ZeroFox Weekly Intelligence Brief – December 6, 2025

by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on December 4, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

U.S. Justice Department Hits Burmese Tai Chang Network with Domain Seizure

What we know:

  • The U.S. Department of Justice (DOJ) seized the tickmilleas[.]com domain, which was actively used to defraud Americans through cryptocurrency investment fraud (CIF) scams.
  • Posing as “a legitimate investment platform,” the site tricked victims into depositing funds while showing fabricated returns and fake deposits to simulate real investments.
  • Within one month of registration, the Federal Bureau of Investigation (FBI) identified multiple victims who had already lost money.
  • A splash page now alerts visitors that the domain has been seized, effectively disrupting the scammers’ operations.

Authorities Shut Down Cryptomixer, Seizing EUR 25 Million in Bitcoin

What we know:

  • Law enforcement agencies have taken down the illegal cryptocurrency mixing service Cryptomixer, which was suspected of facilitating cybercrime and money laundering.
  • During the operation, authorities seized three servers, the cryptomixer[.]io domain, over 12 TB of data, and more than EUR 25 million (approximately USD 29 million) in Bitcoin.

North Korean Threat Actors Load npm Packages With Malware

What we know:

  • North Korean threat actors behind the Contagious Interview campaign have reportedly added nearly 200 new malicious npm packages, which have been downloaded over 31,000 times, to deliver an updated OtterCookie malware variant.

Tags: tlp:green