
ZeroFox Daily Intelligence Brief - November 5, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • U.S. Sanctions North Korean Bankers and Entities for Laundering Cybercrime Proceeds
  • EU Cracks Down on EUR 600 Million Crypto Laundering Network
  • Top EU Officials' Location Data Exposed via Data Broker

U.S. Sanctions North Korean Bankers and Entities for Laundering Cybercrime Proceeds

Source: https://home.treasury.gov/news/press-releases/sb0302

What we know: The United States has sanctioned eight individuals and two entities for laundering funds to North Korea, derived through cybercrime and information technology (IT) worker fraud. These funds aid the regime’s nuclear weapons program, posing a direct threat to the United States and global security.

Context: The sanctioned entities and individuals include North Korean bankers, an IT company operating worker delegations in at least two cities in China, and a financial institution providing assistance to Pyongyang to avoid sanctions.

Analyst note: The new sanctions, together with existing ones, are likely to help map the broader network supporting North Korean cybercrime. Individuals and entities operating in Chinese border cities such as Dandong and Shenyang are likely to face increased scrutiny for unusual or high-value transactions related to the United States.

EU Cracks Down on EUR 600 Million Crypto Laundering Network

Source: https://www.eurojust.europa.eu/news/decisive-actions-against-cryptocurrency-scammers-earning-over-eur-600-million

What we know: Nine suspects have been arrested in Cyprus, Spain, and Germany for running a crypto money-laundering network that defrauded victims of over EUR 600 million. The operation also led to the seizure of around EUR 1.5 million in cash, crypto, and bank assets.

Context: The group ran fake cryptocurrency investment websites that mimicked legitimate platforms and lured victims through ads, cold calls, and fake celebrity endorsements. Once victims sent their funds, the scammers stole the money and laundered it through blockchain transactions.

Analyst note: After this operation, criminals are likely, in the short term, to avoid current laundering routes since they could be monitored. They could instead seek alternative, less traceable channels, such as smaller exchanges and privacy-focused cryptocurrencies.

Top EU Officials' Location Data Exposed via Data Broker

Source: https://techcrunch.com/2025/11/04/phone-location-data-of-top-eu-officials-for-sale-report-finds/

What we know: European journalists reportedly found it “easy” to buy commercial phone-location data from a data broker and track top European Union (EU) officials, confirming granular movement data for hundreds of devices linked to EU officials.

Context: A data broker offered a sample dataset containing 278 million mobile-location points from devices across Belgium, sourced from ordinary applications. Reporters reviewing the data found 2,000 location markers tied to 264 devices used around sensitive EU Commission areas and 5,800 markers linked to over 750 devices near the European Parliament.

Analyst note: Commercial data streams can bypass security controls and provide intelligence insight into officials’ movements, meetings, and secure locations without hacking. This could enable cybercriminals and hostile actors to track targets in real time, identify sensitive travel, and facilitate coercion, blackmail, or physical threats. It also gives foreign intelligence an avenue to monitor diplomatic activity and exploit behavioral patterns to influence or recruit insiders.

DEEP AND DARK WEB INTELLIGENCE

Nikkei data breach: Japanese publishing company Nikkei has disclosed a data breach exposing personal information and chat histories of over 17,368 employees and business partners. Threat actors stole an employee's Slack authentication credentials after infecting the target's computer with malware. Threat actors are likely to demand a ransom in exchange for not exposing or selling confidential business information. In recent months, multiple Japanese entities have faced data breaches, theft, and hacks, likely indicating regional targeting.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-11953: A critical flaw in the React Native Metro development server enables unauthenticated attackers to send crafted POST requests and execute arbitrary OS commands on Windows, with limited code-execution impact on macOS/Linux. Because the development server binds to external interfaces by default, attackers can exploit it remotely and not just via local access. This could enable adversaries to breach developer environments, plant malicious code in mobile or web apps, and abuse the toolchain for broader supply-chain attacks, potentially resulting in downstream compromise of applications built with React Native.

Affected products: @react-native-community/cli and @react-native-community/cli-server-api packages, versions 4.8.0 to 20.0.0-alpha.2
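As an added example (not part of the brief and not ZeroFox or React Native project code), the script below checks a project's package-lock.json for installed copies of the two affected packages and flags any version inside the inclusive range 4.8.0 to 20.0.0-alpha.2 stated above. It implements semver ordering itself so that the pre-release upper bound is handled correctly: 20.0.0-alpha.2 is affected, while the later 20.0.0-beta.1 and the final 20.0.0 release are not. The sample lockfile and its version numbers are constructed for illustration, not taken from a real project.

```python
"""Scan a package-lock.json (lockfile v2/v3 layout) for CVE-2025-11953 affected versions."""
import json
import re

# Affected packages and inclusive version bounds, as stated in the brief.
AFFECTED_PACKAGES = {
    "@react-native-community/cli",
    "@react-native-community/cli-server-api",
}
RANGE_LOW = "4.8.0"
RANGE_HIGH = "20.0.0-alpha.2"

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Split 'MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]' into ((M, m, p), prerelease_or_None)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def _pre_key(prerelease):
    # Semver rule: numeric identifiers compare numerically and rank below alphanumeric ones;
    # a shorter identifier list that is a prefix of a longer one ranks lower.
    key = []
    for ident in prerelease.split("."):
        if ident.isdigit():
            key.append((0, int(ident), ""))
        else:
            key.append((1, 0, ident))
    return key


def compare_semver(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under semver precedence."""
    core_a, pre_a = parse_semver(a)
    core_b, pre_b = parse_semver(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if pre_a is None and pre_b is None:
        return 0
    if pre_a is None:
        return 1  # a release outranks any pre-release of the same core version
    if pre_b is None:
        return -1
    key_a, key_b = _pre_key(pre_a), _pre_key(pre_b)
    if key_a == key_b:
        return 0
    return -1 if key_a < key_b else 1


def is_affected(name, version):
    """True when `name` is one of the affected packages and `version` lies within the range."""
    if name not in AFFECTED_PACKAGES:
        return False
    return (compare_semver(RANGE_LOW, version) <= 0
            and compare_semver(version, RANGE_HIGH) <= 0)


def scan_lockfile(lock_json):
    """Return sorted (package, version) pairs from a lockfile's "packages" map that are affected.

    Keys look like "node_modules/<name>" or, for nested installs,
    "node_modules/<parent>/node_modules/<name>"; the package name is the part after the
    last "node_modules/". The empty key is the root project and is skipped.
    """
    data = json.loads(lock_json)
    hits = set()
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue
        name = path.split("node_modules/")[-1]
        version = meta.get("version")
        if version and is_affected(name, version):
            hits.add((name, version))
    return sorted(hits)


# Constructed sample lockfile: the version numbers are illustrative, not from a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@react-native-community/cli": {"version": "15.1.3"},
        "node_modules/@react-native-community/cli-server-api": {"version": "20.0.0-alpha.2"},
        "node_modules/some-dep/node_modules/@react-native-community/cli": {"version": "20.0.0"},
        "node_modules/react-native": {"version": "0.76.0"},
    },
})

if __name__ == "__main__":
    for name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version}")
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's package-lock.json. The check covers only the version range from the advisory; it does not tell you whether a Metro development server is currently running or which interface it is bound to, so pair it with a review of how developer machines expose the dev server on the network.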

Tags: DIB, tlp:green