Connect with us

Infosecurity

Taiwan Charges Two Businessmen for Allegedly Helping Chinese Espionage Campaign

Published

on

Chinese espionage campaign

Two Taiwanese Executives Accused of Feeding Accounts to Chinese Hackers

Taiwanese prosecutors have formally charged two local businessmen for allegedly running a company that supplied hacked messaging accounts to Chinese state-backed cyber operators. The case, announced Tuesday by Taiwan’s Ministry of Justice Investigation Bureau, adds a concrete legal dimension to what researchers describe as a sprawling, years-long phishing campaign.

The suspects are accused of collecting and leasing accounts for LINE, the dominant messaging app in Taiwan and much of East Asia. Investigators say the accounts were rented to Xiamen Empress Information Technology, a Chinese firm they link to the Chinese Communist Party’s cyber apparatus, for roughly 1,100 yuan ($162) per account. The goal was simple: impersonate real journalists to trick politicians, academics, and activists into downloading malware.

The Fake Reporter Trap: How the Scheme Worked

According to the bureau, the company’s director gathered LINE accounts registered with Taiwanese mobile numbers — a crucial detail, because locals trust numbers from their own country. Chinese operators then used those accounts to pose as reporters from outlets including the International Consortium of Investigative Journalists (ICIJ).

The fake journalists would request interviews or ask targets to contribute articles. Standard phishing fare. But the twist came next: the attackers pushed a fake encrypted communications app, claiming it was needed to protect sources. Instead, it deployed malware designed to take over the victim’s computer.

Prosecutors searched the company’s offices and other locations during two operations earlier this year. This week, they issued deferred prosecution orders against the two executives, charging them with violations of Taiwan’s Personal Data Protection Act and other offenses.

A Campaign Backed by Research

The charges line up with findings published earlier this year by the ICIJ and researchers at The Citizen Lab, based at the University of Toronto. That report documented a Beijing-linked phishing campaign targeting journalists, democracy activists, and members of Uyghur, Tibetan, Hong Kong, and Taiwanese communities abroad.

The Citizen Lab said the operation relied on more than 100 malicious internet domains over nine months. The researchers noted something else unusual: mistakes in some phishing emails suggested the attackers may have used artificial intelligence to automate message generation and target selection. It’s a sign that even state-backed hackers are experimenting with AI tools to scale their operations.

“The attackers noted that journalists routinely use secure messaging tools to protect confidential sources and encouraged victims to download the fake software,” the Investigative Bureau said in its statement.

Why LINE Accounts Were the Key

LINE is deeply embedded in Taiwanese daily life — used for everything from work chats to family groups. A message from a local number on LINE carries instant credibility. By renting accounts that already had Taiwanese registrations, the Chinese operators bypassed the first line of suspicion.

For about $162 per account, they got a digital identity that felt real. It’s a low-cost, high-impact tactic. The suspects allegedly acted as middlemen, collecting the accounts and selling access to the Chinese firm. Prosecutors did not name the company or the executives, citing ongoing investigations.

China’s Denials and the Broader Context

Beijing has repeatedly denied conducting cyber-espionage against foreign governments and civil society organizations. The Chinese foreign ministry did not immediately respond to a request for comment on the Taiwanese charges.

But the case is part of a pattern. Over the past two years, researchers have documented multiple campaigns using stolen or rented messaging accounts to target Taiwanese officials and pro-democracy activists. The use of fake journalist personas is particularly insidious — it exploits the trust that reporters rely on to do their jobs.

The charges also come amid heightened tensions between Taiwan and China. Taipei has increasingly cracked down on what it calls “cross-strait espionage networks” operating through shell companies and tech intermediaries.

What’s Next for the Accused?

The two businessmen face potential prison time if convicted under Taiwan’s Personal Data Protection Act, which carries penalties of up to five years for serious violations involving organized crime or foreign intelligence ties. The deferred prosecution orders suggest they may be cooperating with investigators.

The case serves as a warning to companies operating in gray areas: renting out local digital identities to foreign entities — even if disguised as legitimate business — can land executives in criminal court. And for the rest of us, it’s a reminder that not every friendly message from a local number is what it seems.

For more on how to spot phishing attempts, check out our guide on identifying fake journalist outreach. And if you’re a journalist or activist using secure messaging apps, consider reading our breakdown of safe communication tools for high-risk environments.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

‘Selfish Bravado’ Behind TfL Cyber-Attack, Judge Says as Pair Jailed for Five Years

Published

on

TfL cyber-attack

Two men who breached Transport for London’s systems in 2024, stealing data from millions of Oyster card users and forcing the shutdown of key accessibility services, have been sentenced to five years and six months in prison.

Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty in June 2026 to unauthorized acts under the UK’s Computer Misuse Act. The judge at Woolwich Crown Court, Justice Turner, said the attack was driven partly by “selfish bravado” — not purely by money.

The case is the second criminal prosecution of its kind under the CMA in the UK. And it’s the largest cybercrime prosecution ever brought before British courts, according to the National Crime Agency (NCA).

How the TfL cyber-attack unfolded

Flowers was 17 and Jubair 18 when they first broke into TfL systems on August 31, 2024. They held access for three days.

Their entry point? Partial employee credentials bought from “well-known online criminal marketplaces and forums,” a senior NCA officer confirmed. Then came social engineering: multiple attempts to reset two-factor authentication (2FA) for TfL staff accounts.

“It took multiple attempts to successfully reset that 2FA, so they were persistent — as we know they are,” the officer said. Once inside, the pair escalated privileges, moving deeper into TfL’s network.

Telegram messages between the two showed they knew they’d accessed the database of Oyster cardholders. They even streamed their progress live to an online audience, the judge noted.

£29m in damages — and a near miss for the UK economy

The TfL cyber-attack cost the transport body £29 million ($38 million) in direct losses and recovery. TfL also reported an additional £10 million ($13.5 million) in lost income.

While the hackers never shut down trains or buses, the operational fallout was severe:

  • The Oyster refund system was compromised, forcing TfL to close applications for Oyster photocards for children and young people.
  • The Dial-a-Ride booking system — used by people with disabilities — was taken offline.
  • Live Tube data on apps like TfL Go and CityMapper was suspended.
  • Over 27,000 TfL employees had to reset their passwords in person.
  • Some staff worked from home for the whole of September 2024.

In total, between seven and 10 million people across the UK were affected. Had the attackers succeeded in disabling the transport network, the NCA estimated the cost to the UK economy could have reached £56 billion ($75 billion).

Scattered Spider: from teenage hackers to a major threat

Flowers and Jubair are believed to be part of Scattered Spider, a hacking group linked to attacks on Marks & Spencer and Co-op in 2025. Scattered Spider emerged from a loose collective known as The Com, which also spawned groups like Lapsus$ and ShinyHunters.

The NCA describes Scattered Spider as “the most significant cybercrime threat to the UK in recent years.” Their tactics? Phishing, voice phishing (vishing), SIM swapping, and ransomware.

Jubair’s record is extensive: 22 prior convictions, starting at age 14. In 2023, he received a Youth Rehabilitation Order for offences linked to Lapsus$. He is also wanted by US authorities for alleged cybercrimes involving the theft and extortion of millions of dollars.

Flowers had a history too. In October 2023, West Midlands Police issued him a cease-and-desist notice. He was offered training on computer misuse laws — and turned it down. After his arrest for the TfL hack, he was granted bail but violated conditions twice: once in October 2024 and again in May 2025. He also received a formal warning in March 2025.

Sentencing: youth, neurodiversity, and high expertise

Justice Turner weighed mitigating factors — the defendants’ youth and diagnosed neurodiversity — against aggravating ones, particularly their “high expertise,” which meant they likely understood the full impact of their actions.

The five-and-a-half-year sentences reflect that balance. Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, called the prosecution “the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service (CPS) and our policing partners.”

“Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” Foster added.

What this means for UK cybercrime in 2026

The NCA warns that the threat from serious organized cybercrime to the UK remains “very high” in 2026. While a small number of attacks come from UK-based individuals motivated by notoriety, the vast majority are launched by criminals abroad, driven by financial gain.

The TfL cyber-attack case sets a significant precedent. It shows UK courts are willing to hand down long sentences for cyber intrusions — even when the perpetrators are teenagers. And it underscores the vulnerability of critical public infrastructure to determined, socially engineered attacks.

For TfL, the recovery continues. For the millions of Londoners whose data was exposed, the question remains: how many more attacks like this are coming?

Continue Reading

Infosecurity

ClickLock Stealer: New macOS Malware Locks Your Mac Until You Type Your Password

Published

on

ClickLock Stealer

A new macOS stealer called ClickLock Stealer is making the rounds, and it has a nasty trick: it crashes essential apps in a loop until you type your password. Researchers at Group-IB spotted the malware, which combines a classic social engineering lure with a brutal coercion routine.

Published on June 16, the Group-IB report details how ClickLock Stealer has hit at least 100 victims across 33 countries in roughly two months. More than half of those targets are in Europe. The first sample appeared on VirusTotal on June 9 with zero detections.

This isn’t your average info-stealer. It’s modular, aggressive, and designed to make your machine unusable until you give up the goods.

The ClickFix Lure: Paste a Command, Lose Your Data

It all starts with a ClickFix page. Victims are tricked into copying a command and pasting it into Terminal. The page might pretend to be a Cloudflare verification or a browser update. Once pasted, an orchestrator script kicks in.

That script hides the cursor and plays a fake Cloudflare progress animation. Meanwhile, it downloads four separate components from two compromised WordPress sites. The user thinks they’re waiting for a verification to complete. In reality, their machine is being armed.

The Four Modules of ClickLock Stealer

The malware is built in pieces, each with a specific job:

  • Keychain stealer: Queries macOS for the Chrome Safe Storage key. That’s the AES key that decrypts passwords and cookies stored in Chrome’s offline database. Once obtained, the attacker can dump everything.
  • Credential module: Pops up a fake password dialog built in AppleScript. Here’s the clever (and terrifying) part: it validates the entered password against the local directory service. If you type the wrong password, the dialog just sits there. Only the correct password gets sent to the operator. No typos allowed.
  • Cryptocurrency module: Scans for more than 30 wallet extensions, including MetaMask and Phantom. It extracts encrypted vault fields from LevelDB storage. Crypto assets are a prime target.
  • GSocket backdoor: Installs an open-source reverse-shell tool, reused with roughly 80% of its original code. On macOS, it disguises itself as an iCloud process. This gives the attacker persistent remote access.

Kill Loops: The Coercion Tactic

If you type your password on the first prompt, the attacker gets it along with a system fingerprint. Game over. But what if you cancel? That’s where the coercion begins.

The orchestrator installs two LaunchAgents. These ensure that both credential modules relaunch every time you log in. Then the kill loops start.

A tight cycle terminates Finder, Dock, browsers, Terminal, and Activity Monitor. This cycle runs for up to 83 hours. Your desktop becomes a frozen mess. You can’t click anything. You can’t open a window. The only way to stop the madness is to type your password.

Meanwhile, a parallel loop kills NotificationCenter for about six hours. This suppresses Gatekeeper warnings. You won’t see the security prompts that might normally alert you to malicious activity.

Everything exfiltrates over Telegram. Three separate Telegram bots handle the stolen data. There’s no dedicated command-and-control server. Modules forge timestamps and delete themselves after execution, leaving only the GSocket backdoor behind.

A Broader Shift in macOS Malware

ClickLock Stealer doesn’t exist in a vacuum. The broader macOS stealer ecosystem is evolving fast. The Atomic macOS Stealer (AMOS) family gained an embedded backdoor in July 2025. Just this week, Jamf Threat Labs documented CrashStealer, which uses a signed dropper to bypass Gatekeeper entirely.

Attackers are getting more aggressive. They’re not just stealing data quietly anymore. They’re willing to break your machine to get what they want.

How to Protect Yourself

Group-IB has clear advice. Treat any website that instructs you to paste a command into Terminal as an active attack. Legitimate services never ask you to do this.

If your desktop suddenly starts killing applications and you haven’t entered a password, don’t give in. Force-shutdown the machine. Boot into Safe Mode (hold Shift during startup). Run a malware scan. The password you refuse to type is the one that keeps your data safe.

For more on similar threats, read about Atomic Stealer macOS ClickFix attacks that bypass Apple security warnings.

Continue Reading

Infosecurity

Cash App owner Block to pay $45 million over claims it misled users on security

Published

on

Cash App settlement

Block Inc. agrees to multi-state payout after security failures exposed users to scammers

The parent company of Cash App is forking over $45 million to resolve claims that it downplayed security risks and left users vulnerable to fraud. State attorneys general from 46 states announced the bipartisan settlement with Block, Inc. on Wednesday, accusing the fintech giant of promising protections it never delivered.

New York Attorney General Letitia James was blunt: the company “failed to help users when they were scammed, misled consumers about the safety of Cash App, and failed to provide the fraud protection and resolution that it promised and was required to provide by law.”

Texas will receive $5 million from the settlement. New York gets $1.6 million. Smaller states are collecting less than $1 million each.

What investigators found: no phone support, fake numbers, and unlimited accounts

The probe uncovered a cascade of basic failures. Cash App didn’t offer a phone number for customer support — so users searched online and wound up calling scammers who had set up fake helplines. Block knew this was happening, James said, but didn’t warn customers or launch a real phone line until 2021.

Signing up required no Social Security number or date of birth. There was no cap on how many accounts one person could open. That allowed a single bad actor to run a whole network of scam accounts, investigators concluded.

Texas Attorney General Ken Paxton described the situation bluntly: “Lax verification standards, a years-long absence of phone support, and deceptive social media promotions left users exposed to scammers.” He added that Cash App dragged its feet on internal fraud investigations and locked victims out of accounts with no way to recover stolen money.

The settlement requires real human support — at least 13.5 hours a day

The consent judgment filed in New York, mirroring those in other states, forces Block to maintain live customer support 24 hours a day. At least 13.5 hours of that must be staffed by “a real person.” That’s a direct response to years of complaints about automated, unhelpful responses.

This agreement also reaffirms a separate federal consent order from January 2025. Under that deal with the Consumer Financial Protection Bureau, Block must distribute between $75 million and $120 million to states. Combined, the two settlements push Block’s total payout over $120 million.

Block stays silent — and faces a credibility problem

As of Wednesday afternoon, neither Block nor Cash App had issued a statement about the settlement. That silence speaks volumes for a company that once built its brand on simplicity and trust.

Founded by Jack Dorsey in 2009, Block also owns the payment platform Square and the music streaming service Tidal. The company has long positioned itself as an alternative to traditional banking. But this settlement suggests its security and customer service fell short of even basic expectations.

What Cash App users should know now

If you use Cash App, a few things are worth keeping in mind:

  • Verify support channels. Only use the official app or website for help. Don’t Google a customer service number — scammers still run fake ones.
  • Watch for account limits. The settlement doesn’t change the fact that Cash App lacks FDIC insurance on most balances. Your money isn’t protected the way it would be in a bank.
  • Report fraud quickly. Block is now required to respond faster to fraud claims. If you’re scammed, document everything and file a report through the app immediately.

The broader lesson? A sleek interface and a famous founder don’t guarantee security. The Cash App settlement is a reminder that when fintech companies cut corners on support and verification, users pay the price.

Continue Reading

Trending