In Other News: Hellcat Hackers Unmasked, CrushFTP Bug Controversy, NYU Hacked

SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:

Truly random numbers generated using quantum computers

Researchers from JPMorgan, Quantinuum, Oak Ridge National Laboratory, Argonne National Laboratory and The University of Texas at Austin have managed to generate truly random numbers using a quantum computer. The researchers said this is the first time certified randomness has been experimentally demonstrated, pointing out that classical computers cannot create true randomness on demand. This is more about what can be achieved with quantum computers rather than generating random numbers. For practical purposes, quantum random number generators (QRNGs) have been around for a while. For instance, Quantum Dice’s QRNG, which is already used by major firms such as AT&T and Thales, is significantly more efficient for practical purposes, without the huge energy requirements of a quantum computer. Randomness is critical in areas such as encryption and the implementation of differentially private machine learning algorithms.

Troy Hunt falls for phishing attack

Renowned cybersecurity expert Troy Hunt, the owner and administrator of the Have I Been Pwned breach notification service, admitted falling for a phishing attack that resulted in his Mailchimp mailing list getting stolen. Hunt said the attack did not appear to be targeted, but the phishing email and the phishing page were well designed. The expert quickly realized that he had been phished, but by the time he changed his password the mailing list (containing thousands of entries) had already been exported.

Advertisement. Scroll to continue reading.

Canadian accused of Snowflake hack agrees to US extradition

Connor Moucka, a 26-year-old Canadian national accused of being involved in the Snowflake hack, has agreed to be extradited to the United States. Moucka was arrested in Canada in October. In the US he faces 20 charges. Others believed to have been involved in the Snowflake hack are US Army soldier Cameron Wagenius and US citizen John Binns.

NYU website hacked

NYU’s website was hacked and defaced, with the attackers exposing the information of three million students. The website was apparently targeted by hacktivists accusing the university of using race-sensitive admissions. The hackers defaced the NYU website and posted charts apparently showing average admitted SAT scores, ACT scores and GPAs.

VanHelsing ransomware

CheckPoint has analyzed an emerging ransomware operation named VanHelsing, which is offering affiliates 80% of the ransom payments. Its file-encrypting malware targets Windows, but the cybercriminals suggest that Linux and other types of systems can also be targeted. At the time of its analysis, CheckPoint was aware of three victims, from one of which the hackers demanded a $500,000 ransom in order to decrypt files and delete stolen data.

Google’s Titan Security Keys available for purchase in more countries

Google announced this week that its Titan Security Keys can now be purchased in more countries. The hardware security key is now available in 22 markets. The latest added to the list are Ireland, Portugal, the Netherlands, Denmark, Norway, Sweden, Finland, Australia, New Zealand, Singapore and Puerto Rico.

StreamElements data breach

Live streaming platform StreamElements is notifying users of a data breach. The company said customer data was obtained from a third-party service provider it no longer works with. The incident came to light after a hacker offered to sell StreamElements user data — over 200,000 records — including name, address, phone number, and email address. StreamElements said its own servers have not been breached.

Key members of Hellcat ransomware group unmasked

Threat intelligence firm Kela claims to have uncovered the real identities of two key members of the ransomware group named Hellcat, which recently targeted Ascom and Jaguar Land Rover. The cybercriminals are known online as Pryx and Rey. Kela’s investigation showed that Rey (aka Hikki-Chan) is likely an individual whose first name is Saif from Amman, Jordan. Pryx (aka HolyPryx) is believed to be an individual whose first name is Adem. Pryx is believed to reside in the UAE, but originates from a different Arab country. The suspects’ full names and other information has been provided to law enforcement agencies.

Android VRP bonus

Google announced that researchers who submit vulnerability reports to the Android Vulnerability Reward Program (VRP) are eligible for a $1,000 bonus if they include an AutoRepro test in their report. These reports include an automated test designed to trigger vulnerable conditions to help validate the presence of a reachable vulnerability.

CrushFTP vulnerability controversy

Users were warned recently about a critical vulnerability in the CrushFTP enterprise file transfer tool. The risk posed by such vulnerabilities is severe, considering that flaws in this type of software have been known to be exploited by cybercriminals. CrushFTP developers said exploitation could lead to unauthenticated access, but the flaw is mitigated if the DMZ feature is enabled. CrushFTP 11.3.1+ and 10.8.4+ patch the issue. After seeing that CrushFTP developers were taking a long time to get a CVE assigned to the vulnerability, VulnCheck decided to take charge and got the CVE-2025-2825 assigned to it. However, the security firm was told by CrushFTP’s CEO that the “real CVE is pending” and “your reputation will go down if you do not voluntarily remove your fake item”.