FinWise Bank insider breach impacts 689K American First Finance customers
Summary
FinWise Bank experienced a data breach on May 31, 2024, when a former employee accessed sensitive files after their employment ended. The breach affected 689,000 customers of American First Finance (AFF), a company that offers consumer financing products. The compromised data included full names and other personal information. FinWise has strengthened internal controls and is offering free credit monitoring services to affected individuals. The incident is facing multiple class-action lawsuits. The breach was discovered and investigated with the help of outside cybersecurity professionals. The exact methods used by the former employee to access the data remain undisclosed.
Timeline
- 15.09.2025 21:18 · 1 article · 2d ago
FinWise Bank insider breach impacts 689K American First Finance customers
On May 31, 2024, a former employee of FinWise Bank accessed sensitive files after their employment ended, impacting 689,000 customers of American First Finance (AFF). The compromised data included full names and other personal information. FinWise Bank has strengthened internal controls and is offering free credit monitoring services to affected individuals. The incident is facing multiple class-action lawsuits.
Source: FinWise insider breach impacts 689K American First Finance customers · www.bleepingcomputer.com · 15.09.2025 21:18
Information Snippets
- The breach occurred on May 31, 2024. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- A former employee accessed sensitive files after their employment ended. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- The breach impacted 689,000 customers of American First Finance (AFF). (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- Compromised data included full names and other personal information. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- FinWise Bank is offering 12 months of free credit monitoring and identity theft protection services to those impacted. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- The incident is facing multiple class-action lawsuits. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
- FinWise Bank has strengthened internal controls to reduce the risk of similar incidents. (First reported: 15.09.2025 21:18 · 1 source, 1 article)
Source for all snippets: FinWise insider breach impacts 689K American First Finance customers · www.bleepingcomputer.com · 15.09.2025 21:18
Similar Happenings
ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware
A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).
ShinyHunters and Scattered Spider Collaboration
ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating in recent attacks on major companies. This partnership combines ShinyHunters' expertise in large-scale data theft with Scattered Spider's proficiency in social engineering. The collaboration, evident in shared tactics, infrastructure, and synchronized targeting, makes future campaigns harder to detect and mitigate. The groups have targeted companies like Google, Louis Vuitton, Allianz, Salesforce customers, and Workday, using tactics such as vishing, domain spoofing, credential misuse, and VPN obfuscation. This collaboration poses a significant threat to organizations, necessitating a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The collaboration has also expanded to include the development of a ransomware-as-a-service solution called ShinySp1d3r, and the groups have ties to a broader cybercriminal network known as The Com. Additionally, BreachForums, a cybercrime forum associated with ShinyHunters, has been turned into a honeypot by international law enforcement. The Allianz Life breach, part of this campaign, impacted 1.1 million individuals, with personal information stolen and leaked by ShinyHunters. Scattered Spider has also been involved in sophisticated social engineering attacks targeting high-profile organizations worldwide, and has recently shifted focus to the aviation and transportation industries. A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison for wire fraud and aggravated identity theft. Urban, also known by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was ordered to pay $13 million in restitution. Urban was arrested in January 2024 for thefts totaling at least $800,000 from at least five victims. Urban and co-conspirators used SIM swapping attacks to hijack cryptocurrency accounts.
The DoJ unsealed charges against Urban and four other Scattered Spider members in November 2023. Tyler Robert Buchanan, another member, was extradited from Spain to the U.S. in April 2025. Scattered Spider, ShinyHunters, and LAPSUS$ have formed a new cybercrime alliance associated with The Com. Scattered Spider uses tactics to generate urgency and fear, including timed leaks and countdown threats. Scattered Spider targets specific sectors and attacks multiple organizations within that vertical over a short span. Scattered Spider exploits weaknesses in security programs by targeting people through social engineering. The group Scattered Lapsus$ Hunters, a collaboration of ShinyHunters, Scattered Spider, and LAPSUS$, has claimed responsibility for accessing Google's Law Enforcement Request System (LERS) and the FBI's eCheck system. The group has targeted Salesforce data through social engineering and exploitation of exposed authentication tokens, impacting multiple high-profile companies. Google Threat Intelligence (Mandiant) has been actively tracking and disclosing the activities of the Scattered Lapsus$ Hunters group, which has taunted law enforcement and security researchers through various Telegram channels. Scattered Spider has resumed attacks on the financial sector despite claims of retirement. The group gained access to a U.S. banking organization by socially engineering an executive's account and resetting passwords via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through Citrix and VPN environments, and compromised VMware ESXi infrastructure. The group attempted to exfiltrate data from Snowflake and AWS repositories, reset a Veeam service account password, and assigned Azure Global Administrator permissions. Scattered Spider's recent activity contradicts their claims of ceasing operations and is likely a strategic move to evade law enforcement pressure. The group may regroup or rebrand under a different alias in the future.