The CyberWire Daily Podcast 7.17.25
Ep 2351 | 7.17.25

When hackers become the hunted.

Transcript

Pro-Russian hackers, scam lords, and ransomware gangs face global justice. Louis Vuitton ties customer data breaches to a single cyber incident. The White House is developing a “Zero Trust 2.0” cybersecurity strategy. OVERSTEP malware targets outdated SonicWall Secure Mobile Access (SMA) devices. An Australian political party suffers a massive ransomware breach. Our guest Jacob Oakley speaks with T-Minus Space Daily host Maria Varmazis. Jacob is Technical Director at SIXGEN and Space Lead for the DEFCON Aerospace Village. An Italian YouTuber faces a retro reckoning.

Today is Thursday, July 17th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Pro-Russian hackers, scam lords, and ransomware gangs face global justice.

Between July 14 and 17, an international operation named “Eastwood,” coordinated by Europol and Eurojust, targeted the pro-Russian cybercrime group NoName057(16). Authorities from 13 core countries, including the U.S., Germany, and France, worked together to dismantle the group’s infrastructure, disrupting over 100 servers and taking major parts offline. Seven arrest warrants were issued, mainly for Russian nationals, and two individuals were detained. More than 1,000 supporters were warned of legal consequences. The group, which ran ideologically driven DDoS attacks, especially against Ukraine supporters and NATO members, used gamified tactics and crypto payments to recruit largely Russian-speaking sympathizers. Europol provided intelligence, coordination, and technical support, while Eurojust facilitated judicial cooperation. The operation also exposed a decentralized network that relied on automated tools, informal recruiting, and propaganda to sustain cyberattacks.

Cambodia has arrested over 1,000 suspects this week in a nationwide crackdown on cybercrime following an order by Prime Minister Hun Manet. The move targets foreign-led online scam operations that, according to global estimates, generate billions annually. Raids took place across at least five provinces, netting hundreds of suspects from Vietnam, China, Taiwan, Indonesia, and other countries. Authorities seized computers and phones used in scams. Amnesty International recently accused the Cambodian government of complicity in human trafficking and forced labor within scam compounds, citing serious abuses. Many workers are lured under false promises and then held captive. The crackdown also unfolds amid rising tensions with Thailand over border disputes and cybercrime hubs like Poipet, where Thailand has taken unilateral actions, including border closures and power cuts.

Karen Serobovich Vardanyan, a 33-year-old Armenian national, has been extradited from Ukraine to the U.S. to face federal charges related to Ryuk ransomware attacks. Along with three other co-conspirators, Vardanyan allegedly deployed ransomware from 2019 to 2020, extorting over $15 million in Bitcoin from U.S. companies, including one in Oregon. Victims included schools, hospitals, and local governments. Vardanyan pleaded not guilty and remains in custody pending trial. The FBI is investigating the case, with international support from Ukraine and France.

Italian police have dismantled a Romanian ransomware group known as “Diskstation,” which targeted civil rights groups, film companies, and nonprofits in northern Italy. The gang encrypted victims’ systems and demanded cryptocurrency ransoms. The investigation, launched after attacks in Lombardy, was coordinated with French and Romanian authorities. Raids in Bucharest led to multiple arrests and digital evidence seizures. A Milan judge ordered the detention of the suspected ringleader. Diskstation has exploited vulnerabilities in Synology NAS devices since at least 2021.

Louis Vuitton ties customer data breaches to a single cyber incident.

Louis Vuitton has confirmed that recent customer data breaches in the UK, South Korea, and Turkey are part of a single cyber incident, believed to involve the ShinyHunters extortion group. The breach, discovered on July 2, 2025, resulted in the unauthorized access and exfiltration of personal client data. Payment information was not affected. The company has notified regulators and is working with cybersecurity experts to investigate. ShinyHunters is suspected to have accessed data via a compromised third-party vendor, the same vector used in breaches at Dior, Tiffany & Co., and Adidas. ShinyHunters has previously been linked to high-profile cyberattacks, including the Snowflake breach affecting major brands. Although French authorities recently arrested several BreachForum members, some ShinyHunters operators remain active, raising concerns about further incidents.

The White House is developing a “Zero Trust 2.0” cybersecurity strategy.

The White House is developing a “Zero Trust 2.0” cybersecurity strategy, aiming for more targeted and efficient cyber investments across federal agencies. Nick Polk from the Office of Management and Budget (OMB) said the focus will shift from broad mandates to specific, high-impact initiatives. The Biden-era zero trust plan, released in 2022, required agencies to adopt layered defenses, but the new approach emphasizes results and investment efficiency. Additionally, the Trump administration’s latest cybersecurity executive order scraps a vendor artifact requirement but keeps secure software attestations. The Defense Department is piloting new methods, like continuous monitoring and Software Bills of Materials (SBOMs), while civilian agencies will tailor security based on risk. Upcoming OMB guidance will also address drone security and begin transitioning agencies to post-quantum cryptography standards set by NIST.

OVERSTEP malware targets outdated SonicWall Secure Mobile Access (SMA) devices.

A new malware called OVERSTEP is targeting outdated SonicWall Secure Mobile Access (SMA) devices, allowing hackers to maintain persistent, hidden access and steal credentials. Google’s Threat Intelligence Group links the attacks to UNC6148, an actor active since late 2023. The rootkit modifies the boot process and uses anti-forensic tools to hide its tracks. Attacks may have started through a known vulnerability that provided admin credentials. UNC6148 has used stolen data in extortion attempts and may deploy Abyss ransomware. Researchers suspect OVERSTEP was installed via a reverse shell, though how this access was achieved remains unclear. The malware allows remote access, password theft, and log manipulation. Security experts urge organizations using SMA devices to create disk images for forensic analysis, as standard inspection may miss the stealthy malware.

An Australian political party suffers a massive ransomware breach.

Clive Palmer’s United Australia Party and Trumpet of Patriots suffered a ransomware attack in June 2025, potentially exposing all their emails, documents, and sensitive data. The breach, confirmed in a public notice, may include personal details such as email addresses, phone numbers, banking records, and confidential documents. The parties admit they don’t fully know what data was accessed and say notifying all affected individuals is “impractical.” They reported the incident to the Office of the Information Commissioner and Australian Signals Directorate. A party spokesperson claimed no contact with the attackers so far. Legal experts note that while political parties are largely exempt under Australia’s Privacy Act, recent legal changes may open the door to lawsuits. The breach is seen as a possible landmark case in data accountability for political groups.

An Italian YouTuber faces a retro reckoning.

Italy is known for fine wine, ancient ruins, and, as YouTuber Once Were Nerd just discovered, some of the strictest copyright enforcement this side of the Alps. The retro gaming enthusiast, who reviews Android-based handheld consoles loaded with old-school games, recently had his collection of nostalgia confiscated by the Guardia di Finanza, Italy’s economic and copyright watchdog.

The agents showed up with a search warrant in April, seizing over 30 consoles and requesting emails with device makers like Anbernic. While emulation itself is legal, many of these consoles come pre-loaded with pirated game ROMs, something Italian authorities aren’t about to overlook. The creator could face charges under Article 171 of Italy’s copyright law, which carries up to three years in prison.

Italy doesn’t mess around. From forcing Google to block pirated soccer streams to now eyeing YouTubers, its message is clear: if you’re profiting off copyrighted content, even indirectly, you’d better save your progress.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.