- Cybersecurity Docket
- Posts
- Blank Rome Hit With Two Proposed Class Actions Over Client Data Breach
Blank Rome Hit With Two Proposed Class Actions Over Client Data Breach
Plus, FBI and industry partners seized hundreds of domains associated with NetNut.

Good morning! Here’s what’s up.

People
Evan Kotsovinos announced in a LinkedIn post that he has departed Google, where he was head of its privacy, safety and security organization. He has joined the Goldman Sachs Group as a partner and head of Asset & Wealth Management (AWM) Engineering.

Clips ✂️
Blank Rome Hit With Two Lawsuits Over Breach of Client Data
Blank Rome LLP was hit with two proposed class actions Monday alleging it negligently failed to protect the personal information of more than 57,000 current and former clients in a May data incident.
The firm breached its duties under common law, contract law, industry standards, the Federal Trade Commission Act, and the Health Insurance Portability and Accountability Act to implement reasonable and adequate data security measures and provide timely notice of the breach, according to complaints filed in the US District Court for the Eastern District of Pennsylvania.
Laura Delapaz and Anthony Santana alleged in the separate lawsuits that the breach exposed names, Social Security numbers, physical and email addresses, phone numbers, dates of birth, taxpayer identification numbers, driver’s license numbers, state ID card numbers, passport numbers, financial-account numbers, payment card information, medical information, and health insurance information.
FBI Seizes NetNut Proxy Platform, Popa Botnet
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly traded Israeli company Alarum Technologies. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims.
On June 19, three different security firms issued similar findings: That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.
Sysdig clocks first documented case of agentic ransomware
Artificial intelligence is claiming many firsts as it permeates every layer of technology, including the tools cybercriminals use to break into networks, steal sensitive data, hop into connected systems and deploy malware.
This includes, for the first time, according to Sysdig researchers, a case of agentic ransomware managing an extortion operation spanning reconnaissance, credential theft, lateral movement, persistence, encryption, destruction and the delivery of the ransom note itself.
The AI agent didn’t accomplish every step in the late June 2026 attack, but it allowed the threat actor, which Sysdig tracks as JadePuffer, to significantly reduce complexity, speed up the tempo and gain operational advantages.
“We have seen attackers script attacks for years, and we have seen AI speed up individual steps of attack chains,” Michael Clark, senior director of threat research at Sysdig, told CyberScoop. However, this recent attack was “driven end-to-end by the model’s own decision-making, rather than a human at the keyboard,” he added.
Government Launches Cyber Resilience Pledge, Claiming 60+ Signatories
The UK government has claimed over 60 businesses have signed up to a new initiative designed to improve the cyber resilience of British organizations.
The Cyber Resilience Pledge was first trailed at the government’s CYBERUK conference in Glasgow in April, alongside a £90m ($120m) cash injection.
Signatories now include Marks & Spencer, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte LLP, Accenture UK and Vodafone Group, the government claimed.
The voluntary scheme requires signatories to commit to:
• Making cybersecurity a board-level responsibility, by implementing the Cyber Governance Code of Practice and ensuring all members complete the NCSC’s Cyber Governance Training
• Registering for the NCSC’s free Early Warning alert service
• Taking a “risk-based approach” to requiring Cyber Essentials certification across their supply chain
The pledge is designed mainly for medium and large organizations. However, the hope is that they will be able to improve baseline security posture across a much larger swathe of businesses by forcing suppliers to sign up to Cyber Essentials.
Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universities
China-aligned attackers broke into the networks of U.S. and Canadian universities to steal sensitive data and establish persistent access via webshells and backdoors, Proofpoint threat researchers said Tuesday.
The espionage-motivated attacks targeted physics and engineering departments, focusing on administrators and professors with national security links or organizations researching astrophysics and particle physics.
Proofpoint identified less than 10 university victims and estimates a few dozen universities may be impacted, Greg Lesnewich, principal threat researcher at Proofpoint, told CyberScoop. The company first observed the campaign in May and believes the campaign is ongoing.
“There is a high likelihood that many victims have not been made aware of this activity yet,” Lesnewich added.
Researchers traced the attacks to a pair of critical vulnerabilities in Roundcube, an open-source email client, that were exploited and chained together to steal credentials and gain long-term access.
Alleged member of Scattered Spider extradited to US
A suspected member of Scattered Spider has been extradited to the U.S. after being arrested in Finland on federal conspiracy charges, according to the Justice Department.
Officials said Peter Stokes, 19, was charged with conspiracy, cyber offenses and fraud, in connection with the 2025 hack of a luxury jewelry retailer.
Stokes, a dual citizen of the U.S. and Estonia, was arrested by Finnish authorities in April, pursuant to an Interpol Red Notice, while attempting to board a flight to Japan. He made an initial court appearance in Chicago on Tuesday. The suspect was known as “Bouquet” or “Jordan” in alleged communication with other members of the group, according to court documents.
After breaching the luxury jewelry retailer, which was not named in the documents, in May 2025, hackers demanded a ransom of more than $8 million in cryptocurrency. While incident responders were able to evict the hackers from the retailer’s systems, and no ransom was paid, the company took a $2 million hit related to lost business, investigation and mitigation.
