ZeroFox Daily Intelligence Brief - December 17, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Major Ukrainian Call Center Scam Network Disrupted
- FTC Takes Action Against Illusory Systems Following USD 186 Million Security Breach
- ShinyHunters Claims Data Theft From Popular Adult Site
Major Ukrainian Call Center Scam Network Disrupted
Source: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
What we know: European law enforcement agencies have dismantled a large cross-border fraud operation run from call centers in Ukraine. Authorities searched multiple locations and arrested several suspects, seizing vehicles, weapons, cash, computers, forged identity documents, and other equipment used in the scams.
Context: The network involved around 100 people and defrauded more than 400 victims across Europe of over EUR 10 million (approximately USD 11 million). Scammers impersonated bank staff or police officers to pressure victims into moving funds to purported "safe" accounts. They also induced victims to install remote access software, which let the criminals take over the victims' online banking sessions and accounts.
Analyst note: The law enforcement action likely halted ongoing social-engineering operations, preventing further real-time account takeovers and fraudulent transfers.
FTC Takes Action Against Illusory Systems Following USD 186 Million Security Breach
What we know: The U.S. Federal Trade Commission (FTC) has taken action against Illusory Systems (doing business as Nomad), a blockchain infrastructure company, after a major security breach enabled threat actors to steal USD 186 million from customers.
Context: The FTC alleged Nomad marketed itself as “security-first” while failing to implement basic security and incident response measures. Threat actors reportedly exploited a critical vulnerability introduced through inadequately tested code, which Nomad failed to detect or contain.
Analyst note: Implementing the security program measures the FTC has called for is likely to address the identified weaknesses and reduce the risk of further attacks. Robust security controls, including code review, testing, and incident detection and response, protect consumers and connected vendors from financial and data losses and help prevent software supply chain compromises.
ShinyHunters Claims Data Theft From Popular Adult Site
What we know: Threat group “ShinyHunters” is claiming to have stolen data from a popular adult website, allegedly affecting premium subscribers of the site. ShinyHunters is threatening to publish the data if the ransom is not paid.
Context: A news agency confirmed partial authentication of sample data shared by the group. The adult site has blamed the breach on third-party data analytics provider Mixpanel. Mixpanel has denied the allegation, stating that the data in question was last accessed in 2023 by a legitimate employee of the site's parent company, Aylo.
Analyst note: Exposed individuals are likely at risk of blackmail and extortion if the data is published or sold. Threat actors are very likely recruiting insiders at target organizations more often to steal sensitive data, a tactic also used by the threat collective Scattered Lapsus$ Hunters (whose links to ShinyHunters remain disputed). ZeroFox has observed threat actors soliciting employees across organizations for network access in deep and dark web posts.
DEEP AND DARK WEB INTELLIGENCE
Telegram user Infrastructure Destruction Squad: Threat group “Infrastructure Destruction Squad” (IDS) has claimed to have gained unauthorized access to supervisory control and data acquisition (SCADA) networks of three organizations located in the United States, Romania, and Norway. The United States recently warned of pro-Russia hacktivists targeting SCADA networks. While IDS’s national affiliation is unverified, the alleged access is very likely to appeal to Russian and Chinese threat actors, including state-sponsored actors.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-59718: This is an improper verification of cryptographic signature vulnerability (CWE-347) in Fortinet products, and it is being actively exploited. The flaw enables an attacker to bypass FortiCloud SSO login authentication with a crafted SAML response message. Because the affected devices are themselves enterprise security controls protecting networks, servers, and applications, successful exploitation is likely to turn the appliance into the point of entry, leading to network intrusion and data theft.
Affected products: See the vendor advisory for the list of affected products.
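The CVE above belongs to the class of SAML consumer bugs in which the service provider does not tie the signature it verifies to the assertion it actually trusts. The following Python is an added illustration of that class, written for this brief; it is not Fortinet code and does not reproduce the FortiCloud SSO flaw, whose mechanism the advisory summary does not detail. It models a toy SAML-style Response: weak_verify() shows two classic mistakes (accepting a response with no Signature at all, and reading the subject from the first Assertion rather than the one the Signature covers, i.e. XML signature wrapping), while strict_verify() performs the checks a correct consumer makes. The HMAC-SHA256 stand-in for XML-DSig, the IdP key, the audience URL, and the element and subject names are all constructed assumptions.

```python
"""Toy SAML-style response verifier: weak vs. strict signature handling.

Added example, not Fortinet code. HMAC-SHA256 with a constructed key stands in for
XML-DSig (RSA/ECDSA over canonicalized XML); every identifier below is hypothetical.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

IDP_KEY = b"constructed-idp-signing-key"               # constructed; a real IdP signs with a certificate
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml"  # hypothetical SP entity ID
DEMO_NOW = datetime(2025, 12, 17, 12, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)          # past the 5-minute validity window


def canon(elem):
    """Deterministic bytes for one element, ignoring any text that trails it in the document."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c)


def sign(data):
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


def issue_response(subject, now, ttl_minutes=5):
    """Simulated IdP: one signed Assertion plus a detached Signature referencing it by ID."""
    a = ET.Element("Assertion", ID="_a1")
    ET.SubElement(a, "Subject").text = subject
    ET.SubElement(a, "Conditions", NotBefore=now.isoformat(),
                  NotOnOrAfter=(now + timedelta(minutes=ttl_minutes)).isoformat())
    ET.SubElement(a, "Audience").text = EXPECTED_AUDIENCE
    assertion = canon(a)
    sig = (b'<Signature><Reference URI="#_a1"/><SignatureValue>'
           + sign(assertion).encode() + b"</SignatureValue></Signature>")
    return b"<Response>" + assertion + sig + b"</Response>"


def wrap_with_forged_assertion(genuine_response, forged_subject):
    """Attacker: keep the IdP's genuine signed Assertion, prepend an unsigned one for another subject."""
    root = ET.fromstring(genuine_response)
    forged = ET.Element("Assertion", ID="_evil")
    ET.SubElement(forged, "Subject").text = forged_subject
    root.insert(0, forged)
    return ET.tostring(root)


def strip_signature(genuine_response):
    """Attacker: remove the Signature element entirely."""
    root = ET.fromstring(genuine_response)
    root.remove(root.find("Signature"))
    return ET.tostring(root)


def _signature_ok(sig, target):
    """True only if sig references target by ID and its value matches target's bytes."""
    ref = sig.find("Reference")
    if ref is None or target.get("ID") is None or ref.get("URI") != "#" + target.get("ID"):
        return False
    expected = sign(canon(target)).encode()
    return hmac.compare_digest(expected, (sig.findtext("SignatureValue") or "").encode())


def weak_verify(response):
    """Vulnerable SP: checks a signature only if one is present, then trusts the first Assertion."""
    root = ET.fromstring(response)
    sig = root.find("Signature")
    if sig is not None:
        ref = sig.find("Reference")
        ref_id = (ref.get("URI", "") if ref is not None else "").lstrip("#")
        target = next((a for a in root.iter("Assertion") if a.get("ID") == ref_id), None)
        if target is None or not _signature_ok(sig, target):
            return None
    # Flaw 1: a response with no Signature element falls through as "verified".
    # Flaw 2: the subject comes from the first Assertion, which need not be the signed one.
    return root.findtext("Assertion/Subject")


def strict_verify(response, now):
    """Hardened SP: signature required, over exactly the one Assertion consumed, plus freshness and audience."""
    root = ET.fromstring(response)
    sig = root.find("Signature")
    assertions = root.findall("Assertion")
    if sig is None or len(assertions) != 1:        # unsigned, or extra assertions smuggled in
        return None
    target = assertions[0]
    if not _signature_ok(sig, target):
        return None
    cond = target.find("Conditions")
    try:
        not_before = datetime.fromisoformat(cond.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        return None
    if not (not_before <= now < not_on_or_after):  # replayed or not-yet-valid assertion
        return None
    if target.findtext("Audience") != EXPECTED_AUDIENCE:  # assertion issued for a different SP
        return None
    return target.findtext("Subject")


if __name__ == "__main__":
    genuine = issue_response("alice", DEMO_NOW)
    wrapped = wrap_with_forged_assertion(genuine, "admin")
    unsigned = strip_signature(genuine)
    print("weak  :", weak_verify(genuine), weak_verify(wrapped), weak_verify(unsigned))
    print("strict:", strict_verify(genuine, DEMO_NOW), strict_verify(wrapped, DEMO_NOW),
          strict_verify(unsigned, DEMO_NOW))
```

Run as a script, the weak verifier accepts "admin" from the wrapped response and "alice" from the unsigned one, while the strict verifier returns None for both and accepts only the genuine, in-window response. The design point is that the signature check must be anchored to the exact element whose contents are consumed, and an absent signature must be a hard failure rather than a skipped step; a real SAML library additionally validates the signing certificate against the configured IdP metadata rather than any KeyInfo embedded in the message.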
Tags: DIB, tlp:green