This week’s top cybersecurity and dark web news stories cover the hacking of the Congressional Budget Office, the novel backdoor identified by Microsoft, and the German-led law enforcement operation targeting three major fraud and money laundering networks.
Congressional Budget Office Hacked
The Congressional Budget Office (CBO) was hacked, potentially exposing its communications with lawmakers’ offices, according to an email sent to congressional staff.
The email from the Senate sergeant at arms did not name a culprit, but a US official briefed on the hack told CNN on Thursday that Chinese state-backed hackers are suspected of being behind the breach. The email warned the incident was “ongoing” and advised staffers to avoid clicking links from CBO accounts, which may still be compromised.
CBO economists and analysts provide lawmakers with cost estimates and analysis of legislation. The office also does long-term US budget projections and analyzes the president’s budget—information of interest to foreign intelligence services closely monitoring US economic policy.
This is one of multiple recent China-linked hacks targeting non-public US policy information amid fierce US-China trade tensions. In July, it was reported that suspected Chinese hackers had also breached Wiley Rein, a law firm involved in helping US companies and the government navigate the trade war with China.
CBO spokesperson Caitlin Emma said in a statement on Thursday evening that the agency identified the security incident, took immediate action to contain it, implemented new security controls, and continues its work for Congress. She added that the incident is under investigation and that the CBO continually monitors and addresses network threats.
Liu Pengyu, spokesperson for the Chinese Embassy in Washington, D.C., responded in an email that China “consistently opposes and strictly combats all forms of cyberattacks in accordance with the law.”
The hack occurs while the federal government faces a record 37-day shutdown, which has stretched cyber defense resources thin. The Cybersecurity and Infrastructure Security Agency (CISA) had planned to furlough two-thirds of its workforce. Even as the shutdown continues, the threat from state-backed and criminal hackers persists; CISA issued an “emergency order” in September requiring federal agencies to defend against a prior hacking campaign.
Microsoft Detects “SesameOp” Backdoor
Microsoft has discovered a novel backdoor, SesameOp, which abuses the OpenAI Assistants API for command-and-control (C2) communication. This approach allows threat actors to stealthily fetch and orchestrate malicious commands by using the API as a covert storage or relay mechanism.
The implant was found in July 2025 during an investigation into a sophisticated security incident where threat actors had maintained long-term persistence, suggesting the overarching goal was espionage. The infection chain involves a heavily obfuscated .NET-based backdoor (“OpenAIAgent.Netapi64”) and a loader (“Netapi64.dll”) that uses .NET AppDomainManager injection to execute. The malware fetches encrypted commands, executes them locally, and sends the results back via the OpenAI API.
Microsoft shared its findings with OpenAI, which promptly disabled the API key and associated account used by the adversary.
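For defenders, the AppDomainManager injection mentioned above can be hunted for in .NET Framework application config files. The following is an added example, not code from Microsoft or from the original article: it flags any *.config file that sets appDomainManagerAssembly or appDomainManagerType under <runtime>. The article does not say how the loader was registered, so the config-file route is an assumption, and the sample configs and function names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# <runtime> settings that make the .NET Framework CLR load a custom AppDomainManager
KEYS = {"appdomainmanagerassembly": "appDomainManagerAssembly",
        "appdomainmanagertype": "appDomainManagerType"}

# Constructed sample configs (not taken from the SesameOp incident)
SAMPLE_FLAGGED = """<configuration><runtime>
  <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleManager.Loader" />
</runtime></configuration>"""
SAMPLE_CLEAN = """<configuration><runtime>
  <gcServer enabled="true" />
</runtime></configuration>"""

def appdomain_manager_settings(config_xml):
    """Return {setting: value} for AppDomainManager overrides in one config, else {}."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}  # unparseable file: nothing to report here
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            # Strip any namespace and match case-insensitively to be conservative
            name = child.tag.rsplit("}", 1)[-1].lower()
            if name in KEYS:
                found[KEYS[name]] = child.get("value", "")
    return found

def scan_tree(top):
    """Walk a directory; map each *.config that sets an AppDomainManager to its settings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(top):
        for fn in files:
            if not fn.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    settings = appdomain_manager_settings(fh.read())
            except OSError:
                continue  # unreadable file, skip
            if settings:
                hits[path] = settings
    return hits
```

A hit is a lead to review, since legitimate software can also set a custom AppDomainManager. The APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables have the same effect and are not covered by this scan.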
Operation Chargeback Uncovers €300m Fraud Scheme
Operation “Chargeback,” an international coordinated action day on 4 November 2025, targeted three major fraud and money laundering networks. Led by the General Prosecutor’s Office in Koblenz and the German Federal Criminal Police Office (BKA), the investigation has been ongoing since December 2020. The operation resulted in over 60 house searches and 18 arrests, targeting networks suspected of misusing credit card data from over 4.3 million cardholders across 193 countries. Estimated damage from the fraud exceeds EUR 300 million, with attempted damages over EUR 750 million.
The Europol-supported investigation targeted 44 suspects, including fraud network members, executives from German payment service providers, and crime-as-a-service providers. Assets worth over EUR 35 million were secured in Luxembourg and Germany.
The fraud scheme (2016-2021) involved using stolen credit card data to create around 19 million fake online subscriptions (primarily pornography, dating, and streaming). The networks charged low monthly amounts (~EUR 50) with obscure descriptions to evade detection. Suspects exploited four major German payment service providers, with six individuals (including executives) accused of collusion for fees. They laundered transactions through numerous shell companies (UK and Cyprus) supplied by crime-as-a-service providers.
The action day involved coordinated measures in Germany, the USA, Canada, Singapore, Luxembourg, Cyprus, Spain, Italy, and the Netherlands. Europol and Eurojust facilitated this extensive international cooperation, which included over 90 legal assistance requests to 30 countries. The suspects currently face charges of organised computer fraud, membership in a criminal organisation, and money laundering.