The Salvation Army notifies victims of data breach that leaked Social Security Numbers
Posted in Commentary with tags Hacked on August 29, 2025 by itnerd
The Salvation Army is notifying victims of a May 2025 data breach that leaked names, Social Security Numbers, and driver’s license numbers. Ransomware group Chaos claimed responsibility for the data breach at the end of May. The Salvation Army has not verified Chaos’ claim.
Commenting on this is Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Chaos is a ransomware gang that first surfaced in 2021 but didn’t start claiming victims on its data leak site until March 2025. The group attacks both individuals and organizations through drive-by-downloads and phishing. It employs a double-extortion scheme in which organizations are extorted both for stolen data and to restore infected systems. Chaos has taken credit for three other confirmed ransomware attacks and made eight more unconfirmed claims that haven’t been publicly acknowledged by the targeted organizations.”
“In 2025 to date, Comparitech researchers have logged 632 confirmed ransomware attacks compromising 28.8 million records. The average ransom demand is $1.7 million. The Salvation Army is not the first ransomware attack on a charitable organization. Earlier this year, Welthungerhilfe, a German non-profit aid organization, received a $2.15 million ransom demand from ransomware group Rhysida. We’ve recorded another 3,955 unconfirmed attack claims made by ransomware groups this year so far that haven’t been acknowledged by the targeted organizations.”
This is particularly bad because many of the people the Salvation Army serves are already vulnerable, and with names, Social Security Numbers and driver’s license numbers exposed they are more likely to be targeted by follow-on fraud and phishing from other threat actors. Hopefully these victims are in a place where they are not taken advantage of.
Today, SOCRadar published its Europe Regional Threat Landscape Report. The report breaks down the dark web, ransomware, and phishing activity it has observed in Europe since August 2024.
Key Takeaways Include:
Finance and Insurance is the top exposed sector on the dark web at 14.08%, and when Commercial Banking and Crypto are added, total financial exposure reaches 22.8%.
Retail and e-commerce follow closely at 19.5%, confirming criminals’ focus on quick monetization. Selling dominates threat categories at 61.93%, while sharing stands at 24.34%, showing that over 70% of activity is trade-driven.
Data leaks remain the most common threat type at 58.23%, with access sales at 21.90%, meaning more than 80% of threats revolve around stolen information and entry points.
At the country level, France (5.62%), the UK (4.89%), and Germany (4.68%) lead in dark web targeting, while ransomware strikes are highest in the UK (22.94%), Germany (16.47%), and France (10.10%).
Ransomware activity is fragmented: Akira (8.7%), Qilin (8.1%), and RansomHub (6.8%) are the most visible groups, but smaller groups account for 76.4%.
Phishing shows a different pattern, with Bulgaria (24.26%) and Russia (21.06%) leading.
Information Services (19.77%), National Security & International Affairs (13.31%), and Banking (11.45%) are the main phishing targets.
73.44% of phishing sites use HTTPS, showing how attackers exploit encryption to build trust: the padlock only means the connection to the site is encrypted, not that the site is legitimate.
Posted in Commentary with tags Fortra on August 29, 2025 by itnerd
By John Wilson, Senior Fellow, Threat Research, Fortra
In the sprawling digital ecosystem of the modern web, trust hinges on invisible scaffolding: DNS configurations, registrar records, and cryptographic signaling that determines whether your inbox will deliver truth or treachery. With phishing, spoofing, and business email compromise continuing to exploit lapses in email authentication, one question looms large: Just how secure are the world’s most-visited domains?
Armed with DNS records (MX, SPF, DMARC) and whois metadata from the top 10 million domains on the internet, this analysis offers one of the most expansive snapshots of global email hygiene to date. From configuration trends to systemic weak points, we peel back the layers of digital trust to reveal what’s been hiding in plain sight.
The findings? At once expected and alarming. While many domains have embraced modern security standards, millions remain vulnerable — inviting attackers to impersonate, manipulate, and deceive. By analyzing registrar behavior, domain age, and adoption patterns, we uncover which corners of the internet are actively fortifying their defenses and which have left the door ajar.
Sender Policy Framework (SPF): Adoption and Pitfalls in the Wild
SPF serves as the internet’s first line of defense against email spoofing, specifying which IP addresses are authorized to send mail on behalf of a domain. But while it’s foundational to email authentication, its real-world implementation varies wildly across the web’s most popular domains.
SPF Adoption at a Glance
Out of the 10 million domains analyzed:
3,666,641 (36.7%) published a syntactically valid SPF record
140,843 (1.4%) published an SPF record with syntax errors or excessive DNS lookups
6,192,516 (61.9%) had no SPF record at all
This means that 63.3% of the 10 million most popular domains on the internet remain exposed: a domain with no record can be spoofed freely, and a domain with a broken record risks both spoofing and delivery problems, because receivers treat a record they cannot evaluate as a permanent error.
Common Misconfigurations
Among the domains with SPF records:
110,732 (1.1%) exceeded the 10-DNS-lookup limit set by RFC 7208, which makes the receiver return a permanent error (permerror), so the record cannot be evaluated at all.
4,479 (0.045%) used the `+all` mechanism (i.e., allow all), effectively nullifying the purpose of SPF. Worse, these domains open the door for cybercriminals to hijack the trust inherent in these domains to send phishing links, malware-laden messages, and launch social engineering attacks. Two particularly notable examples were ubuntu.com and civilservice.gov.uk. Imagine how easy it would be to lure UK citizens interested in civil service jobs with an authenticated message from careers@civilservice.gov.uk. Or consider the message below, which I sent to myself using nothing more than telnet: <Image Redacted for Email>
2,632 misspelled the ip4: mechanism, either by omitting the “4” (ip:) or by inserting a “v” (ipv4:). An unrecognized mechanism name is a syntax error, so receivers return permerror for the whole record.
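The three pitfalls above can be caught before a record is published. The checker below is an added example written for this article, not Fortra’s tooling; it runs against a constructed in-memory stand-in for DNS (the ZONES table, using .example names and RFC 5737 documentation addresses) rather than live lookups, counts lookups recursively through include: and redirect= the way an evaluator does, and flags +all and the ip:/ipv4: misspellings:

```python
"""Static SPF checks for the three pitfalls above: too many DNS lookups,
'+all', and a misspelled ip4 mechanism (added example)."""

# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
VALID_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS TXT lookups: domain -> SPF record text.
ZONES = {
    "good.example":      "v=spf1 mx include:_spf.mail.example ip4:203.0.113.0/24 -all",
    "_spf.mail.example": "v=spf1 a ip4:198.51.100.0/24 -all",
    "saas1.example":     "v=spf1 a mx ip4:192.0.2.0/24 -all",
    "saas2.example":     "v=spf1 a mx ip6:2001:db8::/32 ~all",
    "bloated.example":   "v=spf1 include:saas1.example include:saas2.example "
                         "include:_spf.mail.example a mx ptr -all",
    "open.example":      "v=spf1 ip4:203.0.113.10 +all",
    "typo1.example":     "v=spf1 ip:203.0.113.10 -all",
    "typo2.example":     "v=spf1 ipv4:203.0.113.10 -all",
}


def parse_terms(record: str) -> list:
    """Return (qualifier, name, value) for each term after 'v=spf1'."""
    terms = []
    for token in record.split()[1:]:
        qual = "+"                                   # default qualifier is pass
        if token[0] in "+-~?":
            qual, token = token[0], token[1:]
        if "=" in token:                             # modifier, e.g. redirect=
            name, value = token.split("=", 1)
        elif ":" in token:                           # mechanism with an argument
            name, value = token.split(":", 1)
        else:                                        # bare mechanism, maybe a/24
            name, value = token.split("/", 1)[0], None
        terms.append((qual, name.lower(), value))
    return terms


def count_lookups(domain: str, zones: dict, chain: tuple = ()) -> int:
    """DNS lookups an evaluator performs for this domain, including those made
    inside include: and redirect= targets. The extra A lookups behind an mx
    mechanism have their own per-mx cap and are not modelled here."""
    if domain in chain:
        return 0                                     # include loop; a real evaluator permerrors
    record = zones.get(domain)
    if record is None:
        return 0
    total = 0
    for _, name, value in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value:
                total += count_lookups(value, zones, chain + (domain,))
    return total


def check_spf(domain: str, zones: dict) -> list:
    """Findings for one domain; an empty list means none of the pitfalls apply."""
    record = zones.get(domain)
    if record is None:
        return ["no SPF record"]
    if not record.lower().startswith("v=spf1"):
        return ["TXT record is not an SPF record"]
    findings = []
    terms = parse_terms(record)
    for qual, name, _ in terms:
        if name not in VALID_TERMS:
            hint = " (misspelled ip4?)" if name in ("ip", "ipv4") else ""
            findings.append(f"unknown term '{name}'{hint}: evaluators return permerror")
        elif name == "all" and qual == "+":
            findings.append("'+all' authorises every sender; SPF provides no protection")
    if not any(name in ("all", "redirect") for _, name, _ in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    lookups = count_lookups(domain, zones)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}: permerror")
    return findings


if __name__ == "__main__":
    for name in ZONES:
        print(name, count_lookups(name, ZONES), check_spf(name, ZONES))
```

To run this against real domains, replace the dictionary lookups with TXT queries; the lookup count is the number that matters in practice, because include: chains to large mail providers are what push otherwise sound records past ten.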
DMARC: Visibility, Policy, and Gaps
DMARC builds upon SPF and DKIM to offer domain owners the ability to define how unauthenticated messages should be handled — and to receive reporting data on abuse attempts. It’s a vital control against phishing and brand impersonation, yet widespread adoption remains elusive.
DMARC Adoption Snapshot
From the dataset of 10 million domains:
1,816,866 (18.2%) had a valid DMARC record
1,061,585 (10.6%) had a record with a `p=none` policy, offering visibility but no enforcement
755,281 (7.6%) implemented enforcement policies (`p=quarantine` or `p=reject`)
20,384 (0.2%) had malformed or incomplete DMARC entries
8,162,614 (81.6%) lacked a DMARC record entirely
Despite growing awareness, only 388,096 (3.9%) of the internet’s 10 million most popular domains enforce a reject policy that also covers subdomains (p=reject with sp= either absent, so that it inherits p=, or also set to reject), leaving the remaining domains exposed to spoofing even when SPF and DKIM are configured.
Common DMARC Configuration Issues
For domains that published a DMARC record, the most common error was the omission of the mailto: scheme before the rua and/or ruf reporting addresses (the tag must read, for example, rua=mailto:dmarc@example.com rather than rua=dmarc@example.com). The second most common error was misplacement of the policy p= tag, which the DMARC record format requires to occur immediately after the v=DMARC1; tag.
While not an error, 47.7% of domains with a valid DMARC record did not include a rua tag, meaning those domain owners are not receiving aggregate feedback to enable them to correct any SPF or DKIM configuration issues.
73% of domains with a valid DMARC record did not include a ruf tag, depriving the domain owner of failure (forensic) reports. These reports help diagnose SPF and DKIM misconfigurations and can show attempts to hijack the domain in near real time, with one caveat: many large mailbox providers do not send failure reports at all, so a quiet ruf mailbox is not evidence that nobody is spoofing the domain.
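The errors and omissions described above can be checked mechanically. The validator below is an added example, not code from Fortra; it keeps tag order because the DMARC record format fixes the position of v= and p=, requires a mailto: scheme on rua= and ruf=, notes missing reporting tags and a reduced pct=, and reports whether the record enforces reject on the domain and on its subdomains (sp= inherits p= when absent). The records it is exercised with are constructed for illustration:

```python
"""Check a DMARC record for the errors and omissions described above (added example)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> list:
    """Split 'tag=value; tag=value' into an ordered list of (tag, value).
    Order is kept because the record format fixes where v= and p= go."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def check_dmarc(record: str) -> dict:
    """Return hard errors, advisory notes, and the effective policy of one record."""
    tags = parse_dmarc(record)
    names = [t for t, _ in tags]
    values = dict(tags)
    errors, notes = [], []

    # RFC 7489 section 6.4: v=DMARC1 comes first and p= immediately after it.
    if not names or names[0] != "v" or values["v"].upper() != "DMARC1":
        errors.append("record must start with v=DMARC1")
    if "p" not in values:
        errors.append("missing p= tag")
    elif names.index("p") != 1:
        errors.append("p= must be the second tag, directly after v=DMARC1")
    elif values["p"].lower() not in VALID_POLICIES:
        errors.append(f"unknown policy '{values['p']}'")

    # Reporting URIs need a scheme; a bare address is the most common mistake.
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag not in values:
            notes.append(f"no {tag}= tag: {kind} reports will not be received")
            continue
        bad = [u.strip() for u in values[tag].split(",")
               if not u.strip().lower().startswith("mailto:")]
        if bad:
            errors.append(f"{tag}= address without mailto: scheme: {bad[0]}")

    p = values.get("p", "none").lower()
    sp = values.get("sp", p).lower()          # subdomain policy inherits p= by default
    if sp not in VALID_POLICIES:
        errors.append(f"unknown sp= value '{sp}'")
    pct = values.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and p != "none":
        notes.append(f"pct={pct}: the policy is applied to only that share of failing mail")

    ok = not errors
    return {
        "errors": errors,
        "notes": notes,
        "policy": p if ok else None,
        "subdomain_policy": sp if ok else None,
        "enforcing": ok and p in ("quarantine", "reject"),
        "reject_including_subdomains": ok and p == "reject" and sp == "reject",
    }


if __name__ == "__main__":
    # Constructed records covering the cases discussed in the article.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; rua=mailto:dmarc@example.com; p=quarantine",
                "v=DMARC1; p=none; rua=dmarc@example.com"):
        print(rec, "->", check_dmarc(rec))
```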
DMARC Provider Correlation to Policy
DMARC records specify the domain owner’s policy for how they would like receivers to treat unauthenticated mail that uses their domain in the “From:” header. There are three DMARC policies:
“None,” which indicates the domain owner would like no special treatment applied to messages which fail authentication.
“Quarantine,” which indicates the domain owner would like unauthenticated mail from their domain placed in a quarantine such as a spam folder.
“Reject,” which indicates the domain owner would like the receiving organization to block the message outright, typically by issuing a 550 error at the end of the DATA portion of the SMTP transaction.
Receivers may honor the domain owner’s wishes or may override the sender’s DMARC policy for a variety of reasons specific to the receiving organization.
For maximum security, domain owners should publish a DMARC reject policy. This is often a difficult task, as it requires the domain owner to ensure that all legitimate email from their domain is properly authenticated with SPF and/or DKIM. The complexities of identifying all third-party senders and then working with those senders to ensure they follow DMARC-compatible authentication practices have led many companies to work with third parties who specialize in DMARC implementation.
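How a receiver turns the published policy into an SMTP outcome, as an added example that is neither the article’s nor any vendor’s code: it performs DMARC record discovery against a constructed DNS stub, tests SPF and DKIM identifier alignment in relaxed and strict modes, applies p= to the record’s own domain and sp= to its subdomains, and maps reject to the 550 reply given at the end of DATA. Two simplifications are assumed: the organizational domain is taken to be the last two labels (a real receiver consults the Public Suffix List), and pct= sampling is not modelled.

```python
"""Apply a DMARC policy to one message the way a receiving MTA does (added example)."""

# Constructed stand-in for DNS TXT lookups: name -> DMARC record.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                          "rua=mailto:dmarc-rua@example.com",
}


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_tags(record: str) -> dict:
    """'tag=value; tag=value' -> {tag: value} (order is irrelevant for evaluation)."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";") if p.strip())}


def discover(from_domain: str, dns: dict):
    """Record discovery: the exact From: domain first, then its organizational domain."""
    for name in (from_domain.lower(), org_domain(from_domain)):
        rec = dns.get("_dmarc." + name)
        if rec and rec.upper().startswith("V=DMARC1"):
            return name, parse_tags(rec)
    return None, None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed only the org domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, spf_result: str, mailfrom_domain: str,
                      dkim_result: str, dkim_d: str, dns: dict = DNS) -> dict:
    """DMARC result, disposition, and the reply a policy-honouring receiver sends after DATA."""
    accept = "250 2.0.0 OK"
    record_domain, tags = discover(from_domain, dns)
    if tags is None:
        return {"result": "none", "disposition": "deliver", "smtp": accept}
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "deliver", "smtp": accept}
    # Authentication failed: p= covers the record's own domain, sp= (default p=) subdomains.
    policy = tags.get("p", "none").lower()
    if from_domain.lower() != record_domain:
        policy = tags.get("sp", policy).lower()
    if policy == "reject":
        return {"result": "fail", "disposition": "reject",
                "smtp": "550 5.7.1 Unauthenticated email from this domain is not accepted"}
    if policy == "quarantine":
        # Accepted on the wire, then routed to spam/quarantine by the receiver.
        return {"result": "fail", "disposition": "quarantine", "smtp": accept}
    return {"result": "fail", "disposition": "deliver", "smtp": accept}


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "fail", "example.com", "pass", "mail.example.com"))
    print(dmarc_disposition("news.example.com", "fail", "news.example.com", "fail", ""))
```

The second sample call is the case that surprises people moving to adkim=s: a DKIM signature from mail.example.com passes cryptographically but is not aligned under strict mode, so the message is rejected even though it was legitimately signed.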
Our analysis of the top 10 million internet domains found that only 22.9% of domains that send their DMARC reporting data to themselves have a DMARC reject policy, while 72.8% of domains whose DMARC records point to Fortra publish a reject policy. The chart below shows the policy breakdown for the major DMARC solution providers. The data suggests that working with a third-party vendor who specializes in DMARC implementations can increase the likelihood of achieving DMARC reject status, although the figures show a correlation rather than a cause: organizations already committed to enforcement are also the ones most likely to buy such a service.
[Chart not reproduced: DMARC policy breakdown by DMARC solution provider]
Conclusions
This analysis of the DNS and email authentication configurations of the top 10 million internet domains reveals both encouraging trends and significant shortcomings in the global state of email security. While the adoption of foundational protocols like SPF and DMARC has increased in recent years, the data shows a concerning level of misconfiguration, underutilization, and overall neglect — leaving the majority of domains vulnerable to spoofing, phishing, and business email compromise.
While tools and standards exist to dramatically reduce spoofing and phishing risk, their protection is only as good as their implementation. The internet’s most visited domains include both shining examples of secure configuration and gaping vulnerabilities waiting to be exploited. Strengthening global email hygiene requires not only broader adoption of standards like SPF and DMARC, but also a concerted effort to ensure they are implemented correctly — and supported by the right infrastructure, partnerships, and oversight.
Safety Detectives has just published a report on research it recently conducted into the recent leak of thousands of ChatGPT conversations.
The research identified several concerning privacy-related findings:
Users are sharing personally identifiable information (PII), sensitive emotional disclosures, and confidential material with ChatGPT.
Only around 100 of the 1,000 chats analyzed account for 53.3% of the more than 43 million words examined.
Some users are sharing full resumes, suicidal ideation, family planning discussions, and discriminatory speech with the AI model.
“Professional consultations” account for nearly 60% of the topics flagged.
Posted in Commentary with tags Hacked on August 28, 2025 by itnerd
Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States. According to a filing submitted to the Office of the Maine AG, the breach occurred on July 28, 2025, and was discovered two days later.
Paul Bischoff, Consumer Privacy Advocate at Comparitech had this comment:
“For context, the TransUnion breach compromised 4.4 million people. The 2017 Equifax breach compromised 147 million. It’s not as big, but it’s just as serious for those 4.4 million people. TransUnion does more than just generate credit reports. Other businesses that suffer data breaches frequently enlist TransUnion to provide credit monitoring and identity theft protection to breach victims. This breach could dissuade victims of other breaches from enrolling in those protective services.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 had this to say:
“Another data breach? “Only” involving single millions of digits? It’s almost a non-event. Data breaches involving hundreds of millions of records barely make the news anymore. How worried can you be about one “little” data breach when the information revealed to the hackers has likely been stolen many times? My only problem is why the breach was confirmed in late July and not reported to consumers until late August? Four weeks to publicly report, while likely legal, seems like a lot of time to let involved compromised users go around blindly without knowing about the additional risk, whether big or small. I’ve seen this lately…data breaches that must be reported publicly, taking a month or many months before they are publicly reported to those who are impacted. In today’s instant online world it seems more and more unacceptable.”
When the company that helps to protect people from getting taken advantage of after a breach gets breached, we’re all in deep trouble. These companies need to ensure that everything they do is beyond reproach or consumers will stop trusting them.
KnowBe4 today released a comprehensive resource kit in support of Cybersecurity Awareness Month 2025. The toolkit aligns with this year’s theme “Secure Our World” and supports the global movement to emphasize the importance of securing our digital lives. Cybersecurity Awareness Month, established in 2004 through a joint effort by the U.S. Department of Homeland Security and the National Cyber Security Alliance, provides organizations worldwide an opportunity to strengthen their security culture through education and awareness. This year’s focus is on simple, effective practices like using strong passwords, enabling non-phishable multifactor authentication (MFA), recognizing and reporting phishing attempts, and keeping software up to date.
EnGenius Technologies Inc., a global leader in advanced connectivity and cloud-managed networking solutions, today announced the official launch and immediate availability of the ECW510 Wi-Fi 7 indoor access point. Expanding the company’s line of affordable Wi-Fi 7 access points, the ECW510 makes next-generation wireless networking even more accessible for small businesses. Ideal for deployments in small offices, retail shops, motels, apartments, and cafés or small restaurants, the ECW510 delivers enterprise-grade Wi-Fi 7 performance in everyday business environments.
EnGenius ECW510: Reliable Wi-Fi 7 Made Simple for Small Businesses
Powered by the Qualcomm® Networking Pro 1220 platform, the ECW510 delivers dual-band 2×2 Wi-Fi 7 performance with aggregated speeds up to 5 Gbps. At an MSRP of just $129, the ECW510 redefines value in professional-grade networking, empowering IT professionals, managed service providers (MSPs), and integrators to deliver reliable, future-ready connectivity at a disruptive price point.
The ECW510 is equipped with essential features including:
Affordable Wi-Fi 7: High-speed dual-band performance (up to 5 Gbps) for less than the cost of many Wi-Fi 6 access points.
Easy to Set Up: Use the free EnGenius Cloud To-Go app—most networks are running in under 5 minutes.
No Hidden Fees: Centralized cloud management comes license-free, saving ongoing costs.
Coverage & Capacity: Delivers strong Wi-Fi across up to 1,000 sq. ft. and supports up to 400 connected devices at once.
Built for Growth: Supports multiple access points, making it easy to expand as your business grows.
Secure and Reliable: WPA3 Enterprise-grade security and a 5-year warranty for peace of mind.
Cybercriminals are always looking for new ways to trick people, using exploitative tactics to steal money, data, and sensitive information. Netcraft has observed a recent shift toward a subtle but clever tactic that exploits how we visually process text, using the Japanese Hiragana character ん. Netcraft uncovered novel attacks targeting cryptocurrency wallets and exchanges, prominent travel websites, and large cloud services, and has also seen security researchers use the technique in testing.
Initial reports earlier in August identified campaigns using this technique against Booking.com. However, our own investigation traced the technique back to November 25, 2024, beginning with the domain ioんhardware-wallet[.]best. Netcraft has since identified more than 600 related domains using it.
Figure 1: The Hiragana character “ん” (Latin “n”) deployed in a URL
By using carefully chosen lookalike Unicode characters in domain names, attackers can create fake website URLs that look almost identical to legitimate ones. This type of attack, often called a homoglyph attack, works because different scripts or writing systems have characters that look similar; think of a Latin ‘a’ and a Greek ‘α’ (alpha). The vector is not new, dating back to the early 2000s, but threat actors have found a new twist that exploits an edge case in the processing rules designed to prevent such confusion.
These attacks rely on the use of “confusable” characters like Unicode symbols that resemble Latin letters or symbols but are encoded differently. Recent activity has begun to use the Japanese character “ん” (hiragana ‘n’). At a quick glance, it is intended to look like a forward slash “/”. And when it’s dropped into a domain name, it’s easy to see how it can be convincing. That tiny swap is enough to make a phishing site domain look real, which is the goal of threat actors trying to steal logins and personal information or distribute malware.
Figure 2: How Hiragana ん appears in Chrome’s URL display. The host domain name is “comprehensive-protection[.]guru” in the example shown.
To make these deceptive domains functional, threat actors rely on Punycode, a way to encode Unicode characters into ASCII so they can be used in DNS. For instance, a domain like example.comんlogin would be encoded as example.xn--comlogin-0o4g, allowing it to be registered and resolved like any other domain.
Tracing the Campaign’s Early Activity
Our investigation revealed that the majority of the 600 domains leveraging this deceptive character technique were aimed at cryptocurrency users. These domains frequently impersonated legitimate browser extensions, particularly fake versions of the Google Chrome Web Store, as part of an effort to lure victims into downloading malicious wallet applications. These wallets include Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust.
Mapping the Infrastructure Behind New Domain Activity
Days after the Booking.com domains were uncovered, we identified a wave of newly registered domains that appeared shortly after the initial public reporting:
First, we took chromewebstore[.]google[.]comんdetailんokx-wallet.comprehensive-protection[.]guru and examined the contents of the phishing page, which mimicked Google’s Chrome Web Store to download the OKX cryptocurrency wallet browser extension. Clicking “Add to Chrome” prompted us to add the OKX Wallet as an extension, however, this was fake. Instead, it redirected to /welcome, which prompted us to either create or import a wallet.
Figure 4: Navigation path leading to fake OKX Wallet import page
Once a seed phrase was entered, we tracked that the phrase was sent to process.php, which appeared to validate the phrase before harvesting it. After validation, the seed phrase was leaked, giving threat actors unlimited access to the victim’s Bitcoin wallet.
While this page looks nearly identical to the example above, the outcome is quite different. Clicking ‘Add to Chrome’ did not redirect us to a web-based seed phrase stealer. Instead, it immediately downloaded an .exe file named “acmacodkjbdgmoleebbolmdjsighsdch.exe,” a malicious file that the page implies is a Chrome browser extension for Rabby Wallet (a commonly available wallet for Ethereum and other EVM cryptocurrencies). After the download, the page presents a fake error message claiming the installation failed and instructing the visitor to open the downloaded file manually.
Figure 6: Error message used to trick users into running the malicious file
Upon closer analysis, the .exe appears to be malicious. The file is signed with a valid cryptographic signature, issued to OLAN LLC, which introduces a new layer of uncertainty. It is possible that the certificate belongs to a legitimate IT services company, and that the threat actors are now leveraging it for malicious activity, as other campaigns have abused other commercial IT administration tools, such as ConnectWise.
Further investigation revealed that the malware communicates with 826exe.carnegie.workers[.]dev. In communication we intercepted between the executable and this address, the program transmitted profile data about the infected system to its command & control service, including the logged-in user account name, machine name, operating system version, and other parameters.
Figure 7: The initial C2 check-in communication with profile data masked out
Subsequent connections to the C2 address revealed that the program self-identifies as “Performance Enhancement Tool v.3.7.2” and deploys a payload into a folder named PerformanceModules under the logged in user’s AppData\Local folder path.
Figure 8: The “Performance Enhancement Tool” executable communicates with its C2 that it has deployed a payload under the MyTestExtension folder
Inside that folder, the malware placed a subfolder named Module_ with eight random hexadecimal characters appended to the folder name, and inside that folder, creates a folder named MyTestExtension that contains more than 900 files that appear to contain some of the actual Rabby Wallet code, as well as scripts, images, and text that seems to have nothing to do with Rabby Wallet, including references to online Web games. Some of the graphics embedded in this code appear to prompt the user with guidance on how to change the cryptocurrency wallet address their currency is contained within.
Figure 9: The “Rabby Wallet” code appears inside this MyTestExtension folder the file drops into the user’s AppData path
Additionally, we identified a malicious payload hosted at storage.googleapis[.]com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe. This suggests a well-orchestrated setup that blends certificate abuse, cloud-hosted payloads, and evasive infrastructure to facilitate data theft or remote access.
Following the initial wave of phishing domains targeting Booking.com and popular cryptocurrency wallets, our investigation uncovered a broader and rapidly evolving infrastructure leveraging the deceptive character. While many of these domains initially focused on impersonating cryptocurrency platforms, we have since identified a growing number of domains that extend beyond crypto and travel sectors.
A significant portion of these newly observed domains currently lack active content, but their structural patterns, registration timing, and thematic similarities suggest they are likely part of a coordinated setup. Notably, we saw these domains that do not target cryptocurrency, begin appearing shortly after public reporting on August 14, 2025, indicating that threat actors may be quickly adopting this tactic across multiple verticals.
Some of the newly discovered domains appear to target major tech platforms. For instance, we found several Microsoft-themed domains such as:
This domain impersonates Cloudflare’s access control feature. Interestingly, both the original Booking.com phishing domain hxxps://account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ and the Cloudflare domain share the same hostname segment: restric-access. This reuse of hostname structure across different brands suggests a shared domain generation pattern or toolkit, possibly indicating a common threat actor or automated infrastructure setup.
Other domains seem to target educational services. Examples include:
sdu[.]edu[.]cnんcasんlogin[.]pass-sdu-edu[.]cn
These resemble login portals for universities and could be used in credential harvesting campaigns targeting students.
We also observed additional crypto-related domains like booth[.]pmんgiftsん8f53a3a2-adbc-4d10-9d03-f338215de494ん[.]sakurayuki[.]dev, which appears to be themed around digital gifts or giveaways, a common lure in crypto phishing. Another domain www[.]revolut[.]comんviewんtransactionんb3edf3638c29m4qdl5kdlx3んstatus[.]online, mimics the all-in-one finance application, likely intended to exploit user trust and familiarity with financial platforms.
In addition to these, we found several domains that are likely test cases or proof-of-concept setups, possibly created by researchers or security teams:
These domains contain keywords such as “test”, “donot[.]press”, and “webphishing”, which suggest they are likely not part of active malicious campaigns but rather used for experimentation or awareness.
While these domains are not currently serving malicious content, their existence highlights how quickly this tactic is spreading. It’s common for threat actors to register domains in advance, either to avoid detection or to prepare infrastructure for future campaigns. The consistent use of the ん character across both malicious and experimental domains reinforces its potential as a tool for visual deception.
Implications for Defenders
One of the challenges with tracking these kinds of phishing campaigns is that Unicode makes detection and monitoring more complex than with traditional Latin characters. Characters like ん are visually similar to Latin letters or punctuation but are encoded differently, so they can slip past basic string-matching filters or regex-based detection rules, particularly rules that only ever see the ASCII xn-- form and never decode it.
Chrome’s IDN policy allows certain scripts, such as Latin and Hiragana to be used within a single label. This is permitted to support multilingual domain names, but with some exceptions to prevent abuse. For example, Chrome restricts combinations that are known to be highly confusable or deceptive. However, the policy still allows enough flexibility that threat actors can exploit visually similar characters like ん in phishing domains.
Many security tools and URL scanners aren’t configured to normalize or visually compare Unicode characters, which allows these domains to evade automated detection.
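The Punycode step described earlier and the detection gap described here, together, as an added example that is not Netcraft’s code: it encodes and decodes xn-- labels with Python’s punycode codec, classifies each character’s script from its Unicode name, flags labels that mix Latin with Hiragana (or other confusable scripts), and shows the host a hurried reader perceives next to the domain that actually resolves. Two assumptions: the registrable domain is approximated by the last two labels rather than the Public Suffix List, and the sample hostnames are the article’s own, written with real dots instead of the defanged [.] form.

```python
"""Decode IDN hostnames and flag Hiragana-ん lookalike labels (added example)."""
import unicodedata

HIRAGANA_N = "\u3093"   # ん, which reads as a '/' at a glance
# Scripts that should raise suspicion when mixed with Latin inside one label.
SUSPECT_SCRIPTS = {"HIRAGANA", "KATAKANA", "CYRILLIC", "GREEK", "ARMENIAN"}


def encode_host(host: str) -> str:
    """Punycode each non-ASCII label into its xn-- form (what goes into DNS)."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def decode_host(host: str) -> str:
    """Reverse of encode_host; labels without xn-- pass through unchanged."""
    return ".".join(
        label[4:].encode("ascii").decode("punycode") if label.lower().startswith("xn--") else label
        for label in host.split("."))


def script_of(ch: str) -> str:
    """Rough script class taken from the Unicode character name."""
    if ch.isascii():
        return "COMMON"                     # letters, digits and '-' allowed in hostnames
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze(host: str) -> dict:
    """Findings for one hostname given in either Unicode or xn-- form."""
    uni = decode_host(host.rstrip("."))
    labels = uni.split(".")
    mixed = []
    for label in labels:
        scripts = {script_of(c) for c in label}
        has_latin = any(c.isascii() and c.isalpha() for c in label)
        if has_latin and scripts & SUSPECT_SCRIPTS:
            mixed.append(label)
    findings = {
        "unicode": uni,
        "ascii": encode_host(uni),
        "mixed_script_labels": mixed,
        "contains_hiragana_n": HIRAGANA_N in uni,
        "perceived_host": None,
        "registrable_domain": None,
    }
    if findings["contains_hiragana_n"]:
        # What a hurried reader sees: everything up to the first ん looks like the host.
        findings["perceived_host"] = uni.split(HIRAGANA_N, 1)[0]
        # What actually resolves. Assumption: last two labels, no Public Suffix List,
        # so 'co.uk'-style suffixes are not handled.
        findings["registrable_domain"] = ".".join(labels[-2:])
    findings["suspicious"] = bool(mixed) or findings["contains_hiragana_n"]
    return findings


if __name__ == "__main__":
    for h in ("example.comんlogin", "example.xn--comlogin-0o4g",
              "chromewebstore.google.comんdetailんokx-wallet.comprehensive-protection.guru"):
        print(analyze(h))
```

Running the detector on the xn-- form and on the raw Unicode form gives the same findings, which is the point: a rule that decodes before matching catches the domain whichever way a log, a proxy or a certificate transparency feed happens to record it.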
Outpacing Confusable Character Threats
The use of confusable Unicode characters in phishing domains isn’t new but is evolving. The abuse of Hiragana ん is just one example of how subtle character swaps can bypass filters and fool even vigilant users. Netcraft will continue to monitor this tactic, track emerging infrastructure, and share updates as attackers refine their methods.
Alluxio today announced strong results for the second quarter of its 2026 fiscal year. During the quarter, the company launched Alluxio Enterprise AI 3.7, a major release that delivers sub-millisecond TTFB (time to first byte) latency for AI workloads accessing data on cloud storage.
Alluxio also reported new customer wins across multiple industries and AI use cases, including model training, model deployment, and feature store query acceleration. In addition, the MLPerf Storage v2.0 benchmark results underscored Alluxio’s leadership in AI infrastructure performance, with the platform achieving exceptional GPU utilization and I/O acceleration across diverse training and checkpointing workloads.
Key Features of Alluxio Enterprise AI 3.7
Ultra-Low Latency Caching for Cloud Storage – Alluxio AI 3.7 introduces a distributed, transparent caching layer that reduces latency to sub-millisecond levels while retrieving AI data from cloud storage. It achieves up to 45× lower latency than S3 Standard and 5× lower latency than S3 Express One Zone, plus up to 11.5 GiB/s (98.7 Gbps) throughput per worker node, with linear scalability as nodes are added.
Enhanced Cache Preloading – The Alluxio Distributed Cache Preloader now supports parallel loading, delivering up to 5× faster cache preloading to ensure hot data availability for faster AI training and inference cold starts.
Role-Based Access Control (RBAC) for S3 Access – New granular RBAC capabilities allow tight integration with identity providers (OIDC/OAuth 2.0, Apache Ranger), controlling user authentication, authorization, and permitted operations on cached data.
Customer Momentum in H1 2025
The first half of 2025 saw record market adoption of Alluxio AI, with customer growth exceeding 50% compared to the previous period. Organizations across tech, finance, e-commerce, and media sectors have increasingly deployed Alluxio’s AI acceleration platform to enhance training throughput, streamline feature store access, and speed inference workflows. With growing deployments across hybrid and multi-cloud environments, demand for Alluxio AI reflects rapidly rising expectations for high-performance, low-latency AI data infrastructure. Notable customers added in the half include:
Salesforce
Dyna Robotics
Geely
Substantial I/O Performance Gains Confirmed in MLPerf Storage v2.0 Benchmark
Alluxio’s distributed caching architecture underscores its commitment to maximizing GPU efficiency and AI workload performance. In the MLPerf Storage v2.0 benchmarks:
Training Throughput
ResNet50: 24.14 GiB/s supporting 128 accelerators with 99.57% GPU utilization, scaling linearly from 1 to 8 clients and 2 to 8 workers.