Security
Russian JLR Hack Costs $2.5B; DirtyClone Exploit Published
JLR attack blamed on Russian hackers, DirtyClone root exploit goes public, and more in today's security briefing.
Russian Hackers Behind Jaguar Land Rover Attack That Cost $2.5 Billion
Russian hackers carried out the cyberattack on Jaguar Land Rover that began on 31 August 2025, shutting down production for nearly six weeks and costing the British economy an estimated $2.5 billion, making it the most financially damaging cyberattack in UK history. Investigators have not determined whether the hackers were working directly for Vladimir Putin’s government, were independent criminals, or were operating with tacit approval. Microsoft tracked the Russian hacking group and alerted JLR to their identities, while the FBI, Britain’s National Crime Agency, the National Cyber Security Centre, Google’s Mandiant unit, and Palo Alto Networks all contributed to the investigation.
The attack originated with a vishing campaign weeks before the breach, in which attackers posing as internal staff tricked JLR employees into handing over login credentials. Armed with valid usernames and passwords, the hackers entered through normal authentication flows and moved laterally across JLR’s IT networks. Production lines ceased on 1 September, and staff were told to stay home. The UK’s Cyber Monitoring Centre estimated the total economic cost at £1.9 billion, with more than 5,000 organizations across JLR’s supply chain affected. The Bank of England later attributed a shortfall in GDP growth partly to the attack. A group calling itself Scattered Lapsus$ Hunters initially claimed responsibility on Telegram, but a New York Times investigation pointed to a separate Russian operation. The attribution comes amid an intensifying pattern of Russian-linked cyber operations targeting Western and Ukrainian infrastructure.
Iranian National Wanted for $3.4B in Hacking Attacks Arrested in Montenegro
An Iranian national wanted by the United States for mass hacking attacks that caused $3.4 billion in damage was arrested in Montenegro on Thursday. The 39-year-old man holds both Iranian and Turkish citizenship and is wanted by a federal court in New York on multiple charges including conspiracy to commit computer fraud, hacking, and identity theft. Police located him in the coastal resort town of Kotor and arrested him at the request of the U.S. and the FBI.
Since 2013, as an associate of a legal entity from Iran, he committed massive hacking attacks on U.S. infrastructure, including 150 universities. The stolen data and compromised university profiles were used for the benefit of the Islamic Revolutionary Guard Corps and other Iranian beneficiaries, including universities based in Iran. A court in the capital Podgorica will handle extradition proceedings. Montenegro is a U.S. ally and member of NATO.
Iranian national U.S. sought for $3.4 billion in hacking attacks arrested in Montenegro →
DirtyClone Linux Kernel Exploit Published, Enables Stealth Root Access
JFrog Security Research published the detailed exploit chain for DirtyClone (CVE-2026-43503) on Thursday, June 25, marking the first public demonstration of a working attack against this high-severity Linux kernel flaw. The patch has been available in Linux mainline since May 21, but many distributions have not yet shipped it. The vulnerability belongs to the DirtyFrag family, a class of kernel memory corruption bugs that turn a zero-copy networking feature into a write primitive. The vulnerable function is __pskb_copy_fclone(), which drops the SKBFL_SHARED_FRAG safety flag when cloning a packet via the Linux netfilter TEE target.
JFrog researchers documented a seven-step attack chain that allows an attacker to overwrite the page-cache copy of a privileged binary such as /usr/bin/su, patching the password-check branch in memory without altering the on-disk file. Standard file-integrity monitoring sees nothing because no file was changed. Under certain shared-infrastructure configurations, the same primitive also enables container escape to the host. DirtyClone is the third named variant in the DirtyFrag family. The highest-risk environments are multi-tenant cloud instances, Kubernetes clusters with user namespaces enabled, and CI runners. Debian and Fedora are vulnerable by default; Ubuntu 24.04 and later are partially mitigated. The permanent fix is a kernel update. No confirmed in-the-wild exploitation had been reported as of publication.
Linux Kernel Root Exploit Published: DirtyClone Attack Leaves No Trace →
Scammers Exploit GTA VI Hype to Steal Bank Details and Deploy Malware
Cybersecurity researchers have warned that criminals are exploiting the wait for Grand Theft Auto VI with a coordinated wave of fraudulent websites. GTA VI is scheduled for console release on November 19, 2026, and official preorders have not yet opened. Malwarebytes and NordVPN have flagged sites promising VIP early access or exclusive beta keys. Some fraudulent sites ask victims to pay a few hundred dollars in cryptocurrency for a VIP beta key, making refunds or fraud reports nearly impossible once payment clears.
Stefan Dasic of Malwarebytes stated that GTA VI is the perfect bait for cybercriminals because the franchise sold hundreds of millions of copies and went 13 years without a new entry. Gerald Kasulis of NordVPN said scammers use AI to mimic Rockstar’s official branding so convincingly that polished emails and websites evade gamers’ usual scepticism. Some pages use the phrase help us build Vice City to create a false sense of insider access. Victims are sometimes directed to download software branded as an early build, including a fake file called GTA Mobile 6 that contains malware capable of remote access and bypassing antivirus software. NordVPN has traced some fraudulent domains to a wider network with a history of spreading banking trojans, infostealers, and ransomware. Rockstar Games has not responded to requests for comment.
Cybercriminals Hire Burglars to Physically Infect US Law Firms
The FBI and private investigators suspect that the Russian-speaking Silent Ransom Group has hired people in the US to physically visit law firms and plug thumb drives into computers, bypassing remote anti-virus protections. In April, an executive at a US law firm received a phone call from someone claiming to be from IT support who said a virus was spreading and needed physical access. When a visitor appeared at the front desk claiming to be from IT, the lawyer became suspicious and the visitor fled. On a private Telegram channel, the group offered $500 for such visits, according to a cybersecurity professional.
Silent Ransom Group has extorted roughly $100 million from law firms in the last six months, according to one estimate, with other sources estimating at least tens of millions of dollars. In another case, a man posing as IT support entered a law firm speaking Russian into smart glasses, likely to give the group a live view of computers; an accomplice called the lawyer posing as a FedEx dispatcher to lure him away, but the firm’s defenses blocked the attack. The FBI stated that Silent Ransom Group is the only data extortion group it knows of that physically accesses victim properties, and that there have been numerous physical access attempts in cities across the US. Cybersecurity researchers believe some Silent Ransom Group members were involved in the Conti ransomware gang. The FBI is building a case by tracking law firms’ payments on the blockchain. Over the last year, at least two US law firms received extortion letters in the mail demanding payment in cryptocurrency or cash, with return addresses at empty offices.
Claude Code Repo Attack Delivers Reverse Shell via DNS TXT Record
An attacker can gain shell access to a developer’s machine by having Claude Code clone and set up a malicious GitHub repository. The repository contains no malicious code; every file appears benign and passes review. The malicious instruction is never stored in the repo but is injected at runtime from a DNS TXT record controlled by the attacker. The attack uses three components that individually look harmless: a repo with normal setup instructions, a Python package called Axiom that refuses to do anything until initialized, and an init command that fetches a config value from a DNS TXT record and executes it as a command.
The sequence: the developer copies the repo link and asks Claude Code to get it running. Claude Code reads files, installs requirements, tries to use the app, hits a RuntimeError, and runs python3 -m axiom init as routine error recovery. The init command runs a shell script that resolves the DNS TXT record containing a base64-encoded payload that decodes to a reverse shell. Claude Code never evaluates the reverse shell directly; it is three indirection steps away. The attacker gains a fully interactive shell with access to all environment secrets and the ability to persist. One repo link shared in a job posting or tutorial can compromise everyone who opens it with Claude Code. Defenses require agents to surface what a setup command will actually run, including any script content and anything it fetches at runtime.
Clone This Repo and I Own Your Machine | 0din.ai →
Polymarket Loses $3.1M to Frontend Hack Amid CFTC Investigation
Polymarket disclosed that a compromised third-party vendor allowed attackers to inject malicious JavaScript into its website frontend on June 25, draining $3.1 million in pUSD from 11 confirmed user wallets. The stolen funds were converted to approximately 1,893 ETH and bridged from the Polygon network to Ethereum, where they remained in attacker-controlled addresses as of Saturday. The attack did not exploit any flaw in Polymarket’s smart contracts; it targeted the web layer through which users access those contracts. According to DefiLlama, the Polymarket breach was the 89th recorded security incident in decentralized finance in Q2 2026, the highest quarterly count ever reported.
The incident is Polymarket’s second security event in five weeks, following a separate breach on May 22 that drained between $520,000 and $700,000 from internal operations wallets. Polymarket said it discovered the compromise early and is contacting each impacted user to arrange full reimbursements. The platform has not publicly identified the compromised vendor. Meanwhile, CNBC reported that the Commodity Futures Trading Commission is conducting an ongoing and extensive investigation into Polymarket. A Wall Street Journal investigation published June 20 alleged that Polymarket orchestrated a social media campaign with paid content creators posting videos of simulated trades. Senators Adam Schiff and John Curtis sent a bipartisan letter to the CFTC demanding written answers by July 10. On June 23, the CFTC filed suit against Kentucky after its attorney general sued Polymarket and Kalshi in state court.
Polymarket Loses $3.1M to Frontend Vendor Hack While CFTC Investigation Deepens →