
Ransomware sick day.
A suspected ransomware attack disrupts hundreds of Swedish municipalities. Google warns Gmail users of emerging cyberattacks tied to the ShinyHunters group. A malicious supply chain attack hits the npm registry. Senators press Aflac for answers following a data breach. Law enforcement takedowns splinter the ransomware ecosystem. The FBI and Dutch police take down a major online fake ID marketplace. Florida proposes requiring healthcare providers to strengthen data breach preparedness and reporting. Our guest is Kathleen Peters, Chief Innovation Officer at Experian North America, explaining why AI is both accelerating and mitigating fraud. An affiliate army pushes fake casinos worldwide.
Today is Friday, August 29th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A suspected ransomware attack disrupts hundreds of Swedish municipalities.
A suspected ransomware attack on Swedish IT supplier Miljödata has disrupted systems across nearly 200 municipalities and regions. Miljödata provides HR software used for sick leave, medical certificates, and workplace injury reports. The attack, detected Saturday, is now under police investigation, with extortion attempts reported. Civil Defence Minister Carl-Oskar Bohlin confirmed the government is closely monitoring the situation, though the full impact remains unclear. CERT-SE and the national cybersecurity center are assisting both Miljödata and affected municipalities. Miljödata’s CEO Erik Hallén said external experts are working to restore functionality and assess damage. With 290 municipalities in Sweden, the scale of disruption is significant. Bohlin emphasized the need for stronger national cybersecurity, noting a forthcoming bill that would impose stricter security requirements.
Google warns Gmail users of emerging cyberattacks tied to the ShinyHunters group.
Google has issued an emergency warning to Gmail users after cyberattacks tied to the ShinyHunters group emerged following a Salesforce data breach. While Google’s own systems remain secure, hackers are exploiting stolen business data through social engineering, particularly by impersonating IT staff in phone-based “vishing” attacks. Google’s Threat Analysis Group detected the activity in June, confirming several successful intrusions by August through compromised passwords. The ShinyHunters, active since 2020, have a track record of high-profile breaches at companies like Microsoft, AT&T, and Ticketmaster, often leaking or selling stolen records. Impacted users were notified on August 8. With Gmail serving over 2.5 billion people, Google urges all users to strengthen defenses by updating passwords and enabling two-factor authentication.
TransUnion is notifying over 4.4 million people of a July 28, 2025, data breach exposing names, Social Security numbers, and birth dates. The compromised data came from a third-party application used for U.S. consumer support, though not from core credit files. Victims are being offered two years of free credit monitoring and fraud assistance. Hackers linked to ShinyHunters, reportedly tied to a broader Salesforce breach campaign, claim additional data like addresses and emails was stolen. The incident follows similar Salesforce-related breaches at major global firms.
A malicious supply chain attack hits the npm registry.
A malicious supply chain attack hit the npm registry on August 26, when attackers published compromised versions of Nx, a popular open-source build platform. npm is a massive public database of JavaScript software packages. Eight versions, starting with 21.5.0, contained malware that stole developer secrets, SSH keys, GitHub/npm tokens, and even cryptocurrency wallets. The malware abused AI CLI tools like Claude, Gemini, and Amazon Q to scan systems, then exfiltrated data to GitHub by creating repositories under victims’ own accounts. Within just five hours, thousands may have been exposed. StepSecurity later confirmed a second wave: attackers weaponized stolen GitHub CLI OAuth tokens, converting private repos into public ones and forking them for persistence. Researchers called this the first known supply chain attack that hijacked AI developer tools for data theft, urging immediate credential resets and repo audits.
Senators press Aflac for answers following a data breach.
The U.S. Senate Health, Education, Labor and Pensions Committee is pressing insurance giant Aflac for answers after a recent cyberattack exposed personal and health data. In an Aug. 22 letter, Sens. Bill Cassidy (R-La.) and Maggie Hassan (D-N.H.) asked CEO Daniel Amos to detail the company’s security protocols, how protected health information was safeguarded, and what measures are planned going forward. Aflac first disclosed the breach to the SEC on June 20, calling it part of a cybercrime campaign targeting insurers. Regulators later confirmed that HIPAA-protected data for at least 500 individuals was compromised. Lawmakers compared the incident to last year’s Change Healthcare breach and warned of rising cyber risks in healthcare, which cost organizations nearly $10 million per incident and disrupt patient care.
Law enforcement takedowns splinter the ransomware ecosystem.
The ransomware ecosystem is splintering as law enforcement takedowns scatter affiliates and force criminal rebrands. Malwarebytes reports that between July 2024 and June 2025, 41 new groups emerged, pushing the total over 60 active gangs for the first time. This doubling over three years has fueled a surge in attacks, aided by leaked ransomware code, commoditized tools, and even AI, which lower barriers to entry. Large ransomware-as-a-service (RaaS) groups like LockBit, Hive, and AlphV have been disrupted, but affiliates often rebrand or form new crews. Researchers note that trust within the cybercriminal underground is eroding, leading to infighting, exit scams, and stolen data being sold across multiple leak sites. With dominance more fleeting, small groups now drive attacks, fragmenting the ecosystem further.
The FBI and Dutch police take down a major online fake ID marketplace.
The FBI and Dutch police have shut down VerifTools, a major online marketplace selling fake IDs for as little as $9. The site offered counterfeit driver’s licenses, passports, and other documents from all 50 U.S. states and several countries. Criminals used the IDs for fraud, IT job scams, and bank help-desk cons, while teens exploited them to buy alcohol. On August 27, Dutch police seized VerifTools’ servers in Amsterdam, while the FBI took its domains offline. Investigators linked the marketplace to about $6.4 million in illicit proceeds. Undercover agents even purchased fake New Mexico licenses using cryptocurrency during the probe, which began in 2022. Authorities said the takedown marks a major step against fraud and identity theft, though users and admins remain under investigation.
Florida proposes requiring healthcare providers to strengthen data breach preparedness and reporting.
Florida’s Agency for Health Care Administration (AHCA) has proposed a new rule requiring healthcare providers to strengthen data breach preparedness and reporting. Providers would need a written contingency plan to ensure critical operations and patient care continue during IT incidents, including secure, redundant data backups within the U.S. and verified restorability. The rule defines incidents broadly, covering cyberattacks and insider misuse. Providers must report incidents to AHCA within 24 hours. These requirements would supplement existing HIPAA rules. A workshop is scheduled for September 17, 2025.
An affiliate army pushes fake casinos worldwide.
According to Krebs on Security, it turns out that the flood of shiny new online gambling sites wasn’t the work of entrepreneurial Vegas hopefuls, but of a Russian affiliate program called Gambler Panel—a “soulless project made for profit,” in its own words. The scam is polished: ads promise $2,500 in credits, players register, win fake jackpots, then hit a wall when trying to cash out. Cue the “verification deposit” request in crypto—money that, of course, never comes back. The scheme is disturbingly professional, complete with fake casino software, chat support scripts, and a wiki that could pass for startup documentation if you ignored the part about fleecing victims. Affiliates, some 20,000 strong, are promised up to 70% of profits, complete with Telegram brag posts of sports cars and models. As one teen researcher dryly noted, it’s basically fraud-as-a-service—franchising the casino dream, but with none of the winnings.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
