Cybercriminals Expose a WordPress Backdoor Empire—And New Entra Passkey Scams Hit Microsoft 365
A cluster of cybersecurity reports highlights how attackers are scaling identity theft and wallet theft while leaving operational traces behind. One cybercrime crew reportedly left a server exposed to the internet for roughly three weeks, revealing internal tooling, activity logs, and target lists naming more than 1.4 million WordPress sites, even though far fewer were actually compromised. Separately, a threat actor tracked by Okta as O-UNC-066 used voice-based fake security requests to trick Microsoft 365 users into enrolling a new Microsoft Entra passkey, aiming to enable data extortion. In parallel, Coinspect disclosed a crypto wallet vulnerability dubbed “Ill Bloom,” where weak randomness in recovery-phrase generation can allow attackers to reconstruct the phrase and drain funds, with reported theft totaling about $3.1 million. Strategically, the common thread is that cybercrime is increasingly blending identity manipulation, social engineering, and supply-chain-style targeting of widely deployed platforms like WordPress and enterprise identity systems. The WordPress exposure suggests opportunistic infrastructure reuse and a willingness to run at scale, which increases the probability of downstream compromise of websites that serve as trust anchors for brands and local commerce. The Entra passkey scheme underscores a shift from password phishing toward authentication lifecycle abuse, exploiting the human and workflow layer rather than only credential theft. The crypto wallet flaw demonstrates that even “self-custody” security can fail when implementation details—like randomness quality—undermine the core recovery mechanism, benefiting attackers who can automate cracking attempts. Market and economic implications are indirect but potentially material through incident-driven risk premia and operational costs. Microsoft 365 and identity security tooling are the immediate operational focus, and sustained attacks can raise enterprise spending on IAM hardening, incident response, and passkey governance, pressuring budgets in IT and security departments. On the crypto side, a demonstrated $3.1 million drain from wallets tied to a specific vulnerability can amplify investor sensitivity to wallet software quality and recovery-phrase generation practices, likely increasing demand for audited wallet implementations and faster patching. For financial institutions, the separate reporting that VTB warned about evolving investment-fraud schemes—shifting from classic pyramid-style offerings toward modern investment services and crypto operations—signals that cyber-enabled fraud funnels may increasingly intersect with regulated finance, raising compliance and reputational risk. Next, defenders should treat these reports as a coordinated warning about authentication and recovery workflows rather than isolated vulnerabilities. For Microsoft environments, monitor for anomalous Entra passkey enrollments, especially those initiated via voice or “security request” social engineering, and enforce stronger verification for enrollment events. For WordPress, prioritize scanning for webshells and backdoor artifacts across the highest-risk segments of the exposed target list, then validate that server-side file integrity is intact. For crypto wallets, rapidly identify whether affected software versions generate recovery phrases with weak randomness, rotate any compromised recovery material, and consider moving funds to wallets with verified entropy sources. Escalation triggers include evidence of credential-less access via passkey enrollment at scale, repeated extortion campaigns using the same voice lures, or public confirmation that “Ill Bloom” affects additional wallet families beyond the initially disclosed scope.
Geopolitical Implications
- 01
Cybercrime scaling against widely used platforms (WordPress and Microsoft identity) can create cross-sector disruption that indirectly affects national economic resilience.
- 02
Authentication lifecycle abuse (passkeys) increases the difficulty of attribution and response, complicating government and corporate coordination during incidents.
- 03
Crypto-enabled theft and fraud funnels can undermine trust in both digital assets and regulated financial channels, raising regulatory pressure.
Key Signals
- —Spike in anomalous Entra passkey enrollments and related MFA/SSO events tied to voice or social-engineering lures
- —Indicators of WP webshell/backdoor artifacts appearing across high-value domains and CMS plugin ecosystems
- —Public advisories confirming affected wallet software versions and entropy/recovery-phrase generation weaknesses
- —Regulatory or bank communications expanding on crypto-linked investment fraud typologies
Topics & Keywords
Related Intelligence
Full Access
Unlock Full Intelligence Access
Real-time alerts, detailed threat assessments, entity networks, market correlations, AI briefings, and interactive maps.