🚨 Allianz allegedly targeted in ~500 internal Docker images leak
A threat actor on an underground forum is claiming to release a full dump of roughly 500 Docker images, totaling around 40 GB, allegedly originating from Allianz internal infrastructure.
The actor claims the images contain exposed configuration files, source code, credentials, and private keys.
What's allegedly exposed:
• Exposed configuration files with API keys, DB passwords, and service tokens
• Internal microservices with source code
• Hardcoded credentials for staging and prod environments
• TLS private keys and internal CA certs
Details:
Target: Allianz
Sector: Insurance / Financial Services
Actor: hackformetome
Claim: Full dump of internal Docker images
Exposure: ~500 Docker images (~40 GB)
Price: 10 Points
Observed: May 28, 2026
🔥 Stop guessing what's redacted. Paid subscribers see everything: https://t.co/281Qjc6p2J
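The exposure class claimed above (config files, credentials and private keys baked into image layers) is one you can check for in your own images before anyone else does. The following is an added example, not code from the post or from any real leak artifact: it walks a `docker save` tarball, treats every blob that is itself a tar as a layer (this covers both the legacy `<id>/layer.tar` layout and the OCI `blobs/sha256/<digest>` layout, since non-tar blobs such as the manifest simply fail to open), and flags private-key headers, credentialed database URLs, and key/password/token assignments. The two-layer sample image, its file paths and all secret values are constructed in memory and are not real; the pattern names and helper functions are assumptions of this example.

```python
"""Scan a `docker save` tarball for secrets baked into image layers.

Added example with constructed sample data (not code from the post or from
any real leak). Layers are scanned one by one because a file removed in a
later layer is still present, intact, in the earlier layer's tar.
"""
import io
import re
import tarfile

# Secret classes named in the leak claim: private keys, credentialed DB
# URLs, and API key / password / token assignments in config files.
SECRET_PATTERNS = {
    "private_key": re.compile(
        rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "db_password_url": re.compile(
        rb"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://"
        rb"[^:\s/@]+:[^@\s]+@", re.I),
    "credential_assignment": re.compile(
        rb"\b(?:api[_-]?key|secret(?:[_-]?key)?|password|passwd|token)\b"
        rb"\s*[=:]\s*['\"]?[^\s'\"]{8,}", re.I),
}
MAX_FILE_SIZE = 2 * 1024 * 1024  # secrets live in small text files; skip big blobs


def looks_binary(data: bytes) -> bool:
    """Cheap text/binary sniff: a NUL byte within the first 512 bytes."""
    return b"\x00" in data[:512]


def scan_bytes(data: bytes) -> list:
    """Return the sorted names of the secret classes found in one file."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(data))


def scan_layer(layer_bytes: bytes, layer_name: str) -> list:
    """Scan every small text file in one layer tar (plain or compressed)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer:
            if not member.isfile() or member.size == 0 or member.size > MAX_FILE_SIZE:
                continue
            data = layer.extractfile(member).read()
            if looks_binary(data):
                continue
            hits = scan_bytes(data)
            if hits:
                findings.append((layer_name, member.name, hits))
    return findings


def scan_image_tar(image_bytes: bytes) -> list:
    """Walk a `docker save` archive and scan each blob that is itself a tar.

    Non-tar blobs (manifest.json, image config JSON) raise ReadError when
    opened as tar and are skipped, so both layouts are handled.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        for member in image:
            if not member.isfile() or member.size == 0:
                continue
            blob = image.extractfile(member).read()
            try:
                findings.extend(scan_layer(blob, member.name))
            except tarfile.ReadError:
                continue
    return findings


def _tar_bytes(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: one clean layer, one with baked-in secrets."""
    clean_layer = _tar_bytes({
        "app/main.py": b"print('hello')\n",
        "etc/hostname": b"svc-01\n",
    })
    leaky_layer = _tar_bytes({  # all values below are made up for the example
        "app/.env": (b"DB_URL=postgres://svc:NotARealPassw0rd@db.internal:5432/app\n"
                     b"API_KEY=sk_live_0123456789abcdef\n"),
        "etc/ssl/private/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                       b"MIIEconstructedPlaceholderNotARealKey\n"
                                       b"-----END RSA PRIVATE KEY-----\n"),
    })
    manifest = b'[{"Config":"cfg.json","Layers":["abc/layer.tar","def/layer.tar"]}]'
    return _tar_bytes({
        "manifest.json": manifest,
        "cfg.json": b"{}",
        "abc/layer.tar": clean_layer,
        "def/layer.tar": leaky_layer,
    })


if __name__ == "__main__":
    for layer, path, kinds in scan_image_tar(build_sample_image()):
        print(f"{layer}: {path} -> {', '.join(kinds)}")
```

Against a real image, run `docker save image:tag -o image.tar` and pass the file contents to `scan_image_tar`. The scan covers only file contents inside layers; a fuller check would also parse the image config JSON for `ENV` and build-time history entries, and dedicated tools such as gitleaks or trufflehog carry far larger pattern sets. The point the claim above makes is the one this code demonstrates: a `COPY .env` or a private key committed to an early layer survives every later `RUN rm`, so the only reliable fix is to rebuild the image and rotate the exposed credentials.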
🇷🇺 Inside Russia's elite Bauman University, a secret department trains the GRU's next-gen hackers, saboteurs & spies. Now, 2,000+ leaked docs expose how its graduates feed the units behind Russia's cyberattacks, election interference, and NATO sabotage. https://t.co/EBC2DLb8HC
🚨 Two US cybersecurity professionals have been sentenced for moonlighting as ALPHV/BlackCat ransomware affiliates.
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, deployed BlackCat ransomware against multiple US victims between April and December 2023. They paid the operators a 20% cut for access to the platform, hit medical and engineering firms, leaked patient data to pressure payment, and split a $1.2 million Bitcoin ransom three ways with co-conspirator Angelo Martino.
Martino had a second job. He worked as a ransomware negotiator for victims, and used that role to leak confidential victim information to the attackers to push ransom prices up.
When Goldberg tried to flee abroad, the FBI tracked him through 10 countries before he was caught.
Both men were sentenced yesterday. Martino will be sentenced July 9.
After 11 years of silence at Black Hat, I am delivering a speech today.
In memory of a legendary APT Hunter, Mr Sergey Mineev, who passed away 40 days ago.
If you cannot attend, here is the write-up: https://t.co/JUO4VBtnSZ
A security researcher just documented a large-scale counterfeit Ledger Nano S Plus operation selling compromised devices across multiple online marketplaces.
The fake units look identical to the real thing but contain completely different hardware. Instead of Ledger's secure element chip, the counterfeits run an ESP32 microcontroller with modified firmware labeled "Nano S+ V2.1." Seeds and PINs are stored in plain text and transmitted to attacker-controlled servers. Any wallet initialized on the device is drained.
The operation goes beyond the hardware. The sellers also distribute a fake version of Ledger Live built with React Native and signed with a debug certificate. It intercepts transactions and exfiltrates sensitive data to multiple command-and-control servers. The campaign spans five attack vectors: compromised hardware, Android APKs, Windows executables, macOS installers, and iOS apps distributed through TestFlight to bypass App Store review.
This comes days after ZachXBT documented a separate fake Ledger Live app that made it through Apple's Mac App Store review process. That operation drained over $9.5 million from more than 50 victims, including musician G. Love, who lost 5.92 BTC after entering his recovery phrase into what he believed was the legitimate app.
The pattern is clear: the attack surface for hardware wallet users has shifted from firmware exploits to supply chain and distribution fraud. The devices themselves remain secure. The problem is that users are being intercepted before they ever touch a real one.
Ledger's own "genuine check" feature can be bypassed when the hardware itself is compromised at the source, which makes where you buy the device as important as how you use it.
The rules haven't changed, but they've never been more important: buy hardware wallets only from the manufacturer. Never enter your recovery phrase into any software. If a companion app asks for your 24 words on a screen, it's a scam. Every time.
IMHO, the most interesting section of this report is this one: "Finding a Writable Crontab"
The ability for attackers to use LLMs to find unique and target-specific exploitable misconfigs is the development that scares me the most. It's harder for defenders because there are no easy tools.
Ex-BND (German Foreign Intelligence Service) deputy chief Arndt Freytag von Loringhoven received a message from fake Signal "support" asking for his PIN. He typed it in.
His contacts then got a malicious link through his hijacked account.
He's a former NATO intelligence chief, and the author of a book called Putin's Attack on Germany, where he apparently covers Russian cyberattacks.
He fell for a fake customer service message.
Anthropic identified industrial-scale campaigns by three AI laboratories, DeepSeek, Moonshot, and MiniMax, to illicitly extract Claude's capabilities to improve their own models.
#CopyCat #MadeInChina
https://t.co/p45uNtO528
We've identified industrial-scale distillation attacks on our models by DeepSeek, Moonshot AI, and MiniMax.
These labs created over 24,000 fraudulent accounts and generated over 16 million exchanges with Claude, extracting its capabilities to train and improve their own models.
Can LNK files ever be trusted?
⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs and to detect spoofed ones yourself.
🔬 https://t.co/VZYVaEfO07
A forum thread advertising Qilin RaaS activity alongside Cry0 has been spotted.
The post openly recruits affiliates and outlines ransomware capabilities including selective encryption modes and shadow copy removal.
jprrin6bqe3flvtpyxkt4zsmzc3u6vvn7ahgtcbul224w3xn4h3gawid[.]onion
t1eron3[.]vip
Remember when Windows added a new "Notepad" app with Copilot and forced the good old notepad.exe to open the new app instead of itself even if you don't want it?
Well, a new feature just dropped.
A Data-Driven Approach to Windows Advanced Audit Policy: What to Enable and Why.
Excited to share my latest @splunk blog!
Check it out: https://t.co/ZDUTVkAZ3B
I spent time digging into multiple sources and analyzing data to cut through the noise around Windows Advanced Audit Policy. This post is for anyone who's ever wondered what to enable and why.
The goal? Help users make informed, purposeful audit decisions based on data and evidence, not just defaults or random guesswork.
The whole approach has also been streamlined via the Eventlog Compendium Policy Generator - https://t.co/6W4jhptRVR