Cybersecurity News that Matters

[Weekend Briefing] Cryptocurrency thefts reach record high in first half of 2025

Illustration by Areum Hwang, The Readable

by Dain Oh

Jul. 18, 2025
8:33 PM GMT+9

“Weekend Briefing” is a weekly newsletter sent to subscribers of The Readable every Friday.


In recent months, governments and cybersecurity researchers have observed a consistent rise in cyberattacks targeting critical infrastructure, state agencies and private entities. International law enforcement operations, financially motivated thefts and state-linked espionage campaigns have revealed significant vulnerabilities across digital ecosystems. This collection of articles outlines recent developments involving pro-Russian and Chinese cyber actors, large-scale cryptocurrency thefts and software vulnerabilities affecting government communication tools. A report published by The Readable this week is also included at the end.

This is Dain Oh reporting from South Korea and here is your weekend briefing.

1. Europol-led crackdown hits Russian-aligned DDoS group in global cybercrime sweep – Europol

Authorities from across Europe and the United States have disrupted the pro-Russian cybercrime group NoName057(16) through a sweeping international operation known as Eastwood, coordinated by Europol and Eurojust between July 14 and 17. Law enforcement agencies from 12 countries executed house searches, issued arrest warrants and dismantled over 100 global servers including a significant portion of the group’s command infrastructure. German authorities issued six arrest warrants targeting Russian nationals, two of whom are believed to be the group’s ringleaders. In total, over 1,000 individuals affiliated with the network, including 15 administrators, were formally notified of their legal liability.

NoName057(16) is known for launching distributed denial-of-service (DDoS) attacks, particularly against countries supporting Ukraine in its defense against Russia’s invasion. Though lacking sophisticated leadership or technical capabilities, the group has used gamified recruitment tactics and paid participants in cryptocurrency to conduct attacks. Their recent targets include critical infrastructure in Germany, Switzerland, Sweden and the Netherlands, with notable incidents timed alongside political events such as NATO summits and Ukrainian diplomatic addresses. Despite the scale of operations, most attacks were mitigated without major service disruptions.

Europol provided centralized coordination, digital forensics and real-time support via its Virtual Command Post. Eurojust facilitated judicial cooperation through investigation orders and legal assistance during the raids. The operation reflects a growing consensus among Western nations to crack down on ideologically driven cyber threats, with particular attention to the manipulation of young tech-savvy sympathizers mobilized through social media and online forums.

2. Crypto thefts surge past $2.17B in 2025 as North Korea-linked ByBit hack sets new record – Chainalysis

The first half of 2025 has already surpassed 2024 in terms of cryptocurrency theft, with more than $2.17 billion stolen to date—placing the year on track to exceed $4 billion in losses. A single $1.5 billion breach at ByBit attributed to North Korea represents nearly 70% of this figure and marks the largest crypto theft on record. Meanwhile, attacks on individual wallets now account for almost a quarter of all stolen funds, reflecting a growing trend of targeting private users rather than institutional services.

These evolving tactics highlight a shift in the digital crime landscape. Threat actors exploiting personal wallets are increasingly leaving stolen assets untouched on-chain, amassing more than $8.5 billion in dormant holdings. Furthermore, physical violence linked to crypto theft, known as “wrench attacks,” has sharply increased and shows a correlation with rising bitcoin prices, suggesting that volatility and valuation drive opportunistic attacks. A high-profile kidnapping in the Philippines underscores how blockchain forensics can aid in solving violent crypto-related crimes, despite these incidents often going unreported.

Geographic analysis shows that the U.S., Germany, Russia and several Asian countries have the highest victim counts, with regional differences in asset types reflecting varying patterns of crypto adoption. Laundering behavior also differs by target type: actors attacking services display greater technical sophistication and urgency, while those compromising personal wallets often rely on centralized exchanges and sanctioned entities. These developments underscore the urgent need for enhanced security measures across both institutional and individual levels as the crypto sector reaches a pivotal point in defending against increasingly complex threats.

3. China-linked hackers target Taiwan’s chip industry with increasing attacks, researchers say – Reuters

Chinese-linked hacking groups have intensified cyber espionage efforts targeting Taiwan’s semiconductor sector and financial analysts, according to cybersecurity firm Proofpoint. In a newly released report, researchers revealed that at least three distinct China-aligned threat actors carried out previously unreported campaigns between March and June 2025, with some activity likely still ongoing. The targets, ranging from small firms to analysts at a U.S.-based global bank, were attacked via spear-phishing emails often using compromised Taiwanese university accounts to deliver malware disguised as job-related documents.

This surge in espionage coincides with U.S. export restrictions on advanced chips destined for China, which has spurred Beijing’s urgency in securing alternative sources, especially in sectors such as AI. While major Taiwanese firms including TSMC, MediaTek and UMC are central to global chip supply, none have commented on whether they were affected. One campaign mimicked an investment firm to lure analysts while another targeted chipmakers and supply chain partners. A Taiwanese cybersecurity firm, TeamT5, confirmed an uptick in such attacks, but noted they remain targeted rather than widespread.

Chinese officials denied involvement, stating that China opposes all forms of cybercrime. However, researchers emphasize that espionage against semiconductor entities, including peripheral industries such as chemicals, has long been a focal point for Chinese state-affiliated hackers. The campaigns highlight ongoing geopolitical and technological tensions surrounding chip dominance, with Taiwan remaining a key battleground.

4. National Guard hacked by Chinese ‘Salt Typhoon’ campaign for nearly a year, DHS memo says – NBC News

A Chinese-linked cyberespionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for at least nine months, according to a Department of Homeland Security memo disclosed in June. The breach, which occurred from March to December 2024, is part of a broader and highly persistent espionage campaign attributed to one of China’s most sophisticated cyberspy units. Though the affected state has not been named, the memo suggests that sensitive military, law enforcement and infrastructure data may have been compromised. Officials continue to assess the full scope of the breach.

Salt Typhoon is already known for breaching major U.S. telecommunications firms, including AT&T and Verizon, and for conducting surveillance tied to the Harris and Trump campaigns, as well as the office of Senator Chuck Schumer. Its infiltration of the National Guard raises fresh concerns about exposure across state and federal systems, especially given the Guard’s integration with local law enforcement and cybersecurity partners. The attackers reportedly accessed network maps, service member data and sensitive architecture diagrams, which could be used to facilitate further intrusions elsewhere.

While China’s embassy in Washington denied official involvement and demanded evidence linking the campaign to Beijing, U.S. authorities recently sanctioned a Sichuan-based company accused of supporting Salt Typhoon on behalf of China’s Ministry of State Security. Cybersecurity experts warn that Salt Typhoon is difficult to expel once inside a network, with one report documenting the group’s presence in compromised systems for as long as three years. Despite containment efforts by some previous victims such as AT&T and Verizon, officials caution that long-term vulnerabilities may remain.

5. Hackers are trying to steal passwords and sensitive data from users of Signal clone – TechCrunch

Hackers are actively exploiting a known vulnerability in TeleMessage, a corporate messaging app modeled on Signal, to access users’ private information, according to cybersecurity researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw, identified as CVE-2025-48927, can reportedly be exploited to obtain plaintext usernames, passwords and other sensitive data. Despite the vulnerability being disclosed in May, security firm GreyNoise warns that many systems remain exposed and that exploitation is “trivial” for attackers.

The issue gained heightened attention after TeleMessage, previously little-known, was revealed to have been used by high-level Trump administration officials. In one incident, then-National Security Advisor Mike Waltz mistakenly added a journalist to a secret chat discussing military plans, leading to a scandal and Waltz’s removal. Following public exposure of the app’s use within sensitive government and corporate environments, hackers breached TeleMessage in May, accessing message data from users including U.S. Customs and Border Protection and crypto company Coinbase, according to reporting by 404 Media.

Although CISA has added the TeleMessage flaw to its catalog of Known Exploited Vulnerabilities — confirming that hackers are actively targeting it — no specific follow-up breaches tied to this vulnerability have yet been disclosed. TeleMessage, which markets secure communication tools for compliance-conscious clients, did not respond to requests for comment regarding the ongoing exploitation attempts.

6. Pega’s cybersecurity approach: Guardrails over guarantees – The Readable

Frank Guerrera, Chief Cloud Officer at Pega. Picture provided by Frank Guerrera, Pega; Illustration by Areum Hwang, The Readable

As enterprise systems grow more automated and interconnected, cybersecurity is no longer just a matter of defending the perimeter. For Pega, a maker of low-code process automation tools used across regulated industries, security is a question of balance—between openness and control, speed and stability, autonomy and oversight. And that balance, according to Chief Cloud Officer Frank Guerrera, comes with a catch: the tools are there, but the responsibility isn’t shared equally.

“We support SAML (Security Assertion Markup Language) integration for clients to choose their own authentication mechanisms including Okta,” Guerrera says. In other words, clients can plug Pega into their own identity and access setups. But who gets access to what? That’s not something Pega decides. “As part of the shared responsibility model, clients must define appropriate policies for managing access permissions in systems such as RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control).”

This hands-off stance isn’t a loophole—it’s a core design choice. Pega gives customers the infrastructure and security scaffolding but not the rules. It’s up to each client to define boundaries and monitor who crosses them. Misconfigured roles or delegated privileges that grant too much power? Pega won’t block those outright. It simply expects clients to use the provided tools correctly.
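The customer side of the shared responsibility model described above is, in practice, a policy layer the client writes and audits itself. The following is an added illustration of what that layer looks like, not Pega’s code or any product API: a minimal RBAC check (role grants a capability) combined with an ABAC check (attributes scope it), plus a least-privilege audit that flags roles carrying wildcard permissions, which is exactly the “too much power” misconfiguration the platform will not block for you. All role names, permissions, attributes and the `resource:action` permission format are constructed for this example.

```python
from dataclasses import dataclass

# Constructed example of a client-defined authorization layer.
# Roles, permissions and attributes below are invented for illustration.

@dataclass
class Principal:
    user: str
    roles: frozenset        # RBAC: roles assigned to the user
    attrs: dict             # ABAC: e.g. {"department": "claims", "clearance": 2}

# RBAC table: role -> permissions written as "resource:action".
# "*" and "resource:*" are wildcards; they are what the audit below looks for.
ROLE_PERMISSIONS = {
    "case_viewer":    {"case:read"},
    "case_worker":    {"case:read", "case:update"},
    "case_admin":     {"case:*"},
    "platform_admin": {"*"},        # overly broad; should be reviewed
}

# ABAC rules: (resource, action, predicate(principal_attrs, resource_attrs)).
# A rule that matches the request must hold, or the request is denied.
ABAC_RULES = [
    # Users may only update cases owned by their own department.
    ("case", "update", lambda p, r: p.get("department") == r.get("department")),
    # Users may only read cases at or below their clearance level.
    ("case", "read",   lambda p, r: p.get("clearance", 0) >= r.get("sensitivity", 0)),
]

def rbac_allows(roles, resource, action):
    """True if any of the roles grants resource:action (directly or via wildcard)."""
    wanted = f"{resource}:{action}"
    for role in roles:
        for perm in ROLE_PERMISSIONS.get(role, set()):
            if perm in ("*", wanted, f"{resource}:*"):
                return True
    return False

def abac_allows(principal_attrs, resource, action, resource_attrs):
    """True unless some matching attribute rule rejects the request."""
    for res, act, predicate in ABAC_RULES:
        if res == resource and act == action and not predicate(principal_attrs, resource_attrs):
            return False
    return True

def is_allowed(principal, resource, action, resource_attrs):
    """Both layers must agree: RBAC grants the capability, ABAC narrows its scope."""
    return (rbac_allows(principal.roles, resource, action)
            and abac_allows(principal.attrs, resource, action, resource_attrs))

def audit_overbroad_roles(role_permissions=ROLE_PERMISSIONS):
    """Return roles holding wildcard permissions, i.e. least-privilege review candidates."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(p == "*" or p.endswith(":*") for p in perms))

if __name__ == "__main__":
    alice = Principal("alice", frozenset({"case_worker"}),
                      {"department": "claims", "clearance": 1})
    print(is_allowed(alice, "case", "update", {"department": "claims", "sensitivity": 0}))
    print(is_allowed(alice, "case", "update", {"department": "fraud", "sensitivity": 0}))
    print(audit_overbroad_roles())
```

The point of separating the two checks is that a role assignment alone never decides an outcome: even a correctly scoped role is further constrained by attributes the client controls, and the audit function gives the client a repeatable way to find the wildcard grants that its own configuration, not the vendor, is responsible for.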


Editor’s note: Each item in this briefing was initially summarized or translated by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.
