
From cryptomixers to recipe mixers.
European authorities take down an illegal cryptomixer. An Australian man is sentenced for running an airport evil twin WiFi campaign. Researchers unmask a Scattered LAPSUS$ Hunters impresario. CISA flags a cross-site scripting flaw in OpenPLC ScadaBR. A major South Korean retailer suffers a data breach affecting over 33 million customers. Threat actors abuse digital calendar subscription features. New York’s new hospital cybersecurity mandates may raise the bar nationwide. Scammers target Cyber Monday shoppers. Monday business brief. Ann Johnson speaks with Microsoft’s Amy Hogan-Burney on the Afternoon Cyber Tea segment. Google gets caught reheating someone else’s holiday recipe.
Today is Monday December 1st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
European authorities take down an illegal cryptomixer.
Europol and Eurojust, working under Operation Olympia, seized three servers in Zurich and took control of the cryptomixer.io domain in late November 2025. The site now displays a warning that data tied to the service has been obtained and users may face investigation. Authorities collected more than 12 terabytes of information that could include logs capable of identifying customers. Europol says Cryptomixer operated on both the clear web and dark web and was widely used by ransomware operators and other criminals to hide the flow of illicit funds. Since 2016, it allegedly mixed more than 1.3 billion euros in Bitcoin. The takedown follows a similar 2023 operation against ChipMixer, which resulted in the seizure of servers, data, and millions in cryptocurrency.
An Australian man is sentenced for running an airport evil twin WiFi campaign.
A 44-year-old Australian man received a seven-year, four-month prison sentence for running “evil twin” WiFi networks to steal travelers’ data on domestic flights and in airports in Perth, Melbourne, and Adelaide. Authorities say he used a WiFi Pineapple device to clone legitimate SSIDs, luring users to a phishing page that captured social-media credentials. He then accessed women’s accounts to monitor messages and steal private images and videos. Forensic analysis found thousands of intimate files, stolen credentials, and fraudulent WiFi pages. After his equipment was seized in April 2024, he attempted to delete evidence and access confidential information from his employer’s laptop. He later pleaded guilty to multiple cybercrime, theft, and evidence-destruction charges. The AFP urges travelers to treat free WiFi with caution and use VPNs.
Researchers unmask a Scattered LAPSUS$ Hunters impresario.
“Scattered LAPSUS$ Hunters” (SLSH), a group linked to Scattered Spider, LAPSUS$, and ShinyHunters, has spent 2025 extorting major global companies after stealing data, often through social engineering campaigns that tricked victims into connecting malicious apps to Salesforce environments. The group’s public face, “Rey,” surfaced this week after KrebsOnSecurity identified him as 15-year-old Saif Al-Din Khader of Amman, Jordan. Investigators connected multiple online identities—including “Hikki-Chan,” “@wristmug,” and “o5tdev”—to Saif through leaked passwords, infostealer data, and posts across Telegram and BreachForums, where he was an administrator. SLSH recently launched its own ransomware-as-a-service, ShinySp1d3r, which Saif helped release. He told Krebs he has been attempting to leave the group and claims to be cooperating with European law enforcement, though those details remain unverified. The revelation follows SLSH’s ongoing recruitment of insiders and continued extortion activity targeting dozens of major corporations.
CISA flags a cross-site scripting flaw in OpenPLC ScadaBR.
CISA has added CVE-2021-26829, a cross-site scripting flaw in OpenPLC ScadaBR on Windows and Linux, to its Known Exploited Vulnerabilities catalog. Forescout reports that pro-Russian group TwoNet recently exploited the bug in an ICS/OT honeypot they mistook for a water plant, using default credentials, creating a “BARLATI” account, and defacing the HMI login page. TwoNet continues expanding from DDoS into industrial targeting and access services. Federal agencies must patch the flaw by December 19, 2025, and experts urge private organizations to follow suit.
A major South Korean retailer suffers a data breach affecting over 33 million customers.
South Korean retailer Coupang confirmed that personal details from 33.7 million customer accounts were compromised, prompting a formal apology and an emergency government meeting. Officials from the Ministry of Science and ICT warned of strict sanctions if safety-measure violations are found. Coupang initially detected unauthorized access to 4,500 accounts in November, later revising the figure sharply upward. Exposed data includes names, contact details, addresses, and order histories, though payment information and passwords were not affected. Investigators are examining the possibility of an insider threat, with reports pointing to a former Chinese employee, though police have not confirmed this. The breach follows major incidents at SK Telecom and Lotte Card and has renewed concerns about structural weaknesses in South Korea’s data-protection regime.
Threat actors abuse digital calendar subscription features.
BitSight researchers warn that threat actors are abusing digital calendar subscription features to push harmful content directly onto users’ devices. Calendar subscriptions let third-party servers add events and notifications, and attackers are exploiting expired or hijacked domains to deliver deceptive calendar files containing malicious links, attachments, or phishing content. BitSight’s sinkhole investigation began with a single suspicious German holiday calendar domain receiving 11,000 daily unique IP connections, then expanded to 347 related domains contacted by roughly four million unique IPs per day. Many of these requests appeared to be background syncs from long-established subscriptions, meaning anyone who takes over an expired domain could silently inject new events. BitSight says this highlights a major blind spot in personal and corporate security, as calendar subscriptions lack the protections applied to email and other communication channels.
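As an added example (not code from the CyberWire briefing or from BitSight's research), the following Python script shows the kind of check a practitioner can run against a calendar feed their organisation subscribes to: unfold the RFC 5545 line folding, walk each VEVENT, and flag any link or attachment that does not point back at the feed's own host, plus any inline base64 attachment. The feed URL, the host feiertage.example and the event contents are a constructed sample; a feed taken over through an expired domain keeps serving from the subscribed host, so the off-host links it pushes are what this audit surfaces.

```python
"""Audit a subscribed iCalendar (.ics) feed for injected links and attachments."""
import re
from urllib.parse import urlparse

# Constructed sample: the subscribed host (feiertage.example) is hypothetical.
FEED_URL = "https://feiertage.example/de/holidays.ics"

SAMPLE_FEED = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//holidays//DE
BEGIN:VEVENT
UID:xmas-2025@feiertage.example
DTSTART;VALUE=DATE:20251225
SUMMARY:Erster Weihnachtstag
END:VEVENT
BEGIN:VEVENT
UID:inject-1@feiertage.example
DTSTART:20251202T090000Z
SUMMARY:Your parcel could not be delivered
DESCRIPTION:Confirm your address at https://parcel-redelivery.example.net/c
 onfirm?id=9981 within 24 hours.
URL:https://parcel-redelivery.example.net/confirm?id=9981
ATTACH;FMTTYPE=application/pdf:https://cdn.example.org/invoice.pdf
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Properties in which an injected event can carry a link or a payload.
LINK_PROPS = ("URL", "DESCRIPTION", "LOCATION", "SUMMARY", "ATTACH", "X-ALT-DESC")


def unfold(ics: str) -> list:
    """Undo RFC 5545 line folding: a continuation line starts with a space or tab."""
    text = ics.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text).split("\n")


def parse_events(ics: str) -> list:
    """Return one dict per VEVENT: property name -> list of (params, value) tuples."""
    events, current = [], None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_params, value = line.split(":", 1)
            name, _, params = name_params.partition(";")
            current.setdefault(name.upper(), []).append((params.upper(), value))
    return events


def audit_feed(feed_url: str, ics: str) -> list:
    """Flag links/attachments that leave the feed's host, and inline binary attachments."""
    feed_host = urlparse(feed_url).hostname
    findings = []
    for event in parse_events(ics):
        uid = event.get("UID", [("", "?")])[0][1]
        for prop in LINK_PROPS:
            for params, value in event.get(prop, []):
                if prop == "ATTACH" and "ENCODING=BASE64" in params:
                    findings.append({"uid": uid, "property": prop, "url": "",
                                     "host": "", "reason": "inline binary attachment"})
                    continue
                for url in URL_RE.findall(value):
                    url = url.rstrip("\\.,;)")  # drop iCalendar escapes / punctuation
                    host = urlparse(url).hostname or ""
                    if host != feed_host:
                        findings.append({"uid": uid, "property": prop, "url": url,
                                         "host": host, "reason": "off-host link"})
    return findings


if __name__ == "__main__":
    for f in audit_feed(FEED_URL, SAMPLE_FEED):
        print(f"{f['uid']}: {f['property']} -> {f['reason']} {f['url']}")
```

Run it against a feed fetched with the same URL the calendar client uses; events that predate the subscription yet suddenly carry off-host links are the signal, since background syncs of old subscriptions are exactly what a domain squatter inherits.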
New York’s new hospital cybersecurity mandates may raise the bar nationwide.
New York’s new hospital cybersecurity mandates will likely influence security expectations well beyond the state, according to Chris Stucker, deputy CISO at Froedtert ThedaCare Health. The rules, effective Oct. 1, require multifactor authentication, formal risk analysis, incident response planning, and a designated, qualified CISO. Stucker says the 72-hour incident reporting rule is straightforward, but the CISO requirement will have nationwide effects given the shortage of experienced leaders. He predicts insurers will soon ask hospitals whether they follow New York’s model, pushing others to align. Stucker adds that New York facilities may begin recruiting CISOs from other states, affecting the broader workforce. He also highlights emerging safe-harbor protections elsewhere and says Froedtert ThedaCare is focused on identity modernization and zero-trust projects.
Scammers target Cyber Monday shoppers.
CloudSEK has uncovered a massive holiday-season scam involving more than 2,000 fake online stores designed to steal shoppers’ money and personal information during peak events like Black Friday and Cyber Monday. The firm identified two major clusters: one linking over 750 sites, including 170 Amazon impersonators using identical banners and urgency timers, and another group of more than 1,000 .shop domains spoofing brands such as Apple, Samsung, Dell, and Ray-Ban. All load resources from shared infrastructure, revealing a coordinated operation. Victims are funneled to shell checkout pages that harvest payment data, often routed through China-based hosts. CloudSEK estimates each fake site could net thousands of dollars before takedown. Researchers warn these scams could significantly erode trust in e-commerce and urge shoppers to avoid deals that seem unreal, suspicious domains, aggressive urgency tactics, and stores with identical templates.
Monday business brief.
Cybersecurity investment and M&A activity accelerated this past week across sectors spanning consumer protection, offensive security, product security, identity, AI risk, and observability. Israeli consumer security firm Guardio raised $80 million led by ION Crossover Partners to expand its detection engine, AI-era protection layers, and global go-to-market efforts. Offensive security startup Twenty emerged from stealth with $38 million and a Pentagon contract, while product security company Clover secured $36 million to double its workforce. Method Security raised $26 million to scale its autonomous cyber platform for government and critical enterprises, and identity startup Opti emerged with $20 million for product expansion. AI procurement platform Coverbase collected $20 million, AI agent security firm Vijil raised $17 million, and Runlayer secured $11 million.
M&A included Palo Alto Networks’ $3.35 billion acquisition of Chronosphere to pair observability with autonomous AI remediation, plus deals by Redsquid, Xoriant, Amplix, and Keycard, which acquired Runebook to expand its AI-agent ecosystem.
Coming up after the break on our Afternoon Cyber Tea segment, Ann Johnson speaks with Microsoft’s Amy Hogan-Burney. We’ll be right back.
Welcome back. You can find a link to Ann and Amy's full conversation in our show notes and catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.
Google gets caught reheating someone else’s holiday recipe.
Google spent the week discovering that “family recipes” generated by AI sometimes look suspiciously like someone else’s family recipes. A NotebookLM promo on X showcased a cozy infographic for “Classic Buttery Herb Stuffing,” only for users to notice it matched a HowSweetEats blog post almost ingredient for ingredient. Nate Hake, who tracks AI slop, accused Google of scraping content, skipping attribution, and quietly repackaging it as marketing material. Google deleted the post with the same enthusiasm one deletes burnt stuffing and moved on, though Microsoft recently suffered a similar embarrassment. All this arrives as Google tests ads inside AI-generated answers, blurring the line between citations and sponsored links. OpenAI is experimenting with ads too, suggesting the future of “helpful AI answers” may look a lot like the internet’s old business model, only with more cheerful recipe cards.
Programming Note: Our team was invited by NATO Cyber Coalition to cover their 2025 Cyber Range Exercise. Stay tuned for our coverage from the event later this week; we were one of three podcasts invited and the only one based in the US. Our T-Minus Space Daily host Maria Varmazis and N2K Producer Liz Stokes are on the ground in Tallinn, Estonia.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
