Connect with us

CyberSecurity

UK Sanctions Chinese Crypto Marketplace Xinbi in Major Scam Hub Crackdown

Published

on

UK Takes Unprecedented Action Against Crypto-Fueled Scams

The UK has drawn a line in the sand. In a landmark move, the government has imposed sanctions on a sprawling network of individuals and companies tied to industrial-scale scam operations in Southeast Asia. These aren’t petty frauds. They are sophisticated, organized crime hubs running romance scams and other schemes that have defrauded countless victims globally.

At the center of this crackdown is Xinbi, a China-based cryptocurrency marketplace. The UK is the first country to formally sanction this platform, accusing it of being one of the largest illicit online crypto marketplaces in the region. How large? Authorities point to inflows exceeding a staggering $19.7 billion.

Xinbi’s Role in a Vast Criminal Ecosystem

What exactly does Xinbi do? According to the UK government, its operators have been deeply embedded in the scam economy. Their alleged activities go beyond simple crypto trading. They are accused of selling the personal data of scam victims and trading satellite internet equipment—the very tools used to contact and deceive people.

Perhaps most damning is Xinbi’s connection to a specific, massive operation. The platform is said to provide services to #8 Park, a scam compound in Cambodia linked to the notorious Prince Group. This facility is believed to have the capacity to house up to 20,000 trafficked workers forced to run online scams. The UK also accuses Xinbi of facilitating the laundering of stolen crypto assets for North Korea.

The Sanctioned Network

Xinbi wasn’t alone on the sanctions list. The UK action targeted a web of interconnected entities:

  • Legend Innovation Co.: The operator of the #8 Park compound.
  • BSquare Technology & Tian Xu International Technology: Companies linked to the Prince Group’s crypto platform, Byex.
  • Key Individuals: Including Eang Soklim (director of Legend), associates of Prince Group chairman Chen Zhi, and Wan Kuok Koi, a former triad leader involved in Myanmar scam centers.

The UK plans to freeze a number of London properties as a direct result of these sanctions, hitting the network where it stores its wealth.

How Investigators Unraveled the Network

This action didn’t happen in a vacuum. It was built on detailed forensic work by UK crypto-analysis firm Elliptic. The firm played a crucial role in investigating #8 Park and the Xinbi network, tracing the immutable trails left on the blockchain.

Elliptic had previously identified Xinbi as “the second-largest illicit online marketplace ever.” Their research into #8 Park was particularly revealing. They uncovered crypto addresses used by merchants inside the compound—a supermarket, bakery, and food stalls—all accepting USDT payments from the trafficked workers.

The impact of this exposure was immediate. Just five days after Elliptic published its findings, intelligence suggested the Xinbi-linked compound was ordered to evacuate. Online videos showed large-scale departures, and on-chain data confirmed it: payments to the compound’s merchants plummeted and nearly stopped entirely by mid-February.

A Growing International Fight Against Crypto Fraud

This latest round of sanctions is part of a broader, escalating campaign. It follows coordinated US and UK action against 146 Prince Group-linked entities in late 2025. That pressure contributed to the arrest and extradition of the group’s chairman, Chen Zhi, to China in early 2026.

The ripple effects are being felt on the ground. Following the 2025 sanctions, Cambodian authorities launched their largest-ever crackdown, raiding an estimated 2,500 sites. This led to the closure of hundreds of scam centers and the release of tens of thousands of foreign nationals who had been forced to work there.

The UK is now pushing for a more systemic response. British ministers point to new initiatives like the UK-backed Interpol Global Fraud Taskforce and the UK’s new Online Crime Centre. These are designed to track, trace, and shut down cross-border crypto fraud at its source. The issue is set to be a top priority at the UK’s Illicit Finance Summit in June, where the government will seek to drive international action against money laundering via crypto and property.

As British Minister Stephen Doughty stated, the message is unequivocal: “We will not allow British people to become victims of these dreadful scams or tolerate the awful human rights abuses perpetrated in these scam centers.” The sanctions against Xinbi mark a significant step in turning that statement into action.

CyberSecurity

FBI Seizes NetNut Proxy Platform, Popa Botnet Infrastructure Dismantled

Published

on

NetNut seizure

FBI Takes Down NetNut Proxy Network

The FBI has seized hundreds of domains linked to NetNut, a residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action, announced today, comes roughly two weeks after security researchers tied NetNut to the Popa botnet — a sprawling network of at least two million compromised devices.

Visitors to NetNut’s homepage now see a seizure banner from the FBI and the Internal Revenue Service Criminal Investigation division. The notice credits Google, Lumen, Shadowserver, and other industry partners for their help dismantling the infrastructure.

The Popa Botnet Connection

On June 19, three separate security firms published findings linking NetNut to the Popa botnet. Their research showed that NetNut distributes software for common household devices — smart TVs and streaming boxes — turning them into always-on residential proxy nodes. These nodes are then rented to customers, who use them to relay abusive traffic: mass content scraping, advertising fraud, and account takeover attacks.

The Google Threat Intelligence Group (GTIG) published a blog post today detailing how NetNut’s proxy network is widely resold and white-labeled by third-party providers. Cybercriminals heavily seek out these services to hide the source of their malicious traffic. In a single week during June 2026, GTIG observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including both criminal and espionage groups.

“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” GTIG wrote.

How NetNut Exposed Home Networks

Google’s analysis highlighted a dangerous side effect: when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means attackers can access other private devices on the same home network, effectively exposing them to internet threats. Google disabled accounts and services used by NetNut for malware command and control, and shared technical intelligence on NetNut’s software development kits (SDKs) with platform providers, law enforcement, and research firms.

Alarum Technologies Responds

Omer Weiss, legal counsel for NetNut parent Alarum Technologies, confirmed the company is aware of the seizure and cooperating with investigators. “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.

Benjamin Brundage, founder of proxy tracking service Synthient, said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it. “I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said.

Ripple Effects Across the Cybercrime Ecosystem

Brundage noted that NetNut’s apparent demise is a major blow to the cybercrime community, which was already reeling from legal actions by Google earlier this year that seized infrastructure for IPIDEA, NetNut’s biggest competitor. “NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it,” he said.

The takedown may also reduce the impact of large distributed denial-of-service botnets built on poorly configured residential proxy services. In January, Synthient revealed how cybercriminals built the world’s largest DDoS botnet (Kimwolf) by tunneling through IPIDEA proxy connections into TV box owners’ local networks.

Google Warns of Resilient Proxy Networks

Google reckons today’s actions have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” But the company warns that proxy networks can rebuild themselves by reselling other proxy services, as IPIDEA has done. “Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes.

“While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient,” Google wrote. “We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”

What This Means for Consumers

KrebsOnSecurity has repeatedly warned that most no-name TV streaming boxes sold on major e-commerce websites either come pre-installed with residential proxy software or require installing proxy SDKs to use the device for streaming pirated content. Google’s advice is straightforward: stick to name-brand TVs from reputable manufacturers, and be sparing with the apps you install.

The sketchy TV boxes commandeered by the Popa botnet all run unofficial Android operating systems outside Google’s Official Play Protect store. Google says consumers can check whether a device is built with the official Android TV OS and Play Protect certification by following instructions on its support site.

Even people without streaming boxes can find their smart TVs enrolled in proxy networks. A report from proxy tracking company Spur last month found 42 percent of apps available for LG’s webOS operating system include SDKs that turn the TV into an always-on proxy node. More than a quarter of apps for Samsung’s Tizen OS had similar components.

The FBI’s NetNut seizure sends a clear message, but the battle against residential proxy networks is far from over. As Google noted, these networks are fluid and interconnected — taking down one operator often means others simply buy capacity from competitors. For now, the Popa botnet has been dealt a serious blow. But the ecosystem will adapt.

Continue Reading

CyberSecurity

Veil#Drop Attacks Weaponize Blogspot and Compromised Sites to Deploy PureLog Stealer

Published

on

Veil#Drop attacks

Trusted Google Infrastructure Abused in Multi-Stage Campaign

Security researchers have uncovered a sophisticated malware delivery operation that weaponizes Blogspot, Google’s long-standing blogging platform, to distribute information-stealing payloads. Dubbed Veil#Drop attacks, the campaign uses compromised websites and social engineering lures to infect victims with PureLog Stealer, a .NET-based credential thief.

Analysts at Securonix detailed the framework in a new report, describing a multi-stage chain that blends JavaScript, PowerShell, and fileless execution techniques. The goal: slip past traditional antivirus and leave minimal forensic traces.

How the Infection Chain Unfolds

The attack starts with a JavaScript file that masquerades as a legitimate document. When a victim opens it, the script launches PowerShell code, bypassing execution policies that would normally block such activity.

That PowerShell acts as a download cradle. It reaches out to attacker-controlled Blogspot pages to pull down the next stage. Because Blogspot sits on Google’s trusted infrastructure, the traffic often blends in with normal web activity.

Once retrieved, the Blogspot-hosted payload does three things: it displays a decoy document to keep the victim occupied, terminates certain running processes, and decrypts embedded content. The decoded code then generates additional Blogspot URLs and executes further payloads directly in memory — nothing touches the hard drive.

Fileless Execution and XOR Obfuscation

A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs. According to Securonix, these are “reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms.”

The chain also includes fallback mechanisms and abuses LOLBINs — legitimate Microsoft-signed binaries — for code execution and defense evasion. This layered approach makes it harder for endpoint protection to spot the malicious activity.

PureLog Stealer: What It Takes

By the end of the infection, the victim’s machine runs PureLog Stealer. This .NET-based malware performs system reconnaissance and then starts harvesting data from browsers including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and any Chromium-based browser.

Its targets are broad: credentials, cookies, autofill data, session tokens, browsing histories, and cryptocurrency wallet information. Beyond browsers, PureLog Stealer can also pillage messaging apps, email clients, remote access tools, FTP clients, cloud storage software, developer utilities, and password managers.

All stolen data is packaged and sent to attacker-controlled servers in encrypted form.

Enterprise Risk: More Than Just Stolen Passwords

The danger goes beyond a single compromised workstation. PureLog Stealer’s reach means a single infection can yield credentials, tokens, and keys that unlock larger parts of an organization’s network.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns,” Securonix warns. “Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities.”

This makes Veil#Drop attacks a concern for security teams already stretched thin. The combination of trusted platforms, fileless execution, and multi-stage payloads demands detection strategies that go beyond signature matching.

Defending Against Blogspot-Based Malware Delivery

Organizations can reduce exposure by restricting PowerShell execution policies where possible and monitoring for anomalous outbound connections to cloud platforms like Blogspot. Behavioral detection tools that spot in-memory execution patterns offer another layer of defense.

User education also matters. The initial JavaScript lure relies on someone opening an attachment they weren’t expecting. A healthy dose of skepticism — and a clear policy on unsolicited documents — can stop the chain before it starts.

For more on related threats, see our coverage of the CryptoBandits malware doubling as a backdoor and the Rokarolla banking Trojan targeting 200 applications.

Continue Reading

CyberSecurity

‘BusySnake’ Infostealer Slithers into Critical Infrastructure Networks

Published

on

BusySnake infostealer

New Malware Campaign Targets Power Grids and Government Networks

A previously undocumented infostealer malware, tracked as BusySnake, has been found infiltrating government agencies and electrical power companies in Russia, Brazil, and Kazakhstan. Security researchers at Kaspersky attribute the campaign to a threat actor they call Armored Likho.

The discovery marks a worrying expansion of cyber-espionage into operational technology environments. While the malware itself is not designed to disrupt power grids directly, its ability to siphon credentials, system data, and internal communications gives attackers a dangerous foothold.

Think about it: once you have an attacker inside a utility’s IT network, the jump to industrial control systems becomes far easier. That’s the real nightmare scenario.

What Is BusySnake? A Low-and-Slow Data Thief

BusySnake is not a fast-moving worm. It’s the opposite — a stealthy, modular infostealer that operates in stages. The malware arrives via spear-phishing emails, often disguised as official correspondence from government or energy-sector partners.

Once executed, it performs several key actions:

  • Credential harvesting — steals login data from browsers, email clients, and VPN software
  • Screen capture — takes periodic screenshots of the victim’s desktop
  • Keylogging — records keystrokes to capture passwords and sensitive conversations
  • File exfiltration — uploads documents matching specific extensions (.doc, .xls, .pdf) to a command-and-control server

The malware communicates over HTTPS to blend in with normal traffic, making detection harder for traditional network monitoring tools.

Armored Likho: Who’s Behind the Attacks?

Kaspersky’s researchers have been tracking Armored Likho since mid-2024. The group shows a clear preference for targeting critical infrastructure — primarily electricity generation and distribution entities, along with central government bodies.

Geographically, the campaign has hit three countries hardest:

  • Russia — multiple regional energy companies and federal agencies
  • Brazil — at least two major electrical utilities and a state-level government network
  • Kazakhstan — a national power grid operator and a ministry

Why these three? The geographic spread suggests the attackers are not driven by simple regional conflict. Instead, they appear interested in energy-sector intelligence across different continents. This could point to state-sponsored espionage or a sophisticated cybercrime group selling access to the highest bidder.

How BusySnake Evades Detection

The malware uses several tricks to stay under the radar. First, it checks for sandbox environments and debuggers before executing its payload — a common anti-analysis technique. If it detects a virtual machine or security tool, it simply shuts down.

Second, BusySnake encrypts its configuration files and uses steganography to hide stolen data inside innocent-looking image files before exfiltration. Security teams scanning for unusual file transfers might miss these pictures entirely.

Third, the malware employs a modular structure. The initial dropper is small and lightweight. Only after confirming a successful infection does it download additional components from the C2 server. This makes signature-based detection nearly useless.

Implications for Critical Infrastructure Security

For organizations running power plants, electrical grids, or government networks, the BusySnake campaign is a wake-up call. The attackers are not just after credit card numbers — they want operational blueprints, SCADA credentials, and internal communications.

Once an attacker has that level of access, they can map out the entire network. From there, it’s a short step to sabotaging industrial control systems or launching ransomware that could black out a city.

Security teams should take immediate action:

  • Segment IT and OT networks — ensure that compromised office computers cannot directly communicate with industrial systems
  • Deploy behavioral detection — look for unusual data transfers, not just known malware signatures
  • Train staff on spear-phishing — many BusySnake infections start with a single employee clicking a malicious attachment
  • Monitor for BusySnake indicators — Kaspersky has published IOCs including C2 domains, file hashes, and registry keys

What Comes Next?

The Armored Likho group shows no signs of slowing down. Kaspersky expects them to expand into other regions and sectors, possibly targeting oil and gas or water treatment facilities next.

For now, the best defense is awareness. Critical infrastructure security teams need to assume they are already being probed. The question is not if an infostealer like BusySnake will arrive at their network perimeter — it’s whether they’ll catch it before the data walks out the door.

Organizations that have not yet reviewed their cybersecurity best practices for power grids should do so immediately. And for anyone still relying on antivirus alone to stop modern infostealers — it’s time to rethink that strategy.

Continue Reading

Trending