Risky Bulletin: Trump Admin's Signal Clone Gets Hacked, Messages Exposed
Hosted by risky.biz, the "Risky Bulletin" podcast delivers comprehensive cybersecurity news updates. In this episode released on May 5, 2025, host Claire Aird presents critical developments in the cybersecurity landscape, ranging from governmental cyber strategies to significant data breaches and regulatory actions.
1. Telemessage Breach Exposes Secure Messaging Data
A significant security incident unfolded as TeleMessage, an Israeli company known for its archiving versions of secure messaging applications, fell victim to a data breach. The breach compromised TM Signal, a modified version of the Signal app used by several U.S. government agencies, including the White House.
- Incident Details: A hacker used a password to access TeleMessage's backend systems, retrieving user identities and some message content. TM Signal's use came to light when a journalist photographed former National Security Advisor Mike Waltz using the app.
- Implications: The exposure of TM Signal undermines the perceived security of government communications, raising concerns about the confidentiality of sensitive discussions.
- Quote: Claire Aird stated, “A hacker has breached and stolen customer data from Telemessage... accessing the identities of users and the content of some messages” ([00:04]).
2. Magento Plugin Backdoors Hijack Nearly 1,000 Online Stores
Cyber attackers have activated dormant backdoors within Magento plugins, leading to the hijacking of approximately 1,000 online retail stores.
- Backdoor Origins: The malicious code was initially inserted in 2019 when attackers infiltrated three Magento software development environments. Security firm Sansec identified modifications in the source code of 21 plugins.
- Activation and Impact: Though planted years earlier, the backdoors remained inactive until April 2025, when attackers activated them and compromised a $40 billion multinational among other victims.
- Quote: Claire Aird highlighted, “Hackers have hijacked almost 1,000 online stores by activating backdoors they planted inside Magento plugins” ([00:04]).
3. Trump Administration's Shift Towards Offensive Cyber Operations
The Trump administration is poised to make offensive cyber operations a central element of its national power strategy.
- Policy Changes: National Security Council Senior Director for Cyber Alexei Bulazel revealed plans to normalize offensive cyber tactics. The administration intends to retaliate with cyberattacks against adversaries that target the U.S.
- Budget Cuts: Concurrently, there are proposals to reduce the Cybersecurity and Infrastructure Security Agency's (CISA) budget by $491 million, with cuts focused on international affairs programs and initiatives combating misinformation.
- Rationale: The administration asserts that CISA has been misused to suppress conservative voices, including that of Donald Trump.
- Quote: Alexei Bulazel remarked, “The US will eventually respond with its own cyber attacks against foreign adversaries who target the US” ([00:04]).
4. International Criminal Court Expands Jurisdiction to Cyber-enabled Crimes
A groundbreaking policy amendment extends the International Criminal Court's (ICC) jurisdiction to encompass cyber-enabled crimes.
- Rome Statute Amendment: The draft policy broadens the ICC’s mandate beyond genocide, war crimes, crimes against humanity, and international military aggression to include cyber-related offenses.
- Triggering Event: Russia’s cyber activities against civilian targets in Ukraine played a pivotal role in prompting this expansion, enabling the ICC to address the implications of digital warfare.
5. TikTok Fined €530 Million for GDPR Violations
Ireland's Data Protection Agency imposed a substantial fine on TikTok for non-compliance with General Data Protection Regulation (GDPR) transparency obligations.
- Violation Details: TikTok was found to have transferred EU citizens' data to China without explicit user consent, violating privacy standards.
- Compliance Deadline: The platform has been granted six months to rectify these practices and achieve compliance.
6. Ransomware Group Dragonforce Targets Major UK Retailers
The ransomware collective DragonForce has claimed responsibility for cyberattacks against prominent UK retailers, including Marks & Spencer, Co-op, and Harrods.
- Attack Strategy: In an extortion campaign, DragonForce has threatened further intrusions while showcasing stolen data. For instance, a sample of Co-op’s user data was released to the BBC as proof of compromise.
7. SK Telecom Responds to SIM Card Database Theft
South Korean telecommunications giant SK Telecom is grappling with a significant security breach involving its SIM card database.
- Response Measures: The company has halted new user registrations and is in the process of replacing all customer SIM cards. Additionally, SK Telecom has ceased number porting to thwart potential misuse of the stolen SIM data by hackers.
8. Raw Mobile Dating App Suffers Data Leak
The Raw mobile dating application addressed a critical data leak that exposed users' personal information due to an unsecured API server.
- Exposed Data: Unauthenticated queries allowed attackers access to sensitive information, including names, birthdates, geolocation data, and sexual preferences. Furthermore, the app lacked end-to-end encryption despite advertising such features.
9. US Charges Yemeni National for Black Kingdom Ransomware Activities
The U.S. Justice Department has indicted a Yemeni national, Rami Khaled Ahmed, for orchestrating ransomware attacks against American firms.
- Modus Operandi: Ahmed exploited the ProxyLogon vulnerability to breach Microsoft Exchange servers, deploying ransomware across more than 1,500 systems. He demanded $10,000 in Bitcoin for decryption keys.
10. Wisconsin Man Sentenced for Swatting Incidents
A Wisconsin resident, Kya Christian Nelson, received nearly four years in prison for his role in a series of swatting incidents conducted in 2020.
- Criminal Activities: Nelson hacked victims' Ring door cameras, initiated police responses, and live-streamed the swatting events on social media. His accomplice was sentenced to seven years in 2024.
11. California Man Pleads Guilty to Hacking The Walt Disney Co.
Ryan Mitchell Kramer has admitted guilt in hacking into The Walt Disney Company's systems.
- Attack Method: Kramer installed malware on an employee’s device, infiltrated Disney’s internal Slack channels, and exfiltrated data. He disseminated the stolen information on hacking forums under the guise of a fictitious Russian hacktivist group, NullBulge.
12. Phishing Service Administrator Identified as Chinese National
Investigative efforts by German, French, and Norwegian media have identified Yu Cheng Sea, a 24-year-old Chinese national, as the operator behind the phishing service Darcula.
- Service Operations: Darcula has been associated with over 20,000 phishing domains, many imitating package delivery services to deceive users and steal credentials.
13. Hong Kong Police Crack Down on Fraudulent Bank Account Operations
Hong Kong authorities have detained eight individuals linked to a triad-associated group involved in opening fraudulent bank accounts using forged documents.
- Modus Operandi: The group used AI technology to alter the photos on identity cards that had been reported lost, enabling it to open three fraudulent bank accounts with the doctored cards.
- Ongoing Investigation: Law enforcement continues to probe how the group initially acquired the genuine ID cards used in the forgeries.
14. US Treasury Targets Cambodian Financial Firm for Money Laundering
The U.S. Treasury has labeled the Cambodia-based Huione Group and its subsidiaries a money laundering concern, proposing sanctions against them.
- Criminal Activities: The Huione Group is accused of laundering over $4 billion derived from North Korean cryptocurrency heists and Southeast Asian scam operations over four years.
15. Disinformation Campaigns Target Romanian Election
A coordinated disinformation effort involved impersonated Romanian news outlets and government agencies, aiming to influence the presidential elections.
- Attribution: Romania's communications watchdog linked the fake sites to a Russian disinformation group known as Doppelganger.
- Election Impact: The interference contributed to the cancellation of Romania’s 2024 election, which had seen a Russian-backed, pro-Kremlin presidential candidate advance past the first round with an increased vote share.
16. OASIS Open Consortium Proposes New Device Support Framework
The OASIS Open Consortium, founded by IBM and including tech giants like Cisco, Microsoft, Google, and Intel, has introduced a machine-readable format for publishing device end-of-support and end-of-life dates.
- Purpose: This initiative aims to enhance transparency and complement existing frameworks such as software bills of materials and the Common Security Advisory Framework, thereby improving device lifecycle management and security.
This comprehensive overview encapsulates the critical cybersecurity developments discussed in the "Risky Bulletin" podcast episode. From governmental cyber strategies and significant data breaches to regulatory actions and advanced disinformation tactics, the podcast provides valuable insights into the evolving cybersecurity landscape.
