Dutch police say they dismantled a large botnet this week comprising at least 17 million infected devices. After being tipped off by a researcher at the Netherlands' National Cyber Security Centre (NCSC-NL), police began an investigation, which resulted in the discovery of 200 servers underpinning the botnet's infrastructure located in the country. Cybercrime specialists at The Hague Police Unit seized a number of servers from a hosting provider for further analysis, and the provider then shut down the botnet after realizing it was being used for "criminal purposes." Botnets can be used for various types of cybercrime, but officials did not say how this botnet in particular was used. Police merely stated the general types of abuse, which include phishing, launching DDoS attacks, and online fraud. Neither the police nor the NCSC-NL revealed the botnet's name – an oddity for takedowns of this kind – and also did not detail exactly what devices were enrolled in it. However, both organizations' announcements identified poorly secured consumer-grade kit such as routers, mobile devices, and IoT hardware as common examples. Both also advised users to stop relying on default passwords for new hardware, avoid installing apps from unofficial sources, and keep software up to date. Botnets and proxies on the rise Just before the police announced the botnet takedown, NCSC-NL published a blog highlighting a rise in residential proxy networks used for malicious purposes, calling it a "worrying trend." Botnets and residential proxy networks are often mentioned in the same breath, since both require enrolling legitimate devices into a broader network, although they are typically used for different purposes. Botnets are almost exclusively malicious, with only a few benign exceptions. Folding@home, a voluntary distributed computing project, is possibly the closest clean-living comparison. Residential proxy networks are different. They're legal, and you can find large operators advertising their services on the open web, usually promoting privacy benefits, although experts agree that these networks are a problem, and are more often abused than used for good. Willingly or not – often the latter – consumers have their IP addresses enrolled into these networks, which are also used by cybercriminals to hide the true source of malicious traffic, complicating cyber incident response. These proxies can be used for DDoS attacks, similar to how botnets rely on compromised devices, as well as other trickery such as phishing, brute-force attacks, bypassing impossible travel checks, and malware distribution, among others. "The misuse of residential proxies makes it more difficult to map digital threats and attacks," NCSC-NL wrote. "As the scale of digital attacks increases, the resilience of organizations can come under pressure. "Additionally, the devices of unsuspecting users can become part of such proxy networks, often without their knowledge. In this way, consumers are unknowingly part of cybercrime." Dutch cyberattack reports hit nine-year low On Thursday, shortly after the police announced the botnet takedown and concerns about the rise of residential proxy networks, NCSC-NL published its annual Cybercrime Monitor report, which revealed cyberattacks on Dutch companies had fallen to the lowest level in nine years. According to 2024 data, the most recent available, just four percent of organizations reported an external cyberattack compared to 11 percent in 2016. The report noted the downward trend was noticeable across all company sizes. Phishing and spoofing were by far the most common types of attack, with 23 percent of organizations experiencing this to some degree. At the other end of the scale, attacks involving DDoS, data breaches, business email compromise fraud, and ransomware were each reported by around one percent of organizations. NCSC-NL linked the improvements to wider adoption of multi-factor authentication (MFA). It said the technology is effectively universal across larger organizations, with 87 percent implementing it in 2025, up from 71 percent in 2017. For smaller organizations, the uptake was even more pronounced, more than doubling to 79 percent from 29 percent eight years prior. ®
The Jacksonville Jaguars recently released a viral schedule announcement video that appeared to show their star quarterback chopping off his signature long blond hair. The clip spread quickly online, pulling in nearly 4 million views on X and triggering reactions from fans, friends, and even Lawrence’s grandmother.
The catch? It wasn’t real.
The team later confirmed the moment was partially staged, partially AI-generated and part of the joke. Even Lawrence admitted the fake looked convincing.
And that’s exactly the problem.
What started as a harmless sports prank is also a reminder of how realistic AI-generated videos have become and how easily scammers can use the same technology to fool people online.
Why Deepfake Scams Are Growing Fast
Deepfake scams use artificial intelligence to clone someone’s face, voice, or likeness to create fake videos, ads, phone calls, or social media posts that appear real.
And increasingly, scammers are using celebrities, influencers, athletes, and trusted public figures to do it.
72% of Americans say they’ve seen fake celebrity or influencer endorsements online
39% say they’ve clicked on one
1 in 10 victims lost money or personal data
Average losses reached $525 per person
Why does it work? Because scammers know familiarity lowers our guard.
When people see a recognizable face, whether it’s Trevor Lawrence, Taylor Swift, Tom Hanks, or a favorite influencer, they’re more likely to trust what they’re seeing before stopping to question it.
From Funny Sports Videos to Real Financial Scams
The Jaguars video was meant as entertainment.
But scammers are already using the same technology for fraud.
McAfee researchers recently identified a growing wave of celebrity deepfake scams involving fake giveaways, investment schemes, romance scams, and fraudulent ads.
Some recent examples include:
Fake videos of TV personalities promoting “miracle” products
Usernames with extra characters or copied profile photos
Requests for money or personal data
Especially through DMs, crypto links, gift cards, or wire transfers
How McAfee Helps Protect You
AI scams are evolving fast, but layered protection can help you stay ahead of them.
McAfee’s Scam Detector, included in all core McAfee plans, can help identify suspicious links, messages, videos, and deepfake-related scams across texts, email, and social platforms before you click.
Additional protections like Web Protection and Identity Monitoring can also help reduce your risk if scammers attempt to steal your credentials or personal information.
Other Scam News This Week
Charter Confirms Data Breach
Charter Communications confirmed a data breach tied to a third-party vendor, exposing customer information. Whenever breaches like this happen, scammers often follow up with phishing emails and fake customer support calls pretending to help affected users.
7-Eleven Data Breach Reports Surface
Reports surrounding a potential 7-Eleven data breach are circulating online. Consumers should stay alert for fake password reset emails, loyalty account phishing attempts, and scam texts impersonating retailers.
‘Tom Selleck’ Celebrity Scam Highlights Rise of AI Impersonation Fraud
A tragic case tied to an alleged Tom Selleck impersonation scam is drawing attention to the growing threat of celebrity AI fraud. Experts warn that scammers are increasingly using fake celebrity profiles, AI-generated messages, cloned voices, and deepfake videos to build trust with victims online, especially older adults.
The case underscores how emotionally manipulative and financially devastating these scams can become.
Hackers Are Exploiting AI Chatbot “Personalities”
Researchers told The Verge that attackers are beginning to manipulate chatbot behavior and personalities to trick users into unsafe actions, highlighting growing concerns around AI trust and social engineering.
Fake Inheritance Email Scams Are Getting More Convincing
A phishing scam making headlines this week uses fake inheritance notices and “unclaimed estate” emails to pressure victims into sharing personal information.
Unlike older scam emails full of spelling mistakes, newer versions look polished and professional, often using legal-sounding language, fake reference numbers, and urgent 48-hour deadlines designed to trigger panic before people stop to verify the message.
McAfee Safety Tips This Week
The next deepfake won’t always look fake. That’s what makes these scams dangerous.
Here are some practical, go-to tips
Pause before clicking celebrity endorsements or viral videos
Verify accounts through official sources before trusting promotions
Never send money or personal data based on social media messages alone
Be skeptical of urgency, especially “limited time” threats
Use AI-powered scam protection tools to help identify suspicious content before you engage
Getting the location of troops at war might be as easy as buying the data from a legitimate business. America’s foreign adversaries have exploited commercial geolocation data tied to US troops, the Pentagon admits, using it to target or surveil US personnel in the Middle East. Despite that, the Defense Department hasn’t exactly moved fast to secure the information, elected officials say. Senator Ron Wyden (D-OR), Representative Pat Harrigan (R-NC), and a dozen other Congress critters sent a letter to DoD CIO Kirsten Davies on Thursday, demanding a change in smartphone security posture among US military branches. Included in the letter is what lawmakers describe as the first public confirmation that commercial location data has been used to target or surveil American troops in active war zones. The information was shared with Wyden’s office in April. The reason for the delay in publishing the information, Wyden’s team told The Register, was due to “markings that restricted public release,” which Wyden reportedly pushed back on, leading to Thursday’s letter and the attached responses [PDF] from the DoD confirming info purchased from commercial data brokers was used to target troops. “USCENTCOM [US Central Command] has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” the DoD’s responses from April indicate. As for how exactly data brokers got access to the data that allowed adversaries to locate troops and their movements, they got it from the same sources as anyone else buying data from a commercial broker: Smartphone advertising profiles. According to the DoD responses included in Wyden’s letter, not only are US military personnel allowed to use personal devices within operational areas, there’s no actual policy that requires servicemembers to turn off geolocation capabilities on their devices when located in active war zones. “USCENTCOM's geolocation risk guidance directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information,” the DoD said last month, while simultaneously admitting that such guidance doesn’t always fully disable geolocation on smartphones. In addition to personally-owned devices, the DoD’s own issued smartphones don’t disable advertising profiles, either. “The Personalized Advertising setting is disabled by group policy on the Mobile Device Management Server,” the DoD told Wyden’s team. “However, Ad Targeting Information is not disabled and can be edited by a user.” That’s not the most straightforward answer, and, when we asked Wyden’s team what it thought of the response, it agreed with our assessment that the Pentagon’s MDM disables the serving of personal ads to users, but doesn’t stop the transmission of device advertising IDs or other associated data. The DoD noted in the response that it’s in the process of migrating to a new MDM solution that allows location services to be completely disabled on government-issued devices and was targeting a completion date of early May, though it’s not clear whether the process has been finished yet. The Pentagon declined to answer any of our questions, only saying it would respond to Wyden, not us. It’s also not clear how effective that MDM migration will be, as the DoD appears to be phasing out government-issued devices in favor of a broader BYOD policy in at least one branch. According to a US Army press release from earlier this month, the branch is targeting the end of this month for the return of Army-managed work smartphones, as “the primary and preferred method for connectivity is the Bring Your Own Device, or BYOD, program.” CENTCOM has reportedly strengthened its geolocation controls in its area of operations; whether the average soldier, sailor, airman, and Marine is complying isn’t indicated. They’ve known about this for how long?! Failure to prevent the exposure of sensitive location data of military assets could be forgivable if it were a new problem, but according to Wyden’s letter, it’s not: The Pentagon likely knew about the issue for a decade. According to the letter, government contractors briefed military leadership about the ease of tracking smartphones owned by military members way back in 2016. “DoD officials have not treated this counterintelligence and force protection threat as a five-alarm fire,” the letter asserts, adding that the Pentagon “has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men and women in uniform.” It’s not like there haven’t been plenty of examples of sloppy location data management compromising military operations, either. Data culled from workout tracking app Strava has been used to identify the workout routes of US military personnel jogging on base - and reveal the location of French President Emmanuel Macron thanks to his bodyguards’ sloppy security practices - and social media has also been flagged as an OPSEC disaster waiting to happen. Despite all those examples and briefings going back a decade, the problem has continued right up to the latest operations in Iran. “That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DoD leadership’s failure to prioritize this threat and implement commonsense cyber defenses,” the letter charges. Whether anything will be done about it remains to be seen. ®
The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14. Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public. Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts. YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC. “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare: “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.” Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant. Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that. “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.” Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.” Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn. “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.” Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point. “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.” Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.” Microsoft's 'dumpster fire' Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said Redmond’s response to Nightmare sends “mixed messages.” “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,” Moussouris told The Register. “The language choices are also not deescalating. Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.” This phrase, Moussouris added, “got in the way of coordination” when the two sides disagreed about how to best protect end users. “The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional, but then they wrap up the post saying they welcome reports regardless of disclosure history,” she said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it's hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.” Security sleuth Kevin Beaumont, in his blog on the ongoing Microsoft-Nightmare Eclipse saga, called it a "dumpster fire of [Microsoft’s] own making.” Beaumont also used to work at Microsoft, and he noted that the Windows company previously hired a hacker called SandboxEscaper after she published zero-day POC exploits for Microsoft products - something that Redmond’s blog now describes as criminal. “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court - because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont said. To be clear: neither Beaumont nor the researchers that The Reg spoke to support Nightmare’s zero-day antics. Childs called the “July 14” post “troubling” and Moussouris said the date plus “incendiary language … doesn't help organizations trying to make sense of the technical risk.” 'David and Goliath dynamic' Moussouris did add that this latest missive, taken in context with the earlier blog posts, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher's grievances are serious and specific.” Ultimately, “the bugs are Microsoft's,” Moussouris said. “They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it’s users who lose when coordination negotiations fail." While it’s a very extreme - perhaps the most extreme - example of coordinated disclosure gone wrong, it’s not an isolated problem. Researchers have been complaining about CVD, and specifically Redmond’s bug disclosure habits, for years. “While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.” Plus, these types of disagreements between researchers and bug bounty programs will likely increase, as AI-assisted bug reports become the norm and vulnerabilities skyrocket. “We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.” ®
Login
