[…] , the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a “mysterious database” with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.

[…]

“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale,” researchers said.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.

[…]

Information in the leaked datasets opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services. It’s hard to miss something when 16 billion records are on the table.

[…]

 

Source: 16 billion passwords exposed in colossal data breach​ | Cybernews

https://localmess.github.io/

We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.

[…]

Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.

[…]

Additional risk: Browsing history leak

Using HTTP requests for web-to-native ID sharing (i.e. not WebRTC STUN or TURN) may expose users browsing history to third-parties. A malicious third-party Android application that also listens on the aforementioned ports can intercept the HTTP requests sent by the Yandex Metrica script and the first, now-unused, implementation of Meta’s communication channel by monitoring the Origin HTTP header.

We developed a proof-of-concept app to demonstrate the feasibility of this browsing history harvesting by a malicious third-party app. We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.

[…]

According to BuiltWith, a website that tracks web technology adoption: Meta Pixel is embedded on over 5.8 million websites. Yandex Metrica, on the other hand, is present on close to 3 million websites. According to HTTP Archive, an open and public dataset that runs monthly crawls of ~16 million websites, Meta Pixel and Yandex Metrica are present on 2.4 million and 575,448 websites, respectively.

[…]

Disclosure

Our responsible disclosure to major Android browser vendors led to several patches attempting to mitigate this issue; some already deployed, others currently in development. We thank all participating vendors (Chrome, Mozilla, DuckDuckGo, and Brave) for their active collaboration and constructive engagement throughout the process. Other Chromium-based browsers should follow upstream code changes to patch their own products.

However, beyond these short-term fixes, fully addressing the issue will require a broader set of measures as they are not covering the fundamental limitations of platforms’ sandboxing methods and policies. These include user-facing controls to alert users about localhost access, stronger platform policies accompanied by consistent and strict enforcement actions to proactively prevent misuse, and enhanced security around Android’s interprocess communication (IPC) mechanisms, particularly those relying on localhost connections.

[…]

A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names.

The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs —believed to have raked in billions from companies, hospitals, and individuals worldwide.

It’s part of his “fight against an organized society of criminals known worldwide,” GangExposed told The Register via Signal chat. He claims that he’s not interested in the $10 million bounty that the Feds have put up for information about one key Conti leader that he’s already named, as well as a second that he says will soon be identified on Telegram.

“I take pleasure in thinking I can rid society of at least some of them,” GangExposed said. “I simply enjoy solving the most complex cases.”

After creating his latest Telegram channel on May 5 — GangExposed says two earlier accounts were shut down days ago — he published his first “revelation” and outed Stern, the leader of Trickbot and Conti, as 36-year-old Russian named Vitaly Nikolaevich Kovalev. Stern’s identity was later confirmed by German police.

I take pleasure in thinking I can rid society of at least some of them

A couple of days later, GangExposed claimed to identify another key Conti crim who goes by Professor as Vladimir Viktorovich Kvitko, a 39-year-old Russian national who reportedly relocated from Moscow to Dubai. According to chat logs and other communications leaked by GangExposed, Kvitko and other Conti leaders moved to Dubai in 2020 and set up shop in the United Arab Emirates to continue their cyberattacks against Western organizations.

“Kvitko maintains a modest lifestyle, with known property in Moscow and several vehicles registered to family members,” GangExposed posted. “Income mostly originates from RM RAIL Management Company and Rosselkhozbank. In contrast, other Conti leaders (e.g., ‘Target’) display significant luxury assets, including a Moscow City apartment, Ferrari, and 2 multiple Maybach vehicles.”

He also published a video of what GangExposed says is six Conti ransomware members on a private jet, celebrating the birthday of another key leader, Target. 

The US government has offered up to $10 million for information leading to the identification or location of five key Conti operators, including “Professor” and “Target.” GangExposed says he’s going to identify Target next.

“Essentially I burned $10 million when I published Professor,” he told The Register. “And I’m about to burn another $10 million when I publish Target.”

And on Thursday, he posted a whopping 15 photos of alleged Conti members along with a more detailed write-up of Conti’s lead sysadmin Defender, aka Andrey Yuryevich Zhuykov, and Mango, aka Mikhail Mikhailovich Tsaryov, a senior manager within the group.

This is no longer just a leak — it’s a high-stakes intelligence war

“This is no longer just a leak — it’s a high-stakes intelligence war,” FalconFeeds threat intel analysts posted on social media.

Who is GangExposed?

GangExposed calls himself an “independent anonymous investigator” without any formal IT background, and said he hasn’t had “a ‘real’ name in years.”

“My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don’t even notice,” he said. “I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than those of most subjects of my investigations.”

GangExposed says he obtained all of the data he leaked via “semi-closed databases, darknet services (for probing state records through corrupt officials), and I often purchase information. I have access to the leaked FSB border control database,” which he says was being sold on the darkweb for $250,000. 

He hopes his investigation can achieve three objectives. First, he wants to publicly identify all of the gangs’ key criminal participants — GangExposed puts this number at around 50 — see them sanctioned, and also named on Interpol’s wanted persons list.

Second, GangExposed says he wants to “disrupt their current enrichment schemes by exposing the organizers of the Blockchain Life forum, which serves as a breeding ground for fraudulent pyramid schemes.” 

Blockchain Life, according to the internal chat logs, was a scheme organized by Khitrov and Kovalev (aka Stern) that aimed to legitimize Trickbot’s and Conti’s illegally obtained cryptocurrency earnings

Finally, GangExposed says he wants to “deprive them of a safe haven in the UAE. The respected authorities of the UAE strictly uphold their laws, and while they lack extradition agreements for cybercriminals, I’ve managed to investigate and prove that Conti used the UAE specifically for carrying out attacks. In other words, they physically committed a series of crimes while being present there.”

Some security researchers think he could in fact be a disgruntled former ransomware criminal looking to burn his bosses or simply resurface the 2022 Conti leaks.

“The data we’ve reviewed provides strong indicators that the source behind the leak is either an ex-member or a disgruntled insider from within the group — given the level of access, context, and internal coordination reflected in the communications,” Technisanct founder and CEO Nandakishore Harikumar told The Register. Technisanct owns FalconFeeds.

Harikumar’s threat-intel group has analyzed all of GangExposed’s leaks, and shared a 34-page analysis with The Register about the massive data dump. He recommends that law enforcement pursue investigative leads from the newly disclosed personally identifiable information about key Conti leaders detailed in the leaks. ®

https://www.theregister.com/2025/05/31/gangexposed_coni_ransomware_leaks/