Security intelligence, curated for practitioners.

CYBERA's H2 2025 report reveals that money mule accounts—the financial exit points for scams—are the most stable and actionable target for fraud prevention. By using agentic personas to directly engage scammers and extract verified account intelligence before transactions occur, CYBERA identified over 16,000 confirmed mule accounts across 72 countries, with 28% remaining active 30+ days after detection, indicating systemic gaps in detection. Regulatory pressure is mounting globally as the UK mandates APP fraud reimbursement and the US, Canada, and Australia follow suit, making proactive mule account intelligence a critical defense lever.

Researchers used AI to identify 38 security vulnerabilities in OpenEMR, an open-source electronic health record (EHR) platform deployed across more than 100,000 healthcare providers worldwide. The flaws span database compromise, remote code execution, and data theft capabilities, exposing sensitive patient health information to potential attack. This discovery highlights both the security risks in widely-used healthcare infrastructure and the emerging role of AI in vulnerability detection.

Ukrainian authorities arrested three individuals (aged 19, 21, 22) who compromised over 610,000 Roblox gaming accounts between October 2025 and January 2026, generating $225,000 in profit. The threat group distributed info-stealing malware disguised as a game-enhancer tool to harvest login credentials, then categorized and sold accounts—including at least 357 high-value "elite" accounts—via Russian websites and closed online communities. The suspects face charges under theft and unauthorized IT system interference statutes, with sentences up to 15 years.

Offshore.LC is a bulletproof hosting provider operating across six jurisdictions (NL, RO, RU, UA, SE, FI) offering dedicated servers, VPS, and RDP with explicit DMCA non-responsiveness, zero-log policies, and crypto-only payments. The service markets itself as takedown-resistant infrastructure designed for threat actors, with anonymous signup, no KYC requirements, and full root access. This represents active criminal infrastructure-as-a-service targeting malicious actors.

A threat actor using the alias "Xorcat" claims to have breached Polymarket, a decentralized cryptocurrency prediction market, by exploiting multiple API vulnerabilities including undocumented endpoints, pagination bypass, CORS misconfiguration, and two publicly disclosed CVEs (CVE-2025-62718 and CVE-2024-51479). Polymarket denies the breach, asserting that most exposed data is already public on the blockchain and that the incident is likely data scraping rather than a true breach. Security researchers agree the evidence points to automated data harvesting rather than unauthorized system access.

A critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM) was patched in an emergency update across multiple product versions (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20). The flaw allows unauthenticated attackers to gain unauthorized access to the control panel, potentially compromising hosted websites, databases, and email. Namecheap temporarily blocked access to ports 2083 and 2087 to protect customers until patches became available.