
Weekly Cyber Security News Digest 12 – 18 May

Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!

Coinbase offers $20 million reward to find criminals behind data breach

Coinbase said it received a ransom demand on May 11, which it has refused to pay. “Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users,” Coinbase said in a blog post. “Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto.”

About 1 million Coinbase customers are thought to be impacted, with information stolen including name, address, phone number, and email, as well as masked social security and bank account numbers. However, it said no passwords, private keys, or hot or cold wallets were exposed. Coinbase fired the insiders who were found to be accessing systems without authorization, but not before the data had been stolen.

While Coinbase refused to pay the ransom, it has offered a $20 million reward fund for any leads that could help find the criminals who planned this attack.

Coinbase is one of the world’s best known cryptocurrency exchanges, with an estimated 100 million customers.

AI agents prone to behavior manipulation

AI agents could be prompted to perform malicious actions by implanting “fake memories” into the data they’re trained on.

According to new research carried out by Princeton University and Sentient AI, features that permit agent customization based on user preferences are vulnerable to “memory injection” attacks, in which a malicious actor feeds the agent carefully crafted prompts that are stored in its memory and affect its future actions.

“Think of it like gaslighting the AI; the attacker sneaks false information or instructions into the agent’s memory logs, so later the agent ‘remembers’ something that never truly happened and acts on it,” said Pramod Viswanath, professor of engineering at Princeton University.

By way of example, the study showed how an attacker could train an agent to always send cryptocurrency payments to an attacker-controlled wallet. The agent remembered the instructions and continued to do so when it received requests from other users.
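The scenario above, as an added toy illustration that is not code from the Princeton/Sentient study or from the article: a shared agent memory store where a “payout wallet” entry planted through the chat channel by one user silently redirects a later payment made on behalf of another user, beside a hardened store that records where each memory entry came from, refuses to let action-governing keys be set from untrusted channels, and only recalls entries written by the principal the agent is acting for. All names, keys, channels and wallet values are constructed for the example.

```python
"""Added illustration (not from the research or the article): a toy multi-user
agent memory showing how an entry planted through an untrusted channel can
redirect later actions, and a provenance check that blocks it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example policy; nothing here is from the Princeton/Sentient study.
PROTECTED_KEYS = {"payout_wallet"}      # keys that govern consequential actions
TRUSTED_CHANNELS = {"settings_api"}     # authenticated write paths for those keys


@dataclass(frozen=True)
class MemoryEntry:
    author: str    # principal the agent believes wrote the entry
    key: str
    value: str
    channel: str   # how the entry reached memory ("chat", "settings_api", ...)


class AgentMemory:
    """Shared memory store. With enforce_provenance=False it behaves like a
    naive 'last write wins' store; with True it applies two checks: protected
    keys may only be set over a trusted channel, and recall only returns
    entries written by the principal the agent is currently acting for."""

    def __init__(self, enforce_provenance: bool) -> None:
        self.enforce = enforce_provenance
        self.entries: List[MemoryEntry] = []
        self.rejected: List[MemoryEntry] = []   # audit trail of blocked writes

    def write(self, author: str, key: str, value: str, channel: str) -> bool:
        entry = MemoryEntry(author, key, value, channel)
        if self.enforce and key in PROTECTED_KEYS and channel not in TRUSTED_CHANNELS:
            self.rejected.append(entry)          # log it; a SOC would alert on this
            return False
        self.entries.append(entry)
        return True

    def recall(self, key: str, principal: str) -> Optional[str]:
        for entry in reversed(self.entries):     # most recent first
            if entry.key != key:
                continue
            if self.enforce and entry.author != principal:
                continue                         # never act on someone else's memory
            return entry.value
        return None


def send_payment(memory: AgentMemory, requester: str, amount: int) -> Optional[Dict]:
    """Simulated agent action: pay to whatever wallet memory recalls."""
    wallet = memory.recall("payout_wallet", requester)
    if wallet is None:
        return None                              # refuse rather than guess
    return {"to": wallet, "amount": amount, "on_behalf_of": requester}


def run_scenario(enforce_provenance: bool) -> Tuple[Optional[Dict], int]:
    """Alice sets her wallet through the settings API; Mallory then plants a
    conflicting 'memory' through the chat channel. Returns the payment the
    agent makes for Alice and how many writes were blocked."""
    memory = AgentMemory(enforce_provenance)
    memory.write("alice", "payout_wallet", "wallet-alice", channel="settings_api")
    memory.write("mallory", "payout_wallet", "wallet-mallory", channel="chat")
    return send_payment(memory, "alice", 5), len(memory.rejected)


if __name__ == "__main__":
    print("naive    :", run_scenario(False))   # payment goes to wallet-mallory
    print("hardened :", run_scenario(True))    # payment goes to wallet-alice, 1 write blocked
```

The design point is that memory content is data, not instructions: the hardened store decides what may be written and recalled from who wrote it and how, not from what the text says. The `rejected` list is the detection hook; a flood of blocked writes to protected keys is the signal an operator would want to see.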

Researcher warns of potential for CPU-based ransomware

Researcher Christiaan Beek has created a proof of concept (PoC) for a potential CPU-based ransomware that is said to evade commonly used detection technologies. The key to this approach is to target vulnerable CPUs that allow microcode updates without appropriate levels of protection. In his research, Beek built on the work of the Google team that found a flaw in AMD Zen processors that could allow a skilled attacker to load malicious microcode into the CPU itself.

When CPU behavior is altered at this level, the attacker’s code executes before most other layers on the device, including the operating system and any traditional security technologies that run on top of it, such as those used by organizations to detect malware or intrusions. This would give attackers a significant advantage in any stealthy attack scenario should such a technique be used. A similar approach has already been used in the past, when malware creators targeted firmware with UEFI bootkits so that their code ran on devices before the operating system.

At the recent RSAC conference, Beek showed evidence from the 2022 Conti leaked materials that appeared to suggest ransomware creators were already exploring the idea of UEFI-based ransomware a few years ago. While he has not seen any such ransomware in the wild, he believes it is only a matter of time before somebody “will get smart enough at some point and start creating this stuff.”

U.S. steel giant Nucor stops production after cyberattack

Nucor Corporation, the largest steel producer in the U.S., has been forced to take offline parts of its networks and implement containment measures in the wake of a cyberattack. The incident caused the company to temporarily suspend production at multiple locations.

“Nucor Corporation recently identified a cybersecurity incident involving unauthorized third-party access to certain information technology systems used by the Company,” reads a filing submitted to the U.S. Securities and Exchange Commission (SEC) on Wednesday (May 14). “Upon detecting the incident, the Company began promptly taking steps to contain and respond to the incident, including activating its incident response plan, proactively taking potentially affected systems offline, and implementing other containment, remediation, or recovery measures.”

No details about what type of attack or when it took place were provided. At the time of writing, no ransomware groups have claimed responsibility.

Luxury fashion house Dior reveals it suffered a data breach

Fashion giant Dior has disclosed a data breach in which it said customer data was exposed.

“The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” Dior said in a statement. “No passwords or payment information, including bank account or payment card information, were in the database affected in the incident.”

The information that was stolen reportedly included customers’ full names, gender, phone number, email address, home address, and purchase history. The incident was reportedly discovered on May 7.

Dior did not specify the number of customers or regions impacted by this breach, but South Korean and Chinese customers have reportedly received data breach notifications from the fashion house. Korean media have reported that Dior may face legal scrutiny for failing to notify all the applicable authorities in the country about the data breach.

“We are working to notify relevant regulators and customers in line with applicable law,” Dior said in its statement.

Spectre continues to haunt Intel as it rolls out new fixes

Years after the original Spectre CPU vulnerability was found and supposedly vanquished, the ghost of its legacy continues to haunt chipmakers with new attacks inspired by it that continue to appear from time to time. The latest reincarnation of Spectre involves a new branch privilege injection issue, tracked as CVE-2024-45332 (CVSS score: 5.6), that was discovered by researchers at Swiss university ETH Zurich.

The new vulnerability, described as a “potential vulnerability” in the “indirect branch predictors” of some Intel CPUs, is said to bring back “the full might of branch target injection attacks (Spectre-BTI) on Intel [CPUs]”, which had largely been kept at bay for several years by the mitigations Intel introduced.

The researchers recently shared details about it in a coordinated release, showing how the previous Spectre-BTI (aka Spectre v2) mitigations could be defeated due to a race condition affecting Intel CPUs. Using this, they could read potentially sensitive data such as encryption keys and passwords from privileged memory. In response to this discovery, Intel developed and released new microcode updates on May 13, 2025, to mitigate the issue; Intel CPU users should check whether their systems are affected and apply any updates as necessary.

Meanwhile, other researchers from VU Amsterdam revealed details of their research entitled “Training Solo,” which is a set of three new self-training Spectre v2 attack variants that can be used to bypass domain isolation protections on Intel CPUs. These new attacks leverage two new issues found in some Intel CPUs and are tracked as CVE-2024-28956 (CVSS score: 5.6) and CVE-2025-24495 (CVSS score: 5.6). Using these, an attacker could potentially access up to 17 KB per second of kernel memory. Intel advises users to check with their system manufacturers for updates to fix these issues.

AMD CPUs are reported to be not affected by these issues, and Arm has indicated that its CPUs may be impacted, but has only provided updated security advisories so far.
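Both the microcode-based ransomware item above and this Spectre item end with the same practical question for a defender: what does this machine currently report about its speculative-execution mitigations and its microcode revision? The following is an added example, not code from the article, Intel, or any of the research teams named. It reads the Linux kernel’s own mitigation status files under /sys/devices/system/cpu/vulnerabilities and the microcode field of /proc/cpuinfo, both of which are real kernel interfaces; the sample status strings and cpuinfo text embedded in the block are constructed so the functions can be exercised offline. It makes no claim about which file corresponds to which of the CVEs mentioned above; comparing the reported microcode revision against the vendor’s advisory for your CPU remains a manual step.

```python
"""Added defender check (not from the article or the researchers): read the
Linux kernel's own view of CPU speculative-execution mitigations from sysfs
and the running microcode revision from /proc/cpuinfo."""
import re
from pathlib import Path
from typing import Dict, List, Set

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample values shaped like the real sysfs/cpuinfo output, so the
# functions can be exercised on a machine without these files.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling",
    "meltdown": "Not affected",
    "retbleed": "Vulnerable",
}
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x12b\n\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x12b\n\n"
)


def classify(status_line: str) -> str:
    """Map a sysfs vulnerability string to a coarse state. The kernel prefixes
    each file with 'Not affected', 'Mitigation: ...', 'Vulnerable' or 'Unknown'."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses: Dict[str, str]) -> Dict[str, str]:
    """Coarse state for every vulnerability file the kernel exposes."""
    return {name: classify(text) for name, text in statuses.items()}


def needs_attention(summary: Dict[str, str]) -> List[str]:
    """Entries a patch/microcode review should look at first."""
    return sorted(n for n, state in summary.items() if state in ("vulnerable", "unknown"))


def microcode_revisions(cpuinfo_text: str) -> Set[str]:
    """Distinct microcode revisions across all logical CPUs; more than one
    value means some cores did not take the update."""
    return set(re.findall(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.MULTILINE))


def read_live() -> Dict[str, str]:
    """Collect the real sysfs entries; empty if not on Linux or not exposed."""
    if not VULN_DIR.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(VULN_DIR.iterdir()) if p.is_file()}


if __name__ == "__main__":
    statuses = read_live() or SAMPLE_STATUSES          # fall back to the constructed sample
    summary = summarize(statuses)
    for name in sorted(summary):
        print(f"{name:30s} {summary[name]:13s} {statuses[name].strip()}")
    print("needs attention:", needs_attention(summary))
    text = CPUINFO.read_text() if CPUINFO.exists() else SAMPLE_CPUINFO
    print("microcode revisions:", microcode_revisions(text))
```

Run it on each Linux host after applying the vendor microcode or BIOS update; the mitigation strings change only when the kernel sees the new microcode, so a host that still reports `Vulnerable` or an old revision after the update was “applied” is the one to look at first.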

Hackers behind UK retail cyberattacks now also targeting U.S.

The hacking group suspected of carrying out a series of disruptive cyberattacks on retailers in the UK has now turned its attention to similar companies in the U.S.

John Hultquist, chief analyst at Google Threat Intelligence Group, said: “The U.S. retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider.”

Scattered Spider (aka Octo Tempest, 0ktapus, UNC3944) is the name used to track a loosely affiliated cybercriminal group previously described by the Federal Bureau of Investigation (FBI) as an offshoot of a larger criminal subculture calling itself the Community, or the Com.

The news follows recent incidents affecting Marks & Spencer, the Co-op, and luxury retailer Harrods. The group behind these attacks is reported to have attempted to monetize its access to the victims’ networks using the DragonForce ransomware.

Microsoft May Patch Tuesday fixes 71 bugs, including 5 zero-days

Microsoft’s May 2025 Patch Tuesday sees the software giant issue updates to address 71 vulnerabilities, including five zero-day flaws.

The number of bugs in each vulnerability category is as follows:

  • 17 elevation of privilege vulnerabilities

  • 2 security feature bypass vulnerabilities

  • 28 remote code execution vulnerabilities

  • 15 information disclosure vulnerabilities

  • 7 denial of service vulnerabilities

  • 2 spoofing vulnerabilities

Apple ships May 2025 patches with fixes for multiple exploitable vulnerabilities

Apple has released its May 2025 batch of updates across its range of devices with patches to fix multiple vulnerabilities across its product line.

For iOS and iPadOS, the notable fixes included in version 18.5 address high-severity vulnerabilities related to the AppleJPEG (CVE-2025-31251) and CoreMedia (CVE-2025-31233) components that could allow an attacker to execute arbitrary code by getting the targeted user to open a specially crafted media file.

There are an additional nine fixes for various bugs in the WebKit component, many of which are high severity and can cause memory corruption and crash the app. ImageIO gets a fix for a medium-rated denial of service (DoS) vulnerability (CVE-2025-31226). A notable FaceTime-related bug (CVE-2025-31253) was also fixed that could allow the microphone to continue recording audio even when it is set to mute.

While none of these vulnerabilities are reported to be exploited in the wild, users of Apple devices are advised to apply the updates promptly to close any window of opportunity for attackers.