Cyber Briefing: 2025.07.04
Fake Firefox add-ons steal crypto, IconAds hides Android adware, browser cache flaw bypasses CSP. Major breaches hit IdeaLab, CIEE One, McLaughlin & Stern. Hunters folds, West Africa scam hubs grow.
👉 What are the latest cybersecurity alerts, incidents, and news?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Malicious Firefox Add-Ons Steal Crypto Keys
Security researchers have uncovered over 40 malicious Mozilla Firefox extensions designed to steal cryptocurrency wallet secrets. The extensions impersonate legitimate tools from major platforms like Coinbase and Trust Wallet and use fake five-star reviews to appear authentic. The malware injects malicious code into clones of legitimate open-source wallets to extract users' secret keys and seed phrases. Evidence points to a Russian-speaking threat actor, and Mozilla has since removed most of the malicious add-ons from its store.
2. Google Removes 352 'IconAds' Fraud Apps
A massive ad fraud operation called IconAds used 352 malicious apps on the Google Play Store to target Android users worldwide. The scheme displayed intrusive out-of-context ads and, at its peak, generated 1.2 billion fraudulent bid requests daily. A key tactic involved the apps making their own icons invisible, making it nearly impossible for users to find and uninstall them. Security researchers from HUMAN dismantled the operation, and Google has since removed all of the malicious apps from its store.
3. Browser Cache Attack Bypasses Web Security
Researchers have discovered a new technique that bypasses nonce-based Content Security Policy (CSP) protections on modern websites. The multi-stage attack begins by using CSS injection to leak the secret CSP nonce value from a page's meta tags. It then exploits browser caching mechanisms to force the reuse of a page with the now-known nonce for a malicious payload. This method exposes websites to Cross-Site Scripting (XSS) attacks previously thought to be mitigated by these CSP protections.
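As an added, defender-side example (not from the briefing or the cited research), the following Python audit checks a captured HTTP response for the two conditions the described bypass depends on: a CSP nonce that sits in page content through a <meta> tag, and a cacheable response that can be served again carrying the same nonce. The function names and sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")  # 'nonce-<value>' tokens in a CSP
META_CSP_RE = re.compile(  # <meta http-equiv="Content-Security-Policy" ...> tags
    r"<meta[^>]+http-equiv=[\"']content-security-policy[\"'][^>]*>", re.I)

@dataclass
class CspAuditResult:
    nonces: set     # every nonce value found in the header or <meta> policy
    findings: list  # human-readable weaknesses, empty when none found

def audit_response(headers: dict, body: str) -> CspAuditResult:
    """Flag the two conditions the cache/nonce bypass relies on."""
    h = {k.lower(): v for k, v in headers.items()}
    header_nonces = set(NONCE_RE.findall(h.get("content-security-policy", "")))
    meta_nonces = set()
    for tag in META_CSP_RE.findall(body):
        meta_nonces.update(NONCE_RE.findall(tag))
    nonces = header_nonces | meta_nonces
    if not nonces:
        return CspAuditResult(nonces, ["no nonce-based CSP found"])
    findings = []
    # A policy delivered in <meta> keeps the nonce inside page content, where an
    # injection into that page can read it; a response header is not page content.
    if meta_nonces:
        findings.append("CSP nonce present in <meta> tag; deliver the policy "
                        "via the response header instead")
    # A cacheable nonced page can be served again carrying the same, now-known nonce.
    directives = {d.strip() for d in h.get("cache-control", "").lower().split(",")}
    if "no-store" not in directives:
        findings.append("nonced response is cacheable; add Cache-Control: no-store "
                        "so a page with a known nonce is never served again")
    return CspAuditResult(nonces, findings)

def nonce_reused(resp_a: tuple, resp_b: tuple) -> bool:
    """True if two (headers, body) responses share a nonce; each must mint a fresh one."""
    return bool(audit_response(*resp_a).nonces & audit_response(*resp_b).nonces)

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Security-Policy": "script-src 'nonce-abc123'",
                "Cache-Control": "public, max-age=3600"}
WEAK_BODY = ('<html><head><meta http-equiv="Content-Security-Policy" '
             'content="script-src \'nonce-abc123\'"></head><body></body></html>')
HARDENED_HEADERS = {"Content-Security-Policy": "script-src 'nonce-Zq9xQ'",
                    "Cache-Control": "no-store"}
HARDENED_BODY = '<html><head></head><body><script nonce="Zq9xQ"></script></body></html>'

if __name__ == "__main__":
    print("weak:", audit_response(WEAK_HEADERS, WEAK_BODY).findings)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_BODY).findings)
```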
💥 Cyber Incidents
4. Tech Incubator IdeaLab Discloses Data Breach
The technology incubator IdeaLab is notifying individuals of a data breach claimed by the Hunters International ransomware group. After gaining access to its systems in October 2024, the hackers leaked 262 gigabytes of stolen data on the dark web. An investigation confirmed the breach impacted current and former employees, contractors, and their dependents. Although the ransomware group recently claimed it was shutting down, IdeaLab is now offering victims two years of credit protection.
5. Brazil's CIEE One Exposes 248,000 Records
The Brazilian recruitment platform CIEE One has suffered a data breach, exposing the sensitive information of over 248,000 individuals. Security firm Resecurity identified the root cause as an exposed Google Cloud Storage bucket that was not properly secured. The compromised data, which includes PII and medical reports, was later offered for sale on the dark web by a data broker. This incident highlights the significant risks posed by misconfigured cloud services that aggregate large amounts of personal information.
6. McLaughlin & Stern Discloses Data Breach
The New York law firm McLaughlin & Stern has reported a data breach that may have compromised sensitive personal information. The firm did not state how the incident occurred but confirmed the exposed data could include names, Social Security numbers, and financial account information. The investigation confirmed that the data breach impacted current and former employees, contractors, and their dependents. McLaughlin & Stern is now notifying affected individuals and offering them two years of complimentary credit monitoring services.
📢 Cyber News
7. Spain Busts $11.8M Investment Fraud Ring
Spanish police have dismantled a large-scale investment fraud operation that stole over $11.8 million from more than 300 victims. The group operated as a shell company, using fake advisors, manipulated websites, and call centers to lure victims into fraudulent investments. The Barcelona-based call centers were unusual for their location and for featuring a "panic button" to erase data during a police raid. During coordinated raids across Spain, authorities arrested twenty-one individuals and confiscated over $1.5 million in cash and assets.
8. Ransomware Gang Hunters International Folds
The Hunters International ransomware group has announced it is closing its operations and offering free decryptors to past victims. However, researchers believe this move is a rebrand, as the group has already launched a new extortion-only site called World Leaks. Security experts have previously assessed that Hunters International was itself a rebrand of the notorious Hive ransomware gang. During its two years of operation, the gang claimed responsibility for nearly 300 attacks against targets like the U.S. Marshals Service.
9. Interpol Warns of New West Africa Scam Hub
Interpol has identified West Africa as a potential new hotspot for cybercrime scam centers, mirroring a trend that began in Southeast Asia. These illicit operations rely on human trafficking, forcing people from around the world to conduct online investment and romance scams. Victims are held in nightmarish conditions, often subjected to torture and extortion by Chinese-speaking crime syndicates. This global human trafficking crisis has now affected victims from 66 different countries, with no continent left untouched.
💡 Cyber Tip
Be Cautious as Fake Firefox Extensions Steal Crypto Wallet Keys
Researchers have discovered over 40 malicious Firefox add-ons impersonating trusted crypto wallet tools like Coinbase, MetaMask, and Trust Wallet. These extensions use fake reviews to appear legitimate and contain hidden code that steals wallet seed phrases and private keys. The campaign appears to be tied to a Russian-speaking threat group, and while Mozilla has removed most of the malicious extensions, new ones continue to surface.
✅ What you should do:
Install browser extensions only from verified developers with a long-standing reputation.
Check user reviews and download counts carefully; be suspicious of extensions with few users but many five-star ratings.
Regularly audit your browser’s installed extensions and remove any you don’t recognize or no longer use.
Avoid entering sensitive crypto information in-browser unless absolutely necessary and verified safe.
Use browser security tools that monitor for malicious behavior from add-ons.
🔒 Why this matters:
Malicious extensions run directly in your browser and can silently steal sensitive data. Once your crypto wallet keys are compromised, attackers can drain your assets with no way to recover them. Staying cautious with browser add-ons is essential for protecting your digital wealth.
📚 Cyber Book
Privacy is Power: Why and How You Should Take Back Control of Your Data by Carissa Veliz
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.