
Claire Aird
The Trump admin's Signal clone gets hacked. A six-year-old backdoor comes to life to hijack online stores. A phishing kingpin is identified as a 24-year-old Chinese man. Ireland fines TikTok for transferring EU user data to China. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 5th of May, and this podcast episode is brought to you by Stairwell.

A hacker has breached and stolen customer data from Telemessage, an Israeli company that sells secure messaging apps. Several U.S. government agencies, including the White House, used the company's modified version of Signal, named TM Signal. The software was identified after a journalist took a picture of former National Security Advisor Mike Waltz using the app. According to 404Media, the hacker was able to find a password to log into a Telemessage backend. The system provided access to the identities of users and the content of some messages.

Hackers have hijacked almost 1,000 online stores by activating backdoors they planted inside Magento plugins. The backdoors were planted in 2019, when attackers gained access to three Magento software developers. Security firm Sansec said the hackers modified the source code of 21 plugins. The malicious code was left dormant until April this year, when the attackers activated it. Sansec says one victim is a $40 billion multinational.

The Trump administration plans to use offensive cyber operations as a tool of national power. The National Security Council's senior director for cyber, Alex Bulezel, said the White House intends to normalise the use of offensive cyber. Bulezel says the US will eventually respond with its own cyber attacks against foreign adversaries who target the US.

The Trump administration plans to cut CISA's budget by $491 million next year. The cuts would target programs focused on international affairs and countering misinformation and propaganda. The Trump administration claims CISA was used to censor conservative voices and specifically Donald Trump.

A new International Criminal Court policy has added cyber-enabled crimes to the court's jurisdiction. The draft policy amends the Rome Statute, an international treaty that codifies the ICC's judicial power. The Rome Statute previously covered four main types of crime: genocide, war crimes, crimes against humanity and international military aggression. Russia's use of cyber against civilian targets in Ukraine prompted the ICC prosecutor's office to consider expanding its mandate.

Ireland's Data Protection Agency has fined TikTok 530 million euros for failing to meet transparency obligations under the GDPR. The agency says TikTok transferred the data of EU citizens to China without telling users. TikTok has six months to become compliant.

Ransomware group Dragonforce has claimed credit for recent cyber attacks against UK retailers Marks & Spencer, Co-op and Harrods. The group sent a sample of Co-op's user data to the BBC last week as proof. It claimed that other intrusions are still to be revealed. The attacks are part of an extortion campaign targeting the UK's retail sector.

South Korean telco SK Telecom has suspended new user registrations as it grapples with the recent theft of its SIM card database. The company is in the process of replacing all customer SIMs and has said it needs to prioritise that. SK Telecom will also stop porting numbers in and out of its network to prevent hackers from using the stolen SIM card data.

The Raw mobile dating app has fixed a data leak that exposed its users' personal information. Its API server allowed anyone to query personal user information without credentials. Attackers could retrieve sensitive data including names, birth dates, geolocation data and sexual preferences, according to TechCrunch. The company also didn't use end-to-end encryption, despite marketing claims stating otherwise.

The US Justice Department has charged a Yemeni national with extorting US companies using the Black Kingdom ransomware. Rami Khaled Ahmed allegedly exploited the ProxyLogon vulnerability to hack Microsoft Exchange email servers and deploy ransomware. He's accused of hacking more than 1,500 systems and asking for $10,000 in Bitcoin to decrypt victims' servers.

US authorities have sentenced a Wisconsin man to almost four years in prison for participating in a swatting spree. Kaya Christian Nelson hacked victims' Ring door cameras, called the police and streamed the swatting on social media in 2020. One of Nelson's co-conspirators was sentenced to seven years in 2024.

A California man has pleaded guilty to hacking the Walt Disney Co. Ryan Mitchell Kramer infected an employee with malware, accessed Disney's internal Slack and stole data. Kramer leaked the data on a hacking forum, where he posed as a fake Russian hacktivist group, NullBulge.

Journalists have identified the administrator of the phishing service Darkala as a 24-year-old Chinese national, Yu Cheng Sea. German, French and Norwegian journalists ran a joint investigation into the phishing service, which launched in 2023. Darkala has been linked to more than 20,000 phishing domains, many of which impersonate package delivery services.

Hong Kong police have detained eight people accused of opening bank accounts with forged documents. Authorities say the triad-linked group used AI to replace the photos on identity cards that had been reported lost. The modified documents passed ID checks, and the group opened a total of three 30 bank accounts. Hong Kong police are still investigating how the group obtained the ID cards.

The US Treasury has designated a Cambodian financial company as a money laundering concern and is proposing sanctions. Officials say the Hwan Group laundered the proceeds of North Korean crypto heists and Southeast Asian scam compounds. Hwan and its subsidiaries allegedly laundered over $4 billion in four years.

A network of websites and social media accounts has been impersonating Romanian news outlets and government agencies. Romania's communications watchdog said the sites were peddling disinformation in the lead-up to yesterday's presidential election. The sites were linked to a Russian disinformation group tracked as Doppelganger. Romania's 2024 election was cancelled following Russia's interference in support of one of the candidates. A pro-Kremlin presidential candidate won this weekend's first round of elections, receiving even more votes than

And finally, the OASIS Open Consortium has proposed a machine-readable format allowing device makers to publish end-of-support and end-of-life dates for their products. The new format is intended to complement the use of software bills of materials and the Common Security Advisory Framework. The OASIS Open Consortium was founded by IBM. It includes some of the world's largest tech companies, such as Cisco, Microsoft, Google and Intel.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Stairwell. Find them at stairwell.com. Thanksy Company.
Risky Bulletin: Trump Admin's Signal Clone Gets Hacked, Messages Exposed
Hosted by risky.biz, the "Risky Bulletin" podcast delivers comprehensive cybersecurity news updates. In this episode released on May 5, 2025, host Claire Aird presents critical developments in the cybersecurity landscape, ranging from governmental cyber strategies to significant data breaches and regulatory actions.
A significant security incident unfolded as Telemessage, an Israeli company renowned for its secure messaging applications, fell victim to a data breach. The breach compromised TM Signal, a modified version of the Signal app utilized by several U.S. government agencies, including the White House.
Incident Details: A hacker exploited a password to access Telemessage's backend systems, retrieving user identities and some message content. This vulnerability came to light when a journalist photographed former National Security Advisor Mike Waltz using TM Signal.
Implications: The exposure of TM Signal undermines the perceived security of government communications, raising concerns about the integrity of sensitive discussions.
Quote: Claire Aird stated, “A hacker has breached and stolen customer data from Telemessage... accessing the identities of users and the content of some messages” ([00:04]).
Cyber attackers have activated dormant backdoors within Magento plugins, leading to the hijacking of approximately 1,000 online retail stores.
Backdoor Origins: The malicious code was initially inserted in 2019 when attackers infiltrated three Magento software development environments. Security firm Sansec identified modifications in the source code of 21 plugins.
Activation and Impact: Though planted years earlier, the backdoors remained inactive until April 2025, allowing attackers to compromise a $40 billion multinational among other victims.
Quote: Claire Aird highlighted, “Hackers have hijacked almost 1,000 online stores by activating backdoors they planted inside Magento plugins” ([00:04]).
The Trump administration is poised to incorporate offensive cyber operations as a central element of national power strategy.
Policy Changes: The National Security Council's Senior Director for Cyber, Alex Bulezel, revealed plans to normalize offensive cyber tactics. The administration intends to retaliate with cyberattacks against adversaries that target the U.S.
Budget Cuts: Concurrently, there are proposals to reduce the Cybersecurity and Infrastructure Security Agency’s (CISA) budget by $491 million, focusing cuts on international affairs programs and initiatives combating misinformation.
Rationale: The administration asserts that CISA has been misused to suppress conservative voices, including those of Donald Trump.
Quote: Alex Bulezel remarked, “The US will eventually respond with its own cyber attacks against foreign adversaries who target the US” ([00:04]).
A groundbreaking policy amendment extends the International Criminal Court's (ICC) jurisdiction to encompass cyber-enabled crimes.
Rome Statute Amendment: The draft policy broadens the ICC’s mandate beyond genocide, war crimes, crimes against humanity, and international military aggression to include cyber-related offenses.
Triggering Event: Russia’s cyber activities against civilian targets in Ukraine played a pivotal role in prompting this expansion, enabling the ICC to address digital warfare's implications.
Ireland's Data Protection Agency imposed a substantial fine on TikTok for non-compliance with General Data Protection Regulation (GDPR) transparency obligations.
Violation Details: TikTok was found to have transferred EU citizens' data to China without explicit user consent, violating privacy standards.
Compliance Deadline: The platform has been granted six months to rectify these practices and achieve compliance.
The ransomware collective Dragonforce has claimed responsibility for cyberattacks against prominent UK retailers, including Marks and Spencer, Co Op, and Harrods.
South Korean telecommunications giant SK Telecom is grappling with a significant security breach involving its SIM card database.
The Raw mobile dating application addressed a critical data leak that exposed users' personal information due to an unsecured API server.
The U.S. Justice Department has indicted a Yemeni national, Rami Khaled Ahmed, for orchestrating ransomware attacks against American firms.
A Wisconsin resident, Kaya Christian Nelson, received nearly four years in prison for his role in a series of swatting incidents conducted in 2020.
Ryan Mitchell Kramer has admitted guilt in hacking into The Walt Disney Company's systems.
A joint investigation by German, French, and Norwegian media has identified Yu Cheng Sea, a 24-year-old Chinese national, as the operator behind the phishing service Darkala.
Hong Kong authorities have detained eight individuals linked to a triad-associated group involved in opening fraudulent bank accounts using forged documents.
Modus Operandi: The group used AI to replace the photos on identity cards that had been reported lost; the altered documents passed bank ID checks, enabling the group to open three fraudulent bank accounts.
Ongoing Investigation: Law enforcement continues to probe how the group initially acquired the genuine ID cards used in the forgeries.
The U.S. Treasury has labeled the Cambodian-based Hwan Group and its subsidiaries as money laundering concerns, proposing sanctions against them.
A coordinated disinformation effort involved impersonated Romanian news outlets and government agencies, aiming to influence the presidential elections.
Attribution: Romania's communications watchdog linked the fake sites to a Russian disinformation group known as Doppelganger.
Election Impact: Romania's 2024 election was cancelled after Russian interference in support of one of the candidates. In this weekend's first round, a pro-Kremlin presidential candidate came out ahead with an increased share of the vote.
The OASIS Open Consortium, founded by IBM and including tech giants like Cisco, Microsoft, Google, and Intel, has introduced a machine-readable format for publishing device end-of-support and end-of-life dates.
This comprehensive overview encapsulates the critical cybersecurity developments discussed in the "Risky Bulletin" podcast episode. From governmental cyber strategies and significant data breaches to regulatory actions and advanced disinformation tactics, the podcast provides valuable insights into the evolving cybersecurity landscape.