No-BS security research

Threat Report: May 2025

Casmer Labs monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.

Our Q1 threat report anticipated that significant financial losses would result from high-profile data breaches, particularly those caused by misconfigurations, throughout the remainder of the year. Since then, numerous significant security breaches, vulnerabilities, and incidents have been reported and verified by Casmer Labs.

Crypto Exchange Heist Results in Millions in Damages

On May 15, 2025, Coinbase, the largest cryptocurrency exchange in the world, reported that it experienced a major cybersecurity incident in which internal Coinbase employees knowingly exfiltrated customer data from Coinbase’s environment. This incident continues the streak of high-profile cybersecurity incidents involving insiders in the past 12 months, most notably the KnowBe4 incident, in which a North Korean agent using a stolen United States identity was able to land a job at the US-based security awareness training company.

The leaked Coinbase records have been reported to contain the following information:

  • Full names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Partially redacted bank account numbers
  • Partially redacted social security numbers
  • Government identification scans/images
  • Coinbase account balances

Similar to the HipShipper data breach earlier this year, the primary associated risk is that cyber actors could use this information to supplement and extend targeted social engineering schemes, particularly phishing campaigns. Information such as account balances could be used to prioritize the customers with the highest possible reward, and bank account numbers as well as social security numbers could be used to further “legitimize” scam calls and/or phishing emails.

The “Hazy Hawk” Threat Actor

On May 20, Ravie Lakshmanan reported that a threat actor dubbed “Hazy Hawk” has been observed hijacking high-profile domain names in order to deliver malware, execute social engineering schemes, and more (see “Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery”).

Since at least December of 2023, Hazy Hawk has been confirmed to successfully attack:

  • US Centers for Disease Control and Prevention (CDC)
  • Deloitte
  • PwC (PricewaterhouseCoopers)
  • Ernst & Young
  • Various high-profile research universities and institutions

It should be noted that hijacking web domains is nothing new and has been carried out en masse for years. Hazy Hawk in particular is notable, and more dangerous, because of its high degree of effectiveness in executing and obfuscating the subsequent hijacking of cloud resources in addition to the original DNS compromise.

The attacks start by locating dangling CNAME DNS records, which point at deprecated or non-existent hostnames. By locating and “claiming” the resource a dangling record points to, attackers can redirect traffic to whatever address they choose. In the case of Hazy Hawk, a carefully curated funnel of malicious content is designed to push users into other scams, social engineering schemes, malware delivery systems, and more.

The prevention of attacks like Hazy Hawk is relatively simple. CSS, along with other industry experts, recommends that all organizations remove the associated CNAME DNS record as soon as resources are deprecated. This ensures that attackers have no way to hijack the domain and execute a similar attack.
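As an added example (not Casmer Labs code), the check below audits a small constructed zone export for the condition described above: a CNAME whose target no longer resolves is flagged as dangling, and one whose target sits in a cloud namespace where any tenant can register the name is flagged as claimable. The cloud suffix list, the sample zone, and the offline answer table are constructed for illustration.

```python
"""Audit CNAME records for dangling and claimable targets (added example)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Cloud hostname suffixes where an unclaimed name can be registered by any tenant.
# Illustrative list, not exhaustive.
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com", ".cloudfront.net", ".azurewebsites.net",
                      ".blob.core.windows.net", ".herokuapp.com", ".github.io")

# Constructed sample zone export: (owner name, CNAME target).
SAMPLE_ZONE: List[Tuple[str, str]] = [
    ("www.example.com.", "example-site.s3.amazonaws.com."),
    ("status.example.com.", "old-status.azurewebsites.net."),  # service torn down
    ("docs.example.com.", "docs-host.example.net."),            # partner host gone
    ("blog.example.com.", "live-blog.herokuapp.com."),
]

# Constructed answer table standing in for a live resolver; None means NXDOMAIN.
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "example-site.s3.amazonaws.com.": "203.0.113.10",
    "old-status.azurewebsites.net.": None,
    "docs-host.example.net.": None,
    "live-blog.herokuapp.com.": "203.0.113.20",
}

def offline_resolver(name: str) -> Optional[str]:
    """Resolver backed by the constructed table so the audit runs offline."""
    return SAMPLE_ANSWERS.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real resolver for production use. Note: gaierror also covers transient
    failures (SERVFAIL, no network), so confirm NXDOMAIN before acting."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None

def classify(target: str, resolve: Callable[[str], Optional[str]]) -> str:
    """Return 'ok', 'dangling', or 'dangling-claimable' for one CNAME target."""
    if resolve(target) is not None:
        return "ok"
    if target.rstrip(".").lower().endswith(CLAIMABLE_SUFFIXES):
        return "dangling-claimable"   # target unregistered in a shared cloud namespace
    return "dangling"                 # stale, but not self-service claimable

def audit_zone(zone: List[Tuple[str, str]],
               resolve: Callable[[str], Optional[str]] = offline_resolver) -> Dict[str, str]:
    """Map each CNAME owner to its classification; records flagged here should be removed."""
    return {owner: classify(target, resolve) for owner, target in zone}

if __name__ == "__main__":
    for owner, verdict in audit_zone(SAMPLE_ZONE).items():
        print(f"{owner:24} {verdict}")
```

Pass `live_resolver` as the `resolve` argument to run the same audit against real DNS.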

More Cloud Data Breaches (But Who’s Counting?)

According to Cyble, customers of major cloud providers host more than 660,000 publicly accessible or otherwise exposed buckets containing over 200 billion publicly accessible files and records. The most recent organization to experience a high-profile data breach of this kind was US-based recruitment platform HireClick, where over 5.7 million files, primarily resumes, were left publicly accessible due to a misconfigured Amazon S3 bucket.

About Casmer Labs

Casmer Labs is a division of Cloud Storage Security (CSS) focused on threat intelligence and research concerning cloud computing, especially the storage layer in the cloud.

Casmer Labs provides threat intelligence, security education, trend reports, and other information important to modern organizations. We provide this information free of charge and aim to educate the public and reduce the frequency of cyberattacks across all industries. The Casmer Labs team is composed of engineering, product, support, and dedicated threat research personnel.

Casmer Labs is dedicated to Ed Casmer, founder and Chief Technology Officer at CSS, who passed away in 2023.
