We’ve compiled the most significant cybersecurity news from the past week.
- The conflict in the Middle East has triggered cyberattacks in 16 countries.
- A group in Kazakhstan is suspected of laundering $4.7 million through cryptocurrency.
- Researchers have discovered spyware capable of hacking iPhones.
- The FBI has shut down a cyber forum with data from 142,000 users.
Middle East Conflict Triggers Cyberattacks in 16 Countries
Cybersecurity researchers at Radware warned of a surge in hacker activity following a coordinated military campaign by the U.S. and Israel against Iran.
The first recorded DDoS attack occurred on February 28, attributed to Hider Nex (also known as Tunisian Maskers Cyber Force), a Tunisian hacktivist group. They employ a "hack-and-leak" strategy, combining network overload with data theft to further their agenda.
According to Radware, from February 28 to March 2, there were 149 reports of denial-of-service attacks targeting 110 organizations across 16 countries, carried out by 12 different groups, with Keymous+ and DieNet accounting for about 70% of the activity.
Attack statistics include:
- The vast majority of attacks (107) were concentrated in the Middle East, with Europe accounting for 22.8% of global activity;
- Nearly 47.8% of the affected organizations were in the public sector, followed by finance (11.9%) and telecommunications (6.7%);
- Within the Middle East, attacks impacted Kuwait (28%), Israel (27.1%), and Jordan (21.5%).
Other groups involved included Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team, Handala Hack, APT Iran, and others.
According to The Hacker News, the current scale of cyberattacks includes:
- Hacks on military networks. Pro-Russian groups Cardinal and Russian Legion claimed to have hacked Israeli military networks, including the Iron Dome missile defense system;
- SMS phishing. One target of the hackers was the RedAlert app, a mobile version of the early warning system "Tzeva Adom" ("Red Color"). The attackers likely exploited vulnerabilities to install spyware on devices;
- Revival of old threats. The Cotton Sandstorm group (Haywire Kitten) resumed operations under the name Altoufan Team, attacking websites in Bahrain.
Group in Kazakhstan Suspected of Laundering $4.7 Million via Cryptocurrency
Kazakhstan law enforcement has detained suspects involved in illegal activities and money laundering using cryptocurrency. This was reported by the press service of the Financial Monitoring Agency.
According to the investigation, the organizer devised a scheme to profit from transactions involving digital assets. Participants were responsible for finding drop accounts, setting up bank cards and accounts on cryptocurrency exchanges, conducting financial operations, and subsequently cashing out funds.
Money deposited into bank cards of over 150 intermediaries was transferred to their cryptocurrency wallets on the ATAIX exchange. The criminals provided fake loan agreements between account holders and affiliated legal entities, after which the funds were converted into digital assets and sent to addresses on OKX.
A controlled exchange point was used for converting and withdrawing cryptocurrency, through which funds were converted into foreign currency. As a result, the total amount of transactions exceeded 3.5 billion tenge (approximately $4.7 million at the time of writing).
During the search, law enforcement seized 46 mobile phones, 92 bank cards, and 25,463 USDT.
Researchers Discover Spyware for Hacking iPhones
Researchers from Google’s Threat Intelligence Group (GTIG) found a powerful toolkit for hacking iPhones running older versions of iOS. They suspect that the spyware was leaked from a government contractor.
The exploit package, named Coruna, was first discovered by Google in February 2025 during an attempt by a surveillance technology provider to hack a phone using spyware commissioned by a government agency.
Months later, the malware was identified during a large-scale campaign by a Russian espionage group targeting Ukrainian users, and was later found in the possession of a hacker in China.
Google researchers warned of the emergence of a market for "used" exploits being resold to hackers looking to maximize profits from vulnerabilities.
The mobile security company iVerify conducted reverse engineering on these tools. Experts linked the Coruna package to the U.S. government based on similarities with software previously attributed to the U.S.
According to Google experts, the Coruna tools are extremely dangerous: they can bypass iPhone security when the user simply visits a malicious website (for instance, by clicking a link), a technique known as a watering hole attack. The package can compromise a smartphone in five different ways, utilizing a chain of 23 separate vulnerabilities. The threat remains for device owners with iOS versions from 13 to 17.2.1.
FBI Shuts Down Cyber Forum with Data from 142,000 Users
The FBI, in a joint operation led by Europol, shut down a major online platform used by hackers for buying and selling hacking tools and stolen data.
On March 3 and 4, law enforcement blocked two LeakBase domains and warned users that evidence was being collected. Simultaneously, searches, arrests, and interrogations took place in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.
The LeakBase platform had been operational since 2021 and was initially supported by the hacker group ARES. It grew significantly after the closure of the Breached forum, boasting over 142,000 users.
Registration was free. The forum provided access to databases, a marketplace for selling leaks and exploits, an escrow payment system, as well as sections on programming, social engineering, and cryptography.
Alabama Resident Blackmailed Hundreds of Women After Hacking Their Accounts
A 22-year-old Alabama resident pleaded guilty to extortion, cyberstalking, and fraud after hacking social media accounts of hundreds of women. This was reported by the U.S. Department of Justice.
According to law enforcement, from April 2022 to May 2025, Jamarkus Mosley impersonated victims' friends and used other manipulation tactics to trick girls into giving him recovery codes and passwords. Once obtained, the fraudster took control of their accounts on Snapchat, Instagram, and other social media platforms.
After hacking, he threatened to expose private intimate photos and videos of the victims or permanently block their access unless they complied with his demands:
- granting full access to additional accounts;
- sending new sexually explicit content;
- paying various sums of money.
Prosecutors stated that in one instance, Mosley used a hacked account of a 17-year-old victim to contact her 13-year-old sister. He sent her a screenshot of a map on Snapchat, implying he knew where she lived. In another case, the hacker posted stolen images of a victim online.
