CyberSecurity
Romance Scam: Ghanaian Admits Role in $100 Million Fraud Ring
From Online Romance to Financial Ruin
Derrick Van Yeboah, a 40-year-old Ghanaian national, has admitted his part in a devastating global fraud scheme. The operation, primarily based in Ghana, used emotional manipulation and corporate deception to steal more than $100 million from victims worldwide. Van Yeboah’s guilty plea, announced by the U.S. Justice Department, reveals a calculated pattern of exploitation.
His method was chillingly simple. He would create fake online personas, posing as a romantic partner to build trust with vulnerable individuals. Once that emotional connection was established, he would convince them to send money directly to the criminal network. Van Yeboah also confessed to helping launder funds stolen from other victims by his co-conspirators.
The Dual Threat: Romance Scams and Business Email Compromise
Van Yeboah’s criminal portfolio wasn’t limited to preying on lonely hearts. He also actively participated in Business Email Compromise (BEC) attacks. In these schemes, he would impersonate company executives or trusted suppliers. The goal was to trick employees into wiring corporate funds to bank accounts he controlled.
This dual approach highlights the adaptability of modern fraud rings. They target both the personal vulnerabilities of individuals and the procedural weaknesses within businesses. The financial toll is staggering. Van Yeboah alone is responsible for over $10 million of the gang’s total haul, a sum he has now agreed to forfeit and use for restitution.
A Costly Global Epidemic
The case underscores a multibillion-dollar criminal industry. According to FBI data, romance and confidence fraud cost Americans over $672 million in a single year, based on nearly 18,000 reports. Business Email Compromise is even more lucrative for criminals, netting nearly $2.8 billion annually.
While West Africa remains a significant hub, these operations are a global plague. Scam compounds in Southeast Asia, often staffed by trafficked victims, churn out endless romance and investment frauds. A recent UN report described these criminal enterprises as spreading “like a cancer,” generating enormous profits for shadowy bosses while devastating lives.
Justice Served, But Vigilance Required
Van Yeboah pleaded guilty to one count of conspiracy to commit wire fraud, a charge that carries a maximum prison sentence of 20 years. His plea follows his extradition from Ghana and indictment last August alongside two other alleged conspirators.
U.S. Attorney Jay Clayton framed the conviction as a stark warning. “Many New Yorkers search for companionship online, and no one deserves to have their vulnerability met with fraud and theft,” he stated. The case is a painful reminder: be extremely cautious with anyone you meet online who asks for money. If an online opportunity or relationship seems too good to be true, it almost certainly is.
Convictions like this are rare in the vast landscape of cybercrime. Just last month, another fraudster, Chinese national Daren Li, was sentenced to 20 years for a separate $73 million crypto-investment scam. Each prosecution is a small victory, but the battle against these transnational fraud networks is far from over.
CyberSecurity
LeakBase Data Breach Forum Seized in Major Europol Operation
Global Law Enforcement Shuts Down Major Data Marketplace
A sprawling online bazaar for stolen personal information has been erased from the web. In a coordinated international strike, law enforcement agencies led by Europol seized the domains of LeakBase, one of the world’s largest public forums for trading hacked data.
The site operated openly on the surface web, not the dark web, acting as a bustling marketplace. Its primary commodity was ‘stealer logs’—vast archives of usernames, passwords, and other credentials siphoned from victims’ computers by infostealer malware.
By the time of its takedown, the forum had grown to a massive community. Europol’s investigation revealed over 142,000 registered users, who had exchanged more than 215,000 private messages. The platform facilitated thousands of illegal transactions.
Operation Leak: Arrests, Searches, and a Clear Message
The action, codenamed ‘Operation Leak,’ culminated on March 3. Police across eight countries—including the US, UK, Australia, and several European nations—executed arrests, conducted house searches, and held interviews with suspects.
Authorities specifically targeted the platform’s most active members. Europol confirmed that 37 high-profile users were in their crosshairs, with dozens more under investigation. A day later, the final blow landed: the seizure of LeakBase’s domains.
Visitors to the site now find a law enforcement banner in its place. Crucially, investigators also captured the forum’s entire customer database, a treasure trove of evidence for identifying users who believed they were anonymous.
“This operation shows that no corner of the internet is beyond the reach of international law enforcement,” stated Edvardas Šileris, head of Europol’s European Cybercrime Centre. “What began as a shadowy forum for stolen data has now been dismantled.”
The message to cybercriminals was unequivocal. Trafficking in stolen information will lead to consequences. The anonymity of these platforms is an illusion.
The Endless Game of Whack-a-Mole
The takedown of LeakBase is the latest chapter in an ongoing battle against data trading forums. Its predecessors, like RaidForums and BreachForums, met similar fates in recent years.
Yet the problem persists, driven by an explosion in infostealer malware. One report indicated a staggering 800% increase in stolen credentials in the first half of 2025 compared to the previous six months, totaling 1.8 billion records.
This creates a ‘whack-a-mole’ dynamic. As soon as one forum is shuttered, another often pops up. The FBI and French police, for instance, had to shutter a new BreachForums domain again in 2025, just a year after its initial takedown.
The fight is expanding on multiple fronts. In a related move, a separate operation involving Microsoft and Europol recently disrupted ‘Tycoon2FA,’ a phishing-as-a-service site that helped criminals bypass multi-factor authentication (MFA) protections.
While each victory is significant, the sheer volume of stolen data and the profitability of the trade ensure that law enforcement’s work is never done. Operations like this one, however, prove that the moles can be hit hard.
CyberSecurity
FreeScout Zero-Click Bug: Critical RCE Threatens Helpdesk Security
A Silent Takeover: The FreeScout Zero-Click RCE
Imagine your helpdesk system, a hub for customer communication and sensitive data, being compromised without anyone clicking a link. That’s the stark reality of a newly disclosed maximum-severity vulnerability in the open-source FreeScout platform. Dubbed CVE-2026-28289, or Mail2Shell, this flaw allows an unauthenticated attacker to execute remote code simply by sending a specially crafted email to any address configured within the software.
Security firm Ox Security uncovered the bug, revealing it as a bypass for a previously patched vulnerability (CVE-2026-27636). Their discovery highlights a persistent problem in cybersecurity: incomplete fixes. “We found a patch bypass that let us reproduce the same RCE on newly updated servers,” Ox Security stated. “It shows how quickly inadequate fixes can be circumvented.” The researchers didn’t stop there. They escalated the attack chain, transforming it into a true zero-click threat requiring no user interaction whatsoever.
Widespread Impact and Urgent Mitigation
The potential fallout is severe. With full server control, attackers could exfiltrate all data from helpdesk tickets and mailboxes. They could also pivot laterally to other systems on the network, turning a single compromised application into a gateway for a broader breach. Ox Security estimates thousands of customers may be at risk, noting over 1,100 publicly exposed FreeScout instances.
The immediate action is clear. All FreeScout administrators must upgrade to version 1.8.207 or later without delay. There’s a critical configuration step, too. Even on the latest version, you must disable the AllowOverride All directive in the Apache configuration on the FreeScout server. This layered defense is essential to close the door completely.
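As an added illustration of that configuration change (this is not code from the article, from Ox Security, or from the FreeScout project), the fragment below shows the weak Apache setting next to its hardened form for a FreeScout document root. The path /var/www/freescout/public and the rewrite rules are assumptions: FreeScout is a Laravel application, and on a typical install the front-controller rewrite lives in public/.htaccess, a file Apache stops reading once AllowOverride is None, so the equivalent rules have to move into the server configuration. The first Directory block is shown only for contrast; in a real configuration only the hardened block should remain.

```apache
# Weak setting: every .htaccess found under the document root is honoured,
# so any ability to write a file into that tree is also an ability to change
# server behaviour for that directory.
<Directory /var/www/freescout/public>
    AllowOverride All
    Require all granted
</Directory>

# Hardened setting (assumed path; adjust to your own install).
<Directory /var/www/freescout/public>
    # .htaccess files are ignored entirely; only this server config applies.
    AllowOverride None
    Require all granted

    # mod_rewrite in a <Directory> context needs FollowSymLinks;
    # -Indexes stops directory listings of the public tree.
    Options -Indexes +FollowSymLinks

    # Front-controller rewrite that FreeScout's public/.htaccess would
    # otherwise supply (assumption: compare these lines with the .htaccess
    # shipped in your installation before you stop relying on it).
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</Directory>
```

After editing, validate the configuration with apachectl configtest (apache2ctl configtest on Debian-based systems) before reloading, and check that no other vhost or include still grants AllowOverride All for the FreeScout tree, for example with grep -rn "AllowOverride" /etc/apache2/ on Debian-family hosts or /etc/httpd/ on RHEL-family hosts. Confirming that the helpdesk still routes requests correctly after the reload is part of the change, since the rewrite now lives in the server config rather than in the application directory.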
The Peril of Patch Bypasses and Incomplete Fixes
This incident isn’t an isolated case. It’s a symptom of a chronic industry issue. Threat actors have made a science of dissecting security patches. “They routinely diff patches, probe fixes, and search for variant exploitation paths within hours of disclosure,” Ox Security warned. A patch that doesn’t address the root cause or misses variant code paths is just a temporary roadblock.
History backs this up. In 2021, Google’s Project Zero found that a quarter of the previous year’s zero-day exploits could have been avoided with more thorough patching. Trend Micro’s Zero Day Initiative later highlighted the staggering cost of faulty updates, estimating it could burden customers with over $400,000 per botched patch. The message is consistent: patch quality and comprehensive root-cause analysis are non-negotiable for security.
Securing Your Helpdesk’s Future
What does this mean for teams running FreeScout or similar software? Vigilance must be continuous. Applying updates promptly is the first step, but it can’t be the last. Administrators should treat every patch as a potential starting point for attackers, not an absolute finish line. Monitoring for anomalous system behavior and maintaining strict network segmentation for critical applications like helpdesks are crucial defensive layers.
The FreeScout vulnerability serves as a powerful reminder. In our interconnected digital environments, a single line of flawed code can become an open invitation. Proactive maintenance, defense-in-depth, and a healthy skepticism toward “fixed” vulnerabilities are the best tools to ensure your helpdesk remains a tool for support, not a vector for attack.
CyberSecurity
Coruna Exploit Kit: How a Sophisticated Toolkit Targets Older iPhones
The Coruna Exploit Kit: A New Threat for Older iPhones
Cybersecurity experts at Google have pulled back the curtain on a remarkably advanced piece of malware. Dubbed Coruna, this exploit kit represents one of the most comprehensive collections of iOS vulnerabilities ever seen in active attacks. It’s a toolkit built not for mass infection, but for precise, targeted compromise.
The kit contains five complete exploit chains and leverages 23 distinct vulnerabilities. Its goal is singular: to silently infiltrate Apple iPhones and siphon off sensitive financial information. What makes Coruna particularly concerning is its sophistication. Researchers note it employs several previously unseen exploitation methods and cleverly bypasses Apple’s built-in security mitigations.
From Espionage to Financial Theft: The Kit’s Evolving Use
The story of Coruna’s discovery reads like a cyber-thriller. First spotted in early 2025, its initial use was linked to a customer of a commercial surveillance vendor. The plot thickened later that year when investigators traced the same tools to highly targeted attacks against users in Ukraine. These operations were attributed to a suspected Russian espionage group known as UNC6353.
By late 2025, the toolkit’s purpose had shifted. It reappeared in broader campaigns orchestrated by a financially motivated actor operating from China, tracked as UNC6691. This group distributed the exploits through a network of convincing fake websites. Posing as legitimate financial and cryptocurrency platforms, these sites lured victims into visiting with their iPhones.
The attack was stealthy. A hidden frame on the webpage would silently deliver the exploit kit the moment an iOS device loaded the site. Researchers managed to recover hundreds of samples during this phase, painting a clear picture of the operation’s scale.
How the Coruna Exploit Kit Operates
This isn’t a blunt instrument. The framework surrounding the exploits is highly engineered for efficiency and evasion. It begins with a reconnaissance phase. Before firing a single exploit, the kit first profiles the visitor’s device. It identifies the exact iPhone model and iOS version, like a burglar casing a house.
Only after this fingerprinting does it select the correct, compatible exploit chain from its arsenal. This tailored approach increases its success rate dramatically. The kit’s key technical features include:
- Precise Device Fingerprinting: Identifies specific iPhone models and software versions to choose the right attack path.
- Automatic Vulnerability Selection: Picks the perfect WebKit flaw to exploit based on the device profile.
- Advanced Bypass Techniques: Designed to circumvent Apple security protections like pointer authentication.
- Stealthy Delivery: Uses custom encryption and compression to hide its malicious payloads during delivery.
A final binary loader then deploys the attack’s last stage once the initial browser exploit succeeds, completing the device compromise.
The Ultimate Goal: Stealing Your Financial Data
What happens after the phone is hacked? Unlike many surveillance tools, Coruna’s payload, called PlasmaLoader, has a very specific focus. It installs itself within a system process and goes hunting for money.
The malware scans the device’s stored images, looking for QR codes that might lead to crypto wallets or accounts. It rummages through text files, searching for tell-tale keywords like “backup phrase,” “seed phrase,” or “bank account.” Its objective is to find cryptocurrency wallet recovery phrases—the keys to a digital fortune. Any discovered data is immediately transmitted to servers controlled by the attackers.
Is your device safe? There is a clear line of defense. Google confirms the exploit kit is ineffective against the latest iOS versions. The company has already added related malicious domains to its Safe Browsing protection lists. The advice from experts is straightforward and emphatic: update your device. Installing the newest iOS software is the single most effective action you can take. For devices that can no longer receive updates, enabling Apple’s Lockdown Mode provides a critical layer of additional protection.