Malwarebytes Security
Beware of “Parcel Expert” job offers: They’re parcel mule scams
A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods.
It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise.
Targets get “recruited” to work from home for shipping companies or retailers. Scammers reach them by email, direct messages on social media, WhatsApp, and any other channel they can think of. One job title that appears frequently is “Parcel Expert.”
Let’s look at an example received unsolicited on WhatsApp:
“Hi! I hope you’re doing well.
My name is Elena from the Logistics Department. We reviewed your profile and would like to offer you a position as a Parcel Expert. This is a remote part-time opportunity with flexible hours and a monthly income of up to $5,300.
Your main duties will be: receiving packages at your home address, checking items against invoices, taking photos if needed, preparing documents, and forwarding the parcels to our distribution hubs. In some cases, you may be asked to send urgent orders directly to international destinations.
We work with well-known retailers, including Amazon, Best Buy, Walmart, and Zappos, so the process is simple and safe. No experience is necessary, and we provide full instructions.
Please reply ‘interested’ if you would like to proceed, and we will send you the onboarding details.”
It follows the classic pattern closely: high pay for low-skill, home-based work, packages sent to a private address, and a requirement to forward items to hubs or international destinations. The mention of well-known retailers like Amazon, Best Buy, and Walmart is also a common trust signal scammers use to make the offer sound legitimate.
How to recognize parcel mule scams
All I really need to do here is quote the Malwarebytes Scam Guard analysis:
Red flags identified
The companies mentioned in the scams vary by location. For example, a German target was “recruited” to work for DHL, a Spanish customer got an offer for Mercado, and a US victim received one for Freight Metro. But it’s mostly the big global names like Amazon, FedEx, and retailers like Best Buy, AliExpress, and Walmart.
- Work from home shipping packages: Legitimate companies do not ship high-value goods to the private home address of someone they just hired online, especially for work-from-home roles.
- Payment promises seem too good to be true: $4,400 base salary plus performance bonuses for unskilled logistical work is extremely unrealistic, especially for remote roles with no experience required.
- Handling of items from retailers: Fraud rings commonly use stolen credit card info to order goods sent to recruited “mules” (victims) who unknowingly forward them, making tracing harder for law enforcement.
- International reshipping: Legitimate logistics companies use professional hubs—they do not ask new hires to ship internationally directly from their homes.
- Personal risk: You may become involved in credit card fraud and have law enforcement contact you, as your home address will be connected to the receipt and shipping of stolen goods.
- Typical language patterns: The description is nearly identical to those used by scammers globally.
The most obvious risk is wasting your time on a job you’ll never get paid for. But there are others:
- Scammers may ask for personal documents, increasing the risk of fraud and identity theft if they collect IDs, banking details, or other sensitive data during the “onboarding” process.
- Victims can become suspects or persons of interest if authorities trace stolen goods back to them.
- Criminals know you are vulnerable and will try to take advantage of you again.
Recognizing scams for what they are is the best protection, so keep reading our blog.
- The most important rule for all types of scams is simple: Do not interact. Not even for fun or to waste the scammers’ time. It takes a lot of preparation to do that safely.
- Verify the company independently, search for complaints or scam reports, and be skeptical of any offer that is unusually vague or highly paid.
- Do not share identity documents, your home address, phone number, or bank details.
- Be cautious of any role that requires upfront payments or fees to get started. While some legitimate franchise or business opportunities involve investment, they should be transparent, well-documented, and independently verifiable.
- Be aware that receiving and forwarding stolen goods is illegal and could implicate you in a crime.
- Report the incident to the proper authorities. In the US, report it to the FTC.
Pro tip: Malwarebytes Scam Guard identified this scam for what it is and will advise users on how to proceed.
Something feel off? Check it before you click. Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
Update Chrome to patch critical browser security flaws
Google released a security update for Chrome that fixes 18 vulnerabilities, including four rated Critical. There is no indication that any of these newly patched bugs are being actively exploited in the wild.
The stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux. The update will roll out over the coming days and weeks. Chrome for Android was also recently updated to 149.0.7827.197.
How to update Chrome
If you don’t want to wait for the rollout to reach you, manually updating is easy.
The easiest option is to allow Chrome to update automatically. But you can end up lagging behind on updates if you never close your browser or if something goes wrong, such as an extension preventing the update.
To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it automatically. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.
Chrome 149.0.7827.196/197 is up to date
You can find an explanation of the version numbering system and also find step-by-step instructions in our guide to how to update Chrome on every operating system.
Technical details
Let’s look at the two Critical WebGL vulnerabilities. WebGL, short for Web Graphics Library, is a browser technology that lets websites display interactive 2D and 3D graphics.
We’ll start with the only vulnerability that wasn’t discovered by Google. It’s a use-after-free vulnerability in WebGL, tracked as CVE-2026-13028, that could allow an attacker to escape Chrome’s browser sandbox using a specially crafted HTML page.
Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can abuse that mistake to crash a program or make it run code it should not run.
The browser sandbox is a restricted, sealed-off environment that is supposed to contain any malicious activity within the browser rather than directly on your whole computer. So a sandbox escape is dangerous because it can help attackers move from “something bad happened inside the browser” to “something bad can affect the wider system.”
The other Critical WebGL vulnerability is CVE-2026-13032. It’s also a use-after-free flaw that could allow a remote attacker to escape the sandbox via a crafted HTML page.
Even without confirmed in‑the‑wild exploitation for these CVEs, Chrome has had several zero‑days exploited this year, so attackers clearly invest in web-based attacks. For example, CVE‑2026‑2441, which got its own separate update, allowed attackers to run code inside Chrome’s sandbox through a malicious web page. Paired with either of the WebGL flaws discussed above, it could have helped attackers break out of the browser’s protections. Together, those vulnerabilities could potentially have allowed attackers to take control of the wider system.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
Fake domain renewal emails trick website owners into paying scammers
You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer.
It feels urgent and personal, so it feels real.
The site, branded Renovarix, doesn’t renew domains. Instead, it pushes visitors through a series of pages that collect personal information and eventually payment details.
How the scam works
Domain names really do expire, and losing one can be a serious problem. For many people and businesses, a domain is more than a web address. It’s your brand, your email, your search rankings, and the name customers type in when they want to find you. If it lapses, your website and email can stop working. If someone else registers it before you get it back, recovery can be difficult or impossible. That’s a lot to lose, and scammers know it.
This scam takes advantage of that fear with a convincing fake renewal process.
The email and website are fake. The “live registry data” is only partly real. Clicking Renew Now doesn’t renew your domain. Instead, it sends you through a chain of websites that first collect your name, address, phone number, and email, then eventually ask for payment details.
If you deleted the email, there’s nothing to worry about. If you clicked the link, simply close the page. If you entered personal or payment information, follow the guidance in the “What to do” section below.
The email that starts it
The scam begins with an email, although the presentation varies. Some are crude: a plain “Domain Renewal Reminder” from a generic “Domain Services Inc.” with an invoice number and an amount due.
Others are much more polished, using the Renovarix brand, a reference number, and a respectable-looking London business address.
But they share the same giveaway. The “official” Renovarix renewal notice was sent from an ordinary Gmail address. A company claiming a London office and 24/7 support isn’t likely to send billing notices from Gmail. When the branding looks professional but the sender doesn’t match, that’s a major red flag.
A page that knows too much
The link opens a page that immediately performs a “lookup,” narrating its progress with messages such as “connecting to registry” and “fetching WHOIS records” before displaying your domain name, registrar, and expiry date.
That makes it look as though the site has queried the official domain registry. Some of the information may come from genuine public records, but much of what makes the page appear authoritative is invented. For example, the displayed “Registry ID” isn’t retrieved from any registry. It’s generated locally in your browser from your domain name and exists purely to look official.
Everything is designed to push your panic button
Once that dashboard loads, the whole page becomes a funnel built to rush you.
A red banner claims your domain expires in “03 days,” regardless of its real expiry date. A second countdown says a “special price” of €2.00, reduced from €9.99, expires in fifteen minutes. Try closing the page and a pop-up appears warning, “Wait — Your Domain Is At Risk!” with a dismiss button that reads, “No thanks, I’ll risk it.”
Legitimate registrars don’t rely on countdown timers or guilt-inducing pop-ups. The pressure is the scam.
The “renewal” renews nothing
Here’s the clearest sign something is wrong: clicking Renew Now doesn’t contact your registrar or process a renewal. It simply redirects your browser to another website.
Some versions even display a cheerful “Renewal Complete!” confirmation with a new expiry date, confirmation number, and a message claiming a receipt has been emailed. None of it reflects a real transaction. Everything is generated in your browser.
Where your details actually go
The button sends you, through a marketing affiliate link, to a page called “Secure Checkout.”
The page asks for your name, address, postcode, city, phone number, and email address. Once submitted, you’re passed through additional pages where payment is eventually requested.
Two details suggest this is a recycled scam kit rather than a genuine domain service. It can automatically populate your details from the link you clicked, and its fake five-star reviews still refer to “HappyPrizes” and how easy it was to “win something nice”—leftover text from an earlier prize scam that used the same template.
Why people fall for it
The scam works because it exploits a genuine concern and starts with a believable premise. Domain renewals are a normal part of running a website, so an expiry notice doesn’t seem out of place. The scammers build on that with convincing branding, public domain information, and manufactured urgency.
It also feels personal. Many people wonder how scammers knew about their specific domain. The answer is that they don’t know you personally. Every registered domain appears in public WHOIS/RDAP records, which include the domain name, registrar, important dates, and sometimes a contact email address. Scammers collect this information in bulk, then generate links that display your own domain details back to you. Seeing familiar information makes the page feel legitimate, even though it came from public records.
Finally, the scam creates urgency. Countdown timers, warnings that your domain is at risk, and a €2.00 “special offer” are all designed to make you act before you stop to verify the claim. The low price isn’t the objective. Your personal information and payment details are.
None of this makes a victim careless. It makes them human, targeted by people who know how a worried site owner reacts.
What to do
If you receive an email like this, simply delete it. The safest way to handle any domain renewal is simple:
- Don’t click on the email’s link. Go to your registrar through your own bookmark or by typing the address yourself and check your real expiry date there. If you clicked the link, close the page. Looking at it doesn’t put your domain at risk.
- Know who your registrar is. Renewal happens in the account you already have, not on a website you’ve never heard of.
- Treat urgency as a warning sign, not a reason to hurry. Real renewals aren’t fifteen-minute emergencies.
- Check the sender. Billing notices from a Gmail address, or a brand name that doesn’t match your actual provider, are red flags.
- Malwarebytes Browser Guard is free and can help block scam and phishing pages while you browse.
If you already entered personal information (such as your name, address, phone number, or email address):
- Be prepared for follow-up scams. Attackers may contact you by phone or email, claiming to be your registrar or referring to your domain, an “order,” or a “renewal.”
- Don’t trust unsolicited calls or emails, even if they seem to know details about your domain.
- If you need to contact your registrar or bank, use contact details from their official website, not those provided in the email or on the scam page.
If you entered payment card details:
- Turn on transaction alerts so you’re notified as soon as your card is used.
- Contact your bank or card issuer immediately. Tell them you entered your card details on a fraudulent website and ask whether they recommend blocking and replacing the card, even if you don’t see any unauthorized charges yet.
- Monitor your account closely. Scammers sometimes make small “test” charges before attempting larger transactions.
Indicators of compromise
- renovarix[.]org — fake domain renewal page
- xe54ghj[.]com — redirector
- paysuccessful[.]site — personal-data capture page
- molipy8trk[.]com — redirector
- topprogressstores[.]online — final offer landing
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Elite network says it was hacked after members’ personal data was left exposed
Some organizations exist to be exclusive. They’re invite-only and discreet, the kind of place where the membership directory is the product.
Dialog, the exclusive network founded by billionaire investor and PayPal co-founder Peter Thiel, whose members include a sitting NATO commander, two US senators, and the US Treasury Secretary, is one of those.
Last week, information on hundreds of those members was sitting in plaintext on its app distribution site, visible to anyone who knew how to right-click. Then Dialog said it had been hacked.
A signup page that led straight to members’ files
The site was set up to distribute a phone app to support an upcoming gathering for the network, which arranges high-end get-togethers. Any visitor could sign up using any email address. It did not request a password.
After submitting an email, the visitor landed on a near-empty holding page that reportedly loaded internal files on roughly 200 high-profile people directly into their browser. They were visible using “tools built into every major browser,” which appears to refer to the browser’s built-in developer tools.
Those files were not minimal. Loading the questionnaire forms returned dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members’ logins. For nearly all of them, the exposed data was comprehensive, from private contact information through to active login tokens.
The records also included a current White House intelligence official, a retired general who held a senior role in US intelligence, and the heads of national security policy at two leading AI firms. Dialog also privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing. Those scores were among the things sitting in the public HTML.
Dialog on the defensive
Dialog’s managing director described the access as a hack “executed by a well-known criminal who is wanted in the United States.”
WIRED, which broke the story, found no evidence that any break-in was required. In fact, it seems to have involved little more than clicking on a link on a web page.
The forms were built using Fillout, a popular online form builder. The data was stored in Airtable, a widely used cloud database platform. Fillout said it was unaware of any compromise to its own systems and noted that customers are responsible for configuring their forms, connected data sources, and workflows.
Dialog has not said when the misconfigured page first went live, meaning members’ data could have been openly accessible for an indeterminate period before it was discovered.
Security misconfiguration now ranks #2 on the OWASP Top 10 for 2025, the industry list of the top application security risks, up from #5 in 2021. The category accounts for more than 719,000 documented security weaknesses.
The fix is also routine: build systems with only the features you need, and configure them securely.
What this means for the rest of us
How organizations describe incidents matters beyond a single breach. If simply accessing publicly available information is routinely labeled a “hack,” security researchers may become more reluctant to investigate and responsibly disclose exposed systems, leaving misconfigurations undiscovered for longer.
For end users, the lesson is older than the internet. If an organization collects your date of birth, your emergency contacts, and a private score of how much you’re worth to them, ask where that data lives. Any answer involving “our website” deserves a second question, and anything that stops at “we take your security very seriously” deserves further questioning.
PixelSmash flaw turns video files into attack tools
A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.
Researchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg’s MagicYUV video decoder with a CVSS score of 8.8.
By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially run code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.
What is FFmpeg and is this serious?
FFmpeg is an open‑source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders.
One of those is MagicYUV, a lossless codec popular in video editing. The researchers found it was enabled by default in upstream FFmpeg and every Linux distribution package they tested up to FFmpeg 9.0.
The impact is more serious than you may think. If you run anything that touches video—from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips—you probably rely on FFmpeg under the hood.
It’s hard to put an exact number on how many systems are affected, but it helps to know that:
- Tens of millions of Linux systems rely on ffmpegthumbnailer and system libavcodec for thumbnails, meaning “just browsing a folder” can trigger the bug if a malicious file is present.
- Jellyfin and Nextcloud, among the most popular self‑hosted media and file platforms globally, each have at least tens of thousands of active internet‑reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.
- A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.
The most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.
PixelSmash is a good illustration of a broader problem in the open‑source ecosystem: a bug in a deep dependency that silently propagates everywhere.
How to protect yourself
This vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.
But if you’re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:
- Update FFmpeg. FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE‑2026‑8461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.
- Check if MagicYUV is enabled and disable it or apply patches where possible.
- Reduce automatic processing of untrusted video. Review which preview providers and thumbnailers are enabled, especially for rarely used formats.
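To act on the “update” and “check if MagicYUV is enabled” steps, here is an added POSIX sh check (my own example, not code from the Malwarebytes article or the FFmpeg project) that reports whether an installed ffmpeg has the MagicYUV decoder compiled in and whether its version predates the 8.1.2 fix the article cites. The sample decoder listings are constructed, and using 8.1.2 as a plain version cut-off is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example, not from the Malwarebytes article or the FFmpeg project:
# check whether an ffmpeg build has the MagicYUV decoder compiled in, and
# whether its version predates the 8.1.2 fix the article names for
# CVE-2026-8461. The parsing functions take text so they can be run against
# constructed sample output even when ffmpeg is not installed.

# Constructed sample of "ffmpeg -decoders" output containing the decoder.
# Real output lists hundreds of decoders; each line is six flag characters,
# the decoder name, then a description.
SAMPLE_DECODERS_WITH=' V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 V....D magicyuv             MagicYUV video
 A....D aac                  AAC (Advanced Audio Coding)'

# Constructed sample from a build configured with --disable-decoder=magicyuv.
SAMPLE_DECODERS_WITHOUT=' V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 A....D aac                  AAC (Advanced Audio Coding)'

# Return 0 if the decoder listing in $1 contains magicyuv, 1 otherwise.
magicyuv_enabled() {
    printf '%s\n' "$1" | awk '$2 == "magicyuv" { found = 1 } END { exit !found }'
}

# Extract the version token from "ffmpeg -version" output in $1
# (e.g. "ffmpeg version 6.1.1 Copyright ..." -> "6.1.1").
ffmpeg_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "ffmpeg" && $2 == "version" { print $3 }'
}

# Return 0 if version $1 is numerically lower than version $2, comparing the
# first three numeric components and ignoring any distro suffix
# ("4.4.2-0ubuntu0.22.04.1" compares as 4.4.2, "n7.0" as 7.0.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^[^0-9]*/, "", a); sub(/^[^0-9]*/, "", b)
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        for (i = 1; i <= 3; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Combine both checks into a verdict string:
#   not-enabled : MagicYUV decoder absent, a malformed file cannot reach it
#   patched     : decoder present but version is 8.1.2 or later
#   vulnerable  : decoder present and version predates the fix
# Assumption: the 8.1.2 threshold is taken from the article; distro backports
# can carry the fix under an older version string, so confirm with your vendor.
assess() {
    decoders="$1"
    version="$2"
    if ! magicyuv_enabled "$decoders"; then
        echo not-enabled
    elif version_lt "$version" 8.1.2; then
        echo vulnerable
    else
        echo patched
    fi
}

# When ffmpeg is installed, run the live check; otherwise report on the samples.
if command -v ffmpeg >/dev/null 2>&1; then
    live_decoders=$(ffmpeg -hide_banner -decoders 2>/dev/null)
    live_version=$(ffmpeg_version "$(ffmpeg -version 2>/dev/null)")
    echo "installed ffmpeg $live_version: $(assess "$live_decoders" "$live_version")"
else
    echo "sample build 6.1.1 with decoder:    $(assess "$SAMPLE_DECODERS_WITH" 6.1.1)"
    echo "sample build 6.1.1 without decoder: $(assess "$SAMPLE_DECODERS_WITHOUT" 6.1.1)"
fi
```

Run it on each desktop, server, and container image that processes media; a “vulnerable” verdict means update or rebuild with the decoder disabled, and a “patched” verdict should still be cross-checked against your vendor’s advisory.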
Finally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.
Watch out for renewal scams pretending to be Malwarebytes
Fake subscription renewal notices are doing the rounds again. Some of these scams impersonate Malwarebytes, and we’ve also seen them reach our customers.
You’re more likely to trust the message if you’re already a customer of the company mentioned in the email. That’s what the scammers are counting on.
So we want to make people aware that these scams are becoming increasingly common, and explain how to spot them.
Software renewal scams (including fake Malwarebytes “renewal” emails and calendar invites) are a specific, very active form of phishing and tech support fraud that contribute to millions of dollars in losses every year.
What to look out for
The template is easy enough to recognize once you know how to spot the signs:
- The sender’s email address doesn’t belong to the company the sender claims to represent. Often the messages come from compromised accounts or from lookalike domains designed to appear legitimate. Always check the sender’s email address carefully.
- The emails will often include lots of official-looking (but made-up) details and reference numbers, along with a charge large enough to provoke concern. The amount is typically several hundred dollars, but it can be much higher.
- The message usually ends with a phone number to call or a link where you can supposedly dispute the charge. The wording and amounts vary from scam to scam. The phone numbers change too, often using local-looking numbers or hosted voice services to appear more trustworthy. Below is one example we saw that uses a callback lure, encouraging the target to call a phone number and engage with a tech support scam:
Subject: Account Maintenance Update
From: <redacted sender name> <redacted-email@example.com>
Your order for Malwarebytes Ultimate Protection has been confirmed. The total amount of $276.50 USD has been successfully charged.
Invoice Details:
Invoice #: INV‑ZIDNQCWSMO
Product: Ultimate Security Pack
License Term: 3 Years
Seats: 3 Devices
Subtotal: $276.50 USD
Tax: $0.00 USD
Grand Total: $276.50 USD
Activation Code: 8fd14ea8‑4014‑4430‑ba19‑313554098112
Your license is now active and will renew automatically.
For billing inquiries, reach us at +1 (810) 210‑5434.
- Other fake renewal notices may pretend to come from PayPal or other payment providers and direct you to a website where you’re asked to log in. These are phishing emails trying to steal your banking credentials.
If you receive a subscription renewal communication claiming to be from us, our Help Center article explains how our legitimate renewal notices work and how to verify they’re genuine.
In general:
- Do not click links or call phone numbers in unsolicited emails.
- When in doubt, check the origin of the email by going directly to the company’s official website and ask about it through official channels. Don’t follow sponsored search results to get there, as these can be scams.
- Do not give out personal details, pins, passwords, payment information, or verification codes during an unsolicited call. Legitimate companies will not ask for passwords or verification codes over the phone.
- Never allow a stranger to take over your computer remotely. It allows scammers to quickly search your computer for valuable information.
Pro tip: Malwarebytes Scam Guard can help you determine whether an email is a scam and advise you on the next steps.
“Total access to all your devices.” Sextortion scammers strike again
At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others.
Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail.
What hasn’t changed is the basic truth: there is no malware, no recording, and no credible evidence behind the threat. Despite seeing countless versions of these emails over the years, I’ve yet to encounter one that was backed up by the evidence the sender claimed to have.
Below, we’ll walk through the email line by line, interrupting the scammer’s story with commentary that explains where the claims come from and why they don’t stand up to scrutiny.
“Hi there!
I regret to inform you about some sad news for you. Approximately a month or two ago I have succeeded to gain a total access to all your devices utilized for browsing internet. Moving forward, I have started observing your internet activities on continuous basis.”
The opening sets the tone. “Total access to all your devices” is an immediate red flag because it’s extremely unlikely and technically vague. Real attackers tend to be more specific about what they accessed (which device, which OS, which app), whereas scammers deliberately keep it broad so anyone can think it applies to them.
“Go ahead and take a look at the sequence of events provided below for your reference: Initially I bought an exclusive access from hackers to a long list of email accounts (in today’s world, that is really a common thing, which can arranged via internet). Evidently, it wasn’t hard for me to proceed with logging in your email account (<REDACTED_EMAIL>). “
Here the scammer claims to have bought access to a “long list of email accounts.” That’s a warped reference to real initial access brokers (IABs) and credential markets, where criminals trade stolen passwords or session tokens. In this email, however, no password, login time, or IP address is provided—just an email address they already knew. So, there’s no actual evidence of account takeover or compromise.
“Within the same week, I moved on with installing a Trojan virus in Operating Systems for all devices that you use to login to email. Frankly speaking, it wasn’t a challenging task for me at all (since you were kind enough to click some of the links in your inbox emails before). Yeah, geniuses are among us.”
The “Trojan virus” claim echoes what we’ve seen in other sextortion campaigns that name‑drop random malware families or exploits to sound believable. Again, there is no specific malware name, file path, or exploit described—just a generic story designed to scare anyone who’s ever clicked on a link.
“Because of this Trojan I am able to gain access to entire set of controllers in devices (e.g., your video camera, keyboard, microphone and others). As result, I effortlessly downloaded all data, as well as photos, web browsing history and other types of data to my servers. Moreover, I have access to all social networks accounts that you regularly use, including emails, including chat history, messengers, contacts list etc. My unique virus is incessantly refreshing its signatures (due to control by a driver), and hence remains undetected by any type of antiviruses.”
This section tries to sound technical by mentioning things like “controllers,” “drivers,” “refreshing signatures.” But none of this is how security products or malware actually work. Modern Trojans and spyware may use drivers, persistence mechanisms, or encryption, but claims like “any type of antiviruses” and “incessantly refreshing its signatures” are pure bluff aimed at non‑technical readers.
“Hence, I guess by now you can already see the reason why I always remained undetected until this very letter… “
This line tries to explain away a major inconsistency. If the attacker truly had full control and had been monitoring the victim for “a month or two,” why is the only evidence an email with no logs, screenshots, or sample video? If someone genuinely has compromising material, they will provide at least some proof, because that’s what forces victims to take it seriously.
“During the process of compilation of all the materials associated with you, I also noticed that you are a huge supporter and regular user of websites hosting nasty adult content. Turns out to be, you really love visiting porn websites, as well as watching exciting videos and enduring unforgettable pleasures. As a matter of fact, I was not able to withstand the temptation, but to record certain nasty solo action with you in main role, and later produced a few videos exposing your masturbation and cumming scenes.”
Here comes the classic sextortion hook: “I recorded you while you watched porn.” We’ve seen variations of this wording since at least 2018, often reused word-for-word across huge spam campaigns. The scam relies on shame and fear rather than technical credibility. The goal is to make victims panic into paying.
“If until now you don’t believe me, all I need is one-two mouse clicks to make all those videos with everyone you know, including your friends, colleagues, relatives and others. Moreover, I am able to upload all that video content online for everyone to see.”
Again, note the lack of proof. There’s no preview image, no sample video, no mention of a specific social media account—just a threat to send it to “everyone you know.” It’s deliberately vague. The same message needs to work for millions of recipients with completely different social circles.
“I sincerely think, you certainly would not wish such incidents to take place, in view of the lustful things demonstrated in your commonly watched videos, (you absolutely know what I mean by that) it will cause a huge adversity for you. There is still a solution to this matter, and here is what you need to do: You make a transaction of $1490 USD to my account (an equivalent in bitcoins, which recorded depending on the exchange rate at the date of funds transfer), hence upon receiving the transfer, I will immediately get rid of all those lustful videos without delay. After that we can make it look like there was nothing happening beforehand. Additionally, I can confirm that all the Trojan software is going to be disabled and erased from all devices that you use. You have nothing to worry about, because I keep my word at all times.”
The price point and payment method—just under $1,500, paid in Bitcoin—are typical for this kind of scam. Cryptocurrency is popular with scammers because payments are difficult to reverse and can be moved quickly. Despite its reputation, Bitcoin is not anonymous, and law enforcement has successfully traced many criminal transactions.
“That is indeed a beneficial bargain that comes with a relatively reduced price, taking into consideration that your profile and traffic were under close monitoring during a long time frame. If you are still unclear regarding how to buy and perform transactions with bitcoins – everything is available online. Below is my bitcoin wallet for your further reference: <REDACTED_ACCOUNT> All you have is 48 hours and the countdown begins once this email is opened (in other words 2 days).”
Short deadlines and countdown language are psychological pressure tactics, not technical realities. Scammers want you panicking, not thinking, because a calm reader is more likely to spot the holes in the story.
“The following list includes things you should remember and avoid doing:
> There’s no point to try replying my email (since this email and return address were created inside your inbox).
> There’s no point in calling police or any other types of security services either. Furthermore, don’t you dare sharing this info with any of your friends. If I discover that (taking into consideration my skills, it will be really simple, because I control all your systems and continuously monitor them) – your nasty clip will be shared with public straight away.
> There’s no point in looking for me too – it won’t result in any success. Transactions with cryptocurrency are completely anonymous and untraceable.
> There’s no point in reinstalling your OS on devices or trying to throw them away. That won’t solve the issue, since all clips with you as main character are already uploaded on remote servers.”
This section is essentially objection handling. The scammer anticipates common reactions, such as talking to someone, calling the police, or reinstalling the system, and tries to shut them down. The claim that the email address was “created inside your inbox” is particularly revealing. The From line of an email is free text that any sender can set, so a message that appears to come from your own address proves nothing about access to your account; only the full headers, with the receiving server’s SPF, DKIM, and DMARC results, show where it actually came from. It’s an attempt to make a trivially forged sender address look like evidence of compromise.
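A practical way to test the “created inside your inbox” claim is to read the message’s full headers rather than the From line. The block below is an added example, not code from the original article: it parses a constructed sample message (the relay hostname, IP address, and Authentication-Results values are made up for illustration) and reports whether the receiving server’s SPF, DKIM, and DMARC checks support the sender’s story.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): a sextortion email whose From header
# is forged to show the recipient's own address. Authentication-Results is the
# header the receiving mail server adds after evaluating SPF, DKIM and DMARC.
# The hostnames and 203.0.113.45 are documentation/test values, not real infrastructure.
SAMPLE_RAW = """\
Received: from mail-relay.example.net (unknown [203.0.113.45])
\tby mx.example.com with ESMTP id 7f3a2b; Tue, 3 Mar 2026 09:14:02 +0000
Authentication-Results: mx.example.com;
\tspf=fail (sender IP is 203.0.113.45) smtp.mailfrom=victim@example.com;
\tdkim=none (message not signed);
\tdmarc=fail (p=none) header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: Total access to all your devices
Message-ID: <20260303091402.7f3a2b@mail-relay.example.net>

I regret to inform you about some sad news for you.
"""

# mechanism=verdict pairs inside an Authentication-Results header, e.g. "spf=fail".
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# Bracketed IPv4 literal recorded in a Received header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_results(msg):
    """Collapse all Authentication-Results headers into {"spf": "fail", ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RESULT.findall(header):
            results[mechanism.lower()] = verdict.lower()
    return results


def first_relay_ip(msg):
    """IP in the topmost Received header: the host that handed the message to our MX."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def assess(raw):
    """Return what the headers actually show about a 'sent from your own address' email."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    auth = auth_results(msg)
    findings = []
    if sender and sender.lower() == recipient.lower():
        findings.append("From equals To: the From line is attacker-chosen text, not proof of mailbox access")
    if auth.get("spf") in ("fail", "softfail"):
        findings.append("SPF failed: the sending IP is not authorized for the From domain")
    if auth.get("dkim") != "pass":
        findings.append("No passing DKIM signature: the From domain did not sign this message")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed: the From domain disowns this message")
    # Either authentication failure means the message did not come from the claimed mailbox.
    spoofed = auth.get("spf") in ("fail", "softfail") or auth.get("dmarc") == "fail"
    return {
        "sender": sender,
        "relay_ip": first_relay_ip(msg),
        "auth": auth,
        "findings": findings,
        "likely_spoofed": spoofed,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_RAW)
    print(f"From: {report['sender']}  relayed by {report['relay_ip']}  auth={report['auth']}")
    for finding in report["findings"]:
        print("-", finding)
```

In a real mailbox, view the message source (or “show original”) to get the raw headers, and read the Received chain from the bottom up if the topmost relay is your own provider.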
“Things that may be concerning you:
> That funds transfer won’t be delivered to me. Breathe out, I can track down everything right away, so once funds transfer is finished, I will know for sure, since I interminably track down all activities done by you (my Trojan virus controls all processes remotely, just as TeamViewer).”
Referencing TeamViewer, a legitimate remote‑access tool, is another tactic we’ve seen in recent sextortion emails. It helps the scammer anchor their story to something users may have heard of or used at work. But there is still no evidence of remote access, and the claim that the malware “controls all processes” ignores how real operating systems and security controls work.
“> That your videos will be distributed, even though you have completed money transfer to my wallet. Trust me, it is worthless for me to still bother you after money transfer is successful. Moreover, if that was ever part of my plan, I would do make it happen way earlier! We are going to approach and deal with it in a clear manner! In conclusion, I’d like to recommend one more thing… after this you need to make certain you don’t get involved in similar kind of unpleasant events anymore! My recommendation – ensure all your passwords are replaced with new ones on a regular basis.”
Ending with security advice is a manipulative touch. By offering helpful recommendations, the scammer tries to appear credible and trustworthy rather than criminal. It doesn’t change the fact that the email contains no evidence that any of the claims are true.
How to react to sextortion emails
This example is unusually badly written, but many sextortion emails are far more polished and convincing. Regardless of how professional they look, they should be treated the same way: as unsubstantiated threats designed to scare victims into paying.
- First and foremost, never reply to emails of this kind. Responding confirms that someone is actively reading messages sent to that address and may encourage further scam attempts.
- Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes. Ask for advice if you’re not sure.
- An attachment is not proof. Most sextortion emails contain no evidence at all, and cybercriminals often use attachments to spread malware or make their threats appear more convincing.
- If the email includes a password you have used before, change it immediately anywhere it’s still in use. Then enable two-factor authentication wherever possible. If you are having trouble organizing your passwords, consider using a password manager.
- Delete the message, report it as spam, and move on.
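When a sextortion email quotes a real password, the useful check is whether that password already sits in a public breach corpus, and the way to do that without sending the password anywhere is the k-anonymity scheme used by the Pwned Passwords range API: hash the password with SHA-1, transmit only the first five hex characters, and match the remaining 35 locally against the returned list of suffixes and counts. The block below is an added example, not code from Malwarebytes or the article. The response body it matches against is constructed inline (the decoy suffixes and every count are invented) so the demo runs offline; the live query helper is included for real use but is never called here.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; the offline demo never calls it


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that leaves the
    machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password, fetch_range):
    """Times the password appears in the corpus, 0 if never seen.
    fetch_range(prefix) -> response body, injected so the check can run offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_live(prefix):
    """Query the real range endpoint. Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-exposure-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response (assumption: a real response has
# hundreds of lines; these decoy suffixes and all counts are invented). It
# includes the suffix of the demo password so the offline run shows a hit.
DEMO_PASSWORD = "password123"
_, _DEMO_SUFFIX = split_hash(DEMO_PASSWORD)
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:12",
    _DEMO_SUFFIX + ":4007",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


def offline_fetch(prefix):
    """Stand-in for fetch_live that serves the constructed body for any prefix."""
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    for candidate in (DEMO_PASSWORD, "correct horse battery staple 9"):
        hits = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: seen {hits} times in the (constructed) corpus")
```

Swap `offline_fetch` for `fetch_live` to run the real check; a non-zero count means the password is public and must be retired everywhere it is still used, whether or not the email that quoted it was bluffing about everything else.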
While these sextortion emails are almost always bluffs, if you’re concerned about webcam spying, Malwarebytes Webcam Monitoring can alert you when applications attempt to access your camera.
Inside the dark web: Stolen identities for 95¢, malware, and scams-for-hire
Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found.
The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites. For example, the BBC’s news website is available through the following Tor address: http://bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion
But alongside these legitimate uses is a thriving criminal ecosystem.
What we discovered was an organized, active underground economy that operates in ways most people never imagine. Cybercriminals don’t work alone. They gather in underground cybercrime forums where they discuss emerging attack methods, share techniques, and collaborate on ways to target people around the world.
Think of it less as a dark alley and more as a professional network for cybercriminals.
WWH is a Russian-language community that advertises itself as a meeting place for professionals
More than 115,000 members on the underground forum Dark Forums, a hub for stolen data and hacking tools
Beyond these forums, we encountered dedicated cybercrime marketplaces. These function like online stores where hackers and fraudsters can buy and sell a range of compromised digital goods, from stolen account credentials to hacking tools, all transacted anonymously using cryptocurrency.
Fun fact: Many of these marketplaces are named after well-known public figures, including US President Donald Trump.
A “Donald Trump Store” ad for stolen credit card data
The dark web compass
Cybercriminals come from every corner of the world, and like any global community, they need a way to find each other. That’s where link boards come in.
Link boards are directories that collect hundreds of underground forums and marketplaces. They’re organized by language, and act as a dark web compass.
A cybercriminal can operate within a community that speaks their native language or join larger English-language forums that attract an international audience.
Not all forums carry the same weight, though. In 2026, the community is largely concentrated around dominant platforms like BreachForums and DarkForums. More exclusive Russian-language forums such as Exploit and XSS tend to attract some of the underground’s more sophisticated cybercriminals.
The Link-Base directory
Compromised data: Your information may already be out there
Most people have no idea how much of their personal information is already circulating on the dark web. In many cases, the first challenge is simply knowing whether your information has been exposed at all. You can check yours here.
To understand the scale of the problem, it helps to compare what’s publicly known with what we found beneath the surface.
Publicly reported breaches are only part of the story. Since the beginning of 2026, Malwarebytes researchers have identified more than 7,500 compromised data sets containing over 8.4 billion records. These include data stolen in breaches, harvested through phishing campaigns, scraped from online services, and exposed through misconfigured systems.
Among the organizations affected are household names such as SoundCloud, ADT, Hallmark, Amtrak, Vimeo, and Instagram.
But as significant as those numbers are, they only tell part of the story.
A section of DarkForums dedicated to leaked databases
When we examined the databases section on DarkForums, one of the underground’s most active platforms, we found 63 pages of listings posted since the start of 2026. With 20 listings per page, that’s over 1,200 small and medium-sized data breaches, most of which never made public headlines.
The picture on BreachForums was similar. Since the beginning of the year, the platform has accumulated 37 pages of database listings, each containing 20 entries, adding more than 700 additional compromised databases to the already huge pool of stolen data.
Add it all together, and the publicly reported breaches are only the tip of the iceberg. Much of the stolen personal data traded online changes hands quietly and out of sight.
Typical forum page listing compromised data
US identities for sale
One of the most consistently sought-after commodities in the cybercrime underground is something hackers call “fullz”: a complete package of a real person’s identity information. In 2026, US identities remain especially valuable due to the country’s financial infrastructure, high credit limits, and wide range of services that can be exploited for fraud.
A typical fullz package includes a full name, Social Security Number (SSN), date of birth, address, and other personal details. In the wrong hands, this information is a ready-made toolkit for identity fraud. It allows cybercriminals to open fraudulent credit accounts, file fake tax returns, access financial accounts, or even obtain medical services under someone else’s name.
What makes fullz particularly dangerous is that victims often have no idea their identity has been compromised until long after the damage is done. Sometimes that’s months or even years later, when debt collectors come calling or a credit application gets unexpectedly denied.
It’s no surprise that the US remains one of the countries most heavily targeted by identity thieves. More than 1.15 million cases of identity theft were reported to the Federal Trade Commission (FTC) in the first three quarters of 2025 alone, already surpassing the total number reported during all of 2024.
During our research, we came across 9-Digits Market, one of many dark web marketplaces specializing in selling stolen identity data. What stood out was the price. A complete US identity profile was listed for as little as $0.95.
For less than the cost of a cup of coffee, a cybercriminal can buy enough information to devastate someone’s financial life.
9-Digits marketplace selling stolen US identities
How cybercriminals use malware to target your computer
Data breaches aren’t the only way your personal information ends up on the dark web. Sometimes the source is much closer to home: your own computer. During our time on the dark web, we encountered the developers behind a particularly dangerous category of malware known as infostealers, or just “stealers”. The concept is simple, which is partly why it’s so effective.
Once installed, an infostealer silently searches a device for anything valuable. That can include saved usernames and passwords, autofill data, stored payment details, cryptocurrency wallets and other sensitive information. That stolen data is then sent back to the attacker.
Below is a sneak peek at the STORM stealer panel, which compromised a US-based computer and stole 87 username-and-password combinations from the device.
STORM infostealer discovered on a Russian-language cybercrime forum
STORM infostealer management panel
STORM infostealer capabilities
Perhaps the most alarming part is how accessible this type of malware has become. In 2026, any aspiring cybercriminal can rent an infostealer on a subscription basis, requiring little technical knowledge and no major financial investment. Cybercrime-as-a-service has dramatically lowered the barrier to entry.
The STORM infostealer can be rented by cybercriminals
The stolen data is then sold or leaked on underground forums and marketplaces. We were shocked by the sheer volume involved.
On any given day, millions of stolen credentials are shared across these platforms. Behind each of those rows is a real person, completely unaware that their digital life is being picked apart and traded like a commodity.
Datasets of leaked usernames and passwords shared on the dark web
Correlations of leaked usernames and passwords shared on the dark web
Fake investments and cryptocurrency scams
Not all cybercrime revolves around stolen passwords or leaked databases. Some criminals chase much more lucrative payouts through carefully planned social engineering scams. One of the most sophisticated and damaging examples we encountered was the crypto investment scam, also known as pig butchering.
The tactic behind it is highly effective. Criminals invest considerable time and effort into building what appears to be a genuine relationship with their target through dating apps, social media, or messaging platforms.
They are patient, friendly, and convincing, slowly earning the victim’s trust over days or even weeks. Only after establishing trust do they introduce what appears to be an exciting investment opportunity. By the time the victim realizes something is wrong, their money is gone and the person they trusted has vanished without a trace.
Active crypto scam operation on a dark web forum
During our research, we observed a large-scale crypto fraud operation already fully up and running, targeting new victims with polished, high-end fake investment platforms specifically designed to keep victims hooked for long periods.
The operation offered:
- Full documentation, scripts, and credibility props. Everything needed to appear legitimate from day one.
- Carefully crafted communication guides and social engineering playbooks designed to psychologically pressure victims into maxing out credit cards, taking out loans, and repeatedly investing more money.
- In-house development teams building fake trading platforms that closely mimic legitimate investment services.
Our researchers also managed to gain access to one of these fraudulent platforms, and we were unsettled by the level of sophistication.
These are not amateur operations. They are well-funded, professionally run criminal enterprises that treat deception as a business.
Sneak peek into real investment scam project
In just 48 hours, we found stolen identities, malware-for-hire, leaked passwords, and industrial-scale fraud operations. Most people will never visit the dark web, but its effects can still reach them through data breaches, malware infections, and scams.
Malwarebytes helps protect against each of those threats. Our data breach monitoring service alerts you if your personal information appears in a known breach. Identity Theft Protection monitors sensitive information, including your Social Security number, while Scam Guard uses AI-powered detection to help identify suspicious texts, emails, links, and phone numbers before they can cause harm.
The dark web thrives on stolen information. Knowing when your data is exposed is the first step to staying ahead of it.
Meta pauses controversial employee-tracking program after security review
Meta has paused a controversial employee‑tracking program after an internal security review found that highly granular keystroke and screen‑capture data from staff laptops was far more widely accessible inside the company than intended.
The program was part of Meta’s Model Capability Initiative (MCI), which collected mouse movements, click locations, keystrokes, and screen content from employees’ work laptops to help train internal AI systems.
The program also introduced an obvious risk. Collecting highly sensitive employee activity data is one thing. Keeping it properly secured is another.
According to reporting based on internal documents and employee accounts, the data wasn’t just collected. It was left accessible across thousands of internal data tables, including AI prompts, transcriptions, private conversations, and performance‑related information.
After coverage of the exposure, Meta scaled back and then paused the initiative, amid sustained internal backlash and questions about whether privacy protections were ever more than a reassurance in a memo.
From Meta’s perspective, the Model Capability Initiative was an efficiency play. The goal was to provide AI models with “real examples of how people actually use computers” by passively logging how employees navigate everyday tools like Gmail, GChat, Metamate, and VS Code. Agents would be able to learn from live workflows instead of synthetic benchmarks.
Employees were promised that the data gathering would be limited to work apps and not employees’ phones. But you can imagine how it was perceived:
- Keystroke and mouse‑tracking software was pushed to US workers’ laptops, with no option to opt out on company devices, as confirmed internally by Meta’s CTO.
- The software captured inputs plus associated screen content, creating a behavioral dataset: what you type, where you click, what is on your screen while you do it.
The program prompted significant internal criticism. An engineer’s internal post protesting “laptop surveillance” and screen monitoring went viral inside Meta, sparking a petition to kill the program entirely.
From a compliance angle, employee-monitoring programs of this scope can raise difficult legal and regulatory questions, particularly in jurisdictions that require transparency around workplace surveillance and data collection.
The reputational impact is arguably even worse. When a company is always under scrutiny for tracking users, breaking trust with employees sends a strong signal about its default attitude toward data.
All this while knowing that keystroke and screenshot data is high‑risk by design. That type of data is content‑rich, behavioral, and often contains secrets such as passwords typed into login forms. Collecting it at scale creates a security burden: every new data point adds obligations around access control, minimization, retention, and audit that the organization must actively manage for as long as the data exists.
- Access controls must be precise and regularly audited, because a simple misconfiguration can have big consequences.
- Data minimization and retention limits are essential since long‑term storage multiplies the impact of a potential breach.
- Any future data leak—internal or external—could expose not just emails, but the exact sequences employees type, including authentication flows and draft content. In the wrong hands, this kind of information could expose the company to compromise.
This episode is a reminder that every new dataset creates new responsibilities. The more detailed and sensitive the information, the greater the consequences when access controls fail.
Scammers don’t need to hack you. They just need you to click once.
Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.
Hackers steal passport and driver’s license data of 3 million Texans
You can change a password and cancel a card. But replacing a passport or driver’s license number every time someone leaves yours unsecured in a vendor database isn’t so easy.
More than three million Texans are facing that problem after a data breach involving a vendor used by the Texas Parks and Wildlife Department (TPWD) to process hunting and fishing licenses.
In an announcement confirming the breach, TPWD says the hackers gained access through the third-party vendor’s systems and exposed personal information belonging to 3,087,721 people. The agency says the exposed data may include driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses.
However, exactly what information was stolen remains unclear.
Conflicting accounts of what was exposed
In a breach notification filed with the Texas Attorney General’s office, TPWD said the incident affected:
- Name of individual
- Address
- Social Security number information
- Driver’s license number
- Government-issued ID number (e.g. passport, state ID card)
- Date of birth
When we asked them for clarification, TPWD referred us to the same public statement they put on the website, which lists this data as possibly stolen:
- Driver license information
- Passport numbers (if provided)
- Email addresses
- Phone numbers
- Residential addresses
It explicitly said that Social Security numbers, dates of birth, and financial information, including credit card details, were not included in the incident.
“Social Security numbers, dates of birth and financial information, including credit card details were not obtained from this incident.”
Those two lists don’t tally up, leaving Texans unclear as to exactly what information has been stolen.
TPWD has not identified the third-party vendor involved in the incident. It also declined to answer questions about when it first learned of the breach, how the attackers gained access to the data, or what specific security controls failed.
TPWD did say it is working with the license system vendor to implement increased safeguards. It didn’t say what those safeguards were, though, or exactly how the information was stolen in the first place.
Not the first major Texas data exposure
This isn’t the Texas government’s first data breach rodeo, which matters because criminals often combine data from multiple leaks. Information that seems limited on its own becomes much more useful when paired with other stolen data.
In 2020, software vendor Vertafore exposed records belonging to nearly 28 million Texas drivers by leaving the data in an unsecured external storage service, according to a StateScoop investigation.
In January last year, the Texas Department of Health and Human Services informed people that its employees had been stealing their data. At least 61,000 people were affected, it said at the time, before expanding that number in April to at least 94,000.
The latest breach, and the admission that government IDs were among the stolen data, may also complicate the Texas government’s repeated attempts to introduce digital identity programs. Senate Bill 215, which proposed a state digital ID for citizens, didn’t make it past committee.
If you bought a Texas hunting or fishing license
TPWD has offered affected individuals one year of free credit monitoring through Kroll. Enrollment closes September 14, 2026.
If you may have been affected:
- Freeze your credit with Equifax, Experian, and TransUnion to make it harder for identity thieves to open accounts in your name.
- Enroll in the Kroll credit monitoring before September 14, 2026.
- Watch for phishing emails and texts referencing TPWD, fishing licenses, or the breach itself. Leaked emails and phone numbers are exactly what scammers use next.
- Be suspicious of anyone who contacts you unexpectedly and asks you to verify driver’s license, passport, or other personal information.
Whether Texas ever reveals the vendor’s identity remains to be seen. What is certain is that the personal information of more than three million Texans is now in criminal hands.
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
GTA 6 early access is nothing but a scam
A new wave of scam websites is offering something millions of people want: a way to play Grand Theft Auto VI before it comes out.
“Get GTA 6 before everyone else.” “Buy VIP early access.” Pay a few hundred dollars in cryptocurrency, enter a payment code, and supposedly unlock the game.
But it’s a scam.
Any site claiming to sell GTA 6 early access is not authorized by Rockstar Games and should be treated as fraudulent unless Rockstar announces it through official channels. You pay, you get nothing, and because the payment is made in cryptocurrency, there’s usually no way to get your money back.
Here’s why these pages exist, why they work, and how to avoid them.
What these pages look like
They’re designed to look premium and exclusive. Think neon Vice City artwork, GTA 6 logos, luxury cars, and glamorous AI-generated images. The pitch is usually some version of “VIP Digital Access” or “Exclusive Early Access Preview.” The example we examined charged $250 and accepted only Bitcoin, USDT, or Ethereum.
The final step reveals what’s really happening. After sending cryptocurrency, victims are told to wait for payment confirmation and then enter their transaction ID to “unlock” the download. There are QR codes, payment verification messages, and a large DOWNLOAD button.
But there is no game.
Two details make this more than an ordinary rip-off.
First, cryptocurrency payments generally can’t be reversed. There’s no chargeback process and no fraud department to call. Once you send the money, it’s gone.
Second, there is no product at all. This isn’t a case of receiving something different from what was promised. GTA 6 is not available outside Rockstar, so there is nothing for these sites to deliver.
Why GTA 6 is the perfect bait
To understand why these scams are appearing now, you need to understand how enormous GTA is.
Grand Theft Auto is one of the most successful gaming franchises ever created. According to publisher Take-Two Interactive, the series has sold more than 465 million copies worldwide, with GTA 5 alone accounting for more than 225 million of those sales.
When Rockstar announced a sequel, anticipation was inevitable. Then came the waiting.
GTA 5 launched in September 2013, and GTA 6 is now scheduled for November 19, 2026. That’s a 13-year gap between releases. Add multiple delays and years of speculation, and you’ve got millions of fans eagerly looking for any news, leak, preview, or chance to get early access.
Scammers simply exploit that excitement.
Why people fall for it
Scams like this work because they mix something people want with tactics designed to create urgency.
Desire overrides suspicion. When people want something badly enough, they’re more likely to look for reasons to believe an offer is real than reasons to doubt it.
Early access is a real thing in gaming. Players are used to beta tests, founder’s packs, deluxe editions, and early-access programs. A page selling “VIP access” doesn’t automatically sound suspicious because legitimate offers often use similar language.
Scarcity and urgency short-circuit caution. “Before everyone else.” “Exclusive.” “Unlock in one minute.” These are phrases designed to encourage quick decisions before people stop to think.
The sites look professional. Good artwork, polished design, and a smooth payment flow can make a scam feel legitimate, even when the offer itself doesn’t stand up to scrutiny.
Payment by crypto is becoming more common. It may feel routine to many gamers, but it’s one of the biggest warning signs. Unlike a credit card payment, crypto transactions generally can’t be reversed, so scammers prefer them.
None of this makes a victim foolish. It makes them human, and targeted by people who understand exactly how to manipulate them.
How to protect yourself
One fact protects you from every GTA 6 early-access scam:
GTA 6 is not available to buy, download, or play early through unofficial websites. Rockstar is selling pre-orders, not early access.
It’s scheduled to launch on November 19, 2026, and Rockstar has announced that official pre-orders begin on June 25 through digital storefronts and select retailers.
That makes spotting scams easy. If a website claims to offer early access, VIP access, secret downloads, or a playable copy of GTA 6 before release, it isn’t an authorized seller. Rockstar is offering pre-orders only.
Until then:
- Stick to official GTA 6 pre-orders through authorized retailers and storefronts. Any site offering early access, exclusive downloads, or playable versions before release is likely a scam.
- Be wary of any gaming offer that requires payment in cryptocurrency.
- Get GTA 6 news directly from Rockstar Games and Take-Two Interactive.
- Treat “exclusive access” claims in ads, social media posts, videos, and comment sections with skepticism.
- Pause before sending money. If an offer sounds like a way to skip the line, that’s exactly why scammers are using it.
- Malwarebytes Browser Guard is free and can help by blocking malicious websites, scam pages, and other online threats while you browse.
Nobody can sell you a legitimate copy of GTA 6 before Rockstar does. If a website claims otherwise, it’s not offering exclusive access. It’s trying to take your money.
When GTA 6 finally launches, it will be available through the same trusted stores gamers already use. Until then, any site promising a head start is promising something it can’t deliver.
Thousands of D-Link routers under control of AryStinger botnet
Researchers have found that the recently discovered AryStinger botnet has quietly hijacked thousands of end‑of‑life D‑Link routers and some network-attached storage (NAS) devices, turning them into a distributed scanning and proxy network that attackers can use to hide their activity and launch attacks against other targets.
Having your devices under control of a botnet is not just a problem for the people being targeted. It can also put your own privacy and security at risk.
The AryStinger botnet is mainly built on compromised D‑Link DIR‑850L and DIR‑818LW routers. Although these devices are long past end‑of‑life, they are still widely used in homes and small offices, making them attractive targets for botnet operators.
The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of routers. According to the researchers:
“At least 4,300 routers worldwide have already been infected, and the number is still continuously rising.”
By targeting routers that are no longer supported by the vendor, the attackers gain access to devices that will never receive security patches but remain connected to the internet.
AryStinger turns each infected device into what the researchers call an “Executor”: a remotely controlled node that can scan networks, act as a proxy, create tunnels, and run commands on behalf of the attacker.
The botnet’s controller splits large reconnaissance tasks into many smaller ones and distributes them across these Executors, effectively turning a fleet of consumer routers into a large-scale scanning platform.
The botnet’s primary purpose is reconnaissance at scale. The controller can:
- Push scanning jobs (for IP ranges, open ports, DNS records) down to many Executors in parallel.
- Use those results to map networks, identify new vulnerable services, and prepare further compromises (“footprinting”).
For owners of infected devices, a more worrying capability is AryStinger’s ability to tamper with DNS settings. This allows attackers to:
- Redirect victims’ browser traffic to phishing pages or malware‑hosting sites.
- Silently monitor and potentially steal all inbound and outbound network traffic passing through the router or NAS.
This can put otherwise well-protected devices at risk. Mobile phones, tablets, and laptops connected to the compromised router can be redirected as well.
How to tell if you’re impacted
For owners of an affected router or NAS, the immediate signs may be subtle or non‑existent. Possible indicators might be:
- Slightly slower connectivity
- Occasional unexplained DNS failures or redirects
- Spikes in outbound traffic at odd times
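One of the DNS symptoms above can be checked from a client machine. As an added example for this article (not code from the researchers or from Malwarebytes), the Python script below parses a resolv.conf-style configuration of the kind a DHCP client writes and flags any resolver that is neither on a local network range nor on the owner's allowlist. The sample configuration, the allowlist, and the TEST-NET address standing in for a rogue resolver are all constructed for the example.

```python
"""Audit the DNS resolvers a client is actually using.

Added example for this article, not code from the researchers or the article
itself. A router whose DNS settings have been tampered with can hand clients an
attacker-chosen resolver over DHCP; this script parses a resolv.conf-style
configuration and flags any resolver that is neither on the LAN nor on the
owner's allowlist. The sample configuration and allowlist are constructed.
"""
import ipaddress

# Constructed sample: the second nameserver is a TEST-NET-3 documentation
# address standing in for a resolver the owner never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.53
options timeout:2
"""

# Resolvers the owner deliberately uses (an assumption for this example).
EXPECTED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "9.9.9.9"}

# Address ranges where a home or office resolver (the router itself, a local
# filtering resolver, a loopback stub resolver) legitimately lives.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry, skip it
    return servers


def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """'expected' if allowlisted, 'lan' if on a local range, else 'unexpected'."""
    if addr in expected:
        return "expected"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "unexpected"


def audit_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Map every configured resolver to its classification."""
    return {s: classify_resolver(s, expected)
            for s in parse_nameservers(resolv_conf_text)}


def unexpected_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """The resolvers worth investigating: public addresses nobody allowlisted."""
    return [a for a, c in audit_resolvers(resolv_conf_text, expected).items()
            if c == "unexpected"]


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr:16} {verdict}")
```

A caveat: this only catches the case where the router hands clients an outside resolver directly. If the router keeps advertising its own LAN address as the DNS server but forwards queries upstream to an attacker-controlled resolver, the client sees nothing unusual; for that, compare the upstream DNS servers shown in the router's admin interface with the ones you or your ISP actually configured.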
But the underlying risks are serious enough:
- Privacy: Attackers may be able to inspect or redirect your traffic, potentially capturing usernames, passwords, session cookies, or other sensitive data.
- Liability and reputation: Your IP address could be used for fraud, credential‑stuffing, harassment, or other criminal activity, potentially attracting attention from service providers or law enforcement—something already seen in other proxy botnets.
- Pivoting into your network: Particularly on compromised NAS devices, attackers may be able to map internal networks and look for additional systems to target.
This is not the first time attackers have built a botnet from abandoned networking equipment. Unfortunately, the most effective solution is also the least popular one: Replace end-of-life routers and NAS devices.
If that’s not an immediate option, there are some steps you can take to make your device harder to compromise:
- Apply the latest firmware available for your device, even if it’s old, and review any vendor security advisories for known vulnerabilities.
- Change the default administrator password to a unique, strong password or passphrase; never reuse passwords from other accounts.
- Disable remote management from the internet (WAN). Only access the admin interface from inside your home or office network.
- Use WPA2 or WPA3 wireless encryption and a strong Wi‑Fi password to reduce the chance of local abuse.
- If your router supports it, turn off unused services such as UPnP on the WAN side or legacy remote access protocols.
- Run an anti-malware scan on computers and other devices connected to the router to check whether any were separately infected while traffic was being tampered with.
Even if you apply all of these recommendations, an end-of-life router should be considered untrusted. Make plans to replace it as soon as you can.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Document delivery scams: What are they and what’s their goal?
One of Malwarebytes’ managers recently received a call from scammers pretending to be a document delivery service.
The voicemail sounded official:
“I am calling on behalf of document delivery services. We have been retained to schedule and deliver legal documents to you between the hours of 8 AM and 4 PM at either your home or your place of employment. We’ll be making only two attempts to deliver these documents, which will require a signature as proof of delivery. If we are unable to deliver these documents after 2 attempts, it will be classified as a failed action to serve, which will resolve in the pending matter to proceed further without your consent. If you have any questions or if you need to reschedule this delivery, press one now to be connected to the next available representative, or you can call the office directly at 888-843-1510 and reference your file number 2026-957849. Please be advised this call has been logged and submitted as proof you have been notified of this pending legal matter. Have a good day.”
The goal is to scare you into calling back and handing over personal information, or even money.
Red flags
There are several clues that give this scam away:
- The caller ID doesn’t add up. The call may appear to come from a local number, while the callback number is a toll-free 888 number. Scammers sometimes spoof phone numbers to make calls appear local and trustworthy. If you try to call the number that is listed as the “caller,” you may find it doesn’t exist.
- The company name is vague. “Document delivery services” isn’t the name of the company. A legitimate company would have mentioned their name, or at least the party they are representing.
- The legal language is carefully crafted to create panic. Terms like “failure to serve,” “pending matter,” and “proceed without your consent” are all designed to create anxiety, leading targets to assume they’re facing legal action or arrest.
What’s worrying is that scammers often already know some of your personal information, such as your name and telephone number. They use the call to try to gather more information, like asking for your physical address and other personal and payment information.
People who called the number reported that the scammers asked them to “verify” personal details. They then claimed the victim owed money on an old debt or unpaid charge and offered a discounted settlement if payment was made quickly.
According to complaints filed with the Better Business Bureau, some victims reported losses ranging between $100 and $500.
Several people also reported that the scammers became angry when victims questioned them or refused to provide personal details.
How to stay safe
Recognizing scams is the best way to avoid becoming a victim.
If you receive a call like this:
- Stay calm. Scammers always try to rush you into decisions before you can think them through. Legitimate organizations don’t usually demand immediate action, threaten arrest over the phone, or pressure you to make quick payments.
- Don’t be afraid to ask for help. Anyone can be caught off guard by a convincing scam. If you’re unsure, talk it through with someone you trust or use Malwarebytes Scam Guard, which identified this as a scam and can explain what to do next.
- Don’t call back numbers provided in unsolicited messages. If someone claims to represent a company, law firm, or government agency, look up their contact details independently and verify the claim yourself.
- Never share personal or payment information unless you’re certain who you’re dealing with. Even if the caller already knows some details about you, that information may have come from a data breach, public records, or other sources.
- Finally, make yourself a harder target. Avoid posting your phone number publicly on social media or websites where it can be collected by scammers and data brokers.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
A week in security (June 15 – June 21)
Last week on Malwarebytes Labs:
- Nearly 15,000 infected websites cleaned in SocGholish crackdown
- Apple patches Beats Studio Buds flaw that could turn earbuds into a wiretap
- Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control
- Retro gaming fans are the new target for fake GitHub malware
- Kodak confirms breach as ShinyHunters’ leak threat reaches deadline
- Roblox developers are losing entire games to malware attacks
- Rokarolla Android malware can take over your phone and steal banking logins
- 24 billion stolen records exposed online. Here’s what to do
- Malwarebytes earns AV-TEST Top Product award, aces other third-party tests
- “Free World Cup stream” sites are serving scams, not football
- Cardiac patients’ medical data stolen and held to ransom
- Deepfake posting sites depicting famous women taken down by feds
- Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software
- Claude Fable 5 and Mythos 5 “abruptly disabled” after US gov. ban
- Deepfake porn sites are going offline (re-air) (Lock and Code S07E12)
Stay safe!
Nearly 15,000 infected websites cleaned in SocGholish crackdown
We’re always happy to end the week with some positive news. A law enforcement action called Operation Endgame just delivered a major win against the long‑running SocGholish (aka FakeUpdates) operation.
SocGholish is a malware framework that has been active since at least 2017 and is best known for abusing hacked, legitimate WordPress sites to push fake browser and software updates to visitors. When a user clicks one of these convincing “update now” prompts, the malware opens a backdoor on the system, giving attackers initial access that is often used to deploy ransomware and other malicious software. The operation has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex malware, as well as major ransomware and money‑laundering schemes.
This week, Dutch police and the Public Prosecution Service, working with the Royal Canadian Mounted Police, FBI, German Federal Criminal Police Office, Europol, and Eurojust, struck directly at SocGholish’s infrastructure. As part of Operation Endgame, they took down 106 servers and domains and cleaned 14,971 infected WordPress sites that had been silently redirecting visitors into the FakeUpdates trap.
Investigators say they found exposed login credentials for around 1.4 million WordPress sites. To check whether any passwords associated with your email address have been exposed in a breach, use Malwarebytes Digital Footprint Scanner.
Dutch authorities also used their hacking powers to remove backdoors and malware from compromised sites and notified affected site owners, urging them to update WordPress, enable multi-factor authentication (MFA), and change passwords.
Authorities say the infected sites included everyday businesses such as restaurants and car garages, meaning visitors could have been exposed to malware simply by browsing trusted local websites.
The scale and intent matter here. Endgame is billed as the largest international operation against ransomware and cybercrime to date, and this SocGholish takedown specifically disrupts a key infection chain used by multiple ransomware groups. By breaking the link between thousands of everyday websites and a sophisticated malware‑as‑a‑service ecosystem, law enforcement has reduced the pool of future victims and increased the cost of operating for Evil Corp and its partners.
So, as you head into the weekend, here’s a malware story where the good guys actually pushed back and made it hurt.
Apple patches Beats Studio Buds flaw that could turn earbuds into a wiretap
Apple has patched a Bluetooth flaw in Beats Studio Buds that could potentially turn your earbuds into a nearby wiretap.
When you buy a pair of Bluetooth earbuds, you expect them to play your music and your calls—not someone else’s. But a vulnerability in Apple’s Beats Studio Buds shows how that trust can be abused, turning everyday audio gear into a potential eavesdropping tool for anyone close enough and skilled enough to exploit it.
The vulnerability is tracked as CVE-2025-20701. Researchers disclosed flaws in Airoha system-on-a-chip (SoC) devices at a security conference in Germany in 2025. Because Airoha chips are used in a wide range of audio products, the issue affected multiple devices, including Beats Studio Buds.
The researchers also showed how the vulnerability could be combined with flaws they found in the same Airoha component. By chaining these flaws, attackers could:
- Eavesdrop via headphone microphones.
- Extract pairing keys.
- Impersonate trusted headphones.
- Compromise the user’s phone, enabling call hijacking, contact extraction, triggering voice assistants, and more.
The good news is that these attacks are not easy to pull off. Exploitation is complex, and the attacker must be within Bluetooth range of the target device.
Basically, CVE-2025-20701 is a flaw in the authentication process and affects devices that are not yet paired and are actively looking for something to connect to. In a normal scenario, your headphones and your phone go through a pairing process that establishes keys and trust before any sensitive operations—like using the microphone—are allowed.
In this case, devices in pairing mode did not properly verify who they were talking to. That opened a window where any nearby attacker could pose as a legitimate partner and connect to the earbuds before the user completes the pairing process.
As Apple describes it:
“An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests.”
How to stay safe
To address this vulnerability, Apple shipped Beats Firmware Update 1B211, which rolls out automatically once the earbuds are near and connected to an iPhone, iPad, or Mac.
For the average user, the need for physical proximity, specialized hardware and software, and some patience means opportunistic criminals are more likely to stick with phishing and credential stuffing than stalking Bluetooth signals in public spaces.
But for a motivated attacker targeting a high-profile individual, this is exactly the kind of bug they’d use.
There is no “Update now” button, but if you own Beats Studio Buds and use them with an iPhone, iPad, or Mac, you should automatically receive the update when:
- The earbuds are paired with your Apple device
- They are in their charging case, with the lid closed
- The case and buds have sufficient charge, and the Apple device is nearby with Bluetooth enabled
To check whether you’re protected:
- On iOS or iPadOS, go to Settings > Bluetooth
- Tap the info icon next to your Beats Studio Buds
- Look at the firmware or version number. It should read 1B211 if the security update has been applied. If it says anything else, your earbuds may not have received the update yet. If you see an older version, keep the earbuds in their case near your iPhone, iPad, or Mac for a while to give them time to update. This can take some time and may happen silently in the background, so checking again later is worth the effort.
Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control
A publicly available exploit called RoguePlanet can give attackers the highest level of access on Windows systems. Microsoft has confirmed the vulnerability and says it’s working on a security update.
RoguePlanet is tracked under CVE-2026-50656, where it’s described as a Microsoft Defender Elevation of Privilege (EoP) vulnerability.
In its advisory, Microsoft says:
“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as “RoguePlanet”. We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.”
If successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows.
This means an attacker who manages to get access to a standard user account on your computer could use the vulnerability to gain complete control of the system. They don’t need advanced hacking skills or administrator permission to do this.
The published exploit does rely on a race condition, though, so whether it succeeds depends on the precise timing of two events. The researcher wrote:
“I have managed to get a 100% success rate on some machines while it struggled to work on others.”
According to the researcher, the problem lies in a high-level part of the Microsoft Defender code, which may help to explain why Microsoft says it’s working on a “high quality security update.”
This same researcher has submitted three earlier Microsoft Defender vulnerabilities known as BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), as well as four other Windows zero-days, all of which have since been patched by Microsoft.
How to protect your machine
The exploit reportedly works whether you’re using active protection or not, so disabling Microsoft Defender is not a solution. But there are a few things you can do to protect your machine:
- Look out for a Microsoft security update addressing this vulnerability and install it as soon as it becomes available.
- Back up your important data on a platform or device that is not directly connected to your computer.
- Be careful about downloading executable files from unknown sources or running files that are recommended to you without you asking for them.
- Do not rely on Microsoft Defender as your only anti-malware solution. Malwarebytes detects RoguePlanet.exe (the exploit code) based on its behavior.
Obviously, we’ll keep you posted about this and other security issues, so stay tuned.
Retro gaming fans are the new target for fake GitHub malware
Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console.
We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer.
The project, called EQVita, looks like a normal homebrew plugin. It has a polished README, a download button, screenshots, and a tidy layout. But the file you download doesn’t contain anything for a Vita at all. It contains three Windows files, and the harmless-looking text file among them is actually a hidden script that quietly connects to the attacker’s server once you run it.
This isn’t a one-off. Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer. The EQVita download uses the same method, repackaged to appeal to retro gaming fans.
Take a look at the comparison below. On the left we have a fake GitHub repository, on the right a real one.
There’s even a small trick in the version number. The real EQVita is on version 1.10, while the fake is labeled 1.3. At a glance, 1.3 may appear newer—but it isn’t. In software, 1.10 comes after 1.9, so the real project is the more up-to-date one. The fake just borrows a number that looks current.
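The version trick is worth seeing in code. The Python below is an added example, not code from the article or from either EQVita repository: it compares dotted version strings numerically and shows how a character-by-character string comparison ranks 1.3 above 1.10.

```python
"""Compare dotted version strings numerically rather than as text.

Added example for this article (not from the article or the project it
discusses): shows why "1.10" is newer than "1.3" even though a plain string
comparison claims the opposite.
"""
import re


def parse_version(version):
    """Turn '1.10' or 'v2.0.1-beta' into a tuple of ints.

    A leading 'v' and any pre-release suffix are ignored, and trailing zeros
    are stripped so that 1.10 and 1.10.0 compare equal.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"not a dotted version: {version!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def naive_string_compare(a, b):
    """The mistake: comparing versions as text, character by character.

    '1' sorts before '3', so this says "1.10" is older than "1.3".
    """
    return (a > b) - (a < b)


def newest(versions):
    """Pick the highest version from a list using numeric comparison."""
    return max(versions, key=parse_version)


if __name__ == "__main__":
    print("numeric  1.10 vs 1.3:", compare_versions("1.10", "1.3"))
    print("as text  1.10 vs 1.3:", naive_string_compare("1.10", "1.3"))
    print("newest of 1.3, 1.9, 1.10:", newest(["1.3", "1.9", "1.10"]))
```

The same numeric comparison is what package managers and update checkers do internally, which is why a glance at the digits is not a reliable way to tell which of two repositories is more current.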
Why this targets the Vita community
If you’re not into retro consoles, the PS Vita might not mean much to you. But for a large and active community, it’s a big deal, and that makes it a target.
I’ll admit a soft spot here: I bought my own Vita 1000 second hand about ten years ago, and it still runs beautifully. It comes off the shelf every now and then, mostly because the library is so deep there’s always something worth coming back to. I’m clearly not alone.
Even though Sony stopped making the Vita years ago, fans have kept it alive by writing their own software for it: emulators, file managers, and plugins. A modded Vita can run its own PSP games at full speed and emulate older systems like the SNES, Game Boy Advance, and Sega Genesis, which turns the handheld into a do-everything retro machine. In 2026 the scene is thriving, with active developers and even homebrew contests with cash prizes.
That demand shows up in the price, too. With no new units made since 2019, working Vitas have become a sought-after retro item, and resale prices have climbed across the major marketplaces over the past year—the older OLED model, prized by modders for its firmware, has risen the most. In other words, more people than ever are buying a Vita specifically to mod it, which means more people hunting for plugins and tools to install.
That enthusiasm is exactly what attackers abuse. Homebrew users are used to downloading files from GitHub, dropping them into folders, and running them. The whole hobby runs on trusting code from individual developers. Scammers know this, so a fake “Vita plugin” is an easy way to get people to run something they normally wouldn’t.
How the scam works
The download, EQ_Vita_v1.3.zip, contains three files:
- Launch.bat
- luajit.exe
- x64.txt
Here’s the clever part. luajit.exe is a real, harmless program that runs scripts. The batch file simply tells it to open x64.txt. Despite the .txt name, that file isn’t text at all—it’s a hidden script, and LuaJIT runs it. Calling it .txt is what makes it look harmless and easy to scroll past. Researchers found the same setup in the SmartLoader campaign: the only dangerous file in the download is the disguised script, and everything around it is legitimate.
So nothing in the download looks dangerous on its own. There’s no obvious installer and no scary-looking app—just a trusted tool being used to run someone else’s code.
We watched what happened when it ran. First, the script checked where in the world the computer was. Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string. The server answered back.
An audio plugin has no reason to do any of that. This is how a malware “loader” behaves: it phones home to the attacker’s server to receive instructions and fetch its next piece of malware. In this campaign, that next piece is usually a stealer—malware that hunts for cryptocurrency wallets, saved browser passwords, and login codes.
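The two things a defender can check before running a download like this are static: does the archive contain anything for the device it claims to target, and does its launcher hand a file with a harmless-looking extension to a script interpreter? The Python below is an added example, not the article's or the project's code. It builds a constructed ZIP in memory with the same three file names the article lists (the batch file content and the placeholder file contents are assumed; the real script is not reproduced) and applies both checks.

```python
"""Static triage of a download that claims to be a PS Vita plugin.

Added example, not code from the article or from the EQVita project. It
constructs a ZIP with the three file names the article lists (contents are
harmless placeholders; the launcher line is an assumption) and applies two
checks a defender would make before running anything:
  1. platform mismatch: a "Vita plugin" that ships no Vita files
     (.skprx/.suprx/.vpk) but does ship Windows executables or batch files;
  2. interpreter abuse: a batch file that hands a non-script file (here .txt)
     to a script interpreter such as luajit.exe.
"""
import io
import zipfile

VITA_EXTENSIONS = {".skprx", ".suprx", ".vpk"}
WINDOWS_EXTENSIONS = {".exe", ".bat", ".cmd", ".dll", ".ps1"}
# Interpreters that run a script regardless of the file's extension.
SCRIPT_INTERPRETERS = {"luajit.exe", "lua.exe", "python.exe",
                       "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = {".lua", ".py", ".js", ".vbs", ".ps1"}


def build_constructed_sample():
    """Constructed stand-in for EQ_Vita_v1.3.zip: same names, harmless contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Launch.bat", "@echo off\r\nluajit.exe x64.txt\r\n")  # assumed launcher
        zf.writestr("luajit.exe", b"MZ placeholder, not a real binary")
        zf.writestr("x64.txt", "-- placeholder standing in for the disguised script\n")
    return buf.getvalue()


def _ext(name):
    """Lower-cased extension of a path inside an archive, or '' if none."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def platform_mismatch(names):
    """True when the archive has no Vita payload but carries Windows executables."""
    exts = {_ext(n) for n in names}
    return not (exts & VITA_EXTENSIONS) and bool(exts & WINDOWS_EXTENSIONS)


def disguised_script_launches(batch_text):
    """Return (interpreter, argument) pairs where a script interpreter is given
    a file whose extension is not a normal script extension."""
    hits = []
    for raw in batch_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::", "@echo")):
            continue
        tokens = line.split()
        exe = tokens[0].lower().rsplit("\\", 1)[-1]
        if exe not in SCRIPT_INTERPRETERS:
            continue
        for arg in tokens[1:]:
            if _ext(arg) not in SCRIPT_EXTENSIONS:
                hits.append((exe, arg))
    return hits


def triage_archive(zip_bytes):
    """Run both checks over an archive and return a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if platform_mismatch(names):
            findings.append("no Vita files (.skprx/.suprx/.vpk), but Windows executables present")
        for n in names:
            if _ext(n) in {".bat", ".cmd"}:
                text = zf.read(n).decode("utf-8", errors="replace")
                for exe, arg in disguised_script_launches(text):
                    findings.append(f"{n}: {exe} runs {arg}, which is not a script by extension")
    return findings


if __name__ == "__main__":
    for finding in triage_archive(build_constructed_sample()):
        print("FINDING:", finding)
```

Neither check proves a download is malicious on its own; legitimate PC-side tools exist, and some batch files launch interpreters for good reasons. Together, though, they surface exactly the combination the article describes: a supposedly console-side plugin that contains only Windows files and a launcher that feeds a ".txt" to a script engine.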
Malwarebytes blocks this threat, so protected users are stopped before the file can run.
How to spot the fake
Most Vita plugins are installed on the Vita, using tools like VitaShell or Autoplugin, and they come as Vita files (the kind ending in .skprx or .vpk).
Some legitimate tools in the scene—installers, file-transfer helpers, build tools—do run on a PC, so a Windows program isn’t automatically bad. The key is to check before you run it.
Is it well known? Is it widely used? Is it recommended by trusted community sources, or did you just stumble onto it in an unfamiliar repository? A “plugin” that quietly leans on a .bat file to launch a hidden program is exactly what that check is meant to catch.
A few habits help:
- Match the file to the device, and verify PC tools. Most Vita plugins are Vita files, not Windows programs. Some legitimate tools do run on your PC, so don’t panic at an .exe or .bat, but check that it’s a well-known, trusted tool before running it.
- Be wary of “Download Now” polish. Real homebrew READMEs are written for users like other developers. In this campaign, the fake repositories lean on AI-generated text, which tends to read like marketing: heavy on emoji, friendly phrasing, and a big download button. A project that pushes you to click fast deserves a second look.
- Stick to trusted sources. Established community hubs and trusted-source lists exist for a reason. Check before you download.
- Add another layer of protection. Malwarebytes Browser Guard can help block known malicious pages and downloads before they reach you.
If you have downloaded and run EQ_Vita_v1.3.zip, you should treat the computer as compromised. Here’s what to do:
- Run a full malware scan with up-to-date security software.
- Because this campaign delivers information-stealing malware, change your important passwords from a different, clean device, and review your accounts for unauthorized logins.
- If you keep any cryptocurrency on that computer, move your funds using a different, clean device and rotate your keys and seed phrases.
- Check your two-factor authentication (2FA) settings, as stealers can also target 2FA data.
- Finally, delete the three files and report the GitHub repository so it can be taken down.
It works because it doesn’t look like a scam. It lives on GitHub, where homebrew users already place their trust. It uses a real, harmless tool to do its dirty work. And it hides the dangerous part inside a file that looks like plain text. None of those tricks is clever on its own, but together they slip right past the quick checks most people actually do.
What makes this one worth noting is where it’s aimed. Retro communities run on goodwill—volunteers who keep old hardware alive, share their work for free, and vouch for one another’s tools. That same trust is what this campaign exploits, and every fake repository that slips through makes the next genuine project a little harder to trust.
The best defense is the one these communities already have: trusted-source lists, established wikis, and people who test things and report back. Verify where a file comes from before you run it, and when something doesn’t add up, say so. That habit is what keeps the scene safe for everyone in it.
Indicators of Compromise (IOCs)
Domains
https://github.com/Voistace/EQVita
https://voistace.github.io
C2
85.137.52.21
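Indicators like these are most useful when they are actually matched against something. The Python below is an added example, not code from the article: it takes the three indicator values listed above and checks constructed DNS and proxy log lines against them, matching the domain including any subdomains, the repository URL including paths beneath it, and the C2 address as an exact IP. The log lines and the client addresses in them are constructed for the example.

```python
"""Match the EQVita indicators against DNS and proxy log lines.

Added example for this article (not the article's own code). The indicator
values are the ones the article lists; the log lines are constructed.
"""
import re

IOC_DOMAINS = {"voistace.github.io"}
IOC_URLS = {"https://github.com/Voistace/EQVita"}
IOC_IPS = {"85.137.52.21"}

# Constructed log lines: a DNS query, two proxy entries, and one benign line.
SAMPLE_LOGS = [
    "2026-06-19T10:01:02Z dns client=10.0.0.23 query=voistace.github.io type=A",
    "2026-06-19T10:01:05Z proxy client=10.0.0.23 GET https://github.com/Voistace/EQVita/releases 200",
    "2026-06-19T10:03:44Z proxy client=10.0.0.23 CONNECT 85.137.52.21:443 200",
    "2026-06-19T10:04:10Z dns client=10.0.0.41 query=github.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def domain_matches(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def url_matches(url, iocs):
    """True if url equals an indicator URL or lies beneath its path."""
    u = url.lower().rstrip("/")
    for ioc in iocs:
        base = ioc.lower().rstrip("/")
        if u == base or u.startswith(base + "/"):
            return True
    return False


def match_line(line):
    """Return the set of indicator values a single log line touches."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(ip)
    for url in URL_RE.findall(line):
        for ioc in IOC_URLS:
            if url_matches(url, {ioc}):
                hits.add(ioc)
    for host in HOST_RE.findall(line):
        for ioc in IOC_DOMAINS:
            if domain_matches(host, {ioc}):
                hits.add(ioc)
    return hits


def scan_logs(lines):
    """Return (line, hits) for every line that touches at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(sorted(hits), "<-", line)
```

The hostname pattern is deliberately loose, so apply the indicator comparison rather than the regex alone when deciding what to alert on; the exact-IP, suffix-domain and prefix-URL rules are what make a hit meaningful.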
Kodak confirms breach as ShinyHunters’ leak threat reaches deadline
The Eastman Kodak Company (Kodak) confirmed to BleepingComputer that it is investigating a security breach after the ShinyHunters extortion group claimed responsibility for the incident.
Kodak is the latest organization to land on the group’s leak site. ShinyHunters claims it stole more than 2.2 million records and threatened to publish the data unless the company responded by June 18.
“Over 2.2 million records containing customer PII and other internal corporate data was compromised. This is a final warning to reach out by 18 June 2026 before we leak along with several annoying (digital) problems that’ll come your way.”
Kodak has now confirmed a data breach, while also saying the incident was limited in scope, contained, and did not pose a threat to its systems or operations.
ShinyHunters has been busy making the same point across multiple victims: modern extortion is often less about ransomware (encryption) and more about access, stealing valuable data, and applying pressure.
ShinyHunters claims it stole customer information and internal corporate data, but has not publicly provided proof. That’s a common pattern for extortion groups. They make public claims, set a deadline, and use the threat of a data leak to pressure victims before the full facts are known.
Kodak told SecurityWeek that an unauthorized third party gained access to a limited amount of company data, and that the incident appears to have been contained. The company said it brought in external cybersecurity experts, notified law enforcement, and believes there is no threat to its systems or operations.
It’s not yet known how the attackers gained entry to Kodak’s systems, but the extortion group is well-known for social engineering, bribery, and utilizing zero-day vulnerabilities to perform supply-chain attacks. The investigation is ongoing.
How to stay safe
While Kodak works to determine who was affected and exactly what information was accessed, there’s no reason to panic. But there are a few things you can do:
- Change the password on your Kodak account and make sure you haven’t reused the same password on other accounts.
- Turn on multi-factor authentication (MFA) wherever possible, to ensure that a stolen password is not enough to take over your account.
- If you’re in the US, consider placing a credit freeze with Equifax, Experian, and TransUnion. A credit freeze helps prevent identity thieves from opening new accounts in your name by blocking lenders from accessing your credit file.
- Depending on the information involved, Kodak may offer affected customers free credit monitoring. Even if it doesn’t, you may want to consider identity monitoring services, which can alert you if your personal information appears in suspicious places or is used to open accounts, apply for credit, or commit fraud.
- Check your Digital Footprint regularly to see if your personal details have been exposed.
Cybercriminals often exploit the confusion that follows a breach. They know victims will be expecting emails and updates from the affected company, making phishing messages more convincing.
Monitor Kodak’s official website for updates, and be skeptical of unsolicited emails, texts, or phone calls that reference the incident. Look for inconsistencies, unusual sender addresses, and strange links, and watch out for the two biggest warning signs: pressure to act immediately and requests for money, passwords, or personal information.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Roblox developers are losing entire games to malware attacks
Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game.
Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment.
From beaming to hostile takeover
Roblox attacks used to be opportunistic. “Beamers” targeted individual players to steal rare hats, limited items, and accounts, then resold them. The pattern has shifted. The new targets are developer accounts, and the prize is the game itself.
Ioannis Matziaris told 404 Media that his two 20-year-old sons spent five years building a Roblox game called The Shadow Network. In April, attackers approached one of them with a job offer and convinced him to run a particular file. It was malware. The attackers stole control of the game, the group’s Roblox account, and their Robux balance.
Another developer, Jovan Rai, received the same project-manager job pitch. This time, the attackers were impersonating Cheesy Studios, the Matziaris brothers’ company, to lend the offer credibility. The 15-year-old was earning roughly 10,000 Robux (around $38) per day from his game. He spent more than 30 days trying to recover it through Roblox support before media attention helped move the case forward.
The malware behind the theft
Developer Mohamed Kaparoza described how the attack worked. Attackers contacted him on Discord, dangled a project-manager role, and asked him to install a Python package called “robase,” which they claimed was a database tool. Shortly after installing it, he was logged out of Roblox on both his PC and his phone. His Discord account went with it, and his two-step verification settings and passkey were changed.
This is a case of session-token theft, rather than credential theft. Once an infostealer steals an authenticated browser session, attackers can often bypass security measures such as two-factor authentication (2FA) because they are reusing a session that has already been authenticated.
The technique itself isn’t new. We reported on a similar campaign in January 2025 that targeted Roblox players with offers to beta test new games. The “installer” was actually an infostealer designed to steal data, including Discord and Steam sessions, and cryptocurrency wallet information.
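From the service operator’s side, the tell for a replayed session is that a session id that completed MFA on one browser suddenly arrives with a different client fingerprint. The following is an added example (not Roblox’s or Malwarebytes’ code) that runs that check over a constructed access log; the log format, field names and event names are assumptions, and an IP change alone is noisy on mobile networks, so the user-agent mismatch is the stronger signal.

```python
# Constructed access-log sample: timestamp, session id, client IP, user agent, event.
SAMPLE_LOG = [
    "2025-04-02T10:00:00 sess=abc123 ip=203.0.113.5 ua=Firefox/125 event=login_mfa_ok",
    "2025-04-02T10:05:10 sess=abc123 ip=203.0.113.5 ua=Firefox/125 event=view_game",
    "2025-04-02T11:40:02 sess=abc123 ip=198.51.100.77 ua=python-requests/2.31 event=view_game",
    "2025-04-02T11:40:05 sess=abc123 ip=198.51.100.77 ua=python-requests/2.31 event=change_2fa",
    "2025-04-02T12:00:00 sess=def456 ip=192.0.2.9 ua=Chrome/124 event=login_mfa_ok",
    "2025-04-02T12:03:00 sess=def456 ip=192.0.2.9 ua=Chrome/124 event=view_game",
]

# Hypothetical event names for actions that lock the real owner out; worth an immediate revoke.
SENSITIVE_EVENTS = {"change_2fa", "change_passkey", "change_email", "transfer_group"}

def parse(line):
    """Split one 'key=value' log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def find_replayed_sessions(lines):
    """Bind each session id to the IP and user agent seen when MFA completed,
    then report every later request whose client fingerprint differs.
    Returns (session, timestamp, severity, reason) tuples."""
    bound = {}      # session id -> (ip, user agent) observed at login
    findings = []
    for rec in map(parse, lines):
        sess = rec["sess"]
        if rec["event"] == "login_mfa_ok":
            bound[sess] = (rec["ip"], rec["ua"])
            continue
        if sess not in bound:
            findings.append((sess, rec["ts"], "high", "session seen without a logged MFA login"))
            continue
        ip, ua = bound[sess]
        reasons = []
        if rec["ua"] != ua:
            reasons.append(f"user agent {ua} -> {rec['ua']}")
        if rec["ip"] != ip:
            reasons.append(f"ip {ip} -> {rec['ip']}")
        if reasons:
            severity = "high" if rec["event"] in SENSITIVE_EVENTS else "medium"
            findings.append((sess, rec["ts"], severity, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(*finding)
```

Detection after the fact is the fallback; a service should also require fresh re-authentication for the sensitive actions above regardless of fingerprint, so a replayed cookie cannot rotate 2FA or a passkey on its own.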
What developers can do
If you build Roblox games, the defensive advice is unglamorous and mostly behavioral.
- Treat unsolicited Discord job offers with caution. If a stranger asks you to install a “database tool,” a custom installer, or any file at all, do not run it.
- Developers who need to test unfamiliar software should do so in an isolated environment, such as a virtual machine, rather than on a device where they are signed in to Roblox, Discord, GitHub, or other important accounts.
- Review active Roblox sessions and signed-in devices regularly, and switch on Roblox’s Enhanced Protection features where available. They won’t stop session-stealer malware, but they can help protect against many other forms of account compromise.
- If the worst happens, document everything as early as possible. Keep records of messages, screenshots, account changes, and support requests to help with any recovery process.
- Use security software with real-time protection. Malwarebytes Premium can detect and block infostealers and other malware before they compromise your accounts.
