Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

As we head into 2026, I am thinking of a Japanese idiom, Koun Ryusui (行雲流水), to describe how enterprises should behave when facing a cyberattack. Koun Ryusui means “to drift like clouds and flow like water.” It reflects calm movement, adaptability, and resilience. For enterprises, this is an operating requirement. Cyber incidents are no longer isolated disruptions. They are recurring tests […]

The post Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026 appeared first on ColorTokens.

The post Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026 appeared first on Security Boulevard.

The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good | Authorities Dismantle Global Fraud Ring and Crypto Laundering Network

Eurojust officials have dismantled a transnational fraud ring running call centers in Ukraine that scammed European victims out of more than €10 million.

In collaboration with authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, police arrested 12 suspects and conducted 72 searches across three Ukrainian cities, seizing vehicles, weapons, cash, computers, a polygraph machine, and forged IDs.

The network operated multiple call centers employing around 100 people and targeted more than 400 known victims. Scammers impersonated bank employees and police, claimed accounts were compromised, and coerced victims into transferring funds to “safe” accounts. Others used remote access software to steal credentials or collect cash in person.

Further seizures this week targeted the E-Note cryptocurrency exchange, dismantling its servers and domains after determining the service was used to launder more than $70 million in illicit funds. According to the DoJ, the proceeds stemmed largely from ransomware operations and account takeover attacks, routed through a global network of money mules.

The takedown was led by the FBI with support from German and Finnish authorities and Michigan State Police, with investigators confiscating multiple domains, mobile applications, backend servers, and customer databases containing transaction records.

Prosecutors have also unsealed an indictment against alleged operator Mykhalio Petrovich Chudnovets and are charging him with money laundering conspiracy. While no arrests have been made, Chudnovets faces up to 20 years in prison. Authorities say seized records may support further identifications and follow-on enforcement actions.

The Bad | North Korean Hackers Drive Record $2B Crypto Theft Surge in 2025

DPRK-linked threat actors drove a record surge in global cryptocurrency theft this year, claiming at least $2.02 billion of the $3.4 billion+ stolen worldwide between January and early December.

A new report delves into the 51% year-over-year increase, which marks the most severe year on record for DPRK-linked crypto crime while accounting for roughly 76% of all service compromises. Cumulatively, North Korean actors are now estimated to have stolen at least $6.75 billion in cryptocurrency.

[Figure: DPRK-linked crypto hack activity by year, 2016–2025. Source: Chainalysis]

A single incident, attributed to the TraderTraitor cluster, dominated the year: the February breach of Bybit that resulted in losses of approximately $1.5 billion. Beyond Bybit, DPRK-linked actors are also suspected in the theft of $36 million from South Korea’s most popular cryptocurrency exchange, Upbit.

These operations roll up into what is widely referred to as the Lazarus Group, a long-running threat actor tied to Pyongyang’s Reconnaissance General Bureau (RGB), which has historically blended large-scale crypto heists with espionage campaigns such as Contagious Interview, a campaign using fake recruitment-themed lures to deliver malware and harvest job applicants’ data.

In recent years, these state-backed actors have expanded tactics to include covert IT worker infiltration, sometimes via front companies, to gain privileged access at exchanges and Web3 firms – all to fund the regime despite international sanctions.

The growing scale of DPRK-linked crypto theft shows the profitability of high-value, state-backed operations, also incentivizing other actors to adopt similar tactics, including advanced laundering schemes, affiliate-based attacks, and cross-border exploitation.

For the broader ecosystem, North Korean threat operations continue to both normalize large-scale crypto heists and accelerate the professionalization of illicit networks, complicating attribution and straining global law enforcement resources.

The Ugly | Threat Actors Upscaling Abilities with Widespread Adoption of LLMs

Ransomware operations are undergoing a rapid, dangerous transformation not through novel “super-hacks” but via the industrialized efficiency of Large Language Models (LLMs). A new report by SentinelLABS assesses that LLMs have become a critical operational accelerator, compressing the ransomware lifecycle and dramatically lowering the barrier to entry for novice cybercriminals.

The researchers say that threat actors are now automating reconnaissance, generating localized phishing lures, and triaging massive datasets across language barriers with unprecedented speed and accuracy with the help of LLMs. Ransomware-as-a-Service operators are already claiming to offer AI-assisted tools to affiliates to increase attack productivity.

[Figure: Global RaaS offering AI-assisted chat]

SentinelLABS says attackers are successfully evading commercial guardrails through “prompt smuggling”, a process by which malicious requests are broken down into innocent-looking pieces across multiple chats. The outputs are then stitched together offline to build working attack tools.

The researchers predict that top-tier actors will go further, likely migrating to self-hosted, open-source models like Ollama to entirely avoid provider guardrails. This evolution would allow criminals to operate without telemetry or censorship, effectively weaponizing unrestricted AI.

Real-world campaigns already illustrate this escalation. Anthropic has reported on tools like Claude Code being used to automate entire extortion chains, from technical reconnaissance to calculating optimal ransom demands. In other instances, malware such as QUIETVAULT has been seen hijacking a victim’s own locally installed LLMs to intelligently hunt for crypto-wallets and sensitive files.

While the report adds to the general industry concern around the use of AI by threat actors, it also debunks one of the wider myths in common circulation. The risk from today’s LLMs, the researchers say, isn’t superintelligent malware or novel attack vectors; it’s the more mundane industrialization of extortion, with smarter target selection, tailored demands, and faster operational tempo. Those factors increasingly complicate attribution and challenge defenders to adapt to a significantly higher-volume threat landscape.

The WAF must die – some interesting thoughts – FireTail Blog

Dec 19, 2025 - Jeremy Snyder - A recent posting by Dr. Chase Cunningham from Ericom Software on LinkedIn took an interesting view on web application firewalls, most commonly known as a WAF.

WAF’s Must Die Like the Password and VPN’s

Here at FireTail.io, we are also not fans of a WAF. Why? We do not believe that a WAF will catch most modern attacks. WAFs are fundamentally based on firewall (perimeter defense) structures that are designed to keep attackers out based on where they are coming from, where they are going to, and what they are trying to access. A simple search for bypassing a WAF returns quite a lot of results:

[Screenshot: search results for “bypass WAF”, 1.28M results]

Dr. Cunningham’s post shares some interesting opinions and statistics on WAFs:

* “WAFs are antithetical to the move to Zero Trust”
* “According to most innovators and experts, the pattern and rule-based engine used by WAFs are not aligned with current security needs.”
* “Ponemon conducted research at that time to probe the market for issues with WAF solutions, and more than 600 respondents made their point clear: WAFs aren’t helping.”

The Ponemon WAF research referenced also included some eye-opening statistics:

* While 66% of respondent organizations consider the WAF an important security tool, over 40% use their WAFs only to generate alerts (not to block attacks)
* 86% of organizations experienced application-layer attacks that bypassed their WAF in the last 12 months.
* Managing WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.
* The CapEx and OpEx for WAFs together average $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

SUMMARY OF WAF FAILURES FROM DR. CHASE CUNNINGHAM

If you wanted the tl;dr version of what Dr. Cunningham had to say, it’s this:

> In other words, WAFs are not stopping attacks, require continuous configuration and intensive management and security human capital, and are more expensive than other better-suited technologies.

WHAT IS A BETTER APPROACH THAN USING A WAF THEN?

This is where our view may both overlap with and differ from Dr. Cunningham’s. Dr. Cunningham speaks of the model of Web Application Isolation (WAI), whereby an application is effectively public on the Internet, but only behind a required authentication controller, which then creates a secure tunnel.

Our view on this is two-fold:

* For public or consumer applications, this can work. But it requires an immediate control for authorization. Too often, developers assume controlled inputs and no attempts at unauthorized access. But the provisioning of a “secure tunnel” is something that happens already via SSL / TLS, and there’s no need for another “secure tunnel”.
* Applications need to have a security configuration of their own that defines authorization options around various API routes and methods, because the API is both the future of application development paradigms, and the API will become the most frequently attacked surface / vector.
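The two points above, an immediate authorization control and an application-owned security configuration keyed on API routes and methods, can be made concrete with a small deny-by-default policy evaluator. The following is an added example written for this page, not FireTail’s product code or anything from Dr. Cunningham’s post; the rule format, the `/users/{user_id}` style routes, the role names and the `owner_param` object-level check are all assumptions chosen for illustration. A request is allowed only when an explicit rule matches its method and path and the caller satisfies that rule’s authentication, role and ownership requirements; everything else, including unknown routes and unlisted methods, is denied.

```python
"""Deny-by-default authorization policy keyed on API route + HTTP method.

Added example (not FireTail's or Dr. Cunningham's code). The rule format,
routes, role names and the owner check are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller: a subject id and the roles granted to it."""
    subject: str
    roles: frozenset[str]


@dataclass(frozen=True)
class Rule:
    """One authorization rule for an HTTP method and a route pattern."""
    method: str                                 # "GET", "POST", ... or "*" for any method
    pattern: str                                # route with {param} placeholders
    roles: frozenset[str] = frozenset()         # roles allowed to call the route
    allow_anonymous: bool = False               # public route, no authentication needed
    owner_param: str | None = None              # path parameter that must equal the caller's subject
    owner_bypass: frozenset[str] = frozenset()  # roles exempt from the owner check


class RoutePolicy:
    """Evaluator: a request is allowed only if an explicit rule permits it."""

    def __init__(self, rules: list[Rule]) -> None:
        self._rules = [(rule, self._compile(rule.pattern)) for rule in rules]

    @staticmethod
    def _compile(pattern: str) -> re.Pattern[str]:
        # Literal segments are escaped; {name} becomes a named group matching one path segment.
        parts = re.split(r"\{(\w+)\}", pattern)
        regex = "".join(
            re.escape(part) if i % 2 == 0 else f"(?P<{part}>[^/]+)"
            for i, part in enumerate(parts)
        )
        return re.compile(f"^{regex}$")

    def decide(self, method: str, path: str, principal: Principal | None) -> tuple[bool, str]:
        """Return (allowed, reason) for a request. Unmatched routes are denied."""
        for rule, regex in self._rules:
            if rule.method != "*" and rule.method != method.upper():
                continue
            match = regex.match(path)
            if match is None:
                continue
            if rule.allow_anonymous:
                return True, "public route"
            if principal is None:
                return False, "authentication required"
            if rule.roles and not (rule.roles & principal.roles):
                return False, "insufficient role"
            if rule.owner_param and not (rule.owner_bypass & principal.roles):
                # Object-level check: the caller may only touch its own resource.
                if match.group(rule.owner_param) != principal.subject:
                    return False, "not the resource owner"
            return True, f"allowed by rule {rule.method} {rule.pattern}"
        return False, "no matching rule (deny by default)"


# Constructed sample policy: assumed routes and role names, not from the post.
POLICY = RoutePolicy([
    Rule("GET", "/health", allow_anonymous=True),
    Rule("POST", "/login", allow_anonymous=True),
    Rule("GET", "/users/{user_id}", roles=frozenset({"user", "admin"}),
         owner_param="user_id", owner_bypass=frozenset({"admin"})),
    Rule("DELETE", "/users/{user_id}", roles=frozenset({"admin"})),
    Rule("GET", "/admin/reports", roles=frozenset({"admin"})),
])

# Constructed callers.
ALICE = Principal("42", frozenset({"user"}))
ADMIN = Principal("1", frozenset({"admin"}))


if __name__ == "__main__":
    samples = [
        ("GET", "/health", None),
        ("GET", "/users/42", None),
        ("GET", "/users/42", ALICE),
        ("GET", "/users/43", ALICE),
        ("DELETE", "/users/42", ALICE),
        ("GET", "/users/43", ADMIN),
        ("PUT", "/users/42", ALICE),
    ]
    for method, path, who in samples:
        allowed, reason = POLICY.decide(method, path, who)
        label = who.subject if who else "anonymous"
        print(f"{method:6} {path:12} {label:9} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The design choice that matters is the final `return False`: a route the developer forgot to list is unreachable rather than silently open, which is the opposite of the “assume controlled inputs” habit the post warns about. The owner check is what turns a route-level rule into an object-level one, so a valid user token cannot read another user’s record just by changing the path parameter.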

Please contact us if you want to hear more about our view on WAFs for API security.

The post The WAF must die – some interesting thoughts – FireTail Blog appeared first on Security Boulevard.

Unlocking New Possibilities for Security Operations: NSFOCUS’s AI Agent Capabilities Recognized by Authoritative Institution

By: NSFOCUS

Recently, Forrester, a globally renowned independent research and advisory firm, released the report “Navigate The AI Agent Ecosystem In China, Forrester Research, October 2025[1].” NSFOCUS was successfully included in this report. In the report, Forrester identified four key technological trends: With the rapid advancement of Artificial Intelligence, AI Agent technology is deepening its application within […]

The post Unlocking New Possibilities for Security Operations: NSFOCUS’s AI Agent Capabilities Recognized by Authoritative Institution appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

The post Unlocking New Possibilities for Security Operations: NSFOCUS’s AI Agent Capabilities Recognized by Authoritative Institution appeared first on Security Boulevard.