Security
FBI Busts AI Phishing Ring, Conti Plea, REDCap Hack & Ransomware Surge
FBI dismantles China-based phishing service, Conti member pleads guilty, medical research breached, and ransomware activity hits record levels.
FBI and Google Take Down AI Phishing Service Outsider Enterprise
The FBI, Google, and Black Lotus Labs have dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise, active since 2023. The platform used AI and distributed phishing kits to impersonate trusted brands via SMS over AT&T, T-Mobile, and Verizon networks. Authorities link the operation to over 3.8 million stolen credit card records and an estimated $1.9 billion in losses. Google identified 9,000 fake websites and more than a million fraudulent URLs tied to the service. Subscribers paid as little as $88 per week via a Telegram bot to access over 290 pre-built templates for banks, toll systems, and government agencies. The kit captured victim data in real time and could bypass two-factor authentication by requesting SMS codes and app approvals. Google’s civil lawsuit alleges that Outsider operators provided tutorials on prompting Gemini to generate HTML for phishing pages, circumventing the model’s safety filters. The takedown, part of Operation Riptide, resulted in the seizure of administration servers, a Shopify storefront, and $100,000 in USDT from payment wallets. Thousands of phishing domains now redirect to an FBI splash page. Google also advocates for the Stop SCAMS Act to strengthen legal protections against AI-enabled fraud.
FBI disrupts massive AI-powered phishing service using a million URLs →
Chinese Hackers Breach REDCap Servers, Steal Medical Research Data
A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America. Google Threat Intelligence Group attributes the attacks to threat actor UNC6508, who remained undetected for over a year. The compromise occurred in September 2023, and malicious activity continued through November 2025. Three months after initial access, attackers deployed InfiniteRed, a custom malware hidden in trojanized server files. It includes a persistence module, credential harvester, and backdoor. The backdoor allowed shell commands, file uploads, SQL queries, and retrieval of stolen credentials. A notable technique was the use of legitimate content compliance rules to exfiltrate data via email, creating a rule named ‘Patriot’ that automatically BCCed matching emails to an attacker-controlled account. Keywords targeted medical research, advanced technology, military topics, and geo-strategic policy. Google notified multiple organizations in the U.S. and Canada. REDCap administrators are urged to upgrade instances, enable MFA, and use Device Bound Session Credentials.
Chinese hackers breach REDCap servers, steal medical research →
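One defensive check suggested by the mail-rule exfiltration technique above is to audit content-compliance rules for any that BCC matching messages to addresses outside the organization. The script below is an added example, not code from the report; the rule schema (name, keywords, bcc), the domain list, and the sample rules are all constructed for illustration.

```python
"""
Audit mail content-compliance rules for auto-BCC actions that send copies
of matching messages outside the organisation. The rule records use a
simplified, hypothetical schema (name, keywords, bcc); a real export from
a mail platform will look different and needs its own loader.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains (subdomains count as internal).
ORG_DOMAINS = {"example-hospital.org"}

# Constructed sample rules: a benign legal-hold copy, a rule mirroring the
# reported technique (keyword filter that BCCs an outside mailbox), and a
# rule with no BCC action at all.
SAMPLE_RULES = [
    {"name": "LegalHold", "keywords": ["subpoena"],
     "bcc": ["legal-archive@records.example-hospital.org"]},
    {"name": "Patriot", "keywords": ["clinical trial", "military", "policy"],
     "bcc": ["archive@mail-relay.example.net"]},
    {"name": "Spam", "keywords": ["lottery"], "bcc": []},
]


@dataclass
class Finding:
    rule: str
    external_bcc: list = field(default_factory=list)
    keywords: list = field(default_factory=list)


def is_external(address: str) -> bool:
    """True unless the address domain is an org domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def find_external_bcc_rules(rules):
    """Return one Finding per rule that BCCs at least one outside address."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("bcc", []) if is_external(a)]
        if external:
            findings.append(Finding(rule["name"], external, rule.get("keywords", [])))
    return findings


if __name__ == "__main__":
    for f in find_external_bcc_rules(SAMPLE_RULES):
        print(f"[!] rule {f.rule!r} BCCs outside the org: {f.external_bcc} "
              f"(keyword filter: {f.keywords})")
```

Any hit deserves review against a change-control record; a keyword filter paired with an outside BCC recipient and no documented owner is the shape the report describes.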
Ukrainian Conti Ransomware Operator Pleads Guilty in US
A 44-year-old Ukrainian national, Oleksii Oleksiyovych Lytvynenko, pleaded guilty on June 12 to conspiracy to commit wire fraud for his role in the Conti ransomware operation. He contributed to developing a malware loader and managed stolen data from 12 victims, eight of whom were in the United States. Conti operated as a ransomware-as-a-service model, infecting over 1,000 networks and extorting at least $150 million in Bitcoin. Lytvynenko was arrested in Ireland in July 2023 and extradited to the U.S. in October 2025. His sentencing is set for September 10, 2026. The case highlights ongoing US prosecutions of Conti members years after the group dissolved in mid-2022. Bitcoin’s transparency on the public ledger has aided law enforcement in tracing ransom payments and identifying perpetrators.
Ukrainian man pleads guilty in US to Conti ransomware charges →
AI Drives Record Ransomware Activity in Q1 2026, Travelers Reports
Travelers’ Q1 2026 cyber threat report recorded the highest level of ransomware activity since tracking began in 2020. Eighty-four criminal groups posted over 2,400 victim companies on dark web leak sites, with the top three groups accounting for 34% of postings. While 20 groups went inactive, 19 new ones emerged, indicating a more competitive ecosystem. The report notes that AI is fueling an increase in the quality and volume of business-email-compromise and social-engineering attacks. Phishing emails are now grammatically perfect, tailored, and psychologically persuasive. AI is also advancing voice impersonation and deepfake video attacks. Travelers recommends secondary verification for money or sensitive data requests. Shadow AI—employees using unapproved AI tools—poses additional data exfiltration risks when sensitive information is pasted into third-party platforms without oversight.
AI is fueling a surge of new ransomware threats: Travelers →
NCSC Chief: Ransomware Preparedness Must Be Boardroom Priority
Richard Horne, CEO of the UK’s NCSC, urged business leaders to treat ransomware preparedness as a strategic priority. Speaking on the FBI’s Ahead of the Threat podcast, he asked organizations to assess whether they could operate for four weeks without critical IT systems. Horne stressed that paying ransoms is not a recovery strategy; data may remain on criminal infrastructure even after payment, as seen in the LockBit disruption. He warned of a coming ‘patch wave’ as attackers exploit known vulnerabilities faster than defenders can fix them, fueled by AI. Horne called for multi-year cybersecurity roadmaps and executive accountability, arguing that cyber risk cannot remain solely with technical teams. He also highlighted public-private cooperation and the use of AI to accelerate threat detection. The message from both NCSC and FBI is clear: organizations must invest in resilience and plan for inevitable incidents.
Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief →