In This Article
- Drug cartel hired hacker to spy on FBI
- Spanish group stole more than €460 million
- Hackers infiltrated gamers' PCs through Call of Duty: WWII
- ICEBlock app for reporting ICE agent sightings goes viral
- Police arrest two hackers targeting high-ranking officials and journalists
- Malware targeting cryptocurrency theft has learned to self-heal
- Bluetooth vulnerability allows hackers to eavesdrop on gadget owners
- The number of attacks via contactless payments has increased 35 times globally since the beginning of the year
- More than 40 malicious extensions that steal private keys have been discovered in Firefox
Drug cartel hired hacker to spy on FBI
In late June, the U.S. Justice Department's Office of the Inspector General released an audit of how the FBI protects its operations against "ubiquitous technical surveillance."
According to the document, in 2018, while the bureau was working the case against Sinaloa cartel leader Joaquín "El Chapo" Guzmán, a person associated with the cartel told the FBI that the organization had hired a hacker. The hacker compromised phones and other electronic devices and watched people entering and leaving the U.S. Embassy in Mexico City; among them he identified an FBI assistant legal attaché stationed there as a person of interest for the cartel.
Using only the attaché's phone number, the hacker obtained records of the calls he made and received together with geolocation data. He also tapped into Mexico City's municipal camera network to follow the attaché's movements around the city and identify the people he met with.
According to the FBI's source, the cartel used that information to intimidate and, in some cases, kill potential witnesses and informants.
Spanish group stole more than €460 million
The Spanish Guardia Civil, working with Europol, dismantled a large fraud network that stole more than €460 million from over 5,000 victims worldwide through bogus cryptocurrency investment schemes.
On June 25, officers detained three suspects in the Canary Islands and two in Madrid. Europol had supported the investigation since 2023 and sent a cryptocurrency specialist to Spain for the action day.
According to investigators, the organizers built a global scheme for collecting money through bank transfers, cryptocurrency transactions, and cash. They allegedly used payment gateways, exchange accounts, and a corporate structure linked to Hong Kong to move the funds, while a network of agents around the world lured victims onto fake investment platforms.
Hackers infiltrated gamers' PCs through Call of Duty: WWII
The return of Call of Duty: WWII to PC via Xbox Game Pass at the end of June was followed by a wave of attacks. By July 3, players were complaining that an unknown attacker was using remote code execution (RCE) exploits against them in multiplayer.
By exploiting vulnerabilities in the game's multiplayer networking code, the attacker ran arbitrary commands on players' PCs in the middle of a match, in several cases while the victim was streaming.
Documented cases range from the relatively harmless (Notepad popping open, unwanted images on screen) to forced reboots; an attacker who can do that can run anything else as well.
A player known as MikeRxqe pointed out that the game's dated peer-to-peer networking model makes this much easier: players connect directly to one another rather than through a dedicated server, so every participant learns the IP address of every other participant.
With a target's IP address in hand, the attacker sends crafted packets straight to the victim's machine. They look like ordinary game traffic (movement and shot data) but carry a payload that triggers the vulnerability in the receiving client.
On July 2, Activision took the servers down for brief maintenance, but it has made no official statement linking that work to the RCE reports. Until a patched client ships, the only mitigation available to players is not to launch the affected PC version.
ICEBlock app for reporting ICE agent sightings goes viral
The ICEBlock iPhone app, which allows anonymous reporting of sightings of U.S. Immigration and Customs Enforcement (ICE) agents, went viral following a mention by Attorney General Pam Bondi.
Most ICEBlock users, roughly 20,000 people, are in Los Angeles, where ICE raids have become routine in recent weeks. The day after Bondi's evening remarks, on July 2, the app made the list of the most downloaded free apps in the United States.
ICEBlock lets users report a sighting of ICE agents, and other users within roughly 8 km (5 miles) of the reported location receive a notification.
Police arrest two hackers targeting high-ranking officials and journalists
On July 1, Spanish police arrested two men in Las Palmas province on suspicion of cybercrimes, including stealing data from the country's government agencies.
Both suspects are described as a "serious threat to national security." The investigation began when police detected a leak of personal data concerning politicians, officials of the central and regional governments, and journalists.
The first suspect is believed to have specialized in exfiltrating the data, while the second handled the money: selling access to databases and accounts and controlling the cryptocurrency wallet that received the payments.
Both were detained. During the searches, police seized a large number of electronic devices that could lead to new evidence, buyers, or accomplices.
Malware targeting cryptocurrency theft has learned to self-heal
North Korea-linked actors are using a new macOS malware family, dubbed NimDoor, against cryptocurrency and Web3 organizations.
The lure is a fake meeting: the attackers approach a target on Telegram, arrange a call through the Calendly scheduling service, then email a link to what is presented as a Zoom SDK update. The "update" is a script that fetches the malware.
In a report published on July 2, SentinelOne said the payloads are compiled from C++ and Nim, an unusual choice for macOS malware.
The most sophisticated component is CoreKitAgent, an event-driven binary built around kqueue. Its "self-healing" comes from signal handlers: it traps SIGINT and SIGTERM, and when a user or a security tool tries to kill it, the handler rewrites its LaunchAgent and relaunches the binary instead of letting the process exit. The practical consequence for responders is that the persistence artefact must be removed before the process is killed, and the kill must be SIGKILL, which no process can catch.
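The signal trick is generic POSIX behaviour, so it can be shown without any malware. The following is an added demonstration written for this digest, not NimDoor code and not from SentinelOne: a process traps SIGTERM and SIGINT, the handler increments a counter standing in for "rewrite the LaunchAgent and re-exec", and the process survives its own SIGTERM; the same program shows that the kernel refuses a handler for SIGKILL. The counter and the handler names are constructed for the example.

```python
import signal

# Counter that stands in for the implant's "re-arm" routine (rewrite the
# LaunchAgent plist, re-exec the binary). Constructed demo of POSIX signal
# semantics; none of this is NimDoor code.
reinstall_count = 0


def on_terminate(signum, frame):
    """Invoked for SIGTERM/SIGINT instead of the default action (exit)."""
    global reinstall_count
    reinstall_count += 1  # a real implant would reinstall persistence here


def install_handlers():
    """Trap the two signals a responder usually sends first (kill PID, Ctrl-C)."""
    signal.signal(signal.SIGTERM, on_terminate)
    signal.signal(signal.SIGINT, on_terminate)


def survive_sigterm():
    """Send SIGTERM to our own process and report whether we lived.

    signal.raise_signal() runs pending Python-level handlers before it
    returns, so a return value of 1 means the handler fired and the
    process is still running; without the handler the process would exit.
    """
    global reinstall_count
    install_handlers()  # idempotent; guarantees the trap is in place
    reinstall_count = 0
    signal.raise_signal(signal.SIGTERM)
    return reinstall_count


def can_catch_sigkill():
    """SIGKILL (like SIGSTOP) cannot be trapped: the kernel refuses the handler."""
    try:
        signal.signal(signal.SIGKILL, on_terminate)
    except (OSError, ValueError, RuntimeError):
        return False
    return True


if __name__ == "__main__":
    print("survived SIGTERM, handler ran %d time(s)" % survive_sigterm())
    print("SIGKILL trappable:", can_catch_sigkill())
```

The order of operations for cleanup follows directly: unload and delete the LaunchAgent plist first (otherwise launchd restarts the binary), then kill the process with SIGKILL (`kill -9`), then remove the binary. Killing with plain `kill` or Ctrl-C only hands control to the handler.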
Bluetooth vulnerability allows hackers to eavesdrop on gadget owners
At the TROOPERS security conference, researchers from ERNW disclosed three vulnerabilities (CVE-2025-20700, CVE-2025-20701 and CVE-2025-20702) in Bluetooth SoCs made by Airoha, which are widely used in speakers, headphones, headsets, and wireless microphones; 29 products were confirmed affected.
The flaws let an attacker within Bluetooth range talk to the chip without pairing, read and write its RAM and flash, and hijack the link to the paired phone. Affected brands include Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, JLab, EarisMax, MoerLabs, and Teufel.
From there the attacker can eavesdrop through the headset's microphone and, by impersonating the headset to the phone over the Hands-Free Profile, place calls and, on some phones, read the call history and contact list. The caveat ERNW itself stressed: the attacks require physical proximity (roughly 10 m) and considerable skill, so they are a realistic concern mainly for high-value targets rather than a mass threat.
Airoha has shipped a fixed SDK to manufacturers, and vendors have begun building and distributing firmware updates. Since headsets rarely update themselves, owners should check the vendor's companion app for a pending firmware update.
The number of attacks via contactless payments has increased 35 times globally since the beginning of the year
According to ESET, theft through contactless payments keeps growing: in the first half of 2025 the number of NFC-based fraud attacks it observed worldwide was 35 times higher than in the second half of 2024.
The scheme combines standard ingredients (social engineering, phishing, Android malware) with NFCGate, an open-source NFC research tool, to produce something new: relaying the victim's physical card to the attacker.
The NGate malware, built on NFCGate, captures the NFC traffic of a card the victim has been tricked into holding against their phone and relays it in real time to an attacker's phone, which replays it at an ATM or payment terminal as if the card were present. The card's cryptography is never broken; the attacker simply stands in for the victim, and in the cases ESET documented the PIN was obtained through the same social-engineering call.
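The relay works because a terminal cannot tell a card a few centimetres away from one whose answers travel through two phones and the internet, unless it measures how long the answers take. The following added example, written for this digest and not code from ESET, NFCGate or NGate, simulates the exchange: a card answers a SELECT of the EMV payment directory (PPSE), transport hops add latency on the way there and back, and the terminal rejects a reply that arrives too late. The hop latencies, the 20 ms budget and the empty FCI reply are assumed figures for the demonstration; the timing check mirrors the idea behind EMV's relay-resistance mechanisms rather than any vendor's implementation.

```python
# Constructed EMV-style exchange. SELECT by name of "2PAY.SYS.DDF01" (the
# contactless payment directory), plus ISO 7816 status words and an FCI
# template (tag 6F) with an empty body. Real transactions exchange far more.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"
FCI_EMPTY = b"\x6f\x00"


class Card:
    """Minimal contactless card: answers SELECT PPSE, rejects anything else."""

    def transmit(self, apdu, clock):
        if apdu == SELECT_PPSE:
            return FCI_EMPTY + SW_OK
        return SW_FILE_NOT_FOUND


class Hop:
    """A transport leg (RF link, NFCGate-style relay over the internet, ...)
    that adds its latency to the request and again to the response."""

    def __init__(self, name, latency_ms, downstream):
        self.name, self.latency_ms, self.downstream = name, latency_ms, downstream

    def transmit(self, apdu, clock):
        clock["ms"] += self.latency_ms            # request crosses the hop
        resp = self.downstream.transmit(apdu, clock)
        clock["ms"] += self.latency_ms            # response crosses it back
        return resp


def terminal_tap(endpoint, max_rtt_ms=20.0):
    """Terminal side: send SELECT PPSE and time the round trip.

    Returns (verdict, rtt_ms). Rejecting slow answers is the idea behind EMV's
    relay-resistance checks; the 20 ms budget is an assumed figure for this demo.
    """
    clock = {"ms": 0.0}
    resp = endpoint.transmit(SELECT_PPSE, clock)
    rtt = clock["ms"]
    if not resp.endswith(SW_OK):
        return "declined", rtt
    if rtt > max_rtt_ms:
        return "rejected_relay_suspected", rtt
    return "approved", rtt


def genuine_tap():
    """Card held directly against the terminal: one RF leg (assumed 1 ms each way)."""
    return Hop("rf", 1.0, Card())


def relayed_tap():
    """NGate-style chain: terminal -> attacker's phone emulating the card ->
    internet relay (assumed 60 ms each way) -> victim's phone -> victim's card."""
    return Hop("rf", 1.0, Hop("internet", 60.0, Hop("rf", 1.0, Card())))


if __name__ == "__main__":
    print("genuine:", terminal_tap(genuine_tap()))
    print("relayed:", terminal_tap(relayed_tap()))
    # A terminal without the timing check accepts the relayed card as genuine:
    print("no check:", terminal_tap(relayed_tap(), max_rtt_ms=float("inf")))
```

The last line of the demo is the point: with an unbounded budget the relayed tap is indistinguishable from a genuine one, because every byte the terminal sees really did come from the victim's card. Timing is the only thing the relay cannot fake, which is why card-side limits (disabling NFC when not paying, low contactless limits, never entering a PIN into an app on request) matter as much as terminal-side checks.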
More than 40 malicious extensions that steal private keys have been discovered in Firefox
More than 40 fake Firefox extensions have been found that are designed to steal cryptocurrency wallet data. They masquerade as the official add-ons of popular platforms: Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
The extensions are visually indistinguishable from the legitimate ones and come with large numbers of fake reviews and ratings to earn trust.
Once installed, an extension quietly captures the wallet credentials (seed phrases and private keys) the user enters and sends them to a server controlled by the attackers, putting the user's funds at risk. During initialization it also transmits the victim's external IP address, presumably for tracking or targeting.
The campaign has been active since at least April 2025, and new malicious extensions were still being uploaded to the Firefox add-on catalog in the last days of June. The practical check is simple: install a wallet extension only from the link on the vendor's own site, and verify that the add-on's ID and author match what the vendor publishes, since a listing's name, icon, and star rating can all be copied or bought.
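A first-pass triage of what is already installed can be done from the add-on manifests alone, without reading any JavaScript. The following is an added example written for this digest, not code from the page or from the researchers who reported the campaign: it unpacks each .xpi in a profile's extensions directory, reads manifest.json, and flags an add-on whose name mimics a wallet brand but whose ID is not the one the vendor publishes, one whose content scripts run on every site, or one that asks for risky permissions. The allow-list IDs, the sample manifests, and the .xpi file names are constructed placeholders; the real IDs must be taken from each vendor's own site.

```python
import json
import os
import tempfile
import zipfile

# Hypothetical allow-list: brand keyword -> add-on ID the vendor publishes.
# The IDs below are placeholders (assumed), not real vendor IDs; fill them
# in from the link on each vendor's own website.
KNOWN_WALLET_IDS = {
    "metamask": "{11111111-1111-1111-1111-111111111111}",
    "phantom": "{22222222-2222-2222-2222-222222222222}",
}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMISSIONS = {"clipboardRead", "webRequest", "webRequestBlocking",
                     "cookies", "history", "nativeMessaging"}


def extension_id(manifest):
    """Firefox add-on ID, from the MV3 key or the older 'applications' key."""
    for key in ("browser_specific_settings", "applications"):
        gecko_id = manifest.get(key, {}).get("gecko", {}).get("id")
        if gecko_id:
            return gecko_id
    return None


def triage_manifest(manifest):
    """Return a list of human-readable findings; empty means nothing stood out."""
    findings = []
    name = (manifest.get("name") or "").lower()
    ext_id = extension_id(manifest)
    for brand, official in KNOWN_WALLET_IDS.items():
        if brand in name and ext_id != official:
            findings.append(f"name mimics {brand} but add-on id {ext_id!r} is not the vendor's")
    matches = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    if matches & BROAD_MATCHES:
        findings.append("content scripts or host permissions cover every site")
    risky = set(manifest.get("permissions", [])) & RISKY_PERMISSIONS
    if risky:
        findings.append("risky permissions: " + ", ".join(sorted(risky)))
    return findings


def triage_xpi(path):
    """An .xpi is a zip archive; only manifest.json is needed for this first pass."""
    with zipfile.ZipFile(path) as xpi:
        return triage_manifest(json.loads(xpi.read("manifest.json")))


def scan_extensions_dir(ext_dir):
    """Map every .xpi file name in a profile's extensions/ dir to its findings."""
    return {fn: triage_xpi(os.path.join(ext_dir, fn))
            for fn in sorted(os.listdir(ext_dir)) if fn.endswith(".xpi")}


def build_sample_profile():
    """Constructed test data: one look-alike wallet add-on and one benign add-on."""
    lookalike = {
        "manifest_version": 2,
        "name": "MetaMask Wallet",
        "version": "1.0",
        "applications": {"gecko": {"id": "{99999999-9999-9999-9999-999999999999}"}},
        "permissions": ["storage", "clipboardRead"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }
    benign = {
        "manifest_version": 2,
        "name": "Tab Sorter",
        "version": "1.0",
        "applications": {"gecko": {"id": "tabsorter@example.test"}},
        "permissions": ["tabs"],
    }
    ext_dir = tempfile.mkdtemp()
    for fn, manifest in (("lookalike-wallet.xpi", lookalike), ("tab-sorter.xpi", benign)):
        with zipfile.ZipFile(os.path.join(ext_dir, fn), "w") as xpi:
            xpi.writestr("manifest.json", json.dumps(manifest))
    return ext_dir


if __name__ == "__main__":
    for fn, findings in scan_extensions_dir(build_sample_profile()).items():
        print(fn, "->", findings or "no findings")
```

On a real machine, point `scan_extensions_dir` at the `extensions` folder inside the Firefox profile directory. A manifest-only pass cannot see the exfiltration itself, which lives in the bundled JavaScript; anything it flags still needs the add-on's scripts read, or the add-on simply removed and the wallet's seed phrase rotated.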