Cybersecurity News that Matters

[Weekend Briefing] Prague, Laundry Bear, Safari

Illustration by Daeun Lee, The Readable

by Dain Oh

May. 30, 2025
8:02 PM GMT+9

“Weekend Briefing” is a weekly newsletter sent to subscribers of The Readable every Friday.


This is Dain Oh reporting from South Korea, and here is your weekend briefing.

1. FSI expands cross-border cybersecurity efforts with Japan amid rising AI threats – The Readable

South Korea’s Financial Security Institute (FSI) reaffirmed its commitment to global cyber defense by joining the 2025 Financials ISAC Japan Annual Conference, held in Tokyo from May 26–27. The event brought together regulators and cybersecurity experts from Japan, the U.S., and leading financial firms to share threat intelligence and strengthen joint response efforts.

Delivering a keynote address, FSI CEO Park Sang-won stressed the urgency of embedding strong security principles into artificial intelligence (AI)-powered financial services. He pointed to FSI’s ongoing efforts to build an AI safety framework and train internal specialists, noting, “AI is fundamentally reshaping the financial sector, and innovation must be grounded in robust security.”

FSI CEO Park Sang-won speaks at the 2025 Financials ISAC Japan Annual Conference, held in Tokyo from May 26 to 27. Photo courtesy of the Financial Security Institute

Park also held talks with officials from Japan’s Financials ISAC and the U.S.-based FS-ISAC, where discussions centered on secure AI deployment, cybersecurity regulations, and potential joint training and simulation exercises—part of broader efforts to deepen international collaboration in countering emerging digital threats.

2. Prague accuses China of hacking Czech foreign ministry – Politico

The Czech government has publicly accused China of conducting a cyberattack on its foreign ministry, exposing thousands of unclassified emails exchanged with EU institutions and embassies. The attack, attributed to the Chinese state-backed hacking group APT31, reportedly began in 2022 when Czechia held the EU presidency. Foreign Minister Jan Lipavský condemned the intrusion as a serious threat to national resilience and announced plans to summon the Chinese ambassador.

This marks the first time Czechia has formally blamed a foreign state for a cyberattack. The conclusion was backed by multiple Czech intelligence and cybersecurity agencies. APT31, which is tied to China’s Ministry of State Security, has also been accused of past cyber campaigns targeting political figures in the U.S. and Europe.

The revelation triggered strong reactions from the EU and NATO. EU foreign policy chief Kaja Kallas expressed solidarity with Czechia and urged China to respect international norms. NATO echoed this sentiment, warning of persistent cyber threats to democratic institutions and pledging to strengthen collective defenses.

3. US Treasury takes action against major cyber scam facilitator – US Treasury Department

The U.S. Department of the Treasury has imposed sanctions on Funnull Technology Inc., a Philippines-based cloud infrastructure provider, for its role in facilitating widespread cryptocurrency investment scams known as “pig butchering.” These scams, which involve fraudsters building trust with victims online before convincing them to invest in fake crypto platforms, have led to over $200 million in reported losses by U.S. victims. Funnull is accused of supplying the technical infrastructure—such as bulk-purchased IP addresses and hosting services—that enabled scammers to operate fraudulent websites and evade detection.

The Treasury also sanctioned Liu Lizhi, a 40-year-old Chinese national identified as Funnull’s administrator. Investigations revealed that Funnull’s services were linked to most of the virtual currency investment scam websites reported to the FBI. Security firm Silent Push found that Funnull operated as a criminal content delivery network, routing traffic through U.S.-based cloud providers like Amazon Web Services and Microsoft Azure to mask malicious activities. Despite efforts by these providers to curb abuse, Funnull continued to exploit their platforms to support scam operations.

Pig butchering scams typically begin with unsolicited messages on social media or dating apps, where scammers pose as potential romantic or business partners. After establishing trust, they persuade victims to invest in fraudulent cryptocurrency schemes, often requiring additional payments under the guise of taxes or fees. Ultimately, victims find themselves unable to withdraw funds, resulting in significant financial losses.

4. New Russian state hacking group hits Europe and North America – Infosecurity Magazine

Microsoft has identified a Russian state-linked hacking group called Void Blizzard that is targeting government and critical sectors across Europe and North America, especially NATO countries and Ukraine. The group has successfully breached organizations, including a Ukrainian aviation agency, and is focused on collecting sensitive data like emails and cloud files.

Recently, Void Blizzard launched a targeted phishing campaign using fake Microsoft login pages and malicious QR codes to steal user credentials. These attacks have grown more sophisticated, posing greater risks to NGOs, government bodies, and defense-related industries.

Dutch intelligence, which tracks the group as Laundry Bear, confirmed breaches in several national organizations, including the police. Authorities say the group is conducting espionage to gather information on Western military technology and arms support for Ukraine.

5. How cybercriminals weaponize fake AI-themed websites – Google Cloud

Google’s cybersecurity arm, Mandiant, has uncovered a new cybercrime campaign that exploits the growing interest in AI tools. A threat group linked to Vietnam, known as UNC6032, created fake websites mimicking popular AI video tools like Luma AI, Canva Dream Lab, and Kling AI. These fake sites were promoted through thousands of ads on social media platforms like Facebook and LinkedIn, reaching over 2.3 million users in the EU alone.

When users visited these fake websites and clicked on buttons like “Start Free Trial,” they unknowingly downloaded ZIP files containing malware instead of real AI tools. The files delivered a dropper called STARKVEIL, which then installed malicious software such as GRIMPULL, XWORM, and FROSTRIFT. These programs are designed to steal sensitive information, including login credentials, cookies, credit card data, and Facebook session tokens.

This campaign targets everyday users, not just technical ones. Check the domain in the address bar against the vendor's real site before downloading any AI tool, treat download links reached through social media ads as suspect, and keep endpoint security software up to date.

6. Safari flaw enables stealthy fullscreen phishing attacks, a security firm says – The Readable

Cybersecurity firm SquareX has described a variant of the Browser-in-the-Middle (BitM) attack that abuses the browser Fullscreen API to deceive users. The attacker's page enters fullscreen mode and presents a fake login page, hiding the browser's real address bar and every other visual trust indicator, so the deception is very hard to spot.

The technique relies on the Fullscreen API's permissive activation rule: entering fullscreen only requires a user gesture, so a click on any fake button on the attacker's page is enough. Safari users are especially exposed because the browser shows no notification when a page enters fullscreen. Chrome and Firefox do display a message, but it is brief and easy to miss.

Because the attack runs entirely inside the browser and produces no suspicious traffic on the endpoint, SquareX says traditional controls such as EDR (Endpoint Detection and Response) and SASE (Secure Access Service Edge) have nothing to flag. The fullscreen BitM technique opens new avenues for credential theft, session hijacking, and even disinformation campaigns built on convincing, attacker-controlled pages.
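To make the mechanics concrete, here is an added example in JavaScript; it is not SquareX's or The Readable's code. The first function is the attacker-side trigger: a click on a fake button is all the user activation that `requestFullscreen()` needs. The second is a defender-side sketch, shaped like a browser-extension content script, that paints its own persistent banner naming the page's real origin inside the fullscreen element, which is the indicator Safari does not provide. `fakeDom`, `simulateAttack`, the banner wording and the origin `https://sso-portal.example` are constructed for the example so that it runs outside a browser.

```javascript
// Added example, not code from SquareX or The Readable. Two halves:
//  1. the attacker-side trigger the article describes: a click on any fake
//     button supplies the transient user activation the Fullscreen API
//     requires, so nothing stops the page from going full screen;
//  2. a defender-side sketch, shaped like a browser-extension content script,
//     that paints its own persistent origin banner inside the fullscreen
//     element because Safari shows no fullscreen indicator of its own.
// The guard takes `doc` and `win` as parameters so it can be exercised here
// with a small constructed stand-in for the DOM (fakeDom, below).

const BANNER_ID = 'fullscreen-origin-guard';

// --- 1. attacker side ----------------------------------------------------
// `container` is the element that will hold the attacker-controlled content
// (in a BitM attack typically a remote-browser canvas); `loadDecoy` swaps in
// the look-alike login page once the real address bar is hidden.
function armFakeButton(button, container, loadDecoy) {
  button.addEventListener('click', () => {
    const request = container.requestFullscreen || container.webkitRequestFullscreen;
    // Older Safari's prefixed method returns undefined rather than a promise.
    Promise.resolve(request.call(container)).then(loadDecoy);
  });
}

// --- 2. defender side ----------------------------------------------------
// The banner states the page's real origin, so an attacker-drawn address bar
// showing some other hostname contradicts it in plain sight.
function bannerText(origin) {
  return `FULL SCREEN: you are on ${origin} (press Esc to leave)`;
}

function installFullscreenGuard(doc, win) {
  const onChange = () => {
    const fs = doc.fullscreenElement || doc.webkitFullscreenElement || null;
    const old = doc.getElementById(BANNER_ID);
    if (old) old.remove();
    if (!fs) return;
    // Everything outside the fullscreen element is hidden behind the top
    // layer, so the banner must be a descendant of that element.
    const banner = doc.createElement('div');
    banner.id = BANNER_ID;
    banner.textContent = bannerText(win.location.origin);
    banner.setAttribute('style',
      'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
      'background:#b00020;color:#fff;font:14px sans-serif;padding:6px');
    fs.appendChild(banner);
  };
  doc.addEventListener('fullscreenchange', onChange);
  doc.addEventListener('webkitfullscreenchange', onChange); // Safari's prefixed event
  return onChange;
}

// --- 3. constructed stand-in DOM, just enough for the two halves above ----
function fakeDom(origin) {
  const listeners = {};
  const byId = new Map();
  const fire = (name) => (listeners[name] || []).forEach((fn) => fn());
  function makeEl(tag) {
    const handlers = {};
    const el = {
      tag, id: '', textContent: '', children: [], parent: null,
      addEventListener(n, fn) { (handlers[n] = handlers[n] || []).push(fn); },
      click() { (handlers.click || []).forEach((fn) => fn()); },
      appendChild(c) { c.parent = el; el.children.push(c); if (c.id) byId.set(c.id, c); return c; },
      remove() {
        if (el.parent) el.parent.children = el.parent.children.filter((x) => x !== el);
        byId.delete(el.id);
      },
      setAttribute() {},
      requestFullscreen() { doc.fullscreenElement = el; fire('fullscreenchange'); return Promise.resolve(); },
    };
    return el;
  }
  const doc = {
    fullscreenElement: null,
    createElement: makeEl,
    getElementById: (id) => byId.get(id) || null,
    addEventListener(n, fn) { (listeners[n] = listeners[n] || []).push(fn); },
    exitFullscreen() { doc.fullscreenElement = null; fire('fullscreenchange'); },
  };
  return { doc, win: { location: { origin } }, makeEl };
}

// Runs the attack against a page protected by the guard and reports what the
// user would see. The origin is constructed for the example.
function simulateAttack() {
  const { doc, win, makeEl } = fakeDom('https://sso-portal.example');
  installFullscreenGuard(doc, win);
  const button = makeEl('button');
  const container = makeEl('div');
  armFakeButton(button, container, () => {});
  button.click(); // the victim's single click
  const banner = doc.getElementById(BANNER_ID);
  const bannerInsideFullscreen =
    doc.fullscreenElement === container && banner !== null && banner.parent === container;
  const text = banner ? banner.textContent : null;
  doc.exitFullscreen();
  return { bannerInsideFullscreen, text, bannerGone: doc.getElementById(BANNER_ID) === null };
}

if (typeof document !== 'undefined') {
  installFullscreenGuard(document, window); // real browser: protect this page
} else {
  console.log(JSON.stringify(simulateAttack()));
}
```

Run under Node it prints what the simulation found; loaded in a browser it installs the guard on the current page. Two caveats: the guard only helps if it runs on the attacker's page, which in practice means a content script injected into every site; and page JavaScript can delete a banner that lives in the page DOM, so a production extension should draw in extension-owned UI or a closed shadow root instead.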

7. The Mandiant M-Trends 2025 Report – Google Cloud

The Mandiant M-Trends 2025 report finds that attackers in 2024 exploited weak security practices, especially through infostealer malware, stolen credentials, and unprotected data. Exploited software vulnerabilities accounted for a third of intrusions, and the financial sector was the most targeted. The median time attackers remained undetected rose slightly to 11 days, and insider threats, particularly North Korean IT workers hired under false identities, posed growing risks.

Ransomware remained a dominant threat, comprising 21% of cases. Groups like RANSOMHUB and REDBIKE used a mix of common tools and fast-moving tactics, with many attacks detected within a week. Access was often gained through brute-force attacks or stolen credentials, and operations frequently combined encryption with data theft for extortion.

Geopolitics heavily influenced threat activity. Russian and North Korean groups escalated operations, with APT44 and APT45 newly designated as named threat groups for their roles in espionage and cybercrime. Iran-linked actors expanded their use of custom malware and relied on social engineering, fake websites, and public cloud services to stay hidden. Overall, attackers showed growing sophistication in blending into trusted environments.


Editor’s note: Each item in this briefing was initially summarized or translated by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.
