This Shockingly Invasive Malware Stole Data from 3.25 Million Windows Computers

A woman rushes by Microsoft headquarters.

Photo: Robert Giroux (Getty Images)

Between 2018 and 2020, a mysterious strain of malware infected and stole sensitive data from approximately 3.25 million Windows-based computers—taking with it a horrifying amount of intimate information about the users of those devices.


The data includes login credentials—both usernames and passwords—for dozens of online platforms, as well as billions of browser cookies, millions of user files stolen right off of infected desktops and, in some cases, pictures of the device’s user taken with the computer’s own webcam.

The malicious epidemic was uncovered recently when a large database of the stolen information was spotted on the dark web, reports NordLocker in a new analysis of the incident.

The firm characterizes the virus as Trojan-style malware that was deployed onto computers via email and by illegal software, such as pirated versions of games and Adobe Photoshop, as well as “Windows cracking” tools. The malware was unnamed and likely a cheap, customizable variant that could be purchased easily on the dark web.

“Nameless, or custom, trojans such as this are widely available online for as little as $100. Their low profile often helps these viruses stay undetected and their creators unpunished,” analysts write.

According to Nord, the malware took careful steps to catalog people it had compromised, even assigning “unique device IDs to the stolen data, so it can be sorted by the source device” and also frequently photographing the computer’s user if their device had a webcam.

As to the stolen data, it’s pretty overwhelming. The compromised login information includes 1,471,416 Facebook credentials; 261,773 Twitter credentials; 145,436 PayPal credentials; 87,282 Dropbox credentials; 1,540,650 Google account credentials, and so on. Other compromised accounts include Coinbase, Blockchain, Outlook, Skype, Netflix…you get the picture.


On top of this, the malware also apparently took screenshots of the desktops it had infected, which retroactively helped researchers piece together just how much information had been compromised. To get a better idea of how extensive the damage is, here is a little breakdown:

  • 2 billion cookies
  • 26 million login credentials
  • 6.6 million files (apparently stolen off of desktops)
  • Upwards of 1 million images (696,000 .png and 224,000 .jpg files)
  • More than 650,000 Word documents and .pdf files

So, yeah, it’s all pretty disturbing. The market for personal information on the dark web—particularly login credentials—has always been big, but it’s seen a real uptick in recent years. Hundreds of millions of passwords are compromised every year through cyberattacks and breaches, leaving victims at the mercy of money-grubbing goons. While it’s up to you to decide how to protect yourself, there’s no shortage of resources out there and, it goes without saying, they’re worth checking out.


You can check out a more detailed breakdown of all of the stolen files here.

Hackers Stole Source Code from Electronic Arts and Are Selling It Online

Photo: Kevork Djansezian (Getty Images)

Cybercriminals have hacked and stolen large amounts of data and code from Electronic Arts, the prominent gaming publisher responsible for producing The Sims, Battlefield, and a number of other classic games.


“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen,” an EA spokesperson said in a statement provided to Gizmodo. “No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

The company did not say when the incident actually occurred.

A security professional shared a link with Gizmodo to the dark website where cybercriminals appear to be selling EA’s digital goods. According to the hackers, the cache is comprised of some 780GB of data, and includes full source code for the soccer game FIFA 21, as well as source code for the company’s game engine FrostBite—a core piece of software necessary for EA’s games to run properly.

First reported by Motherboard, the attack is one of several recent cyber incidents involving gaming companies. In November, the Japanese firm Capcom suffered a breach, leading to the potential compromise of data on hundreds of thousands of current and former employees and contractors. More recently, CD Projekt Red was hacked, leading to the theft of source code for some of the company’s biggest games—including Cyberpunk 2077 and The Witcher.

The motive here, like in many other cyberattacks, is financial: selling this kind of proprietary information on the dark web can net you big money. In the case of whoever hacked EA, they apparently only want offers from big, serious buyers. Motherboard reports that the hackers wrote in a dark web post: “Only serious and rep [reputation] members all other would be ignored.”

Chinese Authorities Arrest Over 1,100 People in Crypto Crime Crackdown

Photo: Philippe Lopez (Getty Images)

Chinese authorities are upping their crackdown on all things crypto by arresting more than 1,100 people suspected of using these digital tokens for money laundering. The news comes courtesy of a Wednesday Wechat post from China’s Ministry of Public Security, which oversees law enforcement throughout the country.


The bust spanned 23 different major provinces and cities, and rounded up more than 170 “criminal gangs,” the Ministry said. This is the fifth leg of what local authorities dubbed “Operation Card Broken,” which is meant to crack down on fraudsters peddling phone cards and credit cards across international borders. Back in late 2020, Chinese President Xi Jinping pushed law enforcement to take a tougher stance on telco fraud, after more than 30,000 people were caught committing these sorts of scams in the first half of the year.

Typically, scammers involved with sim-swap fraud or similar schemes will use stolen bank account credentials when they need to launder money. In recent years though, that’s become a bit more difficult, thanks to Chinese authorities getting better at intercepting payments before swindlers can pocket them. To get around this, the Ministry explained, these actors turned to crypto to transfer their funds and convert them between multiple currencies to cover their tracks.

Per the Ministry’s statement, the people caught up in the latest crackdown weren’t only the telco fraudsters themselves, but also folks who offered bitcoin-laundering services to these criminal enterprises.

These arrests are happening amid Chinese authorities fighting to rein in crypto nationwide—last month, China’s State Council put out a statement noting that the country needed to “crack down on Bitcoin mining and trading behavior” as part of the country’s efforts to take on financial crimes. Naturally, Bitcoin’s overall price took a tumble in the immediate aftermath. It’s worth assuming that this latest crackdown won’t do much to help crypto’s recent slump.

A Capitol Hill Tech Vendor Is the Latest Ransomware Victim

Photo: Win McNamee (Getty Images)

An email newsletter provider with dozens of customers on Capitol Hill has suffered a ransomware attack, the U.S. House of Representatives’ chief administrative officer confirmed Tuesday.


Punchbowl News was first to report that nearly 60 House offices from both parties were affected by an attack on iConstituent, a government-facing platform designed to help government officials reach out to the voting public. While the company is reportedly working with CAO Catherine Szpindor to resolve the issue, sources familiar with the matter told Punchbowl that there’s frustration from House members that want to, well, reach out to their constituents.

“The CAO is coordinating with the impacted offices supported by iConstituent and has taken measures to ensure that the attack does not affect the House network and offices’ data,” Szpindor said in a statement to Punchbowl, noting that the office “is not aware” of any House data being impacted by the breach thus far. The biggest problem, per Punchbowl’s report, is that these House members haven’t been able to access any of their constituent information “for several weeks.”

This attack is just the latest in a series of hacks that have kneecapped major U.S. businesses like the Colonial Pipeline and global meat supplier JBS. Last week, the White House began urging private companies to safeguard themselves against ransomware attacks in an open letter describing how “the private sector has a distinct and key responsibility” in buffing the country’s cyberattack response.

While iConstituent’s site notes that the company has worked with “hundreds of government offices,” the homepage only features a few endorsements, including one from Pennsylvania Sen. Jay Costa and another from Oklahoma Rep. Frank Lucas. Gizmodo reached out to both of their offices for comment on the case. Illinois Republican Rep. Rodney Davis (also an iConstituent customer) told Punchbowl that he “understands there is some frustration at the vendor in question here.”

DOJ Seizes $2.3 Million in Cryptocurrency From Hackers After Colonial Pipeline Cyberattack

Screenshot: Lucas Ropek/U.S. Justice Department

Federal agents have tracked and seized over half of the $4.4 million ransom paid by Colonial Pipeline to the cybercriminal gang DarkSide following May’s cyberattack, the U.S. Justice Department announced Monday.


At a press conference, Deputy Attorney General Lisa O. Monaco said that the operation was coordinated with the help of the Justice Department’s newly created ransomware task force and that the investigation had effectively recovered a majority of the multi-million dollar crypto payment. In a press release, the DOJ said that agents were able to track “multiple transfers of bitcoin” which led them to the discovery of a crypto wallet holding “approximately 63.7 bitcoins,” or approximately $2.3 million. The “FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” officials said.

“The sophisticated use of technology to hold businesses—and even whole cities—hostage for profit is decidedly a 21st-century challenge. But the old adage ‘follow the money’ still applies,” said Monaco, during Monday’s presser. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

The Colonial Pipeline ransomware attack, which took place on May 7th, not only temporarily crippled the operations of one of America’s largest oil companies; it also spurred a mini-energy crisis throughout the Southeast, while also engendering a large political response and alleged turmoil within the criminal underworld.

It’s unclear how the FBI ultimately got ahold of the key to DarkSide’s crypto wallet—or why, over a month later, the ransom hadn’t yet been transferred into fiat via a crypto exchange or dark market. However, CNN reports that after paying DarkSide, Colonial also took “early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.” We don’t have details on how exactly those steps ultimately helped law enforcement to track and seize the payment after it was made.

The announcement of the asset seizure comes as the federal government has signaled a much more targeted, strategic, and comprehensive approach to fighting the ransomware epidemic currently embroiling the country. Just last week, the Justice Department announced a new national strategy for investigating and pursuing leads in ransomware attacks.

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate, during Monday’s press conference. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”


DOJ to Treat Ransomware Hacks Like Terrorism Now: Here’s the Full Memo


The U.S. Department of Justice plans to take a much harsher tack when pursuing cybercriminals involved in ransomware attacks—and will investigate them using strategies similar to those currently employed against foreign and domestic terrorists.


The new internal guidelines, first reported by Reuters, were passed down to U.S. attorney’s offices throughout the country on Thursday, outlining a more coordinated approach to investigating attacks. The new guidance includes a stipulation that such investigations be “centrally coordinated” with the newly created task force on ransomware run by the Justice Department in Washington, DC. That task force, formed in April, is currently developing a “strategy that targets the entire criminal ecosystem around ransomware,” including “prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns,” the Wall Street Journal previously reported.

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking,” says the guidance, which runs just over three pages.

In response to a request for comment, the Justice Department provided the memo in full.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” John Carlin, acting deputy attorney general at the Justice Department, told Reuters. “We’ve used this model around terrorism before but never with ransomware,” he added.

The announcement follows an ongoing and ever-intensifying cybercrime spree—in which larger and larger commercial and governmental entities have been hamstrung by cybercrime groups. The last several weeks have seen large companies—including JBS and Colonial Pipeline—paralyzed by hackers, throwing industrial supply chains that millions of Americans rely on into chaos.



Fujifilm Is the Latest Victim of the Global Ransomware Spree

Photo: KAZUHIRO NOGI/AFP (Getty Images)

Fujifilm, the Japanese film company that somehow survived (and then thrived) amidst the digital photography revolution, would appear to be the latest victim in a recent blitz of ransomware attacks. The firm has announced that it’s investigating the “possibility of a ransomware attack,” while noting that it was still working to determine “the extent and the scale” of the incident.


“FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company,” it said in a statement Wednesday. “As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the company further stated, while noting it had suspended “all affected systems in coordination with our various global entities.”

While it’s not yet clear who the culprits behind the attack are, Advanced Intel CEO Vitali Kremez told Bleeping Computer that the incident was preceded by a Qbot infection affecting the company’s systems. Qbot (also known by its alternative nicknames “Qakbot” and “Pinkslipbot”) is a banking trojan used to steal personal and financial information. Historically speaking, Qbot’s proprietors are known to collaborate with ransomware gangs in order to carry out larger attacks.

“Based on our unique threat prevention platform Andariel, FUJIFILM Corporate appeared to be infected with Qbot malware based on May 15, 2021,” Kremez told the outlet. “Since the underground ransomware turmoil, the Qbot malware group currently works with the REvil ransomware group.”

When he talks about “turmoil,” Kremez is referencing a recent shakeup within the cybercrime ecosystem that was largely spurred by fallout from the Colonial Pipeline attack. In essence, Colonial was such a big attack that it finally encouraged governments to take action against criminal groups, which, in turn, encouraged said groups to shift their tactics and allegiances in an effort to evade the heat. Regardless of these changes, Colonial does not appear to have slowed down the ransomware industry at all. If anything, the attacks over the past few weeks seem increasingly brazen.

In the ransomware world, REvil has stood out for some of its more high-profile attacks—including ones involving an elite Hollywood law firm, Acer Computers, and Apple supplier Quanta. REvil is also believed to be the main culprit behind the JBS attack.

We have reached out to Fujifilm for further comment and will update this story when we hear back.


FBI: Conti Ransomware Gang Behind Ireland Attack Also Hit 16 U.S. Health and Emergency Networks

Photo: Mandel Ngan (Getty Images)

The same hackers that took down the Irish health system last week also hit at least 16 U.S. medical and first responder networks in the past year, according to a Federal Bureau of Investigation alert made public Thursday by the American Hospital Association.


As first spotted by the security news site Bleeping Computer, the FBI Cyber Division said these hackers used the strain of ransomware known as Conti to target law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities in the U.S. Ransomware is a type of malicious software that breaks into a victim’s devices and encrypts their files so cybercriminals can then extort payment in exchange for restoring access.

The FBI didn’t name specific victims of these breaches or whether ransoms were successfully extorted, saying only that these networks “are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.” It added that the latest ransom demands have been as high as $25 million.

The hackers that crippled the Irish health system are reportedly part of “Wizard Spider,” a sophisticated cybercrime gang based in Russia that’s been increasingly active in the past year. The group’s threatened to release patient records unless Irish authorities fork over $20 million.

For the last week, this ransomware attack has cut off access to patient records, forced medical facilities to cancel appointments, and disrupted covid-19 testing in the nation. Ireland’s minister overseeing e-government, Ossian Smyth, has called it “possibly the most significant cybercrime attack on the Irish state.”

Ireland Shuts Down Hospital Computer Systems Nationwide After Ransomware Attack

File photo of the CEO of Ireland’s Health Service Executive (HSE) Paul Reid (center) and Chief of Staff of Ireland’s Defense Forces, Vice Admiral Mark Mellett (left) with Irish Army cadets on March 13, 2020.

Photo: Paul Faith/AFP (Getty Images)

Ireland’s public health care system, known as the Health Service Executive or HSE, shut down all of its computer systems nationwide Friday after hospital administrators became aware of a cyberattack late Thursday.


The attack is being characterized as a ransomware hack, but it’s not yet clear if the hackers succeeded at acquiring enough data to hold hostage. Ransomware hackers will steal data that hasn’t been backed up sufficiently and refuse to return it until a certain amount of money has been paid, like in the Colonial Pipeline hack in the U.S. where nearly $5 million was paid just yesterday.

“There is a significant ransomware attack on the HSE IT systems,” the HSE said in a statement posted to Twitter early Friday. “We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.”

All medical equipment at Ireland’s hospitals is reportedly still operational, according to the Irish Times, but registration and record-keeping have reverted to pen and paper. The nation’s ambulance service is also operating normally, according to the HSE, and covid-19 vaccinations are still taking place.

Ransomware hackers will also sometimes threaten to release sensitive information publicly, such as medical records, as another angle to make money. It’s not clear whether any patient records have been compromised.

Paul Reid, the CEO of HSE, told Irish radio that the attack was “significant” and they were working with the military as well as third-party experts on cybersecurity, according to the Irish Times.

“There has been no ransom demand at this stage. The key thing is to contain the issue,” said Reid.


Reid also said the perpetrators were an “internationally operated criminal operation,” though he didn’t go into specifics about who might be behind this attack on the Irish health system.

Fergal Malone, an administrator at the Rotunda Maternity Hospital in Dublin, told RTE Radio Ireland that his hospital was shutting down for everything deemed non-urgent and explained that doctors were currently unable to access the electronic records of patients. The radio host asked Malone when he expected the hospital would continue normal operations and he said they were simply taking it a day at a time.


“All appointments have been cancelled for today Friday 14th May. The only exceptions are for patients who are 36 weeks or over pregnant,” the Rotunda Hospital said in a statement to Ireland’s RSVP Live.

“Otherwise you are asked NOT to attend at the Rotunda unless it is an emergency. The Rotunda will issue updated information as soon as possible.”


Ireland’s HSE did not immediately respond to an inquiry emailed early Friday but Gizmodo will update this post if we hear back.

Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn’t Very Useful

Photo: JIM WATSON / AFP (Getty Images)

About a week ago, Colonial Pipeline apparently paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data.


An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to partially rely on its own back-ups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.

The network-crippling attack on the energy giant brought the operation of its 5,500-mile oil pipeline system to an abrupt halt last week, swiftly spurring an energy crisis throughout many of the Southeastern cities to which it delivers oil. The incident led to shortages in multiple states and subsequently spurred a gas-buying binge, as panicked Americans flocked to stores and gas stations to purchase car fuel. The epidemic of End Time-type behavior even led the U.S. Consumer Product Safety Commission to helpfully remind consumers to “not fill plastic bags with gasoline,” always a helpful tip.

However, just as it looked like society might collapse, the pipeline came back online Wednesday night and began to churn oil back into America’s veins once more. In a statement published Thursday, the energy company iterated that it had regained almost full operational capacity—though getting back to a regular fuel flow is expected to take some time.

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system,” the company said, while also providing a map of the areas that it said were currently operational, as of 9 a.m. EST. As of noon EST, the entire system was expected to have been fully operational.

President Joe Biden also addressed the nation on Thursday, hoping to quell fears about surging gas prices and to update Americans about how the government was handling the incident. The President reiterated during his remarks that the White House did not believe that the Russian government had been involved in the ransomware attack but that it would be communicating with the Kremlin to more effectively target the criminals responsible.


“We do not believe that the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia,” said the President. “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden also referenced an executive order he passed Wednesday night, designed to bolster America’s defenses against cybercriminal networks. The order requires the creation of a Cyber Safety Review Board, a Department of Homeland Security team that will be in charge of investigating major cyber incidents. It also introduces measures to increase information sharing between private industry and the U.S. government on cyberattacks. And it creates a mandate for federal agencies to introduce multi-factor authentication and data encryption within a period of six months.


Biden did not comment at all on any financial exchange that may have occurred between Colonial and the hackers. Several high-level federal officials also refused to talk about it: “I have no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which has been working with the embattled gas company since the attack last week.

One of the oft-made arguments for not paying ransomware gangs is that there is no guarantee that hackers will actually make good on their word to assist with decryption once money has been paid. While the ransomware business model largely hinges on criminals sticking to their promise, in many cases, decryption can be a slow, hugely imperfect process—as the Colonial episode may well demonstrate. At the same time, payment also legitimates the business model, encouraging criminals to continue seeking out new victims.