CyberSecurity Knuggets
Mar 14, 2026
Subject: Risky Bulletin: Another residential proxy provider falls as authorities continue crackdowns
Sender: risky-biz@ghost.io
Key Points:
– American and European law enforcement seized infrastructure of SocksEscort, a residential proxy provider operating since 2021 with over 369,000 IPs.
– SocksEscort was linked by the FBI, Europol, the Dutch Police, and Lumen’s Black Lotus Labs to a malware operation infecting modems and home routers, associated with the AVrecon botnet.
– The botnet supported various cybercrime activities: ransomware, DDoS attacks, CSAM distribution. Operators reportedly earned over €5 million.
– The FBI released advisories for telcos and consumers on protecting routers and detecting AVrecon infections.
– US crackdown ongoing against residential proxy networks used by foreign adversaries for masking attacks.
– Notable past takedowns include botnets like 911 S5, RSOCKS, Moobot, VPNFilter, and others.
– Breaches & incidents reported this week include:
* Former DOGE employee accused of stealing SSA data affecting 500 million Americans.
* FBI hacked in 2023, Epstein sex trafficking documents stolen.
* Iranian hackers wiped Stryker medical device maker’s systems; attributed to hacktivist group Handala.
* Cyberattacks targeted Polish nuclear center, Israel Railways signage, and Albania Parliament, linked to Iranian actors.
* Multiple data breaches reported at Quittr, Loblaw, Telus, and Laurens County (SC); Lotte Card fined for a data leak.
* Michelin hit by Oracle EBS server hacking spree.
– General tech news: Dutch ISP Odido removed unauthorized AI telemetry data collection; Node.js slows release schedule; Atlassian layoffs; Automattic launches local WordPress instance; Chrome 146 release with new Sanitizer API; YouTube expands likeness detection; Meta introduces parental controls on WhatsApp.
– Government & policy: China warns against OpenClaw AI agent due to security risks; Iran threatens US tech firms; France reports rising data theft amid declining ransomware; new US Cyber Command leader appointed; EU extends voluntary CSAM scanning but Parliament votes to end untargeted mass scanning.
– Arrests & cybercrime: Thai police arrest 21 in scam operations; Nigerian hackers arrested in India; DigitalMint employee charged for ransomware attacks; Dutch police warn against hostile web hosting resellers; Joint ISAC advisory on Iranian threats; CISA mandates Cisco SD-WAN log uploads; malicious themes and campaigns uncovered; new threat actor techniques involving RMM daisy-chaining and Telegram bot abuse.
– Malware reports: Several botnets (RCtea, RondoDox), new malware variants (BlackSanta, Falcon, Venon), and attacks like PixRevolution highlighted.
– APT activity: Increased espionage around Middle East conflicts; Iranian hacktivist Handala profiled; Russian APT28 leaked Roundcube exploit kit.
– Vulnerabilities & patches: Apple patches iOS exploits (Coruna), Cisco advisories, live n8n exploitation, Simple-Git RCE, Azure Arc local privilege escalation patched, new ZIP evasion techniques, Google bug bounty totals top $17 million in 2025.
– Industry & events: Logpoint rebrands to Guardsix; Google closes Wiz deal; Kaspersky cuts French staff; ENISA releases package manager security guide; open source tools and conference videos released; podcasts on Trump Cyber Strategy and US cyber operations in Iran.
Subject: International operation takes down massive cybercrime proxy network SocksEscort
Sender: info@metacurity.com
Key Points:
– US and European law enforcement dismantled SocksEscort, a global proxy network built from hacked routers and other devices.
– SocksEscort operated a paid residential proxy service, facilitating cybercrime by masking attacker locations via approx. 369,000 compromised IPs across 163 countries since 2020.
– The action involved the FBI, Europol, Eurojust, and agencies from Austria, France, the Netherlands, and the US; 34 domains and 23 servers were seized and roughly $3.5M in cryptocurrency frozen.
– The malware AVrecon infected routers, allowing attackers to route malicious traffic anonymously; botnet kept ~20,000 active infected devices at once.
– Crimes facilitated include cryptocurrency theft, account takeovers, and financial fraud in the US, e.g. a $1M crypto theft, $700k manufacturing fraud, and $100k military credit card fraud.
– The FBI issued an advisory on securing routers: update firmware, disable remote access features, change default passwords, and monitor for suspicious activity.
– Case highlights criminals’ increasing use of hijacked home devices to evade detection.
– Other major incidents:
* Telus investigates breach claimed by extortion group ShinyHunters; no impact on core services confirmed.
* Medical device maker Stryker hit by disruptive cyberattack linked to Iran-aligned actors, causing operational delays; Handala hacktivist claims responsibility.
* Former DOGE employee John Solly accused of stealing SSA data; internal and agency investigations ongoing; Solly denies allegations.
* GAO finds gaps in Pentagon’s Cybersecurity Maturity Model Certification (CMMC) rollout planning; DoD plans risk assessments.
* Google fixes two actively exploited Chrome zero-days (CVE-2026-3909 and CVE-2026-3910).
* Endor Labs exposes PhantomRaven npm supply-chain malware campaign stealing developer credentials and CI/CD tokens.
* Starbucks reports breach of 889 employee HR accounts; data exposed includes sensitive personal and banking info; identity protection offered.
* England Hockey investigates ransomware claim by AiLock group with 129GB data theft threat.
* FBI’s searches of Americans’ data collected under Section 702 FISA increased ~35% in 2025, raising privacy concerns amid upcoming reauthorization.
* Google paid $17M+ in bug bounties in 2025, a 40% increase over previous year, including new AI-related bug bounty programs.
– European Parliament voted against untargeted mass scanning of private communications (“Chat Control”).
– Data Labelers Association in Kenya demands better pay and conditions for AI training work.
– US officials warn about China’s extensive infiltration of telecoms.
– False positives in facial recognition continue to cause wrongful arrests as in recent Tennessee case.
Subject: Hacker Newsletter #786
Sender: kale@hackernewsletter.com
Summary:
– Weekly curated content from Hacker News community.
– Highlights include tech essays, programming language development using Claude Code, software projects, and discussions on AI-assisted coding.
– Features articles on software tools, programming tips, design resources like turning handwriting into fonts, and thought pieces on stagnancy in publishing, science fiction, and personal productivity.
– Miscellaneous topics on workplace culture, security interviews, manufacturing precision, and leisure gaming.
– Community discussions on research projects, OSINT dashboards, automation, and AI agent engineering.
– The newsletter emphasizes human-driven conversation without AI-generated moderation.
Subject: The Homeland Security surveillance machines
Sender: info@metacurity.com
Key Points:
– A series of press investigations exposes a quietly built DHS surveillance system tracking Americans’ movements, identities, and digital activities.
– Mother Jones reports on DHS and US Secret Service plan for a central travel records database collecting airline passenger manifests and itineraries nationwide.
– Wired reveals internal turmoil in DHS privacy oversight after disclosure of biometric identification tools capturing data from migrants and US citizens; privacy teams reassigned and documents withheld from FOIA requests.
– Privacy Threshold Analyses, important for public transparency on surveillance, are being classified as privileged, limiting access.
– Independent reports from 404 Media highlight immigration enforcement’s use of commercial data brokers and analytics platforms to track individuals.
– The investigations collectively indicate a sweeping expansion of DHS’s surveillance infrastructure with limited public knowledge or oversight.
Subject: Europol and Interpol announce counter-cybercrime operations | The CyberWire 3.13.26
Sender: editor@newsletter.n2k.com
Highlights:
– Europol launched “Operation Lightning,” dismantling the SocksEscort criminal proxy service built on over 369,000 compromised routers and IoT devices globally; domains and servers seized in seven countries; $3.5M in crypto frozen; cooperation from Eurojust, Austria, France, the Netherlands, and the US.
– Interpol concluded third wave of Operation Synergia with takedown of 45,000 malicious IPs/servers and 94 arrests across 72 countries; 40 arrests in Bangladesh; 110 under investigation.
– Google released emergency patches for two actively exploited Chrome zero-days: CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (remote code execution in V8 engine).
– US DOJ charged Angelo Martino, former ransomware negotiator, for collaborating with BlackCat ransomware group to increase ransom payouts; co-conspirators previously pleaded guilty; DigitalMint and Sygnia firms not accused.
– Sponsored messaging emphasizes controlling application execution and security through ThreatLocker and Meter enterprise network solutions.
– CyberWire also promotes RSAC 2026 conference to gather cybersecurity community in San Francisco.
Subject: Iran-Linked Hackers Take Aim at US and Other Targets, Raising Risk of Cyberattacks During Wars
Sender: news@securityweek.com
Summary:
– Iran-linked hackers continue disruptive cyber operations, including the attack on Stryker disrupting manufacturing and shipping.
– Increasing cyberattacks targeting US and allied targets raise concerns about escalation during ongoing and future conflicts.
– Exploitation of vulnerabilities in platforms such as the n8n workflow automation software; Slopoly malware spreading.
– Interpol announces cybercrime crackdowns aligning with similar international enforcement actions against SocksEscort.
– Major data breach at Starbucks affecting hundreds of employees after phishing gave attackers access to internal HR accounts; sensitive PII and banking details compromised.
– Security funding landscape evolving with new startups raising $40M.
– Google’s bug bounty payout surpasses $17M in 2025, showing continued emphasis on vulnerability discovery.
– Meta launches new security tools and platform protections.
– Chrome 146 update patches two active zero-days; Apple updates legacy iOS versions to address Coruna exploit framework.
– Other key stories: ransomware and malware developments, federal leadership appointments, and major cybersecurity conferences upcoming.
Summary of Insights Across Emails:
– Significant international law enforcement coordination culminated in the takedown of SocksEscort, a major residential proxy crime network based on infected home internet devices globally.
– Related disclosures highlight growing risks from malware like AVrecon and supply-chain infection campaigns (e.g., PhantomRaven npm malware).
– High-profile cyberattacks and data breaches continue, notably involving Iranian-linked threat actors and targeting medical, government, and corporate sectors.
– Software patching remains critical; Chrome zero-day exploits fixed urgently and numerous advisories released.
– Privacy and surveillance concerns arise around DHS’s expanded domestic tracking infrastructure and increasing FBI querying of surveillance data.
– Security research and bug bounty programs are growing, with large payouts from Google and increasing attention to AI-related vulnerabilities.
– Cybersecurity community and industry initiatives continue with events, tool releases, and collaborative threat intelligence sharing.
Stay Well!
