CERT-GIB retweeted
CERT-GIB
1.2K posts

CERT-GIB
@CERTGIB
The official Twitter account of the CERT-GIB (@GroupIB Computer Emergency Response Team). On duty 24/7/365 - response (at) cert dash gib dot com
Joined January 2012
183 Following 1.7K Followers
CERT-GIB retweeted

Since 2021, North Korean (#DPRK) IT workers have built a sprawling ecosystem of synthetic developer personas complete with AI‑generated photos, overlapping #GitHub repositories, and reusable portfolio sites. Our investigation uncovered a single GitHub account (cybersage14) that switched identities from “Nicolas Sammaritano” (Argentina) to “Caddo Smith” (Texas) while keeping the same technical profile. This is not isolated fraud; it is a structured, labor‑enabled access model designed to infiltrate global companies and evade sanctions. #InsiderThreat

CERT-GIB retweeted

Fake shipment tracking #scams are rapidly scaling across the #MEA region, exploiting the 161B annual parcel volume that fuels global e-commerce. Attackers use Sender ID spoofing to insert #phishing messages directly into legitimate courier SMS threads, claiming failed deliveries. Victims who click to "update address details" or "pay small fees" are led to pages stealing both credentials and payment data in a two-stage theft process. #ThreatIntel

CERT-GIB retweeted

Threat actors behind #GTFire are systematically abusing Google's trusted infrastructure to evade detection at scale. By chaining Google Firebase hosting with Google Translate's proxy, they create a multi-stage redirect chain that obfuscates final phishing destinations. The translate.goog layer acts as a "phishing shield," leveraging Google's reputation to bypass email security filters and web gateways, with the malicious *.web.app domain only visible deep in the network traffic. #Phishing #ThreatIntel

CERT-GIB retweeted

🚨 Tracking the Rise of Chinese Tap-to-Pay Android Malware
Tap-to-pay fraud is no longer limited to stolen cards or physical proximity. Threat actors are now abusing NFC-enabled #Androidmalware to relay #paymentdata in real time, enabling remote, contactless fraud at scale. Our latest research uncovers how Chinese #cybercrime communities are industrializing this technique and turning it into a fully operational fraud ecosystem.
Key Highlights:
🔹 Over 54 NFC-enabled Android malware samples identified, designed to relay payment APDUs remotely
🔹 Multiple Telegram-based vendors offering tap-to-pay malware as a service, complete with subscriptions, support, and custom regional builds
🔹 At least $355,000 in fraudulent transactions linked to a single illicit POS vendor between Nov 2024 and Aug 2025
🔹 #Smishing and #vishing campaigns actively used to trick victims into installing malware and tapping their cards
🔹 Mule networks and compromised mobile wallets enabling global, card-present fraud without physical cards
Alongside these findings, the research provides in-depth technical analysis of TX-NFC, #NFU, and related variants, examining code overlaps, cash-out infrastructure, and key defensive considerations for #financialinstitutions and payment networks. Read the full research now: link.group-ib.com/3Li56bI

CERT-GIB retweeted

Organized #cybercriminal groups are flooding the Middle East and Africa with fake job ads on social media, impersonating trusted brands and government ministries to harvest personal data and payments. Our analysis has already identified 1,500+ fraudulent ads in 2025 alone, with the real scale likely significantly higher. These #scams target vulnerable job seekers with promises of high daily income for simple tasks.
#MENA

CERT-GIB retweeted

A coordinated scam campaign is spreading across several regions, including Latin America, using fake news pages and #deepfakes to promote alleged investment platforms.
Goal? To steal personal and payment data by exploiting politically sensitive periods, such as pre- and post-election moments. #ScamAlert
CERT-GIB retweeted

Adversaries can bind-mount a manipulated workspace over /proc/<pid> to rewrite what tools like ps/top show, renaming #malicious processes into benign tokens and sabotaging initial triage. We reproduce this technique end-to-end in our lab walkthrough. #CyberSecurity
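As an added illustration (not part of the post or of the lab walkthrough it refers to), one triage check a responder can run is to read /proc/self/mountinfo and flag anything mounted over a /proc/<pid> path that is not the procfs root itself, since that is where a bind mount would be rewriting what ps and top read. The sample mountinfo lines and PID 4242 below are constructed.

```python
import re
from dataclasses import dataclass

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")  # /proc/<pid> or anything below it

@dataclass
class MountEntry:
    root: str         # subtree of the source fs that is mounted (not "/" for a bind of a subdir)
    mount_point: str
    fstype: str
    source: str

def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo; fields before ' - ' are fixed, optional fields may vary."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        pre_f, post_f = pre.split(), post.split()
        if len(pre_f) < 6 or len(post_f) < 2:
            continue
        entries.append(MountEntry(pre_f[3], pre_f[4], post_f[0], post_f[1]))
    return entries

def find_proc_overlays(entries: list) -> list:
    """Return (pid, mount_point, fstype, source) for every mount sitting over /proc/<pid>...
    that is not procfs itself, or is a procfs subtree (root != "/") re-bound onto another pid."""
    hits = []
    for e in entries:
        m = PROC_PID_RE.match(e.mount_point)
        if m and (e.fstype != "proc" or e.root != "/"):
            hits.append((int(m.group(1)), e.mount_point, e.fstype, e.source))
    return hits

# Constructed sample (not a real capture): normal procfs, a normal autofs under /proc/sys,
# and an ext4 directory bind-mounted over the directory of PID 4242.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
24 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=30
101 22 8:1 /tmp/fakeproc /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

def check_sample() -> list:
    return find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO))

def scan_live(path: str = "/proc/self/mountinfo") -> list:
    """Run the same check against the current mount namespace (Linux only)."""
    with open(path) as f:
        return find_proc_overlays(parse_mountinfo(f.read()))
```

Call scan_live() from the host's mount namespace: mountinfo is per namespace, so a check run inside a container only sees that container's mounts.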

This case highlights a new era of organized, cross-border financial fraud, where legitimacy is simulated through verified platforms and regulatory loopholes. Read more:
link.group-ib.com/4ngcXmX

CERT-GIB retweeted

#InvestmentScam platforms are run by sophisticated multi-actor networks, not lone operators. Our analysis breaks down the roles of Masterminds, Target Intelligence, Backend Operators, and Payment Handlers that enable these fraud campaigns. Discover how these ecosystems operate and how you can detect them. #CyberCrime #FinSec
CERT-GIB retweeted

🎯 Cybercriminals don’t need to hack your system. They just need to hack your trust.
From fake job offers to “verified account” messages, social media has become a playground for scammers who prey on emotion, urgency, and curiosity.
Understanding how these tactics work is the first step in stopping them.
Our latest carousel breaks down the most common social media scams and how to stay ahead of them.
Think before you click. Verify before you trust.
#CyberSecurityAwarenessMonth #GroupIB #FraudProtection #OnlineSafety #FightAgainstCybercrime #CyberSecurity #OnlineScams #SocialMedia

CERT-GIB retweeted

Group-IB uncovered a sophisticated Singapore-targeted scam campaign abusing verified Google Ads, 52 redirect domains, and 119 fake news sites to drive victims toward a Mauritius-registered trading platform. The operation blended malvertising, #deepfakes, and localized deception to mimic legitimate media and regulators. #ThreatIntel

CERT-GIB retweeted

Can you trust the voice on the other end? #Cybercriminals are leveraging accessible #AI voice cloning platforms, needing only seconds of public audio, combined with telecom SS7/PSTN vulnerabilities for caller ID spoofing to execute highly convincing Vishing attacks. Explore technical analysis of real-world incidents, including a $243K UK scam and an $18.5M Hong Kong stablecoin theft, and learn actionable defense strategies for telecom providers and enterprises to counter AI-driven #SocialEngineering. Download the report to understand how to defend against #Deepfake enabled fraud: link.group-ib.com/3IzDe1p

CERT-GIB retweeted

Group-IB provided critical investigative intelligence supporting @INTERPOL_HQ’s #OperationContender 3.0, a successful multinational cybercrime takedown across Africa. The operation resulted in law enforcement agencies across 14 countries arresting 260 suspects and the seizure of 1,235 electronic devices linked to 81 cybercriminal infrastructures.
These networks, involved in #RomanceScams and #sextortionschemes, caused nearly US$2.8 million in financial losses affecting 1,463 identified victims. Our collaboration with international law enforcement underscores a shared commitment to dismantling criminal operations that cause both financial devastation and profound psychological harm.
This operation highlights the critical importance of public-private partnerships in the ongoing fight against cybercrime.
Read the full press release for detailed insights: link.group-ib.com/4nqyJW6
#INTERPOL #ThreatIntelligence

CERT-GIB retweeted

From live #deepfakes to scam call centers powered by synthetic voices, #AI is no longer hype—it’s already embedded in cybercrime workflows. According to a report by Resemble AI, in just Q2 2025, deepfake fraud alone caused $350M in damages. Threat actors are scaling impersonation, #phishing, and fraud with AI as a force multiplier.

CERT-GIB retweeted

Group-IB is proud to have supported @INTERPOL_HQ's #OperationSerengeti 2.0, a large-scale multinational crackdown on cybercrime conducted between June and August 2025. Investigators from 18 #African countries and the #UnitedKingdom took part in the operation, which led to the arrest of 1,209 cybercriminals who targeted nearly 88,000 victims worldwide. The coordinated efforts also resulted in US $97.4 million being recovered and 11,432 malicious infrastructure and networks dismantled that were used to facilitate #ransomwareattacks, online scams, and business email compromise (BEC). Read more: link.group-ib.com/478Q14F

Scammers are using #deepfakes, AI-generated content & localized #Scam infrastructure to push fake #AiTrading platforms. Investigation uncovers networks of fake blogs, #YouTube channels & malicious domains harvesting data under the guise of KYC. Read more: link.group-ib.com/4oBxGU9
