
Two YouTube channels help dismantle a Chinese scam operation. Cloudflare, Zscaler and Palo Alto disclose Salesloft-related breaches. A ransomware attack disrupts vehicle production at Jaguar Land Rover, and we have a new record DDoS attack. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 3rd of September and this podcast episode is brought to you by Push Security.

In today's top story, two YouTube scam baiting channels have helped dismantle a fraud ring. U.S. authorities have charged 28 suspects and arrested 25 of them last week in California, New York, Texas and Michigan. Chinese citizens who were in the US illegally were among the suspects. The group allegedly stole more than $65 million, much of it from retired Americans. They worked with call centres in India and China to trick victims into sending funds to the group's money mules. Videos recorded by the YouTube channel Scammer Payback and Trilogy Media played a key role in identifying the group's members.

In other news, more victims of last month's Salesloft hack are notifying their customers. They include security firms Cloudflare, Tenable, Zscaler, Palo Alto Networks, SpyCloud and Tanium, along with SaaS platforms PagerDuty and Exclaimer and cloud platform Cloudinary. The attackers stole authentication tokens used by Salesloft's Drift AI system to access data on other platforms. The attackers then accessed customer data and attempted to identify even more authentication tokens to continue moving between cloud systems.

A ransomware attack has disrupted vehicle production at UK automaker Jaguar Land Rover. Retail activities have also been impacted. No threat actor has taken credit for the attack yet.

The US, Australia and New Zealand have tested a new cyber defence kit. The new Joint Cyber Hunt kit is a collection of equipment and software designed to identify network intrusions. The kits are operated by a nine-person team and are intended to be easily moved and deployed when needed. The US is expected to purchase the first systems later this year.

The U.S. Department of Homeland Security has reactivated a contract with Israeli surveillance vendor Paragon Solutions. The contract was put on hold last October by the Biden administration. Paragon will provide its hacking tools to the Cyber division of the Homeland Security Investigations Unit. The contract is worth $2 million.

Cloudflare says it mitigated a new record DDoS attack of 11.5 terabits per second. The attack was more than 50% larger than the previous record. Cloudflare says most of the traffic came from Google Cloud and lasted only 35 seconds.

Chinese company TP-Link has failed to patch a vulnerability in its routers for more than a year. The bug is in its implementation of the protocol that Internet service providers use to manage routers at customer premises, known as TR-069. The flaw lets attackers remotely take over the routers. TP-Link was notified about the bug in May last year, but has yet to release a patch.

American industrial cooling systems company Copeland has released a firmware update to fix 10 vulnerabilities. The company's compliance components are used to manage HVAC and refrigeration systems. The vulnerabilities were discovered by security firm Armis. Two of the critical flaws allow remote control through predictably generated passwords. This access can be used to sabotage refrigeration systems and disable emergency functions.

And finally, hackers have stolen $8.4 million worth of crypto assets from decentralized exchange platform Bunny. The company paused transaction processing on Tuesday while it investigates the hack. The exploit targeted security vulnerabilities in the platform's Ethereum smart contracts.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Push Security. Find them at PushSecurity.com. Thanks for your company.
Podcast: Risky Bulletin (Risky.biz)
Date: September 3, 2025
Host: Claire Aird (prepared by Catalin Cimpanu)
This episode of Risky Bulletin delivers concise, up-to-date cybersecurity news highlights, with a special focus on a major bust of a Chinese-operated fraud ring—thanks in part to the investigative work of prominent YouTube scam-baiting channels. Additional stories cover breaches at high-profile security firms, a ransomware attack on Jaguar Land Rover, new international cyber-defense initiatives, and notable vulnerabilities and hacks.
Claire Aird (on YouTubers' impact):
"Videos recorded by the YouTube channel Scammer Payback and Trilogy Media played a key role in identifying the group's members." [00:37]
Claire Aird (on token spillover risks):
"The attackers then accessed customer data and attempted to identify even more authentication tokens to continue moving between cloud systems." [01:38]
Claire Aird (on DDoS scale):
"Cloudflare says most of the traffic came from Google Cloud and lasted only 35 seconds." [03:07]
| Segment | Headline/Event | Timestamp |
|---|---|---|
| Chinese Scam Ring Bust | YouTubers aid US fraud investigation | 00:05–01:15 |
| Salesloft Breach Fallout | Major companies notify customers post-breach | 01:15–01:52 |
| Jaguar Land Rover Attack | Ransomware disrupts UK vehicle production | 01:52–02:07 |
| Joint Cyber Hunt Kit | International rapid response kit tested | 02:08–02:28 |
| Paragon Solutions Deal | DHS reactivates Israeli surveillance contract | 02:29–02:55 |
| Cloudflare DDoS Attack | Record 11.5 Tbps attack mitigated | 02:56–03:10 |
| TP-Link Router Bug | Unpatched critical flaw for over a year | 03:11–03:31 |
| Copeland Cooling Bugs | Industrial refrigeration systems patched | 03:32–03:53 |
| Bunny Crypto Hack | $8.4M stolen from decentralized exchange | 03:54–04:10 |
For more in-depth cybersecurity updates, tune in regularly to Risky Bulletin.