Connect with us

CyberSecurity

Operation Atlantic Freezes $12 Million in Crypto Losses: How Approval Phishing Scams Were Disrupted

Published

on

Operation Atlantic Freezes $12 Million in Crypto Losses: How Approval Phishing Scams Were Disrupted

In a coordinated crackdown spanning three continents, law enforcement agencies from the United Kingdom, the United States, and Canada have joined forces to combat a rising tide of digital theft. The initiative, known as Operation Atlantic, has already frozen $12 million in crypto losses tied to a deceptive technique called approval phishing. This marks a significant victory in the ongoing battle against cryptocurrency fraud, which continues to drain billions from victims worldwide.

What Is Approval Phishing and How Does It Work?

Approval phishing is a sophisticated form of cybercrime where scammers trick victims into granting full access to their cryptocurrency wallets. Typically, this involves fake alerts or pop-ups that appear to come from trusted apps or services. Once the victim approves the transaction, the scammer can drain the wallet without needing passwords or private keys.

This method has become increasingly common, partly because it exploits the trust users place in legitimate platforms. According to a report from blockchain analytics firm Chainalysis, approval phishing scams netted criminals at least $1 billion between May 2021 and December 2023. The technique often incorporates romance fraud tactics, where scammers build emotional connections with victims before convincing them to sign approval transactions.

Operation Atlantic: A Global Response to Crypto Fraud

Operation Atlantic, led by the UK’s National Crime Agency (NCA) with support from the US Secret Service, Ontario Provincial Police, and Ontario Securities Commission, ran for one week last month. The operation resulted in the freezing of $12 million in crypto losses and identified an additional $33 million stolen through similar schemes.

Private sector partners, including Binance, Coinbase, Tether, and blockchain analytics firms Elliptic, TRM Labs, and Chainalysis, played a crucial role. The NCA reported that multiple fraud networks were “disrupted” during the operation, with over 20,000 crypto wallets linked to fraud victims across more than 30 countries identified. Authorities also contacted 3,000 victims directly and disrupted over 120 web domains used for fraudulent schemes.

Miles Bonfield, NCA deputy director of investigations, emphasized the power of collaboration: “This intensive action has led to the safeguarding of thousands of victims in the UK and overseas, stopped criminals in their tracks, and helped save others from losing their funds.” He added, “We know that fraudsters operate globally and, together with our international partners, so will the NCA to target them wherever they are based.”

The Scale of Crypto Crime: Billions Lost Annually

The success of Operation Atlantic highlights a broader problem. According to the FBI’s Internet Crime Report 2025, cryptocurrency-related crime cost victims over $11.3 billion last year. Cryptocurrency investment fraud alone accounted for $7.2 billion in losses—the vast majority of the $8.6 billion lost to all investment scams. This makes crypto fraud the highest-earning crime category for cybercriminals, far surpassing traditional phishing, which accounted for an estimated $215 million.

Brent Daniels, assistant director for the US Secret Service’s Office of Field Operations, noted: “Operation Atlantic demonstrated the importance and need for international collaboration to stop cryptocurrency fraud. Through this operation, investigators prevented millions of dollars in fraud losses and disrupted millions more in fraudulent transactions, denying criminals the ability to prey on innocent victims.”

How to Protect Yourself from Approval Phishing

Protecting against approval phishing requires vigilance. Never approve transactions from unsolicited pop-ups or emails, even if they appear legitimate. Always verify the source by contacting the service directly through official channels. Use hardware wallets for large holdings and enable multi-factor authentication where possible.

For more insights, read our guide on how to avoid crypto scams. Additionally, stay updated on the latest cryptocurrency fraud trends to recognize emerging threats.

Conclusion: A Model for Future Enforcement

Operation Atlantic serves as a powerful example of what global cooperation can achieve. By freezing $12 million in crypto losses and disrupting extensive fraud networks, the initiative has sent a clear message to cybercriminals. However, with billions still at stake, continued collaboration between law enforcement and the private sector remains essential. As the crypto landscape evolves, so too must the strategies to protect investors from exploitation.

CyberSecurity

Nightmare Eclipse Strikes Again: ‘LegacyHive’ Windows Zero-Day Lands on Patch Tuesday

Published

on

LegacyHive Windows zero-day

Another Patch Tuesday, Another Zero-Day From a Disgruntled Researcher

On July 14, 2026 — the same day Microsoft shipped its latest batch of security fixes — the security researcher known as Nightmare Eclipse (also called Chaotic Eclipse) published yet another unpatched Windows vulnerability. This one is called LegacyHive.

It’s a local privilege escalation bug hiding inside the Windows User Profile Service. Successful exploitation lets an attacker load other users’ registry hives, including those belonging to administrators. That’s a direct path to gaining higher privileges on a compromised machine.

The timing is deliberate. Nightmare Eclipse has made a habit of dropping zero-days on or near Patch Tuesday, maximizing pressure on Microsoft while minimizing the window for defenders to react.

What LegacyHive Does — and What It Doesn’t Do (Anymore)

The proof-of-concept (PoC) exploit code works on systems running the July 2026 patches. According to the researcher, the PoC requires credentials for a standard user account plus a third username — which can be an admin account. If it succeeds, the exploit mounts the target user’s hive into the current user’s classes root.

Here’s where it gets interesting. Nightmare Eclipse released LegacyHive with a stripped PoC — deliberately neutered to reduce the chance of immediate in-the-wild exploitation. That’s a departure from previous drops.

The original version, the researcher claims, didn’t need user credentials at all. It could load any hive, not just the usrclass.dat file. That full-power variant is still possible, the researcher says, but would require extra work to reconstruct.

Why Strip the PoC?

It’s a calculated move. By releasing a limited proof-of-concept, Nightmare Eclipse publicizes the vulnerability’s existence without handing attackers a ready-made weapon. Security teams can test defenses and Microsoft can develop a patch — but the bar for real-world exploitation stays higher than it would be with a full exploit.

Whether that restraint holds is another question. Other researchers or threat actors could reverse-engineer the stripped code and rebuild the missing functionality.

Nightmare Eclipse’s Growing Zero-Day Arsenal

This isn’t a one-off. Nightmare Eclipse has now released more than half a dozen zero-days targeting Microsoft products. The list includes BlueHammer, RedSun, and UnDefend — all of which have been spotted in active attacks. Then there are GreenPlasma, RoguePlanet, YellowKey, and GreatXML.

Each one follows a similar pattern: a focused, single-vulnerability exploit with enough detail to demonstrate the flaw but often short of a full weaponized payload. The cumulative effect is a steady drumbeat of unpatched Windows bugs that keeps defenders scrambling.

For context on related attack techniques, see Windows Bind Link Attacks Can Hide Malware From EDR Tools.

Microsoft Hasn’t Responded Yet

As of publication, Microsoft has not acknowledged the LegacyHive vulnerability. SecurityWeek reached out to the company for comment but hasn’t received a reply. This article will be updated if and when Microsoft responds.

The lack of official acknowledgment is itself telling. Microsoft typically stays silent on zero-days until it has a patch ready or the vulnerability becomes widely exploited. Given Nightmare Eclipse’s track record, it’s reasonable to expect a fix in a future cumulative update — but no timeline has been offered.

What Defenders Should Do Right Now

Until Microsoft ships a patch, organizations running Windows should take these steps:

  • Monitor for unusual User Profile Service activity. LegacyHive targets this service specifically. Logs showing unexpected hive mounts or privilege escalations are red flags.
  • Restrict standard user credentials. The stripped PoC requires another standard user’s credentials to work. Limiting credential exposure reduces the attack surface.
  • Apply the July 2026 Patch Tuesday updates. Even though LegacyHive works on patched systems, the latest updates fix other critical vulnerabilities. Don’t skip them.
  • Watch for follow-on research. Other researchers may analyze the stripped PoC and release a working exploit. Stay informed through trusted security news sources.

For a broader view of recent Microsoft vulnerabilities, see Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days.

A Pattern That Won’t Stop

Nightmare Eclipse shows no signs of slowing down. The researcher’s motives remain murky — part whistleblower, part provocateur — but the output is consistent: a new Windows zero-day every few months, timed for maximum disruption.

LegacyHive is the latest. It probably won’t be the last.

For related coverage on unpatched flaws in other software, see Unpatched Cursor Vulnerability Exposes Users to Code Execution.

Continue Reading

CyberSecurity

GhostLock: A 15-Year-Old Linux Kernel Flaw Lets Any User Take Full Root Control

Published

on

GhostLock Linux flaw

The Ghost in the Kernel

For fifteen years, a silent vulnerability has sat inside the Linux kernel, waiting. Now, researchers at Nebula Security have pulled back the curtain on GhostLock — officially tracked as CVE-2026-43499. The bug is brutal in its simplicity: any logged-in user, no special permissions required, can seize full root control of an unpatched machine. Container escapes? That’s on the menu too.

This isn’t some obscure edge case. The vulnerable code has shipped by default in nearly every mainstream Linux distribution since 2011. No unusual settings needed. No network access required. Just a user account on the box.

How GhostLock Works: A 15-Year Blind Spot

The flaw lives deep in the kernel’s memory management subsystem — specifically, in how it handles certain locking mechanisms during process scheduling. Nebula Security’s team found that a race condition in the kernel’s futex (fast userspace mutex) implementation allows an attacker to corrupt kernel memory. From there, it’s a straight shot to root privileges.

What makes GhostLock particularly nasty is its longevity. The vulnerable code was introduced in kernel version 2.6.39, released in May 2011. Every major distro that has shipped a kernel based on that version or later — which is essentially all of them — carries the bug. We’re talking about Ubuntu, Debian, Fedora, CentOS, RHEL, SUSE, Arch, and virtually every other distribution in active use.

“This is the kind of bug that keeps infrastructure engineers up at night,” said a Nebula Security researcher in a technical write-up shared with select media. “It’s been there for over a decade, silently compiling into every kernel build.”

Root Access and Container Escape in One Package

GhostLock isn’t just a privilege escalation bug. It also enables container escape — a nightmare scenario for cloud-native environments. An attacker who compromises a single container can break out to the host system and gain root control there too. In multi-tenant Kubernetes clusters or shared hosting platforms, that means one compromised workload can potentially spill into every other workload on the same node.

Nebula Security demonstrated a proof-of-concept exploit that achieves both goals: full root on the host and escape from a Docker container. The exploit runs entirely from user space, requires no special capabilities, and completes in under a second on modern hardware.

Who Is Affected?

Short answer: almost everyone running Linux. Here’s a quick breakdown:

  • Desktop users: Any Linux desktop installed or updated since 2011 is vulnerable if it hasn’t received the GhostLock patch.
  • Server administrators: Every server running a mainstream distro with a kernel from the last 15 years needs patching immediately.
  • Cloud and container environments: Kubernetes nodes, Docker hosts, and any container orchestration platform are at risk for container escape attacks.

Nebula Security has not released the full exploit code publicly, but they have shared technical details with kernel maintainers and major distro security teams. Patches are already rolling out.

What You Need to Do Right Now

The fix is straightforward: update your kernel. All major distributions have released or are in the process of releasing patched kernels. Here’s the action plan:

  1. Check your kernel version: Run uname -r to see what you’re running. If it’s older than the patched version for your distro, you’re exposed.
  2. Apply updates immediately: Use your package manager to install the latest kernel. For Ubuntu/Debian: sudo apt update && sudo apt upgrade. For RHEL/CentOS/Fedora: sudo dnf upgrade.
  3. Reboot: Kernel updates require a reboot to take effect. Plan maintenance windows for production systems.
  4. For container environments: Update the host kernel, then restart all containers. Container escape protections like user namespaces and seccomp profiles can help but do not fully mitigate GhostLock.

Nebula Security also recommends enabling kernel address space layout randomization (KASLR) and disabling unprivileged user namespaces where possible — though these are mitigations, not fixes. The only real cure is the kernel patch.

For those running long-term support (LTS) kernels, check your distro’s security advisory page. Canonical, Red Hat, and SUSE have all issued advisories for CVE-2026-43499.

The Bigger Picture: 15 Years of Silent Exposure

GhostLock raises uncomfortable questions about kernel security auditing. How many other bugs have been sitting in plain sight for over a decade? The Linux kernel is one of the most audited pieces of software on the planet, yet this one slipped through. It was introduced in a routine commit that touched memory management code — exactly the kind of change that rarely gets the scrutiny it deserves.

“The futex code is notoriously complex,” noted a kernel developer who asked not to be named. “It’s been rewritten multiple times, and each rewrite can introduce subtle new races. Catching something like this requires not just code review but systematic fuzzing and formal verification.”

Nebula Security’s discovery was the result of targeted fuzzing of the futex subsystem — a reminder that even mature, well-tested codebases can harbor critical vulnerabilities. The researchers have published a detailed technical analysis of the GhostLock vulnerability for those who want to dig into the kernel internals.

For now, the message is simple: patch your kernels. GhostLock has been hiding in plain sight for 15 years. Don’t let it stay there any longer.

Continue Reading

CyberSecurity

WriteOut Flaw: How a Session Token Leak Could Have Exposed Every Writer AI Tenant

Published

on

Writer AI flaw

They called it WriteOut. And it could have blown open every tenant on the Writer AI platform.

Cybersecurity researchers at Sand Security have revealed the details of a critical vulnerability in Writer, an enterprise generative AI platform. The flaw, now patched, allowed a one-click attack that could leak session tokens across tenants — effectively letting an outsider hijack any agent preview without ever logging in.

The bug is being tracked as WriteOut. And it’s a textbook case of what happens when session isolation isn’t bulletproof.

What exactly was the Writer AI flaw?

The vulnerability lived inside Writer’s agent preview feature — the sandbox where users test and iterate on AI agents before deploying them. Under the hood, each tenant is supposed to be walled off from every other tenant. That’s basic multi-tenant security: your data, your sessions, your agents — all isolated.

WriteOut broke that wall.

Sand Security found that a malicious actor could craft a specially designed link. Click it, and the victim’s browser would execute a cross-tenant request that leaked their session token. From there, the attacker could impersonate the victim inside Writer, accessing their agents, their prompts, their history — everything.

No credentials needed. No brute force. Just one click.

Cross-tenant compromise: the real danger

Cross-tenant vulnerabilities are the nightmare scenario for any SaaS platform. They mean that a breach at Company A can spill directly into Company B’s data — without either company doing anything wrong.

In Writer’s case, the agent preview feature was the entry point. The platform uses session tokens to keep users authenticated as they move between features. But the token validation logic didn’t properly enforce tenant boundaries during preview requests. A request from Tenant A could include a token from Tenant B, and the server would accept it.

That’s the kind of bug that keeps CISOs up at night.

Sand Security’s team demonstrated the attack with a proof-of-concept they called WriteOut. It required no authentication from the attacker. Just a link, a victim, and a click.

How Writer fixed the session isolation vulnerability

Writer patched the flaw after Sand Security disclosed it responsibly. The fix involved tightening session token validation to ensure that tokens are scoped to their originating tenant. Now, a token from Tenant A simply won’t work when presented to Tenant B’s resources.

The company also added additional checks on the server side to verify tenant identity on every request involving agent previews. It’s the kind of layered defense that should have been there from the start — but at least it’s there now.

Writer has not disclosed whether the vulnerability was ever exploited in the wild. But given the nature of the bug — a cross-tenant session leak — the potential blast radius was enormous. If an attacker had discovered WriteOut before Sand Security did, they could have silently harvested tokens from any Writer user who clicked a malicious link.

That’s the quiet danger of session isolation flaws: no alarms, no unusual login activity. Just a stolen token and a ghost in the machine.

What this means for enterprise AI security

Writer is far from alone. Enterprise AI platforms are being built at breakneck speed, and security often takes a backseat to shipping features. Agent previews, custom model tuning, and collaborative workspaces all introduce new surfaces for cross-tenant attacks.

The WriteOut vulnerability is a reminder that session isolation isn’t a checkbox — it’s a continuous engineering discipline. Every new feature that touches authentication needs to be audited, not just for its intended behavior, but for what happens when someone sends unexpected data across tenant boundaries.

For enterprises using AI platforms, the lesson is clear: don’t assume your data is walled off just because the marketing materials say so. Ask your vendors about their session isolation architecture. Ask about their bug bounty program. And if they can’t give you a straight answer, that’s an answer in itself.

Key takeaways

  • One-click exploitation: WriteOut required only a single click from a victim to leak their session token.
  • Cross-tenant scope: The flaw broke tenant isolation, meaning data from one organization could be accessed by an attacker posing as a user from another.
  • No authentication needed: The attacker didn’t need valid credentials — just a crafted link and a victim.
  • Patched responsibly: Sand Security disclosed the bug to Writer, which fixed it before public disclosure.

For more on securing generative AI workflows, check out our guide on AI platform security best practices and how to audit session token handling in multi-tenant SaaS apps.

Writer has since confirmed the patch is complete and no customer data was compromised. But WriteOut will go down as a near-miss — one that could have exposed every agent, every prompt, and every session on the platform.

Continue Reading

Trending