A
The US Secret Service raids a SIM farm in New York, EU airport disruptions were caused by ransomware, thieves steal gold nuggets from a French museum after a cyber attack, and SonicWall releases a firmware update to remove SMA rootkits. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 24th of September and this podcast episode is brought to you by SpecterOps, the experts in attack path management.

In today's top story, the U.S. Secret Service has seized 300 servers during a SIM farm raid. The farm was operating from five locations across the New York tri-state area. Together, the seized servers were running more than 100,000 SIM cards. White House officials received anonymous death threats earlier this year from the SIM farm, which prompted the investigation.

In other news, a ransomware attack is responsible for this week's disruptions at European airports. The EU's cybersecurity agency says it's identified the type of ransomware used in the attack and that law enforcement is investigating. The attack began on Friday and targeted Collins Aerospace, which operates self check-in kiosks. Disruptions are expected to continue throughout the week.

GitHub will require developers to use FIDO-based two-factor authentication to authorise updates to their NPM packages. The requirement is part of the company's NPM security overhaul following a recent supply chain attack and self-propagating worm. The company will also deprecate legacy NPM tokens and roll out new ones that only last seven days.

UK carmaker Jaguar Land Rover has extended its halt in production until October 1st. The company paused production following a ransomware attack in early September. Several of the company's suppliers have said they may face bankruptcy. The company has lost more than 50 million pounds since the attack began.

Hackers have stolen the contact information of Stellantis customers. Stellantis is the parent company of multiple car brands including Maserati, Jeep, Alfa Romeo and Fiat. The data was stolen from a third party service provider. The breach only impacted the company's customers.

A European EV charging provider has notified customers of a security breach. Digital Charging Solutions builds public charging solutions for car manufacturers and fleet managers. The company confirmed a third-party customer service provider had viewed customer information without authorisation. DCS also notified BMW and Kia, who used DCS for their charging networks.

Thieves have stolen gold nuggets worth €600,000 from the French Natural History Museum following a cyber attack. The theft occurred while the museum's alarms and camera surveillance were down due to the cyber attack weeks earlier, according to investigators. The thieves appear to have known about the lack of surveillance.

A cyber attack has disrupted almost 400 Circle K convenience stores in Hong Kong. Payment, email and loyalty systems have been down all week. The stores have remained open but have only accepted payments via Hong Kong's custom Octopus payment cards.

Maryland's public transport agency is investigating a breach of its internal IT network. The incident occurred last week but did not impact public transportation operations. It mainly affected the agency's call centres, which are used for on-demand mobility and paratransit services.

A hacker has breached the UXLink crypto platform. The attacker stole almost $30 million in assets and minted trillions of the platform's custom coins. In a rare case of instant karma, the attacker fell for a phishing attack shortly after the hack and lost $48 million.

An app designed to dox people that spoke against Charlie Kirk has wound up doxxing its own users. The Cancel the Hate app leaked the email addresses and phone numbers of its users, according to Straight Arrow News. The app was taken offline last week after reporters reached out.

The European Union is aiming to simplify its cookie consent pop-up law. A proposed amendment to the ePrivacy Directive could reduce the number of cases where consent must be obtained. The directive was passed in 2009 and required websites to obtain user consent before placing cookies on their devices.

Poland has threatened to hack back any country that cripples its critical infrastructure. Minister of Digital Affairs Krzysztof Gawkowski says the country has the capability to retaliate. Gawkowski was responding to questions about recent attacks that disrupted European airports and an attack that attempted to cut off water supply to a Polish city. Romania has also threatened hackback operations.

EU authorities have dismantled a crypto fraud ring operating out of Spain and Portugal. The group has been operating since 2018. It allegedly stole more than 100 million euros from victims across Europe. The five suspects were detained and bank accounts have been frozen in multiple countries.

Cloudflare says it's mitigated a new record DDoS attack of 22.2 terabits per second. The attack was almost double the previous record, which also targeted Cloudflare's infrastructure earlier this month. The attack lasted 40 seconds. Cloudflare is calling these attacks hypervolumetric DDoS attacks due to their size.

SonicWall has released a firmware update to remove the OVERSTEP rootkit from its SMA appliances. The rootkit has been used in a campaign targeting SMA devices for almost a year, according to Google. The hackers abused compromised passwords to deploy both the rootkit and ransomware.

Libraesva has patched an actively exploited zero day in its email security gateways. The company says the bug was exploited by a foreign state. The vulnerability is a command injection bug. Attackers can run malicious code on Libraesva email servers by sending email containing a specially crafted compressed attachment.

And finally, two new vulnerabilities can allow hackers to remotely take over factory management systems. The bugs impact Dassault's DELMIA Apriso manufacturing line management platform. Remote attackers can create privileged employee accounts and use them to upload web shells. Both issues are likely to be exploited. Earlier this month, CISA also warned that hackers were exploiting another DELMIA Apriso bug to compromise factories.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, SpecterOps. Find them at specterops.io. Thanks for your.
Podcast: Risky Bulletin
Host: risky.biz
Date: September 24, 2025
Summary prepared by: Catalin Cimpanu, read by Claire Aird
This episode delivers a roundup of the latest cyber incidents and security updates, with a focus on a dramatic US Secret Service raid on a massive SIM farm operation in New York. The bulletin also covers ransomware attacks impacting European airports and major carmakers, sensitive data breaches, physical crimes facilitated by cyber attacks, critical infrastructure threats, and the latest in security patches and defenses.
This fast-paced bulletin encapsulates the evolving risks and interplay between digital and physical security, highlighting both large-scale criminal innovation and failures, as well as the global urgency for proactive cyber defense.