
Lights out for Lumma.
A joint operation takes down Lumma infrastructure. The FTC finalizes a security settlement with GoDaddy. The Telemessage breach compromised far more U.S. officials than initially known. Twin hackers allegedly breach a major federal software provider from the inside. U.S. telecom providers fail to notify the Senate when law enforcement agencies request data from Senate-issued devices. DragonForce makes its mark on the ransomware front. A data leak threatens survivors of domestic abuse in the UK. Lexmark discloses a critical vulnerability affecting over 120 printer models. Our guest is David Holmes, CTO for Application Security at Imperva, with insights into the role of AI in bot attacks. Scammers ship stolen cash in Squishmallows.
Today is Thursday May 22nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A joint operation takes down Lumma infrastructure.
A joint operation by U.S., EU, and Japanese authorities, with help from Microsoft and cybersecurity firms, has dismantled the infrastructure behind Lumma, a major infostealer malware. Also known as LummaC2, the malware has infected millions of devices since 2023, stealing sensitive data like passwords, credit card info, and cryptocurrency wallets. Lumma was sold via subscription, making it easy for even low-skilled criminals to exploit.
The FBI tracked over 10 million infections and estimated $36.5 million in credit card thefts in 2023 alone. Microsoft identified nearly 400,000 infections between March and May 2025. The operation took down about 2,300 domains and disrupted communications between infected devices and Lumma servers.
Developed by a Russian actor known as “Shamel,” Lumma has been marketed on Telegram and used in phishing and malvertising campaigns. The FBI warned that while this takedown is a blow, Lumma’s operators may attempt to rebuild.
The FTC finalizes a security settlement with GoDaddy.
The FTC has finalized an order requiring GoDaddy to bolster its security after years of data breaches due to weak practices. The agency found GoDaddy lacked key protections like multi-factor authentication (MFA), proper software updates, and threat monitoring, leading to breaches between 2019 and 2022. In one case, attackers installed malware and stole source code after years of undetected access.
Under the new order, GoDaddy must not mislead customers about security, implement HTTPS for APIs, ensure software and firmware are updated, and set up a robust security program. The company must also add MFA for all users, including non-phone options, and undergo independent security assessments every two years. GoDaddy must report any data exposure incidents within 10 days. While GoDaddy said it’s already making changes, the settlement includes no admission of fault or fines.
The Telemessage breach compromised far more U.S. officials than initially known.
A hacker breach of TeleMessage, a government-used messaging service based on Signal, compromised messages from over 60 U.S. officials—far more than previously known. Reuters reviewed a cache of leaked data provided by Distributed Denial of Secrets. The material revealed intercepted chats from FEMA, Customs, the Secret Service, U.S. diplomats, and even one White House staffer. Though much of the data was fragmentary and not overtly sensitive, it included travel-related discussions for senior officials.
TeleMessage, little-known outside federal circles, became public after a Reuters photo showed former Trump national security adviser Mike Waltz using the app. The service, which archives encrypted messages for compliance, went offline May 5. The breach raises metadata-related counterintelligence risks, experts say. While some users confirmed message authenticity, federal agencies have offered little comment. The White House acknowledged the cybersecurity incident but didn’t elaborate on its use of the platform.
Elsewhere, Signal Desktop has added a new “Screen security” feature for Windows 11 to block screenshots and protect chats from Microsoft Recall, which captures app screenshots every few seconds. This setting, now enabled by default, uses a DRM flag to prevent content from appearing in Recall or similar tools. Signal made the move after Microsoft relaunched Recall despite prior backlash. While the setting may impact usability and accessibility, users can disable it with a warning. Signal urges OS vendors to better support privacy-focused apps.
Twin hackers allegedly breach a major federal software provider from the inside.
Bloomberg reports that Opexus, a software provider for nearly all U.S. federal agencies, suffered a major cyber breach in February, caused by insider threats—twin brothers Muneeb and Suhaib Akhter, both convicted hackers. Hired as engineers despite their past, they allegedly accessed and deleted sensitive data across multiple agencies, including the IRS and GSA. The attack disrupted key systems and permanently erased records, including FOIA requests. The FBI is investigating, and federal agencies are reassessing contracts with Opexus. A Mandiant report revealed serious security lapses, including improper access during termination and file exfiltration, contradicting Opexus’s public claims. The breach exposed the vulnerabilities in contractor vetting and data security within government IT systems.
U.S. telecom providers fail to notify the Senate when law enforcement agencies request data from Senate-issued devices.
Under contracts established in 2020, major U.S. telecom providers—AT&T, Verizon, and T-Mobile—are required to notify the Senate when law enforcement agencies request data from Senate-issued devices. However, an investigation by Senator Ron Wyden revealed that these carriers failed to implement such notification systems, leaving senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the mandated notification. Following the investigation, all three companies have begun complying with the notification requirement for Senate-funded lines. Nevertheless, significant gaps remain, particularly concerning personal and campaign devices, which are commonly used by senators but fall outside the scope of current protections. While AT&T and Verizon limit notifications to Senate-issued lines, T-Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate Sergeant at Arms. Senator Wyden urges his colleagues to consider switching to carriers like T-Mobile, Google Fi, U.S. Mobile, and Cape, which have policies to inform customers of government surveillance demands whenever legally permissible.
DragonForce makes its mark on the ransomware front.
DragonForce is a rising ransomware group reshaping the threat landscape through aggressive tactics and strategic repositioning, Sophos reports. First appearing in 2023 with a standard Ransomware-as-a-Service (RaaS) model, the group rebranded in March 2025 as a “cartel,” offering affiliates flexibility to use its infrastructure while branding their own campaigns. DragonForce has targeted both IT and virtualized environments, and reportedly teamed up—if contentiously—with the prolific RansomHub group. This included defacing rival leak sites and a potential hostile takeover of RansomHub’s infrastructure.
In recent attacks, DragonForce-linked malware was used by GOLD HARVEST (aka Scattered Spider), a decentralized cybercriminal collective known for social engineering, MFA bypasses, and use of infostealers. Attacks on UK retailers, including Marks and Spencer, highlight their threat. As internal feuds destabilize ransomware networks, organizations must reinforce social engineering defenses, monitor credentials, and strengthen incident response to withstand unpredictable attacks from increasingly flexible and chaotic cybercrime groups.
A data leak threatens survivors of domestic abuse in the UK.
A cyberattack on the UK’s Legal Aid Agency has exposed sensitive data of over 2 million people, including survivors of domestic abuse, raising fears of imminent leaks. The Ministry of Justice (MoJ) confirmed that anyone who applied for legal aid since 2010 could be affected. Compromised data includes addresses, national IDs, and contact details—potentially revealing the locations of confidential women’s refuges. The MoJ has refused to pay ransom and is preparing to contact vulnerable individuals, prioritizing abuse survivors, asylum seekers, and trafficking victims. Refuge, a charity supporting abuse survivors, warns the breach could escalate abuse campaigns, including harassment, impersonation, or tracking survivors. While a court injunction has been issued against the data’s distribution, it is unlikely to deter cybercriminals. Refuge is working to identify at-risk individuals and urges anyone affected to contact legal advisors immediately.
Lexmark discloses a critical vulnerability affecting over 120 printer models.
Lexmark has disclosed a critical vulnerability (CVE-2025-1127, CVSS 9.1) affecting the embedded web server in over 120 printer models. The flaw combines a Path Traversal and Concurrent Execution issue, allowing remote attackers to access unauthorized files and execute arbitrary code. Devices running firmware version .240.205 or earlier are at risk. If exploited, this vulnerability could let attackers fully compromise affected Lexmark printers. Users are urged to update firmware to mitigate the threat.
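The path-traversal half of that flaw is the classic failure of an embedded web server trusting the request path it is handed. The following is an added example, not Lexmark's firmware or anything from the advisory: a small C routine of the kind a defender would expect in a web server, which percent-decodes a request path and lexically confines it to a web root before any file is opened, rejecting ".." components, backslash separators and embedded NULs outright. The root "/var/www" and the sample requests are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Lexmark's code): lexically confine an HTTP request
 * path to a web root before opening anything, rejecting traversal. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns -1 on a malformed escape or on an
 * encoded NUL (%00), which would silently truncate a C string later. */
static int url_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0) return -1;              /* embedded NUL: reject */
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Build root + "/" + normalized request path into out.
 * "." components are dropped, repeated slashes collapsed, and any ".."
 * component is rejected outright rather than popped, so the result can
 * never leave root. Returns 0 on success, -1 if the request is rejected. */
int resolve_under_root(const char *root, const char *request,
                       char *out, size_t outlen) {
    char decoded[1024];
    if (url_decode(request, decoded, sizeof decoded) != 0) return -1;

    /* Treat backslash as a separator too, so a "..\" variant cannot slip
     * past a check that only looks for forward slashes. */
    for (char *q = decoded; *q; q++)
        if (*q == '\\') *q = '/';

    size_t o = strlen(root);
    if (o + 1 >= outlen) return -1;
    memcpy(out, root, o);

    const char *p = decoded;
    while (*p) {
        while (*p == '/') p++;              /* collapse repeated slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;                 /* no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') return -1; /* traversal */
        if (o + 1 + n >= outlen) return -1;
        out[o++] = '/';
        memcpy(out + o, start, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Helper for the demo: 1 if request resolves to expect, 0 if it was
 * rejected, -1 if it resolved to something else. */
int resolves_to(const char *root, const char *request, const char *expect) {
    char buf[1024];
    if (resolve_under_root(root, request, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expect) == 0 ? 1 : -1;
}

int main(void) {
    /* Constructed sample requests; none are taken from the advisory. */
    const char *samples[] = {
        "/index.html", "/a/./b//c.css", "/../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd", "/css/..%5c..%5cetc/passwd", "/%00.html"
    };
    char buf[1024];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = resolve_under_root("/var/www", samples[i], buf, sizeof buf);
        printf("%-30s -> %s\n", samples[i], rc == 0 ? buf : "REJECT");
    }
    return 0;
}
```

Decoding happens before the component check, so an encoded "%2e%2e" is caught the same way as a literal "..". Rejecting ".." rather than popping it is deliberate: a document root rarely needs parent references in client-supplied paths, and refusing them removes the whole class of edge cases around symlinks and prefix comparisons.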
Scammers ship stolen cash in Squishmallows.
The DOJ has thrown a sizable legal book at a 27-member crypto crime ring accused of scamming over $250 million globally, proving once again that organized crime has gone digital—and decadent. Leading the charge is 20-year-old Malone Lam, who allegedly finessed 4,100 Bitcoin (worth $230M) from a D.C. crypto tycoon using nothing more than fake Google alerts and a convincing “tech support” impersonation. His alias? “Anne Hathaway.” Naturally.
Lam and partner-in-fraud Jeandiel Serrano (“VersaceGod”—yes, really) reportedly turned their loot into a luxury lifestyle: Lambos, G-Wagons, $68K-a-month rentals, and nightclub tabs bigger than most mortgages. Meanwhile, the gang—recruited via online gaming—had roles ranging from hackers to real-life burglars, even smuggling cash in Squishmallows, stuffing up to $25,000 inside each toy for stealthy shipment across the U.S.
Even after arrest, Lam allegedly kept the crime spree alive, buying his girlfriend Hermes bags from behind bars.
The moral? If someone offers crypto advice under a celebrity pseudonym, maybe don’t share your MFA code.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
