Subscribe now

How The Scam Works

Malwarebytes researcher Pieter Arntz documented the full attack chain after encountering the post in the wild. The setup is deceptively low-tech. A Facebook account, likely either compromised or purpose built by fraudsters, publishes a post targeting users aged 40 and older. The post claims that Aldi is clearing out excess stock and rather than letting food go to waste, the company is offering meat boxes to people willing to fill out a short form.

The copy is written to sound casual and personal. “Sounds crazy, but it actually worked,” the post reads. It wraps up by telling readers the worst that can happen is they lose a minute. That framing is deliberate. It preemptively neutralizes skepticism by making hesitation feel irrational.

What actually happens after clicking is far more structured than the breezy tone suggests. The researcher’s device was fingerprinted first, a technique used to identify the browser, operating system, and potentially the geographic location of the visitor. That fingerprint data helps fraudsters filter out security researchers, bots, and users from regions outside their target audience, ensuring the scam page only fully loads for likely victims.

From there, the user lands on a spoofed Aldi landing page. The page hosts a fake gift box game, visually similar to the lottery-style interactive promotions popularized by shopping apps like Temu. The game is engineered so the user always wins. After “winning,” the victim is redirected again to a data collection form requesting full name, address, phone number, and credit card details, supposedly to cover the cost of the box and faster delivery.

That is the endgame. The meat box does not exist. The credit card details, however, are very real and very much collected.

Why This Works on the Target Demographic

The age targeting in this scam is not incidental. Users over 40 represent a demographic that grew up before the social media era, which means their intuitions about trust were formed in contexts where a neighbor’s word-of-mouth recommendation carried genuine weight. The post mimics exactly that register. It is casual, anecdotal, and non-threatening.

There is also a broader pattern at play here. Research into social media advertising fraud has found that nearly one in three Meta ads point to scams, phishing pages, or malware distribution. That figure, reported by TechRadar, puts the Aldi scam in a much larger industrial context. This is not a lone fraudster testing their luck. Social advertising infrastructure is being exploited systematically.

The gamified element of the scam also matters. Interactive gift box games lower cognitive guard because they feel playful. When someone wins a game, even a trivially simple one, there is a mild dopamine response. That psychological state, brief as it is, can make a person more willing to complete the next step of a process. Security researchers have noted this tactic appearing across multiple scam campaigns, particularly ones impersonating e-commerce and retail brands.

The Red Flags That Should Stop Anyone Cold

Arntz published a detailed breakdown of the warning signs embedded in this specific campaign. The list is worth internalizing because these flags appear across hundreds of scam variants, not just this one.

The first is the price-to-value mismatch. A box of premium meat for under ten dollars does not pass basic economic scrutiny. Retailers do not offload perishable inventory through informal Facebook posts targeting specific age groups. The second flag is the age-targeting language itself. Legitimate promotions from grocery chains do not restrict participation to people over 40 for stock clearance purposes. That qualifier exists to create a sense of exclusivity and to filter the audience toward a demographic the scammers have profiled as more susceptible.

The third flag is the redirect chain. Legitimate retailers do not funnel users through multiple page redirections before showing them a product. Each redirect in a scam chain serves a functional purpose: fingerprinting, geo-filtering, or loading tracking infrastructure. The fourth and most critical flag is any request for full credit card details. Do not enter your credit card details into websites you are not familiar with.

What To Do If You Interacted With This or a Similar Page

If a person filled out the form and entered card details, the immediate steps are to contact the card issuer and report potential fraud, request a card replacement, and monitor account statements for unauthorized charges. If a name, address, and phone number were submitted, those details may be used in follow-on phishing attempts via SMS or phone calls impersonating banks or delivery companies.

It is also worth reporting the Facebook post directly through Meta’s reporting tools. While platform-level enforcement on this category of scam has been inconsistent, reports do contribute to detection models that can flag similar accounts.

The Bigger Problem This Scam Represents

The Aldi meat box scam is one data point inside a much larger trend. Cybercriminals are increasingly using trusted consumer brand names as bait because the trust those brands carry is essentially free to exploit. A person who has shopped at Aldi for years has a conditioned positive response to the name.

The sophistication of the attack chain, device fingerprinting, spoofed landing pages, gamified interactions, multi-step redirect funnels, is not what most people picture when they think of a Facebook scam. Most people imagine bad grammar and obvious tells. This campaign is built to pass a casual inspection. That gap between expectation and reality is where victims get caught.

The principle Arntz closed with holds up as practical guidance: if a post promises premium goods for the price of a sandwich, treat it as a scam by default until it can be independently verified through the retailer’s official website or a direct call to customer service. The burden of proof belongs on the offer, not on the skeptic.

Sources and Further Reading

Malwarebytes blog post by Pieter Arntz detailing the Aldi meat box Facebook scam, including full attack chain analysis and red flag checklist

https://www.malwarebytes.com/blog/scams/2026/05/facebook-scam-promises-cheap-aldi-meat-boxes-steals-payment-info-instead

TechRadar report on nearly one in three Meta ads pointing to scams, phishing, or malware

https://www.techradar.com/pro/security/social-advertising-is-being-used-to-defraud-at-scale-across-some-of-the-largest-platforms-nearly-one-in-three-meta-ads-reportedly-point-to-a-scam-phishing-or-malware

TechRadar original news coverage of the Aldi Facebook scam

https://www.techradar.com/pro/security/bizarre-facebook-scam-falsely-offers-aldi-meat-boxes-for-under-usd10-but-just-steals-your-card-details

Over 600,000 Salesforce records. Franchise applicant data. A $250,000 ransom demand. That is the current state of the 7-Eleven breach, confirmed in May 2026, and it is another data point in a pattern that security teams can no longer afford to ignore.

Subscribe now

What Actually Happened

7-Eleven, the world’s largest convenience store chain, confirmed a data breach after detecting unauthorized access to systems used to store franchisee documents on April 8, 2026. The company began notifying affected parties and filed a breach notification with the Maine Attorney General’s Office, acknowledging that personal information submitted during franchise applications had been compromised. The total number of affected individuals has not been disclosed publicly, though the Maine filing noted only two state residents were impacted, which suggests personal data exposure may be relatively contained.

That said, “limited personal data” does not mean limited breach. The scope of what was taken is the real story here.

The ShinyHunters Angle

ShinyHunters listed 7-Eleven on its leak site on April 17, claiming to have exfiltrated more than 600,000 Salesforce records containing both personal information and corporate data. The group set a ransom deadline of April 21. When that passed without a payment, they pivoted to a direct sale on a hacker forum, asking $250,000 for the dataset.

This is a textbook ShinyHunters playbook: breach, threaten, sell. The group has been systematically targeting Salesforce environments since mid-2025, pulling millions of records across multiple major organizations. The intrusions are not the result of zero-days in Salesforce’s core platform. According to SecurityWeek’s reporting, the attack vectors are phishing, abuse of third-party integrations, and misconfiguration errors.

That last category should concern every security team running a Salesforce instance. Misconfigurations are preventable. They are also embarrassingly common.

This Is Not an Isolated Event

It would be easy to treat this as a one-off retail breach. It is not. ShinyHunters and affiliated threat actors have confirmed attacks on a growing list of high-profile organizations in recent months.

Instructure, the company behind the Canvas educational platform, was hit and ultimately reached a deal with the hackers to delete stolen data. Vimeo confirmed user and customer data was taken. Wynn Resorts disclosed that approximately 21,000 employees were affected. Vercel, the company behind Next.js, was breached. Medtronic confirmed a hack after ShinyHunters threatened a data leak.

That is five confirmed victims across education, entertainment, hospitality, developer infrastructure, and medical devices. Now add a global convenience store franchise. The diversity of these targets tells you this is not a targeted campaign against one sector. It is an opportunistic sweep of organizations that share one common weakness: a poorly secured Salesforce environment.

Why Salesforce Keeps Showing Up in Breach Reports

Salesforce is not the vulnerability. That distinction matters. The problem is how organizations configure, integrate, and maintain access to their Salesforce instances over time.

Third-party integrations are a particularly high-risk surface. Many organizations connect Salesforce to other platforms using service accounts with excessive permissions, often set up years ago and never reviewed. A phishing email targeting one employee with access to one of those integrations can open a direct path into a data store containing hundreds of thousands of records.

Misconfiguration is the other major factor. Publicly accessible reports, guest user settings left enabled, sharing rules set too broadly, and stale OAuth tokens all create exposure that has nothing to do with Salesforce’s own security posture.

What a Proper Salesforce Security Review Looks Like

Any organization running Salesforce should treat this breach as a function to run through a few non-negotiable checks.

Start with the Health Check tool built into Salesforce. It scores your configuration against baseline security settings and flags deviations. It takes under an hour to run and costs nothing. There is no excuse for skipping it.

Audit connected apps and OAuth grants. Pull a list of every third-party integration currently authorized in your org. Remove anything that is no longer actively used. For those that remain, verify that permissions are scoped to the minimum required. Broad “full access” grants for integrations that only need to read contact records are a standing invitation.

Review guest user access and public site configurations. Guest users in Salesforce can access more data than most administrators realize, particularly if sharing rules have been modified without a full impact assessment.

Enable event monitoring if your license tier supports it. Suspicious bulk data exports, login anomalies, and API activity spikes are detectable if someone is watching. Attackers pulling 600,000 records do not do it silently.

The Bottom Line

ShinyHunters is running a repeatable, scalable operation against Salesforce environments across industries. The 7-Eleven breach is confirmation that no vertical is out of scope. The attack vector is not unique. Phishing, stale integrations, and misconfiguration are baseline security hygiene problems that have existed for years.

The organizations getting hit are not necessarily the ones with the worst security teams. They are the ones that allowed complexity and integration sprawl to outpace their visibility. That is a solvable problem, but it requires someone to own it proactively rather than waiting for a leak site posting to force the conversation.

Sources and Further Reading

7-Eleven breach confirmation and Maine AG filing: https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/

Maine Attorney General breach notification submission: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/4fe778c0-a3a9-4dbe-8e79-2c229ac5c36b.html

ShinyHunters topic coverage at SecurityWeek: https://www.securityweek.com/topics/shinyhunters/

ShinyHunters Salesforce campaign targeting hundreds of organizations: https://www.securityweek.com/hundreds-of-salesforce-customers-allegedly-targeted-in-new-data-theft-campaign/

Instructure Canvas breach and data deletion deal: https://www.securityweek.com/deal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-platform/

Vimeo data breach confirmation: https://www.securityweek.com/vimeo-confirms-user-and-customer-data-breach/

Wynn Resorts breach affecting 21,000 employees: https://www.securityweek.com/wynn-resorts-says-21000-employees-affected-by-shinyhunters-hack/

Vercel breach: https://www.securityweek.com/next-js-creator-vercel-hacked/

Medtronic hack confirmation: https://www.securityweek.com/medtronic-hack-confirmed-after-shinyhunters-threatens-data-leak/

Schools have posted student photos online for decades. A named child in a school blazer, students grinning after a science fair win, photos captioned with their grade and their full name. It’s a way for the school to celebrate their student’s accomplishments. That practice just became a serious threat vector.

Experts from the UK’s National Crime Agency, the Internet Watch Foundation (IWF), and an advisory group called the Early Warning Working Group (EWWG) are now urging schools to pull those photos down. The reason is blunt: criminal actors are scraping school websites, running those images through AI deepfake tools, generating child sexual abuse material (CSAM), and then using that material to extort the schools and families involved.

This is not a theoretical future risk. It has already happened.

Subscribe now

The Incident That Changed the Conversation

Late in 2024, an unnamed UK secondary school was contacted by blackmailers who had done exactly the above. The IWF reviewed the output, classified 150 images as CSAM under UK law, and generated digital fingerprints for each one so major platforms could detect and block any reuploads.

The IWF was clear that this was not viewed as an isolated incident. The EWWG stated publicly that it is “only a matter of time” before more schools face identical demands. UK safeguarding minister Jess Phillips described it as a “deeply worrying emerging threat.”

In February 2025, the UK became the first country to specifically ban AI tools designed to generate CSAM, a legislative move that acknowledged the scale of the problem before most of the public had registered it existed.

How the Threat Evolved to This Point

Sextortion is not new. The criminal playbook has been running for years: obtain intimate images, threaten to distribute them, demand payment. What changed is that attackers no longer need to obtain real intimate images.

The FBI’s Internet Crime Complaint Center logged more than 16,000 sextortion complaints in just the first half of 2021, with losses exceeding eight million dollars. By June 2023, the FBI was warning specifically that attackers had pivoted to using ordinary social media photos to synthesize fake explicit content and extort minors.

That pivot hit children hard. UK children’s counseling helpline Childline had already been handling sextortion cases involving minors who were manipulated into sharing real images of themselves. The more disturbing shift was children contacting Childline after being sent AI-generated CSAM of themselves, with no prior relationship with the attacker at all. One 15-year-old girl reported receiving a “really convincing” fake nude image built from her public Instagram photos.

In a November 2025 report, the IWF published data showing rising cases of AI-generated CSAM, climbing from 199 to 426 confirmed cases. Specifically, this data represented the period between January and October 2025 compared to the exact same period in the previous year. Girls accounted for 94 percent of victims. Reported cases included children ranging from newborns to two-year-olds.

The Infrastructure Behind It

This is not one person with a laptop. The ecosystem is industrial in scale. In April 2025, a researcher discovered an exposed AWS S3 bucket belonging to South Korean “nudify” application GenNomis. It contained 93,485 AI-generated images alongside the prompts used to create them. That is a production-scale operation, and it was left unsecured.

The tooling is accessible, cheap, and increasingly automated. The current situation still requires attackers to manually identify and scrape photos. The concern flagged by security professionals is that this manual step is the last friction point before the entire process becomes fully automated, enabling bulk scraping of school websites, social platforms, and club pages at scale.

What Schools Are Being Told to Do Right Now

The EWWG’s guidance covers several practical changes. Schools are advised to replace close-up, identifiable photos with images taken from a distance, or images shot from behind. Full names should be removed from captions. Existing image archives should be audited. Parents should be asked to re-sign consent forms with updated context about the risk.

The advisory group goes further than that. It is questioning whether schools need to publish photos of children at all.

Some institutions have already acted. Loughborough Schools Foundation, a group of three private schools sharing a website, removed recognizable pupil images entirely in the Autumn term of 2025.

The Legal Picture Is Messier Than It Should Be

In the UK, the Information Commissioner’s Office says it “would still generally expect you to offer an opt-out to parents” when publishing an identifiable photo of a child. But an opt-out is not legally the same as consent, which carries a higher threshold.

In the US, the framework is fragmented. Under the Family Educational Rights and Privacy Act (FERPA), schools typically classify identifiable student photos as directory information, a category that also includes names, addresses, telephone listings, dates of birth, and activity participation. Schools can publish directory information unless a guardian has specifically opted out, and the notification requirement may not extend indefinitely after a student leaves the school. That means photos and names can sit on school websites for years after families assume they have been removed.

The Regulatory Response Is Moving Fast

The UK government is amending the Crime and Policing Bill to require platforms to take down flagged intimate images within 48 hours or face fines equivalent to 10 percent of global revenue. Childline’s Report Remove service, which allows children to flag explicit images of themselves, took 394 blackmail reports from under-18s in the past year alone, up one-third compared to 2024.

These are meaningful enforcement mechanisms, but they are reactive by design. A 48-hour takedown window is genuinely fast for regulatory action. It is still 48 hours after the damage begins.

What Parents Can Actually Do

The most effective mitigation at the individual level is reducing the available attack surface. That means being deliberate about how many identifiable photos of a child are publicly accessible online. School websites are the obvious starting point, but the same logic applies to sports club sites, extracurricular group pages, church or community organization pages, and the child’s own social media accounts if they have them.

Parental social media behavior matters too. A parent who posts a public photo of their child at a school event, tagged with the child’s name and school, is contributing to the same pool of data attackers are scraping.

This is not about fear. It is about understanding that public photos of named children are no longer neutral data. The tools to weaponize them are cheap, accessible, and already in use.

The honest bottom line

The attack surface here was created by past decades of well-intentioned behavior: schools celebrating their students publicly, parents sharing proud moments online. None of that was wrong at the time. The threat model has changed, and the practice needs to change with it.

Sources and Further Reading

• The Guardian reporting on UK schools removing student photos due to AI blackmail threat: https://www.theguardian.com/technology/2026/may/08/uk-schools-remove-pupils-photos-online-ai-blackmail-threat-grows

• UK government announcement on banning AI tools designed to generate CSAM: https://www.gov.uk/government/news/britains-leading-the-way-protecting-children-from-online-predators

• FBI IC3 PSA on sextortion complaints and financial losses in 2021: https://www.ic3.gov/PSA/2021/PSA210902

• FBI IC3 PSA warning on attackers using social media photos to extort minors in 2023: https://www.ic3.gov/PSA/2023/psa230605

• The Guardian report on a 15-year-old receiving AI-generated fake nude images and Childline sextortion cases: https://www.theguardian.com/uk-news/article/2024/aug/21/amid-rise-in-financial-sextortion-childline-is-helping-teenagers-fight-back

• The Guardian report on AI-generated CSAM reports doubling at the IWF year over year: https://www.theguardian.com/technology/2025/nov/12/tech-companies-child-safety-agencies-test-ai-tools-abuse-images-ability

• The Register investigation into exposed GenNomis AWS S3 bucket containing 93,485 AI-generated images: https://www.theregister.com/2025/04/01/nudify_website_open_database/

• US Department of Education FERPA guidance on when a student photo is an education record: https://studentprivacy.ed.gov/faq/when-photo-or-video-student-education-record-under-ferpa

• UK government Crime and Policing Bill amendment requiring 48-hour takedown of intimate images: https://www.gov.uk/government/news/tech-firms-will-have-to-take-down-abusive-images-within-48-hours-under-new-law-to-protect-women-and-girls

• Malwarebytes guidance on sharenting and limiting children’s digital footprints: https://www.malwarebytes.com/blog/inside-malwarebytes/2025/11/sharenting-are-you-leaving-your-kids-digital-footprints-for-scammers-to-find

Two out of three people cannot reliably tell a scam from a legitimate message. That stat, from Malwarebytes’ own research, is not a failure of intelligence. It is a reflection of how sophisticated scam infrastructure has become. Phishing kits are cheap, AI-generated lures are convincing, and the volume is relentless. The answer cannot just be “be more careful.” It has to be structural. That is exactly what this integration is trying to address.

Malwarebytes announced its connector for Anthropic’s Claude on April 29, 2026, adding to an existing integration with ChatGPT. The move puts threat intelligence directly inside the AI tools people are already using for daily tasks, from drafting emails to planning travel.

What the Integration Actually Does

The integration works as a connector inside Claude, requiring no Malwarebytes account to activate. Users navigate to Customize, then Connectors, search for Malwarebytes, and click Connect. Three steps.

Once connected, users can paste a suspicious URL, phone number, or email address directly into a Claude conversation and ask for a check. Claude calls Malwarebytes’ threat intelligence database and returns one of four verdicts: Malicious, Suspicious, Safe, or Unknown.

The Unknown verdict deserves attention. Rather than treating a lack of data as implicit safety, the system automatically triggers a WHOIS lookup to surface domain registration details and registrar abuse contacts. That is a sensible design choice, because newly registered domains are a consistent marker in phishing infrastructure.

Users can also check multiple items simultaneously. If a message contains three links and two phone numbers, one query handles all five. That matters in practice, because real phishing attempts often layer multiple contact vectors into a single lure.

Why Embedding This in an AI Tool Makes Sense

The instinct to ask an AI assistant “is this legit?” is already there. People already paste suspicious text into ChatGPT and Claude and ask for an opinion. The problem is that without grounded threat intelligence, the answer is a general-purpose language model making an educated guess. That is not the same as a lookup against a threat database built from years of active malware and scam tracking.

Malwarebytes has been accumulating that kind of data for a long time. CNET recognized the platform with its Editors’ Choice Award in 2026, describing it as “one of the best cybersecurity suites on the planet.” That reputation is now being channeled into a conversational interface that meets users where their attention already is.

The scam problem the integration is responding to is concrete. Scams arrive through SMS, email, voice calls, and direct messages. The 66 percent figure from Malwarebytes’ own survey reflects a population that is confused and underserved by existing tools. Most people are not running link scanners before they click. They are asking a question and acting on the answer. Building threat verification into that conversational layer is a logical response to actual behavior.

Malwarebytes Affiliate Link

Understanding the Four Verdicts and How to Act on Them

Malicious means a confirmed threat. Do not click, do not call, do not reply. This verdict draws from Malwarebytes’ established threat intelligence and should be treated as definitive.

Suspicious means risk indicators are present but no confirmed threat exists yet. The practical advice here is to avoid interaction and, if the message claimed to be from a known organization, verify through that organization’s official channels independently.

Safe means the item is recognized and legitimate. This does not mean a legitimate domain cannot be used in a future attack, but for current purposes, the item checks out.

Unknown means the database has no record. This is where users should apply the most skepticism. The automatic WHOIS lookup that triggers on Unknown results can surface useful signals, including domain age, which is one of the more reliable indicators of whether a site was spun up specifically to run a short-duration phishing campaign.

Users who confirm a scam can also report it through Claude back to the Malwarebytes threat intelligence team. That feedback loop is important. It means user encounters with novel scams can feed directly into detection, tightening the system over time.

The Broader Context: AI Tools as Security Infrastructure

This integration reflects a shift in how security tooling is being distributed. Browser extensions, dedicated apps, and standalone scanners all require user intent and installation friction. Connectors inside AI assistants are different. They operate at the point of confusion, which is exactly when someone is staring at a message they are not sure about.

The fake CAPTCHA scam reported by Malwarebytes Labs on April 28, 2026 is a good example of what users are up against. That campaign used fake CAPTCHA pages to authorize international SMS charges, then redirected a cut of the proceeds to the scammers. It is the kind of attack that looks superficially legitimate and requires active verification to catch. A tool that enables that verification inside a conversation, without friction, is addressing a real gap.

The PhantomRPC situation reported the same day, where Microsoft rated a privilege escalation issue as “moderate” and declined to patch it, is a reminder that the threat surface is broad and institutional responses are often slow. User-facing tools that offer immediate, accessible verification are filling a real need.

The Malwarebytes and Claude integration is available now. Setup instructions and full documentation are available through the Malwarebytes Help Center.

Sources and Further Reading

Malwarebytes Product and Scams Blog: https://www.malwarebytes.com/blog/category/product

Malwarebytes Labs Author Page: https://www.malwarebytes.com/blog/authors/malwarebyteslabs

Malwarebytes in Claude Announcement (April 29, 2026): https://www.malwarebytes.com/blog/product/2026/04/scam-checking-just-got-a-lot-easier-malwarebytes-is-now-in-claude

Malwarebytes Help Center: Using Malwarebytes in Claude: https://help.malwarebytes.com/hc/en-us/articles/47985341083675-Using-Malwarebytes-in-Claude

CNET Editors’ Choice: Malwarebytes Antivirus Review: https://www.cnet.com/tech/services-and-software/malwarebytes-antivirus-review/

Malwarebytes Labs: Fake CAPTCHA Scam Turns a Quick Click Into a Costly Phone Bill (April 28, 2026): https://www.malwarebytes.com/blog/news/2026/04/fake-captcha-scam-turns-a-quick-click-into-a-costly-phone-bill

Malwarebytes Labs: Microsoft Won’t Patch PhantomRPC: Feature or Bug? (April 29, 2026): https://www.malwarebytes.com/blog/news/2026/04/microsoft-wont-patch-phantomrpc-feature-or-bug

GlassWorm: The Multi-Stage Supply Chain RAT Hiding in Plain Sight

Imagine running npm install on a trusted package and, within hours, every credential on the machine is gone. Browser sessions hijacked. Crypto wallets drained. A persistent backdoor phoning home through the Solana blockchain. That is exactly what GlassWorm does, and it is active right now.

This is not a theoretical exercise. GlassWorm is a multi-stage attack framework targeting software developers through poisoned packages on npm, PyPI, GitHub, and the OpenVSX marketplace. It moves from initial compromise to full system takeover across three distinct stages, each more dangerous than the last.

Subscribe now

How GlassWorm Gets In

The initial infection vector is the software supply chain itself. The threat actor operates on two parallel tracks: publishing entirely new malicious packages and compromising the accounts of legitimate maintainers to push trojanized updates to trusted projects. This dual approach has been tracked across hundreds of compromised GitHub repositories and popular React packages on npm.

Two loader variants have been observed. The first uses invisible Unicode characters to hide malicious code, a technique that defeats visual code review entirely. The second takes a more conventional route via an obfuscated preinstall script. Both variants converge on the same execution logic once they reach the victim machine.

Check out my YouTube channel

Anti-Analysis and Geofencing

Before doing anything else, the loader checks whether the victim is located in Russia. It examines five locale signals, including the system username, LANG environment variable, and Intl locale settings, against a Russian locale pattern. It also checks the system timezone and UTC offset against a hardcoded list spanning Europe/Moscow through Asia/Anadyr. If a Russian locale is detected, execution halts. This CIS-region exclusion is a common pattern in financially motivated malware operations and offers a strong clue about the operator’s geography.

A rate-limiting mechanism also prevents repeated execution. The loader checks a timestamp file at ~/init.json (or %USERPROFILE%\init.json on Windows). If the file was written less than two hours ago, the loader goes dormant.

The Blockchain Dead Drop

Here is where GlassWorm gets genuinely clever. Rather than hardcoding a command-and-control URL that defenders can block or take down, the loader queries the Solana blockchain for its Stage 2 address. The operator stores the C2 URL in the memo field of a Solana transaction, which is permanent, publicly visible on-chain, and hosted on infrastructure that no single party can shut down.

The loader cycles through nine public Solana RPC endpoints until one responds, then polls in a 10-second loop until it finds a transaction with a non-null memo. The memo contains a Base64-encoded URL pointing to the Stage 2 payload server. The operator can rotate this URL at any time simply by sending a new Solana transaction. No package update is required. No infrastructure needs to be redeployed.

Two Solana wallet addresses have been observed across the loader variants, confirming that the Unicode loader and the obfuscated preinstall loader are part of the same operation.

Stage 2: Credential Harvesting at Scale

Once Stage 2 lands, the payload becomes an aggressive data-theft framework. It targets 71 browser extension wallet IDs covering MetaMask, Phantom, Coinbase, Exodus, Binance, Ronin, Keplr, and others. It also sweeps standalone wallet application directories and collects .txt files and images from Documents and Desktop folders whose filenames suggest seed phrases or crypto holdings.

Developer credentials receive equally thorough treatment. The payload reads .npmrc files and NPM_TOKEN environment variables, validates stolen npm tokens in real time against the npm registry, and extracts tokens via the git credential command and VS Code internal storage. Cloud provider credentials for AWS, GCP, Azure, Docker, Kubernetes, SSH keys, Heroku, DigitalOcean, and Terraform are also copied.

Everything is staged under %TEMP%\hJxPxpHP, zipped, and exfiltrated via a POST request to 217.69.3[.]152/wall.

Stage 3: The Persistent RAT

Stage 3 downloads two components. The first is a .NET phishing binary that targets users with physical Ledger or Trezor hardware wallets. It monitors for USB device connections via a WMI event subscription. When a hardware wallet is plugged in, the binary launches a convincing phishing window that requests the 24-word recovery phrase. A background loop kills any real Ledger Live processes at one-second intervals and prevents the victim from closing the phishing window without entering credentials. Stolen seed phrases are transmitted to 45.150.34[.]158.

The second component is a WebSocket-based RAT saved as %APPDATA%\QtCvyfVWKH\index.js. Persistence is achieved through both a scheduled task (UpdateApp, running with highest privileges) and a Run registry key that executes a PowerShell launcher. The RAT hooks SIGINT, SIGTERM, SIGQUIT, and several other signals. If the process is killed, it schedules a re-download and restart of the payload.

DHT-Based C2 and Fallback Chains

The RAT resolves its primary C2 through a distributed hash table lookup for a pinned public key, bootstrapping through dht.libtorrent.org, router.bittorrent.com, and router.utorrent.com. If the DHT lookup fails, it falls back to the Solana memo dead-drop to fetch a new IP address. This layered resilience makes traditional network-based blocking extremely difficult. Defenders cannot simply sinkhole a domain or block a single IP.

The recovered infrastructure includes 217.69.0[.]159:10000 as the DHT bootstrap node, 45.32.150[.]251 as the WebSocket C2, and 217.69.3[.]152:80 as the exfiltration server.

The Fake Chrome Extension

Deep in Stage 3, the RAT force-installs a Chrome extension masquerading as “Google Docs Offline” (version 1.95.1). This extension resolves its own C2 from a separate Solana wallet, registers as an agent via a POST request, and begins polling for commands at randomized intervals between 5 and 30 seconds.

The extension’s capabilities are extensive. It can capture the full DOM tree of the active tab, dump all cookies (optionally filtered by domain), extract localStorage key-value pairs, take screenshots, read clipboard contents, pull up to 5,000 browser history entries, export the full bookmark tree, fingerprint the browser and hardware, and run a keylogger that hooks keydown, keyup, keypress, input, change, focus, and blur events across all pages.

It also performs targeted session surveillance. The extension ships with Bybit pre-configured as a monitored target, watching for authentication cookies and firing webhooks when they are detected.

Why This Matters Beyond Crypto

The current targeting skews heavily toward developers with cryptocurrency assets, but that framing undersells the threat. The stolen npm tokens, git credentials, cloud provider secrets, and VS Code data create the foundation for broader supply chain attacks that can reach far beyond the original victim. A compromised npm token, for example, can be used to push malicious code to packages consumed by thousands of downstream applications.

The SOCKS proxy capability in the RAT compounds this risk. It turns the victim machine into a proxy node, allowing the threat actor to route other attacks through the victim’s IP address.

Detection Priorities

Defenders should focus on several indicators. Check for the existence of %APPDATA%\QtCvyfVWKH\index.js and the PowerShell launcher at %LOCALAPPDATA%\QtCvyfVWKH\AghzgY.ps1. Look for the scheduled task named UpdateApp and the Run registry keys UpdateApp and UpdateLedger under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

On macOS, the malicious Chrome extension installs to /Library/Application Support/Google/Chrome/myextension/. On Windows, look for the extension directory named “jucku” under the Chrome local data path.

Audit browser extensions regularly. A duplicate “Google Docs Offline” entry, especially at version 1.95.1, is a strong signal. Monitor for outbound connections to the four IP addresses published in the IOCs. Pin package versions. Treat sudden maintainer changes or large code rewrites in minor releases as review triggers.

GlassWorm is a reminder that the software supply chain is now a primary attack surface. The combination of blockchain-based C2, DHT resilience, and layered persistence makes this threat significantly harder to disrupt than a conventional RAT. The developers it targets today are the entry point to the companies and users it compromises tomorrow.

Sources

1. Malwarebytes, “GlassWorm attack installs fake browser extension for surveillance,” https://www.malwarebytes.com/blog/news/2026/03/glassworm-attack-installs-fake-browser-extension-for-surveillance

2. Aikido Security, “GlassWorm Hides a RAT Inside a Malicious Chrome Extension,” March 18, 2026. https://www.aikido.dev/blog/glassworm-chrome-extension-rat

What if the next wire transfer your finance team approves is authorized by a voice that sounds exactly like your CFO, on a video call where every face looks real, but none of them are human? That scenario already happened. In early 2024, a multinational firm lost $25 million after an employee was deceived by a fully AI-generated video call impersonating the company's CFO and entire leadership team. The employee was invited to a conference call with other senior staff members, and everyone on the call was a deepfake. Scammers had scraped publicly available data from social media platforms like LinkedIn and fed it into AI to create matching video and audio.

This is not a thought experiment. It is the current state of phishing in 2026.

Over 90% of cyberattacks begin with phishing, making it the leading method threat actors use to breach networks and steal data. Understanding where this threat started and where it is going is no longer optional security hygiene. It is table stakes for anyone defending a network.

The Classic Playbook: How Traditional Phishing Works

The original phishing attack is simple by design. An attacker sends a mass email impersonating a trusted brand, a bank, a shipping carrier, an HR department, and waits for someone to click a link or open an attachment. The goal is credential theft, malware delivery, or direct financial fraud.

Microsoft remains the most imitated brand, with 43.1% of phishing attempts targeting it, according to the Zscaler ThreatLabz 2024 Phishing Report. That number makes sense. A stolen Microsoft 365 login is a skeleton key to email, SharePoint, Teams, and often the identity layer of an entire organization.

The click window is alarmingly short. The median time for users to click on a phishing simulation link was just 21 seconds, and 28 seconds to submit sensitive data, according to Verizon’s 2024 Data Breach Investigations Report. A security awareness program that drills “think before you click” is fighting against a biological reflex baked into routine work behavior.

Traditional phishing remains the foundation because it scales. An estimated 3.4 billion phishing emails are sent globally every single day. Even a tiny conversion rate on that volume produces millions of compromised accounts per year.

Spear Phishing: When the Attack Knows Your Name

Spray-and-pray email blasts are giving way to targeted campaigns that reference your actual job title, your manager, your clients, or a project you are actively working on. This is spear phishing, and it operates on the principle that context eliminates suspicion.

A 2019 study highlighted that spear phishing was the most popular attack method for cybercriminals, used by 65% of all known groups, with intelligence gathering as the primary motive in 96% of cases. The targeting information comes from LinkedIn profiles, company websites, press releases, and breached credential databases available on dark web marketplaces.

The variation targeting executives specifically is called whaling. A single whaling attack costs businesses $47 million on average. The mechanism is the same as spear phishing, but the research investment is heavier because the target has authority to approve large transactions.

Approximately 88% of organizations experience spear phishing attacks annually. If your organization has a public web presence and a LinkedIn company page, it is a spear phishing target. There is no threshold of size below which this stops being true.

Smishing and Vishing: Phishing Moves Off Email

At some point, attackers realized that corporate email filters had gotten better and that the same psychological levers work equally well over SMS and phone calls. The result was smishing (SMS phishing) and vishing (voice phishing), and both have grown dramatically.

Smishing exploits the trust that most people place in text messages. Smishing click-through rates range from 19 to 36%, significantly higher than email phishing’s 2 to 4%. Part of that gap is technical: mobile screens hide full URLs, making it harder to spot spoofed domains before tapping a link. In 2024, U.S. consumers reported $470 million in losses to text-message scams, a figure the FTC noted is five times higher than in 2020.

Vishing uses phone calls to manufacture urgency. A caller pretending to be IT support, a bank fraud team, or a government agency pressures a target into revealing credentials or authorizing a payment in real time. CrowdStrike observed an explosive increase in vishing incidents, with cases jumping 442% between early and late 2024.

The MGM Resorts ransomware attack, which caused extensive operational disruption, reportedly began when an attacker called the IT help desk and impersonated an employee to gain access. That is the defining feature of vishing: no malware required, just a convincing caller and a helpful employee following normal procedure.

Quishing: The QR Code Trap

QR codes were a niche technology until the pandemic normalized scanning them for menus, check-ins, and payments. Attackers noticed and pivoted quickly. Quishing embeds a malicious URL inside a QR code image, which email security filters cannot read the way they parse text-based links.

According to Abnormal Security, QR code attacks increased 400% between 2023 and 2025, with energy, healthcare, and manufacturing among the most affected sectors. The technique is particularly effective against executives. In Q4 2023, the average C-suite executive saw 42 times more QR code phishing attacks compared to the average employee.

56% of quishing emails involve Microsoft two-factor authentication resets, and only 39% of consumers can identify a malicious QR code. The delivery method also extends beyond email. Physical QR codes have been placed on parking meters, restaurant tables, and event signage, redirecting people who scan them for a legitimate purpose.

AI-Powered Phishing: The Threat That Broke the Old Rules

The “badly written email” heuristic that security awareness programs relied on for years is now dead. Generative AI produces grammatically flawless, contextually appropriate phishing content at industrial scale. In an experiment by IBM security researchers, AI needed only 5 prompts and 5 minutes to build a phishing attack as effective as one that took human experts 16 hours.

The numbers reflect this shift. Since December 2024, AI-generated phishing campaigns flooded inboxes with a 14x surge and now represent around half of all attacks reported by users. According to one external threat intelligence report, 67.4% of all phishing attacks in 2024 utilized some form of AI.

Deepfake Vishing and Executive Impersonation

AI voice cloning is now accessible to anyone willing to spend roughly $20 on dark web tooling. As Deloitte notes, there is now an entire dark web cottage industry selling AI-driven scamming tools for as little as $20, a democratization of fraud tech that is challenging traditional anti-fraud defenses.

Voice cloning technology can replicate executive voices using as little as three seconds of audio obtained from earnings calls, podcasts, or conference presentations. One of the first documented cases occurred in 2019 when a UK energy firm lost $243,000 after a subordinate was convinced by an AI-cloned CEO voice to wire funds to a fraudulent account. The 2024 Arup incident involving $25 million in losses represented a direct escalation of the same method, now extended to video.

The CEO of WPP was also targeted by scammers who cloned his voice and used it on a fake Teams-style call, with the voice sounding authentic and instructing staff to share sensitive access credentials and transfer funds. That attempt was identified before financial loss occurred, but it demonstrates that no profile is too public or too prominent to be targeted.

Malicious LLMs and Phishing-as-a-Service

The ecosystem around AI phishing has professionalized. Threat actors have created malicious large language models including WormGPT, FraudGPT, Fox8, and DarkBERT to help them create malware, malicious code, and other illegal materials at scale. These tools strip out the ethical guardrails that commercial AI platforms enforce and are sold on subscription through dark web forums.

Phishing-as-a-Service (PhaaS) kits have grown 21%, giving even low-skilled actors the tools to run large-scale campaigns. The barrier to entry for a sophisticated, multi-channel phishing operation is now measured in dollars and hours rather than weeks of technical expertise.

What a Modern Attack Actually Looks Like

A current high-sophistication campaign does not rely on a single vector. 41% of phishing incidents now involve multi-channel attacks combining SMS, QR codes, and voice calls, with 40% of campaigns extending beyond traditional email to platforms like Slack, Teams, and social media.

The sequence typically runs as follows. An initial email establishes context, referencing a real internal project scraped from LinkedIn. A follow-up SMS creates urgency. A phone call from someone claiming to sound like a known colleague closes the loop. Each step by itself might trigger a flag. Together they build a narrative that overrides normal skepticism.

Phishing-related breaches take an average of 254 days to identify and contain, the third-longest dwell time of any breach vector, and organizations often do not realize they are compromised until attackers have established a firm foothold.

What Actually Works Against These Threats

Security controls need to match the threat model, not the one from five years ago. Password policies and standard email gateways were designed for a different era. Adversary-in-the-Middle (AiTM) frameworks like EvilGinx2 bypass MFA by proxying the authentication session and stealing the session cookie after MFA completes, with Microsoft reporting over 10,000 AiTM attacks per month targeting its users in 2024.

Training still matters but only if it evolves. Users who had more recent training reported phishing emails at a rate of about 21%, compared to a base rate of 5%, a four times relative increase. The content of that training needs to shift from “spot the typo” to “verify the request through a separate channel regardless of how convincing the communication appears.”

Out-of-band verification is the most consistently effective control against deepfake voice and video attacks. Organizations that require a callback over a pre-registered number, or a confirmation through a second authenticated channel, break the social engineering chain even when the impersonation is technically flawless.

The threat has become multi-modal, AI-assisted, and deeply personalized. The organizations that keep pace are the ones that treat verification as a process requirement, not a judgment call made under pressure.

SOURCES AND FURTHER READING

1. Hoxhunt Phishing Trends Report: https://hoxhunt.com/guide/phishing-trends-report

2. Hunto AI Phishing Attack Statistics 2026: https://hunto.ai/blog/phishing-attack-statistics/

3. Zensec Phishing Statistics 2025-2026: https://zensec.co.uk/blog/2025-phishing-statistics-the-alarming-rise-in-attacks/

4. Keepnet Phishing Statistics: https://keepnetlabs.com/blog/top-phishing-statistics-and-trends-you-must-know

5. Guardz 33 Phishing Statistics 2025: https://guardz.com/blog/33-phishing-statistics-every-msp-should-know-about/

6. AAG Phishing Statistics: https://aag-it.com/the-latest-phishing-statistics/

7. Brightside AI Phishing Risk Analysis 2025: https://www.brside.com/blog/ai-generated-phishing-vs-human-attacks-2025-risk-analysis

8. Right-Hand AI Deepfake Vishing 2025: https://right-hand.ai/blog/deep-fake-vishing-attacks-2025/

9. Norton Top 5 AI and Deepfakes 2025: https://us.norton.com/blog/online-scams/top-5-ai-and-deepfakes-2025

10. CybelAngel Rise of AI Phishing: https://cybelangel.com/blog/rise-ai-phishing/

11. StrongestLayer AI Phishing 2026: https://www.strongestlayer.com/blog/ai-generated-phishing-enterprise-threat

12. Jericho Security Deepfake Phishing: https://www.jerichosecurity.com/blog/deepfake-phishing-the-ai-powered-social-engineering-threat-putting-cisos-on-high-alert-in-2025

13. TechTarget AI Phishing Dangers: https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous

14. Hoxhunt AI Phishing Infographic: https://hoxhunt.com/blog/ai-phishing-attacks

15. Keepnet Smishing Statistics: https://keepnetlabs.com/blog/smishing-statistics-the-latest-trends-and-numbers-in-sms-phishing

16. Keepnet Quishing Statistics: https://keepnetlabs.com/blog/qr-code-phishing-trends-in-depth-analysis-of-rising-quishing-statistics

17. CaptainDNS Phishing Trends 2025-2026: https://www.captaindns.com/en/blog/phishing-trends-2025-2026-statistics

18. Bright Defense Phishing Statistics: https://www.brightdefense.com/resources/phishing-statistics/

19. Parachute Cloud Phishing Statistics 2026: https://parachute.cloud/phishing-attack-statistics/

20. Controld Global Phishing Statistics: https://controld.com/blog/phishing-statistics-industry-trends/

Security researchers have uncovered DarkSword, a sophisticated cyberattack that can silently steal everything on your iPhone in minutes, with nothing but a visit to a website.

If your iPhone is running iOS 18.4 through 18.6.2, you may be at risk right now. The fix is simple: update to iOS 18.7.3 or later.

Subscribe to my YouTube channel

What Is DarkSword?

Imagine a burglar who can walk through your locked front door, rifle through every drawer in your house, photograph everything valuable, and disappear, all without making a sound, and without you ever opening the door for them. That is essentially what DarkSword does to an iPhone.

Discovered by security firm Lookout in March 2026, DarkSword is a full iOS exploit chain and payload targeting iPhones running iOS versions between 18.4 and 18.6.2. lookout It was built to silently break into iPhones, steal a sweeping range of personal information, and then vanish, leaving almost no trace behind.

What makes it especially alarming is the delivery mechanism. You don’t have to download a suspicious app. You don’t have to click a phishing link that looks obviously fake. Simply visiting a compromised legitimate website is enough to trigger the attack, a technique known as a watering hole attack. Even if a user needs to be lured to the site, social engineering defensive training is not effective since the infection URL is legitimate. lookout

“The infection URL is legitimate. Even security-aware users have no way to detect it.” - Lookout Threat Labs, March 2026

Who Is At Risk?

DarkSword specifically targets iPhones running iOS versions 18.4 through 18.6.2. If your phone is on any of these software versions and you haven’t updated yet, you may be vulnerable.

While the attacks observed so far have targeted Ukrainian users, particularly visitors to Ukrainian news sites and government websites, DarkSword’s use of exploits affecting newer iOS versions could potentially affect hundreds of millions of devices. lookout Any iPhone user on an affected iOS version should treat this as a personal concern.

People most at risk include iPhone users running iOS 18.4 through 18.6.2 who haven’t yet updated, people who use cryptocurrency apps like Coinbase, Binance, MetaMask, Ledger, and Trezor, journalists, activists, or government employees who may be of interest to foreign intelligence services, business professionals whose phones hold access to corporate email and files, and anyone who stores sensitive passwords, financial details, or private messages on their iPhone.

That last point deserves emphasis. DarkSword doesn’t just steal obvious targets like bank apps. It goes after your photos, your notes, your location history, your calendar, even your health data. For most people, a complete copy of everything on their phone would be deeply invasive, regardless of whether they consider themselves a “high-value” target.

What Does It Actually Steal?

Once DarkSword gets into a device, it takes a hit-and-run approach, collecting and exfiltrating targeted data within seconds or at most minutes, followed by cleanup. lookout Here is the full picture of what it is designed to take: saved passwords, emails from all accounts, photos and videos, iCloud Drive files, Telegram messages, WhatsApp messages, SMS and iMessages, your address book and contacts, call history, Safari browsing history and cookies, Wi-Fi network passwords, location and location history, notes, calendar events, health data, cryptocurrency wallet data, SIM and cellular information, and a list of all installed apps.

After all the data has been exfiltrated, the staged files are cleaned up and the process exits cleanly, lookout making it very difficult to know after the fact whether you were ever compromised.

Who Is Behind This?

The attackers have been given the designation UNC6353 by researchers, described as a likely Russian threat actor. lookout Here is what is known.

Researchers believe this group is likely connected to Russian intelligence interests, based on its targets (Ukrainian government and news sites) and tactics that mirror known Russian cyber operations. However, the group also targets cryptocurrency wallets, a clearly financially motivated target, indicating a dual-use approach that is an important insight into the threat actor’s motives. lookout

They are assessed to have access to a supply of high-quality iOS exploit chains, likely developed for tier-1 commercial surveillance vendors, indicating they are likely well funded and may have connections to exploit brokers such as Matrix LLC / Operation Zero. lookout They bought this weapon rather than building it themselves. Sophisticated cyberweapons are now available on a shadowy secondary market, putting nation-state-grade hacking tools into the hands of groups with money but not necessarily deep technical expertise.

Analysis of patterns suggests that AI tools were used in the creation of at least some of the implant code, and it appears probable that UNC6353 relied on AI support to add additional functionality to purchased tooling. lookout

Researchers assess that UNC6353 is a well-funded, well-connected but technically less sophisticated threat actor whose goals include both financial gain and espionage aligned with Russian intelligence requirements. lookout

How to Protect Yourself

Devices running the most recent versions of iOS (18.7.3 or later for iOS 18) are not susceptible to this threat or the vulnerabilities exploited by it. lookout Updating is the single most important thing you can do.

Beyond updating, here are practical steps to reduce your risk.

First, update your iPhone right now. Updating to iOS 18.7.3 or later closes the exact vulnerabilities DarkSword uses.

Second, enable automatic updates. Turn on automatic software updates so your phone stays protected without you having to remember. Go to Settings, then General, then Software Update, then Automatic Updates, and turn both toggles on.

Third, be cautious on unfamiliar websites. DarkSword spreads via compromised legitimate websites, so standard advice about avoiding suspicious links won’t always help. Minimizing browsing on unfamiliar sites, especially on public Wi-Fi, reduces exposure.

Fourth, secure your cryptocurrency. Cryptocurrency exchanges targeted by DarkSword include Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC, and it also targets wallets such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. lookout If you use any of these, treat this as a high-priority alert and consider moving funds to a hardware wallet not connected to any device.

Fifth, change critical passwords. If you believe your device may have been at risk, consider changing your most sensitive passwords, including email, banking, and crypto, from a separate updated device.

Sixth, consider enabling Lockdown Mode. If you are a high-risk individual such as a journalist, activist, executive, or government employee, Apple’s Lockdown Mode significantly reduces the attack surface on your device. Go to Settings, then Privacy and Security, then Lockdown Mode. Note that it restricts some features.

How to Update Your iPhone

Updating your iPhone takes less than 15 minutes in most cases. Here is exactly how to do it.

Step 1: Open the Settings app on your iPhone (the grey icon with gears).

Step 2: Scroll down and tap General.

Step 3: Tap Software Update. Your phone will check for available updates, which may take a moment.

Step 4: If an update is available, tap “Update Now,” or “Download and Install” if it hasn’t downloaded yet.

Step 5: Enter your iPhone passcode if prompted.

Step 6: Your iPhone will download the update and restart. Make sure you’re connected to Wi-Fi with at least 50% battery, or plug it in. The process typically takes 5 to 15 minutes.

Step 7: After the restart, go back to Settings, then General, then Software Update, to confirm you are now running iOS 18.7.3 or later.

As a bonus step, while in the Software Update screen, tap Automatic Updates and turn on both “Download iOS Updates” and “Install iOS Updates” so this happens on its own in future.

If your iPhone is too old to receive iOS 18, older devices may not receive security patches for newer vulnerabilities. If your device cannot update beyond iOS 16 or 17, consider speaking with your employer’s IT department or evaluating whether it may be time to upgrade your hardware.

The protection is available, free, and takes less time than making a cup of coffee. Share this with anyone who uses an iPhone.

Based on research published by Lookout Threat Labs, March 18, 2026. For informational purposes only. Always consult official sources for the latest guidance.

Tax season has always attracted scammers, but 2026 is shaping up to be a turning point. The scams targeting American taxpayers this year are not the clumsy, obvious schemes of the past. They are industrialized, AI-powered operations that can fool even careful, savvy people. Here is what you need to know to protect yourself.

YouTube Channel

The Numbers Are Staggering

Before diving into the specifics, it helps to understand the scale of the problem. The FBI’s Internet Crime Complaint Center recorded over 859,000 complaints in 2024, with total financial losses exceeding $16.6 billion, a 33% jump over the prior year. Scammers are also getting more efficient. The share of fraud attempts that resulted in an actual financial loss jumped from 27% to 38% in a single year, meaning nearly four in ten people who encountered a scam lost real money.

The Game-Changer: AI Voice Cloning

The most alarming development this tax season is the rise of AI-generated voices used to impersonate IRS agents, family members, and financial professionals. This technology has contributed to a reported 400% increase in successful voice phishing attempts.

How does it work? Scammers can now create a convincing synthetic replica of a real person’s voice using as little as a three-second audio sample, often pulled from public social media videos, podcasts, or even voicemail greetings. They then use that voice in high-pressure phone calls, spoofing official IRS caller ID numbers, to demand immediate payment for supposed back taxes.

What makes these calls so dangerous is that modern AI-synthesized voices include filler words, natural pauses, and shifting tones that make them essentially indistinguishable from a real human on a standard phone line. The old advice of simply listening carefully no longer applies.

What to do: If you receive an unexpected call from someone claiming to be the IRS, hang up and call the IRS directly using the number on their official website irs.gov. The real IRS initiates most contact through the U.S. Postal Service, not phone calls.

Don’t Believe Everything You See on TikTok

Social media has become a major pipeline for tax misinformation. Self-proclaimed tax influencers on platforms like TikTok and Instagram have been promoting fraudulent strategies, convincing followers they are eligible for credits the IRS is supposedly withholding from the public.

One of the most widespread examples is a fictitious “Self-Employment Tax Credit.” Promoters claim gig workers and self-employed individuals can receive payments of up to $32,000. No such credit currently exists. The actual pandemic-era credits they reference expired years ago, and scammers instruct victims to misuse tax forms by claiming credits based on income that does not qualify.

The cruel reality is that taxpayers who follow this bad advice are still fully liable for the taxes owed, plus interest and civil penalties, even if they genuinely believed the advice was legitimate.

What to do: If a tax tip seems too good to be true, verify it directly with a licensed CPA or on IRS.gov, not in a comment section.

Phishing Texts Are More Convincing Than Ever

Smishing, which refers to scam text messages, has become particularly effective because mobile browsers show far less of a URL than a desktop browser, making it much easier to disguise a fake website as a legitimate one.

Learn more about phishing scams here

A typical 2026 smishing attack follows a predictable pattern. A text claims your refund is approved or that there is unusual activity on your account. A link takes you to a convincing replica of the IRS website, where you are prompted to enter your Social Security Number and bank details. After collecting your information, the fake site often displays a placeholder page telling you to wait 24 hours, giving scammers time to move funds before you realize what happened.

What to do: Never click links in unsolicited tax-related texts. Go directly to IRS.gov by typing it into your browser.

Tax Professionals Are Targets Too

Scammers are not just going after individual filers. They are targeting the accountants and preparers who serve hundreds or thousands of clients at once. In what is known as the “new client” scam, a cybercriminal poses as a prospective client and sends a spearphishing email to a tax professional. Once the preparer responds, a malicious attachment installs malware that gives the attacker access to the firm’s entire client database.

Separately, “ghost preparers” continue to cause serious harm. These are unlicensed individuals who prepare returns for a fee but never sign them. Red flags include charging a percentage of your refund rather than a flat fee, refusing to provide their IRS Preparer Tax Identification Number, and asking you to sign a blank or incomplete return.

What to do: Always verify your preparer’s credentials at IRS.gov, and never sign an incomplete return.

Seniors Are Being Specifically Targeted

People over age 60 suffered the greatest financial losses from fraud in 2024, accounting for nearly $5 billion in reported losses. Scammers use threatening phone calls to claim that Social Security benefits will be suspended or that immediate arrest is imminent for unpaid taxes.

One particularly damaging tactic involves convincing seniors to withdraw from their retirement accounts to pay fake fines. That withdrawal then triggers a real tax liability, leaving the victim worse off on two fronts.

What to do: Talk to elderly family members about these tactics. Consider establishing a family code word to verify identity if anyone ever receives a suspicious call claiming to be from a relative in distress.

The Best Defense: Get an IP PIN

The single most effective step any taxpayer can take right now is enrolling in the IRS Identity Protection PIN program. This six-digit number prevents anyone from filing a tax return using your Social Security Number, even if a scammer already has your name, birthdate, and SSN. The IRS issues a new PIN every year, making previously stolen numbers useless. You can enroll at IRS.gov in just a few minutes.

The Bottom Line

The IRS will never demand payment via gift card or cryptocurrency, will never threaten immediate arrest over the phone, and will never use a synthetic voice to pressure you into action. When in doubt, slow down. The urgency that scammers manufacture is itself the weapon. Take a breath, hang up, and verify through official channels before doing anything with your money or personal information.