Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Oregon Man Charged in Global “Rapper Bot” DDoS-For-Hire Scheme
    by Ashish Khaitan on August 20, 2025 at 9:01 am

    A massive cybercrime operation tied to one of the internet’s most powerful DDoS-for-hire botnets, Rapper Bot, has been brought down, and at the center of the case is a 22-year-old man from Eugene, Oregon. According to a federal criminal complaint filed on August 6, 2025, in the District of Alaska, Ethan Foltz is alleged to be the mastermind behind Rapper Bot, a botnet responsible for hundreds of thousands of disruptive attacks around the world.

    Also known as “Eleven Eleven Botnet” and “CowBot,” Rapper Bot functioned as a large-scale DDoS-for-hire botnet, targeting devices such as WiFi routers and digital video recorders (DVRs). Once compromised, these devices were used to flood targeted systems with overwhelming internet traffic, resulting in Distributed Denial of Service (DDoS) attacks that could cripple websites, networks, and digital services within seconds.

    The Rapper Bot Botnet Scale and Global Impact

    Between April 2025 and the time of the complaint, Rapper Bot is believed to have launched over 370,000 separate attacks against more than 18,000 unique victims in over 80 countries. The botnet’s capabilities were staggering: operating between 65,000 and 95,000 infected devices, its attacks often peaked between 2 and 3 Terabits per second, with the largest potentially reaching over 6 Terabits per second.

    Among the targets were U.S. government networks, major tech firms, and a prominent social media platform. Authorities confirmed that at least five of the infected devices used in these attacks were located in Alaska.

    According to the court documents, Ethan Foltz and unnamed co-conspirators monetized the botnet by offering paid access to Rapper Bot’s infrastructure. Some clients allegedly used it for extortion, threatening to launch devastating attacks unless victims paid up. A single 30-second DDoS attack could cost businesses $500 to $10,000 in damages and recovery efforts.

    Takedown and Seizure of Rapper Bot

    Law enforcement’s breakthrough came on August 6, 2025, when federal agents executed a search warrant on Foltz’s residence in Oregon. During the operation, they seized control of Rapper Bot, disabling its attack infrastructure. Since then, no further Rapper Bot activity has been reported, following the handover of its command-and-control systems to the Defense Criminal Investigative Service (DCIS).

    “Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator,” said U.S. Attorney Michael J. Heyman for the District of Alaska.

    Charges, Partners, and Ongoing Operations

    Ethan Foltz is charged with one count of aiding and abetting computer intrusions, a felony that carries a maximum sentence of 10 years in prison if convicted. The case is being prosecuted by Assistant U.S. Attorney Adam Alexander and investigated by the DCIS, with major contributions from industry partners. This enforcement action was carried out as part of Operation PowerOFF, a coordinated international law enforcement effort aimed at dismantling DDoS-for-hire botnets around the globe.

    As with all criminal cases, Foltz is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

  • Cyble Uncovers RedHook Android Trojan Targeting Vietnamese Users
    by Ashish Khaitan on July 29, 2025 at 6:33 am

    Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have uncovered a new Android banking trojan called RedHook that is actively targeting Vietnamese mobile users. The malware is distributed via carefully crafted phishing sites impersonating trusted financial and government agencies. Once installed, RedHook delivers a dangerous combination of phishing, keylogging, and remote access capabilities, enabling full control over infected devices, yet it remains low-profile with limited antivirus detection.

    Decoding the RedHook Android Banking Trojan Campaign

    CRIL first detected RedHook via a phishing website at sbvhn[.]com, which mimics the State Bank of Vietnam. The site lures users into downloading a trojanized APK (SBV.apk) from an exposed AWS S3 bucket (hxxps://nfe‑bucketapk.s3.ap‑southeast‑1.amazonaws[.]com/SBV.apk). The bucket, which has been public since November 2024, contained screenshots, phishing templates, and malware versions. It revealed that RedHook has been active since at least November 2024, with samples appearing in the wild by January 2025.

    [Image: Phishing site distributing a malicious APK file (Source: Cyble)]

    RedHook’s infrastructure includes domains such as mailisa[.]me, previously associated with a Vietnamese cosmetic scam. That shift indicates the threat actor has evolved from social engineering fraud to wielding an Android banking trojan embedded in phishing sites.

    Infection Workflow and Capabilities

    After installation, the malware prompts the user for overlay access and Android accessibility services. These elevated permissions enable RedHook to perform a range of intrusive actions: launching overlay phishing pages, capturing all keystrokes (keylogging), exfiltrating contacts and SMS, and installing or uninstalling apps. The malware abuses Android’s MediaProjection API to capture the screen and streams images via WebSocket to the attacker’s control infrastructure.

    RedHook maintains persistent WebSocket communication with its command-and-control (C2) server, using the subdomain skt9.iosgaxx423.xyz, while initial HTTP requests go to api9.iosgaxx423.xyz. The malware supports 34 distinct remote commands from the server: numbered actions that let operators collect device information, SMS messages, and screenshots, send commands, trigger overlays, and more.

    Technical Deep Dive

    Upon launch, the malware presents a spoofed login page imitating the State Bank of Vietnam. Once credentials are entered, the trojan sends them to /auth/V2/login. In response, the server issues a JWT access token and a client ID. Using these tokens, RedHook reports device specifics to /member/info/addDevice, including device ID, brand, orientation, and screen lock type, allowing the attacker to register and track each compromised device. At the time of the analysis, the number of returned user IDs had increased to 570, indicating over 500 infections.

    RedHook’s phishing workflow unfolds in stages:

      • Victims are prompted to photograph and upload their citizen ID. The resulting image is transmitted to /file/upload/.
      • Users then provide bank name, account number, name, address, birthdate, and other personal data via templates that, interestingly, appear in Indonesian rather than Vietnamese.
      • Finally, the victim is asked to enter a 4-digit password and a 6-digit two-step verification code.

    Every keystroke entered is logged, tagged with the app package name and foreground activity, and sent to the C2 server.

    The RAT (Remote Access Trojan) capability is enabled via the WebSocket connection over skt9. During this session, captured screen frames (converted to JPEG) are streamed live. The exposed S3 bucket contained screenshots showing the WebSocket session and Chinese-language interface elements, implying a possible Chinese-speaking threat actor. Chinese-language strings also appear in the malware logs.

    [Image: Exposed S3 bucket used by malware (Source: Cyble)]

    The AWS S3 bucket exposed RedHook’s phishing templates mimicking several well-known Vietnamese targets, including Sacombank, Central Power Corporation, the traffic police (CSGT), and government portals.

    [Image: Exposed data on open S3 bucket (Source: Cyble)]

    Icons and branding closely mirrored those institutions to deceive victims into trusting the phishing sites.

    Attribution and Indicators

    Several artifacts strongly suggest a Chinese-speaking origin: Chinese text is present throughout screenshots captured from the C2 interface, and internal code and log strings also contain Chinese. Additionally, the staging domain mailisa[.]me has links to previous Vietnamese fraud campaigns, including one case where a victim lost over 1 billion VND after being redirected to MaiLisa salon-branded phishing content.

    [Image: Malware receiving mailisa.me domain from the server (Source: Cyble)]

    Screenshots from the exposed data bucket referenced “MaiLisa Beauty Salon” and showed payments of 5.5 million VND to “DTMG TRADING CO. LTD D MAILISA,” closely resembling the earlier scam.

    [Image: Exposed S3 bucket images associated with the MaiLisa Beauty Salon theme (Source: Cyble)]

    Together, these elements indicate a group likely operating from a Chinese-language background, evolving from basic scams to deploying RedHook, a sophisticated Android banking trojan, through phishing sites.

    Conclusion

    RedHook represents a dangerous shift in Android malware, combining phishing, remote access, and surveillance to target users, especially in Vietnam, while evading detection through spoofed sites and sideloaded APKs. Its advanced features and low VirusTotal visibility make it highly stealthy.

    To combat threats like RedHook, users should avoid installing apps from unknown sources, be cautious of suspicious permission requests, and use behavior-based mobile security. Institutions must proactively share threat intelligence to disrupt mobile attack infrastructure.

  • Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access
    by Ashish Khaitan on July 18, 2025 at 6:20 am

    Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems.

    Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate-looking PDF documents. Victims are prompted to scan these codes using their mobile devices, a tactic that shifts the attack vector to endpoints that lie outside organizational visibility, such as personal smartphones.

    This approach allows attackers to bypass security systems such as secure email gateways (SEGs) and endpoint detection tools, which often do not scrutinize mobile device traffic. The attack typically begins with a phishing email that includes a PDF file mimicking official corporate communication. These decoys are crafted to resemble HR notifications, employee handbooks, or onboarding documents, complete with logos, tables of contents, and multiple pages to avoid signature-based detection tools.

    Scanception Quishing Campaign: Over 600 Unique Lures in Three Months

    [Image: Phishing QR code (Source: Cyble)]

    CRIL’s analysis over three months uncovered over 600 distinct phishing PDFs and emails tied to the Scanception campaign. Shockingly, nearly 80% of these files had zero detections on VirusTotal at the time of their discovery. These documents are not randomly distributed; instead, they are precision-targeted by industry vertical, geographic location, and user role.

    The campaign had global reach throughout the tracking period, affecting organizations in over 50 countries, with high concentrations of activity in North America, EMEA (Europe, the Middle East, and Africa), and the APAC region. The sectors most impacted include technology, healthcare, manufacturing, and BFSI (banking, financial services, and insurance), industries known for their data sensitivity and high-value targets.

    Credential Theft via AITM Phishing Infrastructure

    [Image: Office 365 sign-in portal (Source: Cyble)]

    The end goal of Scanception is credential harvesting. The embedded QR codes lead to adversary-in-the-middle (AITM) phishing pages, often designed to impersonate Microsoft Office 365 login portals. These pages collect user credentials in real time and use advanced techniques to bypass security measures such as multi-factor authentication (MFA).

    Once credentials are entered, the attacker’s infrastructure captures the data using tools such as randroute and randexp.min.js, which dynamically generate URLs to evade signature-based detection. The phishing pages also employ browser fingerprinting and detect testing and debugging tools such as Selenium and Burp Suite. If such tools are identified, the attack immediately halts by redirecting to a blank or legitimate webpage.

    This dynamic infrastructure maintains an open communication channel with the attacker, potentially prompting for secondary authentication details such as 2FA codes or one-time passwords (OTPs), enabling full session hijacking and long-term access to compromised accounts.

    Abuse of Trusted Platforms and Redirection Techniques

    One of Scanception’s most insidious strategies involves the abuse of trusted redirection services and reputable cloud-hosting platforms. The campaign has misused services such as YouTube, Google, Bing, Cisco, Medium, and even email protection vendors to host or relay phishing infrastructure. This tactic not only masks the attack behind seemingly legitimate URLs but also helps evade content- and reputation-based security filters. Examples include:

      • Redirect URLs embedded in Google search links
      • Medium articles containing hidden redirect links
      • Cisco-secure URLs redirecting to phishing pages
      • Email security links that lead victims to fake login portals

    By embedding malicious payloads behind such domains, attackers bypass security measures that typically whitelist these platforms.

    Evolution of Tactics and Continued Activity

    Scanception is not a static operation; it is adapting and changing rapidly. Initial versions of the decoy PDFs were single-page documents. Newer versions include multiple pages, structured content, and advanced visual designs to enhance credibility. Some phishing pages now feature multi-stage harvesting and dynamic evasion techniques, including right-click disablement and real-time debugging detection.

    Scanception is a new and advanced player in phishing, blending social engineering with technical evasion to exploit QR codes, trusted platforms, and unmanaged mobile devices. With over 600 unique lures identified in just 90 days, most undetected by threat engines, it highlights how attackers bypass security and target users beyond traditional perimeters.

  • It’s Official: Thailand’s Labour Ministry Breached, Backups Erased, Network in Ruins
    by Samiksha Jain on July 18, 2025 at 5:29 am

    The Thailand Ministry of Labour cyberattack has intensified as new revelations indicate that a planned data breach impacted the Ministry’s digital infrastructure. What was initially reported as a defacement of the Ministry’s website has now been confirmed as a full-scale cyberattack on Thailand’s Ministry of Labour that compromised internal systems, encrypted critical data, and disrupted government operations.

    Boonsong Tapchaiyut, Permanent Secretary of the Ministry of Labour, had confirmed that on the morning of July 17, 2025, hackers defaced the Ministry’s official website, replacing its homepage with a message announcing their successful attack. Boonsong further emphasized that the breach was limited to visible content and that the internal servers and data repositories remained secure. However, recent developments have painted a very different picture.

    Hacker Group ‘Devman’ Claims Responsibility

    A threat actor identifying as Devman claimed responsibility for the Thailand Ministry of Labour cyberattack through a post on a dark web blog. According to the post, the group had maintained undetected access to the Ministry’s network for more than 43 days, infiltrating Active Directory servers and multiple Linux systems during that period. The group claims to have exfiltrated over 300 GB of sensitive data, encrypted approximately 2,000 laptops, and taken control of 98 Linux servers and over 50 Windows servers. Moreover, they state that they have completely wiped the Active Directory environment and destroyed all tape backups, rendering data recovery almost impossible.

    Website Defacement After the Thailand Ministry of Labour Cyberattack

    The Thailand Ministry of Labour cyberattack became publicly known after the Ministry’s website was defaced with a chilling message: “THIS IS NOT JUST THE WEBSITE. WHAT YOU WITNESS HERE IS PART OF OUR COORDINATED ATTACK, AIMED AT CRIPPLING THIS MINISTRY.” Although the message was removed shortly afterward and the website was restored from backup files, the deeper implications of the cyberattack are now emerging.

    Boonsong stated that the Ministry’s Information and Communication Technology Center (ICTC) took immediate action to shut down the compromised system, remove the malicious files, and restore web functionality from backups. New security measures were also implemented, including closing access points and resetting all usernames and passwords. He further clarified that the circulating claim of a $15 million loss was inaccurate and that damage assessments were still ongoing.

    Full System Compromise Confirmed

    In an update on the Thailand Ministry of Labour cyberattack issued late on July 17, the Ministry acknowledged that its internal systems had been compromised and encrypted, with no recovery possible without the decryption key. An internal error during IT operations has made short-term recovery unlikely, leaving the Ministry’s infrastructure completely down for the time being. “The severity of the situation has elevated. We are treating this matter with utmost urgency and will provide more updates as we work through the crisis,” read the official statement.

    [Image: Boonsong Tapchaiyut, Permanent Secretary of the Ministry of Labor (Source: Official Website)]

    Legal Action and Cybercrime Report Filed

    Boonsong confirmed that the Ministry has filed a report with the Cyber Police, urging legal action against the perpetrators under the Computer Crime Act, citing reputational damage and the entry of false data into a government system. “I’ve instructed the legal department to examine all possible avenues. This is not just a technical incident — it is a violation of national security and law,” said Boonsong.

    What’s Next?

    The Ministry of Labour is currently working with external cybersecurity firms, law enforcement, and national cyber defense agencies to determine the full extent of the damage from the Thailand Ministry of Labour cyberattack and to prevent future incidents. Recovery efforts are underway, though the destruction of backups and the encryption of internal systems present a formidable challenge. As this story continues to unfold, The Cyber Express will monitor updates on the Thailand Ministry of Labour cyberattack, including any official responses, confirmations, or public statements from affected agencies.

  • Devman Claims Cyberattack on Thailand Ministry of Labour, Demands $15M Ransom
    by Ashish Khaitan on July 17, 2025 at 12:21 pm

    A threat actor named Devman has claimed responsibility for a cyberattack on the Thailand Ministry of Labour, compromising over 300 gigabytes of sensitive data and severely disrupting government operations.

    The Thailand Ministry of Labour cyberattack was not a hit-and-run incident. According to a post on Devman’s dark web blog, the hackers had access to the Ministry’s systems for over 43 days before executing their attack. They claim to have infiltrated both Active Directory and multiple Linux servers, methodically collecting data and preparing for their strike.

    [Image: Ministry of Labour Cyberattack Claims (Source: X)]

    The breach came to public attention when the Ministry’s official website was defaced, with the homepage replaced by a message: “THIS IS NOT JUST THE WEBSITE. WHAT YOU WITNESS HERE IS PART OF OUR COORDINATED ATTACK, AIMED AT CRIPPLING THIS MINISTRY.”

    [Image: Defaced homepage (Source: X)]

    However, at the time of writing, the message had been deleted.

    In addition to the website defacement, the group alleges that it has encrypted approximately 2,000 laptops, over 98 Linux servers, and more than 50 Windows servers. Perhaps most disturbingly, Devman claims to have completely wiped the Active Directory environment and destroyed all tape backups, potentially crippling restoration efforts.

    Details of the Thailand Ministry of Labour Cyberattack

    According to Devman, the stolen data includes:

      • Over 600 classified government documents
      • Large portions of the citizen and foreign visitor datasets
      • Confidential government communications and personal details

    A ransom of $15 million has been demanded in exchange for not publishing or selling the data.

    Technical Analysis: How Was This Possible?

    In response to the cyberattack on the Thailand Ministry of Labour, The Cyber Express conducted a preliminary investigation using PentestTools’ Light Website Vulnerability Scanner. While this was a limited scan and did not check for critical issues such as SQL Injection or Remote Code Execution, several vulnerabilities were discovered.

    Medium-Risk Vulnerabilities Identified:

      • Insecure Cookie Settings: Missing Secure and HttpOnly flags on session cookies (PHPSESSID), which increases the risk of session hijacking.
      • Outdated jQuery UI Library: The site was using jQuery UI 1.11.4, known to have multiple CVEs, including XSS vulnerabilities and unsafe parameter use that could allow arbitrary code execution.
      • Weak Content Security Policy (CSP): The use of unsafe-inline, unsafe-eval, and open object-src policies could allow attackers to execute malicious JavaScript.
      • Exposed Email Addresses: Addresses such as webmaster@mol.mail.go.th and servicemol@mol.mail.go.th were publicly available, increasing phishing risks.
      • Server Technology Fingerprinting: The scan identified the use of PHP, Apache, MySQL, WordPress, Bootstrap, and other technologies, giving attackers a blueprint for targeted exploits.
      • Misconfigured robots.txt: The file revealed potentially sensitive or admin paths that should not have been publicly accessible.

    The combination of these vulnerabilities suggests that the cyberattack on Thailand may have involved a client-side XSS exploit, leveraged through outdated libraries and weak session security, allowing the attackers to escalate access and infiltrate deeper systems.

    To Wrap Up

    As of now, no official response has been issued by the Ministry of Labour. The Cyber Express has reached out for comment, but the Ministry has not yet responded. If Devman’s claims are confirmed, this cyberattack on Thailand would rank among the most severe data breaches in Southeast Asia’s recent history, not just in terms of data volume, but also due to the long-term systemic damage inflicted on a critical government institution. Given the reported destruction of backup infrastructure and the scale of encrypted systems, recovery may be slow and complex.

    This story is developing. The Cyber Express will continue to monitor updates on the Thailand Ministry of Labour cyberattack, including any official responses, confirmations, or public statements from affected agencies.
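    The cookie-flag and Content Security Policy findings listed in the scan summary above are the kind of thing a web team can check for itself before a scanner does. The Python below is an added example written for this page, not output from PentestTools or code belonging to The Cyber Express or the Ministry. It audits a pair of constructed HTTP response header sets (one reproducing the weak pattern described in the findings, one hardened) and reports a finding for each missing Secure/HttpOnly flag and each permissive CSP source. The list of session cookie names it watches is an assumption for the example.

```python
"""Audit Set-Cookie and Content-Security-Policy headers for the weaknesses
named in the scan findings: session cookies without Secure/HttpOnly, and a
CSP that allows 'unsafe-inline', 'unsafe-eval' or an open object-src.
All header values below are constructed for this example."""

# Constructed weak headers: PHPSESSID without Secure/HttpOnly, permissive CSP.
WEAK_HEADERS = {
    "Set-Cookie": ["PHPSESSID=c0nstructed; Path=/"],
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "object-src *"
    ),
}

# Constructed hardened counterpart: flags present, no unsafe sources,
# plugins blocked outright with object-src 'none'.
HARDENED_HEADERS = {
    "Set-Cookie": ["PHPSESSID=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

# Assumed list of cookie names that carry a server-side session (example only).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}


def audit_cookies(set_cookie_headers):
    """Return one finding per missing Secure/HttpOnly flag on session cookies."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        # Attribute names are case-insensitive; values (Path=/) are irrelevant here.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure flag (cookie may travel over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag (readable by injected script)")
    return findings


def parse_csp(policy):
    """Split a CSP header into {directive: [source tokens]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy):
    """Return one finding per permissive CSP setting named in the scan summary."""
    findings = []
    d = parse_csp(policy)
    # script-src falls back to default-src when absent, per the CSP spec.
    script_src = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("CSP: script-src allows 'unsafe-inline' (injected inline scripts execute)")
    if "'unsafe-eval'" in script_src:
        findings.append("CSP: script-src allows 'unsafe-eval' (eval/Function on attacker strings)")
    object_src = d.get("object-src", d.get("default-src"))
    if object_src is None:
        findings.append("CSP: neither object-src nor default-src set (plugins unrestricted)")
    elif "'none'" not in object_src:
        findings.append(f"CSP: object-src is {' '.join(object_src)} rather than 'none'")
    return findings


def audit_headers(headers):
    """Combine cookie and CSP findings for one response's headers."""
    findings = audit_cookies(headers.get("Set-Cookie", []))
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("CSP: header absent")
    else:
        findings.extend(audit_csp(csp))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}] {len(audit_headers(hdrs))} finding(s)")
        for f in audit_headers(hdrs):
            print("  -", f)
```

    Run against the weak header set the audit reports five findings (two cookie flags, two unsafe script sources, one open object-src); the hardened set reports none. In practice the same functions can be fed the headers captured from a staging deployment's own responses, which is where a check like this belongs.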

  • Belk Suffers Major Data Breach; Law Firm Investigates Class Action
    by Ashish Khaitan on July 17, 2025 at 9:41 am

    The popular U.S. department store chain Belk is under scrutiny following a cyberattack that may have compromised sensitive customer information. The Belk data breach has drawn attention, particularly after the hacking group DragonForce claimed responsibility for the attack.

    According to the law firm Schubert Jonckheer & Kolbe LLP, which is actively investigating the data breach, Belk identified unauthorized access to its network between May 7 and 11, 2025.

    The data breach at Belk prompted an immediate internal response: the company disconnected affected systems, restricted access across its networks, reset passwords, and rebuilt compromised systems. These actions caused noticeable operational disruptions for several days.

    Despite the data breach being detected in early May, Belk did not begin notifying potentially affected individuals until around June 5, 2025.

    What Data Was Compromised in the Belk Data Breach?

    The scope of the data breach appears serious. Reports indicate that the following types of personal information may have been exposed:

      • Full names
      • Dates of birth
      • Residential addresses
      • Social Security numbers
      • Phone numbers
      • Email addresses
      • Details of customer orders, including purchased items

    This combination of data puts affected individuals at high risk of identity theft, fraud, and other forms of privacy violations.

    Adding to the concern, the hacking collective DragonForce has claimed credit for the cyberattack on Belk. The group, previously responsible for an attack on UK retailer Marks & Spencer, listed Belk as one of its victims on its DarkForce dark web blog.

    Legal and Consumer Action

    In response to the Belk data breach, the legal firm Schubert Jonckheer & Kolbe LLP is evaluating the possibility of a class action lawsuit. The firm suggests that impacted individuals may be eligible for monetary compensation and injunctive relief, including mandatory changes to Belk’s cybersecurity practices.

    “If your personal information was impacted by this incident, you may be at risk of identity theft and other serious violations of your privacy,” the firm stated in a public notice. Consumers who received a breach notification or believe their data may have been affected are encouraged to seek legal guidance through ClassActionLawyers.com.

    Conclusion

    The Cyber Express has reached out to Belk to learn more about this incident. However, at the time of writing, no official statement or response had been received. This is an ongoing story, and The Cyber Express is closely monitoring the situation. We will update this post once we have more data on the Belk data breach or any additional information from the company.

    The company’s June 2025 breach notification to the New Hampshire Attorney General acknowledged “unauthorized access to certain corporate systems and data,” but stopped short of connecting the incident to the DragonForce claims.

  • Dark Web No Longer Safe Haven: 270 Arrested in Global Law Enforcement Raid
    by Samiksha Jain on May 23, 2025 at 9:11 am

    In an international law enforcement operation, 270 individuals involved in dark web criminal activity have been arrested across ten countries. Coordinated by Europol, the operation, codenamed Operation RapTor, targeted online vendors and buyers dealing in illegal drugs, weapons, counterfeit goods, and other illicit items. This large-scale crackdown sends a strong message to criminals hiding behind the anonymity of the dark web: their digital hiding places are no longer safe.

    Operation RapTor: A Coordinated International Effort

    Operation RapTor was led by Europol, with support from law enforcement and intelligence agencies across North America, Europe, South America, and Asia. The arrests followed intelligence gathered from several previously dismantled dark web marketplaces, including Nemesis, Tor2Door, Bohemia, and Kingdom Market. Many of the suspects had carried out thousands of transactions on these platforms, relying on encryption and cryptocurrencies to mask their identities and operations. However, the coordinated efforts of international law enforcement agencies allowed investigators to track and identify them.

    The arrests were distributed across several countries:

      • United States: 130 arrests
      • Germany: 42 arrests
      • United Kingdom: 37 arrests
      • France: 29 arrests
      • South Korea: 19 arrests
      • Austria & Netherlands: 4 arrests each
      • Brazil: 3 arrests
      • Switzerland & Spain: 1 arrest each

    Investigations are ongoing, and more arrests may follow as authorities continue to analyze seized data.

    Massive Seizures Disrupt Dark Web Supply Chains

    In addition to the arrests, law enforcement officers confiscated a large volume of illegal goods and financial assets. The operation led to the seizure of:

      • Over €184 million in cash and cryptocurrency
      • More than 2 tonnes of illegal drugs, including amphetamines, cocaine, ketamine, opioids, and cannabis
      • Over 180 firearms, along with imitation weapons, tasers, and knives
      • 12,500 counterfeit products, ranging from fake IDs to branded knock-offs
      • Over 4 tonnes of illicit tobacco

    These seizures have significantly disrupted criminal supply chains that feed the dark web economy, particularly those involved in the sale of illegal drugs and counterfeit goods.

    Europol’s Role and Strategy

    Europol played a central role in the operation by analyzing and sharing intelligence collected from previously seized dark web marketplaces. Investigators compiled this data into intelligence packages and distributed them to national authorities through the Joint Cybercrime Action Taskforce (J-CAT), hosted at Europol headquarters. This collaborative approach mirrors the success of Operation SpecTor, conducted in 2023, which resulted in 288 arrests. Together, these efforts highlight a growing ability among law enforcement agencies to work across borders and identify key players in the dark web ecosystem.

    According to Edvardas Šileris, Head of Europol’s European Cybercrime Centre: “Operation RapTor shows that the dark web is not beyond the reach of law enforcement. Through close cooperation and intelligence sharing, officers across four continents identified and arrested suspects, sending a clear message to those who think they can hide in the shadows.”

    The Growing Threat of Online Crime

    As traditional dark web marketplaces face increasing pressure, criminals are shifting their tactics. Law enforcement officials have observed a growing trend toward single-vendor shops—websites operated by individual sellers. These smaller platforms aim to reduce exposure and avoid the risks associated with larger, centralized marketplaces.

    Illegal drugs remain the top commodity sold on the dark web. However, law enforcement is also tracking a rise in prescription drug trafficking and fraudulent services. These include scam websites offering fake hitmen, forged documents, or non-existent goods to exploit unsuspecting buyers. This shift highlights the evolving nature of cybercrime. As criminals adopt new methods to avoid detection, law enforcement must adapt and innovate accordingly.

    Cooperation Is Key

    The success of Operation RapTor was made possible through cooperation between multiple international agencies, including:

      • Austria: Criminal Intelligence Service and Provincial Criminal Police Departments
      • Brazil: Civil Police of the States of Pará and São Paulo
      • France: Customs and National Gendarmerie
      • Germany: Federal Criminal Police, Prosecutor’s Office in Cologne, and German Customs
      • Netherlands: Team High Tech Crime and other national units
      • Spain: National Police
      • South Korea: Darknet Investigations Unit of the Seoul Central District Prosecutors’ Office
      • Switzerland: Zurich Cantonal Police and Public Prosecutor’s Office
      • United Kingdom: National Crime Agency and Police Chiefs’ Council
      • United States: Department of Justice and a host of federal agencies, including the FBI, DEA, HSI, IRS, ATF, CBP, NCIS, and more

    Strengthening Law Enforcement

    Magnus Brunner, European Commissioner for Internal Affairs and Migration, emphasized the importance of continued investment in law enforcement capabilities: “This operation is proof of how criminal gangs operate today: offline and online, internationally and locally, using technology to their full advantage. To counter this, coordinated action is essential. And that is exactly the added value Europol provides.”

    He added that the European Union is working on ProtectEU, an Internal Security Strategy designed to make law enforcement future-proof. Part of this effort includes increasing funding and expanding the mandate of Europol to respond more effectively to emerging digital threats.

    A Clear Message to Criminals

    The success of Operation RapTor sends a strong and clear message: the dark web is no longer a safe haven for criminals. While the internet provides tools that criminals can use to hide, it also offers opportunities for law enforcement to track and catch them. Through advanced investigative techniques, cross-border cooperation, and the intelligent use of data, law enforcement agencies around the world are proving that even in the darkest corners of the internet, justice can still reach.

  • Cyberattack Hits Nova Scotia Power: Customer Data Compromised
    by Samiksha Jain on May 15, 2025 at 6:56 am

    Nova Scotia’s largest electric utility, Nova Scotia Power, has confirmed that customer information was stolen in a recent cyberattack that compromised parts of its IT systems. The company, along with its Halifax-based parent firm Emera, discovered the Nova Scotia Power data breach on April 25, 2025, prompting immediate action to isolate and secure the affected servers.

    In an official update shared on Wednesday, Nova Scotia Power revealed that the cyber incident had resulted in unauthorized access to sensitive customer information. According to their investigation, the Nova Scotia Power cyberattack occurred on or around March 19, 2025, nearly five weeks before it was detected.

    Nova Scotia Power Data Breach: Investigation and Response Underway

    Nova Scotia Power stated it is working closely with external cybersecurity experts to assess the extent of the data breach and to restore and rebuild impacted systems. “We are continuing to investigate the cyber incident that has affected certain IT systems in our network,” the company said in its public communication. “Our priority is to safely and securely restore operations while protecting customer information.”

    Though the investigation is still ongoing, Nova Scotia Power has confirmed that an unauthorized third party accessed and stole certain customer data from the affected servers. Physical operations—such as power generation, distribution, and transmission—were not impacted, and customers are still receiving uninterrupted electric service.

    Types of Data Compromised

    The stolen information varies by individual and is based on what each customer had previously provided to the company. The affected data may include:

    - Full name
    - Phone number
    - Email address
    - Mailing and service addresses
    - Participation in Nova Scotia Power programs
    - Date of birth
    - Customer account history (including power consumption, service requests, payment and billing records, credit history, and past customer support communication)
    - Driver’s license number
    - Social Insurance Number (SIN)
    - Bank account numbers (for those enrolled in pre-authorized payments)

    While there is currently no evidence that the stolen information has been misused, the company is urging customers to remain alert for potential fraud or scams that may follow.

    Support for Affected Customers

    To support impacted individuals, Nova Scotia Power is offering a free two-year subscription to TransUnion’s myTrueIdentity® credit monitoring service. Affected customers will receive notification letters by mail with details about what information was exposed and how to activate the complimentary monitoring service. “If you receive a letter from us, it will contain a dedicated phone number you can call to ask questions and enroll in the credit monitoring service,” the company said in its announcement. This service is intended to help individuals detect any suspicious activity tied to their identity or financial information.

    Increase in Fraud Attempts

    Since the incident, Nova Scotia Power has noticed a surge in fraudulent messages and phishing attempts that appear to come from the utility company. These include fake emails, text messages, social media posts, and websites impersonating Nova Scotia Power. On its official website and social media, the company has issued a clear warning: “Due to the recent cyber incident, there has been an increase in fraudulent communications posing as Nova Scotia Power. Please remain cautious of any unsolicited messages asking for your personal information. Do not click on links or download attachments from unverified sources.”

    The company advises customers to confirm any suspicious communication by contacting their Customer Care Centre directly through verified contact details listed on their official website.

    Source: Nova Scotia Power Official Website

    Social Media Update

    Nova Scotia Power also used its official X (formerly Twitter) account to share updates. A thread posted on Wednesday reiterated the company’s apology and reassured customers that every effort is being made to protect their privacy. “We sincerely apologize that this has occurred. Protecting the privacy and security of the information we hold is of the utmost importance to every member of our team,” the company stated. “Starting today, notifications will be sent to impacted individuals via mail. While we have no evidence of misuse of personal information, we have arranged for a two-year subscription to TransUnion’s myTrueIdentity® credit monitoring service at no cost.”

    Source: X

    As part of its ongoing efforts, Nova Scotia Power’s IT team is working around the clock with external cybersecurity specialists to rebuild affected systems, improve security measures, and prevent future incidents. The utility emphasized that safeguarding customer data remains a top priority. It encourages customers to practice good cyber hygiene by:

    - Verifying the source of any unexpected communication
    - Not sharing personal information over phone, text, or email unless certain of the recipient’s identity
    - Monitoring financial accounts for unusual activity
    - Activating the provided credit monitoring service if notified

    What You Should Do

    If you are a Nova Scotia Power customer and suspect your information may be involved:

    - Watch for a mailed letter from the company with detailed instructions.
    - Enroll in the free two-year credit monitoring service offered through TransUnion.
    - Report any suspicious communications claiming to be from Nova Scotia Power.
    - Contact Nova Scotia Power’s Customer Care Centre if you are unsure about the authenticity of a message.

    While physical infrastructure was unaffected in the Nova Scotia Power cyberattack, the exposure of personal customer data reveals how critical IT security has become in the utility sector. As investigations continue, this cyberattack on Nova Scotia Power highlights the urgent need for stronger data protection practices, real-time dark web monitoring, and faster breach detection.
