#NSBCS.098 - Lessons from Louvre Heists Old and New: Parallels with Digital Forensics and Incident Response
Two men carry the Mona Lisa back to the Louvre museum in Paris on 4 January, 1914, just over two years after it was stolen by Vincenzo Peruggia. (Getty Images)
The Louvre Museum, a bastion of cultural heritage, has endured two notable heists over a century apart, each revealing vulnerabilities with striking parallels to Digital Forensics and Incident Response (DFIR) in cybersecurity.
The 1911 theft of Leonardo da Vinci's Mona Lisa by Vincenzo Peruggia, a former employee, is a textbook insider threat. Hiding in the museum overnight, he lifted the painting undetected: security was lax, there were no alarms or cameras, and he walked out in disguise. The theft went unnoticed for roughly a day, and the investigation that followed ran for two years, took in fingerprinting, and questioned high-profile suspects including Pablo Picasso. The painting was recovered in 1913 only because Peruggia tried to sell it in Italy.
Fast-forward to 19 October 2025: thieves carried out a brazen daylight heist, stealing crown jewels valued at around $102 million in under eight minutes. Using a furniture lift to reach a first-floor window, four masked perpetrators smashed display cases in the Galerie d'Apollon and grabbed nine items, including Marie-Antoinette's diamonds; one piece was dropped during the escape. Alarms sounded, but the culprits fled the way they came, via the lift, before anyone could intervene. Two suspects were arrested days later and partially admitted involvement; the jewels themselves remain missing and have been entered in Interpol's stolen works of art database.
Comparing the two: the 1911 incident highlighted insider risk and delayed detection, much like breaches in which an employee abuses legitimate access and the intrusion lingers undetected. The 2025 heist shows evolved tactics, rapid execution and physical intrusion, mirroring fast-moving attacks such as ransomware operations, where attackers exploit an exposed weakness and act before defenders can respond.
In DFIR terms, both underscore the need for layered defences: monitoring that shortens dwell time, since the 1911 delay gave Peruggia time to get away, and response capacity that can act on an alert, since the 2025 alarm fired but did not prevent the loss. The forensic parallel is evidence preservation: fingerprints in 1911, CCTV footage and tool marks in 2025, and, in the digital case, logs, endpoint telemetry and malware artefacts that must be captured before they are overwritten.
Post-incident, the 1911 heist spurred security upgrades; likewise, the 2025 event is prompting reviews amid a rise in museum thefts. For DFIR, the equivalent is threat intelligence sharing, tabletop and live simulations, and policies that adapt as attackers do. Both cases show how response maturity is built incident by incident, moving from reactive to proactive through continuous learning and the integration of preventive controls.
These heists remind us: whether art or data, vigilance against insiders, swift response, and continuous fortification are essential in an interconnected world.
What we read this week
'Jingle Thief' Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards - Cybersecurity researchers from Palo Alto Networks Unit 42 have identified a threat actor dubbed Jingle Thief, a cybercriminal group targeting cloud environments in the retail and consumer services sectors to commit gift card fraud. Active since at least late 2021, the group, tracked as CL-CRI-1032, overlaps with moderate confidence with the Morocco-based clusters tracked as Atlas Lion and Storm-0539, both known for financially motivated operations. In April and May 2025, Jingle Thief ran coordinated phishing and smishing campaigns to steal Microsoft 365 credentials from global enterprises. Once inside, the attackers conducted extensive reconnaissance across SharePoint and OneDrive to identify gift card issuance workflows, VPN configurations, financial processes and internal systems. They maintained persistent access for more than 10 months in some cases and compromised up to 60 user accounts in a single organisation. The group then issued high-value unauthorised gift cards, most likely reselling them on grey markets.
Malicious NPM Packages Disguised With 'Invisible' Dependencies - In the "PhantomRaven" campaign, threat actors have published 126 malicious npm packages that evaded detection and amassed over 86,000 downloads. The packages steal npm tokens, GitHub credentials and developer secrets from organisations worldwide. The campaign abuses what Koi Security calls Remote Dynamic Dependencies (RDD): npm's little-used support for a URL as a dependency specifier. The malicious code lives in an "invisible" dependency that is fetched from an attacker-controlled server at install time rather than from the npm registry, so the published package shows "0 Dependencies" to static analysis tools and looks benign. The packages also carry preinstall scripts, which npm runs automatically during installation without prompting the user. Because the payload is served dynamically, the attackers can key it to the requesting IP address, returning a harmless file to researchers while delivering the malicious version to corporate or cloud build environments. Koi Security first detected the campaign in August 2025 through behavioural monitoring of outbound network requests made during package installation.
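Because the payload can differ depending on who fetches it, inspecting the downloaded tarball is not a reliable check; what is stable is the specifier itself. The following Python script, added here as an example and not code from the article, Koi Security or npm, audits a package.json for the two mechanisms just described: dependency specifiers that resolve outside the registry (URL and git specifiers) and lifecycle scripts that run on install. It goes a step beyond the article by also walking a package-lock.json (lockfileVersion 2 or 3), which exposes transitive dependencies and the hasInstallScript flag npm records for packages that carry install hooks. The manifest, the lockfile fragment and the hostname in the reserved .invalid domain are constructed sample data.

```python
"""Audit an npm manifest and lockfile for dependencies resolved outside the
registry and for lifecycle scripts that run during `npm install`.
Added example, not code from the original article, Koi Security or npm."""
import json
import re
from urllib.parse import urlparse

# Lifecycle hooks npm runs without prompting during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
REGISTRY_HOST = "registry.npmjs.org"


def classify_specifier(spec: str) -> str:
    """Classify a dependency specifier as 'registry', 'alias', 'local',
    'git' or 'url'. Only 'registry' and 'alias' are resolved through the
    configured registry; the rest are fetched from wherever they point."""
    s = spec.strip()
    if s.startswith("npm:"):
        return "alias"
    if s.startswith(("file:", "./", "../", "/")):
        return "local"
    if s.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")):
        return "git"
    if re.match(r"^https?://", s):
        return "url"
    # GitHub shorthand "owner/repo[#ref]"; semver ranges never contain "/".
    if re.match(r"^[\w.-]+/[\w.-]+(#\S*)?$", s):
        return "git"
    return "registry"


def audit_manifest(manifest: dict) -> list:
    """Findings for a parsed package.json: remote specifiers and install hooks."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind = classify_specifier(spec)
            if kind in ("url", "git"):
                findings.append({
                    "type": "remote-dependency", "field": field, "name": name,
                    "spec": spec, "kind": kind,
                    "host": urlparse(spec).hostname if kind == "url" else None,
                })
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append({"type": "install-hook", "hook": hook,
                             "command": scripts[hook]})
    return findings


def audit_lockfile(lock: dict, registry_host: str = REGISTRY_HOST) -> list:
    """Walk the 'packages' map of a v2/v3 lockfile, which includes transitive
    dependencies a package.json audit cannot see. Flags entries resolved from
    a host other than the registry and entries npm marked as having an
    install script."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname
        if resolved and host != registry_host:
            findings.append({"type": "off-registry-resolution", "package": path,
                             "resolved": resolved, "host": host})
        if entry.get("hasInstallScript"):
            findings.append({"type": "install-script", "package": path})
    return findings


# Constructed sample manifest: one ordinary registry dependency beside a
# dependency served from a placeholder host and a preinstall hook.
SAMPLE_MANIFEST = {
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {
        "lodash": "^4.17.21",
        "helper-utils": "https://cdn.example.invalid/helper-utils.tgz",
    },
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
}

# Constructed lockfile fragment in lockfileVersion 3 layout.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/helper-utils": {
            "version": "1.0.0",
            "resolved": "https://cdn.example.invalid/helper-utils.tgz",
            "hasInstallScript": True,
        },
    },
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_lockfile(SAMPLE_LOCK):
        print(json.dumps(finding))
```

Point the two functions at `json.load(open("package.json"))` and `json.load(open("package-lock.json"))` to run it on a real project. A finding of either kind is worth a manual look rather than an automatic block, since legitimate git and URL dependencies exist; but on build agents, setting `npm config set ignore-scripts true` (or passing `--ignore-scripts` to `npm install`) removes the preinstall execution path outright, and a lockfile review in CI catches off-registry resolutions before they reach production.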
Oracle EBS Attack Victims Potentially More Numerous Than Expected - Numerous organisations have been hit by attacks exploiting CVE-2025-61882, a critical zero-day in Oracle E-Business Suite (EBS), and the evidence points to a broader impact than first reported. The ransomware-as-a-service group Clop has been actively exploiting the flaw, which sits in the Oracle Concurrent Processing component and allows an unauthenticated remote attacker to execute code, opening the door to data theft and extortion. Confirmed victims include Harvard University and Envoy Air (a subsidiary of American Airlines). Researcher reports and Clop's data leak site suggest further high-profile targets such as Schneider Electric, Pan American Silver and Cox Enterprises. The full extent of the compromise is unclear, as Clop continues to add names to its leak site. Any EBS instance reachable from the internet should be treated as at severe risk until patched.
Microsoft Issues Emergency Windows Update As Attacks Begin - Microsoft has released an out-of-band security update for a critical vulnerability in Windows Server Update Services (WSUS), designated CVE-2025-59287. The flaw allows an unauthenticated attacker to execute code remotely over the network with SYSTEM-level privileges. Only Windows servers with the WSUS server role installed are affected, and that role is not enabled by default. The update was issued on 23 October 2025, after a preliminary scan by researchers at Eye Security identified roughly 8,000 potentially vulnerable WSUS servers worldwide; telemetry indicates at least 2,500 of them remain exposed. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities Catalog, confirming exploitation in the wild.
Dentsu Subsidiary Breached, Employee Data Stolen - Merkle, the US-based subsidiary of Japanese marketing and PR firm Dentsu, has suffered a breach in which unidentified threat actors stole sensitive employee data. Dentsu detected unusual activity on Merkle's network and promptly initiated its incident response process, including engaging a specialist cybersecurity firm. The company says it contained the attack, launched an investigation and notified the relevant authorities, including law enforcement, the UK's Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The stolen files include bank and payroll details, salary information, National Insurance numbers and personal contact details for current and former employees, and the exposure extends to data on some clients and suppliers. Dentsu has notified potentially affected individuals and is offering one year of credit and dark web monitoring. The nature of the attack has not been disclosed, though the indicators point to data extortion or ransomware.
References
https://thehackernews.com/2025/10/jingle-thief-hackers-exploit-cloud.html
https://www.darkreading.com/application-security/malicious-npm-packages-invisible-dependencies
https://www.darkreading.com/vulnerabilities-threats/oracle-ebs-attack-victims-more-numerous-expected
https://www.forbes.com/sites/daveywinder/2025/10/26/act-now---microsoft-issues-emergency-windows-update-as-attacks-begin/
https://www.darkreading.com/cyberattacks-data-breaches/dentsu-subsidiary-breached-employee-data-stolen

