Canonical's Snap Store hit by domain resurrection attacks, Russia will use AI to detect VPN users, Iranian hackers use Starlink during Internet outage, and Greece arrests SMS blasters by dumb luck. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Amberleigh Jack. Today is January 21st, and this podcast episode is brought to you by SpecterOps, the experts in attack path management.

Threat actors are using expired email domains to hijack developer accounts on Canonical's Linux app store. At least two accounts on the Snap Store have been taken over through domain resurrection attacks, according to Linux expert Alan Pope. The group responsible is based in Croatia and has been targeting Snap with malicious packages for two years. GitHub, PyPI and npm have all experienced similar attacks.

Ireland has adopted new lawful interception powers. The law grants police and intelligence agencies the power to surveil any type of modern communications channel. It also allows them to use covert software for their operations, including spyware. Under the new law, communications service providers must cooperate with government operations.

The British government has launched a new service for reporting online scams, cybercrime and fraud. The Report Fraud service soft-launched in December and was made widely available this week. It will replace the previous cybercrime reporting tool, Action Fraud. The new service features a streamlined process and allows victims to submit evidence for criminal investigations.

Russia's Internet watchdog will use AI technology to automatically detect VPN users. Roskomnadzor will spend close to $30 million this year to develop the system. The Russian government has blocked access to dozens of VPN apps. It is a crime in Russia to share information about censorship circumvention.

Russian banks have blocked access to almost 3 million bank cards this month. The banks are implementing new fraud detection rules issued by the Russian central bank. The number of specific rules that banks must follow has doubled from 6 to 12. Some Russians have reported that their cards were blocked after everyday activities such as buying goods online.

CISA's acting head, Madhu Gottumukkala, tried to forcibly reassign the agency's chief information officer last week. Robert Costello was given the choice to accept a management-directed reassignment or resign by Friday. Gottumukkala backed down after pushback from senior officials. Costello has been the agency's CIO for four years.

A major Apple iPhone assembler has fallen victim to a ransomware attack. The RansomHub group claims to have stolen circuit board designs and internal documents from Chinese company Luxshare. The stolen files allegedly include data about Apple and Nvidia products going back six years.

Hackers have disrupted Iran's state TV channel to broadcast anti-government propaganda. The broadcast displayed messages from the country's exiled crown prince, who urged the military to join the anti-regime protests. Thousands of protesters have been killed by the military in Iran during recent unrest.

Iranian hacking group Handala is carrying out its attacks via Starlink connections. According to security firm Check Point, activity from the group initially stopped when the Iranian regime cut off the country's Internet access. Fresh activity was spotted a few days later coming from Starlink IP ranges. The Handala group poses as hacktivists but is run by Iran's MOIS intelligence service.

Greek authorities have arrested two Chinese nationals for sending SMS spam. The suspects drove around Athens with an SMS blaster in their car. The two were questioned by police after they were reported to be acting suspiciously at a mall. The device was found during a subsequent search of their car.

Real estate company Minto Holdings is seeking to recover a ransom payment made to the Qakbot malware. The company is seeking $830,000 from Qakbot's developer Rustam Rafailevich Gallyamov, a 49-year-old Moscow resident. Gallyamov was indicted by the US last year for running Qakbot. He is still at large.

A Telegram-based criminal marketplace appears to have shut down most of its operations. Tudou provided services for cyber scams. Prior to its shutdown, it had processed more than $12 billion in user transactions, according to Elliptic. This made Tudou the third-largest illicit marketplace of all time. Tudou launched in 2025 after Telegram shut down the Huione Guarantee marketplace, which processed $27 billion worth of similar transactions.

TP-Link has released a security update for its Vigi cameras to patch a critical device takeover vulnerability. The bug can allow attackers on the same LAN to bypass authentication during the password reset process. The vulnerabilities impact 32 camera models.

And finally, security firm Check Point believes the new VoidLink malware framework was almost entirely coded using AI tools. The malware was designed to target Linux servers running in cloud environments. It was discovered this month. Check Point believes the malware is the work of a single developer using the Trae AI-based IDE.

That's all for this podcast edition. Today's show was brought to you by our sponsor SpecterOps. Find them at specterops.io. Thanks for your company.
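The Snap Store story above turns on a lapsed maintainer e-mail domain: once the domain expires, whoever re-registers it receives that account's password-reset mail. The following check is an added example written for this page, not code from the episode, Canonical, or any of the registries mentioned. It takes a constructed list of hypothetical maintainer entries (the addresses and domains are made up) and a resolver callable, and reports domains that no longer resolve so a registry or security team can review them before the domain changes hands. The `live_resolver` uses the standard `socket` module and needs network access; the offline run below injects a stub.

```python
"""Screen package maintainer e-mail domains for domain resurrection risk.

Added example, not part of the Risky Bulletin transcript. A domain that
returns no DNS records is only a lead: it may still be registered and
merely unconfigured, and a resolving domain may already have been
re-registered by someone else. Treat hits as review items, not verdicts.
"""
import socket
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: hypothetical maintainers, not real accounts.
SAMPLE_MAINTAINERS = [
    "alice <alice@example.com>",
    "bob@devshop.example",
    "not-an-address",
    "carol@lapsed-startup.example",
]


def domain_of(entry: str) -> Optional[str]:
    """Return the lower-cased domain of a maintainer entry, or None if malformed."""
    _, addr = parseaddr(entry)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def live_resolver(domain: str) -> bool:
    """True if the domain has A/AAAA records. Needs network; not used in tests."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_unresolvable_domains(
    maintainers: List[str], resolves: Callable[[str], bool]
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group entries by domain, then keep only domains the resolver rejects.

    Returns (flagged, malformed): flagged maps each non-resolving domain to the
    maintainer entries that use it; malformed lists entries with no address.
    Each domain is resolved once, however many maintainers share it.
    """
    by_domain: Dict[str, List[str]] = {}
    malformed: List[str] = []
    for entry in maintainers:
        dom = domain_of(entry)
        if dom is None:
            malformed.append(entry)
            continue
        by_domain.setdefault(dom, []).append(entry)
    flagged = {dom: entries for dom, entries in by_domain.items() if not resolves(dom)}
    return flagged, malformed


if __name__ == "__main__":
    # Real run against DNS; hypothetical domains will naturally show up here.
    flagged, malformed = find_unresolvable_domains(SAMPLE_MAINTAINERS, live_resolver)
    for dom, entries in sorted(flagged.items()):
        print(f"REVIEW {dom}: {', '.join(entries)}")
    for entry in malformed:
        print(f"MALFORMED {entry!r}")
```

Resolution is deliberately injected so the same function can be run offline in a test, pointed at an internal resolver, or swapped for a registrar/WHOIS lookup where a registry has one; the grouping step also keeps the number of lookups at one per domain rather than one per maintainer.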
Podcast: Risky Bulletin (Risky Business)
Date: January 21, 2026
Host/Narrator: Amberleigh Jack
Prepared by: Catalin Cimpanu
This episode of Risky Bulletin delivers a fast-paced roundup of the most significant cybersecurity news from the past week. Highlights include the takeover of Canonical's Snap Store developer accounts by domain resurrection attackers, geopolitical cyber maneuvering in Russia and Iran, cybercrime crackdowns in Greece and on Telegram, and updates on major malware and ransomware incidents. Amberleigh Jack presents the stories with the concise delivery Risky Business listeners expect.
On the Snap Store attack:
“Attackers are using expired email domains to hijack developer accounts on Canonical's Linux app Store.”
— Amberleigh Jack, [00:17]
On Iranian hackers adapting to connectivity loss:
“Fresh activity was spotted a few days later coming from Starlink IP ranges.”
— Amberleigh Jack, [03:01]
On Russia’s clampdown on personal finance:
“Some Russians have reported that their cards were blocked after everyday activities such as buying goods online.”
— Amberleigh Jack, [01:45]
On Telegram black market scale:
“Prior to its shutdown, it had processed more than $12 billion in user transactions. According to Elliptic, this made Tudou the third largest illicit marketplace of all time.”
— Amberleigh Jack, [03:52]
| Segment | Timestamp |
|---|---|
| Canonical Snap Store hijack via domain resurrection | 00:04-00:37 |
| Ireland's new interception law | 00:37-00:52 |
| UK's online scam reporting overhaul | 00:52-01:09 |
| Russia's AI-driven VPN crackdown | 01:09-01:32 |
| Russian bank card blocking | 01:32-01:59 |
| CISA leadership dispute | 01:59-02:17 |
| Luxshare ransomware incident | 02:17-02:40 |
| Iranian hackers leveraging Starlink | 02:40-03:13 |
| Greece: SMS spammers apprehended | 03:13-03:35 |
| Ransom recovery action (Qakbot) | 03:35-03:48 |
| Telegram's Tudou illicit marketplace shutdown | 03:48-04:07 |
| TP-Link camera vulnerabilities patched | 04:07-04:25 |
| VoidLink AI-built Linux malware uncovered | 04:25-04:45 |
Risky Bulletin delivers another tightly packed issue of security headlines, covering attack techniques, policy changes, and real-world criminal takedowns. The episode's tone is brisk, factual, and clear, making it a useful update for cybersecurity professionals.