The CyberWire Daily Podcast 12.22.23
Ep 1973 | 12.22.23

Sentenced to hospital detention.


A Lapsus$ hacker is sentenced to hospital detention. Online ads and phishing drain crypto wallets. Cyberespionage continues. LockBit and ALPHV say they want to form a ransomware cartel. The 8220 gang's cryptojacking. DarkGate RAT's propagation. The evolution of Bandook. A prominent title insurance company takes systems offline. Rick Howard speaks with guests John Goodman & Amanda Satterwhite of Accenture Federal Services about the launch of a public sector Cybersecurity Center of Excellence. And Trump’s Dumps lead to BidenCash.

It’s Friday, December 22nd, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Lapsus$ hacker sentenced to hospital detention.

Arion Kurtaj, an 18-year-old hacker associated with the infamous Lapsus$ group, has been sentenced to an indefinite hospital order after a series of high-profile cyber attacks, including a significant leak from the highly anticipated Grand Theft Auto VI game. Alongside a younger accomplice who remains unnamed due to legal protections for minors, Kurtaj faced a six-week trial at Southwark Crown Court, where their guilt was established.

The Lapsus$ group, described as 'digital bandits' in court, has been involved in various attacks targeting entities from the Brazilian Ministry of Health to major corporations like Nvidia, Uber, and BT Group. These teens, mainly based in the UK and Brazil, have caused an estimated $10 million in damages through their coordinated cyber attacks, which include attempting to extort a $4 million ransom from BT/EE using exfiltrated data.

Notably, Kurtaj continued his hacking spree even while under police custody, managing to compromise Rockstar Games and exfiltrate 90 clips and the source code of the unreleased GTA VI. He executed these attacks from a Travelodge hotel using a hotel TV, mobile phone, and Amazon Fire Stick. His brazen actions, including a threat to release the source code unless contacted within 24 hours, led to his rearrest and eventual sentencing.

Judge Patricia Lees deemed Kurtaj unfit for a traditional trial due to his autism but recognized him as a high risk to the public due to his advanced hacking skills and determination to continue cybercrime activities. As a result, Kurtaj will reside in a secure hospital until a mental health tribunal assesses him fit for release. This sentence reflects the court's understanding of both his mental health needs and the serious threat his capabilities pose.

Online ads and phishing drain crypto wallets.

Google and Twitter ads are being used to promote phishing sites featuring a cryptocurrency drainer named 'MS Drainer,' which has already stolen $59 million from over 63,210 victims in nine months. Researchers at ScamSniffer identified over ten thousand phishing websites utilizing MS Drainer, with notable spikes in activity throughout 2023. The drainer deceives users into approving malicious contracts on seemingly legitimate websites, allowing attackers to transfer funds from victims' wallets. Ads on Google and Twitter (X), including those from verified accounts possibly compromised by malware, have significantly contributed to the spread and success of these phishing campaigns. Users are advised to exercise extreme caution with cryptocurrency-related ads and thoroughly vet new platforms.

Cyberespionage continues.

Deep Instinct reports ongoing cyberespionage by "UAC-0099" against Ukraine, exploiting a WinRAR vulnerability typically through bogus court documents. This actor uses simple but effective tactics involving PowerShell and VBS files, with newer WinRAR versions being immune. While suggestive of Russian involvement, no formal attribution is given. Concurrently, the Cloud Atlas group is targeting Russian entities with phishing campaigns, exploiting a known Microsoft Office vulnerability. Both campaigns exemplify persistent cyberespionage activities in the region, with state-direction suspected but not confirmed.

LockBit and ALPHV say they want to form a ransomware cartel.

After the FBI-led takedown of the ALPHV/BlackCat's dumpsite, the Cyber Express reports that ALPHV and LockBit are discussing forming a cartel as a strategy for criminal survival and resistance against law enforcement. Citing the need for unity in the face of international law enforcement collaboration, they propose banding together. However, it's uncertain whether this will make them stronger or just a bigger target. Meanwhile, the global community and law enforcement continue their pursuit of these cybercriminals.

8220 gang's cryptojacking.

Researchers at Imperva have identified the 8220 gang, a cybercriminal group from China, exploiting a vulnerability in Oracle WebLogic Server to install cryptojacking malware. By combining this with using compromised credentials, they execute code and deploy malware. The 8220 gang employs gadget chains to load XML files and execute OS commands. They are primarily targeting healthcare, telecommunications, and financial services in the United States, South Africa, Spain, Colombia, and Mexico.

DarkGate RAT's propagation.

Proofpoint is monitoring a malware operator known as "BattleRoyal," which notably began exploiting a Windows SmartScreen vulnerability before Microsoft disclosed it. The initial campaign, detected on October 2, 2023, utilized multiple traffic delivery systems, specifically 404 TDS and Keitaro TDS. Despite variations in the attack chain, .URL files exploiting the SmartScreen flaw were a consistent element in all campaigns by this actor.

The evolution of Bandook.

Fortinet has identified a new variant of the Bandook remote access Trojan, emerging in October and spread through shortened URLs in PDF files. Despite a large number of commands for C2 communication within the malware, its actual payload performs fewer tasks. This discrepancy is due to multiple commands being used for single actions, some calling functions in other modules, and others solely responding to the server.

Title insurance company takes systems offline.

First American Financial Corporation, a major U.S. title insurance company, took some systems offline to manage a cyberattack. The incident led to their official website being taken down, with the company working to resume normal operations. This incident follows a May 2019 breach, which exposed the personal and financial data of many individuals due to a vulnerability in their EaglePro application. The California-based company, with a history dating back to 1889, recently paid a $1 million penalty for the 2019 breach, underlining the serious implications of cybersecurity lapses in handling sensitive data.


Up next, we’ve got N2K’s Rick Howard talking with guests John Goodman & Amanda Satterwhite of Accenture Federal Services about the public sector Cybersecurity Center of Excellence they recently launched in conjunction with Google.

BidenCash's loss-leaders.

The BidenCash criminal marketplace is giving away 1.9 million stolen credit cards for free, as a marketing ploy, BleepingComputer reports. The cards include numbers, expiration dates (mostly between 2025 and 2029), and CVVs. While the validity of the dataset is unconfirmed, BleepingComputer notes that “[g]iven the platform's history of providing genuine data in previous releases, it seems improbable that the shop would risk tarnishing its reputation with a fake pack.”

BidenCash, despite its name and the smiling face of Joe Biden it displays on its page, is not related to the US President. According to Searchlight Cyber, the name is a jokey riff on a predecessor criminal market that called itself “Trump’s Dumps,” which went offline after it was raided in early February 2022. As Flashpoint reported at the time, the illicit service was taken down by (of all people) Russian law enforcement authorities. January and early February of 2022 saw a false dawn of Russian gestures toward legality in cyberspace. Those gestures ended on February 24th when Russia invaded Ukraine. Since then it's been all privateering, all the time.

Trump's Dumps had, of course, no more to do with Mr. Trump than BidenCash does with Mr. Biden. BidenCash launched shortly after Trump’s Dumps hit the law enforcement bumps. So not a Joe, nary even a Hunter; just sleazy carders shilling fullz to some punter.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.