
A College Student Behind The Massive PowerSchool Hack Sentenced To 4 Years

October 16, 2025

Read also: Spain dismantles GXC Team cybercrime group, arrests lead developer, BreachForums seized yet again, and more.

A college student behind the massive PowerSchool hack sentenced to 4 years

A 19-year-old college student from Worcester, Massachusetts, in the US, was sentenced to four years in prison for his involvement in a cyber-attack on education software giant PowerSchool that resulted in one of the largest data breaches in the K-12 education sector. He was also ordered to pay $14 million in restitution and a $25,000 fine.

Matthew D. Lane pleaded guilty in May to four federal charges, including unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion, and aggravated identity theft. According to court records, Lane and unnamed accomplices compromised PowerSchool’s systems in December 2024, using stolen login credentials from a subcontractor. They accessed the company’s PowerSource customer support portal and a back-end maintenance tool to exfiltrate sensitive data from over 6,500 school districts worldwide.

The breach exposed the personal information of 9.5 million teachers and 62.4 million students, including full names, Social Security numbers, home addresses, phone numbers, passwords, medical records, and parent contact details. The attackers then demanded a ransom totaling $2.85 million in Bitcoin, threatening to leak the stolen data.

Although PowerSchool reportedly paid a ransom to prevent the data from being leaked, prosecutors say Lane and his co-conspirators continued to demand money from individual school districts, attempting to extort them with threats of releasing student data.

Spain dismantles GXC Team banking phishing gang, arrests lead developer

Spanish authorities have dismantled the infamous GXC Team cybercrime group and have arrested its 25-year-old Brazilian leader known online as “GoogleXcoder.”

The group ran a phishing and fraud operation that sold malware, Android-based spyware, and AI-driven scam tools through Telegram and Russian-language cybercrime forums. The targets included financial institutions and victims across Spain, the UK, and several EU countries.

Investigators from the Guardia Civil’s cybercrime unit (UCO) spent months tracking the suspect, who frequently changed locations and identities to avoid detection. He allegedly used spoofed phone numbers and anonymous payment methods to cover his tracks.

The GXC Team came under the spotlight in early 2024 following a report detailing the group’s activities, including software used for wire fraud and BEC scams. Access to the tool was sold for up to $2,000 per week. Authorities say the group’s phishing kits could bypass two-factor authentication and impersonated major banks, government agencies, and platforms such as PayPal, Amazon, and Microsoft 365. Malicious Android apps were also used to harvest sensitive credentials.

Following years of investigation, the police have conducted six raids across Spain, during which electronic devices, cryptocurrency wallets, and stolen credentials were seized, as well as chat logs linking the suspect to a broader cybercriminal network. Six individuals linked to GXC Team have been identified so far. The group’s Telegram channels have been shut down, and the investigation remains ongoing, police said.

The FBI seizes BreachForums domain linked to Salesforce extortion scheme

The US Federal Bureau of Investigation (FBI), in coordination with international law enforcement, has seized BreachForums.hn, a data leak site used by the Scattered Lapsus$ Hunters group to extort victims of the recent Salesforce data breach.

Previously controlled by affiliates of ShinyHunters, Scattered Spider, and Lapsus$, the domain has been taken offline and replaced with a standard FBI seizure notice. The operation, carried out in collaboration with French authorities, allowed officials to gain control of the domain’s infrastructure before a mass leak of stolen Salesforce data could occur.

BreachForums.hn briefly resurfaced in July after a relaunch led by ShinyHunters but went dark again following the arrest of four key members in France. Around the same time, US prosecutors charged Kai West, also known as “IntelBroker”, in connection with the forum’s activities. In August, Noah Michael Urban, a key member of Scattered Spider, was sentenced to 10 years in prison in the US. A month later, UK police arrested two alleged Scattered Spider members in connection with a 2024 cyber-attack on Transport for London (TfL).

In early October, BreachForums.hn was repurposed to serve as a leak site linked to the Salesforce attacks, allegedly impacting a wide range of high-profile companies, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, and Toyota.

The US charges Cambodian tycoon in $15 billion crypto scam

US authorities have charged a Cambodian business executive in connection with a massive cryptocurrency fraud scheme, resulting in the seizure of over $15 billion worth of bitcoin.

Federal prosecutors in Brooklyn unsealed an indictment against Chen Zhi, 38, chairman of the Prince Holding Group, a Cambodian conglomerate with business interests in real estate, finance, online gambling, and cryptocurrency mining. Known by the alias ‘Vincent,’ Chen is accused of orchestrating an extensive global fraud operation involving forced labor, bribery, and international money laundering.

According to the indictment, Chen and unnamed co-conspirators allegedly lured victims worldwide into fake online investment platforms. The profits from the scams were used to purchase luxury assets such as yachts and private jets. Prosecutors say the operation relied on coerced workers and violent enforcement tactics, with scam centers operating across Southeast Asia.

In addition to the criminal charges, US and UK officials imposed sanctions on Chen and his network. The US also seized 127,271 bitcoin, currently valued at more than $14 billion. According to blockchain analytics firm Elliptic, the bitcoins have been linked to a 2020 theft from LuBian, a bitcoin mining firm with operations in China and Iran.

Separately, the US designated Huione Group, another Cambodia-based financial services company, as a “primary money laundering concern” under the USA PATRIOT Act. Officials allege Huione has long facilitated the laundering of illicit funds from crypto scams and cybercrime operations.

German authorities take down over 1,400 illegal trading websites

The Cybercrime Center at the General Prosecutor’s Office in Karlsruhe, together with the State Office of Criminal Investigation (LKA) of Baden-Württemberg, has dismantled a vast network of fraudulent online trading platforms.

As part of Operation Herakles, authorities, in cooperation with Germany’s Federal Financial Supervisory Authority (BaFin), Europol, and Bulgarian law enforcement, seized and took offline 1,406 illegal websites used by cybercriminals to trick unsuspecting investors into fake financial schemes.

The fraudulent platforms were designed to imitate legitimate trading services, luring users into investing significant sums of money under false pretenses.

The action follows a previous shutdown of 800 illegal domains in June of this year. Investigators suspect a widespread case of cyber trading fraud, a growing scam model known as “Crime-as-a-Service,” where professional cybercriminals operate elaborate websites and call centers to trick victims, primarily targeting users in Germany.
