Senior Threat Intel Advisor @TeamCymru | Co-founder @CuratedIntel | Co-author @SANSForensics FOR589 | Co-founder @BSidesBournemth | @darknetdiaries #126: REvil

Joined March 2013
ICYMI — I have started a new blog series called 🇬🇧 the UK Cybercrime Journal on my personal site 🥷 I’ll be dropping a new one every Wednesday on what I deem are the latest notable cybercrime issues for the UK. You can read them all here: blog.bushidotoken.net/search… Stay tuned 🔍

I recently experimented with turning one of my blogs from back in 2020 (the pre-AI era!) into an AI-generated video via @NotebookLM and was surprised with the result. 🎥 Video: The Law of the Jungle 🐍 🦁 🦈 🦀 youtu.be/gb1aOjXly7E Original blog: blog.bushidotoken.net/2020/0…
We recently ran our first ever @CuratedIntel Con 2026 #CIC2026 It was an incredible member-only, vetted TLP:RED 🔴 CTI & DFIR conference. It was also the first time for many of our members to meet each other, fostering deeper connections and intelligence sharing relationships.
It was an amazing opportunity to hear and see the latest research and insights from the top CTI teams in the world. Thank you to all members who lent us their time and energy to support the event 🙇‍♂️ That’s all I can share, #TrackThePlanet
New 🇬🇧 UK Cybercrime Journal Entry: Arup Group Breached by FulcrumSec What do AWS DCs, Disneyland, Wembley Football Stadium, HS2 and HS1 Channel Tunnel Rail Link network, and the Eden Project all have in common? They were engineered by Arup Group 👀 blog.bushidotoken.net/2026/0…

Read all the past blogs in this series here: blog.bushidotoken.net/search…

Interesting whistleblower case about APT10 🇨🇳 breaching IBM between 2013 and 2016 “across every IBM business unit, eighteen countries, and multiple IBM products” as well as subsidiaries Trusteer and Truven 👀
Former cyber executive turned whistleblower accuses IBM of covering up several data breaches techcrunch.com/2026/06/05/fo…
The 🇷🇺 GRU was already doing this via Telegram and cryptocurrency for years now… (theguardian.com/world/ng-int…)
Introducing pump fun GO: Pay ANYONE to do ANYTHING Create & complete bounties for ANY task and leverage the power of humans & money across the globe The world is at your fingertips. It’s time to GO 👇
Shade Infostealer Dashboard Uncovered 🧐 [now offline] Exfils passwords, cookies, credit cards & crypto wallets, plus it does HVNC
New 🇬🇧 UK Cybercrime Journal Entry: British Universities Struck by ShinyHunters Before Exam Season blog.bushidotoken.net/2026/0…

INTEL DROP We've been tracking suspicious open directories in our detection pipeline. 14 total IPs in the 149.50.98.0/24 (MEVSPACE) range are showing a likely single operator deploying shared tools. Possibly targeting SonicWall devices based on some of the names of directory files: brute[.]py hidden_payload.zip server_obonz.jar SonicDropper.exe Sonic/ sonic_logs/ sonic_panel.py sonic_panel_v3.py sonic_panel_v5.py IP List: 149.50.98.24 149.50.98.36 149.50.98.28 149.50.98.34 149.50.98.26 149.50.98.29 149.50.98.25 149.50.98.30 149.50.98.35 149.50.98.23 149.50.98.33 149.50.98.32 149.50.98.27 149.50.98.31 #threatintel #totalinsights
Please look into this @virginmedia you’re blocking legitimate security researchers:
We’re not malicious @virginmedia 🥺 ctrlaltintel[.]com is for sharing intel, we’re only a threat to cybercriminals 🙏
“SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer. In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email”🫣
Yesterday the FBI released an advisory on the Silent Ransom Group (SRG), aka Luna Moth, Chatty Spider, and UNC3753, who use social engineering techniques like phone calls and phishing emails to access victim computers. SRG actors have been steadily targeting law firms since 2023, and they focus on accessing victim systems, exfiltrating data, and extorting their victims by threatening to release or sell the stolen data. Since SRG actors use legitimate remote access tools, there are few artifacts of their attacks. Review the advisory to learn how SRG actors operate to exfiltrate data and potential signs of SRG activity: ic3.gov/CSA/2026/260526.pdf.
New 🇬🇧 UK Cybercrime Journal Entry: £102 million Lost to Scams in 2025 blog.bushidotoken.net/2026/0…

I feel so back. Keep an eye on blog.bushidotoken.net tomorrow, and the next few Wednesdays after that.

📣 I have been wanting to write more regularly for my site blog.bushidotoken.net and have made a new series: The UK Cybercrime Journal. These are short UK cybercrime incident reports with a BLUF, Analyst Comment, and Defensive Takeaways. Starting here: blog.bushidotoken.net/2026/0…

Had a great evening in Rome 🇮🇹 with some friends who work in cyber and we all unanimously came to the conclusion that everyone is vibe coding multiple cyber vendors out of their budgets. For context, two of us worked in TI and one was a professional bug hunter 🧵1/6
Ultimately we agreed that for vendors to survive they must have rare & unique data. As the industry/community is shifting to vibe coding everything on their own, they will still want unique data to power those systems. NetFlow data like Team Cymru has is highly desired. 🧵5/6
This is where we realised databases of human-curated fingerprints, detection rules, and block/allow vetting logic are what the AI/LLM companies likely want the most right now to improve their systems and automate their own detection generation pipelines. 🧵6/6