Middle East Cyberattacks Hit 16 Countries, iPhone Spyware Leaked, FBI Shuts Down LeakBase Forum
Military escalation in the Middle East triggered a wave of DDoS attacks across 16 countries, Google discovered a powerful iPhone exploit kit called Coruna, and the FBI took down the LeakBase hacker forum with 142,000 members.
Last week brought major cybersecurity developments: the military escalation in the Middle East triggered a surge of hacktivist attacks across 16 countries, Google's threat researchers uncovered a potent iPhone exploit toolkit, and the FBI partnered with Europol to dismantle the LeakBase hacker marketplace.

Middle East Conflict Sparks Cyber Offensive Across 16 Nations
Cybersecurity researchers at Radware flagged a sharp uptick in hacker activity following the coordinated US-Israel military campaign against Iran. The first DDoS attacks were recorded on February 28 and attributed to Hider Nex (also known as Tunisian Maskers Cyber Force), a Tunisian hacktivist group that employs a hack-and-leak strategy combining network overload with data theft.
Between February 28 and March 2, Radware documented 149 denial-of-service attack claims targeting 110 organizations in 16 countries. Twelve distinct groups carried out the operations, with Keymous+ and DieNet responsible for roughly 70% of all activity.
Key statistics:
- 107 attacks were concentrated in the Middle East; Europe accounted for 22.8% of global activity;
- 47.8% of affected organizations belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%);
- Within the Middle East, Kuwait (28%), Israel (27.1%), and Jordan (21.5%) were hit hardest.
According to The Hacker News, pro-Russian groups Cardinal and Russian Legion claimed breaches of Israeli military networks, including the Iron Dome missile defense system. Hackers also targeted the RedAlert app, a mobile version of Israel's early warning system. Additionally, the Cotton Sandstorm group (Haywire Kitten) resumed operations under the new name Altoufan Team, attacking websites in Bahrain.
Why This Matters
The convergence of geopolitical conflict and cyberspace is becoming a persistent pattern. Hacktivist groups operating across borders can paralyze critical infrastructure — from government portals to financial systems. For the crypto industry, this poses a direct threat: attacks on the financial sector and telecommunications could impact crypto exchanges and payment services operating in affected regions.
$4.7 Million Crypto Laundering Scheme Uncovered in Kazakhstan
Law enforcement in Kazakhstan arrested a group suspected of money laundering through cryptocurrency, according to the country's Agency for Financial Monitoring (AFM). The alleged organizer built a system for extracting income from digital asset operations.
Participants recruited money mules, opened bank cards and crypto exchange accounts in their names, and executed financial transactions followed by cash-outs. Funds received on cards belonging to over 150 intermediaries were transferred to crypto wallets on the ATAIX exchange. The group used fictitious loan agreements with an affiliated legal entity, then converted the funds into digital assets and routed them to OKX addresses. A controlled exchange office handled the final conversion into foreign currency.
Total transaction volume exceeded 3.5 billion tenge (approximately $4.7 million). Authorities seized 46 mobile phones, 92 bank cards, and 25,463 USDT during searches.
Google Discovers Powerful iPhone Exploit Kit Called Coruna
Google's Threat Intelligence Group (GTIG) identified a toolkit dubbed Coruna designed to compromise iPhones running older iOS versions. Researchers believe the spyware was leaked from a government client.
The package was first detected in February 2025, when a surveillance technology vendor attempted to deploy it against a phone on behalf of a government agency. Months later, the same malware appeared in a large-scale campaign by a Russian espionage group targeting Ukrainian users, and it subsequently turned up in the hands of a hacker in China.
Coruna can compromise an iPhone through a simple visit to a malicious website — a technique known as a watering hole attack. The toolkit exploits a chain of 23 separate vulnerabilities and can breach a device through five different methods. Devices running iOS 13 through 17.2.1 remain at risk.
Mobile security firm iVerify reverse-engineered the tools and linked Coruna to the US government based on similarities with previously attributed software. Google researchers warned about an emerging market for "secondhand" exploits being resold among threat actors seeking maximum leverage from known vulnerabilities.
FBI Takes Down LeakBase Hacker Marketplace
In a joint operation led by Europol, the FBI seized LeakBase, an online platform used by hackers to buy and sell breach tools and stolen data. On March 3 and 4, law enforcement blocked two LeakBase domains and notified members that evidence was being collected.
Simultaneous raids, arrests, and interviews took place across eight countries: the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
LeakBase had been operational since 2021, initially supported by the ARES hacking group. After the Breached forum was shut down, LeakBase grew significantly, reaching more than 142,000 registered members; sign-up was free. The platform offered database access, a marketplace for leaks and exploits, an escrow payment system, and sections on programming, social engineering, and cryptography.
Alabama Man Extorted Hundreds of Women After Hacking Their Accounts
Jamarcus Mosley, a 22-year-old from Alabama, pleaded guilty to extortion, cyberstalking, and fraud after hijacking the social media accounts of hundreds of women, the US Department of Justice announced. Between April 2022 and May 2025, Mosley impersonated friends of victims and used manipulation tactics to trick them into handing over recovery codes and passwords for Snapchat, Instagram, and other platforms.
Once in control, Mosley threatened to publish intimate photos and videos or permanently lock victims out of their accounts unless they complied with his demands: providing access to additional accounts, sending new explicit content, or making payments. In one case, prosecutors said Mosley used the compromised account of a 17-year-old victim to contact her 13-year-old sister, sending a Snapchat map screenshot implying he knew her location.
Frequently Asked Questions
Which countries were most affected by Middle East cyberattacks?
The majority of attacks (107 out of 149) targeted the Middle East, with Kuwait (28%), Israel (27.1%), and Jordan (21.5%) hit hardest within the region. Europe accounted for 22.8% of global activity.
What is the Coruna iPhone exploit and which iOS versions are vulnerable?
Coruna is a spyware toolkit discovered by Google's Threat Intelligence Group that can compromise iPhones through a simple visit to a malicious website. It chains 23 separate vulnerabilities and affects devices running iOS 13 through 17.2.1.
What was LeakBase and why did the FBI shut it down?
LeakBase was a hacker forum operational since 2021 that served as a marketplace for breach tools and stolen data, with over 142,000 members. The FBI and Europol seized its domains on March 3-4 and conducted arrests across eight countries.
How was cryptocurrency used to launder $4.7 million in Kazakhstan?
The suspects recruited money mules, opened bank cards and exchange accounts in their names, then funneled funds through wallets on the ATAIX exchange. The money was converted to digital assets, sent to OKX addresses, and cashed out through a controlled exchange office into foreign currency.
What hacker groups were behind the March 2026 DDoS attacks?
Twelve groups participated in total, with Keymous+ and DieNet accounting for approximately 70% of all activity. The initial attacks were carried out by the Tunisian group Hider Nex (Tunisian Maskers Cyber Force). Other participants included Nation of Saviors, Conquerors Electronic Army, and Sylhet Gang.
