2025 Press Releases
The Federal Bureau of Investigation (FBI) is warning the public, private sector, and international community of the threat posed to computer networks and critical infrastructure by cyber actors attributed to the Russian Federal Security Service's (FSB) Center 16. The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.
In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.
The FSB Center 16 unit conducting this activity is known to cybersecurity professionals by several names, including "Berserk Bear" and "Dragonfly," which refer to separate but related cyber activity clusters. For over a decade, this unit has compromised networking devices globally, particularly devices accepting legacy unencrypted protocols like SMI and SNMP versions 1 and 2. This unit has also deployed custom tools to certain Cisco devices, such as the malware publicly identified as "SYNful Knock" in 2015.
The FBI and law enforcement partners previously released guidance that remains relevant in a Technical Alert, "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices" on 20 April 2018, and a Joint Advisory, "Primary Mitigations to Reduce Cyber Threats to Operational Technology" on 6 May 2025. In addition, Cisco Talos published a blog post on 20 August 2025 with more information on their analysis of this threat actor, identified by Cisco Talos as Static Tundra.
If you suspect you have been targeted or compromised by a Russian FSB cyber intrusion, immediately report the activity to your local FBI field office or file a report on the FBI's Internet Crime Complaint Center (IC3).
- Prior to initiating an IC3 report, evaluate your router and other networking devices for any configuration changes or malware that could have been installed on the devices. Once evaluated, provide this detailed information within the IC3 report.
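One way to carry out the configuration evaluation described above, as an added example that is not part of the FBI announcement: it compares a device's running configuration with a known-good baseline and flags the legacy protocols the announcement names (Smart Install and SNMP versions 1 and 2). The two sample configurations, the hostname, and the function names are constructed for illustration and assume Cisco IOS-style syntax.

```python
import re

# Constructed sample configurations; not taken from any real device, and the
# differences between them are illustrative, not indicators from the advisory.
BASELINE = """\
hostname edge-sw1
no vstack
snmp-server group NETOPS v3 priv
line vty 0 4
 transport input ssh
"""

RUNNING = """\
hostname edge-sw1
snmp-server group NETOPS v3 priv
snmp-server community EXAMPLE-STRING RW
line vty 0 4
 transport input telnet ssh
"""


def normalize(config_text):
    """Return config statements with sub-mode lines qualified by their parent.

    Indented lines belong to the last unindented line, so ' transport input ssh'
    becomes 'line vty 0 4 / transport input ssh' and keeps its context in a diff.
    """
    statements, parent = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators/comments
        if line[0].isspace() and parent:
            statements.append(f"{parent} / {line.strip()}")
        else:
            parent = line.strip()
            statements.append(parent)
    return statements


def redact(statement):
    """Hide SNMP community strings so reports do not leak them."""
    return re.sub(r"(?i)(snmp-server community\s+)\S+", r"\1<redacted>", statement)


def diff_against_baseline(baseline_text, running_text):
    """Return (added, removed) statements relative to the known-good baseline."""
    base, run = normalize(baseline_text), normalize(running_text)
    added = [redact(s) for s in run if s not in base]
    removed = [redact(s) for s in base if s not in run]
    return added, removed


def legacy_protocol_findings(running_text):
    """Flag SNMPv1/v2c communities and a missing 'no vstack' statement."""
    findings = []
    statements = normalize(running_text)
    for s in statements:
        m = re.match(r"snmp-server community\s+\S+(.*)", s, re.I)
        if m:
            rw = "rw" in m.group(1).lower().split()
            access = "read-write" if rw else "read-only"
            findings.append(
                f"SNMPv1/v2c community configured ({access}); string redacted"
            )
    # Absence of 'no vstack' is only a prompt to check: platforms without
    # Smart Install never show it. Confirm on the device with 'show vstack config'.
    if not any(s.lower() == "no vstack" for s in statements):
        findings.append(
            "Smart Install not explicitly disabled: no 'no vstack' statement"
        )
    return findings


if __name__ == "__main__":
    added, removed = diff_against_baseline(BASELINE, RUNNING)
    for s in added:
        print("ADDED  ", s)
    for s in removed:
        print("REMOVED", s)
    for f in legacy_protocol_findings(RUNNING):
        print("FINDING", f)
```

The diff output and findings from a run like this are the kind of detail the announcement asks to be included in an IC3 report.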
The FBI warns the public about a scam variation in which criminals send unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone. The criminals often ship the packages without sender information to entice the victim to scan the QR code. While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity.
This is a variation of a "brushing scam," which is used by online vendors to increase ratings of their products. In a traditional brushing scam, online vendors send merchandise to an unsolicited recipient and then use the recipient's information to post a positive review of the product. In this variation, scam actors have incorporated the use of QR codes on packages to facilitate financial fraud activities.
Tips to Protect Yourself
Criminals continue to evolve their tactics to target unsuspecting victims. Precautions should be taken prior to scanning any QR codes received through unsolicited communications or packages.
- Beware of unsolicited packages containing merchandise you did not order.
- Beware of packages that do not include sender information.
- Take precautions before authorizing phone permissions and access to websites and applications.
- Do not scan QR codes from unknown origins.
- If you believe you are the target of a brushing scam, secure your online presence by changing account profiles and request a free credit report from one or all the national credit reporting agencies (Equifax, Experian, and TransUnion) to identify possible fraudulent activity.
Report It
The FBI requests the public report these fraudulent or suspicious activities to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible:
- The name of the person or company that contacted you.
- Methods of communication used, including websites, emails, and telephone numbers.
- Any applications you may have downloaded or provided permissions to on your electronic device.
Individuals aged 60 or over who need assistance with filing an IC3 complaint can contact the DOJ Elder Justice Hotline, 1-833-FRAUD-11 (or 833-372-8311).
For additional information on similar scams, please see previous Public Service Announcements:
The Federal Bureau of Investigation (FBI) is providing an update to previously shared guidance regarding Democratic People's Republic of Korea (North Korea) Information Technology (IT) workers to raise public awareness of the threat posed to U.S. businesses. North Korea is evading U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue for the regime. North Korean IT workers use a variety of techniques to disguise their identities, including leveraging U.S.-based individuals, both witting and unwitting, to gain fraudulent employment and access to U.S. company networks to generate this revenue.
These witting and unwitting U.S.-based individuals provide a U.S.-based location for companies to send devices, enabling North Korea to circumvent controls companies may have in place to prevent the hiring of illicit, overseas workers as well as controls intended to prevent unauthorized access to company networks by North Korean IT workers, including through the unauthorized installation of remote access software. North Korean IT workers' activities illegally violate U.S. and U.N. sanctions and threaten the security of the targeted companies. Companies that outsource IT work to third-party vendors can face additional vulnerabilities since these companies are removed from the direct hiring process.
Specifically, U.S.-based facilitators have provided the following services to North Korean IT workers:
- A U.S.-based internet connection enabled through U.S. company laptops received on their behalf by facilitators in the United States.
- Setup of U.S.-based infrastructure, including by enabling remote desktop connections to U.S. company laptops through protocols or remote desktop connection software download and installation.
- Reshipment of U.S. company laptops to North Korean IT workers overseas.
- Setup of financial accounts for North Korean IT workers. Some U.S.-based facilitators receive shares of the proceeds earned through North Korean IT worker employment schemes.
- Creation of accounts on popular job search sites for use by North Korean IT workers.
- Assistance purchasing and funding web services, such as artificial intelligence models and background check programs for use by North Korean IT workers.
- Attendance at virtual interviews and meetings on behalf of North Korean IT workers.
- Creation of U.S.-based front businesses, including businesses purporting to offer short-term technical contract workers.
Tips to Protect Your Business
Scrutinize identity verification documents
Check for misspellings and cross-reference photographs and contact information (e.g. phone numbers, addresses, emails, etc.) with social media profiles, portfolio websites, and payment platforms.
Verify prior employment and education
Verify prior employment and higher education history directly with businesses and educational institutions.
Require in-person meetings
When possible, mandate in-person drug tests or fingerprinting to verify identity and claimed location. If needing to rely on virtual meetings:
- Mandate video and request that their backgrounds be unobscured.
- Have the individual point the camera out a window and ask questions about their claimed current location and the location listed on their identification documents.
- Ask the individual to wave their hand in front of their face as it may prompt a malfunction in AI-generated video.
Capture images of individuals
Capture images for comparison with future meetings. Sometimes an individual is employed to pass the initial interview, but the on-the-job work is completed by a different individual.
Analyze payment methods
Compare payment accounts of all employees, flagging those using similar documentation to establish accounts or with matching banking information. Monitor employees who change their bank accounts often, due to banks closing accounts of concern. Beware of agreements to pay employees using virtual currency, which enables funds to be transferred internationally without high levels of scrutiny.
Shipping work-related materials
If sending documents or work-related equipment such as a laptop, only send to the address listed in the employee's identification documents. If the employee requests delivery to a different address, require additional documentation to verify the address. Additionally, do not grant access to any systems until the background check is completed.
Contracted IT workers
If your company employs contracted IT workers that have been hired by a third-party company, seek to educate the third-party company about this guidance. Contract IT work is a common way that North Korean IT workers procure employment.
The Federal Bureau of Investigation is warning the public about a growing and evolving online threat group known as The Com, short for The Community. The Com is a primarily English-speaking, international, online ecosystem comprised of multiple interconnected networks whose members, many of whom are minors, engage in a variety of criminal violations. The FBI estimates thousands of individuals identify as current or recent members of The Com with varying levels of associated activity. Criminal activity conducted by members of The Com includes, but is not limited to, swatting/hoax threats, extortion/sextortion of minors, production and distribution of child sexual abuse material, violent crime, and various types of cyber crimes. The latter category is broad and includes distributed denial-of-service (DDoS) attacks, subscriber identity module (SIM) swapping, ransomware, intellectual property theft, extortion, cryptocurrency theft, and money laundering. The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification, and notoriety.
The sophistication of The Com criminal activity has grown over the last four years, with subjects employing increasingly complex methods to mask their identities, hide financial transactions, and launder money. An underlying theme within the entirety of The Com is its members' interest in and proficiency with cyber related tactics, techniques, and procedures. The Com members have also demonstrated knowledge of the UK and US criminal justice systems. For example, subjects involved with The Com have been known to intentionally recruit juveniles within the United States to perform criminal acts based on their misperception that juveniles cannot be pursued by the US criminal justice system.
The deployment of swatting and hoax bomb threats to facilitate other illicit criminal activity is an underlying theme across subgroups within The Com. Members of The Com will engage in swatting when conducting cryptocurrency theft to distract from the ongoing crime. Of note, swatting is the most visible violation that occurs within The Com and often acts as the entry point into the larger Com ecosystem. While subgroups of The Com have different recruitment tactics, in general they target young and impressionable individuals using minor-friendly applications such as social media platforms or gaming sites and indoctrinate them into their ideology. Members of The Com typically range between 11 and 25 years old. Young people are often recruited on gaming sites and social media platforms based on shared interests, or through other members of The Com.
Subsets of The Com
There are currently three known primary subsets within The Com: Hacker Com, In Real Life (IRL) Com, and Extortion Com. Each subset has a distinct focus; however, members of The Com often participate in criminal activity encompassed in more than one subset and maintain relationships with members in multiple subsets simultaneously, in case their skills are beneficial. The members within these subgroups typically have a shared interest, ideology, or goal and work together, adding others to the group and splintering when necessary, to achieve their mission.
Recommendations
The FBI urges the public to exercise caution when posting or messaging personal information, photos, or videos on social media, dating sites, or other online platforms. Posting seemingly innocuous information online may provide threat actors with content to exploit for malicious purposes, including targeting and extortion.
The FBI recommends the public consider the following when sharing information or engaging online:
- Monitor children's online activity and discuss risks associated with engaging with others in online platforms.
- Exercise discretion when posting personal information, videos, or photos online, especially content that includes minors.
- Once information is shared online, it can be very difficult, if not impossible to remove, particularly if it has been shared by other individuals.
- Avoid posting personal information online, such as mobile phone number, address, or other personally identifying information.
- Apply privacy settings to social media accounts to limit public view of photos, videos, and personal information.
- Exercise caution when accepting friend requests, engaging in video calls, and sending images to individuals you do not know personally.
- Run searches of your information/your child's personal information to determine the level of exposure and spread of information.
- Do not provide money or other valuable items to individuals you do not know online. Complying with extortion or threats does not guarantee sensitive content will not be shared.
- Enable multifactor authentication on financial accounts, social media sites, and other applications.
- Do not reply to emails, text messages, or calls that request personal information, such as your password, PIN, or One Time Password sent to your email or phone. If someone claiming to be a company "representative" contacts you and asks you to provide personal information or to verify your account by providing a code, initiate a new call to the company by dialing the verified customer service line.
- Do not post or advertise information about financial assets, including ownership of or investment in cryptocurrency, on social media websites or forums.
The Federal Bureau of Investigation is warning the public about In Real Life (IRL) Com, one of three subsets of the growing and evolving online threat group known as The Com, short for The Community. The Com is a primarily English-speaking, international, online ecosystem comprised of multiple interconnected networks whose members, many of whom are minors, engage in a variety of criminal violations. The members within IRL Com typically have a shared interest, ideology, or goal and work together, adding others to the group and splintering when necessary, to achieve their mission.
IRL Com, which initially stemmed from the subscriber identity module (SIM) swapping community, includes subgroups that provide violence as a service (VaaS) and encompasses a range of violent crime. IRL services include shootings, kidnappings, armed robbery, stabbings, physical assault, and bricking. Services are posted online with a price breakdown for each act of violence. Groups offering VaaS advertise contracts on social media platforms to solicit individuals willing to conduct the act of violence for monetary compensation.
Much of the IRL violence within The Com arose from online conflicts in the SIM swapping community; however, the IRL violence has not only intensified but also expanded to other layers of The Com, emerging as its own market. IRL violence, or the threat of violence, is a tool to harass and intimidate targets. The spread of the VaaS market has led other layers of The Com to adopt similar methods of retaliation.
Swatting and In Real Life Com
IRL Com subgroups offer swat-for-hire services via communication applications and social media platforms. Infighting among Com subgroups often leads to targeted swatting and doxing of members. IRL Com actors who offer these swatting services use platforms and technologies to obscure their true identities and are often paid in cryptocurrency.
The goal of swatting differs among The Com subgroups. IRL Com groups use swatting as a way to earn money. The IRL Com groups also see swatting as a way of gaining credibility among members; the more attention a swatting incident gets, the more attention the member receives from the group. Additionally, leaders from IRL Com groups may use swatting to ensure members of the group remain obedient. When members of the IRL Com group disobey orders or refuse to comply with demands, the member or the member’s family may become the target of swatting.
The FBI warns the public about criminals targeting US stock investors through social media platforms and messaging service applications (apps). The scheme, known as a "ramp-and-dump" stock manipulation, targets US investors through online engagement, often via social media advertisements or messages promoting an "investment club" of fellow investors, some of which may be bots or fake accounts. These promotions typically direct victims to secure messaging apps where the group operates. To appear credible, perpetrators may impersonate legitimate brokerage firms or well-known stock analysts. They secretly control a large volume of a low-priced stock and coordinate efforts to inflate its price ("ramp up") by encouraging investment club members to purchase shares over a period of several weeks or months. Once the price is artificially elevated, the criminals sell off ("dump") their shares at a profit, leaving unsuspecting investors with significant losses as the stock value collapses.
Recognize and Avoid "Ramp-and-dump" Stock Fraud
So far in 2025, the FBI has seen at least a 300 percent increase in victim complaints referencing ramp-and-dump stock fraud from 2024. Investors can protect themselves from potential ramp-and-dump schemes by recognizing the following indicators:
- Unsolicited investment tips received via "accidental" text messages or social media advertisements linking to online investment clubs, often hosted on secure messaging apps;
- Claims from well-known financial advisors or wealth managers offering exclusive stock recommendations through these online clubs;
- Pressure to act quickly based on a supposed market-moving event — such as a company breakthrough, new technology, or government approval; and,
- Urgent pitches to purchase low-priced stocks in new or emerging companies, often paired with promises of dramatic price increases or guarantees to cover any investor losses.
If anyone requests your personal information, access to your financial account(s), or offers a financial benefit in exchange for sharing your information or opening an account, consider this a red flag; your information could be used to open an account through which another party can engage in manipulative activity.
Report Incidents of Investment Fraud
The FBI Internet Crime Complaint Center (IC3) confirms a sharp increase in complaints this past year referencing investment club fraud schemes or ramp-and-dump stock manipulation schemes. The FBI requests investors who suspect they have been victimized by investment fraud to report the incident to the FBI IC3 at www.ic3.gov as soon as possible.
The Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) are issuing this Public Service Announcement to highlight potential public safety concerns related to ongoing threats to Jewish and Israeli communities.
Threat
On 1 June 2025, an individual approached several people at a pro-Israel gathering in Boulder, Colorado, and threw two Molotov cocktails at the group, injuring at least nine people. This attack followed a separate attack in late May 2025, in which an individual shot and killed two Israeli Embassy staffers after they attended an event at the Capital Jewish Museum in Washington, DC. The Capital Jewish Museum attacker allegedly cited Israel's treatment of the Palestinian people when taken into custody.
The ongoing Israel-HAMAS conflict may motivate other violent extremists and hate crime perpetrators with similar grievances to conduct violence against Jewish and Israeli communities and their supporters. Foreign terrorist organizations also may try to exploit narratives related to the conflict to inspire attacks in the United States. The FBI and DHS therefore urge the public to remain vigilant and to report any threats of violence or suspicious activity to law enforcement.
The Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement to warn the public about cyber criminals exploiting Internet of Things (IoT) devices connected to home networks to conduct criminal activity using the BADBOX 2.0 botnet. Cyber criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products. Most of the infected devices were manufactured in China. Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user's purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process. Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity.
What is BADBOX 2.0 Botnet
BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase. BADBOX 2.0, in addition to compromising devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces. The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity.
Indicators
The public is urged to evaluate IoT devices in their home for any indications of compromise and consider disconnecting suspicious devices from their networks. The FBI has identified potential indicators that may assist in detecting malicious devices. An indicator alone does not accurately determine malicious cyber activity or a crime. The following suspicious activities/indicators do not relate to any individual, group, or business and should be observed in context.
Possible indicators of BADBOX 2.0 botnet activity include:
- The presence of suspicious marketplaces where apps are downloaded.
- Requiring Google Play Protect settings to be disabled.
- Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- IoT devices advertised from unrecognizable brands.
- Android devices that are not Play Protect certified.
- Unexplained or suspicious Internet traffic.
Mitigations
The following mitigation strategies can be effective steps to minimize exposure to unauthorized residential proxy networks.
- Maintain awareness of and monitor Internet traffic on home networks.
- Assess all IoT devices connected to home networks for suspicious activity.
- Avoid downloading apps from unofficial marketplaces advertising free streaming content.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps to minimize exposure to cybersecurity threats. Prioritize patching firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems.
Acknowledgements
Google, Human Security, Trend Micro, and the Shadowserver Foundation contributed to this product.
Victim Reporting
If you believe you have been a victim of an intrusion, please file a report with the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.
FBI is issuing this announcement to warn and provide mitigation tips to the public about an ongoing malicious text and voice messaging campaign. Since April 2025, malicious actors have impersonated senior US officials to target individuals, many of whom are current or former senior US federal or state government officials and their contacts. If you receive a message claiming to be from a senior US official, do not assume it is authentic.
Specific Campaign Details
The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts. One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform. Access to personal or official accounts operated by US officials could be used to target other government officials, or their associates and contacts, by using trusted contact information they obtain. Contact information acquired through social engineering schemes could also be used to impersonate contacts to elicit information or funds.
"Smishing" is the malicious targeting of individuals using Short Message Service (SMS) or Multimedia Message Service (MMS) text messaging. "Vishing", which may incorporate AI-generated voices, is the malicious targeting of individuals using voice memos. Both smishing and vishing use tactics similar to spear phishing, which uses email to target specific individuals or groups.
Smishing, Vishing, and Spear Phishing Are Common Criminal Tactics
Traditionally, malicious actors have leveraged smishing, vishing, and spear phishing to transition to a secondary messaging platform where the actor may present malware or introduce hyperlinks that direct intended targets to an actor-controlled site that steals log-in information, like user names and passwords. For smishing, malicious actors typically use software to generate phone numbers that are not attributed to a specific mobile phone or subscriber to engage with a target by masquerading as an associate or family member. For vishing, malicious actors are more frequently exploiting AI-generated audio to impersonate well-known, public figures or personal relations to increase the believability of their schemes.
Recommendations
The following guidance can be used to identify a suspicious message and help protect yourself from this campaign.
Spotting a Fake Message
- Verify the identity of the person calling you or sending text or voice messages. Before responding, research the originating number, organization, and/or person purporting to contact you. Then independently identify a phone number for the person and call to verify their authenticity.
- Carefully examine the email address; messaging contact information, including phone numbers; URLs; and spelling used in any correspondence or communications. Scammers often use slight differences to deceive you and gain your trust. For instance, actors can incorporate publicly available photographs in text messages, use minor alterations in names and contact information, or use AI-generated voices to masquerade as a known contact.
- Look for subtle imperfections in images and videos, such as distorted hands or feet, unrealistic facial features, indistinct or irregular faces, unrealistic accessories such as glasses or jewelry, inaccurate shadows, watermarks, voice call lag time, voice matching, and unnatural movements.
- Listen closely to the tone and word choice to distinguish between a legitimate phone call or voice message from a known contact and AI-generated voice cloning, as they can sound nearly identical.
- AI-generated content has advanced to the point that it is often difficult to identify. When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.
How to Protect Yourself from Potential Fraud or Loss of Sensitive Information
- Never share sensitive information or an associate’s contact information with people you have met only online or over the phone. If contacted by someone you know well via a new platform or phone number, verify the new contact information through a previously confirmed platform or trusted source.
- Do not send money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone. If someone you know (or an associate of someone you know) requests that you send money or cryptocurrency, independently confirm contact information prior to taking action. Also, critically evaluate the context and plausibility of the request.
- Do not click on any links in an email or text message until you independently confirm the sender's identity.
- Be careful what you download. Never open an email attachment, click on links in messages, or download applications at the request of or from someone you have not verified.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it. Actors may use social engineering techniques to convince you to disclose a two-factor authentication code, which allows the actor to compromise and take over accounts. Never provide a two-factor code to anyone over email, SMS/MMS text message or encrypted messaging application.
- Create a secret word or phrase with your family members to verify their identities.
The Federal Bureau of Investigation (FBI) warns the public of discount medical insurance scams. Discount medical insurance scams involve misleading or fraudulent offers for medical insurance plans that promise reduced rates on legitimate medical insurance but do not provide any actual medical insurance coverage, resulting in millions of dollars in losses annually. These scams often target people who are looking for more affordable healthcare options and use misleading tactics such as stating to be a legitimate medical insurance provider, pressuring people to sign up quickly due to time limited special rates, or promising free services with hidden fees to lure people to sign up. A typical discount medical insurance scam begins with unsolicited contact via calls, texts, or emails from unknown businesses offering special deals or discounted medical insurance.
- Washington state issued a cease-and-desist order against a discount medical insurance company after receiving over 100 complaints of fraudulent practices. The company misrepresented their plan coverage options and did not cover medical costs, which left beneficiaries paying out of pocket in full for medical costs they had been led to believe would be at least partially covered. Victims also did not receive refunds after cancelling their insurance plans as the discount medical insurance company had promised, and the company made unauthorized charges to victims' bank accounts. The company was conducting business under multiple names and was responsible for the following examples.
- A couple from Pennsylvania was pressured to sign up for a discount medical insurance plan through what they believed was a national provider. The couple was told to act quickly, or they would lose the temporarily discounted price for the plan. Following an emergency room visit and an appointment with their primary care physician, the couple received an explanation of benefits stating they were responsible for all medical bills as the medical services received by the couple were not covered by their policy.
- Another individual from Pennsylvania was contacted by a healthcare representative claiming that their company could offer a much cheaper plan than the one the individual had. The individual was told he would receive a refund for his current plan once he signed up for the new plan but did not receive any information regarding the refund. The representative indicated the individual had to act quickly or lose the deep discount. After purchasing the new healthcare plan, the individual never received the promised refund and was unable to get any information from the new insurance company.
- An individual in Texas responded to an advertisement offering aid for gasoline and groceries to senior citizens. He was told he had to sign up for a dental policy with a specific insurance company to obtain the aid. After he signed up, he tried to cancel the dental insurance policy but was told by customer service to request the cancellation via email. The insurance company did not respond to his emails requesting to cancel his dental insurance policy, and he had to cancel his credit card to stop the charges.
- An individual in Maryland was told he would save thousands of dollars by purchasing a health insurance policy and paying for the entire year up front. He was told the new policy would cover his current medical providers and hospitals, and he would only be responsible for a $20 co-pay per doctor's office visit and $50 per urgent care visit. After needing emergency surgery, the hospital informed him that they did not accept his new health insurance, and he was responsible for the $7000 cost of the surgery.
Tips to Protect Yourself
- Always make sure the medical plan offered is from a reputable source, and that the company is licensed to operate in your state. The state insurance commissioner or the Better Business Bureau are good sources to verify the veracity of a plan.
- Verify with current providers that they accept the insurance plan you are considering.
- If no policy documents are sent, this could be a sign of a fraudulent plan. If policy documents are sent, review them and read the fine print. Understand exactly what is being offered before committing to anything.
- Don't pay anything upfront. Be cautious if a company asks for large upfront payments or seems to be pressuring you into making quick decisions.
- Do your own research. If the plan seems too good to be true, it probably is.
FBI is issuing this announcement to ask the public to report information about PRC-affiliated activity publicly tracked as "Salt Typhoon" and the compromise of multiple US telecommunications companies, especially information about specific individuals behind the campaign. Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale. This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.
FBI and US Government partners have previously released public statements on Salt Typhoon activity on 25 October 2024 and 13 November 2024, and published the guide, "Enhanced Visibility and Hardening Guidance for Communications Infrastructure," on 3 December 2024.
FBI maintains its commitment to protecting the US telecommunications sector and the individuals and organizations targeted by Salt Typhoon by identifying, mitigating, and disrupting Salt Typhoon's malicious cyber activity. If you have any information about the individuals who comprise Salt Typhoon or other Salt Typhoon activity, we would particularly like to hear from you.
In addition, the U.S. Department of State's Rewards for Justice (RFJ) program is offering a reward of up to $10 million (USD) for information about foreign government-linked individuals participating in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
If you have any information on Salt Typhoon, contact your local FBI field office, file a report on the FBI's Internet Crime Complaint Center at www.ic3.gov, or submit your tip to RFJ on Signal at +1-202-702-7843 or via the RFJ Tor-based tip line: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).
The Federal Bureau of Investigation (FBI) warns the public about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees to deceive and defraud individuals. Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams.
How It Works
Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums. Almost all complainants indicated the scammers claimed to have recovered the victim's lost funds or offered to assist in recovering funds. However, the claim is a ruse to revictimize those who have already lost money to scams.
In a recent variant of the impersonation scheme, scammers create female persona profiles on social media networking sites and join groups for financial fraud victims, representing themselves as fellow financial fraud victims. Scammers then recommend actual victims reach out to a male persona, "Jaime Quin" (Quin), the alleged "Chief Director" of IC3, via Telegram. Once contacted, "Quin" claims to have recovered the lost funds, but uses this as a ruse to gain access to their financial information and revictimize them.
Tips to Protect Yourself
- The IC3 will never directly communicate with individuals via phone, email, social media, phone apps, or public forums. If further information is needed, individuals will be contacted by FBI employees from local field offices or other law enforcement officers.
- Scammers will change aliases and tactics; however, the scheme generally remains the same.
- Never share sensitive information with people you have met only online or over the phone.
- The IC3 will not ask for payment to recover lost funds, nor will they refer a victim to a company requesting payment for recovering funds.
- Do not send money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone.
Report It
The FBI requests victims immediately report fraudulent or suspicious activity to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible:
- Identifying information about the person or company that contacted you.
- Methods of communication used, including websites, emails, and telephone numbers.
- Financial transaction information, such as the date, type of payment, amount, account numbers involved, the name and address of the receiving financial institution, and receiving cryptocurrency addresses.
- Description of your interaction with the individual, including how contact was initiated, such as the type of communication, purpose of the request for money, how you were told or instructed to make payment, what information you provided to the scammer, and any other details pertinent to your complaint.
The Federal Bureau of Investigation (FBI) is issuing this announcement to inform businesses of a scam involving letters delivered in the mail from unidentified criminal actors to corporate executives, claiming to have come from a ransomware group.
Stamped “Time Sensitive Read Immediately”, the letter claims the “BianLian Group” gained access into the organization’s network and stole thousands of sensitive data files. The letter then goes on to threaten that the victim’s data will be published to BianLian’s data leak sites if recipients do not use an included QR code linked to a Bitcoin wallet to pay between $250,000 and $500,000 within ten days from receipt of the letter, claiming the group will not negotiate further with victims.
FBI assesses the letters are an attempt to scam organizations into paying a ransom. The letter contains a US-based return address of “BianLian Group” originating from Boston, Massachusetts. We have not yet identified any connections between the senders and the widely-publicized BianLian ransomware and data extortion group.
Tips to Protect Yourself:
FBI recommends individuals take the following precautions:
- Notify corporate executives and the organization of the scam for awareness.
- Ensure employees are educated on what to do if they receive a ransom threat.
- If you or your organization receive one of these letters, ensure your network defenses are up to date and that there are no active alerts regarding malicious activity.
- If you discover you are a victim of BianLian ransomware, please visit our Joint Cybersecurity Awareness Bulletin for recent tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware.
FBI requests victims report any incident to your local FBI Field Office or the Internet Crime Complaint Center (IC3).
The Federal Bureau of Investigation (FBI) is releasing this PSA to advise that the Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from the cryptocurrency exchange Bybit on or about February 21, 2025. FBI refers to this specific North Korean malicious cyber activity as "TraderTraitor."
TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.
How You Can Help:
FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets.
The following Ethereum addresses are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors:
Reporting
FBI maintains its commitment to protecting the virtual asset community by identifying, mitigating, and disrupting North Korea's illicit cybercrime and virtual asset theft activities. If you have any information to provide, please contact your local FBI field office or FBI's Internet Crime Complaint Center at ic3.gov.
The FBI and USPIS are warning that check fraud is on the rise, with a significant volume enabled through mail theft. Suspicious Activity Reports related to check fraud have nearly doubled from 2021 to 2023.[1] Fraudsters take advantage of regulations requiring financial institutions to make check funds available within specified timeframes, which is often too short a window for the consumer or financial institutions to identify and stop the fraud. As a result, the compromised checks clear, and the funds are withdrawn by the criminal participants before the fraud is detected.
Obtaining the Checks
Fraudsters gain access to legitimate checks and sensitive financial data by stealing mailed checks from USPS facilities or during delivery to the intended recipient. Check theft occurs in several ways.

Preparing/Altering the Checks for Deposit
To make the checks appear legitimate, fraudsters use check washing or other check "cooking" techniques to alter checks or create counterfeits. In other instances, checks are unaltered and deposited with forged endorsements.

Check washing involves the use of chemicals to physically alter the check, typically altering the original payee and financial amount.

Check cooking involves the digital manipulation of an image of a stolen check. Using readily available photo editing software and high-tech printers, fraudsters can manufacture checks. Check cooking allows fraudsters to manufacture multiple checks from a single check image. Often these checks are written for smaller amounts which can go undetected for longer periods of time by escaping the scrutiny or visibility of a larger check amount.
Depositing the Checks
Stolen checks are deposited, often by a collusive account holder recruited by the fraudster, or are sold online for a fraction of the face value to other criminal actors who deposit the checks. In many cases, financial institutions, consumers, and law enforcement agencies are not aware of the fraudulent activity until after funds have been illicitly withdrawn.
Who is Harmed by Check Fraud?
- Businesses: Businesses could experience disruption to business activities and reputational harm due to overdue or missed payments or delays or disruption in finalizing payments when account details are compromised.
- Consumers: Consumers can experience impacted credit scores for late payments for bills, account closures, stop payment fees for other outstanding checks, missed interest from refund checks, compromised personally identifiable information (PII) which may also be sold in subsequent fraud schemes, and loss of assets or investment money. Victims of fraud are often refunded some of the charges, but refunds are often delayed until investigations are complete.
- Government Entities: Funds intended for citizens are intercepted and altered or forged, resulting in government funds being dispersed incorrectly. It can be a time intensive process to investigate and reissue payments to the rightful recipients of intercepted checks.
How to Protect Your Mail
- Pick up your mail promptly after delivery. Do not leave mail in your mailbox overnight or for long periods of time.
- If you are heading out of town, submit a USPS Hold Mail™ request asking your local Post Office to hold your mail until you return.
- Sign up for Informed Delivery® at USPS.com to receive daily email notifications of incoming mail and packages.
- Contact the sender if you do not receive a check, credit card or other valuable mail you are expecting.
- Consider buying and using security envelopes to conceal the contents of your mail.
- Use the letter slots inside your local Post Office to send mail. If using a blue USPS collection box, be sure to drop your mail as close to the posted pickup time as possible and before the last collection of the day.
How to Protect Your Checks
- Use pens with indelible black ink so it is more difficult for a criminal to wash your checks.
- Don't leave blank spaces in the payee or amount lines.
- Don't write personal details, such as your Social Security number, credit card information, driver's license number, or phone number on checks.
- Use mobile or online banking to access copies of your checks and ensure they are not altered. While logged in, review your bank activity and statements for errors.
- Consider using e-check, ACH automatic payments, and other electronic and/or mobile payments.
- Follow up with payees to make sure they received your check.
- Use check positive pay if available at financial institutions to help detect and stop fraudulent checks.
- Use checks with security features to limit the effectiveness of check washing. Security features can include microprinting, holograms, heat-sensitive ink, watermarks, toner adhesion, chemically reactive paper, security screens, thermal thumbprints, void pantographs, ultraviolet overprinting, security padlock icon, and fraud warnings.
- If you believe you have been defrauded, contact your bank immediately. Consider opening a new account and closing out the compromised account to prevent future counterfeit checks being drawn off the account.
- Protect vulnerable members of your family and community. Fraudsters use high-tech, low-cost technology including printers, call spoofing technology, and AI-assisted voice recreation to fool vulnerable people into acting as unwitting accomplices.