Korean remote IT workers scheme, including indictments against two Americans who the government says were involved in the operations—one of whom the FBI has arrested. Authorities also searched 29 “laptop farms” across 16 states allegedly used to receive and host the PCs the North Korean workers remotely access, and seized around 200 of those computers as well as 21 web domains and 29 financial accounts that had received the revenue the operation generated. The DOJ’s announcement and indictments also reveal how the North Koreans didn’t merely create fake IDs to insinuate themselves into Western tech firms, according to authorities, but allegedly stole the identities of “more than 80 US persons” to impersonate them in jobs at more than a hundred US companies and funnel money to the Kim regime.

“It's huge,” says Michael Barnhart, an investigator focused on North Korean hacking and espionage at DTEX, a security firm focused on insider threats. “Whenever you have a laptop farm like this, that's the soft underbelly of these operations. Shutting them down across so many states, that's massive.”

In total, the DOJ says it's identified six Americans it believes were involved in a scheme to enable the North Korean tech worker impersonators, though only two have been named and criminally charged—Kejia Wang and Zhenxing Wang, both based in New Jersey—and only Zhenxing Wang has been arrested. Prosecutors accuse the two men of helping to steal the identities of scores of Americans for the North Koreans to assume, receiving laptops sent to them by their employers, setting up remote access for North Koreans to control those machines from across the world—often enabling that remote access using a hardware device called a “keyboard-video-mouse switch” or KVM—and creating shell companies and bank accounts that allowed the North Korean government to receive the salaries they allegedly earned. The DOJ says the two American men also worked with six named Chinese coconspirators, according to the charging documents, as well as two Taiwanese nationals.

To create the cover identities for the North Korean workers, prosecutors say the two Wangs accessed the personal details of more than 700 Americans in searches of private records. But for the individuals the North Koreans impersonated, they allegedly went far further, using scans of the identity theft victims' drivers' licenses and Social Security cards to enable the North Koreans to apply for jobs under their names, according to the DOJ.

It's not clear from the charging documents just how those personal documents were allegedly obtained. But DTEX's Barnhart says North Korean impersonation operations typically obtain Americans' identifying documents from dark web cybercriminal forums or data leak sites. In fact, he says the 80-plus stolen identities cited by the DOJ represent a tiny sample of thousands of US IDs he's seen pulled in some cases from North Korean hacking operations' infrastructure.

“They have a stable of these,” says Barnhart. “Any place a criminal is going to get an ID, they're just going to piggyback, because then they don't even have to carry out the breach. It's already out there.” Barnhart says he's seen North Korean impersonators go so far as to screen their stolen identities for criminal backgrounds and even choose to impersonate Americans who are based in states without income tax to maximize their earnings.

Distinct from the DOJ's charges against Kejia Wang and Zhenxing Wang, prosecutors also announced that the FBI had carried out searches of 21 other suspected laptop farms across 14 US states and seized approximately 137 PCs that prosecutors say were used in North Korean remote worker schemes. In two other cases, prosecutors say that North Koreans used the insider access they gained through impersonating Western tech workers at crypto firms to steal more than $900,000 worth of funds, including around $740,000 stolen from one Atlanta-based company.

While most of the North Korean impersonation schemes the DOJ sought to disrupt appeared to be focused on money, prosecutors also note that one of the companies the North Korean workers penetrated in the operation allegedly facilitated by the two Wangs was a California-based defense contractor focused on AI-related technology. In that instance, the government claims the North Korean impersonators also accessed and likely stole technical data, including some information sensitive enough to be protected under the export controls known as the International Trafficking in Arms Regulations, or ITAR.

While the raids, indictments, and arrests carried out by the DOJ and FBI are significant, DTEX's Barnhart says, they're far from the end of North Korea's attempts to infiltrate Western and, specifically, US companies, both for profit and for espionage. Only one suspect, after all, is in custody even among the individuals the DOJ has named—and countless more North Koreans involved in these types of schemes remain untouched within the regime's borders and in the neighboring regions of China where they operate.

“This is going to put a heavy dent in what they're doing,” says Barnhart. “But as we adapt, they adapt.”

Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams

electron's ASAR Integrity can be bypass by modifying the content.

### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

### Workarounds
There are no app side workarounds, you must update to a patched version of Electron.

### Fixed Versions
* `30.0.5`
* `31.0.0-beta.1`

### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

electron's ASAR Integrity can be bypass by modifying the content.

**Impact**

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

**Workarounds**

There are no app side workarounds, you must update to a patched version of Electron.

**Fixed Versions**

*   30.0.5
*   31.0.0-beta.1

**For more information**

If you have any questions or comments about this advisory, email us at security@electronjs.org

**References**

*   GHSA-xw5q-g62x-2qjc

GHSA-xw5q-g62x-2qjc: electron ASAR Integrity bypass by just modifying the content

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

We've seen several spikes in Android threats since the start of 2025. Here's how to protect yourself.

The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems .

Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline. 

Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

These numbers reflect a shift in strategy: Attackers are scaling operations, fine-tuning delivery, and exploiting both human psychology and systemic weak points. Take Spyloan, for example, a threat that lures targets with incredible loan conditions (low rates, no pre-check) but ends up stealing from desperate people. We saw a significant spike in May of this predatory app, which could well signal a resurgence for the summer. We’ll continue to monitor this uptick.

Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication. Threat actors are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.

Fake financial tools, predatory loan apps, and cleverly disguised “updates” aren’t just slipping through the cracks, they are being engineered with that objective in mind. Peaks in their activity often coincide with periods of personal stress, like tax season or holiday travel, suggesting a methodical approach to targeting.

As Sr. Director, Research and Development, Online Platforms at Malwarebytes, Shahak Shalev explains:

> Attackers know we trust our mobile devices implicitly—we bank on them, authenticate with them, store our entire digital lives on them. Now attackers are amping up the volume and sophistication of mobile threats. When spyware jumps 147% in five months, that tells us attackers are moving beyond simple scams to building sustainable criminal enterprises. They’re playing the long game now — developing monetization strategies for every type of data they can harvest; every user behavior they can exploit. The February spike shows this isn’t random, it’s methodical business development in the cybercrime space. 

Smishing (SMS phishing) has quickly become one of the most effective tools in the attacker’s playbook. Using AI-generated text and increasingly well-crafted lures, these campaigns are harder to spot than ever. And while smishing is rising fast, it’s not alone. We’re also seeing a growing number of PDF phishing attacks, where malicious documents act as entry points for broader compromise.

But perhaps the most systemic issue is lack of updates, with over 30% of Android devices remaining stuck on outdated operating systems. These devices are sitting ducks, because they are unable to receive critical security patches, yet are still being actively used. Combine this with counterfeit or gray-market devices that come preloaded with malware, and you’ve got a recipe for widespread exposure.

What we’re seeing isn’t a collection of one-off scams. It’s infrastructure. The Android threat landscape has matured into a network of monetization schemes that thrive on scale, persistence, and user trust. Attackers aren’t just after quick wins—they’re building operations that last.

The takeaway? Mobile security can’t be an afterthought. Individuals and organizations alike need to treat Android threats with the same seriousness as traditional desktop attacks. That means prioritizing device hygiene, avoiding sideloaded apps (where you download an app not from the Google Play store), staying current with patches where possible, and educating users about the social engineering tactics that increasingly underpin these attacks.

**How to protect your Android device**

Google Play Protect is a built in security feature from Android that automatically protects users against apps that engage in malicious behavior. That’s great, but we still see malware campaigns that are spread, partially or as a whole, through the Google Play Store.

To keep your devices free from Android malware:

*   Get your apps from the Google Play store whenever you can.
*   Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? Permissions like “Display over other apps” should particularly raise a red flag, because they can be used to intercept login credentials.
*   Don’t allow notifications as much as possible. Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
*   Use up-to-date and active security software on your Android.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android threats rise sharply, with mobile malware jumping by 151% since start of year 

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Ahold Delhaize Confirms Data Breach of 2.2M amid INC Ransomware Claims

Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Tag

#mac