
Iran attempts to hack security cameras to support its missile strikes, Israel bombs Iran's cyber headquarters, authorities take down LeakBase and Tycoon 2FA, and TikTok says no to encrypted private messaging. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 6th of March and this podcast episode is brought to you by Okta.

In today's top story, Iranian hackers are targeting security cameras in Israel and the Middle East to support the country's missile strikes. Security firm Check Point has observed an increase in scans for vulnerable Hikvision and Dahua cameras in several countries hit by Iranian missiles. The company has linked the activity to a known Iranian hacking group. Similar activity followed the October 7th terrorist attack and Iran's 12-day war with Israel last year.

In other news, Israel says it's bombed the headquarters of Iran's Cyber and Electronic Warfare Unit. The building in Tehran was one of 10 major targets hit by the IDF on Wednesday. Iranian state media has not confirmed the attacks. Meantime, Iranian authorities have threatened to arrest citizens who connect to the Internet. The country imposed an Internet blackout on Saturday as US-Israeli strikes began Monday. Many Iranians are connecting via Starlink dishes smuggled into the country. Local police warned citizens via SMS messages this week.

Mexicans have until the end of June to register their SIM cards with a government ID. The new requirement applies to subscription and prepay plans as well as eSIMs. It also applies to foreigners using Mexican SIMs.

US and European law enforcement have taken down the LeakBase hacking forum. The site launched in 2021 and sold credentials stolen via infostealers. It catered to English-speaking users and had more than 142,000 registered members. Authorities raided more than 100 locations globally and arrested 13 suspects.

Multiple law enforcement agencies and cybersecurity firms have disrupted the activity of the Tycoon2FA phishing service. The joint operation took control of more than 330 domains powering Tycoon's platform. The service launched in 2023 and allowed threat actors to easily impersonate online services. Tycoon was one of the first phishing platforms that successfully automated the process of intercepting multi-factor authentication codes. Proofpoint says Tycoon was the most active MFA-capable phishing toolkit in its data.

Taiwan has indicted 62 suspects over their involvement in cyberscam operations. They're accused of running 13 companies associated with Cambodian cyberscam compound operator the Prince Group. Officials say they laundered close to $340 million in stolen assets. The US and the UK have imposed sanctions on the Prince Group and its founder, Chen Zhi. Zhi was arrested in Cambodia last month and extradited to China.

A Russian national has pleaded guilty in the US for running the Phobos ransomware operation. Evgenii Ptitsyn built and advertised the platform. He's estimated to have made more than $39 million from ransoms. He was arrested and extradited from South Korea in 2024. Ptitsyn faces a maximum penalty of 20 years in prison.

More than 100,000 n8n AI automation servers are missing a critical security patch. A vulnerability disclosed last week can allow attackers to escape the server's sandbox in the default configuration. This can allow full compromise of the system.

Online ads have surpassed email as the main delivery method for malware. Last year, malicious ads accounted for 60% of all malware campaigns observed by The Media Trust, according to the company's 2026 intelligence report. AI has played a major role in generating deepfake ads and precision targeting of malware campaigns.

The Qilin group was last year's most active ransomware operation, accounting for 13% of all attacks. The number of total ransomware attacks increased by 50% from 2024, an all-time high, according to the NCC Group's yearly threat report. North America remained the top target.

Threat actors are exploiting a recently patched vulnerability in VMware Aria Operations servers. The flaw allows unauthenticated remote code execution attacks via a command injection vector. CISA flagged it as being exploited in the wild this week. It was patched in February.

Security firm Quarkslab has published details about three vulnerabilities in Avira antivirus. The bugs can allow attackers to delete local files and elevate privileges. Quarkslab released the details and proof-of-concept code without an available fix. Researchers said Avira's owner, Gen Digital, demanded they report the bugs via Bugcrowd and agree to an NDA.

Hackers have leaked data from a French torrent portal. The stolen data includes 6.6 million user records, source code, databases, configs and passwords. The hackers said they attacked the site after free user accounts were limited to five torrents a day.

A threat actor is extorting a major Hong Kong cable car operator. Hackers are demanding a ransom from Ngong Ping 360, threatening to release internal files and customer data. The company said the hack did not impact the safety of its cable car service.

Hackers are extorting Texas company HungerRush, a point-of-sale platform for small restaurants. The attackers emailed restaurant patrons directly, threatening to release their personal data if HungerRush doesn't pay. The entry point for the hack is believed to be a compromised employee account. The company confirmed the breach and said no card data was exposed.

And finally, TikTok says it will not introduce encrypted private messaging. The company told the BBC that encrypted DMs would make its users less secure because it wouldn't be able to scan messages for malicious content. Meta and Telegram have introduced encrypted DMs and are now facing pressure from authorities.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Okta. Find them at okta.com. Thanks for your company.
This episode delivers a rapid-fire update on notable cybersecurity events from around the world, with a primary focus on how Iranian hackers are exploiting internet-connected security cameras to support missile strikes in the Middle East. The bulletin covers government crackdowns, major law enforcement operations, significant hacks and ransomware actions, as well as policy changes impacting internet security and privacy.
This Risky Bulletin underscores the escalation of cyber threats entangled with military conflict, the frequent targeting of widely used products (cameras, POS systems, antivirus software), and a growing law enforcement response to large-scale cybercrime. The landscape is rapidly evolving, with malvertising overtaking traditional email-based malware delivery and the enduring debate over encryption vs. content monitoring intensifying as exemplified by TikTok’s recent decision.
Listeners gain an up-to-date snapshot of the global cyber risk environment, major vulnerabilities in popular software, and the persistent challenge of defending infrastructure against sophisticated, state-backed threats.