This study empirically analyzes the transaction activity of Bitcoin addresses linked to Russian intelligence services, which have liquidated over 7 Bitcoin (BTC), i.e., equivalent to approximately US$300,000 based on the exchange rate at the time. Our investigation begins with an observed anomaly in transaction outputs featuring the Bitcoin Script OP_RETURN operation code, tied to input addresses identified by cyber threat intelligence sources and court documents as belonging to Russian intelligence agencies. We explore how an unauthorized entity appears to have gained control of the associated private keys, with messages embedded in the OP_RETURN outputs confirming the seizure. Tracing the funds' origins, we connect them to cryptocurrency mixers and establish a link to the Russian ransomware group Conti, implicating intelligence service involvement. This analysis represents one of the first empirical studies of large-scale Bitcoin misuse by nation-state cyber actors.

Current black-box backdoor attacks in convolutional neural networks formulate attack objective(s) as singleobjective optimization problems in single domain. Designing triggers in single domain harms semantics and trigger robustness as well as introduces visual and spectral anomaly. This work proposes a multi-objective black-box backdoor attack in dual domains via evolutionary algorithm (LADDER), the first instance of achieving multiple attack objectives simultaneously by optimizing triggers without requiring prior knowledge about victim model. In particular, we formulate LADDER as a multiobjective optimization problem (MOP) and solve it via multiobjective evolutionary algorithm (MOEA). MOEA maintains a population of triggers with trade-offs among attack objectives and uses non-dominated sort to drive triggers toward optimal solutions. We further apply preference-based selection to MOEA to exclude impractical triggers. LADDER investigates a new dualdomain perspective for trigger stealthiness by minimizing the anomaly between clean and poisoned samples in the spectral domain. Lastly, the robustness against preprocessing operations is achieved by pushing triggers to low-frequency regions. Extensive experiments comprehensively showcase that LADDER achieves attack effectiveness of at least 99%, attack robustness with 90.23% (50.09% higher than state-of-the-art attacks on average), superior natural stealthiness (1.12× to 196.74× improvement) and excellent spectral stealthiness (8.45× enhancement) as compared to current stealthy attacks by the average l2-norm across 5 public datasets.

Internet-wide scanning services are widely used for attack surface discovery across organizations and the Internet. Enterprises, government agencies, and researchers rely on these tools to assess risks to Internet-facing infrastructure. However, their reliability and trustworthiness remain largely unexamined. This paper addresses this gap by comparing results from three commercial scanners – Shodan, ONYPHE, and LeakIX – with findings from our independent experiments using verified Nuclei templates, designed to identify specific vulnerabilities through crafted benign requests. We found that the payload based detections of Shodan are mostly confirmed. Yet, Nuclei finds many more vulnerable endpoints, so defenders might face massive underreporting. For Shodan’s banner-based detections, the opposite issue arises: a significant overreporting of false positives. This indicates that banner-based detections are unreliable. Moreover, three commercial services and Nuclei scans exhibit significant discrepancies. Our work has implications for industry users, policymakers, and the many academic researchers who rely on the results provided by these attack surface management services. By highlighting their shortcomings in vulnerability monitoring, this work serves as a call for action to advance and standardize such services to enhance their trustworthiness.

The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.
In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.

This paper investigates the feasibility and potential role of using Large Language Models (LLMs) to support systemic risk audits under the European Union’s Digital Services Act (DSA). It examines how automated tools can enhance the work of DSA auditors and other ecosystem actors by enabling scalable, explainable, and legally grounded content analysis. An interdisciplinary expert workshop with twelve participants from legal, technical, and social science backgrounds explored prompting strategies for LLM-assisted auditing. Thematic analysis of the sessions identified key challenges and design considerations, including prompt engineering, model interpretability, legal alignment, and user empowerment. Findings highlight the potential of LLMs to improve annotation workflows and expand audit scale, while underscoring the continued importance of human oversight, iterative testing, and cross-disciplinary collaboration. This study offers practical insights for integrating AI tools into auditing processes and contributes to emerging methodologies for operationalizing systemic risk evaluations under the DSA.

Attackers regularly use SSH (Secure SHell) to compromise systems, e.g., via brute-force attacks, establishing persistence by deploying SSH public keys. This ranges from IoT botnets like Mirai, over loader and dropper systems, to the back-ends of malicious operations. Identifying compromised systems at the Internet scale would be a major break-through for combatting malicious activity by enabling targeted clean-up efforts.

In this paper, we present a method to identify compromised SSH servers at scale. For this, we use SSH's behavior to only send a challenge during public key authentication, to check if the key is present on the system. Our technique neither allows us to access compromised systems (unlike, e.g., testing known attacker passwords), nor does it require access for auditing.

With our methodology used at an Internet-wide scan, we identify more than 21,700 unique systems (1,649 ASes, 144 countries) where attackers installed at least one of 52 verified malicious keys provided by a threat intelligence company, including critical Internet infrastructure. Furthermore, we find new context on the activities of malicious campaigns like, e.g., the 'fritzfrog' IoT botnet, malicious actors like 'teamtnt', and even the presence of state-actor associated keys within sensitive ASes. Comparing to honeypot data, we find these to under-/over-represent attackers' activity, even underestimating some APTs' activities. Finally, we collaborate with a national CSIRT and the Shadowserver Foundation to notify and remediate compromised systems. We run our measurements continuously and automatically share notifications.

Telecommunication services are essential in ensuring the operation of numerous critical infrastructures. While mobile network security increased with the advancement of generations, emerging concepts such as the Open Radio Access Network (O-RAN) are transforming the traditional operation of Radio Access Networks (RANs). Novel concepts and technologies are finding their way into RANs with a focus on softwareization and virtualization. This increases the overall attack surface and introduces new attack vectors not necessarily found in traditional RANs. This paper shows that Denial of Service (DoS) attacks leveraging subscription mechanisms can compromise O-RAN implementations. We present a novel DoS attack targeting the Near Real-Time (Near-RT) RAN Intelligent Controller (RIC). By deploying a malicious xApp, we demonstrate how an adversary can flood the Near-RT RIC with excessive subscription requests, leading to service disruption. This attack exploits the lack of rate-limiting mechanisms within the Service Model (SM), a critical component of the Near-RT RIC responsible for handling E2 subscription requests. We systematically evaluate various attack scenarios and investigate the underlying vulnerabilities exposed. Furthermore, we propose and assess countermeasures to safeguard publicly accessible O-RAN systems from such threats.

Point of Sale (PoS) machines have become extremely popular recently. In many economies, most transactions occur using them. Although PoS technology is evolving, PINs are still heavily used. In this paper, we perform a large-scale study to understand how difficult it is to uncover user PINs at PoS, even when the users cover the pad with their hands. Our study involves 142 participants, two types of PoS, and around 13,800 PINs. We develop machine learning techniques to infer PoS PINs by using hidden cameras. Our results show that uncovering PINs in PoS is more complex than in other cases where a user PIN is used, e.g., ATMs, because of the small pad area of PoS. Nevertheless, we could achieve more than 50% Top-3 accuracy for 4-digit PINs and 45% Top-3 accuracy for 5-digit PINs, even when the PIN is covered by the user's hand. We comment on the impact of the camera's position and PoS on the successful inference of the user's PINs. We also comment on the hardness of inferring PINs depending on the physical distance of digits and recommend what are good practices to generate PINs and cover PoS to make PIN inference difficult.

Industrial control systems have enabled the digitalization and automation of industrial production and services, such as electric powerhouses, the electric grid, and water supply networks. Due to their critical role, any exposure to the public Internet makes them vulnerable to attacks that may have catastrophic implications.In this paper, we report that the readily available application-layer scanning on all ports opens new avenues to assess the exposure of devices that run industrial control protocols that were not possible with previously proposed active port scanning. We consider 17 widely used industrial control system protocols and develop a methodology that unveils around 150 thousand industrial control systems exposed around the globe. Our study shows that many allegedly exposed industrial control systems are honeypots that emulate industrial protocols. Our methodology infers the presence of honeypots and classifies them into three tiers based on the confidence that these act as honeypots: low-, medium-, and high-confidence. We classify them thanks to large-scale application-layer scanning on all ports and multiple independent attributes, including network information, number of open ports, and known honeypot signatures. Our results show that 15% to 25% of the exposed industrial control systems are honeypots (with two-thirds of them belonging to the medium- or high-confidence categories). Our results challenge previous reports on the prevalence and distribution of exposed industrial control systems. The developed methodology enables industry operators to assess exposed assets and aid protection teams in creating stealthier honeypots.

The rapid expansion of multi-cloud environments and the growing prevalence of collaborative data ownership present significant challenges in ensuring the verifiable deletion of co-owned data. Current approaches predominantly address individual ownership and often rely on simplistic one-bit result protocols where a deletion command merely outputs success or failure, turning the deletion into a black box without proper verification. This paper tackles the problem of secure processing and verifiable deletion of shared outsourced data in multi-cloud environments. We design a framework that enables a data owner to outsource encrypted data to multiple co-owners, who perform computations directly within their respective cloud providers---ensuring that sensitive data never leaves the cloud. Our system leverages readily available cloud Hardware Security Modules (HSMs) to manage cryptographic keys from generation to controlled destruction---ensuring data remains inaccessible beyond its intended use. Secure Enclaves enforce on-cloud data computation, eliminating local copies and preventing unauthorized exposure. Encrypted data is structured within a fixed storage model, ensuring controlled allocation and strict storage constraints. When data expires or must be deleted to meet regulatory requirements, our framework triggers zero-residual permuted overwriting to remove the data traces irreversibly. Verifiability is achieved at two levels: Bounded Merkle Hash Tree (BMHT) ensures bounded storage and verifiable deletion within each cloud provider. In contrast, Global Merkle Forest (GMF) aggregates BMHT roots across providers, enabling consistent global verification. The data owner maintains a log of these BMHT roots, allowing independent verification of secure deletion across the multi-cloud environment.

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

To avoid exploitation of known vulnerabilities, it is standard security practice to not disclose any model information regarding the antennas used in cellular infrastructure. However, in this work, we show that end-user devices receive enough information to infer, with high accuracy, the model-family of antennas. We demonstrate how low-cost hardware and software setups can fingerprint the cellular infrastructure of whole regions within a few minutes by only listening to cellular broadcast messages. To show the effectiveness and hence risk of such fingerprinting, we collected an extensive dataset of broadcast messages from three different countries. We then trained a machine-learning model to classify broadcast messages based on the model-family they belong to. Our results reveal a worryingly high average accuracy of 97% for model-family classification. We further discuss how inferring the model-family with such high accuracy can lead to a class of identification attacks on cellular infrastructure and we subsequently suggest countermeasures to mitigate the fingerprint effectiveness.

Satellites have become part of critical infrastructure utilized for diverse applications, from Earth observation to communication and military missions. Several trends have reshaped satellite deployment and utilization in recent years, making satellite systems more accessible and vulnerable to cybersecurity threats. A notable trend is adopting Commercially Off-the-Shelf (COTS) hardware and software for satellite systems. However, this approach renders satellites susceptible to well-known cyberattacks. This paper presents a comprehensive exploration of attacks on satellite systems, with a specific emphasis on the security aspects of the satellite platform, encompassing both the bus and payload subsystems. The discussion includes existing security defenses that can enhance the security of the satellite platform. Ultimately, we present a real-world security framework designed to improve the overall security of the satellite platform.

On February 24, 2022, Russia invaded Ukraine after months of military preparations. Although secondary to the human tragedy resulting from the war, the Internet connectivity in the region was disrupted due to the military conflicts and economic sanctions. We study the Internet peering connectivity of the conflicted countries before, during, and after the Russian invasion of Ukraine. Our analysis shows that de-peering activity by Ukrainian, Russian, and international networks started months before the invasion at peering facilities in Ukraine and Russia, respectively. De-peering continued after the Russian invasion of Ukraine, with only minor changes in peering taking place until end of 2023. Our study shows that several Internet exchange points have stopped operating in Ukraine. We also report that the invasion has impacted the registry country code of operational networks in Ukraine and Russia, creating a new status quo in Internet peering in the region.

List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.

Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.

Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identify and mitigate phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains -- namely the Netherlands' .nl, Ireland's .ie, and Belgium's .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country's own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using any domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. Although most research works focus on detecting new domain names, we show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLDs' registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures.