An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages.

The investigation, led by Germany and supported by Europol, began in mid-2021 and focused on a platform called “Alice with Violence CP,” operated by a 35-year-old suspect based in China.

These sites advertised child sexual abuse material (CSAM) and cybercrime-as-a-service offerings, including stolen credit card data and access to compromised systems.

According to Europol, the sites used showed previews of claimed CSAM “packages” to trick users into entering their email addresses and paying between EUR 17 and EUR 250 in Bitcoin, receiving nothing in return.

“Each package had an estimated cost of between EUR 17 and EUR 215, and promised data volumes ranging from a few gigabytes to several terabytes of CSAM,” explains Europol.

“However, these were purely fraudulent sites where CSAM was advertised and previewed but never delivered.”

The fraudulent CSAM platform fooled around 10,000 users into paying roughly $400,000 to the operator of the sites. Of those, the authorities have identified 440 users in 23 countries, and are currently investigating 100 of them.

Although these people never received the illegal material, they still tried to purchase CSAM, financially supporting child abuse and demonstrating criminal intent. Even attempting to buy such material is prosecuted in many jurisdictions.

At its peak, the scam network’s infrastructure comprised 287 servers, with a significant portion (105) located in Germany, all of which have now been seized. German authorities have also issued an international arrest warrant for the Chinese operator.

Europol highlights its broader child protection work, including the Help4U support platform launched in November 2025, and its “Stop Child Abuse – Trace an Object” initiative, which invites people to identify the origin of objects seen in CSAM material that may lead to the identification of perpetrators, and the saving of children from abuse.

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Download The Report

Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.

Azure Monitor is Microsoft’s cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It enables users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions.

Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.

“Alert rule description MICROSOFT CORPORATION BILLING AND ACCOUNT SECURITY NOTICE (REF: MS-FRA-6673829-KP). Our system has detected a potentially unauthorized charge on your account. Transaction Details: Merchant: Windows Defender. Transaction ID: PP456-887A-22B. Amount: 389.90 USD. Date: 03/05/2026l,” reads the fake billing alert.

“For your protection, this transaction has been temporarily placed on hold by our Fraud Detection Team. To prevent possible account suspension or additional fees, please verify this transaction immediately. If you did NOT authorize this payment, contact our 24/7 Microsoft Account Security Support at +1 (864) 347-2494 or +1 (864) 347-4846.”

“We apologize for any inconvenience and appreciate your prompt response. Microsoft Account Security Team.”

Unlike other phishing campaigns, these messages are not spoofed, but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.

As the emails are sent through Microsoft’s legitimate email platforms, they pass SPF, DKIM, and DMARC email security checks, making them appear more trustworthy.

Authentication-Results: relay.mimecast.com;
	dkim=pass header.d=microsoft.com header.s=s1024-meo header.b=CKfQ8iOB;
	arc=pass ("microsoft.com:s=arcselector10001:i=1");
	dmarc=pass (policy=reject) header.from=microsoft.com;
	spf=pass (relay.mimecast.com: domain of azure-noreply@microsoft.com designates 40.107.200.103 as permitted sender) smtp.mailfrom=azure-noreply@microsoft.com

The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events. 

When creating alerts, you can enter any message you want in the description field, which the attackers use to put their callback phishing message.

These alerts are then configured to send emails to what is believed to be a mailing list under the attacker’s control, which forwards the email to all the targeted people in the attack.

This also preserves the original Microsoft headers and authentication results, helping the emails bypass spam filters and user suspicion.

BleepingComputer has seen multiple alert categories used in this campaign, mostly using invoice and payment-themed rules designed to resemble automated billing notifications:

• Azure monitor alert rule order-22455340 was resolved for invoice22455340
• Azure monitor alert rule Invoice Paid INV-d39f76ef94 was resolved for invd39f76ef94
• Azure monitor alert rule Payment Reference INV-22073494 was resolved for purchase22073494
• Azure monitor alert rule Funds Successfully Received-ec5c7acb41 was triggered for subec5c7acb41
• Azure monitor alert rule MemorySpike-9242403-A4 was triggered
• Azure monitor alert rule DiskFull-3426456-A6 was triggered for locker3426456

The campaign relies on creating a sense of urgency, which in this case is the unusual $389 Windows Defender charge, to trick the users into calling the listed phone number.

While BleepingComputer did not call the number in this scam, previous callback phishing campaigns led to credential theft, payment fraud, or the installation of remote access software.

As these emails use a more enterprise or corporate theme, they may be intended to gain initial access to corporate networks for follow-on attacks.

Users should treat any Azure or Microsoft alert that includes a phone number or urgent request to resolve billing issues with suspicion.

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Download The Report

The Government of Mexico City has launched Xoli, a chatbot that will provide information on services, tourism, and cultural offerings. It’s available now via WhatsApp in both English and Spanish.

The platform was designed to meet the demand of the millions of visitors expected to arrive during the 2026 FIFA World Cup. However, the authorities assure that the tool will remain active once the sporting event is over, with the aim of promoting economic activities and facilitating access to public services in the capital.

In a press conference, Clara Brugada, head of the Mexico City government, stated that Xoli “will be the technological instrument that will allow us to link culture, tourism, recreation, and entertainment with the population.”

Chat With Xoli

The tool was developed entirely by the capital’s government, as a result of the collaboration between the Digital Agency for Public Innovation and the local Ministries of Tourism and Culture.

The chatbot is already available on mobile devices and will operate continuously, seven days a week, 24 hours a day. To use it, just open WhatsApp, start a chat with the number 55 6565 9395, and send the word “Hola.”

Xoli (pronounced sho-lee) will immediately ask if you want to continue in English or Spanish. After selecting the preferred language, users will be able to access a menu with various categories of information, including culture, tourism, gastronomy, and mobility, or just ask a question about anything in the city.

In the context of the 2026 World Cup, there will be a specific section with information about the competition, including special events, match details, broadcasts of games in public places, and ticket purchase options.

Screenshot of Xoli, Mexico City’s tourist chatbot for the 2026 World Cup.

Advertisement

Cortesía Xoli

The capital’s government highlighted that this technology contributes to the city’s consolidation as “a more innovative and accessible city,” by speeding up access to official information, offering timely responses and strengthening tourism promotion strategies.

Alejandra Frausto, head of Mexico City’s Ministry of Tourism, pointed out that close to 3,000 tourist, recreational, and cultural activities are carried out daily in the capital. In seasons of high demand, this figure can increase to 5,000 events a day. “Translating this data into reliable and accessible information involves a great effort, but it is now possible thanks to this chatbot,” he says.

A Good Sport

The launch of Xoli adds to the technological efforts driven by the federal government to turn the upcoming World Cup into an engine of development for commerce, sports, tourism, and culture throughout the country.

Late last year, Mexican president Claudia Sheinbaum presented the Mexico 2026 Social World Cup plan, which calls for more than 177 festivities and 5,000 activities linked to the tournament, as well as 74 tournaments and soccer cups aimed at students, workers, and the general public. The program also includes around 1,500 actions within the Vive Saludable (Live Healthy) initiative, aimed at promoting healthy lifestyles, as well as the rehabilitation of 4,200 public sports fields and spaces.

Among the actions announced is the creation of the Conoce México app developed jointly by the Agency for Digital Transformation and Telecommunications (ATDT) and the Ministry of Tourism. This app will allow fans, both national and foreign, to get updated information on matches, venues, routes, services, and cultural activities.

The war with Iran and ensuing blockade in the Strait of Hormuz, a critical shipping lane, has spiked oil prices and sent governments scrabbling for their reserves. How high will prices go, and how bad could it get?

On Friday night, United Airlines CEO Scott Kirby published a memo to his employees showing that his very fuel-dependent business is prepping for a very long fallout. “Our plans assume oil goes to $175/barrel and doesn’t get back down to $100/barrel until the end of 2027,” he wrote.

Jet fuel accounts for between a quarter and a third of airlines’ operating costs. Prices have doubled from $70 a barrel since the war started four weeks ago, threatening to seriously cut into airlines’ profitability. Kirby said that his airline has a strategy: United will cut some 5 percent of its planned flight schedule during the second and third quarters of this year, with trims coming especially in off-peak periods like red-eyes and less popular travel days: Tuesdays, Wednesdays, and Saturdays.

“Honestly, I think there’s a good chance it won’t be that bad,” Kirby wrote in the memo, “but … there isn’t much downside for us to prepare for that outcome.”

United’s moves are significant for not only the travel industry but the wider global economy, analysts say. If it all plays out the way Kirby predicts, “this would be incredibly unwelcome news to everyone who is not in the oil refining business,” says Jason Miller, a professor of supply chain management at Michigan State University’s Eli Broad College of Business.

Airlines might be a particularly notable canary in the economic coal mine because their business leans even more heavily on oil prices, and especially refined oil prices, than most. Air transportation ranks just below asphalt paving as the US industry that spends the greatest share of its non-labor costs on refined petroleum products, Miller has calculated. Kirby’s predictions, while dire, are in line with what others in the commodity market are predicting, Miller says.

“Economically, this energy shock is hitting at the worst time possible,” Miller says. Add its effects to a sluggish job market and a global economy shaken by the US’s erratic tariff regime, and economists start to think about recession. The Iran war and the ensuing energy crisis “have played out longer than many expected it to,” Miller says. Kirby’s memo is an acknowledgment that “Hormuz may not be open for business very quickly.”

The effects of the fuel price spikes are already affecting the travel industry. Last week, American Airlines CEO Robert Isom said the company had spent an additional $400 million on fuel. Airlines have reported strong demand in the past weeks, with United’s Kirby noting in his memo that the past 10 weeks had seen the airline take in the most revenue on bookings ever. But it remains to be seen whether lots of people are actually enthusiastic about travel, or flyers spooked about geopolitics and fears of high ticket prices moved early to lock in their plans before oil costs got higher. Isom noted that, if oil prices remain high, “we’re certainly going to be nimble in terms of capacity, to make sure that supply and demand stay in balance.”

How bad it could get for airlines—and its passengers—depends not just on how long oil prices stay elevated, but how long the businesses’ questions about the crisis remain unanswered.

“If we stay in this uncertainty for a long time, this is adding to the complexity,” says Ahmed Abdelghany, who studies airline operations as a professor in Embry-Riddle Aeronautical University’s College of Business. “The longer it goes, the more problematic to the airlines that remain.”

An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”

Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”

The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client. In response to emailed questions from TechCrunch, DeepDelver said that they and their collaborators “chose to remain anonymous out of fear for retaliation by Delve.”

In their post, DeepDelver recounted receiving an email in December claiming the startup had “leaked a spreadsheet with confidential client reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other customers had become suspicious.

“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.

Their conclusion? That Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”

DeepDelver went into considerable detail about those claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or AI.”

DeepDelver also claimed that virtually all of Delve’s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.

Those firms, they said, are just rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.” 

DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us multiple boxes of donuts […] to keep us happy.” Nonetheless, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.

Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.

“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company said.

Delve also said that its customers “can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”

In response to the accusation that it’s providing customers with “fake evidence,” Delve countered that it’s simply offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”

“Draft templates are not the same as ‘pre-filled evidence,’” the company said.

Delve added that it is “actively investigating any leaks” and is “still reviewing the Substack.”

When asked about Delve’s response, DeepDelver told TechCrunch that they were “baffled by the laziness, clumsiness and brazenness of it.”

“They are trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is,” DeepDelver said. “They’re claiming they are not the ones to ‘issue’ the report, which is easy to claim if you define issuing a report as providing the final stamp.”

They added that there are “a number of very serious allegations” that Delve did not address at all: “The India accusation, the lack of AI (they only talk about ‘automations’), and the trust (lol) page containing controls that were never implemented.”

Apparently DeepDelver isn’t done with its criticism, as it promised, “Part II will follow soon.”

In addition, following the initial Substack post, an X user named James Zhou said they were able to gain access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “several gaping security holes in Delve’s external attack surface.”

TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but after this article was published, I received a calendar invite for a “Delve demo” later this week.

This post was initially published on March 21, 2026. It has been updated with emailed answers from DeepDelver, additional information about purported security vulnerabilities provided by Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.

Elon Musk has announced the Terafab project, a joint venture between Tesla, SpaceX and xAI, to build the “largest chip manufacturing facility ever.” In his usual grandiose fashion, Musk claims Terafab is the next step towards harnessing the power of the sun and creating a “galactic civilization.”

Musk, CEO of all three companies, announced plans for the Terafab in a livestream on X. As the name implies, the project’s ultimate goal is to produce a terawatt of computing power each year so that it can match the companies’ growing demand for chips. Musk explained during the livestream that he’s grateful to existing supply chain partners like Samsung, TSMC and Micron, but the current capacity of chip manufacturers only adds up to about two percent to what Tesla and SpaceX needs in terms of future computing power needs.

“We either build the Terafab or we don’t have the chips,” Musk said during the event. “And we need the chips so we’re going to build the Terafab.”

The Terafab project, estimated to cost at least $20 billion, will start with the Advanced Technology Fab in Austin, Texas, where Tesla is already headquartered. Musk said that the two types of chips will be produced in the Terafab: one for terrestrial purposes, like to power Full Self-Driving or Optimus robots, and another more high-powered, durable chip to be used in space. If you’re wondering what Musk has in store for space, the SpaceX CEO filed an application with the Federal Communications Commission to launch a million satellites to create an “orbital data center” earlier this year. As promising as this sounds, it’s worth noting that Musk has previously overpromised and underdelivered on other projects, like the Hyperloop, a $40,000 Cybertruck and fully autonomous driving.

AI coding company Cursor launched a new model this week called Composer 2, which it promoted as offering “frontier-level coding intelligence.” 

However, an X user posting under the name Fynn soon claimed that Composer 2 was “just Kimi 2.5” with additional reinforcement learning — Kimi 2.5 being an open source model recently released by Moonshot AI, a Chinese company backed by Alibaba and HongShan (formerly Sequoia China). 

As evidence, Fynn pointed to code that seemed to identify Kimi as the model.

“[A]t least rename the model ID,” they scoffed.

It was a surprising revelation, since Cursor is a well-funded U.S. startup that raised a $2.3 billion round last fall at a $29.3 billion valuation, and is reportedly exceeding $2 billion in annualized revenue. Also, the company didn’t mention anything about Moonshot AI or Kimi in its announcement.

However, Cursor’s vice president of developer education Lee Robinson soon acknowledged, “Yep, Composer 2 started from an open-source base!” But he said, “Only ~1/4 of the compute spent on the final model came from the base, the rest is from our training.” As a result, he said Composer 2’s performance on various benchmarks is “very different” from Kimi’s.

Robinson also insisted that Cursor’s use of Kimi was consistent with the terms of its license, a point the Kimi account on X repeated in a subsequent post congratulating Cursor, where it said Cursor used Kimi “as part of an authorized commercial partnership” with Fireworks AI.

“We are proud to see Kimi-k2.5 provide the foundation,” the Kimi account said. “Seeing our model integrated effectively through Cursor’s continued pretraining & high-compute RL training is the open model ecosystem we love to support.”

So why not acknowledge Kimi upfront? Beyond any potential embarrassment in not creating a model from scratch, building on top of a Chinese model might feel particularly fraught right now, with the so-called AI “arms race” often framed as an existential battle between United States and China. (See, for example, Silicon Valley’s apparent panic after Chinese company DeepSeek released a competitive model early last year.)

Cursor co-founder Aman Sanger acknowledged, “It was a miss to not mention the Kimi base in our blog from the start. We’ll fix that for the next model.”