A major leak spills a Chinese hacking contractor’s tools and targets


The United States this week issued a seizure warrant to Starlink related to satellite internet infrastructure used in a scam in Myanmar. The action is part of a larger US law enforcement interagency initiative announced this week called the District of Columbia Scam Center Strike Force.

Meanwhile, Google moved this week to sue 25 people allegedly behind a “stunning” and “relentless” scam text operation that uses a notorious phishing-as-a-service platform called Lighthouse.

WIRED reported this week that the U.S. Department of Homeland Security collected data on Chicago residents accused of gang ties to test whether police files could feed an FBI watch list — and then, crucially, kept the records for months in violation of domestic espionage rules.

And there is more. Each week we round up the security and privacy news we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

China’s massive intelligence apparatus has never had its Edward Snowden moment, so any peek into its surveillance and hacking capabilities is a rare find. One such glimpse has now arrived in the form of around 12,000 documents leaked from the Chinese hacking contractor KnownSec, first revealed on the Chinese-language blog Mxrn.net and then picked up by Western news outlets this week. The leak includes hacking tools such as remote access trojans, as well as data extraction and analysis programs. More interesting, perhaps, is a target list of more than 80 organizations from which the hackers claim to have stolen information. According to Mrxn, the listed stolen data includes 95 GB of Indian immigration data, three TB of call records from South Korean telecom operator LG U Plus, and 459 GB of road planning data obtained from Taiwan, for example. In case there was any doubt about who KnownSec is carrying out this hacking for, the leak also details its contracts with the Chinese government.

The cybersecurity community has been warning for years that state-sponsored hackers would soon begin using AI tools to bolster their intrusion campaigns. Now the first known AI-driven hacking campaign has surfaced, according to Anthropic, which says it discovered a group of China-backed hackers that used its Claude toolset extensively in every step of the hacking spree. According to Anthropic, the hackers used Claude to write malware and to extract and analyze stolen data with “minimal human interaction.” Although the hackers bypassed Claude’s guardrails by framing their malicious use of its tools as defensive, white-hat hacking, Anthropic says it nevertheless detected and stopped them. By then, however, the espionage campaign had successfully breached four organizations.

Even so, fully AI-based hacking isn’t necessarily ready for prime time yet, points out Ars Technica. The hackers had a relatively low intrusion rate, given that they targeted 30 organizations, according to Anthropic. The AI startup also notes that the tool hallucinated some stolen data that didn’t exist. For now, state-sponsored spies still have some job security.

The North Koreans raising money for the regime of Kim Jong Un by finding work as remote IT workers with fake identities are not working alone. Four Americans pleaded guilty this week to paying North Koreans to use their identities, as well as receiving and setting up corporate laptops for the North Korean workers to control remotely. Another man, Ukrainian national Oleksandr Didenko, pleaded guilty to stealing the identities of 40 Americans to sell to North Koreans for use in creating IT worker profiles.

A report from 404 Media shows that a Customs and Border Protection app that uses facial recognition to identify immigrants is being hosted by Google. The application can be used by local law enforcement to determine whether a person is of potential interest to Immigration and Customs Enforcement. Meanwhile, even as Google hosts the CBP app, the company recently removed some apps from the Google Play Store that are used for community discussions about ICE activity and ICE agent sightings. Google justified these app removals as necessary under its terms of service, because the company says ICE agents are a “vulnerable group.”
