Today’s Topics:

• LockBit Admin Panel Hacked: Leaked Data Offers Rare Insight into Ransomware Operations
• Google to Pay $1.375 Billion in Texas Settlement Over Unauthorized Location and Biometric Tracking
• How can Netizen help?

LockBit Admin Panel Hacked: Leaked Data Offers Rare Insight into Ransomware Operations

On May 7, an administration panel belonging to the LockBit ransomware-as-a-service (RaaS) operation was compromised, resulting in the public release of internal communications, attacker infrastructure details, and affiliate negotiation records—information with immediate value to law enforcement, incident response teams, and threat intelligence researchers.

The attacker defaced a LockBit admin domain with the message: “Don’t do crime, crime is bad xoxo from Prague,” along with a link to a compressed archive containing data extracted from the compromised server. This includes:

• Bitcoin wallet addresses tied to affiliate transactions
• Chat logs between affiliates and victims
• TOX IDs, usernames, and passwords for 76 registered users
• Indicators of infrastructure, malware, and operational procedures

Rapid7’s Christiaan Beek confirmed that the Bitcoin wallet addresses could aid law enforcement in tracing transactions and identifying actors involved in LockBit’s affiliate network. Searchlight Cyber’s Luke Donovan reported that 22 of the leaked user accounts were associated with TOX IDs—metadata commonly reused across dark web forums. Researchers were able to correlate some of these to known threat actor aliases, potentially enabling further attribution or linking affiliate activity across campaigns.

The chat logs—spanning December 2024 to April 2025—expose negotiation tactics in detail. According to Beek, affiliates pressured victims with rapid ransom demands that varied significantly, sometimes requesting amounts as low as $5,000 and in other cases demanding six-figure payments. This range of tactics provides valuable insight for incident responders and negotiators working on live ransomware cases.

Donovan noted similarities between this attack and a prior defacement of the Everest ransomware group’s infrastructure, suggesting the breach may stem from infighting or retaliation within the cybercriminal ecosystem. Though attribution remains speculative, the reused messaging indicates the same threat actor may be behind both compromises.

LockBit has acknowledged the breach but claimed no victim data or decryptors were exposed. The group’s figurehead, known as LockBitSupp—identified by law enforcement as Russian national Dmitry Yuryevich Khoroshev—has publicly offered a reward for information on the identity of the attacker responsible.

While LockBit infrastructure was dealt a significant blow in coordinated takedowns last year, this leak is one of the most substantial windows into their internal operations to date. For security teams and intelligence analysts, the exposed records offer a rare opportunity to better understand affiliate dynamics, operational workflows, and negotiation strategies used in active ransomware campaigns.

Security teams should review the leaked indicators, monitor for reused TOX IDs or wallet addresses, and remain alert to opportunistic attacks or impersonation attempts stemming from the breach.

Google to Pay $1.375 Billion in Texas Settlement Over Unauthorized Location and Biometric Tracking

Google has agreed to pay $1.375 billion to the state of Texas to settle two major lawsuits alleging the unauthorized tracking of users’ physical location and the collection of biometric data, including facial recognition and voiceprints—without user consent. The figure represents the largest privacy-related settlement Google has made with a single U.S. state and far exceeds the amounts it previously paid in similar lawsuits across other jurisdictions.

Filed in 2022 by Texas Attorney General Ken Paxton, the lawsuits accused Google of violating state privacy laws by tracking users’ movements even when location history was turned off, recording incognito searches, and capturing biometric identifiers such as facial geometry and voice profiles without explicit user permission. These practices were allegedly performed through core services like Google Maps, Search, and Photos.

“For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services,” said Attorney General Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust.”

The magnitude of this settlement not only surpasses Google’s $391 million payout to 40 states in 2022, but also its $93 million agreement with California in 2023 and a $29.5 million resolution involving Indiana and Washington. It is on par with the $1.4 billion settlement Meta reached with Texas over similar biometric privacy violations.

In response to regulatory and public pressure, Google has made incremental privacy changes. These include storing Maps Timeline data locally on users’ devices rather than in the cloud and introducing auto-deletion controls for location data when tracking features are enabled.

With increasing regulatory scrutiny from both U.S. and international authorities, this settlement further intensifies pressure on Google, which is already facing antitrust calls to break up key areas of its business. Privacy professionals should view this as a signal to review data handling practices—particularly those involving sensitive categories such as biometrics and geolocation—and ensure compliance with both existing and emerging state-level regulations.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Today’s Topics:

• Microsoft Pushes Passkeys as Default for New Accounts, Paving the Way for a Passwordless Future
• Disk-Wiping Linux Malware Hidden in Malicious Go Modules Highlights Growing Supply Chain Risk
• How can Netizen help?

Microsoft Pushes Passkeys as Default for New Accounts, Paving the Way for a Passwordless Future

Microsoft is now setting passkeys as the default sign-in method for all newly created consumer accounts, part of a broader industry push to eliminate passwords altogether. According to a joint announcement by Microsoft executives Joy Chik and Vasu Jakkal, the change means that new users will never need to create or manage a traditional password, instead relying on phishing-resistant authentication methods like biometrics and device-based verification.

The update streamlines the sign-up and login process, automatically selecting the most secure available method for each user. For instance, if both a password and a one-time code are present, the system will default to the code, prompting users to upgrade to a passkey afterward.

This shift aligns Microsoft with Apple, Google, Amazon, and other major tech firms that are accelerating adoption of passwordless authentication through the use of passkeys. Passkeys are supported by the FIDO (Fast Identity Online) Alliance and leverage public/private key cryptography to verify a user’s identity. When a user registers with a service, their device creates a secure key pair—one private key stored locally, and one public key shared with the service. Authentication requires the user to confirm their identity using biometrics or a device PIN, which then signs a cryptographic challenge with the private key.

Passkeys remove the need to remember or store passwords, reducing the attack surface for phishing, credential stuffing, and brute-force attacks. As a result, they’re increasingly viewed as a critical defense against account compromise.

As of late 2024, more than 15 billion user accounts globally support passkey authentication, and Microsoft’s decision to make it the default marks a significant step toward standardizing this method. The company first introduced passkey support in Windows 11 in September 2023, followed by enhancements to Windows Hello. Google similarly began rolling out passkeys as the default login method that same year.

In addition to improving security for consumer accounts, the FIDO Alliance recently announced a Payments Working Group to explore how passkeys can be applied in payment authentication systems—furthering the goal of widespread passwordless security in both consumer and enterprise environments.

Existing Microsoft account holders can switch to passkeys by removing their password in their account settings, making full adoption a user-controlled option. With this update, Microsoft makes clear that the future of secure login doesn’t involve passwords at all.

Disk-Wiping Linux Malware Hidden in Malicious Go Modules Highlights Growing Supply Chain Risk

Researchers have uncovered three malicious Go modules that deliver a destructive disk-wiping payload to Linux systems, underscoring the severe threat posed by software supply chain attacks. Disguised as legitimate packages, these modules contain heavily obfuscated code that fetches a remote shell script designed to overwrite the system’s primary disk (/dev/sda) with zeroes—permanently disabling the machine.

The compromised Go modules are:

• github[.]com/truthfulpharm/prototransform
• github[.]com/blankloggia/go-mcp
• github[.]com/steelpoor/tlsproxy

According to Socket researcher Kush Pandya, once executed, the packages confirm the host OS is Linux and then download the payload using wget. The script executes without warning, rendering the system unbootable and erasing all data beyond recovery.

“This malicious script leaves targeted Linux servers or developer environments entirely crippled,” Pandya said. “It highlights the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.”

The Go module discovery comes amid a broader trend: researchers from Socket, Sonatype, and Fortinet have also found dozens of malicious packages in the npm and PyPI ecosystems targeting cryptocurrency users and developers.

Malicious npm packages targeting crypto wallets:

• crypto-encrypt-ts
• react-native-scrollpageviewtest
• bankingbundleserv
• buttonfactoryserv-paypal
• tommyboytesting
• compliancereadserv-paypal
• oauth2-paypal
• paymentapiplatformservice-paypal
• userbridge-paypal
• userrelationship-paypal

These packages aim to steal mnemonic seed phrases and private keys used for cryptocurrency wallets, exfiltrating data to attacker-controlled infrastructure.

Malicious PyPI packages abusing Gmail and WebSockets:

• cfc-bsb (2,913 downloads)
• coffin2022 (6,571 downloads)
• coffin-codes-2022 (18,126 downloads)
• coffin-codes-net (6,144 downloads)
• coffin-codes-net2 (6,238 downloads)
• coffin-codes-pro (9,012 downloads)
• coffin-grave (6,544 downloads)

These packages used hard-coded Gmail credentials to quietly send stolen data via SMTP and open remote access channels over WebSockets. This allowed attackers to bypass network detection by leveraging trusted domains such as smtp.gmail.com.

Olivia Brown, another researcher at Socket, warned that even long-standing packages can be repurposed for malicious use. “Do not trust a package solely because it has existed for more than a few years without being taken down.”

To defend against these supply chain attacks, security teams and developers should:

• Audit all open-source dependencies frequently.
• Verify package authorship, repository links, and update history.
• Monitor network traffic for unusual outbound connections, including unexpected SMTP or WebSocket activity.
• Apply strict access controls to protect sensitive environment variables and private keys.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.