Spotify music library scraped, DDoS disrupts French postal services, Fake delivery sites hit holiday shoppers - Cybersecurity Headlines

Summary5 min read

Cyber Security Headlines – December 23, 2025

Host: Sarah Lane | Podcast: CISO Series
Episode Theme:
A run-through of the day’s top information security news stories, with a focus on a major Spotify data scrape, DDoS attack on French postal services, holiday phishing scams, and developments in global cybercrime.

Main Theme Overview

This episode highlights significant cybersecurity events including the large-scale scraping of Spotify’s music library by data pirates, disruptive DDoS attacks affecting France’s postal and banking services, a surge in holiday-themed phishing attacks, and notable updates about malware campaigns in Uzbekistan, malicious npm packages, international cybercrime arrests, and new identity verification laws in South Korea.

Key Discussion Points and Insights

[00:08] Spotify Music Library Scraped

Incident: Anna's Archive, a pirate activist collective, scraped Spotify’s entire music database:
- Stolen Data: 256 million rows of track metadata, 86 million audio files (~300 TB).
- Stated Purpose: To create a “preservation archive” and “safeguard humanity's musical heritage.”
- Violations: This act breaches Spotify’s terms and copyright law.
- Spotify’s Response:
  - Confirmed scraping of public metadata and attempts to bypass DRM for some files.
  - Disabled involved accounts and introduced new safeguards.
  - Stressed that no user account data was compromised.

Quote:
"Anna's Archive describes this as a mission to safeguard humanity's musical heritage, but this violates copyright and Spotify's terms." — Sarah Lane [00:16]

[01:04] CISA’s ASUS Live Update CVE Update

Clarification: Last week’s CISA advisory about an ASUS Live Update vulnerability actually refers to the Shadow Hammer supply chain attack (2018–2019).
- The software is end-of-life; fixes issued years ago.
- No current risk to supported ASUS devices; the listing is retrospective documentation, not about a new threat.

[01:34] DDoS Disrupts France's Postal and Banking Services

Incident:
- La Poste (France's national postal service) experienced a significant DDoS (Distributed Denial of Service) attack.
- Impacts:
  - Disrupted websites and mobile apps.
  - Slowed deliveries, knocked digital services offline.
  - Lebanc Postal's online banking and app affected, but card payments, ATMs, and in-store transactions were unaffected.
  - Some physical post offices worked at reduced capacity.
  - No evidence of customer data compromise.

Quote:
"France's national postal service La Poste says a suspected DDoS attack disposal disrupted its websites and mobile apps, slowing deliveries and knocking some digital services offline." — Sarah Lane [01:36]

[02:04] Fake Delivery Websites Hit Holiday Shoppers

Trend: Cybercriminals increased fake delivery website campaigns by 86% ahead of the holidays.
- Common Tactics: Phishing texts/emails purportedly from postal carriers.
- Impersonated Brands: DHL (#1), spikes in fake USPS sites (+850% month over month).
- Objective: Exploit shopper urgency about deliveries to steal personal/financial information.
- Impact:
  - Text message fraud losses for 2024: $470 million (FTC data).

Quote:
"Cybercriminals ramped up fake Delivery websites by 86% in the past month, targeting holiday shoppers with phishing texts and emails posing as postal alerts." — Sarah Lane [02:07]

[02:50] Uzbek Android Users Targeted by SMS Stealers

Attack:
- Group-IB analysts found Android malware in Uzbekistan, distributed via Telegram and linked to multiple threat groups.
- Capabilities:
  - Uses droppers, obfuscation, and social engineering.
  - Steals banking credentials, funds.
  - Persists by hijacking Telegram accounts, spreading further to victim contacts.
- Note: Campaign seen as a significant leap in attacker sophistication since October.

[03:40] Fake WhatsApp API Package Steals Data

Threat:
- Malicious npm package ‘Lotus Bail’ posing as a legit WhatsApp API—downloaded 56,000+ times.
- What it does:
  - Steals messages, contacts, media, and auth tokens.
  - Silently links attacker’s device to victim’s WhatsApp for persistent access.
  - Mimics the Bailey’s WhatsApp web library, intercepts WebSocket traffic, and even survives package removal unless the victim manually revokes access.

[04:40] Interpol-Led Action Decrypts Ransomware Strains

Operation Sentinel: International Interpol action:
- Results:
  - 574 arrests.
  - 6,000+ malicious links taken down.
  - Decryption of six ransomware strains across 19 countries (especially Africa).
  - $3 million recovered (cases tied to $20 million+ in losses).
- Help From: Private sector (Trend Micro, Shadow Server).
- Note: Finance and energy cyberattacks are accelerating in Africa.

Quote:
"Interpol says Operation Sentinel led to 574 arrests, the takedown of more than 6,000 malicious links and the decryption of six ransomware strains across 19 countries, mainly in Africa." — Sarah Lane [04:43]

[05:22] South Korea to Require Facial Recognition for Mobile Numbers

Policy Change:
- From March 23, facial recognition required when registering new mobile numbers.
- Goal: Combat identity theft, voice phishing.
- Scope: Applies to all major carriers and MVNOs.
- Context:
  - Over 21,000 phishing cases in the year.
  - Recent breach at SK Telecom exposed SIM data for almost 27 million users.
Broader Implication: Represents a global trend of tightening identity verification in telecom.

Notable Quotes & Memorable Moments

Spotify scraping motivation:
"Anna's Archive describes this as a mission to safeguard humanity's musical heritage, but this violates copyright and Spotify's terms." — Sarah Lane [00:16]
French postal attack impact:
"La Poste says a suspected DDoS attack ... knocked some digital services offline." — [01:36]
Concerning text fraud growth:
"... losses from text message fraud continue to climb, with FTC data showing $470 million lost in 2024." — [02:30]
On Interpol’s Operation Sentinel:
"Operation Sentinel led to 574 arrests, the takedown of more than 6,000 malicious links and the decryption of six ransomware strains ..." — [04:43]

Timestamps for Major Segments

Spotify Data Scraping: [00:08–01:04]
CISA/ASUS Shadow Hammer Update: [01:04–01:34]
French Postal DDoS Attack: [01:34–02:04]
Fake Delivery Websites/Phishing: [02:04–02:50]
Uzbek Android Malware Campaign: [02:50–03:40]
Malicious WhatsApp npm Package: [03:40–04:40]
Interpol’s Ransomware Crackdown: [04:40–05:22]
South Korea’s Facial Recognition Law: [05:22–06:05]

Summary

This episode delivers fast-paced coverage of global cybersecurity news, marked by escalations in data scrapes, DDoS attacks, and phishing campaigns during the holiday season, along with global law enforcement successes and new legislative responses to cyber threats. Listeners get both headline news and clear implications for digital trust and safety.

For more details or to follow up on any story, visit CISOseries.com.

Loading summary

Transcript3 lines

[00:00]
A
From the CISO series it's Cybersecurity Headlines.
[00:07]
B
These are the cybersecurity headlines for Tuesday, December 23, 2025. I'm Sarah Lane. Spotify Music Library Scraped A pirate activist group called Anna's Archive scraped Spotify's Music library, collecting 256 million rows of track metadata and 86 million audio files totaling around 300 terabytes of data. It says it plans to distribute it as a preservation archive. Anna's Archive describes this as a mission to safeguard humanity's musical heritage, but this violates copyright and Spotify's terms. The company confirmed the unauthorized access to scrape public metadata and bypass DRM to access social media some audio files, but says it's disabled. The accounts involved added safeguards and there is no indication that user account Data was compromised. CISA's ASUS Live update CVE Update Last week we told you that CISA added a new vulnerability to its known exploited vulnerabilities list, but the issue appears to document the 2018-2019 shadow hammer supply chain attack against ASUS Live Update which which wouldn't be a new or active threat. The compromised software is end of life fixes were issued years ago and no supported ASUS devices appear to be affected, with the recent activity reflecting retrospective documentation rather than new exploitation. DDoS disrupts France's postal and banking services France's national postal service La Poste says a suspected DDoS attack disposal disrupted its websites and mobile apps, slowing deliveries and knocking some digital services offline. The outage also affected Lebanc Postal's online banking and mobile app, though card payments, ATMs and in store transactions continued to work, there's no evidence that customer data was compromised. Some post offices operated at reduced capacity as teams worked to restore services. Fake delivery websites hit holiday shoppers Cybercriminals ramped up fake Delivery websites by 86% in the past month, targeting holiday shoppers with phishing texts and emails posing as postal alerts. That's according to NORDVPN data, DHL was the most impersonated carrier, while fake USPS sites surged 850%, but month over month exploiting urgency around delayed packages to steal personal and financial information. Losses from text message fraud continue to climb, with ftc data showing $470 million lost in 2024. Huge thanks to our sponsor Threat Locker. Want real zero trust training? Zero Trust World 2026 delivers hands on labs and workshops that show CISO's exactly how to implement and maintain zero trust in real environments. Join us March 4th through the 6th in Orlando, plus a live CISO series episode on March 6th. Get $200 off with ztw ciso26.com Uzbek users attacked by SMS stealers Security researchers at Group IB say Android users in Uzbekistan are facing a new wave of SMS stealer malware attacks spread via Telegram with multiple threat groups. Using sophisticated droppers, obfuscation and social engineering, the malware steals banking credentials and funds. It quietly persists on devices and spreads by hijacking victims Telegram accounts to target their contacts. Group IB says the campaign marks a significant jump in operational maturity since October. Fake WhatsApp API package steals data Researchers from Coy Security say a malicious NPM package called Lotus Bail, posing As a legitimate WhatsApp API has been downloaded more than 56,000 times and can steal messages, contacts, media and authentication tokens while silently linking an attacker's device to a victim's WhatsApp account for persistent access. The malware mimics the Bailey's WhatsApp web library, intercepts Web socket traffic, exfiltrates encrypted data and remains active even after removal unless the linked device is manually revoked. Interpol led action decrypts ransomware strains Interpol says Operation Sentinel led to 574 arrests, the takedown of more than 6,000 malicious links and the decryption of six ransomware strains across 19 countries, mainly in Africa. Authorities also recovered $3 million with cases tied to more than $20 million in losses, including business, email, compromise, ransomware and large scale fraud with private sector help from firms including Trend Micro and Shadow Server. Interpol says cyber attacks targeting sectors like finance and energy in Africa are accelerating South Korea to require facial recognition for mobile numbers South Korea will require facial recognition when registering new mobile phone numbers starting March 23 following a pilot program. This is part of a broader push to curb identity theft and voice phishing scams. The policy applies to major carriers and MVNOs and comes after more than 21,000 phishing cases this year in and a major breach at SK Telecom that exposed SIM Data from nearly 27 million users. If you have thoughts on the news from today or about our show in general, be sure to reach out to us@feedbacksoseries.com we really want to hear from you. I am Sarah Lane reporting for the CISO series. You stay classy and dry and warm or cool.
[06:34]
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.