Risky Bulletin: Belarus Deploys Spyware on Journalists' Phones
Podcast: Risky Bulletin (Risky.biz)
Host: Claire Aird (prepared by Catalin Cimpanu)
Date: December 19, 2025
Episode Overview
The final Risky Bulletin of 2025 delivers a roundup of major global cybersecurity stories. Key incidents include Belarusian authorities installing spyware on journalists’ phones, several noteworthy arrests for cybercrimes in Europe, breaches using zero-day exploits, large-scale cybercrime takedowns, and significant developments in cryptocurrency-related cyber attacks. The tone is factual and brisk, with an emphasis on major risks and law enforcement actions.
Key Discussion Points & Insights
1. Belarus: Spyware Deployment on Journalists
- [00:04] Main Story: Belarusian authorities deployed BAT spyware on journalists' phones during police interrogations.
- The spyware's infrastructure was set up during the 2021 anti-government protests.
- The malware was identified by Reporters Without Borders and a resident NGO.
- Insight: Highlights state-sponsored targeting of journalists and the continued use of custom spyware by repressive regimes.
“Belarus has deployed spyware on the phones of local journalists. The resident BAT spyware was installed while the victims were being interrogated by police.”
— Claire Aird, [00:10]
2. High-Profile Cryptocurrency & Account Hacking
- Naftali Bennett Telegram Compromise:
- Iranian group "Handala" leaked conversations and contacts from the former Israeli Prime Minister's Telegram account.
- Bennett claims only Telegram was breached, not his phone.
- Enote Cryptocurrency Exchange Takedown:
- US authorities shut down a major laundering operation ($70 million+ from ransomware/account hacks).
- Operator Mikhailo Petrovich Chadnevets indicted.
3. European Law Enforcement Crackdowns
- France: Interior Ministry Email Breach
- 22-year-old hacker arrested for stealing data on millions of citizens.
- Known repeat offender.
- France: Ferry Malware Incident
- A Latvian crew member installed a remote access trojan on an Italian ferry (“Fantastic”).
- Believed to be working for a foreign-linked group.
“He allegedly installed a Remote Access Trojan on the ferry's systems while the ship was docked in the southern French port of Sète.”
— Claire Aird, [01:38]
- Netherlands: Facial Recognition Fraud
- 34-year-old man manipulated ID images to trick bank facial recognition, opening accounts in victims' names.
4. Major Cybercrime Infrastructure Takedowns
- India: Mass SMS Spam Platform
- Police dismantled a spam operation using 21,000 SIM cards to send millions of fake government messages targeting banking details.
5. Tech Sector Legal Actions & Vulnerability Exploits
- Google Lawsuit Against Dhakala Phishing
- Lawsuit against phishing kingpin Yu Cheng Chong (and 24 others); seeking seizure of infrastructure.
- Chong exposed in a collaborative press investigation.
- Cluster of Malicious Firefox Add-Ons
- 17 extensions on Mozilla’s store tracked users and injected Chinese affiliate links.
- Over 50,000 downloads since September.
6. Critical Vulnerabilities & Threat Developments
- Microsoft 365 OAuth Phishing Surge
- Increase in device code phishing by both cybercrime and espionage actors.
“Proofpoint is reporting a surge in OAuth device code phishing campaigns targeting Microsoft 365 accounts. The campaigns have been linked to both eCrime and state-sponsored espionage groups.”
— Claire Aird, [03:30]
- Kimwolf Android Botnet
- 1.8 million+ infected devices (TVs, tablets, set-top boxes), used for DDoS attacks.
- Linked to the group behind the record-breaking Aisuru botnet.
- Cisco & SonicWall Zero-Days
- Suspected Chinese state group exploiting a root command execution zero-day in Cisco email products.
- SonicWall SMA 1000 patched an actively exploited zero-day, related to a previous flaw.
“A suspected Chinese APT is exploiting a zero day in Cisco email security products. … The zero day allows the attackers to run commands as root on the devices if the spam quarantine feature is enabled.”
— Claire Aird, [04:34]
- FreeBSD Critical RCE Patch
- Patched a 9.8/10 severity IPv6 router advertisement vulnerability.
- React2Shell / Weaksaw Ransomware
- A ransomware group is using the React2Shell exploit to deliver Weaksaw ransomware; targets typically include MS SQL servers.
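A practitioner's check for the Microsoft 365 device code phishing item above. This is an added example written for this page, not code from Risky.biz or Proofpoint. It assumes sign-in records in the shape of the Microsoft Graph `signIn` resource (`userPrincipalName`, `authenticationProtocol`, `ipAddress`, `location`, `clientAppUsed`, `createdDateTime`); the records themselves are constructed, and the user names, addresses and timestamps are invented. The detector flags every device-code sign-in and raises severity when it is the user's first device-code use or comes from an address or country that user has not been seen from before. The second function builds the Conditional Access policy body that blocks the device code flow (the `authenticationFlows` / `transferMethods` condition); the policy name and the exclusion group are this example's choices.

```python
"""Flag OAuth device-code sign-ins in Entra ID sign-in logs and build a blocking policy.

Added example for the device-code phishing item; not code from Risky.biz or Proofpoint.
"""
import json
from collections import defaultdict

# Constructed sample records (not real log data), one JSON object per line.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-12-18T07:50:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","clientAppUsed":"Browser","ipAddress":"203.0.113.44","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2025-12-18T08:01:10Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","clientAppUsed":"Browser","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2025-12-18T08:15:42Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","clientAppUsed":"Browser","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2025-12-18T09:03:55Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-12-18T10:30:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"203.0.113.44","location":{"countryOrRegion":"GB"}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["createdDateTime"])  # ISO-8601 sorts lexically
    return records


def flag_device_code_signins(records):
    """Return one finding per device-code sign-in, with the reasons it stands out.

    The per-user baseline (known IPs, countries, prior device-code use) is built
    only from records EARLIER than the one being judged. Caveat: the interactive
    device-code record can carry the victim's own browser address (they enter the
    code at the device login page themselves), so geography is a weak signal on
    its own; the stronger one is that device-code sign-ins are rare for most users.
    """
    seen_ips = defaultdict(set)
    seen_countries = defaultdict(set)
    used_device_code = set()
    findings = []
    for r in records:
        upn = r["userPrincipalName"]
        ip = r.get("ipAddress")
        country = (r.get("location") or {}).get("countryOrRegion")
        if r.get("authenticationProtocol") == "deviceCode":
            reasons = ["device code flow used"]
            if upn not in used_device_code:
                reasons.append("first device-code sign-in for this user")
            if ip not in seen_ips[upn]:
                reasons.append(f"new IP {ip}")
            if country not in seen_countries[upn]:
                reasons.append(f"new country {country}")
            findings.append({
                "user": upn,
                "time": r["createdDateTime"],
                "ip": ip,
                "country": country,
                "reasons": reasons,
                # Three or more independent signals -> treat as high.
                "severity": "high" if len(reasons) >= 3 else "medium",
            })
            used_device_code.add(upn)
        seen_ips[upn].add(ip)
        seen_countries[upn].add(country)
    return findings


def device_code_block_policy(excluded_group_ids=()):
    """Conditional Access policy body that blocks the device code flow tenant-wide.

    Uses the authenticationFlows/transferMethods condition of the Graph
    conditionalAccessPolicy resource. Starts in report-only mode so the sign-in
    log shows what would be blocked before enforcement; the display name and the
    exclusion group IDs (e.g. a vetted IoT/kiosk group) are this example's choices.
    """
    return {
        "displayName": "Block device code flow (exclude vetted IoT/kiosk group)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], "|", "; ".join(f["reasons"]))
    print(json.dumps(device_code_block_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

Run against real data by exporting sign-in logs from the Graph `auditLogs/signIns` endpoint as NDJSON; alice's sign-in scores high (first device-code use, new address, new country), bob's medium (first device-code use from his usual address). Switch the policy from report-only to `enabled` only after reviewing what the report-only run would have blocked.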
7. Crypto & Regulatory News
- Nomad Bridge Hack Recovery & FTC Order
- Nomad Bridge operator must return $37M of the $186M stolen in the 2022 hack.
- Ordered to implement robust cybersecurity controls.
- Hack previously attributed to North Korean actors.
- North Korea's Ongoing Crypto Theft
- North Korean hackers stole $2B+ in cryptocurrency in 2025, nearly 60% of all crypto stolen worldwide that year, according to Chainalysis.
8. Final Noteworthy Update
- Tor Project Funding
- Despite efforts to diversify, the US government remains Tor’s largest sponsor, providing $2.5M out of $7.3M raised last year.
Notable Quotes & Memorable Moments
- On Belarusian spyware targeting:
“The BAT spyware’s infrastructure was built in 2021 during the country’s anti-government protests.”
— Claire Aird, [00:17]
- On North Korea's crypto theft dominance:
“North Korea’s hackers stole more than $2 billion worth of cryptocurrency this year. This represents almost 60% of all stolen crypto, according to Chainalysis.”
— Claire Aird, [04:10]
- On the ferry malware incident:
“Authorities believe the man worked for a group linked to a foreign power.”
— Claire Aird, [01:55]
Key Timestamps
- [00:04] Belarus spyware on journalists
- [00:42] Naftali Bennett Telegram breach
- [00:52] French Interior Ministry email hack arrest
- [01:13] Ferry malware incident
- [01:38] Dutch ID fraud with facial recognition
- [01:59] Enote crypto exchange takedown
- [02:30] Indian bulk SMS platform shutdown
- [02:55] Google lawsuit against Dhakala
- [03:10] Nomad bridge/FTC order
- [04:00] North Korean crypto theft report
- [04:34] Cisco & SonicWall zero-days
- [05:22] Tor Project funding
Conclusion
This episode offers a brisk but wide-ranging scan of the latest cyber risks, law enforcement actions, espionage operations, and regulatory moves in the crypto world. The last bulletin of 2025 emphasizes the ongoing interplay between cybercriminals, state actors, and defenders worldwide, closing with a reminder of the relentless pace of change and risk in cybersecurity.
The Risky Bulletin returns January 12, 2026. Happy new year to listeners!
