The Good | Teens Arrested in Nursery Doxing Case as OpenAI Disrupts Cybercrime Clusters
U.K. police have arrested two 17-year-olds in Hertfordshire for allegedly doxing children following a ransomware attack on London-based Kido nurseries. The Radiant Group claimed responsibility, saying they stole sensitive data and photos of over 8000 children and leaked some online to extort Kido. Later, the files were removed after the groups’ threats to both Kido and parents of the affected children failed to make headway. Kido, supporting over 15,000 families in the U.K, U.S, China, and India, confirmed the breached data was hosted by Famly, a nursery software platform, which said its systems were not compromised.
The UK’s NCSC called the attack on children “particularly egregious” and the Met Police emphasized their commitment to bringing the perpetrators to justice. The arrests reflect a wider trend of teenagers involved in major U.K. cyberattacks, with recent cases linked to Marks & Spencer, Co-op, Harrods, and Transport for London.
Also this week, OpenAI said it disrupted three malicious activity clusters abusing ChatGPT for cybercrime and influence operations. The first involved Russian-speaking actors using multiple accounts to develop components of remote access trojans (RATs), credential stealers, and data exfiltration tools. The second, tied to North Korean actors, used ChatGPT to assist in malware, phishing, and C2 development – using the chatbot to draft copy, perform experiments, and explore new techniques. The third was linked to Chinese threat group ‘UNK_DropPitch’, which leveraged the tool to create multilingual phishing content and automate hacking tasks.
Beyond these, OpenAI also blocked networks from Cambodia, Myanmar, Nigeria, Russia, and China for using AI in scams, propaganda, and surveillance, though all mentioned actors tried to mask signs of their abuse of the tool to further their operations.
The Bad | Crimson Collective Group Breach Cloud Systems to Steal Data & Extort Victims
A threat group called ‘Crimson Collective’ has launched a series of targeted attacks on AWS cloud environments, stealing sensitive data and extorting victims through multi-stage intrusions. The group just recently exfiltrated 570 GB of data from thousands of private GitLab repositories before joining forces with Scattered Lapsus$ Hunters to intensify its extortion efforts.
Researchers explain how Crimson Collective’s operations begin with harvesting exposed long-term access credentials using open-source tools like TruffleHog. Once inside, they create new privileged accounts and escalate privileges by assigning administrative policies, effectively gaining complete control over the compromised environment. Here, the attackers enumerate users, databases, and storage systems in preparation of large-scale data theft.
The group’s exfiltration process involves modifying database master passwords, creating snapshots of databases before exporting them to S3 for transfer through API calls. EBS (Elastic Block Store) volumes are then launched and attached under permissive security groups to move data more freely. Victims typically receive ransom demands via in-platform email systems and external addresses once exfiltration is complete.
Investigations found that the group employs many IP addresses, some reused across different incidents, which allowed partial tracking of its operations. While Crimson Collective’s size and infrastructure remain unclear, its extortion tactics indicate an expanding threat to organizations relying on cloud-based infrastructure. Using short-term, least-privileged credentials and enforcing IAM policies can help mitigate the chance of breaches.
Researchers warn that leaked credentials and lax privilege management continue to be major enablers for these attacks, and urge companies to tighten access controls, limit credential lifespan, and regularly audit for exposed secrets using open-source scanning tools.
The Ugly | Attackers Breach Discord Ticketing Support, Exposing Data of 5.5M Users
Threat actors claiming to have breached Discord’s customer support systems are now threatening to leak data allegedly stolen from millions of users after the company refused to pay ransom demands. This latest threat follows reports that the attackers first gained access to a third-party support provider in late September, exfiltrating sensitive user information such as names, emails, government IDs, and partial payment details.
Discord confirmed that the compromise affected a vendor system used for customer service, not its internal infrastructure, and said around 70,000 users had their government ID photos exposed – far fewer than the 2.1 million claimed by the attackers. The company stressed that inflated figures and ransom demands were part of an extortion campaign and that it will not reward illegal actions.
According to the threat actors, they accessed Discord’s support platform for 58 hours through a compromised account belonging to an outsourced support agent. During this window, the scope of their claim includes 1.6 terabytes of data, including 8.4 million support tickets affecting 5.5 million users, with roughly 580,000 containing partial payment information. The attackers also said integrations between the support system and Discord’s internal database allowed them to run millions of API queries for additional user data.
The actors initially demanded $5 million, later reducing it to $3.5 million before Discord ended negotiations and went public with the breach. The group has since threatened to release the stolen data, marking one of the largest extortion-driven data thefts to hit a major communication platform in 2025.
