Risky Bulletin: Hunters International Ransomware Shuts Down, Releases Decryption Keys
Hosted by Claire Aird | Released on July 4, 2025
The latest episode of Risky Bulletin covers significant developments in the cybersecurity landscape, including a ransomware shutdown, major data breaches, law enforcement actions, and emerging threats. Hosted by Claire Aird and prepared by Catalin Cimpanu, this edition provides an overview of recent cyber incidents and responses from around the globe.
1. Shutdown of Hunters International Ransomware Operation
The episode opens with a major update on the Hunters International ransomware group, which has officially ceased operations and pledged to release free decryption keys to its victims. The group, responsible for over 300 attacks since it emerged in late 2023, hit prominent organizations such as India's Tata Technologies and the US Marshals Service. Hunters International was formed by former members of the Hive ransomware gang, whose infrastructure was dismantled by law enforcement earlier in 2023. Alongside its ransomware activity, Hunters also launched World Leaks, a separate data-extortion platform.
"The Hunters International group has been a significant threat since its launch, and their decision to shut down is a noteworthy development in the ransomware landscape," notes Claire Aird.
2. FBI Investigates Ransomware Negotiator for Kickbacks
Further complicating the ransomware ecosystem, the FBI is investigating a former employee of DigitalMint, a security firm, for allegedly accepting kickbacks from ransomware gangs. The individual's role was to negotiate payments with attackers on behalf of clients hit by ransomware; he is accused of secretly profiting from those payments when companies opted to pay.
According to Bloomberg, the employee took a cut from ransomware groups in exchange for steering organizations toward complying with their demands. DigitalMint has terminated the employee and is proactively notifying affected customers about the ongoing investigation. The case is a reminder that a negotiator's incentives should be scrutinized as carefully as the attacker's demands.
3. Massive Breach of Brazilian Financial Institutions
A significant breach has hit the Brazilian financial sector: hackers infiltrated C&M Software, an IT provider that connects Brazilian banks to the country's payment systems. The attack resulted in the theft of over $185 million and affected six financial institutions, including BMP. Following the breach, Brazil's central bank ordered C&M to disconnect all of its customers to allow a thorough investigation; operations have since resumed.
"The scale of this breach underscores the vulnerabilities within financial service providers and the critical need for robust cybersecurity measures," states Claire Aird.
4. Security Breach at Qantas Customer Support Center
Australian airline Qantas has reported a security breach at one of its customer contact centres. An unauthorized actor gained access to a third-party platform holding the personal details of 6 million customers. The airline is still investigating the full extent of the incident and its impact on customer data.
In related news, the FBI, in collaboration with Google and Palo Alto Networks, issued warnings about the Scattered Spider group, which has been targeting airlines with ransomware attacks. The convergence of these threats highlights the persistent targeting of the aviation sector by cybercriminals.
5. Ransomware Attack on German Charity
A disturbing ransomware attack has affected Deutsche Welthungerhilfe (World Hunger Help), a German charity that provides food and water to communities facing hunger. The Rhysida ransomware group claimed responsibility for the attack in June, demanding a ransom of around $2.2 million. In response, the charity shut down its IT systems to contain the damage and begin restoring operations.
"The impact on organizations like Deutsche Welthungerhilfe demonstrates how ransomware can disrupt humanitarian efforts, beyond just financial losses," Claire Aird emphasizes.
6. Russian Government's Anti-Scam Initiatives
In an effort to combat telephone scams, the Russian government plans to establish a centralized database of known scammers. The database will hold voice samples, phone numbers, and caller IDs, and Russian mobile operators will be required to display warnings on incoming calls recognized as fraudulent. The voice samples will also be made available to law enforcement agencies to help identify scammers.
7. U.S. Efforts to Address Telecom Breaches
U.S. officials assert that they have largely contained the Salt Typhoon intrusions into U.S. telecommunications companies discovered last year. Brett Leatherman, who leads the FBI's Cyber Division, stated, "The agency is focusing on supporting victims and evicting the hackers." Despite these containment efforts, Cyberscoop reports that the substantial costs of remediating the breaches still lie ahead.
Simultaneously, U.S. Customs and Border Protection (CBP) is seeking proposals for new data analysis tools capable of processing information from seized devices. According to Wired, CBP requires technologies that can analyze data from laptops and smartphones to identify hidden messages and discern patterns within user data, enhancing their investigative capabilities.
8. Arrests in Spain for Government Hacks and Investment Scams
Spanish authorities have made significant arrests in connection with cybercrimes. Two individuals were detained in the Canary Islands for hacking government networks and selling sensitive data online, including personal details of government officials, politicians, and journalists. One suspect is charged with conducting the hacks, while the other managed the financial aspects of their operations.
In a separate case, Spanish police have apprehended 21 suspects involved in an investment scam ring. Operating call centers in Barcelona, the group promoted fake investment platforms on social media, defrauding victims of over 10 million euros by convincing them to invest their savings.
9. Sentencing of Andrei Smirnov for DDoS Attacks
In a noteworthy legal outcome, Andrei Smirnov, a 36-year-old man, has been sentenced to 16 years in a high-security prison for launching DDoS attacks against Russian critical infrastructure. Smirnov, arrested in 2020 in the city of Belovo, was said by Russian officials to have carried out the attacks under the direction of Ukrainian intelligence services, illustrating the interplay between cyber activity and geopolitical tensions.
10. Malicious Firefox Extensions Targeting Crypto Users
Koi Security has uncovered over 40 malicious Firefox extensions in the official add-ons store. The extensions impersonate legitimate crypto wallet brands but contain code designed to steal wallet credentials and seed phrases entered by the user. The campaign, which began in April, relied on fake reviews to lend the extensions credibility. Koi Security attributes the operation to a Russian-speaking threat actor, highlighting the ongoing risk in browser extension ecosystems, where a store listing and positive reviews are no guarantee of legitimacy.
11. Iranian State-Sponsored Cyber Activities
Security firm Armis has reported that Iranian state-sponsored hackers are providing sophisticated tools and training to hacktivist groups targeting Israel and Western nations. Additionally, Recorded Future indicates that Iran is leveraging hacktivist proxies to carry out cyberattacks, thereby attempting to evade direct military reprisals. This collaboration underscores the evolving strategies of state actors in cyberspace, blending state resources with non-state actors to achieve strategic objectives.
12. Emergence of Android Malware Targeting Financial Apps
Group-IB has identified a new Android malware family named Qwizzserial. The malware intercepts SMS messages used for multi-factor authentication in financial applications and has affected approximately 100,000 users, primarily in Uzbekistan, where SMS remains the prevalent method for securing transactions. The campaign underlines a well-known weakness of SMS-based authentication: any malware with access to the device's messages can capture the one-time code.
13. Google's $314 Million Lawsuit Over Mobile Data Practices
In a landmark legal development, a California jury has found Google liable for $314 million in a class-action lawsuit brought on behalf of the state's users. The plaintiffs alleged that Google inflated their mobile bills by generating unwanted network traffic, including advertising and data-collection transfers, while devices were idle. A separate lawsuit covering the other 49 U.S. states is scheduled for trial in April next year and could set a precedent for tech companies' responsibilities regarding user data and consent.
14. Cisco's Removal of Vulnerable SSH Credentials
Cisco has removed a set of hard-coded SSH credentials from its enterprise telephony platform, Unified Communications Manager. The credentials, left over from the platform's development, posed a serious risk: an attacker who knew them could log in and gain root access to the device. Because such credentials are fixed in the software rather than set by the customer, they cannot be rotated or disabled by administrators, so installing Cisco's patched release is the only remediation. The incident highlights the importance of secure development practices and of vigilance against debug artifacts shipping in production builds.
15. Exploitation of Call of Duty World War II Vulnerability
The episode concludes with reports of a vulnerability in Call of Duty: WWII being actively exploited in the wild. PC players have reported files being opened on their machines during gameplay, displaying threatening messages. Activision has yet to confirm the hacks, which follow a surge in new player activity after the game was added to Xbox Game Pass. Previous Call of Duty titles have suffered similar security issues, pointing to an ongoing challenge in securing popular games against remote exploitation.
Conclusion
This episode of Risky Bulletin underscores the varied nature of current cybersecurity threats and responses. From the dissolution of a major ransomware group to law enforcement operations and emerging malware threats, the landscape remains highly volatile. Staying informed through such analyses helps individuals and organizations alike keep pace with these developments.
This summary is based on the transcript provided and structured to encapsulate the key points discussed in the episode. For more detailed information, listeners are encouraged to tune into the full episode of Risky Bulletin.
