Cybersecurity Decrypted #40: Crypto Fraud, Aviation Attacks, AI Regulation Debate

• Crypto fraudsters caught: With the support of Europol and other global law enforcement organizations, the Spanish Guardia Civil has taken down a cryptocurrency investment fraud ring that had laundered $542M stolen from 5,000 victims globally. 🔗
• Scattered Spider targets airlines: With attacks on WestJet and Hawaiian Airlines, the APT group has begun targeting the aviation sector. Australian airline Quantas was also hit by a cyber incident this week, but while the attack shares similarities with Scattered Spider’s methods, the airline has yet to confirm whether the infamous APT was responsible. 🔗
• Cyberattack hits International Criminal Court: The Court announced on Monday that it was hit by a “sophisticated” cyberattack. The ICC has yet to confirm whether the attackers were able to exfiltrate any data but stated that the incident has been contained. 🔗

Prefer to get your news on-the-go? You can listen to this briefing on the Decrypted Podcast.

This week, the US Senate struck a ban on state regulation of AI from President Trump’s tax-cut and spending bill. The original proposal would have blocked individual states from creating any laws to regulate AI for the next 10 years, while a later compromise would have shortened this period to 5 years and allowed a handful of exceptions.

During the debate around the “big, beautiful bill”, many AI companies argued that it is difficult for them to comply with every state’s individual rules. However, it was ultimately decided that states should be allowed to protect their constituents against threats such as deepfakes, unsafe autonomous vehicles, and misinformation instead of letting the AI industry go completely unchecked.

While the moratorium was scrapped, it’s pulled a heated debate into the limelight: should the development, dissemination, and use of AI be regulated?

“The data scientist in me says, ‘Yes, there needs to be firm guidance to guide people to do this responsibly,’” Darktrace’s SVP of Security and AI Strategy Nicole Carignan tells Expert Insights. “I’m not at all scared about AI. As a data scientist, I am scared of stupid people innovating with AI without thinking through the ethical and security implications.

“But as an innovator, you have to be able to run fast. And with this great innovation, we can achieve some really cool, almost miraculous things. So, can we innovate quickly with good data science principles to do it safely, responsibly, ethically, and securely? I think we can.”

Perhaps as Nicole says, the answer lies in presenting innovators with guidance, rather than strict regulation. Guidance that enables companies to innovate at scale, whilst encouraging them to focus on their ethical and security intentions, rather than checking specific boxes for compliance.

As for who writes that guidance? That remains to be seen.

Industry news, including funding, acquisitions and new product releases to watch this week.

• LevelBlue to acquire Trustwave:The acquisition will position LevelBlue (formerly AT&T Cybersecurity) as the largest pure-play MSSP on the market. 🔗
• Rubrik acquires Predibase: The acquisition of the AI training platform will enable Rubrik to build a governed model layer on top of their secure data lake, accelerating agentic AI adoption. 🔗
• Cato Networks raises $359m: Cato Networks landed $359 million in funding, bringing its valuation to nearly $4.8 billion. This indicates strong investment availability for Secure Access Service Edge (SASE) and cloud security solutions. 🔗

Threats and APTs

• Cybercrime hits crypto market: The cryptocurrency industry has suffered over $2.47 billion in losses due to scams, hacks, and exploits in the first half of 2025, according to a report published this week. 🔗
• 263k patients’ data leaked: Missouri-based healthcare provider Esse Health has notified over 263k patients that their personal data was compromised in a cyberattack, including names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, health information, and some Social Security numbers. 🔗
• Scammers using M365 Direct Send to spoof emails: Scammers are exploiting a Microsoft 365 feature to spoof internal emails and bypass security filters in phishing attacks targeting US firms. 🔗

Government and Policy

• Azea Group sanctioned for supporting cybercrime: The US sanctioned the Russia-based company, along with four of its key operators, for allegedly providing bulletproof hosting (BPH) services for the BianLian ransomware gang, RedLine infostealer operations, and the BlackSprut darkweb market. 🔗
• US clamps down on fake IT worker scheme: In 9-month-long operation against the North Korean IT worker scheme, the DoJ successfully arrested a key facilitator and seized 29 financial accounts, 21 fraudulent websites, and nearly 200 computers. 🔗
• Meta and Anthropic win copyright lawsuits: While both cases were dismissed, Meta hasn’t been granted the legal “green light” to train their AI on copyrighted works, and Anthropic will still need to answer for how they acquired all of those books… 🔗
• German regulator fights against Deepseek: The Berlin Commissioner for Data Protection has requested that Google and Apple remove Deepseek AI from their app stores due to alleged GDPR violations, claiming that the app unlawfully collects data from German users and transfers it to China for processing. 🔗

The Danish government has announced a new initiative to combat the creation and dissemination of deepfakes and put a stop to online misinformation. As part of the initiative, Denmark is working on changing copyright law to give individuals the property rights over their own image, facial features, and voice.

If approved, the change in law will enable Danish citizens to demand that online platforms remove deepfakes of themselves shared without consent. It will also enable artists to demand the removal of “realistic, digitally generated imitations” of their performances shared without consent.

With the aim of preserving freedom of expression, parodies and satire will still be allowed, though the criteria for defining what content falls under exempted categories is yet to be clearly defined.

If platforms don’t comply with the new legislation, they could be subject to “severe fines”, says Culture Minister Jakob Engel-Schmidt.

The announcement comes just a few months after the US signed into law the TAKE IT DOWN Act, which bans “the nonconsensual online publication of intimate visual depictions of individuals, both authentic and computer-generated, and requires certain online platforms to promptly remove such depictions upon receiving notice of their existence.”

Following our deep dive into deepfakes in last week’s issue, we think Denmark’s plans are a great step towards tackling the deepfake dilemma. But will the rest of the world follow suit?

• SecOps in the age of AI: Chas Clawson, Field CTO at Sumo Logic, discusses the promise of agentic AI and how the responsible adoption of AI could reshape the future of security operations. Listen now.
• Leaders in innovation: In this RSAC omnibus, Andy Cao, COO at Innovation Sandbox winner ProjectDiscovery, discusses the importance of global community when it comes to vulnerability management, and Donnchadh Casey, CEO of runner-up CalypsoAI, discusses how AI is beginning to make real-world decisions that carry risk and impact. Listen now.

Subscribe today.

• Top RMM Solutions For MSPs
• Top Mobile Device Management (MDM) Solutions
• Top Email Security Gateways
• Top Email Security Solutions For Office 365
• Top Identity And Access Management Solutions
• Top Phishing Protection Solutions
• Top Phishing Simulation And Testing Solutions
• Top Cyber Threat Intelligence Solutions