A new Rust-based malware, codenamed VENON, targets 33 Brazilian banks and digital asset platforms. The malware uses credential-stealing overlays and shares behaviors with known Latin American banking trojans. It employs sophisticated evasion techniques and is distributed via social engineering ploys, including DLL side-loading and a complex infection chain. The malware's developer appears to have used generative AI to rewrite and expand functionalities in Rust, indicating significant technical expertise.

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations.

Veeam has released security updates to address multiple vulnerabilities in its Backup & Replication software, including critical remote code execution (RCE) flaws. The latest updates patch four new RCE vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business.

Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real-time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.

The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added **CVE-2025-68613** to its **Known Exploited Vulnerabilities (KEV) catalog**, mandating federal agencies to patch n8n instances by **March 25, 2026**, due to **active exploitation** of this critical remote code execution (RCE) flaw. Meanwhile, **Pillar Security** has disclosed two new critical vulnerabilities (**CVE-2026-27577** and **CVE-2026-27493**), with the latter being a **zero-click, unauthenticated flaw** that allows **full server compromise** via public form endpoints (e.g., a "Contact Us" form) without requiring authentication or user interaction. Over **40,000 unpatched instances** remain exposed globally, with **18,000+ in North America and 14,000+ in Europe**, per Shadowserver data. This development follows a series of **critical n8n vulnerabilities** disclosed since late 2025, including **CVE-2026-21877 (CVSS 10.0)**, **CVE-2026-21858 (unauthenticated RCE)**, and **four March 2026 flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)** enabling **sandbox escapes, credential theft, and unauthenticated expression injection**. Affected versions span **<1.123.22, >=2.0.0 <2.9.3, and >=2.10.0 <2.10.1**, with patches available in **1.123.22, 2.9.3, and 2.10.1**. The platform’s widespread use in **AI orchestration and enterprise automation**—coupled with its storage of **API keys, database credentials, and cloud secrets**—makes it a prime target for attackers seeking **full server compromise** or **lateral movement into connected systems**.

Google paid $17.1 million to 747 security researchers in 2025 through its Vulnerability Reward Program (VRP), marking the highest payout in the program's history. The total payouts since 2010 have surpassed $81.6 million. The program expanded in 2025 with new initiatives, including the AI Vulnerability Rewards Program and rewards for OSV-SCALIBR, an open-source tool for finding security flaws in software dependencies. The highest reward in 2025 was $250,000, while the highest reward in 2024 was $100,115 for a MiraclePtr Bypass.

Telus Digital, the business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, has confirmed a security breach after threat actors known as ShinyHunters claimed to have stolen nearly 1 petabyte of data. The breach, which involved unauthorized access to a limited number of Telus Digital's systems, is currently under investigation. ShinyHunters claims to have accessed a wide range of customer data related to Telus' BPO operations and call records for Telus' consumer telecommunications division. The threat actors reportedly used Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach to gain initial access. Telus has engaged cyber forensics experts and is working with law enforcement to manage the situation.

Cybercriminals are actively trading compromised airline and hotel loyalty accounts in underground markets, converting stolen miles into real-world travel commodities. The process involves credential compromise, inventory listing, redemption, and resale at discounted rates. This fraudulent activity is structured, with repeated sellers and a focus on major brands like United, American Airlines, Delta, Marriott, and Hilton. The monetization model follows four stages: gaining control over loyalty accounts, identifying valid miles, redeeming miles for travel, and reselling the bookings. The fraud is challenging to detect and recover from due to the conversion of points into tangible assets.

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. The exploit kit includes a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds. It uses custom encryption and compression methods to deliver payloads and is ineffective against the latest iOS versions. CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering federal agencies to patch the vulnerabilities by March 26, 2026. CISA also urged all organizations to prioritize patching these flaws to secure their devices against attacks. Apple has backported fixes for CVE-2023-43010 to older iOS versions to address vulnerabilities used in the Coruna exploit kit. The vulnerability relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The fix was originally shipped in iOS 17.2 on December 11th, 2023, and the latest round of fixes brings the patch to older versions of iOS and iPadOS, including iOS 15.8.7 and iPadOS 15.8.7, and iOS 16.7.15 and iPadOS 16.7.15. Additionally, iOS 15.8.7 and iPadOS 15.8.7 incorporate patches for three more vulnerabilities associated with the Coruna exploit: CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222. Coruna may have been designed by U.S. military contractor L3Harris and passed to Russian exploit broker Operation Zero by Peter Williams. The exploit kit uses two exploits (CVE-2023-32434 and CVE-2023-38606) that were weaponized as zero-days in a campaign dubbed Operation Triangulation targeting users in Russia in 2023. Apple has released security updates to patch older iPhones and iPads against vulnerabilities targeted by the Coruna exploit kit. The patches address vulnerabilities CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010. The affected devices include a wide range of older models running iOS 15.8.7/16.7.15 and iPadOS 15.8.7/16.7.15. CISA added three of the 23 vulnerabilities targeted by Coruna to its catalog of Known Exploited Vulnerabilities, including CVE-2023-43010. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch their iOS devices by March 26, 2026, as mandated by the Binding Operational Directive (BOD) 22-01. Apple has also fixed a zero-day vulnerability (CVE-2026-20700) exploited in an "extremely sophisticated attack" targeting specific individuals and allowing threat actors to execute arbitrary code on compromised devices.

Modern phishing attacks increasingly use trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic to evade traditional detection methods. This poses significant challenges for Security Operations Centers (SOCs), as they struggle to handle the volume and sophistication of these attacks. The consequences include stolen corporate identities, account takeovers, lateral movement through SaaS and cloud platforms, delayed incident detection, operational disruption, financial impact, and regulatory consequences. To address these issues, CISOs are prioritizing the scaling of phishing detection to operate at the same speed and scale as the attacks themselves.

Meta has introduced new tools to protect users of Messenger and WhatsApp from scams. The tools include warnings for screen sharing during video calls on WhatsApp, a scam detection feature on Messenger, and a new security feature to help users spot potential scams when being added to a group chat by unknown contacts. Meta also reported actions taken against fraudulent accounts and scam centers. Meta's efforts are part of ongoing measures to combat scams, including romance baiting schemes operated by cybercrime syndicates in Southeast Asia. These scams often involve psychological manipulation and financial fraud. In 2025, Meta removed over 159 million scam ads and took down over 10.9 million accounts on Facebook and Instagram linked to criminal scam operations. Meta also participated in a global law enforcement operation that led to the arrest of 21 suspects and the shutdown of more than 150,000 accounts linked to scam networks in Southeast Asia. Meta collaborated with the FBI, the DOJ Scam Center Strike Force, and Thai police to disrupt scam centers in Southeast Asia. The operation targeted scam centers that targeted users in the US, UK, and the APAC region. Thai Police arrested 21 suspects and Meta shut down more than 150,000 accounts linked to the scam centers. In a similar operation conducted in December, Meta removed 59,000 accounts, pages, and groups across its platforms.

A large-scale OAuth consent abuse campaign, active in early 2025, involved 19 malicious applications impersonating well-known brands like Adobe, DocuSign, and OneDrive. The campaign targeted multiple organizations, exploiting 'consent fatigue' to gain access to users' sensitive data without needing their passwords. The access token obtained through this method was sent to the attacker's redirect URL, granting them unauthorized access to files or emails. The campaign was documented by Proofpoint in August 2025, highlighting the ongoing threat posed by malicious OAuth applications.

CISA has issued Emergency Directive (ED) 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems, which pose an unacceptable risk to federal networks. The directive requires immediate action from Federal Civilian Executive Branch (FCEB) agencies to inventory, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities. Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, with a critical authentication bypass vulnerability (CVE-2026-20127) allowing unauthenticated attackers to obtain administrative access.

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.

Attackers are increasingly designing phishing campaigns to overwhelm Security Operations Centers (SOCs) by flooding them with low-sophistication emails, creating an informational denial-of-service (IDoS) condition. This tactic exploits the predictable failure modes of SOCs under high workload, leading to degraded investigation quality and increased risk of missing targeted spear-phishing attacks. The asymmetry in cost between attacker and defender favors attackers, as they can generate thousands of decoy emails at near-zero cost, while defenders incur significant analyst time and cognitive bandwidth. Organizations are now focusing on decision-ready AI triage to maintain investigation quality and speed regardless of volume, flipping the strategic advantage back to defenders.

Police Scotland was fined £66,000 after sharing the entire contents of a female officer's phone with a colleague she accused of rape. The incident, which occurred in early 2021, involved the unauthorized disclosure of medical records, intimate photos, and personal contact details. The Information Commissioner’s Office (ICO) found that the force failed to implement appropriate security measures, minimize data sharing, and report the breach within the required 72-hour timeframe. The victim, a detective constable, was diagnosed with PTSD as a result of the incident.

The Iranian hacktivist group Handala (a.k.a. Handala Hack Team) has claimed responsibility for a data-wiping attack against Stryker, a global medical technology company. The attack reportedly affected over 200,000 systems, servers, and mobile devices across Stryker’s offices in 79 countries. Handala claims to have stolen 50 terabytes of data before wiping tens of thousands of systems and servers. The group cited retaliation for a U.S. missile strike that killed 175 people, including children, as the motive. Stryker’s operations, particularly in Ireland, have been severely disrupted, with over 5,000 workers sent home. The attack utilized Microsoft Intune to issue remote wipe commands, causing significant operational downtime. Stryker confirmed the attack in an 8-K filing with the SEC, noting global disruption to the company’s Microsoft environment. The timeline for a full restoration of affected functions and systems access is not yet known, but Stryker has business continuity measures in place to support its customers and partners. Experts suggest Handala is more than a hacktivist group, with tactics and targeting consistent with Iranian state actors.

Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns. Additionally, the INC ransomware operation has been targeting healthcare organizations in Oceania, including Australia, New Zealand, and Tonga. The Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand's National Cyber Security Centre (NCSC) issued a joint advisory on March 6, 2026, about INC's targeting of critical networks in the region. INC initially focused on the US and the UK but expanded to Australia in the summer of 2024, targeting professional services and healthcare industries. The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting healthcare or professional services companies.

WhatsApp has introduced parent-managed accounts for pre-teens, allowing parents to control who can contact their children and which groups they can join. These accounts are restricted to messaging and calling, with end-to-end encryption ensuring privacy. Parents must set up the account by verifying the child's phone number and linking devices via a QR code. Parents can manage privacy settings and activity alerts with a 6-digit PIN. The child can transition to a standard account upon turning 13.

An SQL injection vulnerability (CVE-2026-2313) in the Elementor Ally WordPress plugin, with over 400,000 installations, allows unauthenticated attackers to inject SQL queries via the URL path. The flaw affects versions up to 4.0.3 and can be exploited to steal sensitive data. Only 36% of users have updated to the patched version 4.1.0, leaving over 250,000 sites vulnerable. The vulnerability arises from insufficient escaping of user-supplied URL parameters in the `get_global_remediations()` method, enabling time-based blind SQL injection attacks. Exploitation requires the plugin to be connected to an Elementor account with the Remediation module active. WordPress 6.9.2, released recently, addresses multiple vulnerabilities, including XSS, authorization bypass, and SSRF flaws, and is recommended for immediate installation.

An ongoing npm credential harvesting campaign dubbed PhantomRaven has been active since August 2025. The malware steals npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. New attack waves occurred between November 2025 and February 2026, distributing 88 packages via 50 disposable accounts. At least 126 npm packages have been infected, resulting in over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code in externally hosted packages, evading npm security scans. The campaign exploits AI hallucinations to create plausible-sounding package names, a technique known as slopsquatting. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub.

France's National Cybersecurity Agency (ANSSI) reported a decline in ransomware attacks in 2025, attributing the drop to successful preventive interventions and law enforcement operations. Despite the decrease, ransomware remains a significant threat, particularly targeting SMBs, healthcare, and education sectors. The most prevalent ransomware strains observed were Qilin, Akira, and LockBit 3.0/LockBit Black. ANSSI also noted a rise in data exfiltration incidents and a drop in DDoS attacks. The agency highlighted the increasing overlap between nation-state groups and cybercriminals, complicating attribution efforts. Vincent Strubel, ANSSI’s director general, warned of potential hybrid attacks on critical infrastructure by 2030.

AI-driven browsers are vulnerable to a new prompt injection technique called PromptFix, which tricks them into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. This vulnerability affects AI browsers like Perplexity's Comet, which can be manipulated into performing actions such as purchasing items on fake websites or entering credentials on phishing pages. Researchers have demonstrated that AI browsers can be tricked into phishing scams in under four minutes by exploiting agentic blabbering. The attack leverages the AI browser's tendency to reason its actions and use it against the model to lower security guardrails. By intercepting traffic between the browser and AI services and feeding it to a Generative Adversarial Network (GAN), researchers made Perplexity's Comet AI browser fall victim to a phishing scam. The technique builds on prior methods like VibeScamming and Scamlexity, which exploit hidden prompt injections to carry out malicious actions. The attack involves building a 'scamming machine' that iteratively optimizes and regenerates a phishing page until the AI browser stops complaining and proceeds with the threat actor's actions. Once a fraudster iterates on a web page until it works against a specific AI browser, it works on all users relying on the same agent. The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users' private information. Zenity Labs detailed two zero-click attacks affecting Perplexity's Comet, using indirect prompt injection to exfiltrate local files or hijack a user's 1Password account. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and their integration into organizational workflows. OpenAI noted that prompt injection vulnerabilities in agentic browsers are unlikely to be fully resolved, but risks can be reduced through automated attack discovery and adversarial training.

Infosecurity Europe 2026 has announced its keynote lineup, featuring industry leaders and experts in cybersecurity. The event will include keynotes from Shlomo Kramer, Cynthia Kaiser, Maggie Alphonsi, and Jason Fox, covering topics such as technology trends, ransomware tactics, leadership, and cyber resilience. Additionally, technical sessions will delve into AI-driven cloud threats and post-quantum security. The conference is scheduled for June 2-4, 2026, with free registration available until May 5.

Nine cross-tenant vulnerabilities, collectively named LeakyLooker, were discovered in Google Looker Studio. These flaws could allow attackers to execute arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. The vulnerabilities affected connectors to multiple cloud services, including BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Two distinct attack paths were identified: 0-click attacks targeting owner credentials and 1-click attacks targeting viewer credentials. The vulnerabilities were disclosed responsibly and have been addressed by Google. No evidence of exploitation in the wild has been found.

A widespread cybercriminal campaign has compromised over 250 legitimate WordPress websites across 12 countries to deliver infostealer malware. The attackers exploit user trust in these sites to infect visitors with malware such as Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut. The campaign, active since December 2025, uses fake Cloudflare Captcha pages and ClickFix social engineering techniques to trick users into running malicious code, ultimately stealing sensitive data including login credentials and financial information.

A Russian-speaking threat actor has been targeting HR departments with a sophisticated malware campaign that delivers a new EDR killer named BlackSanta. The campaign employs social engineering and advanced evasion techniques to steal sensitive information from compromised systems. The malware is suspected to be distributed via spear-phishing emails containing ISO image files disguised as resumes, hosted on cloud storage services like Dropbox. The attack chain involves steganography, DLL sideloading, and process hollowing to execute malicious payloads while evading detection. BlackSanta specifically targets and disables endpoint security solutions, including antivirus, EDR, SIEM, and forensic tools, by terminating their processes at the kernel level. The campaign has been active for over a year, utilizing Bring Your Own Driver (BYOD) components to gain elevated privileges and suppress security tools. The malware performs checks on system language, hostnames, and running processes before carrying out further actions. The campaign's ability to exfiltrate sensitive information while maintaining encrypted communications underscores both its persistence and the risk posed to targeted organizations.

Researchers at Unit 42, Palo Alto Networks’ research lab, discovered that security guardrails in generative AI tools can be bypassed through prompt injection attacks. These guardrails, implemented as 'AI Judges' to enforce safety policies and evaluate output quality, can be manipulated into authorizing policy violations using stealthy input sequences. The attack method, demonstrated in a report published on March 10, 2026, involves an automated fuzzer called AdvJudge-Zero, which identifies trigger sequences that exploit the LLM’s decision-making logic to bypass security controls. The technique achieves a 99% success rate in bypassing controls across various widely used architectures, including open-weight enterprise LLMs and specialized reward models.

Meta has disabled over 150,000 accounts linked to scam centers in Southeast Asia, in collaboration with authorities from multiple countries. This action follows a pilot initiative in December 2025 and includes new tools to detect and prevent scams. The U.K. government has also launched an Online Crime Centre to combat cybercrime, including scam operations across various regions. The coordinated effort resulted in 21 arrests by the Royal Thai Police. Meta highlighted the sophistication and industrialization of online scams, which often operate as full-scale business operations in countries like Cambodia, Myanmar, and Laos. The company introduced new tools to warn users about suspicious activities on Facebook, WhatsApp, and Messenger. In 2025, Meta removed 159 million scam ads and 10.9 million accounts associated with criminal scam centers. The U.K.'s new Online Crime Centre aims to disrupt scam operations using AI and specialized teams.