This week, the DoJ’s Scam Center Strike Force unveiled results from “Disruption Week,” a first-of-its-kind joint initiative between U.S. agencies and private industry targeting cyber-enabled cryptocurrency investment fraud. Federal investigators from the FBI, Secret Service, and HSI shared threat intelligence with major technology firms including Apple, Google, and Meta in May.
Acting on that intelligence, the private sector participants voluntarily disrupted over 1.4 million social media and email accounts operated by transnational criminal networks in Southeast Asia, while also decommissioning servers and hosting infrastructure supporting their scam operations.
The initiative also resulted in the arrest of seven scammers in Thailand, with new cases opened by the Royal Thai Police Anti Cyber Scam Center. The government additionally shared information enabling firms to freeze over $3.8 million in cryptocurrency tied to laundering funds stolen from Americans.
In other news, the U.S. Treasury this week sanctioned Nobitex, Iran’s largest cryptocurrency exchange, for facilitating financial transactions linked to ransomware actors and terrorist operations. As part of the “Economic Fury” campaign, authorities designated multiple key executives alongside three additional Iranian trading platforms.
Investigators revealed that Nobitex systematically processed over half of the nation’s digital asset inflow in 2025, directly assisting the Islamic Revolutionary Guard Corps in broad sanctions evasion. The new sanction mandates the immediate freezing of all associated assets falling under U.S. jurisdiction, and prohibits U.S. citizens from doing any business with all named crypto exchanges.

Elsewhere, Spanish National Police have arrested an individual in connection to a data leak that exposed sensitive information from several critical government organizations. The records contained personal details of employees from the National Cybersecurity Institute, the National Police, the Civil Guard, and the State Attorney General’s Office.
The arrested individual allegedly published the personal data across various internet portals, prompting an immediate investigation into its distribution. While the leak created significant security risks, findings suggest that the aggregated data likely originated from historical credential dumps rather than direct system compromises.
A China-linked cybercrime syndicate tracked as TA4922 is actively expanding its phishing campaigns to target organizations across multiple regions. New research finds that the financially motivated group, historically focused on East Asian networks, has now hit entities in Germany, Italy, South Africa, and the U.K.
TA4922 is known to share overlapping tradecraft with the Silver Fox espionage group but primarily pursues financial objectives, including large-scale data theft, corporate fraud, and the establishment and resale of persistent network access.
In recent months, attackers breached enterprise perimeters by launching credential phishing campaigns using human resources, corporate taxation, and invoice-themed lures.
During intrusions, TA4922 attempts to shift victim communications away from monitored email platforms onto out-of-band messaging channels like WhatsApp, LINE, and Microsoft Teams. The actor is also known to use DLL side-loading techniques to silently deploy remote access trojans like ValleyRAT and Atlas RAT, alongside tools such as RomulusLoader and SilentRunLoader.

These advanced loaders drop secondary executables designed to harvest sensitive corporate data, specifically targeting Google Chrome to exfiltrate stored credentials, cookies, and browsing information.
Researchers warn that although TA4922 prioritizes illicit financial gain, its capabilities facilitate deep network surveillance, creating risks that stolen access could be sold directly to espionage groups.
Threat actors are actively exploiting a high-severity (CVSSv4 7.8) authentication bypass vulnerability, tracked as CVE-2026-0257, in PAN-OS GlobalProtect portals and gateways. The flaw allows attackers to bypass security restrictions and establish unauthorized VPN connections.
Cyber researchers observed initial in-the-wild exploitation against numerous PAN-OS users beginning on May 17, with successive attack waves originating from infrastructure hosted by Vultr and Dromatics Systems.
The vulnerability stems from improper validation of authentication override cookies. When PAN-OS decrypts one of these cookies, it trusts the decrypted contents without performing the essential signature verification. The issue manifests when administrators configure the system to use the same certificate for both HTTPS services and authentication overrides.
Because the certificate is shared, an attacker can open an HTTPS session to retrieve the corresponding public key and use it to generate a forged authentication cookie, authenticating without valid credentials. In several incidents, attackers secured full VPN IP assignments, granting them direct access to internal networks.
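The failure described above is a general one: decryption proves nothing about who produced a ciphertext, and with public-key encryption anyone holding the public key (which every TLS client receives) can produce one. The following Go program is an added illustration, not PAN-OS code or any vendor's cookie format; the `Override` payload, the `Gateway` type and the cookie layout are all constructed for this example. It contrasts a validator that trusts whatever decrypts with one that first checks a signature made by the private-key holder, and returns the outcomes from `Demo()` so they can be checked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Override is a hypothetical authentication-override payload constructed for
// this example; it is not the real PAN-OS cookie format.
type Override struct {
	User string `json:"user"`
	Exp  int64  `json:"exp"`
}

// Gateway models a VPN portal that owns a single RSA key pair. The public half
// is exactly what any HTTPS client learns from the TLS handshake.
type Gateway struct {
	key *rsa.PrivateKey
}

func NewGateway() (*Gateway, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Gateway{key: k}, nil
}

func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.key.PublicKey }

// encryptPayload needs only the public key, so anyone who has completed a TLS
// handshake with the gateway can produce a ciphertext that it will decrypt.
func encryptPayload(pub *rsa.PublicKey, o Override) ([]byte, error) {
	plain, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

func (g *Gateway) decryptPayload(ct []byte) (*Override, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.key, ct, nil)
	if err != nil {
		return nil, err
	}
	var o Override
	if err := json.Unmarshal(plain, &o); err != nil {
		return nil, err
	}
	return &o, nil
}

// AcceptWeak models the flawed trust model: a successful decryption is treated
// as proof that the gateway itself issued the cookie.
func (g *Gateway) AcceptWeak(cookie []byte) (*Override, error) {
	return g.decryptPayload(cookie)
}

// IssueHardened appends a PSS signature, made with the private key, over the
// ciphertext. Only the gateway can produce it; the public key cannot.
func (g *Gateway) IssueHardened(o Override) ([]byte, error) {
	ct, err := encryptPayload(g.PublicKey(), o)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, g.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(ct, sig...), nil
}

// AcceptHardened verifies the signature before it decrypts anything; a cookie
// without a valid signature is rejected regardless of what it decrypts to.
func (g *Gateway) AcceptHardened(cookie []byte) (*Override, error) {
	sigLen := g.key.Size()
	if len(cookie) <= sigLen {
		return nil, errors.New("cookie too short to carry a signature")
	}
	ct, sig := cookie[:len(cookie)-sigLen], cookie[len(cookie)-sigLen:]
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(g.PublicKey(), crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("override cookie rejected: %w", err)
	}
	return g.decryptPayload(ct)
}

// Demo builds a cookie using nothing but the public key and reports whether
// each validator accepts it, plus whether a properly issued cookie is accepted.
func Demo() (weakAccepts, hardenedAcceptsUnsigned, hardenedAcceptsLegit bool, err error) {
	g, err := NewGateway()
	if err != nil {
		return
	}
	claim := Override{User: "admin", Exp: 4102444800} // constructed sample claim
	unsigned, err := encryptPayload(g.PublicKey(), claim)
	if err != nil {
		return
	}
	if o, e := g.AcceptWeak(unsigned); e == nil && o.User == "admin" {
		weakAccepts = true
	}
	if _, e := g.AcceptHardened(unsigned); e == nil {
		hardenedAcceptsUnsigned = true
	}
	legit, err := g.IssueHardened(claim)
	if err != nil {
		return
	}
	if o, e := g.AcceptHardened(legit); e == nil && o.User == "admin" {
		hardenedAcceptsLegit = true
	}
	return
}

func main() {
	w, hu, hl, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak validator accepts public-key-only cookie: %v\n", w)
	fmt.Printf("hardened validator accepts it: %v\n", hu)
	fmt.Printf("hardened validator accepts signed cookie: %v\n", hl)
}
```

The design point for defenders is that confidentiality and authenticity are separate properties: the weak validator checks only the former, so sharing the certificate between HTTPS and cookie handling hands every client the one key needed to satisfy it. Requiring a signature from the private key (or a MAC under a secret the server never publishes) closes that gap even when the same certificate is reused, and keeping a distinct key for override cookies adds a further layer of separation.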
CISA has subsequently added the vulnerability to its Known Exploited Vulnerabilities catalog.
🛡️ We added Palo Alto Networks PAN-OS authentication bypass vulnerability CVE-2026-0257 to our KEV Catalog. Visit https://t.co/myxOwap1Tf for more information. #Cybersecurity #InfoSec
— CISA Cyber (@CISACyber) May 29, 2026
The Palo Alto Networks advisory lists the available patches and workarounds.