FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks
CISA and FBI Director Kash Patel jointly warned Friday that Russian intelligence-linked threat actors are running an active, widescale phishing campaign against users of encrypted commercial messaging apps, primarily Signal and WhatsApp. The campaign has already resulted in unauthorized access to thousands of individual accounts belonging to current and former U.S. government officials, military personnel, political figures, and journalists. The attacks do not exploit any vulnerability in Signal or WhatsApp themselves. Instead, the attackers combine several tactics: malicious QR codes that abuse the apps’ legitimate “linked devices” feature to silently mirror a victim’s conversations to an attacker-controlled device, device code phishing via fake app invitations, and spoofed support messages impersonating the apps’ own security teams to harvest PINs and 2FA codes. CISA and the FBI urged high-value individuals to enable phishing-resistant FIDO authentication, activate Lockdown Mode on iPhones, move away from SMS-based MFA, and periodically audit the linked devices list in both Signal and WhatsApp for unauthorized pairings.
US Seizes Domains and Infrastructure Used in Sprawling Botnet Campaigns
The U.S. Justice Department, in coordination with law enforcement in Germany and Canada, announced the seizure of command-and-control infrastructure, virtual servers, and domains underpinning four major IoT botnets: Aisuru, KimWolf, JackSkid, and Mossad. Together the four had compromised over three million devices globally, including cameras, routers, and streaming devices, and had collectively issued more than 316,000 DDoS attack commands against victims worldwide, including IP addresses owned by the Department of Defense Information Network. The Aisuru botnet is responsible for the largest publicly documented DDoS attacks in history, including a 31.4 Tbps peak in December 2025. KimWolf drew particular notice from researchers for its novel technique of infiltrating residential proxy networks to compromise devices sitting behind home routers, a method that evades the IP-blocking approaches that typically stop internet-facing attacks. The Justice Department did not announce arrests in connection with the takedown, instead describing the action as an infrastructure disruption designed to prevent further infections and eliminate or limit the botnets’ ability to launch future attacks. That approach is consistent with the FBI’s increasingly common strategy of using civil seizure authority to disrupt criminal infrastructure even when criminal prosecution is not yet ripe.
Navia Benefit Solutions Discloses Data Breach Impacting 2.7 Million People
Navia Benefit Solutions, a benefits administration company serving more than 10,000 employers across the U.S. that manages Flexible Spending Accounts, Health Savings Accounts, Health Reimbursement Arrangements, commuter benefits, and retirement services, has notified nearly 2.7 million individuals that their personal data was stolen. Hackers maintained unauthorized access to company systems from December 22, 2025 through January 15, 2026; the breach was discovered on January 23. Exposed data includes names, Social Security numbers, dates of birth, financial account information, health insurance details, and other sensitive personal records, though Navia says claims data and financial payment information were not affected. Affected individuals are being offered 12 months of identity monitoring through Kroll. No ransomware group has claimed the attack. The breach adds to a growing pattern of benefits administration and HR software vendors being targeted as high-value single points of compromise, where one successful intrusion exposes the full employee populations of thousands of downstream client organizations.
US Soldier Sentenced for Helping North Korean IT Workers
A U.S. Army soldier has been sentenced after pleading guilty to charges stemming from his role in helping North Korean nationals fraudulently obtain remote IT employment at American companies. He is the first active-duty military member to face criminal prosecution in connection with North Korea’s sprawling IT worker scheme, which the U.S. government estimates has generated hundreds of millions of dollars for Pyongyang’s weapons programs. The case follows a steady stream of prosecutions over the past 18 months targeting U.S.-based enablers of the scheme, including laptop farm operators in Arizona, Tennessee, Florida, and Maryland. The military angle is significant: it raises concerns that North Korean operatives may be deliberately cultivating relationships with U.S. service members as facilitators, exploiting financial pressures or other vulnerabilities to recruit insiders with elevated system access and security clearances. The Justice Department has increasingly framed the IT worker scheme not merely as fraud but as a national security threat, noting that North Korean workers have in multiple documented cases attempted to exfiltrate sensitive data, extort their employer companies, and gain access to government contractor systems after being placed in roles requiring clearances.
Operation Alice Takes Down 370,000+ Dark Web Sites
A Europol-backed, German-led law enforcement operation called Operation Alice has dismantled over 373,000 dark web sites that were advertising child sexual abuse material (CSAM) and cybercrime-as-a-service tools. The operation relied on a creative honeypot strategy: it began by targeting a fraudulent dark web marketplace called “Alice with Violence CP”, a scam platform run by a Chinese national that defrauded would-be CSAM buyers, and turned that investigation into a nearly five-year intelligence-gathering effort that unmasked the identities of 440 customers who attempted to purchase illegal material. The operation ran from March 9-19, 2026, and Europol said investigations are actively continuing into more than 100 of the 440 identified individuals, with authorities acting immediately in any case where a child was assessed to be in danger. In one 2023 case, Bavarian police raided the home of a 31-year-old father who had attempted to purchase CSAM; he was subsequently convicted. The simultaneous takedown of hundreds of thousands of dark web sites, the infrastructure underlying both the CSAM and cybercrime-as-a-service marketplaces, reflects a maturing law enforcement strategy of using criminal honeypots to map and then disrupt entire illicit ecosystems rather than targeting individual vendors one at a time.