Lights out for Lumma. - CyberWire Daily

Summary8 min read

CyberWire Daily: "Lights out for Lumma" – May 22, 2025

Hosted by N2K Networks

Introduction

On the May 22, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive overview of the latest cybersecurity developments, including significant breaches, regulatory actions, and evolving threats. The episode culminates with an in-depth interview with David Holmes, CTO for Application Security at Imperva, who provides expert insights into the role of artificial intelligence (AI) in bot-driven cyber attacks and scams.

Key Highlights

1. Joint Operation Takes Down Luma Infrastructure

A major international collaboration involving U.S., EU, and Japanese authorities, supported by Microsoft and other cybersecurity firms, successfully dismantled the infrastructure behind Luma, a notorious infostealer malware also known as Luma C2. Since its emergence in 2023, Luma has infected over 10 million devices, exfiltrating sensitive data such as passwords, credit card information, and cryptocurrency wallets. According to the FBI, Luma facilitated approximately $36.5 million in credit card thefts in 2023 alone. Microsoft reported nearly 400,000 infections between March and May 2025.

“This takedown is a significant setback for cybercriminals, but they may attempt to rebuild,” warned the FBI at [02:30].

The operation successfully took down around 2,300 domains, disrupting communications between infected devices and Luma servers. Developed by a Russian actor known as Shamel, Luma was distributed via Telegram and utilized in phishing and malvertising campaigns, making it accessible even to low-skilled criminals through a subscription model.

2. FTC Finalizes Security Settlement with GoDaddy

The Federal Trade Commission (FTC) has imposed a security settlement on GoDaddy following years of data breaches attributed to inadequate security measures. The FTC identified critical lapses, including the absence of multi-factor authentication (MFA), improper software updates, and insufficient threat monitoring, which led to multiple breaches from 2019 to 2022. In one notable incident, attackers installed malware and stole source code after prolonged undetected access.

Under the settlement, GoDaddy is mandated to:

Implement MFA for all users, including non-phone options.
Ensure all software and firmware are regularly updated.
Establish a robust security program, including independent security assessments every two years.
Report any data exposure incidents within 10 days.

GoDaddy has acknowledged the changes but the settlement does not include any admission of fault or financial penalties.

“GoDaddy must not mislead customers about security,” stated the FTC spokesperson at [05:45].

3. Telemessage Breach Compromises US Officials’ Messages

A breach of Telemessage, a government-secured messaging service based on Signal, has exposed messages from over 60 US officials, including those from FEMA, Customs, the Secret Service, and even one White House staffer. Reuters, analyzing data leaked by Distributed Denial of Secrets, discovered intercepted chats that included sensitive travel discussions. Although much of the data was fragmentary, the breach heightens metadata-related counterintelligence risks.

“The breach raises significant concerns about the security of metadata,” noted a cybersecurity expert at [08:15].

Telemessage, which archives encrypted messages for compliance, went offline on May 5 after a Reuters photo revealed its use by former Trump national security adviser Mike Waltz. The White House has acknowledged the incident but has provided limited details.

In response, Signal Desktop has introduced a new screen security feature for Windows 11 to block screenshots and protect chats from Microsoft's Recall feature, enhancing user privacy against similar vulnerabilities.

4. Insider Breach at Opexus Affects Multiple Federal Agencies

Opexus, a software provider servicing nearly all US federal agencies, suffered a significant breach in February 2025 due to insider threats. Twin brothers Muneeb and Sahaib Akhtar, previously convicted hackers hired as engineers, allegedly accessed and deleted sensitive data from agencies including the IRS and GSA. The breach resulted in the permanent loss of records, including FOIA requests, and disrupted key systems.

A Mandiant report highlighted severe security lapses at Opexus, such as improper access controls during employee terminations and inadequate data security measures. As a result, the FBI is investigating, and federal agencies are reassessing their contracts with Opexus.

“The breach exposed critical vulnerabilities in contractor vetting and data security within government IT systems,” explained a Mandiant analyst at [10:50].

5. US Telecom Providers Fail to Notify Senate of Data Requests

An investigation led by Senator Ron Wyden revealed that major US telecom providers—AT&T, Verizon, and T-Mobile—failed to notify the Senate when law enforcement agencies requested data from Senate-issued devices. This oversight left senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the required notifications.

In response, all three companies have initiated compliance with the Senate's notification requirements for Senate-funded lines. However, gaps remain, particularly concerning personal and campaign devices commonly used by senators. T-Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate sergeant at arms, while AT&T and Verizon are limited to Senate-issued lines.

“We urge our colleagues to consider carriers that comply with notification requirements,” stated Senator Wyden at [12:20].

6. Dragon Force Ransomware Group Evolves

Dragon Force, an emerging ransomware group, is redefining the threat landscape with its aggressive tactics and strategic repositioning. Initially appearing in 2023 with a ransomware-as-a-service model, Dragon Force rebranded as a cartel in March 2025, allowing affiliates to use its infrastructure while branding their own campaigns. They have targeted both IT and virtualized environments and have reportedly collaborated with the Ransom Hub group, including defacing rival leak sites and attempting a hostile takeover of Ransom Hub's infrastructure.

Recent attacks by Dragon Force have included malware linked to Gold Harvest (Scattered Spider), a cybercriminal collective known for social engineering, MFA bypasses, and the use of infostealers. High-profile targets include UK retailers like Marks & Spencer, underscoring the group's sophisticated and adaptable nature.

“Organizations must reinforce social engineering defenses and monitor credentials to combat these evolving threats,” advised a Sophos security expert at [14:35].

7. Data Breach at UK’s Legal Aid Agency Exposes Domestic Abuse Survivors

A cyberattack on the UK's Legal Aid Agency has compromised the personal data of over 2 million individuals, including survivors of domestic abuse. The Ministry of Justice confirmed that applicants for legal aid since 2010 are affected, with exposed data including addresses, national IDs, and contact details. This breach poses significant risks, such as harassment, impersonation, and tracking of survivors.

The Ministry of Justice has refused to pay ransom and is proactively contacting vulnerable individuals, prioritizing abuse survivors, asylum seekers, and trafficking victims. Refuge, a charity supporting abuse survivors, warns that the data leak could escalate abuse campaigns despite a court injunction against distribution.

“We urge affected individuals to contact legal advisors immediately,” stated a Refuge spokesperson at [16:10].

8. Lexmark Discloses Critical Printer Vulnerability

Lexmark has identified a critical vulnerability in the embedded web server of over 120 printer models. The flaw combines a path traversal and concurrent execution issue, enabling remote attackers to access unauthorized files and execute arbitrary code. Exploiting this vulnerability could allow full compromise of affected printers.

Users are strongly advised to update their firmware to mitigate the threat and prevent potential exploitation.

“This vulnerability could allow attackers to fully compromise your Lexmark printer,” warned Lexmark's security team at [17:40].

In-Depth Interview: The Role of AI in Bot Attacks with David Holmes

In the latter part of the episode, Dave Bittner engages in a detailed conversation with David Holmes, CTO for Application Security at Imperva. They delve into the findings of the 2025 Bad Bot Report, highlighting the escalating sophistication and prevalence of bot-driven cyber threats.

Bot Traffic Surpasses Human Traffic

David Holmes explains that for the first time in over a decade, automated traffic surpassed human-generated traffic, constituting 51% of all web traffic. Of this, 37% is malicious automation, meaning approximately 80% of bot traffic is harmful, leaving only 20% as benign bots like web crawlers.

“The average Joe on the street has no idea that a hidden war is being fought across every website they visit,” said Dave Bittner at [15:23].

AI’s Dual Role in Bot Attacks

Holmes discusses how AI tools have lowered the barrier for cyber attackers. Even novice hackers can create malicious bots with minimal effort by leveraging AI-driven scripts.

“The number of accessible AI tools has significantly lowered the barrier of entry for cyber attackers,” Holmes noted at [16:34].
Advanced attackers utilize AI to refine their bots, making them more effective and harder to detect. This dual use of AI—both by low-skilled and highly skilled attackers—has expanded the complexity and volume of bot attacks.

“We’re seeing AI at both the simple end and the advanced end of the spectrum,” Holmes added at [17:00].

Common Evasion Tactics

Bots continuously evolve to evade detection. As soon as defenders identify and block a bot's fingerprint, the attackers adapt by modifying their tactics to bypass new defenses.

“It’s a constant retooling on their part to evade your fingerprint and continue conducting business,” Holmes explained at [18:04].

Exploitation of APIs

A significant concern highlighted is the exploitation of APIs by malicious bots. Holmes emphasizes that about half of the advanced malicious bots are attacking APIs, targeting high-value digital assets like bank accounts and airline reservations.

“It’s easier for them to directly machine to machine for their attack,” stated Holmes at [19:20].

Recommendations to Combat Bot Threats

Holmes outlines several strategies to mitigate bot attacks:

Implement Risk Identification: Understanding the value of assets and monitoring potential targets for attacks.
Enhance API Security: Evolving API defenses to address the increasing targeting by bots.
Use Automation in Defense: Leveraging automation and AI to defend against automated attacks, while acknowledging the need for human oversight.
Monitor and Respond Continuously: Establishing robust monitoring systems to detect and respond to bot activities promptly.

“It’s time for everybody to start evolving their API security,” Holmes urged at [20:25].

Future Outlook

Looking ahead, Holmes predicts a steady increase in malicious bot attacks due to the ease and cost-effectiveness of launching such attacks. Unlike seasonal spikes seen in previous years, bot attacks are expected to continue year-round, driven by the persistent financial incentives for cybercriminals.

“We’re not going to see as much seasonality and we’re just going to see more and more malicious attacks,” concluded Holmes at [21:44].

Conclusion

The "Lights out for Lumma" episode of CyberWire Daily provides a thorough examination of current cybersecurity challenges, from major malware takedowns and regulatory actions to sophisticated ransomware groups and critical data breaches. The feature interview with David Holmes offers valuable perspectives on the evolving landscape of bot-driven threats, emphasizing the critical role of AI in both facilitating and combating cyber attacks. Cybersecurity professionals and enthusiasts alike will find the episode's insights and recommendations crucial for navigating the increasingly complex digital defense environment.

For more detailed stories and updates, visit CyberWire Daily and subscribe to their daily briefing.

Loading summary

Transcript20 lines

[00:02]
Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
[00:12]
David Holmes
And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire a joint operation takes down Luma infrastructure the FTC finalizes a security settlement with GoDaddy. The telemessage breach compromised far more US officials than initially known Twin hackers allegedly breach a major federal software provider from the inside. US telecom providers fail to notify the Senate when law enforcement agencies request data from Senate issued devices. Dragon Force makes its mark on the ransomware front. A data leak threatens survivors of domestic abuse in the UK Lexmark discloses a critical vulnerability affecting over 120 printer models. Our guest is David Holmes, CTO for application security at Imperva, with insights on the role of AI in bot attacks and scammers. Ships stolen cash in squishmallows Foreign It's Thursday, May 22, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. Great to have you with us as always. A joint operation by us, EU and Japanese authorities, with help from Microsoft and other cybersecurity firms, has dismantled the infrastructure behind Luma, a major infostealer malware also known as Luma C2. The malware has infected millions of devices since 2023, stealing sensitive data like passwords, credit card info and cryptocurrency wallets. Luma was sold via subscription, making it easy for even low skilled criminals to exploit. The FBI tracked over 10 million infections and estimated $36.5 million in credit card thefts in 2023 alone. Microsoft identified nearly 400,000 infections between March and May of this year. The operation took down about 2,300 domains and disrupted communications between infected devices and Luma servers. Developed by a Russian actor known as Shamel, Luma has been marketed on Telegram and used in phishing and malvertising campaigns. The FBI warned that while this takedown is a blow, Luma's operations may attempt to rebuild. The Federal Trade Commission has finalized an order requiring GoDaddy to bolster its security after years of data breaches due to weak practices, the agency found GoDaddy lacked key protections like multi factor authentication, proper software updates and threat monitoring leading to breaches between 2019 and 2022. In one case, attackers installed malware and stole source code after years of undetected access. Under the new order, GoDaddy must not mislead customers about security, implement HTTPs for APIs, ensure software and firmware are updated, and set up a robust security program. The company must also add MFA for all users, including non phone options, and undergo independent security assessments every two years. GoDaddy must report any data exposure incidents within 10 days. While GoDaddy says it's already making changes, the settlement includes no admission of fault or fines. A hacker breach of Telemessage, a government used messaging service based on Signal compromised messages from over 60 US officials, far more than previously known. Reuters reviewed a cache of leaked data provided by Distributed Denial of Secrets. The material revealed intercepted chats from fema, Customs, the Secret Service, US Diplomats, and even one White House staffer. Though much of the data was fragmentary and not overtly sensitive, it included travel related discussions for senior officials. Telemessage, little known outside federal circles, became public after a Reuters photo showed former Trump national security adviser Mike Waltz using the app. The service, which archives encrypted messages for compliance, went offline May 5. The breach raises metadata related counterintelligence risks, experts say. While some users confirmed message authenticity, federal agencies have offered little comment. The White House acknowledged the cybersecurity incident but didn't elaborate on its use of the platform. Elsewhere, Signal Desktop has added a new screen security feature for Windows 11 to block screenshots and protected chats from Microsoft Recall, which captures app screenshots every few seconds. This setting, now enabled by default, uses a DRM flag to prevent content from appearing in Recall or similar tools. Signal made the move after Microsoft relaunched Recall despite prior backlash. While the setting may impact usability and accessibility, users can disable it with a warning. Signal urges OS vendors to better support privacy focused apps. Bloomberg reports that opexis, a software provider for nearly all US Federal agencies, suffered a major cyber breach in February caused by insider threats. Twin brothers Muneeb and Sahaib Akhtar, both convicted hackers hired as engineers despite their past, they allegedly accessed and deleted sensitive data across multiple agencies, including the IRS and gsa. The attack disrupted key systems and permanently erased records, including FOIA requests. The FBI is investigating, and federal agencies are reassessing contracts with opexus A Mandiant report revealed serious security lapses, including improper access during termination and file exfiltration, contradicting opex's public claims the breach exposed the vulnerabilities in contractor vetting and data security within government IT systems. Under contracts established in 2020, major US telecom providers at and T, Verizon and T Mobile are required to notify the Senate when law enforcement agencies request data from Senate issued devices. However, an investigation by Senator Ron Wyden revealed that these carriers failed to implement such notification systems, leaving senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the mandated notification. Following the investigation, all three companies have begun complying with the notification requirement for Senate funded lines. Nevertheless, significant gaps remain, particularly concerning personal and campaign devices, which are commonly used by Senators but fall outside the scope of current protections. While AT and T and Verizon limit notifications to Senate issued lines, T Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate sergeant at arms. Senator Wyden urges his colleagues to consider switching to carriers like T Mobile, Google, fi, US Mobile and cape, which have policies to inform customers of government surveillance demands whenever legally permissible. Dragon Force is a rising ransomware group reshaping the threat landscape through aggressive tactics and strategic repositioning, Sophos reports. First appearing in 2023 with a standard ransomware as a service model, the group rebranded in March of this year as a cartel, offering affiliates flexibility to use its infrastructure while branding their own campaigns. Dragon Force has targeted both IT and virtualized environments and reportedly teamed up, if contentiously, with the prolific Ransom Hub group. This included defacing rival leak sites and a potential hostile takeover of Ransom Hub's infrastructure. In recent attacks, Dragon Force linked malware was used by Gold Harvest, also known as Scattered Spider, a decentralized cybercriminal collective known for social engineering, MFA bypasses and use of infostealers. Attacks on UK retailers including Marks and Spencer, highlight their threat as internal feuds destabilize ransomware networks, organizations must reinforce social engineering defenses, monitor credentials and strengthen incident response to withstand unpredictable attacks from increasingly flexible and chaotic cybercrime groups. A CyberAttack on the UK's Legal Aid Agency has exposed sensitive data of over 2 million people, including survivors of domestic abuse, raising fears of imminent leaks. The Ministry of Justice confirmed that anyone who applied for legal aid since 2010 could be affected. Compromised data includes addresses, national IDs and contact details, potentially revealing the locations of confidential women's refuges. The MOJ has refused to pay ransom and is preparing to contact vulnerable individuals, prioritizing abuse survivors, asylum seekers and trafficking victims. Refuge, a charity supporting abuse survivors, warns the breach could escalate abuse campaigns, including harassment, impersonation or tracking survivors. While a court injunction has been issued against the data's distribution, it's unlikely to deter cybercriminals. Refuge is working to identify at risk individuals and urges anyone affected to contact legal advisors immediately. Lexmark has disclosed a critical vulnerability affecting the embedded web server in over 120 printer models. The flaw combines a path traversal and concurrent execution issue, allowing remote attackers to access unauthorized files and execute arbitrary code. If exploited, this vulnerability could let attackers fully compromise affected Lexmark printers. Users are urged to update firmware to mitigate the threat. Coming up after the break, my conversation with David Holmes from Imperva. We're discussing the role of AI in bot attacks and scammers ship stolen cash in squishmallows. Stay with us.
[12:46]
Vanta Representative
Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear. There is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact.
[13:42]
David Holmes
So if you're ready to trade in.
[13:43]
Vanta Representative
Chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber.
[14:05]
David Holmes
Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire. David Holmes is CTO for application security at Imperva I recently caught up with him for insights on the role of AI in bot attacks. So today we are talking about the 2025 Bad Bot Report. Can we start off here with some high level stuff? What prompts the creation of this report? Every year we do this to bring.
[15:23]
Dave Bittner
Awareness to the, say, problem of malicious automation. People who run popular websites are very, very familiar with this problem. But your average Joe on the street has no idea that day after day this sort of hidden war is being fought across every website that they go and visit on a regular basis. And so part of it is a tribute to the defender.
[15:46]
David Holmes
Well, let's talk about some of the details here. I mean, can you give us some of the groundwork here on exactly where we find ourselves with the bot situation?
[15:58]
Dave Bittner
This past year was the first time in over a decade that automated traffic, or what we call bot traffic, actually surpassed human generated traffic. So 51% of all traffic in the previous year was automated and 37% of all traffic was malicious automation. So if you think about it, that 37% is translating almost to 80% of all the automated traffic is malicious, leaving only about 20% being what we call good bots, like web crawlers, search engines, et cetera.
[16:34]
David Holmes
So help me understand, David, how artificial intelligence is part of the game now when it comes to these bad bots.
[16:43]
Dave Bittner
The number of accessible AI tools has significantly lowered the barrier of entry for cyber attackers. So on the simple end for say your first time script kitty, it's even easier for them to create a malicious bot. Right? They just have to prompt, write the right prompt, get a bot. So we actually see that in our data where we categorize the sophistication of the bots that we see. And we blocked 13 trillion connections last year, so we see a ton of these. Then the percentage of bots that were basically simple self identifying bots, you know, it might be like attacker tool 22x increased to nearly 45% of traffic. And on the other end, the advanced attackers appear to be using artificial intelligence to further refine their attacks so that they're becoming even more, more effective. And they also are at about 45% of the automated attacks, leaving kind of the middle ground to be a very, very small 10%. So we're seeing, just to say it again, we're seeing AI at both the simple end of the spectrum and at the advanced end of the spectrum.
[17:55]
David Holmes
Can we talk about some of the common evasion tactics that you all are seeing here? What are the bots doing to try to stay under the radar.
[18:04]
Dave Bittner
Oh, this is a daily grind where as soon as you, let's say you're being attacked by a persistent attacker, as soon as you figure out, oh, here's a fingerprint that I can, I can use to identify the queries coming from this particular kind of bot. As soon as you start blocking on, on that fingerprint, they know, oh, they figured it out. And now they just go back and figure out, what did we change recently? So it's not so much as a individual evasive technique, but being particularly effective. It's just this constant retooling on their part to be evasive and ultimately continue to evade your fingerprint so that they can continue conducting business. And the reason why this stuff is so persistent is because this is a business for them, right? If they're reselling your shoes or your hotel room reservations or whatever it is that they're, they're monetizing, they, every time you block them, they have a financial interest in figuring out how you blocked them and then evading it.
[19:12]
David Holmes
One of the things the reports highlight is how bad bots are exploiting APIs. Can we dig into that a little bit?
[19:20]
Dave Bittner
Yeah, absolutely. Remember when I said 45% of the malicious automation out there is what we categorize as advanced? Right. It's evasive, it's trying to fly under the radar of that traffic. About half of that is specifically attacking APIs. And we expect this trend to continue. Right? Partly it's because targets they are attacking have APIs exposed somewhere and it's just easier for them to directly machine to machine for their attack. And also a lot of the targets out there that have, say, high value digital assets, you know, maybe a bank account or airline reservations, they will already have some kind of defense in front of their website and maybe not so much in front of their APIs. And in our report, the very end of the report has recommendations. And one of the recommendations is, hey, it's time for everybody to start evolving their API security. Because this trend we're seeing is only going to get worse.
[20:26]
David Holmes
Well, let's talk about some of those recommendations. I mean, you mentioned API security, but what else is on the list?
[20:34]
Dave Bittner
So other recommendations that we have in our report are, one is to implement risk identification, understand the value of the assets that you have, whether or not they might be under attack. For example, if you're not monitoring, which is another recommendation that we have, of course, you might not know that there might be a million probes a month trying to figure out is the particular web property that you've put up there worth attacking in the first place. Another one is using automation as a defense, right? And this is where the war becomes the attacker using automation and the defender using automation. And that's just the nature of the game. It doesn't mean that you can solely rely on automation, that you can't solely programmatically have a set of scripts or an AI defend against the human attacker, because the human attacker is a human. And also using scripts and AI.
[21:34]
David Holmes
Well, based on the information that you all have gathered here, where do you suppose we're headed? What's the future with the bots themselves and the mitigations against them?
[21:44]
Dave Bittner
Great question, Dave. One of the statistics that we saw in this, this year, I want to highlight this to make a point, is in the last 12 months we saw the travel industry under attack more than the retail industry. And one would be tempted to say oh, or to extrapolate and go, oh, that means that we're going to see more attacks against travel in the future. But I've been in this business a long time and sometimes trends can just be, I don't want to say anomalies, but they can be local, right? Maybe it was just this particular year. However, that said, another one of the statistics that we saw last year was attacks seem to be happening all year round now, where that was true before, but they would definitely spike seasonally around things like Christmas or the summer travel season. But we saw a much smoother graph of more automation over the last year. So I think as it becomes easier and cheaper to launch attacks and continue to launch attacks, we're not going to see as much seasonality and we're just going to see more and more malicious attack.
[22:51]
David Holmes
That's David Holmes, CTO for Application Security at Imperva. And finally, the DOJ has thrown a sizable legal book at a 27 member crypto crime ring accused of scamming over $250 million globally, proving once again that organized crime has gone digital and decadent. Leading the charge is 20 year old Malone Lamb, who allegedly finessed 4,100 Bitcoin from a D.C. crypto tycoon using nothing more than fake Google alerts and a convincing tech support impersonation. His alias, Anne Hathaway, of course, Lam. And partner in fraud, Jean Dio Serrano, who went by Versace God, reportedly turned their loot into a luxury lifestyle. Lambos G wagons, $68,000 a month rentals and nightclub tabs bigger than most mortgages. Meanwhile, the gang, recruited via online gaming, had roles ranging from hackers to real life burglars, even smuggling cash in squishmallows, stuffing up to $25,000 inside each toy for stealthy shipment across the U.S. even after arrest, Lam allegedly kept the crime spree alive, buying his girlfriend Hermes bags from behind bars. The moral? If someone offers crypto advice under a celebrity pseudonym, maybe don't share your MFA code. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey, everybody. Dave here. I've talked about Delete Me before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.