ZeroFox Daily Intelligence Brief - August 18, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Crypto Worth USD 2.8 Million Linked to Zeppelin Ransomware Operator Seized
- Stolen PayPal Credentials for Sale on Dark Web Forum
- Geopolitical Focus: Russia-Ukraine Peace Talks, Shooting Incidents, and Natural Disasters
Crypto Worth USD 2.8 Million Linked to Zeppelin Ransomware Operator Seized
What we know: U.S. law enforcement has seized over USD 2.8 million in cryptocurrency linked to the suspected operator of Zeppelin ransomware, Ianis Aleksandrovich Antropenko. USD 70,000 in cash and a luxury vehicle were also seized.
Context: Zeppelin ransomware was active between 2019 and 2022, targeting multiple businesses and individuals worldwide, including in the United States. The operators typically encrypted victims' data and demanded a ransom to decrypt it, threatening to publish or sell the data if the ransom went unpaid.
Analyst note: The seizure shows that ransomware operators can be brought to justice even years after their activity has stopped. Confiscating the assets is also likely to prevent affiliates from using the proceeds to rebuild criminal infrastructure.
Stolen PayPal Credentials for Sale on Dark Web Forum
Source: https://hackread.com/threat-actor-selling-plain-text-paypal-credentials/
What we know: Threat actor "Chucky_BF" is allegedly selling a dataset of more than 15 million PayPal logins on a cybercrime forum for USD 750.
Context: The 1.1 GB dataset, described as “Global PayPal Credential Dump 2025,” reportedly includes emails, plaintext passwords, and URLs. Additionally, Chucky_BF claims that many of the passwords are reused.
Analyst note: If the leak is genuine, it likely exposes affected users to social engineering, impersonation, and financial fraud. Buyers could also use the data for credential stuffing and brute-force attacks, against PayPal accounts and, given the claimed password reuse, against other services as well.
Geopolitical Focus: Russia-Ukraine Peace Talks, Shooting Incidents, and Natural Disasters
- U.S. President Donald Trump will meet Ukrainian President Volodymyr Zelensky and European leaders in Washington on August 18 to discuss ending the war with Russia. Trump met with Russian leader Vladimir Putin on August 15, where he pushed for a permanent peace deal instead of a ceasefire and hinted at a possible NATO-like security pact for Ukraine.
- Meanwhile, Russian strikes on Ukraine continued on August 17, with a missile hitting Kharkiv and injuring 11 people.
- On August 17, a shooting at a Brooklyn nightclub left three dead and nine injured. Authorities are investigating the possibility of multiple shooters. Another shooting outside a pub in Sydney, Australia, on the same day left one man dead and another seriously wounded.
- On August 17, Spain battled 20 significant wildfires, hindered by intense heat. In response, the government dispatched 500 additional troops from the military emergency unit to assist firefighting efforts. In Pakistan, flash floods caused by heavy monsoon rains have reportedly resulted in at least 321 fatalities.
DEEP AND DARK WEB INTELLIGENCE
Crypto-laundering exchange Grinex sanctioned: The U.S. Treasury has sanctioned Grinex, the successor to the Russian crypto exchange Garantex, along with several associated individuals and entities, for laundering ransomware proceeds and evading prior sanctions. Further successors are likely to emerge as sanctioned actors continue to operate through rebranded exchanges.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Plex vulnerability: Plex has asked users of certain versions of its media server to update immediately following a recently patched vulnerability. The flaw was reportedly reported through the company's bug bounty program, and Plex has yet to disclose the details. The vulnerability is likely to be actively exploited once details are published, as earlier Plex Media Server flaws have reportedly been exploited in the wild.
Affected products: Plex Media Server versions 1.41.7.x to 1.42.0.x
Tags: DIB, tlp:green