Risky Bulletin: DC Sues Crypto ATM Operator for Profiting from Scams
Podcast: Risky Bulletin
Host: risky.biz
Date: September 15, 2025
Prepared by: Catalin Cimpanu
Read by: Claire Aird
Episode Overview
This episode of the Risky Bulletin delivers a round-up of major cybersecurity news headlines, highlighting legal actions, cyberattacks, exploitation of vulnerabilities, and new research findings. The main story focuses on Washington D.C.'s lawsuit against Athena Bitcoin, the US's largest crypto ATM operator, over alleged facilitation of scams. Other topics include ransomware attacks affecting public and private entities, ongoing cybercrime extradition cases, and technical vulnerabilities in devices and payment systems.
Key Discussion Points and Insights
1. DC Sues Athena Bitcoin for Enabling Crypto ATM Scams
[00:18]
- Allegations: The District of Columbia filed suit against Athena Bitcoin, claiming the company knowingly profited from crypto scams.
- Statistics: Officials allege "93% of deposits into the company's ATMs were allegedly made by scam victims."
- Company Conduct: Athena is said to have ignored suspicious deposits, charged hidden fees, and refused refunds to victims.
- Sought Outcome: D.C. aims to secure restitution for scam victims and enforce anti-fraud regulations.
“D.C. officials are seeking restitution for victims and to force the company to comply with anti-fraud regulations.” – Claire Aird [00:28]
2. CISA Misapplied Cyber Talent Retention Funds
[00:46]
- Audit Findings: An internal DHS Inspector General report found CISA misused funds designated for cybersecurity talent.
- Details: Over 240 bonus recipients weren’t in cyber roles, violating the fund’s intended purpose.
3. Dutch Military to Deploy Hackers on the Frontlines
[01:06]
- Development: The Dutch army will embed cyber operatives with frontline units for hacking local infrastructure.
- Context: The move emulates Russian and Ukrainian military practices, leveraging cyber capabilities directly in conflict.
4. Ransomware Aftermath at Jaguar Land Rover
[01:27]
- Recovery: The company is still struggling post-ransomware, with at least three production lines resuming soon.
- Wider Impact: Suppliers are facing bankruptcy due to prolonged production downtime.
- Loss Estimate: At least £50 million in damages.
5. Uvalde, Texas School Closure After Ransomware Attack
[01:54]
- Impact: The school district closed due to system outages impacting phones, cameras, visitor management, and even thermostats.
- Safety Relevance: These systems are deemed "critical to students' well-being."
- Historical Note: Uvalde is the site of the 2022 Robb Elementary School shooting.
- Resumption Timeline: Classes expected to resume Friday.
6. French Authorities Take Down Dark Web Marketplace
[02:29]
- Operation: The "Dark French Anti System" market, serving 12,000 users, was seized.
- Content: Drugs, hacking tools, and illicit services were sold.
- Enforcement: Both the admin and a user were arrested. This is the fifth such French platform seized since 2018.
7. US-Portugal Extradition Dispute Over RaidForums Admin
[02:56]
- Subject: Diogo Santos Coelho ("Omnipotent"), arrested in the UK, continues to fight US extradition.
- Defense: Coelho claims Portugal is better for his autism care and family support.
- Case Status: UK judge found procedural issues with the US extradition request.
8. Theft and Pre-Release Movie Piracy
[03:22]
- Crime: Stephen R. Hale, a DVD and Blu-ray manufacturing worker, got nearly five years in prison for stealing and reselling major Hollywood releases before they premiered.
9. Russian Messenger Account Access for Sale
[03:40]
- Black Market: Russian messenger app “Max” accounts sold for up to $250 or rented by the hour.
- Official Response: Over 67,000 accounts blocked for spamming or spreading malware.
10. NotPetya Ransomware Variant Bypasses Secure Boot
[03:56]
- New Strain: ESET detected a variant capable of bypassing Secure Boot by attacking the EFI partition.
- Distribution Unclear: Found on VirusTotal, but no evidence of active exploitation yet.
11. Samsung Patches Zero-Day in Android Used Against WhatsApp
[04:15]
- Exploit Chain: Vulnerability allowed spyware via WhatsApp; a similar exploit hit Apple devices.
- Resolution: Samsung has released a patch.
12. Delmia Apriso Manufacturing Software Under Attack
[04:32]
- Vulnerability: Recently patched bug is being actively exploited.
- Risk: Attackers could steal IP, sabotage lines, or deploy ransomware in factories using the software.
13. Vulnerability in Kiosoft Stored Value Cards
[04:58]
- Flaw: Stored value cards from laundromat/car wash kiosks could have their balances fraudulently increased, since the dollar value is stored on the cards themselves.
- Response: Patch issued in 2025, hardware changes planned.
14. Smartphone Cameras’ Lens Blur as Fingerprinting Tool
[05:23]
- Forensic Use: Every smartphone camera’s unique lens blur pattern can now be used as a "camera fingerprint."
- Application: Useful for forensic investigations.
15. Correction
[05:40]
- Clarification: Last episode misstated a leak’s magnitude—data leaked from 600 Australian doctors/staff, not almost 6,000.
“This had nothing to do with Catalin Cimpanu’s excellent journalism, just my crappy reading.” – Claire Aird [05:47]
Notable Quotes & Memorable Moments
- On ATM Scams: “93% of deposits into the company's ATMs were allegedly made by scam victims.” — Claire Aird [00:17]
- On CISA Spending: “CISA paid bonuses from the program to more than 240 employees who did not hold cybersecurity roles.” — Claire [00:51]
- On Lens Blur Fingerprinting: “Academic researchers have described the effect, known as a lens blur, as a camera fingerprint. It can be used for forensic and other investigative purposes.” — Claire [05:26]
Important Timestamps
- [00:04] – Episode headlines
- [00:18] – Athena Bitcoin lawsuit coverage
- [00:46] – CISA internal audit
- [01:06] – Dutch army cyber units
- [01:27] – Jaguar Land Rover ransomware impact
- [01:54] – Uvalde school closure
- [02:29] – French dark web market takedown
- [02:56] – RaidForums admin extradition
- [03:22] – Hollywood DVD theft case
- [03:40] – Russian “Max” Messenger accounts for sale
- [03:56] – NotPetya ransomware Secure Boot variant
- [04:15] – Samsung WhatsApp zero-day
- [04:32] – Delmia Apriso vulnerability exploitation
- [04:58] – Kiosoft payment card flaw
- [05:23] – Smartphone camera lens blur research
- [05:40] – Correction to previous episode
The Risky Bulletin episode provides a sweep of critical security stories, regulatory actions, and cutting-edge technical findings—all with concise, matter-of-fact delivery.
