VulnHub

Real-time Cybersecurity News

$250 million cryptocurrency heist funded luxury fashion, nightclub parties, and private jets

Help Net Security
Actively Exploited

Overview

Marlon Ferro, a 20-year-old from California, was sentenced to over six years in prison for his involvement in a massive cryptocurrency theft that totaled more than $250 million. This criminal network operated from late 2023 to early 2025, with members located across multiple states and even internationally. Ferro's role included hacking databases and making fraudulent phone calls to execute the theft. The stolen funds were reportedly used to finance a lavish lifestyle, including luxury fashion, nightclub parties, and private jets. This case highlights the ongoing risks associated with cryptocurrency theft and the lengths to which criminals will go for financial gain.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Cryptocurrency assets
  • Timeline: Ongoing since late 2023

Original Article Summary

20-year-old California resident Marlon Ferro, known online as “GothFerrari,” was sentenced to 78 months in prison for his role in a cryptocurrency theft operation tied to more than $250 million in stolen digital assets. Federal prosecutors said Ferro participated in a criminal network active between late 2023 and early 2025. Members of the group, based in California, Connecticut, New York, Florida, and overseas, carried out roles that included database hacking, target identification, fraudulent phone calls, … More → The post $250 million cryptocurrency heist funded luxury fashion, nightclub parties, and private jets appeared first on Help Net Security.

Impact

Cryptocurrency assets

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since late 2023

Remediation

Not specified

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Read Original Article

Related Coverage

Malware Found in Laravel-Lang Composer Packages After Git Tag Poisoning Attack

Security Affairs

Recently, attackers compromised four Laravel-Lang Composer packages, which are widely used for providing translation and localization files in Laravel applications. By rewriting over 700 Git tags linked to historical versions, they managed to inject malware into these packages, potentially affecting numerous Laravel apps. This incident poses a significant risk to developers using Laravel-Lang, as the malware could lead to unauthorized access or other security breaches in their applications. Users of these packages should take immediate action to ensure their systems are not vulnerable and consider removing or updating the compromised packages. This situation serves as a reminder for developers to monitor the integrity of their dependencies closely.

May 26, 2026

High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659)

Help Net Security

Microsoft has patched a serious remote code execution vulnerability in SharePoint, identified as CVE-2026-45659. This flaw impacts SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The vulnerability arises from the way SharePoint handles untrusted data, allowing an authenticated attacker to execute code on a vulnerable server without requiring any user interaction. The simplicity of the attack makes it particularly concerning, as it poses a risk to organizations using these versions of SharePoint. Companies should prioritize applying the patches to safeguard their systems from potential exploitation.

May 26, 2026

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

The Hacker News

Multi-factor authentication (MFA) was designed to enhance security by requiring users to provide a second form of verification, making it harder for attackers to gain access to accounts. However, researchers have found that some attackers are using a technique called MFA prompt bombing, where they bombard users with repeated authentication requests until they inadvertently approve one. This method takes advantage of users being overwhelmed and mistakenly granting access. As a result, organizations that rely solely on MFA may be putting themselves at risk, as this approach can easily bypass the intended security measures. It's essential for companies to educate their employees about this tactic and consider additional security layers to protect against unauthorized access.

May 26, 2026

Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning Campaign

Infosecurity Magazine

Iranian hackers, known as Nimbus Manticore, have launched a campaign targeting U.S. aviation through phishing attacks and SEO poisoning. They are distributing a malicious backdoor called MiniFast, which is designed to exploit vulnerabilities in systems related to aviation. This campaign poses a significant risk to the aviation sector, as it could potentially allow attackers to gain unauthorized access to sensitive information and disrupt operations. The use of AI to create the MiniFast backdoor indicates a sophisticated approach to cyberattacks, raising concerns about the evolving tactics of state-sponsored hacking groups. Companies in the aviation industry need to be vigilant and enhance their cybersecurity measures to protect against such threats.

May 26, 2026

CISA orders feds to patch actively exploited Drupal vulnerability

BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that U.S. government agencies address a critical SQL injection vulnerability in the Drupal content management system by Wednesday evening. This vulnerability, which has been flagged as actively exploited, poses a significant risk to the security of servers running Drupal. Government organizations must act swiftly to protect their systems from potential attacks that could exploit this weakness. The urgency of this directive highlights the ongoing challenges faced by agencies in maintaining secure web platforms, especially as attackers increasingly target widely used software like Drupal. Ensuring that these systems are patched is essential to safeguard sensitive data and maintain operational integrity.

May 26, 2026

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

BleepingComputer

Anthropic is reportedly getting ready to release its Mythos model, which was initially announced in April as a restricted version due to its potential security risks. This model poses significant threats to both private and public software, raising concerns among developers and users about its implications for security. The rollout of such a model could lead to vulnerabilities being exploited if not properly managed. As the technology moves closer to public availability, it’s crucial for stakeholders to understand the risks and prepare accordingly. The situation emphasizes the need for careful consideration in how AI models are deployed, especially those that can impact software security.

May 25, 2026