VYPR
Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

The Good, the Bad and the Ugly in Cybersecurity – Week 17

SentinelOne's Week 17 roundup covers guilty pleas from a Scattered Spider leader and a ransomware negotiator, Chinese-linked botnet expansions, and a newly discovered pre-Stuxnet sabotage framework.


The Good: Two Cybercrime Leaders Face Justice

Tyler Robert Buchanan, a 24-year-old British national and alleged leader of the UNC3944 cybercrime group (also known as 0ktapus or Scattered Spider), pleaded guilty to wire fraud and aggravated identity theft. Between 2021 and 2023, Buchanan and four accomplices used SMS phishing attacks to steal at least $8 million in cryptocurrency. Victims were tricked into entering credentials on fake company login pages, allowing attackers to hijack email accounts, conduct SIM swaps, and drain cryptocurrency wallets. Buchanan was arrested in Spain in 2024 and extradited to the U.S., where he now faces up to 22 years in prison at sentencing in August. UNC3944 has been linked to major breaches at MGM Resorts International, Twilio, and Caesars Entertainment.

In a second guilty plea, Angelo Martino, a former ransomware negotiator at DigitalMint, admitted to helping the BlackCat ransomware gang extort U.S. companies. Martino secretly shared clients' confidential negotiation strategies and insurance policy limits with BlackCat operators, enabling them to demand larger ransoms. He also worked with accomplices to launch ransomware attacks against law firms, school districts, medical facilities, and financial firms in 2023. In one case, a victim paid over $25 million. Authorities have seized $10 million in Martino's assets, including cryptocurrency and luxury vehicles. He faces up to 20 years in prison when sentenced in July.

The Bad: Chinese-Linked Threat Actors Expand Botnets

The U.K.'s National Cyber Security Centre (NCSC-UK) and allied agencies warn that China-linked actors are increasingly using hijacked consumer devices to conceal cyberattacks. A new joint statement details how threat actors route malicious traffic through compromised routers, cameras, recorders, and NAS devices instead of rented infrastructure, making attacks harder to trace. One example is the Raptor Train botnet, which infected over 260,000 devices in 2024 and was linked to state-backed Flax Typhoon and Integrity Technology Group. Another, KV Botnet, tied to Volt Typhoon, targets vulnerable routers and was revived after a January 2024 disruption. Authorities urge organizations to strengthen edge security with MFA, updated device inventories, dynamic threat intelligence, and zero-trust controls.

The Ugly: ShadowBrokers Leak Links to Pre-Stuxnet Sabotage Framework

SentinelLABS identified a previously undocumented cyber sabotage framework, tracked as "fast16," with core components dating back to 2005. The framework centers on a kernel driver, fast16.sys, designed to intercept executable files in memory and subtly alter high-precision calculations to corrupt scientific and engineering outputs. It predates Stuxnet by at least five years and is one of the earliest known modular, Lua-based malware architectures. The framework was discovered alongside a companion service binary, svcmgmt.exe, which embeds a Lua virtual machine and modules for propagation and persistence. SentinelLABS linked fast16.sys to the 2017 ShadowBrokers leak via deconfliction signatures used within NSA tooling ecosystems, suggesting potential alignment with high-precision simulation software used in engineering.

Synthesized by Vypr AI