The New York Times reported Thursday that a grid outage timed to coincide with a Jan. 3 U.S. military operation in Venezuela was a cyberattack. The military deployed cyber weapons against the electricity grid and to interfere with radar, the Times said.
Whether U.S. forces blended cyber and kinetic operations to pull off the capture of Venezuelan President Nicolás Maduro has been the subject of intense speculation since the operation, particularly after U.S. President Donald Trump attributed the grid blackout “to a certain expertise that we have.”
Some experts have been skeptical, citing the difficulty that Russia has had in coordinating cyberattacks with kinetic attacks in Ukraine, as well as the availability of munitions designed to short out power transformers (see: Trump, the US and a Blackout: What Cut Off Venezuela’s Grid?).
But, citing sources “briefed on the matter,” the Times said military officials believe the operation demonstrated a capability for precision cyberattacks, including the ability to reinitiate grid operations when convenient.
Website Publishes Identities of Thousands of ICE, Border Patrol Staff
The identities, work emails and telephone numbers of thousands of U.S. Immigration and Customs Enforcement and Customs and Border Patrol employees, including thousands of frontline agents, are putatively available on a public website run by ICE List, a self-styled “accountability initiative.”
ICE List founder Dominick Skinner told The Daily Beast the dataset includes about 1,800 on-the-ground agents and 150 supervisors. ICE and Border Patrol agents operating in aggressive immigration sweeps under U.S. President Donald Trump have taken steps to keep their identities secret, mostly by donning masks or gaiters in public.
Immigration enforcers in the United States have come under scrutiny especially after the Jan. 7 fatal shooting of Minneapolis resident and U.S. citizen Renée Good by an ICE agent. Trump said Thursday he may invoke the Insurrection Act to deploy military forces to Minnesota after sustained protests against ICE.
Massive User Leak Hits BreachForums
A hacker dumped a stolen database containing usernames, email addresses and IP addresses of 323,986 users of BreachForums, an English-speaking cybercriminal forum that’s been under various owners and registered at different domains.
Someone using the online handle “James” on Jan. 9 published the database on shinyhunt.er, a site apparently meant to refer to cybercriminal group ShinyHunters – but apparently not controlled by it. The current administrator of BreachForums said that James could be a former member of the group, mostly composed of native English-speaking adolescents.
Cybersecurity firm Resecurity said Friday the leaked dataset contains metadata for 323,986 users, sourced from a MySQL table named hcclmafd2jnkwmfufmybb_users, indicating the platform was running on MyBB, an open-source forum software. Many of the records in the dataset “are definitely authentic and can be cross-checked with other sources regarding specific actors,” Resecurity wrote. “Some records have been edited, removed, or contain non-existent information.”
Many of the email accounts used to register on the forum clearly suggest the origin of forum members because they’re written in French, Chinese, Russian, Turkish, or Arabic. Analysis by the firm shows that of the users whose nationality can be identified, a plurality come from the United States, followed by Germany. Users hail from across the globe, including Turkey, India, Brazil and Vietnam.
What motivated James is unknown, although he bundled into the dataset a 4,400-word semi-coherent screed praising himself as the greatest hacker of all time and defender of “the French Nation.”
Technical indicators point to a backend compromise rather than simple scraping. Researchers said attackers likely extracted the data by exploiting a web application vulnerability or abusing a misconfiguration – a recurring failure point in infrastructure that prioritizes uptime over secure operations.
BreachForums first emerged in 2022 under the tutelage of Conor Brian Fitzpatrick, alias “Pompompurin,” a New York man currently serving a three-year prison sentence in Danbury Federal Prison. ShinyHunters and a previous administrator, “Baphomet,” reopened the forum in 2023 but have had to contend with an FBI shutdown and arrests of key personnel (see: French Police Reportedly Bust Five BreachForums Administrators).
The current iteration is operated by an account using the moniker “N/A,” who took to the forum to deride the breach as containing “an old database” and to assert that “the staff information leaked, including me, is entirely false.”
According to free breach notification service Have I Been Pwned, the breach occurred months before the latest law enforcement seizure of the forum, in October 2025.
Threat Actor Claims Data Theft From Endesa
Spanish energy company Endesa said a breach of its commercial systems exposed customer data. A threat actor active on cybercrime forums claimed responsibility for the intrusion, alleging the theft of a one-terabyte database containing records of more than 20 million individuals. The actor said the dataset includes sensitive personal and financial information.
Endesa said it detected unauthorized access on its platform, which allowed the attacker to access and potentially exfiltrate personal data linked to energy contracts. The exposed information may include customer names, contact details, national identity numbers, contract details and, in some cases, banking information such as IBAN numbers. The company said passwords and login credentials were not compromised.
The utility has not disclosed when the breach occurred or how many customers were affected.
Telegram One-Click Proxy Links Can Leak Users’ Real IP Addresses
There’s a new privacy risk in Telegram’s mobile app that can expose a user’s real IP address with a single click.
The issue, first spotlighted in a Russian-language Telegram post, involves specially crafted t.me proxy links that masquerade as ordinary usernames or harmless URLs. Telegram supports MTProto proxies to help users bypass censorship and mask their true location. But analysts say attackers can set up their own malicious proxy servers and embed links pointing to them.
A self-described malware enthusiast going by “0x6rss” on social media network X demonstrated that when a user taps such a link on Android or iOS, Telegram automatically tests the proxy connection before adding it. This connectivity test bypasses configured VPNs or anonymity tools, sending a direct request from the device to the attacker’s server. That lets the proxy operator log the real IP address instantly.
A proof-of-concept published on GitHub shows Telegram’s automated proxy testing can be abused to capture a victim’s public IP address with minimal user interaction. Telegram’s own MTProxy documentation positions proxies as a way to route Telegram traffic through separate infrastructure for users facing blocking or surveillance.
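A defender-side check for the kind of link described above, as an added example that is not code from the post, from the 0x6rss proof-of-concept or from Telegram. It assumes the documented t.me/proxy, t.me/socks and tg://proxy link formats with server and port query parameters, and it inspects only the real target URL, which is what matters when the visible text is a harmless-looking username; the sample message and server addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts and path actions Telegram uses for proxy links (assumed from the
# documented t.me/proxy?... and tg://proxy?... link formats).
PROXY_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
PROXY_ACTIONS = {"proxy": "mtproto", "socks": "socks5"}
# Anything link-like, including bare "t.me/..." tokens without a scheme.
URL_RE = re.compile(
    r"(?:https?://|tg://)\S+|(?:t\.me|telegram\.me|telegram\.dog)/\S+", re.I)


def classify_telegram_link(url):
    """Return {'kind', 'server', 'port'} for a Telegram proxy link, else None."""
    # Only the real target URL is inspected, never the display text: a proxy
    # link can be shown to the user as an ordinary @username or harmless URL.
    url = url.strip().rstrip(".,;:!?)")
    if "://" not in url:  # bare t.me/... token
        url = "https://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "tg":  # tg://proxy?...: the action is the netloc
        action = parts.netloc.lower()
    elif scheme in ("http", "https") and parts.hostname in PROXY_HOSTS:
        action = unquote(parts.path).strip("/").split("/")[0].lower()
    else:
        return None
    if action not in PROXY_ACTIONS:
        return None
    q = parse_qs(parts.query)
    server = q.get("server", [""])[0]
    port = q.get("port", [""])[0]
    if not server or not port.isdigit():
        return None  # malformed; Telegram would not add it as a proxy
    return {"kind": PROXY_ACTIONS[action], "server": server, "port": int(port)}


def find_proxy_links(text):
    """Scan a message body and classify every proxy link found in it."""
    found = (classify_telegram_link(m.group(0)) for m in URL_RE.finditer(text))
    return [info for info in found if info]


# Constructed sample message (documentation IP ranges, not real servers).
SAMPLE = (
    "Hi, my profile is https://t.me/alice and the channel t.me/alice_news.\n"
    "Free VPN: https://t.me/proxy?server=198.51.100.23&port=443&secret=dd0011\n"
    "or tg://proxy?server=proxy.example.net&port=8443&secret=ee2233.\n"
    "SOCKS: https://t.me/socks?server=203.0.113.5&port=1080 (see https://example.com)"
)
```

Running `find_proxy_links(SAMPLE)` yields the two MTProto links and the SOCKS link while ignoring the profile, channel and example.com links; a message filter can then strip or warn on those before a user can tap them.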
MuddyWater Modernizes Tradecraft With RustyWater
An Iran-linked cyberespionage group tracked as MuddyWater is upgrading its offensive toolkit. The group is deploying a new Rust-based remote access Trojan dubbed “RustyWater” in an active spear-phishing campaign targeting organizations across the Middle East, cyber intelligence company CloudSEK said.
RustyWater signals a shift from MuddyWater’s traditionally script-heavy infection chains toward more stealthy, modular tooling. CloudSEK said the infection begins with phishing emails carrying weaponized Microsoft Word documents, using icon spoofing to lure victims into executing the payload.
Researchers describe RustyWater as a modular implant capable of asynchronous command-and-control, registry-based persistence and a growing set of post-compromise capabilities that can be expanded after initial access. The malware also includes anti-analysis techniques designed to complicate detection and reverse engineering.
The group’s shift to the Rust programming language mirrors a broader trend of threat actors moving toward compiled malware for improved performance and portability, while increasing operational friction for defenders.
The latest campaign hit multiple sectors, including diplomatic, maritime, financial and telecommunications firms.
The deployment follows other recent changes to MuddyWater’s tooling (see: Breach Roundup: MuddyWater Strikes Middle East Orgs With Fresh Backdoor).
U.S. government advisories have previously documented MuddyWater’s reliance on spear-phishing, exploitation of known vulnerabilities and open-source tooling to access sensitive networks.
Dutch Court Jails Port Hacker 7 Years in Cocaine Smuggling Case
A Dutch appeals court sentenced a 44-year-old man to seven years in prison for hacking into port-linked computer systems to help smugglers move 210 kilograms of cocaine into the Netherlands.
The Amsterdam Court of Appeal said the intrusion was not a random cybercrime but a deliberate attempt to support organized drug trafficking. The court said the defendant illegally accessed computer systems to obtain operational information that could be used to move shipments through port processes without being flagged. A USB device was used to facilitate the intrusion.
ServiceNow Patches AI Agent Flaw
Software company ServiceNow patched a critical vulnerability that could let unauthenticated attackers impersonate users and abuse agentic AI workflows inside affected ServiceNow deployments.
The flaw, dubbed BodySnatcher, is tracked as CVE-2025-12420. AppOmni, which disclosed the issue, said the flaw lets an attacker use only a victim’s email address to spoof identity and potentially trigger privileged actions through ServiceNow’s Virtual Agent API and Now Assist AI Agents. The company warned attackers could bypass standard protections such as single sign-on and multifactor authentication in certain configurations and use AI-driven automation paths to escalate access.
The flaw affects on-premises deployments running specific versions of the two components.
With reporting from Information Security Media Group’s David Perera in Northern Virginia.
